Governance & Security Flashcards

1
Q

AWS Global Infrastructure

A

  • Edge locations and Regional Edge Cache
  • Local Zones
  • Availability Zones
  • Regions

2
Q

AWS Regions

A
  • A region is a geographical area
  • Each region consists of 2 or more availability zones
  • Isolated from other AWS Regions
3
Q

Availability Zones

A
  • Availability Zones are physically separate and isolated from each
    other
  • AZs span one or more data centers
  • Each AZ is designed as an independent failure zone
4
Q

Local Zones

A
  • AWS Local Zones place compute, storage, database, and other select
    AWS services closer to end-users
  • Extension of an AWS Region where you can run your latency-sensitive
    applications
5
Q

Edge Locations and Regional Edge Caches

A
  • Edge locations are Content Delivery Network (CDN) endpoints for
    CloudFront
  • There are many more edge locations than regions
  • Regional Edge Caches sit between your CloudFront Origin servers and
    the Edge Locations
  • A Regional Edge Cache has a larger cache-width than each of the
    individual Edge Locations
6
Q

Advantages of cloud?

A
  • Trade capital expense for variable expense
  • Benefit from massive economies of scale
  • Stop guessing about capacity
  • Increase speed and agility
  • Stop spending money running and maintaining data centres
  • Go global in minutes
7
Q

IAM Best Practices - General

A
  • Create individual IAM users
  • Use groups to assign permissions to IAM users
  • Grant least privilege
  • Use access levels to review IAM permissions
  • Monitor activity in your AWS account
8
Q

IAM Best Practices - Roles

A
  • Use roles for applications that run on Amazon EC2 instances
  • Use roles to delegate permissions
9
Q

IAM Best Practices - Policies

A
  • Get started using permissions with AWS managed policies
  • Use customer managed policies instead of inline policies
  • Use policy conditions for extra security
10
Q

IAM Best Practices - Credential Management

A
  • Lock away your AWS account root user access keys
  • Configure a strong password policy for your users
  • Enable MFA
  • Do not share access keys
  • Rotate credentials regularly
  • Remove unnecessary credentials
11
Q

Amazon EC2 Metadata and User Data

A
  • User data is data that is supplied by the user at instance
    launch in the form of a script
  • Instance metadata is data about your instance that you can use to configure or manage the running instance
  • User data and metadata are not encrypted
  • Instance metadata is available at
    http://169.254.169.254/latest/meta-data
12
Q

Access keys

A
  • Access keys can be used on EC2 instances to gain permissions
    to other AWS services
  • Access keys are stored in plaintext so this is not secure
  • Better to use IAM roles whenever possible and avoid access
    keys
13
Q

AWS Organizations

A
  • Allows you to consolidate multiple AWS accounts into an
    organization that you create and centrally manage
  • Available in two feature sets:
      • Consolidated Billing
      • All features
  • Includes root accounts and organizational units
  • Policies are applied to root accounts or OUs
14
Q

AWS Organization Consolidated billing includes?

A
  • Paying Account – independent and cannot access resources of other
    accounts
  • Linked Accounts – all linked accounts are independent
15
Q

AWS Control Tower

A
  • Simplifies the process of creating multi-account environments
  • Sets up governance, compliance, and security guardrails for
    you
  • Integrates with other services and features to set up the
    environment for you, including:
      • AWS Organizations, SCPs, OUs, AWS Config, AWS CloudTrail,
        Amazon S3, Amazon SNS, AWS CloudFormation, AWS Service
        Catalog, AWS Single Sign-On (SSO)
16
Q

AWS Systems Manager

A
  • Manages many AWS resources including Amazon EC2, Amazon
    S3, Amazon RDS etc.
  • Systems Manager components:
      • Automation – uses documents to run automations
      • Run Command – run commands on EC2 instances
      • Inventory – gather inventory information
      • Patch Manager – manage patching schedules and installation
      • Session Manager – connect securely without SSH or RDP
      • Parameter Store – store secrets and configuration data securely
17
Q

AWS Service Catalog

A
  • Allows organizations to create and manage catalogs of IT
    services that are approved for use on AWS
  • Allows you to centrally manage commonly deployed IT
    services
  • IT services can include virtual machine images, servers,
    software, and databases and multi-tier application
    architectures
  • Enables users to quickly deploy only the approved IT services
    they need
18
Q

AWS Config

A
  • Fully-managed service for compliance management
  • Helps with compliance auditing, security analysis, resource
    change tracking and troubleshooting
19
Q

Trusted Advisor

A
  • Online resource that helps to reduce cost, increase
    performance and improve security by optimizing your AWS
    environment
  • Provides real time guidance to help you provision your
    resources following best practices
  • Advises you on Cost Optimization, Performance, Security,
    and Fault Tolerance
20
Q

AWS Personal Health Dashboard

A
  • Provides alerts and remediation guidance when AWS is
    experiencing events that may impact you
  • Gives you a personalized view into the performance and
    availability of the AWS services underlying your AWS
    resources
  • Also provides proactive notification to help you plan for
    scheduled activities
21
Q

Service Health Dashboard

A
  • Shows you current status of AWS services
  • Not personalized
22
Q

AWS Directory Services

A
  • AWS Directory Service for Microsoft Active Directory
  • AD Connector
  • Simple AD
23
Q

AWS Directory Service for Microsoft Active Directory - description, use case

A
  • Description: AWS-managed full Microsoft AD running on Windows Server 2012 R2
  • Use case: Enterprises that want hosted Microsoft Active Directory
24
Q

