Introduction to Security & Architecture on AWS Flashcards

1
Q

Acceptable Use Policy

A

AWS’s policy for acceptable and unacceptable uses of their cloud platform. All users must agree with this policy to have an account on the platform.

Examples:

  • Sending unsolicited mass emails is prohibited
  • Hosting or distributing harmful content is prohibited
  • Penetration tests are allowed for a list of specific services
2
Q

Least Privilege Access

A

When granting permission for a user to access AWS resources, you should grant them the minimum permissions needed to complete their tasks and no more.

3
Q

Shared Responsibility Summary

A

AWS Responsibility:
AWS is responsible for the security of the cloud

Customer Responsibility:
Customer is responsible for security in the cloud

4
Q

AWS Responsibility

A

Access & Training for Amazon Employees

Global Data Centers & Underlying Network

Hardware for Global Infrastructure

Configuration Management for Infrastructure

Patching Cloud Infrastructure & Services

5
Q

Customer Responsibility

A

Individual Access to Cloud Resources & Training

Data Security & Encryption (both in transit and at rest)

Operating System, Network, and Firewall Configuration

All Code Deployed onto Cloud Infrastructure

Patching guest OS and custom applications

6
Q

Pillars of the Well-architected Framework

A

Cost Optimization
- Achieving minimal costs for the desired value
Operational Excellence
- Running and monitoring systems for business value
Performance Efficiency
- Using resources efficiently to achieve business value
Reliability
- Enabling infrastructure to recover from disruptions
Security
- Protecting information and business assets

7
Q

Reliability on AWS

A

Fault Tolerance
Being able to support the failure of components within your architecture

High Availability
Keeping your entire solution running in the expected manner despite issues that may occur

8
Q

Common Compliance Standards

A

PCI-DSS
- Compliance standard for processing credit cards
HIPAA
- Compliance standard for healthcare data
SOC 1, SOC 2, SOC 3
- Third-party reviews of operational processes
FedRAMP
- Standards for US government data handling
ISO 27018
- Standard for handling PII

9
Q

Compliance Services

A

AWS Config
- Provides conformance packs for standards
AWS Artifact
- Provides self-service access to reports
Amazon GuardDuty
- Provides intelligent threat detection

10
Q

Jane’s company is building an application to process credit cards

They will be processing cards directly and not through a service

Their bank needs a PCI DSS compliance report for AWS

Where would Jane go to get the information?

A

Solution: AWS Artifact

11
Q

Tim’s company is considering a transition to the cloud

They store personal information securely in their system

Tim’s CTO has asked what the company’s responsibility is for security

What would you tell Tim’s CTO?

A

Solution: Review the Shared Responsibility Model

12
Q

Ellen is a solutions architect at a startup

They are building a new tool for digital asset management

Ellen is curious how to best leverage the capabilities of AWS in this application

What resources would you recommend for Ellen and her team?

A

Solution: AWS Well Architected Framework

13
Q

What portal provides self-service access to compliance reports?

A

AWS Artifact

14
Q

What service continually monitors AWS resources and provides conformance packs for specific compliance standards?

A

AWS Config

15
Q

What service provides intelligent threat detection?

A

AWS GuardDuty

16
Q

AWS Identity & Access Management (IAM)

A

Service that controls access to AWS resources

Using the service is free

Manages both authentication and authorization

Supports identity federation through SAML providers including Active Directory

17
Q

AWS IAM Identities

A

Users
Account for a single individual to access AWS resources

Groups
Allows you to manage permissions for a group of IAM users

Roles
Enables a user or AWS service to assume permissions for a task

18
Q

Policies in AWS IAM

A

A JSON document that defines permissions for an AWS IAM identity (principal)

Defines both the AWS services that the identity can access and what actions can be taken on that service

Can be either customer managed or managed by AWS

19
Q

AWS IAM Best Practices

A

Multi-Factor Authentication
Provides additional security with either a physical or virtual device that generates a token for login

Least Privilege Access
Users should only be granted access to AWS resources that are required for their current tasks

20
Q

Amazon Cognito overview

A

A managed service that enables you to handle
authentication and aspects of authorization for your
custom web and mobile applications through AWS

21
Q

Amazon Cognito details

A

User directory service for custom applications

Provides UI components for many platforms

Provides security capabilities to control account access

Enables controlled access to AWS resources

Can work with social and enterprise identity providers

22
Q

Amazon Cognito Identity Providers

A
  • Google
  • Amazon
  • Facebook
  • Microsoft Active Directory
  • SAML 2.0 Providers
23
Q

Sylvia manages a team of DevOps engineers for her company

Each member of her team needs to have the same access to cloud systems

It is taking her a long time to attach permissions to each user for access

What approach would help Sylvia manage the team’s permissions?

