Deck 3 Flashcards

1
Q

How many policies per role?

A

2

2
Q

What to do to avoid storing credentials in EC2 instances?

A

Assign role(s) to the instance

3
Q

STS user provenance

A

• Federation (AD):
  - Uses Security Assertion Markup Language (SAML)
  - Grants temporary access based on the user's AD credentials (the user does not need to be a user in AWS)
• Federation with mobile apps:
  - Use Facebook / Amazon / Google or other OpenID providers to log in
• Cross-account access:
  - Lets users from one AWS account access resources in another.

4
Q

Define federation

A

Combining or joining lists of users from one domain with another (e.g. IAM and AD, or IAM and Google)

5
Q

Define identity broker

A

Service that allows you to take an identity from point A and federate it to point B.

6
Q

Define identity store

A

Services that create identities, such as AD, Google, Facebook, etc.

7
Q

Define identity

A

A user of a service such as Facebook, etc.

8
Q

Responsibilities in the shared security model

A

• AWS is responsible for securing the underlying infrastructure that supports the cloud (the hardware, software, networking and facilities that run AWS services).
• You're responsible for anything you put in the cloud or connect to the cloud.

9
Q

User responsibility in managed services

A

Account management and user access.

10
Q

What does CloudTrail log?

A

API calls

11
Q

What does AWS do when a storage device has reached the end of its useful life?

A

AWS procedures include a decommissioning process that is designed to prevent data from being exposed (degaussing and physical destruction).

12
Q

What can customers who require additional layers of network security do?

A
• VPC private subnet within the AWS cloud
• Use an IPsec VPN device to provide an encrypted tunnel between AWS VPN and your data centre.

13
Q

What does AWS protect networks from?

A

• DDoS
• MITM
• Packet sniffing
• Port scanning

14
Q

Is it possible to perform a vulnerability scan on your AWS resources?

A

Yes, but you have to ask AWS for permission

15
Q

AWS credential types

A

• Passwords: AWS root account and IAM user account access to the AWS Management Console.
• MFA: AWS root account and IAM user account access to the AWS Management Console.
• Access keys: Digitally signed requests to AWS APIs.
• Key pairs: SSH login to EC2 instances. CloudFront signed URLs.
• X.509 certificates: Digitally signed SOAP requests to AWS APIs. SSL server certificates for HTTPS.

16
Q

What can you do to make sure S3 is secure?

A

Create a temporary URL and send it to the user

17
Q

To which service is Trusted Advisor related?

A

IAM

18
Q

What is Direct Connect?

A

A dedicated network connection from your premises to AWS

19
Q

From where is Route 53 served?

A

Edge locations

20
Q

What should you do to increase network performance?

A

Increase instance size

21
Q

Can EBS throughput vary depending on the size of the instance?

A

Yes

22
Q

What is the main difference between NACLs and SGs?

A
• SGs are stateful
• NACLs are stateless

23
Q

How do you restore the default VPC?

A

Contact AWS to get it back

24
Q

VPC subnet size restrictions

A

• Not larger than /16
• Not smaller than /28
  (so /16 is recommended)

25
Q

What is VPC peering?

A

Connect one VPC to another via a direct network route using private IP addresses

26
Q

Which VPCs can you connect to via VPC peering?

A
• VPCs in another AWS account or in the same one
• Only VPCs in the same region

27
Q

Is VPC peering transitive?

A

No, it uses a star configuration

28
Q

VPC main components

A
  • IGW (or Virtual Private Gateway)
  • Route tables
  • NACL
  • Subnets
  • SGs
29
Q

How many IGW per VPC?

A

1

30
Q

Does a subnet have a route table when it is created?

A

When you create a subnet, it is automatically associated with the default route table.

31
Q

Steps to build custom VPC

A
  1. Create a VPC. By default, it will create:
    a. Route table
    b. NACL
    c. SG
  2. Create subnets
  3. Create IGW. Attach it to VPC
  4. Create custom route table
  5. Create instances
32
Q

Parameter to disable in NAT instances

A

Disable parameter “Enable source destination check”

33
Q

In which kind of subnet should you put a NAT instance?

A

Public

34
Q

What do you need to use NAT from a private subnet?

A

There must be a route out of the private subnet to the NAT instance

35
Q

Which kind of IP should a NAT instance have?

A

EIP

36
Q

NAT gateways

A
  • Very new
  • Preferred by the enterprise
  • Scale automatically up to 10 Gbps
  • No need to patch
  • Not associated with SGs
  • Automatically assigned a public IP address
  • Remember to update your route tables
  • No need to disable source/destination check
37
Q

At which level do NACLs and SGs operate?

A
• NACLs: Subnet level (2nd layer)
• SGs: Instance level (1st layer)

38
Q

How are rules evaluated in NACLs and SGs?

A
• NACLs: in number order
• SGs: All rules evaluated before allowing traffic

39
Q

How many NACLs per subnet?

A

1

40
Q

Traffic allowed by default on the default and custom NACLs

A
• Default: all inbound / outbound
• Custom: none

41
Q

How many subnets per NACL?

A

Multiple

42
Q

What should you use to block an IP address?

A

NACL

43
Q

What do you need to provide HA for your ELB?

A

More than 1 AZ

44
Q

What do you need to run a NAT instance in HA?

A

Tricky to make resilient. You need one in each subnet, each with a public IP, and you need to write a script to fail over between them. Instead, if possible, use NAT Gateways.

45
Q

Does traffic between AZs have a cost?

A

Yes

46
Q

Who executes user data?

A
• cloud-init on Linux
• EC2Config service on Windows

47
Q

How many times is user data executed?

A

Once per instance-id by default

48
Q

What does user data do on failure?

A

Exits

49
Q

IP address for instance metadata?

A

169.254.169.254

50
Q

Which family of instances works with credits?

A

T2

51
Q

What do egress rules control?

A

Traffic going out of the instance

52
Q

What is Trusted Advisor?

A

A service that makes recommendations for us

53
Q

What should you use to copy images between regions?

A

EC2 copy-image (traffic costs apply)

54
Q

What is Cost Explorer?

A

A service to manage costs

55
Q

What is AWS Config?

A

Records the overall status of your services

56
Q

Which service do roles use to work?

A

STS

57
Q

What is better: doubling the instance size or doubling the instance count?

A

Hurry up and go idle. A larger instance size can save time and money

58
Q

Is it a good idea to monitor EC2 T2 instances by CPU?

A

No, monitoring instances without credits will show a usage of approximately 20% (or the baseline performance)