AWS Security

63 cards — 🟢 18 easy | 🟡 25 medium | 🔴 14 hard

🟢 Easy (18)

1. What is AWS ACM (Certificate Manager) and how does it manage TLS certificates?

Amazon definition: "AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources."

Learn more [here](https://aws.amazon.com/certificate-manager)

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

2. What is AWS Key Management Service (KMS)?

AWS definition: "KMS makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications."
More on KMS [here](https://aws.amazon.com/kms)

Remember: KMS = Key Management Service. Manages encryption keys for S3, EBS, RDS, etc. Envelope encryption: KMS key encrypts a data key, data key encrypts your data.

3. What is AWS IAM and how does it manage access to AWS resources?

AWS Identity and Access Management (IAM) is the service for managing access to AWS resources. It allows you to create users, groups, and roles, and define permissions through policies to securely control who can do what on which resources.

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

4. What is AWS Service Catalog?

Amazon definition: "AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS."

Learn more [here](https://aws.amazon.com/servicecatalog)

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

5. What is AWS CloudHSM?

Amazon definition: "AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud."

Learn more [here](https://aws.amazon.com/cloudhsm)

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

6. What is AWS Artifact?

AWS definition: "AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements."

Read more about it [here](https://aws.amazon.com/artifact)

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

7. What is "AWS Organizations"?

AWS definition: "AWS Organizations helps you centrally govern your environment as you grow and scale your workloads on AWS."

Read more on Organizations [here](https://aws.amazon.com/organizations)

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

8. What is Amazon Cloud Directory?

Amazon definition: "Amazon Cloud Directory is a highly available multi-tenant directory-based store in AWS. These directories scale automatically to hundreds of millions of objects as needed for applications."

Learn more [here](https://docs.aws.amazon.com/clouddirectory/latest/developerguide/what_is_cloud_directory.html)

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

9. What is the AWS Cloud Adoption Framework (CAF)?

Amazon definition: "AWS Professional Services created the AWS Cloud Adoption Framework (AWS CAF) to help organizations design and travel an accelerated path to successful cloud adoption."

Learn more [here](https://aws.amazon.com/professional-services/CAF)

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

10. What is AWS CloudTrail?

AWS definition: "AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account."

Read more on CloudTrail [here](https://aws.amazon.com/cloudtrail)

Remember: CloudTrail logs all AWS API calls — the 'security camera' for your AWS account. Enable in all regions, send to a centralized S3 bucket with Object Lock for tamper resistance.

11. What is AWS Acceptable Use Policy?

It describes prohibited uses of the web services offered by AWS.
More on AWS Acceptable Use Policy [here](https://aws.amazon.com/aup)

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

12. What is AWS Shield and how does it protect against DDoS attacks?

AWS definition: "AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS."

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

13. What is IAM? What are some of its features?

In short, it's used for managing users, groups, access policies, and roles.
Full explanation can be found [here](https://aws.amazon.com/iam)

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

14. What is the shared responsibility model? What is AWS responsible for, and what is the user responsible for, under the shared responsibility model?

The shared responsibility model defines what the customer is responsible for and what AWS is responsible for.

More on the shared responsibility model [here](https://aws.amazon.com/compliance/shared-responsibility-model)

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

15. What is Amazon Cognito?

Amazon definition: "Amazon Cognito handles user authentication and authorization for your web and mobile apps."

Learn more [here](https://docs.aws.amazon.com/cognito/index.html)

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

16. What is "IAM"?

Identity and Access Management, used to control access to resources.

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

17. What is AWS Config and how does it track resource compliance?

Amazon definition: "AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources."

Learn more [here](https://aws.amazon.com/config)

Remember: AWS Config continuously evaluates resource configurations against rules. Detects drift and non-compliance. Use conformance packs for frameworks like CIS, PCI-DSS.

18. What is AWS Inspector?

AWS definition: "Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices."

Learn more [here](https://aws.amazon.com/inspector)

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

🟡 Medium (25)

1. What security tools does AWS IAM provide?

* IAM Credentials Report: lists all the account users and the status of their credentials
* IAM Access Advisor: shows the service permissions granted to a user and information on when they last accessed these services

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

2. Which service would you use to centrally manage billing, access control, compliance, and security across multiple AWS accounts?

