Security and Compliance

Question 1

AWS responsibilities in shared responsibility model

Answer 1

AWS Global Infrastructure - regions, edge locations, availability zones
Building Security - controlling data center access
Networking Components - maintaining generators, uninterruptible power supply (UPS) systems, computer room air conditing (CRAC) units, fire suppression systems, etc.
Software - managed services and patching of HOST operating systems

Question 2

My responsibilities in shared responsibility model

Answer 2

Application Data - manging and encrypting data
Security Configurations - securing account/APIs, rotating credentials, restricting internet access from VPCs
Patching - responsible for guest OS
IAM
Network Traffic - security group firewall configurations
Installed Software - application code patching and scans

Question 3

How to report abuse of AWS resources

Answer 3

Contact the AWS Trust and Safety team

Question 4

The 6 pillars of the Well-Architected Framework

Answer 4

1. Operational Excellence
2. Security
3. Reliability
4. Performance Efficiency
5. Cost Optimization
6. Sustainability

Question 5

What is WAF (framework)

Answer 5

The Well-Architected Framework describes the design principles and best practices for running workloads in the cloud

Question 6

WAF: Operational Excellence

Answer 6

Focus on creating applications that effectively support production workloads
- Plan for and anticipate failures
- Script operations as code
- Deploy smaller, reversible changes
- Learn from failure and refine

Question 7

WAF: Security

Answer 7

Focus on putting mechanisms in place that protect your systems and data
- Automate security tasks
- Encrypt data in transit and at rest
- Assign only the least privileges required
- Track who did what and when
- Ensure security at all application layers

Question 8

WAF: Reliability

Answer 8

Focus on designing systems that work consistently and recover quickly
- Recover from failure automatically
- Scale horizontally for resilience
- Reduce idle resources
- Manage change through automation
- Test recovery procedures

Question 9

WAF: Performance Efficiency

Answer 9

Focus on the effective use of computing resources to meet system and business requirements while removing bottlenecks
- Use serverless architectures first
- Use multi-region deployments
- Delegate tasks to a cloud vendor
- Experiment with virtual resources

Question 10

WAF: Cost Optimization

Answer 10

Focus on delivering optimum and resilient solutions at the least cost to the user
- Utilize consumption-based pricing
- Measure overall efficiency
- Implement Cloud Financial Management
- Pay only for resources your application requires

Question 11

WAF: Sustainability

Answer 11

Focus on environmental impacts, especially energy consumption and efficiency
- Understand your impact
- Maximize utilization
- Establish sustainability goals
- Use managed services
- Reduce downstream impact

Question 12

Identity and Access Management (IAM)

Answer 12

IAM allows you to control access to your AWS services and resources
- Helps you secure your cloud resources
- You define who has access
- You define what they can do
- A free global service

Question 13

The principle of least privilege

Answer 13

Giving a user the minimum access required to get the job done

Question 14

How to create access keys for users that need access to the AWS CLI

Answer 14

IAM

Question 15

IAM Credential Report

Answer 15

Lists all users in your account and the status of their various credentials

Question 16

What is WAF (security)

Answer 16

Web Application Firewall - Helps to protect your web applications against common web attacks.
- protects against SQL injection
- protects against cross-site scripting
- protects against common attack patterns

Question 17

What service protects against SQL injection and cross site scripting attacks?

Answer 17

WAF - Web Application Firewall

Question 18

Shield

Answer 18

Managed DDOS protection service
- always on
- standard is free
- advanced is a paid service

Question 19

Macie

Answer 19

Helps you discover and protect sensitive data
-machine learning
-evaluates S3 environments
-uncovers personally identifiable information (PII)

Question 20

Shield works with which services

Answer 20

• CloudFront
• Route 53
• Elastic Load Balancing
• AWS Global Accelerator

Question 21

Config

Answer 21

Allows you to assess, audit, and evaluate the configurations of your resources
- track configuration changes over time
- delivers configuration history to S3
- notification via SNS of configuration changes

Question 22

GuardDuty

Answer 22

An intelligent threat detection system that uncovers unauthorized behavior
- machine learning
- built in detection for EC2, S3, IAM
- reviews cloudtrail, vpc flow logs, and DNS logs

Question 23

Inspector

Answer 23

works with EC2 instances to uncover and report vulnerabilities
- Agent installed on EC2 instance
- Reports vulnerabilities
- Checks access from internet, remote root login, vulnerable software versions, etc.

Question 24

Artifact

Answer 24

Offers on-demand access to AWS security and compliance reports
- central repository for compliance reports from third-party auditors
- service organization controls (SOC) reports
- payment card industry (PCI) reports

Question 25

Cognito

Answer 25

helps you control access to mobile and web applications
- provides authentication and authorization
- helps you manage users
- assists with user sign-up and sign-in

Question 26

Key Management Services (KMS)

Answer 26

Allows you to generate and store encryption keys

Question 27

CloudHSM

Answer 27

Hardware Security Module (HSM) used to generate encryption keys
- dedicated hardware for security
- AWS does not have access to your keys
- Generate and manage your own encryption keys

Question 28

This service allows you to meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware in the cloud

Answer 28

CloudHSM

Question 29

Secrets Manager

Answer 29

allows you to manage and retrieve secrets (passwords or keys)
- rotate, manage, and retrieve secrets
- integrates with services like RDS, Redshift, and DocumentDB
- Encrypt at rest

Question 30

This service allows you to retrieve database credentials with a call to its API, removing the need to hardcode sensitive information in plain text within your application code

Answer 30

Secrets Manager API