4.0 - Monitoring, Security, and Pricing

Question 1

List the six pillars of the Well-Architected Framework.

Answer 1

Security
Performance Efficiency
Reliability
Operational Excellence
Cost Optimization
Sustainability

SPROCS

Question 2

What is the purpose of CloudWatch?

Answer 2

To give visibility to cloud resources and apps - can be tracked in dashboards and can trigger alerts

Question 3

What is the purpose of CloudTrail?

Answer 3

Provides accountability for API activity in your account

Question 4

True or false: you need to install the CloudWatch agent on EC2 instances in order to collect certain metrics.

Answer 4

True (free memory, % disk space used, etc.)

Question 5

True or false: CloudWatch log groups are retained indefinitely by default.

Answer 5

True - and that can get pricey

Question 6

What is a tag?

Answer 6

a key-value pair that you can add to any AWS resource

Question 7

What does Systems Manager do?

Answer 7

Allows you to group resources in AWS, on-prem, or other clouds; can take automated actions on resource groups

Question 8

What does Systems Manager Parameter Store do?

Answer 8

Securely stores sensitive data - passwords, DB connection strings, license keys

Question 9

What does AWS Health Dashboard do?

Answer 9

View status of services and regions relevant to the workloads running in your AWS account

Question 10

What does AWS Health API do?

Answer 10

Use it to build your own custom observability platform

Question 11

What does the Trusted Advisor do?

Answer 11

One-stop shop for advice on how your well-architected framework is running.

Question 12

Data encryption, secure CloudTrail, public access, resource provisioning, network security, and protected credentials are all things that should be continually…

Answer 12

audited

Question 13

In addition to Trusted Advisor, another auditing tool provided by AWS is…

Answer 13

AWS Config (which is the backbone of auditing on AWS)

Question 14

True or false: AWS Config enforces adherence to best practices.

Answer 14

False - it will only detect and alert.

Question 15

What does Audit Manager do?

Answer 15

Centralizes audit data from AWS Config, finds root causes, and generates reports

Question 16

AWS offers the Well-Architected Tool, which does what?

Answer 16

Assess your workloads and generates action plans to bring your infrastructure in line with best practices.

Question 17

What is Amazon Connect?

Answer 17

Tool for creating a call/contact center in the cloud

Question 18

What is Amazon Workspaces?

Answer 18

Provisions secure remote desktops

Question 19

What does Amazon AppStream do?

Answer 19

Creates web-based applications (converts software to SaaS)

Question 20

True or false: AWS Config can generate audit reports.

Answer 20

False

Question 21

In the Shared Responsibility Model, the customer is responsible for security ____ the cloud, while AWS is responsible for security _____ the cloud.

Answer 21

in, of

Question 22

With respect to security, what do Managed Services do?

Answer 22

Offload some of the responsibility for security from the customer and onto AWS.

Question 23

What is the primary tool for granular security?

Answer 23

IAM

Question 24

What user has the right to destroy your AWS account?

Answer 24

Root

Question 25

When an IAM user accesses a resource via the CLI, they will authenticate using ______.

Answer 25

Access keys

Question 26

When an IAM user accesses a resource via the AWS console (web browser), they will authenticate using ______.

Answer 26

username & password

Question 27

True or false: long-lasting access keys are a security risk.

Answer 27

True - best practice is to rotate them

Question 28

What three entities can an IAM Policy be applied to?

Answer 28

a user, a group, or a role (AWS resources and applications)

Question 29

IAM roles can use long-lasting access keys.

Answer 29

False - they are rotated by design

Question 30

What does IAM Access Analyzer do?

Answer 30

Identifies and alerts if a resource has external access; validates IAM policies; and generates IAM policies based on usage

Question 31

What does IAM Policy Simulator do?

Answer 31

allows you to test policies before granting them to users, groups, or roles

Question 32

True or false: Data in an S3 bucket is encrypted by default.

Answer 32

True

Question 33

What does Amazon Macie do?

Answer 33

Scans the contents of S3 buckets for PII.

Question 34

True or false: EBS instances are encrypted by default.

Answer 34

False

Question 35

True or false: RDS instances are encrypted by default.

Answer 35

False

Question 36

What tool can be used to encrypt EBS and RDS instances?

Answer 36

Key Management Service (KMS)

Question 37

True or false: You can only encrypt an Amazon RDS DB instance when you create it, not after the DB instance is created.

Answer 37

True. If you need to encrypt an RDS instance later, you need to create a copy of it, and encrypt that.

Question 38

True or false: all traffic within a VPC is encrypted by default.

Answer 38

True

Question 39

What tool provisions, deploys, and renews SSL/TLS certificates?

Answer 39

Certificate Manager

Question 40

What does the Secrets Manager tool do above and beyond the Parameter Store tool?

Answer 40

Automatically rotates passwords

Question 41

True or false: NACLs can filter based on source or destination IP address.

