Security and Compliance Flashcards

1
Q

AWS responsibilities in shared responsibility model

A

AWS Global Infrastructure - regions, edge locations, availability zones
Building Security - controlling data center access
Networking Components - maintaining generators, uninterruptible power supply (UPS) systems, computer room air conditioning (CRAC) units, fire suppression systems, etc.
Software - managed services and patching of HOST operating systems

2
Q

My responsibilities in shared responsibility model

A

Application Data - managing and encrypting data
Security Configurations - securing account/APIs, rotating credentials, restricting internet access from VPCs
Patching - responsible for guest OS
IAM
Network Traffic - security group firewall configurations
Installed Software - application code patching and scans

3
Q

How to report abuse of AWS resources

A

Contact the AWS Trust and Safety team

4
Q

The 6 pillars of the Well-Architected Framework

A
  1. Operational Excellence
  2. Security
  3. Reliability
  4. Performance Efficiency
  5. Cost Optimization
  6. Sustainability
5
Q

What is WAF (framework)

A

The Well-Architected Framework describes the design principles and best practices for running workloads in the cloud

6
Q

WAF: Operational Excellence

A

Focus on creating applications that effectively support production workloads
- Plan for and anticipate failures
- Script operations as code
- Deploy smaller, reversible changes
- Learn from failure and refine

7
Q

WAF: Security

A

Focus on putting mechanisms in place that protect your systems and data
- Automate security tasks
- Encrypt data in transit and at rest
- Assign only the least privileges required
- Track who did what and when
- Ensure security at all application layers

8
Q

WAF: Reliability

A

Focus on designing systems that work consistently and recover quickly
- Recover from failure automatically
- Scale horizontally for resilience
- Reduce idle resources
- Manage change through automation
- Test recovery procedures

9
Q

WAF: Performance Efficiency

A

Focus on the effective use of computing resources to meet system and business requirements while removing bottlenecks
- Use serverless architectures first
- Use multi-region deployments
- Delegate tasks to a cloud vendor
- Experiment with virtual resources

10
Q

WAF: Cost Optimization

A

Focus on delivering optimum and resilient solutions at the least cost to the user
- Utilize consumption-based pricing
- Measure overall efficiency
- Implement Cloud Financial Management
- Pay only for resources your application requires

11
Q

WAF: Sustainability

A

Focus on environmental impacts, especially energy consumption and efficiency
- Understand your impact
- Maximize utilization
- Establish sustainability goals
- Use managed services
- Reduce downstream impact

12
Q

Identity and Access Management (IAM)

A

IAM allows you to control access to your AWS services and resources
- Helps you secure your cloud resources
- You define who has access
- You define what they can do
- A free global service

13
Q

The principle of least privilege

A

Giving a user the minimum access required to get the job done

14
Q

How to create access keys for users that need access to the AWS CLI

A

IAM

15
Q

IAM Credential Report

A

Lists all users in your account and the status of their various credentials

16
Q

What is WAF (security)

A

Web Application Firewall - Helps to protect your web applications against common web attacks.
- protects against SQL injection
- protects against cross-site scripting
- protects against common attack patterns

17
Q

What service protects against SQL injection and cross-site scripting attacks?

A

WAF - Web Application Firewall

18
Q

Shield

A

Managed DDoS protection service
- always on
- standard is free
- advanced is a paid service

19
Q

Macie

A

Helps you discover and protect sensitive data
- machine learning
- evaluates S3 environments
- uncovers personally identifiable information (PII)

20
Q

Shield works with which services

A
  • CloudFront
  • Route 53
  • Elastic Load Balancing
  • AWS Global Accelerator
21
Q

Config

A

Allows you to assess, audit, and evaluate the configurations of your resources
- track configuration changes over time
- delivers configuration history to S3
- notification via SNS of configuration changes

22
Q

GuardDuty

A

An intelligent threat detection system that uncovers unauthorized behavior
- machine learning
- built-in detection for EC2, S3, IAM
- reviews CloudTrail, VPC Flow Logs, and DNS logs

23
Q

Inspector

A

Works with EC2 instances to uncover and report vulnerabilities
- Agent installed on EC2 instance
- Reports vulnerabilities
- Checks access from internet, remote root login, vulnerable software versions, etc.

24
Q

Artifact

A

Offers on-demand access to AWS security and compliance reports
- central repository for compliance reports from third-party auditors
- service organization controls (SOC) reports
- payment card industry (PCI) reports

25
Q

Cognito

A

Helps you control access to mobile and web applications
- provides authentication and authorization
- helps you manage users
- assists with user sign-up and sign-in

26
Q

Key Management Services (KMS)

A

Allows you to generate and store encryption keys

27
Q

CloudHSM

A

Hardware Security Module (HSM) used to generate encryption keys
- dedicated hardware for security
- AWS does not have access to your keys
- Generate and manage your own encryption keys

28
Q

This service allows you to meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware in the cloud

A

CloudHSM

29
Q

Secrets Manager

A

Allows you to manage and retrieve secrets (passwords or keys)
- rotate, manage, and retrieve secrets
- integrates with services like RDS, Redshift, and DocumentDB
- Encrypt at rest

30
Q

This service allows you to retrieve database credentials with a call to its API, removing the need to hardcode sensitive information in plain text within your application code

A

Secrets Manager API