Security and Compliance Flashcards

1
Q

What acts like built-in firewalls per instance for your virtual servers?

A

Security groups

Security groups act like built-in firewalls for your virtual servers — the rules you create define what is allowed to talk to your instances and how.

Although network access control lists can be used to block or deny traffic, these operate at the subnet level (covering all instances in the subnet with the same ruleset), not per instance as the question specifies. Route tables tell traffic where it should go next to reach its destination, and an Availability Zone is a collection of data centers — which isn’t relevant in this question.

2
Q

Network access control lists

A

Network access control lists ensure the proper traffic is allowed in the subnet.

Like a crosswalk light: people are only allowed into the street at the right time.

3
Q

Microsoft has announced a new patch for its operating system. For a platform-as-a-service solution, who would be responsible for applying the patch?

A

AWS - The platform-as-a-service model removes the need for organizations to manage the underlying infrastructure (usually hardware and operating systems) and allows you to focus on the deployment and management of your applications.

The customer is responsible for patching the operating system for infrastructure-as-a-service solutions, but AWS is responsible for patching the operating system for platform-as-a-service solutions.

4
Q

A huge department store sells products online and in-person. Most of their customers use credit cards instead of cash when making purchases. For security purposes, the credit card data must be encrypted at rest. Which services allow the department store to generate and store the encryption key used to secure the credit card numbers?

A

Key Management Service (KMS) - KMS allows you to generate and store encryption keys.
AND
CloudHSM - CloudHSM is a hardware security module (HSM) used to generate and store encryption keys.

5
Q

Identity and Access Management (IAM)

A

IAM allows you to control access to your AWS services and resources.

6
Q

A customer has created an Administrators group in IAM containing 5 users. What does the customer attach to the group to ensure all the users have the needed administrative access?

A

IAM policy

Policies can be attached to a group to ensure all users in the group have the same access. AWS even has a managed policy, Administrator Access, you can use.

7
Q

IAM service role

A

An IAM service role is a role that an AWS service assumes to perform actions. Roles are not associated with a specific user or group.

8
Q

Macie

A

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS —> used to protect your data!

Macie uses machine learning to discover sensitive data stored on Amazon S3. Macie automatically detects a large and growing list of sensitive data types, including personally identifiable information (PII) such as names, addresses, and credit card numbers.

9
Q

GuardDuty

A

While GuardDuty has built-in detection for Amazon S3, it only uncovers unauthorized behavior, not personally identifiable information (PII).

10
Q

Bucket access policy

A

A bucket access policy can be attached directly to an S3 bucket to limit access to specific users.

11
Q

Access keys

A

Access keys are long-term credentials for an IAM user.

12
Q

Which of the following is an AWS Well-Architected Framework design principle related to operational excellence?

A

Deploy smaller, reversible changes.

This is a design principle related to operational excellence. Smaller changes can easily be reverted, if necessary.

13
Q

Under the shared responsibility model, which task is AWS’ responsibility when managing AWS Lambda functions?

A

Managing the Lambda runtime environment — AWS is responsible for the Lambda runtime environment.

You are responsible for managing the versions of your application code.

14
Q

Well-Architected Framework - Performance Efficiency

A

The Performance Efficiency pillar focuses on the effective use of resources to meet demand. In this pillar, you would use the information gathered through the evaluation process to actively drive adoption of new services or resources. You would also define a process to improve workload performance, and you would need to stay up to date on new resources and services.

15
Q

Well-Architected Framework - Operational Excellence

A

The Operational Excellence pillar focuses on building applications that effectively support your workloads.

16
Q

IAM credential report

A

The IAM credential report lists all the users and the status of their various credentials, including passwords, access keys, server certificates, and MFA devices.

17
Q

AWS Artifact

A

Artifact offers on-demand access to AWS security and compliance reports.

18
Q

Secrets Manager

A

Secrets Manager allows you to manage and retrieve secrets (passwords or keys).

19
Q

A customer is managing multiple AWS accounts using AWS Organizations. What can the customer use to restrict the same permissions across all AWS accounts managed under AWS Organizations using minimal effort?

A

Service control policies

AWS Organizations provides central governance and management for multiple accounts. Organization service control policies (SCPs) allow you to create permissions guardrails that apply to all accounts within a given organization.

There is no such thing as an IAM organization policy.

20
Q

Which of the following AWS services can help you assess the fault tolerance of your AWS environment?

A

AWS Trusted Advisor can help you assess the fault tolerance of your AWS environment. AWS Inspector can help you assess your security.

21
Q

A company is configuring IAM for its new AWS account. There are 5 departments with between 5 to 10 users in each department. How can they efficiently apply access permissions for each of these departments and simplify management of these users?

A

Create policies for each department that define the permissions needed. Create an IAM group for each department and attach the policy to each group. Add each department’s members to their respective IAM group.

