AWS-SA-Pro Flashcards
What are the two most common features of AWS Systems Manager?
- Run Command
- Patch Manager
What is the name of the AWS Systems Manager command that is used for a patch?
AWS-RunPatchBaseline
Which AWS service can you use if you want to migrate Chef and/or Puppet configuration management tools into the cloud?
AWS OpsWorks
Are AMI’s global or region-specific?
Region-specific
AWS OpsWorks is more suited for _______ whereas Elastic Beanstalk is more suited for _______.
AWS OpsWorks is more suited for infrastructure engineers whereas Elastic Beanstalk is more suited for development teams.
How do the key concepts of AWS OpsWorks interrelate (Stacks, Layers, Apps, Recipes, Cookbooks) ?
Stacks = one or more Layers.
Layers = set of EC2 instances grouped by function.
Apps = deployed (from S3) onto the layers.
Recipes = scripts applied to layers.
Cookbooks = collection of recipes that can be stored on GitHub.
How are Amazon GuardDuty & Amazon Inspector different from AWS Shield & AWS WAF?
GuardDuty & Inspector = detection.
Shield & WAF = protection.
Which service creates serverless GraphQL and Pub/Sub APIs?
AWS AppSync
What 4 services can be used with AWS WAF?
(1) CloudFront
(2) ALB
(3) API Gateway
(4) AppSync
Which AWS service scans EC2 instances for vulnerabilities and provides a report of findings?
Amazon Inspector
Which AWS service provides a CVE (common vulnerabilities and exposures) report?
Amazon Inspector
Differences between Amazon Inspector and Amazon GuardDuty?
Inspector scans EC2 instances for vulnerabilities.
GuardDuty scans entire AWS account using ML-based threat detection.
Would you use SAML 2.0 Identity Federation with Google, Facebook, Twitter, etc?
No. Use SAML 2.0 Identity Federation with an Enterprise Identity Provider (used mainly for on-prem IDs to indirectly login to AWS)
What is the difference between Cognito and IAM Identity Center?
Cognito will be used for customer login scenarios and IAM Identity Center will be used for enterprise / workforce login scenarios.
What’s the difference between Cognito User Pools and Identity Pools?
User Pools offer a sign-up or sign-in experience and provide users with a JWT.
Identity Pools offer a way to swap an unauthenticated or authenticated identity for AWS credentials.
Can API Gateway accept JWT’s for authentication?
Yes
How can an AWS admin create predefined products (and IaC templates) that end users can provision without fully accessing the AWS service (e.g. EC2 instances) ?
AWS Service Catalog
VPC Flow Logs can capture metadata for what three items (levels)?
(1) VPC
(2) Subnet
(3) ENI
Do VPC Flow Logs provide real-time data?
No. There is a delay.
What two log destinations can be used with VPC Flow Logs?
(1) S3
(2) CloudWatch logs
Where is a Network Firewall deployed?
At the VPC level
What layer does AWS WAF use?
L7
What is used to configure your WAF rules?
A Web ACL
What is the default Web ACL Capacity Unit (WCU) maximum?
1500
What are the three types of WAF Rule Groups? (Rule Group = reusable set of rules that you can add to a web ACL)
(1) Managed groups
(2) Self-managed groups
(3) Service-owned groups (Shield, Firewall Manager)
AWS WAF can inspect a request body, header, and cookie (among other items). However, what is the limit for how much can be inspected?
8 KiB (or 8192 bytes)
How are you charged for using WAF?
(1) $5 / month / Web ACL
(2) $1 / month / Web ACL Rule
(3) $0.60 / 1 million requests
What layer does AWS Shield Standard protect?
L3 and L4
Does AWS Shield Advanced get automatically applied to your resources?
No, even after paying for it, you still need to explicitly choose how to configure it for your resources.
What are two benefits of AWS Shield Advanced?
(1) DDoS cost protection – service credits are provided if your resources auto-scale in response to a DDoS attack
(2) Health-based detection – Shield Advanced can monitor Route 53 health checks to detect changes in resources and more quickly identify threats / attacks
Which AWS service offers Desktop-As-A-Service (DaaS)?
Amazon Workspaces
Are Amazon Workspaces highly available?
No, they run on EC2 instances inside a single subnet (and therefore AZ).
Which AWS Directory Service is best when you have more than 5000 users, you want it to be highly available (2+ AZs), and you want a trust relationship between on-prem and cloud directory?
