Domain 1 Flashcards

1
Q

IAM

A

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. It enables you to manage users and their permissions within your AWS account.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

IAM Decision Policy Logic (3)

A

Default Deny: By default, all requests are denied. This principle implies that no action is allowed unless explicitly granted.

Explicit Allow: If a policy explicitly allows a request, the request is permitted. IAM evaluates all applicable policies, including identity-based policies, resource-based policies, and any applicable service control policies (SCPs).

Explicit Deny: If any policy explicitly denies a request, the request is denied, regardless of any explicit allows. Explicit denies take precedence over any allows.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

4 IAM Policy Types

A

Identity-Based Policies: These are attached to users, groups, or roles and define what actions those identities can perform on specified resources.

Resource-Based Policies: These are attached directly to resources (e.g., S3 buckets) and specify who can access those resources and what actions they can perform.

Service Control Policies (SCPs): Used in AWS Organizations to manage permissions across multiple AWS accounts.

Permissions Boundaries: Specify the maximum permissions that a user or role can have.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

AWS SSO

A

AWS Single Sign-On (AWS SSO) is a cloud-based service that simplifies the management of SSO access to AWS accounts and business applications.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

STS

A

AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or federated users.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Control Tower

A

AWS Control Tower is a service that provides an easy way to set up and govern a secure, multi-account AWS environment based on best practices.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Cognito

A

Amazon Cognito is a service provided by AWS that simplifies user authentication for web and mobile applications.

With federated identities, Cognito allows you to authorize users from different identity providers

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Guard Duty

A

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious or unauthorized behavior.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Macie

A

Amazon Macie is a fully managed data security and privacy service that uses machine learning and pattern matching to discover and protect sensitive data in AWS.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Shield

A

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

AWS WAF

A

AWS WAF (Web Application Firewall) is a cloud-based security service that helps protect web applications from common web exploits and attacks that could affect application availability, compromise security, or consume excessive resources.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Secrets Manager

A

AWS Secrets Manager is a managed service that helps you securely store, manage, and retrieve sensitive information, such as database credentials, API keys, and other secrets.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

KMS

A

AWS Key Management Service (KMS) is a managed service that enables you to create and control cryptographic keys used to secure your data across AWS services and applications.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Certificate Manager

A

AWS Certificate Manager (ACM) is a service that simplifies the process of provisioning, managing, and deploying Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Storage Services (name 7 keys services)

A

S3
EBS
EFS
FSx
Glacier and S3 Glacier Deep Archive
Storage Gateway
Backup
S3 outposts

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Encryption Key Services (name 6)

A

KMS - Creating and controlling cryptographic keys

HSM - Dedicated hardware security modules. Good for higher level of compliance.

Certificate Manager - Manages SSL/TLS certificates for encrypting data in transit, although it doesn’t directly manage encryption keys like KMS or CloudHSM.

Encryption at Rest - Many AWS services integrate with KMS to offer encryption at rest, where data is automatically encrypted using keys managed by KMS.

Envelope Encryption - A method used in AWS where data is encrypted using a data encryption key (DEK), and the DEK itself is encrypted using a key encryption key (KEK) stored in KMS.
This method allows for efficient encryption and decryption of large amounts of data, minimizing the need to interact with KMS directly for every encryption or decryption operation.

Client Side Encryption - In some scenarios, encryption can be handled by the application itself before data is sent to AWS, using encryption keys that you manage.
AWS provides tools such as the AWS Encryption SDK to assist with client-side encryption.

17
Q

Key Rotation

A

AWS key rotation is a process that involves periodically updating cryptographic keys to enhance security and reduce the risk of unauthorized access to encrypted data.

KMS - Rotated automatic every year

Manual rotation - Option as well

18
Q

Certificate Renewals

A

AWS Certificate Manager (ACM) simplifies the management of SSL/TLS certificates by automating the renewal process for certificates issued by ACM.

Sometimes manual is needed

19
Q

VPC

A

Amazon Virtual Private Cloud (VPC) is a service that allows you to provision a logically isolated section of the AWS cloud where you can launch and manage AWS resources in a virtual network that you define.

