Security & Compliance

Question 1

AWS Shield Standard

Answer 1

Default DDOS protection

Question 2

AWS Shield Advanced

Answer 2

24/7 premium DDOS protection

Question 3

AWS WAF

Answer 3

Rules based filtering
Layer 7 protection (HTTP)
Deploy on ALB, API, CloudFront

Question 4

CloudFront and Route53

Answer 4

Protection at the edge

Question 5

AWS Shield

Answer 5

Protects against common attacks (syn floods, reflection attacks, etc.)

Question 6

AWS Shield Advanced

Answer 6

Protects against more sophisticated attacks on major AWS services
24/7 Response Team
$3,000/month/organization

Question 7

Web ACL

Answer 7

WAF feature
Rules for IP, HTTP headers, HTTP body, URI
SQL Injection, XSS
geo-block

Question 8

Best way to protect entire VPC?

Answer 8

AWS Network Firewall

Question 9

Pentesting on AWS Cloud

Answer 9

Don’t need auth for 8 core services

Question 10

Pentesting restrictions

Answer 10

No DOS
No network flooding
No Request flooding
No DNS zone walking

Question 11

AWS KMS

Answer 11

AWS manages encryption keys

Question 12

Services needing encryption opt-in (5)

Answer 12

EBS volumes
S3
Redshift
RDS
EFS

Question 13

Services with default encryption (3)

Answer 13

Cloudtrail logs
S3 Glacier
Storage gateway

Question 14

CloudHSM

Answer 14

AWS provisioned encryption HW

Question 15

CloudHSM

Answer 15

Manage your own keys

Question 16

Customer managed CMK

Answer 16

Customer managed keys, BYOK, rotation policy

Question 17

AWS managed CMK

Answer 17

AWS manages keys

Question 18

AWS owned CMK

Answer 18

Collection of CMK’s to use in multiple accounts

Question 19

AWS Certificate Manager (ACM)

Answer 19

Create TLS certs

Question 20

Certificate Manager cost

Answer 20

Free

Question 21

AWS Secrets Manager

Answer 21

Store secrets
Capable of rotation

Question 22

Secrets Manager integrated with which service?

Answer 22

RDS

Question 23

AWS Artifact

Answer 23

Compliance and agreements portal

Question 24

Guard Duty

Answer 24

Looks at logs and events to find threats and unusual traffic

Question 25

Which service is good for finding cryptocurrency attacks?

Answer 25

GuardDuty

Question 26

Amazon Inspector

Answer 26

Automated vulnerability inspections

Question 27

Which service performs vulnerability scanning on EC2, container images, and Lambda?

Answer 27

Amazon inspector

Question 28

AWS Config

Answer 28

Records configurations and changes
Ensures settings compliance
Stored in S3

Question 29

Amazon Macie

Answer 29

Fully managed service to discover and protect sensitive data (PII) in AWS

Question 29

AWS Security Hub

Answer 29

Centralized security dashboard
Aggregates alerts
Requires AWS Config
Costs $

Question 29

Amazon Detective

Answer 29

Root cause analysis for security issues or suspicious activity

Question 30

AWS Abuse

Answer 30

Report suspicious AWS services to AWS

Question 31

Root user is who?

Answer 31

Account owner

Question 32

Root user unique permissions

Answer 32

Change account settings
Close account
Change/Cancel support plan
Register as a reseller for reserved instances
More

Question 33

IAM Access Analyzer

Answer 33

Find services shared externally

Question 34

Zone of trust

Answer 34

AWS Account or org. Anything outside of the zone may be an finding.