Domain 1 Flashcards

1
Q

IAM

A

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. It enables you to manage users and their permissions within your AWS account.

2
Q

IAM Decision Policy Logic (3)

A

Implicit (Default) Deny: Every request starts out denied; nothing is permitted unless a policy explicitly grants it. The account root user is the exception, since it has full access to its own account by default (SCPs still apply to it).

Explicit Allow: An Allow statement in an applicable policy permits the request, but only if every layer that applies also allows it. IAM evaluates identity-based policies, resource-based policies, permissions boundaries, session policies and, for accounts in an AWS Organization, service control policies (SCPs); an allow in an identity-based policy has no effect if an SCP or permissions boundary does not also allow the action.

Explicit Deny: A Deny statement in any applicable policy overrides every allow, wherever that allow came from, so a deny can never be undone by adding another allow.

3
Q

4 IAM Policy Types

A

Identity-Based Policies: Attached to IAM users, groups or roles; they grant (or deny) actions on resources to the identity they are attached to. Managed policies (AWS or customer managed) can be attached to many identities; inline policies live inside one.

Resource-Based Policies: Attached directly to a resource (S3 bucket policies, KMS key policies, SQS queue policies, a role's trust policy); they name the principals allowed to act on that resource and are the usual way to grant cross-account access.

Service Control Policies (SCPs): Applied to accounts or organizational units in AWS Organizations. They set the maximum permissions available in member accounts but never grant anything by themselves, and they do not apply to the management account.

Permissions Boundaries: A managed policy set on a user or role that caps what the identity's own policies can grant. Like SCPs they limit rather than grant; they are used to let delegated administrators create users and roles that cannot exceed a fixed ceiling.
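The two cards above describe the same evaluation, so here is one added example (not AWS code, not part of the original deck) that models it: a small evaluator that applies explicit deny, the SCP and permissions-boundary ceilings, and then the implicit deny, across identity-based and resource-based policies written as plain dicts in IAM JSON shape. The policy contents, principal names and the '*'-only matching are assumptions made for the demonstration; conditions, NotAction, session policies and the cross-account rules are left out.

```python
"""Toy model of the IAM decision logic across policy types (added example, not AWS code).

Assumptions, none of which come from the flashcards: policies are dicts in the
same shape as IAM JSON; Action and Resource are matched with '*' globbing only;
Condition, NotAction/NotResource, session policies and the cross-account rules
are left out. Real IAM also lets a resource-based policy grant a same-account
principal access without the permissions boundary agreeing; that shortcut is
omitted here to keep the layers easy to read.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action, a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def _layer_decision(policies, action, resource):
    """One layer's verdict: 'Deny', 'Allow', or None when no statement matches."""
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"            # an explicit deny ends the evaluation
            allowed = True
    return "Allow" if allowed else None


def evaluate(action, resource, identity=(), resource_based=(), scps=(), boundary=None):
    """Return the decision for one request, with the reason.

    Order, as on the flashcard: an explicit deny anywhere wins; then the SCP layer
    and the permissions boundary (when present) must each allow; then an explicit
    allow from an identity-based or resource-based policy is required; otherwise
    the implicit (default) deny applies.
    """
    verdicts = {
        "identity": _layer_decision(identity, action, resource),
        "resource": _layer_decision(resource_based, action, resource),
        "scp": _layer_decision(scps, action, resource) if scps else "Allow",
        "boundary": _layer_decision([boundary], action, resource) if boundary else "Allow",
    }
    if "Deny" in verdicts.values():
        return "Deny (explicit)"
    if verdicts["scp"] != "Allow":
        return "Deny (SCP does not allow)"
    if verdicts["boundary"] != "Allow":
        return "Deny (permissions boundary does not allow)"
    if "Allow" in (verdicts["identity"], verdicts["resource"]):
        return "Allow"
    return "Deny (implicit)"


# Constructed sample policies (shapes follow IAM JSON; names and ARNs are made up)
ADMIN_S3 = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
NO_BUCKET_DELETE = {"Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
SCP_S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BOUNDARY_READ_ONLY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                                "Resource": "arn:aws:s3:::shared/*"}]}

if __name__ == "__main__":
    for action, res in [("s3:GetObject", "arn:aws:s3:::data/k"), ("s3:PutObject", "arn:aws:s3:::data/k"),
                        ("s3:DeleteBucket", "arn:aws:s3:::data"), ("ec2:RunInstances", "*")]:
        print(f"{action:18} {evaluate(action, res, identity=[ADMIN_S3, NO_BUCKET_DELETE], scps=[SCP_S3_ONLY], boundary=BOUNDARY_READ_ONLY)}")
    # a resource-based policy can allow on its own when the identity carries no policy at all
    print("bucket policy only ", evaluate("s3:GetObject", "arn:aws:s3:::shared/x", resource_based=[BUCKET_POLICY]))
```

Running it shows the four outcomes side by side: the read is allowed, the write is stopped by the boundary even though the identity policy says s3:*, the bucket deletion is stopped by the explicit deny, and ec2:RunInstances never reaches the identity policy because the SCP does not list it.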

4
Q

AWS SSO

A

AWS Single Sign-On (AWS SSO), renamed AWS IAM Identity Center in 2022, centrally manages workforce access to multiple AWS accounts and business applications. Users sign in once through the chosen identity source (the built-in directory, Active Directory, or an external SAML/OIDC provider) and get short-lived role credentials in the target accounts through permission sets, so long-lived IAM user access keys are not needed.

5
Q

STS

A

AWS Security Token Service (STS) issues temporary, limited-privilege credentials (an access key ID, secret access key and session token) that expire automatically. Callers obtain them by assuming a role (AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity) or, for IAM users, through GetSessionToken and GetFederationToken. Role sessions last from 15 minutes up to the role's configured maximum session duration (at most 12 hours), can be narrowed further with a session policy, and are the mechanism behind cross-account access, federation, EC2 instance profiles and Lambda execution roles, removing the need to hand out long-lived access keys.

6
Q

Control Tower

A

AWS Control Tower sets up and governs a secure multi-account AWS environment (a landing zone) based on AWS best practices. It builds on AWS Organizations, creates dedicated log archive and audit accounts, centralizes CloudTrail and Config logging, and applies controls (formerly called guardrails): preventive controls implemented as SCPs and detective controls implemented as AWS Config rules, with an Account Factory for provisioning new accounts that start out compliant.

7
Q

Cognito

A

Amazon Cognito provides user authentication and authorization for web and mobile applications.

User pools are a managed user directory and identity provider: they handle sign-up, sign-in, MFA and password policies and issue OIDC tokens (ID, access and refresh JWTs) to the application; they can also federate sign-in through social providers or SAML/OIDC identity providers.

Identity pools (federated identities) exchange a token from a user pool or an external identity provider for temporary AWS credentials from STS, so an authenticated user (or, optionally, an unauthenticated guest) can call AWS services directly under an IAM role you choose.

8
Q

Guard Duty

A

Amazon GuardDuty is a threat detection service that continuously analyzes CloudTrail management events, VPC Flow Logs and Route 53 DNS query logs (plus optional sources such as S3 data events, EKS audit logs and malware scans) for malicious or unauthorized behavior in your accounts and workloads, such as credential exfiltration, crypto-mining or API calls from known-bad addresses. It works from these logs directly, so it needs no agents and no logging you configure yourself; findings are delivered to the console, EventBridge and Security Hub.

9
Q

Macie

A

Amazon Macie is a fully managed data security and privacy service that uses machine learning and pattern matching to discover sensitive data (PII, financial data, credentials such as access keys) stored in Amazon S3, and to flag buckets that are publicly accessible, unencrypted or shared outside the account.

10
Q

Shield

A

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service. Shield Standard is enabled for every AWS account at no charge and mitigates common network and transport layer (L3/L4) attacks against resources such as CloudFront, Route 53 and Elastic Load Balancing. Shield Advanced is a paid tier that adds application-layer (L7) protection together with AWS WAF, detailed attack visibility, cost protection against scaling charges during an attack, and access to the AWS Shield Response Team.

11
Q

AWS WAF

A

AWS WAF (Web Application Firewall) inspects HTTP(S) requests before they reach an application fronted by CloudFront, an Application Load Balancer, API Gateway, AppSync or Cognito. A web ACL holds rules (your own match rules, rate-based rules that throttle abusive clients, and AWS or vendor managed rule groups for injection, XSS, known bad inputs and bots) that allow, block, count or challenge requests. It addresses application-layer attacks that could compromise the application or consume its resources; volumetric DDoS is Shield's job.

12
Q

Secrets Manager

A

AWS Secrets Manager is a managed service that securely stores, manages and serves sensitive information such as database credentials, API keys and other secrets. Secrets are encrypted at rest with a KMS key, fetched over the API under IAM control (so credentials are not embedded in code or configuration), and can be rotated automatically on a schedule by a Lambda rotation function, with built-in rotation for RDS, Redshift and DocumentDB credentials.

13
Q

KMS

A

AWS Key Management Service (KMS) is a managed service for creating and controlling the cryptographic keys that protect your data across AWS services and applications. Keys are generated, stored and used inside FIPS 140 validated hardware security modules and never leave KMS in plaintext; callers ask KMS to encrypt, decrypt, sign or generate data keys on their behalf. Access is governed by the key policy (plus IAM policies and grants), and every use of a key is logged in CloudTrail.

14
Q

Certificate Manager

A

AWS Certificate Manager (ACM) is a service that simplifies the process of provisioning, managing, and deploying Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.

15
Q

Storage Services (name 8 key services)

A

S3 (object storage)
EBS (block volumes for EC2)
EFS (NFS file storage)
FSx (managed Windows, Lustre, NetApp ONTAP and OpenZFS file systems)
S3 Glacier and S3 Glacier Deep Archive (archival S3 storage classes)
Storage Gateway (hybrid access from on-premises)
AWS Backup (centralized backup policies across services)
S3 on Outposts (S3 API on on-premises Outposts hardware)

16
Q

Encryption Key Services (name 6)

A

KMS - Creating and controlling cryptographic keys; other services call it to encrypt, decrypt and generate data keys.

CloudHSM - Dedicated, single-tenant hardware security modules (FIPS 140 Level 3 validated) in which you, not AWS, control the keys. Used when compliance requires exclusive control of the HSM or standard interfaces such as PKCS#11 and JCE, at the cost of managing the cluster yourself.

Certificate Manager - Manages SSL/TLS certificates for encrypting data in transit; it does not manage general-purpose encryption keys the way KMS or CloudHSM do.

Encryption at Rest - Many AWS services (S3, EBS, RDS, DynamoDB and others) integrate with KMS so that data is automatically encrypted at rest using keys managed in KMS, with key usage visible in CloudTrail.

Envelope Encryption - The method AWS services use: data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a key encryption key (KEK) that stays inside KMS. GenerateDataKey returns both the plaintext DEK and its encrypted copy; the plaintext DEK is used locally and discarded, the encrypted DEK is stored next to the ciphertext, and Decrypt is called on it when the data is needed again.
This keeps bulk encryption local and fast, avoids sending large payloads to KMS (the KMS Encrypt API accepts at most 4 KB), and means rotating the KEK does not require re-encrypting the data.

Client Side Encryption - Encryption performed by the application before data is sent to AWS, using keys that you manage (optionally wrapped by KMS). The AWS Encryption SDK and the S3 Encryption Client implement envelope encryption on the client for this purpose.

17
Q

Key Rotation

A

Key rotation means periodically replacing cryptographic key material so that a compromised key exposes less data and long-lived ciphertext does not depend on one key forever.

KMS - AWS managed keys are rotated automatically every year and this cannot be changed. For customer managed symmetric keys, automatic rotation is optional and off by default; when enabled, KMS generates new key material on the configured period (default 365 days) and keeps every previous version, so ciphertext encrypted under old material still decrypts and nothing has to be re-encrypted. The key ID, ARN and alias do not change. Keys with imported key material, asymmetric keys and keys in custom key stores cannot be rotated automatically.

Manual rotation - Create a new key and point the alias at it (update-alias), so new encryptions use the new key. Ciphertext already written still references the old key ID, so that key must stay enabled (not deleted) until the data has been re-encrypted.
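The envelope-encryption card and the key-rotation card describe one mechanism from two sides, so here is one added example (not AWS code, not part of the original deck) that shows both: a data key is generated and wrapped by a KMS-like key, the bulk data is encrypted locally, the wrapping key is then rotated, and data wrapped under the old version still decrypts because the old material is retained. 'ToyKms' stands in for the KMS GenerateDataKey and Decrypt calls, and the cipher is a stand-in for AES-256-GCM (HMAC-SHA256 in counter mode plus an HMAC tag) so that the example runs on the standard library alone; both substitutions are assumptions of the example, not how KMS is built.

```python
"""Envelope encryption under a KMS-style key that rotates (added example, not AWS code).

Assumptions: 'ToyKms' stands in for the KMS GenerateDataKey and Decrypt APIs and
keeps every version of its key material, as a KMS key with automatic rotation does.
The cipher is a stand-in too: HMAC-SHA256 run in counter mode plus an HMAC tag
(encrypt-then-MAC) so that only the standard library is needed; real code would
use AES-256-GCM via the AWS Encryption SDK or a library such as 'cryptography'.
"""
import hashlib
import hmac
import os
import struct


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    blocks = (length + 31) // 32
    out = b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                   for i in range(blocks))
    return out[:length]


def _seal(key, plaintext):
    """Return nonce || ciphertext || tag, with separate keys for confidentiality and integrity."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _open(key, blob):
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("authentication failed: ciphertext or wrapped key was modified")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class ToyKms:
    """A key encryption key (KEK) with versioned material; the key's identity never changes."""

    def __init__(self):
        self.versions = [os.urandom(32)]      # index 0 is the material in use right now

    def rotate(self):
        # Like KMS automatic rotation: new material is used for new data keys,
        # old versions are retained so existing wrapped data keys still decrypt.
        self.versions.append(os.urandom(32))

    def generate_data_key(self):
        """Return (plaintext DEK, DEK wrapped under the current KEK version)."""
        dek = os.urandom(32)
        current = len(self.versions) - 1
        return dek, struct.pack(">I", current) + _seal(self.versions[current], dek)

    def decrypt(self, wrapped_dek):
        version = struct.unpack(">I", wrapped_dek[:4])[0]
        return _open(self.versions[version], wrapped_dek[4:])


def encrypt_envelope(kms, plaintext):
    dek, wrapped = kms.generate_data_key()          # one KMS call returns both forms of the DEK
    envelope = {"wrapped_dek": wrapped, "ciphertext": _seal(dek, plaintext)}   # bulk work is local
    del dek                                          # the plaintext DEK is never stored
    return envelope


def decrypt_envelope(kms, envelope):
    dek = kms.decrypt(envelope["wrapped_dek"])      # small KMS call to unwrap, then local decrypt
    return _open(dek, envelope["ciphertext"])


def kek_version(envelope):
    """Which KEK version wrapped this envelope's data key."""
    return struct.unpack(">I", envelope["wrapped_dek"][:4])[0]


if __name__ == "__main__":
    kms = ToyKms()
    before = encrypt_envelope(kms, b"record written before rotation")
    kms.rotate()
    after = encrypt_envelope(kms, b"record written after rotation")
    print(kek_version(before), decrypt_envelope(kms, before))   # version 0, still readable
    print(kek_version(after), decrypt_envelope(kms, after))     # version 1
```

The version prefix on the wrapped DEK plays the role of the key-material version KMS tracks internally: rotation changes what new data keys are wrapped with, and nothing else. Manual rotation by alias would instead produce a different key ID in the envelope, which is why the old key must remain enabled until the data is re-wrapped.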

18
Q

Certificate Renewals

A

AWS Certificate Manager (ACM) automatically renews the certificates it issued as long as domain validation still succeeds: DNS-validated certificates renew without intervention while the validation CNAME record stays in place; email-validated certificates need the domain owner to respond to a renewal email.

Manual work is needed for certificates imported into ACM: ACM does not renew them, so you must obtain a new certificate and re-import it before expiry. ACM emits expiry events (and Config has a rule for them) so that can be alarmed on.

19
Q

VPC

A

Amazon Virtual Private Cloud (VPC) is a service that allows you to provision a logically isolated section of the AWS cloud where you can launch and manage AWS resources in a virtual network that you define.

20
Q

Security Groups

A

AWS security groups are virtual firewalls attached to elastic network interfaces (EC2 instances, RDS, Lambda in a VPC, load balancers) that control inbound and outbound traffic. They are stateful: if a request is allowed in, the reply is allowed out regardless of the outbound rules, and vice versa. Rules are allow-only (there is no deny), can reference CIDR blocks or other security groups, and are all evaluated together; a new group denies all inbound and allows all outbound traffic by default.

21
Q

ACL

A

Network ACLs are an optional firewall at the subnet boundary that filter traffic entering and leaving one or more subnets in a VPC. They are stateless: every packet, including the reply to an allowed request, is checked against the rules, so a subnet that accepts inbound HTTPS also needs an outbound allow for the ephemeral ports (1024-65535) on which clients receive replies. Rules are numbered and evaluated from the lowest number up, the first match wins, both allow and deny are supported (which security groups cannot do, so NACLs are where specific IP ranges get blocked), and an implicit deny-all ends the list; the default network ACL allows everything.
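The stateful/stateless difference between the two cards above is where most subnet misconfigurations come from, so here is an added example (not AWS code, not part of the original deck) that models both filters over one HTTPS request and its reply. The rule sets, addresses and the port-range and rule-number semantics are constructed for the demonstration; they follow the behaviour described on the cards rather than any AWS API.

```python
"""Stateful security group vs stateless network ACL (added example, not AWS code).

Models the behaviour on the flashcards: a security group tracks connections, so
return traffic is allowed automatically; a network ACL evaluates every packet
against numbered rules (lowest number first, first match wins, implicit deny
at the end) and therefore needs an explicit allow for the ephemeral return ports.
Packets, addresses and rule sets are constructed for the demonstration.
"""
from ipaddress import ip_address, ip_network


class SecurityGroup:
    """Allow-only and stateful. Rules are (proto, port, cidr) tuples."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.connections = set()   # (src, sport, dst, dport) of flows already allowed

    def allows(self, pkt):
        src, sport, dst, dport = pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]
        if (dst, dport, src, sport) in self.connections:
            return True            # reply to a tracked flow: rules are not consulted
        rules = self.inbound if pkt["dir"] == "in" else self.outbound
        remote = src if pkt["dir"] == "in" else dst
        for proto, port, cidr in rules:
            if proto == pkt["proto"] and port == dport and ip_address(remote) in ip_network(cidr):
                self.connections.add((src, sport, dst, dport))
                return True
        return False


class NetworkAcl:
    """Allow or deny, stateless. Rules are (number, proto, (low_port, high_port), cidr, action)."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = sorted(inbound), sorted(outbound)

    def allows(self, pkt):
        rules = self.inbound if pkt["dir"] == "in" else self.outbound
        remote = pkt["src"] if pkt["dir"] == "in" else pkt["dst"]
        for _number, proto, (low, high), cidr, action in rules:   # lowest number first
            if proto in (pkt["proto"], "all") and low <= pkt["dport"] <= high \
                    and ip_address(remote) in ip_network(cidr):
                return action == "allow"                           # first match wins
        return False                                               # the implicit '*' deny


def packet(direction, src, sport, dst, dport, proto="tcp"):
    return {"dir": direction, "src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


def web_flow(filt):
    """Inbound HTTPS request to 10.0.1.5, then its reply. Returns (request_ok, reply_ok)."""
    request = packet("in", "203.0.113.10", 51515, "10.0.1.5", 443)
    reply = packet("out", "10.0.1.5", 443, "203.0.113.10", 51515)
    return filt.allows(request), filt.allows(reply)


# Constructed rule sets
SG_WEB = SecurityGroup(inbound=[("tcp", 443, "0.0.0.0/0")], outbound=[])   # replies need no outbound rule
NACL_MISSING_EPHEMERAL = NetworkAcl(
    inbound=[(100, "tcp", (443, 443), "0.0.0.0/0", "allow")],
    outbound=[(100, "tcp", (443, 443), "0.0.0.0/0", "allow")])             # common mistake: only 443 outbound
NACL_CORRECT = NetworkAcl(
    inbound=[(100, "tcp", (443, 443), "0.0.0.0/0", "allow")],
    outbound=[(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow")])           # ephemeral range for replies
NACL_WITH_DENY = NetworkAcl(
    inbound=[(50, "tcp", (443, 443), "203.0.113.0/24", "deny"),            # lower number wins over 100
             (100, "tcp", (443, 443), "0.0.0.0/0", "allow")],
    outbound=[(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow")])

if __name__ == "__main__":
    print("security group        ", web_flow(SG_WEB))                   # (True, True)
    print("NACL without ephemeral", web_flow(NACL_MISSING_EPHEMERAL))   # (True, False): reply dropped
    print("NACL with ephemeral   ", web_flow(NACL_CORRECT))             # (True, True)
    print("NACL deny at rule 50  ", web_flow(NACL_WITH_DENY))           # (False, True): request blocked
```

The second case is the one to remember: the request is accepted at the subnet edge, the instance answers, and the answer is silently dropped because the NACL has no outbound rule for port 51515. The last case shows what a security group cannot express, a deny for one source range placed ahead of a broad allow.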

22
Q

NAT Gateway

A

An AWS NAT (Network Address Translation) gateway is a managed service that lets instances in a private subnet initiate IPv4 connections to the internet or to AWS services while preventing the internet from initiating connections to those instances. It sits in a public subnet with an Elastic IP, and the private subnet's route table sends 0.0.0.0/0 to it; for IPv6 the equivalent is an egress-only internet gateway.

23
Q

Route Table

A

An AWS route table is the part of a VPC that decides where traffic leaving a subnet is sent. Each table is a set of routes mapping a destination CIDR to a target (local for the VPC itself, an internet gateway, NAT gateway, peering connection, transit gateway, VPC endpoint and so on); the most specific matching route wins. Every subnet is associated with exactly one route table (the VPC's main table unless you associate another), so a subnet's route table is what makes it public or private.

24
Q

CIDR

A

CIDR (Classless Inter-Domain Routing) is the notation and allocation scheme for IP addresses that replaced the old class A/B/C system: a range is written as a base address plus the number of leading bits that form the network prefix, such as 10.0.0.0/16 (65,536 addresses) or 10.0.1.0/24 (256). A VPC gets a CIDR between /16 and /28, subnets carve smaller CIDRs out of it, and AWS reserves the first four addresses and the last address of every subnet, so a /24 yields 251 usable addresses.

25
Q

Public and Private Subnet

A

In a Virtual Private Cloud (VPC) on AWS, subnets are public or private according to their route table, not a subnet setting: a public subnet is one whose route table has a route (normally 0.0.0.0/0) to an internet gateway, and its instances also need a public or Elastic IP to be reachable. A private subnet has no route to an internet gateway; its instances reach the internet, if at all, outbound only through a NAT gateway, and reach AWS services through VPC endpoints.

Use Cases: Public subnets are typically used for resources that need to be accessible from the internet, such as:

Web servers that serve public web pages.
Load balancers that distribute incoming traffic to applications.
NAT gateways and bastion hosts.

Use Cases: Private subnets are used for resources that should not be directly exposed to the internet, such as:

Databases and data stores that hold sensitive information.
Backend servers that handle business logic and are only accessed by other application components.
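The route-table, CIDR and subnet cards above come together in one check a reviewer does constantly: read a subnet's routes, find the most specific match for a destination, and decide whether the subnet is public. This added example (not AWS code, not part of the original deck) does that for a constructed VPC; the subnet CIDRs, route targets and target-ID prefixes (igw-, nat-, pcx-) are assumptions made for the demonstration, and it also applies the five-address reservation rule from the CIDR card.

```python
"""Route lookup and public/private subnet classification (added example, not AWS code).

Assumptions: route tables are lists of (destination CIDR, target) pairs using
AWS-style target prefixes ('local', 'igw-', 'nat-', 'pcx-'); the most specific
(longest-prefix) route wins, as in a VPC. The VPC, subnets and routes below are
constructed for the demonstration.
"""
from ipaddress import ip_address, ip_network


def lookup(route_table, dst_ip):
    """Return the target of the most specific route matching dst_ip, or None if no route matches."""
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ip_network(cidr)
        if ip_address(dst_ip) in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def subnet_kind(route_table):
    """Public means a route to an internet gateway exists; otherwise private, with or without NAT egress."""
    target_kinds = {target.split("-")[0] for _cidr, target in route_table}
    if "igw" in target_kinds:
        return "public"
    if "nat" in target_kinds:
        return "private (outbound via NAT)"
    return "private (isolated)"


def usable_hosts(cidr):
    """Addresses left for instances: AWS reserves the first four and the last address of each subnet."""
    return ip_network(cidr).num_addresses - 5


# Constructed VPC 10.0.0.0/16 with three subnets and their route tables
ROUTE_TABLES = {
    "10.0.1.0/24": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0abc")],
    "10.0.2.0/24": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0def"), ("192.168.0.0/16", "pcx-0123")],
    "10.0.3.0/24": [("10.0.0.0/16", "local")],
}


def summarize():
    """Map each subnet to (kind, usable address count)."""
    return {subnet: (subnet_kind(rt), usable_hosts(subnet)) for subnet, rt in ROUTE_TABLES.items()}


if __name__ == "__main__":
    for subnet, (kind, hosts) in summarize().items():
        print(f"{subnet:14} {kind:26} {hosts} usable addresses")
    rt = ROUTE_TABLES["10.0.2.0/24"]
    # longest prefix wins: VPC-local, then the peering route, then the default route to NAT
    print(lookup(rt, "10.0.1.9"), lookup(rt, "192.168.5.5"), lookup(rt, "8.8.8.8"))
    print(lookup(ROUTE_TABLES["10.0.3.0/24"], "8.8.8.8"))   # None: an isolated subnet has no path out
```

Note that subnet_kind answers only the routing half of the question; an instance in the public subnet still needs a public IP, and a security group or NACL that admits the traffic, before it is actually reachable.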

26
Q

Private Link

A

AWS PrivateLink lets you reach services hosted on AWS over private IP addresses without sending traffic through an internet gateway, NAT or the public internet. An interface VPC endpoint is an elastic network interface in your own subnet with a private IP; DNS for the service resolves to it, and traffic flows from your VPC to the AWS service, an AWS Marketplace/partner service, or your own service published behind a Network Load Balancer as an endpoint service. An endpoint policy can restrict what the endpoint may be used for (for example, only your own S3 buckets), and security groups apply to the endpoint's ENI.

Traffic path: your VPC > interface endpoint (ENI) > AWS service. The gateway endpoints for S3 and DynamoDB are a separate, route-table based mechanism, not PrivateLink.

27
Q

Cloud Trail

A

AWS CloudTrail records the API calls made by users, roles and AWS services in your account: who called, when, from which IP address, which action with which parameters, and the result. Management events are recorded by default and kept for 90 days in the event history; a trail or event data store delivers them (and optional S3 and Lambda data events) to S3 for long-term retention, ideally in a separate log-archive account with log file integrity validation enabled so that tampering with the logs can be detected.

28
Q

Cloud Watch

A

Amazon CloudWatch is a monitoring and observability service that collects metrics, logs and events from AWS resources and applications and turns them into dashboards, alarms and automated actions. For security it matters as the place where CloudTrail can be delivered as a log group, where metric filters on those logs drive alarms (for example, on root sign-in or IAM policy changes), and where EventBridge rules route events to notifications or automated responses.

29
Q

AWS Organizations

A

AWS Organizations is a service for centrally managing and governing multiple AWS accounts: a management account owns the organization, member accounts are grouped into organizational units (OUs), and policies such as SCPs are attached to the root, OUs or accounts and inherited downwards. It also provides consolidated billing and is the foundation for organization-wide CloudTrail, Config and Control Tower.

30
Q

Name 3 SSE

A

SSE-S3 (Server-Side Encryption with Amazon S3-Managed Keys):

S3 encrypts each object at rest with AES-256 using keys that S3 itself generates, manages and rotates; since January 2023 it is the default for every new object.
Nothing to configure and no key to manage, but also no key-level access control and no key-usage audit trail: anyone who can read the object gets plaintext.

SSE-KMS (Server-Side Encryption with AWS Key Management Service):

Objects are encrypted with data keys protected by a KMS key (the AWS managed key aws/s3 or a customer managed key you create). The key policy and IAM policies give fine-grained control over who can decrypt, and every key use is logged in CloudTrail.
A principal needs both s3:GetObject and kms:Decrypt on the key to read an object, and each GET and PUT costs a KMS request unless S3 Bucket Keys are enabled.

SSE-C (Server-Side Encryption with Customer-Provided Keys):

You supply the AES-256 key in the request headers of every PUT and GET; S3 encrypts or decrypts with it and stores only a salted HMAC of the key to validate later requests, never the key itself. Requests must use HTTPS.
This gives you full control of the keys but also full responsibility: if you lose the key, the object is unrecoverable.
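Knowing the three SSE modes is one thing; making a bucket refuse anything weaker is the practical follow-up. The bucket policy below is an added example (not from the original deck and not AWS-provided) that denies uploads unless they request SSE-KMS with one specific key, and denies all plaintext (non-TLS) requests. The bucket name, account ID and key ID are placeholders to replace; the condition keys and the deny-on-StringNotEquals pattern are the documented S3 ones.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUploadsNotUsingSSEKMS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUploadsUsingAnotherKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
      }
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Two things to keep in mind when applying it: a StringNotEquals condition also matches when the header is absent, so uploads that rely on the bucket's default encryption without sending the x-amz-server-side-encryption header are denied as well (clients must set it explicitly, or the policy needs an additional Null condition); and because these are explicit denies they cannot be overridden by any identity policy, which is exactly the property wanted here.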

31
Q

Pilot Light

A

Pilot Light keeps only the core of the application alive in the recovery region: the data tier is replicated and running (for example, a database replica), while the application servers exist only as stopped instances, AMIs or templates and are started and scaled when a disaster occurs. It is cheaper than warm standby, with a recovery time measured in tens of minutes because capacity has to be brought up first.

32
Q

Warm Standby

A

Concept: Warm Standby runs a scaled-down but fully functional copy of the production environment in the recovery region at all times, able to serve a fraction of the load immediately. On failover it is scaled up and traffic is redirected (typically via Route 53) to handle the full production load; recovery takes minutes because nothing has to be started from scratch.

33
Q

Multi Site Active Active

A

Concept: Multi-Site Active-Active runs identical, fully functional environments in multiple locations (for example, different AWS regions) at the same time, all serving live traffic, usually with Route 53 routing and cross-region data replication. Losing one site only removes capacity, so recovery time and data loss approach zero, at the highest cost and with the added complexity of keeping data consistent across sites.

34
Q

Name available snapshots

A

EBS
RDS
Aurora
Redshift
Neptune
FSx