By creating an IAM group, all like users can be managed all at one time. Once the permissions are defined within the policy, it can be attached to the IAM group, allowing them access to the resources/services stated within the policy.

Policies assign permissions, not IAM roles.

22
Q

Which service powers the creation of encrypted EBS volumes for Amazon EC2?

A

Key Management Service (KMS)

When you create an encrypted Amazon EBS volume, you’re able to specify a KMS customer master key.

23
Q

AWS Shield

A

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.

24
Q

What does a developer need in order to log in to an EC2 instance via SSH from their local machine?

A

Public and private key and an SSH client
A key pair, consisting of a private key and a public key, is a set of security credentials you use to prove your identity when connecting to an instance. Amazon EC2 stores the public key.

An SSH client is a program that allows establishing a secure connection from your local laptop to an EC2 instance.

NOT - Key Management System (KMS) generated key
KMS is used to generate keys for encrypting and decrypting data.

25
Q

How can a customer meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware in the cloud?

A

CloudHSM allows customers to meet compliance requirements for data security by using dedicated hardware.

26
Q

You would like to give an application running on one of your EC2 instances access to an S3 bucket. What is the best way to implement this?

A

Assign the instance an IAM role

The recommended method to assign permissions to apps running in EC2 is to use IAM roles.

27
Q

A new application needs temporary access to resources in AWS. How can this best be achieved?

A

Create an IAM role and have the application assume the role. – Roles define access permissions and are temporarily assumed by an IAM user or service.

NOT policy – A policy cannot be attached directly to an application. A policy can be attached to a role, and the application could assume the role.

28
Q

Principal (in IAM)

A

A principal is a person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.

29
Q

Resource (in IAM)

A

Resources are the user, group, role, policy, and identity provider objects that are stored in IAM. As with other AWS services, you can add, edit, and remove resources from IAM.

30
Q

Entities (in IAM)

A

IAM entities are the users (IAM users and federated users) and roles that are created and used for authentication.

31
Q

Identities (in IAM)

A

Identities are the IAM resource objects that are used to identify and group. You can attach a policy to an IAM identity. These include users, groups, and roles.

32
Q

How does AWS Shield Standard help protect your environment?

A

By blocking DDoS attacks.

AWS Shield Standard is included at no extra cost, but will only block DDoS attacks on your AWS resources. It will not scan the contents of incoming or outgoing traffic (this is a function of WAF) and will not protect your environment from viruses.

33
Q

Network ACL

A

A network access control list (NACL) is an optional layer of security for your VPC that ensures the proper traffic is allowed into the subnet.

34
Q

Security group

A

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to 5 security groups to the instance.

Security groups act AT THE INSTANCE LEVEL, NOT THE SUBNET LEVEL.

35
Q

AWS Shield Advanced

A

AWS Shield Advanced provides enhanced protections and 24/7 access to AWS experts for a fee.

36
Q

Access keys

A

Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).

Access keys consist of two parts: an access key ID and a secret access key.

37
Q

GuardDuty

A

GuardDuty is an intelligent threat detection system that uncovers unauthorized behavior — think of a guard dog that protects against unwanted behaviors.

38
Q

Which of the following statements is true of newly created security groups with their default rules?

A

New security groups allow only outbound traffic and block all incoming traffic.

By default, new security groups start with only an outbound rule to allow all traffic to leave the instances. You must add rules to enable any inbound traffic.

39
Q

Resource groups

A

You can use resource groups to organize your AWS resources. Resource groups make it easier to manage and automate tasks on large numbers of resources at one time.

40
Q

Tagging

A

Tagging assists with the organization of resources, but not directly managing those resources. Amazon Web Services allows customers to assign metadata to their AWS resources in the form of tags. Each tag is a simple label consisting of a customer-defined key and an optional value that can make it easier to manage, search for, and filter resources by purpose, owner, environment, or other criteria.

41
Q

Your organization is multi-national and uses multiple AWS Regions. Which AWS service can be used to route users to the nearest data center to reduce latency?

A

Route 53 is a DNS service that routes users to applications. Amazon Route 53 effectively connects user requests to infrastructure running in AWS (e.g., Amazon EC2 instances, Elastic Load Balancing load balancers, or Amazon S3 buckets) and can also be used to route users to infrastructure outside of AW

42
Q

Which of the following is TRUE when considering subnets in a VPC?

A

By default, all subnets within a VPC can communicate with each other, without needing any other resources or configuration.

43
Q

A small startup is configuring its AWS Cloud environment. Which AWS service will allow grouping its users together and applying permissions to them as a group?

A

IAM allows you to control access to your AWS services and resources.

Resource groups help you organize resources like EC2 instances, not users.

44
Q

AWS X-Ray

A

AWS X-Ray provides an end-to-end view of requests as they travel through your application, and shows a map of your application’s underlying components. You can use X-Ray to analyze from simple three-tier applications to complex microservices applications consisting of thousands of services.