Security And Compliance

Question 1

Client is responsible for the security in the cloud for:

Answer 1

Installed applications
Patching the guest operating system
Security controls

Question 2

according to the shared responsibility model, AWS is responsible for

Answer 2

EC2 service
Patching the host operating system
Security of the physical server

Question 3

For the Lambda security model, the client is responsible for:

Answer 3

Security of code
Storage of sensitive data
IAM permissions

Question 4

For the Lambda security model, AWS is responsible for:

Answer 4

Lambda service
Upgrading Lambda languages
Operating system
Underlying infrastructure
Software dependencies

Question 5

The 6 pillars of the Well Architected Framework

Answer 5

Operational excellence
Security
Reliability
Performance efficiency
Cost optimization
Sustainability

Question 6

Principle of least privilege 

Answer 6

Give a user the minimum access required to get the job done

Question 7

What is a collection of IAM users that helps you apply common access controls to all group members:

Answer 7

A Group. Used to group users that perform a similar task.

Question 8

EC2 security groups act as ________, while IAM groups are a collection of ______.

Answer 8

Firewalls, users

Question 9

_____ define access permission and are temporarily assumed by an IAM user or services.

Answer 9

Roles

Whenever a user assumes a role, they have access to the resource according to what is stated in the policy.

Question 10

______ manage permissions for IAM groups, users, and roles by creating a _____ document in JSON format and attaching it.

Answer 10

Policies, policy

Question 11

IAM best practices

Answer 11

MFA for privileged users
Strong password policies
Create individual users instead of using the root for everything
Use roles for EC2 instances instead of long-term credentials like access keys

Question 12

IAM Credential Report

Answer 12

Lists all users in your account and the status of their credentials. Lists password status, access keys, MFA devices. Used for auditing and compliance.

Question 13

______ prevent unauthorized access to your networks by inspecting incoming and outgoing traffic against security rules you’ve defined.

Answer 13

Firewalls.

Question 14

Web Application Firewall (WAF)

Answer 14

Helps protect your web apps against common web attacks, including:
SQL injection
Cross-site scripting

Question 15

_____ cause traffic jams on websites or web apps to cause them to get overwhelmed and crash.

Answer 15

Distributed Denial of Service ( DDoS) attacks

Question 16

___ is a managed DDoS protection service

Answer 16

Shield.

There’s shield standard and advanced. Standard is free, and advanced supports several services.

Question 17

_____ uses ML to discover and protect sensitive data.

Answer 17

Macie.

Evaluates S3 environment

Question 18

Services supported by Shield

Answer 18

CloudFront
Elastic load balancer
Route 53
Global Accelerator

Question 19

____ allows you to assess, audit, and evaluate the configurations of your resources.

Answer 19

Config.

Tracks changes to various resources over time
Notifications via SNS of every config change

Question 20

An intelligent threat detection system that uncovers unauthorized or malicious activities in your AWS account.

Answer 20

GuardDuty

Uses ML to detect patterns
Built in detection for EC2, S3, IAM.
Detect unusual API calls in your account

Question 21

Works with EC2 instances to uncover and report vulnerabilities.

Answer 21

Inspector

An agent installed in EC2 instances. Works with EC2 only.

Question 22

Offers on demand access to security AND compliance reports.

Answer 22

Artifact

Central repository for reports from third party auditors.
Service Organization Control (SOC) reports.
Payment Card Industry (PCI) reports.

Question 23

Provides authentication and authorization to mobile and web applications, helps manage users, and controls access to mobile and web apps.

Answer 23

Cognito

Question 24

A(n) __________ “scrambles” data before sending it to someone. The person receiving the data will need a ___________ to unscramble the data and read it.

Answer 24

Encryption key, decryption key

Question 25

Allows you to generate and store encryption keys.

Answer 25

Key Management Service (KMS)

AWS manages the encryption keys.
Example: create encrypted EBS volumes

Question 26

CloudHSM

Answer 26

A hardware security module (HSM) used to generate encryption keys.

You manage your own keys, not AWS.
Dedicated hardware for security

Question 27

Allows you to manage and retrieve secrets.

Answer 27

Secrets Manager.

Encrypt secrets at rest.
Integrates with services.
Example: retrieve database credentials by calling the secrets manager API instead of hard coding it in plain text.