Security and Compliance Exam Tips

Question 1

If you need an AWS service to have multiple IAM capabilities not offered by managed Roles or policies, how can you achieve this?

Answer 1

Through a custom policy or role

Question 2

How can you create a new IAM policy?

Answer 2

Through the visual editor, or JSON

Question 3

When you attach a role to an EC2 instance, how long does it take for the effect to propagate to the server?

Answer 3

Immediately

Question 4

How long does it take for a newly attached policy to take effect on an EC2 instance?

Answer 4

right away

Question 5

True or false: While attaching a policy or role takes effect immediately, changing a policy takes time to propagate the changes?

Answer 5

False: Changes are immediate.

Question 6

Do you attach roles to EC2 instances via the CLI, or through the console?

Answer 6

Both - another trick question

Question 7

MFA Enabling can be done via…

Answer 7

CLI or console

Question 8

Can MFA be enabled for both root and user accounts?

Answer 8

yes

Question 9

Should you remember at a high level how STS token authentication works?

Answer 9

Yes.

Question 10

Which AWS services provide logging?

Answer 10

CloudTrail
Config
CloudWatch Logs
VPC flow Logs

Question 11

True or False: CloudWatch monitor API calls?

Answer 11

False: CloudTrails monitors API calls.

Question 12

True or False: CloudWatch monitors performace?

Answer 12

True

Question 13

True or False: AWS Config records the state of your environment

Answer 13

True

Question 14

If you need to be notified of changes to your environment, which service should you use?

Answer 14

AWS Config

Question 15

While taking the exam, should you choose HVM, or PV wherever possible?

Answer 15

HVM

Question 16

Do you have access to the AWS hypervisor?

Answer 16

No

Question 17

Does AWS have access to your EC2 instances?

Answer 17

No

Question 18

Does AWS scrub all RAM and storage before allocating to a new customer?

Answer 18

Yes

Question 19

PV is isolated by layers. On which layer does the Guest OS sit? On which does the application sit?

Answer 19

Guest on layer 1

Application on layer 3

Question 20

Do dedicated instances and dedicated hosts have dedicated hardware?

Answer 20

Yes

Question 21

How are dedicated instances charged?

Answer 21

Per instance

Question 22

How are dedicated hosts charged?

Answer 22

Per host

Question 23

if you have specific licensing, regulatory or compliance requirements, should you choose dedicated instancs, or hosts?

Answer 23

Hosts

Question 24

Can dedicated instances share hardware with other non-dedicated instances within the same AWS account?

Answer 24

yes

Question 25

Do dedicated hosts give you better visibility in to things like sockets, cores, and host IDs?

Answer 25

Yes

Question 26

In what two ways can you select instances to run commands using system manager?

Answer 26

via tagged groups, or manual selection

Question 27

does an SSM agent need to be installed on managed instances?

Answer 27

Yes

Question 28

Where are commands and parameters defined for Systems Manager?

Answer 28

in a Systems Manager Document

Question 29

From where can commands be issued to EC2 instances?

Answer 29

AWS Console, CLI, Tools for Windows PowerShell, Systems Manager API, or Amazon SDKs

Question 30

Can you manage on-prem systems using System Manager?

Answer 30

Yes

Question 31

Where would you store confidential information such as passwords, license codes, etc for later use by your systems and applications?

Answer 31

AWS Systems Manager Parameter Store

Question 32

Does the Parameter Store save string as clear text, or cipher?

Answer 32

Either, depending on your needs?

Question 33

If you need to give access to an S3 object without needing to create an account, or make it public, how would you achieve this?

Answer 33

pre-signed URLs

Question 34

How can pre-signed URLs be created

Answer 34

AWS SDK or CLI

Question 35

What time unit are pre-signed URL availabilty based on?

Answer 35

Seconds

Question 36

What is the default availability of a newly created pre-signed URL?

Answer 36

1 hour (3600 seconds)

Question 37

What CLI command would you use to change the default availability time of a pre-signed URL?

Answer 37

–expires-in

Question 38

Which two AWS Config rules should you be aware of for the SysOps exam?

Answer 38

No Public Read Access

No Public Write Access

Question 39

How does Inspector work?

Answer 39

Create an assessment target
Install agents on EC2 instances
Create assessment template
perform assessment run
Review Findings against the rules

Question 40

For Inspector, what Rules Packages are available?

Answer 40

Common vulnerabilities and exposures
CIS Operating Systems Security Configuration
Benchmarks
Security Best Practices
Runtime Behavior Analysis

Question 41

What severity levels are there for Rules in AWS Inspector?

Answer 41

High
Medium
Low
Informational

Question 42

What will an Inspector Run do?

Answer 42

Monitor the network, file system, and processess activity.
Compare what it sees to security rules
Report on security issues observed within target during run
Report findings and advise remediation

Question 43

Will Inspector relieve you of the shared responsibility model, or perform miracles?

Answer 43

No, and… no.

Question 44

What does Trusted Advisor advise on

Answer 44

Cost Optimization
Availability
Performance
Security

Question 45

Should you do more research on the shared responsibility model?

Answer 45

yes

Question 46

Are security groups stateless or stateful?

Answer 46

Stateful

Question 47

What is AWS Artifact?

Answer 47

A place to download compliance documents, and a place to upload your compliance results for auditors and regulators.

Question 48

True or False: A Cloud Guru practice exams will ask questions not covered in the lessons?

Answer 48

True. So take them, and research things that aren’t covered to ensure broader understanding of AWS stuff.