Management, Governance and Billing

Question 1

Audit requests to AWS Organizations for creating new accounts by federated users

Answer 1

use CloudTrail and look for the federated identity user name

Question 2

Employees have created individual AWS accounts not under control. Security team need them in AWS Organizations

Answer 2

Send each account an invitation from the central organization

Question 3

Need to restrict ability to launch specific instance types for a specific team/account

Answer 3

Use an organizations SCP to deny launches unless the instance type is T2, create an IAM group in the account granting access to T2 instances to the relevant users

Question 4

Need to ensure that S3 buckets are NEVER deleted in a production account

Answer 4

Use an SCP to deny the s3:DeleteBucket API action

Question 5

Need to create user-defined cost allocation tags for new account

Answer 5

Use Tag Editor in new account to create user-defined tags and then use the billing and cost management console in the payer account to mark them as cost allocation tags

Question 6

Separate departments must operate in isolation and only use pre-approved services

Answer 6

Use AWS Organizations to create accounts (Organizations API) and SCPs to control the services available for use

Question 7

Developers can manipulate IAM policies/roles and need to block them from some services

Answer 7

Use an SCP to block those services

Question 8

AWS bill is increasing and unauthorized services are being used across accounts

Answer 8

Use AWS Organizations with an SCP to restrict the unauthorized services

Question 9

Configuring AWS SSO for an Organizations master account. Directory created and full access enabled

Answer 9

Next step is to create a permission set and associate with directory users and groups

Question 10

Process to create a custom dashboard in CloudWatch for custom metrics after installing agent on EC2

Answer 10

Create metric filters and select custom metrics

Question 11

Need to test notification settings for CloudWatch alarm with SNS

Answer 11

Use the set-alarm-state CLI command to test

Question 12

App with EC2 and RDS is running slowly and suspected high CPU

Answer 12

Use CloudWatch metrics to examine resource usage

Question 13

Site uses CloudFront and S3. Users accessing content that does not exist or they don’t have access to

Answer 13

Check the 4XXErrorRate metric in CloudWatch to understand the extent of the issue

Question 14

Script generates custom CloudWatch metrics from EC2 instance and clock is configured incorrectly by 30 mins

Answer 14

CloudWatch will accept the custom metric data and record it

Question 15

Need to collect logs from many EC2 instances

Answer 15

Use the unified CloudWatch Agent

Question 16

External auditor needs to check for unauthorized changes to AWS account

Answer 16

Create an IAM user, assign an IAM policy with read access to CloudTrail logs on Amazon S3

Question 17

Need to identify who is creating EIPs and not using them

Answer 17

Use CloudTrail and query logs using Athena to search for EIP address events

Question 18

S3 bucket holds sensitive data. Must monitor object upload / download activity including AWS account and IAM user account of caller and time of API call

Answer 18

Use AWS CloudTrail and enable data event logging

Question 19

Need to record any modifications or deletions of CloudTrail logs in an S3 bucket

Answer 19

Enable CloudTrail log file integrity validation and enabled MFA delete on the bucket

Question 20

Large increase in requests to SQS. Need to determine the source of the calls

Answer 20

Use CloudTrail to audit API calls

Question 21

Need to ensure that S3 buckets have logging enabled without stopping users creating them

Answer 21

Auto remediate with AWS Config managed rule S3_BUCKET_LOGGING_ENABLE

Question 22

Need to provide real-time compliance reporting for security groups to check that port 80 is not being used

Answer 22

Use the AWS Config restricted-common-ports rule and add port 80

Question 23

Company wants to limit the AMIs that are used. Need to review compliance with the policy

Answer 23

Create an AWS Config rule to check that only approved AMIs are used

Question 24

Need to automatically disable access keys that are greater than 90 days old

Answer 24

Use Config rule to identify noncompliant keys and use Systems Manager Automation to remediate

Question 25

Need to address concerns about exposing sensitive data in buckets without restricting ability to create them

Answer 25

Use AWS Config rules to identify public buckets and send SNS notification to security team

Question 26

Need to ensure CloudFormation deployment changes are tracked for governance

Answer 26

Use AWS Config

Question 27

Company needs to verify that specific KMS CMK is used to encrypted EBS volumes

Answer 27

Use AWS Config with the encrypted-volumes managed rule and specify the key ID of the CMK

Question 28

Need to create replica of existing infrastructure in new account. AWS Service Catalog is used

Answer 28

Most efficient option is to share the portfolio with the new accounts and import into those other accounts

Question 29

Users have a specialized EC2 instance config and don’t want to configure EC2 settings but need to launch/terminate instances. Special instance must only be available to them

Answer 29

Use CloudFormation template with AWS Service Catalog portfolio and grant permissions to users

Question 30

Shared portfolio is imported into a second AWS account controlled by a different administrator

Answer 30

Admin can add products from the imported portfolio to a local portfolio

Question 31

Need to monitor costs per user in an account

Answer 31

Activate the createdBy tag and analyze with AWS Cost Explorer

Question 32

How to check for underutilized EC2 instances?

Answer 32

Use AWS Cost Explorer to generate resource optimization recommendations

Question 33

Bill is increasing over time, need to determine the cause of increased cost

Answer 33

Use AWS Cost Explorer

Question 34

Need breakdown of costs per project in a single account using Cost Explorer

Answer 34

Do this by activating cost allocation tags and creating and applying resource tags

Question 35

Need to check that security best practices are being followed for the AWS account root user

Answer 35

Use AWS Trusted Advisor security checks to review configuration of root user

Question 36

Costs rising and need to be alerted when a specific spending limit is forecast to be exceeded

Answer 36

Use AWS Budgets

Question 37

Company needs to track the allocation of reserved instances in consolidated bill

Answer 37

Use the AWS Cost and Usage report

Question 38

Company needs to integrate AWS maintenance events that may affect their resources into an operations dashboard

Answer 38

Use the AWS Health API