Security and Compliance

Question 1

ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information securit management system within the contect of teh organization’s overall business risks.

Answer 1

sure thing

Question 2

the federal risk and authorization management program, or fedramp is a government wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Answer 2

yuppers

Question 3

HIPPA is the federal health insurance portability and accountability act of 1996. the primary goal of the law is to make it easier for people to keep health insurance, protct the confidentiality and security of healthcare information and help the healcare industry control administrative costs.

Answer 3

yes

Question 4

framework for improving critical infrastructure cybersecurity

“…a set of industry standards and best practices to help organizations manage cybersecurity risks.”

Question 5

The payment card industry daat security standard PCI DSS is a widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information.

Question 6

PCI DSS v3.2

Build and maintain a secure network and systems

requirement1 : install and maintain a firewall config to protect cardholder data

requirement 2: do not use vendor supplied defaults for system password and other security parameters.

requierment 3: protect stored cardholder data

requierment 4: encrypt transmission of cardhoder data across open, public networks

requirement 5: protect all systems against malwayre and regularly upate anti virus software or programs

requirement 6: develop and maintain secure systems and applications

requirement 7: restrict accesst to cardholder data by business need to know

requirement 8: identify and authenticate access to ssytem components

requirement 9: restrict physical access to cardholder data

requirement 10: track and monitor alla ccess to network resources and cardholder data

requirement 11: regularly test security systems and processes

requirement 12: maintain a policy that adresses information security for all personnel.

Answer 6

you dont really need to know this

Question 7

SAS70 - statement on auditing standards no 70

soc1 - service organization controls - accounting standards

FISMA - federal info sec modernization act

Question 8

FIPS 140-2 is a US gvmt computer security satndard used to approve cryptographic modules. rated from level 1 ot level 4, with 4 being th highest security. Cloud HSM meeets the level 3 standard.

Question 9

a ___ attack acan be achieved by multiple mechanisms, such as large packet floods, by using a combination of reflection and amplification techniques, or by using large botnets.

Answer 9

DDoS

Question 10

_____ attacks can include things such as NTP, SSDP, DNS, CHargen, SNMP attacks, etc. and is where an attacker may send a third prty server (such as an NTP server) a request using a spoofed IP address. That server will then respond to that request with a greater payload than initial request (usually within the region of 28x54 times larger than the request) to the spoofed IP address.

THis means that if the attacker sends a packet with a spoofed IP address of 64 bytes, teh NTP server would respond with up to 3,456 bytes of traffic. Attackers can coordinate this and use multiple NTP servers a second to send legitimate NTP traffic to the target.

Answer 10

Amplification/Reflection

Question 11

_____

free service that protects all aws customers on elastic load balancing (ELB), amazon CF and route53

• protects against SYN/UDP Floods, reflection attacks and other layer 3/layer4 attacks
• advanced provides enhanced protections for your apps running on elb, CF and route53 against larger and more sophisticated attack. $3000 per month.

Answer 11

Shield

Question 12

aws ___ ___ provides

• always on, flow based monitoring of network traffic and active app monitoring ro provide near real time notifications of DDoS attacks.
• DDoS response team (DRT) 24x7 to manage and mitigate app layer DDoS attacks.
• Protects your AWS bill against higher fees due to elastic load balancing, CF and route53 usage spike during a DDoS attack.
• $3000/month

Answer 12

Shield advanced

Question 13

what services can you use to mitigate DDoS attack?

Answer 13

CF

route53

elb’s

wafs

autoscaling

cw

Question 14

T or F

you can purchase security products from 3rd party vendors on the MP

Answer 14

T

Question 15

T or F

You can not enable MFA using the command line or by using the console

Answer 15

False, you can use both CLI and command line to enable MFA

Question 16

Can you enforce the use of MFA with teh CLI by using the ____ token service

Answer 16

STS

Question 17

You can report on who is using MFA on a per user basis using ____ _____

Answer 17

credential reports

Question 18

____ grants users limited and temporary access to AWS resources

Answer 18

STS (security token service)

Question 19

STS

____ - uses securty assertion markup language (SAML)

• grants temp access based off users AD creds
• does not need to be a user in IAM
• single sign on allows users to log in to aws console without assigning IAM creds

______ _____ - Use facebook/amazon/google/or other OpenID providers to login.

____ ___ ____ - let’s users from one aws account access resources in another

Answer 19

Federation

federation with mobile apps

cross account access

Question 20

STS key terms:

_____ combining or joining a list of users in one domain (such as IAM) with a list of users in another domain (such as AD, Facebook, etc)

______ _____ -a service that allows you to take an identity from point A an join it (federate it) to point B

_____ _____ - Services like AD, FB, Google, etc.

____ - a user of a service lik Facebook, etc.

Answer 20

Federation

Identity Broker

Identity Store

Identities

Question 21

____ is a web app firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to CF or an app loadbalancer or to API GW. it lets you control access to your content.

