Security in the Cloud Flashcards

1
Q

A Distributed Denial of Service is an attack that attempts to make your website ______ to your end-users

A

A Distributed Denial of Service is an attack that attempts to make your website unavailable to your end-users

2
Q

What are the three most common DDOS attacks, and at which layer do they operate?

A

SYN flood & NTP Amplification attack: Layer 4
GET/POST requests: Layer 7

3
Q

What are CloudTrail’s three main benefits?

Near real-time _________ _________
_________ & _________ compliance
After-the-fact incident _________

A

What are CloudTrail’s three main benefits?

Near real-time intrusion detection

Industry & regulatory compliance
After-the-fact incident investigation

4
Q

CloudTrail logs all ___ _____ made to your AWS account and stores these logs in ___

A

CloudTrail logs all API calls made to your AWS account and stores these logs in S3

5
Q

What are the differences in cost between AWS Shield and AWS Shield Advanced?

A

AWS Shield: Free
AWS Shield Advanced: $3k a month & 1 yr commitment

6
Q

What does AWS Shield Advanced offer that AWS Shield does not?

A

What does AWS Shield Advanced offer that AWS Shield does not?

A dedicated 24/7 DDOS response team

7
Q

AWS WAF has three different behaviors:

  • ______ all requests except the ones you specify
  • ______ all requests except the ones you specify
  • _____ the requests that match the properties you specify
A

AWS WAF has three different behaviors:

  • Allow all requests except the ones you specify
  • Block all requests except the ones you specify
  • Count the requests that match the properties you specify
8
Q

AWS WAF operates at which Layer, and which three attacks can it block?

Layer __

  • ____ attacks
  • ___ injection
  • _____-____ Scripting
A

AWS WAF

Layer 7

  • DDOS attacks
  • SQL injection
  • Cross-Site Scripting
9
Q

Which service allows you to block specific countries or IP addresses?

A

Which service allows you to block specific countries or IP addresses?

AWS WAF

10
Q

How does AWS Guard Duty determine what normal behavior is in your account?

It uses __ to learn what normal behavior is in your account and alerts you of any ________ or _______ behavior.

A

AWS Guard Duty

It uses AI to learn what normal behavior is in your account and alerts you of any abnormal or malicious behavior.

11
Q

AWS Guard Duty updates a database of known malicious domains using ______ ____ from _____ _______

A

AWS Guard Duty updates a database of known malicious domains using external feeds from third-parties.

12
Q

Which logs does Guard Duty monitor? (3)

A

Which logs does Guard Duty monitor?

Cloud Trail Logs, VPC Flow Logs, and DNS Logs

13
Q

AWS Macie uses AI to analyze data in __ to help _______ and ______ the leak of data from which three pieces of information? (3)

A

AWS Macie uses AI to analyze data in S3 to help identify and prevent the leak of data from which three pieces of information?

  • PII: Personally Identifiable Information
  • PHI: Personal Health Information
  • Financial Data

14
Q

Macie alerts can be sent to Amazon _____________ and integrated with your _______ ____________ system

A

Macie alerts can be sent to Amazon Eventbridge and integrated with your event management system

15
Q

AWS Inspector is used to run vulnerability scans on ___ _________ and _____

A

AWS Inspector is used to run vulnerability scans on both EC2 instances and VPCs

16
Q

What are the two AWS Inspector scans called?

A

What are the two AWS Inspector scans called?

Host Assessment
Network Assessment

17
Q

AWS Key Management Service is a managed service that makes it easy for you to _____ and ______ the encryption keys used to _______ your data

A

AWS Key Management Service is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data

18
Q

You initiate KMS services by requesting the creation of a _______ ______ Key

A

You initiate KMS services by requesting the creation of a Customer Master Key (CMK)

19
Q

The first way to generate a CMK is if AWS creates the CMK for you by generating the CMK within a _________ ________ module

A

The first way to generate a CMK is to have AWS create the CMK for you by generating it within a Hardware Security Module

20
Q

The second way to generate a CMK is by importing your own ____ __________ Infrastructure and _____________ it with a CMK

A

The second way to generate a CMK is by importing your own Key Management Infrastructure and associating it with a CMK

21
Q

The third way to generate a CMK is to have the key material generated and used in an AWS ________ cluster as part of the custom key store feature in AWS ___

A

The third way to generate a CMK is to have the key material generated and used in an AWS CloudHSM cluster as part of the custom key store feature in AWS KMS

22
Q

What are the three ways to control permissions within KMS?

