Introduction to Security & Architecture on AWS Flashcards

1
Q

Acceptable Use Policy

A

AWS’s policy for acceptable and unacceptable uses of their cloud platform. All users must agree with this policy to have an account on the platform.

Examples:

  • Sending unsolicited mass emails is prohibited
  • Hosting or distributing harmful content is prohibited
  • Penetration tests are allowed for a list of specific services
2
Q

Least Privilege Access

A

When granting permission for a user to access AWS resources, you should grant them the minimum permissions needed to complete their tasks and no more.

3
Q

Shared Responsibility Summary

A

AWS Responsibility:
AWS is responsible for the security of the cloud

Customer Responsibility:
Customer is responsible for security in the cloud

4
Q

AWS Responsibility

A

Access & Training for Amazon Employees

Global Data Centers & Underlying Network

Hardware for Global Infrastructure

Configuration Management for Infrastructure

Patching Cloud Infrastructure & Services

5
Q

Customer Responsibility

A

Individual Access to Cloud Resources & Training

Data Security & Encryption (both in transit and at rest)

Operating System, Network, and Firewall Configuration

All Code Deployed onto Cloud Infrastructure

Patching guest OS and custom applications

6
Q

Pillars of the Well-architected Framework

A

Cost Optimization
- Achieving minimal costs for the desired value
Operational Excellence
- Running and monitoring systems for business value
Performance Efficiency
- Using resources efficiently to achieve business value
Reliability
- Enabling infrastructure to recover from disruptions
Security
- Protecting information and business assets

7
Q

Reliability on AWS

A

Fault Tolerance
Being able to support the failure of components within your architecture

High Availability
Keeping your entire solution running in the expected manner despite issues that may occur

8
Q

Common Compliance Standards

A

PCI-DSS
- Compliance standard for processing credit cards
HIPAA
- Compliance standard for healthcare data
SOC 1, SOC 2, SOC 3
- Third-party reviews of operational processes
FedRAMP
- Standards for US government data handling
ISO 27018
- Standard for handling PII

9
Q

Compliance Services

A

AWS Config
- Provides conformance packs for standards
AWS Artifact
- Provides self-service access to reports
Amazon GuardDuty
- Provides intelligent threat detection

10
Q

Jane’s company is building an application to process credit cards

They will be processing cards directly and not through a service

Their bank needs a PCI DSS compliance report for AWS

Where would Jane go to get the information?

A

Solution: AWS Artifact

11
Q

Tim’s company is considering a transition to the cloud

They store personal information securely in their system

Tim’s CTO has asked what the company’s responsibility is for security

What would you tell Tim’s CTO?

A

Solution: Review the Shared Responsibility Model

12
Q

Ellen is a solutions architect at a startup

They are building a new tool for digital asset management

Ellen is curious how to best leverage the capabilities of AWS in this application

What resources would you recommend for Ellen and her team?

A

Solution: AWS Well Architected Framework

13
Q

What portal provides self-service access to compliance reports?

A

AWS Artifact

14
Q

What service continually monitors AWS resources and provides conformance packs for specific compliance standards?

A

AWS Config

15
Q

What service provides intelligent threat detection?

A

AWS GuardDuty

16
Q

AWS Identity & Access Management (IAM)

A

Service that controls access to AWS resources

Using the service is free

Manages both authentication and authorization

Supports identity federation through SAML providers including Active Directory

17
Q

AWS IAM Identities

A

Users
Account for a single individual to access AWS resources

Groups
Allows you to manage permissions for a group of IAM users

Roles
Enables a user or AWS service to assume permissions for a task

18
Q

Policies in AWS IAM

A

A JSON document that defines permissions for an AWS IAM identity (principal)

Defines both the AWS services that the identity can access and what actions can be taken on that service

Can be either customer managed or managed by AWS

19
Q

AWS IAM Best Practices

A

Multi-Factor Authentication
Provides additional security with either a physical or virtual device that generates a token for login

Least Privilege Access
Users should only be granted access to AWS resources that are required for their current tasks

20
Q

Amazon Cognito overview

A

A managed service that enables you to handle authentication and aspects of authorization for your custom web and mobile applications through AWS

21
Q

Amazon Cognito details

A

User directory service for custom applications

Provides UI components for many platforms

Provides security capabilities to control account access

Enables controlled access to AWS resources

Can work with social and enterprise identity providers

22
Q

Amazon Cognito Identity Providers

A
  • Google
  • Amazon
  • Facebook
  • Microsoft Active Directory
  • SAML 2.0 Providers
23
Q

Sylvia manages a team of DevOps engineers for her company

Each member of her team needs to have the same access to cloud systems

It is taking her a long time to attach permissions to each user for access

What approach would help Sylvia manage the team’s permissions?