AD Connector - description, use case

A
  • Description: Allows on-premises users to log into AWS services with their existing AD credentials
  • Use case: Single sign-on for on-premises employees
25
Q

Simple AD - description, use case

A
  • Description: Low-scale, low-cost AD implementation based on Samba
  • Use case: Simple user directory, or you need LDAP compatibility
26
Q

AWS Systems Manager Parameter Store

A
  • Provides secure, hierarchical storage for configuration data
    management and secrets management
  • You can store data such as passwords, database strings, and
    license codes as parameter values
  • You can store values as plaintext (unencrypted data) or
    ciphertext (encrypted data)
  • You can then reference values by using the unique name that
    you specified when you created the parameter
27
Q

AWS Secrets Manager

A
  • Similar to Parameter Store
  • Allows native and automatic rotation of keys
  • Fine-grained permissions
  • Central auditing for secret rotation
28
Q

AWS Certificate Manager (ACM)

A
  • Create, store and renew SSL/TLS X.509 certificates
  • Single domains, multiple domain names and wildcards
  • Integrates with several AWS services including:
      • Elastic Load Balancing
      • Amazon CloudFront
      • AWS Elastic Beanstalk
      • AWS Nitro Enclaves
      • AWS CloudFormation
29
Q

AWS Key Management Service (KMS)

A
  • Used for creating and managing encryption keys
  • Gives you centralized control over the encryption keys used
    to protect your data
  • KMS is integrated with most other AWS services
  • Easy to encrypt the data you store in these services with
    encryption keys you control
30
Q

AWS CloudHSM

A
  • Cloud-based hardware security module (HSM)
  • Generate and use your own encryption keys on the AWS Cloud
  • Manage your own encryption keys using FIPS 140-2 Level 3 validated
    HSMs
  • CloudHSM runs in your VPC
31
Q

AWS CloudTrail

A
  • CloudTrail logs API activity for auditing
  • By default, management events are logged and retained for
    90 days
  • A CloudTrail Trail logs any events to S3 for indefinite
    retention
  • Trail can be within Region or all Regions
  • CloudWatch Events can be triggered based on API calls in
    CloudTrail
  • Events can be streamed to CloudWatch Logs
32
Q

VPC Flow Logs

A
  • Flow Logs capture information about the IP traffic going to
    and from network interfaces in a VPC
  • Flow log data is stored using Amazon CloudWatch Logs
  • Flow logs can be created at the following levels:
      • VPC
      • Subnet
      • Network interface
33
Q

Elastic Load Balancing Access Logs

A
  • Capture detailed information about requests sent to the load
    balancer
  • Use to analyze traffic patterns and troubleshoot issues
  • Can identify requester, IP, request type etc.
  • Can be optionally stored and retained in S3
34
Q

S3 Access Logs

A
  • Provides detailed records for the requests that are made to a
    bucket
  • Details include the requester, bucket name, request time, request
    action, response status, and error code (if applicable)
  • Disabled by default
35
Q

Amazon Detective

A
  • Analyze, investigate, and quickly identify the root cause of
    potential security issues or suspicious activities
  • Automatically collects data from AWS resources
  • Uses machine learning, statistical analysis, and graph theory
  • Data sources include VPC Flow Logs, CloudTrail, and
    GuardDuty
36
Q

AWS GuardDuty

A
  • Intelligent threat detection service
  • Detects account compromise, instance compromise,
    malicious reconnaissance, and bucket compromise
  • Continuous monitoring for events across:
      • AWS CloudTrail Management Events
      • AWS CloudTrail S3 Data Events
      • Amazon VPC Flow Logs
      • DNS Logs
37
Q

Amazon Macie

A
  • Macie is a fully managed data security and data privacy
    service
  • Uses machine learning and pattern matching to discover,
    monitor, and help you protect your sensitive data on Amazon
    S3
  • Macie enables security compliance and preventive security
38
Q

AWS WAF

A
  • AWS WAF is a web application firewall
  • Create rules that block common web exploits like SQL
    injection and cross-site scripting
  • The rules are known as Web ACLs
39
Q

AWS Shield

A
  • AWS Shield is a managed Distributed Denial of Service
    (DDoS) protection service
  • Safeguards web applications running on AWS with always-on
    detection and automatic inline mitigations
40
Q

AWS Artifact

A
  • AWS Artifact provides on-demand access to AWS’ security
    and compliance reports and select online agreements
  • Reports available in AWS Artifact include:
      • Service Organization Control (SOC) reports
      • Payment Card Industry (PCI) reports
41
Q

AWS Security Hub

A
  • Provides a comprehensive view of security alerts and
    security posture across AWS accounts
  • Aggregates, organizes, and prioritizes security alerts, or
    findings, from multiple AWS services
42
Q

AWS Security Bulletins

A
  • Security and privacy events affecting AWS services are
    published (also has an RSS feed)
43
Q

AWS Trust & Safety Team

A
  • Contact the AWS Trust & Safety team if AWS resources are
    being used for:
      • Spam
      • Port scanning
      • Denial-of-service attacks
      • Intrusion attempts
      • Hosting of objectionable or copyrighted content
      • Distributing malware
44
Q

Penetration Testing

A
  • Penetration testing is the practice of testing one’s own
    application’s security for vulnerabilities by simulating an
    attack
  • AWS allows penetration testing without prior approval for 8
    AWS services