Question
What is the difference between preventive and detective controls?
Answer
Preventive: stop actions before they happen (SCPs, permission boundaries). Detective: identify violations after they occur (Config rules, Security Hub). Use both for defense-in-depth.
All Governance & Compliance Flashcards
Q: What are common SCP deny patterns?
A: Deny leaving organization, deny disabling CloudTrail/GuardDuty/Config, deny access to unused regions, deny root user actions, enforce S3 encryption.
Q: What is a Control Tower guardrail?
A: A governance rule implemented as either an SCP (preventive) or a Config rule (detective). Applied at the OU level. Mandatory, strongly recommended, or elective.
Q: What is a Config aggregator?
A: Collects Config data from multiple accounts/regions into a single account. Provides organization-wide compliance dashboard without deploying rules per account.
Q: What are the Firewall Manager prerequisites?
A: Requires AWS Organizations with all features enabled, a Firewall Manager administrator account, and Config enabled in all managed accounts.
Q: How do you enforce MFA for specific operations?
A: IAM policy condition: aws:MultiFactorAuthPresent = true. Or deny if NOT MFA-authenticated. Common for S3 delete, IAM changes, and billing.
Q: What is Audit Manager?
A: Automates evidence collection for compliance audits (SOC 2, PCI, HIPAA). Maps AWS usage data to compliance framework controls automatically.
Q: What is the delegated administrator pattern?
A: The management account delegates service administration (GuardDuty, Security Hub, etc.) to a security account. Avoids overusing the management account.
Q: How do you enforce encryption everywhere?
A: SCPs deny unencrypted actions, Config rules detect unencrypted resources, default encryption on services (S3, EBS, RDS), and auto-remediation for violations.
Q: What is Service Catalog for security?
A: Pre-approved CloudFormation templates (products) that teams can launch. Ensures resources meet security baselines. Constraint: launch role, tag, notification.