Security & Compliance (25%) Flashcards

1
Q

What is AWS responsible for in terms of security? (4)

A

o AWS global infrastructure – includes regions, edge locations, and availability zones.
o Building security – AWS controls access to its data centers where your data resides.
o Maintains networking components (generators, etc.).
o Responsible for any managed software service like RDS, S3, ECS, Lambda, patching of host operating systems, and data access endpoints.

2
Q

What is the customer responsible for in terms of security? (6)

A

o Application data (includes encryption options – scrambling data so only authorized people can read it)
o Security configuration – responsible for securing your account & API calls, rotating credentials, and restricting internet access from your VPCs
o Patching – guest operating system, which includes updates and security patches
o Identity & access mgmt. – application security and identity & access management
o Network traffic protection – which includes security group firewall configuration
o Installed software – your application code; you should frequently scan your code for vulnerabilities.

3
Q

What is the EC2 shared responsibility model? (AWS vs. the customer)

A
  • AWS is responsible for patching the host operating system and the security of the physical server.
  • The customer is responsible for installed applications, patching the guest operating system, and security controls.
4
Q

What is the Lambda shared responsibility model? (AWS vs. the customer)

A
  • AWS is responsible for the Lambda service, upgrading Lambda languages, Lambda endpoints, the operating system, the underlying infrastructure, and software dependencies.
  • The customer is responsible for the security of the code, storage of sensitive data, and IAM for permissions.
5
Q

What are the shared responsibilities between AWS and the customer?

A
  • Patch management: AWS patches the infrastructure; you patch the guest operating system & applications.
  • Configuration management: AWS configures infrastructure devices; you configure databases & applications.
  • Awareness & training: AWS is responsible for training its employees; you are responsible for training your employees.
6
Q
What is the Well-Architected Framework? (6 Pillars)
1 - 3
2 - 5
3 - 5
4 - 4
5 - 4
6 - 6
A

1) Operational Excellence – creating applications that effectively support production workloads
a. Deploy smaller, reversible changes
b. Script operations as code
c. Learn from failure & refine

2) Security – put mechanisms in place that help protect your systems & data
a. Automate security tasks
b. Encrypt data in transit & at rest
c. Assign only the least privileges required
d. Track who did what & when
e. Ensure security at all application layers

3) Reliability – designing systems that work consistently & recover quickly
a. Recover from failure automatically
b. Scale horizontally for resilience
c. Reduce idle resources
d. Manage change through automation
e. Test recovery procedures

4) Performance Efficiency – effective use of computing resources to meet system & business requirements while removing bottlenecks
a. Use serverless architectures first
b. Use multi-region deployments
c. Delegate tasks to a cloud vendor
d. Experiment with virtual resources

5) Cost Optimization – focuses on delivering optimum & resilient solutions at the least cost to the user
a. Utilize consumption-based pricing
b. Implement cloud financial management
c. Measure overall efficiency
d. Pay only for resources your application requires

6) Sustainability – addresses the long-term environmental, economic, and societal impact of your business activities.
a. Understand your impact
b. Establish sustainability goals
c. Maximize utilization
d. Anticipate and adopt new, more efficient hardware and software offerings
e. Use managed services
f. Reduce the downstream impact of your cloud workloads

7
Q

How do you apply the 6 pillars in the real world?

A

1) Operational Excellence – use AWS CodeCommit for version control, so you can track code changes and version-control the CloudFormation templates that define your infrastructure.
2) Security – Use CloudTrail to configure central logging of all actions performed in your account.
3) Reliability – use multi AZ deployments for enhanced availability & reliability of RDS databases.
4) Performance Efficiency – use Lambda to run code with zero administration.
5) Cost Optimization – use S3 intelligent tiering to automatically move your data between access tiers based on your usage patterns.
6) Sustainability – use automation to manage the lifecycle of your development and test environments, and use managed device farms for testing.

8
Q

What allows you to control access to your AWS services & resources?
Benefits (2)

A

IAM (Identity & Access Management)

  • A free global service that helps you secure your cloud resources.
  • You define who has access & what they can do.
9
Q

What are entities you create in IAM to represent the person or application needing to access your AWS resources?

A

Users (applications can also be users)

10
Q

Identities vs. Access?

A

Identities – who can access your resources (root user, individual users, groups, roles)
Access – what resources they can access (policies, AWS managed policies, customer managed policies, permissions boundaries)

11
Q

Authentication (who) vs. Authorization (what)?

A

Authentication – where you present your identity (username) & provide verification (password)
Authorization – determines what services & resources the authenticated identity has access to

12
Q

What can only the root user do?

A

Close your account, change the account email address, modify the support plan

13
Q

What can individual users do?

A

Perform administrative tasks, launch EC2 instances, access application code, configure databases

14
Q

What is the principle of least privilege?

A

Giving a user the minimum access required to get the job done.

15
Q

What is a collection of IAM users that helps you apply common access controls to all group members?

