Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

1_AWS Certified Associate - UPDATED VERSION - MAIN Concepts > Chapter 20 - Governance > Flashcards

Chapter 20 - Governance Flashcards

1
Q

Service control policies, or SCPs for short

A

SCPs are the only way to restrict root accounts.

  • They have the ultimate and final say
  • They override all other permission sets
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Centralized logs

A

They’re always the right answer when talking about logging.

  • We always want to focus on having a logging solution that centralizes everything into one single bucket or even one single logging account.
  • And CloudTrail offers the ability to centralize all of its logs using AWS Organizations.
  • You never want to spread out your logs to multiple locations because it increases the chances that you’re going to lose some data and it makes it much harder to audit later on.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Config

A

Is your best friend when it comes to standardization.

  • Anytime we need to have a standard and then enforce that standard inside of our AWS account, we want to be thinking Config
  • Config can create that rule to check for is this standard set up correctly
  • Or is somebody violating my best practice
  • Also gives us the ability to see what changed.
  • So it gives us a history of what happened on top of giving us a set of rules and the ability to enforce those rules.

So if you’re seeing as scenario that lays out, oh, we need to take a look at what changed where and when, Config gives you the ability to go back in time and say, oh, that database was provisioned at this date and shut down at this date and can link you to those CloudTrail logs of who actually made those calls.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Systems Manager

A

Whenever we find that rule violation, we need to automate that response using those automation documents that Systems Manager provides.

This is going to be your best remediation step.

Another option could be using Lambda and a function that’s written.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Authentication Services

A

We’re using single sign-on Active Directory for internal users and Cognito for external.

  • If you see a question that’s talking about mobile external users, automatically think Cognito.
  • There’s no one solution that’s perfect but we’re using
    • Either single sign-on,
    • On-premise Active Directory,
    • Single sign-on linked to AWS Active Directory
  • If the scenario is laying out a lift and shift into the cloud, we want to pick that managed Microsoft Active Directory.
  • If this migration is talking about leaving Active Directory on-premise, leaving it in that physical data center, you want to think AD Connector to connect back into that physical architecture.
  • Never, ever, ever, and I cannot say that enough, set up credentials where you don’t need them.
  • We always want to use those cross-account roles or even just roles in general, rather than creating IAM credentials we don’t need.
  • Best practice, give them temporary access by the ability to assume a role.
  • Use that to check all of your architecture that’s spread out across multiple accounts.
  • Use roles everywhere.
  • Roles are the best answer when it comes to talk about credential.
  • When you’re doing that cross-account access, use roles.
  • You never want to duplicate user credentials and make them in accounts that shouldn’t be there.
    *
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Cost management

A

Make sure that you have tags set up so you can audit your spend

  • You can use Cost Explorer to run those reports
  • You can use Budgets to create budgets
  • Set up those alarms, set up those alerts so you’re being proactive about your cost notifications. Get ahead of the problem.
  • SNS is your friend - On the exam, focus on answers that alert users using SNS that give them that heads up when you’re getting to that 80, 90, 40% threshold whatever is specified on the test.
  • Focus on answers that have that complete resolution that don’t just say there’s a problem, but that identify the problem and then automate solving it.

Automate, automate, automate -

  • If you’re spending too much money, shut things down.
  • Spending too much money, turn stuff off.
  • Eliminate that CloudFormation template.
  • Shut down that architecture and you want to do it using Lambda,
  • Using Automation Documents,
  • Using something that doesn’t require human interaction.
  • Always prefer answers on the exam that include automation especially when it comes to cost.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Trusted Advisor

A
  • It’s good to know that it’s free but if you want the extended set of checks, you have to have a paid support plan
  • because those are going to be the really useful checks.
  • Keep in mind those different areas of focus that Trusted Advisor looks into.
  • On the exam, you will see distractors that paint Trusted Adviser as the end all be all to every sort of auditing issue that you’ll run into. That’s not actually the case.
  • Trusted Advisor can simply tell you when something is wrong
  • But you are going to have to fix the problem.
  • It will not automatically solve the problem by itself.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

EventBridge

A

Use EventBridge to kick off Lambda to solve the problem for you

How well did you know this?
1
Not at all
2
3
4
5
Perfectly

1_AWS Certified Associate - UPDATED VERSION - MAIN Concepts (51 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions