AWS Cloud Practitioner Essentials T2.4
20 Questions

Questions and Answers

What is the main purpose of AWS Marketplace?

  • To provide an environment for developing applications.
  • To find alternative hosting solutions for websites.
  • To buy and deploy software, including security products. (correct)
  • To offer training and certification programs for AWS.

Which service is NOT considered a third-party security tool available in AWS Marketplace?

  • Fortinet Firewall
  • AWS Systems Manager (correct)
  • Splunk Security Analytics
  • Trend Micro Antivirus

Which resource is primarily focused on providing centralized security-related information?

  • AWS Trusted Advisor
  • AWS Security Blog
  • AWS Knowledge Center
  • AWS Security Center (correct)

What function does the AWS WAF (Web Application Firewall) serve?

  • It protects web applications from common threats. (C)

How does AWS GuardDuty function in threat detection?

  • Using machine learning and log analysis. (D)

What is the purpose of AWS Trusted Advisor?

  • To optimize performance by offering security insights. (B)

Which service helps to identify security issues by analyzing network traffic in a VPC?

  • VPC Flow Logs (C)

What is a key feature of Security Groups in AWS?

  • They deny all inbound traffic unless explicitly allowed. (D)

What feature does AWS Systems Manager Patch Manager provide?

  • Automated patching for EC2 instances. (A)

Which service is responsible for logging and tracking all API activity in an AWS account?

  • CloudTrail (A)

Which of the following is a distinguishing characteristic of Amazon Macie?

  • Detection and protection of sensitive data in S3. (C)

What is the primary purpose of AWS Secrets Manager?

  • Securely store and manage sensitive credentials. (D)

Which of these is NOT a feature of AWS security services?

  • Automated machine learning for data analysis. (C)

How do Network Access Control Lists (NACLs) evaluate rules?

  • In numerical order based on the rule number. (A)

What distinguishes AWS IAM from AWS IAM Identity Center?

  • IAM Identity Center allows single sign-on for managing multiple accounts. (A)

What is a characteristic of NACLs regarding default traffic policy?

  • They allow all inbound and outbound traffic by default. (C)

Which of the following best describes how Security Groups handle inbound and outbound traffic?

  • They automatically allow response traffic based on inbound rules. (C)

Which service is NOT primarily used for compliance auditing in AWS?

  • AWS S3 (B)

What would be a suitable use case for NACLs within a VPC?

  • Block a range of IP addresses from accessing an entire subnet. (B)

Which of the following statements about systems managing encryption keys is true?

  • KMS can manage both AWS-managed and customer-managed keys. (B)

Flashcards

AWS Marketplace

An online store offering third-party software, including security tools.

Third-Party Security Tools

Security products offered outside of AWS for advanced security.

Firewalls (AWS)

Tools that control network traffic to protect your AWS environment.

WAF

Web Application Firewall: protects web apps from attacks such as SQL injection and XSS.

Security Groups

Instance-level firewalls controlling traffic to and from EC2 instances.

GuardDuty

AWS threat detection service using machine learning for suspicious activity.

AWS Security Center

Central hub for AWS security resources and tools.

AWS Systems Manager Patch Manager

Automates patching for EC2 instances with security updates.

AWS Trusted Advisor

Provides security recommendations for cost reduction and performance optimization.

AWS Knowledge Center

A library of FAQs for AWS security and compliance information.

IAM (Identity and Access Management)

A service that controls and manages user access and permissions to AWS resources.

AWS Secrets Manager

A service for securely storing and rotating secrets like API keys and database credentials.

AWS IAM Identity Center (Single Sign-On)

A service that allows centralized access to multiple AWS accounts with a single sign-on experience.

KMS (Key Management Service)

A service for managing and encrypting data using AWS or customer-managed keys.

AWS Config

Tracks configuration changes and checks resource compliance with set rules.

CloudTrail

A service that logs and tracks all API activity in your AWS account for auditing purposes.

Security Hub

Provides a centralized view of security alerts and compliance checks from various AWS services.

NACLs (Network Access Control Lists)

Firewalls that control traffic to and from entire subnets in your VPC.

Stateful vs. Stateless Firewalls

Stateful firewalls allow response traffic for approved inbound traffic automatically, while stateless firewalls require explicit rules for both inbound and outbound traffic.

Study Notes

AWS Security Services

  • AWS Marketplace: Online store for deploying software, including security products.
  • Third-Party Security Tools: Offer specialized features and advanced security for complex use cases (e.g., Fortinet/Palo Alto firewalls, Trend Micro antivirus).
  • Security Information Resources:
    • AWS Knowledge Center: FAQs on security and compliance.
    • AWS Security Center: Central hub for security resources, tools, and best practices.
    • AWS Security Blog: Updates on new services, features, use cases.
    • AWS Documentation: In-depth guides and tutorials for all AWS services.
    • AWS Trusted Advisor: Actionable insights and recommendations for security, cost optimization, and performance.

Security Service Categories

  • Infrastructure Security:
    • WAF (Web Application Firewall): Protects web apps from threats (SQL injection, XSS).
    • Shield: Protects against DDoS attacks (Standard and Advanced).
    • Security Groups: Instance-level firewalls controlling traffic to/from EC2 instances.
    • NACLs (Network Access Control Lists): Subnet-level firewalls controlling traffic to/from subnets.
    • AWS Systems Manager Patch Manager: Automates patching of EC2 instances (security updates).
    • VPC Flow Logs: Monitor and analyze network traffic in VPC for security threats and troubleshooting.
  • Threat Detection:
    • GuardDuty: Threat detection (machine learning, log analysis).
    • Inspector: Scans EC2 instances and containers for vulnerabilities and unpatched software.
    • Amazon Macie: Detects and protects sensitive data in S3.
    • AWS Trusted Advisor: Identifies exposed S3 buckets and provides security recommendations.
  • Identity and Access Management:
    • IAM (Identity and Access Management): Manages user access and permissions for AWS resources.
    • AWS Secrets Manager: Securely stores and rotates secrets (API keys, database credentials).
    • AWS IAM Identity Center: Centralized access to multiple AWS accounts using SSO (Single Sign-On).
    • KMS (Key Management Service): Manages and encrypts data using AWS or customer-managed keys.
  • Compliance and Governance:
    • AWS Config: Tracks configuration changes and checks resource compliance.
    • CloudTrail: Logs and tracks all API activity for auditing.
    • Security Hub: Centralized view of security alerts and compliance checks.
    • AWS Audit Manager: Automates evidence collection for compliance audits.

Security Groups vs. NACLs

  • Security Groups: Instance-level, stateful, default deny, fine-grained control.
  • NACLs: Subnet-level, stateless, default allow, broader control.
  • Key Differences:
    • Statefulness: Security Groups are stateful; NACLs are stateless.
    • Scope: Security Groups control individual instances; NACLs control entire subnets.
  • Use Cases:
    • Security Groups: Traffic control for specific instances, allowing only specific ports (e.g. HTTP, HTTPS).
    • NACLs: Blocking traffic from specific IPs or ranges for entire subnets.
  • Complementary Tools: Both used together for comprehensive security.

Description

This quiz covers the essential AWS Security Services including the AWS Marketplace, third-party security tools, and various security information resources. Learn about the key components like WAF, Shield, and the AWS Security Center that help protect your infrastructure. Test your knowledge on the latest best practices and tools available for securing your AWS environment.