AWS WAF has three different behaviors: ______ all requests except the ones you specify ______ all requests except the ones you specify _____ the requests that match the properties you specify

AWS WAF has three different behaviors: Allow all requests except the ones you specify Block all requests except the ones you specify Count the requests that match the properties you specify

AWS WAF operates at which Layer, and which three attacks can it block? Layer __ ____ attacks ___ injection _____-____ Scripting

AWS WAF Layer 7 DDOS attacks SQL injection Cross-Site Scripting

What are the three ways to control permissions within KMS? The ___ Policy ___ policies in combination with ___ policies ______ in combination with ___ policies

What are the three ways to control permissions within KMS? The Key Policy IAM policies in combination with Key policies Grants in combination with Key policies

Security in the Cloud Flashcards by Raymond Sylverne

A Distributed Denial of Service is an attack that attempts to make your website ______ to your end-users

A Distributed Denial of Service is an attack that attempts to make your website unavailable to your end-users

How well did you know this?

Not at all

Perfectly

What are the three most common DDOS attacks, and at which layer do they operate?

SYN flood & NTP Amplification attack: Layer 4
GET/POST requests: Layer 7

How well did you know this?

Not at all

Perfectly

What are CloudTrail’s three main benefits?

Near real-time _________ _________
_________ & _________ compliance
After-the-fact incident _________

What are CloudTrail’s three main benefits?

Near real-time intrusion detection

Industry & regulatory compliance
After-the-fact incident investigation

How well did you know this?

Not at all

Perfectly

CloudTrail logs all ___ _____ made to your AWS account and stores these logs in ___

CloudTrail logs all API calls made to your AWS account and stores these logs in S3

How well did you know this?

Not at all

Perfectly

What are the differences in cost between AWS Shield and AWS Shield Advanced?

AWS Shield: Free
AWS Shield Advanced: $3k a month & 1 yr commitment

How well did you know this?

Not at all

Perfectly

What does AWS Shield Advanced offer that AWS Shield does not?

A dedicated 24/7 DDOS response team

How well did you know this?

Not at all

Perfectly

AWS WAF has three different behaviors:

*______** all requests except the ones you specify
*______** all requests except the ones you specify
*_____** the requests that match the properties you specify

AWS WAF has three different behaviors:

Allow all requests except the ones you specify

*Block** all requests except the ones you specify
*Count** the requests that match the properties you specify

How well did you know this?

Not at all

Perfectly

AWS WAF operates at which Layer, and which three attacks can it block?

Layer __

*____** attacks
*___** injection
*_____-____** Scripting

AWS WAF

Layer 7

*DDOS** attacks
*SQL** injection
*Cross-Site** Scripting

How well did you know this?

Not at all

Perfectly

Which service allows you to block specific countries or IP addresses?

AWS WAF

How well did you know this?

Not at all

Perfectly

How does AWS Guard Duty determine what normal behavior is in your account?

It uses __ to learn what normal behavior is in your account and alerts you of any ________ or _______ behavior.

AWS Guard Duty

It uses AI to learn what normal behavior is in your account and alerts you of any abnormal or malicious behavior.

How well did you know this?

Not at all

Perfectly

AWS Guard Duty updates a database of known malicious domains using ______ ____ from _____ _______

AWS Guard Duty updates a database of known malicious domains using external feeds from third-parties.

How well did you know this?

Not at all

Perfectly

What does logs does Guard Duty monitor? (3)

What does Guard Duty monitor?

Cloud Trail Logs, VPC Flow Logs, and DNS Logs

How well did you know this?

Not at all

Perfectly

AWS Macie uses AI to analyze data in __ to help _______ and ______ the leak of data from which three pieces of information? (3)

AWS Macie uses AI to analyze data in S3 to help identify and prevent the leak of data from which three pieces of information?

*PII Personal Identifiable Information**

PHI Personal Health Information

Financial Data

How well did you know this?

