Security and Compliance

Question 1

Which service has a feature to download a report including the status of passwords and MFA devices?

Answer 1

IAM

Question 2

Where do you create access keys for accessing AWS via the CLI?

Answer 2

IAM

Question 3

Where do you control access to mobile and web applications?

Answer 3

Cognito

Question 4

What does Macie do?

Answer 4

Uses ML to discover and protects sensitive data in S3

Question 5

What does Shield do?

Answer 5

It is a managed DDoS protection service, giving notifications of suspected attacks and assistance from AWS during the attack.

Question 6

Pillar of the Well-Architected Framework that includes the use of information gathered through a workload process evaluation to drive adoption of new services or resources when they become available?

Answer 6

Performance Efficiency - the effective use of resources to meet demand.

Question 7

What are the 6 pillars of the Well-Architected Framework?

Answer 7

Cost optimisation
Operational excellence
Reliability
Performance efficiency
Sustainability+Security

CORPS

Question 8

Whose responsibility is it to manage the Lambda runtime environment?

Answer 8

AWS

Question 9

Whose responsibility is it to manage the versions of Lambda function code?

Answer 9

Your’s

Question 10

Which service automatically and continually scans an S3 bucket for mobile app users’ addresses?

Answer 10

Macie - uses ML to discover sensitive data stored on Amazon S3

Question 11

Which is the most efficient AWS feature to allow a company to restrict IAM users from making changes to a common admin IAM role created in all accounts in their organisation?

Answer 11

Service control policies (SCPs).

A feature of Organizations that allows you to create permissions/guardrails that apply to all accounts in a given organization

Question 12

What is the best way to give S3 access to all applications running on an EC2 instance?

Answer 12

Use an instance profile to pass an IAM role with S3 permissions to the EC2 instance.

Question 13

Why would you not use a policy to give S3 access to all applications running on an EC2 instance?

Answer 13

Policies are used to manage permissions for IAM users, groups, and roles, not applications

Question 14

How would you solve an issue of an employee not being able to perform any RDS actions on the Clients table?

Answer 14

Add the user to the group that has the necessary permission policy.

Create an identity-based policy.

Question 15

Who is responsible for managing network traffic?

Answer 15

You. Includes security group firewall configuration.

Question 16

Who is responsible for maintaining networking components?

Answer 16

AWS. Includes generators, uninterruptible power supply (UPS) systems, computer room air conditioning (CRAC) units, fire suppression systems, etc.

Question 17

What is GuardDuty?

Answer 17

An intelligent threat detection system than uncovers unauthorised behaviour.

Question 18

Which services can be used to prevent DDoS attacks?

Answer 18

AWS Shield Standard provides free protection against common and frequently occurring DDoS attacks.

Shield Advanced provides enhanced protections and 24/7 access to AWS experts for a fee, and is supported on Route 53, CloudFront, Elastic Load Balancing, AWS Global Accelerator.

Web Application Firewall (WAF) offers a “rate-based” rule that protects you from web-layer DDoS attacks, brute-force login attemps, and bots.

Question 19

Which service powers the creation of encrypted EBS volumes for EC2?

Answer 19

Key Management Service (KMS).

You can specify a KMS customer master key when you create an encrypted Amazon EBS volume.

Question 20

What is CloudHSM?

Answer 20

A hardware security module (HSM).

Generates encryption keys.

Used for handling encryption keys in AWS (not with EBS Volume Encryption)

Question 21

What does a developer need to log into an EC2 instance via SSH from their local machine?

Answer 21

Private key

SSH client

Question 22

What is KMS used for?

Answer 22

Generating keys for encrypting and decrypting data

Question 23

Which of these tasks require you to be signed in with root user credentials?

Close an AWS account

Changing the email address associated with the account

Configuring an S3 bucket to enable MFA

Creating a user with administrative access

Activating IAM access to Billing and Cost Management console

Modifying the support plan

Answer 23

Close an AWS account

Changing the email address associated with the account

Configuring an S3 bucket to enable MFA

Activating IAM access to Billing and Cost Management console

Question 24

Which security item is needed for developers to interact with AWS from the CLI?

Answer 24

Access key

Question 25

Which service allows grouping users together and applying permissions to them as a group?

Answer 25

AWS IAM

Question 26

Which service scans the contents of incoming or outgoing traffic for known attacks?

Answer 26

WAF

Question 27

What is the most efficient intelligent threat detection service for analysing malicious/unauthorised activity and continuously monitor CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs?

Answer 27

Amazon GuardDuty

Question 28

Which service assesses software vulnerabilities and unintended network exposure of your EC2 instances?

Answer 28

Amazon Inspector

Question 29

What is Amazon Inspector?

Answer 29

An automated vulnerability management service.

Continually scans EC2 and container workloads for software vulnerabilities and unintended network exposure.

Question 30

What is WAF?

Answer 30

Helps protect web applications from attacks

Allows you to configure rules that allow, block, or monitor web requests

Considers conditions such as
* IP addresses
* HTTP headers
* HTTP body
* URI strings
* SQL injection
* cross-site scripting

Question 31

Does AWS Shield Standard provide post-attack analysis?

Answer 31

No

Question 32

Does AWS Shield Standard provide network flow monitoring?

Answer 32

Yes

Question 33

Does AWS Shield Standard provide assistance with protection from common DDoS attacks?

Answer 33

Yes

Question 34

Does AWS Shield Standard reimburse related Route 53, CloudFront, and ELB DDoS charges?

Answer 34

No

Question 35

What does AWS Shield Standard do?

Answer 35

Safeguards web applications.

Its features include network flow monitoring and assistance with protection from common DDoS attacks

Question 36

What type of logs does CloudWatch produce?

Answer 36

Application-based logs

Question 37

What does CloudTrail do?

Answer 37

Provides visibility to API call activity for AWS infrastructure and other services

Question 38

What should be used to set up a virtual firewall for an EC2 instance?

Answer 38

Security group

Question 39

What does a security group do?

Answer 39

Acts as a firewall to protect your EC2 instance by controlling inbound and outbound traffic

Question 40

What does a Network ACL (NACL) do?

Answer 40

Acts as a firewall at the subnet level

Question 41

When attaching policies to users, groups, and roles, are you attaching the policies to:
* Principals
* Entities, or
* Identities

Answer 41

Identities

Question 42

What are principals?

Answer 42

A person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS

Question 43

What are identities?

Answer 43

IAM resource objects that are used to identify and group e.g. users, groups, roles

Question 44

What are entities?

Answer 44

The users (IAM and federated) and roles that are created and used for authentication

Question 45

What is the difference between KMS and Secrets Manager?

Answer 45

KMS:
Generate and store encryption keys
SM:
Manage and retrieve secrets (passwords/keys)

Question 46

Which AWS feature can be used to manage and automate tasks on many resources?

Answer 46

Resource groups