Domain 3: Design Secure Applications and Architectures

Question 1

IAM- User Access Types

Answer 1

• Programmatic Access

- Management Console Access

Question 2

IAM- Users

Answer 2

Entity you create in AWS which you can use to login to the AWS console or access API’s through the AWS CLI using Access keys

Question 3

IAM- Roles

Answer 3

• Used for resources to interact with other resources,

- The policy assigned to it can decide who or what services get permission to do the actions you described.

Question 4

NACL

Answer 4

Network Access Control List

• Tied to subnet
• Stateless
• Supports allow and deny rules

Question 5

Security Groups

Answer 5

• Tied to an instance
• Statefull
• Supports allow rules only

Question 6

Stateless

Answer 6

changes applied to an incoming rule will not be applied to the outgoing rule. e.g. If you allow an incoming port 80, you would also need to apply the rule for outgoing traffic.

Question 7

Statefull

Answer 7

This means any changes applied to an incoming rule will be automatically applied to the outgoing rule. e.g. If you allow an incoming port 80, the outgoing port 80 will be automatically opened

Question 8

AWS WAF

Answer 8

• Web Application Firewall,
• lets you monitor web requests that are forwarded to an Amazon API Gateway, an Amazon CloudFront distribution, or an Application Load Balancer.
• You can protect those resources based on conditions that you specify, such as the IP addresses that the requests originate from.

Question 9

AWS Shield

Answer 9

Distributed Denial of Service Protection

• Standard
• Advanced

Question 10

AWS Shield- Standard

Answer 10

• Automatically applied

- Free

Question 11

AWS Shield- Advanced

Answer 11

• Access to DDoS Response Team
• Cost protection
• Visibility
• Customizable protection
• 3000/M

Question 12

AWS Firewall Manager

Answer 12

Central management of firewall rules across accounts and applications
-100/m

Question 13

AWS KMS

Answer 13

• Key Management Service,

- makes it easy for you to create and manage keys and control the use of encryption across a wide range of AWS services.

Question 14

AWS KMS- Types

Answer 14

• AWS Managed
• Customer Managed (CMK)
• Customer Managed, imported key material

Question 15

AWS KMS- AWS Managed

Answer 15

• Rotates automatically every 3 years
• You cannot manage rotation yourself
• Managed keys cannot be deleted

Question 16

AWS KMS- CMK

Answer 16

Customer Managed Keys

• Rotates once a year automatically
• On-demand manually
• Create a new CMK and manually change your applications to aliases to use the new CMK
• You control the rotation frequency
• Keys can be deleted

Question 17

AWS KMS- Imported Key Material

Answer 17

• No automatic rotation
• Manual rotation
• Create new CMK and update your applications to use the new CMK or key Alias

Question 18

AWS Cloud HSM

Answer 18

• Hardware Security Module,

- Uses dedicated HSM instances within the AWS cloud to encrypt and protect data

Question 19

AWS VPC

Answer 19

• Virtual Private Cloud,
• Provides multiple network connectivity options for you to use, depending on your current network designs and requirements.
• These connectivity options include using either the internet or an AWS Direct Connect connection as the network backbone and terminating the connection into AWS or user-managed network endpoints.

Question 20

AWS CloudTrail

Answer 20

you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.

Question 21

AWS CloudTrail Benefits

Answer 21

• Simplify your compliance by automatically recording and storing event logs for actions made within your AWS account
• Increases visibility into your user and resource activity by recording AWS Management Console actions and API calls
• Track and automatically respond to account activity threatening the security of your AWS resources