In the context of AWS Security Best Practices for RDS, if you require encryption or data integrity authentication of data at rest for compliance or other purposes, you can add protection at the _____ using SQL cryptographic functions.
C
Amazon RDS leverages the same secure infrastructure as Amazon EC2. You can use the Amazon RDS service without additional protection, but if you require encryption or data integrity authentication of data at rest for compliance or other purposes, you can add protection at the application layer, or at the platform layer using SQL cryptographic functions.
Reference:
https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf
A root AWS account owner has created three IAM users: Bob, John and Michael. Michael is the IAM administrator. Bob and John are not super users, but users with some pre-defined policies. John does not have access to modify his password. Thus, he asks Bob to change his password. How can Bob change John's password?
B
Generally, with IAM users, the password can be modified in two ways. The first option is to define the IAM level policy which allows each user to modify their own passwords. The other option is to create a group and create a policy for the group which can change the passwords of various IAM users.
Reference:
http://docs.aws.amazon.com/IAM/latest/UserGuide/HowToPwdIAMUser.html
You know that AWS Billing and Cost Management integrates with the AWS Identity and Access Management (IAM) service so that you can control who in your organization has access to specific pages on the AWS Billing and Cost Management console. Which of the following items can you control access to in AWS Billing and Cost Management?
C
In the AWS Billing and Cost Management console, you can control access to the following:
- invoices
- detailed information about charges
- account activity
- budgets
- payment methods
- credits
Reference:
http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/control-access-billing.html
What does Amazon IAM provide?
B
Amazon IAM provides a mechanism to authenticate users when accessing Amazon Web Services.
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization).
Reference:
http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_WorkingWithGroupsAndUsers.html
An IAM group is a:
B
Within the IAM service, a group is regarded as a collection of users. You can use groups to specify permissions for a collection of users, which can make those permissions easier to manage for those users.
Reference:
http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_WorkingWithGroupsAndUsers.html
A group in IAM can contain many users. Can a user belong to multiple groups?
D
In Amazon IAM, a user can belong to up to 10 different groups.
Reference:
http://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html
Fill in the blanks: One of the basic characteristics of security groups for your VPC is that you ______ .
C
Security groups in a VPC allow you to specify rules, by protocol and port, that govern which communications with your instances can be established.
One such characteristic is that you can specify allow rules, but not deny rules.
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
You can configure Amazon CloudFront to deliver access logs per ________ to an Amazon S3 bucket of your choice.
B
If you use a custom origin, you will need to create an Amazon S3 bucket to store your log files in. You can enable CloudFront to deliver access logs per distribution to an Amazon S3 bucket of your choice.
Reference:
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html
ABC (with AWS account ID 111122223333) has created 50 IAM users for its organization's employees. What will be the AWS console URL for these associates?
B
When an organization uses AWS IAM to create users and manage their access rights, an IAM user cannot use the login URL http://aws.amazon.com/console to access the AWS Management Console. The console login URL for an IAM user includes the AWS account ID of the organization, which identifies the account the IAM user belongs to. The AWS console login URL for the IAM user will be https://<AWS_Account_ID>.signin.aws.amazon.com/console/. In this case it will be https://111122223333.signin.aws.amazon.com/console/
Reference:
http://docs.aws.amazon.com/IAM/latest/UserGuide/AccountAlias.html
AWS IAM permissions can be assigned in two ways:
B
Permissions can be assigned in two ways: as identity-based or as resource-based. Identity-based, or IAM permissions, are attached to an IAM user, group, or role and let you specify what that user, group, or role can do. For example, you can assign permissions to the IAM user named Bob, stating that he has permission to use the Amazon Elastic Compute Cloud (Amazon EC2) RunInstances action and that he has permission to get items from an Amazon DynamoDB table named MyCompany. The user Bob might also be granted access to manage his own IAM security credentials. Identity-based permissions can be managed or inline.
Resource-based permissions are attached to a resource. You can specify resource-based permissions for Amazon S3 buckets, Amazon Glacier vaults, Amazon SNS topics, Amazon SQS queues, and AWS Key Management Service encryption keys. Resource-based permissions let you specify who has access to the resource and what actions they can perform on it. Resource-based policies are inline only, not managed.
Reference:
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_permissions.html