Whose responsibility is it to secure the AWS Cloud?
Only Amazon Web Services
Only you
The World Wide Web Consortium (W3C)
You and AWS share the responsibility.
For which aspects of physical and environmental security is Amazon Web Services responsible?
Fire detection and suppression
Power redundancy
Climate and temperature control in AWS datacenters
All of the above
True or False: The AWS network provides protection against traditional network security issues.
Which AWS service provides centralized management of access and authentication of users administering the services in an AWS account?
AWS Directory Service
AWS Identity and Access Management Service
Amazon Cognito
AWS Config
Which credentials can an IAM user have in order to access AWS services via the AWS Management Console and the AWS Command Line Interface (AWS CLI)? (Choose two.)
Key pair
User name and password
Email address and password
Access keys
True or False: A password policy can be set in IAM that requires at least two lowercase letters and at least two non-alphanumeric characters.
The IAM access keys used to access AWS services via the AWS Command Line Interface (AWS CLI) and/or AWS Software Development Kits (SDK) consist of which two parts?
Access Key ID and password
Public Access Key and Secret Access Key
Access Key ID and Secret Access Key
User name and Public Access Key
Which Multi-Factor Authentication devices does the IAM service support?
Hardware devices (Gemalto)
Virtual MFA applications (for example, Google Authenticator)
Simple Message Service (SMS) (via mobile devices)
Which of the following is true when using AWS Identity and Access Management groups?
IAM users are members of a default user group.
Groups can be nested.
An IAM user can be a member of multiple groups.
IAM roles can be members of a group.
Which of the following is not a best practice for securing an AWS account?
Requiring Multi-Factor Authentication for root-level access
Creating individual IAM users
Monitoring activity on your AWS account
Sharing credentials to provide cross-account access
Which of the following is true when using AWS Key Management Service (AWS KMS)?
All API requests to AWS KMS must be made over HTTP.
Use of keys is protected by access control policies defined and managed by you.
An individual AWS employee can access a Customer Master Key (CMK) and export the CMK in plaintext.
An AWS KMS key can be used globally in any AWS Region.
The AWS CloudTrail service provides which of the following?
Logs of the API requests for AWS resources within your account
Information about the IP traffic going to and from network interfaces
Monitoring of the utilization of AWS resources within your account
Information on configuration changes to AWS resources within your AWS account
Amazon CloudWatch Logs enable Amazon CloudWatch to monitor log files. Pattern filtering can be used to analyze the logs and trigger Amazon CloudWatch alarms based on customer specified thresholds. Which types of log files can be sent to Amazon CloudWatch Logs?
Operating system logs
AWS CloudTrail Logs
Access Flow Logs
AWS CloudTrail logs the API requests to AWS resources within your account. Which other AWS service can be used in conjunction with CloudTrail to capture information about changes made to AWS resources in your AWS account?
Auto Scaling
Amazon VPC Flow Logs
AWS Artifact
True or False: Amazon Inspector continuously monitors your AWS account’s configuration against the Well-Architected Framework’s best practice recommendations for security.
A workload consisting of Amazon EC2 instances is placed in an Amazon VPC. What feature of VPC can be used to deny network traffic based on IP source address and port number?
Subnets
Security groups
Route tables
Network Access Control Lists
You want to pass traffic securely from your on-premises network to resources in your Amazon VPC. Which type of gateway can be used on the VPC?
Internet Gateway (IGW)
Amazon Virtual Private Cloud endpoint
Virtual Private Gateway
Amazon Virtual Private Cloud peer
To protect data at rest within Amazon DynamoDB, customers can use which of the following?
Client-side encryption
TLS connections
Server-side encryption provided by the Amazon DynamoDB service
Fine-grained access controls
When an Amazon Relational Database Service database instance is run within an Amazon Virtual Private Cloud, which Amazon VPC security features can be used to protect the database instance?
Network ACLs
Private subnets
Which of the following is correct?
Amazon SQS and Amazon SNS encrypt data at rest.
Amazon SQS and Amazon SNS do not encrypt data at rest.
Amazon SQS encrypts data at rest and Amazon SNS does not encrypt data at rest.
Amazon SQS does not encrypt data at rest and Amazon SNS encrypts data at rest.