Not at all

Perfectly

Macie alerts can be sent to Amazon _____________ and integrated with your _______ ____________ system

Macie alerts can be sent to Amazon Eventbridge and integrated with your event management system

How well did you know this?

Not at all

Perfectly

AWS Inspector is used to run vulnerability scans on ___ _________ and _____

AWS Inspector is used to run vulnerability scans on both EC2 instances and VPCs

How well did you know this?

Not at all

Perfectly

What are the two AWS Inspector scans called?

Host Assessment
Network Assessment

How well did you know this?

Not at all

Perfectly

AWS Key Management Service is a managed service that makes it easy for you to _____ and ______ the encryption keys used to _______ your data

AWS Key Management Service is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data

How well did you know this?

Not at all

Perfectly

You initiate KMS services by requesting the creation of a _______ ______ Key

You initiate KMS services by requesting the creation of a Customer Master Key (CMK)

How well did you know this?

Not at all

Perfectly

The first way to generate a CMK is if AWS creates the CMK for you by generating the CMK within a _________ ________ module

The first way is AWS created the CMK for you by generating the CMK within a Hardware Security Modules

How well did you know this?

Not at all

Perfectly

The second way to generate a CMK by importing your own ____ __________ Infrastructure and _____________ it with a CMK

The second way to generate a CMK is by importing your own Key Management Infrastructure and associating it with a CMK

How well did you know this?

Not at all

Perfectly

The third way to generate a CMK is to have the key material generated and used in an AWS ________ cluster as part of the custom key store feature in AWS ___

The third way to generate a CMK is to have the key material generated and used in an AWS CloudHSM cluster as part of the custom key store feature in AWS KMS

How well did you know this?

Not at all

Perfectly

What are the three ways to control permissions within KMS?

The ___ Policy

*___** policies in combination with ___ policies
*______** in combination with ___ policies

What are the three ways to control permissions within KMS?

The Key Policy

*IAM** policies in combination with Key policies
*Grants** in combination with Key policies

How well did you know this?

Not at all

Perfectly

A Key Policy allows you to ________ the full scope of _____ to the CMK via a single ________

A Key Policy allows you to control the full scope of access to the CMK via a single document

How well did you know this?

Not at all

Perfectly

Using ____ policies in combination with ___ policies enables you to manage all the permissions for your IAM identities in IAM

Using IAM policies in combination with Key policies enables you to manage all the permissions for your IAM identities in IAM

How well did you know this?

Not at all

Perfectly

Grants in combination with Key policies enable you to allow **\_\_\_\_\_** to the CMK as well as allow users to **\_\_\_\_\_\_\_\_** their access to others

Grants in combination with Key policies enable you to allow **access** to the CMK as well as allow users to **delegate** their access to others

Between KMS or CloudHSM, which offers automatic Key Rotation?

Between KMS or CloudHSM, which has automatic Key Rotation? KMS: automatic key rotation CloudHSM: no automatic key rotation

What is the difference in Tenancy Rules regarding KMS vs. CloudHSM: KMS: **\_\_\_\_\_\_** Tenancy CloudHSM: **\_\_\_\_\_\_\_\_** host to you and you have full control of **\_\_\_\_\_\_\_\_ \_\_\_\_\_\_\_\_**

What is the difference in Tenancy Rules regarding KMS vs. CloudHSM: KMS: **Shared** Tenancy CloudHSM: **Dedicated** host to you, and you have full control of **underlying** **hardware**

CloudHSM offers full control of users, **\_\_\_\_\_\_**, and **\_\_\_\_\_**

CloudHSM offers full control of **users, groups, and keys**

Secrets Manager can be used to securely store (3) **\_\_\_\_\_\_\_\_** credentials Passwords **\_\_\_/\_\_\_** Keys

Secrets Manager can be used to securely store (3) * *Database** credentials * *Passwords** * *API/SSH** Keys

When enabled, Secrets Manager will **\_\_\_\_\_\_\_** credentials **\_\_\_\_\_\_\_\_\_\_**. If applications and instances are not properly configured, you won't be able to access your \_\_\_\_\_\_\_\_\_\_

