SECURITY, DEPLOYMENT & OPERATIONS

Question 1

product which can manage secrets within AWS

Answer 1

AWS Secrets Manager

Question 2

Does secrets manager support automatic rotation using Lambda?

Answer 2

Yes

Question 3

Can Secrets Manager directly integrate with RDS?

Answer 3

Yes

Question 4

Can Layer 7 Friirewalls identify normal or abnormal requests?

Answer 4

Yes

Question 5

Can Data at Layer 7 be inspected,b blocked, replaced or tagged?

Answer 5

Yes

Question 6

Are layer 7 Firewalls able to identify block and adjust specific applications?

Answer 6

Yes

Question 7

Helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources.

Answer 7

web application firewall

Question 8

Controls if traffic is allowed or blocked

Answer 8

WebACL

Question 9

Can one web ACL be associated with many resources?

Answer 9

yes

Question 10

Can rule groups be referenced by multiple WEBACLs?

Answer 10

Yes

Question 11

Rules designed to match if something occurs

Answer 11

Regular Rules

Question 12

Rules designed to match if something occurs at a certain rate

Answer 12

Rate-based Rules

Question 13

managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS

Answer 13

AWS Shield

Question 14

AWS Shield is protection at the perimeter in the region or edge of the AWS network

Answer 14

True

Question 15

Protects against Common (L3) Network Attacks or Transport (L4) Layer attacks

Answer 15

AWS Shield Standard

Question 16

AWS Shield Advanced protections are not enabled by default and must be explicitly enabled

Answer 16

True

Question 17

Does Shield Advanced offer cost protection for unmitigated attacks that should be stopped by Shield Advanced?

Answer 17

Yes

Question 18

AWS Shield Response Team is a feature of Shield Advanced that contacts you when your application is affected due to a possible attack

Answer 18

True

Question 19

Does Shield Advanced protect against Application (L7) Layer attacks?

Answer 19

Yes

Question 20

Shield Advanced provides real-time visibility of DDOS events and attacks

Answer 20

True

Question 21

service has multi-tenant access that uses hardware security modules that make it easy for you to create and control your encryption keys

Answer 21

AWS Key Management Service

Question 22

True single tenant Hardware Security Module hosted in the AWS Cloud

Answer 22

CloudHSM

Question 23

Fully FIPS 140-2 Level 3, accessed with industry-standard APIs (PCKS, JCE, CryptoNG)

Answer 23

CloudHSM

Question 24

Can KMS use CloudHSM as a custom key store?

Answer 24

Yes

Question 25

Does CloudHSM have native AWS integration

Answer 25

No

Question 26

Can CloudHSM be used for offloading the SSL/TLS processing for web servers?

Answer 26

Yes

Question 27

Can CloudHSM enable Transparent Data Encryption for Oracle Databases

Answer 27

Yes

Question 28

Can CloudHSM protect the private keys for an issuing Certificate Authority?

Answer 28

Yes

Question 29

Primary job is to record configuration changes over time on resources, used for auditing changes and compliance with standards

Answer 29

AWS Config

Question 30

Can AWS Config support cross-region and cross account?

Answer 30

Yes

Question 31

Can AWS Config generate SNS notifications and near-realtime events with Lambda & Eventbridge?

Answer 31

Yes

Question 32

Data security and Data privacy service used to discovere, monitor and protect data stored in S3 buckets.

Answer 32

Amazon Macie

Question 33

Used for Automated discovery of PII, PHI, Finance data

Answer 33

Amazon Macie

Question 34

Scans ec2 instances, the instance OS, or containers for vulnerabilities and deviations against best practices

Answer 34

Amazon Inspector

Question 35

Provides a report of findings of vulnerabilities and deviations ordered by priority

Answer 35

Amazon Inspector

Question 36

Does a network assessment in Amazon Inspector use an Agent?

Answer 36

No

Question 37

Does a Network and Host Assessment use an Agent?

Answer 37

Yes

Question 38

Is an Inspector agent required for package assessments such as common vulnerabilities and exposures (CVE) or Center for Internet Security (CIS) Benchmarks

Answer 38

Yes

Question 39

Continuous security monitoring service that analyses supported data sources

Answer 39

Amazon Guard Duty

Question 40

identifies unexpected and unauthorised activity

Answer 40

Amazon Guard Duty