Secure Your Data Flashcards

1
Q

EBS volumes

A

Customer's responsibility to ensure availability and backup by creating EBS snapshots

Cannot be copied, only replicated using snapshots

When you create an EBS volume based on a snapshot, the new volume begins as an exact replica of the original volume that was used to create the snapshot. The replicated volume loads in the background so that you can begin using it immediately

2
Q

Snapshots

A

Incremental backups: only the blocks on the device that have changed since your most recent snapshot are saved

3
Q

AWS Config

A

Used to audit and evaluate configurations of AWS resources. If there are any operational issues, AWS Config can be used to retrieve the configuration changes made to AWS resources that may have caused the issues

4
Q

Security Groups

A

Controls inbound traffic. By default, outbound traffic is allowed

INSTANCE LEVEL

After you launch an instance into a VPC, you can change the SG associated with this instance while it is in the running or stopped state.

5
Q

Stateful

A

In VPCs, the same port is used for traffic coming in as for the traffic going out

6
Q

Stateless

A

VPC access

Traffic does not need to come back in on the same port (inbound) as the port it exited on (outbound)

7
Q

Network access control list (NACL)

A

Optional security layer tied to a subnet within a VPC to control inbound and outbound traffic.

SUBNET LEVEL

8
Q

Amazon Inspector

A

Assessment of vulnerabilities

Two rules packages:

  • network reachability rules package: checks the network accessibility of Amazon EC2 instances
  • host assessment rules package: checks for vulnerabilities on Amazon EC2 instances
9
Q

Amazon Macie

A

Managed service which can be used to detect personally identifiable information (PII), such as names and passwords, in large amounts of data stored in S3 buckets

10
Q

AWS Shield

A

Managed DDoS (distributed denial of service) protection service that safeguards applications running on AWS

Standard is free

11
Q

AWS Firewall Manager

A

Security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations

12
Q

Amazon GuardDuty

A

Threat detection service that continuously monitors for malicious activity and unauthorised behaviour to protect your AWS accounts, workloads, and data stored in S3

13
Q

AWS Certificate Manager

A

Not a solution for encryption at rest, but for encryption in transit
Lets you easily provision, manage, and deploy public and private Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates

14
Q

Server side encryption managed by S3 (SSE-S3)

A

Encryption/decryption at rest, but does not offer monitoring capabilities (who/when)

15
Q

Server side encryption managed by customer (SSE-C)

A

Encryption/decryption at rest, but without monitoring capabilities

16
Q

Server side encryption managed by KMS (SSE-KMS)

A

Encryption/decryption at rest with monitoring capabilities
Integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs

17
Q

VPC Flow Logs

A

Capture information about the IP traffic going to and from network interfaces within the VPC

18
Q

AWS Detective

A

Security service that uses machine learning on automatically collected log data to help customers perform efficient and fast security investigations

19
Q

AWS Artifact

A

Central resource for all the information about compliance. On-demand access to compliance reports at no additional cost

20
Q

AWS accounts

A

An account must be able to operate as a standalone account before it can be removed from AWS Organizations

21
Q

AWS Systems Manager

A

Gives you visibility and control of your infrastructure on AWS, letting you view operational data from multiple AWS services

Allows you to automate operational tasks like running commands, managing patches, and configuring servers across the AWS Cloud and on premises.

22
Q

AWS X-Ray

A

Keywords: debug & serverless

Analyse and debug serverless and distributed apps, such as those built using a microservices architecture. Understand how your app and its underlying services are performing, to identify and troubleshoot the root cause of performance issues and errors

23
Q

VPC endpoint

A

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

There are two types of VPC endpoints: interface endpoints and gateway endpoints.
An interface endpoint is an elastic network interface with a private IP address from the IP address range of your subnet that serves as an entry point for traffic destined to a supported service. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access services by using private IP addresses.
A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service. The following AWS services are supported:
  • Amazon S3
  • DynamoDB

Exam Alert:
You may see a question around this concept in the exam. Just remember that only S3 and DynamoDB support VPC Endpoint Gateway. All other services that support VPC Endpoints use a VPC Endpoint Interface.

24
Q

AWS Abuse Team

A

The AWS Abuse team can assist you when AWS resources are used to engage in abusive behaviour

25
Q

AWS storage gateway & types

A

AWS Storage Gateway is a hybrid cloud storage service that connects your existing on-premises environments with the AWS Cloud.

