IAM | Networking | Security

Question 1

What are subnets used to control? 3

Answer 1

Subnets are used to control network traffic, isolate resources, and define the scope of network communication within your VPC.

Question 2

What is a NAT Gateway?

Answer 2

allows private subnets within your VPC to access the internet while preventing inbound traffic from the internet.

Question 3

Explain how a NAT (Network Address Translation) Gateway works?

Answer 3

Translates private IP addresses of resources in your VPC to public IP addresses, allowing them to communicate with the internet while remaining secure.

Question 4

What is Network Access Control List (NACL) in Amazon VPC?

Answer 4

Stateless firewalls that control inbound and outbound traffic at the subnet level.

Question 5

What is Route 53?

Answer 5

A: Amazon Route 53 is a highly scalable and reliable domain name system (DNS) web service provided by AWS

Question 6

How does route 53 work?

Answer 6

Translates domain names into IP addresses and routes internet traffic to appropriate resources based on DNS records

Such as EC2 instances, load balancers, and S3 buckets etc…

Question 7

What is a policy in IAM?

Answer 7

An IAM policy is a JSON document that defines permissions and specifies what actions are allowed or denied on AWS resources.

Question 8

What can an IAM policy be attached to? 3….

Answer 8

Users: IAM policies can be attached directly to individual IAM users to grant or restrict their access to AWS resources.

Groups: IAM policies can be attached to IAM groups, allowing all users within the group to inherit the permissions defined in the policy.

Roles: IAM policies can be attached to IAM roles, which can then be assumed by users or services to temporarily obtain the permissions granted by the policy.

Question 9

What is IAM access key rotation?

Answer 9

Regularly updating access keys (access key ID and secret access key) associated with IAM users to enhance security.

Question 10

What is the benefit of utilizing key rotation in AWS?

Answer 10

It helps mitigate the risk of unauthorized access and potential misuse of compromised or leaked credentials.

Question 11

The minimum requirement for an IAM policy document consists of the following components: 5

Answer 11

Version
Statement
Effect
Action
Resource

Question 12

What is the function of a statement within an IAM policy document?

Answer 12

The statement defines the permissions and access control rules. At least one statement is required in the policy document.

{
  "Version": "2012-10-17",
  "Statement": [
    {

Question 13

What is the function of Effect, Action, and Resource within an IAM policy document?

Answer 13

Effect: The effect specifies whether the statement allows or denies access.

Action: The action specifies the specific actions or operations that are allowed or denied.

Resource: The resource specifies the AWS resources to which the permissions apply.

Question 14

What is happening within this policy?
~~~
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Sid”: “AllowS3ReadAccess”,
“Effect”: “Allow”,
“Action”: [
“s3:GetObject”,
“s3:ListBucket”
],
“Resource”: [
“arn:aws:s3:::my-bucket”,
“arn:aws:s3:::my-bucket/*”
]
}
]
}
~~~

Answer 14

In this example, the policy grants the “s3:GetObject” and “s3:ListBucket” actions on the “my-bucket” S3 bucket and its contents.

Question 15

How can you secure data at rest in AWS? 3

Answer 15

Amazon S3 with server-side encryption
Amazon RDS with encryption, and
AWS Key Management Service (KMS) for managing encryption keys.

Question 16

What is AWS CloudTrail?

Answer 16

It records API calls and delivers log files for tracking user activity and detecting security incidents.

Question 17

What does AWS Shield protect against?

Answer 17

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS attacks.

Question 18

What is AWS WAF?

Answer 18

AWS WAF is a web application firewall that protects web applications from common web exploits, such as SQL injection, cross-site scripting (XSS), and HTTP floods.

Question 19

What is Amazon CloudWatch? 4

Answer 19

Monitoring and observability service in AWS that collects
Metrics
Monitors log files
Sets alarms, and
Automates reactions to changes in AWS resources.

Question 20

What function does CloudWatch Logs play in you cloud environment?

Answer 20

CloudWatch help you centralize log data for analysis, troubleshooting, and compliance.

Question 21

Can CloudWatch Logs integrate with other AWS services? Provide an example.

Answer 21

Yes.
For example:
You can export log data from CloudWatch Logs to Amazon S3 for long-term storage

Or to

Amazon Elasticsearch Service for advanced log analytics and visualization.

Question 22

How are logs collected and stored in CloudWatch Logs?

