AWS Security and Architecture Services List - Flashcards

1
Q

Service that enables you to continually monitor your
resources for adherence to best practices

A

AWS Config

2
Q

Automated security assessment service for EC2
instances

A

Amazon Inspector

3
Q

Managed Distributed Denial of Service (DDoS)
protection service for apps running on AWS

A

AWS Shield

4
Q

Data classification, protection, and monitoring service
powered by machine learning for Amazon S3 data

A

Amazon Macie

5
Q

Portal that provides self-service access to AWS
compliance reports and agreements you may have with
AWS

A

AWS Artifact

6
Q

Big-data cloud-based tool suite using popular open
source tools including Apache Spark, Apache Hive,
Presto, and many others

A

Amazon EMR

7
Q

Hybrid-cloud storage service that enables companies to
take advantage of cloud storage on their local networks

A

AWS Storage Gateway

9
Q

Data workflow orchestration service that supports
multiple AWS services providing extract, transform, and
load (ETL) capabilities

A

AWS Data Pipeline

10
Q

Managed search service for custom applications

A

Amazon CloudSearch

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Fully-managed serverless extract, transform, and load
(ETL) service

A

AWS Glue

14
Q

Fully-managed service that continually monitors your
AWS account and resources for potential malicious
behavior and anomalies

A

Amazon GuardDuty

15
Q

Fully-managed Business Intelligence (BI) service
enabling self-service data dashboards for data stored in
the cloud

A

Amazon QuickSight

16
Q

Audio transcription service powered by Machine
Learning that can transcribe audio (either streaming or
in batch) in many different languages

A

Amazon Transcribe

18
Q

Text translation service powered by Machine Learning
that can translate text (either streaming or in batch) into
many different languages. It also provides language
detection.

A

Amazon Translate

19
Q

User directory service for custom applications that can
also enable access to AWS resources for your custom
applications

A

Amazon Cognito

20
Q

Computer vision service powered by Machine Learning
that can detect objects in images and video

A

Amazon Rekognition

21
Q

Service that controls access to AWS resources. This is
where you create IAM users, IAM groups, and roles.
Policies are attached to identities for permission to
access resources.

A

AWS Identity and Access Management (IAM)

22
Q

Automated online data transfer service that efficiently moves data
between your on-premises storage and AWS storage services

A

AWS DataSync

24
Q

Service that enables serverless querying of data stored
within Amazon S3 using standard SQL queries

A

Amazon Athena

25
Q

A fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS (primarily data stored in Amazon S3)

A

Amazon Macie

26
Q

Use it to continuously monitor and record your AWS resource configurations. You can use the service to automate the evaluation and remediation of recorded configurations against desired configurations.

A

AWS Config

27
Q

This AWS service is built on a distributed, highly available infrastructure designed for fault-tolerant execution of your activities. If failures occur in your activity logic or data sources, the service automatically retries the activity.

A

AWS Data Pipeline

28
Q

When you combine AWS Organizations with the capabilities of this AWS service and AWS CloudFormation, you can efficiently manage and automate configuration compliance at scale for hundreds of member accounts.

A

AWS Config

29
Q

An AWS service that allows you to audit, assess, and evaluate your AWS resource configurations. The service records and evaluates the configurations of your AWS resources against desired configurations, a set of rules, or conformance packs. It is an optimal service for cloud auditing and asset visibility.

A

AWS Config
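
Cards 26 through 29 describe AWS Config evaluating recorded configurations against a desired state. The following is an added example, not code from the flashcards or from AWS: the evaluation logic of a custom Config rule for S3 buckets (public access blocked, default encryption on), run over a constructed configuration item. The `supplementaryConfiguration` keys and the bucket names are assumptions about the recorded shape; the handler mirrors the event a Lambda-backed custom rule receives but never calls AWS, it only returns the evaluation.

```python
"""Custom AWS Config rule logic: evaluate a recorded S3 bucket configuration
against a desired state (public access blocked, default encryption on).

Added example, not from the original flashcards. The configuration item is
constructed to resemble what Config records for AWS::S3::Bucket; the
supplementaryConfiguration keys used here are an assumption about that shape.
"""
import json

REQUIRED_PAB = ("blockPublicAcls", "ignorePublicAcls",
                "blockPublicPolicy", "restrictPublicBuckets")


def evaluate_bucket(ci):
    """Return (compliance_type, annotation) for one configuration item."""
    if ci.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE", "rule only evaluates S3 buckets"
    if ci.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "bucket deleted"
    supp = ci.get("supplementaryConfiguration", {})
    problems = []
    pab = supp.get("PublicAccessBlockConfiguration", {})
    missing = [k for k in REQUIRED_PAB if not pab.get(k)]
    if missing:
        problems.append("public access block not fully enabled: " + ", ".join(missing))
    sse_rules = supp.get("ServerSideEncryptionConfiguration", {}).get("rules", [])
    if not sse_rules:
        problems.append("no default encryption configured")
    if problems:
        return "NON_COMPLIANT", "; ".join(problems)
    return "COMPLIANT", "public access blocked and default encryption on"


def handler(event):
    """Shape of a Config custom-rule invocation: invokingEvent is a JSON string."""
    invoking = json.loads(event["invokingEvent"])
    ci = invoking["configurationItem"]
    compliance, note = evaluate_bucket(ci)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def _ci(bucket, pab, sse_rules):
    # Constructed configuration item with only the fields this rule reads.
    return {
        "resourceType": "AWS::S3::Bucket", "resourceId": bucket,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "supplementaryConfiguration": {
            "PublicAccessBlockConfiguration": pab,
            "ServerSideEncryptionConfiguration": {"rules": sse_rules},
        },
    }


# Constructed samples: a hardened bucket and a legacy one with gaps.
GOOD_EVENT = {"invokingEvent": json.dumps({"configurationItem": _ci(
    "photos", dict.fromkeys(REQUIRED_PAB, True),
    [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms"}}])})}
BAD_EVENT = {"invokingEvent": json.dumps({"configurationItem": _ci(
    "legacy-exports",
    {"blockPublicAcls": True, "ignorePublicAcls": False,
     "blockPublicPolicy": False, "restrictPublicBuckets": False},
    [])})}

if __name__ == "__main__":
    for ev in (GOOD_EVENT, BAD_EVENT):
        r = handler(ev)
        print(r["ComplianceResourceId"], r["ComplianceType"], r["Annotation"])
```

In a real deployment the returned evaluation is sent back with `PutEvaluations` using the `resultToken` from the event; the decision logic above is the part worth unit-testing, so it is kept free of AWS calls.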

30
Q

This AWS service creates a finding when it discovers a software vulnerability or network configuration issue. A finding describes the vulnerability, identifies the affected resource, rates the severity of the vulnerability, and provides remediation guidance.

A

Amazon Inspector

31
Q

What are the core Trusted Advisor security checks that every support plan (including Basic and Developer) has access to?

A

Amazon EBS Public Snapshots

Amazon RDS Public Snapshots

Amazon S3 Bucket Permissions

IAM Use

MFA on Root Account

Security Groups – Specific Ports Unrestricted
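
The last check in the list, "Security Groups – Specific Ports Unrestricted", is the one most worth reproducing yourself. The following is an added example, not code from the flashcards or from Trusted Advisor: it walks a constructed `describe-security-groups`-shaped payload and flags ingress rules open to the whole internet. The port classification lists are an assumption chosen for illustration and are not Trusted Advisor's published thresholds.

```python
"""Detect security-group ingress rules open to the world on risky ports.

Added example (not from the original flashcards): approximates what the
Trusted Advisor check "Security Groups - Specific Ports Unrestricted"
looks for, over a constructed DescribeSecurityGroups-shaped payload.
The port lists are an assumption for illustration, not the exact
thresholds Trusted Advisor uses.
"""
from ipaddress import ip_network

# Assumed: ports that should never be reachable from 0.0.0.0/0 or ::/0.
HIGH_RISK_PORTS = {20, 21, 22, 1433, 1434, 3306, 3389, 4333, 5432, 5500}
# Assumed: ports normally expected to be public (web, mail).
EXPECTED_PUBLIC_PORTS = {25, 80, 443, 465}

WORLD = {ip_network("0.0.0.0/0"), ip_network("::/0")}


def is_world_open(rule):
    """True if any CIDR on the rule covers the whole internet (v4 or v6)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(ip_network(c, strict=False) in WORLD for c in cidrs)


def rule_ports(rule):
    """Expand FromPort..ToPort; protocol -1 (all traffic) means every port."""
    if rule.get("IpProtocol") == "-1" or rule.get("FromPort") is None:
        return None  # sentinel: all ports
    return range(rule["FromPort"], rule["ToPort"] + 1)


def classify(ports):
    """RED for all-ports or any high-risk port, GREEN for expected public ports."""
    if ports is None:
        return "RED"
    if any(p in HIGH_RISK_PORTS for p in ports):
        return "RED"
    if all(p in EXPECTED_PUBLIC_PORTS for p in ports):
        return "GREEN"
    return "YELLOW"


def check_security_groups(groups):
    """Return [(group_id, protocol, from_port, to_port, status)] for world-open rules
    that are not GREEN."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if not is_world_open(rule):
                continue
            status = classify(rule_ports(rule))
            if status == "GREEN":
                continue
            findings.append((sg["GroupId"], rule.get("IpProtocol"),
                             rule.get("FromPort"), rule.get("ToPort"), status))
    return findings


# Constructed sample, shaped like `aws ec2 describe-security-groups` output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # public HTTPS: fine
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # SSH to the world
    ]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},           # internal only
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},             # world via IPv6
    ]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # everything
    ]},
]

if __name__ == "__main__":
    for finding in check_security_groups(SAMPLE_GROUPS):
        print(finding)
```

Note the IPv6 case: a rule that is clean on `IpRanges` can still be world-open through `Ipv6Ranges`, which is easy to miss when eyeballing a console.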

32
Q

What are some of the Trusted Advisor service quota (service limits) checks?

A

There are many; these are only some of them:
Auto Scaling Groups
Auto Scaling Launch Configurations
CloudFormation Stacks
DynamoDB Read Capacity
DynamoDB Write Capacity
EBS Active Snapshots
EBS Cold HDD (sc1) Volume Storage
EC2 On-Demand Instances
EC2 Reserved Instance Leases
EC2-Classic Elastic IP Addresses
EC2-VPC Elastic IP Address
ELB Application Load Balancers
RDS Total Storage Quota
Route 53 Traffic Policies

33
Q

What does the “Auto Scaling Groups” Trusted Advisor check look at?

A

Checks for usage that is more than 80% of the Auto Scaling groups quota.

34
Q

What does the “EBS Active Snapshots” Trusted Advisor check look at?

A

Checks for usage that is more than 80% of the EBS active snapshots quota.

35
Q

What does the “EBS General Purpose SSD (gp2) Volume Storage” Trusted Advisor check look for?

A

Checks for usage that is more than 80% of the EBS General Purpose SSD (gp2) volume storage quota.

36
Q

What does the Trusted Advisor check “IAM Use” look at?

A

Checks for your use of IAM. You can use IAM to create users, groups, and roles in AWS. You can also use permissions to control access to AWS resources. This check is intended to discourage the use of root access by checking for existence of at least one IAM user. You can ignore the alert if you are following best practice of centralizing identities and configuring users in an external identity provider or AWS IAM Identity Center (successor to AWS Single Sign-On).

37
Q

How do roles for Amazon EC2 instances work?

A

A developer runs an application on an Amazon EC2 instance that requires access to the S3 bucket named photos.
An administrator creates the Get-pics service role and attaches it to the Amazon EC2 instance (through an instance profile). The role includes a permissions policy that grants read-only access to the specified S3 bucket. It also includes a trust policy that allows the Amazon EC2 service to assume the role and retrieve temporary credentials on the instance's behalf.
When the application runs on the instance, it obtains the role's temporary credentials from the instance metadata service (they are rotated automatically) and uses them to access the photos bucket.
The administrator does not have to grant the developer permission to access the photos bucket, and the developer never has to share or manage long-term credentials.
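
The two policy documents the card describes, written out, together with a least-privilege check. This is an added example, not code from the flashcards or from AWS; the role name Get-pics and the bucket name photos come from the card, while the `policy_violations` checker and the "overly broad" before-policy are assumptions for illustration.

```python
"""Trust policy and permissions policy for the Get-pics instance role, plus a
least-privilege check that the permissions policy is read-only on one bucket.

Added example, not from the original flashcards or AWS documentation. The
checker and the over-broad 'before' policy are constructed for illustration.
"""
import json

BUCKET = "photos"

# Trust policy: WHO may assume the role. Only the EC2 service, which then
# vends temporary credentials to the instance via the metadata service.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy: WHAT the role may do. Read-only, scoped to one bucket.
# ListBucket applies to the bucket ARN, GetObject to the objects inside it.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

# Assumed allow-list of actions that count as "read-only" for this check.
READ_ONLY_S3_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion",
                        "s3:ListBucket", "s3:GetBucketLocation"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_violations(policy, bucket):
    """List the ways `policy` exceeds read-only access to `bucket` (empty = OK)."""
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    problems = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in _as_list(st["Action"]):
            if action.endswith("*") or action not in READ_ONLY_S3_ACTIONS:
                problems.append(f"statement {i}: non-read-only action {action}")
        for resource in _as_list(st["Resource"]):
            if resource not in in_scope:
                problems.append(f"statement {i}: resource out of scope {resource}")
    return problems


def trust_allows_only_ec2(policy):
    """True if every Allow statement trusts exactly the EC2 service principal."""
    return all(
        st.get("Principal") == {"Service": "ec2.amazonaws.com"}
        for st in policy["Statement"] if st.get("Effect") == "Allow"
    )


# Constructed 'before' policy a developer might reach for instead.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

if __name__ == "__main__":
    print(json.dumps(TRUST_POLICY, indent=2))
    print(policy_violations(PERMISSIONS_POLICY, BUCKET))
    print(policy_violations(OVERLY_BROAD_POLICY, BUCKET))
```

The split between the two resource ARNs matters: granting `s3:GetObject` on the bucket ARN alone does nothing, and granting `s3:ListBucket` on `.../*` does nothing either, a mismatch that shows up as "access denied" long after the policy looks right.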

38
Q

What is a Service Control Policy (SCP)?

A

AWS Service Control Policies (SCPs) are organization-level policies that define the maximum permissions available to the IAM users and roles in the member accounts of an AWS Organization. An SCP never grants permissions on its own: a request is allowed only if both the SCP chain and the identity's own policies allow it, and an explicit Deny in an SCP cannot be overridden by any identity policy.

SCPs are attached to the organization root, an organizational unit (OU), or an individual account, and are inherited down the hierarchy.

To start using SCPs you must first create an AWS Organization with all features enabled and then enable the SCP policy type for the root.
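
The intersection semantics above are easier to trust once you have run them. The following is an added example, not code from the flashcards or from AWS: a deliberately simplified evaluator that understands only Effect/Action/Resource wildcards and StringEquals/StringNotEquals conditions (no NotAction, resource policies, or permission boundaries), used to show that an SCP caps but never grants. Both policy documents are constructed for illustration; the region guardrail omits the NotAction exemption for global services that a production SCP needs.

```python
"""How a Service Control Policy combines with an identity policy.

Added example, not from the original flashcards or from AWS: a simplified
evaluator (Effect/Action/Resource wildcards, StringEquals/StringNotEquals
conditions only). The policies below are constructed for illustration.
"""
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?') for actions and resources."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(cond, ctx):
    for op, pairs in (cond or {}).items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator {op}")
        for key, wanted in pairs.items():
            equal = ctx.get(key) in _as_list(wanted)
            if (op == "StringEquals") != equal:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """'Allow', 'Deny' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_holds(st.get("Condition"), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins
        decision = "Allow"
    return decision


def is_allowed(scps, identity_policy, action, resource, ctx):
    """Every SCP in the chain AND the identity policy must Allow.

    The SCP side is a ceiling: it can remove permissions but never adds any,
    so a silent identity policy still means the request is denied.
    """
    if any(evaluate(scp, action, resource, ctx) != "Allow" for scp in scps):
        return False
    return evaluate(identity_policy, action, resource, ctx) == "Allow"


# Constructed SCP: FullAWSAccess plus two guardrails (CloudTrail tampering,
# Regions). Real region guardrails use NotAction to exempt global services.
REGION_GUARDRAIL_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {
         "aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}},
]}

ADMIN_IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READONLY_IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}


def demo():
    """Four requests that together show the guardrail semantics."""
    scps = [REGION_GUARDRAIL_SCP]
    us, eu, ap = ({"aws:RequestedRegion": r} for r in ("us-east-1", "eu-west-1", "ap-southeast-1"))
    return {
        # admin identity, but the SCP explicitly denies CloudTrail tampering
        "admin_stop_logging": is_allowed(scps, ADMIN_IDENTITY, "cloudtrail:StopLogging", "*", us),
        # admin identity, Region inside the guardrail
        "admin_run_instances_allowed_region": is_allowed(scps, ADMIN_IDENTITY, "ec2:RunInstances", "*", eu),
        # admin identity, Region outside the guardrail
        "admin_run_instances_other_region": is_allowed(scps, ADMIN_IDENTITY, "ec2:RunInstances", "*", ap),
        # SCP allows everything, but the identity policy is silent on PutObject
        "readonly_put_object": is_allowed(scps, READONLY_IDENTITY, "s3:PutObject", "arn:aws:s3:::photos/x", us),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The last case is the one people get wrong: the SCP's `Allow *` does not help the read-only identity write to S3, because SCPs only define what is *possible*, never what is *granted*.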

39
Q

What is Amazon GuardDuty?

A

Amazon GuardDuty is a security monitoring service that analyzes and processes foundational data sources (AWS CloudTrail management events, VPC Flow Logs, and DNS logs) and, when the corresponding protection plans are enabled, additional sources such as EKS audit logs, RDS login activity, S3 data events, EBS volumes (malware scanning), Runtime Monitoring, and Lambda network activity logs. It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected, potentially unauthorized, and malicious activity within your AWS environment. This can include escalation of privileges, use of exposed credentials, communication with malicious IP addresses or domains, presence of malware on your Amazon EC2 instances and container workloads, or unusual patterns of login events on your databases. For example, GuardDuty can detect compromised EC2 instances and container workloads serving malware or mining cryptocurrency. It also monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments (instances launched in a Region that has not been used before) or unusual API calls (a password policy change that weakens password strength).

40
Q

How does GuardDuty present the findings?

A

GuardDuty informs you of the status of your AWS environment by producing security findings that you can view in the GuardDuty console or receive through Amazon EventBridge. GuardDuty can also export findings to an Amazon Simple Storage Service (S3) bucket and integrates with other services such as AWS Security Hub and Amazon Detective.

41
Q

What are the ways you can work with Amazon GuardDuty?

A

GuardDuty console
https://console.aws.amazon.com/guardduty

The console is a browser-based interface to access and use GuardDuty. The GuardDuty console provides access to your GuardDuty account, data, and resources.

AWS command line tools
With AWS command line tools, you can issue commands at your system’s command line to perform GuardDuty tasks and AWS tasks. The command line tools are useful if you want to build scripts that perform tasks.

For information about installing and using AWS CLI, see AWS Command Line Interface User Guide. To view the available AWS CLI commands for GuardDuty, see CLI command reference.

GuardDuty HTTPS API
You can access GuardDuty and AWS programmatically by using the GuardDuty HTTPS API, which lets you issue HTTPS requests directly to the service. For more information, see the GuardDuty API Reference.

AWS SDKs
AWS provides software development kits (SDKs) that consist of libraries and sample code for various programming languages and platforms (Java, Python, Ruby, .NET, iOS, Android, and more). The SDKs provide a convenient way to create programmatic access to GuardDuty. For information about the AWS SDKs, including how to download and install them, see Tools for Amazon Web Services.

42
Q

What are the security levels for a GuardDuty finding?

A

Each GuardDuty finding has an assigned severity value that reflects the potential risk the finding poses to your environment, as determined by AWS security engineers; higher values indicate greater risk. To help you decide how to respond, GuardDuty groups the numeric range into named levels: Low (1.0 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9) and, added more recently, Critical (9.0 to 10.0). Older documentation gave the overall range as 0.1 to 8.9 with only the Low, Medium and High levels.
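
Cards 40 and 42 together describe the operational loop: findings arrive via EventBridge and carry a numeric severity that maps to a level. The following is an added example, not code from the flashcards or from AWS, of the triage step that sits between the two. The severity bands are GuardDuty's documented levels; the sample events are constructed to follow the EventBridge "GuardDuty Finding" shape (only the fields the code reads), and the routing targets (page, ticket, log) are an assumed policy.

```python
"""Triage GuardDuty findings as they arrive from Amazon EventBridge.

Added example, not from the original flashcards or from AWS. Severity bands
follow GuardDuty's documented levels; the events are constructed, and the
routing targets are an assumption.
"""

# (inclusive lower bound, level). Older docs listed Low as 0.1-3.9, so any
# positive value below 4.0 maps to Low.
SEVERITY_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low"))


def severity_label(value):
    """Map GuardDuty's numeric severity to its named level."""
    if not 0.0 < value <= 10.0:
        raise ValueError(f"severity out of range: {value}")
    for lower, label in SEVERITY_BANDS:
        if value >= lower:
            return label
    raise AssertionError("unreachable")


def parse_finding(event):
    """Extract the triage-relevant fields from one EventBridge event."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        raise ValueError("not a GuardDuty finding event")
    d = event["detail"]
    sev = float(d["severity"])
    return {
        "id": d["id"], "account": d["accountId"], "region": d["region"],
        "type": d["type"], "severity": sev, "level": severity_label(sev),
        "resource_type": d["resource"]["resourceType"],
    }


def route(finding):
    """Assumed routing policy: High/Critical and credential findings page on-call."""
    threat_purpose = finding["type"].split(":", 1)[0]  # e.g. UnauthorizedAccess
    if finding["level"] in ("High", "Critical"):
        return "page-oncall"
    if threat_purpose == "UnauthorizedAccess" and finding["resource_type"] == "AccessKey":
        return "page-oncall"  # leaked credentials spread fast regardless of score
    if finding["level"] == "Medium":
        return "open-ticket"
    return "log-only"


def triage(events):
    """Return findings with an action attached, most severe first."""
    out = []
    for ev in events:
        f = parse_finding(ev)
        f["action"] = route(f)
        out.append(f)
    return sorted(out, key=lambda f: f["severity"], reverse=True)


def _event(fid, ftype, severity, resource_type):
    # Constructed: only the fields this triage reads, in their real positions.
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"id": fid, "accountId": "111122223333", "region": "us-east-1",
                       "type": ftype, "severity": severity,
                       "resource": {"resourceType": resource_type}}}


SAMPLE_EVENTS = [
    _event("f-low", "Recon:EC2/PortProbeUnprotectedPort", 2.0, "Instance"),
    _event("f-high", "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS",
           8.0, "AccessKey"),
    _event("f-med", "Recon:EC2/Portscan", 5.0, "Instance"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:>4} {f['level']:<8} {f['action']:<12} {f['type']}")
```

Routing on the finding type's ThreatPurpose prefix as well as the level is what keeps a numerically "Medium" credential-exfiltration finding from sitting in a ticket queue overnight.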

43
Q

How can you use Amazon GuardDuty to protect your S3 objects?

A

S3 protection enables Amazon GuardDuty to monitor object-level API operations to identify potential security risks for data within your S3 buckets.

GuardDuty monitors threats against your Amazon S3 resources by analyzing AWS CloudTrail management events and CloudTrail S3 data events. These data sources cover different kinds of activity: CloudTrail management events for S3 include operations that list or configure buckets, such as ListBuckets, DeleteBucket, and PutBucketReplication, while S3 data events cover object-level API operations such as GetObject, ListObjects, DeleteObject, and PutObject.

GuardDuty monitoring of CloudTrail management events is on by default for all accounts that have enabled GuardDuty and is not configurable. CloudTrail S3 data event logs are a configurable data source in GuardDuty. S3 Protection is enabled by default for new detectors; for accounts that enabled GuardDuty before S3 Protection was introduced, this data source must be enabled manually (through the console, CLI, or API).

We strongly recommend that you enable S3 protection in GuardDuty. If the feature is disabled, GuardDuty is unable to fully monitor or generate findings for suspicious access to data stored in your S3 buckets.

44
Q

Which types of budgets can you set?

A

You can create the following types of budgets:

Cost budgets – Plan how much you want to spend on a service.

Usage budgets – Plan how much you want to use one or more services.

RI utilization budgets – Define a utilization threshold and receive alerts when your RI usage falls below that threshold. This lets you see if your RIs are unused or under-utilized.

RI coverage budgets – Define a coverage threshold and receive alerts when the number of your instance hours that are covered by RIs falls below that threshold. This lets you see how much of your instance usage is covered by a reservation.

Savings Plans utilization budgets – Define a utilization threshold and receive alerts when the usage of your Savings Plans falls below that threshold. This lets you see if your Savings Plans are unused or under-utilized.

Savings Plans coverage budgets – Define a coverage threshold and receive alerts when the share of your Savings Plans-eligible usage that is covered by Savings Plans falls below that threshold. This lets you see how much of your instance usage is covered by Savings Plans.

45
Q

How to add MFA for root account?

A

Sign in to the AWS Management Console as the root user
Open the IAM console and choose Add MFA on the dashboard (or open the root user's Security credentials page and choose Assign MFA device)
Give the device a name and choose Authenticator app (a virtual MFA device)
Install a compatible authenticator app on your phone and scan the QR code shown in the console
Enter two consecutive codes generated by the app and complete the assignment
Sign out and sign back in as root to confirm the MFA prompt is now enforced