A

Solution: Use an IAM Group for the team

24
Q

Edward works for a startup that is building a mapping visualization tool

Their EC2 servers need to access data stored within S3 buckets

Edward created a user in IAM for these servers and uploaded keys to the server

Is Edward following best practices for this approach? If not, what should he do?

A

Solution: Use an IAM Role with EC2

25
Q

William is leading the effort to transition his organization to the cloud

His CIO is concerned about securing access to AWS resources with a password

He asks William to research approaches for additional security

What approach would you recommend to William for this additional security?

A

Solution: Use Multi-factor Authentication (MFA)

26
Q

On-premise Data Integration Services

A

AWS Storage Gateway
- Hybrid-cloud storage service
AWS DataSync
- Automated data transfer service

27
Q

AWS Storage Gateway

A

Integrates cloud storage into your local network

Deployed as a VM or specific hardware appliance

Integrates with S3 and EBS

Supports three different gateway types:
- Tape Gateway
- Volume Gateway
- File Gateway

28
Q

AWS Storage Gateway Types

A

File Gateway
- Stores files in Amazon S3 while providing cached low-latency local access
Tape Gateway
- Enables tape backup processes to store data in the cloud on virtual tapes
Volume Gateway
- Provides cloud-based iSCSI volumes to local applications

29
Q

AWS DataSync

A

Leverages the DataSync agent deployed as a VM on your network

Integrates with S3, EFS, and FSx for Windows File Server on AWS

Greatly improved speed of transfer due to a custom protocol and optimizations

Charged per GB of data transferred

30
Q

Data Processing Services

A

AWS Glue
- Managed Extract, Transform, and Load (ETL) service
Amazon EMR
- Big-data cloud processing using popular tools
AWS Data Pipeline
- Data workflow orchestration service across AWS services

31
Q

AWS Glue

A

Fully managed ETL (extract, transform, and load) service on AWS

Supports data in Amazon RDS, DynamoDB, Redshift, and S3

Supports a serverless model of execution

32
Q

Amazon EMR

A

Enables big-data processing on Amazon EC2 and S3

Supports popular open-source frameworks and tools

Operates in a clustered environment without additional configuration

Supports many different big-data use cases

33
Q

Supported Amazon EMR Frameworks

A
  • Apache Spark
  • Apache Hive
  • Apache HBase
  • Apache Flink
  • Apache Hudi
  • Presto

34
Q

AWS Data Pipeline

A

Managed ETL (extract, transform, and load) service on AWS

Manages data workflow through AWS services

Supports S3, EMR, Redshift, DynamoDB, and RDS

Can integrate on-premise data stores

35
Q

Data Analysis Services

A

Amazon Athena
- Service that enables querying of data stored in Amazon S3
Amazon Quicksight
- Business intelligence service enabling data dashboards
Amazon CloudSearch
- Managed search service for custom applications

36
Q

Amazon Athena

A

Fully-managed serverless service

Enables querying of large-scale data stored within Amazon S3

Queries are written using standard SQL

Charged based on the data scanned for a query

37
Q

Amazon Quicksight

A

Fully managed business intelligence service

Enables dynamic data dashboards based on data stored in AWS

Charged on a per-user and per-session pricing model

Multiple versions provided based on needs

38
Q

Amazon CloudSearch

A

Fully-managed search service on AWS

Supports scaling of search infrastructure to meet demand

Charged per hour and instance type of search infrastructure

Enables developers to integrate search into custom applications

39
Q

AI and Machine Learning Services

A

Amazon Rekognition
- Computer vision service powered by Machine Learning
Amazon Translate
- Text translation service powered by Machine Learning
Amazon Transcribe
- Speech-to-text solution using Machine Learning

40
Q

Amazon Rekognition

A

Fully-managed image and video recognition deep learning service

Identifies objects in images

Identifies objects and actions in videos

Can detect specific people using facial analysis

Supports custom labels for your business objects

41
Q

Amazon Translate

A

Fully-managed service for translation of text

Currently supports 54 languages

Can perform language identification

Works both in batch and real-time

42
Q

Amazon Transcribe

A

Fully-managed speech recognition service

Recorded speech is converted into text in custom applications

Includes a specific sub-service for medical use

Supports batch and real-time transcription

Currently supports 31 languages

43
Q

Ruth is a data scientist for a financial services company

A large-scale data set needs to be processed before analysis

Ruth doesn’t want to manage servers but just wants to define the processing

What service would you recommend to Ruth?

