security

Question 1

Well-architected framework

Answer 1

design principles and best practices for running workloads in the cloud.

• Operational Excellence
• Security
• Reliability
• Performance Efficiency
• Cost optimization

Question 2

Operational Excellence

Answer 2

CODECOMMIT
Focuses on creating applications that effectively support production workloads.
-plan for and anticipate failure
-script operations as code
-deploy smaller, reversible changes
-Learn from failure and refine

Question 3

Security

Answer 3

CLOUDTRAIL
Focus on putting mechanisms in place that help protect your systems and data
-Automate security tasks
-encrypt data in transit and at rest
-Assign only the least privilege’s required
-track who did what and when
-ensure security at all application layers

Question 4

Reliability

Answer 4

RDS
Focuses on designing systems that works consistently and recover quickly
-Recover from failure automatically
-Scale horizontally for resilience
-Reduce idle resources
-Manage change through automation
-Test recovery procedures

Question 5

Performance efficiency

Answer 5

LAMBDA
Effectively use of computing resources to meet system and business requirements while removing bottlenecks
-Use serverless architectures first
-Use multi-region deployments
-Delegate tasks to a cloud vendor
-Experiment with virtual resources.

Question 6

Cost Optimization

Answer 6

S3 intelligent -tiering
Focuses on delivering optimum and resilient solutions at the least cost to the user.
-Utilize consumption-based pricing
-Implement cloud financial management
-Measure overall efficiency
-Pay only for resources your application requires.

Question 7

CodeCommit

Answer 7

to enable tracking of code changes and version-control

Cloudformation templates of your infrastructure

Question 8

CloudTrail

Answer 8

You can configure central logging of all actions performed in your account

Question 9

RDS

Answer 9

You can use Multi-AZ Deployments for enhanced availability and reliability of RDS databases

Question 10

Lambda

Answer 10

To run code with zero administration

Question 11

S3 Intelligent-Tiering

Answer 11

automatically move your data between access tiers based on your usage patterns.

Question 12

IAM

Answer 12

Allows you to control access to your AWS Services and resources.

• Helps secure your cloud resources
• You define who has access.
• You define what they can do
• a free global service

Question 13

Identities

Answer 13

WHO can access your resources

• root user
• individual user
• groups-roles

Question 14

Access

Answer 14

WHAT resources they can access

• policies
• aws managed policies
• customer managed policies
• permissions boundaries

Question 15

Authentication

Answer 15

Where you present your identity and provide verification

Question 16

Authorization

Answer 16

Determines which services and resources the authenticated identity has access to.

Question 17

Users

Answer 17

Users are entities that you create in IAM to represent the person or application needing to access your AWS resources.

Question 18

Root user

Answer 18

Created when you first open your AWS account.

• close account
• change email address
• modify support plan

Question 19

Individual users

Answer 19

created in IAM and are used for everyday tasks.

• Perform Administrative tasks
• Access application code
• Launch EC2 instances
• configure databases

Question 20

Applications

Answer 20

You create a user in IAM so you can generate access keys for application running on-premises that needs access to your cloud resources.

Question 21

Principle of least privilege

Answer 21

Giving a user the minimum access required to get the job done

Question 22

Developers

Answer 22

Responsible for building applications

Question 23

Project managers

Answer 23

Responsible for managing the budget

Question 24

CLI

Answer 24

Command line interface.
Allows you to access resources in your AWS account through terminal or command windows. Access keys are needed when using the CLI and can be generated using IAM.

Question 25

Groups

Answer 25

Collection of users of IAM users that helps you apply common access controls to all group members

• -used to group users that perform similar tasks
• access permissions apply to all members of the group
• access is assigned using policies and roles.

Question 26

Administrators

Answer 26

Perform admin tasks like creating new users

Question 27

Developer

Answer 27

Use compute and database services to build applications.

Question 28

Analysts

Answer 28

Run budget and usage reports

Question 29

Roles

Answer 29

Define access permissions and are temporarily assumed by an IAM user or service

• You assume a role to perform a task in a single session.
• Assumed by any user or service that needs it.
• Access is assigned using policies
• You grant users in one AWS account access to resources in another AWS account

Question 30

Policies

Answer 30

you manage permissions for IAM users, groups, and roles by creating a policy document in JSON format and attaching it.

Question 31

Bucket access policy

Answer 31

Add directly to an Amazon S3 bucket to grant IAM users access permissions for the bucket and objects in it.

Question 32

IAM best practices

Answer 32

1. Enable MFA for privilaged users.
2. Always implement strong password policies.
3. Create individual users instead of using root user.
   Shouldn’t use the root user for daily tasks.
4. Use roles for Amazon EC2 instances

Question 33

IAM Credential Report

Answer 33

Lists all users in your account and the status of their various credentials.

• Lists all users and status of passwords, access keys, and MFA devices
• used for auditing and compliance

Question 34

Firewall

Answer 34

prevent unauthorized access to your networks by inspecting incoming and outgoing traffic against security rules you’ve defined.

