Security in the Cloud Flashcards

(67 cards)

1
Q

A Distributed Denial of Service is an attack that attempts to make your website ______ to your end-users

A

A Distributed Denial of Service is an attack that attempts to make your website unavailable to your end-users

2
Q

What are the three most common DDOS attacks, and at which layer do they operate?

A

SYN flood & NTP Amplification attack: Layer 4
GET/POST requests: Layer 7

3
Q

What are CloudTrail’s three main benefits?

Near real-time _________ _________
_________ & _________ compliance
After-the-fact incident _________

A

What are CloudTrail’s three main benefits?

Near real-time intrusion detection
Industry & regulatory compliance
After-the-fact incident investigation

4
Q

CloudTrail logs all ___ _____ made to your AWS account and stores these logs in ___

A

CloudTrail logs all API calls made to your AWS account and stores these logs in S3

5
Q

What are the differences in cost between AWS Shield and AWS Shield Advanced?

A

AWS Shield: Free
AWS Shield Advanced: $3k a month & 1 yr commitment

6
Q

What does AWS Shield Advanced offer that AWS Shield does not?

A

What does AWS Shield Advanced offer that AWS Shield does not?

A dedicated 24/7 DDOS response team

7
Q

AWS WAF has three different behaviors:

  • **______** all requests except the ones you specify
  • **______** all requests except the ones you specify
  • **_____** the requests that match the properties you specify

A

AWS WAF has three different behaviors:

  • **Allow** all requests except the ones you specify
  • **Block** all requests except the ones you specify
  • **Count** the requests that match the properties you specify

8
Q

AWS WAF operates at which Layer, and which three attacks can it block?

Layer __

  • **____** attacks
  • **___** injection
  • **_____-____** Scripting

A

AWS WAF

Layer 7

  • **DDOS** attacks
  • **SQL** injection
  • **Cross-Site** Scripting

9
Q

Which service allows you to block specific countries or IP addresses?

A

Which service allows you to block specific countries or IP addresses?

AWS WAF

10
Q

How does AWS GuardDuty determine what normal behavior is in your account?

It uses __ to learn what normal behavior is in your account and alerts you of any ________ or _______ behavior.

A

AWS GuardDuty

It uses AI to learn what normal behavior is in your account and alerts you of any abnormal or malicious behavior.

11
Q

AWS GuardDuty updates a database of known malicious domains using ______ ____ from _____ _______

A

AWS GuardDuty updates a database of known malicious domains using external feeds from third parties.

12
Q

Which logs does GuardDuty monitor? (3)

A

Which logs does GuardDuty monitor?

CloudTrail Logs, VPC Flow Logs, and DNS Logs

13
Q

AWS Macie uses AI to analyze data in __ to help _______ and ______ the leak of which three types of information? (3)

A

AWS Macie uses AI to analyze data in S3 to help identify and prevent the leak of which three types of information?

  • **PII** Personally Identifiable Information
  • **PHI** Personal Health Information
  • **Financial Data**

14
Q

Macie alerts can be sent to Amazon _____________ and integrated with your _______ ____________ system

A

Macie alerts can be sent to Amazon EventBridge and integrated with your event management system

15
Q

AWS Inspector is used to run vulnerability scans on ___ _________ and _____

A

AWS Inspector is used to run vulnerability scans on both EC2 instances and VPCs

16
Q

What are the two AWS Inspector scans called?

A

What are the two AWS Inspector scans called?

Host Assessment
Network Assessment

17
Q

AWS Key Management Service is a managed service that makes it easy for you to _____ and ______ the encryption keys used to _______ your data

A

AWS Key Management Service is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data

18
Q

You initiate KMS services by requesting the creation of a _______ ______ Key

A

You initiate KMS services by requesting the creation of a Customer Master Key (CMK)

19
Q

The first way to generate a CMK is if AWS creates the CMK for you by generating the CMK within a _________ ________ module

A

The first way is that AWS creates the CMK for you by generating the CMK within a Hardware Security Module

20
Q

The second way to generate a CMK is by importing your own ____ __________ Infrastructure and _____________ it with a CMK

A

The second way to generate a CMK is by importing your own Key Management Infrastructure and associating it with a CMK

21
Q

The third way to generate a CMK is to have the key material generated and used in an AWS ________ cluster as part of the custom key store feature in AWS ___

A

The third way to generate a CMK is to have the key material generated and used in an AWS CloudHSM cluster as part of the custom key store feature in AWS KMS

22
Q

What are the three ways to control permissions within KMS?

