Security, Compliance and Governance

Question 1

What is the shared responsibility model?

Answer 1

A model where you can see who is responsible for what?

Question 2

What is main responsibility of AWS conform the Shared Responsibility Model?

Answer 2

AWS is responsible for the security ‘of’ the cloud.

• hardware
• underlaying software

Question 3

What is the main responsibility of the Customer conform the Shared Responsibility Model?

Answer 3

As a customer you are responsible for the security in the cloud,

• data in the cloud
• network and firewall config
• Encryption of data

Question 4

who is responsible for having all the EC2 instances up-to-date

Answer 4

You, as a customer

Question 5

Who is responsible for server-side encryption?

Answer 5

You, as the customer

Question 6

Who is responsible for security of AWS Managed Services like RDS?

Answer 6

AWS is. If you host your DB on an EC2 server you, as a user, is responsible. When using RDS to run your DB AWS is responsible.

the customer stays responsible for network and who has access

Question 7

What is the principle of least privilege?

Answer 7

this states that you should only grant permissions needed to complete a task.

Question 8

What are granular permissions?

Answer 8

specific (parts) of a service that someone had access to. To achieve this we need to have IAM in place.

Question 9

What is stated in IAM Policies?

Answer 9

The permissions for users, user-groups, IAM role (resoures can also have a role)

Question 10

What is best practice for IAM access keys?

Answer 10

Rotate them regularly. So the changes of a key gets ‘stolen’ is reduced.

Question 11

Do IAM role-keys rotate automatically?

Answer 11

yes

Question 12

What does IAM Access Analyzer do?

Answer 12

• Identify resources with external access
• Validate IAM Policies
• Generate IAM policies based on usages

Question 13

What does IAM Policy Simulator do?

Answer 13

• Test new IAM policies before granting them to users, groups or roles

Question 14

What is federated identity?

Answer 14

Using an external Identity provider (like Microsoft AD -> single sign on) to verify someone’s identity.

Question 15

What is IAM Identity Center

Answer 15

The service that gives a user a (temporarily) role when they are log-in via single-sign-on method

Question 16

What is Amazon Cognito?

Answer 16

• Create user pools and grand temporary access keys
• Leverage social or identity provider for authentication.

Question 17

What does AWS Directory Service do?

Answer 17

• Connect our AWS eco system to an existing MS AD
• Host a managed Microsoft AD on AWS

Question 18

What does AWS Security Token Service (STS) do?

Answer 18

provide temporary access. e.g. like read-only access for an audit.

Question 19

What is Amazon Macie?

Answer 19

A service that searches your S3 buckets for personally identifiable information and encrypt this.

Question 20

What is Key Management Service (KMS)?

Answer 20

provides a key for ECB or other resources like RDS?

Question 21

What does AWS Certificate Manager do?

Answer 21

Provision, deploy, renew SSL/TLS certificates

Question 22

What does Systems Manager Parameter Store do?

Answer 22

keeps parameters secure. for example an EC2 service needs access to an Database, you keep the login credentials save in the Systems Manager Parameter Store.

Question 23

What does Secrets Manager do?

Answer 23

Adds an extra layer of protection on top of Systems Manager Parameter Store by automatically rotating your secrets,

Question 24

True / false | new S3 buckets are always encrypted unless (encrypt is disabled)

Answer 24

true

Question 25

What is a Network Access Control List (NACLs)?

Answer 25

Stateless access control in your VPC and subnets

stateless doesn’t care about in- or outgoing traffic

Question 26

What do security groups do for Network access control?

Answer 26

provide statefull acces contol

staefull means it checks if it’s in-or out going traffic.

Question 27

What does AWS network firewall do?

Answer 27

firewall goes further then security groups and NACLL’s .

A firewall can define complex rules to inspect traffic within your VPCs

Question 28

What does AWS Web Application firewall (WAF) do?

Answer 28

protects you web application against the most common exploit’s.

like SQL injections, cross site scripting.

Question 29

What is AWS Shield?

Answer 29

protects you against DDoS attacks.

Question 30

What are the costs of the different AWS shield service?

Answer 30

Shield standard -> free
Shield advanced -> paid but with 24/7 access to a DDoS support team

Question 31

What is AWS Firewall manager?

Answer 31

The central place where you manage:
- AWS Firewall
- AWS WAF
- AWS Shield

Question 32

What is AWS Security Hub?

Answer 32

The hub where you see prioritized findings (security risks) Sercies that are connected are:
- Firewall manager
- Macie
- IAM Access manager
- Guard Duty
- Systems Manager

Question 33

What is AWS Guard Duty do?

Answer 33

Tracks activity logs and scans for malicious behavior using machine learning

Question 34

What does AWS Inspector do?

Answer 34

Inspects workload for vulnerabilities and network access.

Question 35

What does Amazon Detective do?

Answer 35

Used for analyzing security events that already happened.

Question 36

What does Amazon inspector do?

Answer 36

Inspects / scans workloads for software vulnerabilities and network exposure. (check lambda’s , ec2 instances etc)

Question 37

What is AWS Cloud Security?

Answer 37

The main landing page for security information.

Question 38

What is on the AWS Security blog?

Answer 38

The blog helps you to stay up-2-date about announcements and innovation about security.

Question 39

What is on the AWS marketplace?

Answer 39

Here you find pre-build security solutions from 3rd party vendors.

Question 40

What does AWS Organizations?

Answer 40

Administer multiple AWS accounts from a single point. ere you have:
- an over view of all cost
- ability to organize and limit access to resources

Question 41

What is AWS control tower?

Answer 41

Automate account creation and the application best-practice config rules and SCP’s. It provides automated guard rails

Question 42

What is AWS artifact?

Answer 42

Download AWS security and other compliance documents and provide them to regulators and inform them about your cloud architecture,

Question 43

What does AWS audit manager do?

Answer 43

Automate assessments against framework designed to meet common compliance standards.

Question 44

Who’s resposibility is it to demonstrate beeing compliant with (GDPR, other security rulings)?

Answer 44

The customer is in the end responsible, but AWS and the customer share this