Cloud Security

Question 1

What are the three aspects of information security?

Answer 1

Confidentiality, Integrity and Availability

Question 2

What does AWS Security Token Service (STS) do?

Answer 2

Issue temporary credentials

Question 3

What is an IAM role?

Answer 3

It is an AWS identity that defines and provides temporary security credentials to access resources and make API requests

Question 4

What is the compliance standard for information security?

Answer 4

ISO/IEC 27001 Framework

Question 5

What is SIEM

Answer 5

Security Information and Event Management - Big data threat intelligence with automated response

Question 6

What is an IDS?

Answer 6

Intrusion Detection Systems

Question 7

What is the difference between resource and identity based policies?

Answer 7

Identity based is attached to an identity, indicating what they can do
Resource based is attached to a resource allowing specific users or groups to perform certain API requests

Question 8

What is the different between inline and managed policies?

Answer 8

Inline policies are embedded in a principal identity (group, user or role)
Managed policies are standalone identity based policies

Question 9

What are the security design principles?

There are 7

Answer 9

• Apply principle of least privilege
• Enable traceability
• Secure all layers
• Automate security (infrastructure as code)
• Protect data in transit and at rest
• Prepare for security events
• Minimise the attack surface

Question 10

What is TLS?

Answer 10

Transport Layer Security

Question 11

What are MSOs and MSPs and what do they do?

Answer 11

Managed Services Organisation or Managed Service Providers (external) create guardrails for security, data protection and disaster recovery in the company

Question 12

What is the benefit of elasticity in the cloud?

Answer 12

Creates systems that can scale on demand

Question 13

What can a company use to ensure high availability during an attack?

Answer 13

Automatic scaling

Question 14

What security principle addresses monitoring, auditing, alerting actions and changes to the environment

Answer 14

Enable traceability

Question 15

What is a best practice for automation that can assist with providing a repeatable secure infrastructure?

Answer 15

Implement infrastructure as code

Question 16

What are the two things IAM provides?

Answer 16

Authentication - Who
Authorisation - What

Question 17

What are the two primary types of credentials used for authentication

Answer 17

Username and password
AWS Access Key

Question 18

What is the IAM Authentication best policy for long-term access?

Answer 18

To attach IAM Policies to groups and assign users to groups

Question 19

What does the AWS Organisation Service Control Policy (SCP) do?

Answer 19

Defines the maximum permissions for the account members of an OU

Question 20

How does AWS determine permissions with policies?

Answer 20

An explicit deny overrides any allow statement

Question 21

Which AWS Services provide identity federation to AWS Accounts and applications?

Answer 21

SSO and IAM (for multiple directories)

Question 22

What does AWS Directory Service do?

Answer 22

Allows you to use existing on-premises user credentials to access cloud resources

Question 23

What does Amazon Cognito do?

Answer 23

Enable user sign up, sign in and access control with web and mobile applications

Question 24

What can Amazon VPC do?

Answer 24

Provision a logically isolated section of the AWS Cloud to launch resources
- Select IP address range
- Create subnets
- Configure route tables and network gateways

Question 25

What is an internet gateway?

Answer 25

Provides a target in VPC route tables for internet-routable addresses Performs NAT for instances with public IPv4 addresses

Question 26

What does a NAT Gateway do?

Answer 26

Supports instances in a private subnet to connect to the internet Prevents the internet from initiating connection

Question 27

What does a NAT gateway require you to specify?

Answer 27

Public subnet to reside Elastic IP address to associate with the gateway

Question 28

What does the interface require when external traffic needs to reach an interface

Answer 28

A public IP Address on the interface and a route on the subnet's route table

Question 29

What is the largest and smallest CIDR block?

Answer 29

/16 is the largest, /28 the smallest

Question 30

How many IP Addresses does AWS reserve in CIDR blocks?

Answer 30

5 addresses 0 - network address 1 - internal communication 2 - DNS resolution 3 - future use 255 - broadcast

Question 31

What two things can you do with an elastic network interface?

Answer 31

Attach it to an instance, detach it and attach to a different one to reroute network traffic

Question 32

What is a security group?

Answer 32

A security group acts as a virtual firewall for an EC2 instance and controls traffic

Question 33

What do stateful security groups do?

Answer 33

Deny all inbound traffic and allow all outbound traffic

Question 34

What is a NACL?

Answer 34

Network Access Control Lists act as virtual firewalls on the VPC level to control traffic in and out of subnets.

Question 35

Are network ACLs stateful or stateless?

Answer 35

Stateless. They can either deny or allow inbound and outbound traffic

Question 36

What are the features of the default network ACL?

Answer 36

All inbound and outbound traffic is allowed

Question 37

What are the features of a default custom network ACL?

Answer 37

All inbound and outbound traffic is denied.

