Introduction to Security and Architecture on AWS Flashcards
What must users agree with in order to have an account on the AWS platform?
AWS Acceptable Use Policy. It defines acceptable and unacceptable uses of their cloud platform.
“_____________ and _____________ is a shared responsibility between AWS and the customer.” – Amazon Web Services
Security and Compliance
Who is responsible for access & training for Amazon
employees?
AWS
Who is responsible for individual access to cloud
resources and training?
Customer
Who is responsible for global data centers and their underlying network?
AWS
Who is responsible for all code deployed onto
cloud infrastructure?
Customer
Who is responsible for patching cloud infrastructure and services?
AWS
Who is responsible for patching guest operating systems and custom applications?
Customer
What are the 6 pillars of a well-architected framework?
SCOOPER
- Security - Protecting information and business assets.
- Cost Optimization - Achieving minimal costs for the desired value
- Operational Excellence - Running and monitoring systems for business
- Performance Efficiency - Using resources efficiently to achieve business.
- Reliability - Enabling infrastructure to recover from disruptions.
- Sustainability
Name two services that provide fault tolerance
- Simple Queue Service (SQS)
2. Route 53
Name three services that support compliance
- AWS Config - Continually monitor AWS resources and provides conformance packs for specific compliance standards.
- AWS Artifact - Portal that provides self-service access to compliance reports.
- Amazon GuardDuty - Provides intelligent threat detection.
■ Jane’s company is building an application to process credit cards
■ They will be processing cards directly and not through a service
■ Their bank needs a PCI DSS compliance report for AWS
■ Where would Jane go to get the information?
AWS Artifact (Self-service access to compliance reports)
■ Tim’s company is considering a transition to the cloud
■ They store personal information securely in their system
■ Tim’s CTO has asked what the company’s responsibility is for security
■ What would you tell Tim’s CTO?
Review the Shared Responsibility Model
■ Ellen is a solutions architect at a startup
■ They are building a new tool for digital asset management
■ Ellen is curious how to best leverage the capabilities of AWS in this application
■ What resources would you recommend for Ellen and her team?
AWS Well Architected Framework
When granting permission for a user to access AWS resources, granting them the minimum permissions needed to complete their tasks and no more is an example of what principle?
Least Privilege Access
List the 3 three types of IAM identities
- Users
- Groups
- Roles
Which IAM identity is an account for a single individual to access AWS resources?
Users
Which IAM identity allows you to manage permissions for a group of IAM users?
Groups
Which IAM identity enables a user or AWS service to assume permissions for a task?
Roles
List the 5 Amazon Cognito identity providers
- Amazon
- Microsoft Active Identity
- SAML 2.0 Providers
■ Sylvia manages a team of DevOps engineers for her company
■ Each member of her team needs to have the same access to cloud systems
■ It is taking her a long time to attach permissions to each user for access
■ What approach would help Sylvia manage the team’s permissions?
Use an IAM group for team
■ Edward works for a startup that is building a mapping visualization tool
■ Their EC2 servers need to access data stored within S3 buckets
■ Edward created a user in IAM for these servers and uploaded keys to the server
■ Is Edward following best practices for this approach? If not, what should he do?
No. He should use an IAM role with EC2
■ William is leading the effort to transition his organization to the cloud
■ His CIO is concerned about securing access to AWS resources with a password
■ He asks William to research approaches for additional security
■ What approach would you recommend to William for this additional security?
Use Multi-Factor Authentication (MFA)
What is the name of the hybrid-cloud storage service offered by AWS that integrates cloud storage into a local network?
AWS Storage Gateway
What are the 3 AWS Storage Gateway Volume Types?
- File Gateway
- Tape Gateway
- Volume Gateway
Which AWS storage gateway volume type stores files in Amazon S3 while providing cached low latency local access?
File Gateway
Which AWS storage gateway volume type enables tape backup processes to store data in the cloud on virtual tapes?
Tape Gateway
Which AWS storage gateway volume type provides cloud-based iSCSI volumes to local applications?
Volume Gateway
AWS _____________ is an automated data transfer service that uses an optimized protocol for high-speed synchronization to the cloud.
DataSync
AWS Glue is a managed ________, _________, and __________ service.
Extract, Transform, Load (ETL)
Amazon EMR provides ________ cloud processing using popular tools.
Big-Data
AWS Data Pipeline is a _______ __________ _________ service across AWS services.
data workflow orchestration
AWS Glue supports data in which four AWS data storage services?
- Amazon RDS
- Amazon DynamoDB
- Amazon Redshift
- Amazon S3
List the six open-source tools supported in Amazon EMR.
- Apache Spark
- Apache Hive
- Apache HBase
- Apache Flink
- Apache Hudi
- Presto
List the 5 data storage services that integrate with AWS Data Pipeline.
- Amazon S3
- Amazon EMR (Elastic Map Reduce)
- Amazon Redshift
- Amazon DynamoDB
- Amazon RDS
Which Amazon service enables serverless querying of large-scale data stored within Amazon S3 using standard SQL queries?
Amazon Athena
Amazon ___________ is a fully managed Business Intelligence (BI) service enabling self-service data
dashboards for data stored in the cloud
Quicksight
Amazon ___________ is a managed search service for custom applications.
CloudSearch
Amazon __________ is a computer vision service powered by Machine Learning.
Rekognition
Amazon __________ is a text translation service powered by machine Learning.