AWS Directory Service for Microsoft Active Directory
Which AWS service uses schema extensions (remote desktop, Sharepoint, SQL, DFS)?
AWS Directory Service for Microsoft Active Directory
What is the best AWS directory service to use when you don’t want any directory data hosted in AWS?
AD Connector
What is the best AWS directory service for continuous operations if the network link between AWS and on-prem environment fails?
AWS Directory Service for Microsoft Active Directory – because the directory is simultaneously running on AWS EC2 instances in addition to on-prem
What AWS service allows your on-premises active directory to use other directory-compatible AWS services – without any identity data being stored in AWS?
AD Connector
What are the three categories of internet networking zones?
(1) Public Internet
(2) AWS Public Zone
(3) AWS Private Zone (VPCs)
Can DHCP Option Sets be edited?
No, once created they are immutable
When you associate a DHCP Option Set to a VPC, do the changes occur immediately?
No, the changes require a DHCP Renew which takes some time
In every subnet, what is the “subnet+1” IP address reserved for?
The VPC router’s network interface – every VPC router needs an interface in every subnet
What AWS service would you use to provision infrastructure for a contact center?
Amazon Connect – also it is omnichannel (voice + chat)
What AWS service would you use to ingest the following types of data: security cameras, smartphones, cars, drones, audio, thermal, depth, radar.. ?
Kinesis Video Streams
What AWS service will likely be used when the exam mentions GStreamer or RTSP (real-time streaming protocol) ?
Kinesis Video Streams
What AWS service is used for serverless ETL ?
AWS Glue
How many AWS Glue Data Catalogs can you have?
One catalog per region per account
How can you avoid data silos and improve visibility into your data stores across all AWS services?
Use AWS Glue Data Catalog crawlers to discover data
What AWS service provides managed web and mobile application testing using a fleet of real browsers and devices?
AWS Device Farm
What AWS service uses NLP to analyze text?
Amazon Comprehend
What AWS service would you use for intelligent enterprise search capability?
Amazon Kendra
What AWS service uses “slots” as parameters to categorize talking points during a conversation?
Amazon Lex
What routes traffic between subnets and is controlled by the route tables?
VPC Router
Every VPC is created with a _____ that is the default for every subnet in the VPC.
Main route table
How many route tables can a subnet have associated to it?
Only 1
How does a route table prioritize traffic routing when there are multiple matching entries?
The most specific route is prioritized
For a stateless firewall to work smoothly, you often have to ______ all outbound traffic so your server can return the responses to the changing client ephemeral ports.
allow
What AWS component has both “allow” and “deny” rules?
NACL
How are the NACLs and Security Groups different in regards to their default configurations?
NACLs allow all traffic by default.
Security Groups deny all traffic by default.
When you create a Custom NACL, what is the default inbound rule and default outbound rule?
Both are “deny all” rules.
Can Security Groups have explicit deny rules?
No. Only allow rules.
Security Groups are not actually attached to EC2 Instances; they are attached to _____
ENIs (primary network interface of the EC2 instance)
What AWS service would you use when you need single digit millisecond latency and AWS infrastructure physically located closer to your end users?
AWS Local Zones
What AWS service is conceptually just a single AZ that is physically closer to your end users?
AWS Local Zones
What AWS service converts text into “life-like” speech (no translation service) ?
Amazon Polly
What AWS service performs deep learning image and video analysis?
Amazon Rekognition
What AWS service can detect and analyze text in documents such as JPEG, PNG, PDF, or TIFF ?
Amazon Textract
What AWS service can you use to generate predictions based on time-series data?
Amazon Forecast
What service can you conceptually think of as an IDE for ML model lifecycles?
Amazon SageMaker Studio
Which Disaster Recover strategy would be analogous to moving from your current house to building a new backup house from scratch?
Backup & Restore
Which Disaster Recover strategy only runs the bare minimum resources required for a recovery?
Pilot Light
Which Disaster Recover strategy keeps a fully functional copy of your resources running but in a smaller and scaled down capacity than your current infrastructure?
Warm Standby
What keyword is used to describe the main CloudWatch service?
CloudWatch Metrics
How would you capture richer and more detailed metrics for CloudWatch?
Install the CloudWatch agent
What term is used in CloudWatch to define a container for metrics?