AWS Organizations

Remember: AWS security services layered defense: IAM (identity), VPC/SG (network), KMS (encryption), GuardDuty (threat detection), CloudTrail (audit), Config (compliance).

Gotcha: the root account is the most powerful and most dangerous. Enable MFA, create an admin IAM user, and lock away root credentials.

3. What would you use to check why certain EC2 instances were terminated?

AWS CloudTrail — it logs every API call made in your account (who, what, when, from where), so you can audit actions like instance terminations, identify the IAM principal responsible, and feed events into SIEM or alerting tools.

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

4. Which service would you use to monitor malicious activity and unauthorized behavior in your AWS accounts and workloads?

Amazon GuardDuty

Remember: AWS security services layered defense: IAM (identity), VPC/SG (network), KMS (encryption), GuardDuty (threat detection), CloudTrail (audit), Config (compliance).

Gotcha: the root account is the most powerful and most dangerous. Enable MFA, create an admin IAM user, and lock away root credentials.

5. Which service would you use to perform a security assessment?

AWS Inspector — an automated vulnerability management service that continuously scans EC2 instances, container images, and Lambda functions for software vulnerabilities and unintended network exposure, producing prioritized findings.

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

6. What are the components of IAM?

* Users: Individuals needing access to AWS.
* Groups: Collections of users with the same permissions.
* Roles: Define a set of permissions for making AWS service requests.
* Policies: Define permissions and attach them to users, groups, or roles.

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

7. What is AWS IAM? Explain IAM Roles and Policies.

* IAM (Identity and Access Management): It's used to control access to AWS services and resources.
* IAM Roles: Define a set of permissions for making AWS service requests. They're used to grant specific permissions to entities that you trust.
* IAM Policies: These are documents that define permissions. They specify what actions are allowed or denied and on what resources.

Remember: roles = temporary credentials via STS AssumeRole. Use for EC2 instances, Lambda, cross-account access. No long-lived access keys.

8. Which service would you use for web application protection?

AWS WAF (Web Application Firewall). It filters HTTP/S traffic at the edge using rules for SQL injection, XSS, rate limiting, and IP reputation — attached to ALB, CloudFront, or API Gateway.

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

9. What permissions does a new user have?

Only login access.

Remember: AWS security services layered defense: IAM (identity), VPC/SG (network), KMS (encryption), GuardDuty (threat detection), CloudTrail (audit), Config (compliance).

Gotcha: the root account is the most powerful and most dangerous. Enable MFA, create an admin IAM user, and lock away root credentials.

10. What do the statements of an AWS IAM policy consist of?

* Sid: identifier of the statement (optional)
* Effect: allow or deny access
* Action: list of actions (to deny or allow)
* Resource: a list of resources to which the actions are applied
* Principal: role or account or user to which to apply the policy
* Condition: conditions to determine when the policy is applied (optional)

Gotcha: security group rules are additive (allow-only). To deny specific traffic, use NACLs at the subnet level. This distinction trips up many AWS newcomers.

11. True or False? A DDoS attack is an example of an allowed penetration testing activity

False. DDoS attacks are explicitly prohibited, even in penetration testing. AWS allows authorized pen testing on specific services (EC2, RDS, Lambda, etc.) but never DDoS.

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

12. True or False? An AWS access key is a type of MFA device used to protect AWS resources

False. A security key is an example of an MFA device.

Remember: MFA = something you know (password) + something you have (device). Enable on root account first, then all IAM users with console access.

13. True or False? When creating an AWS account, a root account is created by default. This is the recommended account to use and share in your organization

False. Instead of using the root account, you should create users and use them.

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

14. What's an OU in regards to AWS Organizations?

An OU (Organizational Unit) is a way to group multiple accounts together so you can treat them as a single unit.

By default there is the "Root" OU created in AWS Organizations.

Most of the time OUs are based on function or on a common set of controls.

Gotcha: security group rules are additive (allow-only). To deny specific traffic, use NACLs at the subnet level. This distinction trips up many AWS newcomers.

15. Which tool would you use to optimize a user's permissions by identifying which services they rarely (or never) access?