Translate
Amazon ___________ is a speech to text solution using Machine learning
Transcribe
■ Ruth is a data scientist for a financial services company
■ Large-scale data set needs to be processed before analysis
■ Ruth doesn’t want to manage servers but just wants to define processing
■ What service would you recommend to Ruth?
AWS Glue
■ Jessi is a member of the IT team for a biotech company
■ She is currently working to identify an approach for controlled lab access
■ She wants leverage AI to determine access based on facial imaging
■ Is there an AWS service that can help with this approach?
Amazon Rekognition
■ Roger’s company sells custom services around machine learning
■ His head of sales is trying to find a great way to visualize their sales data
■ This data is currently stored in Redshift as their data warehouse
■ What AWS service would allow this access to the data by non-technical resources?
Amazon Quicksight
List the four recommended AWS architectures for disaster recovery in order from lowest cost/complexity to highest cost/complexity.
- Backup and Restore
- Pilot Light
- Warm Standby
- Multi-site
The time it takes to get your systems back up and running to the ideal business state after a disaster recovery event is called ___________.
Recovery Time Objective (RTO)
The amount of data loss (in terms of time) for a production system during a disaster recovery event is called _____________.
Recovery Point Objective (RPO)
■ Roger’s company runs several production workloads in AWS
■ Roger is tasked with architecting the disaster recovering approach
■ His organization wants there to be a seamless transition during an event
■ Which disaster recovery approach would Roger’s company use for this?
Multi-site
■ Jennifer’s company is a startup
■ They do not currently have a disaster recovery approach
■ In this case, minimizing cost is more critical than minimizing RTO
■ What disaster recovery approach would you recommend to Jennifer?
Backup and Restore
■ Eliza is documenting her company’s disaster recovery approach
■ They keep a few key servers up an running in AWS in case of an event
■ These servers have smaller instance types than what production would need
■ Which disaster recovery approach most closely matches this scenario?
Pilot Light
__________ scaling is when you “scale up” your instance type to a larger instance type with additional resources.
Vertical
__________ scaling is when you “scale out” and add additional instances to handle the demand of your application
Horizontal
What defines the instance configuration for an Amazon EC2 auto-scaling group?
Launch template
What defines the minimum, maximum, and desired number of instances
Amazon EC2 Auto-Scaling Group
What type of checks do Amazon EC2 auto-scaling groups perform on each instance?
Health checks
Amazon EC2 auto-scaling groups exist within _________ availability zones in a region
one or more
Amazon EC2 auto-scaling groups work with ______ and ________ instances
On-demand, spot
________ ___________ __________ is a service that manages secrets (such as passwords, keys, tokens, etc…) used in your custom applications on AWS. It also supports auto-rotation of credentials on supported AWS services.
AWS Secrets Manager
In regards to controlling access to EC2 instances, which solution enables firewall-like controls for resources within the VPC?
EC2 Security Group
In regards to controlling access to EC2 instances, which solution controls inbound and outbound traffic for subnets within the VPC?
Network Access Control Lists (ACL’s)
In regards to controlling access to EC2 instances, which solution provides secure access to an entire VPC using an encrypted tunnel?
AWS VPN
Does a security group or ACL control inbound traffic, outbound traffic, or both?
Both
Which is used to allow or deny traffic: security groups or ACL’s?
ACL
An EC2 instance can have multiple __________ (security groups or ACL’s) assigned to it
Security groups
Do security groups or ACL’s work for an entire subnet?
ACL’s
Do security groups or ACL’s operate at the instance level?
Security groups
Which security service is a managed DDoS protection service for apps on AWS?
- AWS Shield
- Amazon Macie
- Amazon Inspector
AWS Shield
Which security service is a data protection service powered by machine learning?
- AWS Shield
- Amazon Macie
- Amazon Inspector
Amazon Macie
Which security service is an automated security assessment service for EC2 instances?
- AWS Shield
- Amazon Macie
- Amazon Inspector
Amazon Inspector
Which pre-defined solution is targeted to serve as an organizational service catalog for the cloud?
AWS Service Catalog
Which pre-defined solution enables third-party ISV’s to offer configurations for the cloud that can be launched in your account?
AWS Marketplace
______________ is a fully managed source control service using AWS CodeCommit Git.
AWS CodeCommit
______________ is a fully managed build and continuous integration service on AWS
AWS CodeBuild
______________ is a fully managed deployment service for applications running on Amazon EC2, AWS Fargate, AWS Lambda, and on-premise servers
AWS CodeDeploy
______________ is a fully managed continuous delivery service on AWS for automating building, deploying, and testing. Integrates with other developer services
AWS CodePipeline
______________ is a workflow tool for automatic creation of a continuous delivery pipeline for a custom application using the other developer services
AWS CodeStar
■ Ellen is a solutions architect at a traditional financial services company
■ They recently transitioned to AWS
■ They want to be sure each department follows best practices
■ They want to create compliant IT services that other departments can use
■ What service would you recommend for Ellen and her team?
AWS Service Catalog
■ Tim’s company leverages AWS for multiple production workloads
■ Recently they have had downtime due to one of their applications failing on EC2
■ Tim is looking to avoid downtime if an instance stops responding
■ What approach would you recommend for Tim to solve this issue?
Create an EC2 Auto-scaling Group alongside an Elastic Load Balancer
■ Jane’s company deals with sensitive information from its users
■ They have put reasonable policies in place for data stored in S3
■ Jane is worried if some of those policies accidentally get changed
■ She is also worried of a breach going unnoticed
■ What service would you recommend to Jane and her company?
Amazon Macie