Security and Monitoring

Question 1

What is a security group?

Answer 1

A virtual firewall for EC2 instances

Question 2

What is bootstrap scripts?

Answer 2

a script that runs when instance first runs

Question 3

what permissions does bootstrap script have?

Answer 3

full administrative access

Question 4

How long does it take for changes to security groups to occur?

Answer 4

Immediately

Question 5

How many EC2 instances can you have in a security group?

Answer 5

Any number

Question 6

Why can there only be one security group attached to an EC2 instance?

Answer 6

There can many security groups attached to an EC2 instance

Question 7

What inbound traffic is blocked by default?

Answer 7

All inbound traffic

Question 8

Is a network ACL or security group hit first when a request is coming from the internet into a public subnet?

Answer 8

The network ACL is hit first

Question 9

What does 0.0.0.0/0 do?

Answer 9

Let’s everything in

Question 10

What is the first line of defense?

Answer 10

Network ACL’s

Question 11

What is a Network ACL?

Answer 11

An layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets

Question 12

By default what inbound and outbound traffic is allowed by the default network ACL?

Answer 12

All

Question 13

Does a VPC automatically have a network ACL?

Answer 13

Yes

Question 14

What inbound and outbound traffic is allowed by default in a custom network ACL?

Answer 14

None

Question 15

Should you block IP addresses using a network ACL’s or security groups

Answer 15

Network ACL

Question 16

How many network ACL’s can a subnet be associated with?

Answer 16

One

Question 17

Are security groups or network ACL’s stateless?

Answer 17

Network ACL

Question 18

In what order are the network ACL’s numbered list of rules evaluated?

Answer 18

In order from lowest number

Question 19

What does VPN Cloudhub do?

Answer 19

Connect multiple sites with differing VPN’s together

Question 20

What measure does VPN Cloudhub do to protect your data since it uses the public internet?

Answer 20

Encrypts your data

Question 21

What is cloudwatch?

Answer 21

A monitoring and observability platform designed to give insight into your AWS architecture and potential problems

Question 22

What should you create to notify you of a system failure?

Answer 22

An alarm

Question 23

What are default metrics for cloudwatch?

Answer 23

CPU utilization and network throughout

Question 24

What are custom metrics for cloudwatch?

Answer 24

EC2 memory utilization, EBS storage capacity

Question 25

What is cloudwatch logs?

Answer 25

A tool that allows you to monitor, store, and access log files from a variety of sources

Question 26

What is a log event?

Answer 26

A record of what happened

Question 27

What does a log event contain?

Answer 27

The data and a timestamp

Question 28

What is a log stream?

Answer 28

A collection of log events from the same source

Question 29

What is a log group?

Answer 29

A collection of log streams

Question 30

What is a filter pattern in cloud watch logs?

Answer 30

A way to look for specific errors

Question 31

What is Amazon managed Grafana?

Answer 31

Fully managed AWS service allowing instant querying correlating and visualizing of your operational metrics, logs, and traces

Question 32

What are Grafana workspaces?

Answer 32

areas created to allow separate data visualizations and querying

Question 33

Does Grafana have built in security?

Answer 33

Yes

Question 34

What are some key use examples for Amazon managed Grafana?

Answer 34

container metric visualizations, internet of things monitoring, troubleshooting

Question 35

What is Amazon managed service for prometheus?

Answer 35

Serverless, prometheus compatible service used for securely monitoring container metrics at scale

Question 36

What is CloudTrail?

Answer 36

it increases visibility into your user and resource activity by recording AWS Management Console actions and API calls

Question 37

What is logged with CloudTrails?

Answer 37

Metadata of API call, identity of API caller, time of API call, source IP address of API caller, request parameters, response elements returned by server

Question 38

What is logged with CloudTrails?

Answer 38

Metadata of API call, identity of API caller, time of API call, source IP address of API caller, request parameters, response elements returned by server

Question 39

What can you think of CloudTrails as?

Answer 39

The CCTV system of your AWS account

Question 40

What is AWS Shield?

Answer 40

Free DDoS protection for ELB, CloudFront, and Route 53

Question 41

What layer attacks does Shield protect against?

Answer 41

Layer 3/4 (SYN floods, reflection attacks, etc)

Question 42

What is AWS Shield Advanced?

Answer 42

Enhanced protection for ELB, Cloudfront, and Route 53

Question 43

What is the difference between Shield and Shield Advanced?

Answer 43

24/7 access to DDoS response time, real time alerts, and Advanced is 3000 per month

Question 44

What is AWS WAF?

Answer 44

AWS web application firewall is a service that lets you monitor the HTTP and HTTPS requests that are forwarded to Amazon CloudFront or an application load balancer

Question 45

If you want to control what IP addresses are allowed to make requests, what should you use?

Answer 45

AWS WAF

Question 46

If you are afraid of layer 7 attacks, what should you use?

Answer 46

AWS WAF

Question 47

What are the three conditions available on AWS WAF?

