Introduction to Security and Architecture on AWS Flashcards

1
Q

What must users agree with in order to have an account on the AWS platform?

A

AWS Acceptable Use Policy. It defines acceptable and unacceptable uses of their cloud platform.

2
Q

“_____________ and _____________ is a shared responsibility between AWS and the customer.” – Amazon Web Services

A

Security and Compliance

3
Q

Who is responsible for access and training for Amazon employees?

A

AWS

4
Q

Who is responsible for individual access to cloud resources and training?

A

Customer

5
Q

Who is responsible for global data centers and their underlying network?

A

AWS

6
Q

Who is responsible for all code deployed onto cloud infrastructure?

A

Customer

7
Q

Who is responsible for patching cloud infrastructure and services?

A

AWS

8
Q

Who is responsible for patching guest operating systems and custom applications?

A

Customer

9
Q

What are the 6 pillars of a well-architected framework?

A

SCOOPER

  1. Security - Protecting information and business assets.
  2. Cost Optimization - Achieving minimal costs for the desired value.
  3. Operational Excellence - Running and monitoring systems for business.
  4. Performance Efficiency - Using resources efficiently to achieve business.
  5. Reliability - Enabling infrastructure to recover from disruptions.
  6. Sustainability.

10
Q

Name two services that provide fault tolerance

A
  1. Simple Queue Service (SQS)
  2. Route 53


11
Q

Name three services that support compliance

A
  1. AWS Config - Continually monitor AWS resources and provides conformance packs for specific compliance standards.
  2. AWS Artifact - Portal that provides self-service access to compliance reports.
  3. Amazon GuardDuty - Provides intelligent threat detection.
12
Q

■ Jane’s company is building an application to process credit cards
■ They will be processing cards directly and not through a service
■ Their bank needs a PCI DSS compliance report for AWS
■ Where would Jane go to get the information?

A

AWS Artifact (Self-service access to compliance reports)

13
Q

■ Tim’s company is considering a transition to the cloud
■ They store personal information securely in their system
■ Tim’s CTO has asked what the company’s responsibility is for security
■ What would you tell Tim’s CTO?

A

Review the Shared Responsibility Model

14
Q

■ Ellen is a solutions architect at a startup
■ They are building a new tool for digital asset management
■ Ellen is curious how to best leverage the capabilities of AWS in this application
■ What resources would you recommend for Ellen and her team?

A

AWS Well Architected Framework

15
Q

When granting permission for a user to access AWS resources, granting them the minimum permissions needed to complete their tasks and no more is an example of what principle?

A

Least Privilege Access

16
Q

List the three types of IAM identities

A
  1. Users
  2. Groups
  3. Roles
17
Q

Which IAM identity is an account for a single individual to access AWS resources?

A

Users

18
Q

Which IAM identity allows you to manage permissions for a group of IAM users?

A

Groups

19
Q

Which IAM identity enables a user or AWS service to assume permissions for a task?

A

Roles

20
Q

List the 5 Amazon Cognito identity providers

A
  1. Google
  2. Amazon
  3. Facebook
  4. Microsoft Active Identity
  5. SAML 2.0 Providers
21
Q

■ Sylvia manages a team of DevOps engineers for her company
■ Each member of her team needs to have the same access to cloud systems
■ It is taking her a long time to attach permissions to each user for access
■ What approach would help Sylvia manage the team’s permissions?

A

Use an IAM group for the team

22
Q

■ Edward works for a startup that is building a mapping visualization tool
■ Their EC2 servers need to access data stored within S3 buckets
■ Edward created a user in IAM for these servers and uploaded keys to the server
■ Is Edward following best practices for this approach? If not, what should he do?

A

No. He should use an IAM role with EC2

23
Q

■ William is leading the effort to transition his organization to the cloud
■ His CIO is concerned about securing access to AWS resources with a password
■ He asks William to research approaches for additional security
■ What approach would you recommend to William for this additional security?

A

Use Multi-Factor Authentication (MFA)

24
Q

What is the name of the hybrid-cloud storage service offered by AWS that integrates cloud storage into a local network?

A

AWS Storage Gateway

25
Q

What are the 3 AWS Storage Gateway volume types?