  • The ___ Policy
  • ___ policies in combination with ___ policies
  • ______ in combination with ___ policies
A

What are the three ways to control permissions within KMS?

  • The Key Policy
  • IAM policies in combination with Key policies
  • Grants in combination with Key policies
23
Q

A Key Policy allows you to ________ the full scope of _____ to the CMK via a single ________

A

A Key Policy allows you to control the full scope of access to the CMK via a single document

24
Q

Using ____ policies in combination with ___ policies enables you to manage all the permissions for your IAM identities in IAM

A

Using IAM policies in combination with Key policies enables you to manage all the permissions for your IAM identities in IAM

25
Q

Grants in combination with Key policies enable you to allow _____ to the CMK as well as allow users to ________ their access to others

A

Grants in combination with Key policies enable you to allow access to the CMK as well as allow users to delegate their access to others

26
Q

Between KMS or CloudHSM, which offers automatic Key Rotation?

A

Between KMS or CloudHSM, which has automatic Key Rotation?

KMS: automatic key rotation
CloudHSM: no automatic key rotation

27
Q

What is the difference in Tenancy Rules regarding KMS vs. CloudHSM:

KMS: ______ Tenancy
CloudHSM: ________ host to you and you have full control of ________ ________

A

What is the difference in Tenancy Rules regarding KMS vs. CloudHSM:

KMS: Shared Tenancy
CloudHSM: Dedicated host to you, and you have full control of underlying hardware

28
Q

CloudHSM offers full control of users, ______, and _____

A

CloudHSM offers full control of users, groups, and keys

29
Q

Secrets Manager can be used to securely store (3)

________ credentials
Passwords
___/___ Keys

A

Secrets Manager can be used to securely store (3)

Database credentials
Passwords
API/SSH Keys
30
Q

When enabled, Secrets Manager will _______ credentials __________. If applications and instances are not properly configured, you won’t be able to access your __________

A

When enabled, Secrets Manager will rotate credentials immediately. If applications and instances are not properly configured, you won’t be able to access your resources

31
Q

Parameter Store and Secrets Manager offer similar services; when should you use one versus the other?

If you are trying to ________ cost use _________

A

Parameter Store and Secrets Manager offer similar services; when should you use one versus the other?

If you are trying to minimize cost, use Parameter Store

32
Q

Secrets Manager is perfect if you need more than 10,000 __________, key ________ or the need to generate passwords using _____________

A

Secrets Manager is perfect if you need more than 10,000 parameters, key rotations, or need to generate passwords using CloudFormation

33
Q

Presigned URLs let you _____ _______ files from your S3 bucket

A

Presigned URLs let you share private files from your S3 bucket

34
Q

When it comes to IAM policies, if something is not explicitly allowed it is ______ _____

A

When it comes to IAM policies, if something is not explicitly allowed it is implicitly denied

35
Q

An IAM policy needs to be ________ before it can have an _____

A

An IAM policy needs to be attached before it can have an effect

36
Q

AWS Managed Microsoft AD is the best choice if you have more than _____ users and/or need a ____ relationship setup

A

AWS Managed Microsoft AD is the best choice if you have more than 5000 users and/or need a trust relationship setup

37
Q

AD Connector is the best choice when you want to use an existing _____ ________ with AWS Services

A

AD Connector is the best choice when you want to use an existing Active Directory with AWS Services

38
Q

AD Connector comes in two sizes; what are they, and what are the maximum user counts?

A

AD Connector comes in two sizes; what are they, and what are the maximum user counts?

Small: designed for orgs w/up to 500 users
Large: designed for orgs w/up to 5000 users

39
Q

What type of connection do you require when using AWS Managed Microsoft AD or AD Connector?

A

What type of connection do you require when using AWS Managed Microsoft AD or AD Connector?

