Security & Compliance

Question 1

What are the resposibily of AWS?

Answer 1

• Security of the Cloud
• Manged Services (Lambda, S3, etc)

Page 332

Question 2

What are the responsibilies of Customer?

Answer 2

• The Data in AWS
• Manage all the services that are no Managed by AWS, like services on EC2 Instances.
• Security data, encrypting data

Page 332

Question 3

What are the share responnsibility of AWS and Customer?

Answer 3

• Patch Managmet
• Configuration Managment
• Awareness
• Trainning

Page 332

Question 4

What is a DDOS Attack?

Answer 4

Distributed Denail of Service.
Happens when the service receive high level of work from several sources (Bots) with the intention of running out the resources of the platform.

Page 336

Question 5

Does AWS Shield Standar works against DDoS?

Answer 5

Yes, it works for Apps and Websites

Page 337

Question 6

What is the difference between AWS Shield and AWS Shield Advance?

Answer 6

• AWS Shield Advance provides a 24/4 premium protection.
• In AWS Shield standar, you will have a fee on Highe Loads.

Page 337

Question 7

Does AWS WAF works against DDoS Attack?

Answer 7

Yes, AWS Web Application Firewall work filtering requests on base of rules.

Page 337

Question 8

How Cluoud Route 53 can be used against DDoS Attaks?

Answer 8

• Distributing all the load along several servers, avoidin concentrate all the trafin in one server.
• It is impleenting on the edge, providing a high level security along with AWS Shield.

Page 337

Question 9

Auto Scaling is a good thecnic agains DDoS Attack?

Answer 9

Yes, you can increase you capacity accoriding the load but you must specify a limit.

Page 337

Question 10

Talking about OSI Model, what are the Layers where AWS Shield works with?

Answer 10

On Layer 3 (TCP) and 4 (Internet)

Page 339

Question 11

Talking about OSI Model, what are the Layers where AWS WAF works with?

Answer 11

Layer 7 (Application/HTTP Layer) HTTP Protocol is considered as a Application Protocol.

page 340

Question 12

On what of these services is deployed AWS WAF?

a. EC2
b. Application Lod Balancer
c. ECS
d. Route53
e. API Gateway
f. NACL
g. CloudFront
h. AWS AppSync
i. Amazon Cognito resources.

Answer 12

B. Application Load Balancer (Works with HTTP requests)
E. API Gateway (Works with HTTP requests)
G, H, I. Are service management as a Webservice.

Page 340

Question 13

What is Web ACL?

Answer 13

Web Access Control List
It’s a set of configuratioon of AWF where you can filter with more detail:
+ By IP
+ By Coutnry Origin
+ String match or regular expression (regex) match in a + part of the request
+ Size of a particular part of the request
+ Detection of malicious SQL code or scripting
+ Frequency, against DDoS.

Basicaly, it analize most of the HTTP Request to see if it meets some of these filtered characteritics.

Page 340

https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.h

Question 14

What is Penetration Testing on AWS?

Answer 14

It’s a simulated cyber attack against your computer system to check for exploitable vulnerabilities.

Stages:
1. Planning and reconnaissance. Define de Goal of the attack
2. Scanning. Assesment how the system response againts attaks.
3. Gain Access. Evaluate if it’s possible access to the system.
4. Maintaning Access. Evaluate how long can the intrution has been accessed.
5. Analysis and WAF Configuration. With the outcomes, set the proper configurations on WAF.

Page 341

https://www.imperva.com/learn/application-security/penetration-testing/

Question 15

What are Data in Rest and Data in Transit?

Answer 15

Data in Rest: Any data that is kept/stored/achived.

Data in Transit: Any data that is travelint long communication paths, like public or private networks.

Page 343

Question 16

What are Encryption Keys?

Answer 16

They’re keys to encrypt and decrypt data in motion or rest.

Question 17

What is AWS KMS

Answer 17

AWS Key Management Service
+ It’s the manager for Encryption Keys
+ All the keys are managed for all the AWS services.

Page 344

Question 18

What are the three services that automaticaly encrypt data?

Answer 18

1. AWS CloudTrail Logs
2. S3 Glacier
3. Storage Gateway

All other services are optional to encrypt.

Page 344

Question 19

What is CloudHSM

Answer 19

It’s the same that AWS KMS but onpremise.
AWS Doesn’t manage you KMS, but you.

Page 345

https://aws.amazon.com/es/cloudhsm/

Question 20

What are the types of Customer Master Keys (CMK)?

Answer 20

1. Customer Managed CMK. Customer has the full control of the keys.
2. AWS managed CMK. Keys that AWS created for our behalf (beneffit).
3. AWS owned CMK. They’re the keys created and managed by AWS for itself.
4. Cloud HSM Keys. All the keys generate by you own CloudHSM.

