Security and Compliance

Question 1

Customers shared responsibility

Answer 1

Responsibility for the security in the cloud
* Customer data
* platform
* Applications
* IAM
* OS, Network and firewall configs
* client side data encryption and data integrity configs
* server side encryption
* networking traffic protection

Question 2

AWS shared responsibility

Answer 2

Software
* compute
* storage
* database
* networking

Hardware/Global infrastruture
* regions
* availability zones
* edge locations

Question 3

What are the aws compliance programs

Answer 3

• Certifications / attestations.
• Laws, regulations, and privacy.
• Alignments / frameworks.

it varies among AWS services

Question 4

AWS IAM

Answer 4

it helps you securely control access to AWS resources

Question 5

AWS Trusted Advisor

Answer 5

its an assitant that helps one provision your resources following AWS best practices

Question 6

AWS Personal Health Dashboard

Answer 6

A personalized view of the health of AWS services, and alerts when your resources are impacted

• it prompts the user with alerts and notifications on AWS scheduled activities, pending issues and planned charges

Question 7

List the AWS support plans

Answer 7

• Basic
• Developer
• Business
• Enterprise

Question 8

Basic

Answer 8

• email support only
• for billing and acct
• 7 trusted advisor checks
• $0/month

Question 9

Developer

Answer 9

• Tech support via email (reply ~ 24 hrs)
• No third party support
• General guidance <24hrs
• System Impaired < 12hrs
• 7 trusted advisor checks
• $29/month

Question 10

Business

Answer 10

• Tech support via email (reply ~ 24 hrs)
• Tech support via chat, phone, anytime 24/7
• General guidance <24hrs
• System Impaired < 12hrs
• Production system impaired < 4hrs
• Production system down < 1hrs
• all trusted advisor checks
• $100/month

Question 11

Enterprise

Answer 11

• Tech support via email (reply ~ 24 hrs)
• Tech support via chat, phone, anytime 24/7
• General guidance <24hrs
• System Impaired < 12hrs
• Production system impaired < 4hrs
• Production system down < 1hrs
• Business-critical down <15m
• personal concierge
• TAM (Technical Account Manager: someone that knows AWS in and out, he helps reduce the bill)
• all trusted advisor checks
• $15,000/month

Question 12

security group

Answer 12

-it acts as a virtual firewall by controlling the traffic both inbound and outbound.

• it acts tn the instance level
• you can change a security group associated with an ec2 instance if the instance is in the running state

Question 13

Amazon VPC

Answer 13

It enables you to launch AWS resources into a virtual network that you have already defined

Question 14

subnet

Answer 14

A range of Ip addresses in your VPC

• security groups and NACL are used to protect resources in a subnet

Question 15

Public Subnet

Answer 15

uses resources that can be connected to the internet

Question 16

Private subnet

Answer 16

uses resources that wont be connected to the internet

Question 17

Route Table

Answer 17

A set of rules (called routes) that are used to determine where network traffic is directed.

Question 18

Internet Gateway

Answer 18

A gateway that you attach to your VPC to enable communication between resources in your VPC and the internet.

• you can only have 1 gateway in your VPC

Question 19

Which resource does Amazon Inspector perform network accesibility checks on

Answer 19

Amazon EC2 instance`

Question 20

IAM role

Answer 20

it is an IAM identity that you can create in your account that has specific permisions.

• similar to IAM users

Question 21

IAM user group

Answer 21

a collection of IAM users

Question 22

IAM User

Answer 22

it is an entity that u can create in AWS to represent the person or application that uses it to interact with AWS

• they have access to Access keys
  – Acces key ID
  – secret access key

Question 23

IAM Policies

Answer 23

are used to manage access in AWS by attaching them to IAM identities (users, user groups, or roles) or AWS resources

Question 24

Amazon Macie

Answer 24

it is a managed security service which can be used to detect personally identifiable information (PII) such as names, password, credit card numbers from large amounts of data stored in Amazon s3 bucket.

• it uses ml to protect sensitive data like passwords

Question 25

AWS Shield

Answer 25

It is used for defecting against DDOS attacks

Question 26

AWS shield advance

Answer 26

For higher level of protection against Attacks targets in your web applications running on Amazon EC2, elastic load balancing,, cloud front and Route 52 resources

you can subscribe to AWS shield advanced

Question 27

AWS CloudTrail

Answer 27

It is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account

Question 28

Network ACL

Answer 28

Network access control list is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.

• it is a subnet level

Question 29

AWS Secrets Manager

Answer 29

it i sused to store and manage secrets used to access database or other resources in AWS

• it is used to securely store and automatically rotate credentials for databases hosted on RDS

Question 30

AWS Systems manager Parameter Store

Answer 30

it is used to store config data and secrets securely in a plain or encrypted format

Question 31

Ama

Question 32

Amazon detective

Answer 32

Amazon Detective automatically collects log data from your AWS resources and uses machine learning (ML), statistical analysis, and graph theory to build a linked dataset that you can use to conduct more efficient security investigations.

• it is passive protection
• makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities

Question 33

Amazon Detective

Answer 33

is an automated security assessment service that helps you test the network accessibility of your Amazon EC2 instances and the security state of your applications running on the instances

Question 34

Amazon security Hub

Answer 34

is a service that gives you aggregated visibility into your security and compliance status across multiple AWS accounts

Question 35

AWS WAF

Answer 35

helps Protect your web applications from common exploits

• it is launched with
  - Amazon cloud front
  - Application load balancer
  - Amazon API Gateway
  - AWS AppSync

Question 36

AWS Security

Answer 36

Used to download AWS security and compliance documents

Question 37

Security Groups

Answer 37

Security groups allow specific inbound and outbound traffic at the resource level (such as an EC2 instance)

• it is resource/instance level

Question 38

AWS Firewall Manager

Answer 38

It makes it possible to manage VPC security groups, AWS Shield Advanced and WAF rules on one platform even across multiple AWS accts.

Question 39

AWS Security Hub

Answer 39

It is a full-view, single-look, comprehensive depiction of the security state of the customer’s AWS environment.

Question 40

AWS IAM Access Analyzer

Answer 40

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to
AWS resource