AWS Module 4 Cloud Security
In the shared responsibility model, which two of the following are examples of "security in the cloud"? (Choose two.)
"Encryption of data at rest and data in transit" and "Security group configurations" are examples of security in the cloud.
Which statements about IAM user authentication are true?
- AWS credentials to authenticate with any supported services must be provided
- A username and password to authenticate to the console must be provided
Resource-based policies
- Attached to a resource (e.g., an S3 bucket)
- Specifies who has access to the resource and what actions they can perform on it
- The policies are INLINE only, not managed
- Supported only by some AWS services
Which of the following are AWS Identity and Access Management (IAM) best practices for Amazon Web Services (AWS)? (Select THREE.)
- Use policy conditions for extra security.
- Use groups to assign permissions to IAM users.
- Enable multi-factor authentication (MFA).
In the shared responsibility model, which of the following are examples of "security of the cloud"? (Choose 2) 1. Compliance with compute security standards and regulations 2. Physical infrastructure 3. Security group configurations 4. Encryption of data at rest and data in transit
1. Compliance with compute security standards and regulations 3. Security group configurations
When creating an AWS Identity and Access Management (IAM) policy, what are the two types of access that can be granted to a user? (Choose 2) 1. Institute access 2. Programmatic Access 3. AWS Management Console Access 4. Administrative Access
2. Programmatic Access 3. AWS Management Console Access
Which of the following are best practices to secure your account using AWS Identity and Access Management (IAM)? (Choose 2) 1. Provide users with default administrative privileges 2. Leave it alone 3. Managing access to AWS resources 4. Avoid giving access rights to multiple users 5. Define fine-grained access rights
3. Managing access to AWS resources 5. Define fine-grained access rights
IAM group
A collection of IAM users that are granted identical authorization
IAM user
A person or application that can authenticate with an AWS account.
What is the difference between a role and a user in reference to IAM?
A role does not have credentials associated with it, whereas users do.
Principle of Least Privilege
A security discipline that requires that a particular user, system, or application be given no more privilege than necessary to perform its function or job. *Given only permission needed to perform specific task*
Root User
A single sign-in identity that has complete access to all AWS services and resources in the account
Security Group
A virtual firewall to control inbound and outbound traffic for your instance.
A doctor's office wants to make sure its staff meets all compliance regulations as they store sensitive patient data in the cloud. Which cloud service would best meet this need?
AWS Artifact
True or False? AWS Key Management Service (AWS KMS) enables you to assess, audit, and evaluate the configurations of your AWS resources.
AWS Key Management Service (AWS KMS) is a service that allows you to create and manage encryption keys and control the use of encryption across a wide range of AWS services and in your applications.
Which cloud service would best serve a security administrator who wants to block all traffic from a specific IP address?
AWS WAF
After initial login, what does AWS recommend as best practice for the AWS account root user? (Select the best answer.)
After initial login, AWS recommends deleting the access keys of the AWS account root user as the best practice.
IAM Permissions
An explicit deny will always override any allow statement
Inline Policies
Are directly embedded into one single entity (user, group, or role)
Identity-based policy
Attach a policy to any IAM entity - User, Group, or Role. Policies specify:
- Actions that MAY be performed by the entity
- Actions that MAY NOT be performed by the entity
- A single policy can be attached to multiple entities
- A single entity can have multiple policies attached to it.
What is the correct term for the process of verifying a user's identity as a developer?
Authentication
Which AWS Identity and Access Management (IAM) resource explicitly grants or denies permissions to a user or group of users?
IAM policies
Which statements are true about evaluation logic for AWS Identity and Access Management (IAM) policies?
By default, all requests are denied. An explicit deny overrides an explicit allow.
AWS Identity and Access Management
Handles authentication and enforces authorization policies for users who need access to computing resources.
Which of the following should be done by the AWS account root user? (Select the best answer) - Secure access for applications - Integrate into cloud - Changing the AWS support plan
Changing the AWS support plan
Which of the following should be done by the AWS account root user?
Changing the AWS support plan can only be done by the AWS account root user. The other tasks are done with IAM.
Which suggestion is an Amazon Web Services (AWS) recommendation for securing AWS credentials for applications that run on Amazon Elastic Compute Cloud (Amazon EC2) instances?
Create an IAM role and attach it to EC2 instances
A company is storing an access key (access key ID and secret access key) in a text file on a custom AMI. The company uses the access key to access DynamoDB tables from instances created from the AMI. The security team has mandated a more secure solution. Which solution will meet the security team's mandate?
Create an IAM role with permissions to access the table, and launch all instances with the new role. Any solution involving the creation of an access key then introduces the complexity of managing that secret.
Which statement reflects best practices when granting permissions to users, groups, roles, and resources?
Create policies that follow the principle of least privilege
Amazon Inspector
Helps customers identify security vulnerabilities and deviations from security best practices in applications, before they are deployed and while they are running in a production environment
After the login, what does AWS recommend as the best practice for the AWS account root user? (Select the best answer) - Delete the AWS account root user - Revoke root user access - Restrict root user access - Delete the access keys
Delete the access keys
What is the effect of the following policy statement?
