AWS Security Flashcards

Question

What is the purpose of IAM groups?

Answer 1

IAM groups are collections of IAM users. When an IAM policy is assigned to a group, all users in the group are granted the permissions specified by the policy.

Answer 2

Assigning IAM policies at the group level makes it easier to adjust permissions when an employee changes roles. Users can be added or removed from groups to grant or revoke permissions.

Answer 3

IAM roles are identities that can be assumed to gain temporary access to permissions. They are ideal for situations where temporary access is needed.

Answer 4

Multi-factor authentication (MFA) provides an additional layer of security for AWS accounts. It requires users to provide multiple forms of verification to access the account.

Answer 5

Users enter their IAM user ID and password, and then provide an authentication response from their MFA device, such as a hardware key or smartphone application.

Answer 6

It is recommended to enable MFA for both the root user and IAM users in order to enhance the security of the AWS account and protect against unauthorized access.

Answer 7

By default, a new IAM user has no permissions associated with it. This means that the user cannot perform any actions in AWS, such as launching an Amazon EC2 instance or creating an Amazon S3 bucket.

Answer 8

Sign in to the AWS Management Console Change their password Access their user information

Answer 9

AWS Organizations is a service that helps you consolidate and manage multiple AWS accounts within a central location.

Answer 10

A root is the parent container for all the accounts in your organization.

Answer 11

SCPs are a type of policy that you can use to centrally control permissions for the accounts in your organization.

Answer 12

AWS Organizations allows the consolidation and management of multiple AWS accounts within a central location.

Answer 13

Permissions for accounts in AWS Organizations can be centrally controlled using service control policies (SCPs). SCPs restrict access to AWS services, resources, and API actions for users and roles in each account.

Answer 14

Consolidated billing is a feature of AWS Organizations that enables the billing of multiple accounts under a single payment method. It simplifies billing and provides a comprehensive view of costs across the organization.

Answer 15

Organizational units (OUs) are groups used to organize accounts within AWS Organizations. They facilitate the management of accounts with similar business or security requirements.

Answer 16

When a policy is applied to an OU, all accounts within that OU inherit the permissions specified in the policy. This simplifies the administration of permissions for multiple accounts.

Answer 17

By organizing separate accounts into OUs, workloads or applications with specific security requirements can be isolated. Policies can be attached to OUs to restrict access to AWS services that do not meet the required security standards.

Answer 18

In a company scenario, AWS Organizations can be used to consolidate separate AWS accounts for different departments, such as finance, IT, HR, and legal, into a single organization. OUs can be created to group accounts based on their departmental requirements.

Answer 19

The finance and IT departments' accounts can be brought into the organization for benefits like consolidated billing, but they may not be placed in any OUs.

Answer 20

The HR and legal departments' accounts can be placed into an OU together to facilitate the attachment of policies that apply to both departments' AWS accounts.

Answer 21

Yes, even when accounts are grouped into OUs within AWS Organizations, access for users, groups, and roles can still be managed through IAM.

Answer 22

Grouping accounts into OUs allows for easier management of access to services and resources based on the specific needs of each account. It also prevents unauthorized access to services and resources that are not required by an account.

Answer 23

You cannot create accounts in an organization that are not in the same AWS Region as the root account. You cannot move accounts between organizations. You cannot delete the root account

Answer 24

Consolidated billing in AWS Organizations allows for the aggregation of charges from multiple AWS accounts into a single payment method, simplifying billing and cost management for the organization.

Answer 25

AWS Organizations provides centralized control over permissions, allowing organizations to enforce security policies consistently across multiple accounts and implement granular access controls.

Answer 26

The correct two response options are: An individual member account An organizational unit (OU) In AWS Organizations, you can apply service control policies (SCPs) to the organization root, an individual member account, or an OU. An SCP affects all IAM users, groups, and roles within an account, including the AWS account root user. You can apply IAM policies to IAM users, groups, or roles. You cannot apply an IAM policy to the AWS account root user.

Answer 27

No, SCPs are used to restrict permissions rather than grant additional permissions. They help enforce security and compliance requirements by limiting access to AWS services and resources.

Answer 28

When an account is removed from an OU, it no longer inherits the policies attached to that OU. The account's permissions will be determined solely by the policies applied directly to the account.

