AWS Services Flashcards

1
Q

AWS CloudTrail

A

Where- Source IP Address
When- EventTime
Who- User, UserAgent
What- Region, Resource, Action
Use cases: detect developer misconfigurations and malicious actors, and automate responses.

Logs all API calls (SDK, CLI) between AWS Services. E.g: who created the bucket? Who deployed that EC2 instance?

With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides Event History (for last 90 days) of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
To retain events for more than 90 days, create a Trail.
CloudTrail enables governance, compliance, operational auditing, and risk auditing.

2
Q

AWS Config

A

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. With Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines. This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.

3
Q

Amazon Inspector

A

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

Amazon Inspector security assessments help you check for unintended network accessibility of your Amazon EC2 instances and for vulnerabilities on those EC2 instances. Amazon Inspector assessments are offered to you as pre-defined rules packages mapped to common security best practices and vulnerability definitions. Examples of built-in rules include checking for access to your EC2 instances from the internet, remote root login being enabled, or vulnerable software versions installed. These rules are regularly updated by AWS security researchers.

4
Q

AWS Trusted Advisor

A

AWS Trusted Advisor is an online tool that provides you with real-time guidance to help you provision your resources following AWS best practices.

Cost optimization, Performance, Security, Fault Tolerance, Service Quotas.

5
Q

Amazon CloudWatch

A

It is a monitoring and observability service built for DevOps engineers, developers, site reliability engineers (SREs), IT managers, and product owners. CloudWatch provides you with data and actionable insights to monitor your applications, respond to system-wide performance changes, and optimize resource utilization. CloudWatch collects monitoring and operational data in the form of logs, metrics, and events. You get a unified view of operational health and gain complete visibility of your AWS resources, applications, and services running on AWS and on-premises. You can use CloudWatch to detect anomalous behaviour in your environments, set alarms, visualize logs and metrics side by side, take automated actions, troubleshoot issues, and discover insights to keep your applications running smoothly.
- collect and store application logs and server operating system logs.
- use CloudTrail to capture API activities and send them to CloudWatch Logs.
- log Route 53 DNS queries into CloudWatch Logs.
- use CloudWatch Logs to retain and archive log data in S3.
- use CloudWatch Logs Insights to interactively search and analyze your log data.

6
Q

Amazon GuardDuty

A

Amazon GuardDuty is an automated threat detection service that continuously monitors for malicious or unauthorized behaviour to help you protect your AWS accounts and resources.
Uses ML to analyze CloudTrail events, VPC Flow Logs, and DNS logs. Uses anomaly detection and integrated threat intelligence to identify and prioritize potential threats.

7
Q

GuardDuty: LOW severity level 3.9 - 1.0

A

A low severity level indicates suspicious or malicious activity that was blocked before it compromised your resource.

No immediate recommended action, but it is worth making note of this information as it may indicate someone is looking for weak points in your network.

8
Q

GuardDuty: MEDIUM severity level 6.9 - 4.0

A

A medium severity level indicates suspicious activity that deviates from normally observed behavior and, depending on your use case, may be indicative of a resource compromise.

9
Q

GuardDuty: HIGH severity level 8.9 - 7.0

A

A high severity level indicates that the resource in question is compromised and is being actively used for unauthorized purposes.

10
Q

AWS CloudFront

A

Content Delivery Network (CDN).
It is a web service that speeds up the distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations.
When a user requests content that you’re serving with CloudFront, the request is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance.

11
Q

AWS S3 Transfer Acceleration

A

allows you to generate a URL that can be used by end users to upload files to a nearby edge location.
Now the file can move much faster through the AWS Global Network to the S3 bucket.

12
Q

AWS Global Accelerator

A

AWS Global Accelerator is a networking service that improves the performance of your users’ traffic by up to 60% using Amazon Web Services’ global network infrastructure. When the internet is congested, AWS Global Accelerator optimizes the path to your application to keep packet loss, jitter, and latency consistently low. It can find the optimal path from the end user to your web servers.
It is deployed within Edge Locations so you send user traffic directly to an Edge Location instead of directly to your web application.

13
Q

AWS ECS Fargate [Computing: Containers]

A

serverless orchestration container service.
AWS Fargate is a technology that you can use with Amazon ECS to run containers without having to manage servers or clusters of Amazon EC2 instances. With Fargate, you no longer have to provision, configure, or scale clusters of virtual machines to run containers. This removes the need to choose server types, decide when to scale your clusters, or optimize cluster packing.
compatible with both Amazon ECS and Amazon EKS.

14
Q

Amazon ECR [Computing]

A

ECR is a fully managed container registry offering high-performance hosting, so you can reliably deploy application images and artifacts anywhere.
Amazon ECR supports private repositories with resource-based permissions using AWS IAM.

15
Q

ECS [Computing: Containers]

A

Container orchestration service that supports Docker containers. Launches a cluster of EC2 instances with Docker installed.

16
Q

EKS - Elastic Kubernetes Service [Computing: Containers]

A

A fully managed Kubernetes (K8s) service. Kubernetes is open-source orchestration software that was created by Google and is generally the standard for managing microservices.

17
Q

Amazon Lightsail [Computing: Virtual Machines]

A

The managed virtual server service (a simplified version of EC2).
It offers easy-to-use virtual private server (VPS) instances, containers, storage, databases, and more at a cost-effective monthly price.

18
Q

AWS Lambda [Computing]

A

serverless function service. Can run code without provisioning or managing servers.

18
Q

AWS Outposts

A

physical rack of servers that can be put in your data center. Allows using AWS API & services such as EC2 right in your data center.

19
Q

AWS Wavelength

A

Allows you to build and launch your application in a telecom datacenter, for ultra-low latency.