Namespaces
What is the term that CloudWatch uses to differentiate metrics between distinct EC2 instances?
Dimensions (a name/value pair that is part of the identity of a metric)
What are the two CloudWatch resolutions, which is the default, and what are the time intervals?
- Standard (default): 60 second granularity
- High: 1 second granularity
What CloudWatch feature can be used to view data aggregation over a time period, such as Min, Max, Sum, Average ?
CloudWatch Statistics
How do the three main CloudWatch Logs items interrelate (Log Events, Log Streams, Log Groups) ?
Log Groups contain Log Streams, which contain Log Events, which consist of a timestamp and raw message.
If you use the S3 Export feature of CloudWatch Logs, is the data transferred in real time?
No, it can take up to 12 hours
What integration would you use if you want near-real-time handling of CloudWatch Logs data?
Kinesis Firehose
What integration would you use if you need real-time handling of CloudWatch Logs data?
Lambda functions and/or Kinesis Data Streams
How long are CloudTrail Events stored by default at no cost?
90 days
What are the three different types of CloudTrail Events?
(1) Management Events
(2) Data Events
(3) Insight Events
What type of CloudTrail Events are captured by default?
Management Events, but NOT Data Events
What are the two scopes that can be used when creating a CloudTrail Trail?
(1) One Region
(2) All Regions
How many CloudTrail Trails can you have per Region?
5
How would you capture global service events using CloudTrail for services like IAM, STS, CloudFront ?
This isn’t captured by default, so you would have to create a new CloudTrail Trail. The Trail would log these events into us-east-1 since they are global services.
Does CloudTrail capture events in real-time?
No, it takes approximately 15 minutes.
For CloudTrail, what is the cost to have one Trail for ongoing Management Events delivered to S3 ?
Free
Which AWS service is used to trace user requests through your application to identify bottlenecks and view latency data at each stage of the application?
AWS X-Ray
The following items are two common examples of AWS-generated ___________ ?
(1) aws:createdBy
(2) aws:cloudformation:stack-name
Cost Allocation Tags
After creating a Cost Allocation Tag, is it immediately available?
No, it can take up to 24 hours to be visible and active
After creating a Cost Allocation Tag, does it apply retroactively to your cost reporting?
No, it is not retroactive.
What are the 7 free AWS Trusted Advisor checks for the AWS Basic Support and AWS Developer Support plans?
(1) S3 Bucket Permissions
(2) Security Groups - Specific Ports Unrestricted
(3) IAM Use (i.e. does each account have IAM users and not using root user)
(4) MFA on Root Account
(5) Are EBS Snapshots public?
(6) Are RDS Snapshots public?
(7) 50 service limit checks (80%+ quota utilization)
Which AWS support plans give you access to the AWS Support API to integrate with your applications?
AWS Business Support
AWS Enterprise Support
What CloudWatch Logs feature allows you to stream logging data into different systems?
Subscription Filters
What protocol operates over TCP/179 ?
Border Gateway Protocol (BGP)
What can be conceptually thought of as a network in BGP?
An Autonomous System (AS)
What’s the difference between iBGP and eBGP?
iBGP (internal) deals with routing within an AS.
eBGP (external) deals with routing between AS’s.
In BGP, each AS broadcasts ______ to the other AS’s.
The shortest ASPATH (doesn’t take into account the path performance/latency).
How can you configure AS route tables in BGP to manipulate the routes that each AS broadcasts?
You can use Path Prepending to artificially lengthen certain paths. This will solve the problem of AS’s broadcasting the shortest path without taking into account latency.
What AWS service uses anycast IP addresses, so a customer’s request to the IP address will be routed the closest location?
AWS Global Accelerator
In regards to the OSI layers, how is Global Accelerator different from CloudFront?
CloudFront only uses L7, but Global Accelerator uses L4 (TCP/UDP) and L7.
How are Symmetric Encryption and Asymmetric Encryption different?
Symmetric Encryption is fast but less secure, because both parties use the same key to encrypt/decrypt the data.
Asymmetric Encryption is slower but more secure, because it uses a public key + private key.
IKE (Internet Key Exchange) Phase 1 and IKE Phase 2 are the two main phases of ________.
IPSEC VPNs
What are the two types of VPNs?