Answer 29

Yes, SCPs can be applied to the root of an organization in AWS Organizations to set top-level restrictions that apply to all accounts within the organization.

Answer 30

AWS Artifact is a service that provides on-demand access to AWS security and compliance reports and select online agreements.

Answer 31

AWS Artifact Agreements are agreements that you can sign with AWS to govern your use of certain types of information in AWS services.

Answer 32

AWS Artifact Reports are compliance reports from third-party auditors that verify that AWS is compliant with a variety of global, regional, and industry-specific security standards and regulations.

Answer 33

On-demand access to compliance reports Ability to manage agreements for individual accounts and AWS Organizations Up-to-date compliance reports

Answer 34

Reviewing the AWS Artifact Compliance Report Catalog Consulting with your legal or compliance team

Answer 35

Providing the reports to your auditors or regulators Linking to the reports in your compliance documentation

Answer 36

AWS Artifact Agreements allow companies to review, accept, and manage agreements with AWS related to the use of specific types of information within AWS services.

Answer 37

AWS Artifact Reports remain up to date with the latest reports released, ensuring that customers have access to the most current compliance information.

Answer 38

The correct two response options are: Access AWS compliance reports on-demand. Review, accept, and manage agreements with AWS. The other response options are incorrect because: Consolidate and manage multiple AWS accounts within a central location- This task can be completed in AWS Organizations. Create users to enable people and applications to interact with AWS services and resources- This task can be completed in AWS Identity and Access Management (IAM). Set permissions for accounts by configuring service control policies (SCPs)- This task can be completed in AWS Organizations.

Answer 39

A denial-of-service attack is a deliberate attempt to make a website or application unavailable to users by overwhelming it with excessive network traffic.

Answer 40

In a DDoS attack, multiple sources, including a group of attackers or a single attacker using multiple infected computers (bots), are used to overwhelm a website or application and make it inaccessible.

Answer 41

A successful DoS attack prevents legitimate users from accessing the targeted website or application, as it becomes overloaded and unable to respond to their requests.

Answer 42

While a DoS attack typically originates from a single source, a DDoS attack involves multiple sources simultaneously attacking the target, making it harder to block or mitigate.

Answer 43

AWS Shield is a service provided by Amazon Web Services (AWS) that offers protection against DDoS attacks.

Answer 44

AWS Shield provides two levels of protection: Standard and Advanced.

Answer 45

AWS Shield Standard automatically protects all AWS customers at no additional cost, defending against common and frequently occurring types of DDoS attacks.

Answer 46

AWS Shield Standard employs various analysis techniques to detect malicious traffic in real time and automatically mitigates the attack as network traffic reaches the applications.

Answer 47

AWS Shield Advanced is a paid service that offers more comprehensive protection against sophisticated DDoS attacks and includes detailed attack diagnostics.

Answer 48

AWS Shield can integrate with services such as Amazon CloudFront, Amazon Route 53, Elastic Load Balancing, and AWS WAF (Web Application Firewall) to enhance DDoS protection and mitigation capabilities.

Answer 49

By integrating AWS Shield with AWS WAF, custom rules can be written to mitigate complex DDoS attacks, further enhancing the protection provided by both services.

Answer 50

Protection from the most common, frequently occurring types of DDoS attack Detailed attack diagnostics The ability to detect and mitigate sophisticated DDoS attacks Integration with other AWS services

Answer 51

Volumetric attacks: These attacks involve flooding a website or application with excessive network traffic. Protocol attacks: These attacks involve sending invalid or malicious network traffic to a website or application. Application-layer attacks: These attacks involve exploiting vulnerabilities in a website or application's code.

Answer 52

HTTP level attacks, such as complicated product searches initiated by a large number of bot machines, aim to consume resources and attention, making it difficult for legitimate users to access the services.

Answer 53

Using a DDoS mitigation service like AWS Shield Implementing security best practices, such as using strong passwords and firewalls Keeping your website or application software up to date

Answer 54

AWS provides solutions for DDoS protection, including AWS Shield and AWS WAF (Web Application Firewall).

Answer 55

A UDP flood attack involves sending a small request with a fake return address to a service, such as the National Weather Service, that responds with a massive amount of data. The target server becomes overwhelmed trying to process the unwanted information.

