Which service best protects your AWS VPCs?
Use Amazon CloudWatch with VPC flow logs to monitor the IP traffic going to and from network interfaces in your VPC.
Which AWS services would you use for data protection?
Services such as AWS Identity and Access Management (IAM) allow you to securely manage access to AWS services and resources. AWS CloudTrail and Amazon Macie enable compliance, detection, and auditing, while AWS CloudHSM and AWS Key Management Service (KMS)
What AWS service can be used to protect resources at the subnet level of a VPC?
Amazon EC2 security groups can be used to help secure instances within an Amazon VPC. Security groups in a VPC enable you to specify both inbound and outbound network traffic that is allowed to or from each Amazon EC2 instance.
How do I secure access to AWS VPC?
Using VPCs and other networking resources allows you to control network access to and from your AWS resources. Configuring built-in virtual firewalls such as Security Groups and Network ACLs lets you lock down your network and protect against unauthorized access to your resources.
What does AWS GuardDuty do?
Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
Which feature helps secure your Amazon VPC resources by providing isolation at the subnet level?
A network access control list (network ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
Which AWS services features can be used to provide data protection at rest and in transit?
Using services like AWS KMS, AWS CloudHSM, and AWS ACM, customers can implement a comprehensive data at rest and data in transit encryption strategy across their AWS ecosystem to ensure all data of a given classification shares the same security posture.
Does AWS have a data protection officer?
AWS has a security incident monitoring and data breach notification process in place and will notify customers of breaches of AWS’s security without undue delay and in accordance with the AWS GDPR DPA. AWS also gives customers a number of tools to understand who has access to their resources, when, and from where.
What is used to provide security at the virtual instance level in subnets?
Security overview
Security groups and ACLs add security to your subnets and instances: Traffic to and from a subnet can be controlled by Access Control Lists (ACLs). Security Groups can control the traffic at the virtual server instance level.
Which of the following AWS services can be used to connect a company’s on-premises environment to a VPC without using the public internet?
AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet.
What is VPC security Group?
What are security groups in Virtual Private Cloud? A security group is like a virtual firewall. It works much like a traditional firewall does. It consists of a set of rules that can be used to monitor and filter an instance’s incoming and outgoing traffic in a Virtual Private Cloud (VPC) instance.
Which of the following are best practices for security in AWS?
Best practices to help secure your AWS resources
- Create a strong password for your AWS resources.
- Use a group email alias with your AWS account.
- Enable multi-factor authentication.
- Set up AWS IAM users, groups, and roles for daily account access.
- Delete your account’s access keys.
- Enable CloudTrail in all AWS regions.
What is AWS CloudTrail used for?
AWS CloudTrail enables auditing, security monitoring, and operational troubleshooting by tracking user activity and API usage. CloudTrail logs, continuously monitors, and retains account activity related to actions across your AWS infrastructure, giving you control over storage, analysis, and remediation actions.
What is the difference between AWS inspector and GuardDuty?
The difference between Amazon Inspector and Amazon GuardDuty is that the former “checks what happens when you actually get an attack” and the latter “analyzes the actual logs to check if a threat exists”. The purpose of Amazon Inspector is to test whether you are addressing common security risks in the target AWS.
What type of service would the AWS Virtual Private Cloud VPC be considered?
Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
Which items can be configured from within the Amazon VPC management console?
The AWS Management Console now supports the Amazon Virtual Private Cloud (VPC). You can now create and manage a VPC and all of the associated resources including subnets, DHCP Options Sets, Customer Gateways, VPN Gateways and the all-important VPN Connection from the comfort of your browser.
Which method can be used to protect sensitive data?
Encryption is ideal for mass protection of data (e.g. an entire data file, table, partition, etc.) against unauthorized users.
Who has control of the data security in an AWS account?
Customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions. This customer/AWS shared responsibility model also extends to IT controls.
Which AWS service or feature enables users to encrypt data at rest in Amazon S3?
AES-256 is the technology we use to encrypt data in AWS, including Amazon Simple Storage Service (S3) server-side encryption.
Which of the following information security control should be implemented to protect data at rest and transit?
As mentioned above, one of the most effective data protection methods for both data in transit and data at rest is data encryption.
What are the features in AWS that can ensure data security for your confidential documents?
These data protection features include: Data encryption capabilities available in over 100 AWS services. Flexible key management options using AWS Key Management Service (KMS), allowing customers to choose whether to have AWS manage their encryption keys or enabling customers to keep complete control over their keys.
Which AWS service or feature can assist with protecting a website that is hosted outside of AWS?
AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources.
Which of the following can help protect your EC2 instances from DDoS attacks choose two?
Starting today, AWS Shield Advanced can help protect your Amazon EC2 instances and Network Load Balancers against infrastructure-layer Distributed Denial of Service (DDoS) attacks. Enable AWS Shield Advanced on an AWS Elastic IP address and attach the address to an internet-facing EC2 instance or Network Load Balancer.
Which of the following can be used as an additional layer of security to using a user name and password when logging into the AWS console?
Multi-factor authentication (MFA) in AWS is a simple best practice that adds an extra layer of protection on top of your user name and password.
What does network access control does in VPC?