Question 38

Differentiate between security groups and network ACLs

Answer 38

Security groups are interface level, but network ACLs are subnet level Security groups support allow rules only, but network ACLs support both allow and deny rules. Security groups are stateful, but network ACLs are stateless. For security groups, all rules are evaluated before the decision is made to allow traffic. For network ACLs, rules are evaluated in number order before the decision is made to allow traffic

Question 39

What does ELB do? What are its three types?

Answer 39

Distributes incoming traffic and supports high availability with health checks Provides - Classic Load Balancer - Network Load Balancer - Application Load Balancer

Question 40

What three features serve as data protection in ELB?

Answer 40

Single Point of Contact Encryption at rest Encryption in transit

Question 41

What are the best practices to protect your network? (4)

Answer 41

Control traffic at all layers Inspect and filter at application level Automate network protection Limit exposure

Question 42

What does Amazon Inspector do?

Answer 42

Run automated security assessments on EC2 instances and applications to find vulnerabilities

Question 43

What does AWS Systems manager do?

Answer 43

Lets you view operational data from multiple AWS services

Question 44

What are the three tiers of a web application?

Answer 44

Presentation, Application and data

Question 45

What does S3 Block public Access do?

Answer 45

Helps manage access to S3 resources

Question 46

What are the Amazon S3 Protection features?

Answer 46

- Block public access - Versioning - Object Lock

Question 47

What does Object lock do?

Answer 47

Stores objects using write-once read-many

Question 48

What are the two object lock retention modes?

Answer 48

Governance - users need special permissions to alter settings Compliance - cannot be altered by any user

Question 49

What are the two types of protection through encryption?

Answer 49

Client side encryption and server side encryption

Question 50

What are the types of server side encryption?

Answer 50

SSE-C, SSE-S3 and SSE-KMS

Question 51

How do you protect data in transit?

Answer 51

Use SSL (Secure Socket Layer) endpoints over TLS (Transport layer security) Use encryption Use VPC

Question 52

What is AWS ACM?

Answer 52

Amazon Certificate Manager provides an interface to manage both public and private certificates

Question 53

What is AWS CA?

Answer 53

Certificate Authority can manage private CAs to issue certificates

Question 54

What are the data protection best practices?

Answer 54

Presigned url for temporary access Use S3 protection features Enabla MFA for deletion

Question 55

What is AWS Secrets Manager?

Answer 55

Manages access to secrets

Question 56

What is Amazon Macie?

Answer 56

Machine learning service that can discover, classify and protect sensitive data in AWS

Question 57

What is logging?

Answer 57

The collection and recording of activity and data

Question 58

What are the 4 things logging is useful for?

Answer 58

1. Troubleshooting 2. Auditing 3. Recordkeeping 4. Incident Response and remediation

Question 59

What is monitoring

Answer 59

The continuous verification of the security and performance of applications and data

Question 60

What does CloudTrail do?

Answer 60

Records actions taken by user, role or AWS Account

Question 61

What are the AWS services with built in logs?

Answer 61

S3 - server access logs VPC - Flow logs (inbound and outbound IP traffic) ELB - access logs

Question 62

What is Amazon CloudWatch?

Answer 62

Monitors resource and application performance

Question 63

# D C A What are the best practices for logging and monitoring?

Answer 63

Define organisational requirements Configure service and application logging Analyse your logs centrally

Question 64

What does Trusted Advisor do?

Answer 64

Provides recommendations based on cost optimization, security, fault tolerance, service limits and performance imporvements

Question 65

What is amazon EventBridge?

Answer 65

A serverless event bus service

Question 66

What is AWS Security hub?

Answer 66

Automated cloud security monitor that aggregates security alerts from various services

Question 67

What does amazon Config do?

Answer 67

Assess, audit and evaluate resource configurations

Question 68

What is incident recognition and response?

Answer 68

A set of information security policies and procedures that can be used to identify, contain and eliminate cyber attacks

Question 69

What are the two phases of incident response?

Answer 69

Discovery and recognition - identify, log and categorise Resolution and recover - isolate, stage and deploy fix

Question 70

What does Amazon GuardDuty do?

Answer 70

Continuous security monitoring service to identify unauthorised and malicious activity

Question 71

What does Amazon Shield do?

Answer 71

Automatically protects network from a DDoS attack

Question 72

Name the AWS Services that support the discovery and recognition phase?

Answer 72

CloudWatch (monitoring solution) Trusted Advisor Config Inspector Shield GuardDuty

Question 73

What does CloudFormation do?

Answer 73

Model and setup AWS resources with templates

Question 74

What is SNS?

Answer 74

Simple Notification Service - apps, end users and devices can send and receive notifications from the cloud

Question 75

What is AWS Step functions?

Answer 75

Visual workflow service that developers use to build event-driven applications

Question 76

What is AWS Lambda

Answer 76

Serverless event driven compute service that can run code on demand