Governance & Security Flashcards

(44 cards)

1
Q

AWS Global Infrastructure

A

Edge locations and Regional Edge Cache
Local Zones
Availability Zones
Regions

2
Q

AWS Regions

A
  • A region is a geographical area
  • Each region consists of 2 or more availability zones
  • Isolated from other AWS Regions
3
Q

Availability Zones

A
  • Availability Zones are physically separate and isolated from each
    other
  • AZs span one or more data centers
  • Each AZ is designed as an independent failure zone
4
Q

Local Zones

A
  • AWS Local Zones place compute, storage, database, and other select
    AWS services closer to end-users
  • Extension of an AWS Region where you can run your latency-sensitive
    applications
5
Q

Edge Locations and Regional Edge Caches

A
  • Edge locations are Content Delivery Network (CDN) endpoints for
    CloudFront
  • There are many more edge locations than regions
  • Regional Edge Caches sit between your CloudFront Origin servers and
    the Edge Locations
  • A Regional Edge Cache has a larger cache than each of the
    individual Edge Locations
6
Q

Advantages of cloud?

A
  • Trade capital expense for variable expense
  • Benefit from massive economies of scale
  • Stop guessing about capacity
  • Increase speed and agility
  • Stop spending money running and maintaining data centres
  • Go global in minutes
7
Q

IAM Best Practices - General

A
  • Create individual IAM users
  • Use groups to assign permissions to IAM users
  • Grant least privilege
  • Use access levels to review IAM permissions
  • Monitor activity in your AWS account
8
Q

IAM Best Practices - Roles

A
  • Use roles for applications that run on Amazon EC2 instances
  • Use roles to delegate permissions
9
Q

IAM Best Practices - Policies

A
  • Get started using permissions with AWS managed policies
  • Use customer managed policies instead of inline policies
  • Use policy conditions for extra security
10
Q

IAM Best Practices - Credential Management

A
  • Lock away your AWS account root user access keys
  • Configure a strong password policy for your users
  • Enable MFA
  • Do not share access keys
  • Rotate credentials regularly
  • Remove unnecessary credentials
11
Q

Amazon EC2 Metadata and User Data

A
  • User data is data that is supplied by the user at instance
    launch in the form of a script
  • Instance metadata is data about your instance that you can use to configure or manage the running instance
  • User data and metadata are not encrypted
  • Instance metadata is available at
    http://169.254.169.254/latest/meta-data
12
Q

Access keys

A
  • Access keys can be used on EC2 instances to gain permissions
    to other AWS services
  • Access keys are stored in plaintext so this is not secure
  • Better to use IAM roles whenever possible and avoid access
    keys
13
Q

AWS Organizations

A
  • Allows you to consolidate multiple AWS accounts into an
    organization that you create and centrally manage
  • Available in two feature sets:
      • Consolidated Billing
      • All features
  • Includes root accounts and organizational units (OUs)
  • Policies are applied to root accounts or OUs
14
Q

AWS Organization Consolidated billing includes?

A
  • Paying Account – independent and cannot access resources of other
    accounts
  • Linked Accounts – all linked accounts are independent
15
Q

AWS Control Tower

A
  • Simplifies the process of creating multi-account environments
  • Sets up governance, compliance, and security guardrails for
    you
  • Integrates with other services and features to set up the
    environment for you, including:
      • AWS Organizations, SCPs, OUs, AWS Config, AWS CloudTrail,
        Amazon S3, Amazon SNS, AWS CloudFormation, AWS Service
        Catalog, AWS Single Sign-On (SSO)
16
Q

AWS Systems Manager

A
  • Manages many AWS resources including Amazon EC2, Amazon
    S3, Amazon RDS etc.
  • Systems Manager components:
      • Automation – uses documents to run automations
      • Run Command – run commands on EC2 instances
      • Inventory – gather inventory information
      • Patch Manager – manage patching schedules and installation
      • Session Manager – connect securely without SSH or RDP
      • Parameter Store – store secrets and configuration data securely
17
Q

AWS Service Catalog

A
  • Allows organizations to create and manage catalogs of IT
    services that are approved for use on AWS
  • Allows you to centrally manage commonly deployed IT
    services
  • IT services can include virtual machine images, servers,
    software, databases, and multi-tier application
    architectures
  • Enables users to quickly deploy only the approved IT services
    they need
18
Q

AWS Config

A
  • Fully-managed service for compliance management
  • Helps with compliance auditing, security analysis, resource
    change tracking and troubleshooting
19
Q

Trusted Advisor

A
  • Online resource that helps to reduce cost, increase
    performance and improve security by optimizing your AWS
    environment
  • Provides real-time guidance to help you provision your
    resources following best practices
  • Advises you on Cost Optimization, Performance, Security,
    and Fault Tolerance
20
Q