(1) Policy-based VPNs (different rules for different types of traffic)
(2) Route-based VPNs (target matching based on prefixes)
With a Site-to-Site VPN, is the Virtual Private Gateway (VGW) highly available?
Yes, behind the scenes there are separate endpoints distributed across AZs.
How would you configure a Site-to-Site VPN to be highly available?
Add a second Customer Gateway (CGW).
What is the AWS Site-to-Site VPN speed limit?
1.25 Gbps
What AWS service would you use to reduce complexity when connecting multiple VPCs and on-prem networks?
AWS Transit Gateway (TGW)
What is the benefit of peering TGW’s?
You can create connections to other AWS Regions either in the same account or also cross-account.
When Transit Gateways (TGWs) are peered, are the routes in each TGW route table automatically shared/propagated between TGWs?
No.
How many peering attachments per TGW?
Up to 50
A ________ is associated with VPCs, Subnets, Internet Gateways (IGW), Virtual Private Gateways (VGW), and Transit Gateways (TGW).
route table
What’s the difference between static routes and dynamic routes in a route table?
Static routes are added manually.
Dynamic routes are propagated into the route table, if this is enabled for a TGW or VGW association.
What could you do to enable better performance for your Site-to-Site VPN?
Use the Accelerated Site-to-Site VPN feature. This utilizes Global Accelerator edge locations.
What would you use for an AWS-managed implementation of OpenVPN, typically as a way for a remote workforce to securely access AWS resources?
Client VPN (different from Site-to-Site VPN)
Is the Split Tunnel feature of AWS Client VPN the default?
No, it must be enabled. Split Tunnel allows your client to retain it’s existing route tables when associating the Client VPN route table onto it.
How are you billed for DX ?
Hourly cost for the port allocation at the DX location.
Outbound data transfer (inbound is free).
Is a DX location owned by AWS ?
No, typically these are regional data centers where AWS has rented equipment.
What are the 3 speed options for a DX connection?
1, 10, or 100 Gbps
How could you secure your DX connection at the L2 level on a hop-by-hop basis?
Use MACsec
Regarding a DX connection (which is a L2 connection), what is used to allow multiple L3 networks to run over the DX ?
Virtual Interfaces (VIFs)
____ VIFs are used to connect to public IPs in AWS Public Zones.
____ VIFs are used to connect to private IPs within AWS VPCs.
____ VIFs are used to integrate DX with Transit Gateways (TGWs).
Public
Private
Transit
An Accelerated Site-to-Site VPN can be used for ____ but not _____.
Can be used for TGW, but not VGW.
When using a Private VIF to run over your DX connection, what is the max number of prefixes that you can advertise to the BGP network?
100
A ______ ____ is layered over a DX connection and runs from on-prem infrastructure to a Virtual Private Gateway (VGW). It must be attached to a VGW within the same region that the DX connection terminates into.
Private VIF
A _____ VIF can access all AWS Regions. There is no region specific limitation like for ______ VIFs.
Public….. Private
What AWS service could you use to connect on-prem infrastructure to multiple VPCs spread across AWS Regions using a single DX connection?
Direct Connect Gateway (DGW)
A Direct Connect Gateway (DGW) can be associated with VPCs & ______, or TGWs & a ______, but not both.
Private VIFs…. Transit VIF
Would you use a DX Link Aggregation Group (LAG) more for speed purposes or for resiliency purposes?
Speed
A DX _____ ____________ _______ is when you utilize multiple DX connections going into a single DX location for faster speeds (parallel data transit).
Link Aggregation Group (LAG)
A DX LAG is capable of using 2 ___ GB ports or 4 ports if they use less than ___ GB.
100
What AWS service is used to register domains and host zones (nameservers)?
Route 53
When you create a Route 53 Hosted Zone, how many nameservers does AWS allocate for your hosted zone?
4
In Route 53, a CNAME record can map a domain to another _______, but not to an ___ _________.
… domain…. IP address
What type of DNS record is used for a server to find the mail server of a specific domain?
MX records
What type of DNS record can be used to prove domain ownership?
TXT records
What DNS feature is used to cache DNS query results?
TTL - depending on how long the TTL is, sometimes a query may not use the most up-to-date IP address and the request will take longer to go through
What is a Route 53 Hosted Zone in simple terms?
It is a DNS database for a domain
What is the difference between CNAME and ALIAS records?
