Security Essentials

Question 1

Q: What is the AWS Shared Responsibility Model?

Answer 1

A: AWS secures the cloud infrastructure (hardware, software, networking, and facilities), while customers secure their applications, data, and configurations within the cloud.

Question 2

Q: What is AWS IAM?

Answer 2

A: IAM is a service for securely managing access to AWS resources by defining users, groups, roles, and policies.

Question 3

Q: What are IAM best practices?

Answer 3

A: Enable MFA, follow the principle of least privilege, rotate credentials regularly, and avoid using the root account.

Question 4

Q: What is MFA in AWS?

Answer 4

A: An additional layer of security that requires a second form of authentication (e.g., a hardware or virtual token) in addition to a password.

Question 5

Q: What is AWS Organizations?

Answer 5

A: A service to manage multiple AWS accounts centrally, including consolidated billing, SCPs, and account governance.

Question 6

Q: What are Service Control Policies (SCPs)?

Answer 6

A: Policies that restrict permissions across accounts in an AWS Organization.

Question 7

Q: What is AWS Key Management Service (KMS)?

Answer 7

A: A managed service for creating and managing encryption keys to secure data across AWS services.

Question 8

Q: How is encryption at rest achieved in AWS?

Answer 8

A: By using AWS KMS to encrypt data stored in services like S3, EBS, RDS, and DynamoDB.

Question 9

Q: How is encryption in transit implemented?

Answer 9

A: By using SSL/TLS to encrypt data moving between AWS services or between AWS and external clients.

Question 10

Q: What is AWS Certificate Manager?

Answer 10

A: A service for provisioning, managing, and deploying SSL/TLS certificates.

Question 11

Q: What is Amazon GuardDuty?

Answer 11

A: A threat detection service that continuously monitors for malicious activity and unauthorized behavior in your AWS environment.

Question 12

Q: What is AWS Web Application Firewall (WAF)?

Answer 12

A: A security service to protect web applications from common web exploits such as SQL injection and cross-site scripting.

Question 13

Q: What is AWS Shield?

Answer 13

A: A managed DDoS protection service that safeguards applications running on AWS.
- Standard: Free, basic protection for all AWS customers.
- Advanced: Paid, enhanced protection with detailed insights and DDoS cost protection.

Question 14

Q: What are security groups in AWS?

Answer 14

A: Stateful virtual firewalls that control inbound and outbound traffic for AWS resources like EC2 instances.

Question 15

Q: What are NACLs in AWS?

Answer 15

A: Stateless firewalls that operate at the subnet level to control traffic flow in and out of a VPC.

Question 16

Q: What is AWS Secrets Manager?

Answer 16

A: A service to securely store, manage, and rotate secrets such as database credentials, API keys, and passwords.

Question 17

Q: What is Amazon Inspector?

Answer 17

A: A service that automatically assesses AWS workloads for vulnerabilities and deviations from security best practices.

Question 18

Q: What are some VPC security features?

Answer 18

A: Security groups, NACLs, VPC Flow Logs, and private subnets.

Question 19

Q: What is AWS CloudTrail?

Answer 19

A: A service that records API calls, CLI commands, and other actions in AWS for auditing and compliance.

Question 20

Q: What are VPC Flow Logs?

Answer 20

A: Logs that capture IP traffic flow information to and from network interfaces in your VPC for monitoring and troubleshooting.

Question 21

Q: What is AWS Identity Center?

Answer 21

A: A service for managing SSO (Single Sign-On) access to AWS accounts and applications.

Question 22

Q: What is AWS Config?

Answer 22

A: A service that tracks resource configurations and compliance with security policies.

Question 23

Q: What is AWS Security Hub?

Answer 23

A: A centralized service that aggregates, monitors, and evaluates security findings across AWS services.

Question 24

Q: What security features does S3 offer?

Answer 24

A: Encryption (SSE-S3, SSE-KMS, SSE-C), bucket policies, block public access, and S3 Object Lock.

Question 25

Q: What is the principle of least privilege?

Answer 25

A: Granting only the permissions needed to perform a task and nothing more.

Question 26

Q: What is AWS Artifact?

Answer 26

A: A service for accessing compliance reports and agreements related to AWS security.

Question 27

Q: What are general security best practices in AWS?

Answer 27

• Enable MFA for all users.
• Regularly audit and monitor resources.
• Encrypt sensitive data.
• Use IAM roles instead of access keys.
• Keep systems patched and updated.

Question 28

Q: How is incident response managed in AWS?

Answer 28

A: Using tools like AWS Config, CloudTrail, GuardDuty, and Security Hub to detect and remediate security incidents.

Question 29

Q: Is penetration testing allowed in AWS?

Answer 29

A: Yes, but only for approved AWS services and following AWS guidelines.

Question 30

Q: How does AWS help mitigate DDoS attacks?

Answer 30

A: With AWS Shield, CloudFront, Route 53, and elastic scaling to absorb traffic spikes.

Question 31

Q: Which services are used for logging and monitoring in AWS?

Answer 31

A: CloudWatch, CloudTrail, VPC Flow Logs, and GuardDuty.

Question 32

Q: How is EBS data secured?

Answer 32

A: Using encryption at rest via AWS KMS and encryption in transit via HTTPS or VPN.

Question 33

Q: How can security processes be automated in AWS?

Answer 33

A: Using services like AWS Config, Lambda for custom automation, and Systems Manager for patching.

Question 34

Q: What is the Security Pillar in the AWS Well-Architected Framework?

Answer 34

A: A set of best practices focusing on identity, detection, infrastructure protection, data protection, and incident response.

Question 35

Q: How does AWS support compliance?

Answer 35

A: By providing compliance certifications like ISO 27001, HIPAA, GDPR, SOC 1/2/3, and PCI DSS.