3 types of gateways: tape, file, and volume

26
Q

Customer managed CMK

A

A customer master key (CMK) is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description, and key state. The CMK also contains the key material used to encrypt and decrypt data. These are created and managed by the AWS customer. Access to these can be controlled using the AWS IAM service

27
Q

IAM user

A

Access keys are long-term credentials for an IAM user or the AWS account root user. You can use access keys to sign programmatic requests to the AWS CLI or AWS API (directly or using the AWS SDK). Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). Like a user name and password, you must use both the access key ID and secret access key together to authenticate your requests. Access keys are secret, just like a password. You should never share them.

28
Q

IAM role

A

An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.

29
Q

IAM group

A

A collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.

30
Q

AWS policy

A

You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions.

31
Q

AWS Service Health Dashboard

A

The AWS Service Health Dashboard publishes the most up-to-the-minute information on the status and availability of all AWS services, in tabular form, for all Regions that AWS is present in. You can check this page to get current status information: https://status.aws.amazon.com/

32
Q

AWS Personal Health Dashboard

A

AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you. With Personal Health Dashboard, alerts are triggered by changes in the health of your AWS resources, giving you event visibility and guidance to help quickly diagnose and resolve issues.

33
Q

Internet gateway

A

Connection between the VPC and the internet; allows public traffic from the internet to access the VPC

34
Q

Virtual private gateway

A

Establishes a virtual private network (VPN) connection between your VPC and a private network, such as an on-premises data center or internal corporate network

Allows traffic into the VPC only if it is coming from an approved network

35
Q

AWS Direct Connect

A

Service that enables you to establish a dedicated private connection between your data center and your VPC

Reduces network costs and increases the bandwidth travelling through your network

36
Q

Basic support

A
24/7 customer support
Documentation
White papers
Support forums
AWS Trusted Advisor
AWS Personal Health Dashboard
Free
37
Q

Developer support

A

Basic support
7 core Trusted Advisor checks
Email access to support - 24 hour response time
Less than 12 hour response time if systems are down
Unrestricted number of technical support cases for 1 primary contact
Best practice guidance
Client side diagnostic tools
Building block architecture support, which consists of guidance on how to use AWS offerings, features, and services together
Pay by the month
Requires no long term contracts

38
Q

Business support

A

Basic + developer
AWS Trusted Advisor full suite of checks
Direct phone access to support team
General guidance <24 hours
System impaired <12 hours
4 hour SLA if production system is impaired
1 hour if production system down
Unrestricted number of technical support cases for unlimited contacts
Pay by the month
Requires no long term contracts

1 hour SLA if production system is down
Infrastructure event management, i.e. global blitzes or massive events (extra fee)
Use case guidance
Limited support for third party software like common operating systems and application stack components

39
Q

Enterprise support

A
Mission critical workloads
All previous tiers
General guidance <24 hours
System impaired <12 hours
Production system impaired <4 hours
Production system down <1 hour
15 min SLA for response time for business critical workloads
Dedicated TAM to coordinate access to programs and AWS experts
Unrestricted number of technical support cases for unlimited contacts
Pay by the month
Requires no long term contracts
Consultative review based on your apps
App architecture guidance to support company specific use cases and apps
Access to self paced labs training
Concierge support team
Infrastructure event management
40
Q

Technical account manager

A

(TAM)

Part of the concierge support team
Specialises in proactively monitoring your environment and assisting with optimisation
Reviews (infrastructure management, Well-Architected, etc.)

41
Q

AWS Monitron

A

ML service used for detecting abnormal industrial machine behaviour; enables you to implement predictive maintenance

42
Q

Amazon Textract

A

Extracts printed text and handwriting from virtually any document. The requirement is to use natural language processing to find insights and relationships in the document

43
Q

Amazon Comprehend

A

Natural language processing service that uses ML to find meaning and insights in text

44
Q

AWS Server Migration Service (SMS)

A

Agentless service which makes it easy and fast to migrate thousands of on-premises workloads (VMs) to AWS
Automates, tracks, and schedules incremental replications of live server volumes

45
Q

AWS Database Migration Service (DMS)

A

Migrating databases from on premises to AWS

46
Q

AWS Migration Hub

A

Monitor application migrations

47
Q

How to connect to an EC2 instance?

A
Secure Shell (SSH) - common tool to connect to Linux servers
Session Manager - fully managed AWS Systems Manager capability that lets you manage your EC2 instances, on-premises instances, and VMs via an interactive one-click browser shell or through the AWS CLI
EC2 Instance Connect - connect to your Linux instance using a browser-based client