Security and Compliance

Question 1

What dictates who is responsible for security on different parts of AWS?

Answer 1

Shared Responsibility Model

Question 2

What is AWS responsible for in the Shared Responsibility Model?

Answer 2

The security of the cloud

- regions, edge locations, AZs, physical buildings, networking components, software/managed services, patching AMIs

Question 3

What are you responsible for in the Shared Responsibility Model?

Answer 3

Security in the cloud

• application data encryption
• securing your account, VPCs, etc.
• patching the guest OS on your EC2 instance
• IAM
• network traffic and firewall configuration
• software that you build or install

Question 4

EC2 Shared Responsibility Model

Answer 4

AWS: EC2 service, patching the host OS, security of the physical host server
You: installed applications, patching the guest OS, security controls

Question 5

Lambda Shared Responsibility Model

Answer 5

AWS: lambda service, language upgrades, underlying infrastructure and dependencies
You: security of the code, storage of sensitive data, IAM

Question 6

How do you report abuse of AWS resources?

Answer 6

rotate your passwords when an incident occurs, then contact the AWS Trust and Safety Team

Question 7

Pillar 1 of the Well-Architected Framework

Answer 7

Operational Excellence
- The ability to support development and run workloads effectively, gain insight into their operations, and to continuously improve supporting processes and procedures to deliver business value.

Question 8

Pillar 2 of the Well-Architected Framework

Answer 8

Security

- putting mechanisms in place that help protect your systems and data

Question 9

Pillar 3 of the Well-Architected Framework

Answer 9

Reliability
- to perform its intended function correctly and consistently when it’s expected to. This includes the ability to operate and test the workload through its total lifecycle.

Question 10

Pillar 4 of the Well-Architected Framework

Answer 10

Performance Efficiency

• effective use of computing resources to meet system and business requirements while removing bottlenecks
• use serverless architures first
• multi-AZ deployments
• delegate tasks to a cloud vendor

Question 11

Pillar 5 of the Well-Architected Framework

Answer 11

Cost Optimization

- delivering optimum and resilient solutions at the least cost to the user

Question 12

What is an example of Operational Excellence?

Answer 12

using CodeCommit to version control your code and IaC

Question 13

what is an example of Security pillar?

Answer 13

configuring central logging using CloudTrail

Question 14

what is an example of the Reliability pillar?

Answer 14

use multi-AZ deployments of RDS databases

Question 15

what is an example of Performance Efficiency

Answer 15

use Lambda without administration overhead

Question 16

what is an example of Cost Optimization pillar?

Answer 16

use S3 intelligent tiering to move data to the most cost-effective storage tier

Question 17

IAM

Answer 17

Identity and Access Management

- a free global service that helps you secure your cloud resources and define who has access to what

Question 18

Identities

Answer 18

who can access your resources

- root user, individual users, groups, roles

Question 19

Access

Answer 19

what resources someone can access

- policies, managed policies, permissions boundaries

Question 20

permissions boundaries

Answer 20

limit the scope of what a user can do

Question 21

root user permissions

Answer 21

• manage your AWS account (close, change support plan, email address, etc.)

Question 22

applications as users

Answer 22

you can create a user with access keys to an on-prem application can access your cloud resources

Question 23

PLP

Answer 23

Principle of Least Privilege

- only giving a user the minimum amount of privileges to do their job

Question 24

access keys

Answer 24

• needed when you use the CLI
• generated by IAM
• public key and private key

Question 25

IAM groups

Answer 25

a collection of IAM users that helps you apply common access controls to all group members

Question 26

EC2 groups

Answer 26

security groups that act as firewalls

Question 27

how is group access assigned?

Answer 27

using policies and roles

Question 28

roles

Answer 28

allow you to delegate access to users or services that normally don’t have access to your organization’s AWS resources. IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls.

Question 29

example use of roles:

Answer 29

attach a role to an EC2 instance for access to S3 so applications running on the instance can assess storage

Question 30

policies

Answer 30

a document in JSON format that defines permissions for IAM users, groups and/or roles

Question 31

Example use case for policies

Answer 31

limit access to an S3 bucket to specific users with a bucket access policy

Question 32

What are some IAM best practices?

Answer 32

1) enable MFA for privileged users
2) implement strong password policies
3) create individual users instead of using root
4) use roles for Ec2 instances for apps running on the instance

Question 33

IAM Credential Report

Answer 33

a list of all users in your account and the status of their credentials. used for auditing and compliance.

Question 34

What does the Well Architected Tool do?

Answer 34

provides recommendations for making your workloads more reliable, secure, efficient, and cost-effective.

Question 35

Component

Answer 35

the code, configuration, and AWS Resources that together deliver against a requirement. A component is often the unit of technical ownership, and is decoupled from other components.

Question 36

Workload

Answer 36

a set of components that together deliver business value. A workload is usually the level of detail that business and technology leaders communicate about.

Question 37

When making architecture trade-offs which two pillars are generally not traded-off?

Answer 37

Security and operational excellence are generally not traded-off against the other pillars.