Module 9 - Security Flashcards

(64 cards)

1
Q

What is authentication?

A

The process of verifying the identity of a user or entity through credentials like a username and password combination.

2
Q

What is authorization?

A

Managing which actions users are permitted to perform in a system or application. This is usually done by granting a user certain access rights and permissions.

3
Q

How is responsibility for security shared between AWS and the customer?

A

Customers are responsible for the security of their content that is in the AWS cloud.
AWS is responsible for the security of the AWS cloud, e.g. hardware and global infrastructure.

4
Q

What is the principle of least privilege?

A

Users, programs and processes should be able to access ONLY the information and resources necessary for their purpose(s) or responsibility(ies).

5
Q

What is AWS Identity and Access Management (IAM)?

A

A service to securely control access to AWS services and resources. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users and applications can access.

6
Q

What is the AWS account root user?

A

The user account associated with the owner of the AWS account. The root user has permission to do anything they want inside of the account.

7
Q

What is MFA?

A

Multi-factor Authentication. A security process requiring a user to provide an additional piece of evidence (factor) to authenticate. Also known as two-factor authentication.

8
Q

True or False

Amazon strongly recommends that MFA is enabled for the AWS account root user

A

True

9
Q

What is an IAM user?

A

A person or application, within the owner’s AWS account, that has long-term credentials to access AWS services and resources associated with the owner’s account.

10
Q

In IAM, what are access keys?

A

Long-term credentials for an IAM user or the AWS account root user.

11
Q

What are the two parts of an IAM Access key pair?

A

An access key ID and a secret access key. You must use both the access key ID and secret access key together to authenticate your requests.

12
Q

Fill in the blank

Access keys can pose an account ____________.

A

security risk
* Use AWS CloudTrail to monitor access key usage and detect any unauthorized access attempts.
* Set up CloudWatch alarms to notify administrators for denied access attempts to help detect malicious activities.
* Regularly review, update, and delete access keys as needed.

13
Q

True or False

When you create an IAM user, by default, they have absolutely zero permissions.

A

True

14
Q

What is an IAM group?

A

A collection of IAM users. Permission policies can be assigned to an IAM group and all users in the group inherit the permissions.

15
Q

What is an IAM role?

A

An identity you can assume to gain temporary access to permissions. When someone assumes an IAM role, they abandon all previous permissions they had under a previous role and assume the permissions of the new role.

16
Q

What is an IAM policy?

A

A JSON document that allows or denies permission to access AWS services and resources.

17
Q

What is an IAM Identity?

A

IAM identities include IAM users, IAM groups, and IAM roles. An IAM identity can be associated with one or more policies, which determine permissions to access AWS resources.

18
Q

What is identity federation?

A

A system of trust between two parties for the purpose of authenticating users and conveying information needed to authorize their access to resources.

19
Q

Fill in the blank

Another term for identity federation is ____________.

A

Federated identity management. A system that allows users to access multiple applications, services, or domains using a single set of credentials.

20
Q

How do IAM roles enable identity federation?

A

Account owners can federate users into their AWS account, allowing these users to authenticate with a third-party identity provider and then access AWS resources via IAM roles.

21
Q

What is AWS IAM Identity Center?

A

The AWS solution for connecting your workforce users to AWS applications and resources. You can create and manage your users directly in IAM Identity Center or connect with your existing identity provider and federate users.

22
Q

Fill in the blank

____________ provides a secure way to manage, rotate, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

A

AWS Secrets Manager. Instead of hardcoding credentials in your apps, you can make calls to Secrets Manager to retrieve your credentials whenever needed.

23
Q

Fill in the blank

____________ helps you centrally view, manage, and operate nodes at scale in AWS, on-premises, and multicloud environments.

A

AWS Systems Manager

24
Q

What is a zero-day attack vector?

A

An attack that exploits a heretofore unknown security hole.

25
Q

What is a denial of service (DoS) attack?

A

A bad actor floods a web application with excessive network traffic. Legitimate customer requests are denied when the web application becomes overloaded and can no longer respond.

26
Q

What is a **distributed** denial of service (DDoS) attack?

A

The bad actor floods a web application with network traffic from multiple (lots!) co-opted machines (zombie bots) on the internet.

27
Q

How do security groups protect against denial of service attacks?

A

Security groups only allow in the request traffic they are configured to permit. They also operate at the AWS network level, so they can leverage the capacity of an AWS region to shrug off a massive attack.

