Security, Compliance & Secrets in Automation Flashcards
CompTIA AutoOps+ AT0-001 Flashcards

| Front | Back |
| --- | --- |
| Benefit of short-lived credentials | Reduces the window of compromise and forces frequent reauthorization |
| Define ephemeral credentials | Short-lived credentials issued for a specific task or session |
| Define secret rotation | Regularly replacing secrets to limit exposure time |
| Example policy engine | Open Policy Agent (OPA), which enforces policies written in Rego |
| How to enforce secrets masking | Use redaction in logs and prevent printing secrets in CI output |
| How to handle zero-day vulnerabilities | Apply mitigations, remove exposure, and plan for rapid patching |
| How to maintain audit evidence in automation | Store signed logs and artifacts in tamper-resistant storage |
| How to mitigate supply chain risk | Pin dependencies, verify signatures, and monitor for anomalies |
| How to prove compliance in pipelines | Collect immutable audit logs and generate attestations and reports |
| How to secure secrets in IaC | Avoid hardcoding; use secret references and state encryption |
| Principle of least privilege | Grant only the permissions required for a task |
| Purpose of a KMS | Manage and control cryptographic keys and perform cryptographic operations |
| Purpose of SCA | Scanning dependencies for known vulnerabilities and licenses |
| Risk of secrets in state files | State files can contain plaintext secrets, leading to persistent leaks |
| Role of an HSM | A hardware-backed module that securely stores keys and executes cryptographic operations |
| What are dynamic secrets | Credentials generated on demand with automatic expiration |
| What are signed SBOMs | SBOMs that include cryptographic signatures to prove origin and integrity |
| What is a secret vault | A centralized system for storing and controlling access to secrets |
| What is a security policy-as-code test | A unit test that validates policy logic against sample inputs |
| What is ABAC | Attribute-based access control, which makes decisions using attributes of subjects and resources |
| What is artifact immutability | Once published, artifacts cannot be modified, ensuring reproducible deployment |
| What is artifact signing | Applying a cryptographic signature to an artifact to prove origin and integrity |
| What is attestation enforcement | Blocking deployments unless the required attestations are present in the pipeline |
| What is automated incident response | Using playbooks to trigger containment and remediation steps automatically |
| What is cache poisoning in builds | An attacker manipulates build caches to inject malicious artifacts |
| What is content trust | A mechanism to verify signatures of container images and artifacts |
| What is continuous compliance | Automated checks that ensure systems remain within policy over time |
| What is CVSS | A scoring system for rating the severity of common vulnerabilities and exposures |
| What is CycloneDX | An SBOM standard optimized for security automation and tooling |
| What is dependency tainting | When a vulnerable or malicious dependency infects downstream artifacts |
| What is drift detection | Detecting when deployed infrastructure diverges from the declared configuration |
| What is envelope encryption | Encrypting data with a data key, which is itself encrypted by a master key |
| What is false positive handling for dependency scanning | Validate alerts, triage them, and tune rules to reduce noise |
| What is immutable infrastructure | Deploying new immutable instances instead of modifying running systems |
| What is in-toto | A framework for supply chain integrity using provenance and attestation |
| What is just-in-time access | Granting temporary elevated access on demand with auditing |
| What is a key rotation window | The maximum allowed lifetime before a key must be replaced |
| What is least privilege for service accounts | Grant minimal roles to service accounts and rotate keys frequently |
| What is policy as code | Defining security and compliance rules in executable policy files |
| What is provenance | Metadata describing the origin chain and build context of an artifact |
| What is RBAC | Role-based access control, which grants permissions based on roles |
| What is a reproducible build | A build that produces byte-identical artifacts from the same source |
| What is runtime secrets injection | Providing secrets to workloads at runtime via secure agents or sidecars |
| What is an SBOM | A Software Bill of Materials, listing components and their metadata |
| What is secret scanning | Automated detection of secrets in code repositories and artifacts |
| What is secure build isolation | Running builds in ephemeral sandboxed environments with no persistent access |
| What is SPDX | An SBOM standard that describes components and licenses |
| What is supply chain attestation | Evidence that proves the steps and actors in the build pipeline |
| What is supply chain compromise detection | Monitoring for unexpected changes in dependencies or provenance |
| What is token scope restriction | Limiting token permissions and lifetime to reduce misuse |
| Why avoid secrets in source control | Increases the risk of leakage and persistent exposure |
| Why isolate CI runners | Prevents lateral movement and reduces the blast radius of compromised jobs |
| Why log access to secrets | To allow audit investigation and detect suspicious access patterns |
| Why perform vulnerability triage | Prioritize fixes based on exploitability, impact, and exposure |
| Why require commit signing | Ensures authorship and prevents tampered commits from entering the pipeline |
| Why scan IaC templates | To detect insecure configurations before provisioning infrastructure |
| Why test policies in CI | Prevents regressions and enforces compliance before deployment |
| Why use artifact repositories | Provides provenance control, artifact immutability, and access controls |
| Why use minimal base images | Reduces the attack surface and the number of vulnerable packages |
| Why verify signatures in pipelines | Ensures artifacts are untampered and come from a trusted source |
About the Flashcards
This collection of flashcards helps you master the essential topics for the CompTIA AutoOps+ exam. The deck focuses on core principles of modern application and infrastructure security, enabling you to review key terms, concepts, and best practices. You will find a strong emphasis on software supply chain security, including artifact signing, provenance, and the use of Software Bills of Materials (SBOMs). It also provides a comprehensive overview of secrets management, covering rotation strategies, secret vaults, short-lived credentials, and the importance of avoiding secrets in source control.
Beyond the fundamentals, these flashcards explore advanced concepts that are critical for a secure development lifecycle. This includes implementing Policy as Code (PaC) for automated governance, defining access control with RBAC and ABAC, and applying the principle of least privilege. Other key areas covered are securing Infrastructure as Code (IaC) templates, detecting configuration drift, isolating CI/CD runners, and managing vulnerabilities within your dependencies. This deck is an effective tool for reinforcing your knowledge and preparing for the questions you will encounter on the exam.
Topics covered in this flashcard deck:
- Secrets Management and Rotation
- Software Supply Chain Security
- Policy as Code and Access Control
- Infrastructure as Code (IaC) Security
- Securing CI/CD Pipelines
- Vulnerability and Dependency Scanning