AWS Organizations

Question 1

Master Account

Answer 1

one account controls group policies and single consolidated billing

Question 2

AWS Control Tower

Answer 2

Setup and manage multi-account environments
- provision to conform to governance and policies

Question 3

AWS Support Models

Answer 3

• Basic
• Dev
• Business
• Enterprise

Question 4

Business and Enterprise Support Models

Answer 4

• AWS Shield Advanced: 24/7 support
• AWS IEM: architecture and scaling guidance
• AWS Support API: support calls to access support checks
• Concierge Support
• 15 Trusted Advisor Checks and recommendations

Question 5

Trusted Advisor

Answer 5

real time guidance for provisioning resources w/ AWS best practices

implement checks: optimize the things

Question 6

Identity and Access Management

Answer 6

Secure Control of Resources:
- Authentication and Authorization
- Root User
- PW Policies
- IAM Policies
- IAM Roles

Question 7

Root User

Answer 7

single standalone sign-in identity with total access

Question 8

PW Policies

Answer 8

8-28 chars
pw must be diff to aws account name/email
apply to all users except root

Question 9

Accessing IAM

Answer 9

Maagement console, command line tools, SDKs, HTTPS API

Question 10

IAM Managed Policies

Answer 10

permission set created and administered by AWS

Question 11

Amazon Resource Name

Answer 11

how standalone policies are named

ex: arn:aws:iam::aws:policy/IAMReadOnlyAccess

Question 12

IAM Roles

Answer 12

user, app, or service with assigned permission

temp creds for session lifetime

give outsiders access

Question 13

AWS STS Temp Creds

Answer 13

web service for creating temp creds for validity period

Question 14

How do you create temporary credentials?

Answer 14

w/ CLI or create from your code

Question 15

Access Key

Answer 15

digital signatures performed to give apps outside of AWS access

Question 16

AWS Cognito

Answer 16

AWS SSO

Question 17

Network Access Control (NACLs)

Answer 17

allows for stateless traffic filtering to all traffic on VPC subnet

Question 18

Security Groups

Answer 18

“allow only” firewalls, no explicit deny rules

Question 19

Default Security Group Settings

Answer 19

• comm. b/t all resources w/i SG and all outbound traffic
• return traffic allowed s/ Shield Standard Inspection
• all rules in SG are evaluated

Question 20

Web App Firewall

Answer 20

control and monitor HTTP/HTTPS requests forwarded to CloudFront (CDN), Application Elastic Load balancer, or API Gateway

Question 21

Permissive

Answer 21

allow all requests except ones you designate

Question 22

restrictive

Answer 22

block all requests except ones you designate

Question 23

Matching condition sets

Answer 23

• country of request origin
• originating IPv4 and 6 addressses
• values in HTP request headers
• lengths o URIs, args, fields, field cts
• literal or regex string patterns
• SQL injection code presence
• Cross site scripting code presence
• cross site request forgery code

Question 24

AWS Shield

Answer 24

• DDOS protection
• DoS floods and exploits
• layered defense -NACLs, SG, WAF

Question 25

Amazon Inspector

Answer 25

automated security assessment to enhance security and compliance

Question 26

Guard duty

Answer 26

fully managed threat detection
- looks for anomolies and unauthorized actions
- monitors for zero-day activities
- machine learning and AI algorithms

Question 27

Client Side Encryption

Answer 27

app data encrypted before going to other AWS services

Question 28

Server Side Encryption

Answer 28

data encrypted by service that receives ti

Question 29

AWS KMS

Answer 29

customer master keys - encrypt and decrypt data and generate data keysused outside of AWS