Security and Compliance Flashcards

1
Q

What are AWS’ Responsibilities in the shared security model?

A

AWS’ responsibility - Security of the Cloud - AWS is responsible for protecting and securing their infrastructure

AWS Global Infrastructure - AWS is responsible for its global infrastructure elements: Regions, edge locations, and Availability Zones

Building Security - AWS controls access to its data centers where your data resides

Networking Components - AWS maintains networking components: generators, uninterruptible power supply (UPS) systems, computer room air conditioning (CRAC) units, fire suppression systems, and more.

Software - AWS is responsible for any managed service like RDS, S3, ECS, or Lambda, patching of host operating systems, and data access endpoints.

2
Q

What are your responsibilities in the shared security model?

A

Your responsibility - Security in the Cloud - You are responsible for how the services are implemented and managing your application data

Application Data - You are responsible for managing your application data, which includes encryption options.

Security Configuration - You are responsible for securing your account and API calls, rotating credentials, restricting internet access from your VPCs, and more.

Patching - You are responsible for the guest operating system (OS), which includes updates and security patches.

Identity and Access - You are responsible for application security and identity and access management.

Network Traffic - You are responsible for network traffic protection, which includes security group firewall configuration.

Installed Software - You are responsible for your application code, installed software, and more. You should frequently scan for and patch vulnerabilities in your code.

3
Q

EC2 Shared Responsibility Model. You vs AWS?

A

You
Installed applications
Patching the guest operating system
Security controls

AWS
EC2 service
Patching the host operating system
Security of the physical server

4
Q

Lambda Shared Responsibility Model. You vs AWS?

A

You
Security of code
Storage of sensitive data
IAM for permissions

AWS
Lambda service
Upgrading Lambda languages
Lambda endpoints
Operating system
Underlying infrastructure
Software dependencies

5
Q

What responsibilities are shared in the Shared Security Responsibilities model?

A

Patch Management
AWS is responsible for patching infrastructure
You are responsible for patching guest OS and applications

Configuration Management
AWS is responsible for configuring infrastructure devices
You are responsible for configuring databases and applications

Awareness and Training
AWS is responsible for training their employees
You are responsible for training your employees

6
Q

Where do you report abuse of AWS services?

A

AWS Trust and Safety Team
abuse@amazonaws.com

7
Q

What are the 6 pillars of the Well-Architected Framework?

A

Operational Excellence

Security

Reliability

Performance Efficiency

Cost Optimization

Sustainability

8
Q

What does the Operational Excellence pillar of the Well-Architected Framework focus on?

A

This pillar focuses on creating applications that effectively support production workloads.
a. Plan for and anticipate failure
b. Script operations as code
c. Deploy smaller, reversible changes
d. Learn from failure and refine

9
Q

What does the Security pillar of the Well-Architected Framework focus on?

A

This pillar focuses on putting mechanisms in place that help protect your systems and data.
a. Automate security tasks
b. Assign only the least privileges required
c. Encrypt data in transit and at rest
d. Track who did what and when
e. Ensure security at all application layers

10
Q

What does the Reliability pillar of the Well-Architected Framework focus on?

A

This pillar focuses on designing systems that work consistently and recover quickly.
a. Recover from failure automatically
b. Stop guessing capacity
c. Scale horizontally for resilience
d. Manage change through automation
e. Test recovery procedures

11
Q

What does the Performance Efficiency pillar of the Well-Architected Framework focus on?

A

This pillar focuses on the effective use of computing resources to meet system and business requirements while removing bottlenecks.
a. Use serverless architectures first
b. Delegate tasks to a cloud vendor
c. Use multi-region deployments
d. Experiment with virtual resources

12
Q

What does the Cost Optimization pillar of the Well-Architected Framework focus on?

A

This pillar focuses on delivering optimum and resilient solutions at the least cost to the user.
a. Utilize consumption-based pricing
b. Measure overall efficiency
c. Implement Cloud Financial Management
d. Pay only for resources your application requires

13
Q

What does the Sustainability pillar of the Well-Architected Framework focus on?

A

This pillar focuses on environmental impacts, especially energy consumption and efficiency.
a. Understand your impact
b. Maximize utilization
c. Establish sustainability goals
d. Use managed services
e. Reduce downstream impact

14
Q

What does Identity and Access Management (IAM) provide?

A

Allows you to control access to your AWS services and resources

Helps you secure your cloud resources

You define who has access

You define what they can do

A free global service

15
Q

What are identities in AWS?

A

Identities are who can access your resources

Root user

Individual users

Groups

Roles

16
Q

What is Access in terms of AWS?

A

What resources your identities can access through the use of:

Policies

AWS managed policies

Customer managed policies

Permission boundaries

17
Q

What is Authentication?

A

Authentication - presenting your identity (username) and providing verification (password).

18
Q

What is Authorization?

A

Authorization - determines which services and resources the authenticated identity has access to.

19
Q

What are Users?

A

Users - entities you create in IAM to represent the person or application needing to access your AWS resources.

