cloud 2 Flashcards

(129 cards)

1
Q

What is the primary concern when considering moving to the cloud?

A

Security concerns.

2
Q

What does this section focus on regarding cloud environments?

A

Common threats and tools for mitigating risks.

3
Q

What are some common internal and external threats to cloud security?

A
  • Data breaches
  • DoS and DDoS attacks
  • Insecure interfaces
  • User error
  • Data loss
4
Q

Name three popular scanning tools used to improve cloud security.

A
  • Nmap
  • Nessus
  • Metasploit
5
Q

What is a credentialed scan in the context of network security?

A

A deeper scan performed using system credentials.

6
Q

What are agent-based scans?

A

Small applications that collect data from devices for analysis.

7
Q

What are network-based scans?

A

Tools that check devices on a network.

8
Q

What is shadow IT and why is it a concern for cloud security?

A

Shadow IT: Unapproved cloud apps used by employees. Concern: Leads to breaches and less IT control.

9
Q

What is an approved application list?

A

A list of trusted and secure applications for employees.

10
Q

What are the advantages of built-in security tools in cloud platforms?

A
  • Reduces compatibility issues
  • Increases visibility
  • Provides centralized monitoring
  • Scales efficiently
11
Q

What are allow and deny rules in cloud security?

A
  • Allow List: Only lets in traffic you approve.
  • Deny List: Blocks traffic you don’t want.
12
Q

What are the characteristics of NACL (Network Access Control List)?

A

NACL rules can allow or deny traffic, are numbered for priority, and are stateless.

13
Q

What is the function of security groups in AWS?

A

Act as a virtual firewall for instances in a subnet.

14
Q

What is the function of VPC flow logs in AWS?

A

Record traffic for monitoring and troubleshooting.

15
Q

What does traffic mirroring do?

A

Captures and analyzes network traffic.

16
Q

What is a perimeter network in Azure and why is it recommended?

A

A DMZ that manages Internet traffic to protect internal resources.

17
Q

What is a Network Virtual Appliance (NVA)?

A

A VM that controls traffic with added security.

18
Q

Name three security features that third-party NVAs can provide.

A
  • Firewalling
  • IDS/IPS
  • Antivirus
19
Q

What does a Network Security Group (NSG) do?

A

Provides firewall protection at the subnet level.

20
Q

What is an Application Security Group (ASG)?

A

Allows security policies based on application or workload type.

21
Q

Name two other Azure security tools.

A
  • Azure Firewall
  • MS Defender for Cloud
22
Q

What is the purpose of GCP’s virtual firewall?

A

IPv4 traffic to/from the VPC.

23
Q

What can the rules of GCP’s firewall target?

A
  • Specific protocols
  • Ports
  • Sources
  • Destinations
24
Q

What do VPC flow logs do?

A

Log TCP and UDP traffic at the subnet level.

25
Q

How does GCP's Packet Mirroring service enhance security?

A

It copies traffic for security checks.

26
Q

What is auto-scaling cloud security?

A

Cloud security that scales automatically, unlike on-premise security.

27
Q

What is a CASB and how does it help secure hybrid and multi-cloud environments?

A

A tool that monitors cloud apps and resources for security policies.

28
Q

What is device hardening and why is it important for cloud security?

A

Setting up and documenting secure configurations for protection.

29
Q

Name two security techniques for device hardening.

A
  • Disable unnecessary ports/services
  • Use antivirus/anti-malware software
30
Q

What are the three states of data?

A
  • At rest
  • In use
  • In motion
31
Q

What is DLP (Data Loss Prevention)?

A

Prevents unauthorized data access or loss.

32
Q

What is the basic function of encryption?

A

To scramble data using an algorithm that can be reversed with the correct key.

33
Q

Who can perform encryption?

A
  • The data owner
  • Cloud service provider
  • A third party
34
Q

What is one task involved in encryption?

A
  • Decide where to store encryption keys
  • Learn about the encryption capabilities of the CSP
  • Consider the costs involved with each option
35
Q

What does the CIA triad stand for?

A
  • Confidentiality
  • Integrity
  • Availability
36
Q

What is a cipher?

A

A mathematical algorithm for encryption/decryption.

37
Q

What is private key encryption?

A

Uses a single key known by both the sender and receiver.

38
Q

What is public key encryption?

A

Uses a private key for encryption and a public key for decryption.

39
Q

What is DNSSEC?

A

Uses public key cryptography to verify DNS records.

40
Q

What are the encryption protocols for securing DNS traffic?

A
  • DNS over TLS (DoT)
  • DNS over HTTPS (DoH)
41
Q

What is NTP?

A

Network Time Protocol used to synchronize time across networks.

42
Q

How can NTP be secured?

