What problem does the Shared Responsibility Model solve?
Clarifies which security responsibilities belong to AWS vs the customer.
What does “security of the cloud” mean?
AWS responsibility for physical data centers, hardware, networking, and infrastructure.
What does “security in the cloud” mean?
Customer responsibility for data, IAM, configurations, and access control.
Is data encryption a customer or AWS responsibility?
Customer responsibility (security in the cloud).
Who is responsible for S3 bucket permissions?
The customer.
What problem does IAM solve?
Controls who can access AWS services and what actions they can perform.
What is an IAM user?
A long-term identity for a person.
What is an IAM role?
A temporary set of permissions assumed by users or services.
Why are roles preferred for applications?
They provide temporary access without storing credentials.
What is an IAM policy?
A JSON document defining allowed or denied actions on resources.
Do IAM policies do anything by themselves?
No. They must be attached to users, groups, or roles.
What does least privilege mean?
Grant only the minimum permissions required to perform a task.
What problem does least privilege reduce?
Blast radius from mistakes or compromised credentials.
What problem does MFA solve?
Protects against stolen or compromised passwords.
Does MFA control what actions are allowed?
No. It only verifies identity.
Which AWS identity should always have MFA enabled?
The root account.
Why is admin access dangerous even with MFA?
MFA authenticates identity but does not limit permissions.
What problem does AWS WAF solve?
Protects web applications from malicious HTTP/HTTPS requests.
What layer does WAF operate at?
Application layer.
What problem does AWS Shield solve?
DDoS attacks and traffic floods.
What does Shield protect primarily?
Availability.
What problem does GuardDuty solve?
Detects suspicious or malicious behavior in an AWS account.
Does GuardDuty block attacks?
No. It detects only.
What data does GuardDuty analyze?
CloudTrail logs, VPC Flow Logs, and DNS logs.
What problem does Amazon Inspector solve?
Finds vulnerabilities and security exposures in workloads.
Is Inspector real-time threat detection?
No. It scans for known vulnerabilities.
What problem does AWS CloudTrail solve?
Records who did what, when, and from where in an AWS account.
What does CloudTrail log?
AWS API calls made by users, roles, or services.
Does CloudTrail prevent malicious actions?
No. It only records actions.
What problem does AWS Config solve?
Tracks resource configurations and configuration changes over time.
Does AWS Config show who made a change?
No. It shows what changed, not who.
Which service helps with compliance and configuration drift?
AWS Config.
What problem does AWS Organizations solve?
Central management of multiple AWS accounts.
What are Organizational Units (OUs)?
Groups of AWS accounts within an organization.
What problem do SCPs solve?
Enforce maximum allowed actions across accounts.
Do SCPs grant permissions?
No. They only restrict.
Can SCPs override IAM permissions?
Yes. Deny always wins.
What problem does AWS Artifact solve?
Provides access to AWS compliance reports and legal agreements.
Does AWS Artifact configure security controls?
No.
Does AWS Artifact make a customer compliant?
No.
What types of documents are found in AWS Artifact?
Audit reports, certifications, compliance documents, agreements.
If the question mentions “web requests” or “HTTP attacks,” which service applies?
AWS WAF.
If the question mentions “traffic flood” or “availability under attack”?
AWS Shield.
If the question mentions “unusual API activity”?
Amazon GuardDuty.
If customer data is leaked due to misconfigured permissions, who is responsible?
The customer, because it’s security in the cloud.
Does AWS automatically encrypt customer data by default?
No. Customers are responsible for enabling and managing encryption.
If a service is fully managed (SaaS), does customer responsibility disappear?
No. Customers still manage data, access, and compliance.
If an AWS service needs access to another service, what should be used?
An IAM role, not an IAM user.
What always takes precedence in IAM evaluation?
Explicit deny.
Why are IAM groups preferred over assigning policies directly to users?
Easier permission management and reduced risk of errors.
Does MFA reduce blast radius if permissions are excessive?
No. Only least privilege reduces blast radius.
What problem does MFA not solve?
Over-permissioning.
Which service blocks web attacks before they reach the application?
AWS WAF.
Which service protects against traffic floods but not application logic attacks?
AWS Shield.
Which service detects suspicious behavior but does not block it?
Amazon GuardDuty.
If an admin is blocked from performing an action even though IAM allows it, what caused this?
A Service Control Policy (SCP).
If an auditor asks for proof AWS meets compliance standards, which service is used?
AWS Artifact.
What problem does AWS KMS solve?
Centralized creation and management of encryption keys used to encrypt data across AWS services.
What is “encryption at rest” in AWS?
Encrypting stored data on disks or storage services such as EBS, S3, or RDS using keys managed by KMS or the service.
What is “encryption in transit” in AWS?
