Domain 2 Flashcards
Security and Compliance (37 cards)
You are hosting a MySQL database on Amazon RDS. Are you responsible for patching the database engine on an Amazon RDS database instance or is AWS responsible for this security patching?
AWS is responsible for patching on Amazon RDS.
You have a database running on Amazon EC2. Who is responsible for patching the Amazon EC2 instance?
You are responsible for the patching of your Amazon EC2 instance.
Where can you find information about compliance on AWS?
AWS compliance programs such as AWS Artifact, the Security Center, and the AWS Knowledge Center.
What AWS service helps to identify an IAM user who deleted an Amazon EC2 instance in your production environment?
AWS CloudTrail is a service for governance, compliance, operational auditing, and risk auditing of your AWS account that continuously monitors and retains account activity related to actions across your AWS infrastructure.
What are some actions you can perform as the account root user of your AWS account?
As the account root user, you can change your account settings, restore IAM user permissions, activate access to the AWS Billing and Cost Management console, register as a seller, configure an S3 bucket to enable multi-factor authentication, close your AWS account, and more.
What identity in AWS has associated usernames and passwords?
IAM users.
What AWS service would you choose if you need to create rules to filter web traffic based on conditions such as IP addresses, HTTP headers, or custom URLs?
AWS WAF helps to control traffic with rules that you define that block common attack patterns such as SQL injections or cross-site scripting.
Can you conduct security assessments and penetration testing without prior approval against your AWS resources?
Yes, but only for certain services.
Which of the following is the customer responsible for updating and patching, according to the AWS shared responsibility model?
a. Amazon FSx for Windows File Server
b. Amazon WorkSpaces virtual Windows desktop
c. AWS Directory Service for Microsoft Active Directory
d. Amazon RDS for Microsoft SQL Server
b. Amazon WorkSpaces virtual Windows desktop
WorkSpaces provides a managed Desktop as a Service offering. WorkSpaces gives users the ability to interact with a virtual desktop. It is the responsibility of the customer to update and patch the operating system and any software installed by the customer in WorkSpaces. You can schedule maintenance windows or apply the updates manually yourself.
What is Amazon FSx for Windows File Server?
FSx for Windows File Server is a fully managed service that provides shared storage built on a Windows Server. AWS is responsible for updates and patches of the server.
What is AWS Directory Service for Microsoft Active Directory?
AWS Managed Microsoft AD is a managed service that gives you the ability to connect to your existing Active Directory or to migrate workloads. AWS is responsible for updates and patches for AWS Managed Microsoft AD.
Which service provides risk auditing by continuously monitoring and logging API requests to resources in an account, which includes user actions in the AWS Management Console and AWS SDKs?
AWS CloudTrail
CloudTrail helps to provide governance, compliance, and operational risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface (AWS CLI), and AWS SDKs and APIs.
What is AWS Config?
AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This view includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time. However, AWS Config does not log API calls to resources.
What is AWS Health?
AWS Health provides ongoing visibility into your resource performance and the availability of your AWS services and accounts. You can use AWS Health events to learn how service and resource changes might affect your applications that run on AWS. AWS Health provides relevant and timely information to help you manage events in progress. However, AWS Health does not log API calls to resources.
A cloud practitioner wants to explicitly deny network traffic to a subnet inside of an Amazon VPC.
Which solution will meet this requirement?
a. Network ACLs
b. Security Groups
c. Transit Gateway
d. Route Table
a. Network ACLs
Network ACLs are firewalls that you can use to deny traffic on the VPC subnet level.
A network access control list (ACL) allows or denies specific inbound or outbound traffic at the subnet level. You can use the default network ACL for your VPC, or you can create a custom network ACL for your VPC with rules that are similar to the rules for your security groups in order to add an additional layer of security to your VPC.
There is no additional charge for using network ACLs.
What are security groups?
Security groups are firewalls that you can use on the resource level inside of a VPC subnet. You can use security groups to control inbound and outbound traffic to a resource.
A security group controls the traffic that is allowed to reach and leave the resources that it is associated with. For example, after you associate a security group with an EC2 instance, it controls the inbound and outbound traffic for the instance.
What is a transit gateway?
You can use a transit gateway to interconnect your VPC and on-premises networks through a central hub. You cannot use transit gateways to deny traffic on the subnet level.
A transit gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks. As your cloud infrastructure expands globally, inter-Region peering connects transit gateways together using the AWS Global Infrastructure. All network traffic between AWS data centers is automatically encrypted at the physical layer.
What is a route table?
You can use a route table to direct traffic from your subnet and gateway. Route tables cannot explicitly block network traffic inside of a VPC.
A route table contains a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed.
A cloud practitioner must define the AWS shared responsibility model.
What is the customer’s responsibility? (Select TWO.)
a. Configure IAM users for least-privilege access
b. Install patches to the database of Amazon RDS DB instances
c. Determine which services have access to an Amazon DynamoDB table
d. Patch the physical AWS network equipment
e. Patch the operating system used by AWS Lambda functions
a. Configure IAM users for least-privilege access & c. Determine which services have access to an Amazon DynamoDB table
AWS provides the functionality of AWS Identity and Access Management (IAM). However, the customer determines who receives specific access rights. The customer defines IAM users and assigns policies to those users.
The customer is responsible for controlling access between services. Access between services represents security in the cloud.
Which service or feature will enhance the security of access to the AWS Management Console? (Select TWO.)
a. AWS Secrets Manager
b. AWS Certificate Manager (ACM)
c. Multi-factor authentication (MFA)
d. Security groups
e. Complex password requirements
c. Multi-factor authentication (MFA) & e. Complex password requirements
MFA is a simple best practice that adds an extra layer of protection on top of your username and password. When you configure MFA, a user who signs in to the AWS Management Console will be prompted for their username and password. This is the first factor: something they know. The user will then be prompted for an authentication code from their MFA device. This is the second factor: something they have. MFA provides increased security for your AWS account settings and resources.
Complex password requirements help protect against improper access to the AWS Management Console by making passwords more difficult to guess.
Which service should someone use to turn on single sign-on (SSO) to the AWS Management Console?
AWS IAM Identity Center
IAM Identity Center provides you with the ability to manage sign-in security for your workforce users. IAM Identity Center can be used for SSO integration to access the AWS Management Console.
What is AWS Directory Service?
Directory Service is a managed directory service that provides a way to organize information related to your company. Directory Service does not provide the ability for SSO integration to access the AWS Management Console.
A company has a new requirement to log actions taken in a production account.
Which AWS service should meet that requirement?
AWS CloudTrail
Actions performed in AWS are recorded as events in CloudTrail. You can use CloudTrail to log actions taken in a production account, such as actions taken in the AWS Management Console, AWS CLI, and AWS SDKs.
What is Amazon CloudWatch?
CloudWatch is used to monitor resources and applications that you run on AWS in near real time. CloudWatch can collect and track metrics to measure specific resource concerns, but it does not log actions taken in an account.