VPC, Networking, Security and Compliance

Question 1

What is a VPC (Virtual Private Cloud)?

Hint: Think of it as your own private neighborhood in AWS.

Answer 1

A private, isolated network in AWS, like your own “home base” where everything happens.

Question 2

What is a subnet in AWS?

Hint: These are smaller divisions tied to specific Availability Zones.

Answer 2

A specific network partition of a VPC tied to an Availability Zone, like “city blocks” within your neighborhood (VPC).

Question 3

What does an Internet Gateway do?

Hint: It’s the VPC’s way to access the internet.

Answer 3

Provides internet access to the entire VPC, like the “main gate” for your neighborhood.

Question 4

What is the purpose of a NAT Gateway or Instance?

Hint: This allows private subnets to connect to the internet while staying hidden.

Answer 4

Allows private subnets to access the internet without being exposed, like a “backdoor for private blocks.”

Question 5

What is a NACL (Network ACL)?

Hint: A stateless firewall that doesn’t remember previous connections.

Answer 5

A stateless firewall controlling inbound and outbound traffic at the subnet level, acting like a “neighborhood gatekeeper.”

Question 6

How do security groups differ from NACLs?

Hint: These firewalls remember who’s allowed in.

Answer 6

Security groups are stateful firewalls applied at the EC2 or ENI level, acting like “personal bouncers” who remember who’s allowed in.

Question 7

What is VPC Peering?

Hint: A connection between two VPCs with a direct link.

Answer 7

A non-transitive connection between two VPCs with non-overlapping IP ranges, like a “friendship tunnel” between two neighborhoods.

Question 8

What is an Elastic IP?

Hint: A fixed, public IPv4 address that costs if idle.

Answer 8

A fixed public IPv4 address that costs if not used, like a “fixed street address.”

Question 9

What are VPC Endpoints used for?

Hint: Allows access to AWS services within the VPC without the internet.

Answer 9

Provide private access to AWS services within the VPC without going through the internet, like a “private service road.”

Question 10

What is AWS PrivateLink?

Hint: Used to connect to a third-party VPC privately.

Answer 10

Allows private connections to a service in a third-party VPC, like a “private road to another neighborhood.”

Question 11

What are VPC Flow Logs?

Hint: They act like security cameras for your VPC traffic.

Answer 11

Logs all traffic coming in and out of the VPC, like a “security camera” monitoring traffic.

Question 12

What is a Site-to-Site VPN?

Hint: A secure tunnel connecting your data center to AWS.

Answer 12

A secure tunnel over the internet connecting your on-premises data center to AWS, like “tunneling between cities.”

Question 13

What is AWS Client VPN?

Hint: Allows individual computers to access the VPC securely.

Answer 13

A personal VPN that allows individual computers to securely access your VPC, like a “personal VPN” for your neighborhood.

Question 14

What is AWS Direct Connect?

Hint: A faster, private connection from your data center to AWS.

Answer 14

A direct, private connection from your data center to AWS, faster than the public internet, like a “private highway.”

Question 15

What is an AWS Transit Gateway?

Hint: It acts as a central hub to connect multiple VPCs.

Answer 15

A central hub connecting multiple VPCs and on-prem networks, like a “central hub” for connecting neighborhoods.

Question 16

What is AWS responsible for in the Shared Responsibility Model?

Answer 16

AWS is responsible for the security of the cloud, including hardware, software, networking, and managed services like S3 and RDS.

Question 17

What is the customer responsible for in the Shared Responsibility Model?

Answer 17

The customer is responsible for security in the cloud, including management of guest OS, firewall configuration, IAM, and encrypting data.

Question 18

What are some shared controls in the AWS Shared Responsibility Model?

Answer 18

• Patch management
• configuration management
• awareness & training

are shared controls between AWS and customers.

Question 19

What is AWS Shield Standard?

Hint: Think of it as a basic DDoS protection included for free.

Answer 19

Protects against DDoS attacks for websites and applications at no additional cost, safeguarding against SYN/UDP Floods, Reflection attacks, and other layer 3/layer 4 (TCP) attacks.

