Security and Compliance Flashcards

1
Q

What are the security and compliance sections?

A

Shared Responsibility Model
Well-Architected Framework

Security
Encryption
Secrets Management

2
Q

What are the Security services?

A

Identity and Access Management (IAM)
Web Application Firewall (WAF)
Shield
Macie
Config
GuardDuty
Inspector
Artifact
Cognito

3
Q

What are the encryption services?

A

KMS (Key Management Service)
CloudHSM (Hardware Security Module)

4
Q

What is the shared responsibility model?

A

Customer
Security in the Cloud

AWS
Security of the Cloud

5
Q

Shared responsibility model - Firewall configuration

A

Customer

6
Q

Shared responsibility model - Data center security for the physical building

A

AWS

7
Q

Shared responsibility model - Encryption of EBS volumes

A

Customer

8
Q

Shared responsibility model - Language versions of Lambda

A

AWS

9
Q

Shared responsibility model - Taking database backups and RDS

A

Customer - it’s your data

10
Q

Shared responsibility model - Updating the firmware on the underlying EC2 host

A

AWS

11
Q

Shared responsibility model - Ensuring data is encrypted at rest

A

Customer

12
Q

Shared responsibility model - Managing the network infrastructure architecture

A

AWS

13
Q

Shared responsibility model - Patching the guest operating system for EC2

A

Customer

14
Q

Shared responsibility model - Physically destroying storage media at end of life

A

AWS

15
Q

How do you report abuse of AWS resources if you suspect there has been a security breach and/or abuse of your AWS resources?

A

Contact the AWS Trust & Safety team using the Report Amazon AWS abuse form or by contacting abuse@amazonaws.com.

16
Q

What are the 6 pillars of the Well-Architected Framework?

A

Operational Excellence
Security
Reliability - ALWAYS GET THIS WRONG!
Performance Efficiency
Cost Optimization
Sustainability

17
Q

What do the 6 pillars of the Well-Architected Framework do?

A

The 6 pillars of the Well-Architected Framework describe design
principles and best practices for running workloads in the cloud.

18
Q

What is operational excellence?

A

This pillar focuses on creating applications that effectively support production workflows.
You’ll need to plan for and anticipate failure by identifying your most critical failure points and making sure there’s redundancy.
You’ll want to deploy smaller, reversible changes. This is often done through infrastructure as code,
which is a way to version control your AWS infrastructure.
You’ll also want to script operations as code, learn from failure, and refine.

19
Q

What is the security pillar?

A

The security pillar focuses on putting mechanisms in place that help protect your systems and data.
It’s very important to understand this pillar and proactively seek out the best practices.
You’ll want to automate security tasks like logging and risk mitigation, and encrypt data in transit and at rest.
You’ll want to make sure not to give any users or applications privileges that they don’t need.
You’ll also want to be able to track who did what and when through services like CloudTrail.
And finally, you want to consider all application layers in your security profile.
Securing your AWS account doesn’t do much good if the databases for your applications are open to the world.

20
Q

What is the Reliability pillar?

A

This pillar focuses on designing systems that work consistently and recover quickly.
Much like the operational excellence pillar, you want to make sure you understand where your applications can fail
and how you can have them recover automatically.
It’s also best practice to scale horizontally rather than vertically for resilience.
For example, if you have 5 EC2 instances serving traffic and one of them goes down, that’s not necessarily a huge deal.
But if you have one big instance serving traffic and that one fails, then none of your users can access the application.
You also want to reduce idle resources, manage change through automation, and test all of your recovery procedures.

21
Q

What is the Performance Efficiency pillar?

A

The performance efficiency pillar focuses on the effective use of computing resources
to meet system and business requirements while removing bottlenecks.
In other words, you want to understand your performance targets and where you’re underperforming as well as where you’re overperforming.
You should use serverless architectures first, meaning you should leverage AWS managed services as much as you can because they’re already optimized for the cloud.
You should use multi-region deployments.
If you use only one region, users across the globe may not get the best performance out of your application.
When appropriate, you should consider delegating tasks to a cloud vendor or experimenting with virtual resources to make sure your team is focused on the challenges that are unique to your cloud ecosystem.

22
Q

What is the Cost Optimization Pillar?

A

The cost optimization pillar focuses on delivering optimum and resilient solutions at the least cost.
Whenever possible, you should utilize consumption-based pricing.
You should also implement cloud financial management to measure and understand the costs you’re incurring.
You should measure your overall efficiency to make sure that you’re not paying for resources that aren’t being used.
And finally, you should pay only for resources your application requires.
It’s important to keep your accounts clean of unneeded resources.

