Chapter4: Security and Compliance Quiz
In the shared responsibility model, what is the customer responsible for? Choose 2 Firewall configuration and application security Patching the guest operating system (OS) Patching the host operating system (OS) Cloud infrastructure
You are responsible for firewall configuration and securing your application. You are responsible for patching the guest OS, including updates and security patches.
What is the purpose of CloudHSM? Its purpose is to enable you to easily create and use your own encryption keys. It will allow all users to view and access encryption keys. It is software used for encryption key management. Its purpose is to manage and retrieve passwords or keys.
AWS CloudHSM enables you to easily create and use your own encryption keys in the AWS Cloud.
Which of the following are considered IAM best practices? Choose 2 Use the root account for daily administrative tasks. Use access keys to manage EC2 applications. Enable multi-factor authentication (MFA) for administrative accounts as well as the root user. Implement strong password policies.
Administrative accounts, as well as the root user, have significant control of the system and should be protected as much as possible. Policies like password expiration and preventing the reuse of passwords are good policies to adopt to ensure the security of your environments.
How do you manage permissions for multiple users at once using AWS Identity and Access Management (IAM)? EC2 security groups Policies Roles Groups
An IAM group is a collection of IAM users. When you assign an IAM policy to a group, all users in the group are granted permissions specified by the policy.
Which of the following are tasks that only the root user can complete? Choose 2 Launch EC2 instances. Close your AWS account. Configure databases. Change the account name and email address.
Close your AWS account. Change the account name and email address. You must sign in as the AWS account root user to close your AWS account. If you sign in as an IAM user or role, you can't close an account. AWS Documentation: Tasks that require root user credentials. Only the root account can change an email address and account name. AWS Documentation: Tasks that require root user credentials.
Which service helps you control access to mobile and web applications? Cognito IAM Macie Shield
Cognito helps you control access to mobile and web applications. Next question
Which service allows you to record software configuration changes within your Amazon EC2 instances over time? AWS Inspector AWS Systems Manager AWS Config AWS Trusted Advisor
Config helps with recording compliance and configuration changes over time for your AWS resources.
Which service can integrate with a Lambda function to automatically take remediation steps when it uncovers suspicious network activity when monitoring logs in your AWS account? AWS Systems Manager Amazon GuardDuty AWS CloudTrail Amazon Inspector
GuardDuty can perform automated remediation actions by leveraging Amazon CloudWatch Events and AWS Lambda. GuardDuty continuously monitors for threats and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. GuardDuty analyzes multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs.
In the AWS shared responsibility model, what is AWS not responsible for? Choose 3 AWS Lambda language versions Setting permissions for objects stored in Amazon S3 Amazon Elastic Block Store (EBS) snapshots Amazon Relational Database Service (RDS) database backups Decommissioning storage devices that have reached the end of life Backup power generators
Setting permissions for objects stored in Amazon S3 Amazon Elastic Block Store (EBS) snapshots Amazon Relational Database Service (RDS) database backups
Which service has a feature that can assist with compliance and auditing by offering a downloadable report that provides the status of passwords and MFA devices in your account? AWS Identity and Access Management (IAM) AWS Trusted Advisor AWS Secrets Manager AWS Artifact AWS Systems Manager
Sorry! Artifact provides access to AWS security and compliance reports and select online agreements. These reports are for AWS and aren't account specific. Correct Answer IAM provides a downloadable credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices.
Which service allows you to generate encryption keys managed by AWS? AWS Key Management Service (KMS) AWS Identity and Access Management (IAM) AWS CloudHSM AWS Key Manager (KM)
Sorry! CloudHSM is a hardware device that allows you to easily generate and use your own encryption keys. You manage the keys — not AWS. Correct Answer KMS allows you to generate and manage encryption keys. The keys generated by KMS are managed by AWS.
Which service allows you to create access keys for someone needing to access AWS via the command line interface (CLI)? Amazon Cloud Directory AWS Secrets Manager AWS Identity and Access Management (IAM) AWS Security Hub
Sorry! Secrets Manager allows you to securely store secrets, like passwords, needed by your applications. Correct Answer IAM allows you to create users and generate access keys for users needing to access AWS via the CLI.
Select the FALSE statement regarding the pillars of the AWS Well-Architected Framework. The Security pillar enables the ability to protect data, systems, and assets to improve your cloud security. The Performance Efficiency pillar enables the ability to use computing resources efficiently as demand and technology changes. The Operational Excellence pillar enables the ability to support development, run workloads effectively, gain operational insights, and improve supporting processes and procedures. The Cost Optimization pillar enables the ability to run systems to deliver business value at the lowest price point by utilizing a capital expenditures (CAPEX) model.
The Cost Optimization pillar does enable the ability to run systems to deliver business value at the lowest price point. However, it favors the operating expenses (OPEX) model, rather than the capital expenditures (CAPEX) model.
Which of the following are pillars of the AWS Well-Architected Framework? (Choose 3.) Choose 3 Cost optimization pillar Operational excellence pillar Security pillar Environmental Responsibility Pillar
The cost optimization pillar focuses on avoiding unnecessary costs. Key topics include understanding spending over time and controlling fund allocation, selecting resources of the right type and quantity, and scaling to meet business needs without overspending. The operational excellence pillar focuses on running and monitoring systems, and continually improving processes and procedures. Key topics include automating changes, responding to events, and defining standards to manage daily operations. The security pillar focuses on protecting information and systems. Key topics include confidentiality and integrity of data, managing user permissions, and establishing controls to detect security events.
Which service protects your web application from cross-site scripting attacks? Amazon Macie AWS Web Application Firewall (WAF) AWS Shield Amazon Inspector
WAF helps protect your web applications from common web attacks, like SQL injection or cross-site scripting.