Network ACL rules. You can add or remove rules from the default network ACL, or create additional network ACLs for your VPC. When you add or remove rules from a network ACL, the changes are automatically applied to the subnets that it’s associated with.
Which AWS service or feature helps link a company’s AWS environment directly to the company’s internal network without using the internet?
AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet.
How do you secure a VPC?
13 AWS VPC Security Best Practices
- Choose the Appropriate VPC Type.
- Choose the Right CIDR Block.
- Use Multi-AZ Deployments.
- Isolate Your Environments.
- Use Security Groups To Control Resource Access.
- Create a Network Access Control List (NACL)
- Use VPC Flow Logs to Monitor IP Traffic.
- Use an Elastic IP For External Communication.
Can we attach security group to VPC?
When you create a VPC, it comes with a default security group. You can create additional security groups for each VPC. You can associate a security group only with resources in the VPC for which it is created. For each security group, you add rules that control the traffic based on protocols and port numbers.
What is the difference between AWS inspector and GuardDuty?
The difference between Amazon Inspector and Amazon GuardDuty is that the former “checks what happens when you actually get an attack” and the latter “analyzes the actual logs to check if a threat exists”. The purpose of Amazon Inspector is to test whether you are addressing common security risks in the target AWS.
What is CloudTrail vs CloudWatch?
Amazon Cloudwatch is a monitoring service that gives you visibility into the performance and health of your AWS resources and applications, whereas AWS Cloudtrail is a service that logs AWS account activity and API usage for risk auditing, compliance and monitoring.
How does AWS Shield standard help protect your environment?
AWS Shield Standard automatically provides protection for web applications running on AWS against the most common, frequently occurring Infrastructure layer attacks like UDP floods, and State exhaustion attacks like TCP SYN floods.
Which AWS service should a cloud practitioner use to establish a secure network connection between an on-premises network and AWS?
AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you create a private connection between AWS and your data center, office, or colocation environment.
Which AWS service enables organizations to create a private link between their data center and an AWS region that doesn’t travel over the public internet?
Amazon VPC enables you to build a virtual network in the AWS cloud – no VPNs, hardware, or physical datacenters required.
Which of the following is supported by VPC networks?
VPC networks support IPv4 and IPv6 unicast addresses. VPC networks do not support broadcast or multicast addresses within the network.
What is AWS VPC What are the main components of AWS VPC?
Virtual Private Cloud (VPC) is a logically isolated network from another virtual network in the AWS cloud where you can launch the AWS resources. It gives all the benefits of the traditional network that you have for your own data center. Resources and applications are accessed through IPv4 or IPv6 in your AWS VPC.
Which of the following are components of Amazon VPC?
Components of Amazon VPC
- amazon-web-services.
- aws-services.
- aws-networking-services.
- amazon-vpc.
Which of the following should be used to improve the security of access to the AWS Management Console choose two?
2) Use multi-factor authentication (MFA)
MFA is the best way to protect accounts from inappropriate access. Always set up MFA on your Root user and AWS Identity and Access Management (IAM) users.
Which AWS service or feature enables users to encrypt data at rest in Amazon?
AWS Key Management Service (KMS) – AWS KMS is a managed service that enables easy creation and control of encryption keys used to encrypt data. KMS uses envelope encryption in which data is encrypted using a data key that is then encrypted using a master key.
Which AWS services provide data encryption by default?
Amazon Location Service provides encryption by default to protect sensitive customer data at rest using AWS owned encryption keys. AWS owned keys — Amazon Location uses these keys by default to automatically encrypt personally identifiable data.
Which is the most important form of protection for sensitive data?
How can I protect Sensitive Data? Encryption is the most effective way to protect your data from unauthorized access.
What are some good data protection techniques?
However, here are 7 of the most effective data security techniques that you can try to secure your data.
- Data encryption.
- Backup and recovery optimization.
- Data masking.
- Row level security.
- Promote transparency and compliance.
- Cyber insurance.
- Work with experts in data.
Which of the following services can you use to discover and protect your sensitive data in AWS?
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
Which AWS services features can be used to provide data protection at rest and in transit?
Using services like AWS KMS, AWS CloudHSM, and AWS ACM, customers can implement a comprehensive data at rest and data in transit encryption strategy across their AWS ecosystem to ensure all data of a given classification shares the same security posture.
Which of the following can help secure your sensitive data in Amazon S3 choose two?
Server-side encryption can help reduce risk to your data by encrypting the data with a key that is stored in a different mechanism than the mechanism that stores the data itself. Amazon S3 provides these server-side encryption options: Server-side encryption with Amazon S3‐managed keys (SSE-S3).
Which AWS service or functionality allows customers to encrypt data stored in Amazon S3 during the storage process?
AES-256 is the technology we use to encrypt data in AWS, including Amazon Simple Storage Service (S3) server-side encryption.
What are the methods to encrypt the data in S3?
S3 Encryption Support
- Amazon S3-managed Encryption Keys (SSE-S3) In this scenario the keys are managed by S3 itself and are only usable for S3 services.
- KMS-managed Encryption Keys (SSE-KMS)
- Customer-provided Encryption Keys (SSE-C)