Introduction to Security and Architecture on AWS

Question 1

What must users agree with in order to have an account on the AWS platform?

Answer 1

AWS Acceptable Use Policy. It defines acceptable and unacceptable uses of their cloud platform.

Question 2

“_____________ and _____________ is a shared responsibility between AWS and the customer.” – Amazon Web Services

Answer 2

Security and Compliance

Question 3

Who is responsible for access & training for Amazon

employees?

Answer 3

AWS

Question 4

Who is responsible for individual access to cloud

resources and training?

Answer 4

Customer

Question 5

Who is responsible for global data centers and their underlying network?

Answer 5

AWS

Question 6

Who is responsible for all code deployed onto

cloud infrastructure?

Answer 6

Customer

Question 7

Who is responsible for patching cloud infrastructure and services?

Answer 7

AWS

Question 8

Who is responsible for patching guest operating systems and custom applications?

Answer 8

Customer

Question 9

What are the 6 pillars of a well-architected framework?

Answer 9

SCOOPER

1. Security - Protecting information and business assets.
2. Cost Optimization - Achieving minimal costs for the desired value
3. Operational Excellence - Running and monitoring systems for business
4. Performance Efficiency - Using resources efficiently to achieve business.
5. Reliability - Enabling infrastructure to recover from disruptions.
6. Sustainability

Question 10

Name two services that provide fault tolerance

Answer 10

1. Simple Queue Service (SQS)

2. Route 53

Question 11

Name three services that support compliance

Answer 11

1. AWS Config - Continually monitor AWS resources and provides conformance packs for specific compliance standards.
2. AWS Artifact - Portal that provides self-service access to compliance reports.
3. Amazon GuardDuty - Provides intelligent threat detection.

Question 12

■ Jane’s company is building an application to process credit cards
■ They will be processing cards directly and not through a service
■ Their bank needs a PCI DSS compliance report for AWS
■ Where would Jane go to get the information?

Answer 12

AWS Artifact (Self-service access to compliance reports)

Question 13

■ Tim’s company is considering a transition to the cloud
■ They store personal information securely in their system
■ Tim’s CTO has asked what the company’s responsibility is for security
■ What would you tell Tim’s CTO?

Answer 13

Review the Shared Responsibility Model

Question 14

■ Ellen is a solutions architect at a startup
■ They are building a new tool for digital asset management
■ Ellen is curious how to best leverage the capabilities of AWS in this application
■ What resources would you recommend for Ellen and her team?

Answer 14

AWS Well Architected Framework

Question 15

When granting permission for a user to access AWS resources, granting them the minimum permissions needed to complete their tasks and no more is an example of what principle?

Answer 15

Least Privilege Access

Question 16

List the 3 three types of IAM identities

Answer 16

1. Users
2. Groups
3. Roles

Question 17

Which IAM identity is an account for a single individual to access AWS resources?

Answer 17

Users

Question 18

Which IAM identity allows you to manage permissions for a group of IAM users?

Answer 18

Groups

Question 19

Which IAM identity enables a user or AWS service to assume permissions for a task?

Answer 19

Roles

Question 20

List the 5 Amazon Cognito identity providers

Answer 20

1. Google
2. Amazon
3. Facebook
4. Microsoft Active Identity
5. SAML 2.0 Providers

Question 21

■ Sylvia manages a team of DevOps engineers for her company
■ Each member of her team needs to have the same access to cloud systems
■ It is taking her a long time to attach permissions to each user for access
■ What approach would help Sylvia manage the team’s permissions?

Answer 21

Use an IAM group for team

Question 22

■ Edward works for a startup that is building a mapping visualization tool
■ Their EC2 servers need to access data stored within S3 buckets
■ Edward created a user in IAM for these servers and uploaded keys to the server
■ Is Edward following best practices for this approach? If not, what should he do?

Answer 22

No. He should use an IAM role with EC2

Question 23

■ William is leading the effort to transition his organization to the cloud
■ His CIO is concerned about securing access to AWS resources with a password
■ He asks William to research approaches for additional security
■ What approach would you recommend to William for this additional security?

Answer 23

Use Multi-Factor Authentication (MFA)

Question 24

What is the name of the hybrid-cloud storage service offered by AWS that integrates cloud storage into a local network?

Answer 24

AWS Storage Gateway

Question 25

What are the 3 AWS Storage Gateway Volume Types?