A
  1. File Gateway
  2. Tape Gateway
  3. Volume Gateway

26
Q

Which AWS Storage Gateway volume type stores files in Amazon S3 while providing cached, low-latency local access?

A

File Gateway

27
Q

Which AWS Storage Gateway volume type enables tape backup processes to store data in the cloud on virtual tapes?

A

Tape Gateway

28
Q

Which AWS Storage Gateway volume type provides cloud-based iSCSI volumes to local applications?

A

Volume Gateway

29
Q

AWS _____________ is an automated data transfer service that uses an optimized protocol for high-speed synchronization to the cloud.

A

DataSync

30
Q

AWS Glue is a managed ________, _________, and __________ service.

A

Extract, Transform, Load (ETL)

31
Q

Amazon EMR provides ________ cloud processing using popular tools.

A

Big-Data

32
Q

AWS Data Pipeline is a _______ __________ _________ service across AWS services.

A

data workflow orchestration

33
Q

AWS Glue supports data in which four AWS data storage services?

A
  1. Amazon RDS
  2. Amazon DynamoDB
  3. Amazon Redshift
  4. Amazon S3

34
Q

List the six open-source tools supported in Amazon EMR.

A
  1. Apache Spark
  2. Apache Hive
  3. Apache HBase
  4. Apache Flink
  5. Apache Hudi
  6. Presto

35
Q

List the 5 data storage services that integrate with AWS Data Pipeline.

A
  1. Amazon S3
  2. Amazon EMR (Elastic MapReduce)
  3. Amazon Redshift
  4. Amazon DynamoDB
  5. Amazon RDS

36
Q

Which Amazon service enables serverless querying of large-scale data stored within Amazon S3 using standard SQL queries?

A

Amazon Athena

37
Q

Amazon ___________ is a fully managed Business Intelligence (BI) service enabling self-service data dashboards for data stored in the cloud.

A

QuickSight

38
Q

Amazon ___________ is a managed search service for custom applications.

A

CloudSearch

39
Q

Amazon __________ is a computer vision service powered by machine learning.

A

Rekognition

40
Q

Amazon __________ is a text translation service powered by machine learning.

A

Translate

41
Q

Amazon ___________ is a speech-to-text solution using machine learning.

A

Transcribe

42
Q

■ Ruth is a data scientist for a financial services company
■ A large-scale data set needs to be processed before analysis
■ Ruth doesn’t want to manage servers but just wants to define the processing
■ What service would you recommend to Ruth?

A

AWS Glue

43
Q

■ Jessi is a member of the IT team for a biotech company
■ She is currently working to identify an approach for controlled lab access
■ She wants to leverage AI to determine access based on facial imaging
■ Is there an AWS service that can help with this approach?

A

Amazon Rekognition

44
Q

■ Roger’s company sells custom services around machine learning
■ His head of sales is trying to find a great way to visualize their sales data
■ This data is currently stored in Redshift as their data warehouse
■ What AWS service would allow this access to the data by non-technical resources?

A

Amazon QuickSight

45
Q

List the four recommended AWS architectures for disaster recovery in order from lowest cost/complexity to highest cost/complexity.

A
  1. Backup and Restore
  2. Pilot Light
  3. Warm Standby
  4. Multi-site

46
Q

The time it takes to get your systems back up and running to the ideal business state after a disaster recovery event is called ___________.

A

Recovery Time Objective (RTO)

47
Q

The amount of data loss (in terms of time) for a production system during a disaster recovery event is called _____________.

A

Recovery Point Objective (RPO)

48
Q

■ Roger’s company runs several production workloads in AWS
■ Roger is tasked with architecting the disaster recovery approach
■ His organization wants there to be a seamless transition during an event
■ Which disaster recovery approach would Roger’s company use for this?

A

Multi-site

49
Q

■ Jennifer’s company is a startup
■ They do not currently have a disaster recovery approach
■ In this case, minimizing cost is more critical than minimizing RTO
■ What disaster recovery approach would you recommend to Jennifer?

A

Backup and Restore

50
Q

■ Eliza is documenting her company’s disaster recovery approach
■ They keep a few key servers up and running in AWS in case of an event
■ These servers have smaller instance types than what production would need
■ Which disaster recovery approach most closely matches this scenario?