When enabled, Secrets Manager will **rotate** credentials **immediately**. If applications and instances are not properly configured, you won't be able to access your **resources**

Parameter Store and Secrets Manager offer similar services when should you use one versus the other? If you are trying to **\_\_\_\_\_\_\_\_** cost use **\_\_\_\_\_\_\_\_\_**

Parameter Store and Secrets Manager offer similar services when should you use one versus the other? If you are trying to **minimize** cost use the **parameter store**

Secrets Manager is perfect if you need more than 10,000 **\_\_\_\_\_\_\_\_\_\_**, key ________ or the need to generate passwords using \_\_\_\_\_\_\_\_\_\_\_\_\_

Secrets Manager is perfect if you need more than 10,000 **parameters**, **key rotations,** or need to generate passwords using **CloudFormation**

Presigned URLs let you **\_\_\_\_\_ \_\_\_\_\_\_\_** files from your S3 bucket

Presigned URLs let you **share** **private** files from your S3 bucket

When it comes to IAM policies, if something is not explicitly allowed it is ______ \_\_\_\_\_

When it comes to IAM policies if something is not explicitly allowed it is **implicitly denied**

An IAM policy needs to be ________ before it can have an **\_\_\_\_\_**

An IAM policy needs to be **attached** before it can have an **effect**

AWS Managed Microsoft AD is the best choice if you have more than _____ users and/or need a ____ relationship setup

AWS Managed Microsoft AD is the best choice if you have more than **5000 users** and/or need a **trust** relationship setup

AD Connector is the best choice when you want to use an existing _____ \_\_\_\_\_\_\_\_ with AWS Services

AD Connector is the best choice when you want to use an existing **Active Directory** with AWS Services

AD Connector comes in two sizes what are they, and what are the user maximum counts?

AD Connector comes in two sizes what are they, and what are the user maximum counts? Small: designed for orgs w/up to 500 users Large: designed for orgs w/up to 5000 users

What type of connection do you require, when using AWS Managed Microsoft AD or AD connector?

What type of connection do you require when using AWS Managed Microsoft AD or AD connector? VPN or Direct Connect

Simple AD is the most inexpensive AD service and is the best option if you have less than **\_\_\_** users and don't need **\_\_\_\_\_\_\_\_** AD features

Simple AD is the most inexpensive AD service and is the best option if you have less than **500** users and don't need **advanced** AD features

Simple AD features Manage users, groups, and **\_\_\_\_\_\_\_** **\_\_\_\_\_\_\_**-based SSO Supports joining **\_\_\_\_\_** or **\_\_\_\_\_\_\_\_**-based EC2 instances

Simple AD features Manage users, groups, and **policies** **Kerberos**-based SSO Supports joining **Linux** or **Windows**-based EC2 instances

Rules contain a statement that defines the **\_\_\_\_\_\_\_\_\_\_ \_\_\_\_\_\_**, and an **\_\_\_\_\_\_** to take if a web request meets the **\_\_\_\_\_\_**

Rules contain a statement that defines the **inspection criteria**, and an **action** to take if a web request meets the **criteria**

What type of encryption does KMS support (2)

Symmetric and Asymmetric encryption

Customer Master Key (CMK) contains the ___ \_\_\_\_\_\_\_ used to ______ and ______ data

Customer Master Key (CMK) contains the **key material** used to **encrypt** and **decrypt** data

What is the data size limit that CMK can encrypt?

CMK can encrypt up to 4KB in size

What type of key would you use if you wanted to encrypt a large amount of data?

