Deck 3 Flashcards
How many policies per role?
2 kinds: a trust policy (who is allowed to assume the role) and permissions policies (what the role is allowed to do; several managed or inline policies can be attached)
What to do to avoid storing credentials on EC2 instances?
Assign a role to the instance (through an instance profile); the application then reads short-lived credentials from the instance metadata service instead of having access keys baked into the AMI or config files
Where do STS identities come from?
• Federation (AD):
- Uses Security Assertion Markup Language (SAML)
- Grants temporary access based on the user's AD credentials (the user does not need to exist in IAM)
• Web identity federation (mobile apps):
- Log in with Facebook / Amazon / Google or another OpenID Connect provider
• Cross Account Access:
- Lets users from one AWS account access resources in another
Define federation
Combining or joining the lists of users of one domain with those of another (e.g. IAM and AD, or IAM and Google)
Define Identity broker
Service that allows you to take an identity from point A and federate it to point B.
Define identity store
A service that holds and manages identities, like AD, Google, Facebook, etc.
Define identity
A user of a service like Facebook, etc.
Responsibilities in the shared security model
- AWS is responsible for securing the underlying infrastructure that supports the cloud (the hardware, software, networking and facilities that run AWS services)
- You are responsible for anything you put in the cloud or connect to the cloud (your data, guest OS patching, IAM configuration, encryption)
Customer responsibility in managed services
Account management and user access (AWS patches and operates the service itself)
What does CloudTrail log?
API calls
What does AWS do when a storage device has reached the end of its useful life?
AWS procedures include a decommissioning process designed to prevent data from being exposed (the device is degaussed and physically destroyed)
What can customers who require additional layers of network security do?
- Use a VPC private subnet within the AWS cloud
- Use an IPsec VPN device to provide an encrypted tunnel between your VPC and your data centre
AWS protects networks from?
- DDoS
- MITM
- Packet sniffing
- Port scanning
Is it possible to perform a vulnerability scan on your AWS resources?
Yes. Historically you had to ask AWS for permission first; AWS now allows testing of many services (EC2, RDS, Lambda and others) without prior approval, while DoS/DDoS simulation still requires it
AWS credential types
• Passwords: AWS root account and IAM user account to the AWS management console.
• MFA: AWS root account and IAM user account to the AWS management console.
• Access keys: Digitally signed requests to AWS APIs.
• Key pairs: SSH login to EC2 instances; CloudFront signed URLs.
• X.509 certificates: Digitally signed SOAP requests to AWS APIs. SSL/TLS server certificates for HTTPS.
How can you give a user temporary access to a private S3 object?
Generate a time-limited pre-signed URL and send it to the user; the object itself stays private and the URL stops working when it expires
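Worked example (added here; it is not part of the original deck and not AWS or boto3 code): building an S3 pre-signed GET URL with Signature Version 4 using only the Python standard library, plus a verify function that re-derives the signature the way the service would. The access key and secret are the placeholder values AWS uses in its documentation; the bucket, object key, timestamp and expiry are assumptions.

```python
"""S3 pre-signed GET URL with AWS Signature Version 4 (added example, not AWS/boto3 code)."""
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlparse

ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str = "s3") -> bytes:
    """Derive the scoped key (date -> region -> service -> aws4_request); the long-term
    secret itself never signs a request directly."""
    key = _hmac_sha256(("AWS4" + secret).encode(), date)
    key = _hmac_sha256(key, region)
    key = _hmac_sha256(key, service)
    return _hmac_sha256(key, "aws4_request")


def presign_get(bucket, key, access_key, secret, region, amz_date, expires):
    """Build a time-limited GET URL for s3://bucket/key.
    amz_date is 'YYYYMMDDTHHMMSSZ' (UTC); expires is the lifetime in seconds (max 604800)."""
    host = f"{bucket}.s3.amazonaws.com"
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, everything RFC 3986-escaped ('/' -> %2F).
    canonical_query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                               for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET",
        "/" + quote(key, safe="/"),
        canonical_query,
        f"host:{host}\n",        # canonical headers block ends with an empty line
        "host",                  # signed headers
        "UNSIGNED-PAYLOAD",      # S3 pre-signed URLs do not sign the body
    ])
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret, date, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}/{quote(key, safe='/')}?{canonical_query}&X-Amz-Signature={signature}"


def verify_presigned(url, secret):
    """Service-side view: rebuild the URL from its own signed parameters and compare
    signatures in constant time. Any change to key, scope, date or expiry breaks it."""
    parsed = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    access_key, _date, region, *_ = q["X-Amz-Credential"].split("/")
    bucket = parsed.hostname.split(".")[0]
    rebuilt = presign_get(bucket, parsed.path.lstrip("/"), access_key, secret, region,
                          q["X-Amz-Date"], int(q["X-Amz-Expires"]))
    expected = parse_qs(urlparse(rebuilt).query)["X-Amz-Signature"][0]
    return hmac.compare_digest(expected, q.get("X-Amz-Signature", ""))


if __name__ == "__main__":
    # Placeholder credentials from the AWS documentation; bucket/key/date are assumptions.
    url = presign_get("examplebucket", "test.txt", "AKIAIOSFODNN7EXAMPLE",
                      "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "us-east-1",
                      "20130524T000000Z", 86400)
    print(url)
    print(verify_presigned(url, "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"))
```

The long-term secret never appears in the URL, only a signature derived from a per-day, per-region key does, and changing any signed parameter (object key, expiry, credential scope) invalidates it. A real endpoint additionally rejects the URL once X-Amz-Date plus X-Amz-Expires has passed, a check this example omits.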
To which service is Trusted Advisor related?
IAM (its security checks include IAM use, MFA on the root account, open security groups and S3 bucket permissions)
What is Direct connect?
Dedicated network connection from your premises to AWS
From where is Route 53 served?
Edge locations
What should you do in order to increase network performance?
Use a larger instance size
Can EBS throughput vary depending on the size of the instance?
Yes
Main difference between NACLs and SGs?
- SGs are stateful (return traffic is allowed automatically)
- NACLs are stateless (return traffic needs its own rule)
How to restore a default VPC?
Contact AWS support to get it back (you can now also create one yourself with aws ec2 create-default-vpc)
VPC subnet size restrictions
- no larger than /16
- no smaller than /28
(a /16 is the usual recommendation for the VPC itself; AWS reserves 5 addresses in every subnet)
What is VPC peering?
Connecting one VPC to another via a direct network route using private IP addresses
With which VPCs can you connect via VPC peering?
- VPCs in another AWS account or in the same one
- Originally only VPCs in the same region (inter-region peering is now supported too)
Is VPC peering transitive?
No, it uses a star (hub-and-spoke) configuration; every pair of VPCs that must talk needs its own peering connection
VPC main components
- IGW (or Virtual Private Gateway)
- Route tables
- NACL
- Subnets
- SGs
How many IGW per VPC?
1
Does a subnet have a route table when it is created?
Yes: when you create a subnet it is automatically associated with the VPC's main route table
Steps to build a custom VPC
- Create a VPC. By default, it will create:
  a. Route table
  b. NACL
  c. SG
- Create subnets
- Create an IGW and attach it to the VPC
- Create a custom route table with a route to the IGW and associate it with the public subnet
- Create instances
Parameter to disable in NAT instances
Disable "source/destination check" (the instance must forward traffic that is neither from nor to its own address)
In which kind of subnet should you put a NAT instance?
Public
What do you need for a private subnet to use NAT?
There must be a route out of the private subnet to the NAT instance
Which kind of IP should a NAT instance have?
An Elastic IP (EIP)
NAT gateways
- Newer managed alternative to NAT instances
- Preferred by the enterprise
- Scale automatically (originally up to 10 Gbps; the limit has since been raised)
- No need to patch
- Not associated with SGs
- Given an Elastic (public) IP address when created
- Remember to update your route tables
- No need to disable source/destination check
At which level do NACLs and SGs operate?
- NACLs: Subnet level (2nd layer)
- SGs: Instance level (1st layer)
How are rules evaluated in NACLs and SGs?
- NACLs: in ascending rule-number order; the first matching rule decides
- SGs: all rules are evaluated before traffic is allowed; any matching rule allows it (SGs have no deny rules)
How many NACLs per subnet?
1
Traffic allowed by default on default and custom NACLs
- default: all inbound / outbound
- custom: none (everything is denied until you add rules)
How many subnets per NACL?
Multiple
What should you use for blocking an IP address?
A NACL (security groups only have allow rules)
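Added illustration (not AWS code, and not part of the original deck): a toy evaluator for the two rule models described on the cards above. NACL rules are walked in number order and the first match wins, and because the NACL is stateless the reply direction needs its own allow on the ephemeral port range; the security group is allow-only and stateful, which is why it cannot block a single address. The rule sets and client addresses are constructed.

```python
"""Toy evaluator contrasting NACL and security-group semantics (added example, not AWS code)."""
import ipaddress

ALLOW, DENY = "allow", "deny"


def _rule_matches(cidr, port_from, port_to, ip, port):
    """True when ip falls inside cidr and port is within the rule's range."""
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)
            and port_from <= port <= port_to)


def nacl_evaluate(rules, ip, port):
    """NACL: rules are (number, action, cidr, port_from, port_to).  They are
    consulted in ascending number order and the first match decides; with no
    match the implicit final '*' rule denies."""
    for _number, action, cidr, port_from, port_to in sorted(rules):
        if _rule_matches(cidr, port_from, port_to, ip, port):
            return action
    return DENY


def sg_evaluate(rules, ip, port):
    """Security group: rules are (cidr, port_from, port_to), allow-only.  Every
    rule is considered and any match allows; there is no way to express a deny."""
    for cidr, port_from, port_to in rules:
        if _rule_matches(cidr, port_from, port_to, ip, port):
            return ALLOW
    return DENY


# Constructed inbound NACL for a public web subnet.
INBOUND_NACL = [
    (100, DENY, "203.0.113.7/32", 0, 65535),   # block one abusive address first
    (200, ALLOW, "0.0.0.0/0", 443, 443),       # HTTPS from anywhere
]
# Constructed outbound NACL: replies go back to the clients' ephemeral ports.
OUTBOUND_NACL = [
    (100, ALLOW, "0.0.0.0/0", 1024, 65535),
]
# Constructed security group for the same web server.
WEB_SG = [("0.0.0.0/0", 443, 443)]


def nacl_allows_connection(client_ip, client_port, server_port,
                           inbound=INBOUND_NACL, outbound=OUTBOUND_NACL):
    """Stateless: the request (client -> server_port) and the reply (server -> client_port)
    are judged independently, so both directions need a matching allow."""
    return (nacl_evaluate(inbound, client_ip, server_port) == ALLOW
            and nacl_evaluate(outbound, client_ip, client_port) == ALLOW)


def sg_allows_connection(client_ip, server_port, rules=WEB_SG):
    """Stateful: once the inbound request is allowed, the reply is allowed automatically,
    regardless of any outbound rule."""
    return sg_evaluate(rules, client_ip, server_port) == ALLOW
```

Two things to try with it: move the deny rule to number 300 and the blocked address gets through, because rule 200 matches first; empty the outbound NACL and the connection fails even though the inbound allow is still there, which is the stateless trap the "ephemeral ports" rule exists for.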
What do you need to provide HA to your ELB?
More than 1 AZ
What do you need to run NAT instances in HA?
Tricky to make resilient. You need one in each public subnet (one per AZ), each with a public IP, and you need to write a script to fail over between them. Instead, if possible, use NAT Gateways.
Does traffic between AZs have cost?
Yes
Who executes user data?
- cloud-init on Linux
- EC2Config service on Windows
How many times is user data executed?
Once per instance ID by default (it does not run again on reboot)
What happens when user data fails?
The script exits (the instance still boots); check the cloud-init log for the error
IP address for instance metadata?
169.254.169.254 (link-local, reachable only from inside the instance; prefer the token-based IMDSv2)
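Added example (not AWS code, not part of the original deck) tying together the cards on instance roles, STS and the metadata address: the IMDSv2 exchange an application on an EC2 instance uses to fetch its role's temporary STS credentials, simulated offline against a stand-in metadata server bound to localhost. The role name, session token and credential values are constructed placeholders; on a real instance the base URL is http://169.254.169.254 and the role name comes from the instance profile.

```python
"""IMDSv2 credential fetch, simulated offline (added example, not AWS code)."""
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

IMDS_IP = "169.254.169.254"            # the real link-local address (not used offline)
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
ROLE_NAME = "app-role"                 # assumed instance-profile role name
FAKE_TOKEN = "constructed-session-token"
FAKE_CREDS = {                         # constructed placeholders, not real keys
    "Code": "Success",
    "AccessKeyId": "ASIAEXAMPLE",
    "SecretAccessKey": "example-secret",
    "Token": "example-session-token",
    "Expiration": "2030-01-01T00:00:00Z",
}
# Direct connection: a metadata request must never be routed through an HTTP proxy.
_opener = build_opener(ProxyHandler({}))


class FakeIMDS(BaseHTTPRequestHandler):
    """Stand-in for the metadata service in IMDSv2-only mode."""

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # Step 1: a PUT with a TTL header yields a session token.
        ttl = self.headers.get("X-aws-ec2-metadata-token-ttl-seconds")
        if self.path != TOKEN_PATH or ttl is None:
            return self._reply(400, "missing TTL header")
        self._reply(200, FAKE_TOKEN)

    def do_GET(self):
        # Step 2: every GET must present that token, otherwise 401.
        if self.headers.get("X-aws-ec2-metadata-token") != FAKE_TOKEN:
            return self._reply(401, "Unauthorized")
        if self.path == CREDS_PATH:
            return self._reply(200, ROLE_NAME)
        if self.path == CREDS_PATH + ROLE_NAME:
            return self._reply(200, json.dumps(FAKE_CREDS))
        self._reply(404, "not found")

    def log_message(self, *args):
        pass                           # keep the example quiet


def start_fake_imds():
    """Start the stand-in on an ephemeral localhost port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def fetch_role_credentials(base_url, ttl_seconds=21600):
    """Client side of IMDSv2: PUT for a token, then GET the role name and its credentials."""
    req = Request(base_url + TOKEN_PATH, method="PUT",
                  headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)})
    with _opener.open(req, timeout=5) as resp:
        token = resp.read().decode()
    auth = {"X-aws-ec2-metadata-token": token}
    with _opener.open(Request(base_url + CREDS_PATH, headers=auth), timeout=5) as resp:
        role = resp.read().decode().strip()
    with _opener.open(Request(base_url + CREDS_PATH + role, headers=auth), timeout=5) as resp:
        return json.loads(resp.read().decode())


def fetch_without_token(base_url):
    """IMDSv1-style GET with no token (what a naive SSRF would send); returns the HTTP status."""
    try:
        with _opener.open(base_url + CREDS_PATH, timeout=5) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


if __name__ == "__main__":
    server, url = start_fake_imds()
    try:
        print(fetch_role_credentials(url)["AccessKeyId"])
        print(fetch_without_token(url))
    finally:
        server.shutdown()
```

The PUT-then-GET shape is what makes IMDSv2 resist a naive SSRF: a forwarded GET without the token gets 401, as fetch_without_token shows, and the token's TTL header is only honoured on a PUT, which most SSRF primitives cannot issue. The credentials returned are STS temporary credentials with an Expiration field; applications (and SDK credential providers) refresh them before that time rather than caching them indefinitely.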
Which family of instances works with credits?
T2 (burstable; the same model applies to the later T3 and T4g families)
What do egress rules control?
Traffic leaving the instance
What is Trusted Advisor?
Service that makes recommendations on cost, performance, security and fault tolerance
What should you use to copy images between regions?
EC2 copy-image (data transfer charges apply)
What is Cost explorer?
Service to manage costs
What is AWS Config?
Records the configuration of your resources over time and evaluates it against rules
Which service do roles use to work?
STS (the role's temporary credentials are issued by STS)
What is better, doubling the instance size or the instance count?
"Hurry up and go idle": a larger instance size can save time and money
Is it a good idea to monitor EC2 T2 instances by CPU?
No, an instance that has run out of credits shows roughly 20% CPU usage (its baseline performance); monitor the CPUCreditBalance metric instead