AWS Security Flashcards

1
Q

Who is responsible for keeping AWS resources secure?

A

Both the customer and AWS are responsible for keeping AWS resources secure.

2
Q

What are the customer’s responsibilities in the shared responsibility model?

A

The customer is responsible for the security of everything that they create and put in the AWS Cloud. This includes selecting, configuring, and patching the operating systems that will run on Amazon EC2 instances, configuring security groups, and managing user accounts.

3
Q

What are AWS’s responsibilities in the shared responsibility model?

A

AWS is responsible for the security of the cloud: the physical infrastructure that hosts your resources, including the data centers, the hardware, the host operating system, and the virtualization layer. Everything from the hypervisor down is AWS's job; everything you put on top of it is yours.

4
Q

What are some examples of customer responsibilities in the shared responsibility model?

A

Some examples of customer responsibilities in the shared responsibility model include:

Selecting and configuring the operating system for Amazon EC2 instances

Configuring security groups

Managing user accounts

Encrypting data

Implementing security best practices

Monitoring and auditing your environment

4
Q

What are some examples of AWS responsibilities in the shared responsibility model?

A

Providing secure infrastructure

Protecting the physical security of data centers

Operating and maintaining the cloud infrastructure

Updating and patching the software AWS runs (host operating systems, the hypervisor, and managed-service software; guest operating systems on your EC2 instances remain your responsibility)

Monitoring the cloud environment for security threats

Responding to security incidents

5
Q

What is the difference between security in the cloud and security of the cloud?

A

Security in the cloud refers to the security of the customer’s data and applications that are hosted in the AWS Cloud. This includes things like selecting and configuring the operating system, configuring security groups, and managing user accounts. Security of the cloud refers to the security of the AWS infrastructure that hosts the customer’s data and applications. This includes things like the physical security of data centers, the hardware and software infrastructure, and the network infrastructure.

6
Q

What are some of the benefits of the AWS shared responsibility model?

A

Reduced operational overhead: The customer does not have to worry about the day-to-day management of the physical infrastructure. This can save the customer time and money.

Increased security: AWS maintains a dedicated security organization for the underlying infrastructure, so the customer inherits physical, network, and hypervisor controls they would otherwise have to build themselves. This does not make the customer's data secure by default; everything placed in the cloud is still the customer's to protect.

Flexibility: The AWS shared responsibility model gives the customer flexibility in how they manage the security of their data and applications. The customer can choose the level of security that is right for their needs.

7
Q

What are some of the challenges of the AWS shared responsibility model?

A

The customer must be aware of their responsibilities: The customer must understand their responsibilities in the shared responsibility model. If the customer does not understand their responsibilities, they may not be able to protect their data and applications.

The customer must be able to manage their security: The customer must be able to manage the security of their data and applications. This includes things like configuring security groups, managing user accounts, and encrypting data.

The customer must be able to monitor their environment: The customer must be able to monitor their environment for security threats, such as unauthorized access, malware, and data breaches.

8
Q

What is an IAM user?

A

An IAM user is an identity that you create in AWS. It represents the person or application that interacts with AWS services and resources.

8
Q

What is the root user?

A

The root user is the identity established when the AWS account is created. It signs in with the account's email address and password, has full, unrestricted access to all AWS services and resources in the account, and cannot be limited by IAM policies.

9
Q

What is an IAM role?

A

An IAM role is an identity that you can assume to gain temporary access to permissions. It is often used to grant access to AWS services and resources to applications or services.

9
Q

What is AWS Identity and Access Management (IAM)?

A

IAM is a service that helps you manage access to AWS services and resources. It allows you to create and manage users, groups, and roles, and to control their permissions.

10
Q

What is an IAM group?

A

An IAM group is a collection of IAM users. When you assign an IAM policy to a group, all users in the group are granted permissions specified by the policy.

11
Q

What are some best practices for IAM?

A

Do not use the root user for everyday tasks; protect it with MFA and do not create access keys for it.
Create an individual identity for each person who needs access (an IAM user, or preferably a federated identity that assumes a role); never share credentials.
Follow the principle of least privilege when granting permissions.
Use IAM groups to manage permissions.
Enable MFA for the root user and all IAM users.
Prefer temporary credentials (IAM roles) over long-lived access keys, and rotate any access keys you do keep regularly.
Monitor IAM activity (for example through AWS CloudTrail) for suspicious activity.

11
Q

What is the purpose of AWS Identity and Access Management (IAM)?

A

AWS Identity and Access Management (IAM) enables the secure management of access to AWS services and resources.

11
Q

What is multi-factor authentication (MFA)?

A

MFA is an extra layer of security that requires users to provide two or more pieces of information to verify their identity when signing in to AWS.

12
Q

What are the features explored in detail in relation to IAM?

A

The features explored in detail in relation to IAM are IAM users, groups, and roles, IAM policies, and multi-factor authentication.

12
Q

What is the role of the AWS Account Root User?

A

The AWS Account Root User is the initial identity created when an AWS account is set up. It has complete access to all AWS services and resources in the account.

12
Q

What is the recommended best practice regarding the use of the AWS Account Root User?

A

The recommended best practice is to not use the root user for everyday tasks. Instead, create an IAM user and assign appropriate permissions for regular tasks.

13
Q

How are permissions granted to an IAM user?

A

By default, a newly created IAM user has no permissions associated with it. Specific permissions need to be granted to the IAM user to perform actions in AWS.

14
Q

What is an IAM user in AWS?

A

An IAM user is an identity created in AWS for individuals or applications to interact with AWS services and resources. It consists of a name and credentials.

15
Q

What is an IAM policy?

A

An IAM policy is a document that grants or denies permissions to AWS services and resources. It allows customization of users’ access levels to resources.

16
Q

What security principle should be followed when granting permissions in IAM policies?

A

The security principle of least privilege should be followed, granting users or roles only the permissions necessary to perform their tasks.

17
Q

How are IAM policies used in granting access to specific resources?

A

IAM policies specify the allowed actions and resources for a user. For example, an IAM policy can grant access to a specific Amazon S3 bucket.

18
Q

What is the purpose of IAM groups?

A

IAM groups are collections of IAM users. When an IAM policy is assigned to a group, all users in the group are granted the permissions specified by the policy.

19
Q

What is the advantage of using IAM groups in managing permissions?

A

Assigning IAM policies at the group level makes it easier to adjust permissions when an employee changes roles. Users can be added or removed from groups to grant or revoke permissions.

20
Q

What are IAM roles in AWS?

A

IAM roles are identities that can be assumed to gain temporary access to permissions. They are ideal for situations where temporary access is needed.

21
Q

What is the purpose of multi-factor authentication (MFA) in IAM?

A

Multi-factor authentication (MFA) provides an additional layer of security for AWS accounts. It requires users to provide multiple forms of verification to access the account.

22
Q

How does MFA work in IAM?

A

Users sign in with their account ID or alias, IAM user name, and password, and then supply the code or response generated by their registered MFA device, such as a hardware token, a FIDO security key, or a smartphone authenticator app. Both factors must succeed before the session is issued.

23
Q

What is the recommended best practice regarding MFA in AWS?

A

It is recommended to enable MFA for both the root user and IAM users in order to enhance the security of the AWS account and protect against unauthorized access.

23
Q

What are the default permissions for a new IAM user?

A

By default, a new IAM user has no permissions associated with it. This means that the user cannot perform any actions in AWS, such as launching an Amazon EC2 instance or creating an Amazon S3 bucket.

24
Q

What can a user with the default IAM policy do?

A

Sign in to the AWS Management Console, if a console password has been set for the user

Change their own password, but only when permitted: either iam:ChangePassword on their own user, or the account password policy option that lets users change their own passwords

View the basic information about their own user that the console shows; anything beyond that (listing resources, launching instances, reading buckets) needs an explicit Allow

25
Q

What is AWS Organizations?

A

AWS Organizations is a service that helps you consolidate and manage multiple AWS accounts within a central location.

26
Q

What is a root in AWS Organizations?

A

A root is the parent container for all the accounts in your organization.

27
Q

What are service control policies (SCPs)?

A

SCPs are a type of policy that you can use to centrally control permissions for the accounts in your organization.

28
Q

What is the purpose of AWS Organizations?

A

AWS Organizations allows the consolidation and management of multiple AWS accounts within a central location.

29
Q

How can permissions be centrally controlled for accounts in AWS Organizations?

A

Permissions for accounts in AWS Organizations can be centrally controlled using service control policies (SCPs). SCPs restrict the AWS services, resources, and API actions available to every principal in a member account, including its root user; they set a ceiling and never grant permissions on their own.

30
Q

What is the role of consolidated billing in AWS Organizations?

A

Consolidated billing is a feature of AWS Organizations that enables the billing of multiple accounts under a single payment method. It simplifies billing and provides a comprehensive view of costs across the organization.

31
Q

What are organizational units (OUs) in AWS Organizations?

A

Organizational units (OUs) are groups used to organize accounts within AWS Organizations. They facilitate the management of accounts with similar business or security requirements.

32
Q

How do policies apply to accounts within an organizational unit (OU)?

A

When a policy is attached to an OU, every account beneath that OU (including accounts in nested OUs) inherits it. Because SCPs only define the maximum permissions available, what the accounts inherit is a restriction, not a grant: a principal's effective permissions are the intersection of every SCP on the path from the root down to its account and the IAM policies attached to it. This lets one policy govern many accounts at once.

33
Q

How can OUs be used to enforce specific security requirements within AWS Organizations?

A

By organizing separate accounts into OUs, workloads or applications with specific security requirements can be isolated. Policies can be attached to OUs to restrict access to AWS services that do not meet the required security standards.

34
Q

How can AWS Organizations be used in a company scenario?

A

In a company scenario, AWS Organizations can be used to consolidate separate AWS accounts for different departments, such as finance, IT, HR, and legal, into a single organization. OUs can be created to group accounts based on their departmental requirements.

35
Q

How are the finance and IT departments managed within AWS Organizations?

A

The finance and IT departments' accounts can be brought into the organization for benefits like consolidated billing while remaining directly under the organization root, without being placed in any OU.

36
Q

How are the HR and legal departments managed within AWS Organizations?

A

The HR and legal departments’ accounts can be placed into an OU together to facilitate the attachment of policies that apply to both departments’ AWS accounts.

37
Q

Can access for users, groups, and roles still be provided through IAM in AWS Organizations?

A

Yes, even when accounts are grouped into OUs within AWS Organizations, access for users, groups, and roles can still be managed through IAM.

38
Q

What benefits does grouping accounts into OUs provide within AWS Organizations?

A

Grouping accounts into OUs allows for easier management of access to services and resources based on the specific needs of each account. It also prevents unauthorized access to services and resources that are not required by an account.

39
Q

What are some of the limitations of AWS Organizations?

A

An AWS account can belong to only one organization at a time; an account cannot be moved directly between organizations, it must first leave its current organization and then be invited into (or created in) the new one.

The management account cannot be removed from its organization; the organization itself can only be deleted after every member account has been removed.

Member accounts that were created from within the organization must complete standalone sign-up steps (payment method, contact verification, support plan) before they can leave it.

39
Q

What is the advantage of consolidated billing in AWS Organizations?

A

Consolidated billing in AWS Organizations allows for the aggregation of charges from multiple AWS accounts into a single payment method, simplifying billing and cost management for the organization.

39
Q

How does AWS Organizations enhance security for multiple accounts?

A

AWS Organizations provides centralized control over permissions, allowing organizations to enforce security policies consistently across multiple accounts and implement granular access controls.

40
Q

You are configuring service control policies (SCPs) in AWS Organizations. Which identities and resources can SCPs be applied to?
IAM users
IAM groups
An individual member account
IAM roles
An organizational unit (OU)

A

The correct two response options are:

An individual member account

An organizational unit (OU)

In AWS Organizations, you can attach service control policies (SCPs) to the organization root, to an OU, or to an individual member account. An SCP bounds every IAM user, group, and role in the affected member accounts, including each account's root user. It never affects the management account, which is one reason that account should hold no workloads.

You attach IAM policies to IAM users, groups, or roles. You cannot attach an IAM policy to the AWS account root user; the only thing that constrains a root user is an SCP, and only in a member account.

41
Q

Can SCPs be used to grant additional permissions beyond those provided by IAM policies?

A

No, SCPs are used to restrict permissions rather than grant additional permissions. They help enforce security and compliance requirements by limiting access to AWS services and resources.
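
The relationship between an identity policy scoped to one S3 bucket (card 17), the empty default permissions of a new IAM user (card 13), least privilege, and an SCP that only narrows what is possible is easiest to see by evaluating concrete requests. The block below is an added example written for this page, not AWS code and not the real IAM evaluation engine: it models only Action/Resource matching, explicit-deny-wins, the SCP intersection along the root-to-OU path, and the root user's exemption from IAM policies but not from SCPs. NotAction, Principal, Condition, resource-based policies and permission boundaries are deliberately left out. The policies, bucket name, and OU layout are constructed placeholders.

```python
import json
import re

# Constructed sample policies. The bucket name and OU layout are placeholders.

# Identity-based policy for an IAM user or role: one bucket only, deletes included,
# so that the SCP below has something to override.
IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-reports"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-reports/*"}
  ]
}
""")

# SCP on the organization root: the default FullAWSAccess policy.
ROOT_SCP = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

# SCP on the OU holding the account: keeps FullAWSAccess (an SCP that allows nothing
# would cut the account off entirely) and adds a guardrail that nobody in the OU,
# root user included, can delete S3 data.
OU_SCP = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Action": "*", "Resource": "*"},
   {"Effect": "Deny", "Action": ["s3:DeleteObject", "s3:DeleteBucket"], "Resource": "*"}
 ]}
""")


def _wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate_policy(policy: dict, action: str, resource: str):
    """Return 'Deny', 'Allow', or None (no matching statement) for one policy document."""
    decision = None
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(a, action) for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_wildcard_match(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins, whatever else allows
            decision = "Allow"
    return decision


def is_authorized(action: str, resource: str, identity_policy=None, scps=(), is_root=False) -> bool:
    """Decide a request made inside a member account.

    scps: the SCPs on the path organization root -> OU -> account. Every level must
    allow the action and none may deny it (the intersection). is_root: the account's
    root user, which has no identity policy but is still bound by the SCPs."""
    for scp in scps:
        if evaluate_policy(scp, action, resource) != "Allow":
            return False
    if is_root:
        return True
    if identity_policy is None:
        return False  # a brand-new IAM user with no policy can do nothing
    return evaluate_policy(identity_policy, action, resource) == "Allow"


if __name__ == "__main__":
    path = (ROOT_SCP, OU_SCP)
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-reports/q1.csv"),
                     ("s3:GetObject", "arn:aws:s3:::other-bucket/q1.csv"),
                     ("s3:DeleteObject", "arn:aws:s3:::example-reports/q1.csv"),
                     ("ec2:RunInstances", "*")]:
        print(f"{act:18} {res:45} -> {is_authorized(act, res, IDENTITY_POLICY, path)}")
```

The two cases worth dwelling on: `ec2:RunInstances` is allowed by every SCP on the path yet still fails, because an SCP grants nothing and the identity policy never mentions EC2; and `s3:DeleteObject` is explicitly allowed by the identity policy yet still fails, because the OU's SCP denies it, and that holds for the account's root user too.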

42
Q

What happens when an account is removed from an OU in AWS Organizations?

A

When an account is moved out of an OU (into the root or into another OU), the SCPs attached to that OU no longer apply to it. Its effective permissions are then bounded by the SCPs on its new path (the organization root, any new OU, and the account itself), intersected as before with the IAM policies inside the account.

43
Q

Can SCPs be applied to the root of an organization in AWS Organizations?

A

Yes, SCPs can be applied to the root of an organization in AWS Organizations to set top-level restrictions that apply to all accounts within the organization.

44
Q

What is AWS Artifact?

A

AWS Artifact is a service that provides on-demand access to AWS security and compliance reports and select online agreements.

45
Q

What are AWS Artifact Agreements?

A

AWS Artifact Agreements are agreements that you can sign with AWS to govern your use of certain types of information in AWS services.

46
Q

What are AWS Artifact Reports?

A

AWS Artifact Reports are compliance reports from third-party auditors that verify that AWS is compliant with a variety of global, regional, and industry-specific security standards and regulations.

47
Q

What are the benefits of using AWS Artifact?

A

On-demand access to compliance reports

Ability to manage agreements for individual accounts and AWS Organizations

Up-to-date compliance reports

48
Q

How do I find out which compliance reports are relevant to my business?

A

Reviewing the AWS Artifact Compliance Report Catalog

Consulting with your legal or compliance team

49
Q

How do I use AWS Artifact Reports to demonstrate compliance with regulations?

A

Providing the reports to your auditors or regulators

Linking to the reports in your compliance documentation

50
Q

What is the purpose of AWS Artifact Agreements?

A

AWS Artifact Agreements allow companies to review, accept, and manage agreements with AWS related to the use of specific types of information within AWS services.

51
Q

How frequently are AWS Artifact Reports updated?

A

AWS Artifact Reports remain up to date with the latest reports released, ensuring that customers have access to the most current compliance information.

52
Q

Which tasks can you complete in AWS Artifact?
Access AWS compliance reports on-demand.
Consolidate and manage multiple AWS accounts within a central location.
Create users to enable people and applications to interact with AWS services and resources.
Set permissions for accounts by configuring service control policies (SCPs).
Review, accept, and manage agreements with AWS.

A

The correct two response options are:

Access AWS compliance reports on-demand.

Review, accept, and manage agreements with AWS.

The other response options are incorrect because:

Consolidate and manage multiple AWS accounts within a central location- This task can be completed in AWS Organizations.

Create users to enable people and applications to interact with AWS services and resources- This task can be completed in AWS Identity and Access Management (IAM).

Set permissions for accounts by configuring service control policies (SCPs)- This task can be completed in AWS Organizations.

52
Q

What is a denial-of-service (DoS) attack?

A

A denial-of-service attack is a deliberate attempt to make a website or application unavailable to users by overwhelming it with excessive network traffic.

52
Q

What is a distributed denial-of-service (DDoS) attack?

A

In a DDoS attack, multiple sources, including a group of attackers or a single attacker using multiple infected computers (bots), are used to overwhelm a website or application and make it inaccessible.

52
Q

How does a DoS attack affect users?

A

A successful DoS attack prevents legitimate users from accessing the targeted website or application, as it becomes overloaded and unable to respond to their requests.

53
Q

How does a DDoS attack differ from a DoS attack?

A

While a DoS attack typically originates from a single source, a DDoS attack involves multiple sources simultaneously attacking the target, making it harder to block or mitigate.

54
Q

What is AWS Shield?

A

AWS Shield is a service provided by Amazon Web Services (AWS) that offers protection against DDoS attacks.

55
Q

What are the two levels of protection provided by AWS Shield?

A

AWS Shield provides two levels of protection: Standard and Advanced.

56
Q

What does AWS Shield Standard offer?

A

AWS Shield Standard automatically protects all AWS customers at no additional cost, defending against common and frequently occurring types of DDoS attacks.

57
Q

How does AWS Shield Standard mitigate DDoS attacks?

A

AWS Shield Standard employs various analysis techniques to detect malicious traffic in real time and automatically mitigates the attack as network traffic reaches the applications.

58
Q

What does AWS Shield Advanced provide?

A

AWS Shield Advanced is a paid service that offers more comprehensive protection against sophisticated DDoS attacks and includes detailed attack diagnostics.

59
Q

How can AWS Shield be integrated with other AWS services?

A

AWS Shield can integrate with services such as Amazon CloudFront, Amazon Route 53, Elastic Load Balancing, and AWS WAF (Web Application Firewall) to enhance DDoS protection and mitigation capabilities.

60
Q

What is the benefit of integrating AWS Shield with AWS WAF?

A

By integrating AWS Shield with AWS WAF, custom rules can be written to mitigate complex DDoS attacks, further enhancing the protection provided by both services.

61
Q

What are the benefits of using AWS Shield?

A

Protection from the most common, frequently occurring types of DDoS attack

Detailed attack diagnostics

The ability to detect and mitigate sophisticated DDoS attacks

Integration with other AWS services

62
Q

What are some of the most common types of DDoS attacks?

A

Volumetric attacks: These attacks flood a website or application with more network traffic than its links or upstream capacity can carry (UDP floods and reflection/amplification attacks are typical examples).

Protocol attacks: These attacks exploit weaknesses in network protocols, for example SYN floods, to exhaust connection-state resources on servers, load balancers, or firewalls rather than raw bandwidth.

Application-layer attacks: These attacks target the application itself with requests that look legitimate but are expensive to serve, such as HTTP floods or repeated complex searches, exhausting the application's CPU, database, or connection capacity.

63
Q

How do HTTP level attacks work?

A

HTTP-level attacks, such as complex product searches fired off by a large number of bot machines, aim to consume application resources (compute, database time, connection slots) so that legitimate users can no longer be served. Each request looks valid on its own, which is what makes this class harder to filter than a raw traffic flood.

63
Q

How can I protect my website or application from DDoS attacks?

A

Using a DDoS mitigation service like AWS Shield

Implementing security best practices, such as using strong passwords and firewalls

Keeping your website or application software up to date

63
Q

How can AWS help defend against DDoS attacks?

A

AWS provides solutions for DDoS protection, including AWS Shield and AWS WAF (Web Application Firewall).

63
Q

What is a UDP flood attack?

A

A UDP flood, in the reflection or amplification form the course describes, sends small requests with a spoofed source address (the victim's) to a service, such as the National Weather Service, that replies with a far larger response. The replies are sent to the victim rather than the attacker, and the target server becomes overwhelmed trying to process the unwanted data.

63
Q

What is a Slow Loris attack?

A

A Slowloris attack opens many connections to a web server and sends partial HTTP requests very slowly, never completing them, so the server keeps each connection and its worker resources open waiting for the rest. Enough of these half-open requests exhaust the server's connection pool and slow or stop service for everyone else.

63
Q

What is the role of security groups in DDoS protection?

A

Security groups allow only the traffic you have explicitly permitted to reach an instance's network interface, so low-level network attacks like UDP floods against ports that are not open are dropped before they reach the instance.
Security groups are enforced by the AWS network (outside the guest operating system), not by a firewall running inside the EC2 instance. Traffic that a security group rejects therefore never consumes the instance's own CPU or bandwidth; it is absorbed by the capacity of the AWS Region's network, which is far larger than any single instance's capacity.

64
Q

What is AWS Shield with AWS WAF?

A

AWS Shield with AWS WAF is a specialized defense tool that combines web application firewall capabilities with machine learning to filter incoming traffic and proactively defend against evolving DDoS attack vectors.

64
Q

How does the elastic load balancer (ELB) help in mitigating Slow Loris attacks?

A

The ELB ensures that the entire HTTP message is complete before forwarding it to the web server, preventing Slow Loris attacks from tying up server resources.

65
Q

How does the architecture of AWS provide an advantage in DDoS protection?

A

The scale and distributed nature of AWS infrastructure make it difficult and expensive for attackers to overwhelm the entire AWS region, providing a strong defense against DDoS attacks.

65
Q

What is a cryptographic key?

A

A cryptographic key is a random string of bits used for encrypting and decrypting data (or for signing and verifying it). AWS KMS enables the generation and control of cryptographic keys.

66
Q

What is AWS Key Management Service (AWS KMS)?

A

AWS Key Management Service (AWS KMS) is a service that allows you to create, manage, and use cryptographic keys for encryption, decryption, and signing operations that secure your data. The keys never leave the service unencrypted; other AWS services and your applications call KMS to use them.

67
Q

How does AWS KMS provide access control for keys?

A

AWS KMS allows you to specify the levels of access control for your keys. You can define which IAM users and roles can manage keys and disable keys temporarily when not in use.

68
Q

What is AWS WAF?

A

AWS WAF (Web Application Firewall) is a service that helps protect web applications by monitoring and controlling network requests that come into the applications.

69
Q

How does AWS WAF work?

A

AWS WAF uses web access control lists (web ACLs) made up of prioritized rules to block, allow, or count requests to protect AWS resources. It attaches to Amazon CloudFront distributions, Application Load Balancers, Amazon API Gateway, and other services to filter and control incoming requests.

70
Q

How can AWS WAF be used to allow/block specific requests?

A

With AWS WAF, you can configure a web ACL to allow all requests except those from specified IP addresses. If a request matches the blocked IP addresses, access is denied; otherwise, it is allowed.
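
To show what a web ACL actually does with a request stream, here is an added example written for this page (not AWS WAF's own code and not a substitute for its rule language): rules are evaluated in priority order, ALLOW and BLOCK end evaluation, COUNT only records a match and continues, and the default action applies when nothing matched. It goes one step beyond the IP-block case in the text by adding a rate-based rule of the kind used against the HTTP-level floods described earlier. The rate rule here is a simplified sliding window; real AWS WAF rate-based rules count over a fixed evaluation span. All addresses are documentation (TEST-NET) ranges and the request stream is constructed.

```python
import ipaddress
from collections import defaultdict, deque


class IpSetMatch:
    """Matches when the request's source address falls inside any CIDR of the IP set."""

    def __init__(self, cidrs):
        self.networks = [ipaddress.ip_network(c) for c in cidrs]

    def __call__(self, request):
        addr = ipaddress.ip_address(request["ip"])
        return any(addr in net for net in self.networks)


class RateBasedMatch:
    """Matches once a source IP has sent more than `limit` requests in the last `window` seconds.
    Simplified sliding window (assumption); AWS WAF evaluates over a fixed span."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # ip -> timestamps still inside the window

    def __call__(self, request):
        q = self.hits[request["ip"]]
        q.append(request["ts"])
        while q and q[0] <= request["ts"] - self.window:
            q.popleft()
        return len(q) > self.limit


class WebAcl:
    """Rules run in priority order (lowest number first). ALLOW/BLOCK terminate;
    COUNT records the match and continues; the default action applies if nothing matched."""

    def __init__(self, rules, default_action="ALLOW"):
        self.rules = sorted(rules, key=lambda r: r["priority"])
        self.default_action = default_action
        self.counted = defaultdict(int)

    def evaluate(self, request):
        for rule in self.rules:
            if rule["match"](request):
                if rule["action"] == "COUNT":
                    self.counted[rule["name"]] += 1
                    continue
                return rule["action"], rule["name"]
        return self.default_action, "Default_Action"


def sample_acl():
    """Constructed ACL: block two listed ranges, count a partner range, rate-limit everyone."""
    return WebAcl([
        {"priority": 0, "name": "BlockListedIps", "action": "BLOCK",
         "match": IpSetMatch(["203.0.113.0/24", "198.51.100.7/32"])},
        {"priority": 1, "name": "WatchPartnerRange", "action": "COUNT",
         "match": IpSetMatch(["192.0.2.0/28"])},
        {"priority": 2, "name": "RateLimitPerIp", "action": "BLOCK",
         "match": RateBasedMatch(limit=100, window=300)},
    ])


if __name__ == "__main__":
    acl = sample_acl()
    # Constructed request stream: one listed IP, one partner IP, and one bot hammering /search.
    stream = [{"ip": "203.0.113.9", "ts": 0, "path": "/"},
              {"ip": "192.0.2.5", "ts": 0, "path": "/"}]
    stream += [{"ip": "198.51.100.50", "ts": t, "path": f"/search?q={t}"} for t in range(120)]
    decisions = [acl.evaluate(r) for r in stream]
    for req, dec in list(zip(stream, decisions))[:2] + [(stream[-1], decisions[-1])]:
        print(req["ip"], req["path"], "->", dec)
    print("counted:", dict(acl.counted))
```

The design point is the COUNT action: a new rule is normally deployed in COUNT first so its matches show up in metrics and logs without blocking anyone, and only switched to BLOCK once the false-positive rate is known.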

71
Q

What is Amazon Inspector?

A

Amazon Inspector is a service that performs automated security assessments of applications. It identifies security vulnerabilities and deviations from best practices to improve application security and compliance.

72
Q

What does Amazon Inspector provide after performing an assessment?

A

After an assessment, Amazon Inspector provides a list of security findings prioritized by severity level. Each finding includes a detailed description of the security issue and recommendations for remediation.

73
Q

What is Amazon GuardDuty?

A

Amazon GuardDuty is a service that detects threats by monitoring network activity and account behavior within an AWS environment, providing intelligent threat detection for AWS infrastructure and resources.

74
Q

How does Amazon GuardDuty work?

A

Amazon GuardDuty continuously analyzes data from various AWS sources, such as VPC Flow Logs and DNS logs, to detect potential threats. When threats are detected, detailed findings and recommended remediation steps are provided for review and action.
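
The kind of signal GuardDuty pulls out of VPC Flow Logs can be illustrated with a small detector. The block below is an added example written for this page, not GuardDuty's logic and not its finding names: it parses records in the default version-2 flow log format and raises two findings, an external source probing many distinct ports on one host, and any flow to or from an address on a threat list. The log lines, the threat list, the account and ENI IDs, and the VPC CIDR are all constructed; the addresses are documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed VPC Flow Log records, default version-2 format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.15 43210 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.15 43211 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.15 43212 80 6 1 44 1700000001 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.15 43213 443 6 1 44 1700000001 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.15 43214 3389 6 1 44 1700000002 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.15 43215 8080 6 1 44 1700000002 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.77 10.0.1.15 52000 443 6 120 98000 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.15 203.0.113.66 51515 4444 6 30 2400 1700000020 1700000080 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000020 1700000080 - NODATA
"""

# Constructed threat list, a stand-in for the threat-intelligence feeds a real detector consumes.
THREAT_IPS = {"203.0.113.66"}

# Assumed address space of the sample VPC; anything outside it is treated as external.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_log(text):
    """Turn raw flow log text into dicts, skipping NODATA/SKIPDATA and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def detect(records, threat_ips, probe_threshold=5):
    """Return findings: a PortProbe when one external source touches at least
    `probe_threshold` distinct destination ports on one host, and a ThreatListMatch
    for any flow whose source or destination is on the list."""
    findings = []
    ports_by_pair = defaultdict(set)
    for r in records:
        if r["srcaddr"] in threat_ips or r["dstaddr"] in threat_ips:
            findings.append({"type": "ThreatListMatch", "src": r["srcaddr"], "dst": r["dstaddr"],
                             "dstport": r["dstport"], "action": r["action"]})
        if ipaddress.ip_address(r["srcaddr"]) not in VPC_CIDR:
            ports_by_pair[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= probe_threshold:
            findings.append({"type": "PortProbe", "src": src, "dst": dst, "ports": sorted(ports)})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_flow_log(SAMPLE_FLOW_LOG), THREAT_IPS):
        print(finding)
```

Note that the probe is visible even though the security group rejected most of the ports: REJECT records are exactly the evidence a flow-log-based detector needs, which is why flow logs should capture all traffic rather than only accepted traffic. The outbound flow to the listed address on port 4444 is the more urgent finding, since it suggests a host inside the VPC is already talking to something it should not.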

75
Q

What are the principles of least privilege?

A

The principle of least privilege is a security concept that states that a user or process should be given only the minimum level of access or permissions necessary to perform its intended function. The key principles are:

Minimal Access: Users and processes should have access rights only to the resources and actions required to perform their specific tasks. Unnecessary privileges should be removed or restricted.

Need-to-Know Basis: Users should have access to information based on their specific job responsibilities and requirements. They should only have access to the data necessary for their work and not be granted access to sensitive or unrelated information.

Role-Based Access Control (RBAC): Access rights are assigned based on predefined roles or job functions rather than individual permissions. This allows for easier management of permissions and ensures that users have access to resources based on their roles.

Just-In-Time (JIT) Privilege Access: Privileges are granted to users or processes for a limited period when they are needed and revoked when no longer required. This reduces the risk of prolonged or unnecessary access.

Separation of Duties: Critical tasks should be divided among multiple users or processes to prevent a single user from having complete control or access to sensitive systems or information. This helps minimize the potential for abuse or mistakes.

76
Q

Which statement best describes an IAM policy?

An authentication process that provides an extra layer of protection for your AWS account

A document that grants or denies permissions to AWS services and resources

An identity that you can assume to gain temporary access to permissions

The identity that is established when you first create an AWS account

A

The correct response option is: A document that grants or denies permissions to AWS services and resources.

IAM policies provide you with the flexibility to customize users’ levels of access to resources. For instance, you can allow users to access all the Amazon S3 buckets in your AWS account or only a specific bucket.

The other response options are incorrect because:

Multi-factor authentication (MFA) is an authentication process that provides an extra layer of protection for your AWS account.

An IAM role is an identity that you can assume to gain temporary access to permissions.

The root user identity is the identity that is established when you first create an AWS account.