SECURITY, DEPLOYMENT & OPERATIONS Flashcards
product which can manage secrets within AWS
AWS Secrets Manager
Does secrets manager support automatic rotation using Lambda?
Yes
Can Secrets Manager directly integrate with RDS?
Yes
Can Layer 7 firewalls distinguish normal from abnormal requests?
Yes
Can data at Layer 7 be inspected, blocked, replaced or tagged?
Yes
Are Layer 7 firewalls able to identify, block and adjust specific applications?
Yes
Helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources
AWS WAF (web application firewall)
Top-level WAF resource that controls whether traffic to the associated resource is allowed or blocked
Web ACL
Can one web ACL be associated with many resources?
yes
Can rule groups be referenced by multiple web ACLs?
Yes
Rules that match on the content of a request (path, header, body, source IP), regardless of how often it occurs
Regular Rules
Rules that match when requests from a source exceed a given rate over a trailing 5-minute window
Rate-based Rules
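The two rule types above differ in what they key on: a regular rule looks at one request in isolation, a rate-based rule at how many requests one aggregation key (here a source IP) has sent recently. The example below is added here and is not part of this card deck or of AWS's code. It builds a web ACL body in the shape boto3's `wafv2.create_web_acl` takes (one regular rule, one rate-based rule, with made-up names and metric names), then simulates both rules over a constructed request stream so the difference is visible. The simulation is deliberately simpler than AWS WAF: the rate limit of 5 is far below the minimum WAF allows, and WAF re-evaluates rates periodically rather than on every request.

```python
from collections import defaultdict, deque

# WAF rate-based rules count requests over a trailing 5-minute window.
RATE_WINDOW_SECONDS = 300


def web_acl_definition(rate_limit=1000):
    """Web ACL body in the shape boto3's wafv2.create_web_acl accepts (names are assumed).

    Rule 0 is a regular rule keyed on request content; rule 1 is a rate-based rule
    keyed on the source IP's request rate. Lower Priority is evaluated first.
    """
    def visibility(name):
        return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}

    return {
        "Name": "example-web-acl",
        "Scope": "REGIONAL",  # CLOUDFRONT when associating with a distribution
        "DefaultAction": {"Allow": {}},
        "Rules": [
            {
                "Name": "block-admin-path",
                "Priority": 0,
                "Statement": {"ByteMatchStatement": {
                    "SearchString": b"/admin",  # blob in the API; bytes for boto3
                    "FieldToMatch": {"UriPath": {}},
                    "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                    "PositionalConstraint": "STARTS_WITH",
                }},
                "Action": {"Block": {}},
                "VisibilityConfig": visibility("BlockAdminPath"),
            },
            {
                "Name": "rate-limit-per-ip",
                "Priority": 1,
                "Statement": {"RateBasedStatement": {"Limit": rate_limit, "AggregateKeyType": "IP"}},
                "Action": {"Block": {}},
                "VisibilityConfig": visibility("RateLimitPerIp"),
            },
        ],
        "VisibilityConfig": visibility("ExampleWebAcl"),
    }


def regular_rule_matches(request):
    """The regular rule: decided from the request alone (lowercased path prefix)."""
    return request["path"].lower().startswith("/admin")


class RateBasedRule:
    """Simplified rate-based rule: an IP matches once it has sent more than `limit`
    requests inside the trailing window, and stays matched while that holds."""

    def __init__(self, limit, window=RATE_WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.seen = defaultdict(deque)  # ip -> timestamps of requests still inside the window

    def matches(self, request):
        q = self.seen[request["ip"]]
        q.append(request["ts"])
        while q and request["ts"] - q[0] >= self.window:
            q.popleft()  # drop requests that have aged out of the window
        return len(q) > self.limit


def evaluate(requests, rate_limit):
    """Run both rules over a request stream in priority order; Block is terminating,
    so a request blocked by the regular rule is never seen by the rate-based rule."""
    rate_rule = RateBasedRule(rate_limit)
    actions = []
    for req in requests:
        if regular_rule_matches(req):
            actions.append(("BLOCK", "block-admin-path"))
        elif rate_rule.matches(req):
            actions.append(("BLOCK", "rate-limit-per-ip"))
        else:
            actions.append(("ALLOW", None))
    return actions


def sample_requests():
    """Constructed request log (ip, path, unix-ish ts); not captured traffic."""
    reqs = [{"ip": "203.0.113.9", "path": "/ADMIN/login", "ts": 0}]              # content match
    reqs += [{"ip": "198.51.100.7", "path": "/api/items", "ts": t} for t in range(8)]  # 8 hits in 8 s
    reqs += [{"ip": "192.0.2.44", "path": "/", "ts": t * 400} for t in range(8)]       # 8 hits, 400 s apart
    return reqs
```

Run `evaluate(sample_requests(), rate_limit=5)`: the /ADMIN request is blocked immediately by the regular rule; the bursting IP is allowed for its first five requests and blocked from the sixth; the IP sending the same number of requests spread 400 seconds apart is never blocked, because no five-minute window ever holds more than one of them.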
Managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS
AWS Shield
AWS Shield provides protection at the perimeter: in the Region or at the edge of the AWS network
True
Protects against common Network (L3) and Transport (L4) layer attacks, automatically and at no extra cost
AWS Shield Standard
AWS Shield Advanced protections are not enabled by default and must be explicitly enabled
True
Does Shield Advanced offer cost protection (service credits for DDoS-related scaling charges) on protected resources?
Yes
The Shield Response Team (SRT) comes with Shield Advanced; with proactive engagement enabled, it contacts you when a protected resource's health check indicates a possible attack
True
Does Shield Advanced protect against Application (L7) Layer attacks?
Yes
Shield Advanced provides real-time visibility of DDoS events and attacks
True
Multi-tenant managed service, backed by FIPS-validated hardware security modules, that makes it easy for you to create and control your encryption keys
AWS Key Management Service
True single-tenant hardware security module cluster hosted in the AWS Cloud
AWS CloudHSM
FIPS 140-2 Level 3 validated; accessed with industry-standard APIs (PKCS#11, JCE, Microsoft CNG) rather than AWS APIs
AWS CloudHSM
Can KMS use CloudHSM as a custom key store?
Yes
Does CloudHSM integrate natively with other AWS services, the way KMS does?
No (integration comes via a KMS custom key store or your own application code)
Can CloudHSM be used for offloading the SSL/TLS processing for web servers?
Yes
Can CloudHSM enable Transparent Data Encryption (TDE) for Oracle databases?
Yes
Can CloudHSM protect the private keys for an issuing Certificate Authority?
Yes
Primary job is to record configuration changes to resources over time; used to audit changes and evaluate compliance against rules (it records and evaluates, it does not block changes)
AWS Config
Can AWS Config aggregate data across Regions and accounts?
Yes (with a configuration aggregator)
Can AWS Config send SNS notifications and near-real-time events to EventBridge and Lambda?
Yes
Data security and data privacy service used to discover, monitor and protect data stored in S3 buckets
Amazon Macie
Used for automated discovery of sensitive data (PII, PHI, financial data) in S3
Amazon Macie
Scans EC2 instances (the instance OS) and container images for software vulnerabilities and deviations from best practices
Amazon Inspector
Provides findings for vulnerabilities and deviations, ordered by severity/priority
Amazon Inspector
Does a network reachability assessment in Amazon Inspector (Classic) require an agent?
No
Does a combined network and host assessment require an agent?
Yes
Is the Inspector agent required for host package assessments such as the common vulnerabilities and exposures (CVE) or Center for Internet Security (CIS) Benchmark rules packages?
Yes
Continuous security monitoring service that analyses supported data sources (for example CloudTrail events, VPC Flow Logs and DNS logs)
Amazon GuardDuty
Identifies unexpected and unauthorised activity in an account
Amazon GuardDuty