AWS : Cloud Practitioner Exam — Part 2

A Quick Review of Security

Pisit J.
Sum up As A Service
5 min read · Jan 11, 2020


Part 2 : Security (25% of exam)

  • Understand AWS shared responsibility model
  • Understand AWS identity & access management
  • Understand AWS security best practices

1. Which of the following tasks are the responsibility of AWS?

AWS responsibility “Security of the Cloud”

This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

- Physical data centers audit & security

- Disk Disposal

- Cable Patching

2. Which of the following tasks are the responsibility of the AWS customer?

Customer responsibility “Security in the Cloud”

The customer is responsible for everything they put into the cloud: the guest operating system, the application software, the data, and the configuration of the AWS-provided security controls.

- Network Access Control Lists (and security group rules)

- Data Encryption (at rest and in transit, including management of the keys if the customer chooses to manage them)

- Customers that deploy an Amazon EC2 instance are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance.

3. Which of the following represents a responsibility of both the customer and AWS?

- Awareness & Training — AWS trains AWS employees, but a customer must train their own employees.

- Patch Management — AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications (in Amazon EC2).

4. You are worried about your users’ account security and would like to add security to IAM users. Which of the following can help?

- Implement MFA (Multi-Factor Authentication) for IAM users and, above all, for the root account

- Increase password strength through the account password policy (minimum length, required character classes)

- Set a password expiration interval and rotate access keys regularly

- Delete the root account’s access keys (the root user should not have long-term programmatic credentials at all)
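The four items above are exactly what the IAM credential report lets you check across an account. The following is an added example, not part of the original post: it parses a constructed credential report (same column layout as `aws iam get-credential-report`, but with made-up users and a fixed “today” of 11 Jan 2020) and flags root access keys, missing MFA and stale passwords or keys. The 90-day rotation limits are an assumed policy, not an AWS default.

```python
"""Audit a (constructed) IAM credential report for the account-hardening items above."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of the real IAM credential report.
# Only the columns used by the checks below are included; account id and users are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-01T00:00:00+00:00,not_supported,not_supported,false,true,2019-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2019-06-01T00:00:00+00:00,true,2019-12-01T00:00:00+00:00,true,true,2019-12-20T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2019-09-01T00:00:00+00:00,true,2019-12-01T00:00:00+00:00,false,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2018-03-01T00:00:00+00:00,false,N/A,false,true,2018-03-01T00:00:00+00:00,false,N/A
"""

NOW = datetime(2020, 1, 11, tzinfo=timezone.utc)  # fixed "today" so the example is deterministic
MAX_PASSWORD_AGE = timedelta(days=90)             # assumed policy: rotate passwords every 90 days
MAX_KEY_AGE = timedelta(days=90)                  # assumed policy: rotate access keys every 90 days


def _parse_ts(value):
    """Return a datetime for an ISO timestamp, or None for N/A / not_supported / no_information."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=NOW):
    """Return {user: [finding, ...]} for every principal that fails at least one check."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        issues = []
        if user == "<root_account>":
            # Root should have no programmatic credentials and must have MFA.
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                issues.append("root account has an active access key; delete it")
            if row["mfa_active"] != "true":
                issues.append("root account has no MFA device")
        else:
            if row["password_enabled"] == "true":
                # Console users need MFA and a password within the rotation window.
                if row["mfa_active"] != "true":
                    issues.append("console user without MFA")
                changed = _parse_ts(row["password_last_changed"])
                if changed is not None and now - changed > MAX_PASSWORD_AGE:
                    issues.append("password older than %d days" % MAX_PASSWORD_AGE.days)
            for n in ("1", "2"):
                # Active access keys are long-term credentials; check their age.
                if row["access_key_%s_active" % n] == "true":
                    rotated = _parse_ts(row["access_key_%s_last_rotated" % n])
                    if rotated is not None and now - rotated > MAX_KEY_AGE:
                        issues.append("access key %s older than %d days" % (n, MAX_KEY_AGE.days))
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        for issue in issues:
            print("%s: %s" % (user, issue))
```

On the sample, the root account is flagged for its active access key and missing MFA, bob for a console login without MFA, and deploy-bot for a key that was never rotated; alice passes every check. Running the same function over a real report downloaded with the CLI is a one-line change.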

5. Following AWS best practices, how would you apply the same level of permissions to a large number of users?

- Instead of defining permissions for individual IAM users, it’s usually more convenient to create groups that relate to job functions (administrators, developers, accounting, etc.)

- Next, define the relevant permissions for each group.

- Finally, assign IAM users to those groups. All the users in an IAM group inherit the permissions assigned to the group. That way, you can make changes for everyone in a group in just one place.

- As people move around in your company, you can simply change what IAM group their IAM user belongs to.

6. Which of the following would you use in order to secure EC2 instances?

- When you launch an instance in a VPC, you can assign up to five security groups to the instance (the default quota per network interface). Security groups act at the instance level, not the subnet level, and are stateful: return traffic for an allowed connection is permitted automatically. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups.

- A Network Access Control List is an optional layer of security for your VPC that acts as a stateless firewall for controlling traffic in and out of one or more subnets (it needs explicit rules for both directions). You might set up Network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.

7. Which of the following options is the most secure and recommended way to call AWS services through an API from an EC2 instance?

An IAM role, attached to the instance through an instance profile. An IAM role is an IAM identity that you can create in your account that has specific permissions.

An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it.

When you assume a role, it provides you with temporary security credentials for your role session. An application or a service offered by AWS (like Amazon EC2) can assume a role by requesting temporary security credentials for a role with which to make programmatic requests to AWS.

You use a role this way so that you don’t have to share or maintain long-term security credentials (for example, by creating an IAM user) for each entity that requires access to a resource.

8. Which of the following options best describes the “Principle of Least Privilege” in AWS?

Granting only the permissions required to perform a task

9. Which of the following AWS services can assist you in auditing your infrastructure in AWS from a security perspective?

AWS Trusted Advisor is an online tool that provides real-time guidance to help you provision your resources following AWS best practices; its security checks include items such as security groups with unrestricted ports, MFA on the root account and IAM use.

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS by assessing EC2 instances for vulnerabilities and deviations from best practices.

10. What should a customer do in order to run vulnerability and penetration testing on their AWS infrastructure?

AWS customers are welcome to carry out security assessments or penetration tests against their own AWS infrastructure without prior approval for the services on AWS’s published list of permitted services. Tests outside that list, and anything resembling denial of service, still require authorization from AWS.

11. Which of the following IAM entities is associated with an access key ID and a secret access key when using the AWS CLI?

IAM user

12. You decide to create a backup of your running EC2 instance and store it in S3. You can give EC2 the necessary permissions to access S3 so that this happens automatically.

What would you need to configure on the EC2 instance in order to facilitate this?

An IAM role attached to the instance (an instance profile), for the reasons given in question 7. Placing an access key and secret key on the instance also works, but that is exactly the long-term credential a role exists to avoid: it has to be distributed and rotated and can be copied off the disk, whereas the role’s temporary credentials are delivered to the instance and expire on their own.

13. You decide to host your static website in an Amazon S3 bucket. What would you use to make the bucket publicly accessible?

Bucket policies (a resource-based policy attached to the bucket; a public-read statement grants s3:GetObject on the bucket’s objects to everyone, which also requires relaxing Block Public Access for that bucket)
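Questions 8, 12 and 13 are all about the shape of a policy document: a least-privilege IAM policy for the backup role, and a bucket policy that deliberately opens one bucket to the public. The following is an added example, not part of the original post: a small checker that walks a policy document and reports Allow statements with a wildcard action, a wildcard resource or a public principal, run over three constructed policies (bucket names and account id are hypothetical). It uses only the standard library, so it runs offline.

```python
"""Check IAM and S3 bucket policy documents for grants broader than least privilege."""
import json


def _as_list(value):
    """Policy elements such as Action, Resource and Principal.AWS may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    """True when the Principal element allows anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def analyze_policy(policy):
    """Return a list of (statement index, finding) for each Allow that is wider than it should be."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append((i, "Action is '*' (every API call)"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((i, "Action grants every call of a service"))
        if "*" in resources:
            findings.append((i, "Resource is '*' (every resource)"))
        if _is_public(stmt.get("Principal")):
            findings.append((i, "Principal is '*' (public access)"))
    return findings


# Constructed policy 1: the classic "AdministratorAccess" shape, the opposite of least privilege.
OVERBROAD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

# Constructed policy 2: what the role from question 12 needs to write EC2 backups into one prefix.
BACKUP_ROLE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::example-backups/ec2/*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-backups"}
  ]
}""")

# Constructed policy 3: the bucket policy from question 13. The checker still reports the
# public principal, so that making a bucket public is a reviewed decision rather than an accident.
WEBSITE_BUCKET = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-website/*"}]
}""")

if __name__ == "__main__":
    for name, doc in (("overbroad", OVERBROAD), ("backup role", BACKUP_ROLE),
                      ("website bucket", WEBSITE_BUCKET)):
        print(name, analyze_policy(doc) or "no findings")
```

The backup-role policy produces no findings because it names one bucket and the single prefix the instance writes to; the same policy with `"Resource": "*"` would be flagged even though it “works”, which is the practical meaning of least privilege.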

14. Which of the following entities has control over the data in an AWS account?

The AWS account owner (the customer). AWS does not access or use customer content except as needed to provide the service.

15. Which of the following compliance programs shows that AWS meets the requirements for storing medical records in the US?

HIPAA. Strictly, HIPAA is a US law rather than a certification; AWS offers HIPAA-eligible services under a Business Associate Addendum, and the customer remains responsible for using them in a compliant way.

16. Which of the following represent AWS security design principles?

- Enable logging & traceability

- Implement the principle of least privilege everywhere

- Apply security at all layers