Denies actions on DynamoDB or Amazon S3 resources except for the resources that are listed in the NotResource element
How would a system administrator add an additional layer of login security to a user's AWS Management Console? (Select the best answer) - Use Amazon Cloud Directory - Audit Access - Enable multi-factor authentication - Enable restricted access
Enable multi-factor authentication
Shared responsibility between AWS and Customer
Ensuring security and compliance
What IAM feature in AWS lets you change the policy for multiple users all at once?
Groups
An administrator created an AWS Identity and Access Management (IAM) group called managers within an AWS account. A ____ policy is attached to the managers group. It allows managers to read from and write to an Amazon S3 bucket in the same AWS account. What type of policy?
Identity-based
In the shared responsibility model, AWS is responsible for providing what? (Select the best answer.)
In the shared responsibility model, AWS is responsible for providing security of the cloud.
What is the format of the AWS IAM policies that define the allowable API calls an entity can invoke?
JSON
Which of the following is the responsibility of AWS under the AWS shared responsibility model? (Select the best answer) - Configuring third-party applications - Maintaining physical hardware - Security - Management of Cloud
Maintaining physical hardware
Which of the following is the responsibility of AWS under the AWS shared responsibility model? (Select the best answer.)
Maintaining physical hardware is the responsibility of AWS under the shared responsibility model.
Which of the following are best practices to secure your account using AWS Identity and Access Management (IAM)? (Choose two.)
Managing access to AWS resources and defining fine-grained access rights are best practices when securing accounts with AWS IAM.
Authentication Scenario: App User
Must sign in to the photo app, which requires that they authenticate with your app (application authentication); upload and verify picture
Customer responsibility
Security *in* the Cloud, managing their data, using IAM and other security features, customer data
AWS Responsibility
Security *of* the cloud, provides security for cloud's physical infrastructure, operates, manages, and controls security of the cloud
Which option is the Amazon Web Services (AWS) customer responsible for under the AWS shared responsibility model?
Security group configuration; client-side data
In the shared responsibility model, AWS is responsible for providing what? (Select the best answer) - Security of the Cloud - Security of the Platform - Security of the Infrastructure - Security of the computer
Security of the cloud
Which statement best contrasts AWS Shield and AWS WAF?
Shield is for stopping DDoS attacks, whereas AWS WAF is for filtering specific web traffic.
How to authenticate from console
Sign in with your username and password
Managed Policies
Standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account
IAM policy
The document that defines which resources can be accessed and the level of access to each resource. *JavaScript Object Notation (JSON) document*
Authorization
The process of giving someone permission to do or have something; *what should they be allowed to do*
According to the AWS best practices, which of the following is true about the AWS account root user?
The root user should not be used for everyday tasks because it is a security vulnerability.
How to authenticate programmatically
Through the AWS CLI, SDKs, and APIs, provide an AWS access key (a combination of an access key ID and a secret access key)
How would the system administrator add an additional layer of login security to a user's AWS management console? (Select the best answer.)
To add an additional layer of login security to a user's AWS Management Console, enable multi-factor authentication.
What is the purpose of Amazon Inspector?
To assess cloud services and provide reports on security vulnerabilities
AWS WAF
To filter internet traffic so that only IP addresses from within the bank can access sensitive data and also to strictly limit what types of requests can be made to the cloud services from outside the bank.
AWS Artifact
To implement a security rule set. The rule set would help the bank stay in compliance with the security protocols that it must follow to protect data.
Shield
To protect the bank's computer system from a DDoS attack. A DDoS attack might shut down all services and even be used to cover up other cyberattacks.
Amazon Inspector
To run weekly assessments to stay up to date on all the cloud services and make sure that security best practices are not missed.
True / False? AWS Key Management Service (AWS KMS) enables you to assess, audit, and evaluate the configurations of your AWS resources.
True
True / False? AWS Organizations enables you to consolidate multiple AWS accounts so that you centrally manage them.
True
IAM role
Useful mechanism to grant a set of permissions for making AWS service requests.
True or False? AWS Organizations enables you to consolidate multiple AWS accounts so that you centrally manage them.
When creating an IAM policy, a user can be granted AWS Management Console access and programmatic access.
When creating an AWS Identity and Access Management (IAM) policy, what are the two types of access that can be granted to a user? (Choose two.)
When creating an IAM policy, a user can be granted AWS management console access and programmatic access.
Authentication Scenario: Developer
You must use AWS credentials to authenticate to the AWS account (AWS account authentication)
Multi-factor authentication (MFA)
Users are asked to present several separate pieces of evidence involving knowledge (something they know, like a password), possession (something they have, like a texted code), and/or inherence (something they are, like biometrics).
Authentication
Verifying the identity of the person or device attempting to access the system; *who is requesting access*
AWS Identity and Access Management (IAM)
• Securely controls individual and group access to your AWS resources • Integrates with other AWS services • Supports federated identity management • Supports granular permissions • Supports multi-factor authentication (MFA)