CISN 74A - Security in Amazon Web Services
What is the benefit of elasticity in the cloud?
Create systems that scale to the require capacity based on changes in demand.
The administrator of a company's AWS resources creates a standalone policy and attaches it to a principle entity to define their permissions. Which type of policy has the administrator created?
Customer managed policy
Which security principle addresses monitoring, alerting, and auditing actions and changes to the environment in real time?
Enable traceability
Which statement about multi-factor authentication (MFA) is true?
MFA requires two or more factors to achieve authentication.
Security and compliance are shared responsibilities between AWS and the customer. What is an AWS responsibility?
Patching network infrastructure
What is the pricing model that AWS customers can use to pay for resources on an as-needed basis?
Pay as you go
A company wants to create a multi-tier website. What is the best practice for creating a load balancer and subnet architecture?
Place the web server and database in a private subnet, and the load balancer in a public subnet.
A three-tier web application environment is a modular client-server architecture. What are the three tiers?
Presentation, application, and data
Which statement about service control policies (SPCs) is true?
SCPs can restrict access to services, resources, or API actions.
What are the best practices for handling an incident?
• Identify key personnel, external resources, and tooling. • Automate containment capabilities. • Develop incident response plans. • Pre-provision access and tools. • Run incident response game days.
Which statement best describes an AWS Identity and Access Management (IAM) role?
► A role is an identity that is used to grant a temporary set of permissions to make AWS service requests. Roles provide temporary permissions for the user they are granted to. When the user is finished with the role, the permissions are removed.
A system administrator discovers that a user had deleted an Amazon S3 bucket without authorization, which triggered an incident response. Which AWS service can they use to determine the identity of the user that committed the incident?
► AWS CloudTrail CloudTrail can provide a record of actions taken within your environment. CloudTrail logs include information such as the action type, identity of the user, and time and date of the action.
Which AWS service can be used to store items, such as database credentials, securely without having to hard code them into the source code or a configuration file?
► AWS Secrets Manager Use Secrets Manager to extract sensitive information such as credentials from you source code.
Which AWS service does AWS Identity and Access Management (IAM) rely on to provide temporary security credentials for roles?
► AWS Security Token Service (AWS STS) When a user assumes a role, the user's prior permissions are temporarily forgotten, and AWS STST issues new security credentials for the duration of the session.
An administrator wants to ensure that they optimize their AWS infrastructure and also improve security performance. Which option would meet their need?
► AWS Trusted Advisor Trusted Advisor evaluates your account to identify ways to optimize you AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas.
An administrator would like to have additional insight into their applications, and collect operational data in the form of logs, metrics, and events. Which AWS service would meet their need?
► Amazon CloudWatch CloudWatch collects operational data as logs, metrics, and events. The service also provides actionable insights to monitor your applications, respond to system-wide performance changes, and optimize resource utilization.
Which AWS logging and monitoring service is a serverless event bus service that can connect your applications with data from a variety of sources?
► Amazon EventBridge EventBridge is a serverless event bus service that makes it easier for you to build event-driven applications by connecting those applications with data from a variety of sources.
What is one method that a company could use to ensure high availability during a security attack?
► Automatic scaling By enabling automatic scaling, if a major disruption occurs, sufficient capacity is available to load balance traffic and route it to remaining sites.
Which statement about AWS CloudTrail is true?
► CloudTrail can be integrated into applications by using the API. ► Events can be viewed in the CloudTrail console. - enable governance and compliance, as well as operational and risk auditing of your AWS account - records actions taken by a user, role, or AWS service as events - records actions taken in the AWS Management Console, AWS CLI, and AWS SDKs and APIs
Which options are security principles that are based on the security pillar of the AWS Well-Architected Framework?
► Prepare for security events. ► Automate security best practices. ► Protect data in transit and data at rest.
What is the purpose of an internet gateway?
► Provide a target within a VPC route table to enable internet-routable traffic. ► Perform network address translation (NAT) for instances that have been assigned public IPV4 addresses.
Amazon S3 Object Lock is a feature that provides protection for scenarios where it's imperative that data is not changed or deleted. What are the two ways to manage object retention with Object Lock?
► Retention periods and legal holds A retention period specifies a fixed period during which an object remains locked. A legal hold provides the same protection as a retention period. Instead, a legal hold remains in place until you explicitly remove it.
What are characteristics of the security principle to prepare for security events?
