Security in the Cloud Flashcards
A Distributed Denial of Service is an attack that attempts to make your website ______ to your end-users
A Distributed Denial of Service is an attack that attempts to make your website unavailable to your end-users
What are the three most common DDOS attacks, and at which layer do they operate?
SYN flood & NTP Amplification attack: Layer 4
GET/POST requests: Layer 7
What are CloudTrail’s three main benefits?
Near real-time _________ _________
_________ & _________ compliance
After-the-fact incident _________
What are CloudTrail’s three main benefits?
Near real-time intrusion detection
Industry & regulatory compliance
After-the-fact incident investigation
CloudTrail logs all ___ _____ made to your AWS account and stores these logs in ___
CloudTrail logs all API calls made to your AWS account and stores these logs in S3
What are the differences in cost between AWS Shield and AWS Shield Advanced?
AWS Shield: Free
AWS Shield Advanced: $3k a month & 1 yr commitment
What does AWS Shield Advanced offer that AWS Shield does not?
What does AWS Shield Advanced offer that AWS Shield does not?
A dedicated 24/7 DDOS response team
AWS WAF has three different behaviors:
- *______** all requests except the ones you specify
- *______** all requests except the ones you specify
- *_____** the requests that match the properties you specify
AWS WAF has three different behaviors:
Allow all requests except the ones you specify
- *Block** all requests except the ones you specify
- *Count** the requests that match the properties you specify
AWS WAF operates at which Layer, and which three attacks can it block?
Layer __
- *____** attacks
- *___** injection
- *_____-____** Scripting
AWS WAF
Layer 7
- *DDOS** attacks
- *SQL** injection
- *Cross-Site** Scripting
Which service allows you to block specific countries or IP addresses?
Which service allows you to block specific countries or IP addresses?
AWS WAF
How does AWS Guard Duty determine what normal behavior is in your account?
It uses __ to learn what normal behavior is in your account and alerts you of any ________ or _______ behavior.
AWS Guard Duty
It uses AI to learn what normal behavior is in your account and alerts you of any abnormal or malicious behavior.
AWS Guard Duty updates a database of known malicious domains using ______ ____ from _____ _______
AWS Guard Duty updates a database of known malicious domains using external feeds from third-parties.
What does logs does Guard Duty monitor? (3)
What does Guard Duty monitor?
Cloud Trail Logs, VPC Flow Logs, and DNS Logs
AWS Macie uses AI to analyze data in __ to help _______ and ______ the leak of data from which three pieces of information? (3)
AWS Macie uses AI to analyze data in S3 to help identify and prevent the leak of data from which three pieces of information?
- *PII Personal Identifiable Information**
PHI Personal Health Information
Financial Data
Macie alerts can be sent to Amazon _____________ and integrated with your _______ ____________ system
Macie alerts can be sent to Amazon Eventbridge and integrated with your event management system
AWS Inspector is used to run vulnerability scans on ___ _________ and _____
AWS Inspector is used to run vulnerability scans on both EC2 instances and VPCs
What are the two AWS Inspector scans called?
What are the two AWS Inspector scans called?
Host Assessment
Network Assessment
AWS Key Management Service is a managed service that makes it easy for you to _____ and ______ the encryption keys used to _______ your data
AWS Key Management Service is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data
You initiate KMS services by requesting the creation of a _______ ______ Key
You initiate KMS services by requesting the creation of a Customer Master Key (CMK)
The first way to generate a CMK is if AWS creates the CMK for you by generating the CMK within a _________ ________ module
The first way is AWS created the CMK for you by generating the CMK within a Hardware Security Modules
The second way to generate a CMK by importing your own ____ __________ Infrastructure and _____________ it with a CMK
The second way to generate a CMK is by importing your own Key Management Infrastructure and associating it with a CMK
The third way to generate a CMK is to have the key material generated and used in an AWS ________ cluster as part of the custom key store feature in AWS ___
The third way to generate a CMK is to have the key material generated and used in an AWS CloudHSM cluster as part of the custom key store feature in AWS KMS
What are the three ways to control permissions within KMS?
The ___ Policy
- *___** policies in combination with ___ policies
- *______** in combination with ___ policies
What are the three ways to control permissions within KMS?
The Key Policy
- *IAM** policies in combination with Key policies
- *Grants** in combination with Key policies
A Key Policy allows you to ________ the full scope of _____ to the CMK via a single ________
A Key Policy allows you to control the full scope of access to the CMK via a single document
Using ____ policies in combination with ___ policies enables you to manage all the permissions for your IAM identities in IAM
Using IAM policies in combination with Key policies enables you to manage all the permissions for your IAM identities in IAM
Grants in combination with Key policies enable you to allow _____ to the CMK as well as allow users to ________ their access to others
Grants in combination with Key policies enable you to allow access to the CMK as well as allow users to delegate their access to others
Between KMS or CloudHSM, which offers automatic Key Rotation?
Between KMS or CloudHSM, which has automatic Key Rotation?
KMS: automatic key rotation
CloudHSM: no automatic key rotation