Introduction to Security and Architecture on AWS Flashcards
What must users agree with in order to have an account on the AWS platform?
AWS Acceptable Use Policy. It defines acceptable and unacceptable uses of their cloud platform.
“_____________ and _____________ is a shared responsibility between AWS and the customer.” – Amazon Web Services
Security and Compliance
Who is responsible for access & training for Amazon
employees?
AWS
Who is responsible for individual access to cloud
resources and training?
Customer
Who is responsible for global data centers and their underlying network?
AWS
Who is responsible for all code deployed onto
cloud infrastructure?
Customer
Who is responsible for patching cloud infrastructure and services?
AWS
Who is responsible for patching guest operating systems and custom applications?
Customer
What are the 6 pillars of a well-architected framework?
SCOOPER
- Security - Protecting information and business assets.
- Cost Optimization - Achieving minimal costs for the desired value
- Operational Excellence - Running and monitoring systems for business
- Performance Efficiency - Using resources efficiently to achieve business.
- Reliability - Enabling infrastructure to recover from disruptions.
- Sustainability
Name two services that provide fault tolerance
- Simple Queue Service (SQS)
2. Route 53
Name three services that support compliance
- AWS Config - Continually monitor AWS resources and provides conformance packs for specific compliance standards.
- AWS Artifact - Portal that provides self-service access to compliance reports.
- Amazon GuardDuty - Provides intelligent threat detection.
■ Jane’s company is building an application to process credit cards
■ They will be processing cards directly and not through a service
■ Their bank needs a PCI DSS compliance report for AWS
■ Where would Jane go to get the information?
AWS Artifact (Self-service access to compliance reports)
■ Tim’s company is considering a transition to the cloud
■ They store personal information securely in their system
■ Tim’s CTO has asked what the company’s responsibility is for security
■ What would you tell Tim’s CTO?
Review the Shared Responsibility Model
■ Ellen is a solutions architect at a startup
■ They are building a new tool for digital asset management
■ Ellen is curious how to best leverage the capabilities of AWS in this application
■ What resources would you recommend for Ellen and her team?
AWS Well Architected Framework
When granting permission for a user to access AWS resources, granting them the minimum permissions needed to complete their tasks and no more is an example of what principle?
Least Privilege Access
List the 3 three types of IAM identities
- Users
- Groups
- Roles
Which IAM identity is an account for a single individual to access AWS resources?
Users
Which IAM identity allows you to manage permissions for a group of IAM users?
Groups
Which IAM identity enables a user or AWS service to assume permissions for a task?
Roles
List the 5 Amazon Cognito identity providers
- Amazon
- Microsoft Active Identity
- SAML 2.0 Providers
■ Sylvia manages a team of DevOps engineers for her company
■ Each member of her team needs to have the same access to cloud systems
■ It is taking her a long time to attach permissions to each user for access
■ What approach would help Sylvia manage the team’s permissions?
Use an IAM group for team
■ Edward works for a startup that is building a mapping visualization tool
■ Their EC2 servers need to access data stored within S3 buckets
■ Edward created a user in IAM for these servers and uploaded keys to the server
■ Is Edward following best practices for this approach? If not, what should he do?
No. He should use an IAM role with EC2
■ William is leading the effort to transition his organization to the cloud
■ His CIO is concerned about securing access to AWS resources with a password
■ He asks William to research approaches for additional security
■ What approach would you recommend to William for this additional security?
Use Multi-Factor Authentication (MFA)
What is the name of the hybrid-cloud storage service offered by AWS that integrates cloud storage into a local network?
AWS Storage Gateway
What are the 3 AWS Storage Gateway Volume Types?
- File Gateway
- Tape Gateway
- Volume Gateway
Which AWS storage gateway volume type stores files in Amazon S3 while providing cached low latency local access?
File Gateway
Which AWS storage gateway volume type enables tape backup processes to store data in the cloud on virtual tapes?
Tape Gateway
Which AWS storage gateway volume type provides cloud-based iSCSI volumes to local applications?
Volume Gateway
AWS _____________ is an automated data transfer service that uses an optimized protocol for high-speed synchronization to the cloud.
DataSync
AWS Glue is a managed ________, _________, and __________ service.
Extract, Transform, Load (ETL)
Amazon EMR provides ________ cloud processing using popular tools.
Big-Data