20
Q

What can only the Root user do?

A

Only the Root user can do the following

Close your account

Change email address

Modify your support plan

21
Q

What is the principle of least privilege?

A

The Principle of least privilege involves giving a user the minimum access required to get the job done.

22
Q

What are Groups?

A

Groups - a collection of IAM users that helps you apply common access controls to all group members.

EC2 security groups act as firewalls while IAM groups are collections of users.

23
Q

What are roles?

A

Roles - define access permissions and are temporarily assumed by an IAM user or service
* You assume a role to perform a task in a single session
* Assumed by any user or service that needs it
* Access is assigned using policies
* You grant users in one AWS account access to resources in another AWS account
* Real world
○ You can attach a role to an instance that provides privileges (e.g., uploading files to S3) to applications running on the instance. Roles help you avoid sharing long-term credentials like access keys and protect your instances from unauthorized access.

24
Q

What are policies?

A

Policies - You manage permissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it.

25
Q

What are some best practices for IAM?

A

  1. Enable MFA for privileged users
  2. Implement strong password policies
  3. Create individual users instead of using root
  4. Use roles for Amazon EC2 instances

26
Q

What is the IAM Credential Report?

A

IAM Credential Report - lists all users in your account and the status of their various credentials
* Lists all users and status of passwords, access keys, and MFA devices
* Used for auditing and compliance

27
Q

Application Security Services

What is a WAF?

A

WAF - Web Application Firewall - helps protect your web applications against common web attacks.
* Protects apps against common attack patterns
* Protects against SQL injection
* Protects against cross-site scripting

28
Q

Application Security Services

What is a Distributed Denial of Service (DDoS) attack?

A

Distributed Denial of Service (DDoS) - an attack that causes a traffic jam on a website or web application in an attempt to cause it to crash.

29
Q

Application Security Services

What is Shield?

A

Shield - a managed Distributed Denial of Service (DDoS) protection service
* Always-on detection
* Shield Standard is free
○ Provides free protection against common and frequently occurring attacks
* Shield Advanced is a paid service
○ Provides enhanced protections and 24/7 access to AWS experts for a fee
○ DDoS protection via Shield Advanced is supported on several services
§ CloudFront
§ Route 53
§ Elastic Load Balancing
§ AWS Global Accelerator

30
Q

Application Security Services

What is Macie?

A

Helps you discover and protect sensitive data
* Uses machine learning
* Evaluates S3 environment
* Uncovers personally identifiable information (PII)

31
Q

Additional Security Services

What is Config?

A

Config - allows you to assess, audit, and evaluate the configurations of your resources.
* Track configuration changes over time
* Delivers configuration history file to S3
* Notifications via Simple Notification Service (SNS) of every configuration change
* Use Case
○ Identify system-level configuration changes made to your EC2 instances. For example, network, software, and OS configuration changes, system-level updates, and more.

32
Q

Additional Security Services

What is GuardDuty?

A

GuardDuty - an intelligent threat detection system that uncovers unauthorized behavior.
* Uses machine learning
* Built-in detection for EC2, S3, and IAM
* Reviews CloudTrail, VPC flow logs, and DNS logs
* Use Case
○ Detect unusual API calls in your account. GuardDuty’s anomaly detection feature evaluates all API requests in your account and identifies events that are associated with common techniques used by attackers.

33
Q

Additional Security Services

What is Inspector?

A

Inspector - works with EC2 instances to uncover and report vulnerabilities.
* Agent installed on EC2 instance
* Reports vulnerabilities found
* Checks access from the Internet, remote root login, vulnerable software versions, etc.
* Use Case
○ Identify unintended network access to an EC2 instance via a detailed report of security findings

34
Q

Additional Security Services

What is Artifact?

A

Artifact - offers on-demand access to AWS security and compliance reports.
* Central repository for compliance reports from third-party auditors
* Service Organization Control (SOC) reports
* Payment Card Industry (PCI) reports
* Use Case
○ You need to access AWS’ certification for ISO compliance

35
Q

Additional Security Services

What is Cognito?

A

Cognito - helps you control access to mobile and web applications
* Provides authentication and authorization
* Helps you manage users
* Assists with user sign-up and sign-in
* Use Case
○ You need to add a social media sign-in to your web application

36
Q

Data Encryption and Secrets Management

What is KMS?

A

KMS - Key Management Service - allows you to generate and store encryption keys
* Key generator
* Store and control keys
* AWS manages encryption keys
* Automatically enabled for certain services

37
Q

Data Encryption and Secrets Management

What is CloudHSM?

A

CloudHSM - a hardware security module (HSM) used to generate encryption keys
* Dedicated hardware for security
* Generate and manage your own encryption keys
* AWS does not have access to your keys

38
Q

Data Encryption and Secrets Management

What is Secrets Manager?

A

Secrets Manager - allows you to manage and retrieve secrets (passwords or keys).
* Rotate, manage, and retrieve secrets
* Encrypt secrets at rest
* Integrates with services like RDS, Redshift, and DocumentDB