Security, Identity, & Compliance Flashcards

Apply basic security best practices and understand AWS tools for identity management, access control, and compliance. (50 cards)

1
Q

A company must provide access to AWS resources for their employees.

Which security practices should they follow?

(Select TWO.)

  1. Enable multi-factor authentication for users.
  2. Create IAM policies based on least privilege principles.
  3. Disable password policies and management console access.
  4. Create IAM users in different AWS Regions.
  5. Create IAM Roles and apply them to IAM groups.
A

1. Enable multi-factor authentication for users.
2. Create IAM policies based on least privilege principles.

There are several security best practices for AWS IAM listed in the document referenced below. Enabling multi-factor authentication requires a second factor when a user signs in, so a stolen password alone is not enough to get in. Another best practice is to grant least privilege access when configuring users, groups, and roles, and to enforce a strong password policy.

  • Disable password policies and management console access is incorrect. This is not a security best practice. There is no need to disable management console access and password policies should be used.
  • Create IAM users in different AWS Regions is incorrect. You cannot create IAM users in different Regions as the IAM service is a global service.
  • Create IAM Roles and apply them to IAM groups is incorrect. You cannot apply roles to groups, you apply policies to groups.

Reference:
Security best practices in IAM

Save time with our AWS cheat sheets.

2
Q

Which type of credential should a Cloud Practitioner use for programmatic access to AWS resources from the AWS CLI/API?

  1. SSL/TLS certificate
  2. SSH public keys
  3. Access keys
  4. User name and password
A

3. Access keys

Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).

Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).

Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password.

  • SSL/TLS certificate is incorrect. Certificates are not used by users for authenticating to AWS services.
  • SSH public keys is incorrect. These are used for connections using the SSH protocol.
  • User name and password is incorrect. An IAM user name and password can be used for console access but cannot be used with the CLI or API.

Reference:
Manage access keys for IAM users

3
Q

Which tasks require the use of the AWS account root user?

(Select TWO.)

  1. Enabling encryption for S3.
  2. Viewing AWS CloudTrail logs.
  3. Changing the account name.
  4. Changing AWS Support plans.
  5. Changing payment currency.
A

3. Changing the account name.
4. Changing AWS Support plans.

Some tasks can only be performed by the root user of an AWS account. This includes changing the account name and changing AWS support plans. For more information view the AWS article referenced below.

  • Enabling encryption for S3 is incorrect. This does not require root.
  • Viewing AWS CloudTrail logs is incorrect. This does not require root.
  • Changing payment currency is incorrect. This does not require root.

Reference:
AWS security credentials

4
Q

Which AWS service can a company use to discover and protect sensitive data that is stored in Amazon S3 buckets?

  1. Amazon GuardDuty
  2. AWS Policy Generator
  3. Amazon Detective
  4. Amazon Macie
A

4. Amazon Macie

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. Amazon Macie automates the discovery of sensitive data at scale and lowers the cost of protecting your data.

Macie automatically provides an inventory of Amazon S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with AWS accounts outside those you have defined in AWS Organizations.

Then, Macie applies machine learning and pattern matching techniques to the buckets you select to identify and alert you to sensitive data, such as personally identifiable information (PII).

  • Amazon GuardDuty is incorrect. Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.
  • AWS Policy Generator is incorrect. The AWS Policy Generator is a tool that enables you to create policies that control access to Amazon Web Services (AWS) products and resources.
  • Amazon Detective is incorrect. Amazon Detective automatically processes terabytes of event data records about IP traffic, AWS management operations, and malicious or unauthorized activity.

Reference:
Amazon Macie

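The card says Macie finds sensitive data by pattern matching. The block below is an added example, not Macie's code or anything from the original flashcards: it shows the technique on a few constructed "objects" (a dict standing in for S3 keys and contents), matching candidate credit card numbers with a regular expression and then keeping only those that pass the Luhn check, so that 16-digit order IDs and timestamps are not reported. Findings carry only the last four digits, so the scan output does not become another copy of the PII.

```python
"""Pattern-matching PII discovery of the kind a data-security service applies
to stored objects. Added example; the sample objects are constructed."""
import re

# Candidate: 13-19 digits, optionally separated by spaces or dashes, and not
# glued to further digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

# Constructed sample "objects" (key -> contents) standing in for S3 objects.
SAMPLE_OBJECTS = {
    "exports/orders-2024-05.csv": "order_id,card\n1234567812345678,4111 1111 1111 1111\n",
    "logs/app.log": "2024-05-21T10:00:00Z request_id=1716285600000000 status=200\n",
    "support/ticket-42.txt": "Customer paid with 5500-0000-0000-0004 on 2024-05-20.\n",
}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation: real card numbers pass it, most random
    digit strings do not, which removes the bulk of false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return masked card numbers found in text (last four digits only)."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def scan_objects(objects: dict[str, str]) -> dict[str, list[str]]:
    """Map each object key to its findings; objects with no findings are omitted."""
    findings = {}
    for key, body in objects.items():
        hits = find_card_numbers(body)
        if hits:
            findings[key] = hits
    return findings


if __name__ == "__main__":
    for key, hits in scan_objects(SAMPLE_OBJECTS).items():
        print(f"{key}: {hits}")
```

Running it reports the orders export and the support ticket but not the log file, even though the log contains a 16-digit request ID: that is the difference between a bare regex and a validated match.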
5
Q

Which AWS service or feature can assist with protecting a website that is hosted outside of AWS?

  1. Amazon VPC route tables
  2. Amazon EC2 security groups
  3. Amazon VPC network ACLs
  4. AWS Web Application Firewall (WAF)
A

4. AWS Web Application Firewall (WAF)

AWS WAF can be used to protect on-premises resources if they are deployed behind an Application Load Balancer (ALB). In this scenario the on-premises website servers are added to a target group by IP address. The ALB has a WAF WebACL attached to it and distributes connections to the on-premises website.

  • Amazon VPC route tables is incorrect. A route table cannot be used for protecting resources running outside AWS.
  • Amazon EC2 security groups is incorrect. Security groups are attached to elastic network interfaces of resources inside a VPC; they cannot filter traffic to a server that runs outside AWS.
  • Amazon VPC network ACLs is incorrect. Network ACLs only filter traffic entering and leaving a VPC subnet.

Reference:
AWS WAF features

6
Q

A company is deploying an application in the AWS Cloud. How can they secure the application?

(Select TWO.)

  1. Enable encryption for the application data at rest.
  2. Configure public access for the AWS services used by the application.
  3. Enable monitoring by turning off encryption for data in transit.
  4. Limit access privileges according to the principle of least privilege.
  5. Provide full admin access to developer and operations staff.
A

1. Enable encryption for the application data at rest.
4. Limit access privileges according to the principle of least privilege.

In this scenario the company must apply best practice principles for securing their application. Enabling encryption for data at rest is a good practice, and data in transit should be encrypted as well wherever possible. It is also good practice to limit access privileges according to the principle of least privilege: grant only the permissions required to perform a specific role.

  • Configure public access for the AWS services used by the application is incorrect. In some cases public access may be required and in that case only the front end service(s) should be configured for public access. Otherwise it would be best to not enable public access.
  • Enable monitoring by turning off encryption for data in transit is incorrect. There is no need to turn off encryption in transit to enable monitoring and this would reduce security.
  • Provide full admin access to developer and operations staff is incorrect. This is not a security best practice; it is better to assign permissions according to the principle of least privilege.

Reference:
AWS Cloud Security

7
Q

For what purpose would a Cloud Practitioner access AWS Artifact?

  1. Download configuration details for all AWS resources.
  2. Access training materials for AWS services.
  3. Create a security assessment report for AWS services.
  4. Gain access to AWS security and compliance documents.
A

4. Gain access to AWS security and compliance documents.

AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements.

Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls.

  • Download configuration details for all AWS resources is incorrect. Artifact does not provide this capability.
  • Access training materials for AWS services is incorrect. Artifact does not provide training materials.
  • Create a security assessment report for AWS services is incorrect. Artifact cannot be used for this purpose.

Reference:
AWS Artifact

8
Q

What are AWS Identity and Access Management (IAM) access keys used for?

  1. Logging in to the AWS Management Console.
  2. Ensuring the integrity of log files.
  3. Making programmatic calls to AWS from AWS APIs.
  4. Enabling encryption in transit for web servers.
A

3. Making programmatic calls to AWS from AWS APIs.

Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
Access keys consist of two parts:

  • an access key ID (for example, AKIAIOSFODNN7EXAMPLE)
  • a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).

Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password.

  • Logging in to the AWS Management Console is incorrect. You use a user name and password for the management console.
  • Ensuring the integrity of log files is incorrect. This is not what access keys are used for.
  • Enabling encryption in transit for web servers is incorrect. SSL/TLS certificates are used for creating encrypted channels using HTTPS.

Reference:
Manage access keys for IAM users

9
Q

What is the best practice for managing AWS IAM access keys?

  1. There is no need to manage access keys.
  2. Customers should rotate access keys regularly.
  3. AWS rotates access keys on a schedule.
  4. Never use access keys, always use IAM roles.
A

2. Customers should rotate access keys regularly.

It is a security best practice to rotate access keys regularly. This practice ensures that if access keys are compromised the security exposure is mitigated.

  • There is no need to manage access keys is incorrect. This is not true; you must rotate access keys.
  • AWS rotates access keys on a schedule is incorrect. AWS does not rotate your access keys; rotation is the customer's responsibility.
  • Never use access keys, always use IAM roles is incorrect. IAM roles with temporary credentials are preferred wherever a workload can use them (for example, on EC2 or Lambda), but access keys remain a supported credential for cases that need them, so it is not the case that you should never use them. What matters is that any access keys you do keep are managed and rotated.

Reference:
Manage access keys for IAM users

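The practices from the cards above (MFA for every user with a console password, regular rotation of access keys, and no access keys on the root user) can be checked from the IAM credential report. The block below is an added example, not part of the original flashcards: it parses a constructed report whose column names are a subset of the real one returned by `aws iam get-credential-report` (which delivers base64-encoded CSV) and flags the violations. The 90-day rotation limit and the fixed "today" are assumptions so the run is reproducible; no AWS call is made.

```python
"""Audit an IAM credential report for MFA, key age and root access keys.
Added example; the report below is constructed, not a real account."""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)  # assumed rotation policy
NOW = datetime(2024, 5, 22, tzinfo=timezone.utc)  # fixed "today" for reproducible output

# Constructed sample report; column names match the real credential report.
SAMPLE_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,not_supported,true,true,2020-01-10T09:00:00+00:00,false,N/A
alice,true,true,true,2024-04-15T10:00:00+00:00,false,N/A
bob,true,false,true,2021-06-01T10:00:00+00:00,false,N/A
ci-deploy,false,false,true,2023-11-01T10:00:00+00:00,true,2024-05-01T10:00:00+00:00
"""


def _parse_timestamp(value):
    """The report uses ISO 8601 timestamps; these markers mean 'no value'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now):
    """Return (user, finding) pairs for rows that violate the three practices."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should have MFA and no long-term access keys at all.
            if row["mfa_active"] != "true":
                findings.append((user, "root user has no MFA"))
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    findings.append((user, "root access key present; delete it"))
            continue
        # MFA only matters for identities that can sign in to the console.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_timestamp(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {slot} older than {MAX_KEY_AGE.days} days; rotate"))
    return findings


def audit_sample():
    """Run the audit over the constructed report."""
    return audit_credential_report(SAMPLE_REPORT, NOW)


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

On the sample data alice is clean, bob has a console password without MFA and a three-year-old key, ci-deploy (an API-only user with no password) has one stale key and one freshly rotated one, and the root user still has an access key. Note that a second active key per user is what makes rotation without downtime possible: create the new key, switch the client, then deactivate and delete the old one.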
10
Q

What can be used to allow an application running on an Amazon EC2 instance to securely store data in an Amazon S3 bucket without using long-term credentials?

  1. AWS Systems Manager
  2. Amazon Connect
  3. AWS IAM role
  4. AWS IAM access key
A

3. AWS IAM role

An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.

Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.

  • AWS Systems Manager is incorrect. Systems Manager is an operations service for managing EC2 instances and servers; it does not supply credentials to an application.
  • Amazon Connect is incorrect. This is a contact center service.
  • AWS IAM access key is incorrect. Access keys are long-term credentials and should not be embedded in code or configuration on EC2 instances. A role attached to the instance (through an instance profile) supplies temporary credentials via the instance metadata service, which the SDK picks up automatically; this is more secure.

Reference:
IAM roles

11
Q

A Cloud Practitioner noticed that IP addresses that are owned by AWS are being used to attempt to flood ports on some of the company’s systems.

To whom should the issue be reported?

  1. AWS Professional Services
  2. AWS Partner Network (APN)
  3. AWS Trust & Safety team
  4. AWS Technical Account Manager (TAM)
A

3. AWS Trust & Safety team

If you suspect that AWS resources are used for abusive purposes, contact the AWS Trust & Safety team using the Report Amazon AWS abuse form, or by contacting abuse@amazonaws.com. Provide all the necessary information, including logs in plaintext, email headers, and so on, when you submit your request.

Reference:
Report AWS Abuse

12
Q

A Cloud Practitioner wants to configure the AWS CLI for programmatic access to AWS services. Which credential components are required?

(Select TWO.)

  1. An access key ID
  2. A public key
  3. A secret access key
  4. An IAM Role
  5. A private key
A

1. An access key ID
3. A secret access key

Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK).
Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).
Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Manage your access keys as securely as you do your user name and password.

  • A public key is incorrect. Public/private keys are used for encryption and are also associated with the key pairs used to authenticate to EC2 instances.
  • A private key is incorrect. Public/private keys are used for encryption and are also associated with the key pairs used to authenticate to EC2 instances.
  • An IAM Role is incorrect. A role is not a credential component. The CLI can be configured to assume a role, but it still needs a source credential (an access key pair, or a role already attached to the instance it runs on) to do so. Roles are used for delegating access to AWS services and for cross-account access.

Reference:
Manage access keys for IAM users

13
Q

A user needs an automated security assessment report that will identify unintended network access to Amazon EC2 instances and vulnerabilities on those instances.

Which AWS service will provide this assessment report?

  1. EC2 security groups
  2. AWS Config
  3. Amazon Macie
  4. Amazon Inspector
A

4. Amazon Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.

After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

  • EC2 security groups is incorrect. Security groups are instance-level firewalls used for controlling network traffic reaching and leaving EC2 instances.
  • AWS Config is incorrect. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
  • Amazon Macie is incorrect. Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect sensitive data in AWS.

Reference:
Amazon Inspector

14
Q

Which AWS service helps customers meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware appliances within the AWS Cloud?

  1. AWS Secrets Manager
  2. AWS CloudHSM
  3. AWS Key Management Service (AWS KMS)
  4. AWS Directory Service
A

2. AWS CloudHSM

The AWS CloudHSM service helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud. AWS CloudHSM enables you to easily generate and use your own encryption keys on the AWS Cloud.

  • AWS Secrets Manager is incorrect. AWS Secrets Manager enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
  • AWS Key Management Service (AWS KMS) is incorrect. KMS also creates and manages encryption keys, and its keys are protected by HSMs, but those HSMs are shared, AWS-managed infrastructure rather than dedicated, single-tenant appliances under your control.
  • AWS Directory Service is incorrect. AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud.

Reference:
AWS CloudHSM features

15
Q

A Cloud practitioner wants to know if there are services which can protect from DDoS (Distributed Denial of Service) attacks directed at AWS services.

Which AWS service or tool will provide this protection?

  1. Network access control list (ACL)
  2. AWS Shield
  3. Security group
  4. Amazon GuardDuty
A

2. AWS Shield

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection.
There are two tiers of AWS Shield - Standard and Advanced.

  • Network access control list (ACL) is incorrect. Network ACLs exist within a VPC, and act as a stateless firewall for network traffic in and out of your subnets.
  • Security group is incorrect. A security group is a stateful firewall that controls traffic to instances (and other resources) running within a VPC; it does not absorb or mitigate a volumetric DDoS attack.
  • Amazon GuardDuty is incorrect. Amazon GuardDuty is an intelligent threat detection service; it raises findings about suspicious activity but does not mitigate Distributed Denial of Service (DDoS) traffic.

Reference:
AWS Shield Features

16
Q

How can an organization gain access to compliance reports natively through the AWS console?

  1. AWS Security Hub
  2. AWS Identity and Access Management (IAM)
  3. AWS Artifact
  4. AWS Certificate Manager (ACM)
A

3. AWS Artifact

AWS Artifact is your go-to, central resource for compliance-related information that matters to you. You can access the AWS Artifact console to download reports and to review, accept, and track the status of AWS agreements.

  • AWS Identity and Access Management (IAM) is incorrect because IAM is related to administering permissions for Users, Groups and Roles within your account, and is not related to compliance.
  • AWS Security Hub is incorrect. Security Hub is a cloud security posture management service that automates best practice checks against your own resources (for example, against CIS benchmarks), aggregates alerts, and supports automated remediation; it does not provide AWS's own audit reports and certifications.
  • AWS Certificate Manager (ACM) is incorrect as ACM provisions and manages TLS certificates, not compliance reports.

Reference:
What is AWS Artifact?

17
Q

A manager is planning to migrate applications to the AWS Cloud and needs to obtain AWS compliance reports.

How can these reports be generated?

  1. Download the reports from AWS Secrets Manager.
  2. Contact the AWS Compliance team.
  3. Create a support ticket with AWS Support.
  4. Download the reports from AWS Artifact.
A

4. Download the reports from AWS Artifact.

AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements.

Reports available in AWS Artifact include Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls.

Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).

  • Contact the AWS Compliance team is incorrect. You do not need to contact anyone at AWS, you can simply download this information.
  • Download the reports from AWS Secrets Manager is incorrect. AWS Secrets Manager is used for storing secrets such as database authentication credentials or license codes. It is not used for storing compliance reports.
  • Create a support ticket with AWS Support is incorrect. You do not need to contact anyone at AWS, you can simply download this information.

Reference:
AWS Artifact

18
Q

A company has been using an AWS managed IAM policy for granting permissions to users but needs to add some permissions.

How can this be achieved?

  1. Create a rule in AWS WAF.
  2. Create a custom IAM policy.
  3. Edit the AWS managed policy.
  4. Create a Service Control Policy.
A

2. Create a custom IAM policy.

AWS managed policies cannot be edited so if you need to add permissions to users that are not granted in the policy you must create your own custom IAM policy.

  • Edit the AWS managed policy is incorrect. You cannot edit AWS managed policies.
  • Create a Service Control Policy is incorrect. SCPs are used in AWS Organizations to restrict available permissions. They do not grant permissions.
  • Create a rule in AWS WAF is incorrect. WAF is a web application firewall used for protecting resources from web-based attacks.

Reference:
Define custom IAM permissions with customer managed policies

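The two cards above on giving an EC2 application access to S3 through a role and on writing a customer managed policy come down to two documents: a trust policy that says who may assume the role, and a permissions policy scoped to what the application actually does. The block below is an added example, not code from the flashcards or an AWS API. It builds both documents for the "write to one S3 bucket" scenario next to an AdministratorAccess-shaped policy, and `find_broad_grants` and `trusted_principals` are hypothetical helpers that flag what a reviewer would push back on. The bucket name is made up.

```python
"""Least-privilege role documents and a reviewer-style check over them.
Added example; the helpers are illustrative, not an AWS API."""

BUCKET = "example-app-uploads"  # constructed bucket name

# Trust policy: who may assume the role. Only the EC2 service, never "*".
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Customer managed permissions policy: only the two S3 actions the app needs,
# each on the narrowest resource that works for that action (objects for
# PutObject, the bucket itself for ListBucket).
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "WriteObjects", "Effect": "Allow",
         "Action": ["s3:PutObject"], "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "ListBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": f"arn:aws:s3:::{BUCKET}"},
    ],
}

# The shape of "full admin access": every action on every resource.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

READ_PREFIXES = ("Get", "List", "Describe")


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy):
    """Return (statement label, reason) for Allow statements that grant more
    than least privilege would. Heuristic: wildcard actions, NotAction/
    NotResource in an Allow, or non-read actions on Resource "*"."""
    issues = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt or "NotResource" in stmt:
            issues.append((label, "NotAction/NotResource in an Allow grants everything not listed"))
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            issues.append((label, "Action '*' grants every API in every service"))
        elif "*" in resources:
            writes = [a for a in actions if not a.split(":", 1)[1].startswith(READ_PREFIXES)]
            if writes:
                issues.append((label, f"Resource '*' with non-read actions {writes}"))
    return issues


def trusted_principals(trust_policy):
    """Who may call sts:AssumeRole on the role; "*" here would mean anyone."""
    principals = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principals.add("*")
            continue
        for values in principal.values():  # {"Service": ...} or {"AWS": [...]}
            principals.update(_as_list(values))
    return principals


if __name__ == "__main__":
    print("trusted by:", trusted_principals(TRUST_POLICY))
    print("least privilege:", find_broad_grants(LEAST_PRIVILEGE_POLICY))
    print("admin:", find_broad_grants(ADMIN_POLICY))
```

The trust document is what goes in `--assume-role-policy-document` when the role is created; the permissions document becomes a customer managed policy attached to the role, and the role is attached to the instance through an instance profile. The read-prefix heuristic is deliberately loose (some read actions such as listing all buckets genuinely need `Resource "*"`), which is why it only flags non-read actions on a wildcard resource.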
19
Q

Which AWS service provides on-demand downloads of AWS security and compliance reports?

  1. AWS Directory Service
  2. AWS Artifact
  3. AWS Trusted Advisor
  4. Amazon Inspector
A

2. AWS Artifact

AWS Artifact is the go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements.

Reports available in AWS Artifact include Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls.

  • AWS Directory Service is incorrect. AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, is an AWS-managed directory service built on actual Microsoft Active Directory.
  • AWS Trusted Advisor is incorrect. AWS Trusted Advisor is an online tool that provides you real time guidance to help you provision your resources following AWS best practices.
  • Amazon Inspector is incorrect. Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

Reference:
AWS Artifact

20
Q

How can an organization track resource inventory and configuration history for the purpose of security and regulatory compliance?

  1. Configure AWS Config with the resource types
  2. Create an Amazon CloudTrail trail
  3. Implement Amazon GuardDuty
  4. Run a report with AWS Artifact
A

1. Configure AWS Config with the resource types

AWS Config is a fully-managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and regulatory compliance.

  • Create an Amazon CloudTrail trail is incorrect. CloudTrail records API activity, that is, who did what in your AWS account. It does not provide a resource inventory or configuration history.
  • Implement Amazon GuardDuty is incorrect. Amazon GuardDuty offers threat detection and continuous security monitoring for malicious or unauthorized behavior to help you protect your AWS accounts and workloads.
  • Run a report with AWS Artifact is incorrect. AWS Artifact is used for obtaining on-demand security and compliance reports and select online agreements. This service provides access to AWS security and compliance reports such as SOC and PCI. You don’t use Artifact to track your own resource inventory and configuration history.

Reference:
Setting Up AWS Config with the Console

21
Q

A security operations engineer needs to implement threat detection and monitoring for malicious or unauthorized behavior. Which service should be used?

  1. AWS Shield
  2. AWS KMS
  3. AWS CloudHSM
  4. Amazon GuardDuty
A

4. Amazon GuardDuty

Amazon GuardDuty offers threat detection and continuous security monitoring for malicious or unauthorized behavior to help you protect your AWS accounts and workloads.

  • AWS Shield is incorrect. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service.
  • AWS KMS is incorrect. AWS Key Management Service gives you centralized control over the encryption keys used to protect your data.
  • AWS CloudHSM is incorrect. AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.

Reference:
Amazon GuardDuty


22
Q

Which authentication method is used to authenticate programmatic calls to AWS services?

  1. Console password
  2. Server certificate
  3. Key pair
  4. Access keys
A

4. Access keys

Access keys are a combination of an access key ID and a secret access key. They are used to make programmatic calls to AWS using the API.

  • Console password is incorrect. Console passwords are used for signing users into the AWS Management Console, not for making programmatic calls to AWS services.
  • Server certificate is incorrect. Server certificates (for example, those managed by ACM or stored in IAM) identify a server to clients over HTTPS; they are not used to authenticate callers of the AWS API.
  • Key pair is incorrect. Key pairs should not be confused with access keys. Key pairs are used for SSH (or Windows password retrieval) when connecting to Amazon EC2 instances.

Reference:
Manage access keys for IAM users


23
Q

Which IAM entity is associated with an access key ID and secret access key?

  1. IAM Group
  2. IAM Role
  3. IAM Policy
  4. IAM User
A

4. IAM User

An access key ID and secret access key are long-term credentials used to sign programmatic requests to AWS. They are associated with an IAM user (the root user can also have them, but that is strongly discouraged).

You cannot attach an access key ID and secret access key to an IAM group or policy. An IAM role does not hold long-term access keys either; assuming a role returns temporary credentials (an access key ID, secret access key, and session token) that expire.

Reference:
AWS security credentials

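Several cards say access keys "sign" programmatic requests without showing what that involves. The block below is an added example, not code from the flashcards or from AWS, implementing Signature Version 4 with the documentation placeholder key pair the cards quote: the secret access key is used only as HMAC key material on the client and never leaves it, while the request carries the access key ID, a credential scope and the resulting signature. The STS GetCallerIdentity request and its timestamp are constructed, and the optional session token shows how a role's temporary credentials (the previous card) are signed: the token travels as an additional signed header.

```python
"""Signature Version 4 request signing with an access key pair.
Added example; the request and timestamp are constructed."""
import hashlib
import hmac
from urllib.parse import quote

ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"  # documentation placeholder values
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request").
    The derived key is scoped to one day, region and service, so even it is not
    a reusable secret."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(method, host, path, query, body, amz_date, region, service,
                 access_key_id, secret_access_key, session_token=None):
    """Return the headers to send, including the Authorization header."""
    date_stamp = amz_date[:8]  # YYYYMMDD part of e.g. 20240521T100000Z
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:  # temporary credentials from STS / an assumed role
        headers["x-amz-security-token"] = session_token
    # Canonical request: method, URI, sorted+encoded query, canonical headers,
    # the list of signed header names, and the hex SHA-256 of the payload.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    canonical_request = "\n".join([method, path, canonical_query, canonical_headers,
                                   signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signing_key = derive_signing_key(secret_access_key, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def example_signed_headers(secret=SECRET_ACCESS_KEY, session_token=None):
    """Sign a constructed sts:GetCallerIdentity request (form-encoded POST body)."""
    return sign_request("POST", "sts.amazonaws.com", "/", {},
                        "Action=GetCallerIdentity&Version=2011-06-15",
                        "20240521T100000Z", "us-east-1", "sts",
                        ACCESS_KEY_ID, secret, session_token)


if __name__ == "__main__":
    for name, value in example_signed_headers().items():
        print(f"{name}: {value}")
```

Because the signature covers the timestamp and the request body, a captured request cannot be replayed later or altered, and because the secret is only ever an HMAC input, the service can verify the caller without the secret being transmitted. That is why the CLI needs both halves of the key pair locally, and why leaking the secret half is equivalent to leaking the password.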

24
Q

Which IAM entity can be used for assigning permissions to multiple users?

  1. IAM User
  2. IAM Group
  3. IAM Role
  4. IAM password policy
A

2. IAM Group

Groups are collections of users and have policies attached to them. You can use groups to assign permissions to multiple users. To do this place the users in the group and then create an IAM policy with the correct permissions and attach it to the group.

You do not use an IAM User, Role, or password policy to assign permissions to multiple users.

Reference:
IAM user groups


25
Q

Which service can be used to easily create multiple accounts?

  1. AWS IAM
  2. AWS CloudFormation
  3. AWS Organizations
  4. Amazon Connect
A

3. AWS Organizations

AWS Organizations can be used for automating AWS account creation via the Organizations API.

  • AWS IAM is incorrect. You cannot use IAM for creating accounts.
  • AWS CloudFormation is incorrect. You could theoretically use AWS CloudFormation to automate the account creation along with some scripting, but that is certainly not an easy way to reach this result.
  • Amazon Connect is incorrect. Amazon Connect is a self-service, cloud-based contact center service that makes it easy for businesses to deliver better customer service at a lower cost.

References:
Creating a member account in an organization with AWS Organizations: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html
How to Use AWS Organizations to Automate End-to-End Account Creation: https://aws.amazon.com/blogs/security/how-to-use-aws-organizations-to-automate-end-to-end-account-creation/

26
Q

Which IAM entity can be used for assigning permissions to AWS services?

  1. IAM Access Key ID and Secret Access Key
  2. IAM Policy
  3. IAM Role
  4. Security Token Service (STS)
A

3. IAM Role

With IAM Roles you can delegate permissions to resources for users and services without using permanent credentials (e.g. username and password). To do so you create a role and assign an IAM policy to the role that has the permissions required.

  • IAM Access Key ID and Secret Access Key is incorrect. An access key ID and secret access key are assigned to IAM users and used for programmatic access using the API or CLI.
  • IAM Policy is incorrect. An IAM policy is a policy document that is used to define permissions that can be applied to users, groups and roles. You don't apply the policy to the service, you apply it to the role. The role is then used to assign permissions to the AWS service.
  • Security Token Service (STS) is incorrect. This service is used for gaining temporary security credentials.

Reference:
Create a role to delegate permissions to an AWS service: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html

27
Q

A company currently uses a Security Assertion Markup Language (SAML) based application to log in to third-party business applications and would like to have this hosted in AWS using managed services.

Which AWS service will meet this requirement?

  1. AWS Identity and Access Management (IAM).
  2. Amazon Cognito.
  3. AWS Single Sign-On.
  4. AWS CLI.
A

2. Amazon Cognito.

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect.

  • AWS Identity and Access Management (IAM) is incorrect. Although it is related to granting permissions, IAM is specifically used to grant access to identities within an AWS account. Amazon Cognito is a managed identity service that provides sign-in for your applications' own users, including through third-party identity providers.
  • AWS Single Sign-On is incorrect. AWS Single Sign-On (now AWS IAM Identity Center) is where you create, or connect, your workforce identities in AWS once and manage access centrally across your AWS organization; it is a workforce access service rather than an identity service you embed in your own application.
  • AWS CLI is incorrect. The AWS Command Line Interface (AWS CLI) is a unified tool to manage your AWS services from the command line of your desktop. It has nothing to do with SAML or authentication.

Reference:
Amazon Cognito: https://aws.amazon.com/cognito/

28
An organization recently migrated to AWS and wants to enable intelligent threat protection and continuous monitoring across all its accounts.

**Which AWS service should the company use to achieve this goal?**

1. Amazon Macie
2. Amazon GuardDuty
3. AWS Shield
4. Amazon Detective

**2.** Amazon GuardDuty

## Footnote

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

* Amazon Macie is incorrect, as Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. It does not have anything to do with Amazon GuardDuty.
* AWS Shield is incorrect. AWS Shield is a managed DDoS prevention and mitigation service, and it doesn’t provide intelligent threat detection on an account-by-account basis.
* Amazon Detective is incorrect. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations - but does not actively detect threats.

**Reference:** [Amazon GuardDuty](https://aws.amazon.com/guardduty/)

Save time with our [AWS cheat sheets](https://digitalcloud.training/aws-security-services/).
29
Are there any AWS services or features that will identify and search for externally shared AWS resources?

1. Amazon OpenSearch Service (Amazon Elasticsearch Service)
2. AWS Control Tower
3. AWS IAM Access Analyzer
4. AWS Fargate

**3.** AWS IAM Access Analyzer

## Footnote

Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk.

* Amazon OpenSearch Service (Amazon Elasticsearch Service) is incorrect. Amazon OpenSearch Service makes it easy for you to perform interactive log analytics, real-time application monitoring, website search, and more. OpenSearch is an open source, distributed search and analytics suite derived from Elasticsearch. It has nothing to do with identifying externally shared resources.
* AWS Control Tower is incorrect. AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone. This is a governance service and is not related to Identity and Access Management.
* AWS Fargate is incorrect. AWS Fargate is a serverless, pay-as-you-go compute engine that lets you focus on building applications without managing servers. It does not reference Identity and Access Management.

**Reference:** [Using AWS Identity and Access Management Access Analyzer](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html)

Save time with our [AWS cheat sheets](https://digitalcloud.training/aws-security-services/).
30
A new web application is being developed by a company. Logging into the application through a social identity provider is a must-have requirement for the company.

**Which AWS service will meet these requirements?**

1. AWS Directory Service
2. Amazon Cognito
3. AWS Identity and Access Management (IAM)
4. AWS Single Sign-On

**2.** Amazon Cognito

## Footnote

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect.

* AWS Directory Service is incorrect. AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft Active Directory (AD), enables your directory-aware workloads and AWS resources to use managed Active Directory (AD) in AWS. Although it is related to permissions and authorization, it does not
* AWS Identity and Access Management (IAM) is incorrect. IAM does not grant permissions to external third parties - only to internal AWS identities.
* AWS Single Sign-On is incorrect. AWS Single Sign-On (AWS SSO) is where you create, or connect, your workforce identities in AWS once and manage access centrally across your AWS organization. This does not allow users to log in through a social identity provider.

**Reference:** [Amazon Cognito](https://aws.amazon.com/cognito/)

Save time with our [AWS cheat sheets](https://digitalcloud.training/aws-security-services/).
31
What can be assigned to an IAM user? (Select TWO.)

1. An access key ID and secret access key
2. An SSL/TLS certificate
3. A key pair
4. A password for logging into Linux
5. A password for access to the management console

**1.** An access key ID and secret access key
**5.** A password for access to the management console

## Footnote

An IAM user is an entity that represents a person or service. Users can be assigned an access key ID and secret access key for programmatic access to the AWS API, CLI, SDK, and other development tools, and a password for access to the management console.

* An SSL/TLS certificate is incorrect. You cannot assign an SSL/TLS certificate to a user.
* A key pair is incorrect. Key pairs are used with Amazon EC2 as a method of using public key encryption to securely access EC2 instances.
* A password for logging into Linux is incorrect. You cannot assign an IAM user with a password for logging into a Linux instance.

**Reference:** [IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)

Save time with our [AWS cheat sheets](https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/identity-and-access-management/).
32
The AWS acceptable use policy for penetration testing allows which of the following?

1. Customers to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for selected services
2. Customers to carry out security assessments or penetration tests against their AWS infrastructure after obtaining authorization from AWS
3. AWS to perform penetration testing against customer resources without notification
4. Authorized security assessors to perform penetration tests against any AWS customer without authorization

**1.** Customers to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for selected services

## Footnote

AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for the following eight services:

1. Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
2. Amazon RDS
3. Amazon CloudFront
4. Amazon Aurora
5. Amazon API Gateways
6. AWS Lambda and Lambda Edge functions
7. Amazon LightSail resources
8. Amazon Elastic Beanstalk environments

* Customers to carry out security assessments or penetration tests against their AWS infrastructure after obtaining authorization from AWS is incorrect, as you do not need authorization.
* AWS to perform penetration testing against customer resources without notification is incorrect, as AWS will not perform penetration testing on customer resources.
* Authorized security assessors to perform penetration tests against any AWS customer without authorization is incorrect. This is not something that is authorized.

**Reference:** [Penetration Testing](https://aws.amazon.com/security/penetration-testing/)

Save time with our [AWS cheat sheets](https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/cloud-security/).
33
Which service can be used to assign a policy to a group?

1. AWS IAM
2. Amazon Cognito
3. Amazon STS
4. AWS Shield

**1.** AWS IAM

## Footnote

IAM is used to securely control individual and group access to AWS resources. Groups are collections of users and have policies attached to them. You can use IAM to attach a policy to a group.

* Amazon Cognito is incorrect. Amazon Cognito is used for authentication using mobile apps.
* AWS STS is incorrect. The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users).
* AWS Shield is incorrect. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.

**Reference:** [What is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html)

Save time with our [AWS cheat sheets](https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/identity-and-access-management/).
34
Which AWS service lets you add user sign-up, sign-in and access control to web and mobile apps?

1. AWS Artifact
2. Amazon Cognito
3. AWS CloudHSM
4. AWS Directory Service

**2.** Amazon Cognito

## Footnote

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0.

* AWS Artifact is incorrect. AWS Artifact is your go-to, central resource for compliance-related information that matters to you.
* AWS CloudHSM is incorrect. AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.
* AWS Directory Service is incorrect. AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud.

**Reference:** [Amazon Cognito](https://aws.amazon.com/cognito/)

Save time with our [AWS cheat sheets](https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/additional-aws-services-tools/).
35
Which of the following security-related activities are AWS customers responsible for? (Select TWO.)

1. Secure disposal of faulty disk drives
2. Implementing data center access controls
3. Installing patches on network devices
4. Installing patches on Windows operating systems
5. Implementing IAM password policies

**4.** Installing patches on Windows operating systems
**5.** Implementing IAM password policies

## Footnote

Customers are responsible for configuring their own IAM password policies and installing operating system patches on Amazon EC2 instances. AWS is responsible for installing patches on physical hardware devices, data center access controls and secure disposal of disk drives.

* Secure disposal of faulty disk drives is incorrect, as this is an AWS responsibility.
* Implementing data center access controls is incorrect, as this is an AWS responsibility.
* Installing patches on network devices is incorrect, as this is an AWS responsibility.

**Reference:** [Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/)

Save time with our [AWS cheat sheets](https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/aws-shared-responsibility-model/).
36
Which feature of AWS IAM enables you to identify unnecessary permissions that have been assigned to users?

1. Role Advisor
2. Access Advisor
3. Permissions Advisor
4. Group Advisor

**2.** Access Advisor

## Footnote

The IAM console provides information about when IAM users and roles last attempted to access AWS services. This information is called service last accessed data. This data can help you identify unnecessary permissions so that you can refine your IAM policies to better adhere to the principle of least privilege. That means granting the minimum permissions required to perform a specific task. You can find the data on the Access Advisor tab in the IAM console by examining the detail view for any IAM user, group, role, or managed policy.

* Role Advisor is incorrect as this is not a valid feature.
* Permissions Advisor is incorrect as this is not a valid feature.
* Group Advisor is incorrect as this is not a valid feature.

**Reference:** [Refine permissions in AWS using last accessed information](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html)

Save time with our [AWS cheat sheets](https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/identity-and-access-management/).
37
What does an organization need to do to move to another AWS region?

1. Just start deploying resources in the additional region
2. Create a separate IAM account for that region
3. Apply for another AWS account in that region
4. Submit an application to extend their account to the additional region

**1.** Just start deploying resources in the additional region

## Footnote

You don’t need to do anything except start deploying resources in the new region. With the AWS cloud you can use any region around the world at any time. There is no need for a separate account, and IAM is a global service.

* Create a separate IAM account for that region is incorrect as IAM is a global service.
* Apply for another AWS account in that region is incorrect as you can use IAM across Regions and do not need another account.
* Submit an application to extend their account to the additional region is incorrect as you do not need to extend accounts across Regions.

**Reference:** [AWS Identity and Access Management (IAM) FAQs](https://aws.amazon.com/iam/faqs/)

Save time with our AWS cheat sheets:

* [AWS Identity and Access Management](https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/identity-and-access-management/)
* [AWS Global Infrastructure](https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/aws-global-infrastructure/)
38
What does an organization need to do in Amazon IAM to enable user access to services being launched in a new region?

1. Nothing, IAM is global
2. Enable global mode in IAM to provision the required access
3. Update the user accounts to allow access from another region
4. Create new user accounts in the new region

**1.** Nothing, IAM is global

## Footnote

IAM is used to securely control individual and group access to AWS resources. IAM is universal (global) and does not apply to regions.

* Enable global mode in IAM to provision the required access is incorrect as you do not need to do anything to use IAM globally.
* Update the user accounts to allow access from another region is incorrect as you don’t need to update user accounts.
* Create new user accounts in the new region is incorrect as IAM is global.

**Reference:** [What is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html)

Save time with our [AWS cheat sheets](https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/identity-and-access-management/).
39
An organization has multiple AWS accounts and uses a mixture of on-demand and reserved instances. One account has a considerable amount of unused reserved instances. How can the organization reduce their costs? (Select TWO.)

1. Create an AWS Organization configuration linking the accounts
2. Use Spot instances instead
3. Redeem their reserved instances
4. Set up consolidated billing between the accounts
5. Switch to using placement groups

**1.** Create an AWS Organization configuration linking the accounts
**4.** Set up consolidated billing between the accounts

## Footnote

AWS Organizations allows you to consolidate multiple AWS accounts into an organization that you create and centrally manage. Unused reserved instances (RIs) for EC2 are applied across the group, so the organization can utilize their unused reserved instances instead of consuming on-demand instances, which will lower their costs.

* Use Spot instances instead is incorrect. Spot instance pricing is variable so it is not guaranteed to lower the cost, and it is not suitable for workloads that cannot be unexpectedly terminated by AWS.
* Redeem their reserved instances is incorrect. You cannot redeem your reserved instances. You can sell them on the AWS marketplace, however.
* Switch to using placement groups is incorrect. Using placement groups will not lower their costs.

**Reference:** [What is AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html)

Save time with our [AWS cheat sheets](https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/aws-billing-and-pricing/).
40
A system administrator discovers that several Amazon EC2 instances have been terminated. It is the responsibility of the system administrator to identify the user or AWS API call that terminated these instances.

**Which AWS service should the system administrator use to meet this requirement?**

1. AWS Trusted Advisor
2. AWS CloudTrail
3. Amazon Inspector
4. Amazon Detective

**2.** AWS CloudTrail

## Footnote

AWS CloudTrail tracks API calls that are made within a particular AWS account. It will track the API call made, the IP address it originated from and which IAM principal initiated the action.

* AWS Trusted Advisor is incorrect. AWS Trusted Advisor provides recommendations that help you follow AWS best practices. Trusted Advisor evaluates your account by using checks. These checks identify ways to optimize your AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas. You can then follow the check recommendations to optimize your services and resources.
* Amazon Inspector is incorrect. Inspector is a fully managed vulnerability assessment tool, which doesn’t track who is performing what actions within an account.
* Amazon Detective is incorrect. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations. It does not, however, track API calls within an account.

**Reference:** [AWS CloudTrail](https://aws.amazon.com/cloudtrail/)

Save time with our [AWS cheat sheets](https://digitalcloud.training/aws-security-services/).
41
When an Amazon EC2 instance is stopped, which of the following AWS services can be used to identify the user who stopped it?

1. AWS CloudTrail
2. Amazon Inspector
3. Amazon CloudWatch
4. VPC Flow Logs

**1.** AWS CloudTrail

## Footnote

AWS CloudTrail tracks API calls that are made within a particular AWS account. It will track the API call made, the IP address it originated from and which IAM principal initiated the action, and in this case will capture who stopped an EC2 instance.

* Amazon Inspector is incorrect. Inspector is a fully managed vulnerability assessment tool and does not investigate who initiated any API call.
* Amazon CloudWatch is incorrect. Amazon CloudWatch is a monitoring and observability service which does not track API calls made within the account.
* VPC Flow Logs is incorrect. VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

**Reference:** [AWS CloudTrail](https://aws.amazon.com/cloudtrail/)

Save time with our [AWS cheat sheets](https://digitalcloud.training/aws-security-services/).
42
In AWS IAM, what are the characteristics of users and groups? (Select TWO.)

1. Groups can be nested and can contain other groups.
2. A user can be a member of multiple groups.
3. Groups can contain users only and cannot be nested.
4. A user can only be a member of a single group at one time.
5. All new users are automatically added to a default group.

**2.** A user can be a member of multiple groups.
**3.** Groups can contain users only and cannot be nested.

## Footnote

In IAM, a user can be a member of multiple groups. One IAM user can be a part of a maximum of 5 groups. Also, groups are a flat hierarchy of users with similar permissions, and you cannot place a group within another group.

* Groups can be nested and can contain other groups is incorrect. This is also explained above.
* A user can only be a member of a single group at one time is incorrect. A user group can contain many users, and a user can belong to multiple user groups.
* All new users are automatically added to a default group is incorrect. Users do not have to be added to any group and can exist simply as users.

**Reference:** [IAM user groups](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)

Save time with our [AWS cheat sheets](https://digitalcloud.training/aws-security-services/).
43
Which AWS service monitors AWS accounts continuously for malicious activity and unauthorized behavior?

1. Amazon Macie
2. AWS Config
3. Amazon GuardDuty
4. Amazon Inspector

**3.** Amazon GuardDuty

## Footnote

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

* Amazon Macie is incorrect. Amazon Macie helps identify PII data within S3 buckets and does not detect threats.
* AWS Config is incorrect. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. It does not detect threats.
* Amazon Inspector is incorrect also, as Inspector is a fully managed vulnerability assessment tool - it doesn’t detect threats.

**Reference:** [Amazon GuardDuty](https://aws.amazon.com/guardduty/)

Save time with our [AWS cheat sheets](https://digitalcloud.training/aws-security-services/).
44
What AWS service offers managed DDoS protection?

1. AWS Firewall Manager
2. AWS Shield
3. Amazon GuardDuty
4. Amazon Inspector

**2.** AWS Shield

## Footnote

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.

* AWS Firewall Manager is incorrect. AWS Firewall Manager is a security management service which allows you to centrally configure and manage firewall rules across your accounts and does not protect from DDoS attacks.
* Amazon GuardDuty is incorrect. Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. It does not protect you from DDoS attacks.
* Amazon Inspector is incorrect also, as Inspector is a fully managed vulnerability assessment tool and does not protect from DDoS attacks.

**Reference:** [AWS Shield](https://aws.amazon.com/shield/)

Save time with our [AWS cheat sheets](https://digitalcloud.training/aws-security-services/).
45
When storing passwords on AWS, what is the MOST secure method?

1. Store passwords in an Amazon S3 bucket.
2. Store passwords as AWS CloudFormation parameters.
3. Store passwords in AWS Storage Gateway.
4. Store passwords in AWS Secrets Manager.

**4.** Store passwords in AWS Secrets Manager.

## Footnote

AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text.

* Store passwords in an Amazon S3 bucket is incorrect. Although you can encrypt information within your S3 bucket, it is not as secure as using AWS Secrets Manager.
* Store passwords as AWS CloudFormation parameters is incorrect. Although you can store parameters, it is not the safest and most secure way of storing passwords and doesn’t have the added functionality that AWS Secrets Manager does.
* Store passwords in AWS Storage Gateway is incorrect. Storage Gateway is a hybrid storage service which is not suitable for storing passwords.

**Reference:** [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/)

Save time with our [AWS cheat sheets](https://digitalcloud.training/aws-security-services/).
46
Which AWS service helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards?

1. AWS Config
2. AWS Trusted Advisor
3. AWS Artifact
4. AWS Audit Manager

**4.** AWS Audit Manager

## Footnote

AWS Audit Manager is the correct choice because it assists organizations in continuously auditing their AWS usage, facilitating risk assessment and compliance with various regulations and industry standards. It automates evidence collection to make the audit process more efficient and effective.

* AWS Config is incorrect because, although it does help in evaluating and auditing configurations of AWS resources, it primarily focuses on resource inventory and change management, not specifically on aiding with risk and compliance assessments through continuous auditing.
* AWS Trusted Advisor is incorrect because it provides best practice recommendations to help you follow AWS architectural guidance, but it doesn't offer features specifically designed to continuously audit AWS usage in terms of risk and compliance with regulatory standards.
* AWS Artifact is incorrect as it is more about providing on-demand access to AWS' security and compliance reports and select online agreements, rather than helping in the continuous auditing of AWS usage considering risk and compliance assessments.

**Reference:** [AWS Audit Manager](https://aws.amazon.com/audit-manager/)
47
What is the name of the online, self-service portal that AWS provides to enable customers to view reports, such as PCI reports, and accept agreements?

1. AWS Compliance Portal
2. AWS Documentation Portal
3. AWS Artifact
4. AWS DocuFact

**3.** AWS Artifact

## Footnote

AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).

* AWS Compliance Portal is incorrect as this is not a real service.
* AWS Documentation Portal is incorrect as this is not a real service.
* AWS DocuFact is incorrect as this is not a real service.

**Reference:** [AWS Artifact](https://aws.amazon.com/artifact/)

Save time with our [AWS cheat sheets](https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/additional-aws-services-tools/).
48
What are two correct statements about AWS Organizations with consolidated billing? (Select TWO.)

1. Multiple bills are provided per organization
2. One bill provided for multiple accounts
3. Linked accounts lose their management independence
4. Volume pricing discounts applied across multiple accounts
5. CloudTrail can be configured per organization

**2.** One bill provided for multiple accounts
**4.** Volume pricing discounts applied across multiple accounts

## Footnote

With AWS Organizations you create a paying account and linked accounts. One bill is provided for multiple accounts within an organization. Volume pricing discounts can be applied across resources in multiple accounts.

* Multiple bills are provided per organization is incorrect, as one bill is provided for multiple accounts within an organization.
* Linked accounts lose their management independence is incorrect. Linked accounts can still be managed independently.
* CloudTrail can be configured per organization is incorrect. CloudTrail is on a per-account and per-region basis but can be aggregated into a single bucket in the paying account.

**Reference:** [AWS Organizations](https://aws.amazon.com/organizations/)

Save time with our [AWS cheat sheets](https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/aws-billing-and-pricing/).
49
Which AWS IAM best practice recommends applying the minimum permissions necessary to perform a task when creating IAM policies?

1. Create individual IAM users
2. Use roles to delegate permissions
3. Grant least privilege
4. Enable MFA for privileged users

**3.** Grant least privilege

## Footnote

When you create IAM policies, follow the standard security advice of granting least privilege, that is, granting only the permissions required to perform a task. Determine what users need to do and then craft policies for them that let the users perform only those tasks. The other answers are all valid best practices but are not related to applying minimum permissions to IAM policies.

**Reference:** [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege)

Save time with our [AWS cheat sheets](https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/identity-and-access-management/).
50
What are the benefits of using IAM roles for applications that run on EC2 instances? (Select TWO.)

1. Easier to configure than storing access keys within the EC2 instance
2. More secure than storing access keys within applications
3. Can apply multiple roles to a single instance
4. It is easier to manage IAM roles
5. Role credentials are permanent

**2.** More secure than storing access keys within applications
**4.** It is easier to manage IAM roles

## Footnote

Using IAM roles instead of storing credentials within EC2 instances is more secure. It is also easier to manage roles.

* Easier to configure than storing access keys within the EC2 instance is incorrect. It is not easier to configure, as there are extra steps that need to be completed.
* Can apply multiple roles to a single instance is incorrect. You cannot apply multiple roles to a single instance.
* Role credentials are permanent is incorrect. Role credentials are temporary, not permanent, and are rotated automatically.

**Reference:** [Use an IAM role to grant permissions to applications running on Amazon EC2 instances](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html)

Save time with our [AWS cheat sheets](https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/identity-and-access-management/).