A

Solution: Use an IAM Group for the team

24
Q

Edward works for a startup that is building a mapping visualization tool

Their EC2 servers need to access data stored within S3 buckets

Edward created a user in IAM for these servers and uploaded keys to the server

Is Edward following best practices for this approach? If not, what should he do?

A

Solution: Use an IAM Role with EC2

25
Q

William is leading the effort to transition his organization to the cloud

His CIO is concerned about securing access to AWS resources with a password

He asks William to research approaches for additional security

What approach would you recommend to William for this additional security?

A

Solution: Use Multi-factor Authentication (MFA)

26
Q

On-premise Data Integration Services

A

AWS Storage Gateway
Hybrid-cloud storage service

AWS DataSync
Automated data transfer service

27
Q

AWS Storage Gateway

A

Integrates cloud storage into your local network

Deployed as a VM or specific hardware appliance

Integrates with S3 and EBS

Supports three different gateway types

  • Tape Gateway
  • Volume Gateway
  • File Gateway
28
Q

AWS Storage Gateway Types

A

File Gateway
Stores files in Amazon S3 while providing cached low-latency local access

Tape Gateway
Enables tape backup processes to store data in the cloud on virtual tapes

Volume Gateway
Provides cloud based iSCSI volumes to local applications

29
Q

AWS DataSync

A

Leverages the DataSync agent deployed as a VM on your network

Integrates with S3, EFS, and FSx for Windows File Server on AWS

Greatly improved speed of transfer due to custom protocol and optimizations

Charged per GB of data transferred

30
Q

Data Processing Services

A

AWS Glue
Managed Extract, Transform, and Load (ETL) Service

Amazon EMR
Big-data cloud processing using popular tools

AWS Data Pipeline
Data workflow orchestration service across AWS services

31
Q

AWS Glue

A

Fully managed ETL (extract, transform, and load) service on AWS

Supports data in Amazon RDS, DynamoDB, Redshift, and S3

Supports a serverless model of execution

32
Q

Amazon EMR

A

Enables big-data processing on Amazon EC2 and S3

Supports popular open-source frameworks and tools

Operates in a clustered environment without additional configuration

Supports many different big-data use cases

33
Q

Supported Amazon EMR Frameworks

A
  • Apache Spark
  • Apache Hive
  • Apache HBase
  • Apache Flink
  • Apache Hudi
  • Presto
34
Q

AWS Data Pipeline

A

Managed ETL (extract, transform, and load) service on AWS

Manages data workflow through AWS services

Supports S3, EMR, Redshift, DynamoDB, and RDS

Can integrate on-premise data stores

35
Q

Data Analysis Services

A

Amazon Athena
Service that enables querying of data stored in Amazon S3

Amazon Quicksight
Business intelligence service enabling data dashboards

Amazon CloudSearch
Managed search service for custom applications

36
Q

Amazon Athena

A

Fully-managed serverless service

Enables querying of large-scale data stored within Amazon S3

Queries are written using standard SQL

Charged based on data scanned for query

37
Q

Amazon Quicksight

A

Fully managed business intelligence service

Enables dynamic data dashboard based on data stored in AWS

Charged on a per-user and per-session pricing model

Multiple versions provided based on needs

38
Q

Amazon CloudSearch

A

Fully-managed search service on AWS

Supports scaling of search infrastructure to meet demand

Charged per hour and instance type of search infrastructure

Enables developers to integrate search into custom applications

39
Q

AI and Machine Learning Services

A

Amazon Rekognition
Computer vision service powered by Machine Learning

Amazon Translate
Text translation service powered by Machine Learning

Amazon Transcribe
Speech to text solution using Machine Learning

40
Q

Amazon Rekognition

A

Fully-managed image and video recognition deep learning service

Identifies objects in images

Identifies objects and actions in videos

Can detect specific people using facial analysis

Supports custom labels for your business objects

41
Q

Amazon Translate

A

Fully-managed service for translation of text

Currently supports 54 languages

Can perform language identification

Works both in batch and real-time

42
Q

Amazon Transcribe

A

Fully-managed speech recognition service

Recorded speech is converted into text in custom applications

Includes a specific sub-service for medical use

Supports batch and real-time transcription

Currently supports 31 languages

43
Q

Ruth is a data scientist for a financial services company

Large-scale data set needs to be processed before analysis

Ruth doesn’t want to manage servers but just wants to define processing

What service would you recommend to Ruth?

