AWS pt 2 Flashcards

1
Q

VPC Endpoints

A

Connect to AWS using a private network
VPC Endpoint Gateway: S3 and DynamoDB
VPC Endpoint Interface: The rest

2
Q

AWS PrivateLink (v)

A

Powers AWS endpoints
Most secure and scalable way to expose a service to 1000s of VPCs
Requires NLB/ENI

3
Q

Site-to-Site VPN

A

Goes over the public internet
Automatically encrypted
On-premises side (Customer Gateway) and AWS side (VP Gateway)

4
Q

Direct Connect

A

Physical connection between on-premises and VPN
Private and secure

5
Q

AWS Client VPN (v)

A
  • OpenVPN to your private network in AWS and on-premises data center
  • **Allows you to connect to your EC2 instances over a private IP**
  • Goes over the public internet
6
Q

Transit Gateway

A

Transitive peering between thousands of VPCs and on-premises networks
One single gateway to provide this functionality
Works with Direct Connect Gateway and VPN connections

7
Q

Shared Responsibility model for security (AWS)

A
  • Protecting infrastructure
  • Managed services like S3 and DynamoDB
8
Q

Shared Responsibility model for security (Customer)

A
  • EC2 instances (management of guest OS: security patches and updates)
  • Firewall and network configuration
  • IAM
  • Encrypting application data
9
Q

Shared control

A
  • Patch management
  • Configuration management
  • Awareness and training
10
Q

RDS (AWS responsibility)

A
  • Manages the underlying EC2 instances and disables SSH access
  • Automated DB/OS patching
  • Audits the underlying instances and disks and guarantees their functioning
11
Q

RDS (Your Responsibility)

A
  • Check ports / IP / Security group inbound rules in DB’s SG
  • In-database user creation and permissions
  • Creating a DB with or without public access
  • Ensure parameter groups or DB configuration only allow SSL connections
  • DB encryption settings
11
Q

S3 (AWS)

A
  • Guarantee you get unlimited storage
  • Guarantee you get encryption
  • Ensure the separation of data between customers
12
Q

S3 (You)

A
  • Bucket configuration
  • Bucket policy/Public settings
  • IAM user roles
  • Enable encryption
13
Q

AWS Shield Standard

A
  • DDoS Protection
  • Websites and applications for all customers at no additional cost
  • CloudFront and Route 53
14
Q

AWS Shield Advanced

A

24/7 premium DDoS Protection

15
Q

AWS WAF

A
  • Filters specific requests based on rules
  • Layer 7
  • Common web exploits
  • Deploy on ALB, API Gateway and CloudFront
  • Define Web ACL: geo-matching, rate-based rules, IP addresses, HTTP, URI
16
Q

AWS Network Firewall

A
  • Protect VPC (layers 3-7)
  • Inspect all aspects of VPC
17
Q

AWS Firewall Manager (V)

A
  • Manages security rules in all accounts
  • Security policies: Manages all security measures
18
Q

Penetration testing

A
  • Clients may conduct penetration testing on 8 services
  • DNS walking, DDoS, port flooding are not allowed
  • EC2 (NAT Gateways, ELB), RDS, CloudFront, Aurora, API Gateway, Lambda, Lightsail, Elastic Beanstalk
19
Q

AWS KMS

A
  • Opt-in: EBS, S3, Redshift, RDS, EFS
  • Automatically enabled: CloudTrail logs, S3 Glacier, Storage Gateway
  • Types: customer managed keys, AWS managed keys, AWS owned keys, HSM (crypto operations are performed within the HSM cluster)
20
Q

AWS Certificate Manager

A
  • Lets you deploy SSL/TLS certificates
  • Supports public and private TLS certificates
  • Automatically renewed
21
Q

AWS secrets manager

A
  • Force rotation of secrets every X days (Lambda)
  • Mostly for RDS integration
22
Q

AWS artifact

A
  • On demand access to AWS compliance document and AWS agreements
23
Q

AWS GuardDuty

A
  • Monitors CTS for malicious activity and unauthorized behavior
  • Analyzes VPC Flow Logs, CloudTrail logs, S3, EBS and sends findings to EventBridge, which forwards them to SNS and Lambda
24
Q

Amazon Inspector

A
  • Only runs when needed
  • For EC2: leverages the SSM agent (assesses network accessibility, scans the OS for vulnerabilities)
  • **Container images pushed to Amazon ECR: assesses images as they are being pushed**
  • For Lambda functions: software vulnerabilities in functions and package dependencies
25
Q

AWS Config

A
  • Checks whether anyone has made changes, returns the logs and who made them using CloudTrail, and alerts on them too
  • Helps record configuration over time, which is stored in S3
    e.g. security group access changes, bucket policies regarding public access, and how the ALB changes over time
  • Per region, with aggregation across regions and accounts
26
Q

Amazon Macie

A
  • Hides Personally Identifiable Information (PII)
27
Q

Amazon Security Hub

A
  • Manages security across accounts and automates security checks
28
Q

Amazon Detective

A
  • How these issues and problems occurred
  • Finds root cause
29
Q

AWS Abuse

A
  • Report weird activities
30
Q

Root User privileges

A
  • Register as a seller
31
Q

IAM access analyzer (V)

A
  • Create a zone of trust for AWS accounts