AWS pt 2

Question 1

VPC Endpoints

Answer 1

Connect to AWS using a private network
VPC Endpoint Gateway: S3 and DynamoDB
VPC Endpoint Interface: The rest

Question 2

AWS Private Link (v)

Answer 2

Powers AWS endpoints
Most secure and scalable way to expose a service to 1000s of VPCs
Requires NLB/ENI

Question 3

Site to Site VPN

Answer 3

Goes over the public internet
Auto encrypted
On premise (Customer Gateway) and AWS (VP Gateway)

Question 4

Inter

DIrect-Connect

Answer 4

Physical connection between on-premises and VPN
Private and secure

Question 5

AWS Client VPN (v)

Answer 5

• OpenVPN to your private network in AWS and on-premises data center
• **Allows you to connect to your EC2 instances over a private IP **
• Goes over the public internet

Question 6

Transit Gateway

Answer 6

Transitive peering between thousands of VPC and on-premises
One single gateway to provide this functionality
Works with direct connect gateway and VPN connections

Question 7

Shared Responsibility model for security (AWS)

Answer 7

• protecting infrastructure
• managed services like S3 and DynamoDB

Question 8

Shared Responsibility model for security (Customer)

Answer 8

• EC2 instances (management of guest OS: security patches and updates)
• Firewall and network configuration
• IAM
• Encrypting application data

Question 9

Shared control

Answer 9

• Patch management
• Configuration management
• Awareness and training

Question 10

RDS (AWS responsibility)

Answer 10

• manages underlying EC2 instances and disable SSH access
• Automated DB/OS patching
• Audit the underlying instances and disk and guarantee its functions

Question 11

RDS (Your Responsibility)

Answer 11

• Check ports / IP / Security group inbound rules in DB’s SG
• In database user creation and permissions
• Creating a DB with or without public access
• Ensure parameter groups or DB configuration to only allow SSL connections
• DB encryption settings

Question 11

S3 (AWS)

Answer 11

• Guarantee you get unlimited storage
• Guarantee you get encryption
• Ensure the separation of data between customers

Question 12

S3 (You)

Answer 12

• Bucket configuration
• Bucket policy/Public settings
• IAM user roles
• Enable encryption

Question 13

AWS Shield Standard

Answer 13

• DDoS Protection
• Website and applications for all customers at no additional cost
• Cloud Front and Route 53

Question 14

AWS Shield Advanced

Answer 14

24/7 premium DDoS Protection

Question 15

AWS WAF

Answer 15

• Filter specific requests based on the rules
• Layer 7
• Common web exploits
• Deploy ALB, API gateway and CloudFront
• Define Web ACL: Geo-matching, rate based rules, IP addresses, HTTP, URI

Question 16

AWS Network Firewall

Answer 16

• Protect VPC (layers 3-7)
• Inspect all aspects of VPC

Question 17

AWS Firewall Manager (V)

Answer 17

• Manages security rules in all accounts
• Security policies: Manages all security measures

Question 18

Penetration testing

Answer 18

• Clients may conduct penetration testing on 8 services
• DNS walking, DDoS, port flooding is not allowed
• EC2 (NAT Gateways, ELB), RDS, CloudFront, Aurora, API Gateway, Lambda, Lightsail, Elastic Beanstalk

Question 19

AWS KMS

Answer 19

• Opt-in: EBS, S3, Redshift, RDS, EFS
• Automatically enabled: Cloudtrail logs, S3 Glacier, Storage Gateway
• types:
  Customer managed keys, AWS managed keys, AWS owned keys, HSM (Crypto operations are performed within HSM cluster)

Question 20

AWS Certificate Manager

Answer 20

• Lets you deploy SSL/TLS certificate
• Supports public and private TLS certificate
• Automatically renewed

Question 21

AWS secrets manager

Answer 21

• Force rotation of secrets every X days (Lambda)
• Mostly for RDS integration

Question 22

AWS artifact

Answer 22

• On demand access to AWS compliance document and AWS agreements

Question 23

AWS GuardDuty

Answer 23

• Monitors CTS for malicious activity and unauthorized behavior
• VPC flow logs, Cloudtrail logs, S3, EBS and sends to Eventbridge and sent to SNS and Lambda

Question 24

Amazon Inspectors

Answer 24

• Only performs when needed
• For EC2: leverages SSM agent (Access network accessibility, runs OS against vulnerabilities)
• **Container images pushed to Amazon ECR: Access images as they are being pushed **
• For lambda functions: Software vulnerabilities in functions and package dependencies

Question 25

AWS Config

Answer 25

• Checks if anyone has made any changes and return the logs and who did it using CloudTrails, and alerts it too
• Helps record config over time and will be moved to S3
  e.g. security group access changes, bucket policies regarding public access, and how the ALB changes over time
• per region and aggregate across regions and accounts

Question 26

Amazon Macie

Answer 26

• Hides Personally Identifiable information

Question 27

Amazon Security Hub

Answer 27

• Manages security across accounts and automates security checks

Question 28

Amazon Detective

Answer 28

• How these issues and problems occurred
• Finds root cause

Question 29

AWS Abuse

Answer 29

• Report weird activities

Question 30

Root User privileges

Answer 30

• Register as a seller

Question 31

IAM access analyzer (V)

Answer 31

• Create a zone of trust for AWS accounts