Security & Compliance Flashcards

1
Q

What are the responsibilities of AWS?

A
  • Security OF the Cloud: the infrastructure (hardware, software, networking, facilities) that runs all AWS services.
  • Managed services (Lambda, S3, etc.): AWS operates and patches the underlying platform.

Page 332

2
Q

What are the responsibilities of the Customer?

A
  • Security IN the Cloud: the customer's data in AWS.
  • Managing everything AWS does not manage, e.g. the guest OS, patches and applications running on EC2 instances.
  • IAM (users, roles, permissions) and network configuration (security groups, firewall rules).
  • Securing data: classification and encryption, at rest and in transit.

Page 332

3
Q

What are the shared responsibilities of AWS and the Customer?

A
  • Patch Management (AWS patches the infrastructure; the customer patches the guest OS and applications)
  • Configuration Management (AWS configures the infrastructure devices; the customer configures the guest OS, databases and applications)
  • Awareness & Training (AWS trains AWS employees; the customer trains its own staff)

Page 332

4
Q

What is a DDoS Attack?

A

Distributed Denial of Service.
Happens when a service receives a high volume of traffic from many sources (bots, a botnet) with the intention of exhausting the platform's resources so that legitimate users cannot be served.

Page 336

5
Q

Does AWS Shield Standard work against DDoS?

A

Yes. It is enabled automatically and at no extra cost for every AWS customer, and protects applications and websites against the most common network- and transport-layer attacks (e.g. SYN/UDP floods, reflection attacks).

Page 337

6
Q

What is the difference between AWS Shield Standard and AWS Shield Advanced?

A
  • Shield Advanced is a paid subscription that adds 24/7 access to the AWS DDoS Response Team, more sophisticated detection and mitigation, and protection for ELB, CloudFront, Route 53, Global Accelerator and Elastic IPs.
  • With Shield Standard you pay for any extra capacity your resources scale to during an attack; Shield Advanced includes cost protection (credits for usage spikes caused by a DDoS attack).

Page 337

7
Q

Does AWS WAF work against DDoS attacks?

A

Yes, at the application layer. AWS Web Application Firewall filters HTTP(S) requests based on rules; rate-based rules in particular block sources that exceed a request threshold, which mitigates HTTP floods.

Page 337

8
Q

How can Amazon Route 53 be used against DDoS attacks?

A
  • DNS is served from a global anycast network of edge locations, so queries are spread over many servers instead of concentrating all the traffic on one.
  • It runs at the edge and is protected by AWS Shield, so the DNS layer stays available during an attack.

Page 337

9
Q

Is Auto Scaling a good technique against DDoS attacks?

A

Yes, you can increase capacity according to the load, but you must set a maximum capacity limit; otherwise an attack turns into a bill (and Shield Standard does not refund that cost).

Page 337

10
Q

Talking about the OSI model, which layers does AWS Shield work on?

A

Layer 3 (Network, IP) and Layer 4 (Transport, TCP/UDP). Shield Advanced additionally covers Layer 7 (Application) together with AWS WAF.

Page 339

11
Q

Talking about the OSI model, which layer does AWS WAF work on?

A

Layer 7 (Application). HTTP is an application-layer protocol, and WAF inspects HTTP(S) requests.

page 340

12
Q

On which of these services can AWS WAF be deployed?

a. EC2
b. Application Load Balancer
c. ECS
d. Route 53
e. API Gateway
f. NACL
g. CloudFront
h. AWS AppSync
i. Amazon Cognito resources

A

B. Application Load Balancer (terminates HTTP requests)
E. API Gateway (terminates HTTP requests)
G, H, I. CloudFront, AppSync GraphQL APIs and Cognito user pools are also HTTP-facing managed services that accept a web ACL.
WAF cannot be attached to EC2, ECS, Route 53 or a NACL directly; it only works on resources that terminate HTTP(S).

Page 340

13
Q

What is a Web ACL?

A

Web Access Control List
It is the set of rules in AWS WAF that lets you filter requests in detail:
+ By source IP (IP sets)
+ By country of origin (geo match)
+ String match or regular expression (regex) match on a part of the request (URI, query string, headers, body)
+ Size of a particular part of the request
+ Detection of malicious SQL code (SQL injection) or scripting (XSS)
+ Request rate per source IP (rate-based rules), against DDoS / HTTP floods

Basically, it inspects each HTTP request, evaluates the rules in priority order and applies the first matching rule's action (allow, block, count); if no rule matches, the web ACL's default action applies.

Page 340

https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.h
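The following is an added example, not AWS code or anything from the course page: a small model of how a web ACL evaluates a request, with one rule of each kind listed above (IP set, geo match, SQLi, size constraint, regex, rate-based) run over constructed traffic. Rule names, CIDRs, thresholds and the SQL-injection regex are assumptions chosen for the example; real AWS WAF uses a managed detection engine and evaluates its 5-minute rate window roughly every 30 seconds, so it reacts with some delay rather than the exact sliding window used here.

```python
"""Model of AWS WAF web ACL evaluation (added example, not AWS code).

Rules run in priority order. The first matching rule with an ALLOW or BLOCK action
terminates evaluation; COUNT rules record a match and evaluation continues; if
nothing terminates, the web ACL's default action applies.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, List, Tuple
import ipaddress
import re


@dataclass
class Request:
    src_ip: str
    country: str
    uri: str
    query: str = ""
    body: str = ""
    ts: float = 0.0  # seconds; only the rate-based rule looks at it


# Rough SQLi signatures (assumption): tautology, UNION SELECT, stacked DROP TABLE.
SQLI_RE = re.compile(r"(?i)('\s*or\s*'?\d+'?\s*=\s*'?\d+|\bunion\b[\s\S]+\bselect\b|;\s*drop\s+table\b)")


def ip_match(cidrs):                     # IP set
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.src_ip) in n for n in nets)

def geo_match(countries):                # geo match
    return lambda r: r.country in countries

def regex_match(part, pattern):          # regex match on one request component
    rx = re.compile(pattern)
    return lambda r: rx.search(getattr(r, part)) is not None

def size_constraint(part, max_bytes):    # size constraint on one request component
    return lambda r: len(getattr(r, part).encode()) > max_bytes

def sqli_match(parts):                   # SQLi detection over several components
    return lambda r: any(SQLI_RE.search(getattr(r, p)) for p in parts)


class RateBased:
    """Matches once a source IP has sent more than `limit` requests in `window` seconds."""
    def __init__(self, limit, window=300):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def __call__(self, r):
        q = self.hits[r.src_ip]
        q.append(r.ts)
        while q and q[0] < r.ts - self.window:   # drop timestamps outside the window
            q.popleft()
        return len(q) > self.limit


@dataclass
class Rule:
    name: str
    priority: int
    action: str                      # ALLOW, BLOCK or COUNT
    match: Callable[[Request], bool]


@dataclass
class WebACL:
    default_action: str
    rules: List[Rule]
    counted: List[str] = field(default_factory=list)

    def evaluate(self, r: Request) -> Tuple[str, str]:
        for rule in sorted(self.rules, key=lambda x: x.priority):
            if not rule.match(r):
                continue
            if rule.action == "COUNT":
                self.counted.append(rule.name)   # non-terminating
                continue
            return rule.action, rule.name
        return self.default_action, "Default"


def build_acl() -> WebACL:
    # Ordering pitfall on purpose: AllowOffice sits before BlockSQLi, so a request
    # from the office range is allowed without ever being inspected for SQLi.
    return WebACL("ALLOW", [
        Rule("AllowOffice", 0, "ALLOW", ip_match(["203.0.113.0/24"])),
        Rule("BlockEmbargo", 1, "BLOCK", geo_match({"KP"})),
        Rule("BlockSQLi", 2, "BLOCK", sqli_match(["query", "body"])),
        Rule("BodyTooLarge", 3, "BLOCK", size_constraint("body", 8192)),
        Rule("CountAdminPath", 4, "COUNT", regex_match("uri", r"^/admin/")),
        Rule("RateLimit", 5, "BLOCK", RateBased(limit=100, window=300)),
    ])


def sample_requests() -> List[Request]:
    """Constructed traffic: five single requests, then a 101-request flood from one IP."""
    reqs = [
        Request("203.0.113.7", "US", "/login", query="user=bob' OR '1'='1"),   # office IP
        Request("198.51.100.9", "US", "/search", query="q=1' OR '1'='1"),       # SQLi
        Request("192.0.2.4", "KP", "/"),                                        # embargoed country
        Request("198.51.100.20", "DE", "/upload", body="A" * 9000),             # oversized body
        Request("198.51.100.21", "DE", "/admin/users"),                         # counted only
    ]
    reqs += [Request("198.51.100.99", "FR", "/", ts=i) for i in range(101)]    # 1 req/s flood
    reqs.append(Request("198.51.100.99", "FR", "/", ts=500))                    # after the window
    return reqs


def run(acl: WebACL, reqs: List[Request]) -> List[Tuple[str, str]]:
    return [acl.evaluate(r) for r in reqs]


if __name__ == "__main__":
    acl, reqs = build_acl(), sample_requests()
    for req, (action, rule) in zip(reqs, run(acl, reqs)):
        print(f"{req.src_ip:15} {req.uri:13} ts={req.ts:<5g} -> {action} ({rule})")
    print("counted:", acl.counted)
```

Running it shows the office request allowed despite its SQLi payload (priority order matters), the flood blocked only on the 101st request, and the same IP allowed again once its old hits age out of the window.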

14
Q

What is Penetration Testing on AWS?

A

It is a simulated cyber attack against your own system to check for exploitable vulnerabilities.

Stages:
1. Planning and reconnaissance. Define the goal and scope of the test and gather information about the target.
2. Scanning. Assess how the system responds to attacks (static and dynamic analysis).
3. Gaining access. Evaluate whether it is possible to get into the system (web attacks such as SQL injection, XSS, etc.).
4. Maintaining access. Evaluate how long an intruder could keep a foothold in the system once inside.
5. Analysis and WAF configuration. With the results, set the proper rules on the WAF and fix the vulnerabilities found.

On AWS you may run penetration tests against your own resources on the permitted services (e.g. EC2, RDS, Lambda, API Gateway, CloudFront) without prior approval, but DoS/DDoS simulation, port/protocol/request flooding and DNS zone walking of Route 53 hosted zones are prohibited.

Page 341

https://www.imperva.com/learn/application-security/penetration-testing/

15
Q

What are Data at Rest and Data in Transit?

A

Data at Rest: any data that is kept/stored/archived (on disk, in a database, in a bucket).

Data in Transit: any data travelling along communication paths, over public or private networks (protected with TLS).

Page 343

16
Q

What are Encryption Keys?

A

They are the keys used to encrypt and decrypt data in transit or at rest. Whoever holds (or is allowed to use) the key can read the data, so controlling the keys is the core of data protection.

17
Q

What is AWS KMS?

A

AWS Key Management Service
+ It is the managed service that creates, stores and controls the use of encryption keys.
+ It is integrated with most AWS services, which encrypt their data with KMS keys; every use of a key is logged in CloudTrail.

Page 344

18
Q

Which three services encrypt data automatically (per the course)?

A
  1. AWS CloudTrail logs
  2. S3 Glacier
  3. Storage Gateway

In all other services encryption is optional and has to be enabled by the customer.

Page 344

19
Q

What is CloudHSM?

A

A dedicated, single-tenant hardware security module (HSM) cluster running in AWS (FIPS 140-2 Level 3 validated).
AWS provisions and maintains the hardware, but unlike KMS it does not manage your keys: you generate, store and manage the keys (and the HSM users) yourself, and AWS has no access to them. It can also back a KMS custom key store.

Page 345

https://aws.amazon.com/es/cloudhsm/

20
Q

What are the types of Customer Master Keys (CMK, now called KMS keys)?

A
  1. Customer managed CMK. Created by the customer, who has full control over the key (key policy, rotation, deletion).
  2. AWS managed CMK. Keys that AWS services create on our behalf in our account (alias aws/<service>); we can see their usage but not manage them.
  3. AWS owned CMK. Keys created and managed by AWS for its own use across many accounts; not visible in our account.
  4. CloudHSM keys. Keys generated in your own CloudHSM cluster (custom key store).

Page 347

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html

21
Q

What is ACM?

A

AWS Certificate Manager
+ Provisions and deploys TLS/SSL certificates.
+ Performs automatic renewal of the certificates it issues.
+ Supports public and private certificates.

Page 348

22
Q

Which services can use ACM certificates?

A

+ Elastic Load Balancer
+ CloudFront distributions
+ API Gateway

Page 348

23
Q

What is AWS Secrets Manager?

A

+ It is a store for all kinds of private credentials (database passwords, API keys, tokens) for AWS or third-party services.
+ It integrates with Amazon RDS to rotate database credentials.
+ Secrets are encrypted at rest with KMS.
+ It can rotate secrets automatically (using a Lambda function), avoiding long-lived static secrets.

Page 348

24
Q

What is AWS Artifact?

A

It is a portal where you can view and download AWS compliance documentation (audit reports) and AWS agreements.

It is useful to support internal audits or compliance requirements.

Page 350

25
Q

What is Amazon GuardDuty?

A

It is an intelligent threat detection service that continuously monitors for malicious activity and unauthorized behaviour, based on:
+ Behaviour of the accounts (API calls, credential use).
+ Behaviour of the workloads (network traffic, DNS queries).

Page 351

26
Q

Where does Amazon GuardDuty get the information it analyzes with ML?

A
  • CloudTrail event logs (management events and S3 data events).
  • VPC Flow Logs.
  • DNS query logs (Route 53 resolver).
  • Kubernetes (EKS) audit logs.
  • Other AWS data sources that can be enabled in GuardDuty as protection plans.

GuardDuty reads these from its own internal feeds: you do not need to enable VPC Flow Logs or CloudTrail yourself for it to work.

Page 351
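To make concrete what kind of signal those sources carry, here is an added example (not GuardDuty's code, which is not public) that runs two GuardDuty-style detections over constructed VPC Flow Log lines in the default 14-field record format. The finding type names are GuardDuty's real ones; the thresholds, the threat list and the log lines are assumptions made up for the example.

```python
"""GuardDuty-style detections over VPC Flow Log lines (added example, not GuardDuty code).

Default record format: version account-id interface-id srcaddr dstaddr srcport dstport
protocol packets bytes start end action log-status
"""
from collections import defaultdict

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")


def parse(line):
    """Parse one default-format record; None for malformed or NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":          # NODATA/SKIPDATA lines carry '-' in the fields
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def detect(lines, threat_ips, scan_threshold=20):
    """Findings modelled on Recon:EC2/Portscan and UnauthorizedAccess:EC2/MaliciousIPCaller
    (type names are GuardDuty's; thresholds and logic are assumptions)."""
    records = [r for r in map(parse, lines) if r]
    findings = []

    # Port scan: one source collects REJECTs on many distinct TCP ports of one host.
    rejected_ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == 6:
            rejected_ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    for (src, dst), ports in sorted(rejected_ports.items()):
        if len(ports) >= scan_threshold:
            findings.append({"type": "Recon:EC2/Portscan", "remote": src,
                             "resource": dst, "ports": len(ports)})

    # Threat-list hit: an ACCEPTed flow where the peer is a known-bad address.
    seen = set()
    for r in records:
        if r["action"] != "ACCEPT":
            continue
        for local, remote in ((r["srcaddr"], r["dstaddr"]), (r["dstaddr"], r["srcaddr"])):
            key = (local, remote, r["dstport"])
            if remote in threat_ips and key not in seen:
                seen.add(key)
                findings.append({"type": "UnauthorizedAccess:EC2/MaliciousIPCaller",
                                 "remote": remote, "resource": local, "port": r["dstport"]})
    return findings


def sample_log():
    """Constructed lines: a TCP sweep of ports 1-25 against 10.0.1.5, normal HTTPS
    traffic, one outbound connection to a listed address on port 4444, one NODATA line."""
    eni, acct = "eni-0a1b2c3d", "123456789012"
    lines = [f"2 {acct} {eni} 198.51.100.77 10.0.1.5 40000 {p} 6 1 40 1700000000 1700000060 REJECT OK"
             for p in range(1, 26)]
    lines += [
        f"2 {acct} {eni} 10.0.1.5 10.0.2.9 51000 443 6 12 3400 1700000000 1700000060 ACCEPT OK",
        f"2 {acct} {eni} 10.0.2.9 10.0.1.5 443 51000 6 10 9000 1700000000 1700000060 ACCEPT OK",
        f"2 {acct} {eni} 10.0.1.5 192.0.2.66 52000 4444 6 30 2200 1700000100 1700000160 ACCEPT OK",
        f"2 {acct} {eni} - - - - - - - 1700000100 1700000160 - NODATA",
    ]
    return lines


THREAT_IPS = {"192.0.2.66"}   # stand-in for a threat intelligence list (assumption)

if __name__ == "__main__":
    for finding in detect(sample_log(), THREAT_IPS):
        print(finding)
```

The port-scan logic keys on REJECT records because a closed port or a security-group drop is exactly what flow logs record for a probe; the threat-list check looks at both directions of an accepted flow, since the compromised instance is the one initiating the connection in the command-and-control case.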

27
Q

What is Amazon Inspector?

A

Automated security assessments
+ A managed service that uses the SSM Agent on EC2 instances.
+ Analyzes the OS and installed packages looking for known vulnerabilities (CVEs).
+ Analyzes unintended network accessibility (ports reachable from outside).
+ Works on EC2 instances, container images pushed to ECR, and Lambda functions.

Page 353

28
Q

Which of these services can Amazon Inspector use to report its findings?

A. SNS
B. SQS
C. Security Hub
D. EventBridge

A

C (Security Hub) and D (EventBridge)

Page 353

29
Q

What is AWS Config?

A

It is a service that:
+ Records the configuration of your AWS resources over time.
+ Audits and monitors those configurations.
+ Evaluates them against rules (AWS managed or custom) for compliance.
+ Automates remediation of non-compliant resources (e.g. via SSM Automation documents).
+ Tracks changes to configurations and links them to the API calls that made them.

https://aws.amazon.com/es/config/

Page 355
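The "evaluate against rules" point is easiest to see with a custom rule. The following is an added example, not AWS's or the course's code: a Lambda handler in the shape AWS Config uses for custom rules, which marks a security group NON_COMPLIANT when an inbound rule is open to the world on a port outside an `allowedPorts` rule parameter. The event contract (`invokingEvent`, `ruleParameters`, `resultToken`) is Config's; the exact field layout of the security-group configuration item is an assumption noted in the code, and the sample groups are constructed.

```python
"""AWS Config custom rule for world-open security groups (added example).

A group is NON_COMPLIANT if any inbound rule reachable from 0.0.0.0/0 or ::/0
covers a port outside the `allowedPorts` rule parameter (default 80,443).
"""
import json

WORLD = {"0.0.0.0/0", "::/0"}


def open_cidrs(permission):
    """CIDRs of one ipPermissions entry. Config records IPv4 ranges as strings in
    `ipRanges` and/or as {"cidrIp": ...} in `ipv4Ranges`, IPv6 as {"cidrIpv6": ...}
    in `ipv6Ranges` (assumed configuration-item shape); all three are handled."""
    cidrs = set()
    for r in permission.get("ipRanges", []):
        cidrs.add(r if isinstance(r, str) else r.get("cidrIp"))
    for r in permission.get("ipv4Ranges", []):
        cidrs.add(r.get("cidrIp"))
    for r in permission.get("ipv6Ranges", []):
        cidrs.add(r.get("cidrIpv6"))
    return cidrs


def world_open(sg_config, allowed_ports):
    """Describe inbound rules reachable from the world outside the allow-list."""
    findings = []
    for perm in sg_config.get("ipPermissions", []):
        if not (open_cidrs(perm) & WORLD):
            continue
        proto, lo, hi = perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")
        if proto == "-1":                       # all protocols, all ports
            findings.append("all traffic")
        elif lo is None or hi is None:          # e.g. ICMP: no port range
            findings.append(f"{proto} (all)")
        elif any(p not in allowed_ports for p in range(lo, hi + 1)):
            findings.append(f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}")
    return findings


def evaluate(ci, params):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if ci["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "not a security group"
    if ci.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "resource deleted"
    allowed = {int(p) for p in params.get("allowedPorts", "80,443").split(",")}
    findings = world_open(ci["configuration"], allowed)
    if findings:
        return "NON_COMPLIANT", "world-open: " + ", ".join(findings)
    return "COMPLIANT", "no world-open ports outside the allow-list"


def lambda_handler(event, context):
    """Config calls the rule with `invokingEvent` (JSON string holding the
    configuration item) and `ruleParameters` (JSON string)."""
    ci = json.loads(event["invokingEvent"])["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, note = evaluate(ci, params)
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],                 # Config caps annotations at 256 chars
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    # Deployed version would also call: boto3.client("config").put_evaluations(
    #     Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def sample_event(sg_id, permissions):
    """Constructed Config invocation for one security group."""
    ci = {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": sg_id,
          "configurationItemStatus": "OK",
          "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
          "configuration": {"groupId": sg_id, "ipPermissions": permissions}}
    invoking = {"configurationItem": ci, "messageType": "ConfigurationItemChangeNotification"}
    return {"invokingEvent": json.dumps(invoking),
            "ruleParameters": json.dumps({"allowedPorts": "80,443"}), "resultToken": "TESTMODE"}


SAMPLES = {   # constructed groups: SSH open to the world, a clean one, and allow-all over IPv6
    "sg-0bad": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["0.0.0.0/0"]},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}],
    "sg-0ok": [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": ["0.0.0.0/0"]},
               {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": ["10.0.0.0/8"]}],
    "sg-0all": [{"ipProtocol": "-1", "ipv6Ranges": [{"cidrIpv6": "::/0"}]}],
}


def run_samples():
    return {sg: lambda_handler(sample_event(sg, perms), None) for sg, perms in SAMPLES.items()}


if __name__ == "__main__":
    for sg, ev in run_samples().items():
        print(sg, ev["ComplianceType"], "-", ev["Annotation"])
```

The handler returns the evaluation instead of calling `put_evaluations` so the logic can be tested offline; in a deployed rule the commented call is what reports the result back to Config, which then feeds remediation and the change timeline.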

30
Q

With AWS Config, can you store the configuration history in AWS storage?

A

Yes, configuration snapshots and history are delivered to an S3 bucket (and change notifications can go to an SNS topic).

Page 355

31
Q

Is AWS Config a global service?

A

No, it is a regional service, but a Config aggregator can collect data across regions and accounts.

Page 355

32
Q

Does AWS Config detect changes in an Auto Scaling architecture?

A

Yes, it records them as configuration changes and reports them as events (e.g. to EventBridge or SNS).

Page 356

33
Q

What is Amazon Macie?

A

It is a fully managed service that uses ML and pattern matching to discover sensitive data stored in S3 and alert you so that you can protect it.

It works with patterns (managed and custom data identifiers).

Page 357

34
Q

Is PII part of the data Macie works with?

A

YES. Personally Identifiable Information (PII) such as names, addresses, credit card numbers and SSNs is detected by Macie and reported as findings (Macie does not redact or delete the data itself).

Page 357
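The pattern side of Macie's discovery is simple enough to show. The following is an added example, not Macie's code: a classification pass over a few constructed S3-style objects using regexes for e-mail addresses, US SSNs, card numbers and AWS access key IDs, with a Luhn check that discards digit runs that are not real card numbers and a redacted preview so the report does not itself leak the value. The identifier names are borrowed from Macie's managed data identifier IDs; the regexes, the redaction format and the sample objects are assumptions.

```python
"""Pattern-based sensitive-data discovery in the style of a Macie job (added example).

Macie pairs ML with managed data identifiers; this shows only the pattern side.
"""
import re
from collections import Counter


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


PATTERNS = {   # assumption: simplified regexes, named after Macie's identifier IDs
    "EMAIL_ADDRESS": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "USA_SOCIAL_SECURITY_NUMBER": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "CREDIT_CARD_NUMBER": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "AWS_ACCESS_KEY_ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}


def redact(value):
    """Keep only the first and last two characters so a finding can be triaged
    without copying the sensitive value into the report."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan(text):
    """Return findings (type, offset, redacted preview) for one object, by offset."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if kind == "CREDIT_CARD_NUMBER":
                digits = re.sub(r"[ -]", "", value)
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue       # order/tracking/phone numbers fail the checksum
            findings.append({"type": kind, "offset": m.start(), "preview": redact(value)})
    return sorted(findings, key=lambda f: f["offset"])


def classify(objects):
    """objects: mapping of S3 key -> decoded content. Returns, per object, how many
    occurrences of each data type were found, like a job's per-object counts."""
    return {key: dict(Counter(f["type"] for f in scan(body))) for key, body in objects.items()}


SAMPLE_BUCKET = {   # constructed objects; 4111... is the well-known test card number
    "exports/customers.csv": "name,email,ssn\nAlice,alice@example.com,078-05-1120\n",
    "logs/app.log": "order 4111 1111 1111 1111 paid; tracking ref 1234567890123 shipped\n",
    "config/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "public/readme.txt": "Nothing sensitive here, call 555-0100 for support.\n",
}

if __name__ == "__main__":
    for key, counts in classify(SAMPLE_BUCKET).items():
        print(f"{key:25} {counts or 'no findings'}")
    for finding in scan(SAMPLE_BUCKET["logs/app.log"]):
        print(finding)
```

The Luhn step is the part worth noticing: a bare 13-19 digit regex would flag the tracking reference in the log file as a card number, which is the kind of false positive that makes a discovery job unusable at bucket scale.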

35
Q

What is AWS Security Hub?

A

Central security tool to manage security across several AWS accounts and automate security checks.

Page 357

36
Q

Which of these services are NOT integrated with AWS Security Hub?

A. GuardDuty
B. AWS CloudFront
C. Inspector
D. Macie
E. IAM Access Analyzer
F. AWS Systems Manager
G. AWS Firewall Manager
H. AWS Partner Network Solutions
I. Must first enable AWS Config
J. AWS Lambda
K. AWS CloudWatch Logs

A

B, J, K
All the other services are part of the security suite that integrates with AWS Security Hub (I is not a service but a prerequisite: AWS Config must be enabled first).

Page 358

37
Q

What is Amazon Detective?

A

It is a service that analyzes and identifies the ROOT cause of security issues or suspicious activity (for example a GuardDuty finding), using graphs built from the collected data.

Page 360

38
Q

Where does Amazon Detective take the information it analyzes from?

A

From events of:
+ VPC Flow Logs
+ CloudTrail
+ GuardDuty findings

Page 360

39
Q

Does Amazon Detective have a UI?

A

Yes, all the information collected and processed is organized in a unified view with visualizations.

Page 360

40
Q

What is AWS Abuse?

A

The AWS Abuse team handles reports of AWS resources used for abusive or illegal purposes (spam, port scanning, DDoS, intrusion attempts, hosting malware).

Reports can be submitted through the AWS Abuse form, and AWS will contact you if your own resources are reported.

Page 361, 364

41
Q

What is the Root User?

A

+ It is the account owner (created with the email used to open the account).
+ Some tasks can only be done as root, e.g. closing the account or changing account settings and the support plan.
+ Has complete, unrestricted access to all AWS services and resources.
+ Has complete access to manage the account's sub-accounts.
+ Has the rights to register as a seller on the Marketplace.
+ Best practice: protect it with MFA, do not create access keys for it, and use it only for the tasks above.

Page 362

42
Q

A company would like to secure network communications using SSL & TLS certificates. Which AWS service can it use?

A

AWS Certificate Manager (ACM)