Answer 22

Logs can be collected and sent to CloudWatch Logs using the AWS CLI, SDKs, or agent-based integrations.

Question 23

What is a CloudWatch log event?

Answer 23

It contains information such as the timestamp, message, and additional metadata associated with the log entry

Question 24

What are CloudWatch Alarms?

Answer 24

CloudWatch Alarms enable you to monitor metrics and trigger actions based on predefined thresholds.

Question 25

What happens when a CloudWatch alarm is triggered?

Answer 25

Alarms can be set to notify you or automatically take actions when metric data breaches the specified threshold.

Question 26

What are CloudWatch metrics?

Answer 26

Data points that measure the behavior and performance of resources such as CPU utilization, network traffic, and request counts.

Question 27

How can you visualize CloudWatch metrics?

Answer 27

CloudWatch Metrics can be visualized using the CloudWatch console, allowing you to create graphs, dashboards, and custom visualizations to monitor and analyze metric data.

Question 28

How can CloudWatch be used for autoscaling?

Answer 28

Scaling policies can be defined to automatically scale resources up or down in response to changes in metrics.

Question 29

What can IAM Policies be assigned to aside from users , groups and roles?

Answer 29

IAM Policies: Can be attached to certain AWS resources like S3 buckets, Lambda functions for fine-grained access control.

Question 30

What is AWS Key Management Service (KMS)?

Answer 30

AWS Key Management Service (KMS) is a managed service that enables you to create and control encryption keys used to encrypt your data and manage their lifecycle.

Question 31

What are customer master keys (CMKs) in AWS KMS?

Answer 31

Customer master keys (CMKs) in AWS KMS are used to encrypt and decrypt data. They can be generated by AWS or imported by customers, providing control over the encryption process.

Question 32

What is AWS KMS key rotation?

Answer 32

Key rotation is the process of automatically or manually replacing an old encryption key with a new one to enhance security.

Question 33

What types of keys can be managed with AWS KMS?

Answer 33

AWS KMS supports both symmetric and asymmetric keys.

Question 34

Explain how a Symmetric keys encrypt and decrypts data?

Answer 34

Symmetric key encryption uses the same key for both encryption and decryption, like a single key to open and close a lockbox.

Question 35

Explain how an Asymmetric keys encrypt and decrypts data?

Answer 35

Asymmetric key encryption uses two different keys: a public key for encryption and a private key for decryption, like using separate keys to lock and unlock a lockbox. This provides a higher level of security because even if someone intercepts the lockbox, they won’t be able to unlock it without the private key.

Question 36

What is the biggest difference between AWS-managed CMKs and customer-managed CMKs?

Answer 36

Customer-managed CMKs provide additional flexibility and control over key management.

Question 37

Q: What are the differences between a Network Load Balancer and Application Load Balancer?

Answer 37

NLB operates at the transport layer
(Layer 4) of the OSI model.
Designed for TCP and UDP.
Distributes traffic using IP addresses and ports

ALB operates at the application layer
(Layer 7) of the OSI model.
Designed for HTTP and HTTPS traffic
Distributes traffic using content-based routing, path-based routing, host-based routing

Question 38

Q: What are the differences between a Network Load Balancer and Application Load Balancer in relation to the type of IP addresses they support?

Answer 38

NLB supports static IP addresses, while ALB provides dynamic IP addresses.

Question 39

What are some scenarios where an NLB should be used? 3

Answer 39

Gaming applications
VoIP services
Large file transfers

Question 40

What are some scenarios where an ALB should be used? 3

Answer 40

Web applications
Microservices, and
API backends.

Question 41

What is a Classic Load Balancer (CLB) and how does it make routing decisions?

Answer 41

A Classic Load Balancer is an AWS load balancing service that distributes incoming traffic across multiple EC2 instances based on either the round-robin or the least connections algorithm.

Question 42

What are the key differences between a CLB and an ALB?

Answer 42

ALB offers more advanced features and flexible routing options compared to CLB. ALB supports content-based routing, path-based routing, host-based routing, and integrated support for containerized applications.

Question 43

What is the listener configuration difference between CLB and ALB?

Answer 43

CLB uses classic load balancer listeners to listen for incoming traffic on specific ports, while ALB uses target groups associated with listeners, allowing for more granular routing based on URL paths or host headers.

Question 44

Real-world use case for NLB:

Answer 44

Balancing traffic for high-performance, latency-sensitive applications such as real-time streaming, where maintaining low latency and high throughput is crucial.