A

Solution: AWS Glue

44
Q

Jessi is a member of the IT team for a biotech company

She is currently working to identify an approach for controlled lab access

She wants to leverage AI to determine access based on facial imaging

Is there an AWS service that can help with this approach?

A

Solution: Amazon Rekognition

45
Q

Roger’s company sells custom services around machine learning

His head of sales is trying to find a great way to visualize their sales data

This data is currently stored in Redshift as their data warehouse

What AWS service would allow this access to the data by non-technical resources?

A

Solution: Amazon Quicksight

46
Q

AWS Glue supports data in…

A

RDS
DynamoDB
Redshift
S3

47
Q

AWS Data Pipeline integrates with…

A
RDS
DynamoDB
Redshift
S3
EMR
48
Q

Disaster recovery (DR) is…

A

Preparing for and recovering from a disaster. Any event that has a negative impact on a company’s business continuity or finances could be termed a disaster. This includes hardware or software failure, a network outage, a power outage, physical damage to a building like fire or flooding, human error, or some other significant event.

49
Q

Disaster Recovery Scenarios

A

Cost and complexity increasing / Recovery time decreasing…

1) Backup and restore
2) Pilot light
3) Warm standby
4) Multi-site

50
Q

Backup and Restore

A
  • Production data is backed up into Amazon S3
  • Data can be stored in either standard or archival storage classes
  • EBS data can be stored as snapshots in Amazon S3 also
  • In a Disaster Recovery event, a process is started to launch a new environment
This approach has the longest recovery time
51
Q

Pilot Light

A
  • Key infrastructure components are kept running in the cloud
  • Designed to reduce recovery time over the Backup and Restore approach
  • Does incur cost of this infrastructure continually running in the cloud
  • AMIs are prepared for additional systems and can be launched quickly
52
Q

Warm Standby

A
  • A scaled-down version of the full environment is running in the cloud
  • Critical systems can be running on less capable instance types
  • Instance types and other systems can be ramped up for disaster recovery event
  • Does incur cost of this infrastructure continually running in the cloud
53
Q

Multi Site

A
  • Full environment is running in the cloud at all times
  • Utilizes the instance types needed for production, not just recovery
  • Provides a near seamless recovery process
  • Incurs the most cost over the other approaches
54
Q

Disaster Recovery Approach Considerations

A
  • Recovery Time Objective (RTO)
  • Recovery Point Objective (RPO)

55
Q

Recovery Time Objective (RTO)

A

The time it takes to get your systems back up and running to the ideal business state after a disaster recovery event.

56
Q

Recovery Point Objective (RPO)

A

The amount of data loss (in terms of time) for a production system during a disaster recovery event.

57
Q

Roger’s company runs several production workloads in AWS

Roger is tasked with architecting the disaster recovery approach

His organization wants there to be a seamless transition during an event

Which disaster recovery approach would Roger’s company use for this?

A

Solution: Multi Site approach

58
Q

Jennifer’s company is a startup

They do not currently have a disaster recovery approach

In this case, minimizing cost is more critical than minimizing RTO

What disaster recovery approach would you recommend to Jennifer?

A

Solution: Backup and Restore approach

59
Q

Eliza is documenting her company’s disaster recovery approach

They keep a few key servers up and running in AWS in case of an event

These servers have smaller instance types than what production would need

Which disaster recovery approach most closely matches this scenario?

A

Solution: Pilot Light approach

60
Q

Scaling on Amazon EC2

A

Vertical Scaling
You “scale up” your instance type to a larger instance type with additional resources

Horizontal Scaling
You “scale out” and add additional instances to handle the demand of your application

61
Q

Amazon EC2 Horizontal Scaling Services

A

Auto-scaling Group
Set of EC2 instances with rules for scaling & management

Elastic Load Balancer
Distributes traffic across multiple targets

62
Q

Amazon EC2 Auto-Scaling Group

A

Launch template defines the instance configuration for the group

Defines the minimum, maximum, and desired number of instances

Performs health checks on each instance

Exists within one or more availability zones in a single region

Works with on-demand and spot instances

63
Q

AWS Secrets Manager

A

Secure way to integrate credentials, API keys, tokens, and other secret content

Integrates natively with RDS, DocumentDB, and Redshift

Can auto-rotate credentials with integrated services

Enables fine-grained access control to secrets

64
Q

Security in Amazon VPC

A

Security groups
Enables firewall-like controls for resources within the VPC

Network ACLs
Controls inbound and outbound traffic for subnets within the VPC

AWS VPN
Secure access to an entire VPC using an encrypted tunnel

65
Q

Security Groups

A
  • Serve as a firewall for your EC2 instances
  • Control inbound and outbound traffic
  • Works at the instance level
  • EC2 instances can belong to multiple security groups
  • VPCs have default security groups
  • Must be explicitly associated with an EC2 instance
  • By default all outbound traffic is allowed
66
Q

