🃏 Security & Compliance Flashcards

Test your knowledge of DevSecOps, IAM automation, Config rules, Security Hub, and compliance-as-code.


All Security & Compliance Flashcards

1

Q: What is a Config conformance pack?

A: A collection of Config rules and remediation actions deployed as a single entity. Aligns with compliance frameworks (CIS, PCI DSS, HIPAA).

2

Q: How does Security Hub aggregate findings?

A: It collects findings from GuardDuty, Inspector, Config, Macie, Firewall Manager, and third-party tools, and normalizes them to the AWS Security Finding Format (ASFF) for a unified view.

3

Q: What is the difference between an SCP and an IAM policy?

A: An SCP (Service Control Policy) sets the maximum permissions for an OU or account in Organizations; an IAM policy grants the actual permissions. Effective permissions are the intersection of the two.

4

Q: How do you automate secret rotation?

A: Secrets Manager triggers a Lambda function on a schedule. The Lambda function creates new credentials, tests them, and promotes them to the AWSCURRENT label. RDS is supported natively.

5

Q: What is IAM Access Analyzer?

A: It identifies resources shared with external entities (S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues) and generates findings for unintended access.

6

Q: How does Config auto-remediation work?

A: A Config rule detects non-compliance and triggers an SSM Automation document as the remediation action. Remediation can run automatically or require manual approval.

7

Q: What is a permission boundary?

A: A managed policy that sets the maximum permissions an IAM entity can have. DevOps teams can create roles freely as long as they stay within the boundary set by the security team.

8

Q: What is GuardDuty?

A: A threat detection service that analyzes VPC Flow Logs, DNS logs, CloudTrail events, S3 data events, and EKS audit logs for suspicious activity.

9

Q: How do you enforce encryption at rest across accounts?

A: Use SCPs to deny actions whose requests lack the required encryption conditions. Use Config rules to detect unencrypted resources, then auto-remediate or alert.

10

Q: What is CloudTrail Lake?

A: A managed data lake for CloudTrail events with SQL-based querying across accounts and regions and 7-year retention. It removes the need for custom S3 + Athena pipelines.
