Security & Compliance

Question 1

DDOS Protection on AWS

Answer 1

• AWS Shield Standard
• AWS Shield Advanced (premium protection)
• AWS WAF
• CloudFront and Route 53

Question 2

AWS Shield Standard

Answer 2

• Free service that is activated for every AWS customer

Question 3

AWS Shield Advanced

Answer 3

• Protect against more sophisticated attack
• 24/7 access to AWS DDoS response team (DRP)

Question 4

AWS WAF – Web Application Firewall

Answer 4

• Protects your web applications from common web exploits (Layer 7)
• Layer 7 is HTTP

Question 5

AWS Network Firewall

Answer 5

• Protect your entire Amazon VPC
• From Layer 3 to Layer 7 protection

Question 6

AWS Firewall Manager

Answer 6

• Manage security rules in all accounts of an AWS Organization
• Rules are applied to new resources as they are created

Question 7

Data at rest vs. Data in transit

Answer 7

• Data at rest: data stored or archived
• Data in transit: data being moved from one location to another
• to encrypt use encryption keys

Question 8

AWS KMS (Key Management Service)

Answer 8

• KMS = AWS manages the encryption keys for us
• Anytime you hear “encryption” for an AWS service, it’s most likely KMS

Question 9

CloudHSM

Answer 9

• AWS provisions encryption hardware

Question 10

Types of KMS Keys

Answer 10

• Customer Managed Key, AWS Managed Key, AWS Owned Key, CloudHSM Keys (custom keystore)

Question 11

AWS Certificate Manager (ACM)

Answer 11

• provision, manage, and deploy SSL/TLS Certificates

Question 12

AWS Secrets Manager

Answer 12

• for storing secrets
• rotation of secrets every X days
• Integration with Amazon RDS

Question 13

Amazon GuardDuty

Answer 13

• Threat discovery to protect AWS Account
• Can protect against CryptoCurrency attacks

Question 14

Amazon Inspector

Answer 14

• Automated Security Assessments for EC2 instances, Container Images & Lambda
  functions

Question 15

AWS Config

Answer 15

• Helps with auditing and recording compliance
• Helps record configurations and changes over time

Question 16

AWS Macie

Answer 16

• uses machine learning and pattern matching to discover and protect sensitive data

Question 17

AWS Security Hub

Answer 17

• Central security tool
• automate security checks across several accounts

Question 18

Amazon Detective

Answer 18

• analyzes, investigates, and quickly identifies the root cause of security issues or suspicious activities (ML and graphs)

Question 19

AWS Abuse

Answer 19

• Report suspected AWS resources
• Spam, Port scanning, DoS or DDoS attacks, Intrusion attempts, Hosting objectionable or copyrighted content, Distributing malware

Question 20

Root user privileges

Answer 20

• Root user = Account Owner
• Lock away your AWS account root user access keys
• only by root user: Change account settings, Close your AWS account, Change or cancel your AWS Support plan, Register as a seller

Question 21

IAM Access Analyzer

Answer 21

• identify which resources are shared externally (Define ZoneofTrust)