Network ACL

A
  • Works at the subnet level within a VPC
  • Enables you to allow and deny traffic
  • Each VPC has a default ACL that allows all inbound and outbound traffic
  • Custom ACLs deny all traffic until rules are added
67
Q

AWS VPN

A

Creates an encrypted tunnel into your VPC

Can be used to connect your data center or even individual client machines

Supported in two services:

  • Site-to-site VPN
  • Client VPN
68
Q

Security Services

A

AWS Shield
Managed DDoS protection service for apps on AWS

Amazon Macie
Data protection service powered by machine learning

Amazon Inspector
Automated security assessment service for EC2 instances

69
Q

Distributed Denial of Service (DDoS)

A

A type of attack where a server or group of servers is flooded with more traffic than it can handle, in a coordinated effort to bring the system down

70
Q

AWS Shield

A

Provides protection against DDoS attacks for apps running on AWS

Enables on-going threat detection and mitigation

Has two different service levels:

  • Standard
  • Advanced
71
Q

Amazon Macie

A
  • Utilizes machine learning to analyze data stored in Amazon S3
  • It can detect personal information and intellectual property in S3
  • Provides dashboards that show how the data is being stored and accessed
  • Enables alerts if it detects anything unusual about data access
72
Q

Amazon Inspector

A

Enables scanning of Amazon EC2 instances for security vulnerabilities

Charged by instance per assessment run

Two types of rules packages:

  • Network reachability assessment
  • Host assessment
73
Q

Deploying Pre-defined Solutions on AWS

A

AWS Service Catalog
Managed catalog of IT services on AWS for an organization

AWS Marketplace
Catalog of software to run on AWS from third-party providers

74
Q

AWS Service Catalog

A
  • Targeted to serve as an organizational service catalog for the cloud
  • Can include anything from a single server image to multi-tier custom applications
  • Enables organizations to leverage services that meet compliance
  • Supports a lifecycle for services released in the catalog
75
Q

AWS Marketplace

A
  • Curated catalog of third-party solutions for customers to run on AWS
  • Provides AMIs, CloudFormation stacks, and SaaS based solutions
  • Enables different pricing options to overcome licensing in the cloud
  • Charges appear on your AWS bill
76
Q

AWS Developer Services

A
AWS CodeCommit
AWS CodeBuild
AWS CodeDeploy
AWS CodePipeline
AWS CodeStar
77
Q

AWS CodeCommit

A
  • Managed source control service
  • Utilizes Git for repositories
  • Control access with IAM policies
  • Serves as an alternative to GitHub and Bitbucket
78
Q

AWS CodeBuild

A
  • Fully managed build and continuous integration service on AWS
  • Don’t have to worry about maintaining infrastructure
  • Charged per minute for compute resources you utilize
79
Q

AWS CodeDeploy

A
  • Managed deployment service for deploying your custom applications
  • Deploys to Amazon EC2, AWS Fargate, AWS Lambda, and on-premise servers
  • Provides dashboard for deployments in the AWS Console
80
Q

AWS CodePipeline

A
  • Fully-managed continuous delivery service on AWS
  • Provides the capabilities to automate building, testing, and deploying
  • Integrates with other developer tools as well as GitHub
81
Q

AWS CodeStar

A
  • Workflow tool that automates the use of the other developer services
  • Creates a complete continuous delivery toolchain for a custom application
  • Provides custom dashboards and configurations in the AWS Console
  • You are only charged for the other services you leverage
82
Q

Ellen is a solutions architect at a traditional financial services company

They recently transitioned to AWS

They want to be sure each department follows best practices

They want to create compliant IT services that other departments can use

What service would you recommend for Ellen and her team?

A

Solution: AWS Service Catalog

83
Q

Tim’s company leverages AWS for multiple production workloads

Recently they have had downtime due to one of their applications failing on EC2

Tim is looking to avoid downtime if an instance stops responding

What approach would you recommend for Tim to solve this issue?

A

Solution: Create an EC2 Auto-scaling Group alongside an Elastic Load Balancer

84
Q

Jane’s company deals with sensitive information from its users

They have put reasonable policies in place for data stored in S3

Jane is worried that some of those policies could accidentally get changed

She is also worried about a breach going unnoticed

What service would you recommend to Jane and her company?

A

Solution: Amazon Macie