  • The ___ Policy
  • **___** policies in combination with ___ policies
  • **______** in combination with ___ policies

A

What are the three ways to control permissions within KMS?

  • The Key Policy
  • **IAM** policies in combination with Key policies
  • **Grants** in combination with Key policies

23
Q

A Key Policy allows you to ________ the full scope of _____ to the CMK via a single ________

A

A Key Policy allows you to control the full scope of access to the CMK via a single document

24
Q

Using ____ policies in combination with ___ policies enables you to manage all the permissions for your IAM identities in IAM

A

Using IAM policies in combination with Key policies enables you to manage all the permissions for your IAM identities in IAM

25
Q

Grants in combination with Key policies enable you to allow **\_\_\_\_\_** to the CMK as well as allow users to **\_\_\_\_\_\_\_\_** their access to others

A

Grants in combination with Key policies enable you to allow **access** to the CMK as well as allow users to **delegate** their access to others

26
Q

Between KMS and CloudHSM, which offers automatic Key Rotation?

A

Between KMS and CloudHSM, which has automatic Key Rotation?

KMS: automatic key rotation
CloudHSM: no automatic key rotation

27
Q

What is the difference in Tenancy Rules regarding KMS vs. CloudHSM?

KMS: **\_\_\_\_\_\_** Tenancy
CloudHSM: **\_\_\_\_\_\_\_\_** host to you, and you have full control of **\_\_\_\_\_\_\_\_ \_\_\_\_\_\_\_\_**

A

What is the difference in Tenancy Rules regarding KMS vs. CloudHSM?

KMS: **Shared** Tenancy
CloudHSM: **Dedicated** host to you, and you have full control of **underlying hardware**

28
Q

CloudHSM offers full control of users, **\_\_\_\_\_\_**, and **\_\_\_\_\_**

A

CloudHSM offers full control of **users, groups, and keys**

29
Q

Secrets Manager can be used to securely store (3)

  • **\_\_\_\_\_\_\_\_** credentials
  • Passwords
  • **\_\_\_/\_\_\_** Keys

A

Secrets Manager can be used to securely store (3)

  • **Database** credentials
  • **Passwords**
  • **API/SSH** Keys

30
Q

When enabled, Secrets Manager will **\_\_\_\_\_\_\_** credentials **\_\_\_\_\_\_\_\_\_\_**. If applications and instances are not properly configured, you won't be able to access your **\_\_\_\_\_\_\_\_\_\_**

A

When enabled, Secrets Manager will **rotate** credentials **immediately**. If applications and instances are not properly configured, you won't be able to access your **resources**

31
Q

Parameter Store and Secrets Manager offer similar services; when should you use one versus the other? If you are trying to **\_\_\_\_\_\_\_\_** cost, use **\_\_\_\_\_\_\_\_\_**

A

Parameter Store and Secrets Manager offer similar services; when should you use one versus the other? If you are trying to **minimize** cost, use the **Parameter Store**

32
Q

Secrets Manager is perfect if you need more than 10,000 **\_\_\_\_\_\_\_\_\_\_**, key **\_\_\_\_\_\_\_\_**, or need to generate passwords using **\_\_\_\_\_\_\_\_\_\_\_\_\_**

A

Secrets Manager is perfect if you need more than 10,000 **parameters**, **key rotations**, or need to generate passwords using **CloudFormation**

33
Q

Presigned URLs let you **\_\_\_\_\_ \_\_\_\_\_\_\_** files from your S3 bucket

A

Presigned URLs let you **share private** files from your S3 bucket

34
Q

When it comes to IAM policies, if something is not explicitly allowed it is **\_\_\_\_\_\_ \_\_\_\_\_**