20
Q

Security Groups

A

AWS Security Groups are virtual firewalls that control inbound and outbound traffic for resources within an Amazon Virtual Private Cloud (VPC). They provide an essential layer of security for your AWS resources, such as Amazon EC2 instances.

21
Q

ACL

A

Network Access Control Lists (ACLs) are a security layer that acts as a firewall for controlling traffic in and out of one or more subnets within a Virtual Private Cloud (VPC). They complement security groups by providing additional network security at the subnet level.

22
Q

NAT Gateway

A

An AWS NAT (Network Address Translation) Gateway is a managed service that enables instances in a private subnet to connect to the internet or other AWS services, while preventing the internet from initiating connections with those instances.

23
Q

Route Table

A

An AWS Route Table is an essential component of a Virtual Private Cloud (VPC) that determines how network traffic is directed within your VPC. Each route table contains a set of rules, called routes, that specify the destinations that your network traffic can reach and the paths it should take.

24
Q

CIDR

A

CIDR, or Classless Inter-Domain Routing, is a method for allocating IP addresses and routing Internet Protocol (IP) packets. CIDR replaces the old system of IP address classification, which divided IP addresses into classes (A, B, C, etc.).

25
Q

Public and Private Subnet

A

In a Virtual Private Cloud (VPC) on AWS, subnets can be classified as either public or private based on their accessibility to and from the internet.

Use Cases: Public subnets are typically used for resources that need to be accessible from the internet, such as:

Web servers that serve public web pages.
Load balancers that distribute incoming traffic to applications.

Use Cases: Private subnets are used for resources that should not be directly exposed to the internet, such as:

Databases and data stores that hold sensitive information.
Backend servers that handle business logic and are only accessed by other application components.

26
Q

Private Link

A

AWS PrivateLink is a networking service that enables you to securely access services hosted on AWS without exposing your traffic to the public internet. It allows you to connect to AWS services, third-party services, or your own services in a highly secure and scalable manner.

VPC > VPC

27
Q

Cloud Trail

A

It provides a record of actions taken by a user, role, or an AWS service in your AWS environment.

28
Q

Cloud Watch

A

Amazon CloudWatch is a comprehensive monitoring and observability service designed to provide actionable insights into AWS resources, applications, and services.

29
Q

AWS Organizations

A

AWS Organizations is a service that helps you centrally manage and govern multiple AWS accounts. It is designed for use by businesses and enterprises to simplify account management and enforce policies across their AWS environments.

30
Q

Name 3 SSE

A

SSE-S3 (Server-Side Encryption with Amazon S3-Managed Keys):

With SSE-S3, Amazon S3 encrypts your data at rest using its own encryption keys, managed by Amazon S3.
AES-256 is used for encryption, ensuring strong data protection.
S3 manages all encryption and key management activities, simplifying the process for users who do not want to manage encryption keys themselves.
SSE-KMS (Server-Side Encryption with AWS Key Management Service):

SSE-KMS uses AWS Key Management Service (KMS) to handle key management, providing you with more control over key management compared to SSE-S3.
It allows integration with AWS Identity and Access Management (IAM) to provide fine-grained access control over the use of encryption keys.
Users can create and manage their own customer master keys (CMKs) or use AWS-managed CMKs.
SSE-C (Server-Side Encryption with Customer-Provided Keys):

With SSE-C, you provide your own encryption keys to Amazon S3 for encryption.
AWS manages the encryption and decryption process but does not store the keys. You need to supply the encryption key with each request.
This option gives you full control over the encryption keys, but also requires you to manage the keys securely.

31
Q

Pilot Light

A

Pilot Light involves maintaining a minimal version of your application running in the cloud. The core infrastructure is kept running and is ready to scale up quickly in the event of a disaster.

32
Q

Warm Standby

A

Concept: Warm Standby involves running a scaled-down version of a fully functional environment in the cloud. In the event of a disaster, this environment can be scaled up to handle the full production load.

33
Q

Multi Site Active Active

A

Concept: Multi-Site Active-Active involves running identical fully functional environments in multiple locations (e.g., different AWS regions) simultaneously. Traffic is distributed across all sites.

34
Q

Name available snapshots

A

EBS
RDS
Aurora
Redshift
Neptune
FSx

35
Q

DELETE

A

DELETE