A

Using NTS (Network Time Security) with TLS for authentication.

43
Q

Name two common weak spots in security configurations.

A
  • Unencrypted data and communications
  • Weak or outdated security technologies
44
Q

What is logical access control?

A

Remote access control as opposed to physical access control.

45
Q

What types of identities exist in identity management?

A
  • User identities
  • Resource identities
46
Q

What are service accounts?

A

Accounts assigned to resources like servers, while human users have user accounts.

47
Q

What is an identity vault?

A

A storage system for credentials and identities.

48
Q

What does PAM stand for?

A

Privileged Access Management.

49
Q

What is the focus of PAM?

A

Stricter rules for users with elevated permissions.

50
Q

Name two security precautions taken for privileged accounts.

A
  • Limited use
  • Limited access
51
Q

What does AAA stand for in network security?

A

Authentication, Authorization, Accounting.

52
Q

What is the purpose of authentication?

A

To verify your identity.

53
Q

What does authorization determine?

A

What you can do after authentication.

54
Q

What is the role of accounting in AAA?

A

To track actions for review.

55
Q

What are common password policy requirements?

A
  • Complexity
  • Lockout
  • Length
  • Expiration
56
Q

What does MFA require?

A

Two or more factors from specified categories.

57
Q

Name one factor from the 'something you know' category.

A

Password or PIN.

58
Q

What is an example of 'something you have'?

A

An ATM card or smartphone.

59
Q

What does 'something you are' refer to in MFA?

A

Biometric traits like fingerprints or facial patterns.

60
Q

What is an example of 'somewhere you are'?

A

A specific location, such as a company building.

61
Q

What does 'something you do' refer to?

A

Behavioral traits, such as typing patterns.

62
Q

What is a digital signature?

A

A cryptographic method to authenticate a document using a private key.

63
Q

How does a digital signature differ from a digital certificate?

A

A signature ensures document integrity, while a certificate proves identity in a PKI.

64
Q

What is a user in AWS IAM?

A

An identity representing a person or application.

65
Q

What is the root user in AWS?

A

The initial identity created when setting up an AWS account.

66
Q

What is a group in AWS IAM?

A

A collection of users.

67
Q

What is a permission in AWS IAM?

A

Specific actions allowed for an identity.

68
Q

What is a policy in AWS IAM?

A

A collection of permissions assigned to an identity.

69
Q

What is a role in AWS IAM?

A

An identity for assigning policies to other resources.

70
Q

What is the principle of least privilege?

A

Limit access to the minimum needed to perform tasks.

71
Q

What is Azure AD?

A

Azure’s identity management system using a flat-file structure.

72
Q

Name 4 key terms in Azure IAM.

A
  • User
  • Group
  • Role
  • Permission
73
Q

What does RBAC stand for?

A

Role-Based Access Control.

74
Q

How are privileges assigned in RBAC?

A

Admins assign privileges based on roles described by the user's supervisor.

75
Q

What are other popular access control methods in Azure Identity and Access Management?

A
  • DAC (discretionary access control)
  • MAC (mandatory access control)
76
Q

What does DAS stand for?

A

Directly Attached Storage.

77
Q

What does NAS stand for?

A

Network Attached Storage.

78
Q

What does SAN stand for?

A

Storage Area Network.

79
Q

What is the main difference between DAS, NAS, and SAN?

A
  • DAS: Directly connected to one computer.
  • NAS: Sharing files over a network.
  • SAN: High-performance storage network for servers.
80
Q

What does RAID 0 do?

A

Splits data for speed, no redundancy.

81
Q

What is RAID 1 used for?

A

Mirrors data for redundancy.

82
Q

Which RAID levels combine speed and redundancy?

A
  • RAID 5
  • RAID 6
  • RAID 10
83
Q

What are the three types of cloud storage technologies?

A
  • Block storage
  • File storage
  • Object storage
84
Q

What is object storage best for?

A

Large-scale cloud data.

85
Q

Which storage type is used for databases?

A

Block storage.

86
Q

What is block zoning?

A

Allocates disk zones for specific data types, reducing latency.

87
Q

What is file system storage used for?

A

Organizing and storing files in folders.

88
Q

When should you use object storage?

A

For data that doesn’t change often, like backups.

89
Q

What are the three types of backups and how do they differ?

A
  • Full Backup: Backs up all data every time.
  • Incremental Backup: Backs up only data that has changed since the last backup of any kind.
  • Differential Backup: Backs up data that has changed since the last full backup.
90
Q

What are the key factors to consider when migrating data from on-premises to the cloud?

A
  • Migration plan: Decide which data to transfer first.
  • Data transfer costs: Moving data into the cloud is usually free, unless using special services like AWS Snowball.
  • Data transfer time: Moving large data may cause delays.
  • Data types: Different data types might need different cloud storage.
91
Q

What is the primary difference between thin provisioning and fat provisioning?

