Security & Compliance

Question 1

What is AWS’s responsibility with security?

Answer 1

Security OF the cloud

Question 2

What is your responsibility with security?

Answer 2

Security IN the cloud

Question 3

What are shared responsibilities with between AWS and you?

Answer 3

1. Patch Management
2. Configuration Management
3. Awareness and Training

Question 4

What is DDOS attack?

Answer 4

Distributed Denial of service

Question 5

What does AWS Shield Standard do to help against DDOS attack?

Answer 5

Protects against DDOS attack for your website and applications, for all customers at no additional cost

Question 6

What does AWS Shield Advanced do to help against DDOS attack?

Answer 6

24/7 premium DDOS protection

Question 7

What does AWS WAF (web application firewall) do to help with DDOS attack?

Answer 7

Filter specific requests based on rules

Question 8

How does CloudFront and Route 53 protect against DDOS?

Answer 8

Availability protection using global edge network and combined with AWS Shield provides attack mitigation at the edge

Question 9

What role does AWS Auto Scaling have in a DDOS attack?

Answer 9

Scale to provide more servers

Question 10

What is AWS Shield?

Answer 10

Free service that is activated for every AWS customer. Provides protection from attacks on layers 3 and 4

Question 11

What is AWS Shield Advanced?

Answer 11

Optional DDoS mitigation service ($3000 per month per organization). Protect against more sophisticated attacks. 24/7 access to AWS DDoS response team (DRP). Protect against higher fees during usage spikes due to DDoS

Question 12

What is AWS WAF?

Answer 12

Protects your web applications from common web exploits (layer 7). Deploy on ALB, API Gateway, CloudFront. Define Web Access Control List (ACL)

Question 13

What is layer 7?

Answer 13

HTTP

Question 14

What is layer 4?

Answer 14

TCP

Question 15

Can you do penetration testing on AWS?

Answer 15

You can test some of your own infrastructure without approval, but only some and only some types of attacks. Others you need approval

Question 16

Data at rest?

Answer 16

Data stored or archived on a device

Question 17

Data in transit?

Answer 17

Data being moved from one location to another

Question 18

What is used to encrypt data?

Answer 18

Encryption keys

Question 19

What is AWS KMS (Key Management Service)?

Answer 19

AWS manages the encryption keys for us

Question 20

What is CloudHSM?

Answer 20

AWS provisions encryption hardware. Dedicated hardware (HSM = Hardware security module) is sent and you manage your own encryption keys entirely

Question 21

What types of customer master keys: CMK (customer master keys)?

Answer 21

1. Customer Managed CMK
2. AWS managed CMK
3. AWS owned CMK
4. CloudHSM Keys (custom keystore)

Question 22

What is customer managed CMK?

Answer 22

Create, manage, and used by the customer, can enable or disable. Can have a rotation policy and can have possibility of bring-your-own-key

Question 23

What is AWS managed CMK?

Answer 23

Created, managed, and used on the custom’s behalf by AWS, used by aws services

Question 24

What is AWS owned CMK?

Answer 24

Collection of CMKs that an AWS service owns and manages to use in multiple account. You cannot see the keys

Question 25

What is CloudHSM Keys?

Answer 25

Keys generated from your own CloudHSM hardware device

Question 26

What is AWS Certificate Manger (ACM)?

Answer 26

Lets you easily provision, manage, and deploy SSL/TLS Certificates. Used to provide in-flight encryption for websites (HTTPS), free of charge for public TLS certificates and loads certificates to services

Question 27

What is AWS Secrets Manager?

Answer 27

Meant for storing secrets. Capability to force rotation of secrets every X days. Mostly meant for RDS integration

Question 28

What is AWS Artifact?

Answer 28

Not really a service, but is a portal that provides customers with on-demand access to AWS compliance documentation and AWS agreements. Can be used to support internal audit or compliance

Question 29

What is Artifact Reports?

Answer 29

Allows you to download AWS security and compliance documents from third party auditors

Question 30

What is Artifact Agreements?

Answer 30

Allows you to review, accept, and track the status of AWS agreements.

Question 31

What is Amazon GuardDuty?

Answer 31

Intelligent Threat discovery to Protect AWS account. Uses machine learning to look for anomaly in logs. Can setup CloudWatch Event rule to be notified in case of findings

Question 32

What is Amazon Inspector?

Answer 32

Automated Security Assessments for EC2 Instances. After assessment you get a report with list of vulnerabilities

Question 33

What is AWS Config?