A

When it comes to IAM policies, if something is not explicitly allowed it is **implicitly denied**

35
Q

An IAM policy needs to be **\_\_\_\_\_\_\_\_** before it can have an **\_\_\_\_\_**

A

An IAM policy needs to be **attached** before it can have an **effect**
36
Q

AWS Managed Microsoft AD is the best choice if you have more than **\_\_\_\_\_** users and/or need a **\_\_\_\_** relationship setup

A

AWS Managed Microsoft AD is the best choice if you have more than **5000 users** and/or need a **trust** relationship setup

37
Q

AD Connector is the best choice when you want to use an existing **\_\_\_\_\_ \_\_\_\_\_\_\_\_** with AWS Services

A

AD Connector is the best choice when you want to use an existing **Active Directory** with AWS Services

38
Q

AD Connector comes in two sizes; what are they, and what are the user maximum counts?

A

AD Connector comes in two sizes; what are they, and what are the user maximum counts?

Small: designed for orgs with up to 500 users
Large: designed for orgs with up to 5000 users

39
Q

What type of connection do you require when using AWS Managed Microsoft AD or AD Connector?

A

What type of connection do you require when using AWS Managed Microsoft AD or AD Connector?

VPN or Direct Connect

40
Q

Simple AD is the most inexpensive AD service and is the best option if you have less than **\_\_\_** users and don't need **\_\_\_\_\_\_\_\_** AD features

A

Simple AD is the most inexpensive AD service and is the best option if you have less than **500** users and don't need **advanced** AD features

41
Q

Simple AD features:

  • Manage users, groups, and **\_\_\_\_\_\_\_**
  • **\_\_\_\_\_\_\_**-based SSO
  • Supports joining **\_\_\_\_\_** or **\_\_\_\_\_\_\_\_**-based EC2 instances

A

Simple AD features:

  • Manage users, groups, and **policies**
  • **Kerberos**-based SSO
  • Supports joining **Linux** or **Windows**-based EC2 instances

42
Q

Rules contain a statement that defines the **\_\_\_\_\_\_\_\_\_\_ \_\_\_\_\_\_**, and an **\_\_\_\_\_\_** to take if a web request meets the **\_\_\_\_\_\_**

A

Rules contain a statement that defines the **inspection criteria**, and an **action** to take if a web request meets the **criteria**

43
Q

What types of encryption does KMS support? (2)

A

Symmetric and Asymmetric encryption

44
Q

Customer Master Key (CMK) contains the **\_\_\_ \_\_\_\_\_\_\_** used to **\_\_\_\_\_\_** and **\_\_\_\_\_\_** data

A

Customer Master Key (CMK) contains the **key material** used to **encrypt** and **decrypt** data

45
Q

What is the data size limit that a CMK can encrypt?

A

A CMK can encrypt up to 4KB in size
46
Q

What type of key would you use if you wanted to encrypt a large amount of data?

A

Data encryption key

47
Q

CloudHSM is a cloud-based **\_\_\_\_\_\_\_\_\_ \_\_\_\_\_\_\_\_\_** module

A

CloudHSM is a cloud-based **hardware security** module

48
Q

With CloudHSM you **\_\_\_\_\_\_\_\_** and use your own **\_\_\_\_\_\_\_\_ \_\_\_**

A

With CloudHSM you **generate** and use your own **encryption key**

49
Q

With CloudHSM you retain **\_\_\_\_\_\_\_** of your encryption keys. AWS has no **\_\_\_\_\_\_\_\_** of your encryption keys

A

With CloudHSM you retain **control** of your encryption keys. AWS has no **visibility** of your encryption keys

50
Q

What services does AWS Certificate Manager integrate with? (5)

  • Elastic \_\_\_\_ \_\_\_\_\_\_\_\_\_
  • Elastic \_\_\_\_\_\_\_\_\_
  • Cloud\_\_\_\_\_\_\_\_\_
  • Cloud\_\_\_\_\_
  • \_\_\_\_ Enclaves

A

  • Elastic Load Balancing
  • Elastic Beanstalk
  • CloudFormation
  • CloudFront
  • Nitro Enclaves

