Lesson 19

Quiz: Security & Compliance

15 questions covering Shared Responsibility, IAM, Security Services, Compliance, and Governance

Instructions: Click one option per question for immediate feedback. Target: 13/15 (87%). This quiz covers all security and compliance lessons (0023–0028).

Security & Compliance Quiz

Select one answer per question. You will receive immediate feedback.

1. Under the AWS shared responsibility model, who is responsible for patching the guest operating system on an EC2 instance?

AWS — all operating system patching is AWS's responsibility.The customer — guest OS including patches and updates is a customer responsibility.Both — AWS patches the kernel, customer patches applications.Neither — EC2 instances run AWS-managed serverless containers.

2. Which of the following is the responsibility of AWS, NOT the customer?

Encrypting data at rest in Amazon S3Physical security of data centersConfiguring VPC security groupsManaging IAM user permissions

3. An IAM user has Policy A (allow s3:* on all buckets) and Policy B (explicitly deny s3:DeleteBucket on "prod-data" bucket). Can the user delete the "prod-data" bucket?

Yes — Policy A grants s3:* to all buckets, which includes DeleteBucket.No — explicit deny always overrides any allow.It depends on which policy was attached first.Yes — identity-based policies override resource-based policies.

4. What is the recommended best practice for the AWS account root user?

Use the root user daily for all administrative tasks — it has full permissions.Enable MFA, create an admin IAM user, disable/remove root access keys, and lock away root credentials.Create a policy that removes all root user permissions and restrict it to read-only.Share the root password with the IT team so everyone can use it in emergencies.

5. A security administrator needs to track who terminated an EC2 instance, when it happened, and from which IP address. Which service provides this audit trail?

AWS ConfigAWS CloudTrailAmazon CloudWatchAWS Artifact

6. Which AWS service creates and manages encryption keys using HSMs validated under FIPS 140-2?

AWS ShieldAWS KMSAWS WAFAWS Certificate Manager

7. AWS Shield Standard is automatically enabled for all AWS customers. What does it protect against?

SQL injection and cross-site scripting attacksInfrastructure-layer DDoS attacks such as UDP floods and TCP SYN floodsUnauthorized access to S3 bucketsCompromised IAM user credentials

8. A company wants to block HTTP requests containing SQL injection patterns from reaching their web application. Which service should they deploy?

AWS ShieldAWS WAFNetwork ACLsSecurity Groups

9. An organization manages 20 AWS accounts. They need to prevent the Development OU accounts from launching resources in expensive Regions. What should they use?

IAM policies on each account's root userAn SCP attached to the Development OU in AWS OrganizationsAWS Shield AdvancedA bucket policy on the organization's master account

10. A company requires a user directory that allows app users to sign in with their Google or Facebook accounts and also with their corporate Active Directory credentials. Which service provides this?

AWS IAMAWS OrganizationsAmazon CognitoAWS Directory Service

11. An auditor requests proof that AWS infrastructure complies with ISO 27001 standards. Which AWS service should the customer use to provide this documentation?

AWS ConfigAWS CloudTrailAWS ArtifactAWS Trusted Advisor

12. Which AWS service continuously evaluates whether your EBS volumes are encrypted and flags unencrypted volumes as noncompliant against your internal policies?

AWS CloudTrailAWS ConfigAWS ArtifactAWS Trusted Advisor

13. Which feature provides the simplest way to ensure no S3 buckets in an account are publicly accessible, overriding all other policies?

IAM bucket-level policiesNetwork ACLs on the VPCS3 Block Public AccessAWS WAF

14. A company deploys an application behind an Application Load Balancer. They need to provision an SSL/TLS certificate and ensure it renews automatically. Which service handles this?

AWS KMSAWS Certificate ManagerAWS ConfigAWS IAM

15. Which AWS service provides the DDoS Response Team (DRT) for assistance during active DDoS attacks?

AWS Shield Standard — included free for all customersAWS WAF — included with any WAF web ACLAWS Shield Advanced — requires Business or Enterprise SupportAWS Config — DRT is a Config managed rule

Progress: 0/15 correct (0%). Answer all questions to see the final recommendation.

Ask your teacher: Scoring: 13-15/15 (87%+): Move on to Well-Architected Framework. 11-12/15 (73-80%): Review weak areas. 10/15 or below: Revisit lessons 0023-0028 before continuing. Security is 30% of the exam — strong performance here is critical.

Primary Source: AWS Academy Module 4: AWS Cloud Security (module-4.txt), Module 9: Cloud Architecture (module-9.txt) — Trusted Advisor.