Secure Your Data

Question 1

EBS volumes

Answer 1

Customers responsibility to ensure availability and backup via creating EBS snapshots

Cannot be copied, only replicated using snapshots

When you create a EBS volume based on snapshot, the new volume begins as the exact replica of the original volume that was used to create the snapshot. Replicated volume loads in the background so that you can begin using it immediately

Question 2

Snapshots

Answer 2

Incremental backups, blocks on the device that have changed after your most recent snapshots are saved

Question 3

AWS config

Answer 3

Used to audit, evaluate configurationS of AWS resources. If there are any operational issues, AWS config can be used to retrieve configurational changes made to AWS resources that may have caused the issues

Question 4

Security Groups

Answer 4

Control of inbound traffic. By default, outbound is free by default

INSTANCE LEVEL

After you launch an instance into VPC, you can change the SG associated for this instance at running or stopped state.

Question 5

Stateful

Answer 5

In VPCs, the same port coming in as the port coming out

Question 6

Stateless

Answer 6

VPC access

Does not need to go into the same port (inbound) as the port it exited (outbound)

Question 7

Network access control list (NACL)

Answer 7

Optional security layer tied to a subnet Within a VPC to control inbound & outbound traffic.

SUBNET LEVEL

Question 8

Amazon inspector

Answer 8

Assessment of vulnerabilities

Two packages:

• network reachability rules package checks network accessibility checks on AWS EC2 instances
• host assessment rules package checks vulnerabilities on Amazon EC2 instances

Question 9

Amazon Macie

Answer 9

Managed service which can be used to detect personally identifiable information (PII) such as names and passwords from large amounts of data stored in S3 bucket

Question 10

AWS shield

Answer 10

Managed DDOS (distribute denial of service) protection service that safeguards applications running on AWS

Standard is free

Question 11

AWS Firewall Manager

Answer 11

Security management services that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS orgs

Question 12

Amazon Guardduty

Answer 12

Threat detection service that continuously monitors malicious activities and unauthorised behavoirs to protect your AWS accounts, workloads, and data stored in S3

Question 13

AWS certificate manager

Answer 13

Not a solution for encryption at rest but encryption in transit
Let’s you easily provision, manage, deploy public and private secure sockets layer (SSL)/transport layer security (TLS) certificates

Question 14

Server side encryption managed by S3 (SSE-S3)

Answer 14

Encryption / decryption at rest but does not offer monitoring capabilities (who/when)

Question 15

Side server encryption managed by customer (SSE-C)

Answer 15

Encryption/decryption at rest but without monitoring capabilities

Question 16

Side server encryption managed by KMS (SSE-KMS)

Answer 16

Encryption / decryption at rest with monitoring capabilities
Integrated with AWS cloud trail to provide you with logs of all key usage to help meet your regulatory and compliance needs

Question 17

VPC flow logs

Answer 17

Capture IP traffic related info passing through and from network interfaces within the VPC

Question 18

AWS detective

Answer 18

Securit service that uses machine learning capabilities on th automatically collected log data to help customers perform efficient and fast security investigations

Question 19

AWS artifacts

Answer 19

Central resource for al, the info about compliance, On demand access to compliance reports at no additional costs

Question 20

AWS accounts

Answer 20

Account must be able to operate as a standalone account to be able to be removed from AWS orgs

Question 21

AWS system managers

Answer 21

Gives you visibility and control of your infrastructure on AWS to view operational data from multiple AWS services

Allows to automate operational tasks like running commands, managing patches, and configuring servers across AWS cloud and on premise.

Question 22

AWS X-ray

Answer 22

Key word: debug & serverless

Analyse and debug Serverless and distributed apps such as those built using micro services architecture. Understand how your app and its underlying services are performing to identify and troubleshoot the root cause of performance issues and errors

Question 23

VPC endpoint

Answer 23

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

There are two types of VPC endpoints: interface endpoints and gateway endpoints.
An interface endpoint is an elastic network interface with a private IP address from the IP address range of your subnet that serves as an entry point for traffic destined to a supported service. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access services by using private IP addresses.
A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service. The following AWS services are supported:
Amazon S3 DynamoDB Exam Alert:
You may see a question around this concept in the exam. Just remember that only S3 and DynamoDB support VPC Endpoint Gateway. All other services that support VPC Endpoints use a VPC Endpoint Interface.