CNAME maps name–>name (does not support apex)
ALIAS maps name–>name (does support apex)
What is the main limitation of Route 53 Simple Routing?
doesn’t support health checks
Which Route 53 routing policy improves availability but is NOT a replacement for load balancing?
Route 53 Multi Value Routing
Which Route 53 routing policy would you use to optimize performance and user experience?
Route 53 Latency-Based Routing
Which Route 53 routing policy checks for records based on the state, country, and continent?
Route 53 Geolocation Routing
Which Route 53 routing policy routes based on physical distance and includes a bias value?
Route 53 Geoproximity Routing
When using a Route 53 Private Hosted Zone, what two attributes need to be set to “true” ?
- enableDnsHostnames
- enableDnsSupport
What AWS service can you use to track changes that are made to your resources?
AWS Config
Can you deploy an application to your on-prem servers using Elastic Beanstalk?
No
_________ multi-master DB instances are confined to the same region, whereas _________ multi-master DB instances allow read/write to any region.
Aurora… DynamoDB Global Tables…
_________ is a serverless Database-Table-as-a-Service (DBaaS), whereas _________ is NOT serverless and is a Database-Server-as-a-Service (DBSaaS).
DynamoDB…. Amazon RDS…
Each DynamoDB table item (conceptually, a row) can have a max size of _____ KB.
400
Does an ELB provide you with an IP address or a DNS name to use?
ELB only provides you with a DNS name
How does AWS incentivize customers to use ALIAS records for mapping from a DNS name to an AWS resource?
They do not charge for this. It is free.
For DNS resolution, you would use _____ records to map www.example.com to an IPv4 address.
A
Can the Management Account of an AWS Organization be restricted with a Service Control Policy (SCP) ?
No. SCPs do not affect the Management Account.
Do SCPs affect service-linked roles?
No. Service-linked roles will still work normally even with an SCP attached.
Would you use Amazon Macie to scan your CodeCommit repositories for secret keys?
No, Amazon Macie is generally used for scanning S3 buckets.
How many subnets can you have per VPC?
Default is 200
Can a Security Group block a specific IP address?
No, because Security Groups block all inbound traffic by default and only use allow rules.
How many IAM users can you have per account? Can this quota be changed?
5000…. No, this is a hard limit.
What could you set up to ensure your AWS Service Quotas don’t end up restricting your application as its demand grows?
You could create CloudWatch Alarms to notify you when you’re approaching your Service Quotas. Then you can request a quota increase before your application hits the quota ceiling.
Permissions Boundaries can be applied to ________ or ________.
IAM Users… IAM Roles
What are the 6 sequential items that are checked when determining allow/deny status for anything within the SAME AWS account?
- Check for any “Explicit Deny” rules
- SCPs
- Resource Policies
- Permissions Boundaries
- Session Policies (only applicable for “assumeRole” situations)
- Identity Policies
AWS Resource Access Manager allows AWS resources to be shared from one account to another AWS _________, _________, or _________.
Account… Organizational Unit (OU)… Organization
Is there a cost for using AWS Resource Access Manager?
No cost.
Are AZ’s always mapped to the same physical data centers, when comparing two accounts? For example, would “us-east-1a” for account A always match “us-east-1a” for account B?
No. AWS rotates how the AZ’s are mapped to the physical data centers.
Solution = AZ ID’s… These ARE consistent across accounts.
When sharing AWS resources using AWS Resource Access Manager between accounts WITHIN the same organization, does the recipient account need to manually accept the invite?
No, the recipient account automatically accepts the invitation.
When sharing AWS resources using AWS Resource Access Manager between accounts across DIFFERENT organizations, does the recipient account need to manually accept the invite?
Yes.
When using a Shared Services VPC with AWS Resource Access Manager, can the participant accounts provision services into the Shared Services VPC?
Yes
When using a Shared Services VPC with AWS Resource Access Manager, can the account that owns/shares the VPC delete or modify resources created by the participant accounts?
No. Ownership of a provisioned resource by a participant account remains with that participant account.
VPC Peering allows shared access to ______ VPC resources, whereas AWS PrivateLink only allows access (via interface endpoints) to a ________ VPC service/application.
all ….. specific
Does a VPC Gateway Endpoint go into a specific subnet or specific AZ?
Neither, a VPC Gateway Endpoint is used across all AZ’s in a region.
Then you can define which subnets will have the Gateway Endpoint prefix added into their route tables.
