Security & Compliance Flashcards
What are the responsibilities of AWS?
- Security of the Cloud
- Managed Services (Lambda, S3, etc.)
Page 332
What are the responsibilities of the Customer?
- The Data in AWS
- Manage all the services that are not managed by AWS, like services running on EC2 instances.
- Securing data, encrypting data
Page 332
What are the shared responsibilities of AWS and the Customer?
- Patch Management
- Configuration Management
- Awareness
- Training
Page 332
What is a DDOS Attack?
Distributed Denial of Service.
It happens when the service receives a high volume of requests from several sources (bots) with the intention of exhausting the resources of the platform.
Page 336
Does AWS Shield Standard work against DDoS?
Yes, it works for apps and websites.
Page 337
What is the difference between AWS Shield Standard and AWS Shield Advanced?
- AWS Shield Advanced provides 24/4 premium protection.
- In AWS Shield Standard, you will pay a fee on high loads.
Page 337
Does AWS WAF work against DDoS attacks?
Yes, AWS Web Application Firewall works by filtering requests based on rules.
Page 337
How can Route 53 be used against DDoS attacks?
- Distributing the load across several servers, avoiding concentrating all the traffic in one server.
- It is implemented at the edge, providing a high level of security along with AWS Shield.
Page 337
Is Auto Scaling a good technique against DDoS attacks?
Yes, you can increase your capacity according to the load, but you must specify a limit.
Page 337
Talking about the OSI Model, which layers does AWS Shield work at?
On Layer 3 (TCP) and 4 (Internet)
Page 339
Talking about the OSI Model, which layers does AWS WAF work at?
Layer 7 (Application/HTTP Layer). The HTTP protocol is considered an application protocol.
Page 340
On which of these services can AWS WAF be deployed?
a. EC2
b. Application Load Balancer
c. ECS
d. Route53
e. API Gateway
f. NACL
g. CloudFront
h. AWS AppSync
i. Amazon Cognito resources.
B. Application Load Balancer (Works with HTTP requests)
E. API Gateway (Works with HTTP requests)
G, H, I. These are services managed as web services.
Page 340
What is a Web ACL?
Web Access Control List
It’s a set of configurations of AWS WAF where you can filter with more detail:
+ By IP
+ By country of origin
+ String match or regular expression (regex) match in a part of the request
+ Size of a particular part of the request
+ Detection of malicious SQL code or scripting
+ Frequency, against DDoS.
Basically, it analyzes most of the HTTP request to see if it meets some of these filter characteristics.
Page 340
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.h
What is Penetration Testing on AWS?
It’s a simulated cyber attack against your computer system to check for exploitable vulnerabilities.
Stages:
1. Planning and reconnaissance. Define the goal of the attack.
2. Scanning. Assess how the system responds to attacks.
3. Gain Access. Evaluate whether it’s possible to access the system.
4. Maintaining Access. Evaluate how long the intrusion can keep its access.
5. Analysis and WAF Configuration. Using the outcomes, set the proper configuration on the WAF.
Page 341
https://www.imperva.com/learn/application-security/penetration-testing/
What are Data at Rest and Data in Transit?
Data at Rest: Any data that is kept/stored/archived.
Data in Transit: Any data that is travelling along communication paths, like public or private networks.
Page 343
What are Encryption Keys?
They’re keys used to encrypt and decrypt data in motion or at rest.
What is AWS KMS?
AWS Key Management Service
+ It’s the manager for encryption keys.
+ It manages the keys for all the AWS services.
Page 344
What are the three services that automatically encrypt data?
- AWS CloudTrail Logs
- S3 Glacier
- Storage Gateway
In all other services, encryption is optional.
Page 344
What is CloudHSM?
It’s the same as AWS KMS but on-premises.
AWS doesn’t manage your KMS; you do.
Page 345
https://aws.amazon.com/es/cloudhsm/
What are the types of Customer Master Keys (CMK)?
- Customer managed CMK. The customer has full control of the keys.
- AWS managed CMK. Keys that AWS creates on our behalf (for our benefit).
- AWS owned CMK. They’re the keys created and managed by AWS for itself.
