SECURITY & COMPLIANCE Flashcards
(91 cards)
1
Q
____is responsible for constructing your house and ensuring that it is solidly built.
A
AWS
2
Q
____ responsibility to secure everything in the house by ensuring that the doors are closed and locked.
A
CUSTOMERS
3
Q
According the AWS shared responsibility model what is the customer responsible for?
A
Customers are responsible for the security of everything that they create and put in the AWS Cloud.
- You also control how access rights are granted, managed, and revoked.
4
Q
According to the shared responsibility model who is responsible for:
- Configuring, and patching the operating systems that will run on Amazon EC2 instances, configuring security groups, and managing user accounts.?
A
Customer are responsible of security in the cloud, making sure the os is patched and who has keys of house
5
Q
According the AWS shared responsibility model what is the AWS responsible for?
A
AWS is responsible for security of the cloud.
1. all layers of infrastructure e.g. data centre, host operating system and virtualisation layer
- Global infrastructure that runs aws cloud e.g. regions, az, edge locations
6
Q
According to the Shared responsibility model who is responsible for:
Securing Host operating system, the virtualization layer, physical security of the data centers
A
AWS
7
Q
According to the Shared responsibility model who is responsible for:
Securing AWS Regions, Availability Zones, and edge locations.
A
AWS
8
Q
Although you cannot visit AWS data centers to see this protection firsthand, what can you do to ensure things are secure?
A
AWS provides several reports from third-party auditors.
9
Q
According to the Shared responsibility model who is responsible for:
Maintaining network infrastructure
A
aws
10
Q
According to the Shared responsibility model who is responsible for:
Implementing physical security controls at data centers
A
aws
11
Q
According to the Shared responsibility model who is responsible for:
Maintaining servers that run Amazon EC2 instances
A
aws
12
Q
According to the Shared responsibility model who is responsible for:
Patching software on Amazon EC2 instances
A
cmr
13
Q
According to the Shared responsibility model who is responsible for:
Setting permissions for Amazon S3 objects
A
security in the cloud = cmr
14
Q
According to the Shared responsibility model who is responsible for:
Operating System?
A
Customer, aws can’t enter operating system!
15
Q
According to the Shared responsibility model who is responsible for:
Patching your Operating system?
A
AWS can notify you, but you have to patch your own system. No one can deploy anything to break your system except your team
16
Q
According to the Shared responsibility model who is responsible for:
Data
A
Customer has full control of their DATA, aws provides tool to secure your data
17
Q
What’s the best practice when using root user?
A
use the root user to create your first IAM user and assign it permissions to create other users.
Use the root user to perform tasks only available to the root user. E.g. changing your root user email address and changing your AWS support plan.
MFA
18
Q
What are the best practices for IAM users?
A
Create individual IAM users for each person
unique password with MFA
19
Q
What’s an IAM User?
A
identity that you create in AWS. It represents the person or application that interacts with AWS services and resources. It consists of a name and credentials.
20
Q
a document that allows or denies permissions to AWS services and resources.
A
IAM Policy
21
Q
______ enable you to customize users’ levels of access to resources. e.g. allow users to access all of the Amazon S3 buckets within your AWS account, or only a specific bucket.
A
IAM Policy
22
Q
Why should you not grant employees access to all of the buckets in your AWS account.
What rule does this go against?
A
Not complaint with LEAST PRIVALEGE
SHOULD BE EXPLICIT, user should only be given access to what they need.
23
Q
_____ a collection of IAM users.
A
IAM Groups
24
Q
How can you assign all users in the cashier team access to ‘receipts’?
A
assign an IAM policy to a group, all users in the group are granted permissions specified by the policy.
25
What IAM best practice can be used below:
What if a coffee shop employee hasn’t switched jobs permanently, but instead, rotates to different workstations throughout the day?
IAM role
26
_____ is an identity that you can assume to gain temporary access to permissions.
IAM role
27
Why is IAM role good for temporary workstations/roles?
employee can easily switch between workstations, but they can have access to only a single workstation at a time
must be granted permissions to switch to the role.