23
Q

What is the Sustainability pillar?

A

This pillar focuses on environmental impacts, especially energy consumption and efficiency.
It’s important that you understand and measure your impact by establishing sustainability goals.
Just like cost optimization, you want to maximize your utilization and not pay for idle resources.
Using managed services that are optimized for efficiency in the cloud can also reduce your environmental impact.
And finally, you want to consider what your downstream impact is.
What is your application built for, and is it good for the earth?

24
Q

How might you use the Operational Excellence pillar?

A

You may consider using CodeCommit to make sure your code has version control.
You should even version control your CloudFormation templates, which define your infrastructure as code.

25
Q

How might you use the security pillar?

A

You can think about CloudTrail and logging all of the actions that are taken within your AWS account.

26
Q

How might you use the reliability pillar?

A

If one availability zone fails, I know that there’s a backup RDS instance ready to take on my database traffic.

27
Q

How might you use the performance efficiency pillar?

A

I think of Lambda. It reduces the administration needed to run your code, and it only runs on demand.

28
Q

How might you use the cost optimization pillar?

A

Think of S3 Intelligent-Tiering, which automatically moves data between access tiers based on how frequently it’s accessed.

29
Q

How might you use the sustainability pillar?

A

Think about EC2 Auto Scaling. If you’re using EC2, you want to make sure you can scale out to meet demand.
But just as important is being able to scale back in when demand is low.
Not only is it better for the planet, but it’s better for your wallet as well.

30
Q

What are the two components of IAM?

A

Users
Groups

31
Q

What is the principle of least privilege?

A

This involves giving a user the minimum access required to get the job done.
By default, a brand new user doesn’t have permissions to do anything.
So when you set them up, don’t give them full access.
Just give them the access they need.

32
Q

What is IAM?

A

IAM - Identity and Access Management.
It allows you to control who can access your AWS services and resources, and what they can do with them.

33
Q

What are AWS Users?

A

An IAM feature - Users are entities that you create in IAM to represent the person or application that needs to access your AWS resources.

Did you know applications can also be users?
You’ll create a user in IAM so you can generate access keys for an application, let’s say one that’s running on premises,
that needs access to your cloud resources.

Don’t forget: any activity they perform in your account is billed to your account, and you have to pay that bill.

34
Q

What are AWS Groups?

A

An IAM feature - A group is a collection of IAM users that helps you apply common access controls to all group members.

35
Q

What’s the difference between authentication and authorization?

A

Authentication is who; authorization is what.
Authentication is where you present your identity, let’s say your username, and provide verification such as your password.
Authorization then determines which services and resources the authenticated identity has access to.

36
Q

What are IAM Roles?

A

Roles define access permissions and are temporarily assumed by an IAM user or service.
You assume a role to perform a task in a single session.
A role can be assumed by any user or service that needs it.
Access is assigned using policies.
Roles also let you grant users in one AWS account access to resources in another AWS account.

37
Q

What are IAM Policies?

A

You manage permissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it.

38
Q

What are the IAM best practices?

A

There are several recommended best practices for IAM.

Enable MFA for privileged users.
You should enable multi-factor authentication (MFA) for the root user and other administrative users.

Implement Strong Password Policies
You should require IAM users to change their passwords after a specified period of time, prevent users from reusing previous passwords, and rotate security credentials regularly.

Create individual users instead of using root.
You shouldn’t use the root user for daily tasks.

Use roles for Amazon EC2 instances.
You should use roles for applications that run on EC2 instances instead of long-term credentials like access keys.

IAM Credential Report
The IAM credential report lists all users in your account and the status of their various credentials.

Lists all users and the status of their passwords, access keys, and MFA devices
Used for auditing and compliance

39
Q

What is the IAM Credential Report?

A

IAM Credential Report
The IAM credential report lists all users in your account and the status of their various credentials.

Lists all users and the status of their passwords, access keys, and MFA devices
Used for auditing and compliance

40
Q

What are the Application Security Services?

A

Application Security Services
WAF
Shield
Macie

41
Q

What do the Application Security Services do?

A

AWS has several software-based security tools available to help you monitor and protect your resources.

42
Q

What is WAF?

A

Web Application Firewall

43
Q

What does WAF do?

A

WAF protects against SQL injection and cross-site scripting attacks.

WAF helps protect your web applications against common web attacks.
Protects apps against common attack patterns
Protects against SQL injection
Protects against cross-site scripting

44
Q

Where can you deploy WAF?

A

Deploy a web app on EC2 and protect it from cross-site scripting attacks using WAF.
You can deploy WAF on CloudFront as part of your CDN solution to block malicious traffic.

