AWS Certified Security Specialist Podcast

# AWS Security - Domain 5 - 50X - QUESTIONS AND ANSWERS
 
## Domain 5: Data Protection

### Task Statement 5.1: Design and implement controls that provide confidentiality and integrity for data in transit.

**Knowledge of:**
- 5.1.1 TLS concepts
- 5.1.2 VPN concepts (for example, IPsec)
- 5.1.3 Secure remote access methods (for example, SSH, RDP over Systems Manager Session Manager)
- 5.1.4 Systems Manager Session Manager concepts
- 5.1.5 How TLS certificates work with various network services and resources (for example, CloudFront, load balancers)

**Skills in:**
- 5.1.6 Designing secure connectivity between AWS and on-premises networks (for example, by using Direct Connect and VPN gateways)
- 5.1.7 Designing mechanisms to require encryption when connecting to resources (for example, Amazon RDS, Amazon Redshift, CloudFront, Amazon S3, Amazon DynamoDB, load balancers, Amazon Elastic File System [Amazon EFS], Amazon API Gateway)
- 5.1.8 Requiring TLS for AWS API calls (for example, with Amazon S3)
- 5.1.9 Designing mechanisms to forward traffic over secure connections (for example, by using Systems Manager and EC2 Instance Connect)
- 5.1.10 Designing cross-Region networking by using private VIFs and public VIFs

### Task Statement 5.2: Design and implement controls that provide confidentiality and integrity for data at rest.

**Knowledge of:**
- 5.2.1 Encryption technique selection (for example, client-side, server-side, symmetric, asymmetric)
- 5.2.2 Integrity-checking techniques (for example, hashing algorithms, digital signatures)
- 5.2.3 Resource policies (for example, for DynamoDB, Amazon S3, and AWS Key Management Service [AWS KMS])
- 5.2.4 IAM roles and policies

**Skills in:**
- 5.2.5 Designing resource policies to restrict access to authorized users (for example, S3 bucket policies, DynamoDB policies)
- 5.2.6 Designing mechanisms to prevent unauthorized public access (for example, S3 Block Public Access, prevention of public snapshots and public AMIs)
- 5.2.7 Configuring services to activate encryption of data at rest (for example, Amazon S3, Amazon RDS, DynamoDB, Amazon Simple Queue Service [Amazon SQS], Amazon EBS, Amazon EFS)
- 5.2.8 Designing mechanisms to protect data integrity by preventing modifications (for example, by using S3 Object Lock, KMS key policies, S3 Glacier Vault Lock, and AWS Backup Vault Lock)
- 5.2.9 Designing encryption at rest by using AWS CloudHSM for relational databases (for example, Amazon RDS, RDS Custom, databases on EC2 instances)
- 5.2.10 Choosing encryption techniques based on business requirements

### Task Statement 5.3: Design and implement controls to manage the lifecycle of data at rest.

**Knowledge of:**
- 5.3.1 Lifecycle policies
- 5.3.2 Data retention standards

**Skills in:**
- 5.3.3 Designing S3 Lifecycle mechanisms to retain data for required retention periods (for example, S3 Object Lock, S3 Glacier Vault Lock, S3 Lifecycle policy)
- 5.3.4 Designing automatic lifecycle management for AWS services and resources (for example, Amazon S3, EBS volume snapshots, RDS volume snapshots, AMIs, container images, CloudWatch log groups, Amazon Data Lifecycle Manager)
- 5.3.5 Establishing schedules and retention for AWS Backup across AWS services

### Task Statement 5.4: Design and implement controls to protect credentials, secrets, and cryptographic key materials.

**Knowledge of:**
- 5.4.1 Secrets Manager
- 5.4.2 Systems Manager Parameter Store
- 5.4.3 Usage and management of symmetric keys and asymmetric keys (for example, AWS KMS)

**Skills in:**
- 5.4.4 Designing management and rotation of secrets for workloads (for example, database access credentials, API keys, IAM access keys, AWS KMS customer managed keys)
- 5.4.5 Designing KMS key policies to limit key usage to authorized users
- 5.4.6 Establishing mechanisms to import and remove customer-provided key material

AWS Certified Security Specialist Podcast, by Brian Byrne