Security & Compliance Flashcards

(48 cards)

1
Q

What is the AWS Shared Responsibility Model?

A

AWS is responsible for Security OF the Cloud (physical infrastructure, hardware, networking, hypervisor, global infrastructure). The customer is responsible for Security IN the Cloud (data, OS, application, IAM, firewall config, encryption).

2
Q

What is AWS responsible for in the Shared Responsibility Model?

A

Physical security of data centres, hardware and software infrastructure, networking infrastructure, virtualisation infrastructure, global infrastructure (Regions, AZs, Edge Locations), and managed service operations (e.g. RDS OS/DB patching).

3
Q

What is the customer responsible for in the Shared Responsibility Model?

A

Customer data; platform, applications and identity/access management; OS, network and firewall configuration; client-side data encryption and integrity; server-side encryption; network traffic protection (encryption, integrity, identity); security groups and NACLs.

4
Q

In the Shared Responsibility Model, who patches an EC2 OS?

A

The customer. EC2 is IaaS: AWS patches the physical host and hypervisor; everything from the guest OS upward (kernel, packages, application) is the customer's to patch.

5
Q

In the Shared Responsibility Model, who patches an RDS DB engine?

A

AWS. RDS is a managed service: AWS patches the underlying OS and the database engine, applying them during a maintenance window the customer chooses. The customer still owns database users and schema, security groups, encryption settings and backup retention.

6
Q

In the Shared Responsibility Model, who manages S3 bucket policies and encryption?

A

The customer. AWS manages the S3 infrastructure and durability; the customer manages bucket policies, encryption settings, and access control.

7
Q

What is the key rule of the Shared Responsibility Model?

A

‘If you put it there, you manage it.’ Managed services offload more responsibility to AWS; unmanaged services (like EC2) leave more responsibility with the customer.

8
Q

What is AWS Artifact?

A

A free self-service portal for on-demand access to AWS compliance reports (SOC, PCI certificates, ISO certifications) and legal agreements like the Business Associate Agreement (BAA) for HIPAA.

9
Q

What compliance frameworks does AWS support?

A

HIPAA (healthcare), PCI DSS (payment cards), SOC 1 (controls relevant to financial reporting) and SOC 2/3 (security, availability and confidentiality controls), ISO 27001 (information security), FedRAMP (US government), GDPR (EU data protection). AWS holds these attestations for its infrastructure; the customer's own workload must still be built and audited to the framework.

10
Q

What is the AWS Compliance Center?

A

A central location to research cloud-related regulatory requirements, browse country-specific laws, discover how companies solve compliance challenges, and get audit/security checklists.

11
Q

What is AWS Audit Manager?

A

Continuously collects evidence about how your AWS resources are used and configured, maps it to prebuilt or custom control frameworks (e.g. PCI DSS, SOC 2, GDPR), and assembles audit-ready assessment reports. It does not itself record resource configuration history; that is AWS Config, which Audit Manager uses as one of its evidence sources alongside CloudTrail and Security Hub.

12
Q

What are the key security concepts: encryption at rest, encryption in transit, MFA?

A

Encryption at rest: data encrypted when stored (S3, EBS, RDS all support this). | Encryption in transit: data encrypted while moving (TLS/SSL). | MFA: requires an extra security code from a device/app at login.

13
Q

What is ‘Defence in depth’?

A

Applying multiple layers of security controls so that if one layer fails, others still protect the system.

14
Q

What is IAM and what does it cost?

A

Identity and Access Management – controls WHO can do WHAT in your AWS account. It is free to use.

15
Q

What are the 4 core IAM components?

A

Users – individual accounts for people or applications. | Groups – collections of users that inherit group permissions. | Roles – temporary permissions assumed by trusted entities (no permanent credentials). | Policies – JSON documents defining Allow/Deny permissions on resources.

16
Q

What is an IAM User?

A

An identity within an AWS account that represents a person or application. Has long-lived credentials: username/password for the console, or Access Key ID + Secret Access Key for CLI/SDK. New users have no permissions by default (implicit deny).

17
Q

What is an IAM Group?

A

A collection of IAM users. Attach policies to the group and all users in the group inherit those permissions. Example groups: Developers, Admins, Auditors.

18
Q

What is an IAM Role?

A

An IAM identity with specific permissions that can be assumed temporarily by trusted entities (EC2 instances, Lambda functions, cross-account users, federated users). Uses short-term tokens – no permanent credentials.

19
Q

What is an IAM Policy?

A

A JSON document that defines Allow or Deny permissions for specific actions on specific AWS resources. Attached to users, groups, or roles. Evaluation: everything is implicitly denied until a policy allows it, and an explicit Deny in any applicable policy overrides every Allow.

20
Q

What is the structure of an IAM Policy JSON?

A

Version (use "2012-10-17") and a Statement array. Each statement has an optional Sid, an Effect (Allow/Deny), Action (e.g. s3:GetObject; wildcards such as s3:Get* are allowed), Resource (e.g. arn:aws:s3:::my-bucket/*) and an optional Condition block. Principal appears only in resource-based policies such as S3 bucket policies.

21
Q

What are the 3 types of IAM policies?

A
  1. AWS Managed – pre-built by AWS (e.g. AdministratorAccess, ReadOnlyAccess) | 2. Customer Managed – custom policies you create | 3. Inline – embedded directly into a specific user, group, or role
22
Q

List the 8 IAM best practices.

A
  1. Lock down root account + enable MFA | 2. Create individual IAM users (not shared) | 3. Use groups to assign permissions | 4. Apply least privilege | 5. Enable MFA for all privileged users | 6. Use roles for applications/services | 7. Rotate credentials regularly | 8. Use IAM Access Analyzer to review permissions
23
Q

What is the Principle of Least Privilege?

A

Grant identities only the minimum permissions required to perform their job – nothing extra.

24
Q

What is AWS Organizations?

A

A service for centrally managing multiple AWS accounts. Provides consolidated billing, Organizational Units (OUs) for grouping accounts, and Service Control Policies (SCPs) for guardrails.

25
Q

What is an Organizational Unit (OU) in AWS Organizations?

A

A logical grouping of AWS accounts within an organisation (e.g. Dev, Prod, Finance OUs). OUs can be nested. An SCP attached to an OU is inherited by every account and child OU beneath it; billing is consolidated at the organisation level rather than per OU.

26
Q

What are Service Control Policies (SCPs)?

A

Permission guardrails applied at the root, OU, or account level in AWS Organizations. They restrict the maximum available permissions – they do NOT grant permissions: an action succeeds only if the SCP allows it AND the identity's own IAM policies allow it. They do NOT affect the management account.

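The policy structure in card 20 and the "SCPs set a ceiling but grant nothing" rule in card 26 are easier to internalise by running the evaluation order yourself. The following is an added example, not code from the flashcards or from AWS. It models only the documented core of IAM evaluation (implicit deny, explicit Allow, explicit Deny always winning) for an identity-based policy combined with an SCP; resource-based policies, permission boundaries, session policies and Condition keys are deliberately left out. The two policy documents, the account ID 123456789012 and the bucket name example-reports are constructed for illustration.

```python
import fnmatch
import json

# Constructed identity-based policy for a hypothetical IAM user.
IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
    {"Sid": "TrailAdmin", "Effect": "Allow",
     "Action": "cloudtrail:*", "Resource": "*"},
    {"Sid": "NeverDeleteReports", "Effect": "Deny",
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-reports/*"}
  ]
}
""")

# Constructed SCP in the common deny-list style: allow everything, then carve
# out guardrails that no IAM policy inside the OU can override.
SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
     "Resource": "*"}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """IAM wildcard match: '*' spans any characters, '?' exactly one.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    patterns = _as_list(patterns)
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Decision of one policy document for one request:
    'Deny' (explicit), 'Allow', or 'ImplicitDeny' when no statement applies."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, case_insensitive=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


def is_authorized(identity_policy, scp, action, resource, management_account=False):
    """Combine the layers: the SCP sets the ceiling (it grants nothing by
    itself), then the identity policy must grant the action explicitly.
    SCPs are not applied to the organisation's management account."""
    if not management_account and evaluate(scp, action, resource) != "Allow":
        return False
    return evaluate(identity_policy, action, resource) == "Allow"


if __name__ == "__main__":
    trail = "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"
    obj = "arn:aws:s3:::example-reports/q1.csv"
    for act, res in [("s3:GetObject", obj), ("s3:DeleteObject", obj),
                     ("s3:PutObject", obj), ("cloudtrail:LookupEvents", trail),
                     ("cloudtrail:StopLogging", trail)]:
        print(f"{act:26} -> {is_authorized(IDENTITY_POLICY, SCP, act, res)}")
```

Note the two different reasons a request fails: s3:PutObject fails because nothing allows it (implicit deny), while cloudtrail:StopLogging fails even though TrailAdmin allows it, because the SCP's explicit Deny caps what the account can do. Pass management_account=True and the same call succeeds, which is exactly why the management account should hold no workloads.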
27
Q

What are the benefits of AWS Organizations consolidated billing?

A

Single payment method for all accounts; volume (tiered) discounts apply to the combined usage of every account; Reserved Instances and Savings Plans can be shared across the organisation.

28
Q

What does Amazon GuardDuty do?

A

Agentless threat detection. Analyses CloudTrail management (and S3 data) events, VPC Flow Logs and DNS logs using threat-intelligence feeds and ML to produce findings such as cryptocurrency mining, anomalous API calls, and compromised instances or credentials. It reads these sources directly, so you do not have to enable Flow Logs or a trail yourself for it to work.

29
Q

What does Amazon Inspector do?

A

Automated security assessments of EC2 instances, container images in ECR, and Lambda functions. Continuously scans for known software vulnerabilities (CVEs) and unintended network exposure, and produces prioritised findings when it discovers them.

30
Q

What does Amazon Macie do?

A

Uses ML and pattern matching to automatically discover, classify, and protect sensitive data (PII, credentials, financial data) stored in Amazon S3. Scans S3 buckets, flags buckets that are publicly accessible or unencrypted, and produces findings for sensitive data it locates.

31
Q

What does AWS CloudTrail record?

A

API calls made in your AWS account (management events, data events, Insights events): who did what, when, and from where (identity ARN, source IP, user agent). With a trail configured, logs are delivered to an S3 bucket and optionally CloudWatch Logs; enable log file validation so tampering with delivered files can be detected. Without a trail, the console Event history shows only the last 90 days of management events.

32
Q

What are the 3 types of CloudTrail events?

A

Management Events: control-plane operations such as create/modify/delete on resources (logged by default). | Data Events: high-volume resource-level activity such as S3 GetObject or Lambda Invoke (not logged by default; must be enabled per trail and billed separately). | Insights Events: flag unusual API call rates or error rates relative to the account's baseline.

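Cards 31 and 32 describe what a CloudTrail record contains; a short triage pass over real-shaped records shows how that maps to detection. The following is an added example, not from the flashcards or from AWS. The five records are constructed (trimmed to the fields used, with the same key names CloudTrail emits: eventCategory, userIdentity.type, additionalEventData.MFAUsed, readOnly); the account ID, IP addresses, user and role names are invented. It classifies records by event category and flags root usage, console logins without MFA, and IAM write operations.

```python
import json
from collections import Counter

# Constructed CloudTrail records. A real trail delivers gzipped files to S3
# whose JSON body has the same {"Records": [...]} shape.
SAMPLE_LOG = json.loads("""
{"Records": [
 {"eventVersion": "1.08", "eventTime": "2024-03-01T09:12:44Z",
  "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "eventCategory": "Management", "awsRegion": "us-east-1",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "accountId": "123456789012",
                   "arn": "arn:aws:iam::123456789012:root"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventVersion": "1.08", "eventTime": "2024-03-01T09:15:02Z",
  "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
  "eventCategory": "Management", "awsRegion": "us-east-1", "readOnly": false,
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "accountId": "123456789012",
                   "arn": "arn:aws:iam::123456789012:root"},
  "requestParameters": {"userName": "deploy-bot"}},
 {"eventVersion": "1.08", "eventTime": "2024-03-01T09:20:31Z",
  "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "eventCategory": "Data", "awsRegion": "eu-west-1", "readOnly": true,
  "sourceIPAddress": "10.0.3.25",
  "userIdentity": {"type": "AssumedRole", "accountId": "123456789012",
                   "arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc123"},
  "requestParameters": {"bucketName": "example-reports", "key": "q1.csv"}},
 {"eventVersion": "1.08", "eventTime": "2024-03-01T09:25:10Z",
  "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
  "eventCategory": "Management", "awsRegion": "us-east-1", "readOnly": true,
  "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "IAMUser", "accountId": "123456789012", "userName": "alice",
                   "arn": "arn:aws:iam::123456789012:user/alice"}},
 {"eventVersion": "1.08", "eventTime": "2024-03-01T09:30:00Z",
  "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "eventCategory": "Management", "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "IAMUser", "accountId": "123456789012", "userName": "alice",
                   "arn": "arn:aws:iam::123456789012:user/alice"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "Yes"}}
]}
""")


def actor(record):
    """Human-readable principal: 'root', an IAM user name, or the role name
    behind an assumed-role session ARN."""
    ident = record["userIdentity"]
    if ident["type"] == "Root":
        return "root"
    if ident["type"] == "IAMUser":
        return ident["userName"]
    if ident["type"] == "AssumedRole":
        return ident["arn"].split(":assumed-role/")[1].split("/")[0]
    return ident.get("arn", ident["type"])


def count_by_category(records):
    """Management vs Data vs Insight, as labelled by CloudTrail itself."""
    return dict(Counter(r["eventCategory"] for r in records))


def triage(records):
    """Three simple detections; returns (rule, actor, eventName, eventTime) tuples."""
    findings = []
    for r in records:
        who, name, when = actor(r), r["eventName"], r["eventTime"]
        if r["userIdentity"]["type"] == "Root":
            findings.append(("RootAccountUsed", who, name, when))
        if name == "ConsoleLogin" and r.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("ConsoleLoginWithoutMFA", who, name, when))
        if r["eventSource"] == "iam.amazonaws.com" and not r.get("readOnly", False):
            findings.append(("IamWriteOperation", who, name, when))
    return findings


if __name__ == "__main__":
    print(count_by_category(SAMPLE_LOG["Records"]))
    for finding in triage(SAMPLE_LOG["Records"]):
        print(*finding)
```

The root login without MFA followed three minutes later by CreateAccessKey is the sequence these detections exist for; in production the same logic would run as an EventBridge rule or over the trail's S3 files rather than an inline sample.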
33
Q

What does AWS Config do?

A

Assesses, audits, and evaluates the configuration of AWS resources over time. Configuration history tracks every change. Rules evaluate compliance (e.g. 'all S3 buckets must have encryption enabled'). Config records and reports; it does not block a non-compliant change, but auto-remediation can run an SSM Automation document to fix it after the fact.

34
Q

What is AWS Security Hub?

A

A central security findings aggregator and compliance dashboard. Ingests findings from Config, GuardDuty, Inspector, Macie, Firewall Manager and third-party tools, normalised into the AWS Security Finding Format (ASFF), and runs automated checks against standards such as AWS Foundational Security Best Practices and the CIS AWS Foundations Benchmark.

35
Q

What is Amazon Detective?

A

Analyses and investigates the root cause of security findings. Ingests VPC Flow Logs, CloudTrail, and GuardDuty findings, and uses ML and statistical analysis to build visualisations of resource behaviour over time.

36
Q

What is AWS Shield?

A

DDoS protection. Shield Standard is free for all customers and automatically mitigates common network and transport layer (L3/L4) attacks. Shield Advanced is paid and adds enhanced detection and mitigation (including application layer attacks), access to the 24/7 Shield Response Team (SRT), and cost protection against scaling charges caused by an attack.

37
Q

What is AWS WAF (Web Application Firewall)?

A

Monitors HTTP(S) requests and protects web apps from common exploits like SQL injection and XSS. Uses web ACL rules that match on IP, country, headers, request size or request rate and take an action (Allow, Block, Count, CAPTCHA). AWS Managed Rule groups cover common attack patterns; rate-based rules throttle floods. Protects CloudFront, ALB, API Gateway, AppSync, and Cognito user pools.

38
Q

What is AWS Network Firewall?

A

A stateful managed network firewall with intrusion detection/prevention for VPCs. Inspects traffic entering and leaving a VPC using stateless and stateful rule groups, including Suricata-compatible IPS rules and domain allow/deny lists.

39
Q

What is the difference between a Security Group and a Network ACL (NACL)?

A

Security Group: instance (ENI)-level firewall, stateful (the reply to an allowed request is automatically allowed), allow rules only, all rules evaluated together so order does not matter. | NACL: subnet-level firewall, stateless (return traffic must be explicitly allowed, typically with an outbound rule for the ephemeral port range 1024–65535), both allow and deny rules, rules evaluated in numbered order with the first match winning and the final * rule denying everything else.

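Card 39 is the one most often answered correctly on paper and wrong in practice, so here the two rule engines are written out as an added example (not from the flashcards or from AWS). It models the documented semantics only: NACL rules in ascending number order with first match winning and an implicit final deny, security groups as an unordered allow-only set whose stateful tracking admits replies. The Rule type, the rule sets and the IP addresses are constructed for illustration, and the ephemeral range 1024–65535 is the one the card names.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int       # NACL rule number; ignored for security groups
    protocol: str     # "tcp", "udp", "icmp" or "-1" for all traffic
    port_from: int
    port_to: int
    cidr: str
    action: str       # "allow" or "deny"; security groups only ever "allow"


def rule_matches(rule, protocol, port, ip):
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not rule.port_from <= port <= rule.port_to:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)


def nacl_decision(rules, protocol, port, ip):
    """Network ACL semantics: rules are tried in ascending number order, the
    first match decides, and the trailing '*' rule denies anything unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, protocol, port, ip):
            return rule.action
    return "deny"


def sg_decision(rules, protocol, port, ip):
    """Security group semantics: all rules are considered together and any
    match permits; there are no deny rules, so order cannot matter."""
    return "allow" if any(rule_matches(r, protocol, port, ip) for r in rules) else "deny"


def connection_allowed(sg_inbound, nacl_inbound, nacl_outbound,
                       client_ip, client_port, server_port, protocol="tcp"):
    """Trace one connection from client_ip:client_port to an instance's
    server_port. Returns (request_allowed, response_allowed)."""
    request_ok = (nacl_decision(nacl_inbound, protocol, server_port, client_ip) == "allow"
                  and sg_decision(sg_inbound, protocol, server_port, client_ip) == "allow")
    if not request_ok:
        return False, False
    # The security group is stateful: the reply to a permitted request is
    # allowed without consulting outbound rules. The NACL is stateless: the
    # reply is a fresh outbound packet to the client's ephemeral port.
    response_ok = nacl_decision(nacl_outbound, protocol, client_port, client_ip) == "allow"
    return True, response_ok


# Constructed rule sets for a public HTTPS server.
SG_INBOUND = [Rule(0, "tcp", 443, 443, "0.0.0.0/0", "allow")]
NACL_IN_OPEN = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Mistake: only port 443 allowed outbound, so replies on ephemeral ports die.
NACL_OUT_HTTPS_ONLY = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Fix: allow the ephemeral port range clients use as their source port.
NACL_OUT_EPHEMERAL = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
# Ordering: a block-list entry only works if its number is lower than the allow.
NACL_IN_BLOCKLIST = [Rule(100, "tcp", 443, 443, "203.0.113.0/24", "deny"),
                     Rule(200, "tcp", 443, 443, "0.0.0.0/0", "allow")]
NACL_IN_WRONG_ORDER = [Rule(200, "tcp", 443, 443, "203.0.113.0/24", "deny"),
                       Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    print(connection_allowed(SG_INBOUND, NACL_IN_OPEN, NACL_OUT_HTTPS_ONLY, "198.51.100.7", 51234, 443))
    print(connection_allowed(SG_INBOUND, NACL_IN_OPEN, NACL_OUT_EPHEMERAL, "198.51.100.7", 51234, 443))
    print(nacl_decision(NACL_IN_BLOCKLIST, "tcp", 443, "203.0.113.9"),
          nacl_decision(NACL_IN_WRONG_ORDER, "tcp", 443, "203.0.113.9"))
```

Two failure modes fall out directly: with NACL_OUT_HTTPS_ONLY the handshake arrives but the SYN-ACK never leaves the subnet, which looks like a silent timeout rather than a refused connection; and with NACL_IN_WRONG_ORDER the deny rule is dead because rule 100 already matched, the classic mistake when a block entry is appended with the next free number.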
40
Q

What are VPC Flow Logs?

A

Capture metadata about IP traffic to and from network interfaces in a VPC (source/destination addresses and ports, protocol, byte counts, and whether each flow was accepted or rejected by security groups/NACLs), published to CloudWatch Logs or S3. They do not capture packet payloads. Used for security analysis, spotting rejected connections, and troubleshooting.

41
Q

What is AWS KMS?

A

Key Management Service: create and manage cryptographic keys used to encrypt/decrypt data. Key material never leaves KMS unencrypted; callers ask KMS to encrypt, decrypt, or generate data keys (envelope encryption). Access is controlled by key policies plus IAM, every key use is logged in CloudTrail, and automatic rotation is available for symmetric customer managed keys.

42
Q

What is AWS Secrets Manager?

A

Stores, rotates, and retrieves secrets (passwords, API keys, DB credentials) so they are not hard-coded in source. Supports automatic rotation on a schedule using a Lambda function, with built-in rotation for RDS and other database credentials. Short-lived secrets shrink the window in which a leaked credential is useful.

43
Q

What is AWS Certificate Manager (ACM)?

A

Provisions, manages, and renews public and private SSL/TLS certificates for AWS websites and applications. Public certificates are issued at no charge and deployed directly to integrated services such as ELB, CloudFront and API Gateway, so nothing needs to be purchased from a third party, and ACM renews them automatically.

44
Q

What is AWS IAM Identity Center (formerly SSO)?

A

Centrally manages single sign-on (SSO) access across multiple AWS accounts and applications. Simplifies managing users across an AWS Organization.

45
Q

What is AWS CloudHSM?

A

Provides a dedicated, single-tenant hardware security module (HSM) in the cloud, validated to FIPS 140-2 Level 3. Cryptographic keys are generated and stored on the HSM and never leave it; the customer controls the HSM users and AWS has no access to the key material. Used when compliance requires an HSM under the customer's sole control, and helps minimise the risk of key leakage.

46
Q

What is AWS Firewall Manager?

A

Manages security services (WAF rules, Shield Advanced, security groups, Network Firewall) across multiple AWS accounts. Configure rules once and apply them across all accounts in the organisation. Requires AWS Organizations; policies are applied automatically to new accounts and resources as they appear.

47
Q

What is AWS Resource Access Manager?

A

Securely shares AWS resources (e.g. VPC subnets, Transit Gateways, Route 53 Resolver rules) across accounts, OUs, or an entire organisation. Create a resource once and share it with other accounts without duplicating it.

48
Q

What is AWS Private Certificate Authority?

A

A managed private CA that issues certificates for authenticating internal users, computers, and applications. Certificates are trusted only within your organisation, not on the public internet.