Security & Compliance Flashcards

1
Q

AWS shared responsibility Model

A
AWS responsibility (security of the cloud): protecting the infrastructure (hardware, software, facilities, and networking) that runs all AWS services, and the managed services such as S3, DynamoDB, RDS, etc.
  • According to the Shared Responsibility Model, who is responsible for protecting hardware?
2
Q

Customer Responsibility - security in the cloud

A

For EC2 instances, the customer is responsible for managing the guest OS (including security patches and updates), firewall & network configuration, IAM, and encrypting application data.

  • According to the Shared Responsibility Model, who is responsible for firewall and network configuration for EC2 Instances?
3
Q

Shared controls

A

Patch management, configuration management, awareness & training

4
Q

What is a DDoS attack? (Distributed Denial of Service)

A

The attacker launches multiple master servers > each master server launches bots > the bots send requests to our application server.
The application server is not built to handle that many requests, so it stops working > users can no longer access it.

5
Q

AWS Shield Standard

A
  • protects against DDoS attacks for your websites and applications, for all customers at no additional cost
  • activated by default for every customer
  • free
  • Which AWS service's ONLY role is to safeguard running applications from DDoS attacks?
6
Q

AWS Shield Advanced

A

24/7 premium DDoS protection

7
Q

AWS WAF

A
  • firewall that filters incoming requests based on rules
  • operates at layer 7 (HTTP), vs layer 4 (TCP)
  • deployed on Application Load Balancer, API Gateway, CloudFront

A company would like to protect its web applications from common web exploits that may affect availability, compromise security, or consume excessive resources. Which AWS service should they use?

8
Q

KMS

A
  • Encryption keys managed by AWS
  • We do not have direct access to the key; AWS manages it for us. We define who can access the key.
  • Which of the following services is managed by AWS and is used to manage encryption keys?

9
Q

CloudHSM

A

Hardware encryption; we manage the encryption keys.

  • AWS provisions the encryption hardware

CloudHSM keys (custom key store):

  • Keys generated on your own CloudHSM hardware device
  • Cryptographic operations are performed by the CloudHSM cluster.
10
Q

Customer master key (CMK) types: customer managed CMK

A
  • Created, managed and used by the customer; can be enabled or disabled
  • Possibility of a rotation policy (new key generated every year, old key preserved)
  • Possibility to bring your own key
11
Q

AWS managed CMK

A
  • Created, managed and used on the customer's behalf by AWS
  • Used by AWS services (aws/s3, aws/ebs, aws/redshift)

12
Q

AWS owned CMK

A
  • Collection of CMKs that an AWS service owns and manages for use in multiple accounts
  • AWS can use those to protect resources in your account (but you cannot view the keys)
13
Q

GuardDuty

A

Finds malicious behavior using VPC Flow Logs, DNS logs, and CloudTrail logs

  • Intelligent threat discovery to protect AWS accounts
  • Which service is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads?
14
Q

AWS Certificate Manager

A
  • provision, manage, and deploy SSL/TLS certificates
  • A company would like to secure network communications using SSL & TLS certificates. Which AWS service can it use?

15
Q

Artifact

A

Get access to compliance reports such as PCI, ISO, etc.

  • Artifact Reports: allows you to download AWS security and compliance documents from third-party auditors, such as AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Controls (SOC) reports
  • Artifact Agreements: allows you to review, accept, and track the status of AWS agreements such as the Business Associate Addendum (BAA) or the Health Insurance Portability and Accountability Act (HIPAA) for an individual account or for your organization

Where can you find on-demand access to AWS compliance documentation and AWS agreements?

16
Q

Inspector

A

For EC2 only: install the agent and find vulnerabilities

  • Automated security assessments
  • Analyzes unintended network accessibility
  • A company would like to automate security on EC2 instances to assess security and vulnerabilities in these instances. Which AWS service should it use?
17
Q

AWS Config

A

Tracks configuration changes and compliance against rules

  • Helps with auditing and recording compliance of your AWS resources (see inventory)
  • You want to record configurations and changes over time. Which service allows you to do this?
18
Q

CloudTrail

A

Tracks API calls made by users within the account

19
Q

AWS Security Hub

A

Gathers security findings from multiple AWS accounts

  • Centralized security, multi-account
  • You want to centrally automate security checks across several AWS accounts. Which AWS service can you use?
20
Q

Amazon Detective

A
  • Finds the root cause of security issues or suspicious activities
  • (using ML and graphs)
  • Automatically collects and processes events from VPC Flow Logs, CloudTrail, and GuardDuty, and creates a unified view
  • Which AWS service lets you quickly find the root of potential security issues to take faster actions?
21
Q

AWS Abuse

A

Report AWS resources used for abusive or illegal purposes

  • Which of the following options is a situation where you should contact the AWS Abuse team?
  • DDoS attack from an AWS-owned IP
  • Spam from an AWS-owned IP or AWS resource
  • Hosting objectionable or copyrighted content on AWS
22
Q

Root user privileges

A
  • Change account settings
  • Close your AWS account
  • Change or cancel your AWS Support plan
  • Register as a seller on the Reserved Instance Marketplace

(Root user = account owner, created when the account is created)

23
Q

Penetration Testing on AWS cloud

A
Attack your own infrastructure to test your own security.
8 services:
- EC2 instances, NAT gateways, Elastic Load Balancers
- RDS
- CloudFront
- Aurora
- API Gateways
- Lambda and Lambda Edge functions
- Lightsail
- Elastic Beanstalk environments
24
Q

Penetration Testing on your AWS cloud: prohibited activities (they look just like an attack)

A
  • DNS zone walking via Amazon Route 53 hosted zones
  • Denial of Service (DoS), Distributed Denial of Service (DDoS), simulated DoS, simulated DDoS
  • Port flooding
  • Protocol flooding
  • Request flooding (login request flooding, API request flooding)
  • For other simulated events, contact the AWS security team

You can perform any kind of penetration testing on any AWS service without prior approval. FALSE

25
Q

Data at rest

A

Data stored or archived on a drive: e.g. hard disk, RDS instance, S3 Glacier Deep Archive.

  • Data sitting on an RDS instance would be referred to as?
26
Q

Data in transit

A

Data being moved from one location to another: e.g. transfer from on-prem to AWS, EC2 to DynamoDB, etc. Data transferred over the network.

27
Q

AWS Secrets Manager

A

Service for managing secrets, with rotation (e.g. for RDS credentials); it is a paid service.

28
Q

Amazon Macie

A
  • Data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS
  • Finds sensitive data (e.g. PII data) in Amazon S3 buckets
  • Which of the following services can you use to discover and protect your sensitive data in AWS?