
Take the AWS Security Entry Points Knowledge Test

Evaluate Cloud Entry Points and Access Controls

Difficulty: Moderate
Questions: 20

Dive into this AWS security quiz to test your understanding of critical entry points in AWS environments. Designed for cloud architects, security engineers, and students, this AWS Security Entry Points Knowledge Test will sharpen your skills in identifying and securing access paths. You'll gain practical insights you can customise in our editor to tailor learning experiences. For broader cloud security practice, explore the AWS Fundamental Services Knowledge Test or challenge yourself with the AWS Compute Knowledge Test. Don't miss the other Security Awareness Quizzes, and browse more quizzes.

  1. Which AWS interface provides a web-based console to manage AWS resources?
     - AWS Management Console
     - AWS CLI
     - AWS SDK
     - AWS CloudTrail
     The AWS Management Console is the web-based interface used to manage AWS resources. The CLI and SDK provide programmatic access, while CloudTrail is used for logging API calls, not for resource management.

  2. Which AWS service records API calls and delivers log files for auditing?
     - AWS CloudTrail
     - Amazon CloudWatch
     - AWS Config
     - AWS IAM
     AWS CloudTrail records and stores API call history for your AWS account, providing an audit trail. CloudWatch collects metrics and logs, AWS Config tracks resource configurations, and IAM manages identities and permissions.

  3. What network component controls inbound and outbound traffic at the instance level?
     - Security group
     - Network ACL
     - Route table
     - Internet Gateway
     Security groups act as virtual firewalls for EC2 instances, controlling both inbound and outbound traffic at the instance level. Network ACLs operate at the subnet level, while route tables and internet gateways perform routing functions.

  4. Which AWS interface allows you to manage services through command-line scripts?
     - AWS CLI
     - AWS Management Console
     - AWS SDK
     - AWS Systems Manager
     The AWS CLI (Command Line Interface) provides a command-line environment for managing AWS services via scripts. The console is web-based, the SDK is for code integration, and Systems Manager handles operations tasks.

  5. What is the default inbound rule for a newly created security group?
     - Deny all inbound traffic
     - Allow all inbound traffic
     - Allow only SSH from anywhere
     - Deny all outbound traffic
     By default, security groups deny all inbound traffic until you add explicit allow rules. Outbound traffic is allowed by default, but inbound connections must be explicitly permitted.

  6. Which AWS entry point can be targeted by SSRF attacks to obtain temporary credentials?
     - EC2 instance metadata service
     - S3 pre-signed URLs
     - VPC endpoint
     - AWS Directory Service
     The EC2 instance metadata service can be reached via HTTP calls from within an instance, and SSRF vulnerabilities can exploit it to retrieve temporary IAM credentials. S3 pre-signed URLs and VPC endpoints serve different purposes.

  7. To ensure that S3 traffic remains within the AWS network, which feature should you use?
     - Gateway VPC endpoint
     - NAT Gateway
     - Internet Gateway
     - VPC peering
     A gateway VPC endpoint for S3 directs traffic to S3 over the AWS network without using the internet. NAT Gateways and Internet Gateways route through public endpoints, while VPC peering is for private inter-VPC communication.

  8. To restrict inbound HTTP traffic at the subnet level, which network ACL configuration is appropriate?
     - Add a deny rule for port 80 from 0.0.0.0/0
     - Modify the subnet's route table
     - Enable AWS WAF
     - Change the security group associated with the subnet
     Network ACLs operate at the subnet level and can explicitly deny port 80 traffic from any source by adding a deny rule. Route tables handle routing, WAF is for application layer filtering, and security groups apply at the instance level.

  9. Which AWS service allows you to centrally inspect and filter VPC traffic at scale?
     - AWS Network Firewall
     - AWS WAF
     - AWS Shield
     - Amazon GuardDuty
     AWS Network Firewall is a managed service that provides stateful, rule-based inspection of VPC traffic at scale. AWS WAF is focused on web application layer traffic, Shield is for DDoS protection, and GuardDuty is for threat detection.

  10. What does the principle of least privilege recommend?
     - Grant only necessary permissions
     - Grant all permissions to admins
     - Deny all permissions by default
     - Use the root account for routine tasks
     The principle of least privilege advises granting users and roles only the permissions they need to perform their tasks. This minimizes the potential blast radius of compromised credentials.

  11. Which service provides detailed IP-level traffic logs for network interfaces?
     - VPC Flow Logs
     - CloudWatch Logs
     - AWS Config
     - AWS X-Ray
     VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC. CloudWatch Logs is a general-purpose logging service, AWS Config records resource state changes, and X-Ray traces application requests.

  12. In an IAM policy, which Effect value explicitly prevents an action?
     - Deny
     - Allow
     - NotApplicable
     - Audit
     The 'Deny' effect in an IAM policy explicitly prevents the specified actions. 'Allow' permits actions, while NotApplicable and Audit are not valid effect values in IAM policy statements.

  13. How can you ensure AWS Config tracks changes to security groups?
     - Enable AWS Config for EC2 Security Group resource type
     - Use CloudWatch Alarms on security groups
     - Enable VPC Flow Logs
     - Turn on CloudTrail for security group events
     AWS Config tracks configuration changes for supported resource types when you enable it for those resources, including EC2 Security Groups. CloudWatch Alarms monitor metrics, VPC Flow Logs record traffic, and CloudTrail logs API calls but not detailed configuration changes.

