Security and Compliance Flashcards

1
Q

What are the security and compliance sections?

A

Shared Responsibility Model
Well-Architected Framework
Security
Encryption
Secrets Management

2
Q

What are the Security services?

A

Identity and Access Management (IAM)
Web Application Firewall (WAF)
Shield
Macie
Config
GuardDuty
Inspector
Artifact
Cognito

3
Q

What are the encryption services?

A

KMS (Key Management Service)
CloudHSM (Hardware Security Module)

4
Q

What is the shared responsibility model?

A

Customer: Security in the Cloud
AWS: Security of the Cloud

5
Q

Shared responsibility model - Firewall configuration

A

Customer

6
Q

Shared responsibility model - Data center security for the physical building

A

AWS

7
Q

Shared responsibility model - Encryption of EBS volumes

A

Customer

8
Q

Shared responsibility model - Language versions of Lambda

A

AWS

9
Q

Shared responsibility model - Taking database backups in RDS

A

Customer - it’s your data

10
Q

Shared responsibility model - Updating the firmware on the underlying EC2 host

A

AWS

11
Q

Shared responsibility model - Ensuring data is encrypted at rest

A

Customer

12
Q

Shared responsibility model - Managing the network infrastructure architecture

A

AWS

13
Q

Shared responsibility model - Patching the guest operating system for EC2

A

Customer

14
Q

Shared responsibility model - Physically destroying storage media at the end of its life

A

AWS

15
Q

How do you report abuse of AWS resources? If you suspect there has been a security breach and/or abuse of your AWS resources, what do you do?

A

Contact the AWS Trust & Safety team using the Report Amazon AWS abuse form or by contacting abuse@amazonaws.com.

16
Q

What are the two components of IAM?

A

Users
Groups

17
Q

What is the principle of least privilege?

A

This involves giving a user the minimum access required to get the job done. By default, a brand new user doesn’t have permissions to do anything. So when you set them up, don’t give them full access. Just give them the access they need.

18
Q

What is IAM?

A

IAM - Identity and Access Management. It allows you to control access to your AWS services and resources.

19
Q

What are AWS Users?

A

An IAM feature. Users are entities that you create in IAM to represent the person or application needing to access your AWS resources. Did you know applications can also be users? You'll create a user in IAM so you can generate access keys for an application, let's say one that's running on premises, that needs access to your cloud resources. Don't forget, any activity they perform in your account is billed to your account and you have to pay that bill.

20
Q

What are AWS Groups?

A

An IAM feature. A group is a collection of IAM users that helps you apply common access controls to all group members.

21
Q

What’s the difference between authentication and authorization?

A

Authentication is who; authorization is what. Authentication is where you present your identity (say, your username) and provide verification (like your password). Authorization then determines which services and resources the authenticated identity has access to.

22
Q

What are IAM Roles?

A

Roles define access permissions and are temporarily assumed by an IAM user or service. You assume a role to perform a task in a single session. A role can be assumed by any user or service that needs it, and its access is assigned using policies. Roles also let you grant users in one AWS account access to resources in another AWS account.

23
Q

What are IAM Policies?

A

You manage permissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it.

24
Q

What are the IAM best practices?

A

There are several recommended best practices for IAM.
- Enable MFA for privileged users. You should enable multi-factor authentication (MFA) for the root user and other administrative users.
- Implement strong password policies. You should require IAM users to change their passwords after a specified period of time, prevent users from reusing previous passwords, and rotate security credentials regularly.
- Create individual users instead of using root. You shouldn't use the root user for daily tasks.
- Use roles for Amazon EC2 instances. You should use roles for applications that run on EC2 instances instead of long-term credentials like access keys.
- Use the IAM Credential Report. The IAM credential report lists all users in your account and the status of their various credentials (passwords, access keys, and MFA devices). It is used for auditing and compliance.

25
Q

What is the IAM Credential Report?

A

The IAM credential report lists all users in your account and the status of their various credentials.
- Lists all users and the status of their passwords, access keys, and MFA devices
- Used for auditing and compliance

26
Q

What are the Application Security Services?

A

WAF
Shield
Macie

27
Q

What do the Application Security Services do?

A

AWS has several software-based security tools available to help you monitor and protect your resources.

28
Q

What is WAF?

A

Web Application Firewall

29
Q

What does WAF do?

