Security & Compliance Flashcards

(107 cards)

1
Q

What principle should be applied to AWS users, application users, and other clouds and data centers connected to AWS?

A

The principle of least privilege.

2
Q

What is the shared responsibility model in AWS?

A

The customer is responsible for security in the cloud, while AWS is responsible for security of the cloud.

3
Q

What are the core tenets of security in the Well-Architected Framework?

A

Identity and access management, data stewardship and encryption, network security, application security, compliance, and security management.

4
Q

Who is responsible for access management in AWS?

A

The customer is responsible for access management in their AWS cloud.

5
Q

What are customers responsible for in terms of operating systems and networking within their AWS account?

A

Customers are responsible for establishing secure connections to their VPC resources, keeping the guest operating system and software on their EC2 instances patched, and configuring firewalls (security groups and network ACLs) to control traffic in their network.

6
Q

What is the principle of least privilege?

A

It is the practice of giving each identity (person, application, or service) only the minimum permissions necessary to complete its task, and nothing more.

7
Q

How can customers offload some security responsibilities using managed services?

A

Managed services shift work to AWS. On EC2, for instance, the customer patches the guest OS and sets up encryption themselves; on RDS, AWS patches the operating system and database engine, and storage encryption is a built-in option you simply enable when creating the instance.

8
Q

Who is responsible for encryption on AWS?

A

The customer. AWS provides the tooling (KMS, ACM, client-side encryption libraries), but the customer is responsible for enabling and configuring client-side encryption, encryption in transit, and encryption at rest for their data.

9
Q

What can IAM policies be applied to?

A

Identity-based IAM policies attach to IAM users, user groups, and roles. A role can then be assumed by an AWS service (for example an EC2 instance), an application, or an identity from another account, which is how resources and applications obtain their permissions.

10
Q

What is encryption in transit and what AWS service helps with it?

A

Encryption in transit protects data while it moves over the network, in practice TLS (HTTPS). AWS Certificate Manager (ACM) provisions, manages, and renews the TLS certificates used by services such as Elastic Load Balancing, CloudFront, and API Gateway.

11
Q

What is IAM Identity Center used for?

A

IAM Identity Center provides single sign-on to AWS accounts and applications, using either its built-in identity store or an existing corporate identity provider connected over SAML 2.0, so users get AWS access with the credentials they already have.

12
Q

How is S3 encrypted by default?

A

Every new object written to S3 is encrypted at rest by default with server-side encryption using S3 managed keys (SSE-S3, AES-256). You can choose SSE-KMS instead per bucket or per object if you need KMS key control and audit trails.

13
Q

What is Macie used for in AWS?

A

Macie uses machine learning and pattern matching to discover sensitive data such as PII and credentials in S3 buckets, and also reports bucket-level risks such as public access or missing encryption.

14
Q

How are EBS volumes and RDS instances encrypted?

A

With AWS Key Management Service (KMS) keys. Encryption is enabled per EBS volume or per RDS instance and uses either the AWS managed key for the service (aws/ebs, aws/rds) or a customer managed KMS key; snapshots taken from an encrypted volume or instance are encrypted as well.

15
Q

What must you do to encrypt an existing RDS instance?

A

You cannot turn encryption on for an existing unencrypted RDS instance; you have to create an encrypted copy and switch to it:
- Take a snapshot of the unencrypted instance.
- Copy the snapshot with encryption enabled, selecting the KMS key.
- Restore a new instance from the encrypted snapshot.
- Repoint connections (application config, load balancers, DNS) to the new instance.
- Test that the new instance works as expected before deleting the old one.

16
Q

What are Parameter Store and Secrets Manager used for?

A

They securely store configuration values and secrets such as database credentials, API keys, or environment variables. Parameter Store (part of AWS Systems Manager) holds plain and SecureString parameters; Secrets Manager is purpose-built for secrets and can automatically rotate them on a schedule, with built-in rotation for RDS credentials.

17
Q

What does AWS WAF protect against?

A

AWS WAF is a web application firewall that filters HTTP(S) requests reaching CloudFront, Application Load Balancers, API Gateway, and AppSync. It protects against common web exploits such as SQL injection and cross-site scripting, and its rate-based rules help against bots and request floods at the application layer.

18
Q

What does AWS Shield protect against?

A

AWS Shield protects against Distributed Denial of Service (DDoS) attacks. Shield Standard is free and always on for every AWS customer; Shield Advanced is a paid tier with additional detection, mitigation, and access to the Shield Response Team.

19
Q

What does AWS Firewall Manager do?

A

AWS Firewall Manager centrally configures and manages AWS WAF rules, Shield Advanced protections, VPC security groups, and Network Firewall policies across all the accounts in an AWS Organization.

20
Q

What is AWS Security Hub?

A

AWS Security Hub provides a single-pane view that aggregates, normalizes, and prioritizes security findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, and partner products so you can take action on them in one place.

21
Q

What does AWS Trusted Advisor do?

A

AWS Trusted Advisor checks your account against AWS best practices and gives recommendations across cost optimization, performance, security, fault tolerance, service limits, and operational excellence.

22
Q

What does Amazon GuardDuty do?

A

Amazon GuardDuty is a threat detection service that continuously analyzes CloudTrail events, VPC Flow Logs, and DNS logs and raises findings when it detects active threats, such as compromised credentials, unusual API calls, or instances communicating with known malicious hosts.

23
Q

What does Amazon Detective help with?

A

Amazon Detective loads GuardDuty findings, CloudTrail events, and VPC Flow Logs into a behavior graph so you can investigate the root cause and scope of security events that have already happened.

24
Q

What does Amazon Inspector detect?

A

Amazon Inspector detects workload vulnerabilities: software vulnerabilities (known CVEs in OS and language packages) and unintended network exposure, across EC2 instances, container images in ECR, and Lambda functions.

25
What is AWS Artifact used for?
AWS Artifact is used to download AWS compliance reports and accept agreements, so you can show auditors that the AWS infrastructure under your workloads meets the relevant standards.
26
What is AWS Organizations used for?
AWS Organizations helps manage multiple accounts centrally: you group accounts into organizational units, apply service control policies (SCPs) to them, and get consolidated billing across all accounts.
27
What is AWS Control Tower used for?
AWS Control Tower automates best practices in multi-account management.
28
How does AWS Security Hub integrate with AWS Organizations?
Security Hub can be enabled across an AWS Organization from a delegated administrator account, which then aggregates findings from every member account into one organization-wide view.
29
Your company wants to use machine learning to assist in monitoring for sensitive data such as PII (personally identifiable information) in their S3 buckets. How can they most easily achieve this?
Macie uses machine learning (ML) and pattern matching to discover and help you protect your sensitive data.
30
Which AWS service will protect your AWS resources from DDoS attacks?
AWS Shield
31
Your company has decided to split its workloads into multiple AWS accounts, but it still wants to be able to take advantage of consolidated billing. How can it accomplish this?
Use AWS Organizations to manage multiple accounts.
32
Your company wants to leverage machine learning to automatically detect security events across your AWS environment. How can they achieve this with the lowest operational overhead?
1. Trusted Advisor
2. Enable Amazon Inspector
3. Enable GuardDuty
4. Enable Detective
Correct answer: Enable GuardDuty. GuardDuty is an intelligent threat detection service that continuously monitors for threats across your AWS account or Organization. Detective also uses machine learning, but its purpose is investigating security events that have already happened.
33
Which service can be used to scan for network and software vulnerabilities on your EC2 instances?
1. GuardDuty
2. Detective
3. Trusted Advisor
4. Inspector
Inspector
34
What is the easiest way to ensure that your S3 objects are encrypted at rest?
1. Encrypt the S3 bucket with Secrets Manager.
2. Encrypt the data at rest by applying KMS managed keys.
3. Use Certificate Manager to provision SSL/TLS certificates to encrypt the S3 bucket.
4. S3 buckets are server-side encrypted by default with SSE-S3 managed keys.
S3 buckets are server-side encrypted by default with SSE-S3 managed keys.
35
What can you use to assign granular permissions to users, roles, and groups?
1. KMS
2. IAM Policies
3. Security Token Service (STS)
4. Config Rules
IAM Policies
36
A regulator has requested documentation that proves your AWS solutions can meet GDPR compliance. What service can help with this?
1. AWS Control Tower
2. AWS Cloud Security
3. AWS Artifact
4. Security Hub
AWS Artifact
37
Who is in charge of patching on RDS, DynamoDB, and Lambda?
AWS. Think of it like staying in a hotel: the building's upkeep is done for you. You still lock your own door, though: you remain responsible for your data, your access control, and (for RDS) choosing the maintenance window.
38
Who is in charge of patching on an EC2 instance?
The customer. Think of it as renting a house: the house is provided, but you install the security system yourself. You patch the guest OS and the software on it, and you configure the security groups in front of it.
39
What does GDPR stand for, and what is it for?
General Data Protection Regulation, the European Union's data protection law. Being GDPR compliant means your application handles EU residents' personal data according to its requirements; which rules apply depends on where your users and their data are located, not only on where your company is.
40
Where can you find AWS's GDPR compliance documentation?
In AWS Artifact, which gives on-demand access to AWS security and compliance documents and reports.
41
What is AWS security hub?
AWS Security Hub is a central security dashboard in AWS that helps you see, understand, and manage the security posture of all your AWS accounts in one place.
42
What is AWS Shield?
It is an AWS-managed security service that protects your applications from DDoS attacks (Distributed Denial of Service attacks).
- AWS Shield Standard: free, enabled by default for all customers
- AWS Shield Advanced: paid, stronger protection and response support
43
What is the main purpose of Amazon CloudWatch?
Amazon CloudWatch is used for monitoring AWS resources and applications. It collects metrics, logs, and performance data to help you understand the health and behavior of your systems.
44
What is AWS CloudTrail used for?
AWS CloudTrail records API calls and events related to AWS resource creation, modification, or deletion. It helps with auditing, security analysis, and tracking who did what in your AWS account.
45
What does AWS Config do?
AWS Config continuously records and evaluates configurations of your AWS resources. It helps you understand how resources are set up, track changes over time, and check if they meet compliance rules.
46
Which service helps you determine who deleted an S3 bucket?
AWS CloudTrail, because it logs API calls including resource deletions and who performed them.
47
Which service would you use to monitor CPU usage on an EC2 instance?
Amazon CloudWatch, because it collects operational metrics like CPU, memory (via agent), disk I/O, and network activity.
48
Which service shows the historical configuration of a security group?
AWS Config, because it stores configuration history and allows you to see exactly how a resource looked at any point in time.
49
Which service would you use to detect a misconfigured S3 bucket that has become public?
AWS Config, especially with compliance rules that check for proper bucket permissions.
50
Which service provides alarms when an application experiences high error rates?
Amazon CloudWatch, because you can create CloudWatch Alarms based on log metrics or service metrics.
51
Which service records all IAM role creation events?
AWS CloudTrail, because it logs identity-related events and resource changes.
52
Which service would you use if you need to prove to auditors that your resources meet compliance requirements (e.g., encryption enabled)?
AWS Config, because it offers compliance evaluations and Config Rules to check required configuration standards.
53
CloudWatch, CloudTrail, or Config: Which one detects performance issues?
CloudWatch, because it collects performance metrics such as latency, CPU, and memory.
54
CloudWatch, CloudTrail, or Config: Which one answers “what changed in my environment?”
AWS Config, because it keeps complete configuration history.
55
CloudWatch, CloudTrail, or Config: Which one answers “who made this change?”
AWS CloudTrail, because it logs the identity of the caller.
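An added example, not from the original flashcards, of answering "who made this change?" from CloudTrail data offline. It parses a handful of constructed records written in CloudTrail's JSON record format (the account ID, names, IP addresses and timestamps are invented), finds who deleted a bucket or created a role, and flags a root console login made without MFA. The watchlist of risky API names is my own choice for the example, not an AWS-published list.

```python
"""Triage constructed CloudTrail records: who did what, and which calls deserve an alert."""
import json

# Constructed sample trail. Field names follow the CloudTrail record format;
# every value (account id, user names, IPs, times) is made up for this example.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/WebServerRole/i-0abc123",
                      "sessionContext": {"sessionIssuer": {"userName": "WebServerRole"}}},
     "requestParameters": {"bucketName": "app-reports", "key": "q1.csv"}},
    {"eventTime": "2024-05-01T10:15:42Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "app-reports"}},
    {"eventTime": "2024-05-01T11:03:09Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob",
                      "sessionContext": {"sessionIssuer": {"userName": "Admin"}}},
     "requestParameters": {"roleName": "DeployRole"}},
    {"eventTime": "2024-05-01T23:41:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
]})

# API names worth alerting on (my selection): destructive, privilege-granting, or log-tampering.
WATCHLIST = {"DeleteBucket", "PutBucketPolicy", "CreateRole", "AttachRolePolicy",
             "CreateAccessKey", "StopLogging", "DeleteTrail"}


def load_records(text):
    return json.loads(text)["Records"]


def actor(record):
    """Human-readable principal: IAM user name, 'root', or role/session for assumed roles."""
    ident = record["userIdentity"]
    kind = ident.get("type")
    if kind == "Root":
        return "root"
    if kind == "IAMUser":
        return ident["userName"]
    if kind == "AssumedRole":
        # The ARN ends in role-name/session-name, e.g. .../assumed-role/Admin/bob
        return "/".join(ident["arn"].split("/")[-2:])
    return ident.get("arn", "unknown")


def who_did(records, event_name, **params):
    """Answer 'who did X to Y?': (time, actor, source IP) for matching records."""
    hits = []
    for rec in records:
        if rec["eventName"] != event_name:
            continue
        req = rec.get("requestParameters") or {}
        if all(req.get(k) == v for k, v in params.items()):
            hits.append((rec["eventTime"], actor(rec), rec["sourceIPAddress"]))
    return hits


def watchlist_hits(records):
    """Every call on the watchlist, with who made it."""
    return [(r["eventTime"], r["eventName"], actor(r))
            for r in records if r["eventName"] in WATCHLIST]


def root_logins_without_mfa(records):
    """Root console sign-ins where MFA was not used (card 62: protect the root user)."""
    return [(r["eventTime"], r["sourceIPAddress"]) for r in records
            if r["eventName"] == "ConsoleLogin"
            and r["userIdentity"].get("type") == "Root"
            and (r.get("additionalEventData") or {}).get("MFAUsed") != "Yes"]


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    print("Deleted app-reports:", who_did(recs, "DeleteBucket", bucketName="app-reports"))
    print("Watchlist:", watchlist_hits(recs))
    print("Root without MFA:", root_logins_without_mfa(recs))
```

In a real account the same questions are asked with CloudTrail Lake or Athena over the trail's S3 bucket; the record structure is the same, so the `actor` and `who_did` logic carries over unchanged.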
56
How do CloudWatch and CloudTrail complement each other?
CloudWatch monitors performance, while CloudTrail tracks user actions. Together, they help you identify both what happened and who caused it.
57
If you need to trigger an automatic action when a resource becomes non‑compliant, which service helps?
AWS Config, which supports automatic remediation using SSM Automation documents.
58
Why do you need user and identity management in AWS?
Because not every person needs the same level of access. Identity management ensures users only have the permissions necessary to do their job, following the principle of least privilege.
59
What service do you use to manage user permissions and authentication in AWS?
AWS Identity and Access Management (IAM).
60
What is an AWS account used for?
An AWS account is where:
- AWS services are provisioned
- Usage logs are stored
- Billing occurs
- Users log in to access the environment
61
Who controls an AWS account when it is first created?
The root user, which is automatically created with full, unrestricted access.
62
Name ways to protect the AWS root user.
- Enable multi-factor authentication (MFA) on the root user
- Do not create root access keys; delete any that already exist
- Store the root password securely and restrict who can reach it
- Do not use root for daily tasks; use IAM Identity Center or IAM identities instead
63
What are some tasks that require the AWS root user?
- Changing AWS account settings (account name, root email address, root password)
- Restoring IAM user permissions when the only administrator has been locked out
- Enabling IAM access to the Billing and Cost Management console
- Closing the AWS account
- Enabling MFA Delete on an S3 bucket
64
What is AWS IAM Identity Center recommended for?
Creating administrative users and managing access centrally instead of using the root user.
65
What is an IAM user?
A permanent identity in a single AWS account with:
- A username and password for console access
- Access keys (optional) for CLI/API access
- The ability to enable MFA
IAM users carry long-lived credentials, so they are used for long-term access; prefer roles or IAM Identity Center where you can.
66
What is an IAM group?
A collection of IAM users that inherit the same set of permissions from attached policies.
67
What is an IAM role used for?
IAM roles provide temporary credentials (issued by STS) and can be assumed by:
- Users
- AWS services (e.g., an EC2 instance through its instance profile)
- Applications
- External or federated identities
- Principals in other AWS accounts
68
When should you use an IAM role instead of an IAM user?
Use a role when:
- Access should be temporary, not long-term
- An AWS service needs permissions (e.g., EC2 → S3)
- You need cross-account access
- Applications require AWS API access without storing long-lived credentials
69
Which AWS service provides temporary AWS credentials for social media logins or guest users?
Amazon Cognito Identity Pools.
70
What is the difference between Cognito User Pools and Cognito Identity Pools?
User Pools → user directory and authentication (sign-up, sign-in, tokens; no unauthenticated access).
Identity Pools → exchange an identity for temporary AWS credentials (supports unauthenticated/guest identities).
71
What is a managed IAM policy?
A managed policy is a standalone policy with its own ARN that can be attached to many users, groups, and roles (unlike an inline policy, which is embedded in a single identity). An AWS managed policy is a managed policy created and maintained by AWS, such as ReadOnlyAccess.
72
What is a customer-managed policy?
A customer-managed policy is a standalone IAM policy that you create and manage in your own AWS account:
- A JSON permissions policy document that you create, edit, and maintain yourself
- Can be attached to multiple users, groups, and roles within your AWS account
73
What tool can you use to test and troubleshoot IAM and resource-based policies?
The IAM Policy Simulator.
74
What is a bucket policy?
A resource-based policy attached directly to an S3 bucket. Unlike an identity-based policy it names a Principal, so it can grant (or deny) access to:
- IAM users and roles in the same account
- Other AWS accounts
- Anonymous/public access (Principal "*"), which S3 Block Public Access exists to stop
75
How is a bucket policy different from a user policy?
Bucket policy → attached to the bucket; names who may access it.
User policy → attached to an IAM user (or group/role); names what it may access.
Both grant S3 access, from different directions. Within one account the request is allowed if either policy allows it and neither contains an explicit deny.
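The two-direction evaluation described in the IAM cards above, as an added example that is not part of the original flashcards: a small Python model of how IAM combines identity-based and resource-based policies within one account (everything starts as an implicit deny, a matching Allow permits, a matching explicit Deny wins over all Allows). The bucket name app-reports, the three policies, and the list of candidate actions are made up for the example, and the evaluator ignores Principal and Condition elements, SCPs, and permission boundaries. For real policies, the IAM Policy Simulator from card 73 does this properly.

```python
"""Toy model of IAM policy evaluation for a single account (illustrative, not the IAM engine).

Modelled: implicit deny by default; any matching Allow (identity- or resource-based)
allows; any matching explicit Deny wins. Action names are case-insensitive, resource
ARNs are case-sensitive, and '*' / '?' behave as IAM wildcards.
Not modelled: Principal matching, Condition blocks, SCPs, permission boundaries.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # ARNs are case-sensitive; '*' matches across ':' and '/' just as in IAM
    return fnmatch.fnmatchcase(resource, pattern)


def evaluate(policies, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
                continue
            if not any(_resource_matches(p, resource) for p in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # one explicit deny ends the evaluation
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def allowed_actions(policies, candidate_actions, resource):
    """Which candidate actions the policies allow on a resource: a least-privilege review aid."""
    return {a for a in candidate_actions if evaluate(policies, a, resource) == "Allow"}


# Hypothetical bucket and policies written for this example.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::app-reports"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-reports/*"},
    ],
}
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
# Resource-based guardrail on the bucket: nobody deletes objects, whatever their user policy says.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject",
                   "Resource": "arn:aws:s3:::app-reports/*"}],
}
CANDIDATE_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                     "s3:ListBucket", "s3:DeleteBucket", "s3:PutBucketPolicy"]

if __name__ == "__main__":
    obj = "arn:aws:s3:::app-reports/q1.csv"
    for label, pols in [("least privilege", [LEAST_PRIVILEGE]),
                        ("broad", [BROAD_POLICY]),
                        ("broad + bucket deny", [BROAD_POLICY, BUCKET_POLICY])]:
        print(f"{label:>20}: {sorted(allowed_actions(pols, CANDIDATE_ACTIONS, obj))}")
```

The `allowed_actions` helper is the shape of the question a least-privilege review asks: given the actions a workload actually uses, how much more does its policy permit? Here the broad policy grants five sensitive extras that the least-privilege policy does not.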
76
What feature can prevent accidental deletion of objects in S3?
MFA Delete: requires MFA to permanently delete an object version or to change the bucket's versioning state. S3 versioning must be enabled first, and only the account root user can enable MFA Delete (through the CLI or API).
77
What is the purpose of AWS Config in IAM/security context?
To evaluate and track whether AWS resources maintain correct and compliant configurations over time.
78
What is the primary role of a cloud practitioner regarding security solutions?
A cloud practitioner typically does not build security solutions, but instead guides people toward the correct AWS services and resources based on their needs.
79
What types of AWS network security services should you be able to describe at a high level?
- Security Groups
- Network Access Control Lists (NACLs)
- AWS WAF (Web Application Firewall)
80
What can you use to secure Amazon VPC subnets?
Network Access Control Lists (NACLs) — They act as a firewall that controls traffic entering or leaving a subnet.
81
What is the difference between NACLs and security groups in terms of where they operate?
NACLs operate at the subnet level. Security groups operate at the resource level, specifically on the Elastic Network Interface (ENI) of resources like EC2 or RDS.
82
Do NACLs participate in traffic between two EC2 instances inside the same VPC but not crossing a subnet boundary?
No. NACLs only control traffic crossing subnet boundaries. Communication within the same subnet is not affected by NACLs.
83
Are NACLs stateful or stateless? What does that mean?
NACLs are stateless. They treat inbound and outbound traffic as separate streams, so:
- If you allow inbound traffic, you must also create a matching outbound rule (typically for the ephemeral port range 1024-65535).
- Without that outbound rule, the return traffic is blocked.
84
Are security groups stateful or stateless?
Security groups are stateful. If an inbound connection is allowed, the return traffic for that connection is automatically allowed out, and vice versa; no separate rule is required.
85
Can security groups explicitly deny traffic?
No. Security groups are allow-only with an implicit "deny all" underneath:
- Anything not explicitly allowed is denied.
- There is no way to write an explicit deny rule.
If you need explicit deny rules (for example to block a known-bad IP range), use NACLs.
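The stateless-versus-stateful difference of the last three cards, as an added Python simulation that is not part of the original flashcards. The addresses, ports and rules are constructed for the example; the model follows the documented semantics (NACL rules evaluated in rule-number order, first match wins, implicit deny at the end; security groups allow-only and connection-tracked) but is not AWS code. One simplification to keep in mind: the simulated security group starts with no outbound rules, whereas a security group created in AWS comes with an allow-all outbound rule.

```python
"""Simulate a stateless NACL and a stateful security group on the same packets."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving at the instance/subnet, "out" = leaving it
    src: str
    dst: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int      # NACL evaluation order, lowest first; ignored by security groups
    direction: str
    proto: str       # "tcp", "udp" or "all"
    port_lo: int     # range applies to the packet's destination port
    port_hi: int
    cidr: str        # remote side: source for "in" rules, destination for "out" rules
    action: str = "allow"


def _matches(rule, pkt):
    if rule.direction != pkt.direction:
        return False
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if not (rule.port_lo <= pkt.dst_port <= rule.port_hi):
        return False
    remote_ip = pkt.src if pkt.direction == "in" else pkt.dst
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)


def nacl_decide(rules, pkt):
    """Stateless: each packet judged alone, lowest rule number first; no match -> the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful and allow-only: a permitted packet opens a flow, and the reverse flow is then allowed."""

    def __init__(self, rules):
        assert all(r.action == "allow" for r in rules), "security groups have no deny rules"
        self.rules = list(rules)
        self.flows = set()

    def decide(self, pkt):
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dst_port, pkt.src_port)
        if reverse in self.flows:
            return "allow"  # return traffic of a tracked connection, no rule needed
        if any(_matches(r, pkt) for r in self.rules):
            self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.src_port, pkt.dst_port))
            return "allow"
        return "deny"


# Constructed scenario: a client opens HTTPS to a web server in a subnet.
CLIENT, SERVER = "198.51.100.23", "10.0.1.10"
SYN_IN = Packet("in", CLIENT, SERVER, "tcp", 51000, 443)
REPLY_OUT = Packet("out", SERVER, CLIENT, "tcp", 443, 51000)
UNSOLICITED_OUT = Packet("out", SERVER, "203.0.113.9", "tcp", 40000, 80)


def scenario():
    """Decisions for the same packets under a security group and two NACL variants."""
    sg = SecurityGroup([Rule(0, "in", "tcp", 443, 443, "0.0.0.0/0")])
    nacl_half = [Rule(100, "in", "tcp", 443, 443, "0.0.0.0/0")]              # forgot outbound
    nacl_full = nacl_half + [Rule(100, "out", "tcp", 1024, 65535, "0.0.0.0/0")]  # ephemeral ports
    nacl_blocklist = [Rule(90, "in", "all", 0, 65535, "198.51.100.0/24", "deny")] + nacl_full
    return {
        "sg_in": sg.decide(SYN_IN),                       # allowed by the rule, flow recorded
        "sg_reply": sg.decide(REPLY_OUT),                 # allowed by state, no outbound rule
        "sg_unsolicited_out": sg.decide(UNSOLICITED_OUT),  # no rule, no flow -> denied
        "nacl_in": nacl_decide(nacl_half, SYN_IN),
        "nacl_reply_missing_rule": nacl_decide(nacl_half, REPLY_OUT),      # stateless: blocked
        "nacl_reply_with_ephemeral": nacl_decide(nacl_full, REPLY_OUT),
        "nacl_blocked_client": nacl_decide(nacl_blocklist, SYN_IN),        # explicit deny, rule 90 first
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:28} {verdict}")
```

The order of the NACL rules is the whole point of the last case: the deny for 198.51.100.0/24 only works because its rule number (90) sorts before the allow (100); swap the numbers and the blocked client gets through.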
86
What types of sources/destinations can security group rules use?
Security group rules can use as source or destination:
- IPv4 or IPv6 CIDR ranges (a single address is a /32 or /128)
- Other security group IDs (including the group itself), so instances are matched by membership rather than address
- Managed prefix lists
87
What AWS service allows you to filter web traffic based on conditions like IP addresses, HTTP headers, and custom URLs?
AWS WAF (Web Application Firewall). It helps block common attack patterns such as:
- SQL injection
- Cross-site scripting (XSS)
88
Can you perform security assessments and penetration testing on your AWS resources without prior approval?
Yes, for a defined list of services. AWS permits customers to run security assessments and penetration tests against their own resources in services on its published list (for example EC2, RDS, CloudFront, API Gateway, and Lambda) without requesting permission. Activities such as DoS/DDoS simulation, DNS zone walking, and port or request flooding remain prohibited without prior arrangement.
89
What AWS services provide recommendations related to security?
- AWS Trusted Advisor (security checks such as open security groups, public S3 buckets, MFA on root)
- Amazon Inspector (vulnerability findings)
90
Where can you find third‑party security tools and software to deploy in your AWS environment?
AWS Marketplace
91
What is AWS Artifact?
AWS Artifact is a self-service portal that provides access to AWS compliance reports and legal agreements.
92
What is AWS Artifact primarily used for?
It is used for compliance, audit, and legal purposes.
93
What are the two main sections of AWS Artifact?
Artifact Reports and Artifact Agreements
94
What can you download from AWS Artifact Reports?
Compliance reports such as SOC, ISO, PCI, and FedRAMP documents.
95
Is AWS Artifact a regional service?
No, AWS Artifact is a global service.
96
Which is which? Artifact report Artifact agreement
Artifact Reports: third-party audit reports (SOC, PCI DSS, ISO) that document how AWS itself meets compliance standards; you download them as evidence for your own auditors.
Artifact Agreements: legal agreements with AWS that you review and accept for your account or organization, such as the Business Associate Addendum (BAA) needed for HIPAA workloads.
97
AWS config
AWS Config records the configuration of your AWS resources and continuously evaluates it against rules you define, flagging any resource that drifts from the configuration you want.
98
AWS audit manager
AWS Audit Manager is a service that helps you prepare for audits by:
- Automatically collecting evidence from your AWS accounts
- Organizing that evidence against common compliance frameworks
- Reducing manual audit preparation work
99
AWS Control Tower
A service you can use to enforce and manage governance rules for security, operations, and compliance at scale across all your organizations and accounts in the AWS Cloud.
100
The AWS Control Tower dashboard
provides continuous oversight to see provisioned accounts across your enterprise. AWS Control Tower also has controls for policy enforcement and can help detect noncompliant resources.
101
The AWS Control Tower Account Factory
A configurable account template that standardizes the provisioning of new accounts.
102
A landing zone related to Governance
In Control Tower, a landing zone is the well-architected multi-account environment it sets up for you: the enterprise-wide container holding all the organizational units (OUs), accounts, users, and resources you want to govern for compliance.
103
Service Catalog
A service you can use to create, share, and organize AWS services and resources from a curated catalog that you define
104
License Manager
A service that helps you manage your software licenses and fine-tune licensing costs
105
AWS Health
AWS Health is the go-to data source for events and changes affecting the health of your AWS Cloud resources. It notifies you about service events, planned changes, and account notifications so you can take action in time.
106
Trusted Advisor
Helps to align with AWS best practices, prioritize recommendations, and optimize your AWS resources at scale.
107
IAM Access Analyzer
Helps you reach least privilege by:
- Identifying resources shared with external entities (other accounts, public access)
- Validating IAM policies against grammar and best practices
- Generating fine-grained policies from observed CloudTrail activity
- Finding and removing unused access and overly broad permissions
- Automating IAM policy reviews