Answer 33

Helps with auditing and recording compliance with your AWS resources. Helps record configurations and changes over time. Per region service, but can be aggregated across regions and accounts

Question 34

What is AWS Macie?

Answer 34

Fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data, personally identifiable information (PII). in AWS. Helps identify and alerts you of findings

Question 35

What is AWS security Hub?

Answer 35

Central security tool to manage security across several AWS accounts and automate security checks. Need to first enable AWS Config service

Question 36

What is Amazon Detective?

Answer 36

Analyzes, investigates, and quickly identifies the root cause of security issues or suspicious activities.

Question 37

What is AWS Abuse?

Answer 37

Report to abuse team if you suspect abuse

Question 38

What is root user prileges?

Answer 38

Root user is Account Owner. Has complete access to all AWS services and resources. Can do things even the most privileged created users can’t do

Question 39

What actions can only a root user do?

Answer 39

1. Change account settings
2. Close your AWS account
3. Change or cancel your AWS Support plan
4. Register as a seller in the Reserved Instance Marketplace

Question 40

Data sitting on an RDS instance would be referred to as?

1. Data in transit
2. Data at rest
3. Encrypted data

Answer 40

Data at rest

Question 41

According to the Shared Responsibility Model, who is responsible for firewall and network configuration for EC2 Instances?

1. AWS
2. The customer
3. AWS and the customer

Answer 41

The customer

Question 42

Which of the following services can you use to discover and protect your sensitive data in AWS?

1. Macie
2. Shield
3. Artifact
4. X-Ray

Answer 42

Macie

Question 43

Which AWS service lets you quickly find the root of potential security issues to take faster actions?

1. Inspector
2. Detective
3. CloudWatch
4. WAF

Answer 43

Detective

Question 44

A company would like to protect its web applications from common web exploits that may affect availability, compromise security, or consume excessive resources. Which AWS service should they use?

1. Auto Scaling Groups
2. Shield
3. CloudHSM
4. Web Application Firewall

Answer 44

Web Application Firewall

Question 45

Where can you find on-demand access to AWS compliance documentation and AWS agreements?

1. Artifact
2. Personal Health Dashboard
3. Secrets Manger
4. Shared Responsibility Model

Answer 45

Artifact

Question 46

You can perform any kind of penetration testing on any AWS service without prior approval

1. True
2. False

Answer 46

False

Question 47

You want to record configurations and changes over time. Which service allows you to do this?

1. Config
2. Inspector
3. GuardDuty
4. Secrets Manager

Answer 47

Config

Question 48

According to the shared responsibility model, who is responsible for patch management?

1. AWS
2. The customer
3. AWS and the customer

Answer 48

AWS and the customer

Question 49

You want to centrally automate security checks across several AWS accounts. Which AWS service can you use?

1. Macie
2. Detective
3. CloudTrail
4. Security Hub

Answer 49

Security Hub

Question 50

Which of the following services is managed by AWS and is used to manage encryption keys?

1. CloudHSM
2. KMS
3. AWS Secrets Manager
4. IAM

Answer 50

KMS

Question 51

A company would like to automate security on EC2 instances to assess security and vulnerabilities in these instances. Which AWS service should it use?

1. Config
2. Trusted Advisor
3. Inspector
4. Systems Manager

Answer 51

Inspector

Question 52

Which of the following actions does NOT require the root user?

1. Close your AWS account
2. Change your AWS Support Plan
3. Register as a seller in the Reserved Instance Marketplace
4. Access the billing dashboard

Answer 52

Access the billing dashboard

Question 53

According to the Shared Responsibility Model, who is responsible for protecting hardware?

1. AWS
2. The customer
3. AWS and the customer

Answer 53

AWS

Question 54

Which AWS service’s ONLY role is to safeguard running applications from DDoS attacks?

1. WAF
2. Shield
3. CloudFront
4. KMS

Answer 54

Shield

Question 55

Which service is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads?

1. KMS
2. WAF
3. Inspector
4. GuardDuty

Answer 55

GuardDuty

Question 56

Which of the following options is NOT a situation where you should contact the AWS Abuse team?

1. DDoS attack from AWS-owned IP addresses
2. Spam from AWS-owned IP addresses or AWS resources
3. Hosting objectionable or copyrighted content on AWs
4. Losing your MFA device

Answer 56

Losing your MFA device