► Routinely practice incident response through game days. ► Create processes to isolate incidents and restore operations.
Which statement is true about server-side encryption in Amazon S3 with customer-provided keys (SSE-C)?
► The customer retains control of the keys. With SSE-C, the customer manages the keys while Amazon S3 manages the encryption process.
Which statement regarding client-side encryption is true?
► The keys and algorithms are known only to the customer. With client-side encryption, data is stored in an encrypted form, with keys and algorithms known only to the customer.
Which information does AWS CloudTrail NOT capture?
► Time of the origin of the request in your local time. CloudTrail does not capture the local time of origin for the request. The time of the API call is captured in Universal Time Coordinated (UTC). What it DOES capture: - Originating location of the request - Time of the API call - Name of the API called
A company requires that data stored in AWS be encrypted at rest. Which approach would meet this requirement?
► When storing data in Amazon S3, enable server-side encryption. Server-side encryption in Amazon S3 protects data at rest.
Which statement about AWS Identity and Access Management (IAM) is true?
► With IAM, you can grant principals granular access to the console. You can use IAM to grant principals granular access to the console and the AWS service APIs.
Which definition best describes an incident response?
Set of information security policies and procedures that can ne used to identify, contain, and eliminate cyberattacks
Which service can be configured to provide logging about storage use?
Amazon S3
What is a best practice for automation that can assist with providing a reliable and repeatable secure infrastructure?
Implement infrastructure as code
What is a characteristic of Amazon S3 server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS)?
The customer can audit usage of the key.
Which control mechanism is recommended to protect data in transit to Amazon S3 to reduce the risk of unauthorized access or loss?
Use Amazon Virtual Private Cloud (Amazon VPC) endpoints to limit access to the bucket.
Which options are characteristics of the principle of least privilege?
► Grant access only as needed ► Enforce separation of duties
What are the best practices to protect your network?
► Use security groups to control access to resources. Place Amazon EC2 instances in private subnets when they will not regularly need direct access to the internet.
Who is responsible to operate, manage, and control security OF the cloud, according to the AWS shared responsibility model?
AWS
Which AWS service could an administrator use to securely control access to AWS resources for users?
AWS Identity and Access Management (IAM)
An administrator wants to implement a level of protection against distributed denial of service (DDoS) attacks. Which AWS service would meet their need?
AWS Shield
Which service can help users to automate management tasks such as collecting system inventory, applying operating system patches, maintaining up-to-date antivirus definitions, and configuring operating systems and applications at scale?
AWS Systems Manager
Which AWS service is an option that can be used to store and retrieve secrets within an AWS Lambda function?
AWS Systems Manager (AWS Secret Manager???)
Which AWS service evaluates your account by using checks that identify ways to optimize your AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas?
AWS Trusted Advisor
An administrator would like to increase their network protection, and eliminate any potentially unauthorized or malicious activity in their AWS environment. Which AWS service would meet their need?
Amazon GuardDuty
A company set up a VPC with public subnets and route tables. The company wants to be able to use the internet to access information from Amazon EC2 instances in the VPC. Which VPC component would allow communication between instances in their VPC and the internet?
Internet gateway
An administrator wants to increase security by creating an environment where traffic to and from Amazon EC2 instances can be controlled in a stateful manner. Which security feature would meet their needs?
Security groups
Which statement about the benefits of server access logs is true?
Server access logs can provide insights into a customer base.
An IT administrator needs to ensure that data stored in Amazon S3 is encrypted but does not want to manage the encryption keys. Which encryption mechanism meets these requirements?
SSE-S3
According to the shared responsibility model, who is responsible for configuring security group rules to determine which ports are open to an EC2 Linux instance?
The customer is responsible for controlling network access to EC2 instances.
An administrator would like to use a continuous monitoring and assessment service that provides an inventory of AWS resources. Which AWS service would meet their need?
► AWS Config AWS Config continuously captures configuration changes that are associated with your resources. The service can send notifications when changes occur, be used to invoke a Lambda function, and integrate with other AWS services to remediate issues.
Which AWS service is a continuous monitoring and assessment service that provides an inventory of AWS resources and records changes to their configuration?
► AWS Config AWS Config is a continuous monitoring and assessment service that provides an inventory of AWS resources and records changes to the configuration of those resources.
An administrator wants to run continuous assessment checks on their resources. The purpose is to verify that these resources comply with their own security policies, industry best practices, and compliance standards. Which AWS service would meet their need?