A

Pilot Light

51
Q

__________ scaling is when you “scale up” your instance type to a larger instance type with additional resources.

A

Vertical

52
Q

__________ scaling is when you “scale out” and add additional instances to handle the demand of your application.

A

Horizontal

53
Q

What defines the instance configuration for an Amazon EC2 Auto Scaling group?

A

Launch template

54
Q

What defines the minimum, maximum, and desired number of instances?

A

Amazon EC2 Auto Scaling group

55
Q

What type of checks do Amazon EC2 Auto Scaling groups perform on each instance?

A

Health checks

56
Q

Amazon EC2 Auto Scaling groups exist within _________ availability zones in a region.

A

one or more

57
Q

Amazon EC2 Auto Scaling groups work with ______ and ________ instances.

A

On-Demand, Spot

58
Q

________ ___________ __________ is a service that manages secrets (such as passwords, keys, tokens, etc.) used in your custom applications on AWS. It also supports auto-rotation of credentials on supported AWS services.

A

AWS Secrets Manager

59
Q

In regards to controlling access to EC2 instances, which solution enables firewall-like controls for resources within the VPC?

A

EC2 Security Group

60
Q

In regards to controlling access to EC2 instances, which solution controls inbound and outbound traffic for subnets within the VPC?

A

Network Access Control Lists (ACLs)

61
Q

In regards to controlling access to EC2 instances, which solution provides secure access to an entire VPC using an encrypted tunnel?

A

AWS VPN

62
Q

Does a security group or ACL control inbound traffic, outbound traffic, or both?

A

Both

63
Q

Which is used to both allow and deny traffic: security groups or ACLs?

A

ACL

64
Q

An EC2 instance can have multiple __________ (security groups or ACLs) assigned to it.

A

Security groups

65
Q

Do security groups or ACLs work for an entire subnet?

A

ACLs

66
Q

Do security groups or ACLs operate at the instance level?

A

Security groups

67
Q

Which security service is a managed DDoS protection service for apps on AWS?
  1. AWS Shield
  2. Amazon Macie
  3. Amazon Inspector

A

AWS Shield

68
Q

Which security service is a data protection service powered by machine learning?
  1. AWS Shield
  2. Amazon Macie
  3. Amazon Inspector

A

Amazon Macie

69
Q

Which security service is an automated security assessment service for EC2 instances?
  1. AWS Shield
  2. Amazon Macie
  3. Amazon Inspector

A

Amazon Inspector

70
Q

Which pre-defined solution is targeted to serve as an organizational service catalog for the cloud?

A

AWS Service Catalog

71
Q

Which pre-defined solution enables third-party ISVs to offer configurations for the cloud that can be launched in your account?

A

AWS Marketplace

72
Q

______________ is a fully managed source control service that hosts Git repositories.

A

AWS CodeCommit

73
Q

______________ is a fully managed build and continuous integration service on AWS.

A

AWS CodeBuild

74
Q

______________ is a fully managed deployment service for applications running on Amazon EC2, AWS Fargate, AWS Lambda, and on-premises servers.

A

AWS CodeDeploy

75
Q

______________ is a fully managed continuous delivery service on AWS for automating building, deploying, and testing. It integrates with the other developer services.

A

AWS CodePipeline

76
Q

______________ is a workflow tool for automatic creation of a continuous delivery pipeline for a custom application using the other developer services.

A

AWS CodeStar

77
Q

■ Ellen is a solutions architect at a traditional financial services company
■ They recently transitioned to AWS
■ They want to be sure each department follows best practices
■ They want to create compliant IT services that other departments can use
■ What service would you recommend for Ellen and her team?

A

AWS Service Catalog

78
Q

■ Tim’s company leverages AWS for multiple production workloads
■ Recently they have had downtime due to one of their applications failing on EC2
■ Tim is looking to avoid downtime if an instance stops responding
■ What approach would you recommend for Tim to solve this issue?

A

Create an EC2 Auto Scaling group alongside an Elastic Load Balancer

79
Q

■ Jane’s company deals with sensitive information from its users
■ They have put reasonable policies in place for data stored in S3
■ Jane is worried that some of those policies might accidentally get changed
■ She is also worried about a breach going unnoticed
■ What service would you recommend to Jane and her company?

A

Amazon Macie