Security & Compliance

Question 1

AWS shared responsibility Model

Answer 1

Protecting infrastructure ( hardware, software, facilities, and networking) that runs all the AWS services 
Managed service like S3, DynamoDB, RDS, etc

• According to the Shared Responsibility Model, who is responsible for protecting hardware?

Question 2

Customer Responsibility - security in the cloud

Answer 2

For EC2 instance, customer is responsible for management of the guest OS ( including Security patches and updates), firewall & network configuration, IAM
Encrypting application data

• According to the Shared Responsibility Model, who is responsible for firewall and network configuration for EC2 Instances?

Question 3

Shared controls

Answer 3

Patch management, configuration management, awareness & Training

Question 4

What is a DDOS* Attack?:Distributed Denial of service

Answer 4

Attacker lunch multiple master server > the server lunch bots > the bot sends a request to our application server.
Application server is not build to handle many application server it will not not work anymore > user can not access it

Question 5

Aws shield standard:

Answer 5

• protects against DDOS attack for your website and applications, for all customers at no additional costs.
• activities by default for every customer
• free
• Which AWS service’s ONLY role is to safeguard running applications from DDoS attacks?

Question 6

AWS shield Advanced:

Answer 6

24/7 premium DDos protection

Question 7

AWS WAF

Answer 7

• firewall to filter incoming requests based on rules
• filter specific request based on rules .
• layer 7 is HTTP (vs layer 4 is TCP)
• deploy on Application load balancer, API gateway, Cloudfront

A company would like to protect its web applications from common web exploits that may affect availability, compromise security, or consume excessive resources. Which AWS service should they use?

Question 8

KMS

Answer 8

• Encryption keys managed by AWS
• do not have access to the key Aws manage the key for us. We define who can access the key.
• Which of the following services is managed by AWS and is used to manage encryption keys?

-

Question 9

CloudHSM

Answer 9

Hardware encryption, we manage encryption keys.

• AWS provisions encryption hardware

CloudHSM keys(custom keystore):

• Keys generated from your own cloudhSM hardware device
• Cryptographic operations are performed with the ClodHSM cluther.

Question 10

Type customer mask key: CMK

Answer 10

• Create, manage and used by the customer, can enable or disable
• Possibility of rotation policy ( new key generated every year, old key preserved)
• Possibility to bring-your-own-key

Question 11

AWS managed CMK

Answer 11

• create , managed and used on the customers behalf by was

- Used by AWS service (aws/s3, asw/ebs, aws/redshift)

Question 12

Aws owned CMK

Answer 12

• Collection of CMKs that an AWs service owns and manages to use in multiple accounts
• Aws can use those to protect resources in the account (but you cannot view the keys)

Question 13

GuardDuty

Answer 13

Find Malicious behavior with VPC, DNS, and Cloudtrail logs

• Intelligent threat discovery to protect AWS account
• Which service is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads?

Question 14

AWS Certificate Managed

Answer 14

• provision, manage, and deploy SSL?TLS certificates

- A company would like to secure network communications using SSL & TLS certificates. Which AWS service can it use?

Question 15

Artifact

Answer 15

Get access to compliance report such as PCI, ISO, etc

• Artifact Reports- Allows you to download AWS security and compliance documents from third-party auditors, like AWS ISO certifications, Payment Card Industry(PCI), and System and Organization Control (SOC) reports
• Artifcat Agreements- Allows you to review, accept, and track the status of AWS agreements such as the Business Associcated Addendum (BAA) or the Health Insurance Portability and Accountablity Act (HIPAA) for an individual account or in your organization

Where can you find on-demand access to AWS compliance documentation and AWS agreements?

Question 16

Inspector

Answer 16

For EC2 only, Install agent and find Vulnerabilities

• Automated Seceurity Assements
• analyzed unintended network accessibility
• A company would like to automate security on EC2 instances to assess security and vulnerabilities in these instances. Which AWS service should it use?

Question 17

AWS Config

Answer 17

Track config change and compliance against rules

• Helps with Auditing and recording compliance of your AWS resources(see inventory)
• You want to record configurations and changes over time. Which service allows you to do this?

Question 18

CloudTrail

Answer 18

Track API calls mad by users with account

Question 19

AWS Security Hub

Answer 19

gather security findings from multiple AWS accounts

• security centrralized, muitl account
• You want to centrally automate security checks across several AWS accounts. Which AWS service can you use?

Question 20

Amazon Detective

Answer 20

• find the root cause of security issue or suspicious activities
• (using ML and graphs )
• Automatically collects and processes events from VPC flow logs, Cloudtrail, GuardDuty, and Cretae a unified view
• Which AWS service lets you quickly find the root of potential security issues to take faster actions?

Question 21

AWS Abuse

Answer 21

report AWS resource used for abusive or illegal purposes

• Which of the following options is a situation where you should contact the AWS Abuse team?
• DDos attack from aws own ip
• spam from aws owned ip or aws resource
• hosting objectionable or copyright content on aws

Question 22

Root user privileges

Answer 22

• change account setting
• close your AWS account
• change or cancel your AWS support plan
• Register as seller on the reserved instance Marketplace

(Root user = Account owner (created when the account is created)

Question 23

Penetration Testing on AWS cloud

Answer 23

attack your own infrastructure to test your own security 
8 service:
- ec2, Nat gateway, elastic load balancers
- RDS
- Cloudfront
- Aurora
- API gateways 
- Lambada and lambda edge function 
- lightsail 
elastic Beanstalk environment

Question 24

Penetration Testing on your AWS cloud Prohibited Activities: just like an attack

Answer 24

• DNS zone walking via Amazon Route 53 hosted zone
• Denial of service (DoS), Distributed Denial of service (DDos), Simulated DoS, - Simulated DDos
• Port flooding
• Protocol flooding
• Request flooding ( login request flooding, APL request flooding other simulated event, contact aws security team

You can perform any kind of penetration testing on any AWS service without prior approval. FALSE

Question 25

Data at rest

Answer 25

data stored or archived on a drive: like hard disk, RDS instance, S3 Glacier deep archive.

• Data sitting on an RDS instance would be referred to as?

Question 26

Data in transit

Answer 26

data being moved from one location to another : like transfer from on-prem to aws, EC2 to DynamoDb, etc . data transferred on the network

Question 27

AWS Secrets Manager

Answer 27

a secrets to be managing in RDS and to be rotated , and it is a payservice

Question 28

Amazon Macie

Answer 28

• data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
• find sensitive data (ex:PLL data ) in Amzon s3 bucket
• Which of the following services can you use to discover and protect your sensitive data in AWS?