A

Groups

16
Q

What are some examples of groups? (3)

A

Administrators – perform admin tasks such as creating new users
Developers – use compute & database services to build applications
Analysts – run budget & usage reports

17
Q

What is the difference between EC2 security groups and IAM groups?

A

EC2 security groups act as firewalls, while IAM groups are collections of users.

18
Q

What are access permissions that are temporarily assumed by an IAM user or service?
What are examples? (2)

A

Roles.

a. E.g. devops-engineer role – can create a code branch in CodeCommit and list pipelines in CodePipeline
b. E.g. Lambda-execution role – can list the contents of an S3 bucket or query DynamoDB

19
Q

How do you manage permissions for IAM users, groups, and roles?

A

By creating a policy document in JSON format & attaching it to the user, group, or role.

20
Q

What is an example of policies in the real world?

A

You can add a bucket access policy directly to an Amazon S3 bucket to grant IAM users access permissions to the bucket & the objects in it.

21
Q

What are IAM best practices? (4)

A

1) Enable MFA for privileged users
2) Always implement strong password policies (e.g. require a password change after a specific period of time)
3) Create individual users instead of using root (you should not use the root user for daily tasks)
4) Use roles for apps that run on Amazon EC2 instances

22
Q

What prevents unauthorized access to your networks by inspecting incoming & outgoing traffic against security rules you’ve defined?

A

Firewalls

23
Q

What are the benefits of the Web Application Firewall (WAF)? (3)

A
  • Helps protect your web applications against common web attacks
  • Protects against SQL injection
  • Protects against cross-site scripting
24
Q

What floods a website with traffic in an attempt to make it crash?

A

Distributed Denial of Service (DDoS)

25
Q

What is a managed distributed denial of service (DDoS) protection service?
Benefits (3)

A

AWS Shield

  • Always-on detection
  • Shield Standard is free (protection against common & frequently occurring attacks)
  • Shield Advanced is a paid service (enhanced protection & 24/7 access to AWS experts for a fee)
26
Q

DDoS protection via Shield Advanced is supported on which services? (4)

A
  • EC2
  • CloudFront
  • Route 53
  • Elastic Load Balancing (ELB)
  • AWS Global Accelerator
27
Q

Which service helps you discover & protect sensitive data?

Benefits (3)

A

Macie.

Benefits:

  • Uses machine learning
  • Evaluates your S3 environment
  • Uncovers personally identifiable information (PII) like credit card numbers or SSNs
28
Q

Which service allows you to assess, audit, and evaluate the configurations of your resources within your EC2 instances?
Benefits (3)

A

AWS Config

  • Tracks configuration changes over time
  • Delivers a configuration history file to S3
  • Sends notifications via SNS of every configuration change
29
Q

Which service is an intelligent threat detection system that uncovers unauthorized behavior?
Benefits (3)

A

GuardDuty

  • Uses machine learning
  • Has built-in detection for EC2, S3, and IAM
  • Analyzes data sources such as CloudTrail, VPC Flow Logs, and DNS logs
30
Q

Which service works with EC2 instances to uncover & report vulnerabilities?

A

Inspector.

Benefits:

  • An agent is installed directly on the EC2 instance
  • Checks include access from the internet, remote root login, vulnerable software versions, etc.
31
Q

Which service offers on-demand access to AWS security & compliance reports (Service Organization Controls (SOC) & Payment Card Industry (PCI) reports)?

A

Artifact

32
Q

How is Artifact used in the real world?

A

If you need to access AWS’s certification for ISO compliance, Artifact provides a repository for AWS’s security & compliance reports via a self-service portal.

33
Q

Which service helps you control access to mobile and web applications?
Benefits? (3)

A

Cognito

  • Provides authentication & authorization
  • Helps you manage users
  • Assists with user sign-up and sign-in to your mobile or web app
34
Q

How is Cognito used in the real world?

A

Cognito provides functionality that allows your users to sign in to your application using social media accounts like Facebook & Google.

35
Q

What is Data in flight vs. data at rest?

A

Data in flight – data that is moving from one location to another (e.g. sending a text message)
Data at rest – data that is inactive or stored for later use (e.g. data stored in an S3 bucket)

36
Q

Which service allows you to generate and store encryption keys?
Note: Data gets encrypted with an encryption key; the reader needs the decryption key to read it.
Benefits? (3)

A

Key Management Service (KMS)

  • Stores & controls keys
  • AWS manages the encryption keys
  • Is automatically enabled for certain services (CloudTrail logs, S3 Glacier, Storage Gateway)
37
Q

Which service is a hardware security module (HSM) used to generate encryption keys?
Benefits? (3)

A

CloudHSM
Benefits:
- Dedicated hardware for security
- Allows you to generate your own encryption keys
- AWS does not have access to your keys (AWS provides the hardware so you can generate your own keys)

38
Q

Which service allows you to manage & retrieve secrets (passwords or keys)?
Benefits? (3)

A

Secrets Manager.

Benefits:

  • Rotate, manage, and retrieve secrets
  • Encrypt secrets at rest (using encryption keys that you own and then store in KMS)
  • Integration with RDS, Redshift, & DocumentDB