Security, Identity & Compliance

Question 1

Where can you apply SCPs

Answer 1

At the OU or Account level

Question 2

Which roles are not affected by SCPs

Answer 2

Service-linked roles because they enable other AWS services to integrate with AWS Organizations

Question 3

What are the default permissions on Organization OUs

Answer 3

Does not allow anything by default. SCP must have an explicity Allow from the root to each OU.

Question 4

In which order does IAM policies are evaluated

Answer 4

1. SCP
2. Resource-based policies
3. Identity-based policies
4. IAM permissions boundaries
5. Session policies

Question 5

How can you restrict specific tags on resources

Answer 5

Using the aws:TagKeys on IAM policies condition. Or using SCP condition aws:RequestTag/key

Question 6

AWS Organizations - Tag Policies

Answer 6

Ensure consistent tags defineing keys and their allowed values

Question 7

What are AI Services opt-out policies

Answer 7

Is an Organization policy to avoid you content to be stored or used by AWS AI Services

Question 8

AWS IAM identity Center

Answer 8

One login for all:
1. AWS accounts in Organizations
2. Business Cloud Applications
3. SAML2.0 enabled applications
4. EC2 Windows Instances

Question 9

IAM Identity Center Permission Set

Answer 9

Grant access to a user or group in a list of target AWS accounts or OUs within your Organization. Creates corresponding IAM roles in each account and attaches the policies specified

Question 10

AWS IAM Identity Center

Attribute-Based Access Control

Answer 10

Fine grained permissions based on users attributes. Define permissions once, then modify access by changing the attributes.

Question 11

AWS Config Aggregators

Answer 11

Collects configuration data from multple accounts:
1. Individual accounts aggregator
2. Organization aggregator

Question 12

AWS Config rules for global services

Answer 12

Should be created in a sigle region to avoid duplicate copies and save costs.

Question 13

Auto-enable feature in Security Hub

Answer 13

Automatically enable Security Hub in all existing and future Organization accounts, and designating a central account as the administrator

Question 14

AWS Firewall Manager

Common Security Group Policy

Answer 14

You can centrally configure and manage SGs across all your accounts in Organizations, while still allowing developers to deploy specific SG rules

They are mapped to specific tags

Blogs

Question 15

AWS Firewall Manager perrequisites

Answer 15

1. Use AWS Organizations
2. Designate one ccount as the administrator
3. Enable AWS Config for all the accounts

Question 16

AWS Control Tower

Answer 16

Easy way to set up and govern a secure and compliant multi-account AWS environment based on best practices

Question 17

AWS Control Tower

Account Factory

Answer 17

Create pre-approved baselines and configurations to automate account provisioning

Question 18

AWS Control Tower

Guardrails

Answer 18

Detect and remediate policy violations:
1. Preventive - SCPs
2. Detective - AWS Config

Question 19

Resource Access Manager

Sharing VPC Subnets

Answer 19

Allow to have all resources launched in the same subnet
1. Cannot view, modify or delete resources in other accounts
2. Can communicate between resources in the same VPC
3. Security Groups from other accounts can be references

Question 20

Resource Access Manager

Managed Prefix List

Answer 20

A set of one or more CIDR blocks that you can reference in SGs and Route Tables.

Question 21

Resource Access Manager

Route53 Outbound Resolver

Answer 21

Scale forwarding rules of your DNS in multiple accounts and VPCs

Question 22

CloudTrail

Insights

Answer 22

Detect Unusual Activity. Analyzes normal management to create a baseline and then continuosly analyzes write events to detect patterns.

Question 23

Integrate IAM Access Analyzer findings into Security Hub

Answer 23

Can be directly integrated by enabling the integration setting in IAM Access Analyzer. Ensures that finding are automatically pushed to Security Hub.

Question 24

Amazon Detective

Answer 24

Analyze, investigate and quickly identify the root cause of potential security issues or suspicious activity.

Question 25

Parameter Store

Parameters Policies

Answer 25

Allow to assign a TTL to a parameter to force updating or deleting sensitive data such as passwords

Question 26

RDS

Transparent Data Encryption

Answer 26

Available for Oracle and SQL Server. Automatically encrypts data before it is written to storage, and automatically decrypts data when the data is read from storage.