IAM Access Advisor

Remember: AWS security services layered defense: IAM (identity), VPC/SG (network), KMS (encryption), GuardDuty (threat detection), CloudTrail (audit), Config (compliance).

Gotcha: the root account is the most powerful and most dangerous. Enable MFA, create an admin IAM user, and lock away root credentials.

16. True or False? Users in AWS IAM can belong only to a single group

False. Users can belong to multiple groups.

Remember: AWS security services layered defense: IAM (identity), VPC/SG (network), KMS (encryption), GuardDuty (threat detection), CloudTrail (audit), Config (compliance).

Gotcha: the root account is the most powerful and most dangerous. Enable MFA, create an admin IAM user, and lock away root credentials.

17. True or False? EC2 is a regional service

True. As opposed to IAM for example, which is a global service, EC2 is a regional service.

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

18. Using which service can you add user sign-up, sign-in, and access control to mobile and web apps?

Amazon Cognito. It provides user pools (sign-up/sign-in, MFA, password policies) and identity pools (federated access to AWS resources via temporary credentials).

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

19. Which service would you use to add access control (or sign-up, sign-in forms) to your web/mobile apps?

Amazon Cognito — a managed identity service that provides sign-up, sign-in, and access control for web and mobile apps. It supports social identity providers, SAML/OIDC federation, and built-in MFA.

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

20. For what use cases are EC2 Dedicated Hosts useful?

* Compliance needs
* When the software license is complex (Bring Your Own License) and doesn't support cloud or multi-tenant environments
* Regulatory requirements

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

21. What considerations should you take into account when choosing an AWS region for running a new application?

* Service availability: not all services (and all of their features) are available in every region
* Reduced latency: deploy the application in a region that is close to customers
* Compliance: some countries have stricter rules and requirements, such as making sure the data stays within the borders of the country or the region. In that case, only specific regions can be used for running the application
* Pricing: the pricing might not be consistent across regions, so the price for the same service in different regions might be different.

22. True or False? If a user in AWS is using a password for authentication, they don't need to enable MFA

False(!). MFA is a great additional security layer to use for authentication.

Remember: MFA = something you know (password) + something you have (device). Enable on root account first, then all IAM users with console access.

23. What are policies in Kubernetes/OPA and how do they enforce governance?

Policies are documents used to grant permissions that define what a user, group, or role is able to do. Their format is JSON.

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

24. Which service would you use if you need managed DDoS protection?

AWS Shield. Standard tier is free and protects against common L3/L4 DDoS. Advanced ($3k/mo) adds 24/7 DDoS Response Team, cost protection, and enhanced detection for L7.

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

25. What types of autoscaling policies are there in AWS?

* *Target Tracking*: Scales based on predefined metrics to maintain a target value.
* *Step Scaling*: Scales based on configured steps with different scaling adjustments.
* *Simple/Manual Scaling*: Allows fixed scaling actions manually.

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

🔴 Hard (14)

1. What are Service Control Policies, and to which service do they belong?

They belong to AWS Organizations. Amazon's definition: "SCPs offer central control over the maximum available permissions for all accounts in your organization, allowing you to ensure your accounts stay within your organization’s access control guidelines."

Learn more [here](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html)

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

2. What is a trust relationship in the context of IAM?

A trust relationship is like a handshake between different identities (services or users) in your office. It defines which accounts or services are allowed to assume a particular IAM role.

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

3. What is AWS Inspector? How does it work?

Inspector is like a security guard that checks for any weaknesses or problems in your office building's security system. It looks for possible entry points for intruders and suggests ways to strengthen security. In AWS terms, it's a service that identifies security vulnerabilities within AWS resources.

Gotcha: security group rules are additive (allow-only). To deny specific traffic, use NACLs at the subnet level. This distinction trips up many AWS newcomers.

4. How does AWS KMS (Key Management Service) work?

AWS KMS: It's a service for managing cryptographic keys. It uses Hardware Security Modules (HSM) to protect your keys and offers secure key creation, storage, and management.

Remember: KMS = Key Management Service. Manages encryption keys for S3, EBS, RDS, etc. Envelope encryption: KMS key encrypts a data key, data key encrypts your data.

