wrong answers security Flashcards

1
Q

Does CloudTrail show configuration changes for an AWS resource?

A

No, AWS Config does. CloudTrail records API activity (which principal called which API, when, and from where); AWS Config records the configuration changes themselves and the resulting state, keeping a timeline of configuration items per resource. In practice you use both: Config tells you that a security group rule changed and what it looks like now, CloudTrail tells you who made the call.

2
Q

Does AWS Config record configuration changes for AWS resources?

A

Yes, for supported resource types. Each change is captured as a configuration item, and the history of items is kept so you can see what a resource looked like at any point and diff two points in time.

3
Q

Can an Application Load Balancer be used at the network (transport) layer?

A

No. An Application Load Balancer works only at layer 7 (HTTP, HTTPS, gRPC): it terminates the client connection and routes on host, path, headers and so on.

The Classic Load Balancer (ELB) works at layers 4 and 7, and the Network Load Balancer works at layer 4 (TCP, UDP, TLS) and preserves the client source address. Use an NLB when the protocol is not HTTP or you need static IPs or layer-4 pass-through.

4
Q

What is layer 4 (the transport layer)?

A

Transport: TCP, UDP, ports. A layer-4 device forwards on IP addresses and port numbers without looking at the payload.

5
Q

What is layer 7 (the application layer)?

A

Application: HTTP, HTTPS, FTP, DNS, SMTP. A layer-7 device understands the protocol, so it can route on URLs and headers and inspect request content.

6
Q

What does data key caching do?

A

Data key caching (a feature of the AWS Encryption SDK) reuses a cached data key for several encrypt or decrypt operations instead of calling KMS GenerateDataKey for every message. It improves performance, reduces cost, and helps stay within KMS request limits. You bound the reuse with the cache's security thresholds: maximum age, maximum number of messages, and maximum bytes per cached key.

7
Q

Does AWS Shield do packet inspection?

A

No. AWS Shield does DDoS protection (Shield Standard automatically for everyone, Shield Advanced with extra features). For packet inspection you need something else: a host-based intrusion detection system on the instance, or an in-path network inspection product (AWS Network Firewall with stateful rules, a third-party appliance, or an IDS fed by VPC Traffic Mirroring).

8
Q

What is the first step after detecting a compromised EC2 instance?

A

Contain and preserve evidence before touching anything: isolate the instance with a restrictive security group, detach it from its Auto Scaling group and load balancer, enable termination protection, and snapshot its EBS volumes (capture memory too if you can). Then investigate the instance for malware and remove what you find; AWS partner products, and GuardDuty Malware Protection, can help search for it. Rebuild from a known-good AMI rather than returning the cleaned instance to service.

9
Q

Which can be used to check for unencrypted EBS volumes: GuardDuty, Amazon Inspector, or AWS Config?

A

AWS Config, with the managed rule ENCRYPTED_VOLUMES (or a custom rule). GuardDuty looks for threats in account and network activity, and Amazon Inspector looks for software vulnerabilities and network exposure; neither checks resource configuration settings such as volume encryption.

10
Q

What distinguishes CloudHSM from KMS?

A

CloudHSM gives you dedicated, single-tenant hardware security modules in your VPC, validated at FIPS 140-2 Level 3. You create and manage the keys and HSM users yourself and AWS has no access to the key material, but you also run the cluster, backups and client integration.

KMS is a multi-tenant managed service integrated with most AWS services (key policies, grants, CloudTrail logging, automatic rotation). When this deck was written only FIPS 140-2 Level 2 was claimed for KMS; AWS has since had the KMS HSMs validated at Level 3. If you need an HSM you alone control, use CloudHSM, optionally behind KMS as a custom key store.

11
Q

What service can be used to check for high-severity software vulnerabilities on EC2 instances?

A

Amazon Inspector. It scans EC2 instances (through the SSM agent or agentless), ECR container images and Lambda functions for known vulnerabilities (CVEs) and unintended network exposure, and rates findings by severity so you can filter for high and critical.

12
Q

Can CloudWatch track S3 bucket access requests?

A

No. CloudWatch only has aggregate S3 request metrics (counts and latencies per bucket or prefix), not per-request records. Use S3 server access logs (delivered best-effort to another bucket) or CloudTrail data events for S3 (one record per API call, including the caller identity) to see who accessed what.

13
Q

What service is good for ad-hoc queries of ELB access logs?

A

Amazon Athena, because it runs SQL directly over data in S3, and ELB access logs are delivered to an S3 bucket. Create an external table over the log prefix (the ALB documentation provides a RegexSerDe DDL for the log format), partition by date if the volume is large, and query; there is nothing to load or index.
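To make the "ad-hoc query" concrete, here is an added example (not from this deck) that asks the same question you would put to Athena in SQL, which clients are producing the most 4xx/5xx responses and on which paths, but in plain Python over constructed ALB access log lines so it runs offline. Field order follows the ALB access log format; the load balancer name, host names and IP addresses are made up.

```python
"""Parse ALB access log lines and report clients generating error responses.

Added example, not from the flashcards: the question you would ask Athena in
SQL ("which clients produced the most 4xx/5xx, and on which paths?") done in
plain Python over constructed sample lines so it runs offline.  Field order
follows the ALB access log format; the load balancer name, hosts and IPs are
made up.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Quoted fields (request line, user agent, trace id, ...) contain spaces, so a
# field is either a quoted string or a run of non-space characters.
_FIELD = re.compile(r'"([^"]*)"|(\S+)')

# Leading fields of an ALB access log entry, in log order.  Later fields (TLS
# cipher, target group ARN, trace id, ...) are split but not named here.
_NAMES = ["type", "time", "elb", "client_port", "target_port",
          "request_processing_time", "target_processing_time",
          "response_processing_time", "elb_status_code", "target_status_code",
          "received_bytes", "sent_bytes", "request", "user_agent"]


def parse_alb_line(line):
    """Return the named fields plus client_ip, method and path, or None if malformed."""
    fields = [quoted if quoted else bare for quoted, bare in _FIELD.findall(line)]
    if len(fields) < len(_NAMES):
        return None
    entry = dict(zip(_NAMES, fields))
    entry["client_ip"] = entry["client_port"].rsplit(":", 1)[0]
    # The request field looks like "GET https://host:443/path?q=1 HTTP/1.1".
    parts = entry["request"].split(" ")
    entry["method"] = parts[0]
    if len(parts) > 1:
        entry["path"] = urlsplit(parts[1]).path or "/"
    else:
        entry["path"] = "-"
    return entry


def error_clients(lines, min_errors=3):
    """Count 4xx/5xx responses per client IP (using the ELB status code, which
    covers requests that never reached a target) and return clients at or above
    the threshold, most errors first, with the distinct paths they hit."""
    errors = Counter()
    paths = defaultdict(set)
    for line in lines:
        entry = parse_alb_line(line)
        if entry is None or not entry["elb_status_code"].isdigit():
            continue
        if int(entry["elb_status_code"]) >= 400:
            errors[entry["client_ip"]] += 1
            paths[entry["client_ip"]].add(entry["path"])
    return [(ip, n, sorted(paths[ip])) for ip, n in errors.most_common()
            if n >= min_errors]


# Constructed sample lines in ALB access log layout: one ordinary shopper and
# one client probing for admin pages that do not exist.
SAMPLE_LOG = """\
https 2024-01-01T10:00:01.000000Z app/demo-alb/0123456789abcdef 198.51.100.7:51000 10.0.1.10:8080 0.001 0.020 0.000 200 200 120 5400 "GET https://shop.example.com:443/ HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - "Root=1-000001"
https 2024-01-01T10:00:02.000000Z app/demo-alb/0123456789abcdef 203.0.113.5:40001 - -1 -1 -1 404 - 80 300 "GET https://shop.example.com:443/wp-login.php HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - "Root=1-000002"
https 2024-01-01T10:00:02.500000Z app/demo-alb/0123456789abcdef 203.0.113.5:40002 - -1 -1 -1 404 - 80 300 "GET https://shop.example.com:443/.env HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - "Root=1-000003"
https 2024-01-01T10:00:03.000000Z app/demo-alb/0123456789abcdef 198.51.100.7:51001 10.0.1.11:8080 0.001 0.150 0.000 200 200 900 210 "POST https://shop.example.com:443/checkout HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - "Root=1-000004"
https 2024-01-01T10:00:03.200000Z app/demo-alb/0123456789abcdef 203.0.113.5:40003 10.0.1.10:8080 0.001 0.004 0.000 403 403 80 150 "GET https://shop.example.com:443/admin/ HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - "Root=1-000005"
https 2024-01-01T10:00:03.400000Z app/demo-alb/0123456789abcdef 203.0.113.5:40004 - -1 -1 -1 404 - 80 300 "GET https://shop.example.com:443/phpmyadmin/ HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - "Root=1-000006"
https 2024-01-01T10:00:04.000000Z app/demo-alb/0123456789abcdef 198.51.100.7:51002 10.0.1.10:8080 0.001 0.900 0.000 500 500 120 80 "GET https://shop.example.com:443/api/orders HTTP/1.1" "Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 - "Root=1-000007"
"""

if __name__ == "__main__":
    for ip, count, hit_paths in error_clients(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {count} errors on {hit_paths}")
```

In Athena the same question is a GROUP BY client_ip with HAVING count(*) >= 3 over the ALB log table; the Python version is useful when you have a handful of downloaded log files and no table yet, or when you want to prototype the filter before turning it into a saved query.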

14
Q

Is it possible to import a root certificate authority into AWS Certificate Manager (ACM)?

A

No. ACM Private CA only creates CAs (a root, or a subordinate whose CSR you can have signed by an external parent CA); an existing CA's private key cannot be imported. What can be imported into ACM is an end-entity certificate with its private key and chain, for use on ALBs, CloudFront and so on.

15
Q

How do you create a highly available certificate issuing capability?

A

ACM Private CA is a regional service, so for certificate issuing that survives a regional outage, create root certificate authorities in two different regions in AWS Certificate Manager. The two CAs operate independently, each with its own key and chain, so relying parties must trust both.

16
Q

Can an ACM certificate be installed into a new Route 53 record set?

A

No. A Route 53 record set answers DNS queries; it does not terminate SSL/TLS. Certificates are attached to the service that terminates TLS (an ALB, CloudFront distribution or API Gateway endpoint), and the Route 53 record points the name at that endpoint. Route 53 is only involved in certificate handling when ACM uses a CNAME record for DNS validation.

17
Q

If you have multiple certificates from AWS, do you need to create multiple listeners for an Application Load Balancer to use both, or can one listener use both certificates?

A

Both certificates can be attached to one ALB listener. The listener picks the certificate from the host name the client sends in the TLS Server Name Indication (SNI) extension, with one certificate set as the default for clients that send none. It is not possible to create two listeners on the same port of one ALB.

18
Q

How is it possible to use AWS Certificate Manager (ACM) with CloudFront?

A

Request or import the certificate in us-east-1 (N. Virginia). CloudFront is a global service and only uses ACM certificates from that region, whatever region the origin is in.

19
Q

Is it possible to prevent an account administrator from granting access to restricted services by creating a policy?

A

Yes, with AWS Organizations service control policies (SCPs). An SCP attached to an organizational unit applies to every account in it and caps what any principal in those accounts can do, administrators included: an SCP deny cannot be overridden by any IAM policy inside the account, and an SCP never grants permissions on its own. Note that SCPs do not apply to the management account.

20
Q

What is the difference between GuardDuty and Inspector?

A

Amazon Inspector assesses your resources for weaknesses: software vulnerabilities (CVEs) on EC2 instances, container images and Lambda functions, and unintended network exposure, typically as soon as you deploy. Amazon GuardDuty continuously monitors accounts, workloads and data stored in S3, applying threat intelligence and machine learning to CloudTrail, VPC Flow Logs and DNS logs, and alerts about potential threats such as credential misuse or communication with known-bad hosts.

21
Q

Does GuardDuty protect from DDoS?

A

No, AWS Shield does.

22
Q

What is up with AWS WAF, AWS Firewall Manager, and AWS Shield? Is one service more low level and one more high level?

A

AWS WAF is the web application firewall: rules (managed rule groups, rate-based rules, IP sets, custom match rules) that inspect HTTP(S) requests before they are forwarded to CloudFront, API Gateway REST APIs, ALBs, AppSync, etc.

AWS Firewall Manager is the management layer: it deploys and audits WAF web ACLs, Shield Advanced protections, security groups and Network Firewall policies centrally across all accounts in an organization.

AWS Shield is DDoS protection. Shield Standard is on by default for everyone at layers 3 and 4; Shield Advanced adds layer-7 DDoS detection, DDoS cost protection, access to the Shield Response Team, advanced reporting, and includes AWS WAF at no extra charge for protected resources. So none is "above" another: WAF filters requests, Shield absorbs floods, and Firewall Manager manages both at scale.

23
Q

How are custom Config rules evaluated, for example to verify that a policy contains the correct denies?

A

A custom AWS Config rule runs a Lambda function that you write. It can be triggered by configuration changes (Config invokes it with the changed configuration item whenever a resource of the chosen types changes) and/or periodically at a set frequency (1, 3, 6, 12 or 24 hours). The function inspects the resource, here the policy document, and reports COMPLIANT or NON_COMPLIANT back with PutEvaluations; Config can then notify via SNS or trigger an automatic remediation.
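The shape of such a rule, as an added example (not from this deck or from AWS): a Python Lambda handler for a change-triggered custom Config rule that marks EBS volumes without encryption NON_COMPLIANT, which is the unencrypted-volumes check from card 9 written out as the custom rule this card describes. The event, volume ID and timestamps are constructed samples in the shape AWS Config sends; the put_evaluations call is left as a comment so the handler runs offline.

```python
"""Custom AWS Config rule handler (added example, not from the flashcards).

Evaluates whether an EBS volume is encrypted, the way the managed rule
ENCRYPTED_VOLUMES does, but written as a custom rule so the same skeleton
can carry any check (for example, that an IAM policy contains a required
Deny).  The handler returns its evaluations instead of calling
config.put_evaluations(), so it runs offline; the boto3 call is shown in a
comment.  SAMPLE_EVENT is a constructed copy of what AWS Config sends.
"""
import json


def evaluate_volume(configuration_item):
    """Return (compliance_type, annotation) for one configuration item."""
    if configuration_item.get("resourceType") != "AWS::EC2::Volume":
        return "NOT_APPLICABLE", "rule only evaluates EBS volumes"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "volume was deleted"
    # Config mirrors the DescribeVolumes attributes under "configuration".
    config = configuration_item.get("configuration") or {}
    if config.get("encrypted") is True:
        return "COMPLIANT", "volume is encrypted"
    return "NON_COMPLIANT", "volume is not encrypted"


def lambda_handler(event, context=None):
    """Entry point for a change-triggered custom rule.

    AWS Config passes the changed resource as a JSON string in
    event["invokingEvent"].  Periodic rules receive messageType
    "ScheduledNotification" with no configuration item and must list the
    resources themselves.
    """
    invoking_event = json.loads(event["invokingEvent"])
    if invoking_event.get("messageType") != "ConfigurationItemChangeNotification":
        # Periodic trigger: a real rule would call ec2:DescribeVolumes here and
        # evaluate every volume; this example only handles change events.
        return []
    item = invoking_event["configurationItem"]
    compliance, note = evaluate_volume(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # Inside Lambda, report the result back to AWS Config:
    # boto3.client("config").put_evaluations(
    #     Evaluations=[evaluation], ResultToken=event["resultToken"])
    return [evaluation]


# Constructed sample event in the shape of AWS Config's change notification;
# the volume ID, timestamp and token are made up.
SAMPLE_EVENT = {
    "resultToken": "example-result-token",
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Volume",
            "resourceId": "vol-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"encrypted": False, "size": 8},
        },
    }),
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

The rule's Lambda needs config:PutEvaluations in its execution role, and the rule itself is created with the function's ARN as its source; the handler above deliberately returns NOT_APPLICABLE for deleted resources so Config clears stale findings instead of leaving a NON_COMPLIANT entry for a volume that no longer exists.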

24
Q

What is needed to configure a social identity provider (Google, Facebook, Login with Amazon, Apple) for a mobile app?

A

The app client ID and app client secret issued by the provider, and the list of scopes to request (for example openid, email, profile).

These identify and authorize the app to the IdP. The OIDC ID token is what the user receives after authenticating, so it is an output of the sign-in flow, not a configuration input.

25
Q

Using the aws kms encrypt and aws kms decrypt commands, when does the user need to supply --key-id for a KMS key?

A

--key-id is required for the encrypt step. For decrypt it is optional with a symmetric KMS key, because the ciphertext blob carries metadata identifying the key that produced it.

Best practice is still to pass --key-id on both steps: it makes the decrypt fail rather than silently succeed if someone substituted ciphertext from a different key, and it is mandatory for asymmetric keys, whose ciphertext carries no key metadata.

26
Q

Which of these exists and helps maintain log integrity: CloudTrail log file integrity validation, or a "Systems Manager Configuration Compliance service"?

A

CloudTrail log file integrity validation is a real feature. When enabled, CloudTrail delivers an hourly digest file containing the SHA-256 hash of every log file delivered that hour, signed with a CloudTrail private key, and each digest also references the previous one. Any modification, deletion or forgery of a log file (or a digest) is therefore detectable, for example with aws cloudtrail validate-logs.

There is no "Systems Manager Configuration Compliance service" for monitoring policies or log integrity. Systems Manager Compliance reports patch and State Manager association compliance for managed instances, which is a different thing.

27
Q

What is the priority order for conflicting IAM policy allows and denies?

A

Explicit deny overrides explicit allow, which overrides implicit deny. Everything is implicitly denied until some policy allows it, and a single matching Deny statement anywhere wins no matter how many Allow statements match.

28
Q

What is in an IAM credential report?

A

The status of every user's credentials: password (enabled, last used, last changed), access keys (active, last rotated, last used, where and with which service), MFA devices, and signing certificates. It is a CSV covering all IAM users in the account plus the root user, generated at most once every four hours.

29
Q

How does one encrypt CloudTrail logs?

A

Nothing extra is required: CloudTrail log files delivered to S3 are encrypted at rest with S3 server-side encryption (SSE-S3) by default. If you need control over the key, configure the trail to use SSE-KMS with a KMS key whose key policy allows CloudTrail to use it; anyone reading the logs then also needs kms:Decrypt on that key, which is a useful access control on its own.

30
Q

What is the policy evaluation order for session policies, resource-based policies, AWS Organizations service control policies, identity-based policies and permissions boundaries?

A

An explicit deny in any applicable policy is evaluated first and is final. Then SCPs (implicit deny if none allows), then resource-based policies, then identity-based policies, then permissions boundaries, then session policies. A request is allowed only if it is allowed at every applicable layer; within one account, an allow in a resource-based policy is sufficient on its own for an IAM user.
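The ordering in this card, together with the explicit-deny rule three cards up and the SCP answer in card 19, as an added, deliberately simplified model written for this page (not AWS code): one account, no Condition elements, no principal matching. The policy documents, ARNs and account ID are constructed.

```python
"""Simplified model of the IAM policy evaluation order.

Added example, not from the flashcards or from AWS.  Assumes one account, no
Condition elements and no principal matching; it reproduces the order the
cards describe: explicit deny first, then SCPs, resource-based, identity-based,
permissions boundary, session policy.  Policies are dicts in the shape of real
policy documents; the ones below are constructed.
"""
import fnmatch


def _as_list(value):
    """IAM accepts a string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """True if the statement's Action and Resource cover the request (IAM-style * wildcards)."""
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", "*"))
    return (any(fnmatch.fnmatchcase(action, p) for p in actions)
            and any(fnmatch.fnmatchcase(resource, p) for p in resources))


def _effect(policy, action, resource):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None."""
    if policy is None:
        return None
    effects = {s["Effect"] for s in _as_list(policy["Statement"]) if _matches(s, action, resource)}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return None


def evaluate(action, resource, scps=(), resource_policy=None,
             identity_policies=(), boundary=None, session_policy=None):
    """Return (decision, reason); decision is 'Allow' or 'Deny'.

    scps: SCPs in effect for the account (empty if the account is not in an
    organization, in which case that layer is skipped entirely).
    """
    layers = ([("SCP", p) for p in scps]
              + [("resource-based", resource_policy)]
              + [("identity-based", p) for p in identity_policies]
              + [("permissions boundary", boundary), ("session", session_policy)])
    # 1. An explicit Deny in any applicable policy is final.
    for name, policy in layers:
        if _effect(policy, action, resource) == "Deny":
            return "Deny", f"explicit deny in {name} policy"
    # 2. SCPs never grant, they cap: if the account has SCPs, one must allow.
    if scps and not any(_effect(p, action, resource) == "Allow" for p in scps):
        return "Deny", "implicit deny: no SCP allows the action"
    # 3. Same account: a resource-based allow is sufficient on its own.
    if _effect(resource_policy, action, resource) == "Allow":
        return "Allow", "resource-based policy allows"
    # 4. Otherwise an identity-based policy must allow ...
    if not any(_effect(p, action, resource) == "Allow" for p in identity_policies):
        return "Deny", "implicit deny: no identity-based policy allows"
    # 5. ... the permissions boundary, if set, must also allow ...
    if boundary is not None and _effect(boundary, action, resource) != "Allow":
        return "Deny", "implicit deny: permissions boundary does not allow"
    # 6. ... and the session policy, if set, must also allow.
    if session_policy is not None and _effect(session_policy, action, resource) != "Allow":
        return "Deny", "implicit deny: session policy does not allow"
    return "Allow", "identity-based policy allows within boundary and session limits"


# Constructed policies. 111122223333 is the example account ID used in AWS docs.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}  # default SCP
PROTECT_TRAIL = {"Statement": [{"Effect": "Deny",                                       # SCP on the OU
                                "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
                                "Resource": "*"}]}
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}            # identity policy
S3_READ_ONLY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
DENY_S3 = {"Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                "Resource": "arn:aws:s3:::example-bucket/*"}]}

TRAIL = "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"
OBJECT = "arn:aws:s3:::example-bucket/report.csv"

if __name__ == "__main__":
    # Card 19: an account administrator cannot stop the org trail, the SCP deny wins.
    print(evaluate("cloudtrail:StopLogging", TRAIL, scps=[FULL_AWS_ACCESS, PROTECT_TRAIL],
                   identity_policies=[ADMIN]))
    # An admin boxed in by a permissions boundary that only allows S3 reads.
    print(evaluate("ec2:RunInstances", "*", scps=[FULL_AWS_ACCESS],
                   identity_policies=[ADMIN], boundary=S3_READ_ONLY))
```

Two things the model makes visible that the prose can hide: SCPs and boundaries only ever shrink the set of allowed actions (step 2 and 5 can produce a deny but never an allow), and an explicit Deny is checked across every layer before any allow is considered, which is why a Deny in a bucket policy blocks even an AdministratorAccess user.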

31
Q

What kind of security does Amazon Macie provide?

A

Macie provides data security for S3. It discovers and classifies sensitive data (personally identifiable information, credentials, financial data) with managed and custom data identifiers, and reports buckets that are public, unencrypted or shared outside the account, so you find PII before it leaks.

32
Q

What does AWS Systems Manager Patch Manager do?

A

Patch Manager scans managed instances for missing patches against a patch baseline, keeps the baseline's auto-approval rules (for example, approve critical patches seven days after release), and can either report missing patches (Scan) or install them (Scan and Install), usually on a maintenance window schedule.

33
Q

What service helps get compliance reports, for example Payment Card Industry (PCI) reports or Service Organization Control (SOC) reports?

A

AWS Artifact. It is the self-service portal for AWS compliance reports (PCI DSS attestations, SOC 1/2/3 reports, ISO certificates) and for accepting agreements such as the Business Associate Addendum.

34
Q

GuardDuty vs Macie. What is the difference?

A

GuardDuty detects suspicious behaviour: an unusual principal or source accessing data, credentials used from a known-bad IP, anomalous S3 API calls. Macie detects whether sensitive data is present in S3 to begin with and whether those buckets are exposed. GuardDuty is about who is doing what; Macie is about what is stored where.

35
Q

For a cross-account object upload, are full permissions for the bucket owner granted by the object ACL or by the bucket policy?

A

By the object ACL. With ACLs enabled, an object is owned by the account that uploaded it, so the uploader must grant the canned ACL bucket-owner-full-control on the object (the bucket policy can require this with a condition on s3:x-amz-acl and reject uploads without it). The bucket owner can then grant access to other users in its account.

With S3 Object Ownership set to "bucket owner enforced" (the default for new buckets), ACLs are disabled and the bucket owner automatically owns every object, so the whole problem goes away.

36
Q

Cognito user pool vs Cognito identity pool. What is the difference?

A

User pools are for authentication (identity verification): is the user actually the user? A user pool is the user directory: sign-up, sign-in, MFA, password policy, federation with social, SAML and OIDC providers, and it issues JWTs (ID, access and refresh tokens) to the app.

Identity pools are for authorization to AWS, i.e. access control: what can this user access? An identity pool exchanges a token from a user pool or another provider (or an unauthenticated guest identity) for temporary AWS credentials from STS, scoped by an IAM role, so the app can call AWS services such as S3 or DynamoDB directly.

37
Q

How often is an AWS managed key rotated? How about a customer managed key (CMK)?

A

AWS managed keys are rotated automatically every year (before May 2022 it was every three years, which older exam material still states). Automatic rotation of customer managed keys is optional; when enabled it is yearly by default, and a custom rotation period can now be set. Rotation keeps the old key material so existing ciphertext still decrypts; the key ID and ARN do not change.