Security in the Cloud

Question 1

A Distributed Denial of Service is an attack that attempts to make your website ______ to your end-users

Answer 1

A Distributed Denial of Service is an attack that attempts to make your website unavailable to your end-users

Question 2

What are the three most common DDOS attacks, and at which layer do they operate?

Answer 2

SYN flood & NTP Amplification attack: Layer 4
GET/POST requests: Layer 7

Question 3

What are CloudTrail’s three main benefits?

Near real-time _________ _________
_________ & _________ compliance
After-the-fact incident _________

Answer 3

What are CloudTrail’s three main benefits?

Near real-time intrusion detection

Industry & regulatory compliance
After-the-fact incident investigation

Question 4

CloudTrail logs all ___ _____ made to your AWS account and stores these logs in ___

Answer 4

CloudTrail logs all API calls made to your AWS account and stores these logs in S3

Question 5

What are the differences in cost between AWS Shield and AWS Shield Advanced?

Answer 5

AWS Shield: Free
AWS Shield Advanced: $3k a month & 1 yr commitment

Question 6

What does AWS Shield Advanced offer that AWS Shield does not?

Answer 6

What does AWS Shield Advanced offer that AWS Shield does not?

A dedicated 24/7 DDOS response team

Question 7

AWS WAF has three different behaviors:

• *______** all requests except the ones you specify
• *______** all requests except the ones you specify
• *_____** the requests that match the properties you specify

Answer 7

AWS WAF has three different behaviors:

Allow all requests except the ones you specify

• *Block** all requests except the ones you specify
• *Count** the requests that match the properties you specify

Question 8

AWS WAF operates at which Layer, and which three attacks can it block?

Layer __

• *____** attacks
• *___** injection
• *_____-____** Scripting

Answer 8

AWS WAF

Layer 7

• *DDOS** attacks
• *SQL** injection
• *Cross-Site** Scripting

Question 9

Which service allows you to block specific countries or IP addresses?

Answer 9

Which service allows you to block specific countries or IP addresses?

AWS WAF

Question 10

How does AWS Guard Duty determine what normal behavior is in your account?

It uses __ to learn what normal behavior is in your account and alerts you of any ________ or _______ behavior.

Answer 10

AWS Guard Duty

It uses AI to learn what normal behavior is in your account and alerts you of any abnormal or malicious behavior.

Question 11

AWS Guard Duty updates a database of known malicious domains using ______ ____ from _____ _______

Answer 11

AWS Guard Duty updates a database of known malicious domains using external feeds from third-parties.

Question 12

What does logs does Guard Duty monitor? (3)

Answer 12

What does Guard Duty monitor?

Cloud Trail Logs, VPC Flow Logs, and DNS Logs

Question 13

AWS Macie uses AI to analyze data in __ to help _______ and ______ the leak of data from which three pieces of information? (3)

Answer 13

AWS Macie uses AI to analyze data in S3 to help identify and prevent the leak of data from which three pieces of information?

• *PII Personal Identifiable Information**

PHI Personal Health Information

Financial Data

Question 14

Macie alerts can be sent to Amazon _____________ and integrated with your _______ ____________ system

Answer 14

Macie alerts can be sent to Amazon Eventbridge and integrated with your event management system

Question 15

AWS Inspector is used to run vulnerability scans on ___ _________ and _____

Answer 15

AWS Inspector is used to run vulnerability scans on both EC2 instances and VPCs

Question 16

What are the two AWS Inspector scans called?

Answer 16

What are the two AWS Inspector scans called?

Host Assessment
Network Assessment

Question 17

AWS Key Management Service is a managed service that makes it easy for you to _____ and ______ the encryption keys used to _______ your data

Answer 17

AWS Key Management Service is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data

Question 18

You initiate KMS services by requesting the creation of a _______ ______ Key

Answer 18

You initiate KMS services by requesting the creation of a Customer Master Key (CMK)

Question 19

The first way to generate a CMK is if AWS creates the CMK for you by generating the CMK within a _________ ________ module

Answer 19

The first way is AWS created the CMK for you by generating the CMK within a Hardware Security Modules

Question 20

The second way to generate a CMK by importing your own ____ __________ Infrastructure and _____________ it with a CMK

Answer 20

The second way to generate a CMK is by importing your own Key Management Infrastructure and associating it with a CMK

Question 21

The third way to generate a CMK is to have the key material generated and used in an AWS ________ cluster as part of the custom key store feature in AWS ___

Answer 21

The third way to generate a CMK is to have the key material generated and used in an AWS CloudHSM cluster as part of the custom key store feature in AWS KMS

Question 22

What are the three ways to control permissions within KMS?