5. What is the AWS Well-Architected Framework and its importance?

The AWS Well-Architected Framework provides best practices across six pillars:

1. **Operational Excellence**: Automate changes, respond to events, define standards
2. **Security**: Protect data, systems, and assets. IAM, encryption, detection
3. **Reliability**: Recover from failures, meet demand. Multi-AZ, auto-scaling
4. **Performance Efficiency**: Use resources efficiently. Right-size, monitor
5. **Cost Optimization**: Avoid unnecessary costs. Reserved instances, right-sizing
6. **Sustainability**: Minimize environmental impact

Use the Well-Architected Tool in AWS Console to review workloads against these pillars.

Gotcha: security group rules are additive (allow-only). To deny specific traffic, use NACLs at the subnet level. This distinction trips up many AWS newcomers.

6. How to secure instances in AWS?

* Instance IAM roles should have the minimal permissions needed. You don't want an instance-level incident to become an account-level incident
* Use "AWS Systems Manager Session Manager" instead of SSH
* Use the latest OS images with your instances

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

7. Explain "Shared Controls" with regard to the shared responsibility model

AWS definition: "apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services"

Learn more about it [here](https://aws.amazon.com/compliance/shared-responsibility-model)

Gotcha: security group rules are additive (allow-only). To deny specific traffic, use NACLs at the subnet level. This distinction trips up many AWS newcomers.

8. Explain the AWS Secrets Manager and its role in security.

Secrets Manager: It's a service for managing sensitive information such as passwords, API keys, and other secrets.
Security Role: It helps protect sensitive data by controlling access and enabling rotation of secrets for enhanced security.

Remember: Secrets Manager = automatic secret rotation + retrieval via API. Supports RDS credentials, API keys, and custom secrets. Costs $0.40/secret/month.

9. What are some best practices regarding IAM in AWS?

* Delete root account access keys and don't use the root account regularly
* Create an IAM user for every physical user. Don't share users.
* Apply the "least privilege principle": give users only the permissions they need, nothing more than that.
* Set up MFA and consider enforcing its use
* Make use of groups to assign permissions (user -> group -> permissions)

Gotcha: security group rules are additive (allow-only). To deny specific traffic, use NACLs at the subnet level. This distinction trips up many AWS newcomers.

10. What is AWS Control Tower?

Think of Control Tower as the manager of all your office buildings (AWS accounts). It helps set up and govern multiple accounts following security best practices and compliance requirements. It's a service that sets up and governs a secure, multi-account AWS environment.

Gotcha: security group rules are additive (allow-only). To deny specific traffic, use NACLs at the subnet level. This distinction trips up many AWS newcomers.

11. How does AssumeRole work?

AssumeRole is when one identity temporarily wears another identity’s hat to access specific resources, with permission. It's used to temporarily grant permissions to an IAM user, role, or AWS service.

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.

12. Explain AWS CloudTrail and its role in AWS security.

CloudTrail: It's a service for logging and monitoring AWS API calls for auditing and security analysis.
Role in Security: CloudTrail provides a record of actions taken by a user, role, or an AWS service for security and compliance needs.

Remember: CloudTrail logs all AWS API calls — the 'security camera' for your AWS account. Enable in all regions, send to a centralized S3 bucket with Object Lock for tamper resistance.

13. What is Security Hub? How does it work?

Security Hub is like a supervisor overseeing security measures across your office buildings (AWS accounts). It collects and prioritizes security findings to help you manage and improve security. It provides a comprehensive view of the security state of AWS resources. Notably, when you enable Amazon Inspector, it sends its findings to Security Hub automatically.

Gotcha: security group rules are additive (allow-only). To deny specific traffic, use NACLs at the subnet level. This distinction trips up many AWS newcomers.

14. You try to run EC2 commands in an EC2 instance you've just created but it fails due to missing credentials. What would you do?

DO NOT configure AWS credentials on the instance (this means anyone else in your account would be able to use and see your credentials).
The best practice is to attach an IAM role with sufficient permissions (like `IAMReadOnlyAccess`).

Remember: AWS follows the shared responsibility model: AWS secures the infrastructure; you secure your configurations, data, and access policies.