A

WAF helps protect your web applications against common web attacks.
- Protects apps against common attack patterns
- Protects against SQL injection
- Protects against cross-site scripting

30
Q

Where can you deploy WAF?

A

Deploy a web app on EC2 and protect it from cross-site scripting attacks using WAF. You can also deploy WAF on CloudFront as part of your CDN solution to block malicious traffic.

31
Q

What is Shield?

A

Shield is a managed Distributed Denial of Service (DDoS) protection service. A DDoS attack causes a traffic jam on a website or web application in an attempt to cause it to crash.
- Always-on detection
- Shield Standard is free and provides protection against common and frequently occurring attacks
- Shield Advanced is a paid service that provides enhanced protections and 24/7 access to AWS experts to assist during an attack
- Shield Advanced gives you notifications of DDoS attacks via CloudWatch metrics
DDoS protection via Shield Advanced is supported on CloudFront, Route 53, Elastic Load Balancing, and AWS Global Accelerator.

32
Q

What is Macie?

A

Macie helps you discover and protect sensitive data.
- Uses machine learning
- Evaluates your S3 environment
- Uncovers personally identifiable information (PII)
Macie can be used to find sensitive data like passport numbers, social security numbers, and credit card numbers on S3.

33
Q

What are the 6 Additional Security Services?

A

Config
GuardDuty
Inspector
Artifact
Review
Cognito

34
Q

What is Config?

A

Config allows you to assess, audit, and evaluate the configurations of your resources.
- Tracks configuration changes over time
- Delivers a configuration history file to S3
- Notifications via Simple Notification Service (SNS) of every configuration change
Real World - Identify system-level configuration changes made to your EC2 instances. Config allows you to record configuration changes within your EC2 instances. You can view network, software, and operating system (OS) configuration changes, system-level updates, and more.

35
Q

What is GuardDuty?

A

GuardDuty is an intelligent threat detection system that uncovers unauthorized behavior.
- Uses machine learning
- Built-in detection for EC2, S3, and IAM
- Reviews CloudTrail, VPC Flow Logs, and DNS logs
Real World - Detect unusual API calls in your account. GuardDuty's anomaly detection feature evaluates all API requests in your account and identifies events that are associated with common techniques used by attackers.

36
Q

What is Inspector?

A

Inspector works with EC2 instances to uncover and report vulnerabilities.
- Agent installed on the EC2 instance
- Reports vulnerabilities found
- Checks access from the internet, remote root login, vulnerable software versions, etc.
Real World - Identify unintended network access to an EC2 instance via a detailed report of security findings. Inspector has several built-in rules to assess your EC2 instances, find vulnerabilities, and report them prioritized by level of severity.

37
Q

What is Artifact?

A

Artifact offers on-demand access to AWS security and compliance reports.
- Central repository for compliance reports from third-party auditors
- Service Organization Controls (SOC) reports
- Payment Card Industry (PCI) reports
Real World - You need to access AWS' certification for ISO compliance. Artifact provides a central repository for AWS' security and compliance reports via a self-service portal.

38
Q

What is Cognito?

A

Cognito helps you control access to mobile and web applications.
- Provides authentication and authorization
- Helps you manage users
- Assists with user sign-up and sign-in
Real World - You need to add a social media sign-in to your web application. Cognito provides functionality that allows your users to sign in to your application through social media accounts like Facebook and Google.

39
Q

What are the data encryption services?

A

KMS
HSM (Hardware Security Module)

40
Q

What is KMS?

A

Key Management Service (KMS) allows you to generate and store encryption keys.
- Key generator
- Store and control keys
- AWS manages the encryption keys
- Automatically enabled for certain services

41
Q

What is CloudHSM?

A

CloudHSM is a hardware security module (HSM) used to generate encryption keys. You manage the keys generated with CloudHSM.
- Dedicated hardware for security
- Generate and manage your own encryption keys
- AWS does not have access to your keys
Real World - Meet compliance requirements for data security by using dedicated hardware. CloudHSM allows you to meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware in the cloud.

42
Q

What is Secrets Manager?

A

Secrets Manager allows you to manage and retrieve secrets (passwords or keys).
- Rotate, manage, and retrieve secrets
- Encrypt secrets at rest
- Built-in integration with services like RDS, Redshift, and DocumentDB
Real World - Retrieve database credentials needed for your application code. Secrets Manager allows you to retrieve database credentials with a call to the Secrets Manager APIs, removing the need to hardcode sensitive information in plain text within your application code.