The ___ Policy

• *___** policies in combination with ___ policies
• *______** in combination with ___ policies

Answer 22

What are the three ways to control permissions within KMS?

The Key Policy

• *IAM** policies in combination with Key policies
• *Grants** in combination with Key policies

Question 23

A Key Policy allows you to ________ the full scope of _____ to the CMK via a single ________

Answer 23

A Key Policy allows you to control the full scope of access to the CMK via a single document

Question 24

Using ____ policies in combination with ___ policies enables you to manage all the permissions for your IAM identities in IAM

Answer 24

Using IAM policies in combination with Key policies enables you to manage all the permissions for your IAM identities in IAM

Question 25

Grants in combination with Key policies enable you to allow _____ to the CMK as well as allow users to ________ their access to others

Answer 25

Grants in combination with Key policies enable you to allow access to the CMK as well as allow users to delegate their access to others

Question 26

Between KMS or CloudHSM, which offers automatic Key Rotation?

Answer 26

Between KMS or CloudHSM, which has automatic Key Rotation?

KMS: automatic key rotation
CloudHSM: no automatic key rotation

Question 27

What is the difference in Tenancy Rules regarding KMS vs. CloudHSM:

KMS: ______ Tenancy
CloudHSM: ________ host to you and you have full control of ________ ________

Answer 27

What is the difference in Tenancy Rules regarding KMS vs. CloudHSM:

KMS: Shared Tenancy
CloudHSM: Dedicated host to you, and you have full control of underlying hardware

Question 28

CloudHSM offers full control of users, ______, and _____

Answer 28

CloudHSM offers full control of users, groups, and keys

Question 29

Secrets Manager can be used to securely store (3)

________ credentials
Passwords
___/___ Keys

Answer 29

Secrets Manager can be used to securely store (3)

• *Database** credentials
• *Passwords**
• *API/SSH** Keys

Question 30

When enabled, Secrets Manager will _______ credentials __________. If applications and instances are not properly configured, you won’t be able to access your __________

Answer 30

When enabled, Secrets Manager will rotate credentials immediately. If applications and instances are not properly configured, you won’t be able to access your resources

Question 31

Parameter Store and Secrets Manager offer similar services when should you use one versus the other?

If you are trying to ________ cost use _________

Answer 31

Parameter Store and Secrets Manager offer similar services when should you use one versus the other?

If you are trying to minimize cost use the parameter store

Question 32

Secrets Manager is perfect if you need more than 10,000 __________, key ________ or the need to generate passwords using _____________

Answer 32

Secrets Manager is perfect if you need more than 10,000 parameters, key rotations, or need to generate passwords using CloudFormation

Question 33

Presigned URLs let you _____ _______ files from your S3 bucket

Answer 33

Presigned URLs let you share private files from your S3 bucket

Question 34

When it comes to IAM policies, if something is not explicitly allowed it is ______ _____

Answer 34

When it comes to IAM policies if something is not explicitly allowed it is implicitly denied

Question 35

An IAM policy needs to be ________ before it can have an _____

Answer 35

An IAM policy needs to be attached before it can have an effect

Question 36

AWS Managed Microsoft AD is the best choice if you have more than _____ users and/or need a ____ relationship setup

Answer 36

AWS Managed Microsoft AD is the best choice if you have more than 5000 users and/or need a trust relationship setup

Question 37

AD Connector is the best choice when you want to use an existing _____ ________ with AWS Services

Answer 37

AD Connector is the best choice when you want to use an existing Active Directory with AWS Services

Question 38

AD Connector comes in two sizes what are they, and what are the user maximum counts?

Answer 38

AD Connector comes in two sizes what are they, and what are the user maximum counts?

Small: designed for orgs w/up to 500 users
Large: designed for orgs w/up to 5000 users

Question 39

What type of connection do you require, when using AWS Managed Microsoft AD or AD connector?

Answer 39

What type of connection do you require when using AWS Managed Microsoft AD or AD connector?

VPN or Direct Connect

Question 40

Simple AD is the most inexpensive AD service and is the best option if you have less than ___ users and don’t need ________ AD features

Answer 40

Simple AD is the most inexpensive AD service and is the best option if you have less than 500 users and don’t need advanced AD features

Question 41

Simple AD features

Manage users, groups, and _______
_______-based SSO
Supports joining _____ or ________-based EC2 instances

Answer 41

Simple AD features

Manage users, groups, and policies
Kerberos-based SSO
Supports joining Linux or Windows-based EC2 instances

Question 42

Rules contain a statement that defines the __________ ______, and an ______ to take if a web request meets the ______

Answer 42

Rules contain a statement that defines the inspection criteria, and an action to take if a web request meets the criteria

Question 43

What type of encryption does KMS support (2)

Answer 43

Symmetric and Asymmetric encryption

Question 44

Customer Master Key (CMK) contains the ___ _______ used to ______ and ______ data

Answer 44

Customer Master Key (CMK) contains the key material used to encrypt and decrypt data

Question 45

What is the data size limit that CMK can encrypt?

