Section 13.5 - 16.5

Question 1

The billing alarm (e.g. for EC2 instances) in CloudWatch is only available in this region

Answer 1

us-east-1 (Northern Virginia)

Question 2

A user has deleted something; how can we figure out who deleted it and when?

Answer 2

AWS CloudTrail

Question 3

Which AWS provides personalized alerts and remediation guidance when AWS is experiencing events that may impact you?

Which dashboard provides global information on AWS health?

Answer 3

AWS Health Dashboard = personalized info

AWS Service Health Dashboard = Global info

Question 4

This AWS service provides governance, compliance, and risk auditing for your AWS Account

Answer 4

AWS CloudTrail

Question 5

Network ACL (NACL) controls to/from at the ______ level, whereas Security Groups control to/from at the ___ __________ level

Answer 5

subnet; EC2 instance

Question 6

Network ACL has _______/_____, Security groups only have _______

Answer 6

ALLOW/DENY; ALLOW

Question 7

What do Network ACL rules include? What do Security groups rules include?

Answer 7

NACL = IP addresses only, Security groups = IP addresses and other security groups

Question 8

Which AWS firewall is stateful, and what does that mean?

Answer 8

Security groups are stateful, which means return traffic is automatically allowed regardless of rules

Question 9

Which AWS firewall is stateless, and what does that mean?

Answer 9

NACL is stateless, which means return traffic must be allowed by the rules before it is accepted

Question 10

VPC Endpoints are used for what? When is it called a gateway? When is it called an interface?

Answer 10

VPC Endpoints are used for accessing your services privately. It’s called a gateway for S3 and DynamoDB. It’s called an interface for every other service.

Question 11

In order to establish a site-to-site VPN connection between your on-premises DC and AWS, what 2 components are needed?

Answer 11

1. On-premises: there must be a Customer Gateway (CGW)
2. On AWS: there must be a Virtual Private Gateway (VGW)

Question 12

How can you connect hundreds or thousands of VPC together as well as your on-premises infrastructure?

Answer 12

AWS Transit Gateway

Question 13

You need a logically isolated section of AWS, where you can launch AWS resources in a private network that you define. What should you use?

Answer 13

A VPC

Question 14

What DDoS protection is activated by default for every customer?

What provides a higher level of defence and 24/7 access to an AWS DDoS response team?

Answer 14

AWS Shield Standard

AWS Shield Advanced

Question 15

Which AWS service allows you to manage VPC security groups across multiple accounts in an organization?

Answer 15

AWS Firewall Manager

Question 16

What is Amazons policy in regards to pentesting, service attacks, and flooding??

Answer 16

Penetration testing is allowed on certain services, however anything related to an attack (DoS, flooding) is prohibited.

Question 17

What service can help us with in-flight encryption and generate SSL/TLS certificates?

Answer 17

AWS Certificate Manager (CAM)

Question 18

There’s a secret that needs managing/rotating in RDS, what can we use for this?

Answer 18

AWS Secrets Manager

Question 19

I need to ensure my company is following the compliance documentation laid out by Amazon, where can I find it?

Answer 19

AWS Artifact

Question 20

Which service is a good tool to protect you against Cryptocurrency attacks?

Answer 20

AWS GuardDuty

Question 21

What are 4 things that only the root user can do?

Answer 21

1. Change account settings (name, etc.)
2. Close the AWS account
3. Change or cancel the AWS support plan
4. Register as a seller in the Reserved Instance Marketplace