Security and Compliance Flashcards
AWS Command Line Interface (CLI)
Allows you to access resources in your AWS account through a terminal or command window. Access keys are needed when using the CLI and can be generated using IAM.
User > SSH client on laptop > EC2 instance
Uses a key pair: the user holds the private key, the instance stores the matching public key
EC2 Groups Vs. IAM Groups
EC2 security groups act as firewalls
IAM groups are collections of users
Roles
Roles define access permissions and are temporarily assumed by an IAM user or service
- You assume a role to perform a task in a single session
- Access is assigned using policies
Roles help you avoid sharing long term credentials like access keys and protect your instances from unauthorized access
EC2 Instance > S3 Bucket Upload > S3
Policies
Manage permissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it.
User + POLICY + RDS
(JSON)
{ "Version": "...", "Statement": [ { "Action": "rds:*", "Effect": "Allow", "Resource": [...] } ] }
IAM Credential Report
Lists all users in your account and the status of their various credentials
Lists all users and status of passwords, access keys and MFA devices
Used for auditing and compliance
Web Application Firewall (WAF)
Helps protect your web applications against common web attacks
- Protects apps against common attack patterns
- Protects against SQL injection
- Protects against cross-site scripting
Shield
Managed Distributed Denial of Service (DDoS) protection service
- Always-on detection
- Shield standard is free
- Shield Advanced is a paid service
Shield Standard Vs. Shield Advanced
Standard - Provides free protection against common and frequently occurring attacks
Advanced - Provides enhanced protections and 24/7 access to AWS experts for a fee
Shield Advanced is supported on several services
- CloudFront
- Route 53
- Elastic Load Balancing
- AWS Global Accelerator
Macie
Helps you discover and protect sensitive data
- Uses machine learning
- Evaluates S3 environment
- Uncovers personally identifiable information (PII)
Config
Allows you to assess, audit, and evaluate the configurations of your resources
- Track configuration changes over time
- Delivers configuration history file to S3
- Notifications via Simple Notification Service (SNS) of every configuration change
GuardDuty
An intelligent threat detection service that uncovers unauthorized behavior
- Uses machine learning
- Built-in detection for EC2, S3, and IAM
- Reviews CloudTrail, VPC Flow Logs, and DNS logs
Inspector
Works with EC2 instances to uncover and report vulnerabilities
- Agent installed on EC2 Instance
- Reports vulnerabilities found
- Checks access from the internet, remote root login, vulnerable software versions, etc.
Artifact
Offers on-demand access to AWS security and compliance reports
- Central repository for compliance reports from third-party auditors
- Service Organization Controls (SOC) reports
- Payment Card Industry (PCI) reports
Cognito
Helps you control access to mobile and web applications
- Provides authentication and authorization
- Helps you manage users
- Assists with user sign-up and sign-in
Key Management Service (KMS)
Allows you to generate and store encryption keys
- Key generator
- Store and control keys
- AWS manages encryption keys
- Automatically enabled for certain services (CloudTrail Logs, S3 Glacier, Storage Gateway)
CloudHSM
Hardware security module (HSM) used to generate encryption keys
- Dedicated hardware for security
- Generate and manage your own encryption keys
- AWS does not have access to your keys
Secrets Manager
Allows you to manage and retrieve secrets (passwords or keys)
- Rotate, manage, and retrieve secrets
- Encrypts secrets at rest (using encryption keys that you own and that are stored in KMS)
- Integrates with services like RDS, Redshift, and DocumentDB
Which service protects your web application from cross-site scripting attacks?
Amazon Inspector
AWS Shield
Amazon Macie
AWS Web Application Firewall (WAF)
AWS Web Application Firewall (WAF)
WAF helps protect your web applications from common web attacks, like SQL injection or cross-site scripting.
Which of the following are considered IAM best practices?
Choose 2
Use access keys to manage EC2 applications.
Enable multi-factor authentication (MFA) for administrative accounts as well as the root user.
Use the root account for daily administrative tasks.
Implement strong password policies.
Enable multi-factor authentication (MFA) for administrative accounts as well as the root user.
Implement strong password policies.
Which service has a feature that can assist with compliance and auditing by offering a downloadable report that provides the status of passwords and MFA devices in your account?
AWS Secrets Manager
AWS Artifact
AWS Systems Manager
AWS Identity and Access Management (IAM)
AWS Trusted Advisor
AWS Identity and Access Management (IAM)
IAM provides a downloadable credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices.
