AWS pt 2 Flashcards
VPC Endpoints
Connect to AWS using a private network
VPC Endpoint Gateway: S3 and DynamoDB
VPC Endpoint Interface: The rest
AWS PrivateLink (v)
Powers AWS endpoints
Most secure and scalable way to expose a service to 1000s of VPCs
Requires NLB/ENI
Site to Site VPN
Goes over the public internet
Auto encrypted
On-premises (Customer Gateway) and AWS (Virtual Private Gateway)
Direct Connect
Physical connection between on-premises and VPN
Private and secure
AWS Client VPN (v)
- OpenVPN to your private network in AWS and your on-premises data center
- **Allows you to connect to your EC2 instances over a private IP**
- Goes over the public internet
Transit Gateway
Transitive peering between thousands of VPCs and on-premises networks
One single gateway to provide this functionality
Works with Direct Connect Gateway and VPN connections
Shared Responsibility model for security (AWS)
- protecting infrastructure
- managed services like S3 and DynamoDB
Shared Responsibility model for security (Customer)
- EC2 instances (management of guest OS: security patches and updates)
- Firewall and network configuration
- IAM
- Encrypting application data
Shared control
- Patch management
- Configuration management
- Awareness and training
RDS (AWS responsibility)
- Manages the underlying EC2 instances and disables SSH access
- Automated DB/OS patching
- Audits the underlying instances and disks and guarantees they function
RDS (Your Responsibility)
- Check ports / IP / Security group inbound rules in DB’s SG
- In-database user creation and permissions
- Creating a DB with or without public access
- Ensure parameter groups or DB configuration only allow SSL connections
- DB encryption settings
S3 (AWS)
- Guarantee you get unlimited storage
- Guarantee you get encryption
- Ensure the separation of data between customers
S3 (You)
- Bucket configuration
- Bucket policy/Public settings
- IAM user roles
- Enable encryption
AWS Shield Standard
- DDoS Protection
- Protects websites and applications for all customers at no additional cost
- CloudFront and Route 53
AWS Shield Advanced
24/7 premium DDoS Protection