51
Q

A **\_\_\_ \_\_\_\_\_\_** tells AWS WAF what to do with a web request when it matches the **\_\_\_\_\_\_** defined in the **\_\_\_\_**

A

A **rule action** tells AWS WAF what to do with a web request when it matches the **criteria** defined in the **rule**

52
Q

AWS KMS allows you to control Key usage across AWS **\_\_\_\_\_\_\_** and **\_\_\_\_\_\_\_\_\_\_**

A

AWS KMS allows you to control Key usage across **AWS services and applications**

53
Q

Parameter Store provides secure hierarchical storage for configuration **\_\_\_\_** and **\_\_\_\_\_\_\_**

A

Parameter Store provides secure hierarchical storage for configuration **data and secrets**

54
Q

What type of data does Parameter Store maintain as values?

  • **\_\_\_\_\_\_\_\_\_**
  • **\_\_\_\_\_\_\_\_\_** strings
  • **\_\_\_\_\_\_\_\_** Codes

A

What type of data does Parameter Store maintain as values?

  • **Passwords**
  • **Database** strings
  • **License** Codes

55
Q

Parameter Store can store values in two forms; what are they?

A

Parameter Store can store values in two forms; what are they?

Plaintext (unencrypted)
Ciphertext (encrypted)

56
Q

Secrets Manager rotates secrets safely without the need for **\_\_\_\_ \_\_\_\_\_\_\_\_\_\_**

A

Secrets Manager rotates secrets safely without the need for **code deployments**

57
Q

Secrets Manager offers automatic rotation of credentials (built-in) for which **three AWS Services?**

  • Amazon \_\_\_
  • Amazon \_\_\_\_\_\_\_\_
  • Amazon \_\_\_\_\_\_\_\_\_\_

A

Secrets Manager offers automatic rotation of credentials (built-in) for:

  • Amazon RDS
  • Amazon Redshift
  • Amazon DocumentDB
58
Q

AWS WAF lets you create rules to filter web traffic based on conditions like **\_\_ \_\_\_\_\_\_\_\_\_, \_\_\_\_** headers, and **\_\_\_\_\_**

A

AWS WAF lets you create rules to filter web traffic based on conditions like **IP address, HTTP** headers, and **URLs**

59
Q

AWS Shield supports **\_\_\_\_\_** mitigation & protection against Layer **\_\_\_\_\_** & **\_\_\_\_** attacks.

A

AWS Shield supports **DDOS** mitigation & protection against Layer **three** & **four** attacks.

60
Q

An AWS KMS key can do which 3 things to data keys?

A

An AWS KMS key can be used to **generate, encrypt, and decrypt data keys**

61
Q

What is the automatic rotation period for AWS managed and customer managed KMS keys?

A

Automatic Rotation Cycles

Customer Managed KMS key: 365 days
AWS Managed KMS key: 1095 days / 3 yrs

62
Q

To share snapshots with another account, you must specify which two permissions?

A

To share snapshots with another account, you must specify Decrypt and CreateGrant permissions

63
Q

The kms:ViaService condition key can be used to limit what?

A

The kms:ViaService condition key can be used to limit key usage to specific AWS services

64
Q

Which API action removes key material?

A

You must use the DeleteImportedKeyMaterial API to remove the key material

65
Q

An Amazon Cognito User Pool is a directory for managing **\_\_\_\_\_\_\_\_\_** & **\_\_\_\_\_\_\_\_\_\_\_\_\_** for mobile applications

A

An Amazon Cognito User Pool is a directory for managing sign-in and sign-up for mobile applications

66
Q

Cognito Identity pools are used to obtain **\_\_\_\_\_\_\_\_\_\_\_\_** and **\_\_\_\_\_\_\_\_\_ \_\_\_\_\_\_\_\_\_\_\_\_\_\_** for AWS services

A

Cognito Identity pools are used to obtain **temporary, limited-privilege credentials** for AWS services

67
Q

What two locations can Cognito Identities come from?

A

Identities can come from a Cognito user pool
Identities can also come from social **Identity providers (IdPs)**