Answer 47

Allow all (except what you specify), deny all (except what you specify), count what matches conditions you stated

Question 48

What is AWS GuardDuty?

Answer 48

A threat detection service that uses machine learning to continuously monitor for malicious behavior

Question 49

Where do GuardDuty alerts appear?

Answer 49

GuardDuty console and Cloudwatch events

Question 50

What does GuardDuty monitor?

Answer 50

Cloudtrail logs, VPC flow logs, and DNS logs

Question 51

What is firewall manager?

Answer 51

A security management service that goes across multiple AWS accounts

Question 52

What is Macie?

Answer 52

Uses machine learning and pattern matching to discover sensitive data stored in S3

Question 53

Can Macie utilize automated remediation actions?

Answer 53

Yes

Question 54

What is amazon inspector?

Answer 54

Automatically assesses applications for vulnerabilities or deviations from best practice

Question 55

What are the 2 types of Amazon inspector assessments?

Answer 55

Network assessments, host assessments

Question 56

What is KMS?

Answer 56

Key management service

Question 57

What is a CMK in regards to KMS?

Answer 57

A customer master key is a logical representation of a master key

Question 58

What is a HSM?

Answer 58

a hardware security module is a physical computing device that safeguards and manages digital keys and performs encryption and decryption functions

Question 59

What are the three ways a CMK is created?

Answer 59

AWS creates it for you in HSMs, import key material from own key management infrastructure, have key material generated in AWS CloudHSM cluster

Question 60

How often can you have AWS KMS rotate the CMK?

Answer 60

every year

Question 61

What CMKs do not support automatics key rotation?

Answer 61

imported keys, asymmetric keys, or keys generated in AWS CloudHSM

Question 62

What type of policy do KMS CMK's require?

Answer 62

a resource policy

Question 63

What is the difference between KMS and CloudHSM?

Answer 63

KMS has shared tenancy of underlying hardware, CloudHSM is dedicated to you, KSM has automatic key rotation, CloudHSM does not

Question 64

What is Secrets Manager?

Answer 64

A service that securely stores, encrypts, and rotates your database credentials and other secrets

Question 65

What must you do before enabling credential rotation?

Answer 65

make sure all application instances are configured to use secrets manager

Question 66

Does secret manager rotate credentials automatically?

Answer 66

Yes

Question 67

What is parameter store?

Answer 67

a capability of AWS systems manager that provides secure, hierarchical storage

Question 68

If you are trying minimize costs and don't need key rotation, what secure storage solution should you use?

Answer 68

parameter storage

Question 69

What is the maximum amount of parameters for parameter storage?

Answer 69

10,000

Question 70

How can the owner of a private object in S3 grant time limited permission to download the object?

Answer 70

by creating a presigned URL

Question 71

if you want someone to have access to all the contents of multiple restricted files, what should you use?

Answer 71

Presigned cookies

Question 72

What is AWS Certificate Manager?

Answer 72

allows you to create, manage, and deploy public and private SSL certificates for use with other AWS services

Question 73

How much does AWS charge for provisioning public and private certificates?

Answer 73

for free

Question 74

Does AWS Certificate Manager automatically renew and deploy certificates?

Answer 74

Yes

Question 75

What service should you use to manage your SSL certificates?

Answer 75

AWS Certificate manager

Question 76

What is AWS audit manager?

Answer 76

with it, you can continuously audit your AWS usage to make sure you stay compliant with industry standards and regulations

Question 77

Is audit manager an automated service?

Answer 77

yes

Question 78

If you need continuous auditing, what should you use?

Answer 78

audit manager

Question 79

What is AWS artifact?

Answer 79

A single source you can visit to get the compliance -related information that matters to you

Question 80

If you need to compliance reports, what should you use?

Answer 80

AWS artifact

Question 81

What is amazon cognito?

Answer 81

it provides authentication, authorization, and user management for your web and mobile apps in a single service without the need for custom code

Question 82

What is the series of events that Cognito does to sign in?

Answer 82

Authenticates and gets a token, exchanges that token in for AWS credentials in the identity pool, finally uses AWS credentials to sign in

Question 83

What is Amazon Detective?

Answer 83

it pulls data in from your AWS resources and uses machine learning, stat analysis, and graph theory to quickly figure out the root cause of your security issues

Question 84

If you need to know the root cause of an event, what should you use?

Answer 84

Amazon detective

Question 85

What is network firewall?

Answer 85

a managed service that makes it easy to deploy a physical firewall across your VPC's.

Question 86

Does AWS Network Firewall work with Firewall Manager?

Answer 86

Yes

Question 87

If you need an intrusion prevention system or to filter internet traffic before it reaches your gateway, what should you use?

Answer 87

AWS Network FIrewall

Question 88

If you need an intrusion prevention system or to filter internet traffic before it reaches your gateway, what should you use?

Answer 88

AWS Network FIrewall

Question 89

What is AWS Security Hub?

Answer 89

a single place to view all your security alerts from differing services