What type of endpoint provides private access to S3 and/or DynamoDB ?
VPC Gateway Endpoint
Can VPC Gateway Endpoints access services in other regions?
No, they are a regional service.
AWS Internet Gateways are conceptually attached to the perimeter of a _________.
VPC
Does your default VPC come with an Internet Gateway?
Yes. Also it comes with a public subnet in each AZ.
A VPC ______ Endpoint allows private access to the AWS Public Zone services (S3, DynamoDB) without using an Internet Gateway or NAT Gateway.
Gateway
In Amazon ECS, you cannot attach security groups to the ECS Tasks when using the _____ networking mode.
bridge or host
In Amazon ECS, which networking mode assigns an ENI and a private IPv4 address to each ECS Task?
awsvpc (this provides more control than the “bridge” networking mode)
Are certificates from AWS Certificate Manager regional or global?
Regional. If multiple regions are desired, you must request a certificate for each region.
st1 and sc1 are examples of _______ EBS volumes and they have a _______ (high/low) max IOPS count.
HDD… low…
To troubleshoot constantly failing EC2 instances in an ASG, are you able to suspend the “Terminate” process of the ASG?
Yes.
Even if you enable EC2 instance protection for an EC2 instance, the ______ still has the ability to terminate an EC2 instance that it has created.
ASG
For an Amazon SQS Queue, the _______ attribute specifies the number of times a message is delivered to the queue before being moved to a dead-letter queue.
maxReceiveCount
A VPC ________ Endpoint goes into a specific subnet whereas a VPC ________ Endpoint is used across all AZ’s in a region.
Inferface… Gateway…
Network access to a VPC ________ Endpoint can be controlled with a Security Group (b/c it is within a subnet within a VPC) whereas a VPC ________ Endpoint cannot.
Inferface… Gateway…
Which type of VPC endpoint uses DNS for its routing?
VPC Interface Endpoint
VPC ________ Endpoints use prefix lists and route tables, whereas VPC ________ Endpoints use DNS.
Gateway… Interface…
When deploying resources into a public subnet, does the resource need to have a public IP address?
No, you can choose to only assign a private IP address to your resources, even in public subnets.
Can a public (aka internet-facing) ALB communicate with instances inside a private subnet?
Yes, as long as the ALB is running from a public subnet.
Can the Fargate deployment type run on AWS Outposts?
No.
______ allow us to run multiple L3 networks over the L2 Direct Connect.
VIFs
A VIF uses a ______ Peering Session + _______.
BGP… VLAN
When creating a site-to-site VPN connection, specify ________ routing if your customer gateway device supports BGP.
dynamic (as opposed to static)
Would you use AWS X-Ray to help plan a migration?
No, it is used to debug production applications.
A Network ACL can filter requests based on _______ but not ________.
IP addresses… URLs
A _______ server acts as an intermediary between the client and the server, effectively functioning like a firewall/filter.
proxy
What enables private connections to AWS services without using public IPs, and uses AWS PrivateLink under the hood?
Interface Endpoints
Metric Filters and Subscription Filters are components of which AWS service?
CloudWatch Logs
Management Events and Data Events are components of which AWS service?
CloudTrail
Which AWS services can be directly accessed through Gateway Endpoints?
S3 and DynamoDB
How does traffic routing work with Gateway Endpoints in a VPC?
Gateway Endpoints are added as a target for a specific route in your VPC route table
When generating an S3 Presigned URL, what permissions get embedded into the link?
The permissions will match those of the IAM user who created the link.
Is it a good practice to generate an S3 Presigned URL using an IAM role?
No, because the IAM role will generally expire faster than the URL and then the URL will not work.
What AWS service could you use to simplify access to S3 (for example, providing different departments with their own S3 URL each containing separate permissions policies)?
S3 Access Points
What CLI command would you use to set up an S3 Access Point?
create-access-point
Does S3 Object Lock require versioning to be enabled on the bucket?
Yes. Thus, it is actually the object versions, rather than the object, that are being locked.
What are the two types of S3 Object Lock?
(1) S3 Object Lock - Retention
— compliance mode: immutable
— governance mode: some changes allowed
(2) S3 Object Lock - Legal Hold
— on/off switch: prevents deletion
What service can be used to monitor and discover sensitive data in S3 (for example, PII) ?
Amazon Macie