Answer 25

1. File Gateway
2. Tape Gateway
3. Volume Gateway

Question 26

Which AWS storage gateway volume type stores files in Amazon S3 while providing cached low latency local access?

Answer 26

File Gateway

Question 27

Which AWS storage gateway volume type enables tape backup processes to store data in the cloud on virtual tapes?

Answer 27

Tape Gateway

Question 28

Which AWS storage gateway volume type provides cloud-based iSCSI volumes to local applications?

Answer 28

Volume Gateway

Question 29

AWS _____________ is an automated data transfer service that uses an optimized protocol for high-speed synchronization to the cloud.

Answer 29

DataSync

Question 30

AWS Glue is a managed ________, _________, and __________ service.

Answer 30

Extract, Transform, Load (ETL)

Question 31

Amazon EMR provides ________ cloud processing using popular tools.

Answer 31

Big-Data

Question 32

AWS Data Pipeline is a _______ __________ _________ service across AWS services.

Answer 32

data workflow orchestration

Question 33

AWS Glue supports data in which four AWS data storage services?

Answer 33

1. Amazon RDS
2. Amazon DynamoDB
3. Amazon Redshift
4. Amazon S3

Question 34

List the six open-source tools supported in Amazon EMR.

Answer 34

1. Apache Spark
2. Apache Hive
3. Apache HBase
4. Apache Flink
5. Apache Hudi
6. Presto

Question 35

List the 5 data storage services that integrate with AWS Data Pipeline.

Answer 35

1. Amazon S3
2. Amazon EMR (Elastic Map Reduce)
3. Amazon Redshift
4. Amazon DynamoDB
5. Amazon RDS

Question 36

Which Amazon service enables serverless querying of large-scale data stored within Amazon S3 using standard SQL queries?

Answer 36

Amazon Athena

Question 37

Amazon ___________ is a fully managed Business Intelligence (BI) service enabling self-service data
dashboards for data stored in the cloud

Answer 37

Quicksight

Question 38

Amazon ___________ is a managed search service for custom applications.

Answer 38

CloudSearch

Question 39

Amazon __________ is a computer vision service powered by Machine Learning.

Answer 39

Rekognition

Question 40

Amazon __________ is a text translation service powered by machine Learning.

Answer 40

Translate

Question 41

Amazon ___________ is a speech to text solution using Machine learning

Answer 41

Transcribe

Question 42

■ Ruth is a data scientist for a financial services company
■ Large-scale data set needs to be processed before analysis
■ Ruth doesn’t want to manage servers but just wants to define processing
■ What service would you recommend to Ruth?

Answer 42

AWS Glue

Question 43

■ Jessi is a member of the IT team for a biotech company
■ She is currently working to identify an approach for controlled lab access
■ She wants leverage AI to determine access based on facial imaging
■ Is there an AWS service that can help with this approach?

Answer 43

Amazon Rekognition

Question 44

■ Roger’s company sells custom services around machine learning
■ His head of sales is trying to find a great way to visualize their sales data
■ This data is currently stored in Redshift as their data warehouse
■ What AWS service would allow this access to the data by non-technical resources?

Answer 44

Amazon Quicksight

Question 45

List the four recommended AWS architectures for disaster recovery in order from lowest cost/complexity to highest cost/complexity.

Answer 45

1. Backup and Restore
2. Pilot Light
3. Warm Standby
4. Multi-site

Question 46

The time it takes to get your systems back up and running to the ideal business state after a disaster recovery event is called ___________.

Answer 46

Recovery Time Objective (RTO)

Question 47

The amount of data loss (in terms of time) for a production system during a disaster recovery event is called _____________.

Answer 47

Recovery Point Objective (RPO)

Question 48

■ Roger’s company runs several production workloads in AWS
■ Roger is tasked with architecting the disaster recovering approach
■ His organization wants there to be a seamless transition during an event
■ Which disaster recovery approach would Roger’s company use for this?

Answer 48

Multi-site

Question 49

■ Jennifer’s company is a startup
■ They do not currently have a disaster recovery approach
■ In this case, minimizing cost is more critical than minimizing RTO
■ What disaster recovery approach would you recommend to Jennifer?

Answer 49

Backup and Restore

Question 50

■ Eliza is documenting her company’s disaster recovery approach
■ They keep a few key servers up an running in AWS in case of an event
■ These servers have smaller instance types than what production would need
■ Which disaster recovery approach most closely matches this scenario?

