AWS Cloud Practitioner Essentials T2.2

Questions and Answers

Which compliance standard is specifically tailored for protecting healthcare data?

• GDPR
• PCI DSS
• C5
• HIPAA (correct)

What is the primary function of AWS Security Hub?

• To block DDoS attacks
• To filter malicious traffic targeting web applications
• To identify vulnerabilities in EC2 applications
• To provide a centralized view of security alerts and posture (correct)

Which AWS service is primarily responsible for detecting threats using machine learning?

• Amazon GuardDuty (correct)
• AWS WAF
• Amazon Inspector
• AWS Shield

What encryption method ensures data is secure while being transferred between systems?

Encryption in Transit (D)

Which AWS service tracks user activity and API calls for auditing purposes?

AWS CloudTrail (A)

In compliance management, who is responsible for securing the operating system and applications on Amazon EC2?

Only the customers (D)

Which of the following encryption tools is used for protecting data stored in AWS services like S3 and EBS?

AWS Key Management Service (KMS) (B)

What is a key advantage of using AWS Config?

To track and record configuration changes (B)

What is the purpose of AWS Audit Manager?

To automate collection of audit evidence for compliance (C)

Which example illustrates a compliance requirement for businesses handling payment card transactions?

PCI DSS (C)

What primary function does AWS Organizations provide in terms of governance?

It manages multiple accounts with centralized governance. (A)

Which of the following statements about encryption in AWS is true?

Both encryption types ensure that only authorized users can access sensitive data. (B)

Which AWS service is responsible for tracking API activity in an AWS account?

AWS CloudTrail (C)

What is the purpose of AWS Artifact?

To download compliance reports and certifications. (D)

Which of the following is NOT a benefit of AWS Cloud Security?

Centralized governance across all AWS services. (C)

What key information does Amazon CloudWatch Logs monitor?

Log files from applications or AWS services. (A)

Which of the following describes Service Control Policies (SCPs) in AWS?

They define access permissions across accounts. (B)

Which AWS logging service captures information about allowed and denied network connections?

VPC Flow Logs (B)

What aspect of AWS compliance is highlighted by the AWS Compliance Center?

It serves as a resource hub for compliance details organized by region and industry. (A)

What is the role of AWS Security Hub in terms of security?

It scales automatically and offers continuous monitoring. (B)

Flashcards

AWS Compliance

Adhering to industry, geographic, and organizational regulations, standards, or frameworks in AWS.

AWS Governance

Setting policies, procedures, and controls to manage resources securely in AWS.

Encryption in Transit

Protecting data during transfer, using methods like HTTPS and TLS.

Encryption at Rest

Protecting stored data by encoding it, like encrypting S3 buckets.

AWS CloudTrail (Log Monitoring Service) and (Governance and Compliance Implementation Service)

Tracks all API activity in your AWS account. Example: Who created or modified an EC2 instance?

Amazon CloudWatch Logs (Log Monitoring Service)

Monitors log files from applications or AWS services. Example: Debugging application errors in EC2 or Lambda functions.

VPC Flow Logs (Log Monitoring Service)

Captures information about network traffic to and from a Virtual Private Cloud (VPC). Example: Analyze allowed and denied network connections.

AWS Config (Log Monitoring Service) and (Governance and Compliance Implementation Service)

Records configuration changes to resources. The feature AWS Config Rules can be used to define and enforce compliance policies for AWS resources. Example: Tracks whether S3 buckets are public or private.

AWS Artifact (Meeting Compliance Service)

Self-service portal for downloading compliance reports and certifications. Example: ISO certifications, SOC reports.

AWS Compliance Center (Meeting Compliance Service)

Resource hub for compliance details organized by region and industry. Allows users to download compliance reports using a link directly to AWS Artifact

Amazon Inspector (Security Service)

Assesses vulnerabilities of applications running on EC2. Example: Identifies vulnerabilities like unpatched software.

AWS Security Hub (Security Service)

Centralizes security alerts and provides security status overview. Example: Detects misconfigured S3 buckets.

AWS Organizations

manage and govern multiple AWS accounts from a single location. it allows the user to Group Accounts: organise accounts into hierarchies using Organizational Units (OUs).

Service Control Policies (SCPs):

policies you can create in AWS Organizations to define access permissions for accounts or groups of accounts (OUs). SCPs control which AWS services and actions are allowed or denied for users, groups, or roles in those accounts.

What are the Benefits of Cloud Security?

Encryption:

Protects sensitive data by encoding it so only authorized users can access it. Two types: Encryption in Transit and Encryption at Rest.

