AWS CLOUD PRACTITIONER ESSENTIALS MODULE 6
What is a denial-of-service (DoS) attack?
A deliberate attack that originates from a single source to make a website or application unavailable to users.
shared responsibility model
AWS is responsible for some parts of your environment and you (the customer) are responsible for other parts.
Customers: Security in the cloud
Customers are responsible for the security of everything that they create and put in the AWS Cloud. When using AWS services, you, the customer, maintain complete control over your content. You are responsible for managing security requirements for your content, including which content you choose to store on AWS, which AWS services you use, and who has access to that content. You also control how access rights are granted, managed, and revoked. The security steps that you take will depend on factors such as the services that you use, the complexity of your systems, and your company's specific operational and security needs. Steps include selecting, configuring, and patching the operating systems that will run on Amazon EC2 instances, configuring security groups, and managing user accounts.
What is AWS Key Management Service (AWS KMS)?
Enables you to perform encryption operations through the use of cryptographic keys.
What is encryption in transit?
Ensuring that your applications' data is secure while in storage (encryption at rest) and while it is transmitted
What is the best practice for IAM policy?
Follow the security principle of least privilege when granting permissions. By following this principle, you help to prevent users or roles from having more permissions than needed to perform their tasks. For example, if an employee needs access to only a specific bucket, specify the bucket in the IAM policy. Do this instead of granting the employee access to all of the buckets in your AWS account.
Which statement best describes the principle of least privilege?
Granting only the permissions that are needed to perform specific tasks
What does an IAM policy enable you to do ?
IAM policies enable you to customize users' levels of access to resources. For example, you can allow users to access all of the Amazon S3 buckets within your AWS account, or only a specific bucket.
What happens when organizing separate accounts into OUs?
You can more easily isolate workloads or applications that have specific security requirements. For instance, if your company has accounts that can access only the AWS services that meet certain regulatory requirements, you can put these accounts into one OU. Then, you can attach a policy to the OU that blocks access to all other AWS services that do not meet the regulatory requirements.
What do the compliance whitepapers and documentation contain in the Customer Compliance Center?
-AWS answers to key compliance questions -An overview of AWS risk and compliance -An auditing security checklist
Which tasks can you complete in AWS Artifact? (Select TWO.)
-Access AWS compliance reports on-demand. -Review, accept, and manage agreements with AWS.
What is a cryptographic key?
A cryptographic key is a random string of digits used for locking (encrypting) and unlocking (decrypting) data.
What is a distributed denial-of-service attack?
A deliberate attack that originates from multiple sources to make a website or application unavailable to users.
Which statement best describes an IAM policy?
A document that grants or denies permissions to AWS services and resources
What is AWS Shield Advanced?
A paid service that provides detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS attacks.
What is AWS shield?
A service that protects applications against DDoS attacks. AWS Shield provides two levels of protection: Standard and Advanced.
What is Amazon GuardDuty?
A service that provides intelligent threat detection for your AWS infrastructure and resources. It identifies threats by continuously monitoring the network activity and account behavior within your AWS environment.
What is AWS artifacts?
A service that provides on-demand access to AWS security and compliance reports and select online agreements.
What is a web access control list (ACL)?
A web access control list (web ACL) gives you fine-grained control over the web requests that your protected resource responds to. You can protect Amazon CloudFront, Amazon API Gateway, Application Load Balancer, and AWS AppSync resources.
What is AWS WAF?
A web application firewall that lets you monitor network requests that come into your web applications.
AWS Artifact consists of what two main sections?
AWS Artifact consists of two main sections: AWS Artifact Agreements and AWS Artifact Reports.
What happens when you create an organization?
AWS Organizations automatically creates a root, which is the parent container for all the accounts in your organization.
Which service helps protect your applications against distributed denial-of-service (DDoS) attacks?
AWS Shield
What happens as network traffic comes into your applications with AWS Shield Standard?
AWS Shield Standard uses a variety of analysis techniques to detect malicious traffic in real time and automatically mitigates it.
