Module 6: Security

Question 1

Shared Responsibility Model

Answer 1

AWS is responsible for some parts of the environment (security of the cloud) and the customer is responsible for other parts (security in the cloud).

Question 2

Customers (Security in the Cloud)

Answer 2

• Customers are responsible for the security of everything that they create and put in the cloud.
• Maintain complete control over the content stored on AWS, which AWS services are used, and who has access.

Question 3

AWS (Security of the Cloud)

Answer 3

• Operates, manages, and controls the components at all layers of infrastructure.
• Responsible for protecting the global infrastructure that runs all the services offered in the AWS Cloud.

Question 4

AWS Identity and Access Management (IAM)

Answer 4

Enables you to manage access to AWS services and resources securely.

Question 5

IAM Users

Answer 5

• Represents the person or application that interacts with AWS services and resources.
• Consists of name and credentials.
• By default it has no permissions associated with it when created.

Question 6

IAM Policy

Answer 6

A document that allows or denies permissions to AWS services and resources.

Question 7

IAM Group

Answer 7

A collection of IAM users.

Question 8

IAM Role

Answer 8

• An identity that you can assume to gain temporary access to permissions.
• Before an entity can switch roles, they must be granted permissions to switch to the role.
• All permissions of the previous role are abandoned and the permissions of the new role are assumed.

Question 9

AWS Organizations

Answer 9

• Used to consolidate and manage multiple AWS accounts within a central location.
• Accounts ca be grouped into organization units to make it easier to manage accounts with similar business or security requirements.

Question 10

Service Control Policies (SCPs)

Answer 10

Enable you to place restrictions on the AWS services, resources, and individual API actions that users and roles in each account can access.

Question 11

AWS Artifact

Answer 11

A service that provides on-demand access to AWS security and compliance reports and select online agreements.

Question 12

AWS Artifact Agreements

Answer 12

Agreements can be reviewed, accepted, and managed for an individual account or all accounts in AWS Organizations.

Question 13

AWS Artifact Reports

Answer 13

Provide compliances reports from third-party auditors.

Question 14

Customer Compliance Center

Answer 14

Contains resources to help you learn more about AWS compliance.

Question 15

Denial-of-Service (DoS) Attack

Answer 15

A deliberate attempt to make a website or application unavailable to users.

Question 16

Distributed Denial-of-Service (DDoS) Attack

Answer 16

• Multiple sources are used to start an attack that aims to make a website or application unavailable.
• A single attacker can use multiple infected computers knows as “bots” to send excessive traffic to a website or application.

Question 17

AWS Shield

Answer 17

A service that protects applications against DDoS attacks.

Question 18

AWS Shield Standard

Answer 18

• Automatically protects all AWS customers at no cost.

- Protects AWS resources from the most common, frequently occurring types of DDoS attacks.

Question 19

AWS Shield Advanced

Answer 19

• A paid service that provides detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS attacks.
• Can integrate it with AWS WAF by writing custom rules to mitigate complex DDoS attacks.

Question 20

AWS Key Management Service (AWS KMS)

Answer 20

Enables you to perform encryption operations through the use of cryptographic keys.

Question 21

AWS WAF

Answer 21

• A web application firewall that lets you monitor requests that come into your web applications.
• Does this by using a web access control list (ACL) to protect resources.

Question 22

Amazon Inspector

Answer 22

• Helps to improve the security and compliance of applications by running automated security assessments.
• Checks applications for security vulnerabilities and deviations from security best practices.

Question 23

Amazon GuardDuty

Answer 23

• A service that provides intelligent threat detection for your AWS infrastructure and resources.
• Identifies threats by continuously monitoring the network activity and account behavior within your AWS environment.