Security and Compliance Flashcards

1
Q

What is the default level of access a newly created IAM User is granted?

A

By default a new IAM user has no permissions at all: every action must be explicitly granted through a policy attached to the user or to a group the user belongs to.

2
Q

What is the AWS object, stored as a JSON document, that provides a formal statement of one or more permissions?

A

A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. Most policies are stored in AWS as JSON documents.

3
Q

What do Access Key ID and Secret Access Keys allow?

A

An access key ID and secret access key pair are used to call AWS programmatically (CLI, SDKs, API). The console is accessed with a username and password instead, ideally protected with MFA.

4
Q

Power User Access allows ____.

A

Full access to all AWS services and resources, except the management of users and groups within IAM. The AWS-managed policy is PowerUserAccess, which excludes IAM and Organizations management actions.

5
Q

How can you allow cross-account console and programmatic access to an S3 bucket by users in a different account?

A

Set up a cross-account IAM role that users in the other account can assume. This is currently the only method that lets IAM users reach an S3 bucket in another account both programmatically and via the AWS console.

6
Q

What does IAM allow?

A

IAM allows you to manage users, groups, roles, and their corresponding level of access to the AWS Platform.

7
Q

What level of access does the “root” account have?

A

The root user represents the owner of the AWS account and can do anything, including changing billing details and closing the account. Its credentials should be locked away, protected with MFA, carry no access keys, and be used only when absolutely necessary.

8
Q

What is IAM?

A

IAM (Identity and Access Management) allows you to manage users and their level of access.

9
Q

What does IAM use to manage users and their roles?

A

IAM uses groups to which users can be assigned.

The users then inherit the permissions of the group. The permissions themselves are defined by policies.

10
Q

What in AWS can you access using access keys and secret access keys?

A

Access keys and secret access keys are used to access AWS via the command line or via API, but not via the console.

11
Q

What does a credential report provide?

A

A credential report is a downloadable CSV listing all users in your account. It gives details such as when each password was last used, when it needs changing, whether the user has access keys and when they were last used or rotated, and whether MFA is enabled.

12
Q

How does IAM provide access?

A

IAM uses groups, to which users are assigned, to grant access to resources.

13
Q

How are IAM groups defined?

A

An IAM group is simply a collection of users; the permissions the group grants are defined by the policies attached to it, which are written in JSON.

14
Q

What is IAM used for?

A

Identity and Access Management (IAM) is used for assigning roles and permissions to users.

15
Q

Within IAM, where are users stored and what is used to set their permissions?

A

Users are placed in groups and take on the permissions of those groups. A group's permissions are determined by the JSON policies attached to it.

16
Q

What is a credential report?

A

A credential report is a downloadable CSV of all users in your account. It gives details such as when each password was last used, when it needs changing, whether the user has access keys and when they were last used or rotated, and whether MFA is enabled.
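
The checks a reviewer actually runs over a credential report (cards 11 and 16), as an added example that is not part of the original flashcards. The CSV is constructed inline to match the column layout of the report returned by `aws iam get-credential-report` (whose `Content` field is base64-encoded CSV); the user names, account ID, dates and the 90-day thresholds are assumptions for illustration.

```python
"""Offline checks over an IAM credential report (added example, not AWS code).

Findings mirror what a reviewer looks for: console users without MFA, access
keys that are unused or unrotated for too long, and any access key on root.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the real report's column layout (hypothetical account 123456789012).
CREDENTIAL_REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-10T09:00:00+00:00,not_supported,2024-05-01T08:12:00+00:00,not_supported,not_supported,true,true,2020-01-10T09:05:00+00:00,2023-11-02T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-04T12:00:00+00:00,true,2024-05-30T07:45:00+00:00,2024-03-01T12:00:00+00:00,2024-05-30T12:00:00+00:00,true,true,2024-04-01T12:00:00+00:00,2024-05-31T06:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-03-04T12:00:00+00:00,true,2024-05-29T15:00:00+00:00,2023-09-01T12:00:00+00:00,2023-11-30T12:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2019-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2019-06-01T00:01:00+00:00,2023-01-15T02:00:00+00:00,us-east-1,ecr,true,2024-05-01T00:00:00+00:00,2024-05-31T02:00:00+00:00,us-east-1,ecr,false,N/A,false,N/A
"""

# Fixed "today" so the sample gives reproducible results; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)    # assumed rotation policy
MAX_KEY_IDLE = timedelta(days=90)   # assumed "unused key" threshold


def _ts(value):
    """Report dates are ISO 8601; 'N/A', 'no_information', 'not_supported' become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit(report_csv, now=NOW):
    """Return a list of (user, finding) tuples for the report text."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root has no identity policy limits, so any key on it is a finding.
            if row["mfa_active"] != "true":
                findings.append((user, "root without MFA"))
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    findings.append((user, f"root has active access key {slot}"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{slot}_last_rotated"])
            last_used = _ts(row[f"access_key_{slot}_last_used_date"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {slot} not rotated for {(now - rotated).days} days"))
            if last_used is None or now - last_used > MAX_KEY_IDLE:
                findings.append((user, f"access key {slot} unused for more than {MAX_KEY_IDLE.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(CREDENTIAL_REPORT_CSV):
        print(f"{user:16} {finding}")
```

To run this against a real account, decode the `Content` field from `aws iam get-credential-report` and pass the resulting text to `audit()` with `now=datetime.now(timezone.utc)`.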

17
Q

What does IAM use to manage access?

A

IAM uses groups (to which users can be assigned) and roles to manage access.

18
Q

A customer has created an Administrators group in IAM containing 5 users. What does the customer attach to the group to ensure all the users have the needed administrative access?

A

An IAM policy. Policies attached to a group apply to every user in the group, so all five get the same access. AWS provides a managed policy for exactly this, AdministratorAccess, which allows every action on every resource.
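
The policy model behind cards 1, 2, 4, 13 and 18 in working code, as an added example that is not from the original flashcards or from AWS. It implements the documented precedence for identity-based policies within one account (explicit Deny wins, otherwise an Allow is required, otherwise implicit deny) and shows how users inherit policies through groups. The AdministratorAccess document is the real managed policy; the PowerUserAccess stand-in, the Reporting policy, the group memberships and the bucket name are constructed assumptions. Condition keys, resource-based policies, permission boundaries and SCPs are deliberately out of scope.

```python
"""Toy model of IAM identity-policy evaluation (added example, not AWS code)."""
import re

# Real AWS-managed policy: full access to everything.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Simplified stand-in for the AWS-managed PowerUserAccess policy: everything except
# IAM. (The real policy also excludes Organizations/Account APIs and re-allows a
# few read-only calls; this shape is an assumption for illustration.)
POWER_USER_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}],
}

# Constructed customer-managed policy for a hypothetical "Reporting" group.
REPORTING_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"],
        },
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::reports-bucket/confidential/*",
        },
    ],
}

# Hypothetical group membership: a user inherits every policy of every group.
GROUP_POLICIES = {
    "Administrators": [ADMINISTRATOR_ACCESS],
    "Developers": [POWER_USER_ACCESS],
    "Reporting": [REPORTING_READ_ONLY],
}
USER_GROUPS = {
    "alice": ["Administrators"],
    "bob": ["Reporting"],
    "dave": ["Developers"],
    "carol": [],  # freshly created user: no group, no policies
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, ignore_case):
    """IAM-style wildcard: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _statement_matches(stmt, action, resource):
    if "Action" in stmt:
        action_hit = any(_glob(a, action, True) for a in _as_list(stmt["Action"]))
    else:  # NotAction: the statement applies to every action NOT listed
        action_hit = not any(_glob(a, action, True) for a in _as_list(stmt["NotAction"]))
    resource_hit = any(_glob(r, resource, False) for r in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"  # a matching Deny wins regardless of order
            allowed = True
    return "allow" if allowed else "implicit-deny"


def effective_policies(user):
    return [p for group in USER_GROUPS[user] for p in GROUP_POLICIES[group]]


def decide(user, action, resource="*"):
    return evaluate(effective_policies(user), action, resource)


if __name__ == "__main__":
    for user, action, res in [
        ("carol", "s3:ListBucket", "arn:aws:s3:::reports-bucket"),
        ("alice", "iam:CreateUser", "*"),
        ("dave", "iam:CreateUser", "*"),
        ("dave", "ec2:RunInstances", "*"),
        ("bob", "s3:GetObject", "arn:aws:s3:::reports-bucket/2024/summary.csv"),
        ("bob", "s3:GetObject", "arn:aws:s3:::reports-bucket/confidential/payroll.csv"),
    ]:
        print(f"{user:6} {action:18} {res:55} -> {decide(user, action, res)}")
```

The Deny statement in the Reporting policy is the part worth noticing: bob is allowed `reports-bucket/*` by one statement, yet the `confidential/` prefix is still refused, because an explicit Deny anywhere in the effective policy set overrides every Allow.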

19
Q

What does WAF do?

A

WAF protects web applications from common exploits such as SQL injection and cross-site scripting (XSS) by filtering HTTP(S) requests before they reach the application.

20
Q

What is WAF?

A

WAF is the Web Application Firewall. It lets you monitor and control the HTTP and HTTPS requests forwarded to CloudFront, an Application Load Balancer or API Gateway (among other services).

21
Q

What are the 3 different behaviours allowed by WAF?

A

The three behaviours are:

  • Allow all requests except the ones you specify
  • Block all requests except the ones you specify
  • Count the requests that match the properties you specify
22
Q

What are some of the conditions of web requests that WAF can use to take action?

A

WAF can check:

  • IP addresses that requests originate from
  • The country the request originates from
  • Values in request headers
  • Length of requests
  • Presence of SQL code that is likely to be malicious (SQL injection)
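
How the three behaviours and the match conditions of cards 20 to 22 combine into a decision, as an added example that is not from the original flashcards or from AWS. It models the documented web ACL semantics: rules are evaluated in priority order, Allow and Block terminate evaluation, Count records a match and continues, and the web ACL's default action applies when no terminating rule matched. The IP ranges, countries, header value, size limit and especially the SQL-injection regex are constructed stand-ins for WAF's real IP set, geo match, header, size constraint and SQLi match statements.

```python
"""Model of how an AWS WAF web ACL decides on a request (added example, not AWS code)."""
import ipaddress
import re

# Crude SQL-injection indicator, constructed for the example; WAF's own SQLi statement is a tuned detector.
SQLI_PATTERN = re.compile(r"(?i)(\bunion\b.*\bselect\b|\bor\b\s+1\s*=\s*1|--|;\s*drop\b)")


# --- match statements: each returns a predicate over a request dict ---------
def ip_in_set(cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req["ip"]) in n for n in nets)


def country_in(codes):
    return lambda req: req["country"] in codes


def header_equals(name, value):
    return lambda req: req["headers"].get(name.lower()) == value


def body_longer_than(limit):
    return lambda req: len(req["body"]) > limit


def looks_like_sqli(fields):
    return lambda req: any(SQLI_PATTERN.search(req[f]) for f in fields)


def all_of(*matchers):
    return lambda req: all(m(req) for m in matchers)


def request(ip, country, query="", body="", headers=None):
    """Constructed request record; header names are normalised to lower case."""
    return {"ip": ip, "country": country, "query": query, "body": body,
            "headers": {k.lower(): v for k, v in (headers or {}).items()}}


def evaluate_web_acl(acl, req):
    """Return (action, rule_name, counted_rules): first terminating rule by priority wins."""
    counted = []
    for rule in sorted(acl["rules"], key=lambda r: r["priority"]):
        if not rule["match"](req):
            continue
        if rule["action"] == "COUNT":
            counted.append(rule["name"])  # non-terminating: keep evaluating
            continue
        return rule["action"], rule["name"], counted
    return acl["default_action"], "default", counted


# Behaviour 1: allow all requests except the ones you specify (default ALLOW, BLOCK rules).
# Behaviour 3 appears as the COUNT rule, which only records large bodies.
BLOCKLIST_ACL = {
    "default_action": "ALLOW",
    "rules": [
        {"name": "known-bad-ips", "priority": 0, "action": "BLOCK", "match": ip_in_set(["203.0.113.0/24"])},
        {"name": "sqli-in-input", "priority": 1, "action": "BLOCK", "match": looks_like_sqli(["query", "body"])},
        {"name": "large-bodies", "priority": 2, "action": "COUNT", "match": body_longer_than(8192)},
        {"name": "geo-embargo", "priority": 3, "action": "BLOCK", "match": country_in({"KP"})},
    ],
}

# Behaviour 2: block all requests except the ones you specify (default BLOCK, ALLOW rules).
ALLOWLIST_ACL = {
    "default_action": "BLOCK",
    "rules": [
        {"name": "partner-api", "priority": 0, "action": "ALLOW",
         "match": all_of(ip_in_set(["198.51.100.0/24"]), header_equals("X-Api-Key", "partner-123"))},
    ],
}


if __name__ == "__main__":
    samples = [
        ("blocklist", BLOCKLIST_ACL, request("192.0.2.10", "US", query="id=7")),
        ("blocklist", BLOCKLIST_ACL, request("203.0.113.5", "US", query="id=7")),
        ("blocklist", BLOCKLIST_ACL, request("192.0.2.10", "DE", query="id=1 or 1=1")),
        ("blocklist", BLOCKLIST_ACL, request("192.0.2.10", "KP", body="x" * 9000)),
        ("allowlist", ALLOWLIST_ACL, request("198.51.100.7", "US", headers={"X-Api-Key": "partner-123"})),
        ("allowlist", ALLOWLIST_ACL, request("198.51.100.7", "US")),
    ]
    for label, acl, req in samples:
        print(label, req["ip"], req["country"], "->", evaluate_web_acl(acl, req))
```

The COUNT rule is the useful one when rolling out a new rule: put it in Count first, watch the matches in the metrics, and only then switch it to Block, so a mis-tuned condition does not take down legitimate traffic.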
23
Q

What is Shield?

A

Shield is a managed Distributed Denial of Service (DDoS) protection service. Shield Standard is enabled automatically at no extra cost; Shield Advanced is a paid tier with extended protection and response support.

24
Q

With what services does Shield work?

A

Shield provides DDoS protection and works with:

  • CloudFront
  • Route 53
  • Elastic Load Balancing
  • AWS Global Accelerator
25
Q

What is Macie used for?

A

Macie is used to find Personally Identifiable Information (PII) and other sensitive data stored in S3 using machine learning and pattern matching.

26
Q

What is Macie?

A

Macie is a security service that uses machine learning and pattern matching to discover, classify and protect sensitive data stored in S3. It provides dashboards, reports and findings. Macie Classic, the original version of the service, could also analyse and query CloudTrail logs.

27
Q

What is AWS Config?

A

AWS Config is a service that lets you assess, audit and evaluate the configurations of your AWS resources.

Config records configuration history, so you can identify changes to resources over time and check them against rules.

28
Q

What is GuardDuty?

A

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorised behaviour to protect your AWS accounts and workloads, analysing sources such as CloudTrail events, VPC Flow Logs and DNS logs.

29
Q

What is Inspector?

A

Inspector Classic assessed EC2 instances only. The current Amazon Inspector automatically scans EC2 instances for software vulnerabilities and unintended network exposure, and also scans container images in ECR and Lambda functions.

30
Q

What is Artifact?

A

Artifact offers on-demand access to AWS security and compliance reports.

Artifact provides a central repository for AWS's security and compliance reports (such as SOC and ISO reports) via a self-service portal.

31
Q

What is AWS Cognito?

A

Cognito provides authentication, authorisation and user management for web and mobile apps. It allows users to sign in either directly or through a third-party identity provider such as Facebook, Amazon, Google or Apple.

32
Q

What are the two main components of AWS Cognito?

A

User pools and identity pools are the main components of AWS Cognito. A user pool is a user directory that handles sign-up and sign-in; an identity pool exchanges an authenticated (or guest) identity for temporary AWS credentials.

33
Q

What is KMS?

A

Key Management Service (KMS) lets you create, manage and control encryption keys and use them to encrypt data across AWS services. Key material never leaves KMS unencrypted; you call KMS to encrypt, decrypt or generate data keys.

34
Q

What is CloudHSM?

A

CloudHSM is a hardware security module (HSM) service used to generate and manage encryption keys on dedicated, single-tenant hardware.

CloudHSM allows you to meet corporate, contractual and regulatory compliance requirements for data security by using dedicated hardware in the cloud.

35
Q

What is Secrets Manager?

A

Secrets Manager allows you to manage and retrieve secrets (passwords or keys)

It integrates with services such as RDS, Redshift and DocumentDB and encrypts secrets at rest

36
Q

What does data encryption do?

A

Data encryption encodes data so it cannot be read by unauthorised users who lack the key.

37
Q

How would you create and manage access keys for users that need to access AWS services from the AWS Command Line Interface (CLI)?

A

IAM allows you to create and manage access keys for an IAM user (at most two active keys per user, so that one can be rotated while the other stays in use). Where possible, prefer IAM roles with temporary credentials over long-lived access keys.

38
Q

Does KMS or CloudHSM allow you to manage your own encryption keys?

A

Both do; the difference is who controls the hardware. KMS keys live in AWS-managed, multi-tenant HSMs. CloudHSM gives you dedicated HSMs in your VPC where you manage the keys yourself and AWS has no access to them.

39
Q

What is Secrets Manager and what does it do?

A

Secrets Manager allows you to manage and retrieve secrets (passwords or keys).

It allows you to encrypt secrets at rest, rotate and manage them throughout the lifecycle.

40
Q

What allows you to identify changes to various resources over time?

A

Config allows you to identify changes to various resources over time.

41
Q

With what does Inspector work?

A

Inspector Classic worked with EC2 only; the current Inspector also scans ECR container images and Lambda functions.

42
Q

What controls access to mobile and web applications?

A

Cognito controls access to mobile and web applications.

43
Q

What identifies malicious or unauthorised activities in your AWS account?

A

GuardDuty allows you to identify malicious and unauthorised activities.

44
Q

Which policy will provide information on performing penetration testing on your EC2 instances?

A

The AWS Customer Support Policy for Penetration Testing.

AWS customers may carry out security assessments or penetration tests against their own AWS infrastructure without prior approval for Amazon EC2 instances, NAT gateways, Elastic Load Balancers and a number of other services listed in that policy. Denial-of-service style testing (DoS, DDoS simulation, port or request flooding) is not covered and needs separate arrangement.

45
Q

A purchasing department staff member is set up as an AWS user in the company’s Procurement AWS account. At each month-end, the staff member needs access to an application running on EC2 in the company’s Accounts Payable AWS account to reconcile reports.

What is the best way to provide secure and operationally efficient access to the Accounts Payable application?

A

Have the user request temporary security credentials for the application by assuming a role

The staff member should be given the ability to assume a role programmatically with the permissions necessary to run the Accounts Payable application.

46
Q

A customer has set up an Amazon S3 bucket and wants to limit access to specific users. What is the most efficient way to do so?

A

Bucket access policy

You can add a bucket policy directly to an Amazon S3 bucket to grant specific IAM users access permissions for the bucket and the objects in it, naming them in the policy's Principal element.
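
A linter for the Principal element that serves both the cross-account role trust policy of cards 5 and 45 and the bucket policy of card 46, as an added example that is not from the original flashcards or from AWS. It flags anonymous principals with no condition, principals from accounts that were not signed off, and cross-account AssumeRole statements lacking an ExternalId or MFA condition. The account IDs, role and bucket names, user names and ExternalId value are constructed assumptions; the checker only tests for the presence of condition keys, it does not evaluate conditions.

```python
"""Principal checks for resource-based policies (added example, not AWS code)."""
import re

ACCOUNT_RE = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")

OWN_ACCOUNT = "123456789012"          # hypothetical Accounts Payable account
TRUSTED_ACCOUNTS = {"111111111111"}   # hypothetical Procurement account

# Trust policy on the Accounts Payable role: only Procurement may assume it, and only with the agreed ExternalId.
AP_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "month-end-recon"}},
    }],
}

# Weak variant: trusts an account nobody signed off on, with no condition at all.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "222222222222"}, "Action": "sts:AssumeRole"}],
}

# Bucket policy limiting a bucket to two named users in the same account.
REPORTS_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::123456789012:user/alice", "arn:aws:iam::123456789012:user/bob"]},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"],
    }],
}

# The classic mistake: a public-read bucket.
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::reports-bucket/*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_arns(principal):
    """Flatten a Principal element into ARNs; a bare account ID means that account's root."""
    if principal == "*":
        return ["*"]
    arns = []
    for kind, values in principal.items():  # AWS, Service, Federated, ...
        for value in _as_list(values):
            if kind != "AWS":
                arns.append(f"{kind}:{value}")  # kept but not judged below
            elif value == "*":
                arns.append("*")
            elif re.fullmatch(r"\d{12}", value):
                arns.append(f"arn:aws:iam::{value}:root")
            else:
                arns.append(value)
    return arns


def audit_policy(policy, own_account, trusted_accounts):
    """Return (statement_index, finding) tuples for Allow statements with a Principal."""
    findings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or "Principal" not in stmt:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        condition = stmt.get("Condition", {})
        condition_keys = {key.lower() for block in condition.values() for key in block}
        for arn in principal_arns(stmt["Principal"]):
            if arn == "*":
                if not condition:
                    findings.append((index, "anonymous principal (*) without any condition"))
                continue
            match = ACCOUNT_RE.match(arn)
            if not match:
                continue  # Service/Federated principals are out of scope here
            account = match.group(1)
            if account == own_account:
                continue
            if account not in trusted_accounts:
                findings.append((index, f"principal from unexpected account {account}: {arn}"))
            if actions & {"sts:assumerole", "sts:*", "*"} and not (
                condition_keys & {"sts:externalid", "aws:multifactorauthpresent"}
            ):
                findings.append((index, f"cross-account AssumeRole from {account} without ExternalId or MFA condition"))
    return findings


if __name__ == "__main__":
    for name, policy in [("AP role trust", AP_ROLE_TRUST_POLICY), ("weak trust", WEAK_TRUST_POLICY),
                         ("reports bucket", REPORTS_BUCKET_POLICY), ("public bucket", PUBLIC_BUCKET_POLICY)]:
        print(name, "->", audit_policy(policy, OWN_ACCOUNT, TRUSTED_ACCOUNTS) or "clean")
```

The ExternalId check matters for the month-end scenario: trusting another account's root lets any principal in that account with sts:AssumeRole permission assume the role, so the condition (or an MFA requirement) is what narrows it to the intended caller and defends against the confused-deputy problem.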

47
Q

You would like to give an application running on one of your EC2 instances access to an S3 bucket. What is the best way to implement this?

A

Assign the instance an IAM role

The recommended method to give permissions to apps running on EC2 is an IAM role attached to the instance (via an instance profile). The application obtains short-lived credentials from the instance metadata service, so no access keys have to be stored on the instance.

48
Q

Identity vs. entity vs. principal in IAM

A

An IAM identity is a resource that can be identified and have policies attached: a user, a group or a role. An IAM entity is an identity that can authenticate, i.e. a user or a role (groups cannot sign requests). A principal is the person or application that uses an entity's credentials to sign a request; when it does so, the permissions of that identity apply.