AWS: Security of the cloud
AWS is responsible for security of the cloud. AWS operates, manages, and controls the components at all layers of infrastructure. This includes areas such as the host operating system, the virtualization layer, and even the physical security of the data centers from which services operate. AWS is responsible for protecting the global infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure includes AWS Regions, Availability Zones, and edge locations. AWS manages the security of the cloud, specifically the physical infrastructure that hosts your resources, which include: Physical security of data centers Hardware and software infrastructure Network infrastructure Virtualization infrastructure Although you cannot visit AWS data centers to see this protection firsthand, AWS provides several reports from third-party auditors. These auditors have verified its compliance with a variety of computer security standards and regulations.
What happens after you enable Amazon GuardDuty?
After you have enabled GuardDuty for your AWS account, GuardDuty begins monitoring your network and account activity. You do not have to deploy or manage any additional security software. GuardDuty then continuously analyzes data from multiple AWS sources, including VPC Flow Logs and DNS logs.
What happens when you apply a policy to an OU?
All the accounts in the OU automatically inherit the permissions specified in the policy.
What does Amazon Inspector do?
Amazon Inspector security assessments help you check for unintended network accessibility of your Amazon EC2 instances and for vulnerabilities on those EC2 instances. Amazon Inspector assessments are offered to you as pre-defined rules packages mapped to common security best practices and vulnerability definitions. Examples of built-in rules include checking for access to your EC2 instances from the internet, remote root login being enabled, or vulnerable software versions installed. These rules are regularly updated by AWS security researchers.
What is an IAM group?
An IAM group is a collection of IAM users. When you assign an IAM policy to a group, all users in the group are granted permissions specified by the policy.
What is an IAM policy?
An IAM policy is a document that allows or denies permissions to AWS services and resources.
What is an IAM role?
An IAM role is an identity that you can assume to gain temporary access to permissions.
What is an IAM user?
An IAM user is an identity that you create in AWS. It represents the person or application that interacts with AWS services and resources. It consists of a name and credentials.
What is an example of a denial-of-service (DoS) attack?
An attacker might flood a website or application with excessive network traffic until the targeted website or application becomes overloaded and is no longer able to respond. If the website or application becomes unavailable, this denies service to users who are trying to make legitimate requests.
What is Amazon Inspector?
An automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.
You are configuring service control policies (SCPs) in AWS Organizations. Which identities and resources can SCPs be applied to? (Select TWO.)
An organizational unit (OU) -An individual member account
Why does assigning IAM policies at the group level make it easier?
Assigning IAM policies at the group level also makes it easier to adjust permissions when an employee transfers to a different job. -This ensures that employees have only the permissions that are required for their current role.
What is AWS Shield Standard?
Automatically protects all AWS customers at no cost. It protects your AWS resources from the most common, frequently occurring types of DDoS attacks.
What happens when you create a new IAM user in AWS?
By default, when you create a new IAM user in AWS, it has no permissions associated with it. To allow the IAM user to perform specific actions in AWS, such as launching an Amazon EC2 instance or creating an Amazon S3 bucket, you must grant the IAM user the necessary permissions.
What is another feature of AWS organizations?
Consolidated billing
What is Customer Compliance Center?
Contains resources to help you learn more about AWS compliance.
Which task can AWS Key Management Service (AWS KMS) perform?
Create cryptographic keys.
What is the best practice for the root user?
Do not use the root user for everyday tasks. Instead, use the root user to create your first IAM user and assign it permissions to create other users. Then, continue to create other IAM users, and access those identities for performing regular tasks throughout AWS. Only use the root user when you need to perform a limited number of tasks that are only available to the root user. Examples of these tasks include changing your root user email address and changing your AWS support plan.
What does IAM do?
IAM gives you the flexibility to configure access based on your company's specific operational and security needs. You do this by using a combination of IAM features, which are explored in detail in this lesson: -IAM users, groups, and roles -IAM policies -Multi-factor authentication
An employee requires temporary access to create several Amazon S3 buckets. Which option would be the best choice for this task?
IAM role
What is IAM roles best practice?
IAM roles are ideal for situations in which access to services or resources needs to be granted temporarily, instead of long-term.
What happens when Amazon GuardDuty detects any threats?
If GuardDuty detects any threats, you can review detailed findings about them from the AWS Management Console. Findings include recommended steps for remediation. You can also configure AWS Lambda functions to take remediation steps automatically in response to GuardDuty's security findings.
Multi-factor authentication (MFA)
In IAM, multi-factor authentication (MFA) provides an extra layer of security for your AWS account.
