Security & Compliance Flashcards
Which AWS services support VPC Gateway Endpoint for private connection from a VPC? (two)
Amazon S3
Amazon DynamoDB
VPC Gateway Endpoint: Enables a private connection to supported AWS services without an internet gateway, NAT device, VPN connection, or Direct Connect.
Two Types of VPC Endpoints:
- Interface Endpoint: Uses private IP, powered by AWS PrivateLink.
- Gateway Endpoint: A target in a route table; supports S3 and DynamoDB.
Which AWS resources are protected by AWS Shield Advanced against DDoS attacks?
Amazon Route 53
AWS Global Accelerator
- AWS Shield Advanced provides advanced protection for network layer (Layer 3), transport layer (Layer 4), and application layer (Layer 7) DDoS attacks.
- Protection extends to web applications running on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, Route 53, and Global Accelerator.
What is a recommended method to provide programmatic access to AWS resources?
Use Access Key ID and Secret Access Key
- These keys are long-term credentials for IAM users or root accounts.
- Access Key ID and Secret Access Key are used together to sign programmatic requests through AWS CLI, SDKs, or the API.
- Store both parts of the key securely, as the secret access key can only be retrieved at creation time. If it is lost, you must create a new pair.
Access Key ID and Secret Access Key are linked to which AWS IAM entities?
IAM User
- Access keys are long-term credentials for IAM users or the AWS root account and are used to sign programmatic requests.
- The access key pair consists of Access Key ID and Secret Access Key, which authenticate requests to AWS services.
Which two AWS services have data encryption automatically enabled?
Amazon S3
- Default encryption for all objects using server-side encryption (SSE-S3)
AWS Storage Gateway
- Encrypts all data transferred between the gateway and AWS storage using SSL
- Applies to File, Volume, and Tape Gateways
Which two AWS services specialize in data migration from on-premises to AWS Cloud?
AWS Snowball
- Physically transports large-scale data using secure devices
- Moves terabytes to petabytes efficiently
AWS Database Migration Service (DMS)
- Migrates operational databases with minimal downtime
- Supports commercial and open-source databases
What types of best practice recommendations does AWS Trusted Advisor provide?
Cost Optimization: Identifies underutilized resources to help reduce costs.
Service Limits: Alerts when usage is approaching AWS limits to prevent disruptions.
Performance: Helps optimize the performance of your AWS environment.
Security: Provides guidance on securing your AWS resources.
Fault Tolerance: Suggests improvements to enhance the resilience of your infrastructure.
How can a company centralize and manage logs from both AWS and on-premises servers?
Amazon CloudWatch Logs collects and stores logs from:
- EC2 instances
- AWS services (CloudTrail, Route 53, etc.)
- On-premises servers
Provides search, filtering, and analysis of logs.
Helps with troubleshooting, security monitoring, and auditing.
Can AWS customers conduct security assessments on their own AWS infrastructure?
Yes, penetration testing is allowed for certain AWS services without prior approval.
- Customers cannot test AWS infrastructure itself, only their own resources.
- AWS provides a list of approved services for self-initiated penetration testing.
Which AWS authentication mechanism supports an AWS Multi-Factor Authentication (AWS MFA) device that you can plug into a USB port on your computer?
U2F (Universal 2nd Factor) Security Key
- A physical device that plugs into a USB port.
- Uses FIDO Alliance standards for secure authentication.
- Instead of entering a code, users tap the device after entering credentials.
Where can AWS customers access compliance documents, such as Payment Card Industry (PCI) reports?
AWS Artifact
- A self-service portal for compliance reports and security certifications.
- Provides SOC reports, PCI reports, and accreditation certifications.
- Available at no cost for AWS customers.
What are two benefits of AWS Web Application Firewall (AWS WAF)?
Can block all requests except the ones you allow – Useful for restricting access based on specific request properties like IP addresses.
Can check for SQL injection – Detects and blocks requests containing malicious SQL code.
Which AWS entity lists all users in an account and provides details on passwords, access keys, and MFA devices?
Credential Report
- Lists all users in an AWS account.
- Shows the status of passwords, access keys, and MFA devices.
- Useful for auditing and compliance efforts.
What AWS service provides operational insights into resources and helps identify potential issues affecting applications?
AWS Systems Manager
- Centralizes operational data and automates tasks across AWS resources.
- Allows grouping resources for monitoring and management.
- Provides insights into API activity, configuration changes, operational alerts, software inventory, and compliance.
- Helps maintain visibility and control over AWS operations.
What AWS service provides temporary security credentials to control access to AWS resources?
AWS Security Token Service (AWS STS)
- Issues temporary, limited-privilege security credentials.
- Supports IAM users and federated users.
- Temporary credentials expire after a configurable period.
- Reduces security risks compared to long-term access keys.
What is AWS Control Tower, and how does it help manage AWS accounts?
AWS Control Tower is a service that simplifies multi-account AWS management using pre-defined blueprints and guardrails.
- Automates the setup of a secure, well-architected landing zone for new AWS accounts.
- Helps enforce security, compliance, and governance across multiple accounts.
- Provides preventive and detective guardrails to guide best practices.
- Works with AWS Organizations, AWS IAM Identity Center, AWS Config, and Service Control Policies (SCPs) for governance.
What are AWS Service Control Policies (SCPs) and how do they enhance security?
AWS Service Control Policies (SCPs) are IAM-like policies applied at the organizational level to control AWS service permissions.
- Used with AWS Organizations to set account-wide restrictions.
- Do not grant permissions but act as a guardrail to limit what IAM roles and users can do.
- Can enforce security best practices, such as blocking root account access or restricting certain AWS regions.
- Help organizations ensure compliance by preventing unauthorized actions across all accounts.
What is the easiest way to encrypt AWS service data using AWS Key Management Service (KMS)?
AWS-managed KMS keys
- AWS automatically creates and manages encryption keys for supported services.
- These keys are known as AWS-managed keys (previously called AWS-managed CMKs).
- Used only within your AWS account.
- Cannot be managed, rotated, or deleted manually.
- Some AWS services cover encryption costs on your behalf.
- Visible in the AWS KMS console under “AWS managed keys.”
On which AWS services can AWS Web Application Firewall (WAF) be deployed?
- Amazon CloudFront (for global content delivery)
- Application Load Balancer (ALB) (for web applications)
- Amazon API Gateway (for securing APIs)
- AWS AppSync (for GraphQL APIs)
- AWS WAF helps protect applications from common threats like SQL injection and cross-site scripting (XSS).
Which data sources does Amazon Detective use to analyze security events?
AWS CloudTrail logs, Amazon VPC Flow Logs, and Amazon GuardDuty findings
- Amazon Detective processes data from AWS CloudTrail, VPC Flow Logs, and GuardDuty findings.
- It analyzes trillions of events to create an interactive security view of resources, users, and interactions.
- Requires GuardDuty to be enabled for at least 48 hours before activation.
By default, which type of events does AWS CloudTrail log?
Management events
- CloudTrail logs management events (also called control plane operations) by default.
- Examples: registering devices, configuring routing rules, setting up logging.
- Data events and CloudTrail Insights require additional configuration and incur extra costs.