Security and Compliance

Question 1

Patch Management - like for RDS its AWS responsibility but for EC2 software patch management is customer responsibility
Awareness and Training -like AWS gives this to their employees and you give it to your employees
Configuration Management

Answer 1

Shared Responsibility

Question 2

The attacker uses BOT requests to the application server which is unable to service genuine user’s requests due to overload from BOT requests.

Answer 2

DDoS

Question 3

Free and enabled for all customers against DDoS attack
Provides Layer 3 and 4 attacks and reflection attacks

Answer 3

AWS Shield Standard

Question 4

Paid and 24/7 DDoS protection and support

Answer 4

AWS Shield Advanced

Question 5

Filter requests based on rules and placed on Layer 7 like Application Load Balancer, API Gateway and CloudFront.
Protection against web exploits
Define Web ACL - filter based on IP addresses, HTTP header, body and URI strings, geo matching, rate based rules
Protects against SQL Injection and Cross Site Scripting (XSS)

Answer 5

AWS WAF(Web Application Firewall)

Question 6

Provide protection at Edge location when used along with Shield Architecture
Route 53 is protected by shield and routes the requests to CloudFront. CloudFront is also protected by shield and it caches the content on edge location
Use AWS WAF at CloudFront to filter the requests based on rules
Use Load Balancer on public subnet to scale the load at network level
Then behind load balancer user EC2 instances with ASG

Answer 6

CloudFront and Route 53

Question 7

Protect VPC overall from Layer 3 to 7.This operates at VPC level unlike Web ACL that operates at subnet level

Answer 7

AWS Network Firewall

Question 8

Simulated DDoS attacks, Port, Protocol and Request Flooding is not allowed

Answer 8

Penetration Testing

Question 9

the AWS encryption service and keys are managed by AWS. What is it called?

Answer 9

KMS

Question 10

AWS only provisions encryption hardware and encryption keys are managed by customer

Answer 10

CloudHSM(Hardware security module)

Question 11

Customer Master Keys
1. Customer managed CMK
2. AWS managed CMK
3. AWS owned CMK
4. Cloud HSM keys(found under custom key store)
For CloudTrail and Glacier S3 encryption is enabled by default

Answer 11

CMK

Question 12

Service for SSL/TLS certificates

Answer 12

ACM(AWS Certificate Manager)

Question 13

Store and Rotate passwords (Rotation using custom Lambda function)Integrated with Amazon RDSEncrypted using KMS

Answer 13

Secrets Manager

Question 14

Portal that provides AWS compliance and AWS agreement documents

Answer 14

AWS Artifacts

Question 15

Threat Detective Service
Detects anomalies in AWS account
Input is from CloudTrail logs, VPC flow logs, DNS logs, S3 logs, EBS logs, Lambda network activity, RDS and Aurora login logs, EKS audit logs and output can be sent to EventBridge to generate SNS or Lambda function

Answer 15

Amazon GuardDuty

Question 16

Run automated security assessments only on running EC2 instances, Lambda functions and Container images
ECR Check for OS, S/w vulnerabilities and network reachability
EC2 Reports its findings into AWS Security Hub and Amazon Event Bridge

Answer 16

Amazon Inspector

Question 17

Helps auditing and recording compliance of the AWS resources
It records the configurations and their changes over time

Answer 17

AWS Config

Question 18

Fully managed data security and data privacy service uses ML
Alert agains PII

Answer 18

AWS Macie

Question 19

Dashboard to manage security across several AWS accounts and automate security checksAggregates alerts from Config, Guard Duty, Inspector, Macie, iAM Access Analyzer, Systems Manager, Firewall, Health, Partnet Network Solutions

Answer 19

AWS Security Hub

Question 20

To analyze the root cause of security issues using ML and graphs

Answer 20

Amazon Detective

Question 21

Report suspected AWS resources used for abuse or illegal purpose

Answer 21

AWS Abuse

Question 22

Change the account settings, such as the account name, the email address, the root user password and root user access keys
View certain tax invoices
Close your account
Restore IAM user permissions
Change or cancel your AWS Support plan
Register as a seller in the Reserved Instance Marketplace
To configure an Amazon S3 bucket to enable MFA
To edit or delete an S3 bucket policy that is getting an invalid VPC ID or VPC endpoint ID
To sign up for GovCloud as well.

Answer 22

Root User Priviledges

Question 23

Track API calls made by users within the account

Answer 23

CloudTrail

Question 24

To identify which resources are shared externally outside your zone of trust

Answer 24

iAM Access Analyzer