VPN or Direct Connect

40
Q

Simple AD is the most inexpensive AD service and is the best option if you have less than ___ users and don’t need ________ AD features

A

Simple AD is the most inexpensive AD service and is the best option if you have less than 500 users and don’t need advanced AD features

41
Q

Simple AD features

Manage users, groups, and _______
_______-based SSO
Supports joining _____ or ________-based EC2 instances

A

Simple AD features

Manage users, groups, and policies
Kerberos-based SSO
Supports joining Linux or Windows-based EC2 instances

42
Q

Rules contain a statement that defines the __________ ______, and an ______ to take if a web request meets the ______

A

Rules contain a statement that defines the inspection criteria, and an action to take if a web request meets the criteria

43
Q

What types of encryption does KMS support? (2)

A

Symmetric and Asymmetric encryption

44
Q

Customer Master Key (CMK) contains the ___ _______ used to ______ and ______ data

A

Customer Master Key (CMK) contains the key material used to encrypt and decrypt data

45
Q

What is the data size limit that CMK can encrypt?

A

CMK can encrypt up to 4KB in size

46
Q

What type of key would you use if you wanted to encrypt a large amount of data?

A

Data encryption key

47
Q

CloudHSM is a cloud-based _________ _________ module

A

CloudHSM is a cloud-based hardware security module

48
Q

With CloudHSM you ________ and use your own ________ ___

A

With CloudHSM you generate and use your own encryption key

49
Q

With CloudHSM you retain _______ of your encryption keys. AWS has no ________ of your encryption keys

A

With CloudHSM you retain control of your encryption keys. AWS has no visibility of your encryption keys

50
Q

What services does AWS Certificate Manager integrate with? (5)

Elastic ____ _________
Elastic _________
Cloud_________
Cloud_____
____ Enclaves

A

Elastic Load Balancing
Elastic Beanstalk
CloudFormation
Cloudfront
Nitro Enclaves

51
Q

A ___ ______ tells AWS WAF what to do with a web request when it matches the ______ defined in the ____

A

A rule action tells AWS WAF what to do with a web request when it matches the criteria defined in the rule

52
Q

AWS KMS allows you to control Key usage across AWS _______ and __________

A

AWS KMS allows you to control Key usage across AWS services and applications

53
Q

Parameter Store provides secure hierarchical storage for configuration ____ and _______

A

Parameter Store provides secure hierarchical storage for configuration data and secrets

54
Q

What type of data does Parameter Store maintain as values?

_________

_________ strings

________ Codes

A

What type of data does Parameter Store maintain as values?

Passwords

Database strings

License Codes

55
Q

Parameter Store can store values in two forms, what are they?

A

Parameter Store can store values in two forms; what are they?

Plaintext (unencrypted)

Ciphertext (encrypted)

56
Q

Secrets Manager rotates secrets safely without the need for ____ __________

A

Secrets Manager rotates secrets safely without the need for code deployments

57
Q

Secrets Manager offers an automatic rotation of credentials (built-in) for which three AWS Services?

Amazon ___

Amazon ________

Amazon __________

A

Secrets Manager offers an automatic rotation of credentials (built-in) for:

Amazon RDS

Amazon Redshift

Amazon DocumentDB

58
Q

AWS WAF lets you create rules to filter web traffic based on conditions like __ _________, ____ headers, and _____

A

AWS WAF lets you create rules to filter web traffic based on conditions like IP address, HTTP headers, and URLs

59
Q

AWS Shield supports _____ mitigation & protection against Layer _____ & ____ attacks.

A

AWS Shield supports DDOS mitigation & protection against Layer three & four attacks.

60
Q

An AWS KMS key can do which three things to data keys?

A

An AWS KMS key can be used to generate, encrypt, and decrypt data keys

61
Q

What is the automatic rotation period for AWS managed and customer managed KMS keys?

A

Automatic Rotation Cycles

Customer Managed KMS key: 365 days

AWS Managed KMS key: 1095 days / 3 yrs

62
Q

To share snapshots with another account, which two permissions must you specify?

A

To share snapshots with another account, you must specify the Decrypt and CreateGrant permissions

63
Q

The kms:ViaService condition key can be used to limit what?

A

The kms:ViaService condition key can be used to limit key usage to specific AWS services

64
Q

Which API action removes key material?

A

You must use the DeleteImportedKeyMaterial API to remove the key material

65
Q

An Amazon Cognito User Pool is a directory for managing _________ & _____________ for mobile applications

A

An Amazon Cognito User Pool is a directory for managing sign-in and sign-up for mobile applications

66
Q

Cognito Identity pools are used to obtain ____________ and _________ ______________ for AWS services

A

Cognito Identity pools are used to obtain temporary, & limited-privilege credentials for AWS services

67
Q

What two locations can Cognito Identities come from?

A

Identities can come from a Cognito user pool

Identities can also come from social Identity providers (IdPs)