Security & Compliance

Question 1

What principle should be applied to AWS users, application users, and other clouds and data centers connected to AWS?

Answer 1

The principle of least privilege.

Question 2

What is the shared responsibility model in AWS?

Answer 2

The customer is responsible for security in the cloud, while AWS is responsible for security of the cloud.

Question 3

What are the core tenets of security in the Well-Architected Framework?

Answer 3

Identity and access management, data stewardship and encryption, network security, application security compliance, and security management.

Question 4

Who is responsible for access management in AWS?

Answer 4

The customer is responsible for access management in their AWS cloud.

Question 5

What are customers responsible for in terms of operating systems and networking within their AWS account?

Answer 5

Customers are responsible for ensuring secure connections to VPC resources, keeping EC2 instances’ operating systems and security patches up to date, and provisioning firewalls to secure their network.

Question 6

What is the principle of least privilege?

Answer 6

It is the practice of giving the minimum permissions necessary to complete a task.

Question 7

How can customers offload some security responsibilities using managed services?

Answer 7

For instance, customers are responsible for security OS patches and encryption on EC2, but on RDS, these are built-in features.

Question 8

Who is responsible for encryption on AWS?

Answer 8

The customer is responsible for client-side encryption, encryption in transit, and encryption at rest.

Question 9

What can IAM policies be applied to?

Answer 9

IAM policies can be applied to users, user groups, and IAM roles, which can then be applied to resources or applications.

Question 10

What is encryption in transit and what AWS service helps with it?

Answer 10

Encryption in transit revolves around HTTPS, and AWS Certificate Manager helps with obtaining TLS certificates.

Question 11

What is IAM Identity Center used for?

Answer 11

IAM Identity Center is used to give users access to AWS resources by leveraging existing single sign-on directories.

Question 12

How is S3 encrypted by default?

Answer 12

S3 is encrypted by default using SSE S3 managed keys.

Question 13

What is Macie used for in AWS?

Answer 13

Macie is used to scan S3 buckets for sensitive information.

Question 14

How are EBS volumes and RDS instances encrypted?

Answer 14

They are encrypted by KMS (Key Management Service).

Question 15

What must you do to encrypt an existing RDS instance?

Answer 15

You must create a copy of the existing RDS instance to enable encryption.
- Then you restore the snapshot, modify connections, load balancers.
- Test if the RDS is working as supposed to.

Question 16

What are Parameter Store and Secrets Manager used for?

Answer 16

They are used to securely store parameters like login credentials or environment variables, with Secrets Manager also able to automatically rotate those secrets.

Question 17

What does AWS WAF protect against?

Answer 17

is a web application firewall service provided by Amazon Web Services. It helps protect web applications from common web-based attacks and provides additional security layers to your applications running on AWS infrastructure.

Question 18

What does AWS Shield protect against?

Answer 18

AWS Shield protects against DDoS attacks (Distributed Denial of Service).

Question 19

What does AWS Firewall Manager do?

Answer 19

AWS Firewall Manager manages AWS WAF, AWS Shield, and other security settings across multiple accounts.

Question 20

What is AWS Security Hub?

Answer 20

AWS Security Hub provides a single-pane view to prioritize and take action on security findings from multiple AWS services.

Question 21

Who are the four horsemen of security confusion?

Answer 21

Trusted Advisor, Amazon GuardDuty, Amazon Detective, and Amazon Inspector.

Question 22

What does AWS Trusted Advisor do?

Answer 22

AWS Trusted Advisor provides best practice advice.

Question 23

What does Amazon GuardDuty do?

Answer 23

Amazon GuardDuty alerts you if it detects active threats.

Question 24

What does Amazon Detective help with?

Answer 24

Amazon Detective helps investigate security events that have already happened.

Question 25

What does Amazon Inspector detect?

Answer 25

Amazon Inspector detects workload vulnerabilities, including software and network vulnerabilities.

Question 26

What is AWS Artifact used for?

Answer 26

AWS Artifact is used to download compliance documents to prove compliance and help improve AWS architecture.

Question 27

What is AWS Organizations used for?

Answer 27

AWS Organizations helps manage multiple accounts and enables consolidated billing.

Question 28

What is AWS Control Tower used for?

Answer 28

AWS Control Tower automates best practices in multi-account management.

Question 29

How does AWS Security Hub integrate with AWS Organizations?

Answer 29

AWS Security Hub provides an organization-wide view of security findings and integrates well with AWS Organizations.

Question 30

Your company wants to use machine learning to assist in monitoring for sensitive data such as PII (personally identifiable information) in their S3 buckets. How can they most easily achieve this?

Answer 30

Macie uses machine learning (ML) and pattern matching to discover and help you protect your sensitive data.

Question 31

Which AWS service will protect your AWS resources from DDoS attacks?

Answer 31

AWS Shield

Question 32

Your company has decided to split its workloads into multiple AWS accounts, but it still wants to be able to take advantage of consolidated billing. How can it accomplish this?

Answer 32

Use AWS Organizations to manage multiple accounts.

Question 33

Your company want to leverage machine learning to automatically detect security events across your AWS environment. How can they achieve this with the lowest operational overhead?

1. Trusted Advisor
2. Enable Amazon Inspector
3. Enable GuardDuty
4. Enable Detective

Answer 33

While Detective does leverage machine learning, its purpose is primarily investigating security events that have already happened.

Correct Answer
GuardDuty is an intelligent threat detection service that can dynamically detect threats across your AWS account or Organization.

Question 34

Which service can be used to scan for network and software vulnerabilities on your EC2 instances?

1. GuardDuty
2. Detective
3. Trusted Advisor
4. Inspector

Answer 34

Inspector

Question 35

What is the easiest way to ensure that you S3 objects are encrypted at rest?

1. Encrypt the S3 bucket with Secrets Manager.
2. Encrypt the data at rest by applying KMS managed keys.
3. Use Certificate Manager to provision SSL/TLS certificates to encrypt the S3 bucket.
4. S3 buckets are server-side encrypted by default with SSE-S3 managed keys.

Answer 35

S3 buckets are server-side encrypted by default with SSE-S3 managed keys.

Question 36

What can you use to assign granular permissions to users, roles, and groups?

1. KMS
2. IAM Policies
3. Security Token Service (STS)
4. Config Rules

Answer 36

IAM Policies

Question 37

A regulator has requested documentation that proves your AWS solutions can meet GDPR compliance. What service can help with this?

1. AWS Control Tower
2. AWS Cloud Security
3. AWS Artifact
4. Security Hub

Answer 37

AWS Artifact