Page 347

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html

Question 21

What is ACM?

Answer 21

AWS Certified Manager
+ Provides and provisioning TLS/SSL Certificates.
+ Performes autorenewal of certificates.
+ Support public and private certificates.

Page 348

Question 22

Which services can use ACM?

Answer 22

+ Elastic Load Balancer
+ CloudFront Distributions
+ API On Gateway

Page 348

Question 23

What is AWS Secret Manager?

Answer 23

+ It’s a storage to keep all kind of private credentials from AWS or 3rths.
+ It can be integrated with Amazon RDS.
+ Secrets are encrypted with KMS.
+ It can rotate secrets, avoiding static secrets.

Page 348

Question 24

What is AWS Artifact?

Answer 24

It’s a Portal where you can check and download compliance documentation and AWS agreements

It’s useful to support internal audit or compliance.

Page 350

Question 25

What is **Amazon GuardDuty**?

Answer 25

It's a service to detect threats according of: + Behaivor of the accounts. + Workload | Page 351

Question 26

From where does **Amazon GuardDuty** get the iformation to analyze with ML?

Answer 26

* CloudTrail Event Logs. * VPC FlowLogs. * DNS Logs (Route 53). * Kubernet Audit Logs. * *Other AWS Service that produce logs and can be setup in Amazon GuardDuty*. | Page 351

Question 27

What is **Amazon Inspector**?

Answer 27

**Automated Security Assessments** + A managed service that connect so SSm Agent services. + Analyze SO looking for vulneravilites. + Analyze unintended network accessibility. + It can be instales in EC2 instances or ECS images. ## Footnote Page 353

Question 28

Which of these services can be used by **Amazon Inspector** to report events: A. SNS B. SQS C. Security Hub D. Event Bridges

Answer 28

**C** (Security Hub) and **D** (Event Bridge) ## Footnote Page 353

Question 29

What is **AWS Config**?

Answer 29

It's a Service that: + Allow configure your AWS Services. + Audit and Monitoring AWS Configurations. + Evaluate AWS Configurations. + Automate AWS Configurations. + Track changes on configurations. | https://aws.amazon.com/es/config/ ## Footnote Page 355

Question 30

With AWS Config, can you store configuration in some AWS sotrages?

Answer 30

Yes, they can be saved in S3 Buckets ## Footnote Page 355

Question 31

Is AWS Config a Global Service?

Answer 31

No,it's a Regional Service but can work across regions. ## Footnote Page 355

Question 32

Does AWS Config detect change in an Architecture Auto Scaling?

Answer 32

Yes, it's detect the change as a configuration change and reporte them as an event. ## Footnote Page 356

Question 33

What is **Amazon MACIE**?

Answer 33

It's a service managed that works with ML to detect sesitive data and protect them. Works with patterns ## Footnote Page 357

Question 34

Is PII part of data information that MACIE works with?

Answer 34

YES **Personal Identifiable Information (PII)** is detected by MACIE and sensored. ## Footnote Page 357

Question 35

What is **AWS Security Hub**?

Answer 35

Central security tool to manage security across several AWS accounts and automate security checks. ## Footnote Page 357

Question 36

What of these services are NOT integrated with AWS Security Hub? A. GuardDuty B. AWS CloudFront C. Inspector D. Macie E. IAM Access Analyzer F. AWS Systems Manager G. AWS Firewall Manager H. AWS Partner Network Solutions I. Must first enable the AWS Config J. AWS Lambda K. AWS CloudWatch Log

Answer 36

B, J, K All the other services ar part of a security suit that can be intergrate or work with AWS Security HUB ## Footnote Page 358

Question 37

What is **Amazon Detective**?

Answer 37

It's a service to analize and detect the ROOT cause of the issue or suspicios activity. ## Footnote Page 360

Question 38

From where Does Amazon Detective take the information that analize it?

Answer 38

From event of: + VPC Flows Logs + ClowdTrial + GuardUDuty ## Footnote Page 360

Question 39

Does Amazon Detective have a UI?

Answer 39

Yes, all the information collected and procceses is ogrnized in an Unified View ## Footnote Page 360

Question 40

What is AWS Abuse?

Answer 40

Report AWS resources used for abusive or illegal purposes. It can works automatically or by claiming throught **AWS Abuse Form**. ## Footnote Page 361, 364

Question 41

Wha is a **Root User**?

Answer 41

+ It's the **Account Owner**. + if you want to cancel your account, you mus use the *Root User*. + Has complite access to all AWS Services. + Has complite access manages you AWS Subaccounts + Has Rights to publish on Marketplace. ## Footnote Page 362

Question 42

A company would like to secure network communications using SSL & TLS certificates. Which AWS service can it use?

Answer 42

Amazon Certfied Manager