Billing & Monitoring Flashcards

1
Q

Cloudwatch intro

A

Enables you to set up billing alarms.
Will email you if you hit a spending threshold.
Uses SNS for the notification.

2
Q

Cloudwatch detail

A
Monitoring service for AWS resources and the applications that run on AWS.
	• Compute
		○ EC2 instances
			○ CPU
			○ Network
			○ Disk
			○ Status check
			○ Monitors every 5 minutes by default; 1-minute intervals with detailed monitoring
		○ Auto Scaling groups
		○ ELB
		○ Route 53 health checks
	• Storage and content delivery
		○ EBS volumes
		○ Storage Gateway
		○ CloudFront
Alarms can be set to monitor spending on an AWS account.
All about performance.
3
Q

Config

A

Provides a detailed view of the configuration of the AWS resources in your AWS account.
Includes how resources are related to one another and how they were configured in the past.
Lets you see how relationships and configurations have changed over time.
All about resource configuration.

4
Q

Macie

A

Security service that uses ML and NLP to discover, classify, and protect sensitive S3 data.
• Uses AI to recognize which S3 data contains PII
• Dashboards, reporting, alerts
• Works with data in S3
• Can analyze CloudTrail logs
• Great for PCI-DSS (payments on a website) and preventing identity theft

5
Q

IAM (Identity and Access Management)

A
• Centralized control of your AWS account
• Shared access to your AWS account
• Granular permissions
• Identity federation (including Facebook/LinkedIn)
• MFA
• Temporary access for users/devices/services
• Password rotation policy
• Integrates with other AWS services
• PCI DSS compliance framework
• Global account/service (only need to create a user/policy once, as it is global and not per region)
• Root account has full perms/complete admin access
6
Q

IAM Key terminology

A

• User: End users like people/orgs. New users have no perms when created.
• Groups: Collection of users who inherit the perms of the group.
• Policies: Made of policy documents in JSON format that grant perms to a user/group/role. Different policies suit different job functions.
• Roles: Create roles to assign to AWS resources. Lets one service use another service.
○ Perms for an IAM user in another account
○ Application on EC2 that needs to perform actions on another AWS resource
○ AWS service that needs to act on resources in your account
○ Attach a policy
○ Unique role name
○ More secure; allows you to access instances through roles without sharing secret keys/IDs
○ Easier to manage
○ Roles are universal (not per region)

7
Q

IAM initial setup

A
	• Delete root access keys
	• Activate MFA on root
	• Create individual IAM users
		○ Each has a username; access type (console/programmatic); password/password type
		○ Add user to a group
		○ Username, password, access key ID, secret access key and console login link are sent to the user
	• Use groups to assign perms
		○ Add policy to the group
8
Q

IAM Policies

A

• JSON doc that defines permissions
• Identity policy: attached to a user, group or role. Specifies what an identity can do (permissions)
• Resource policy: attached to a resource (like an S3 bucket or SQS queue) to specify who has access to that resource and what they can do
• Must attach the policy to an identity or a resource
○ Each statement matches an AWS API request (any action you can perform against AWS)
○ Sid: human-readable ID of what the statement does
○ Effect: Allow or Deny
○ Action: what they can do (e.g. dynamodb:Query or dynamodb:PutItem)
○ Resource: which resource it applies to (e.g. arn:aws:dynamodb:::table/myTable)

9
Q

IAM Permission Boundaries

A

• Delegate administration to other users
• Advanced feature that uses a managed policy to set the maximum perms an identity-based policy can grant to an IAM entity
• Used to prevent privilege escalation or unnecessarily broad permissions
• Use cases:
○ Devs creating roles for Lambda functions
○ App owners creating roles for EC2 instances
○ Admins creating ad hoc users
○ Even if we give someone admin access, we can restrict it using permission boundaries

10
Q

Resource Access Manager (RAM)

A

• Allows resource sharing between accounts
• Can share: App Mesh, Aurora, CodeBuild, EC2, EC2 Image Builder, License Manager, Resource Groups, Route 53
• Can share a resource without giving access to your subnet so that they can clone it

11
Q

Single Sign-On (SSO)

A

Service that helps centrally manage access to AWS accounts and business applications.
• Can be 3rd-party apps like Dropbox, GitHub, Office 365, Salesforce
○ Or any SAML 2.0 (Security Assertion Markup Language) enabled application
• Centrally manage accounts
• Use existing corporate identities
• Manage user permissions

Granular account-level permissions
• Grant the security team admin access to the AWS accounts running security tools AND auditor-level perms to other accounts

12
Q

IAM AWS Directory Service

A
• Family of managed services
• Connect AWS resources with on-premises AD
• Standalone directory in the cloud
• Use preexisting corporate credentials
• Single sign-on to any domain-joined EC2 instance, rather than per-instance credentials
13
Q

