AWS Cloud Practitioner Essentials T2.4
20 Questions

Questions and Answers

What is the main purpose of AWS Marketplace?

  • To provide an environment for developing applications.
  • To find alternative hosting solutions for websites.
  • To buy and deploy software, including security products. (correct)
  • To offer training and certification programs for AWS.

Which service is NOT considered a third-party security tool available in AWS Marketplace?

  • Fortinet Firewall
  • AWS Systems Manager (correct)
  • Splunk Security Analytics
  • Trend Micro Antivirus

Which resource is primarily focused on providing centralized security-related information?

  • AWS Trusted Advisor
  • AWS Security Blog
  • AWS Knowledge Center
  • AWS Security Center (correct)

What function does the AWS WAF (Web Application Firewall) serve?

  • It protects web applications from common threats.

How does AWS GuardDuty function in threat detection?

  • Using machine learning and log analysis.

What is the purpose of AWS Trusted Advisor?

  • To optimize performance by offering security insights.

Which service helps to identify security issues by analyzing network traffic in a VPC?

  • VPC Flow Logs

What is a key feature of Security Groups in AWS?

  • They deny all inbound traffic unless explicitly allowed.

What feature does AWS Systems Manager Patch Manager provide?

  • Automated patching for EC2 instances.

Which service is responsible for logging and tracking all API activity in an AWS account?

  • CloudTrail

Which of the following is a distinguishing characteristic of Amazon Macie?

  • Detection and protection of sensitive data in S3.

What is the primary purpose of AWS Secrets Manager?

  • Securely store and manage sensitive credentials.

Which of these is NOT a feature of AWS security services?

  • Automated machine learning for data analysis.

How do Network Access Control Lists (NACLs) evaluate rules?

  • In numerical order based on the rule number.

What distinguishes AWS IAM from AWS IAM Identity Center?

  • IAM Identity Center allows single sign-on for managing multiple accounts.

What is a characteristic of NACLs regarding default traffic policy?

  • They allow all inbound and outbound traffic by default.

Which of the following best describes how Security Groups handle inbound and outbound traffic?

  • They automatically allow response traffic based on inbound rules.

Which service is NOT primarily used for compliance auditing in AWS?

  • AWS S3

What would be a suitable use case for NACLs within a VPC?

  • Block a range of IP addresses from accessing an entire subnet.

Which of the following statements about systems managing encryption keys is true?

  • KMS can manage both AWS-managed and customer-managed keys.

Study Notes

AWS Security Services

• AWS Marketplace: Online store for deploying software, including security products.
• Third-Party Security Tools: Offer specialized features and advanced security for complex use cases (e.g., Fortinet/Palo Alto firewalls, Trend Micro antivirus).
• Security Information Resources:
  • AWS Knowledge Center: FAQs on security and compliance.
  • AWS Security Center: Central hub for security resources, tools, and best practices.
  • AWS Security Blog: Updates on new services, features, use cases.
  • AWS Documentation: In-depth guides and tutorials for all AWS services.
  • AWS Trusted Advisor: Actionable insights and recommendations for security, cost optimization, and performance.

Security Service Categories

• Infrastructure Security:
  • WAF (Web Application Firewall): Protects web apps from threats (SQL injection, XSS).
  • Shield: Protects against DDoS attacks (Standard and Advanced).
  • Security Groups: Instance-level firewalls controlling traffic to/from EC2 instances.
  • NACLs (Network Access Control Lists): Subnet-level firewalls controlling traffic to/from subnets.
  • AWS Systems Manager Patch Manager: Automates patching of EC2 instances (security updates).
  • VPC Flow Logs: Monitor and analyze network traffic in VPC for security threats and troubleshooting.
• Threat Detection:
  • GuardDuty: Threat detection (machine learning, log analysis).
  • Inspector: Scans EC2 instances and containers for vulnerabilities and unpatched software.
  • Amazon Macie: Detects and protects sensitive data in S3.
  • AWS Trusted Advisor: Identifies exposed S3 buckets and provides security recommendations.
• Identity and Access Management:
  • IAM (Identity and Access Management): Manages user access and permissions for AWS resources.
  • AWS Secrets Manager: Securely stores and rotates secrets (API keys, database credentials).
  • AWS IAM Identity Center: Centralized access to multiple AWS accounts using SSO (Single Sign-On).
  • KMS (Key Management Service): Manages and encrypts data using AWS or customer-managed keys.
• Compliance and Governance:
  • AWS Config: Tracks configuration changes and checks resource compliance.
  • CloudTrail: Logs and tracks all API activity for auditing.
  • Security Hub: Centralized view of security alerts and compliance checks.
  • AWS Audit Manager: Automates evidence collection for compliance audits.

Security Groups vs. NACLs

• Security Groups: Instance-level, stateful, default deny, fine-grained control.
• NACLs: Subnet-level, stateless, default allow, broader control.
• Key Differences:
  • Statefulness: Security Groups are stateful; NACLs are stateless.
  • Scope: Security Groups control individual instances; NACLs control entire subnets.
• Use Cases:
  • Security Groups: Traffic control for specific instances, allowing only specific ports (e.g. HTTP, HTTPS).
  • NACLs: Blocking traffic from specific IPs or ranges for entire subnets.
• Complementary Tools: Both used together for comprehensive security.

Description

This quiz covers the essential AWS Security Services including the AWS Marketplace, third-party security tools, and various security information resources. Learn about the key components like WAF, Shield, and the AWS Security Center that help protect your infrastructure. Test your knowledge on the latest best practices and tools available for securing your AWS environment.