  14. Which AWS service analyzes CloudTrail events to detect unauthorized access attempts?
     - Amazon GuardDuty
     - AWS Inspector
     - AWS Security Hub
     - Amazon Macie
     Amazon GuardDuty continuously monitors CloudTrail event logs (among other data sources) to detect suspicious or unauthorized activity. Inspector assesses resource vulnerabilities, Security Hub aggregates findings, and Macie focuses on data privacy.

  15. How do you enforce HTTPS-only traffic on an Application Load Balancer?
     - Configure an HTTPS listener on port 443
     - Use an HTTP listener on port 80
     - Enable sticky sessions
     - Enable connection draining
     An HTTPS listener on port 443 with the appropriate SSL/TLS certificate ensures the ALB only accepts encrypted connections. HTTP listeners on port 80 allow unencrypted traffic, and sticky sessions or connection draining do not enforce encryption.

  16. What is an effective method to mitigate SSRF attacks on the EC2 metadata service?
     - Require IMDSv2 session tokens
     - Disable the metadata service entirely
     - Use the instance public IP
     - Route traffic through a NAT Gateway
     IMDSv2 requires session tokens that must be retrieved via a PUT request before accessing metadata, mitigating SSRF exploitation. Disabling the service entirely is impractical for many workloads, and NAT routing does not prevent SSRF.

  17. In AWS Organizations, which mechanism allows imposing entry point restrictions across all member accounts?
     - Service Control Policies
     - IAM inline policies
     - Resource-based policies
     - AWS CloudFormation StackSets
     Service Control Policies (SCPs) in AWS Organizations apply centrally and can restrict or deny actions across member accounts. IAM inline and resource-based policies operate at the account or resource level, and StackSets deploy infrastructure, not enforce permissions.

  18. For deep packet inspection of both ingress and egress traffic in a VPC, which AWS service should you deploy?
     - AWS Network Firewall
     - AWS WAF
     - Security group
     - VPC Flow Logs
     AWS Network Firewall performs stateful, deep packet inspection on both inbound and outbound traffic at the VPC level. AWS WAF handles HTTP/S at the application layer, security groups are basic firewalls, and VPC Flow Logs only record flow metadata.

  19. In IAM policy evaluation, which statement type overrides all allowed permissions?
     - Explicit Deny
     - Implicit Deny
     - Service Control Policy
     - Resource-based policy
     An explicit Deny in any policy immediately overrides any Allow statements during IAM policy evaluation. Implicit Deny happens when no allow is found and does not actively override allows.

  20. To capture both management and data events for S3 and Lambda in CloudTrail, what must you enable?
     - Data event logging for S3 and Lambda
     - Management events only
     - CloudWatch Logs integration
     - SNS notifications for all events
     CloudTrail data events must be explicitly enabled for services like S3 and Lambda to capture object-level and function-level calls. Management events are recorded by default, but data events require separate configuration.

Learning Outcomes

  1. Identify common AWS service entry points and interfaces.
  2. Evaluate security risks associated with various AWS ingress paths.
  3. Apply best practices for securing network entry points in AWS.
  4. Analyse IAM policies and their impact on access control.
  5. Demonstrate knowledge of AWS ingress and egress configurations.
  6. Master techniques for monitoring and auditing AWS entry points.

Cheat Sheet

  1. Understand the AWS Shared Responsibility Model - Think of AWS as the landlord and you as the tenant: AWS secures the building, while you lock your doors and windows. Grasping this split ensures you know exactly which security chores are on your to-do list.
  2. Implement the Principle of Least Privilege - Only hand out keys to rooms people actually need to enter. By limiting permissions to just what's necessary, you drastically reduce the chance of accidental or malicious mishaps.
  3. Utilize IAM Roles and Policies - Swap long-term credentials for temporary IAM roles to keep things tidy and safe. Craft clear, targeted policies so every user and service has exactly the right access - no more, no less.
  4. Enable Multi-Factor Authentication (MFA) - Add a second lock (like a code from your phone) to your account door. Even if someone guesses your password, they'll still need that extra code to get in - keeping intruders at bay.
  5. Regularly Rotate Access Keys and Passwords - Treat credentials like milk: they expire! Swapping out keys and passwords every 90 days minimizes risks if they ever leak. Don't forget to update any apps that rely on the old keys.
  6. Monitor and Audit AWS Resources - Turn on AWS CloudTrail to keep a running diary of API calls and use AWS Config to snapshot configurations. Spot odd behavior quickly and be the first to respond when things go bump in the cloud.
  7. Encrypt Data in Transit and at Rest - Wrap your data in a cozy blanket of TLS/SSL when it travels and lock it with AWS KMS when it rests. This double-layered approach keeps prying eyes and hands away from your valuable info.
  8. Implement Network Security Measures - Build your own private cloud neighborhood (VPC), then guard the gates with security groups and ACLs. This way, only approved traffic strolls through your virtual streets.
  9. Regularly Patch and Update Systems - Keep your servers and apps on the latest software diet to avoid nasty security bugs. Use AWS's patch management tools to automate updates and stay ahead of threats.
  10. Educate Users on Security Best Practices - Host fun quizzes and share memes about phishing, strong passwords, and suspicious emails. Turning security lessons into engaging activities helps everyone stay sharp and report odd behavior.