IAM AWS Active Directory

A
• On-premises directory service
• Hierarchical DB of users, groups, computers, trees, forests
• Apply Group Policies to manage users and devices
• LDAP (Lightweight Directory Access Protocol) and DNS
• Supports Kerberos, LDAP and NTLM authentication
• Highly available
14
Q

Cognito

A

Cognito is the web-identity federation service.
Brokers between your app and Facebook to give temporary credentials that allow IAM role access.
Provides web-identity federation.
• Sign-up/sign-in for apps
• Access for guest users
• Acts as an identity broker between your app and web identity providers
Recommended approach: the user authenticates with Facebook, which gives them an auth token for Cognito; Cognito responds and grants access to the AWS environment. Cognito uses Push Sync to push updates and sync user data across multiple devices, and uses SNS to send notifications.
• User pools manage the sign-up/sign-in function for mobile/web apps. Users can sign in directly using the user pool or via Facebook etc.
○ Cognito acts as an identity broker between the identity provider and AWS.
○ Successful authentication generates JSON Web Tokens.
• Identity pools provide credentials for AWS resources like S3 or DynamoDB

15
Q

Organizations

A

Central location to manage AWS accounts. As a company grows there should be separation of duties.
• Centralized management of all accounts using SCPs (Service Control Policies, which set the maximum permissions applied to an OU or individual account).
• Apply policies to an Organizational Unit (OU).
• Consolidated billing for all member accounts through the primary account. Bulk discounts. Hierarchical grouping of accounts.
• Create multiple accounts through AWS Organizations, or invite an existing account by email.
With AWS Organizations, you can use either the consolidated billing features only or all the offered features. If you create an organization with consolidated billing features only, you can later enable all features.

16
Q

Organizations Use Case

A

• Automate the creation of AWS accounts and categorize workloads using groups
• Implement and enforce audit and compliance policies
• Provide tools and access for your security teams while encouraging development
• Share common resources across accounts

17
Q

CloudTrail

A

API auditing tool. Every single request gets logged by the CloudTrail engine.
Records which operator, when, where, and what the response was.
Saves logs indefinitely in S3 buckets. Events typically appear in CloudTrail after about 15 minutes.

CloudTrail increases visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls were made.

18
Q

CloudWatch Use case

A

CloudWatch allows monitoring of infrastructure and applications in real time using metrics (variables tied to your resources), such as the CPU utilization of an EC2 instance.
• Access all info from a central location;
• visibility across apps/infrastructure;
• reduce MTTR (mean time to resolution) and TCO (total cost of ownership);
• drive insights to optimize resources.

19
Q

AWS Trusted Advisor

A

Trusted Advisor helps you optimize your entire AWS environment in real time following AWS best practices. It helps you optimize cost, fault tolerance, and more.
Trusted Advisor is an online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment. It provides real-time guidance to help you provision your resources following AWS best practices. It advises on Cost Optimization, Performance, Security and Fault Tolerance.
1. Core checks & recommendations: free (up to 7)
2. Full Trusted Advisor: Business & Enterprise

20
Q

Trusted Advisor Dashboard

A
Dashboard includes
	• Cost optimization
	• Performance
	• Security
	• Fault tolerance
	• Service limits
21
Q

Inspector

A

Amazon Inspector assesses the security and compliance of your EC2 instances.

Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, it produces a detailed list of findings prioritized by level of severity. Reports are available via the Amazon Inspector console or API. It uses an agent installed on your EC2 instances.

22
Q

Cost and Usage

A

Cost and Usage Reports contain a comprehensive set of cost and usage data. While they can help break down costs in regular reports, they don't provide a notification when you have crossed a billing threshold.
An easy-to-use interface that lets you visualize, understand, and manage your AWS costs and usage over time. Used to explore costs after they have been incurred.
Provides cost optimization recommendations.

23
Q

Budgets

A

AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount. Used to budget before costs have been incurred.

24
Q

Resource Access Manager

A

• Allows resource sharing between multiple AWS accounts
• Can share: App Mesh, Aurora, CodeBuild, EC2, EC2 Image Builder, License Manager, Resource Groups, Route 53
• Can share a resource without giving access to your subnet so that they can clone it

25
Q

Firewall Manager

A

AWS Firewall Manager makes it possible to manage VPC security groups, AWS Shield Advanced, and WAF rules from one place, even across multiple AWS accounts.

26
Q

Cost Explorer

A

You create a forecast by selecting a future time range for your report. For more information, see Choosing time ranges for the data that you want to view. The following describes the accuracy of the forecasts created by Cost Explorer and how to read them.

A forecast is a prediction of how much you will use AWS services over the forecast time period that you selected, based on your past usage. Forecasting provides an estimate of what your AWS bill will be and enables you to use alarms and budgets for amounts that you’re predicted to use. Because forecasts are predictions, the forecasted billing amounts are estimated and might differ from your actual charges for each statement period.