What is an example of a distributed denial-of-service attack?
In a distributed denial-of-service (DDoS) attack, multiple sources are used to start an attack that aims to make a website or application unavailable. This can come from a group of attackers, or even a single attacker. The single attacker can use multiple infected computers (also known as "bots") to send excessive traffic to a website or application.
What can you read in the Customer Compliance Center?
In the Customer Compliance Center, you can read customer compliance stories to discover how companies in regulated industries have solved various compliance, governance, and audit challenges.
What happens when a request comes into AWS WAF?
It checks against the list of rules that you have configured in the web ACL. If a request did not come from one of the blocked IP addresses, it allows access to the application.
What else does the Customer Compliance Center include?
It includes an auditor learning path. This learning path is designed for individuals in auditing, compliance, and legal roles who want to learn more about how their internal operations can demonstrate compliance using the AWS Cloud.
What happens as network traffic comes into your applications with AWS Shield Advanced ?
It integrates with other services such as Amazon CloudFront, Amazon Route 53, and Elastic Load Balancing. Additionally, you can integrate AWS Shield with AWS WAF by writing custom rules to mitigate complex DDoS attacks.
What happens when a request comes from one of the blocked IP addresses that you have specified in the web ACL?
It is denied access.
Which tasks are the responsibilities of customers? (Select TWO.)
Patching software on Amazon EC2 instances -Setting permissions for Amazon S3 objects
What is AWS Artifact Reports?
Suppose that a member of your company's development team is building an application and needs more information about their responsibility for complying with certain regulatory standards. -Provides compliance reports from third-party auditors. These auditors have tested and verified that AWS is compliant with a variety of global, regional, and industry-specific security standards and regulations. AWS Artifact Reports remains up to date with the latest reports released. You can provide the AWS audit artifacts to your auditors or regulators as evidence of AWS security controls.
AWS Organizations
Suppose that your company has multiple AWS accounts. You can use AWS Organizations to consolidate and manage multiple AWS accounts within a central location.
What is AWS AWS Artifact Agreements?
Suppose that your company needs to sign an agreement with AWS regarding your use of certain types of information throughout AWS services -You can review, accept, and manage agreements for an individual account and for all your accounts in AWS Organizations. Different types of agreements are offered to address the needs of customers who are subject to specific regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).
TRUE OR FALSE? AWS does not guarantee that following the provided recommendations resolves every potential security issue. Under the shared responsibility model, customers are responsible for the security of their applications, processes, and tools that run on AWS services.
TRUE
What does the root user do?
The root user is accessed by signing in with the email address and password that you used to create your AWS account. You can think of the root user as being similar to the owner of the coffee shop. It has complete access to all the AWS services and resources in the account.
What does shared responsibility model divide into?
The shared responsibility model divides into customer responsibilities (commonly referred to as "security in the cloud") and AWS responsibilities (commonly referred to as "security of the cloud").
Before an IAM user, application, or service can assume an IAM role, what must happen?
They must be granted permissions to switch to the role. When someone assumes an IAM role, they abandon all previous permissions that they had under a previous role and assume the permissions of the new role.
What is the best practice for IAM users?
We recommend that you create individual IAM users for each person who needs to access AWS. Even if you have multiple employees who require the same level of access, you should create individual IAM users for each of them. This provides additional security by allowing each IAM user to have a unique set of security credentials.
What is a root user?
When you first create an AWS account, you begin with an identity known as the root user.
What do you do in AWS organizations to make it easier to manage accounts?
You can group accounts into organizational units (OUs) to make it easier to manage accounts with similar business or security requirements.
With AWS KMS, you can choose the specific levels of access control that you need for your keys. What else can you specify?
You can specify which IAM users and roles are able to manage keys. Alternatively, you can temporarily disable keys so that they are no longer in use by anyone. Your keys never leave AWS KMS, and you are always in control of them.
What else can AWS KMS allow you to do?
You can use AWS KMS to create, manage, and use cryptographic keys. You can also control the use of keys across a wide range of services and in your applications.
In AWS Organizations, how do you centrally control permissions for the accounts in your organization?
You use service control policies (SCPs). SCPs enable you to place restrictions on the AWS services, resources, and individual API actions that users and roles in each account can access.
AWS Identity and Access Management (IAM)
enables you to manage access to AWS services and resources securely.