A

Solution: AWS Glue

44
Q

Jessi is a member of the IT team for a biotech company

She is currently working to identify an approach for controlled lab access

She wants to leverage AI to determine access based on facial imaging

Is there an AWS service that can help with this approach?

A

Solution: Amazon Rekognition

45
Q

Roger’s company sells custom services around machine learning

His head of sales is trying to find a great way to visualize their sales data

This data is currently stored in Redshift as their data warehouse

What AWS service would allow this access to the data by non-technical resources?

A

Solution: Amazon Quicksight

46
Q

AWS Glue supports data in...

A
  • RDS
  • DynamoDB
  • Redshift
  • S3

47
Q

AWS Data Pipeline integrates with...

A
  • RDS
  • DynamoDB
  • Redshift
  • S3
  • EMR

48
Q

Disaster recovery (DR) is...

A

Preparing for and recovering from a disaster. Any event that has a negative impact on a company’s business continuity or finances could be termed a disaster. This includes hardware or software failure, a network outage, a power outage, physical damage to a building like fire or flooding, human error, or some other significant event.

49
Q

Disaster Recovery Scenarios

A

Listed in order of increasing cost and complexity and decreasing recovery time:

1) Backup and restore
2) Pilot light
3) Warm standby
4) Multi-site

50
Q

Backup and Restore

A

- Production data is backed up into Amazon S3
- Data can be stored in either standard or archival storage classes
- EBS data can be stored as snapshots in Amazon S3 also
- In a Disaster Recovery event, a process is started to launch a new environment

This approach has the longest recovery time

51
Q

Pilot Light

A

- Key infrastructure components are kept running in the cloud
- Designed to reduce recovery time over the Backup and Restore approach
- Does incur the cost of this infrastructure continually running in the cloud
- AMIs are prepared for additional systems and can be launched quickly

52
Q

Warm Standby

A

- A scaled-down version of the full environment is running in the cloud
- Critical systems can be running on less capable instance types
- Instance types and other systems can be ramped up for a disaster recovery event
- Does incur the cost of this infrastructure continually running in the cloud

53
Q

Multi Site

A

- Full environment is running in the cloud at all times
- Utilizes the instance types needed for production, not just recovery
- Provides a near seamless recovery process
- Incurs the most cost of all the approaches

54
Q

Disaster Recovery Approach Considerations

A

- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO)

55
Q

Recovery Time Objective (RTO)

A

The time it takes to get your systems back up and running to the ideal business state after a disaster recovery event.

56
Q

Recovery Point Objective (RPO)

A

The amount of data loss (in terms of time) for a production system during a disaster recovery event.

57
Q

Roger’s company runs several production workloads in AWS

Roger is tasked with architecting the disaster recovery approach

His organization wants there to be a seamless transition during an event

Which disaster recovery approach would Roger’s company use for this?

A

Solution: Multi Site approach

58
Q

Jennifer’s company is a startup

They do not currently have a disaster recovery approach

In this case, minimizing cost is more critical than minimizing RTO

What disaster recovery approach would you recommend to Jennifer?

A

Solution: Backup and Restore approach

59
Q

Eliza is documenting her company’s disaster recovery approach

They keep a few key servers up and running in AWS in case of an event

These servers have smaller instance types than what production would need

Which disaster recovery approach most closely matches this scenario?

A

Solution: Pilot Light approach

60
Q

Scaling on Amazon EC2

A

Vertical Scaling
- You “scale up” your instance type to a larger instance type with additional resources
Horizontal Scaling
- You “scale out” and add additional instances to handle the demand of your application

61
Q

Amazon EC2 Horizontal Scaling Services

A

Auto-scaling Group
- Set of EC2 instances with rules for scaling & management
Elastic Load Balancer
- Distributes traffic across multiple targets

62
Q

Amazon EC2 Auto-Scaling Group

A

Launch template defines the instance configuration for the group

Defines the minimum, maximum, and desired number of instances

Performs health checks on each instance

Exists within 1 or more availability zones in a single region

Works with on-demand and spot instances

63
Q

AWS Secrets Manager

A

Secure way to integrate credentials, API keys, tokens, and other secret content

Integrates natively with RDS, DocumentDB, and Redshift

Can auto-rotate credentials with integrated services

Enables fine-grained access control to secrets

64
Q

Security in Amazon VPC

A

Security groups
- Enables firewall-like controls for resources within the VPC
Network ACLs
- Controls inbound and outbound traffic for subnets within the VPC
AWS VPN
- Secure access to an entire VPC using an encrypted tunnel