20
Q

VMware Cloud on AWS

A

Manage on-premises virtual machines as EC2 instances using VMware.

21
Q

AWS Local Zones

A

edge datacenters located outside of an AWS region - use AWS closer to the end user destination.

22
Q

Amazon Macie

A

Data security service that continuously monitors S3 data access activity for anomalies, and generates detailed alerts on detecting any risk of unauthorized access or inadvertent data leaks. Uses ML.

23
Q

AWS Shield

A

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.

24
Q

Amazon Macie Alerts

A

Anonymized Access, Config Compliance, Credential Loss, Data Compliance, File Hosting, Identity Enumeration, Information Loss, Location Anomaly, Open Permissions, Privilege Escalation, Ransomware, Service Disruption, Suspicious Access

25
Q

AWS VPN

A

establish a secure and private tunnel from your network or device to the AWS global network.
1) AWS Site-to-Site VPN 2) AWS Client VPN

26
Q

AWS WAF

A

protects your web applications from common web exploits. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules.
E.g.: create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules.

27
Q

AWS KMS

A

create & control encryption keys.
Multi-tenant HSM. FIPS 140-2 Level 2.
uses Envelope Encryption.

28
Q

AWS CloudHSM

A

Cloud-based HSM service that automates provisioning, software patching, high availability & backups.
FIPS 140-2 Level 3 validated hardware.
Integrate w/ PKCS#11, JCE - Java Cryptography Extensions, Microsoft CryptoNG (CNG) libraries

29
Q

AWS License Manager

A
30
Q

AWS X-Ray

A

A distributed tracing system used to pinpoint issues with your microservices.
See how data moves from one app to another, how long it took to move, and if it failed to move forward.

31
Q

CloudWatch Alarms

A

monitors a CloudWatch Metric based on a defined threshold.

32
Q

CloudWatch Logs - Log Streams

A

A log stream is a sequence of events from an application or instance being monitored.
Lambda, RDS, EC2, Glue

33
Q

CloudWatch Logs - Log Events

A

Represents a single event in a log file.
Log Events can be seen within a Log Stream.

34
Q

CloudWatch Logs - Log Insights

A
35
Q

CloudWatch Metrics

A

time ordered set of data points.
It’s a variable monitored over time.

36
Q

Amazon RDS

A
37
Q

Amazon DynamoDB

A

is a key-value and document database that delivers single-digit millisecond performance at any scale. fully managed, multiregion, multimaster database with built-in security, backup and restore, and in-memory caching for internet-scale applications. DynamoDB can handle more than 10 trillion requests per day and can support peaks of more than 20 million requests per second.

38
Q

Amazon Timestream

A

a fast, scalable, fully managed time series database service for IoT and operational applications that makes it easy to store and analyze trillions of events per day at 1/10th the cost of relational databases.

39
Q

Amazon Quantum Ledger Database (QLDB)

A

a fully managed ledger database that provides a transparent, immutable, and cryptographically verifiable transaction log owned by a central trusted authority. Amazon QLDB tracks each and every application data change and maintains a complete and verifiable history of changes over time.

40
Q

EBS - Elastic Block Store

A

Amazon EBS is an easy-to-use, high-performance block storage service designed for use with Amazon Elastic Compute Cloud (EC2) for both throughput- and transaction-intensive workloads at any scale. A broad range of workloads, such as relational and non-relational databases, enterprise applications, containerized applications, big data analytics engines, file systems, and media workflows, are widely deployed on Amazon EBS.

41
Q

Amazon EFS - Elastic File System

A

Amazon EFS provides a simple, scalable, elastic file system for Linux-based workloads for use with AWS Cloud services and on-premises resources. Amazon EFS is well suited to support a broad spectrum of use cases, from highly parallelized, scale-out workloads that require the highest possible throughput to single-threaded, latency-sensitive workloads. Use cases include lift-and-shift enterprise applications, big data analytics, web serving and content management, application development and testing, media and entertainment workflows, database backups, and container storage.

42
Q

Amazon Redshift

A

extends data warehouse queries to your data lake, with no loading required. You can run analytic queries against petabytes of data stored locally in Redshift, and directly against exabytes of data stored in Amazon S3.
It is simple to set up, automates most of your administrative tasks, and delivers fast performance at any scale.

43
Q

Amazon Athena

A

an interactive query service to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run.

44
Q

Amazon Simple Storage Service - S3

A

an object storage service that offers industry-leading scalability, data availability, security, and performance. This means customers of all sizes and industries can use it to store and protect any amount of data for a range of use cases, such as websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics.

45
Q

Amazon S3 Glacier

A

Amazon S3 Glacier is a secure, durable, and extremely low-cost cloud storage service for data archiving and long-term backup. It is designed to deliver 99.999999999% durability, and provides comprehensive security and compliance capabilities that can help meet even the most stringent regulatory requirements.

46
Q

AWS Snowball

A

a petabyte-scale data transport solution that uses devices designed to be secure to transfer large amounts of data into and out of the AWS Cloud. Snowball devices use tamper-resistant enclosures, 256-bit encryption, and an industry-standard Trusted Platform Module (TPM) designed to ensure both security and full chain-of-custody for your data.
1 PB = 1,024 TB

47
Q

AWS Snowmobile

A

an Exabyte-scale data transfer service used to move extremely large amounts of data to AWS. You can transfer up to 100PB per Snowmobile, a 45-foot long ruggedized shipping container, pulled by a semi-trailer truck. Snowmobile makes it easy to move massive volumes of data to the cloud, including video libraries, image repositories, or even a complete data center migration.
1 EB = 1,024 PB

48
Q

Amazon API Gateway

A

Amazon API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create REST and WebSocket APIs that act as a “front door” for applications to access data, business logic, or functionality from your backend services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, any web application, or real-time communication applications.