► AWS Config By using AWS Config rules, developers can run continuous assessment checks on their resources. The checks verify that the resources comply with their own security policies, industry best practices, and compliance standards.
Which AWS service can be used to generate encryption keys that are protected by FIPS 140-2 validated hardware security modules (HSMs)?
► AWS Key Management Service (AWS KMS) AWS KMS uses HSMs that are FIPS 140-2 compliant to store keys.
Which statement regarding the AWS Single Sign-On service is NOT true?
► AWS SSO provides a decentralized administration experience to define, customize, and assign access, based on common job functions. AWS SSO: - provides a ser portal for users to access all of their assigned AWS accounts or cloud applications. - provides the ability to create or connect identities once and manage access centrally across an AWS organization. - can be flexibly configured to run parallel to or in lieu (instead) of AWS account access management through AWS IAM
An administrator would like help managing complex and time-consuming operations, such as patching software and routing support tickets. Which AWS service would meet their need?
► AWS Step Functions Step Functions is a low-code, visual workflow service that developers use to build distributed application, automate IT and business processes, and build data and machine learning pipelines using AWS services.
How would a system administrator add an additional layer of login security to a user's AWS Management Console?
► Activate multi-factor authentication (MFA). MFA is a simple best practice that adds an extra layer of protection on top of a user name and password. With MFA activated, when a user signs in to the AWS Management Console, they will be prompted for their user name and password (the first factor—what they know). They will also be prompted for an authentication code from their MFA device (the second factor—what they have). Taken together, these multiple factors provide increased security for AWS account settings and resources.
Which AWS service relies on user pools and identity pools?
► Amazon Cognito, which provides authentication, authorization, and user management for mobile and web applications. Amazon Cognito supports direct sign-in through user name and password, and also supports third-party authentication through social identity providers. This is accomplished through the use of user pools and identity pools.
An administrator wants to improve their vulnerability management. They would like to use a service that continuously scans Amazon EC2 instances for software vulnerabilities and unintended network exposure. Which AWS service would meet their need?
► Amazon Inspector Amazon Inspector is a vulnerability management service that continuously scans AWS workloads for vulnerabilities. The service automatically discovers and scans EC2 instances for software vulnerabilities and unintended network exposure.
A machine learning engineer wants a solution that will discover sensitive information that is stored in AWS. The solution should also use natural language processing (NLP) to classify the data and provide business-related insights. Which AWS service would meet their need?
► Amazon Macie Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. Macie recognizes personally identifiable information (PII) such as passport numbers, medical ID numbers, and tax ID numbers.
Which option is considered a best practice to configure long-term access in AWS Identity and Access Management (IAM)?
► Attach IAM policies to IAM groups, and then assign IAM users to the IAM groups. For long-term access, a best practice is to attach IAM policies to IAM groups, and then assign IAM users to these IAM groups. Members of an IAM group inherit the permissions that ae attached to that group.
Which statement about Amazon CloudWatch is true?
► CloudWatch can be used to detect anomalous behavior and invoke other services to take further action. ► It provides the ability to create alarms that watch metrics and sends notifications. You can use CloudWatch to detect anomalous behavior in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.
Security groups are stateful, and network access control lists (ACLs) are stateless. What is the difference between stateful and stateless?
Stateful means that return traffic is automatically allowed. Stateless means that return traffic must be explicitly allowed by rules.
Which security principle involves monitoring alerting, and auditing actions and changes to the environment in real time?
Enable traceability
What is the difference between a security group and network access control list (ACL)?
A security group acts as a virtual firewall for EC2 instances. A network ACL acts as a firewall to control traffic in and out of one or more subnets in a virtual private cloud (VPC).
Which service provides an automated security assessment that helps users to improve the security and compliance of applications that they deploy on AWS?
Amazon Inspector
A cloud administrator needs to store images that are uploaded by users though a mobile application. The solution needs to include security measures to avoid data loss. Which step or steps should they take to protect against unintended user actions?
Upload the images Amazon S3 by using presigned URLs. Employ strict bucket policies, and enable S3 Versioning.
A system administrator create a single EC2 instance, and set up network ACLs and the appropriate subnet routing. However, they want to provide an extra layer of security by applying a firewall to control access to and from the EC2 instance. Which action should the system administrator take?
► Configure a security group. A security group acts as a virtual firewall for your EC2 instances to control inbound and outbound traffic.