Answer 50

Pilot Light

Question 51

__________ scaling is when you “scale up” your instance type to a larger instance type with additional resources.

Answer 51

Vertical

Question 52

__________ scaling is when you “scale out” and add additional instances to handle the demand of your application

Answer 52

Horizontal

Question 53

What defines the instance configuration for an Amazon EC2 auto-scaling group?

Answer 53

Launch template

Question 54

What defines the minimum, maximum, and desired number of instances

Answer 54

Amazon EC2 Auto-Scaling Group

Question 55

What type of checks do Amazon EC2 auto-scaling groups perform on each instance?

Answer 55

Health checks

Question 56

Amazon EC2 auto-scaling groups exist within _________ availability zones in a region

Answer 56

one or more

Question 57

Amazon EC2 auto-scaling groups work with ______ and ________ instances

Answer 57

On-demand, spot

Question 58

________ ___________ __________ is a service that manages secrets (such as passwords, keys, tokens, etc…) used in your custom applications on AWS. It also supports auto-rotation of credentials on supported AWS services.

Answer 58

AWS Secrets Manager

Question 59

In regards to controlling access to EC2 instances, which solution enables firewall-like controls for resources within the VPC?

Answer 59

EC2 Security Group

Question 60

In regards to controlling access to EC2 instances, which solution controls inbound and outbound traffic for subnets within the VPC?

Answer 60

Network Access Control Lists (ACL’s)

Question 61

In regards to controlling access to EC2 instances, which solution provides secure access to an entire VPC using an encrypted tunnel?

Answer 61

AWS VPN

Question 62

Does a security group or ACL control inbound traffic, outbound traffic, or both?

Answer 62

Both

Question 63

Which is used to allow or deny traffic: security groups or ACL’s?

Answer 63

ACL

Question 64

An EC2 instance can have multiple __________ (security groups or ACL’s) assigned to it

Answer 64

Security groups

Question 65

Do security groups or ACL’s work for an entire subnet?

Answer 65

ACL’s

Question 66

Do security groups or ACL’s operate at the instance level?

Answer 66

Security groups

Question 67

Which security service is a managed DDoS protection service for apps on AWS?

1. AWS Shield
2. Amazon Macie
3. Amazon Inspector

Answer 67

AWS Shield

Question 68

Which security service is a data protection service powered by machine learning?

1. AWS Shield
2. Amazon Macie
3. Amazon Inspector

Answer 68

Amazon Macie

Question 69

Which security service is an automated security assessment service for EC2 instances?

1. AWS Shield
2. Amazon Macie
3. Amazon Inspector

Answer 69

Amazon Inspector

Question 70

Which pre-defined solution is targeted to serve as an organizational service catalog for the cloud?

Answer 70

AWS Service Catalog

Question 71

Which pre-defined solution enables third-party ISV’s to offer configurations for the cloud that can be launched in your account?

Answer 71

AWS Marketplace

Question 72

______________ is a fully managed source control service using AWS CodeCommit Git.

Answer 72

AWS CodeCommit

Question 73

______________ is a fully managed build and continuous integration service on AWS

Answer 73

AWS CodeBuild

Question 74

______________ is a fully managed deployment service for applications running on Amazon EC2, AWS Fargate, AWS Lambda, and on-premise servers

Answer 74

AWS CodeDeploy

Question 75

______________ is a fully managed continuous delivery service on AWS for automating building, deploying, and testing. Integrates with other developer services

Answer 75

AWS CodePipeline

Question 76

______________ is a workflow tool for automatic creation of a continuous delivery pipeline for a custom application using the other developer services

Answer 76

AWS CodeStar

Question 77

■ Ellen is a solutions architect at a traditional financial services company
■ They recently transitioned to AWS
■ They want to be sure each department follows best practices
■ They want to create compliant IT services that other departments can use
■ What service would you recommend for Ellen and her team?

Answer 77

AWS Service Catalog

Question 78

■ Tim’s company leverages AWS for multiple production workloads
■ Recently they have had downtime due to one of their applications failing on EC2
■ Tim is looking to avoid downtime if an instance stops responding
■ What approach would you recommend for Tim to solve this issue?

Answer 78

Create an EC2 Auto-scaling Group alongside an Elastic Load Balancer

Question 79

■ Jane’s company deals with sensitive information from its users
■ They have put reasonable policies in place for data stored in S3
■ Jane is worried if some of those policies accidentally get changed
■ She is also worried of a breach going unnoticed
■ What service would you recommend to Jane and her company?

Answer 79

Amazon Macie