28
Q

How does Elastic Load Balancing protect against a denial of service attack?

A

Because Elastic Load Balancer is a managed service that includes AWS Shield Standard, which automatically protects AWS resources from the most common types of DDoS attacks.

29
Q

How do AWS regions protect against a denial of service attack?

A

By being big, with lots of capacity. It is massively expensive to overwhelm the enormous capacity of an AWS region.

30
Q

What kind of protection is provided by AWS Shield Standard?

A

AWS Shield Standard provides protection against a wide range of known DDoS attack vectors and zero-day attack vectors. Shield Standard is provided automatically and at no extra charge when you use AWS.

## Footnote
See [How AWS Shield and Shield Advanced work](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html) and [AWS Shield Standard overview](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-standard-summary.html)

31
Q

What is AWS Shield Advanced?

A

A paid service that provides detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS attacks.

## Footnote
See [How AWS Shield and Shield Advanced work](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html) and [AWS Shield Advanced overview](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-advanced-summary.html)

32
Q

What is AWS WAF?

A

AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to your protected web application resources.

## Footnote
See [What is AWS WAF?](http://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html#waf-intro)

33
Q

How does AWS WAF provide network security protection?

A

When a request comes into AWS WAF, it checks the IP address against a web access control list (web ACL). If the request comes from a blocked IP address on the web ACL, AWS WAF denies access. Legitimate requests are allowed access.

## Footnote
See [What is AWS WAF?](http://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html#waf-intro)

34
Q

Fill in the blank

In AWS WAF, web ACLs are also now known as ____________.

A

protection packs

## Footnote
See [How AWS WAF works](https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works.html)

35
Q

Fill in the blank

AWS WAF web ACLs contain ____________ which define criteria for inspecting web requests and specify the action to take on requests that match their criteria.

A

rules

## Footnote
See [How AWS WAF works](https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works.html)

36
Q

True or False

In AWS WAF, web ACL rules can inspect requests for criteria such as malicious scripts, IP address, country of origin and likely SQL injection.

A

True

## Footnote
See [AWS WAF rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rules.html)

37
Q

Data encryption uses ________ to encrypt and decrypt data, turning plaintext into ciphertext, a randomized set of characters, and vice versa.

A

cryptographic keys

38
Q

What is encryption at rest?

A

Encryption of data that is in a single location, e.g. in a database or an S3 bucket.

39
Q

What is encryption in transit?

A

Encryption of data while it is being transferred from one location to another, e.g. from a database to an application or from one server to another.

40
Q

How is encryption in transit provided?

A

By using SSL/TLS certificates to establish encrypted network connections.

41
Q

True or False

By default, all new Amazon S3 buckets have encryption configured.

A

True. And all uploaded objects are encrypted at rest.

42
Q

Can Amazon EBS volumes be encrypted at rest?

A

Yes, including both boot and data volumes of an EC2 instance.

43
Q

True or False

Server-side encryption at rest is enabled on all DynamoDB table data.

A

True. Using encryption keys stored in AWS Key Management Service (AWS KMS).

44
Q

What is AWS Key Management Service (KMS)?

A

An encryption and key management service that makes it easy for you to create and control the keys used to encrypt and sign your data.

## Footnote
See [AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html)

45
Q

Do encryption keys ever leave AWS KMS unencrypted?

A

No. To use or manage your KMS keys, you interact with AWS KMS.

## Footnote
See [AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html)

46
Q

What is Amazon Macie?

A

A data security service that discovers sensitive data by using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks.

## Footnote
See [What is Amazon Macie?](https://docs.aws.amazon.com/macie/latest/user/what-is-macie.html)

47
Q

Fill in the blank

You can use Amazon Macie to assess your security ___________.

A

posture

48
Q

What is AWS Certificate Manager (ACM)?

A

AWS Certificate Manager (ACM) helps you to provision, manage, and renew publicly trusted SSL/TLS certificates on AWS based websites. (SSL/TLS certificates provide data encryption in transit.)

## Footnote
See [AWS Certificate Manager Documentation](https://docs.aws.amazon.com/acm/)

49
Q

Name five (5) Amazon services related to **detection** of, and **response** to, security events.

A

1. Amazon Macie
2. Amazon Inspector
3. Amazon GuardDuty
4. Amazon Detective
5. Amazon Security Hub

50
Q

Fill in the name of the Amazon service

____________ is a security vulnerability assessment service that runs automated security assessments of Amazon EC2 instances, container images in Amazon ECR, and Lambda functions.