- CloudHSM Keys. All the keys generated by your own CloudHSM.
Page 347
https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html
What is ACM?
AWS Certificate Manager
+ Provides and provisions TLS/SSL certificates.
+ Performs auto-renewal of certificates.
+ Supports public and private certificates.
Page 348
Which services can use ACM?
+ Elastic Load Balancer
+ CloudFront Distributions
+ API Gateway
Page 348
What is AWS Secrets Manager?
+ It’s a store to keep all kinds of private credentials, from AWS or third parties.
+ It can be integrated with Amazon RDS.
+ Secrets are encrypted with KMS.
+ It can rotate secrets, avoiding static secrets.
Page 348
What is AWS Artifact?
It’s a portal where you can check and download compliance documentation and AWS agreements.
It’s useful to support internal audit or compliance.
Page 350
What is Amazon GuardDuty?
It’s a service that detects threats according to:
+ Behavior of the accounts.
+ Workload
Page 351
Where does Amazon GuardDuty get the information it analyzes with ML?
- CloudTrail Event Logs.
- VPC FlowLogs.
- DNS Logs (Route 53).
- Kubernetes Audit Logs.
- Other AWS services that produce logs and can be set up in Amazon GuardDuty.
Page 351
What is Amazon Inspector?
Automated Security Assessments
+ A managed service that connects to the SSM Agent.
+ Analyzes the OS looking for vulnerabilities.
+ Analyzes unintended network accessibility.
+ It can be installed on EC2 instances or ECS images.
Page 353
Which of these services can be used by Amazon Inspector to report events?
A. SNS
B. SQS
C. Security Hub
D. EventBridge
C (Security Hub) and D (EventBridge)
Page 353
What is AWS Config?
It’s a service that:
+ Allows configuring your AWS services.
+ Audits and monitors AWS configurations.
+ Evaluates AWS configurations.
+ Automates AWS configurations.
+ Tracks changes in configurations.
https://aws.amazon.com/es/config/
Page 355
With AWS Config, can you store configurations in some AWS storage?
Yes, they can be saved in S3 buckets.
Page 355
Is AWS Config a Global Service?
No, it’s a Regional service, but it can work across regions.
Page 355
Does AWS Config detect changes in an Auto Scaling architecture?
Yes, it detects the change as a configuration change and reports it as an event.
Page 356
What is Amazon Macie?
It’s a managed service that works with ML to detect sensitive data and protect it.
It works with patterns.
Page 357
Is PII part of the data that Macie works with?
Yes, Personally Identifiable Information (PII) is detected by Macie and censored.
Page 357
What is AWS Security Hub?
Central security tool to manage security across several AWS accounts and automate security checks.
Page 357
Which of these services are NOT integrated with AWS Security Hub?
A. GuardDuty
B. AWS CloudFront
C. Inspector
D. Macie
E. IAM Access Analyzer
F. AWS Systems Manager
G. AWS Firewall Manager
H. AWS Partner Network Solutions
I. Must first enable the AWS Config
J. AWS Lambda
K. AWS CloudWatch Log
B, J, K
All the other services are part of a security suite that can be integrated with or work with AWS Security Hub.
Page 358
What is Amazon Detective?
It’s a service to analyze and detect the ROOT cause of an issue or suspicious activity.
Page 360
Where does Amazon Detective take the information it analyzes from?
From events of:
+ VPC Flow Logs
+ CloudTrail
+ GuardDuty
Page 360
Does Amazon Detective have a UI?
Yes, all the information collected and processed is organized in a unified view.
Page 360
What is AWS Abuse?
Report AWS resources used for abusive or illegal purposes.
It can work automatically or by reporting through the AWS Abuse Form.
Page 361, 364
What is a Root User?
+ It’s the Account Owner.
+ If you want to cancel your account, you must use the Root User.
+ Has complete access to all AWS services.
+ Has complete access to manage your AWS sub-accounts.
+ Has rights to publish on the Marketplace.
Page 362
A company would like to secure network communications using SSL & TLS certificates. Which AWS service can it use?
AWS Certificate Manager