When someone assumes an IAM role, they abandon all previous permissions that they had under a previous role and assume the permissions of the new role.
28
How can you provide extra layer of security to in IAM?
MFA
| STRONG PASSWORD POLICY
29
Which IAM enables applications/services to carry out tasks?
IAM ROLE
30
When a user is created by default ____ ?
all actions are denied, IAM has to be specifically enabled.
31
Define least privilege?
Users are granted access only to what they need.
32
Which IAM does not require username & password?
IAM Role
33
Using _________ you can centrally control permissions for the accounts in your organization by using _______
AWS Organisation
Service control policy
34
_____ central location to manage multiple AWS accounts?
AWS organisation
35
What is SCP? Service control policy?
SCPs enable you to place restrictions on the AWS services, resources, and individual API actions that users and roles in each account can access.
36
State the 4 main features of AWS organisation
1. Central Management of all AWS accounts and combine them into an organization
2. Consolidated billing for all member accounts through on account + bulk discount through consolidated billing
3. Hierarchical grouping of accounts into organizational units for regulatory compliance
4. AWS service and API actions access control using SCPs to restrict which AWS services the users and roles in each member account can access.
37
What is an Organisation Unit (OU) ?
you can group accounts into organizational units (OUs) to make it easier to manage accounts with similar business or security requirements.
When you apply a policy to an OU, all the accounts in the OU automatically inherit the permissions specified in the policy.
38
Whats the difference between OU and IAM Group?
An IAM group is a collection of IAM users, while an OU is a group of AWS accounts.
39
The finance and IT departments have requirements that do not overlap with those of any other department. You bring these accounts into your organization to take advantage of
consolidated billing, but you do not place them into any OUs.
40
The HR and legal departments need to access the same AWS services and resources and follow regulations, so you place them into
OU together. Placing them into an OU enables you to attach policies that apply to both the HR and legal departments’ AWS accounts.
41
What's the difference between AWS organisation & AWS Organisation Units?
AWS organization: consolidate multiple AWS accounts under one AWS organization, easier to manage and have consolidated billing
AWS organizational units: group accounts into organizational units (OUs) to make it easier to manage accounts with similar business or security requirements.
42
You are configuring service control policies (SCPs) in AWS Organizations. Which identities and resources can SCPs be applied to?
you can apply service control policies (SCPs) to the organization root, an individual member account, or an OU.
The SCP affects all IAM users, groups, and roles within an account, including the AWS account root user.
43
You can apply IAM policies to IAM users, groups, or roles. You cannot apply an IAM policy to the ______
AWS Account Root User
44
You need to uphold specific standards. An audit or inspection will ensure that the company has met those standards what AWS service can you use get reports?
AWS Artifact is a service that provides on-demand access to AWS security and compliance reports and select online agreements.
45
AWS Artifact consists of two main sections:
AWS Artifact Agreements and AWS Artifact Reports.
46
Suppose that your company needs to sign an agreement with AWS regarding information you store against Health Insurance Portability and Accountability Act (HIPAA) regulations. What AWS service can you use?
AWS Artifact Agreements, you can review, accept, and manage agreements for an individual account and for all your accounts in AWS Organizations
47
suppose that a member of your company’s development team is building an application and needs more information about their responsibility for complying with certain regulatory standards. Which AWS service?
AWS Artifact Reports provide compliance reports from third-party auditors, they are up to date and complaint globally
48
Where can you find more information about AWS compliance?
Customer Compliance center
49
Where can you find or read customer compliance stories to discover how companies in regulated industries have solved various compliance, governance, and audit challenges.
Customer Compliance Center
50
Where can you access compliance whitepapers and documentation on topics such as:
AWS answers to key compliance questions
An overview of AWS risk and compliance
An auditing security checklist
Customer Compliance Center
51
_____ includes an auditor learning path. This learning path is designed for individuals in auditing, compliance, and legal roles who want to learn more about how their internal operations can demonstrate compliance using the AWS Cloud.