Built-in Security:

AWS secures its global infrastructure and offers tools to enhance customer security, such as AWS WAF (Web Application Firewall) and AWS Shield.

Scalability and Automation:

Security services like AWS Security Hub and Amazon GuardDuty scale automatically and provide continuous monitoring.

AWS services that use logs to track and analyze activity in the environment:

AWS CloudTrail (Accounts Logs) - Amazon CloudWatch Logs (Apps and System Logs) - VPC Flow Logs (Network Logs) - AWS Config (Configuration Logs)

Amazon GuardDuty (Security Service)

Detects threats using machine learning and anomaly detection. Example: Identifies unusual login activity.

AWS Shield (Security Service)

Protects against Distributed Denial of Service (DDoS) attacks. Example: Blocks malicious traffic targeting your website.

AWS WAF (Web Application Firewall) (Security Service)

Focuses on protecting web applications by filtering malicious traffic. Example: Blocks fake requests targeting your website.

AWS services that help ensure compliance and governance:

Amazon CloudWatch - AWS CloudTrail - AWS Config - AWS Audit Manager - Access Reports

Amazon CloudWatch (Governance and Compliance Implementation Service)

Monitors resources and applications for performance and security. Example: Set alarms for high CPU usage on EC2 instances.

AWS Audit Manager (Governance and Compliance Implementation Service)

Automates the collection of audit evidence for compliance. Example: Generates reports for a PCI DSS audit.

Access Reports (Governance and Compliance Implementation Service)

Provides a summary of permissions granted to users and roles. Example: Identify users with excessive access to critical resources.

Study Notes

AWS Cloud Security, Governance, and Compliance Concepts

• Compliance in AWS means adhering to industry, geographic, and organizational regulations, standards, or frameworks. AWS provides tools for meeting these requirements (e.g., HIPAA for healthcare data).

AWS Governance

• Governance involves setting policies, procedures, and controls to manage cloud resources securely and efficiently.
• AWS Organizations facilitate centralized management of multiple accounts.
• Service Control Policies (SCPs) define access permissions across accounts.

Cloud Security Benefits

• Encryption: Protects data in transit (e.g., HTTPS, TLS) and at rest (e.g., encrypting S3 buckets).
• Built-in Security: AWS secures its global infrastructure and provides tools like AWS WAF and AWS Shield.
• Scalability and Automation: Security services like AWS Security Hub and Amazon GuardDuty are scalable and provide continuous monitoring.

Logs Associated with Cloud Security

• AWS CloudTrail: Tracks all API activity in an account (e.g., instance creation).
• Amazon CloudWatch Logs: Monitors application and service log files (e.g., app performance).
• VPC Flow Logs: Captures network traffic to and from a VPC (e.g., network connections).
• AWS Config: Records configuration changes to resources (e.g., S3 bucket access).

Identifying AWS Compliance Information

• AWS Artifact: Self-service portal for compliance reports and certifications (e.g., ISO certifications, SOC reports).
• AWS Compliance Center: Resource hub for compliance details organized by region and industry.

Compliance Needs by Location or Industry

• Geographic Compliance: GDPR for EU data, C5 (Germany) for cloud security in Germany.
• Industry Compliance: HIPAA for healthcare, PCI DSS for payment cards.
• Multi-Region Services: Deploy resources in specific regions for local compliance needs.

Securing Resources on AWS

• Amazon Inspector: Assesses application vulnerabilities running on EC2 (e.g., unpatched software).
• AWS Security Hub: Centralizes security alerts and provides a unified security view (e.g., misconfigured S3 buckets).
• Amazon GuardDuty: Detects threats using machine learning and anomaly detection (e.g., unusual login activity).
• AWS Shield: Protects against DDoS attacks (e.g., blocks malicious traffic).
• AWS WAF: Protects web applications by filtering malicious traffic (e.g., blocks fake requests).

Encryption Options

• Encryption in Transit: Data protection during transfer (e.g., HTTPS).
• Encryption at Rest: Data protection in storage (e.g., encrypting S3 objects).
• Customer-Managed Encryption Keys (CMEK): Customers manage their encryption keys using AWS KMS.

Services for Governance and Compliance

• Amazon CloudWatch: Monitors resources and applications for security and performance.
• AWS CloudTrail: Audits user activity and API calls.
• AWS Config: Records and tracks resource configuration changes.
• AWS Audit Manager: Automates audit evidence collection.
• Access Reports: Summarizes user permissions and identifies excessive access.

Compliance Requirements Vary by Service

• Responsibilities differ depending on the service (e.g., EC2 - customer secures OS/applications, AWS manages physical infrastructure; Lambda - AWS manages most security, customers ensure function code security).