A user is planning to schedule a backup for an existing EBS volume. The user wants the backup to be created through snapshot, and for it to be encrypted. How can the user achieve data encryption with a snapshot?
A
Amazon EBS supports encryption of volumes. A snapshot taken of an encrypted volume is itself encrypted, and any volume created from an encrypted snapshot is encrypted as well; data at rest on the volume, the I/O between the volume and the instance, and all snapshots of the volume are encrypted. So the user simply takes a snapshot of an encrypted volume. If the existing volume is unencrypted, encryption cannot be switched on in place: snapshot it, copy the snapshot with encryption enabled (for example, `aws ec2 copy-snapshot --encrypted`), and create the new volume from the encrypted copy. EBS encryption uses AES-256.
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
What does server-side encryption provide in Amazon S3?
B
Server-side encryption protects data at rest: Amazon S3 encrypts each object as it is written to disk and decrypts it when it is read back. With server-side encryption using Amazon S3-managed encryption keys (SSE-S3), Amazon S3 encrypts each object with a unique key and, as an additional safeguard, encrypts that per-object key with a master key that it rotates regularly. SSE says nothing about data in transit; requests to S3 should still be made over HTTPS.
Reference:
http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html
The Statement element, of an AWS IAM policy, contains an array of individual statements. Each individual statement is a(n) ______ block enclosed in braces { }.
A
The Statement element of an IAM policy contains an array of individual statements. Each individual statement is a JSON block enclosed in braces { }. Note that when a policy holds only one statement, Statement may also be written as a single JSON object rather than a one-element array; both forms are valid.
Reference:
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html
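The following is an added example, not code from the AWS documentation, showing how a reviewer might parse the Statement element. It accepts both the array form and the single-object form, checks that each statement block has a valid Effect and an Action or NotAction, and flags Allow statements that grant `*` on `*`. The sample policy is constructed for the example.

```python
"""Parse an IAM policy document and inspect its Statement element.

Added example (not from the AWS docs): Statement may hold either one JSON
object or an array of them; both are normalised to a list, validated, and
scanned for over-broad Allow statements.
"""
import json
from typing import Any

# Constructed sample policy: the second statement is a wildcard Allow.
SAMPLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyS3",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Sid": "TooBroad",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:DeleteBucket",
      "Resource": "*"
    }
  ]
}
"""


def _as_list(value: Any) -> list:
    """IAM allows a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def load_statements(policy_json: str) -> list[dict]:
    """Return the individual statement blocks of a policy as a list of dicts.

    Raises ValueError if Statement is missing, if any statement is not a JSON
    object, if Effect is not Allow/Deny, or if neither Action nor NotAction
    is present.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement")
    if statements is None:
        raise ValueError("policy has no Statement element")
    statements = _as_list(statements)
    for i, stmt in enumerate(statements):
        if not isinstance(stmt, dict):
            raise ValueError(f"statement {i} is not a JSON object")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError(f"statement {i} has invalid Effect {stmt.get('Effect')!r}")
        if "Action" not in stmt and "NotAction" not in stmt:
            raise ValueError(f"statement {i} has neither Action nor NotAction")
    return statements


def find_wildcard_allows(statements: list[dict]) -> list[str]:
    """Return the Sid (or a positional label) of each Allow statement
    that grants every action on every resource."""
    hits = []
    for i, stmt in enumerate(statements):
        if stmt["Effect"] != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits


if __name__ == "__main__":
    stmts = load_statements(SAMPLE_POLICY)
    print(f"{len(stmts)} statements; wildcard allows: {find_wildcard_allows(stmts)}")
```

A real policy linter would also expand NotAction/NotResource and evaluate Condition blocks; the point here is only that each element of Statement is an independent JSON object that must be validated on its own.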
You need to set up security for your VPC and you know that Amazon VPC provides two features that you can use to increase security for your VPC: Security groups and network access control lists (ACLs). You start to look into security groups first. Which statement below is incorrect in relation to security groups?
B
Amazon VPC provides two features that you can use to increase security for your VPC:
Security groups--Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level. They support allow rules only (there is no way to write a deny rule; anything not explicitly allowed is dropped), all rules are evaluated together with no ordering, and they are stateful: return traffic for an allowed connection is permitted automatically.
Network access control lists (ACLs)--Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level. They support both allow and deny rules, rules are evaluated in order of rule number with the first match winning and a final implicit deny, and they are stateless: return traffic must be allowed explicitly by a rule in the opposite direction.
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html
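As an added example (not code from the AWS documentation), the model below evaluates an inbound packet against the two rule semantics described above: an allow-only, unordered security group, and a numbered NACL with first-match-wins and an implicit final deny. The rule sets and packets are constructed; no AWS API is called. It demonstrates why a specific bad source address can be blocked at the NACL but not at the security group.

```python
"""Evaluate a packet against a security group and a network ACL.

Added example (not from the AWS docs). Security group rules are allow-only
and unordered: the packet passes if any rule matches. NACL rules are
numbered, evaluated lowest number first, the first match wins, and the
implicit final rule denies. Rules and packets below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int       # NACL rule number; ignored for security groups
    action: str       # "allow" or "deny"
    protocol: str     # "tcp", "udp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str


def _matches(rule: Rule, proto: str, port: int, src: str) -> bool:
    if rule.protocol != "-1" and rule.protocol != proto:
        return False
    if not (rule.port_from <= port <= rule.port_to):
        return False
    return ip_address(src) in ip_network(rule.cidr)


def security_group_allows(rules: list[Rule], proto: str, port: int, src: str) -> bool:
    """Allow-only and unordered: any matching rule permits the packet."""
    for r in rules:
        if r.action != "allow":
            raise ValueError("security groups support allow rules only")
    return any(_matches(r, proto, port, src) for r in rules)


def nacl_allows(rules: list[Rule], proto: str, port: int, src: str) -> bool:
    """Ordered by rule number; first match wins; implicit final rule denies."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, proto, port, src):
            return r.action == "allow"
    return False


# Constructed rule sets: the NACL can deny one abusive host, the SG cannot.
SG_INBOUND = [Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_INBOUND = [
    Rule(100, "deny", "tcp", 443, 443, "198.51.100.7/32"),
    Rule(200, "allow", "tcp", 443, 443, "0.0.0.0/0"),
]


def reaches_instance(proto: str, port: int, src: str) -> bool:
    """Inbound traffic must pass the subnet NACL and then the instance SG."""
    return nacl_allows(NACL_INBOUND, proto, port, src) and \
        security_group_allows(SG_INBOUND, proto, port, src)


if __name__ == "__main__":
    for src in ("203.0.113.5", "198.51.100.7"):
        print(f"{src} -> reaches instance: {reaches_instance('tcp', 443, src)}")
```

Ordering is the trap with NACLs: if the deny rule above were numbered 300 instead of 100, the broad allow at 200 would match first and the deny would never be reached.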
What does Amazon IAM stand for?
C
IAM stands for AWS Identity and Access Management. The "identity" aspect of IAM answers the question "Who is that user?", which is authentication; the "access management" aspect answers "What is that user allowed to do?", which is authorization.
Reference:
http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_identity-management.html#intro-identity-users
Can you use the AWS Identity and Access Management (IAM) to assign permissions determining who can manage or modify RDS resources?
C
Use AWS Identity and Access Management (IAM) policies to assign permissions that determine who is allowed to manage RDS resources. For example, you can use IAM to determine who is allowed to create, describe, modify, and delete DB instances, tag resources, or modify DB security groups.
Reference:
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html
You have been asked to design a layered security solution for protecting your organization's network infrastructure. You research several options and decide to deploy a network-level security control appliance, inline, where traffic is intercepted and analyzed prior to being forwarded to its final destination, such as an application server. Which of the following is NOT considered an inline threat protection technology?
D
Many organizations consider layered security to be a best practice for protecting network infrastructure. In the cloud, you can use a combination of Amazon VPC, implicit firewall rules at the hypervisor layer, alongside network access control lists, security groups, host-based firewalls, and IDS/IPS systems to create a layered solution for network security. While security groups, NACLs and host-based firewalls meet the needs of many customers, if you're looking for defense-in-depth, you should deploy a network-level security control appliance, and you should do so inline, where traffic is intercepted and analyzed prior to being forwarded to its final destination, such as an application server.
Examples of inline threat protection technologies include the following:
Third-party firewall devices installed on Amazon EC2 instances (also known as soft blades)
Unified threat management (UTM) gateways
Intrusion prevention systems
Data loss management gateways
Anomaly detection gateways
Advanced persistent threat detection gateways
Reference:
https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf
Is it possible to protect the connections between your application servers and your MySQL instances using SSL encryption?
B
To further enhance the security of your infrastructure, AWS allows you to SSL encrypt the communications between your EC2 instances and your MySQL instances. Amazon RDS generates an SSL certificate for each DB instance. Once an encrypted connection is established, data transferred between the DB instance and your application is encrypted in transit. Note that enabling SSL on the client is not enough on its own: the client must also verify the server certificate against the RDS certificate authority bundle (for example, MySQL's `--ssl-mode=VERIFY_IDENTITY` with `--ssl-ca` pointing at the downloaded RDS CA file); otherwise the connection is encrypted but not authenticated and remains exposed to a man-in-the-middle.
Reference:
http://aws.amazon.com/rds/faqs/#53
You need to determine what encryption operations were taken with which key in AWS KMS to either encrypt or decrypt data in the AWS CodeCommit repository.
Which of the following actions will best help you accomplish this?
A
The encryption context is additional authenticated data that AWS KMS binds to the ciphertext for integrity checking. When an encryption context is specified for the encryption operation, the same context must be specified in the decryption operation or decryption fails. AWS CodeCommit uses the CodeCommit repository ID as the encryption context. You can find the repository ID with the get-repository command or by viewing the repository details in the AWS CodeCommit console. Search for that repository ID in AWS CloudTrail logs: every KMS Encrypt, Decrypt and GenerateDataKey call is logged with its encryption context and the key it used, so the matching records show which encryption operations were taken on which key in AWS KMS for that repository. Because the encryption context is written to CloudTrail in plaintext, it must never contain secret data.
Reference:
http://docs.aws.amazon.com/codecommit/latest/userguide/encryption.html
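The search described above, as an added example (not code from the AWS documentation). It filters CloudTrail records for KMS cryptographic operations whose `encryptionContext` contains the repository ID and reports the key ARN from the record's `resources` list. The records are constructed to mimic CloudTrail's shape; the encryption context key name `aws:codecommit:repo-id` is an assumption, which is why the search matches on the value and not on the key name.

```python
"""Find which KMS key handled a CodeCommit repository's encryption.

Added example (not from the AWS docs): scans CloudTrail records for KMS
Encrypt/Decrypt/GenerateDataKey calls whose encryptionContext holds a given
repository ID. Records below are constructed; the context key name
"aws:codecommit:repo-id" is an assumption.
"""
import json

REPO_ID = "0dcd29a8-1234-4f1c-9a7b-0123456789ab"   # constructed repository ID
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OTHER_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/ffff0000-aaaa-bbbb-cccc-999988887777"

# Constructed CloudTrail log: two repo-related KMS calls, one unrelated KMS
# call with a different context, and one non-KMS event.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {
        "eventTime": "2017-03-01T10:15:02Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Encrypt",
        "requestParameters": {
            "encryptionContext": {"aws:codecommit:repo-id": REPO_ID},
            "keyId": KEY_ARN,
        },
        "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}],
    },
    {
        "eventTime": "2017-03-01T10:16:40Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "requestParameters": {"encryptionContext": {"aws:codecommit:repo-id": REPO_ID}},
        "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}],
    },
    {
        "eventTime": "2017-03-01T10:17:00Z",
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::other-bucket/key"}},
        "resources": [{"ARN": OTHER_KEY_ARN, "type": "AWS::KMS::Key"}],
    },
    {
        "eventTime": "2017-03-01T10:18:00Z",
        "eventSource": "codecommit.amazonaws.com",
        "eventName": "GetRepository",
        "requestParameters": {"repositoryName": "demo"},
    },
]})

KMS_CRYPTO_OPS = {"Encrypt", "Decrypt", "ReEncrypt",
                  "GenerateDataKey", "GenerateDataKeyWithoutPlaintext"}


def _key_arns(record: dict) -> list[str]:
    """Key ARNs listed in the record's resources block."""
    return [r["ARN"] for r in record.get("resources", [])
            if r.get("type") == "AWS::KMS::Key" and "ARN" in r]


def kms_ops_for_repo(cloudtrail_json: str, repo_id: str) -> list[tuple[str, str, str]]:
    """Return (eventTime, eventName, keyArn) for each KMS cryptographic
    operation whose encryptionContext contains repo_id as a value."""
    hits = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("eventName") not in KMS_CRYPTO_OPS:
            continue
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        if repo_id not in ctx.values():
            continue
        for arn in _key_arns(rec) or ["<key not recorded>"]:
            hits.append((rec["eventTime"], rec["eventName"], arn))
    return hits


if __name__ == "__main__":
    for when, op, key in kms_ops_for_repo(SAMPLE_CLOUDTRAIL, REPO_ID):
        print(f"{when}  {op:<10} {key}")
```

Against a real trail the same function runs over the decompressed JSON files CloudTrail delivers to S3, or over the output of `aws cloudtrail lookup-events` with the records re-wrapped under a `Records` key.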
The AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS is integrated with other AWS services including Amazon EBS, Amazon S3, Amazon Redshift, Elastic Transcoder, Amazon WorkMail, and Amazon RDS to make it simple to encrypt your data with encryption keys that you manage. AWS KMS is also integrated with AWS CloudTrail to provide you with key usage logs to help meet your regulatory and compliance needs. Which of the following types of cryptography keys is supported by AWS KMS currently?
D
At the time this question was written, AWS KMS supported only symmetric-key (shared secret) cryptography: a customer master key is a 256-bit symmetric key that never leaves KMS, and services encrypt data with data keys that KMS generates and wraps under that master key. The "(private)" wording in the answer is loose; symmetric keys are secret keys, not private keys in the public-key sense. Note that KMS has since added asymmetric RSA and elliptic-curve keys for signing and public-key encryption, so the answer reflects the service as documented at the referenced date rather than its current feature set.
Reference:
http://docs.aws.amazon.com/kms/latest/developerguide/crypto-intro.html