Domain 2: Security and Compliance

Question 1

What is associated with the access keys that are used
in managing your cloud resources
via the AWS Command Line Interface (AWS CLI) ? ***

Answer 1

IAM User

Question 2

Associated with an identity or resource,

defines their permissions

Answer 2

IAM Policy

Question 3

How can you apply
and manage
common access permissions for a large number of IAM users
in AWS?

Answer 3

Attach the necessary policies
or permissions
required to a new IAM Group

then afterwards, add the IAM Users to the IAM group

Question 4

A collection of IAM users.

It lets you specify permissions for multiple users,
which can make it easier
to manage the permissions for those users

Answer 4

IAM Group

Question 5

An automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

Automatically assesses applications for exposure, vulnerabilities, and deviations from best practices

Answer 5

AWS Inspector

Question 6

What are the things that you can implement
to improve the security of your
Identity and Access Management (IAM) users?

Answer 6

Configure a strong password policy for your users and Enable Multi-Factor Authentication (MFA)

Question 7

In the VPC dashboard of your AWS Management Console, which of the following services or feature below can you manage?

Answer 7

Network ACLs and Security Groups

Question 8

These services have their own respective dashboards

Answer 8

Amazon CloudFront,
AWS Lambda,
and Amazon Route 53

Question 9

Lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define

Answer 9

Amazon Virtual Private Cloud (Amazon VPC)

Question 10

Shared control between AWS and the customer

Answer 10

1. Patch Management
2. Configuration Management
3. Awareness and Training

Question 11

Inherited controls

which a customer fully inherits from AWS

Answer 11

Physical and Environmental controls

Question 12

Customer specific controls

which are solely the responsibility of the customer based on the application they are deploying within AWS services

Answer 12

Service and Communications Protection or Zone Security which may require a customer to route or zone data within specific security environments

Question 13

Customer Responsibility for security ‘in’ the cloud

Answer 13

1. Customer Data
2. Platform, applications, identity & access management
3. OS, Network & Firewall Configuration
4. Client-side data encryption & data integrity authentication
5. Server-side encryption
6. Networking traffic protection

Question 14

AWS Responsibility for security ‘of’ the Cloud

Answer 14

1. Software (compute, storage, database, networking)

2. Hardware/AWS Global Infrastructure (regions, availability zones, edge locations)

Question 15

There is an incident with your team where an S3 object was deleted using an account without the owner’s knowledge.

What can be done to prevent unauthorized deletion of your S3 objects?

Answer 15

Configure MFA delete on the S3 bucket

Question 16

You are permitted to conduct security assessments and penetration testing without prior approval against which AWS resources?

Answer 16

Amazon RDS and Amazon Aurora

Question 17

Allowed Services to conduct security assessments

Answer 17

• Amazon EC2 instances, Nat Gateways, and ELB’s
• Amazon RDS, CloudFront, Aurora,
  API Gateways, Lightsail resources
• AWS Lambda and Lambda Edge functions
• Amazon Elastic Beanstalk environments

Question 18

Prohibited Activities to conduct security assessments

Answer 18

• DNS zone walking via Amazon Route 53 Hosted Zones
• DoS, DDoS, simulated Dos, Simulated DDoS
• Port flooding
• Procotol flooding
• Request flooding (login request flooding, API request flooding)

Question 19

Network Access Control List (ACL)

Answer 19

An optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets

Question 20

Security Group

Answer 20

Used to secure your EC2 instances and RDS databases in a similar way with how network ACLs work.

However, they are not used for subnet security

Question 21

AWS IAM

Answer 21

It is a service used for account and user management

Question 22

AWS Config

Answer 22

It is a tool that checks for resource compliance in your account

Question 23

Amazon Cognito Identity Pool

Answer 23

Should use if you need to provide temporary AWS credentials for users who have been authenticated via their social media logins as well as for guest users who do not require any authentication

Question 24

Amazon Cognito User Pool

Answer 24

A user directory in Amazon Cognito

Question 25

Amazon Cognito Sync

Answer 25

A client library that enables cross-device syncing of application-related user data

Question 26

AWS GovCloud

Answer 26

An isolated AWS Region

which is designed to allow U.S. government agencies and customers to move sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements

Question 27

AWS Certificate Manager

Answer 27

Lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.

