Designing Solutions for Organizational Complexity

Question 1

What service is used for AUDIT, assess, evaluate the configuration of AWS resources

Answer 1

AWS Config

Question 2

Access to resources in different account in the form of a list of AWS account ID #’s

As an alternative to using an IAM Role (since a role requires you to give up your user permissions in place of the role permissions)

Answer 2

Cross-account access with a resource based policy

Question 3

If question has AWS Organizations, OU’s, etc and referring to restricting or enforcing permissions to do something, think:

Answer 3

Service Control Policies (SCP’s)

(Most of the time. IAM could still be a possibility so just be careful)

Question 4

you have a Lambda function that might hog the regional concurrency limit for Lambda’s, Fix this how?

Answer 4

Set a reserved concurrency limit for that Lambda function

Question 5

Can SCPs affect service linked roles?

Answer 5

No. SCPs DO NOT affect service linked roles. Service linked roles can’t be restricted by SCPs

Question 6

Which service is used to create SSO for employees of a company that uses Microsoft Active Directory to manage its user accounts

Answer 6

AWS Directory Services for Active Directory

(via trust relationship between on-prem AD domain and AWS Microsoft AD domain in the AWS Cloud)

Question 7

Which service is used for federation to Web and mobile apps running on AWS by authenticating users through social identity providers?

Answer 7

Amazon Cognito

Question 8

Policies that define guardrails within an AWS Organization. They only allow or deny the use of an AWS service

Answer 8

Service Control Policies (SCP’s)

Question 9

Policies attached to principles or resources that grant permissions to AWS resources

Answer 9

Identity based or resource based IAM policies

(Cross-account or otherwise)

Question 10

Incidents with developers in Organization accidentally terminating EC2 instances, EKS clusters, databases, etc. how to solve this?

Answer 10

Think: SCPs, cross account IAM access, OUs

Question 11

Even if a user is granted full administrator permissions with an IAM permission policy, any access that is not explicitly allowed, or that is explicitly denied by the SCPs affecting that account is blocked 

Question 12

What service uses the enable-sharing-with-aws-organizations command

Answer 12

The AWS Resource Access Manager (RAM) CLI

Question 13

To setup tags and enforce tags automatically upon resource creation

Answer 13

Use - the cloudformation resource tags property to apply tags

plus

use AWS service catalog to enforce required tags and tag values 

Plus

IAM policy condition keys like aws:RequestTag and aws:TagKeys

Question 14

Multiple regions, multiple accounts, AWS Organizations, provision/deploy resources, consistency

Answer 14

(IaC) Cloudformation StackSets

Question 15

Centrally orchestrate any Cloudformation enabled service across multiple regions and accounts

Answer 15

AWS Organizations

(in combination with Cloudformation SetStacks)

Question 16

How to Enable Cloudtrail for logging of global service (IAM, STS, CloudFront, Route53) events

Answer 16

Create a trail in CloudTrail with the “enable global services” option selected.

Global Option enabled = pass the includeGlobalServicesEvents flag

Pass the -is-multi-region-trail flag

Question 17

Logging solution to track changes made to EC2, IAM, and RDS resources in all AWS regions

Answer 17

Cloudtrail with the global service option selected

Question 18

Delegate access to AWS resources to 3rd party (such as in the case of 3rd party auditors)

Answer 18

Use External ID in conjunction with IAM role trust policy

Question 19

3rd party Account with high level access suddenly added to AWS Organization without approval

Build a Monitoring solution that notifies of changes to any accounts?

Answer 19

Cloudtrail - capture API calls within the Organization

EventBridge & SNS - notify of administrator level actions

Config to monitor compliance of the Organization via multi account, multi region aggregator

Question 20

Capture information about IP traffic going to and from network interfaces in your VCP.

Diagnose overly restrictive security group rules

Monitor the traffic that is reaching your instances

Capture rejected traffic requests including the source IPs that will be delivered to cloud watch logs groups 

Determine the direction of the traffic to and from the network interfaces 

Answer 20

VPC flow logs

Question 21

Grant access to developers needing to perform application development tasks.

Allow create and configure of various AWS services, view permissions in Organizations

Answer 21

Attach the PowerUserAccess AWS managed policy to the IAM users

Question 22

Use this Route53 policy when you want to configure ACTIVE PASSIVE failover

Answer 22

Failover routing policy

Question 23

Use this route 53 when you want to route traffic based on the location of your users

Answer 23

Geo location routing policy

Question 24

Use this route 53 routing policy when you want to route traffic based on the location of your resources and optionally shift traffic from resources in one location to resources in another

Answer 24

Geo proximity routing policy

Question 25

Use this route 53 routing policy when have resources in multiple regions, and you want to route traffic to the region that provides the best latency 

Answer 25

Latency routing policy 

Question 26

Use this route 53 routing policy when you want to respond to DNS queries with up to eight healthy records selected at random

Answer 26

Multi value answer, routing policy

Question 27

Use this route 53 routing policy to route traffic to multiple resources in proportions that use specify

Answer 27

Weighted routing policy 

Question 28

Users account needs access to resources account. What are the steps to make this happen?

Answer 28

1. Create IAM user in the users account 2. Generate cross account role with needed permissions from the resources account 3. Grant access to the users account from the resources account

Question 29

Make direct connect available to multiple regions for inter region access

Answer 29

Direct connect to VIF to direct connect Gateway to virtual private gateways in each region

Question 30

Create an SCP that restricts launching any AWS resources without a tag

Answer 30

Include the **condition** element in the policy which uses the **ForAllValues** qualifier and the **AWS:TagKeys** condition

Question 31

Convert speech to text, generates subtitles

Answer 31

Amazon transcribe 

Question 32

AWS Workspaces Users can’t log in FSx for Windows File system has reached capacity How to prevent in the future:

Answer 32

Cloudwatch metric monitor **FreeStorageCapacity** of the file system Lambda to increase filesystem capacity using the **update-file-system** command Event bridge to invoke the lambda, when the metric threshold is reached

Question 33

Public identity providers, such as Facebook and Google, etc. use web identity federation with STS and **AssumeRoleWithWebIdentity**

Answer 33

On-premise SAML 2.0 identity providers like Active Directory use federated access and STS BUT do not use **AssumeRoleWithWebIdentity**

Question 34

Act as an intermediary for requests from internal users and servers often caching content to speed up subsequent requests to the Internet Limit, outbound web connections from your VPC to the Internet Provide URL and web content filtering 

Answer 34

Forward proxy server 

Question 35

Don’t want their reserved instance discounts to be shared by the other Business units in the AWS organization 

Answer 35

Turn off the reserved instance, sharing on the master account for all the member accounts

Question 36

To add and manage additional existing AWS accounts to your AWS organization

Answer 36

Send invites to all member accounts from the master account of your organization Create an **OrganizationAccountAccessRoll** IAM roll in the member account and grant permission to the master account to assume the role