Security and Compliance Flashcards
What framework specified requirements for establishing implementing operating monitoring reviewing maintaining and improving a documented information security management system
ISO 27001:2005
What framework is government wide program that provides a standardized approach to security assessment authorization and continuous monitoring for cloud services
Fed ramp
What framework has the goal of the level to make it easier for people keep health insurance protect confidentiality and security of health information
HIPAA
What framework is focused on critical infrastructure cyber security
NIST
What framework is a widely accepted set of policies to optimize the scrutiny of card transactions
PCI
What AWS service protects against DDOS attacks
AWS shield
What technologies mitigate a DDOS attack?
ELB Route53 Cloudfront wAF Auto scaling Cloudwatch
Do you need to request pen test authorization if you plan on using a pen testing product from the AWS marketplace?
Yes
What tools can you use to create custom policies?
JSON
Visual editor
When can you attach roles to EC2 instances?
Anytime
When does a policy change take effect when made
Immediately
How can you enable MFA
CLI
Console
What service enables you to enforce MFA at the command line?
STS
What service allow temporary access to AWS resources?
STS
What are three STS sources
Federation AD
Federation mobile apps
Cross account access
What are the four logging services in AWS?
Cloudtrail
Config
Cloudwatch logs
VPC flow logs
What logging service tracks API calls?
Cloudtrail
What log service track all configure changes?
AWS config
What log service tracks network traffic?
VPC flow logs
Who can access AWS hypervisors?
AWS administrators
Do you need to scrub you EC2 instances before dcom?
No AWS will scrub post dcom and reallocation
Can you deploy a Linux system with HVM?
No. Windows only.
How is PV configured?
Hardware in ring 0
Guest in layer 1 and apps in layer 3
Can AWS staff access you EC2 instance?
No
You need to deploy an instance and ensure sockets, cored and host is is visible. As well as the affinity between host and instance. The instance placement must be targeted
Dedicated hosts
Your software is server bound. What AWS option can fulfill this need?
Dedicated hosts
Your administrator discovered a bug and you need to change a setting in thousands of instances
Ensure instances are tagged
Specify tag in run command
Ensure instances have a system manager role assigned
Can you use SSM with on prem?
Yes, you will need to install SSM agent
What service allows you to store information such as users, passwords, license keys to pass to a bootstrap script?
System manager parameter store
T or F
System manger parameter store forces you to store values as encrypted?
False
You can use plain text also
What is a S3 pre-signed URL?
T
What is the command to created an S3 pre-signed URL from the CLI? Also ensure it expires in 300 seconds
aws s3 presign S3://bucket name/file name —expires-in 300
What is the default length of time presigned urls exist for?
1 hour
What are two key AWS S3 config rules
Bucket write prohibited
Bucket read prohibited
What service does AWS inspector provide
Security assessment to improve security and compliance
Your manager has asked for detailed list of security issues prioritized by severity and put into a report
Use AWS inspector
Your manager has asked you to review the AWS infrastructure to identify ways to reduce cost, increase performance and improve security. What service should you use?
Trusted advisor
What subscription do you need to unlock all trusted advisor recommendations?
Business or enterprise
What are the 4 AWS inspector rules packages?
Common vuln
CIS operating system sec config bench
Sec BP
Runtime behaviour analysis
What are the 4 things trusted advisor will check?
Cost optimization
Availability
performance
Security
Sec groups are state full what does that mean?
If you open an inbound port the outbound port is also opened
What port does SQL use
1433
What port does http use?
80
What port does ssh use
22
You want to know you keeps provisioning instances in a large env when you have hundreds of developers with access?
Cloudtrail stores logs in S3, use Athena to grep out
You are being audited and it has been requested you provide all the AWS compliance docs. How can you gather all these?
AWS artifact
What is cloudHSM?
Cloud based hardware security module
What is the difference between KMA and cloudHSM?
KMS is shared tenancy
CloudHSM provides isolated hardware to store and provides FIPS
What services can be encrypted instantly
S3
What services would require a migration to occur to facilitate a requirement to encrypt existing data
DynamoDB
RDS
EFS
EBS