
AWS Certified Security Specialist Podcast

AWS Security - Domain 5 - 50X - QUESTIONS AND ANSWERS

27 Oct 2025

Description

# AWS Security - Domain 5 - 50X - QUESTIONS AND ANSWERS

## Domain 5: Data Protection

### Task Statement 5.1: Design and implement controls that provide confidentiality and integrity for data in transit.

**Knowledge of:**

- 5.1.1 TLS concepts
- 5.1.2 VPN concepts (for example, IPsec)
- 5.1.3 Secure remote access methods (for example, SSH, RDP over Systems Manager Session Manager)
- 5.1.4 Systems Manager Session Manager concepts
- 5.1.5 How TLS certificates work with various network services and resources (for example, CloudFront, load balancers)

**Skills in:**

- 5.1.6 Designing secure connectivity between AWS and on-premises networks (for example, by using Direct Connect and VPN gateways)
- 5.1.7 Designing mechanisms to require encryption when connecting to resources (for example, Amazon RDS, Amazon Redshift, CloudFront, Amazon S3, Amazon DynamoDB, load balancers, Amazon Elastic File System [Amazon EFS], Amazon API Gateway)
- 5.1.8 Requiring TLS for AWS API calls (for example, with Amazon S3)
- 5.1.9 Designing mechanisms to forward traffic over secure connections (for example, by using Systems Manager and EC2 Instance Connect)
- 5.1.10 Designing cross-Region networking by using private VIFs and public VIFs

### Task Statement 5.2: Design and implement controls that provide confidentiality and integrity for data at rest.

**Knowledge of:**

- 5.2.1 Encryption technique selection (for example, client-side, server-side, symmetric, asymmetric)
- 5.2.2 Integrity-checking techniques (for example, hashing algorithms, digital signatures)
- 5.2.3 Resource policies (for example, for DynamoDB, Amazon S3, and AWS Key Management Service [AWS KMS])
- 5.2.4 IAM roles and policies

**Skills in:**

- 5.2.5 Designing resource policies to restrict access to authorized users (for example, S3 bucket policies, DynamoDB policies)
- 5.2.6 Designing mechanisms to prevent unauthorized public access (for example, S3 Block Public Access, prevention of public snapshots and public AMIs)
- 5.2.7 Configuring services to activate encryption of data at rest (for example, Amazon S3, Amazon RDS, DynamoDB, Amazon Simple Queue Service [Amazon SQS], Amazon EBS, Amazon EFS)
- 5.2.8 Designing mechanisms to protect data integrity by preventing modifications (for example, by using S3 Object Lock, KMS key policies, S3 Glacier Vault Lock, and AWS Backup Vault Lock)
- 5.2.9 Designing encryption at rest by using AWS CloudHSM for relational databases (for example, Amazon RDS, RDS Custom, databases on EC2 instances)
- 5.2.10 Choosing encryption techniques based on business requirements

### Task Statement 5.3: Design and implement controls to manage the lifecycle of data at rest.

**Knowledge of:**

- 5.3.1 Lifecycle policies
- 5.3.2 Data retention standards

**Skills in:**

- 5.3.3 Designing S3 Lifecycle mechanisms to retain data for required retention periods (for example, S3 Object Lock, S3 Glacier Vault Lock, S3 Lifecycle policy)
- 5.3.4 Designing automatic lifecycle management for AWS services and resources (for example, Amazon S3, EBS volume snapshots, RDS volume snapshots, AMIs, container images, CloudWatch log groups, Amazon Data Lifecycle Manager)
- 5.3.5 Establishing schedules and retention for AWS Backup across AWS services

### Task Statement 5.4: Design and implement controls to protect credentials, secrets, and cryptographic key materials.

**Knowledge of:**

- 5.4.1 Secrets Manager
- 5.4.2 Systems Manager Parameter Store
- 5.4.3 Usage and management of symmetric keys and asymmetric keys (for example, AWS KMS)

**Skills in:**

- 5.4.4 Designing management and rotation of secrets for workloads (for example, database access credentials, API keys, IAM access keys, AWS KMS customer managed keys)
- 5.4.5 Designing KMS key policies to limit key usage to authorized users
- 5.4.6 Establishing mechanisms to import and remove customer-provided key material