Customer Compliance Center
52
Which tasks can you complete in AWS Artifact?
Access AWS compliance reports on-demand.
| Review, accept, and manage agreements with AWS.
53
Where can you find documentation like the AWS Risk and Security Whitepaper, which you should read to ensure that you understand security and compliance with AWS.
AWS Artifact
54
Under the shared responsibility model what is AWS & Customers responsible for in terms of compliance!?
AWS underlying platform is secure and AWS can provide documentation on what types of compliance requirements they meet, through AWS Artifact
what you build on AWS is up to you. You control the architecture of your applications they need to be built with compliance, security, and the shared responsibility model in mind.
55
Whats a DDOS attack?
A denial-of-service (DoS) attack is a deliberate attempt to make a website or application unavailable to users.
56
What is this an example of?
An attacker might flood a website or application with excessive network traffic until the targeted website or application becomes overloaded and is no longer able to respond. If the website or application becomes unavailable, this denies service to users who are trying to make legitimate requests.
Attack originates from single source, DDOS Denial of service attack
57
multiple sources are used to start an attack that aims to make a website or application unavailable. This can come from a group of attackers
What is this an example of?
Distributed denial of service attack, attack originates from multiple sources.
58
The single attacker uses multiple infected computers (also known as “bots”) to send excessive traffic to a website making it unavailable.
What is thin an example of?
Distributed denial of service attack, attack comes from multiple sources.
59
To help minimize the effect of DoS and DDoS attacks on your applications, you can use ____
AWS Shield
60
_____ is a service that protects applications against DDoS attacks. AWS Shield provides two levels of protection: ____ ______
AWS Shield
Standard & Advanced protection
61
What's the difference between AWS Shield Standard and Advanced Protections?
AWS shield standard is free, automatically protects resources from most common DDOS attacks, network traffic analysis to detect malicious traffic in real time and mitigates is.
AWS advanced is paid, detailed attack diagnostics, detect and mitigate sophisticated DDOS attacks. Integrate with AWS WAF, to write custom rules to mitigate complex DDOS attacks. Also integrates with other AWS services e.g. cloudfront, route 53, elastic load balancing.
62
Which AWS shield protection is best suited for NEW modern DDOS attack prevention and why?
AWS advanced is paid, detailed attack diagnostics, detect and mitigate sophisticated DDOS attacks.
Integrate with AWS WAF, to write custom rules to mitigate complex DDOS attacks.
Also integrates with other AWS services e.g. cloudfront, route 53, elastic load balancing.
63
How does AWS shield standard automatically mitigate common DDOS attacks?
As network traffic comes into your applications, AWS Shield Standard uses a variety of analysis techniques to detect malicious traffic in real time and automatically mitigates it.
64
Which additional services can AWS Shield Advanced integrate with?
Integrate with AWS WAF, to write custom rules to mitigate complex DDOS attacks.
Also integrates with other AWS services e.g. cloudfront, route 53, elastic load balancing.
65
Whats the difference between DOS and DDOS?
DOS = one attack source
DDOS = Multiple sources
66
In addition to AWS shield analyzing network traffic, what other security solution can we use to block unwanted network traffic requests?
security groups operate at the AWS network level, not at the EC2 instance level, like an operating system firewall might.
if you are not on the list you will not get in and talk to the server!
67
ELB handles the http traffic request first, so it waits until the entire message, no matter how fast or slow, is complete before sending it over to the front end web server. Slowloris attack initiated, why won't this attack work realistically?
ELB is scalable
To overwhelm ELB, you would once again have to overwhelm the entire AWS region
68
_______ enables you to perform encryption operations through the use of cryptographic keys
AWS Key Management Service (AWS KMS)
69
A cryptographic key is _______________________________________________
a random string of digits used for locking (encrypting) and unlocking (decrypting) data
70
what can we use AWS Key Management service for? 3 points
Create, manage, and use cryptographic keys. e.g. lock out doors
Also, control the use of keys across a wide range of services and in your applications. e.g. where which key can fit, door A not door B
You can choose the specific levels of access control that you need for your keys. e.g. which IAM users and roles are able to manage keys or can temporarily disable keys so that they are no longer in use by anyone. e.g. who we give our keys too.