A
  • Thin Provisioning: Allocates storage only when needed, saving space but risking running out of it.
  • Fat Provisioning: Allocates all storage upfront, ensuring it's available but wasting unused space.
92
Q

What is storage replication?

A

Keeping copies of data in multiple locations.

93
Q

What is storage mirroring?

A

Real-time data duplication.

94
Q

What is cloud bursting?

A

Using cloud resources temporarily during spikes.

95
Q

How is hybrid cloud used for compliance?

A

Store sensitive data on-prem and less critical data in the cloud.

96
Q

How is hybrid cloud used for archives?

A

Storing rarely accessed data in the cloud.

97
Q

What is the purpose of monitoring cloud resources?

A

To track metrics like utilization, performance, and availability.

98
Q

What are KPIs in cloud monitoring?

A

Key Performance Indicators, used to track the performance of cloud resources.

99
Q

What common metrics should be tracked?

A
  • Utilization
  • Elasticity usage
  • Performance
  • Availability
  • Cost
100
Q

What is ConMon (Continuous Monitoring)?

A

Provides near-instant feedback on cloud resource performance.

101
Q

What are the two types of tags?

A
  • Explicit tags
  • Implicit tags
102
Q

What is a network TAP used for?

A

To capture traffic between devices for monitoring and analysis.

103
Q

What role does a packet broker play?

A

It sorts and processes traffic, and can decrypt or mask data for further analysis.

104
Q

What tools might analyze network traffic?

A
  • WAF (Web Application Firewall)
  • SIEM
  • IDS/IPS
105
Q

What is the role of a WAF (web application firewall) in application security?

A

To protect web applications by filtering and monitoring HTTP traffic.

106
Q

What does ITSM stand for?

A

IT Service Management.

107
Q

Name three core practices of ITSM (IT service management) tools.

A
  • Incident management
  • Change management
  • Service request management
108
Q

What is the 'five-second rule' for dashboards?

A

Information should be identifiable in five seconds.

109
Q

What does 'less is more' mean for dashboards?

A

Keep the number of visualizations under 10.

110
Q

What is the 'first things first' rule for dashboards?

A

Display critical information first.

111
Q

What does Syslog do?

A

Collects and processes logs about events on networked systems.

112
Q

What are the three primary components of Syslog?

A
  • Event message format
  • Transmission
  • Handling
113
Q

What is SNMP used for?

A

Real-time monitoring of network devices.

114
Q

What are the components of a Network Management System (NMS)?

A
  • NMS Server - Central server for data collection.
  • Managed Device - Network nodes being monitored.
  • Network Management Agent - Software that collects data from devices.
  • Management Information Base (MIB) - Database of managed objects.
  • Network Monitoring Tools - Tools for visualization and alerts.
115
Q

What are three benefits of automation in the cloud?

A
  • Faster deployment and adjustments
  • Better control and lower costs
  • Improved security
116
Q

Name two maintenance and security tasks that can be automated.

A
  • Create snapshots and backups
  • Apply patches and updates
117
Q

What is a runbook?

A

A document outlining procedures to complete IT tasks, often followed by humans.

118
Q

What does IaC (Infrastructure as Code) do?

A

Automates cloud setups by writing tasks in code.

119
Q

What are playbooks in the context of IaC?

A

A collection of tasks arranged in order.

120
Q

What is the difference between the push model and pull model?

A
  • Push model: The server pushes updates to resources.
  • Pull model: Resources pull updates from the server.
121
Q

What is the difference between imperative and declarative approaches?

A
  • Imperative: Tells exactly what to do, step by step.
  • Declarative: Describes what you want, not how to do it.
122
Q

Explain the terms 'immutable' and 'idempotent' in the context of cloud environments.

A
  • Idempotent: Can apply changes without affecting existing resources.
  • Immutable: No changes after deployment.
123
Q

What is the difference between AI and ML?

A
  • AI: Adapts based on inputs.
  • ML: Learns from data.
124
Q

What is supervised learning?

A

Uses labeled data for training.

125
Q

What is unsupervised learning?

A

Uses unlabeled data for training.

126
Q

What is reinforcement learning?

A

Learns by interacting with the environment.

127
Q

How does maintenance responsibility vary in cloud service models?

A

It varies by IaaS, PaaS, and SaaS models.

128
Q

List the standard operating procedures for patch management across cloud platforms.

A
  • Installing agents
  • Testing
  • Choosing update targets
  • Considering backups
  • Scanning
129
Q

What does AWS CloudEndure offer for disaster recovery?

A
  • RPO: < 1 second (minimal data loss)
  • RTO: Minutes (quick recovery)