Deck 3

Question 1

How many policies per role?

Answer 1

2

Question 2

What to do to avoid storing credentials in EC2 instances?

Answer 2

Assign role/s to instance

Question 3

STS user’s procedence

Answer 3

• Federation (AD):
- Uses Security Assertion Markup Language (SAML)
- Grants temporary access based on the users AD credentials (does not need to
be an user in AWS)
• Federation with mobile apps
- Use Facebook / Amazon / Google or other OpenID providers to login
• Cross Account Access:
- Let users from one AWS account access resources in another.

Question 4

Define federation

Answer 4

Combining or joining lists of users from one domain to another (Ex: IAM and AD or IAM and Google)

Question 5

Define Identity broker

Answer 5

Service that allows you to take an identity from point A and federate it to point B.

Question 6

Define identity store

Answer 6

Services that create identities, like AD, Google, Facebook, etc.

Question 7

Define identitie

Answer 7

User of a service like Facebook, etc.

Question 8

Responsibilities in shared security model

Answer 8

• AWS is responsible for securing the underlying infrastructure that supports the cloud (hardware, software, networking and facilities that runs AWS services)
• You’re responsible for anything you put on the cloud or connect to the cloud.

Question 9

User responsability in managed services

Answer 9

Account management and user access.

Question 10

What does CloudTrail logs?

Answer 10

API calls

Question 11

What AWS does when a storage device has reached the end of its useful life?

Answer 11

AWS procedures include a decommissioning process that is designed to prevent data to being exposed (degauss and physically destroyed).

Question 12

What can customers who require additional layers of network security do?

Answer 12

• VPC private subnet within the AWS cloud

- Use an IPSec VPN device to provide an encrypted tunnel between AWS VPN and your data centre.

Question 13

AWS protects networks from?

Answer 13

• DDOS
• MITM
• Packet sniffing
• Port scanning

Question 14

Is it possible to perform a vulnerability scan in your AWS resources?

Answer 14

Yes, but you have to ask AWS for permision

Question 15

AWS credential types

Answer 15

• Passwords: AWS root account and IAM user account to the AWS management console.
• MFA: AWS root account and IAM user account to the AWS management console.
• Access keys: Digitally signed requests to AWS APIs.
• Key Pairs: SSH login to EC2 instances. Cloudfront signed URLs.
• X.509 certificates: Digitally signed SOAP requests to AWS APIs. SSL server
certificates for HTTPS.

Question 16

What can you do to make sure S3 is secure?

Answer 16

Create a temporary URL and sent it to the user

Question 17

To which service is related trusted advisor?

Answer 17

IAM

Question 18

What is Direct connect?

Answer 18

Dedicated network connection from your premises to AWS

Question 19

From where is served route 53?

Answer 19

Edge locations

Question 20

What you should do in order to increase network performance?

Answer 20

Increase instance size

Question 21

Can EBS throughput vary depending on the size of the instance?

Answer 21

Yes

Question 22

Main difference between NACLs and SGs?

Answer 22

• SGs are stateful

* NACLs are stateless

Question 23

How to restore default VPC?

Answer 23

Contact AWS to get it back

Question 24

VPC subnet size restrictions

Answer 24

• not bigger than /16
• not lower than /28
  (then, recommended /16)

Question 25

What is VPC peering?

Answer 25

Connect over VPC to another via a direct network route using private IP addresses

Question 26

With which VPCs you can connect via VPC peering?

Answer 26

• VPCs in another AWS account or in the same

- Only VPCs in the same region

Question 27

Is VPC peering transitive?

Answer 27

No, it uses a star configuration

Question 28

VPC main components

Answer 28

• IGW (or Virtual Private Gateway)
• Route tables
• NACL
• Subnets
• SGs

Question 29

How many IGW per VPC?

Answer 29

1

Question 30

Does a subnet have a route table when it is created?

Answer 30

When you create a subnet, it is automatically associated with the default route table.

Question 31

Steps to build custom VPC

Answer 31

1. Create a VPC. By default, it will create:
   a. Route table
   b. NACL
   c. SG
2. Create subnets
3. Create IGW. Attach it to VPC
4. Create custom route table
5. Create instances

Question 32

Parameter to disble in NAT instances

Answer 32

Disable parameter “Enable source destination check”

Question 33

In which kind of subnet should you put a NAT instance?

Answer 33

Public

Question 34

What do you need to use NAT to a private subnet?

Answer 34

There must be a route out of the private subnet to the NAT instance

Question 35

Which kind of IP should have a NAT instance?

Answer 35

EIP

Question 36

NAT gateways

Answer 36

• Very new
• Preferred by the enterprise
• Scale automatically up to 10 Gbps
• No need to patch
• Not associated with SGs
• Automatically assigned a public IP address
• Remember to update your route tables
• No need to disable source/destination check

Question 37

In which level operate NACLs and ASGs?

Answer 37

• NACLs: Subnet level (2nd layer)

- SGs: Instance level (1st layer)

Question 38

How are rules evaluated in NACLs and ASGs?

Answer 38

• NACLs: by number order

- SGs: All rules evaluated before allowing traffic

Question 39

How many NACLs per subnet?

Answer 39

1

Question 40

Traffic allowed by default on default and custom NACL

Answer 40

• default: all inbound / outbound

- custom: none

Question 41

How many subnets per NACL?

Answer 41

Multiple

Question 42

What shoul you you use for blocking a IP address?

Answer 42

NACL

Question 43

What do you need to provide HA to your ELB?

Answer 43

More than 1 AZ

Question 44

What do you need to provide NAT instance in HA?

Answer 44

Tricky to make resilient. You need 1 in each subnet, each with public IP, and you
need to write a script to fail between them, Instead, if possible, use NAT Gateways.

Question 45

Does traffic between AZs have cost?

Answer 45

Yes

Question 46

Who executes user data?

Answer 46

• Cloud-init on Linux

* EC2Config service on Windows

Question 47

How many times user data is executed?

Answer 47

Once per instance-id by default

Question 48

What does user data do on failure?

Answer 48

Exits

Question 49

IP address for instance metadata?

Answer 49

169.254.169.254

Question 50

Which family of instances works with credits?

Answer 50

T2

Question 51

What control egress rules?

Answer 51

Traffic going outside instance

Question 52

What is Trusted advisor?

Answer 52

Service that makes recommendations for us

Question 53

What should you use to copy images between regions?

Answer 53

EC2 copy-image (traffic cost apply)

Question 54

What is Cost explorer?

Answer 54

Service to manage costs

Question 55

What is AWS config?

Answer 55

Registers the overal status of your services

Question 56

Which service do roles use to work?

Answer 56

STS

Question 57

What is better, double instance size or instance count?

Answer 57

Hurry up and go idle A larger instance size can save time and money

Question 58

Is it a good idea to monitor EC2 t2 instances by CPU?

Answer 58

No, monitoring instances without credits will show an usage of 20% (or baseline
peformance) aprox