Which statement regarding client-side encryption is NOT true?
► Data is encrypted at its destination by the application or service that receives the data. What is true: - Your applications encrypts data before sending it to AWS. - The keys and algorithms are known only to you. - Data is stored in its encrypted state.
What is the first step to use the detective control that AWS provides?
► Define your requirements for logs, alerts, and metrics. 1. Define your organizational requirements for logs, alerts, and metrics. 2. Configure service and application logging throughout your workload. 3. Analyze your logs centrally.
A web application uses a fleet of Amazon EC2 instances for both dynamic and static assets. The EC2 instances are in a private subnet, behind a load balancer that is in a public subnet inside the VPC. Which service logs would provide the MOST insight into how users are using the web application?
► Elastic Load Balancing (ELB) access logs ELB access logs capture detailed information about requests sent to a load balancer, and can be used to troubleshoot and analyze traffic on a network.
What is not a best practice to protect compute resources?
► Enable VPC Flow logs down to the subnet level (Logging does not protect your resources from an attack) Best practices: - scanning for vulnerabilities and patching them - automating configuration management and protection - using Amazon Machine Images (AMIs) to create compliant instances - implementing intrusion detection and prevention
Which method would provide identity federaton?
► Implement AWS Single Sign-On (SSO), which supports secure interactions between an identity provider and a service provider. AWS SSO supports identity federation by securely passing information between identity providers and service providers, the two elements of identity federation.
An administrator has decided to use inline policies to improve their organization's security posture. Which statement about inline policies is true?
► Inline policies are an embedded, inherent part of a principal entity such as a user, group, or role. Inline policies are embedded in a principal entity, and are useful to maintain a strict one-to-one relationship between a policy and an entity
Which statements are true for virtual private cloud (VPC)?
► Is a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network. ► Provides the ability to customize your network, including creating a public subnet for your web servers that can access the public internet. ► Gives you control over your virtual networking resources, including selecting the IP address range, creating subnets, and configuring route tables and network gateways.
AWS CloudTrail and Amazon CloudWatch serve specific functions. Which function is indicative of CloudWatch?
► Is useful to detect anomalous behavior, set alarms, and discover insights CloudWatch can help you detect anomalous behavior, such as Amazon EC2 instance deletion, and can alarm you that the action has occurred.
Which statement about logging and log files is true?
► Log files can be used to demonstrate compliance with regulations. Log files are necessary to demonstrate adherence with a number of regulatory measures, including the European Union General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPPA) in the United States.
What are customer security responsibilities according to the AWS shared responsibility model?
► Managing account credentials and policies ► Managing customer data
Which statement about AWS monitoring is true?
► Monitoring is a continuous process. Monitoring is a continuous process, which can greatly assist you in being proactive with issues.
An auditor is reviewing logs during a security audit. What is NOT a common log element that would be available to them?
► Name of the resource owner What is available: - Origin or source of the event - Identity of the resources that were accessed - Date and time of the event
Which method would achieve multi-factor authentication (MFA)?
► Require an access key and an authentication from a hardware device. Requiring an access key (a combination of an access key ID and secret access key) and a hardware MFA device would achieve the goal of MFA. This method introduces an additional element of authentication.
Which statement regarding AWS Identity and Access Management (IAM) policies is true?
► Resource-based policies are attached to resources and grant permission to the principal that is specified in the policy. Resource-based policies are attached to resources and grant permissions to the principle that is specified in the policy.
Which Amazon S3 feature stores objects by using the write-once-read-many (WORM) model?
► S3 Object Lock Object Lock stores objects using the WORM model. This feature can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.
What can be used to control access to an Amazon S3 bucket?
► S3 bucket policies ► Virtual private cloud (VPC) endpoint policies ► AWS Identity and Access Management (IAM) policies
Which types of server-side encryption (SSE) are available for Amazon S3?
► SSE with Amazon S3 managed key (SSE-S3) ► SSE with AWS Key Management Service (AWS KMS) keys (SSE-KMS) ► SSE with customer-provided keys (SSE-C) In Amazon S3, three options are available for server-side encryption, depending on how you choose to manage the encryption keys: SSE-KMS, SSE-C, and SSE-S3.
Which statement about AWS Organizations is true?
► With Organizations, you can attach policies to each OU for fine-grained policy creation and application. With Organizations, you can create fine-grained policies and target them to a single OU or multiple OUs.