Question 27

Server Name Indication

Answer 27

Solves the problem of loading multiple SSL certificates onto one web server (to serve multiple websites). Only works for ALB, NLB and CloudFront.

Question 28

Amazon Detective

Role session analysis

Answer 28

Provide visibility to role usage, cross-account role assumption, and any role chaining activities performed across multiple accounts.

Question 29

Add accounts to AWS Organizations

Answer 29

1. Invite existing AWS accounts to join your organization from the management account
2. Creating a member account in an organization with AWS Organizations

Question 30

Where does ACM loads SSL certificates?

Answer 30

• Load Balancers
• CloudFront distributions
• APIs on API Gateways

Question 31

Cloud HSM

SSL Offloading

Answer 31

1. The server sends certificate.
2. The client generates a premaster secret and encrypts it with the server’s public key
3. To decrypt the client’s premaster secret, the server sends it to the HSM. The HSM uses the private key and then it sends the premaster secret to the server.
4. For the rest of the session, all messages sent between the client and the server are encrypted with derivatives of the master secret.

ssl offload overview

Question 32

S3 pre-signed URLs

Answer 32

Users given a pre-signed URL inherit the permissions of the person who generated the URL for GET / PUT

Question 33

IAM Access Information

Answer 33

IAM provides last accessed information to help you identify unused permissions so that you can remove them.

Question 34

IAM

Create SAML Identity Provider

Answer 34

1. Get the SAML metadata document from your IdP.
2. Add a provider and assign an IAM role to give external user identities permissions to access AWS resources in your account.
3. You must tell the IdP about AWS as a service provider. This is called relying party trust between your IdP and AWS.
4. Configure SAML assertions for the authentication response

Question 35

S3 Access Points

Answer 35

Create unique access control policies for each access point to easily control access to shared datasets. Any access point can be restricted to a VPC.

Question 36

S3 Multi Region Access Point

Answer 36

Provide a global endpoint for routing S3 request traffic between regions. Consider factors like network congestion and the location of the request to dynamically route your requests to the closest copy of your data.

Question 37

S3 Object Lambda Access Point

Answer 37

Add code to S3 GET, LIST, and HEAD requests to modify and process data as it is returned to an application. Reduces the need to create and store derivative copies of your data or to run proxies.

Transforming Objects

Question 38

Amazon Cognito Identity Pools

Answer 38

Provide temporary AWS credentials for users who are guests and for users who have been authenticated and received a token.

Question 39

Amazon Cognito User Pools

Answer 39

User directory for web and mobile app authentication and authorization.

Question 40

An Amazon Cognito user pool and identity pool used together

Answer 40

1. Your app user signs in through a user pool and receives OAuth 2.0 tokens.
2. Your app exchanges a user pool token with an identity pool for temporary AWS credentials.
3. Your app assigns the credentials session to your user

Question 41

IAM

OIDC Federation

Answer 41

Exchange a JWT for temporary security credentials in AWS that map to an IAM role with permissions to use specific resources in your AWS account.

Question 42

Which rules can be managed with AWS Firewall Manager?

Answer 42

1. WAF Rules
2. Shield Advanced
3. Security Groups
4. Network Firewall
5. Route53 resolver DNS Firewall

Question 43

Amazon Inspector

Where you can run automated security assessments?

Answer 43

1. EC2 instances with SSM
2. Container Images on ECR
3. Lambda Functions

Question 44

AWS Config Rules

Answer 44

Audit and record compliance of resources. Does not prevent actions from happening.
* Remediation can be through AWS SSM automations

Question 45

Amazon GuardDuty

Answer 45

Intelligent Threat Discovery from CloudTrail Events Logs, VPC Flow Logs and DNS Logs

Question 46

IAM Conditions

Answer 46

• aws:SourceIp: Restrict the client IP
• aws:RequestedRegion
• ec2:ResourceTags: Restrict based on tags
• aws:MultiFactorAuthPresent
• aws:PrincipalOrgID: Limit to member accounts of an organization

Question 47

AWS Security Hub

Answer 47

Central security tool to manage security across several AWS accounts and automate security checks

Question 48

Sources for Security Hub

Answer 48

• Macie
• GuardDuty
• Inspector
• Config
• Firewall Manager
• IAM Access Analyzer
• Systems Manager
• Health