Answer 56

A Slow Loris attack simulates a slow connection by sending requests in a way that prevents the server from completing the processing of each request. This can tie up server resources and slow down the overall performance.

Answer 57

Security groups, operating at the AWS network level, allow only proper request traffic to reach the server, mitigating low-level network attacks like UDP floods. Security groups operate at the AWS network level, not at the EC2 instance level like an operating system firewall might. So massive attacks like UDP floods or reflection attacks just get shrugged off by the scale of the entire AWS regions capacity. Not your individual EC2s capacity.

Answer 58

AWS Shield with AWS WAF is a specialized defense tool that combines web application firewall capabilities with machine learning to filter incoming traffic and proactively defend against evolving DDoS attack vectors.

Answer 59

The ELB ensures that the entire HTTP message is complete before forwarding it to the web server, preventing Slow Loris attacks from tying up server resources.

Answer 60

The scale and distributed nature of AWS infrastructure make it difficult and expensive for attackers to overwhelm the entire AWS region, providing a strong defense against DDoS attacks.

Answer 61

A cryptographic key is a random string of digits used for encrypting and decrypting data. AWS KMS enables the generation and control of cryptographic keys.

Answer 62

AWS Key Management Service (AWS KMS) is a service that allows you to create, manage, and use cryptographic keys for encryption operations to secure data at rest and in transit.

Answer 63

AWS KMS allows you to specify the levels of access control for your keys. You can define which IAM users and roles can manage keys and disable keys temporarily when not in use.

Answer 64

AWS WAF (Web Application Firewall) is a service that helps protect web applications by monitoring and controlling network requests that come into the applications.

Answer 65

AWS WAF uses web access control lists (ACLs) to block or allow traffic to protect AWS resources. It works with Amazon CloudFront and Application Load Balancer to filter and control network requests.

Answer 66

With AWS WAF, you can configure a web ACL to allow all requests except those from specified IP addresses. If a request matches the blocked IP addresses, access is denied; otherwise, it is allowed.

Answer 67

Amazon Inspector is a service that performs automated security assessments of applications. It identifies security vulnerabilities and deviations from best practices to improve application security and compliance.

Answer 68

After an assessment, Amazon Inspector provides a list of security findings prioritized by severity level. Each finding includes a detailed description of the security issue and recommendations for remediation.

Answer 69

Amazon GuardDuty is a service that detects threats by monitoring network activity and account behavior within an AWS environment, providing intelligent threat detection for AWS infrastructure and resources.

Answer 70

Amazon GuardDuty continuously analyzes data from various AWS sources, such as VPC Flow Logs and DNS logs, to detect potential threats. When threats are detected, detailed findings and recommended remediation steps are provided for review and action.

Answer 71

The principle of least privilege is a security concept that states that a user or process should be given only the minimum level of access or permissions necessary to perform its intended function. Here are the key principles of least privilege Minimal Access: Users and processes should have access rights only to the resources and actions required to perform their specific tasks. Unnecessary privileges should be removed or restricted. Need-to-Know Basis: Users should have access to information based on their specific job responsibilities and requirements. They should only have access to the data necessary for their work and not be granted access to sensitive or unrelated information. Role-Based Access Control (RBAC): Access rights are assigned based on predefined roles or job functions rather than individual permissions. This allows for easier management of permissions and ensures that users have access to resources based on their roles. Just-In-Time (JIT) Privilege Access: Privileges are granted to users or processes for a limited period when they are needed and revoked when no longer required. This reduces the risk of prolonged or unnecessary access. Separation of Duties: Critical tasks should be divided among multiple users or processes to prevent a single user from having complete control or access to sensitive systems or information. This helps minimize the potential for abuse or mistakes.

Answer 72

The correct response option is: A document that grants or denies permissions to AWS services and resources. IAM policies provide you with the flexibility to customize users’ levels of access to resources. For instance, you can allow users to access all the Amazon S3 buckets in your AWS account or only a specific bucket. The other response options are incorrect because: Multi-factor authentication (MFA) is an authentication process that provides an extra layer of protection for your AWS account. An IAM role is an identity that you can assume to gain temporary access to permissions. The root user identity is the identity that is established when you first create an AWS account.