What is the role of CloudHSM?
It will allow all users to view and access encryption keys.
Its role is to easily create and use your own encryption keys.
It is software used for encryption key management.
Its role is to manage and retrieve passwords or keys.
Its role is to easily create and use your own encryption keys.
AWS CloudHSM enables you to easily create and use your own encryption keys on the AWS Cloud.
In the AWS shared responsibility model, what is AWS not responsible for?
Choose 3
Setting permissions for objects stored in Amazon S3
Amazon Relational Database Service (RDS) database backups
Decommissioning storage devices that have reached the end of life
Amazon Elastic Block Store (EBS) snapshots
Backup power generators
AWS Lambda language versions
Setting permissions for objects stored in Amazon S3
Amazon Relational Database Service (RDS) database backups
Amazon Elastic Block Store (EBS) snapshots
Which service can integrate with a Lambda function to automatically take remediation steps when it uncovers suspicious network activity when monitoring logs in your AWS account?
Amazon GuardDuty
AWS Systems Manager
Amazon Inspector
AWS CloudTrail
Amazon GuardDuty
GuardDuty can perform automated remediation actions by leveraging Amazon CloudWatch Events and AWS Lambda. GuardDuty continuously monitors for threats and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. GuardDuty analyzes multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs.
Which service allows you to generate encryption keys managed by AWS?
AWS Key Manager (KM)
AWS Key Management Service (KMS)
AWS CloudHSM
AWS Identity and Access Management (IAM)
AWS Key Management Service (KMS)
KMS allows you to generate and manage encryption keys. The keys generated by KMS are managed by AWS.
Which service allows you to locate credit card numbers stored in Amazon S3?
Amazon Comprehend
Amazon Rekognition
Amazon Macie
Amazon Inspector
Amazon Macie
Macie is a data privacy service that helps you uncover and protect your sensitive data, such as personally identifiable information (PII) like credit card numbers, passport numbers, social security numbers, and more.
Which service allows you to record software configuration changes within your Amazon EC2 instances over time?
AWS Config
AWS Systems Manager
AWS Trusted Advisor
AWS Inspector
AWS Config
Config helps with recording compliance and configuration changes over time for your AWS resources.
In the shared responsibility model, what is the customer responsible for?
Choose 2
Patching the host operating system (OS)
Cloud infrastructure
Patching the guest operating system (OS)
Firewall configuration and application security
Patching the guest operating system (OS)
Firewall configuration and application security
Which of the following are tasks that only the root user can complete?
Choose 2
Launch EC2 instances.
Change the account name and email address.
Modify your support plan.
Configure databases.
Change the account name and email address.
Modify your support plan.
Select the FALSE statement regarding the pillars of the AWS Well-Architected Framework.
The Cost Optimization pillar enables the ability to run systems to deliver business value at the lowest price point by utilizing a capital expenditures (CAPEX) model.
The Security pillar enables the ability to protect data, systems, and assets to improve your cloud security.
The Performance Efficiency pillar enables the ability to use computing resources efficiently as demand and technology changes.
The Operational Excellence pillar enables the ability to support development, run workloads effectively, gain operational insights, and improve supporting processes and procedures.
The Cost Optimization pillar enables the ability to run systems to deliver business value at the lowest price point by utilizing a capital expenditures (CAPEX) model.
The Cost Optimization pillar does enable the ability to run systems to deliver business value at the lowest price point. However, it favors the operating expenses (OPEX) model, rather than the capital expenditures (CAPEX) model.
How do you manage permissions for multiple users at once using AWS Identity and Access Management (IAM)?
Roles
Groups
Policies
EC2 security groups
Groups
An IAM group is a collection of IAM users. When you assign an IAM policy to a group, all users in the group are granted permissions specified by the policy.
Which service allows you to create access keys for someone needing to access AWS via the command line interface (CLI)?
Amazon Cloud Directory
AWS Secrets Manager
AWS Identity and Access Management (IAM)
AWS Security Hub
AWS Identity and Access Management (IAM)
IAM allows you to create users and generate access keys for users needing to access AWS via the CLI.
Which service helps you control access to mobile and web applications?
Cognito
Macie
Shield
IAM
Cognito
Cognito helps you control access to mobile and web applications.
Which of the following are pillars of the AWS Well-Architected Framework?
Choose 3
Environmental Responsibility Pillar
Security pillar
Operational excellence pillar
Cost optimization pillar
Security pillar
Operational excellence pillar
Cost optimization pillar