Security and Compliance Exam Tips Flashcards

1
Q

If you need an AWS service to have multiple IAM capabilities not offered by managed Roles or policies, how can you achieve this?

A

Through a custom policy or role

2
Q

How can you create a new IAM policy?

A

Through the visual editor, or JSON

3
Q

When you attach a role to an EC2 instance, how long does it take for the effect to propagate to the server?

A

Immediately

4
Q

How long does it take for a newly attached policy to take effect on an EC2 instance?

A

Right away

5
Q

True or false: While attaching a policy or role takes effect immediately, changing a policy takes time to propagate the changes?

A

False: Changes are immediate.

6
Q

Do you attach roles to EC2 instances via the CLI, or through the console?

A

Both - another trick question

7
Q

MFA can be enabled via…

A

CLI or console

8
Q

Can MFA be enabled for both root and user accounts?

A

Yes

9
Q

Should you remember at a high level how STS token authentication works?

A

Yes.

10
Q

Which AWS services provide logging?

A

CloudTrail
Config
CloudWatch Logs
VPC Flow Logs

11
Q

True or False: CloudWatch monitors API calls?

A

False: CloudTrail monitors API calls.

12
Q

True or False: CloudWatch monitors performance?

A

True

13
Q

True or False: AWS Config records the state of your environment

A

True

14
Q

If you need to be notified of changes to your environment, which service should you use?

A

AWS Config

15
Q

While taking the exam, should you choose HVM, or PV wherever possible?

A

HVM

16
Q

Do you have access to the AWS hypervisor?

A

No

17
Q

Does AWS have access to your EC2 instances?

A

No

18
Q

Does AWS scrub all RAM and storage before allocating to a new customer?

A

Yes

19
Q

PV is isolated by layers. On which layer does the Guest OS sit? On which does the application sit?

A

Guest on layer 1

Application on layer 3

20
Q

Do dedicated instances and dedicated hosts have dedicated hardware?

21
Q

How are dedicated instances charged?

A

Per instance

22
Q

How are dedicated hosts charged?

23
Q

If you have specific licensing, regulatory or compliance requirements, should you choose dedicated instances, or hosts?

24
Q

Can dedicated instances share hardware with other non-dedicated instances within the same AWS account?

25
Do dedicated hosts give you better visibility into things like sockets, cores, and host IDs?
Yes
26
In what two ways can you select instances to run commands using Systems Manager?
Via tagged groups, or manual selection
27
Does an SSM agent need to be installed on managed instances?
Yes
28
Where are commands and parameters defined for Systems Manager?
In a Systems Manager Document
29
From where can commands be issued to EC2 instances?
AWS Console, CLI, Tools for Windows PowerShell, Systems Manager API, or Amazon SDKs
30
Can you manage on-prem systems using Systems Manager?
Yes
31
Where would you store confidential information such as passwords, license codes, etc., for later use by your systems and applications?
AWS Systems Manager Parameter Store
32
Does the Parameter Store save strings as clear text, or cipher text?
Either, depending on your needs.
33
If you need to give access to an S3 object without needing to create an account, or make it public, how would you achieve this?
Pre-signed URLs
34
How can pre-signed URLs be created?
AWS SDK or CLI
35
What time unit is pre-signed URL availability based on?
Seconds
36
What is the default availability of a newly created pre-signed URL?
1 hour (3600 seconds)
37
What CLI command would you use to change the default availability time of a pre-signed URL?
--expires-in
38
Which two AWS Config rules should you be aware of for the SysOps exam?
No Public Read Access | No Public Write Access
39
How does Inspector work?
Create an assessment target
Install agents on EC2 instances
Create assessment template
Perform assessment run
Review findings against the rules
40
For Inspector, what Rules Packages are available?
Common Vulnerabilities and Exposures
CIS Operating Systems Security Configuration Benchmarks
Security Best Practices
Runtime Behavior Analysis
41
What severity levels are there for Rules in AWS Inspector?
High
Medium
Low
Informational
42
What will an Inspector Run do?
Monitor the network, file system, and process activity
Compare what it sees to security rules
Report on security issues observed within target during run
Report findings and advise remediation
43
Will Inspector relieve you of the shared responsibility model, or perform miracles?
No, and... no.
44
What does Trusted Advisor advise on?
Cost Optimization
Availability
Performance
Security
45
Should you do more research on the shared responsibility model?
Yes
46
Are security groups stateless or stateful?
Stateful
47
What is AWS Artifact?
A place to download compliance documents, and a place to upload your compliance results for auditors and regulators.
48
True or False: A Cloud Guru practice exams will ask questions not covered in the lessons?
True. So take them, and research things that aren't covered to ensure broader understanding of AWS stuff.