45
Q

What is Shield?

A

Shield provides DDoS protection and works with CloudFront, Route 53, Elastic Load Balancing, and AWS Global Accelerator.

Distributed Denial of Service (DDoS)
A DDoS attack causes a traffic jam on a website or web application in an attempt to cause it to crash.
Shield is a managed Distributed Denial of Service (DDoS) protection service.

Always-on detection
Shield Standard is free
Shield Advanced is a paid service

Shield Standard
	Provides free protection against common and frequently occurring attacks
Shield Advanced
	Provides enhanced protections and 24/7 access to AWS experts for a fee

DDoS protection via Shield Advanced is supported on several services.
	CloudFront
	Route 53
	Elastic Load Balancing
	AWS Global Accelerator

Shield Advanced will give you notifications of DDoS attacks via CloudWatch metrics.
Additionally, with Shield Advanced, you have 24/7 access to AWS experts to assist during an attack.

46
Q

What is Macie?

A

Macie helps you find sensitive information.

Macie helps you discover and protect sensitive data.
Uses machine learning
Evaluates S3 environment
Uncovers personally identifiable information (PII)

Macie can be used to find sensitive data like passport numbers, social security numbers, and credit card numbers on S3.

47
Q

What are the 6 Additional Security Services?

A

Config
GuardDuty
Inspector
Artifact
Review
Cognito

48
Q

What is Config?

A

Config allows you to assess, audit, and evaluate the configurations of your resources.

Track configuration changes over time
Delivers configuration history file to S3
Notifications via Simple Notification Service (SNS) of every configuration change

Real World - Identify system-level configuration changes made to your EC2 instances.
Config allows you to record configuration changes within your EC2 instances. You can view network, software, and operating system (OS) configuration changes, system-level updates, and more.

49
Q

What is GuardDuty?

A

GuardDuty is an intelligent threat detection system that uncovers unauthorized behavior.

Uses machine learning
Built-in detection for EC2, S3, and IAM
Reviews CloudTrail, VPC Flow Logs, and DNS logs

Real World - Detect unusual API calls in your account.
GuardDuty's anomaly detection feature evaluates all API requests in your account and identifies events that are associated with common techniques used by attackers.

50
Q

What is Inspector?

A

Inspector works with EC2 instances to uncover and report vulnerabilities.

Agent installed on EC2 instance 
Reports vulnerabilities found
Checks access from the internet, remote root login, vulnerable software versions, etc.

Real World - Identify unintended network access to an EC2 instance via a detailed report of security findings.
Inspector has several built-in rules to assess your EC2 instances, find vulnerabilities, and report them prioritized by level of severity.

51
Q

What is Artifact?

A

Artifact offers on-demand access to AWS security and compliance reports.

Central repository for compliance reports from third-party auditors
Service Organization Controls (SOC) reports
Payment Card Industry (PCI) reports

Real World - You need to access AWS' certification for ISO compliance.
Artifact provides a central repository for AWS' security and compliance reports via a self-service portal.

52
Q

What is Cognito?

A

Cognito helps you control access to mobile and web applications.

Provides authentication and authorization
Helps you manage users 
Assists with user sign-up and sign-in

Real World - You need to add a social media sign-in to your web application.
Cognito provides functionality that allows your users to sign in to your application through social media accounts like Facebook and Google.

53
Q

What are the data encryption services?

A

KMS
HSM (Hardware Security Module)

54
Q

What is KMS?

A

Key Management Service (KMS)
AWS manages KMS keys

KMS allows you to generate and store encryption keys.
Key generator
Store and control keys
AWS manages encryption keys
Automatically enabled for certain services

55
Q

What is CloudHSM?

A

CloudHSM is a hardware security module (HSM) used to generate encryption keys.

You manage the keys generated with CloudHSM.

Dedicated hardware for security
Generate and manage your own encryption keys
AWS does not have access to your keys

Real World - Meet compliance requirements for data security by using dedicated hardware.
CloudHSM allows you to meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware in the cloud.

56
Q

What is Secrets Manager?

A

Secrets Manager allows you to manage and retrieve secrets (passwords or keys).

Secrets Manager has built-in integration for RDS, Redshift, and DocumentDB.

Rotate, manage, and retrieve secrets
Encrypt secrets at rest
Integrates with services like RDS, Redshift, and DocumentDB

Real World - Retrieve database credentials needed for your application code.
Secrets Manager allows you to retrieve database credentials with a call to the Secrets Manager APIs, removing the need to hardcode sensitive information in plain text within your application code.