Answer 21

WAF

Question 22

WAF -

YOu can configure conditions such as what IP addresses are allowed to make this request or what query string parameters need to be passed for teh request to be allowed, and then the app load balancer or CF will either allow this content to be received or to give a HTTP ____ status code.

Answer 22

403

Question 23

At itsmost basic level, AWS WAF allows 3 different behaviors

• allow ___requests except the one you specify
• block ___ requests except the ones you specify
• count the requests that ___ the properties you specify

Answer 23

all

all

match

Question 24

WAF integrates with what services?

Answer 24

APP load balancers

CloudFront

API GW

Question 25

AWF does not integrate with:

Answer 25

classic load balancers

network load balancers

Question 26

A ____ or virtual machine monitor is computer software, firmware, or hardware that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called a host machine, and each virtual machine is called a guest machine.

Answer 26

hypervisor

Question 27

Ec2 currently runs on Xen hypervisors. Xen can have guest operating systems runnign as either _____ or using ___ ___ ___

Answer 27

Paravirtualization

Hardware Virtual Machine

Question 28

____ guests are fully virtualized. The VMs on top of the hypervisors are not aware that they are sharing processing time with other VMs.

___ is a lighter form of virtualization and it used ot be quicker.

Answer 28

HVM

PV

Question 29

Tips

CHoose HVM over PV where possible

• PV is isolated by layers, Guest OS sits on layer 1, Apps on layer 3
• only AWS admins have access to hypervisors
• aws staff do not have access to EC2, that is your responsibility as a customer
• all storage memory and RAM memory is scrubbed before its delivered to you.

Answer 29

yes

Question 30

_____ _____ are ec2 instances that run in a VPC on hardware thats dedicated to a single customer. You dedicated instances are physically isolated at the host hardware level from instances that belong to other AWS accounts.

Answer 30

dedicated instances

Question 31

___ ____ may share hardware with other instances from the same AWS acount that are not dedicated instances

Answer 31

dedicated instances

Question 32

pay for dedicated instances on demand, save up to ___% by purchasing reserved instances, or save up to ___% by purchasing spot instances.

Answer 32

70, 90

Question 33

___ ____ gives you additional visibility and control over how instances are palced on a physical server, and you can consistently deploy your instances to the same physical server over time. As a result, dedicated hosts enable you to use your existing server bound software licenses and address corporate compliance and regulatory requirements.

Answer 33

dedicated hosts

Question 34

dedicated instances are charged by the instance, dedicated hosts are charged by the host.

Answer 34

True

Question 35

if you have specific regulatory requirements or licensing conditions, choose dedicated hosts.

Answer 35

T

Question 36

dedicated ____ give you much better visibility into things like sockets, cores, and host id.

Answer 36

hosts

Question 37

SSM agent needs to be installed on all of your managed instances

T or F

Answer 37

T

Question 38

SSM works with on prem and in cloud

Answer 38

T

Question 39

COnfidential info such as passwords, database connection strings, and license codes can be stored in ____ ___ ___

Answer 39

SSM parameter store

Question 40

SSM you can store in plain text or encrypt the data

Answer 40

T

Question 41

in SSM you can reference values by using their names

Answer 41

T

Question 42

T or F

you can access S3 objects using pre-sgned URLS

Answer 42

T

Question 43

Presigned URLs are typically done with SDk, but can also be done using CLI

Answer 43

T

Question 44

presigned URLs exist for a certain length of time in seconds. default is ___ hour

you can change this using “–expires-in” followed by the number of seconds.

Answer 44

1

Question 45

YOu can have aws config rules with s3 -

no public read access

no pubic write access

Answer 45

remember this

Question 46

____ is an autoamted security assessment service that helps improve the security ad compliance of apps deployed on aws. ____ automatically assesses apps for vulnerabilities or deviations from best practices. after performing an assessment, ___ produces a detailed list fo security findings by lvel of severity. these findings can b reviewed directly or as part of detailed assessment reports which are available via the amazon _____ console or API

Answer 46

inspector

Question 47

___ ____ is an online resource to help you reduce cost, increase performance, adn improve security by optimizing your aws environment.

it will advise you on cost optimization, preformance, security, fault tolerance

it does core checks and recommendations

Answer 47

Trusted advisor

Question 48

what service can you use to check service limits?

Answer 48

trusted advisor

Question 49

KMs is symmetric keys only

Answer 49

T

Question 50

CloudHSM is both symmetric and asymmetric keys

Answer 50

T

Question 51

____ files are used to validate the integrity of log files

Answer 51

digest

Question 52

cloudtrail log file integrity validation:

sha-256 hashing

sha-256 with RSA for digital signing

Answer 52

t