This service does not store certifications or compliance-related documents

Question 28

What is the most secure way to provide applications temporary access to your AWS resources?

Answer 28

Create an IAM role and have the application assume the role

Question 29

Amazon GuardDuty

Answer 29

A threat detection service that continuously monitors for malicious activity and unauthorized behaviour to protect your AWS accounts and workloads

Question 30

AWS Shield

Answer 30

Managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS

Question 31

Amazon Macie

Answer 31

A machine learning-powered security service that discovers, classifies, and protects sensitive data such as personally identifiable information (PII)
or intellectual property

Question 32

Amazon Cognito

Answer 32

Primarily used if you want to add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily

Question 33

IAM Policy Simulator

Answer 33

Use to test and troubleshoot IAM and resource-based policies?

Question 34

Which of the following policies grant the necessary permissions required to access your Amazon S3 resources?

Answer 34

User policies and Bucket policies

Question 35

What is the best way to keep track of all activities made in your AWS account?

Answer 35

Create a multi-region trail in AWS CloudTrail

Question 36

What service acts as a firewall for your EC2 instances?

Answer 36

Security Group

Question 37

Elastic Network Interface

Answer 37

A logical networking component in a VPC that represents a virtual network card.

It does not serve as a virtual firewall for your instances

Question 38

What is an account alias is in IAM?

Answer 38

A substitute for an account ID in the web address for your account

Question 39

Which of the following do you need to programmatically interact with your AWS environment?

Answer 39

AWS SDK and Access keys

Question 40

Which compliance requirement has AWS achieved that allows handling of medical information?

Answer 40

HIPAA

Health Insurance Portability and Accountability Act

Question 41

PCI DSS

Answer 41

Payment Card Industry Data Security Standard

This is a set of security standards designed to ensure that ALL companies that accept, process, store, or transmit credit card information maintain a secure environment

Question 42

SOC 1

Answer 42

System and Organization Controls 1

This is a report on Controls at a Service Organization which are relevant to user entities internal control over financial reporting

Question 43

SOC 2

Answer 43

System and Organization Controls 2

This is focused more on making sure that systems are set up so they assure security, availability, processing integrity, confidentiality, and privacy of customer data

Question 44

A company plans to work with a third-party provider to deploy a new application that will be accessed globally.

You need to delegate permissions to access resources without using permanent credentials.

What should you use?

Answer 44

IAM Role

Are a secure way to grant permissions to entities you trust without creating dedicated user accounts

Question 45

Service Control Policy

Answer 45

This is a feature of AWS Organizations.

It’s a policy that specifies the services and actions that users and roles can use in the accounts that the SCP affects.

They’re similar to IAM permission policies except that they don’t grant any permissions.

Instead, They’re are just filters that allow only the specified services and actions to be used in affected accounts

Question 46

What service will allow you to safely store and automatically rotate database secrets for services such as Amazon RDS and Amazon Redshift?

Answer 46

AWS Secrets Manager

Question 47

AWS Secrets Manager

Answer 47

Helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle

Question 48

VPC Endpoint

Answer 48

Enables you to privately connect your VPC to Amazon S3 without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection

Question 49

AWS Abuse

Answer 49

Addresses many different types of potentially abusive activities such as phishing, malware, spam, and denial of service (DoS) or distributed denial of service (DDoS) incidents.

When abuse is reported, we alert customers so they can take the remediation action that is necessary.

Customers want to build automation for handling abuse events and the actions to remediate them

Question 50

Which AWS services should you use to upload

Secure Sockets Layer (SSL) certificates?

Answer 50

AWS IAM and AWS Certificate Manager

Question 51

The Chief Technology Officer wants to control the use of services across multiple AWS accounts using AWS Organizations. What service must be used to satisfy this requirement?

Answer 51

Service Control Policy

Question 52

AWS Systems Manager

Answer 52

Automates common maintenance and deployment tasks of EC2 instances and other AWS resources

Question 53

A company plans to restrict access to content served from an Amazon S3 bucket using Amazon CloudFront.

What features can you use to satisfy this requirement?

Answer 53

Origin Access Identity

Question 54

IAM User

Answer 54

Make use of access keys for long-term programmatic credentials.

Access keys consist of two parts:

access key ID and a secret access key.

You can use access keys to sign programmatic requests to the AWS CLI or AWS API