Data encryption key

CloudHSM is a cloud-based _________ \_\_\_\_\_\_\_\_\_ module

CloudHSM is a cloud-based hardware security module

With CloudHSM you **\_\_\_\_\_\_\_\_** and use your own **\_\_\_\_\_\_\_\_ \_\_\_**

With CloudHSM you **generate** and use your own **encryption key**

With CloudHSM you retain **\_\_\_\_\_\_\_** of your encryption keys. AWS has no **\_\_\_\_\_\_\_\_** of your encryption keys

With CloudHSM you retain **control** of your encryption keys. AWS has no **visibility** of your encryption keys

What services does AWS Certificate Manager integrate with (5) Elastic ____ \_\_\_\_\_\_\_\_\_ Elastic \_\_\_\_\_\_\_\_\_ Cloud\_\_\_\_\_\_\_\_\_ Cloud\_\_\_\_\_ \_\_\_\_ Enclaves

Elastic Load Balancing Elastic Beanstalk CloudFormation Cloudfront Nitro Enclaves

A ___ \_\_\_\_\_\_ tells AWS WAF what to do with a web request when it matches the ______ defined in the \_\_\_\_

A **rule action** tells AWS WAF what to do with a web request when it matches the **criteria** defined in the **rule**

AWS KMS allows you to control Key usage across AWS _______ and \_\_\_\_\_\_\_\_\_\_

AWS KMS allows you to control Key usage across **AWS services and applications**

Parameter Store provides secure hierarchical storage for configuration ____ and \_\_\_\_\_\_\_

Parameter Store provides secure hierarchical storage for configuration **data and secrets**

What type of data does Parameter Store maintain as values? \_\_\_\_\_\_\_\_\_ \_\_\_\_\_\_\_\_\_ strings \_\_\_\_\_\_\_\_ Codes

What type of data does Parameter Store maintain as values? **Passwords** **Database** strings **License** Codes

Parameter Store can store values in two forms, what are they?

Parameter Store can store values in two forms; what are they? Plaintext (unencrypted) Ciphertext (encrypted)

Secrets Manager rotates secrets safely without the need for ____ \_\_\_\_\_\_\_\_\_\_

Secrets Manager rotates secrets safely without the need for **code deployments**

Secrets Manager offers an automatic rotation of credentials (built-in) for which **three AWS Services?** Amazon \_\_\_ Amazon \_\_\_\_\_\_\_\_ Amazon \_\_\_\_\_\_\_\_\_\_

Secrets Manager offers an automatic rotation of credentials (built-in) for: Amazon RDS Amazon Redshift Amazon DocumentDB

AWS WAF lets you create rules to filter web traffic based on conditions like **\_\_ \_\_\_\_\_\_\_\_\_, \_\_\_\_** headers, and **\_\_\_\_\_**

AWS WAF lets you create rules to filter web traffic based on conditions like **IP address, HTTP** headers, and **URL's**

AWS Shield supports _____ mitigation & protection against Layer _____ & ____ attacks.

AWS Shield supports **DDOS** mitigation & protection against Layer **three** & **four** attacks.

AWS KMS key can do what 3 things to data keys?

AWS KMS key can be use to **generate, encrypt and decrypt data keys**

What is the Automatic rotational period for AWS & Customer managed KMS keys?

Automatic Rotation Cycles Customer Managed KMS key: 365 days AWS Managed KMS key: 1095 days/ 3yrs

To share snapshots with another account, you must specify which two permissions.

To share snapshots with another account you must specify Decrypt and CreateGrant permissions

The kms:ViaService condition key can be used to limit what ?

The kms:ViaService condition key can be used to limit key usage to specific AWS services

What is the API action removes key material?

You must use the DeletelmportedKeyMaterial API to remove the key material

An Amazon Cognito User Pool is a directory for managing _________ & _____________ for mobile applications

An Amazon Cognito User Pool is a directory for managing sign-in and sign-up for mobile applications

Cognito Identity pools are used to obtain ____________ and _________ \_\_\_\_\_\_\_\_\_\_\_\_\_\_ for AWS services

Cognito Identity pools are used to obtain **temporary, & limited-privilege credentials** for AWS services

What two locations can Cognito Identities come from?

Identities can come from a Cognito user pool Identities can also come from social **Identity providers (IdPs)**

Security in the Cloud Flashcards

(67 cards)