Security & Compliance Section Flashcards

1
Q

Responsibility - EC2

A

• For EC2 instances, the customer is responsible for management of the guest OS (including security patches and updates), firewall & network configuration, and IAM
• Encrypting application data

2
Q

Responsibility - RDS

A

AWS responsibility:
• Manage the underlying EC2 instance, disable SSH access
• Automated DB patching
• Automated OS patching
• Audit the underlying instance and disks & guarantee it functions

Your responsibility:
• Check the ports / IP / security group inbound rules in DB’s SG
• In-database user creation and permissions
• Creating a database with or without public access
• Ensure parameter groups or DB is configured to only allow SSL connections
• Database encryption setting

3
Q

Responsibility - S3

A

AWS responsibility:
• Guarantee you get unlimited storage
• Guarantee you get encryption
• Ensure separation of the data between different customers
• Ensure AWS employees can’t access your data

Your responsibility:
• Bucket configuration
• Bucket policy / public setting
• IAM users and roles
• Enabling encryption

4
Q

AWS Shield Standard

A

• Free service that is activated for every AWS customer
• Provides protection from attacks such as SYN/UDP floods, reflection attacks and other layer 3 / layer 4 attacks

5
Q

AWS Shield Advanced

A

• Optional DDoS mitigation service ($3,000 per month per organization)
• Protects against more sophisticated attacks on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53
• 24/7 access to the AWS DDoS Response Team (DRT)
• Protects against higher fees during usage spikes due to DDoS

6
Q

AWS WAF – Web Application Firewall

A
• Protects your web applications from common web exploits (Layer 7)
• Layer 7 is HTTP (vs Layer 4, which is TCP)
• Deploy on Application Load Balancer, API Gateway, CloudFront

7
Q

WAF can define Web ACL (Web Access Control List)

A
• Rules can match on IP addresses, HTTP headers, HTTP body, or URI strings
• Protects from common attacks such as SQL injection and Cross-Site Scripting (XSS)
• Size constraints, geo-match (block countries)
• Rate-based rules (to count occurrences of events) – for DDoS protection

8
Q

Penetration testing without approval (8 services)

A
• Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
• Amazon RDS
• Amazon CloudFront
• Amazon Aurora
• Amazon API Gateways
• AWS Lambda and Lambda@Edge functions
• Amazon Lightsail resources
• Amazon Elastic Beanstalk environments

9
Q

AWS KMS

A

• KMS = AWS manages the encryption keys for us

Encryption Opt-in:
• EBS volumes: encrypt volumes
• S3 buckets: Server-side encryption of objects
• Redshift database: encryption of data
• RDS database: encryption of data
• EFS drives: encryption of data

Encryption Automatically enabled:
• CloudTrail Logs
• S3 Glacier
• Storage Gateway

10
Q

CloudHSM

A
• Dedicated hardware (HSM = Hardware Security Module)
• You manage your own encryption keys entirely (not AWS)

11
Q

Types of CMK (Customer Master Keys)

A

Customer Managed CMK:
• Created, managed and used by the customer; can be enabled or disabled
• Possibility of a rotation policy (new key generated every year, old key preserved)
• Possibility to bring your own key

AWS managed CMK:
• Created, managed and used on the customer’s behalf by AWS
• Used by AWS services (aws/s3, aws/ebs, aws/redshift)

AWS owned CMK:
• Collection of CMKs that an AWS service owns and manages to use in multiple accounts
• AWS can use those to protect resources in your account (but you can’t view the keys)

CloudHSM Keys (custom keystore):
• Keys generated from your own CloudHSM hardware device
• Cryptographic operations are performed within the CloudHSM cluster

12
Q

AWS Certificate Manager (ACM)

A
• Lets you easily provision, manage, and deploy SSL/TLS certificates
• Used to provide in-flight encryption for websites (HTTPS)
• Integrations with (load TLS certificates on): Elastic Load Balancers, CloudFront distributions, APIs on API Gateway

13
Q

AWS Secrets Manager

A
• Automates generation of secrets on rotation (uses Lambda)
• Integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
• Secrets are encrypted using KMS

14
Q

AWS Artifact

A
• Portal that provides customers with on-demand access to AWS compliance documentation and AWS agreements
• Artifact Reports and Artifact Agreements

15
Q

Amazon GuardDuty

A
• Intelligent threat discovery to protect your AWS account
• Uses machine learning algorithms, anomaly detection, and 3rd-party data
• One click to enable (30-day trial), no need to install software

Input data includes:
• CloudTrail Logs: unusual API calls, unauthorized deployments
• VPC Flow Logs: unusual internal traffic, unusual IP address
• DNS Logs: compromised EC2 instances sending encoded data within DNS queries

16
Q

Amazon Inspector

A
• Automated security assessments for EC2 instances
• Analyzes the running OS against known vulnerabilities
• Analyzes against unintended network accessibility
• The Inspector agent must be installed on the OS of the EC2 instances
• After the assessment, you get a report with a list of vulnerabilities

17
Q

AWS Config

A
• Helps with auditing and recording compliance of your AWS resources
• Helps record configurations and changes over time
• Possibility of storing the configuration data into S3 (analyzed by Athena)
• AWS Config is a per-region service
• Can be aggregated across regions and accounts

18
Q

Amazon Macie

A

• Fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS (PII)

19
Q

AWS Security Hub

A

• Central security tool to manage security across several AWS accounts and automate security checks
• Automatically aggregates alerts in predefined or personal findings formats from various AWS services & AWS partner tools:
  • GuardDuty
  • Inspector
  • Macie
  • IAM Access Analyzer
  • AWS Systems Manager
  • AWS Firewall Manager
  • AWS Partner Network Solutions

20
Q

Amazon Detective

A

• Amazon Detective analyzes, investigates, and quickly identifies the root cause of security issues or suspicious activities (using ML and graphs)
• Automatically collects and processes events from VPC Flow Logs, CloudTrail, and GuardDuty and creates a unified view
• Produces visualizations with details and context to get to the root cause

21
Q

AWS Abuse

A

Report suspected AWS resources used for abusive or illegal purposes