Question 20

What is AWS Shield Advanced?

Hint: Premium DDoS protection.

Answer 20

Offers 24/7 premium DDoS protection against more advanced attacks.

Question 21

What is the purpose of a WAF (Web Application Firewall)?

Hint: Filters incoming requests based on set rules.

Answer 21

A firewall that filters incoming requests based on defined rules, protecting against layer 7 (HTTP) attacks.

Question 22

How do CloudFront and Route 53 provide availability protection?

Hint: They utilize a global network for attack mitigation.

Answer 22

Provide availability protection using a global edge network and, combined with AWS Shield, offer attack mitigation at the edge.

Question 23

What is the function of a Network Firewall?

Hint: Protects the entire VPC.

Answer 23

Protects the entire VPC against network attacks, providing protection from layer 3 to layer 7.

Question 24

What does AWS Firewall Manager do?

Hint: Centralizes management of security rules.

Answer 24

Manages security rules across all accounts in an organization, including VPC Security groups, WAF rules, and Network Firewall rules.

Question 25

What is AWS KMS (Key Management Service)?

Hint: It’s about managing encryption keys.

Answer 25

A service for managing encryption keys used to encrypt EBS volumes, S3 Buckets, Redshift databases, RDS databases, and EFS drives.

Question 26

What is AWS CloudHSM?

Hint: Think hardware encryption and customer control.

Answer 26

A hardware encryption service that allows customers to manage their own encryption keys.

Question 27

What does AWS Certificate Manager do?

Hint: Manages SSL/TLS certificates for your applications.

Answer 27

Provisions, manages, and deploys SSL/TLS certificates for secure web applications.

Question 28

What is the purpose of AWS Secrets Manager?

Hint: It deals with storing and rotating secrets.

Answer 28

Stores secrets, allows for automated rotation of secrets every X days, and integrates with RDS while encrypting secrets using KMS.

Question 29

What does AWS Artifact provide access to?

Hint: Think compliance reports for your organization.

Answer 29

Provides access to compliance reports, such as PCI and ISO certifications.

Question 30

What is AWS GuardDuty?

Hint: Continuous monitoring for malicious activity.

Answer 30

An intelligent threat detection service that continuously monitors for malicious behavior using VPC, DNS, and CloudTrail logs.

Question 31

What is AWS Inspector used for?

Hint: Finding vulnerabilities in your applications.

Answer 31

A service that finds software vulnerabilities in EC2 instances, ECR images, and Lambda functions.

Question 32

What is AWS Config?

Hint: It tracks changes and compliance.

Answer 32

Tracks configuration changes and compliance of resources over time, sending alerts through SNS for any changes.

Question 33

What does AWS Macie do?

Hint: It helps find sensitive data in S3.

Answer 33

Finds sensitive data, such as Personally Identifiable Information (PII), in Amazon S3 buckets.

Question 34

What is the role of AWS CloudTrail?

Hint: It tracks user activity within your AWS account.

Answer 34

Tracks API calls made by users within an AWS account for auditing purposes.

Question 35

What is AWS Security Hub?

Hint: Centralizes security findings from multiple accounts.

Answer 35

Gathers security findings from multiple AWS accounts and automates security checks across these accounts.

Question 36

What does AWS Detective help you with?

Hint: Finding the root cause of security issues.

Answer 36

Helps find the root cause of security issues or suspicious activities within your AWS environment.

Question 37

What is the purpose of the Abuse service in AWS?

Hint: Reporting illegal or abusive resource usage.

Answer 37

Allows you to report suspected AWS resources used for abusive or illegal purposes, such as spam or DDoS attacks.

Question 38

What does IAM Access Analyzer do?

Hint: It identifies shared resources externally.

Answer 38

Identifies which AWS resources are shared externally.

Question 39

What privileges does the root user have?

Hint: Think of it as the ultimate account control.

Answer 39

The root user can
- Change account settings
- Close the AWS account
- Change or cancel the AWS Support plan, - Register as a seller in the Reserved Instance Marketplace.