Exam1-Part3 Flashcards
A company has a web application that uses Amazon CloudFront to distribute its images, videos, and other static contents stored in its S3 bucket to its users around the world. The company has recently introduced a new member-only access feature to some of its high-quality media files. There is a requirement to provide access to multiple private media files only to their paying subscribers without having to change their current URLs.
Which of the following is the most suitable solution that you should implement to satisfy this requirement?
Use Signed Cookies to control who can access the private files in your CloudFront distribution by modifying your application to determine whether a user should have access to your content. For members, send the required Set-Cookie headers to the viewer, which will unlock the content only to them.
inject sensitive data into ECS
Amazon ECS enables you to inject sensitive data into your containers by storing your sensitive data in either AWS Secrets Manager secrets or AWS Systems Manager Parameter Store parameters and then referencing them in your container definition.
does ECS support resource based policies?
HELL NO!!
How ECS using the encrypted secrets
create an IAM role and reference it in the task definition, which allows access to both KMS and the Parameter Store
Lambda@Edge
Lambda@Edge lets you run Node.js and Python Lambda functions to customize content that CloudFront delivers, executing the functions in AWS locations closer to the viewer which improves performance and reduces latency. The functions run in response to CloudFront events, without provisioning or managing servers.
Optimizing high availability with CloudFront origin failover
You can set up CloudFront with origin failover for scenarios that require high availability. To get started, you create an origin group with two origins: a primary and a secondary. If the primary origin is unavailable, or returns specific HTTP response status codes that indicate a failure, CloudFront automatically switches to the secondary origin.
aws highly available POSIX-compliant shared file system
Amazon Web Services (AWS) offers a highly available POSIX-compliant shared file system called Amazon Elastic File System (EFS).
EFS supports the POSIX (Portable Operating System Interface) standard, which allows applications to access files using familiar POSIX APIs. This ensures compatibility with a wide range of applications and enables seamless integration with existing POSIX-compliant systems.
Enable outbound IPv6 traffic using an egress-only internet gateway
An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances.
NAT Gateway and IPv6
While NAT Gateway has a NAT64 feature that translates an IPv6 address to IPv4, it will not prevent inbound IPv6 traffic from reaching the EC2 instance. You have to use the egress-only Internet Gateway instead. Moreover, the AWS Firewall Manager is neither capable of doing traffic inspection nor traffic filtering.
receiving attacks on a web app behind an ALB
Amazon GuardDuty is only a threat detection service and cannot be integrated directly with the Application Load Balancer.
Use WAF instead with ALB
aws guard duty vs WAF
Amazon GuardDuty is focused on monitoring and detecting threats within your AWS environment, while AWS WAF is designed to protect your web applications from common web-based attacks.