A

**Amazon Inspector**. It produces a detailed list of security **findings**, prioritized by level of security, with recommendations on how to fix the security hole. You can manage findings in the Amazon Inspector console.

## Footnote
See [What is Amazon Inspector?](https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html)

51
Q

Fill in the name of the Amazon service

____________ is a threat detection service that continuously monitors, analyzes, and processes AWS data sources and logs in your AWS environment.

A

Amazon GuardDuty. It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, file hashes, and machine learning (ML) models to identify suspicious and potentially malicious activity in your AWS environment.

## Footnote
See [What is Amazon GuardDuty?](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html)

52
Q

Where can you view GuardDuty findings?

A

GuardDuty consolidates your security findings across accounts and displays results in the Summary dashboard on the GuardDuty console of the AWS Management Console. You can also retrieve findings through the AWS Security Hub CSPM API, AWS Command Line Interface, or AWS SDK.

## Footnote
See [What is Amazon GuardDuty?](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html)

53
Q

Fill in the name of the Amazon service

____________ makes it easy to analyze, investigate, and quickly identify the root cause of security findings or suspicious activities.

A

Amazon Detective

## Footnote
See [What is Amazon Detective?](https://docs.aws.amazon.com/detective/latest/userguide/what-is-detective.html)

54
Q

Fill in the blank

Amazon Detective automatically collects log data from your AWS resources. It then uses machine learning, statistical analysis, and graph theory to generate ____________ that help you to conduct faster and more efficient security investigations.

A

visualizations

## Footnote
See [What is Amazon Detective?](https://docs.aws.amazon.com/detective/latest/userguide/what-is-detective.html)

55
Q

Fill in the name of the Amazon service

____________ is a unified cloud security solution that prioritizes your critical security issues and helps you respond at scale.

A

AWS Security Hub. It detects security issues by automatically correlating and enriching security signals from multiple sources, such as Cloud Security Posture Management (CSPM), vulnerability management (Amazon Inspector), sensitive data (Amazon Macie), and threat detection (Amazon GuardDuty).

## Footnote
See [Introduction to AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub-v2.html)

56
Q

AWS Security Hub is meant to be used alongside AWS Security Hub ____________.

A

CSPM, Cloud Security Posture Management

## Footnote
See [What are Security Hub and Security Hub CSPM?](https://docs.aws.amazon.com/securityhub/latest/userguide/what-are-securityhub-services.html)

57
Q

Fill in the blank

AWS Security Hub CSPM supports multiple industry security ____________.

A

standards, e.g. from Amazon itself, and from the Center for Internet Security (CIS), the Payment Card Industry Data Security Standard (PCI DSS), and the National Institute of Standards and Technology (NIST).

## Footnote
See [Introduction to AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html)

58
Q

Fill in the blank

Security standards are comprised of security ________.

A

controls, which each represent a security best practice.

59
Q

Fill in the blank

Security Hub CSPM runs checks against security controls and generates control ____________ to help you assess your compliance against security best practices.

A

findings

## Footnote
See [Introduction to AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html)

60
Q

Fill in the blanks

Security Hub CSPM also receives findings from other AWS services such as ____________, ____________, and ____________, as well as supported third-party products.

A

Amazon GuardDuty, Amazon Inspector, and Amazon Macie.
(This gives you a single view into a variety of security-related issues.)

## Footnote
See [Introduction to AWS Security Hub CSPM](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html)

61
Q

In the context of security, what is TTR?

A

Time to Remediation. TTR measures the duration from incident detection to permanent resolution, ensuring the root cause is fixed and recurrence is prevented.

62
Q

Fill in the blank

Security Hub transforms complex security signals into actionable ____________.

A

insights. Security Hub also includes automated response workflows to accelerate Time to Remediation (TTR).

## Footnote
See [Introduction to AWS Security Hub](https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub-v2.html)

63
Q

Fill in the blank

AWS security ____________ provides extensive information on AWS services and best practices related to security.

A

documentation

## Footnote
See [AWS Security Documentation](https://docs.aws.amazon.com/security/) and the [AWS Security Blog](https://aws.amazon.com/blogs/security/)

64
Q

True or False

The AWS Marketplace provides a digital catalog where you can purchase third-party security software and services that run on AWS.

A

True. These include:
* Threat detection and prevention tools
* Identity and access management tools
* Data protection tools
* Compliance and governance tools