65
Q

Security Groups

A

- Serve as a firewall for your EC2 instances
- Control inbound and outbound traffic
- Work at the instance level
- EC2 instances can belong to multiple security groups
- VPCs have default security groups
- Must be explicitly associated with an EC2 instance
- By default all outbound traffic is allowed

66
Q

Network ACL

A

- Works at the subnet level within a VPC
- Enables you to allow and deny traffic
- Each VPC has a default ACL that allows all inbound and outbound traffic
- Custom ACLs deny all traffic until rules are added

67
Q

AWS VPN

A

Creates an encrypted tunnel into your VPC

Can be used to connect your data center or even individual client machines

Supported in two services:
- Site-to-site VPN
- Client VPN

68
Q

Security Services

A

AWS Shield
- Managed DDoS protection service for apps on AWS
Amazon Macie
- Data protection service powered by machine learning
Amazon Inspector
- Automated security assessment service for EC2 instances

69
Q

Distributed Denial of Service (DDoS)

A

A type of attack where a server or group of servers is flooded with more traffic than it can handle in a coordinated effort to bring the system down

70
Q

AWS Shield

A

Provides protection against DDoS attacks for apps running on AWS

Enables on-going threat detection and mitigation

Has two different service levels:
- Standard
- Advanced

71
Q

Amazon Macie

A

- Utilizes machine learning to analyze data stored in Amazon S3
- It can detect personal information and intellectual property in S3
- Provides dashboards that show how the data is being stored and accessed
- Enables alerts if it detects anything unusual about data access

72
Q

Amazon Inspector

A

Enables scanning of Amazon EC2 instances for security vulnerabilities

Charged by instance per assessment run

Two types of rules packages:
- Network reachability assessment
- Host assessment

73
Q

Deploying Pre-defined Solutions on AWS

A

AWS Service Catalog
- Managed catalog of IT services on AWS for an organization
AWS Marketplace
- Catalog of software to run on AWS from third-party providers

74
Q

AWS Service Catalog

A

- Targeted to serve as an organizational service catalog for the cloud
- Can include anything from a single server image to multi-tier custom applications
- Enables organizations to leverage services that meet compliance
- Supports a lifecycle for services released in the catalog

75
Q

AWS Marketplace

A

- Curated catalog of third-party solutions for customers to run on AWS
- Provides AMIs, CloudFormation stacks, and SaaS-based solutions
- Enables different pricing options to overcome licensing in the cloud
- Charges appear on your AWS bill

76
Q

AWS Developer Services

A
  • AWS CodeCommit
  • AWS CodeBuild
  • AWS CodeDeploy
  • AWS CodePipeline
  • AWS CodeStar

77
Q

AWS CodeCommit

A

- Managed source control service
- Utilizes Git for repositories
- Control access with IAM policies
- Serves as an alternative to Github and Bitbucket

78
Q

AWS CodeBuild

A

- Fully managed build and continuous integration service on AWS
- Don’t have to worry about maintaining infrastructure
- Charged per minute for the compute resources you utilize

79
Q

AWS CodeDeploy

A

- Managed deployment service for deploying your custom applications
- Deploys to Amazon EC2, AWS Fargate, AWS Lambda, and on-premise servers
- Provides a dashboard for deployments in the AWS Console

80
Q

AWS CodePipeline

A

- Fully-managed continuous delivery service on AWS
- Provides the capabilities to automate building, testing, and deploying
- Integrates with other developer tools as well as Github

81
Q

AWS CodeStar

A

- Workflow tool that automates the use of the other developer services
- Creates a complete continuous delivery toolchain for a custom application
- Provides custom dashboards and configurations in the AWS Console
- You are only charged for the other services you leverage

82
Q

Ellen is a solutions architect at a traditional financial services company

They recently transitioned to AWS

They want to be sure each department follows best practices

They want to create compliant IT services that other departments can use

What service would you recommend for Ellen and her team?

A

Solution: AWS Service Catalog

83
Q

Tim’s company leverages AWS for multiple production workloads

Recently they have had downtime due to one of their applications failing on EC2

Tim is looking to avoid downtime if an instance stops responding

What approach would you recommend for Tim to solve this issue?

A

Solution: Create an EC2 Auto-scaling Group alongside an Elastic Load Balancer

84
Q

Jane’s company deals with sensitive information from its users

They have put reasonable policies in place for data stored in S3

Jane is worried that some of those policies might accidentally get changed

She is also worried about a breach going unnoticed

What service would you recommend to Jane and her company?

A

Solution: Amazon Macie