Answer 45

CMK can encrypt up to 4KB in size

Question 46

What type of key would you use if you wanted to encrypt a large amount of data?

Answer 46

Data encryption key

Question 47

CloudHSM is a cloud-based _________ _________ module

Answer 47

CloudHSM is a cloud-based hardware security module

Question 48

With CloudHSM you ________ and use your own ________ ___

Answer 48

With CloudHSM you generate and use your own encryption key

Question 49

With CloudHSM you retain _______ of your encryption keys. AWS has no ________ of your encryption keys

Answer 49

With CloudHSM you retain control of your encryption keys. AWS has no visibility of your encryption keys

Question 50

What services does AWS Certificate Manager integrate with (5)

Elastic ____ _________
Elastic _________
Cloud_________
Cloud_____
____ Enclaves

Answer 50

Elastic Load Balancing
Elastic Beanstalk
CloudFormation
Cloudfront
Nitro Enclaves

Question 51

A ___ ______ tells AWS WAF what to do with a web request when it matches the ______ defined in the ____

Answer 51

A rule action tells AWS WAF what to do with a web request when it matches the criteria defined in the rule

Question 52

AWS KMS allows you to control Key usage across AWS _______ and __________

Answer 52

AWS KMS allows you to control Key usage across AWS services and applications

Question 53

Parameter Store provides secure hierarchical storage for configuration ____ and _______

Answer 53

Parameter Store provides secure hierarchical storage for configuration data and secrets

Question 54

What type of data does Parameter Store maintain as values?

_________

_________ strings

________ Codes

Answer 54

What type of data does Parameter Store maintain as values?

Passwords

Database strings

License Codes

Question 55

Parameter Store can store values in two forms, what are they?

Answer 55

Parameter Store can store values in two forms; what are they?

Plaintext (unencrypted)

Ciphertext (encrypted)

Question 56

Secrets Manager rotates secrets safely without the need for ____ __________

Answer 56

Secrets Manager rotates secrets safely without the need for code deployments

Question 57

Secrets Manager offers an automatic rotation of credentials (built-in) for which three AWS Services?

Amazon ___

Amazon ________

Amazon __________

Answer 57

Secrets Manager offers an automatic rotation of credentials (built-in) for:

Amazon RDS

Amazon Redshift

Amazon DocumentDB

Question 58

AWS WAF lets you create rules to filter web traffic based on conditions like __ _________, ____ headers, and _____

Answer 58

AWS WAF lets you create rules to filter web traffic based on conditions like IP address, HTTP headers, and URL’s

Question 59

AWS Shield supports _____ mitigation & protection against Layer _____ & ____ attacks.

Answer 59

AWS Shield supports DDOS mitigation & protection against Layer three & four attacks.

Question 60

AWS KMS key can do what 3 things to data keys?

Answer 60

AWS KMS key can be use to generate, encrypt and decrypt data keys

Question 61

What is the Automatic rotational period for AWS & Customer managed KMS keys?

Answer 61

Automatic Rotation Cycles

Customer Managed KMS key: 365 days

AWS Managed KMS key: 1095 days/ 3yrs

Question 62

To share snapshots with another account, you must specify which two permissions.

Answer 62

To share snapshots with another account you must specify Decrypt and CreateGrant permissions

Question 63

The kms:ViaService condition key can be used to limit what ?

Answer 63

The kms:ViaService condition key can be used to limit key usage to specific AWS services

Question 64

What is the API action removes key material?

Answer 64

You must use the DeletelmportedKeyMaterial API to remove the key material

Question 65

An Amazon Cognito User Pool is a directory for managing _________ & _____________ for mobile applications

Answer 65

An Amazon Cognito User Pool is a directory for managing sign-in and sign-up for mobile applications

Question 66

Cognito Identity pools are used to obtain ____________ and _________ ______________ for AWS services

Answer 66

Cognito Identity pools are used to obtain temporary, & limited-privilege credentials for AWS services

Question 67

What two locations can Cognito Identities come from?

Answer 67

Identities can come from a Cognito user pool

Identities can also come from social Identity providers (IdPs)