71
Your keys ________ , and you are always in control of them.
never leave aws kms
72
We can protect our data when in rest or in transit using _____
encryption
73
what is encryption?
securing data in a way that only authorised parties can access it,
74
What is an example of encrypting data at rest? Example with AWS pls
Use AWS KMS to encrypt and decrypt our DynamoDB table to prevent unauthorized access.
75
we have a Redshift instance running. And we want to connect it with a SQL client. How can we encrypt this data and why is it needed?
.
SSL connections encrypt data, and we can use service certificates to validate and authorize a client.
This means that data is protected when passing between Redshift, and our client
76
How can we protect data transiting between numerous other AWS services such as SQS, S3, RDS?
SSL connections to encrypt data, and we can use service certificates to validate, and authorize a client. This means that data is protected when passing between AWS service and our client.
77
_____ web application firewall that lets you monitor network requests that come into your web applications.
AWS WAF
78
Suppose that your application has been receiving malicious network requests from several IP addresses. You want to prevent these requests from continuing to access your application, but you also want to ensure that legitimate users can still access it.
What AWS service would you use?
configure the web ACL to allow all requests except those from the IP addresses that you have specified.
AWS WAF uses web access control list (ACL), to check against the list of rules that you have configured to allows access to the application.
79
AWS WAF works together with Amazon ___________ ___________ & uses ____________ to protect AWS resources.
works together with Amazon CloudFront and an Application Load Balancer
Uses W(ACL) to filter against set rules.
80
Amazon Inspector can be used to
perform automated security assessments to meet security best practices instead of manual testing.
81
___________ performed an assessment, it provides you with a list of security findings. The list prioritizes by severity level, including a detailed description of each security issue and a recommendation for how to fix it.
Amazon inspector
82
Alongside automated security assessments, what else does AWS inspector do?
provides you with a prioritised list of security findings and a recommendation for how to fix it.
83
Under the shared responsibility model, customers are responsible for the security of their applications, processes, and tools that run on AWS services.
How does AWS help?
What does the customer do?
AWS inspector automates security assessment & provides you with a prioritised list of security findings and a recommendation for how to fix it.
But the user has to implement them, the aws fixes are not 100% user does have to test them ext
84
____ is a service that provides intelligent threat detection for your AWS infrastructure and resources.
Amazon GuardDuty
85
How does Amazon GuardDuty work?
provides intelligent threat detection for your AWS infrastructure and resources. It identifies threats by continuously monitoring the network activity and account behavior within your AWS environment.
If GuardDuty detects any threats, you can find fixes on management console
86
Like AWS Shield advanced, can AWS GuardDuty integrate with other AWS services?
configure AWS Lambda functions to fix issues highlighted by GuardDuty’s security findings.
87
Whats the difference between AWS Shield and AWS GuardDuty?
AWS Shield is for DDOS attacks, network traffic
AWS GuardDuty provides intelligent threat detection for your AWS infrastructure and resources. Analysis and learn from your behaviour to identify issues then provides fixes unlike AWS Shield.
Dont get confused with AWS inspector!
88
Which service will inform you of the following:
open access to Amazon EC2 instances and installations of vulnerable software versions.
amazon Inspector automatically checks applications for security vulnerabilities and deviations from security best practices and how to fix it.
89
if you have an existing corporate identity store, you can federate those users to AWS, using __________ which allows your users to use one login for both your corporate systems as well as AWS
IAM Role based access.
90
________ runs independently from your other AWS services. So it won't affect performance or availability of your existing infrastructure, and workloads.
AWS GuardDuty
91
Which service can help you retrieve findings through an API. So as to go towards the best practice of performing remediation to fix issues.
amazon inspector
