Design Secure Architectures Flashcards

1
Q

What is true about the default network ACL?

A

You can add or remove rules from the default network ACL.

The default network ACL is configured to allow all inbound and outbound traffic for the subnets it is associated with (rule 100 allows all traffic in each direction). You can add and remove your own rules in it. Every network ACL, default or custom, also ends with a rule whose rule number is an asterisk: if a packet matches none of the numbered rules, this rule denies it. You can't modify or remove that rule. A custom network ACL you create yourself starts with only the asterisk rule, so it denies everything until you add numbered rules.

2
Q

You have a regulatory requirement that the application is secure and you must use a firewall managed by AWS that enables control and visibility over VPC-to-VPC traffic and prevents the VPCs hosting your sensitive application resources from accessing domains using unauthorized protocols. What AWS service would support this?

A

AWS Network Firewall

The AWS Network Firewall infrastructure is managed by AWS, so you don’t have to worry about building and maintaining your own network security infrastructure. AWS Network Firewall’s stateful firewall can incorporate context from traffic flows, like tracking connections and protocol identification, to enforce policies such as preventing your VPCs from accessing domains using an unauthorized protocol. AWS Network Firewall gives you control and visibility of VPC-to-VPC traffic to logically separate networks hosting sensitive applications or line-of-business resources.

3
Q

AWS WAF

A

AWS WAF is a web application firewall that helps protect web applications from attacks by allowing you to configure rules that allow, block, or monitor (count) web requests based on conditions that you define. These conditions include IP addresses, HTTP headers, HTTP body, URI strings, SQL injection and cross-site scripting.

4
Q

AWS Firewall Manager

A

AWS Firewall Manager is a security management service that allows you to centrally configure and manage AWS WAF rules, AWS Shield Advanced protections, Amazon VPC security groups, AWS Network Firewall policies, and Route 53 Resolver DNS Firewall rules across the accounts of an AWS Organization. With Firewall Manager, you can roll out firewall rules across your accounts and resources (including resources created later, which are brought into compliance automatically), making it easier to keep a consistent security posture across your entire AWS environment.

5
Q

This service provides private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network. It allows you to access services over a private endpoint within your VPC or via Direct Connect, keeping your traffic off the public internet. This can significantly reduce the risk of exposing sensitive data and improve performance for traffic that doesn’t have to travel over the public internet.

A

AWS PrivateLink

6
Q

A new S3 bucket has been created which will need to allow roughly a third of all users access to sensitive information in the bucket. What is the most time efficient way to get these users access to the bucket?

A

Create a new IAM policy that grants the required permissions on the bucket. Create a group, attach the policy to the group, and add the users to the group. Permissions are then managed in one place: adding or removing a user from the group adds or removes the access, without editing per-user policies.
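As an added example (not part of the original flashcards), the policy that would be attached to such a group, together with a small evaluator that shows what the group members can and cannot do once it is applied. The bucket name `example-sensitive-data`, the object keys and the sample policies are assumptions; the two-statement shape is the real S3 requirement, since `s3:ListBucket` is evaluated against the bucket ARN and `s3:GetObject` against object ARNs. The evaluator models only the core IAM logic (explicit Deny beats Allow, otherwise implicit deny; case-insensitive action names, case-sensitive ARNs) and ignores conditions, NotAction/NotResource and SCPs.

```python
import re
from typing import List, Union

# Hypothetical bucket name; the flashcard does not name one.
BUCKET = "example-sensitive-data"


def bucket_read_policy(bucket: str) -> dict:
    """Least-privilege read policy for one bucket, to attach to the IAM group.

    Two statements are needed: S3 checks s3:ListBucket against the bucket ARN,
    but s3:GetObject against object ARNs (bucket/key). Granting only
    "arn:aws:s3:::bucket/*" is the classic mistake that makes listing fail.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOnlyThisBucket",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {
                "Sid": "ReadObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def _iam_match(pattern: str, value: str, ignore_case: bool) -> bool:
    # IAM wildcards: '*' matches any run of characters (it crosses '/' and ':'),
    # '?' matches exactly one character; everything else is literal.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation for one identity-based policy.

    An explicit Deny wins over any Allow; with no matching Allow the request is
    implicitly denied. Action names are case-insensitive, ARNs are not.
    Condition, NotAction/NotResource and SCPs are not modelled.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_iam_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_iam_match(r, resource, False) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_group_policy(bucket: str = BUCKET) -> dict:
    """What the group members can and cannot do once the policy is attached."""
    policy = bucket_read_policy(bucket)
    obj = f"arn:aws:s3:::{bucket}/reports/q1.csv"   # constructed object key
    return {
        "list_bucket": is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}"),
        "get_object": is_allowed(policy, "s3:GetObject", obj),
        "put_object": is_allowed(policy, "s3:PutObject", obj),
        "delete_object": is_allowed(policy, "s3:DeleteObject", obj),
        "other_bucket": is_allowed(policy, "s3:GetObject", "arn:aws:s3:::other-bucket/x"),
    }


if __name__ == "__main__":
    for k, v in check_group_policy().items():
        print(f"{k:14s} {'allowed' if v else 'denied'}")
```

To restrict a sensitive prefix for the same group, append a `Deny` statement on `arn:aws:s3:::<bucket>/<prefix>/*`; because explicit denies are evaluated first, it overrides the `ReadObjects` allow for that prefix only.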

7
Q

The application will run on EC2 and will make several requests to AWS services such as S3 and DynamoDB. What is the best way to grant permissions to these other AWS services?

A

Create an IAM role (with a trust policy that lets the EC2 service assume it) and attach it to the instance through an instance profile. Applications on the instance then obtain temporary security credentials from the instance metadata service; the credentials are rotated automatically, and no long-term access keys have to be stored on the instance or in the application configuration.
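An added example, not from the original flashcards, of how an application actually obtains those temporary credentials: the IMDSv2 exchange with the instance metadata service (session token via PUT, then the role name, then the credential document). The transport is injectable so the flow runs offline against a constructed stand-in; the role name `app-server-role`, the credential values and the timestamps are made up. The metadata URLs, header names and the fields of the credential document are the real ones. The caveat in the comments (require IMDSv2 so a token-less GET from an SSRF bug is rejected) is this editor's addition.

```python
import json
from datetime import datetime, timezone
from typing import Callable, Dict
from urllib.request import Request, urlopen

IMDS = "http://169.254.169.254"
TOKEN_TTL_SECONDS = 21600  # the maximum IMDSv2 session token lifetime (6 hours)

# transport(method, url, headers) -> response body. Injectable so the flow can be
# exercised without an EC2 instance.
Transport = Callable[[str, str, Dict[str, str]], str]


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> str:
    """Real transport for use on an instance (not exercised offline)."""
    with urlopen(Request(url, method=method, headers=headers), timeout=2) as resp:
        return resp.read().decode()


def _parse_imds_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fetch_role_credentials(transport: Transport = urllib_transport) -> dict:
    # 1. IMDSv2: obtain a session token with a PUT. Setting the instance's
    #    metadata option HttpTokens=required rejects token-less GETs, which is
    #    what an SSRF or open-proxy bug in the application would otherwise issue.
    token = transport("PUT", f"{IMDS}/latest/api/token",
                      {"X-aws-ec2-metadata-token-ttl-seconds": str(TOKEN_TTL_SECONDS)})
    auth = {"X-aws-ec2-metadata-token": token}
    # 2. The name of the role attached through the instance profile.
    role = transport("GET", f"{IMDS}/latest/meta-data/iam/security-credentials/", auth).strip()
    # 3. Temporary credentials for that role (AWS rotates them before they expire).
    doc = json.loads(transport("GET", f"{IMDS}/latest/meta-data/iam/security-credentials/{role}", auth))
    if doc.get("Code") != "Success":
        raise RuntimeError(f"metadata service returned Code={doc.get('Code')!r}")
    return {
        "role": role,
        "access_key_id": doc["AccessKeyId"],
        "secret_access_key": doc["SecretAccessKey"],
        "session_token": doc["Token"],      # must accompany every signed request
        "expires_at": _parse_imds_time(doc["Expiration"]),
    }


def needs_refresh(creds: dict, now_utc: str, margin_seconds: int = 300) -> bool:
    """True when the credentials expire within margin_seconds of now_utc
    (ISO 8601 like the IMDS document, e.g. "2024-05-01T15:57:00Z")."""
    remaining = (creds["expires_at"] - _parse_imds_time(now_utc)).total_seconds()
    return remaining < margin_seconds


SESSION_TOKEN = "AQAAAExampleSessionToken"   # constructed value, not a real token


def fake_imds_transport(method: str, url: str, headers: Dict[str, str]) -> str:
    """Constructed stand-in for the metadata service in IMDSv2-required mode."""
    if method == "PUT" and url == f"{IMDS}/latest/api/token":
        if "X-aws-ec2-metadata-token-ttl-seconds" not in headers:
            raise PermissionError("400: missing TTL header")
        return SESSION_TOKEN
    if headers.get("X-aws-ec2-metadata-token") != SESSION_TOKEN:
        raise PermissionError("401: token required (IMDSv1-style request rejected)")
    if url == f"{IMDS}/latest/meta-data/iam/security-credentials/":
        return "app-server-role\n"
    if url == f"{IMDS}/latest/meta-data/iam/security-credentials/app-server-role":
        return json.dumps({
            "Code": "Success", "LastUpdated": "2024-05-01T10:00:00Z", "Type": "AWS-HMAC",
            "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example-secret",
            "Token": "example-session-token", "Expiration": "2024-05-01T16:00:00Z",
        })
    raise FileNotFoundError(f"404: {url}")


if __name__ == "__main__":
    c = fetch_role_credentials(fake_imds_transport)
    print(c["role"], c["access_key_id"], c["expires_at"].isoformat())
```

In practice the AWS SDKs perform this exchange for you and cache the result; the point of spelling it out is to see that the credentials come from a link-local endpoint reachable by any process on the instance, which is why the instance role should carry only the permissions the application needs.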

8
Q

Amazon S3 can send event notification messages to the following destinations.

A

Publish event messages to an Amazon Simple Notification Service (Amazon SNS) topic

Publish event messages to an Amazon Simple Queue Service (Amazon SQS) queue (standard queues only; FIFO queues are not supported as a destination)

Publish event messages to AWS Lambda by invoking a Lambda function and providing the event message as an argument

Send events to Amazon EventBridge, which can then route them to any EventBridge target

Note that if the destination queue or topic is encrypted with SSE-KMS, Amazon S3 needs permission in the key policy of the associated AWS Key Management Service (AWS KMS) key (formerly called a customer master key, CMK) so it can encrypt the messages it publishes.

9
Q

This feature is used to speed up the transfer of files over long distances between your client and your S3 bucket.

A

Amazon S3 Transfer Acceleration

Transfer Acceleration takes advantage of Amazon CloudFront’s globally distributed edge locations. When you upload a file to your bucket, it first goes to the CloudFront edge location nearest to you and then travels to the S3 bucket over Amazon’s optimized network. Use cases for Transfer Acceleration include:

Large file uploads/downloads where end users are located far from the S3 bucket's region.
Frequent data transfers over long distances.
10
Q

This feature allows you to upload a single large file as a set of smaller parts. After all parts of your object are uploaded, Amazon S3 then combines these parts as a single object.

A

Multipart Upload

This allows for improved throughput and quick recovery from any network issue, since only the failed part has to be retried. It is generally recommended for objects larger than 100 MB and is required for objects larger than 5 GB, the maximum size of a single PUT. Use cases for Multipart Upload include:

Uploading large files where a single operation might time out or fail due to network conditions.
Parallelizing uploads, where different parts are uploaded by different threads or even different machines to speed up the process.
11
Q

An audit has determined that this data must be stored in a secured manner and any data stored in the buckets already or data coming into the buckets must be analyzed and alerts sent out flagging improperly stored data. Which AWS service can be used to meet this requirement?

A

Amazon Macie

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. Macie automatically provides an inventory of your Amazon S3 buckets, including which buckets are unencrypted, publicly accessible, or shared with AWS accounts outside those in your AWS Organizations. Macie then applies machine learning and pattern matching to the buckets you select to identify and alert you to sensitive data, such as personally identifiable information (PII). Macie's alerts, or findings, can be searched and filtered in the AWS Management Console and are sent to Amazon EventBridge (formerly CloudWatch Events) for integration with existing workflow or event management systems, or to drive automated remediation with services such as AWS Step Functions.

12
Q

This is an online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment.

A

AWS Trusted Advisor

Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices.

13
Q

This service assesses applications for exposure, vulnerabilities, and deviations from best practices.

A

Amazon Inspector

Inspector scans EC2 instances, container images in Amazon ECR, and Lambda functions for software vulnerabilities and unintended network exposure, and produces findings prioritized by severity with remediation guidance.

14
Q

This service makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.

A

Amazon Detective

It automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that helps you to investigate and visualize security issues.

15
Q

This is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.

A

Amazon GuardDuty

GuardDuty analyzes AWS CloudTrail management events (and optionally S3 data events), VPC Flow Logs, and DNS query logs. It reads these data sources directly from AWS, so you do not have to enable or store the logs yourself for GuardDuty to analyze them.

16
Q

A fully managed service that uses machine learning (ML) to identify potentially fraudulent activities in real-time, such as online payment fraud and the creation of fake accounts.

A

Amazon Fraud Detector

It would typically be used in customer-facing applications, such as e-commerce platforms or financial services, to score events like payment transactions or account registrations for fraud risk in real time.

17
Q

You have configured a VPC with both a public and a private subnet. You need to deploy a web server and a database. You want the web server to be accessed from the Internet by customers. Which is the proper configuration for this architecture?

A

Web server in public subnet, database in private subnet.

In a best-practice VPC architecture, you launch the web servers or elastic load balancers in the public subnet and the database servers in the private subnet.

18
Q

How many security groups can be attached to an EC2 instance?

A

By default you can assign up to five security groups per network interface (a quota that can be raised on request). Security groups are actually associated with the instance's elastic network interfaces, so an instance with several interfaces can have a different set of groups on each.

19
Q

A single source you can visit to get the compliance-related information that matters to you, such as AWS security and compliance reports or select online agreements.

A

AWS Artifact

20
Q

You work for an organization that has multiple AWS accounts in multiple regions and multiple applications. You have been tasked with making sure that all your firewall rules across these multiple accounts and regions are consistent. You need to do this as quickly and efficiently as possible. Which AWS service would help you achieve this?

A

AWS Firewall Manager

AWS Firewall Manager is a security management service that gives you a single pane of glass for firewall rules. It lets you centrally set up and manage those rules across multiple AWS accounts, regions, and applications in an AWS Organization, and automatically applies them to new accounts and resources as they appear.

21
Q

You work for an online cloud education provider that provides hands-on labs for training students. Recently, you noticed a spike in CPU activity for one of your EC2 instances and you suspect it is being used to mine bitcoin rather than for educational purposes. Somehow, your production environment has been compromised and you need to quickly identify the root cause of this compromise. Which AWS service would be best suited to identify the root cause?

A

Amazon Detective

Using Amazon Detective, you can analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.

22
Q

If you don’t explicitly associate a subnet with a network ACL, the subnet is…

A

The subnet is automatically associated with the default network ACL.

Each subnet in your VPC must be associated with a network ACL. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.

23
Q

What is true of the default security group?

A

You can't delete this group, but you can change its rules.

Your VPC includes a default security group. You can't delete it; however, you can change its rules in the same way as any other security group. As created, it allows all inbound traffic from resources that are assigned to the same default security group and all outbound traffic, so instances launched into it without an explicit group choice can talk freely to each other.

24
Q

You work for an online education company that offers a 7-day unlimited access free trial for all new users. You discover that someone has been taking advantage of this and has created a script to register a new user every time the 7-day trial ends. They also use this script to download large amounts of video files, which they then put up on popular pirate websites. You need to find a way to automate the detection of fraud like this using machine learning and artificial intelligence. Which AWS service would best suit this?

A

Amazon Fraud Detector

Amazon Fraud Detector is an AWS AI service that is built to detect fraud in your data.

25
Q

What differentiates a public subnet from a private subnet?

A

If a subnet's traffic is routed to an internet gateway, the subnet is known as a public subnet.

The subnet itself carries no public or private attribute. A public subnet is simply one whose associated route table has a route (normally 0.0.0.0/0) to an internet gateway; a subnet whose route table lacks such a route is private, even if its instances have public IP addresses.

26
Q

Recent worldwide events have dictated that you perform your duties as a Solutions Architect from home. You need to be able to manage several EC2 instances while working from home and have been testing the ability to SSH into these instances. One instance in particular has been a problem and you cannot SSH into this instance. What should you check first to troubleshoot this issue?

A

Make sure that the security group for the instance allows inbound on port 22 from your home IP address

A rule that allows access to TCP port 22 (SSH) from your home IP address enables you to SSH into the instances associated with the security group.

27
Q

What port allows SSH?

A

TCP port 22 (SSH)

28
Q

What are two key concepts regarding subnets?

A

Every subnet you create is automatically associated with the main route table of the VPC until you explicitly associate it with another route table.

Each subnet maps to a single Availability Zone.

29
Q

A new startup company decides to use AWS to host their web application. They configure a VPC as well as two subnets within the VPC. They also attach an internet gateway to the VPC. In the first subnet, they create the EC2 instance which will host their web application. They finish the configuration by making the application accessible from the Internet. The second subnet has an instance hosting a smaller, secondary application. But this application is not currently accessible from the Internet. What could be potential problems?

A

The EC2 instance does not have a public IP address.

The second subnet does not have a route in the route table to the internet gateway.

30
Q

To enable access to or from the internet for instances in a subnet in a VPC, you must do the following:

A

Attach an internet gateway to your VPC.

Add a route to your subnet’s route table that directs internet-bound traffic to the internet gateway. If a subnet is associated with a route table that has a route to an internet gateway, it’s known as a public subnet. If a subnet is associated with a route table that does not have a route to an internet gateway, it’s known as a private subnet.

Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).

Ensure that your network access control lists and security group rules allow the relevant traffic to flow to and from your instance.
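As an added example that is not part of the original flashcards, the four requirements above turned into a check that reports which of them an instance fails, run against a constructed topology that mirrors card 29 (two subnets, one internet gateway, a reachable web instance and a secondary instance that is not reachable). The VPC CIDRs, the IGW ID and the instance names are made up. The fourth requirement is modelled only as "does the security group have an inbound allow for the port"; network ACLs are assumed to be the default (allow all).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RouteTable:
    # destination CIDR -> target. Every VPC route table has the implicit
    # "<vpc cidr> -> local" route, so only the additional routes are listed here.
    routes: Dict[str, str] = field(default_factory=dict)


@dataclass
class Subnet:
    name: str
    cidr: str
    route_table: RouteTable


@dataclass
class Instance:
    name: str
    subnet: Subnet
    public_ip: Optional[str]            # public IPv4 or Elastic IP, None if absent
    sg_inbound_tcp_ports: List[int]     # ports with an inbound allow from 0.0.0.0/0


@dataclass
class Vpc:
    cidr: str
    internet_gateways: List[str]        # IGW IDs attached to this VPC
    subnets: List[Subnet]


def is_public_subnet(vpc: Vpc, subnet: Subnet) -> bool:
    """Public = the subnet's route table sends 0.0.0.0/0 to an attached internet gateway."""
    target = subnet.route_table.routes.get("0.0.0.0/0", "")
    return target.startswith("igw-") and target in vpc.internet_gateways


def internet_reachability_problems(vpc: Vpc, inst: Instance, port: int) -> List[str]:
    """Each unmet requirement, in the order the flashcard lists them; empty means reachable.
    Network ACLs are not modelled (the default network ACL allows everything)."""
    problems = []
    if not vpc.internet_gateways:
        problems.append("no internet gateway is attached to the VPC")
    target = inst.subnet.route_table.routes.get("0.0.0.0/0")
    if target is None or not target.startswith("igw-"):
        problems.append(f"subnet {inst.subnet.name} has no 0.0.0.0/0 route to an internet gateway (it is private)")
    elif target not in vpc.internet_gateways:
        problems.append(f"route targets {target}, which is not attached to this VPC")
    if inst.public_ip is None:
        problems.append(f"instance {inst.name} has no public IPv4 or Elastic IP address")
    if port not in inst.sg_inbound_tcp_ports:
        problems.append(f"security group has no inbound allow for TCP {port}")
    return problems


def build_startup_vpc() -> Tuple[Vpc, Instance, Instance]:
    """Constructed topology mirroring card 29: two subnets, one IGW, one public app."""
    igw = "igw-0123456789abcdef0"       # hypothetical ID
    public_rt = RouteTable({"0.0.0.0/0": igw})
    main_rt = RouteTable()              # main route table: local route only
    web_subnet = Subnet("web", "10.0.1.0/24", public_rt)
    app_subnet = Subnet("secondary", "10.0.2.0/24", main_rt)
    vpc = Vpc("10.0.0.0/16", [igw], [web_subnet, app_subnet])
    web = Instance("web-1", web_subnet, "203.0.113.10", [80, 443])
    secondary = Instance("app-2", app_subnet, None, [8080])
    return vpc, web, secondary


def fix_secondary(vpc: Vpc, inst: Instance, public_ip: str) -> List[str]:
    """Apply the two fixes from card 29 and re-check."""
    # Associate a dedicated public route table rather than adding the IGW route
    # to the main table: every subnet without an explicit association uses the
    # main table, so editing it would silently make future subnets public too.
    inst.subnet.route_table = RouteTable({"0.0.0.0/0": vpc.internet_gateways[0]})
    inst.public_ip = public_ip
    return internet_reachability_problems(vpc, inst, 8080)


if __name__ == "__main__":
    vpc, web, secondary = build_startup_vpc()
    print("web-1 :", internet_reachability_problems(vpc, web, 443) or "reachable")
    print("app-2 :", internet_reachability_problems(vpc, secondary, 8080))
    print("fixed :", fix_secondary(vpc, secondary, "203.0.113.11") or "reachable")
```

Whether the secondary application should be made public at all is a separate design question; if it only needs outbound access (updates, API calls), a NAT gateway route in a private subnet is the usual answer rather than a public IP.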

31
Q

What level do security groups act at?

A

Security groups act at the instance level, not the subnet level.

32
Q

Can you specify deny rules in a security group?

A

No, you can only specify allow rules in a security group.

33
Q

Can you specify separate rules for inbound and outbound traffic in a security group?

A

Yes, you can specify separate rules for inbound and outbound traffic in a security group.

34
Q

Does a newly created security group have any inbound rules by default?

A

No, a newly created security group has no inbound rules, so it allows no inbound traffic until you add a rule. It does have one default outbound rule that allows all outbound traffic, which you can remove or narrow.
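An added example, not from the original flashcards, that puts the network ACL cards (1, 22, 23) and the security group cards (31 to 34) side by side in code: network ACL rules are stateless, tried in ascending rule number with the first match deciding and the immutable asterisk rule denying the rest; security group rules are a stateful allow-list with no deny rules and an implicit deny for anything unmatched. The rule sets, addresses and packets are constructed (203.0.113.0/24 stands in for a network you want to block, 198.51.100.7 for the administrator's home address); security group rules that reference another security group as their source are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Union


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    src_port: int
    dst_port: int

    def reply(self) -> "Packet":
        return Packet(self.dst, self.src, self.proto, self.dst_port, self.src_port)


@dataclass(frozen=True)
class NaclRule:
    number: Union[int, str]   # 1..32766, or "*" for the immutable catch-all deny
    proto: str                # "tcp", "udp", "icmp" or "all"
    cidr: str                 # source CIDR for inbound rules, destination for outbound
    port_from: int
    port_to: int
    action: str               # "allow" or "deny"


@dataclass(frozen=True)
class SgRule:                 # no action field: security groups only have allow rules
    proto: str
    cidr: str
    port_from: int
    port_to: int


def _matches(proto: str, cidr: str, port_from: int, port_to: int, pkt: Packet, ip: str) -> bool:
    return (proto in ("all", pkt.proto)
            and ip_address(ip) in ip_network(cidr)
            and port_from <= pkt.dst_port <= port_to)


def evaluate_nacl(rules: List[NaclRule], pkt: Packet, direction: str) -> str:
    """Stateless: rules are tried in ascending number and the first match decides;
    the '*' rule is always last and denies whatever nothing else matched."""
    ip = pkt.src if direction == "inbound" else pkt.dst
    for r in sorted((r for r in rules if r.number != "*"), key=lambda r: int(r.number)):
        if _matches(r.proto, r.cidr, r.port_from, r.port_to, pkt, ip):
            return r.action
    return "deny"


def nacl_session_allowed(inbound: List[NaclRule], outbound: List[NaclRule], request: Packet) -> bool:
    """A network ACL keeps no connection state, so the reply must pass the outbound
    rules on its own: the ephemeral port range has to be allowed out explicitly."""
    return (evaluate_nacl(inbound, request, "inbound") == "allow"
            and evaluate_nacl(outbound, request.reply(), "outbound") == "allow")


def evaluate_sg(rules: List[SgRule], pkt: Packet, direction: str) -> str:
    """Stateful allow-list: any matching rule allows; there are no deny rules, so
    anything unmatched is implicitly denied."""
    ip = pkt.src if direction == "inbound" else pkt.dst
    hit = any(_matches(r.proto, r.cidr, r.port_from, r.port_to, pkt, ip) for r in rules)
    return "allow" if hit else "deny"


def sg_session_allowed(inbound: List[SgRule], request: Packet) -> bool:
    """Replies to an allowed request are permitted regardless of the outbound rules."""
    return evaluate_sg(inbound, request, "inbound") == "allow"


# Constructed rule sets for a web subnet.
INBOUND_NACL = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    NaclRule(110, "tcp", "203.0.113.0/24", 22, 22, "deny"),   # evaluated before 120
    NaclRule(120, "tcp", "0.0.0.0/0", 22, 22, "allow"),
    NaclRule("*", "all", "0.0.0.0/0", 0, 65535, "deny"),
]
OUTBOUND_NACL = [
    NaclRule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),  # ephemeral ports for replies
    NaclRule("*", "all", "0.0.0.0/0", 0, 65535, "deny"),
]
WEB_SG_INBOUND = [
    SgRule("tcp", "0.0.0.0/0", 443, 443),
    SgRule("tcp", "198.51.100.7/32", 22, 22),                 # SSH from home only
]

HTTPS_FROM_ANYWHERE = Packet("192.0.2.9", "10.0.1.10", "tcp", 51515, 443)
SSH_FROM_BLOCKED_NET = Packet("203.0.113.5", "10.0.1.10", "tcp", 51516, 22)
SSH_FROM_HOME = Packet("198.51.100.7", "10.0.1.10", "tcp", 51517, 22)

if __name__ == "__main__":
    print("NACL, SSH from blocked net:", evaluate_nacl(INBOUND_NACL, SSH_FROM_BLOCKED_NET, "inbound"))
    print("NACL, HTTPS session      :", nacl_session_allowed(INBOUND_NACL, OUTBOUND_NACL, HTTPS_FROM_ANYWHERE))
    print("SG,   SSH from blocked net:", evaluate_sg(WEB_SG_INBOUND, SSH_FROM_BLOCKED_NET, "inbound"))
```

The two results worth noticing: rule 110 blocks SSH from 203.0.113.0/24 even though rule 120 would allow it, because the first matching numbered rule wins; and an HTTPS session that the inbound network ACL allows still fails if the outbound network ACL does not allow the ephemeral port range, a failure mode a security group never has.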