Protecting data as it moves over networks using protocols like TLS/HTTPS between clients and AWS services.
Who is responsible for deciding when to encrypt data in AWS?
The customer, as part of security in the cloud and their compliance requirements.
What is a customer managed CMK in KMS?
A key that the customer creates, configures, rotates, and deletes, giving them more control than AWS‑managed keys.
What does AWS‑managed key (aws/service key) mean?
A key automatically created and managed by AWS on your behalf for a specific service.
What problem do security groups solve?
They act as stateful virtual firewalls at the instance level to control inbound and outbound traffic.
What problem do network ACLs (NACLs) solve?
They provide stateless, rule‑based control of traffic at the subnet level.
Are security groups stateful or stateless?
Stateful; return traffic is automatically allowed.
Are NACLs stateful or stateless?
Stateless; you must explicitly allow traffic in both directions.
If the exam mentions controlling traffic at the subnet boundary, which construct is likely correct?
A network ACL.
What is the difference between an AWS‑managed and a customer‑managed policy?
AWS‑managed policies are created and maintained by AWS, while customer‑managed policies are created and maintained by the customer for fine‑grained control.
What is an inline IAM policy?
A policy embedded directly into a single user, group, or role instead of being reusable.
What problem do IAM password policies solve?
They enforce minimum password complexity and rotation requirements for IAM users.
What are access keys used for?
Programmatic access to AWS via the CLI, SDKs, or APIs.
Name one task only the root user can perform.
Closing the AWS account or changing the AWS support plan.
Besides MFA, what is a best practice to protect the root user?
Do not use it for daily tasks; create an admin IAM user and lock away root credentials.
What problem does IAM Identity Center (AWS SSO) solve?
Centralized single sign‑on access to multiple AWS accounts and applications using existing identities.
What problem does AWS Security Hub solve?
Provides a central view of security findings and compliance status across AWS accounts and services.
Does Security Hub block attacks by itself?
No. It aggregates and prioritizes findings from other security tools.
What problem does Amazon Macie solve?
Automatically discovers and classifies sensitive data such as PII in Amazon S3.
What problem does Amazon Detective solve?
Helps investigate and visualize security events using data from GuardDuty, CloudTrail, and VPC Flow Logs.
What problem does AWS Firewall Manager solve?
Centrally manages and enforces firewall policies (WAF, Shield, VPC security) across multiple accounts.
What problem does AWS Trusted Advisor solve?
Provides best‑practice checks including security, cost, performance, and fault tolerance recommendations.
Which service provides security and compliance best‑practice checks such as open security groups?
AWS Trusted Advisor.
Which service provides a consolidated dashboard of findings from GuardDuty, Macie, Inspector, and Config?
AWS Security Hub.
What problem does Amazon CloudWatch Logs solve?
Collects and stores log files from applications and AWS services for monitoring and troubleshooting.
What problem does Amazon Detective solve after an alert from GuardDuty?
It enables deeper investigation into the root cause and context of the suspicious activity.
If you need a full security incident timeline combining GuardDuty, CloudTrail, and VPC logs, which service helps?
Amazon Detective.
What problem does AWS Control Tower solve?
Sets up and governs a secure multi‑account AWS environment with built‑in guardrails.
What are Control Tower guardrails?
Preconfigured policies that enforce security, compliance, and operational best practices across accounts.
How do Control Tower and Organizations relate?
Control Tower builds on AWS Organizations to create and manage a governed multi‑account landing zone.
What problem does AWS Audit Manager solve?
Automates the collection of evidence for audits to help demonstrate compliance.
How does Audit Manager differ from Artifact?
Artifact provides AWS’s own compliance reports, while Audit Manager helps customers collect evidence for their own audits.
Name examples of compliance standards AWS supports with documentation in Artifact.
ISO 27001, SOC 1/2/3, PCI DSS, HIPAA, FedRAMP, and GDPR‑related materials.
Where can you find best‑practice security guidance from AWS experts?
The AWS Security Blog and AWS Security Center.
If a question mentions “sensitive data discovery in S3” or “PII detection,” which service is it pointing to?
Amazon Macie.
If a question mentions “central security findings from multiple services,” which service fits best?
AWS Security Hub.
If a question mentions “investigate GuardDuty findings in more detail,” which service is implied?
Amazon Detective.
If a question mentions “central firewall and WAF policy across many accounts,” which service applies?
AWS Firewall Manager.
If a question mentions “automated evidence collection for audits,” which service applies?
AWS Audit Manager.
If a question mentions “best‑practice checks including public S3 buckets and open security groups,” which service applies?
AWS Trusted Advisor.
How does customer responsibility change between EC2 and RDS?
With EC2, customers manage OS, patches, and app security; with RDS, AWS manages the database software and OS, while customers manage data, users, and DB‑level security.