VPC, Networking, Security and Compliance Flashcards
What is a VPC (Virtual Private Cloud)?
Hint: Think of it as your own private neighborhood in AWS.
A logically isolated virtual network inside an AWS Region with its own IP address range (CIDR), like your own “home base” where everything happens; nothing enters or leaves it unless you add a gateway and a route for it.
What is a subnet in AWS?
Hint: These are smaller divisions tied to specific Availability Zones.
A slice of the VPC's IP range that lives in a single Availability Zone, like “city blocks” within your neighborhood (VPC). A subnet is “public” when its route table sends 0.0.0.0/0 to an Internet Gateway and “private” otherwise; the label comes from the routing, not from a setting on the subnet.
What does an Internet Gateway do?
Hint: It’s the VPC’s way to access the internet.
Lets resources that have a public or Elastic IP, in subnets whose route table points at it, reach the internet and be reached from it, like the “main gate” for your neighborhood. It also performs the one-to-one NAT between an instance's private address and its public address.
What is the purpose of a NAT Gateway or Instance?
Hint: This allows private subnets to connect to the internet while staying hidden.
Lets instances in private subnets initiate outbound connections to the internet (patches, package downloads) while the internet cannot initiate connections to them, like a “one-way door for private blocks.” A NAT Gateway is managed and scales automatically; a NAT instance is an EC2 instance you run and patch yourself.
What is a NACL (Network ACL)?
Hint: A stateless firewall that doesn’t remember previous connections.
A stateless firewall that controls inbound and outbound traffic at the subnet level, acting like a “neighborhood gatekeeper.” Rules are numbered and evaluated lowest first; the first match wins, and the trailing “*” rule denies anything unmatched. Because it is stateless, reply traffic is not automatically allowed: return packets to clients' ephemeral ports (1024-65535) need their own rule, which is the classic NACL mistake.
How do security groups differ from NACLs?
Hint: These firewalls remember who’s allowed in.
Security groups are stateful firewalls attached to elastic network interfaces (EC2 instances, RDS, Lambda, load balancers), acting like “personal bouncers” who remember who's allowed in. They hold allow rules only (there is no explicit deny), all rules are evaluated together, and replies to an accepted connection are let through regardless of the rules for the other direction.
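The difference between the two flashcards above is easiest to see in code. The following is an added illustration, not AWS code: a tiny packet-filter model where `nacl_verdict` evaluates every packet on its own (lowest rule number first, implicit deny at the end) and `SecurityGroup` keeps a connection table so replies are admitted without an outbound rule. The rule sets, addresses and the HTTPS exchange are constructed; `BROKEN_NACL` shows the forgotten ephemeral-port rule and `FIXED_NACL` the fix.

```python
"""Stateless NACL vs stateful security group, modelled as a tiny packet filter.

Added illustration (not AWS code). Rule shapes are simplified, but the two
behaviours that matter are real: a NACL evaluates every packet on its own,
lowest rule number first, and falls through to an implicit deny; a security
group holds allow rules only and lets replies to an accepted connection
through regardless of the rules for that direction.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the protected subnet / ENI
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NaclRule:
    number: int      # lowest number is evaluated first; first match wins
    direction: str   # "in" or "out"
    cidr: str        # remote CIDR: source for "in" rules, destination for "out"
    ports: tuple     # inclusive destination-port range (lo, hi)
    action: str      # "allow" or "deny"


def nacl_verdict(rules, pkt):
    """Stateless: the reply packet must match its own outbound rule."""
    remote = pkt.src if pkt.direction == "in" else pkt.dst
    for r in sorted(rules, key=lambda r: r.number):
        lo, hi = r.ports
        if (r.direction == pkt.direction
                and ip_address(remote) in ip_network(r.cidr)
                and lo <= pkt.dport <= hi):
            return r.action
    return "deny"    # the trailing "*" rule every NACL ends with


class SecurityGroup:
    """Stateful: allow rules only, plus a connection table that admits replies."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound      # list of (cidr, (lo, hi)) allow rules
        self.outbound = outbound
        self.flows = set()          # (remote_ip, remote_port, local_port)

    def verdict(self, pkt):
        if pkt.direction == "in":
            key, rules, remote = (pkt.src, pkt.sport, pkt.dport), self.inbound, pkt.src
        else:
            key, rules, remote = (pkt.dst, pkt.dport, pkt.sport), self.outbound, pkt.dst
        if key in self.flows:       # reply to a tracked connection: always allowed
            return "allow"
        for cidr, (lo, hi) in rules:
            if ip_address(remote) in ip_network(cidr) and lo <= pkt.dport <= hi:
                self.flows.add(key)
                return "allow"
        return "deny"               # there are no deny rules; unmatched is dropped


def https_exchange(nacl_rules, sg):
    """One client request to a web server and the server's reply (constructed)."""
    request = Packet("in", "203.0.113.5", 51234, "10.0.1.10", 443)
    reply = Packet("out", "10.0.1.10", 443, "203.0.113.5", 51234)
    return {
        "nacl_request": nacl_verdict(nacl_rules, request),
        "nacl_reply": nacl_verdict(nacl_rules, reply),
        "sg_request": sg.verdict(request),
        "sg_reply": sg.verdict(reply),
    }


# Constructed rule sets for a public web subnet.
BROKEN_NACL = [
    NaclRule(100, "in", "0.0.0.0/0", (443, 443), "allow"),
    NaclRule(100, "out", "0.0.0.0/0", (443, 443), "allow"),   # no rule for reply ports
]
FIXED_NACL = BROKEN_NACL + [
    NaclRule(110, "out", "0.0.0.0/0", (1024, 65535), "allow"),  # clients' ephemeral ports
]


def web_sg():
    """Security group with HTTPS in and, deliberately, no outbound rules at all."""
    return SecurityGroup(inbound=[("0.0.0.0/0", (443, 443))], outbound=[])


if __name__ == "__main__":
    print("broken NACL:", https_exchange(BROKEN_NACL, web_sg()))
    print("fixed NACL: ", https_exchange(FIXED_NACL, web_sg()))
```

With `BROKEN_NACL` the request is allowed in but the server's reply to port 51234 is dropped by the subnet, while the security group with no outbound rules at all still passes the reply because the connection is tracked. That is exactly why NACL troubleshooting starts with the outbound ephemeral-port rule.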
What is VPC Peering?
Hint: A connection between two VPCs with a direct link.
A one-to-one connection between two VPCs (same or different account or Region) with non-overlapping IP ranges, like a “friendship tunnel” between two neighborhoods. Peering is non-transitive: if A peers with B and B peers with C, A still cannot reach C, and each side needs routes and security group rules for the other's CIDR.
What is an Elastic IP?
Hint: A fixed, public IPv4 address that costs if idle.
A static public IPv4 address allocated to your account that you can move between instances, like a “fixed street address.” It was historically billed only while unattached; since February 2024 AWS charges for every public IPv4 address, in use or not.
What are VPC Endpoints used for?
Hint: Allows access to AWS services within the VPC without the internet.
Provide private access from your VPC to AWS services without traversing the internet, like a “private service road.” Gateway endpoints (S3 and DynamoDB) are route-table targets; interface endpoints are ENIs with private IPs backed by PrivateLink. Attach an endpoint policy that limits the endpoint to approved resources (for example one bucket), otherwise the private road works just as well for exfiltration to an attacker's bucket.
What is AWS PrivateLink?
Hint: Used to connect to a third-party VPC privately.
Lets a provider expose a service behind a Network Load Balancer to consumers in other VPCs or accounts, who reach it through interface endpoints in their own VPC, like a “private road to another neighborhood.” Traffic stays on the AWS network, no peering is needed, and overlapping CIDRs do not matter; the same mechanism powers interface endpoints for AWS services and SaaS partners.
What are VPC Flow Logs?
Hint: They act like security cameras for your VPC traffic.
Capture metadata about IP traffic (addresses, ports, protocol, byte counts, and whether it was ACCEPTed or REJECTed) at the VPC, subnet, or network-interface level and deliver it to CloudWatch Logs or S3, like a “security camera” monitoring traffic. They record headers, not payloads, and are an input to GuardDuty and Detective.
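As an added example (not AWS code), here is detection logic run over flow log records in the default format: it flags a source that gets REJECTed on many distinct ports of one interface (a scan) and any ACCEPTed SSH/RDP flow from outside RFC 1918 space. The records, account id and interface id are constructed; the field order is the documented default format.

```python
"""Detection logic over VPC Flow Log records in the default (version 2) format.

Added example, not AWS code. The records are constructed; the field order is
the documented default format:
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# RFC 1918 space is checked explicitly instead of ipaddress.is_global, because
# the documentation ranges used below (203.0.113.0/24, 198.51.100.0/24)
# are classed as non-global by the standard library.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
TCP = 6


def parse(line):
    """Parse one record; returns None for NODATA/SKIPDATA rows, whose traffic fields are '-'."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count in {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for f in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[f] = int(rec[f])
    return rec


def load(text):
    """All usable records from a block of flow log lines."""
    return [r for r in (parse(l) for l in text.splitlines() if l.strip()) if r]


def is_external(addr):
    a = ip_address(addr)
    return not any(a in n for n in INTERNAL)


def find_port_scans(records, min_ports=5):
    """Sources whose REJECTed flows hit at least min_ports distinct ports on one ENI."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[(r["srcaddr"], r["interface_id"])].add(r["dstport"])
    return {key: len(p) for key, p in ports.items() if len(p) >= min_ports}


def find_exposed_admin(records):
    """ACCEPTed TCP flows to SSH/RDP that came from outside RFC 1918 space."""
    return [
        (r["srcaddr"], r["dstaddr"], ADMIN_PORTS[r["dstport"]])
        for r in records
        if r["action"] == "ACCEPT" and r["protocol"] == TCP
        and r["dstport"] in ADMIN_PORTS and is_external(r["srcaddr"])
    ]


# Constructed sample: a scan from 203.0.113.12, an accepted SSH session from the
# internet, an internal SSH session, and one NODATA row with empty fields.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.12 10.0.1.10 40001 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.12 10.0.1.10 40002 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.12 10.0.1.10 40003 80 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.12 10.0.1.10 40004 443 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.12 10.0.1.10 40005 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.7 10.0.1.10 51515 22 6 20 3200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 10.0.2.33 10.0.1.10 52000 22 6 12 1800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    records = load(SAMPLE)
    print("port scans:", find_port_scans(records))
    print("exposed admin ports:", find_exposed_admin(records))
```

Two points the flashcard alone does not make: NODATA and SKIPDATA rows have dashes in the traffic fields and must be skipped before any integer conversion, and a REJECT from a security group and a REJECT from a NACL look identical in the default format, so a scan shows up the same way whichever layer blocked it.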
What is a Site-to-Site VPN?
Hint: A secure tunnel connecting your data center to AWS.
An IPsec tunnel over the public internet between a customer gateway (your on-premises router) and a virtual private gateway or Transit Gateway in AWS, like “tunneling between cities.” Each connection comes with two tunnels for redundancy; the traffic is encrypted but still rides the internet, so latency and bandwidth are not guaranteed.
What is AWS Client VPN?
Hint: Allows individual computers to access the VPC securely.
A managed, OpenVPN-based VPN that lets individual users' computers connect securely to your VPC and anything routable from it, like a “personal VPN” for your neighborhood. Clients authenticate with certificates, Active Directory, or SAML federation, and authorization rules control which networks each group can reach.
What is AWS Direct Connect?
Hint: A faster, private connection from your data center to AWS.
A dedicated physical connection from your data center to AWS that bypasses the public internet, giving consistent bandwidth and latency, like a “private highway.” It is not encrypted on its own: run a Site-to-Site VPN over it (or MACsec on supported ports) if confidentiality matters.
What is an AWS Transit Gateway?
Hint: It acts as a central hub to connect multiple VPCs.
A regional router that connects many VPCs and on-premises networks (via VPN or Direct Connect) through one hub with transitive routing, replacing a mesh of peering connections, like a “central hub” for connecting neighborhoods. Route tables on the gateway decide which attachments can talk to each other, which is how you keep a dev VPC from reaching prod.
What is AWS responsible for in the Shared Responsibility Model?
AWS is responsible for security *of* the cloud: the physical facilities, hardware, global network, the virtualization layer, and the software that runs managed services such as S3 and RDS.
What is the customer responsible for in the Shared Responsibility Model?
The customer is responsible for security *in* the cloud: patching the guest OS, configuring security groups and firewalls, managing IAM users, roles and policies, classifying data, and encrypting it at rest and in transit.
What are some shared controls in the AWS Shared Responsibility Model?
Controls where AWS covers the infrastructure and the customer covers their own use of it:
- Patch management (AWS patches the hypervisor and managed-service hosts; you patch your instances and applications)
- Configuration management (AWS configures its infrastructure devices; you configure your guest OS, databases and applications)
- Awareness & training (AWS trains its staff; you train yours)
What is AWS Shield Standard?
Hint: Think of it as a basic DDoS protection included for free.
Automatic DDoS protection for every AWS customer at no additional cost, covering the common layer 3/4 (network and transport) attacks such as SYN/UDP floods and reflection attacks against websites and applications.
What is AWS Shield Advanced?
Hint: Premium DDoS protection.
A paid tier adding protection against larger and more sophisticated attacks on EC2, Elastic Load Balancing, CloudFront, Global Accelerator and Route 53, 24/7 access to the AWS Shield Response Team, and cost protection against scaling charges caused by a DDoS.
What is the purpose of a WAF (Web Application Firewall)?
Hint: Filters incoming requests based on set rules.
A layer 7 (HTTP) firewall deployed in front of CloudFront, Application Load Balancer, API Gateway, or AppSync that filters requests with rules on IP addresses, headers, URI and body patterns (SQL injection, cross-site scripting), geographic origin, and rate-based rules that block a source exceeding a request threshold.
How do CloudFront and Route 53 provide availability protection?
Hint: They utilize a global network for attack mitigation.
Their globally distributed edge locations absorb and spread attack traffic far from your origin, and combined with AWS Shield the mitigation happens at the edge before traffic reaches your VPC.
What is the function of a Network Firewall?
Hint: Protects the entire VPC.
A managed firewall deployed in its own subnet that inspects traffic entering and leaving the whole VPC, from layer 3 to layer 7, with stateless and stateful rule groups, including Suricata-compatible intrusion prevention rules and domain-based filtering.
What does AWS Firewall Manager do?
Hint: Centralizes management of security rules.
Centrally manages security rules across all accounts in an AWS Organization, including VPC security groups, WAF rules, Shield Advanced protections, Network Firewall policies and Route 53 Resolver DNS Firewall rules, and applies them automatically to new accounts and resources as they appear.
What is AWS KMS (Key Management Service)?
Hint: It’s about managing encryption keys.
A managed service for creating and controlling the encryption keys used by EBS volumes, S3 buckets, Redshift, RDS databases, EFS file systems and most other AWS services. Key material never leaves KMS unencrypted; services call KMS to encrypt and decrypt, access is governed by key policies and IAM, and every use of a key is recorded in CloudTrail.
What is AWS CloudHSM?
Hint: Think hardware encryption and customer control.
Dedicated, single-tenant, FIPS-validated hardware security modules running in your VPC. AWS provisions and maintains the hardware, but the customer alone manages the users and keys on it; AWS has no access to the key material, which is the point when compliance requires customer-controlled keys.
What does AWS Certificate Manager do?
Hint: Manages SSL/TLS certificates for your applications.
Provisions, manages, and deploys SSL/TLS certificates for secure web applications. Public certificates are free and renew automatically when attached to integrated services such as Elastic Load Balancing, CloudFront and API Gateway.
What is the purpose of AWS Secrets Manager?
Hint: It deals with storing and rotating secrets.
Stores database credentials, API keys and other secrets encrypted with KMS, rotates them automatically on a schedule (built-in rotation for RDS and other supported databases, Lambda-based rotation for anything else), and lets applications fetch them through the API instead of hard-coding them in config files.
What does AWS Artifact provide access to?
Hint: Think compliance reports for your organization.
Provides on-demand access to AWS compliance reports and agreements, such as PCI DSS attestations, ISO 27001 certifications and SOC reports, that you hand to your own auditors as evidence for the AWS side of the shared responsibility model.
What is AWS GuardDuty?
Hint: Continuous monitoring for malicious activity.
An intelligent threat detection service that continuously analyzes VPC Flow Logs, DNS query logs and CloudTrail events (plus optional sources such as S3 data events and EKS audit logs) for signs of compromise: unusual API calls, cryptocurrency mining, credential exfiltration, or communication with known-malicious hosts. It needs no agents, and the findings feed Security Hub and Detective.
What is AWS Inspector used for?
Hint: Finding vulnerabilities in your applications.
An automated vulnerability scanner that finds known software vulnerabilities (CVEs in installed packages) and unintended network exposure in EC2 instances, ECR container images, and Lambda functions, scoring each finding by severity.
What is AWS Config?
Hint: It tracks changes and compliance.
Records the configuration of resources over time, evaluates them against rules (for example, no security group open to 0.0.0.0/0 on port 22), and can notify through SNS or trigger automatic remediation when a resource changes or becomes non-compliant.
What does AWS Macie do?
Hint: It helps find sensitive data in S3.
Uses machine learning and pattern matching to discover sensitive data, such as Personally Identifiable Information (PII) and credentials, in Amazon S3 buckets, and also reports buckets that are publicly accessible or unencrypted.
What is the role of AWS CloudTrail?
Hint: It tracks user activity within your AWS account.
Records API calls and console sign-ins (who, when, from which IP address, with which result) across an AWS account for auditing and investigation. Enable it in all Regions, deliver the logs to a protected S3 bucket, and turn on log file validation so that tampering with the trail is detectable.
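The following is an added example, not AWS code, of the kind of detection you run over CloudTrail once it is enabled: three rules in the style of the CIS AWS Foundations Benchmark alarms (interactive root usage, a console sign-in without MFA, and someone switching the trail off). The events are constructed JSON lines shaped like real CloudTrail records; the account id, principal ids, trail name and IP addresses are dummies.

```python
"""Three detections over CloudTrail events, in the style of the CIS AWS
Foundations Benchmark alarms (root usage, console login without MFA, and
changes to the trail itself).

Added example, not AWS code. The events are constructed JSON lines shaped
like real CloudTrail records; account id, principal ids and IPs are dummies.
"""
import json

TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def root_activity(ev):
    """Interactive root use. Events AWS services raise on root's behalf carry
    userIdentity.invokedBy and eventType AwsServiceEvent, and are excluded."""
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")


def console_login_without_mfa(ev):
    """Successful console sign-in where additionalEventData.MFAUsed is not Yes."""
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def trail_tampering(ev):
    """Someone turning the audit log off or narrowing what it captures."""
    return (ev.get("eventSource") == "cloudtrail.amazonaws.com"
            and ev.get("eventName") in TRAIL_TAMPER)


RULES = {
    "root_activity": root_activity,
    "console_login_without_mfa": console_login_without_mfa,
    "cloudtrail_tampering": trail_tampering,
}


def scan(jsonl):
    """Run every rule over each event; returns (rule, time, eventName, sourceIP)."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for name, rule in RULES.items():
            if rule(ev):
                findings.append((name, ev["eventTime"], ev["eventName"],
                                 ev.get("sourceIPAddress")))
    return findings


# Constructed events (one JSON object per line, as CloudTrail delivers them).
SAMPLE_EVENTS = """\
{"eventVersion":"1.08","userIdentity":{"type":"Root","principalId":"123456789012","arn":"arn:aws:iam::123456789012:root","accountId":"123456789012"},"eventTime":"2024-05-01T10:00:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.9","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventVersion":"1.08","userIdentity":{"type":"Root","principalId":"123456789012","arn":"arn:aws:iam::123456789012:root","accountId":"123456789012"},"eventTime":"2024-05-01T10:05:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","eventType":"AwsApiCall","awsRegion":"us-east-1","sourceIPAddress":"203.0.113.9","requestParameters":{"name":"org-trail"}}
{"eventVersion":"1.08","userIdentity":{"type":"IAMUser","principalId":"AIDAEXAMPLE","arn":"arn:aws:iam::123456789012:user/alice","accountId":"123456789012","userName":"alice"},"eventTime":"2024-05-01T11:00:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","awsRegion":"us-east-1","sourceIPAddress":"198.51.100.4","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventVersion":"1.08","userIdentity":{"type":"Root","principalId":"123456789012","arn":"arn:aws:iam::123456789012:root","accountId":"123456789012","invokedBy":"AWS Internal"},"eventTime":"2024-05-01T12:00:00Z","eventSource":"s3.amazonaws.com","eventName":"PutBucketPolicy","eventType":"AwsServiceEvent","awsRegion":"us-east-1","sourceIPAddress":"AWS Internal"}
{"eventVersion":"1.08","userIdentity":{"type":"AssumedRole","principalId":"AROAEXAMPLE:deploy","arn":"arn:aws:sts::123456789012:assumed-role/Deploy/deploy","accountId":"123456789012"},"eventTime":"2024-05-01T12:30:00Z","eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress","eventType":"AwsApiCall","awsRegion":"us-east-1","sourceIPAddress":"10.0.3.8"}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(*finding)
```

The `invokedBy` / `AwsServiceEvent` exclusion in `root_activity` is what keeps the rule quiet when an AWS service acts on the account's behalf; without it the fourth sample event would page someone for nothing. The second event is the one to worry about: root signing in without MFA and then stopping the trail is the sequence an attacker with stolen root credentials would follow.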
What is AWS Security Hub?
Hint: Centralizes security findings from multiple accounts.
Aggregates and normalizes findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager and partner tools across multiple AWS accounts, and runs automated checks against standards such as the CIS AWS Foundations Benchmark and the AWS Foundational Security Best Practices.
What does AWS Detective help you with?
Hint: Finding the root cause of security issues.
Builds a graph from CloudTrail, VPC Flow Logs and GuardDuty findings so you can pivot between a suspicious IP, role, instance or API call and its related activity, and find the root cause of security issues or suspicious behavior in your AWS environment.
What is the purpose of the Abuse service in AWS?
Hint: Reporting illegal or abusive resource usage.
Lets you report AWS resources suspected of abusive or illegal use, such as spam, port scanning, malware hosting or DDoS attacks, to the AWS Trust & Safety team for investigation.
What does IAM Access Analyzer do?
Hint: It identifies shared resources externally.
Identifies resources (S3 buckets, IAM roles, KMS keys, Lambda functions, SQS queues, Secrets Manager secrets and more) whose policies grant access to principals outside your account or organization, and also validates IAM policies against best practices before you deploy them.
What privileges does the root user have?
Hint: Think of it as the ultimate account control.
The root user has unrestricted access to everything in the account, and some actions can only be taken by root:
- Change account settings (account name, root e-mail address, root password)
- Close the AWS account
- Change or cancel the AWS Support plan
- Register as a seller in the Reserved Instance Marketplace
Because no IAM policy can restrict it, protect root with MFA, remove any root access keys, and use IAM users or roles for everyday work.