Question 24

AWS Abuse Team

Answer 24

The AWS Abuse team can assist you when AWS resources are used to engage in abusive behavior

Question 25

AWS storage gateway & types

Answer 25

AWS Storage Gateway is a hybrid cloud storage service that connects your existing on-premises environments with the AWS Cloud. 3 types of gateways: tape, file, volume

Question 26

Customer managed CMK

Answer 26

customer master key (CMK) is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description, and key state. The CMK also contains the key material used to encrypt and decrypt data. These are created and managed by the AWS customer. Access to these can be controlled using the AWS IAM service

Question 27

IAM user

Answer 27

IAM User Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). As a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Access Keys are secret, just like a password. You should never share them.

Question 28

IAM role

Answer 28

An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.

Question 29

IAM GROUP

Answer 29

collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.

Question 30

AWS policy

Answer 30

manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions.

Question 31

AWS service health dashboard

Answer 31

AWS Service Health Dashboard publishes most up-to-the-minute information on the status and availability of all AWS services in tabular form for all Regions that AWS is present in. You can check on this page https://status.aws.amazon.com/ to get current status information.

Question 32

AWS personal health dashboard

Answer 32

AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you. With Personal Health Dashboard, alerts are triggered by changes in the health of your AWS resources, giving you event visibility, and guidance to help quickly diagnose and resolve issues.

Question 33

Internet gateway

Answer 33

Connection between VPC and internet, allows pubic traffic fro, the internet to access VPC

Question 34

Virtual private gateway

Answer 34

Establish virtual private network (VPN) connection between your VPC and private network such as an on premise data Center or internal corporate network Allows traffic e into the VPC only if coming from an approved network

Question 35

AWS direct connect

Answer 35

Service that enables you to establish a dedicated private connection between your data Center and VPC Reduce network costs and increase bandwidth traveling through your network

Question 36

Basic support

Answer 36

``` 24/7 customer support Documentation White paper Support forums AWS trusted advisor AWS personal health dashboard Free ```

Question 37

Developer support

Answer 37

Basic support 7 core checks trusted advisor Email access to email support - 24 hour response time Less than 12 response time if systems are down Unrestricted number of technical support cases for 1 primary contact Best practice guidance Client side diagnostic tools Building block architecture support which consists of guidance on how to use AWS offerings features and services together Pay by the month Require no long term contracts

Question 38

Business support

Answer 38

Basic + developer AWS trusted advisor for all suite of checks Direct phone access to support team General guidance <24 hours System impaired <12 hours 4 hour SLA if production system is Impaired 1 hour if production system down Unrestricted number of technical support cases for unlimited contacts Pay by the month Require no long term contracts 1 hour SLA if production system is down Infrastructure event management ie global blitzes or massive events (extra fee) Use case guidance Limited support for third party software like common operating system and apps stack components

Question 39

Enterprise support

Answer 39

``` Mission critical workloads All tiers previous General guidance <24 hours System impaired <12 hours Production system Impaired < 4 hours Production system down <1 hour 15 min SLA for response time for biz critical workloads Dedicated TAM to coordinate access to programs and AWS experts Unrestricted number of technical support cases for unlimited contacts Pay by the month Require no long term contracts Consultative review based on your apps App architecture guidance to support company specific use cases and apps Access to self paced labs training Concierge support team Infrastructure event management ```

Question 40

Technical account manager

Answer 40

(TAM) Part of concierge support team Specialise in proactively monitoring environment and assisting in optimisation Reviews (infra management, well architected, etc)

Question 41

AWS monitoron

Answer 41

ML service used for detecting abnormal industrial machine Behavior and enables to implement predictive maintenance

Question 42

Amazon textract

Answer 42

Extract printed text and handwriting from virtually any document. Requirement is to use natural language processing to find insights and relationships in the doc

Question 43

Amazon comprehend

Answer 43

Natural language processing service that uses ML to find meaning and insights in text

Question 44

AWS server migration services (SMS)

Answer 44

Agentless service which makes it easy and fast to migrate thousands of on premises workloads (VMs) to AWS Automate track and schedule incremental replications of live server volumes

Question 45

AWS database migration service (DMS)

Answer 45

Migrating databases from on premise to AWS

Question 46

AWS Migration hub

Answer 46

Monitor application migrations

Question 47

How to connect to an EC2 instance ?

Answer 47

``` Secure shell (SSH) - common tool to connect to linux servers Session manager - fully managed AWS system manager capability that lets you manage your EC2 instances, on premise instances, and VMs via interactive one click browser shell or through AWS CLI EC2 instance connect - connect to your Linux instance using browser based client ```