Introduction to Security and Architecture on AWS Flashcards

1
Q

What must users agree with in order to have an account on the AWS platform?

A

The AWS Acceptable Use Policy, which defines the acceptable and prohibited uses of the platform.

2
Q

“_____________ and _____________ is a shared responsibility between AWS and the customer.” – Amazon Web Services

A

Security and Compliance

3
Q

Who is responsible for access and training for Amazon employees?

A

AWS

4
Q

Who is responsible for individual access to cloud resources and training?

A

Customer

5
Q

Who is responsible for global data centers and their underlying network?

A

AWS

6
Q

Who is responsible for all code deployed onto cloud infrastructure?

A

Customer

7
Q

Who is responsible for patching cloud infrastructure and services?

A

AWS

8
Q

Who is responsible for patching guest operating systems and custom applications?

A

Customer

9
Q

What are the six pillars of the AWS Well-Architected Framework?

A

SCOOPER

  1. Security - Protecting information, systems and assets.
  2. Cost Optimization - Delivering business value at the lowest price point.
  3. Operational Excellence - Running and monitoring systems to deliver business value, and continually improving the supporting processes.
  4. Performance Efficiency - Using computing resources efficiently to meet requirements, and keeping that efficiency as demand changes.
  5. Reliability - Enabling a workload to recover from failures and disruptions and meet demand.
  6. Sustainability - Minimizing the environmental impact of running cloud workloads.
10
Q

Name two services that provide fault tolerance

A
  1. Simple Queue Service (SQS)
  2. Route 53

11
Q

Name three services that support compliance

A
  1. AWS Config - Continually monitor AWS resources and provides conformance packs for specific compliance standards.
  2. AWS Artifact - Portal that provides self-service access to compliance reports.
  3. Amazon GuardDuty - Provides intelligent threat detection.
12
Q

■ Jane’s company is building an application to process credit cards
■ They will be processing cards directly and not through a service
■ Their bank needs a PCI DSS compliance report for AWS
■ Where would Jane go to get the information?

A

AWS Artifact (Self-service access to compliance reports)

13
Q

■ Tim’s company is considering a transition to the cloud
■ They store personal information securely in their system
■ Tim’s CTO has asked what the company’s responsibility is for security
■ What would you tell Tim’s CTO?

A

Review the Shared Responsibility Model

14
Q

■ Ellen is a solutions architect at a startup
■ They are building a new tool for digital asset management
■ Ellen is curious how to best leverage the capabilities of AWS in this application
■ What resources would you recommend for Ellen and her team?

A

AWS Well Architected Framework

15
Q

When granting permission for a user to access AWS resources, granting them the minimum permissions needed to complete their tasks and no more is an example of what principle?

A

Least Privilege Access

16
Q

List the three types of IAM identities

A
  1. Users
  2. Groups
  3. Roles
17
Q

Which IAM identity is an account for a single individual to access AWS resources?

A

Users

18
Q

Which IAM identity allows you to manage permissions for a group of IAM users?

A

Groups

19
Q

Which IAM identity can be assumed by a user, application or AWS service to obtain temporary permissions for a task?

A

Roles

20
Q

List the 5 Amazon Cognito identity providers

A
  1. Google
  2. Amazon (Login with Amazon)
  3. Facebook
  4. Microsoft Active Directory (federated through SAML 2.0)
  5. SAML 2.0 providers
Sign in with Apple and OpenID Connect (OIDC) providers are also supported.
21
Q

■ Sylvia manages a team of DevOps engineers for her company
■ Each member of her team needs to have the same access to cloud systems
■ It is taking her a long time to attach permissions to each user for access
■ What approach would help Sylvia manage the team’s permissions?

A

Use an IAM group for the team: attach the policies to the group once and add each engineer to it.

22
Q

■ Edward works for a startup that is building a mapping visualization tool
■ Their EC2 servers need to access data stored within S3 buckets
■ Edward created a user in IAM for these servers and uploaded keys to the server
■ Is Edward following best practices for this approach? If not, what should he do?

A

No. Long-lived access keys stored on a server can be copied by anyone who compromises it and must be rotated by hand. He should attach an IAM role (via an instance profile) to the EC2 instances; the instances then obtain temporary credentials automatically and no keys are stored on disk.
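The following is an added example, not code from the original flashcards or from AWS, covering cards 15 and 22 together. It shows the least-privilege policy you would attach to Edward's instance role (list one bucket, read its objects, refuse plaintext transport) and a simplified model of how IAM decides each request: an explicit Deny always wins, an Allow beats the implicit default Deny, and anything not mentioned is denied. The bucket name is made up; NotAction, NotResource, resource-based policies and permission boundaries are deliberately left out of the model.

```python
"""Simplified model of how IAM evaluates one identity-based policy.

Added example, not code from the original page or from AWS. It implements the
documented decision order (an explicit Deny always wins, an Allow beats the
implicit default Deny), '*' and '?' wildcards in Action and Resource, and the
Bool condition operator. NotAction, NotResource, resource-based policies and
permission boundaries are left out. The bucket name is a made-up value.
"""
import re

# Least-privilege policy for the EC2 instance role in the scenario above:
# list one bucket and read its objects, and nothing else. (Constructed example.)
READ_ONE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListTheBucket", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::mapping-tiles-example"},
        {"Sid": "ReadObjects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::mapping-tiles-example/*"},
        # Explicit deny: refuses any S3 call made without TLS, even if allowed above.
        {"Sid": "DenyPlaintextTransport", "Effect": "Deny", "Action": "s3:*",
         "Resource": "*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _condition_holds(condition, context):
    """Only Bool is modelled. A key missing from the request context never matches."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, expected in pairs.items():
            if key not in context or str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for a single request.

    Action names are case-insensitive; resource ARNs are case-sensitive."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(p, action, True) for p in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(p, resource, False) for p in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"          # final: no later Allow can override it
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    tls = {"aws:SecureTransport": "true"}
    obj = "arn:aws:s3:::mapping-tiles-example/tiles/z1/x0/y0.png"
    for req in [("s3:GetObject", obj, tls),
                ("s3:DeleteObject", obj, tls),
                ("s3:GetObject", "arn:aws:s3:::some-other-bucket/secret.csv", tls),
                ("s3:GetObject", obj, {"aws:SecureTransport": "false"}),
                ("ec2:TerminateInstances", "*", tls)]:
        print(f"{req[0]:<24} -> {evaluate(READ_ONE_BUCKET, *req)}")
```

Running the block shows the shape of least privilege: the one read path is allowed, a delete on the same object and a read on any other bucket fall through to the implicit deny without needing a Deny statement, and the single explicit Deny overrides the Allow the moment the request arrives without TLS. Attached to a role rather than a user, this policy reaches the instances without any access key ever being written to disk.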

23
Q

■ William is leading the effort to transition his organization to the cloud
■ His CIO is concerned about securing access to AWS resources with a password
■ He asks William to research approaches for additional security
■ What approach would you recommend to William for this additional security?

A

Use Multi-Factor Authentication (MFA)

24
Q

What is the name of the hybrid-cloud storage service offered by AWS that integrates cloud storage into a local network?

A

AWS Storage Gateway

25
Q

What are the three AWS Storage Gateway gateway types?

A
  1. File Gateway
  2. Tape Gateway
  3. Volume Gateway
26
Q

Which AWS Storage Gateway type presents an NFS or SMB file share, stores the files as objects in Amazon S3, and keeps a local cache for low-latency access?

A

File Gateway

27
Q

Which AWS Storage Gateway type enables existing tape backup software to store data in the cloud on virtual tapes?

A

Tape Gateway

28
Q

Which AWS Storage Gateway type provides cloud-backed iSCSI block volumes to local applications?

A

Volume Gateway

29
Q

AWS _____________ is an automated data transfer service that uses an optimized protocol for high-speed synchronization to the cloud.

A

DataSync

30
Q

AWS Glue is a managed ________, _________, and __________ service.

A

Extract, Transform, Load (ETL)

31
Q

Amazon EMR provides ________ cloud processing using popular tools.

A

Big-Data

32
Q

AWS Data Pipeline is a _______ __________ _________ service across AWS services.

A

data workflow orchestration

33
Q

AWS Glue supports data in which four AWS data storage services?

A
  1. Amazon RDS
  2. Amazon DynamoDB
  3. Amazon Redshift
  4. Amazon S3
34
Q

List the six open-source tools supported in Amazon EMR.

A
  1. Apache Spark
  2. Apache Hive
  3. Apache HBase
  4. Apache Flink
  5. Apache Hudi
  6. Presto
35
Q

List the five AWS services that integrate with AWS Data Pipeline.

A
  1. Amazon S3
  2. Amazon EMR (Elastic MapReduce)
  3. Amazon Redshift
  4. Amazon DynamoDB
  5. Amazon RDS
36
Q

Which Amazon service enables serverless querying of large-scale data stored within Amazon S3 using standard SQL queries?

A

Amazon Athena

37
Q

Amazon ___________ is a fully managed Business Intelligence (BI) service enabling self-service data dashboards for data stored in the cloud

A

QuickSight

38
Q

Amazon ___________ is a managed search service for custom applications.

A

CloudSearch

39
Q

Amazon __________ is a computer vision service powered by machine learning.

A

Rekognition

40
Q

Amazon __________ is a text translation service powered by machine learning.

A

Translate

41
Q

Amazon ___________ is a speech-to-text service powered by machine learning.

A

Transcribe

42
Q

■ Ruth is a data scientist for a financial services company
■ Large-scale data set needs to be processed before analysis
■ Ruth doesn’t want to manage servers but just wants to define processing
■ What service would you recommend to Ruth?

A

AWS Glue

43
Q

■ Jessi is a member of the IT team for a biotech company
■ She is currently working to identify an approach for controlled lab access
■ She wants to leverage AI to determine access based on facial imaging
■ Is there an AWS service that can help with this approach?

A

Amazon Rekognition

44
Q

■ Roger’s company sells custom services around machine learning
■ His head of sales is trying to find a great way to visualize their sales data
■ This data is currently stored in Redshift as their data warehouse
■ What AWS service would allow this access to the data by non-technical resources?

A

Amazon QuickSight

45
Q

List the four recommended AWS architectures for disaster recovery in order from lowest cost/complexity to highest cost/complexity.

A
  1. Backup and Restore
  2. Pilot Light
  3. Warm Standby
  4. Multi-site
46
Q

The maximum acceptable time for getting your systems back up and running to the desired business state after a disaster recovery event is called ___________.

A

Recovery Time Objective (RTO)

47
Q

The maximum acceptable data loss for a production system during a disaster recovery event, expressed as the time between the last recoverable copy and the event, is called _____________.

A

Recovery Point Objective (RPO)

48
Q

■ Roger’s company runs several production workloads in AWS
■ Roger is tasked with architecting the disaster recovery approach
■ His organization wants there to be a seamless transition during an event
■ Which disaster recovery approach would Roger’s company use for this?

A

Multi-site

49
Q

■ Jennifer’s company is a startup
■ They do not currently have a disaster recovery approach
■ In this case, minimizing cost is more critical than minimizing RTO
■ What disaster recovery approach would you recommend to Jennifer?

A

Backup and Restore

50
Q

■ Eliza is documenting her company’s disaster recovery approach
■ They keep a few key servers up and running in AWS in case of an event
■ These servers have smaller instance types than what production would need
■ Which disaster recovery approach most closely matches this scenario?

A

Pilot Light

51
Q

__________ scaling is when you “scale up” your instance type to a larger instance type with additional resources.

A

Vertical

52
Q

__________ scaling is when you “scale out” and add additional instances to handle the demand of your application

A

Horizontal

53
Q

What defines the instance configuration for an Amazon EC2 auto-scaling group?

A

Launch template

54
Q

What defines the minimum, maximum, and desired number of instances?

A

Amazon EC2 Auto-Scaling Group

55
Q

What type of checks do Amazon EC2 auto-scaling groups perform on each instance?

A

Health checks

56
Q

Amazon EC2 auto-scaling groups exist within _________ availability zones in a region

A

one or more

57
Q

Amazon EC2 auto-scaling groups work with ______ and ________ instances

A

On-Demand and Spot

58
Q

________ ___________ __________ is a service that manages secrets (such as passwords, keys, tokens, etc…) used in your custom applications on AWS. It also supports auto-rotation of credentials on supported AWS services.

A

AWS Secrets Manager

59
Q

In regards to controlling access to EC2 instances, which solution enables firewall-like controls for resources within the VPC?

A

EC2 Security Group

60
Q

In regards to controlling access to EC2 instances, which solution controls inbound and outbound traffic for subnets within the VPC?

A

Network Access Control Lists (NACLs)

61
Q

In regards to controlling access to EC2 instances, which solution provides secure access to an entire VPC using an encrypted tunnel?

A

AWS VPN

62
Q

Does a security group or ACL control inbound traffic, outbound traffic, or both?

A

Both

63
Q

Which is used to allow or deny traffic: security groups or ACL’s?

A

Network ACLs. Security groups contain allow rules only; anything not explicitly allowed is implicitly denied.

64
Q

An EC2 instance can have multiple __________ (security groups or ACL’s) assigned to it

A

Security groups

65
Q

Do security groups or ACL’s work for an entire subnet?

A

Network ACLs (each subnet is associated with exactly one network ACL)

66
Q

Do security groups or ACL’s operate at the instance level?

A

Security groups
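The following is an added example, not code from the original flashcards or from AWS, that turns cards 59 to 66 into a runnable simulation. It models the four differences the cards list: a security group holds allow rules only, is stateful, and an instance can carry several of them; a network ACL holds numbered allow/deny rules evaluated lowest number first, is stateless, and applies to the whole subnet. All addresses, ports and rule numbers are constructed, and the model ignores ICMP, IPv6 and connection timeouts.

```python
"""Security groups vs network ACLs as a small packet-filter simulation.

Added example, not code from the original page or from AWS. Security groups
are modelled as allow-only, stateful filters on the instance (rules from all
attached groups are unioned); network ACLs as ordered allow/deny rules on the
subnet with an implicit final deny and no connection tracking. Addresses,
ports and rule numbers are made-up values.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def _hit(proto, lo, hi, cidr, pkt_proto, port, peer):
    """True when a (proto, from_port, to_port, cidr) rule matches the packet."""
    return proto == pkt_proto and lo <= port <= hi and ip_address(peer) in ip_network(cidr)


class SecurityGroup:
    """Allow rules only, no deny rules; each rule is (proto, from_port, to_port, cidr)."""
    def __init__(self, inbound=(), outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)


class Instance:
    """An ENI with one or more security groups and a flow table that makes them
    stateful: the reply half of an accepted connection passes without a rule."""
    def __init__(self, ip, groups):
        self.ip, self.groups, self.flows = ip, list(groups), set()

    def accept_inbound(self, p):
        if (p.src_ip, p.src_port, p.dst_port) in self.flows:      # reply to a flow we opened
            return True
        if any(_hit(*r, p.proto, p.dst_port, p.src_ip) for g in self.groups for r in g.inbound):
            self.flows.add((p.src_ip, p.src_port, p.dst_port))
            return True
        return False

    def accept_outbound(self, p):
        if (p.dst_ip, p.dst_port, p.src_port) in self.flows:      # reply to an inbound flow
            return True
        if any(_hit(*r, p.proto, p.dst_port, p.dst_ip) for g in self.groups for r in g.outbound):
            self.flows.add((p.dst_ip, p.dst_port, p.src_port))
            return True
        return False


class NetworkAcl:
    """One per subnet. Rules are (number, action, proto, from_port, to_port, cidr),
    evaluated lowest number first; first match wins; the implicit last rule denies.
    Stateless: return traffic needs its own rule, usually on the ephemeral port range."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = sorted(inbound), sorted(outbound)

    @staticmethod
    def _decide(rules, pkt_proto, port, peer):
        for _num, action, proto, lo, hi, cidr in rules:
            if _hit(proto, lo, hi, cidr, pkt_proto, port, peer):
                return action == "allow"
        return False

    def allow_inbound(self, p):
        return self._decide(self.inbound, p.proto, p.dst_port, p.src_ip)

    def allow_outbound(self, p):
        return self._decide(self.outbound, p.proto, p.dst_port, p.dst_ip)


def inbound_ok(p, acl, inst):
    """Traffic entering the subnet meets the NACL first, then the instance's groups."""
    return acl.allow_inbound(p) and inst.accept_inbound(p)


def outbound_ok(p, acl, inst):
    return inst.accept_outbound(p) and acl.allow_outbound(p)


def run_scenarios():
    """Constructed rule sets and packets; returns a dict of allow/deny decisions."""
    web = SecurityGroup(inbound=[("tcp", 443, 443, "0.0.0.0/0")],
                        outbound=[("tcp", 443, 443, "0.0.0.0/0")])
    admin = SecurityGroup(inbound=[("tcp", 22, 22, "10.0.0.0/8")])
    srv = Instance("10.0.1.10", [web, admin])               # two groups, rules unioned
    acl = NetworkAcl(
        inbound=[(50, "deny", "tcp", 0, 65535, "198.51.100.0/24"),   # blocked range first
                 (100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
                 (110, "allow", "tcp", 22, 22, "10.0.0.0/8"),
                 (120, "allow", "tcp", 1024, 65535, "0.0.0.0/0")],   # replies to our outbound
        outbound=[(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),   # replies to inbound
                  (110, "allow", "tcp", 443, 443, "0.0.0.0/0")])
    no_ephemeral = NetworkAcl(inbound=acl.inbound, outbound=[acl.outbound[1]])  # rule 100 missing

    https = Packet("203.0.113.5", 51000, srv.ip, 443)
    reply = Packet(srv.ip, 443, "203.0.113.5", 51000)
    out = {}
    out["https_in"] = inbound_ok(https, acl, srv)
    out["https_reply"] = outbound_ok(reply, acl, srv)                   # SG stateful, NACL rule 100
    out["reply_stateless_acl"] = outbound_ok(reply, no_ephemeral, srv)  # SG passes, NACL drops
    out["blocked_range"] = inbound_ok(Packet("198.51.100.7", 51000, srv.ip, 443), acl, srv)
    out["ssh_from_corp"] = inbound_ok(Packet("10.1.2.3", 40000, srv.ip, 22), acl, srv)
    out["ssh_from_internet"] = inbound_ok(Packet("203.0.113.5", 40001, srv.ip, 22), acl, srv)
    return out


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:<22} {'allow' if decision else 'deny'}")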

67
Q

Which security service is a managed DDoS protection service for apps on AWS?

  1. AWS Shield
  2. Amazon Macie
  3. Amazon Inspector
A

AWS Shield

68
Q

Which security service uses machine learning to discover, classify and protect sensitive data stored in Amazon S3?

  1. AWS Shield
  2. Amazon Macie
  3. Amazon Inspector
A

Amazon Macie

69
Q

Which security service is an automated security assessment service for EC2 instances?

  1. AWS Shield
  2. Amazon Macie
  3. Amazon Inspector
A

Amazon Inspector

70
Q

Which pre-defined solution is targeted to serve as an organizational service catalog for the cloud?

A

AWS Service Catalog

71
Q

Which pre-defined solution enables third-party ISVs to offer configurations for the cloud that can be launched in your account?

A

AWS Marketplace

72
Q

______________ is a fully managed source control service that hosts private Git repositories on AWS.

A

AWS CodeCommit (since July 2024 no longer available to new AWS customers)

73
Q

______________ is a fully managed build and continuous integration service on AWS

A

AWS CodeBuild

74
Q

______________ is a fully managed deployment service for applications running on Amazon EC2, AWS Fargate, AWS Lambda, and on-premises servers

A

AWS CodeDeploy

75
Q

______________ is a fully managed continuous delivery service on AWS for automating building, deploying, and testing. Integrates with other developer services

A

AWS CodePipeline

76
Q

______________ is a workflow tool for automatic creation of a continuous delivery pipeline for a custom application using the other developer services

A

AWS CodeStar (discontinued by AWS in July 2024; the individual developer services remain available)

77
Q

■ Ellen is a solutions architect at a traditional financial services company
■ They recently transitioned to AWS
■ They want to be sure each department follows best practices
■ They want to create compliant IT services that other departments can use
■ What service would you recommend for Ellen and her team?

A

AWS Service Catalog

78
Q

■ Tim’s company leverages AWS for multiple production workloads
■ Recently they have had downtime due to one of their applications failing on EC2
■ Tim is looking to avoid downtime if an instance stops responding
■ What approach would you recommend for Tim to solve this issue?

A

Create an EC2 Auto-scaling Group alongside an Elastic Load Balancer

79
Q

■ Jane’s company deals with sensitive information from its users
■ They have put reasonable policies in place for data stored in S3
■ Jane is worried if some of those policies accidentally get changed
■ She is also worried of a breach going unnoticed
■ What service would you recommend to Jane and her company?

A

Amazon Macie (its policy findings flag S3 bucket settings that weaken protection, such as public access or disabled default encryption, and its sensitive data findings show where sensitive data sits in S3)