Management, Governance and Billing Flashcards
Audit requests to AWS Organizations for creating new accounts by federated users
use CloudTrail and look for the federated identity user name
Employees have created individual AWS accounts that are not under central control. The security team needs them in AWS Organizations
Send each account an invitation from the central organization
Need to restrict ability to launch specific instance types for a specific team/account
Use an Organizations SCP to deny launches unless the instance type is T2, and create an IAM group in the account granting access to T2 instances to the relevant users
Need to ensure that S3 buckets are NEVER deleted in a production account
Use an SCP to deny the s3:DeleteBucket API action
Need to create user-defined cost allocation tags for new account
Use Tag Editor in new account to create user-defined tags and then use the billing and cost management console in the payer account to mark them as cost allocation tags
Separate departments must operate in isolation and only use pre-approved services
Use AWS Organizations to create accounts (Organizations API) and SCPs to control the services available for use
Developers can manipulate IAM policies/roles and need to block them from some services
Use an SCP to block those services
AWS bill is increasing and unauthorized services are being used across accounts
Use AWS Organizations with an SCP to restrict the unauthorized services
Configuring AWS SSO for an Organizations master account. Directory created and full access enabled
Next step is to create a permission set and associate with directory users and groups
Process to create a custom dashboard in CloudWatch for custom metrics after installing agent on EC2
Create metric filters and select custom metrics
Need to test notification settings for CloudWatch alarm with SNS
Use the set-alarm-state CLI command to test
App with EC2 and RDS is running slowly and suspected high CPU
Use CloudWatch metrics to examine resource usage
Site uses CloudFront and S3. Users accessing content that does not exist or they don’t have access to
Check the 4XXErrorRate metric in CloudWatch to understand the extent of the issue
Script generates custom CloudWatch metrics from EC2 instance and clock is configured incorrectly by 30 mins
CloudWatch will accept the custom metric data and record it
Need to collect logs from many EC2 instances
Use the unified CloudWatch Agent
External auditor needs to check for unauthorized changes to AWS account
Create an IAM user, assign an IAM policy with read access to CloudTrail logs on Amazon S3
Need to identify who is creating EIPs and not using them
Use CloudTrail and query logs using Athena to search for EIP address events
S3 bucket holds sensitive data. Must monitor object upload / download activity including AWS account and IAM user account of caller and time of API call
Use AWS CloudTrail and enable data event logging
Need to record any modifications or deletions of CloudTrail logs in an S3 bucket
Enable CloudTrail log file integrity validation and enable MFA delete on the bucket
Large increase in requests to SQS. Need to determine the source of the calls
Use CloudTrail to audit API calls
Need to ensure that S3 buckets have logging enabled without stopping users creating them
Auto-remediate with the AWS Config managed rule S3_BUCKET_LOGGING_ENABLED
Need to provide real-time compliance reporting for security groups to check that port 80 is not being used
Use the AWS Config restricted-common-ports rule and add port 80
Company wants to limit the AMIs that are used. Need to review compliance with the policy
Create an AWS Config rule to check that only approved AMIs are used
Need to automatically disable access keys that are greater than 90 days old
Use Config rule to identify noncompliant keys and use Systems Manager Automation to remediate
Need to address concerns about exposing sensitive data in buckets without restricting ability to create them
Use AWS Config rules to identify public buckets and send SNS notification to security team
Need to ensure CloudFormation deployment changes are tracked for governance
Use AWS Config
Company needs to verify that a specific KMS CMK is used to encrypt EBS volumes
Use AWS Config with the encrypted-volumes managed rule and specify the key ID of the CMK
Need to create replica of existing infrastructure in new account. AWS Service Catalog is used
Most efficient option is to share the portfolio with the new accounts and import into those other accounts
Users have a specialized EC2 instance config and don’t want to configure EC2 settings but need to launch/terminate instances. Special instance must only be available to them
Use CloudFormation template with AWS Service Catalog portfolio and grant permissions to users
Shared portfolio is imported into a second AWS account controlled by a different administrator
Admin can add products from the imported portfolio to a local portfolio
Need to monitor costs per user in an account
Activate the createdBy tag and analyze with AWS Cost Explorer
How to check for underutilized EC2 instances?
Use AWS Cost Explorer to generate resource optimization recommendations
Bill is increasing over time, need to determine the cause of increased cost
Use AWS Cost Explorer
Need breakdown of costs per project in a single account using Cost Explorer
Do this by activating cost allocation tags and creating and applying resource tags
Need to check that security best practices are being followed for the AWS account root user
Use AWS Trusted Advisor security checks to review configuration of root user
Costs rising and need to be alerted when a specific spending limit is forecast to be exceeded
Use AWS Budgets
Company needs to track the allocation of reserved instances in consolidated bill
Use the AWS Cost and Usage report
Company needs to integrate AWS maintenance events that may affect their resources into an operations dashboard
Use the AWS Health API