Answer 41

False - source IP address only.

Question 42

In addition to NACLs and Security Groups, what service does AWS provide for network security?

Answer 42

AWS Network Firewall

Question 43

What tool provides network protection of public-facing entry points?

Answer 43

AWS Web Application Firewall (WAF)

Question 44

What tool defends specifically against DDoS attacks?

Answer 44

AWS Shield

Question 45

True or False: AWS Shield Standard comes at no cost.

Answer 45

True

Question 46

How does AWS Shield Advanced differ from Shield Standard?

Answer 46

24/7 DDoS response team and other advanced protection

Question 47

Network Firewall, WAF, and Shield can all be managed through what tool?

Answer 47

AWS Firewall Manager

Question 48

What tool supports security and config tools such as Firewall Manager, Guard Duty, Inspector, Macie, Systems Manager, Config, IAM Access Analyzer, and AWS Health?

Answer 48

Security Hub

Question 49

What does Guard Duty do?

Answer 49

Tracks activity logs looking for malicious behavior using machine learning

Question 50

What does Inspector do?

Answer 50

Continually inspects workloads for vulnerabilities and network access

Question 51

Patch Manager is a subsystem of what tool?

Answer 51

Systems Manager

Question 52

The opposite of Guard Duty, what tool detects malicious behavior after the fact?

Answer 52

Amazon Detective

Question 53

What is AWS Cloud Security?

Answer 53

A landing page for finding the latest security-related information

Question 54

Where can you purchase pre-built third-party security solutions?

Answer 54

AWS Marketplace

Question 55

What is an "account" in AWS?

Answer 55

An account is a collection of resources which many users can log into and contribute to

Question 56

What does AWS Organizations do?

Answer 56

Administers multiple AWS accounts, in order to organize and limit access to resources

Question 57

AWS Organizations use ______ to control access.

Answer 57

Service Control Policies

Question 58

What tool automates account creation?

Answer 58

AWS Control Tower

Question 59

What does AWS Artifact do?

Answer 59

It is a repository of compliance documents

Question 60

What does Security Token Service do?

Answer 60

Provides temporary credentials for temporary users (e.g. auditors)

Question 61

Demonstrating regulatory compliance in the cloud is _________ responsibility.

Answer 61

the customer's

Question 62

What does Compute Optimizer do?

Answer 62

Monitors utilization metrics via CloudWatch and provides right-sizing recommendations for EC2 instances.

Question 63

True or false: Lambda has no idle cost.

Answer 63

True

Question 64

When should you use a reserved instance?

Answer 64

Used when workload is predictable and constant over time

Question 65

What is a spot instance?

Answer 65

An instance that's only available when AWS has a surplus; may start or stop unpredictably, but comes at a huge cost savings

Question 66

What are three types of reserved instances?

Answer 66

Standard, convertible, and scheduled

Question 67

What allows you to change an object from one S3 bucket type to another (or expires it)?

Answer 67

S3 Lifecycle Configuration

Question 68

What tool analyzes S3 usage patterns and moves objects to more-appropriate buckets?

Answer 68

S3 Intelligent Tiering

Question 69

What does S3 Storage Lens do?

Answer 69

Examines all of your org-wide S3 buckets and makes recommendations for storage class changes across all of your accounts

Question 70

When creating a storage lifecycle, what is the minimum amount of time between transitioning objects between storage classes?

Answer 70

30 days

Question 71

True or false: when transferring data from the public internet into AWS, there is no charge.

Answer 71

True

Question 72

What is the most expensive type of data transfer?

Answer 72

from AWS to the public internet (roughly 10 cents per gigabyte)

Question 73

True or false: a data transfer between an EC2 instance and an RDS instance in the same AZ is free.

Answer 73

True

Question 74

True or false: a data transfer between an EC2 instance and an RDS instance in a different AZ is free.

Answer 74

False

Question 75

What is the general rule regarding the cost of data transfer?

Answer 75

The farther the data has to travel, the more expensive it will be.

Question 76

What does the Pricing Calculator tool do?

Answer 76

Assesses your potential cloud costs

Question 77

What does the AWS Budgets tool do?

Answer 77

You can set a customized budget and receive SNS alerts when you exceed those thresholds.

Question 78

What does Cost Explorer do?

Answer 78

It is a dashboard/reporting tool where you can track usage and projected expenditure.

Question 79

What do Cost and Usage Reports do?

Answer 79

Gives the most detailed data on your cost and usage history.

Question 80

What does Billing Conductor do?

Answer 80

Allows you to create billing groups within your Organization.

Question 81

Basic, Developer, Business, Enterprise On-Ramp, and Enterprise are categories of what?

Answer 81

AWS Support Plans

Question 82

What is AWS IQ?

Answer 82

a marketplace of freelance consultants who are AWS-certified

Question 83

Who is AWS Activate geared toward?

Answer 83

startups