Question 35

WAF

Answer 35

Web application firewall.
Protects apps against common attack patterns
-Protects against SQL injection
-protects against cross-site scripting.

IRL: Deploy web application directly to EC2 instance. You can also deploy WAF on cloudfront as part of you CDN solution to block malicious traffic

Question 36

DDos

Answer 36

Distributed denial of service.

DDos attach causes traffic jam on a website or web application in attempt to cause it to crash.

Question 37

Shield

Answer 37

a managed ddos protection service.

• Always-on detection
• Shield standard is free
• shield advanced is a paid service

Question 38

Shield Standard

Answer 38

Provides free protection against common and frequent occurring attacks

Question 39

Shield Advanced

Answer 39

Provides enhanced protections and 24/7 access to AWS experts for a fee

Question 40

DDos Protection via shield advanced is supported on several services

Answer 40

• Cloudfront
• Route53
• Elastic load balancing
• AWS Global accelerator.

Question 41

Macie

Answer 41

Helps discover and protect sensitive data.

• Uses machine learning
• evaluates s3 environment
• uncovers PII (personal identifiable identifications)

Question 42

Config

Answer 42

Allows you to asses, audit, and evaluate the configurations of your resources.

• Track configuration changes over time.
• Delivers configuration history file to S3
• Notifications via SNS of every configuration change
• Allows you to record configuration changes with your EC2 instances. You can view network, software and OS configuration changes, system-level updates

Question 43

GuardDuty

Answer 43

An intelligent threat detection system that uncovers unauthorized behavior
-uses machine learning
-built-in detection for EC2, S3, and IAM
-Reviews Cloudtrail, VPC flow logs, and DNS logs
IRW: anomaly detection feature evaluates all API requests in your account and identifies events that are associated with common techniques used by attackers.

Question 44

Inspector

Answer 44

Works with EC2 instances to uncover and report vulnerabilities.
-Agent installed on EC2 instances (only works for EC2 instances)
-Reports vulnerabilities found
-Checks access from the internet, remote root login, vulnerable software versions
IRW: has several built in rules to access your EC2 instances to find vulnerabilities and report them prioritized by level of severity

Question 45

Artifact

Answer 45

Offers on-demand access to AWS security and compliance reports.
-Central repository for compliance reports from third-party auditors.
-Service organization controls (SOC) reports
-Payment card industry (PCI) reports.
IRW: provides a central repository for AWS’s security and compliance reports via self-service portal.

Question 46

Cognito

Answer 46

Helps you control access to mobile and web applications.

-provides authentication and authorization.
-Helps you manage users
-Assist with user sign up and sign in to mobile or web app.
IRW: provides functionality that allows your users to sign in to your application through social media accounts like facebook or google.

Question 47

data in flight

Answer 47

data that is moving from one location to another

Question 48

data at rest

Answer 48

Data that is inactive or stored for later use

Question 49

KMS

Answer 49

Key management service (KMS).
Allows you to generate and store encryption keys
-Key generator
-Store and control keys
-AWS manages encryption keys
-automatically enabled for certain services.
IRW: When you create a encrypted Amazon EBS volume, you are able to specify a KMS customer master key.

Question 50

CloudHSM

Answer 50

a hardware security module (HSM) used to generate encryption keys
-Dedicated hardware for security
-generate and manage your own encryption keys
-AWS does not have access to your keys
IRW: Allows you to meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware in the cloud.

Question 51

Secrets Manager

Answer 51

Allows you to manage and retrieve secrets (password or keys).
-rotate, manage and retrieve secrets
-encrypt secrets at rest
-integrates with services like RDS, Redshift and DocumentDB
IRW: Allows you to retrieve database credentials with a call to secrets Manager APIs, removing the need to hardcode sensative information in plain tedxt within your application code.

Question 52

Fault tolerance

Answer 52

Property that e4nables a system to continue to operating properly in the event of the failure of one or more components

Question 53

Firewall

Answer 53

a type of software that either allows or blocks certain kinds of internet traffic to pass through it

Question 54

Folder

Answer 54

Any “subfolder” created in a bucket

Question 55

High Availability

Answer 55

refers to systems that are durable and likely to operate continuously without failure for a long time

Question 56

organizations

Answer 56

Access manage billing and access to multiple AWS accounts in one user interface

Question 57

Publishers

Answer 57

Human/alarm/event that gives the SNS message to be sent

Question 58

RDS

Answer 58

relational database service.

SQL database service that provides a wide range of SQL database options to select from

Question 59

subnet

Answer 59

a subsection of a network and generally includes all the computers in specific region

Question 60

subscriptions

Answer 60

endpoints to which a topic sends messages

Question 61

Topic

Answer 61

how you label and group different endpoints to which you send messages

Question 62

Trusted advisor

Answer 62

service that “advises” and help you optimize apsects of your aws account

Question 63

Elastic beanstalk

Answer 63

service for deploying and scaling web applications and services developed with java, net, php, node.js