Other Security Aspects

Question 1

Are security groups stateful, or stateless?

Answer 1

Stateful.

Question 2

What does it mean when we talk about stateful, vs stateless when it comes to network traffic?

Answer 2

Stateful means responses to inbound traffic are allowed regardless of SG rules. Responses to outbound requests are allowed regardless of SG rules.
Stateless requires responses to be allowed explicitly by having the ports open for them.

Question 3

If you have a security group that allows traffic in from a given port, from a source of 0.0.0.0/0, who has access to the instance?

Answer 3

Everyone. 0.0.0.0/0 is the CIDR address equivalent of everyone.

Question 4

You create a Bastion host to only allow ssh instances from there. If you examine your logs to find that there are ssh sessions from IP addresses that are not the Bastion host, what could be the problem?

Answer 4

Check your security groups to ensure you didn’t allow ingress from another security group over 0.0.0.0/0

Question 5

you need to review your CloudTrail logs for unauthorized API calls. You noticed that there are enormous amounts of logs to review. Which AWS service should you use to query the logs and find what you need automatically?

Answer 5

AWS Athena

Question 6

What is AWS Artifact?

Answer 6

It provides on-demand downloads of AWS security and compliance documents, such as AWS ISO certifications, PCI, and SOC reports.

Question 7

Can you use AWS Artifact to upload your security and compliance documents to your auditors and regulators to demonstrate the security and compliance of your AWS infrastructure?

Answer 7

Yes

Question 8

True or False: You should let SysOps examination questions about security compliance confuse you through red herring questions that make you confuse AWS artifact/Trusted Advisor/ or Inspector?

Answer 8

False. Make sure you understand the differences between Artifact, Trusted Advisor, and Inspector.

Question 9

True or false: AWS Artifact provides audit reports of your AWS infrastructure?

Answer 9

False. Artifact is for downloading compliance documentation, and to upload reports for auditors and regulators.

Question 10

True or false: AWS Artifact is more than just a place to download compliance documentation and a place to upload your audit and regulation reports?

Answer 10

False: It’s just a place to upload and download documents. Don’t confuse it with other security services such as Trusted Advisor or Inspector.

Question 11

True or False: CloudHSM is a single tenancy service?

Answer 11

True: It is dedicated hardware for use with only your AWS account.

Question 12

Is KMS single or multi tenancy?

Answer 12

KMS is a multi-tenancy shared service.

Question 13

True or False: With CloudHSM, you are responsible for scaling and availability, patching, etc.

Answer 13

False, AWS provides all maintanence operations including scaling and HA.

Question 14

Who has key control in CloudHSM, you or AWS?

Answer 14

You

Question 15

Who has key control in KMS, you or AWS?

Answer 15

You and AWS - Kind of a trick question I guess.

Question 16

True or False: If your organization requires asymmetric keys, you should use KMS?

Answer 16

False. You will need CloudHSM

Question 17

If you need a managed key service that is FIPS 140-2 level 3 overall compliant, would you need CloudHSM or KMS?

Answer 17

CloudHSM

Question 18

If you need a managed key service that EAL-4 compliant, would you need CloudHSM or KMS?

Answer 18

CloudHSM

Question 19

True or False: If you just need a cheap, well guarded managed key service, you should choose KMS?

Answer 19

True

Question 20

True or False: If your organization requires extremely high security compliant managed key services, you should choose CloudHSM?

Answer 20

True

Question 21

True or false: unencrypted s3 buckets can be encrypted in place?

Answer 21

True: you do not need to create a new encrypted bucket and migrate data to it

Question 22

Your application currently stores data in an unencrypted DynamoDB cluster. Management is now requiring all data to be encrypted at rest. How can you achieve this?

Answer 22

Create a new encrypted DynamoDB and migrate the old database to the new.

Question 23

Your application currently stores data in an unencrypted RDS cluster. Management is now requiring all data to be encrypted at rest. How can you achieve this?

Answer 23

Create a new encrypted RDS and migrate the old database to the new.

Question 24

Your EC2 instance has a mounted EFS that is not encrypted. With the new encryption at rest policy, how can you achieve EFS encryption?

Answer 24

Create a new encrypted EFS and migrate from the old EFS to the new

Question 25

Your EC2 instance has a mounted EBS that is not encrypted. With the new encryption at rest policy, how can you achieve EBS encryption?

Answer 25

Create a new encrypted EBS volume and migrate from the old EBS to the new.

Question 26

Which data storage service can be encrypted in place?

Answer 26

S3

Question 27

Which data storage services do not support encryption in place and require migration from an unencrypted source to an encrypted target.

Answer 27

DynamoDB
RDS
EFS
EBS

Question 28

True or false: AWS has hinted at adding encryption in place for DynamoDB and you should do your own research on this before you take your exam to ensure you have the right information?

Answer 28

True.

Question 29

What do we mean by “encrypt in place”?

Answer 29

The ability to encrypt data after provisioning the service.

Question 30

For more information on KMS compliance, where would you look?

Answer 30

https://aws.amazon.com/kms/features/

Question 31

Should you read the AWS DDoS Whitepaper?

Answer 31

Yes: https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf

Question 32

for more information about CloudHSM, where would you look?

Answer 32

https://aws.amazon.com/cloudhsm/features/

Question 33

True or False: AWS Shield basic is turned on by default?

Answer 33

True