AWS Personal Health Dashboard

A
  • Provides alerts and remediation guidance when AWS is
    experiencing events that may impact you
  • Gives you a personalized view into the performance and
    availability of the AWS services underlying your AWS
    resources
  • Also provides proactive notification to help you plan for
    scheduled activities
21
Q

Service Health Dashboard

A
  • Shows you current status of AWS services
  • Not personalized
22
Q

AWS Directory Services

A
  • AWS Directory Service for Microsoft Active Directory
  • AD Connector
  • Simple AD
23
Q

AWS Directory Service for Microsoft Active Directory - description, use case

A
  • Description: AWS-managed full Microsoft AD running on Windows
    Server 2012 R2
  • Use case: Enterprises that want hosted Microsoft Active Directory
24
Q

AD Connector - description, use case

A
  • Description: Allows on-premises users to log into AWS services
    with their existing AD credentials
  • Use case: Single sign-on for on-premises employees
25
Q

Simple AD - description, use case

A
  • Description: Low-scale, low-cost AD implementation based on Samba
  • Use case: Simple user directory, or you need LDAP compatibility
26
Q

AWS Systems Manager Parameter Store

A
  • Provides secure, hierarchical storage for configuration data
    management and secrets management
  • You can store data such as passwords, database strings, and
    license codes as parameter values
  • You can store values as plaintext (unencrypted data) or
    ciphertext (encrypted data)
  • You can then reference values by using the unique name that you
    specified when you created the parameter
27
Q

AWS Secrets Manager

A
  • Similar to Parameter Store
  • Allows native and automatic rotation of keys
  • Fine-grained permissions
  • Central auditing for secret rotation
28
Q

AWS Certificate Manager (ACM)

A
  • Create, store and renew SSL/TLS X.509 certificates
  • Single domains, multiple domain names and wildcards
  • Integrates with several AWS services including:
      • Elastic Load Balancing
      • Amazon CloudFront
      • AWS Elastic Beanstalk
      • AWS Nitro Enclaves
      • AWS CloudFormation
29
Q

AWS Key Management Service (KMS)

A
  • Used for creating and managing encryption keys
  • Gives you centralized control over the encryption keys used to
    protect your data
  • KMS is integrated with most other AWS services
  • Easy to encrypt the data you store in these services with
    encryption keys you control
30
Q

AWS CloudHSM

A
  • Cloud-based hardware security module (HSM)
  • Generate and use your own encryption keys on the AWS Cloud
  • Manage your own encryption keys using FIPS 140-2 Level 3
    validated HSMs
  • CloudHSM runs in your VPC
31
Q

AWS CloudTrail

A
  • CloudTrail logs API activity for auditing
  • By default, management events are logged and retained for 90 days
  • A CloudTrail Trail logs any events to S3 for indefinite retention
  • A Trail can be within one Region or all Regions
  • CloudWatch Events can be triggered based on API calls in CloudTrail
  • Events can be streamed to CloudWatch Logs
32
Q

VPC Flow Logs

A
  • Flow Logs capture information about the IP traffic going to and
    from network interfaces in a VPC
  • Flow log data is stored using Amazon CloudWatch Logs
  • Flow logs can be created at the following levels:
      • VPC
      • Subnet
      • Network interface
33
Q

Elastic Load Balancing Access Logs

A
  • Capture detailed information about requests sent to the load
    balancer
  • Use to analyze traffic patterns and troubleshoot issues
  • Can identify requester, IP, request type etc.
  • Can be optionally stored and retained in S3
34
Q

S3 Access Logs

A
  • Provides detailed records for the requests that are made to a
    bucket
  • Details include the requester, bucket name, request time, request
    action, response status, and error code (if applicable)
  • Disabled by default
35
Q

Amazon Detective

A
  • Analyze, investigate, and quickly identify the root cause of
    potential security issues or suspicious activities
  • Automatically collects data from AWS resources
  • Uses machine learning, statistical analysis, and graph theory
  • Data sources include VPC Flow Logs, CloudTrail, and GuardDuty
36
Q

AWS GuardDuty

A
  • Intelligent threat detection service
  • Detects account compromise, instance compromise, malicious
    reconnaissance, and bucket compromise
  • Continuous monitoring for events across:
      • AWS CloudTrail Management Events
      • AWS CloudTrail S3 Data Events
      • Amazon VPC Flow Logs
      • DNS Logs
37
Q

Amazon Macie

A
  • Macie is a fully managed data security and data privacy service
  • Uses machine learning and pattern matching to discover, monitor,
    and help you protect your sensitive data on Amazon S3
  • Macie enables security compliance and preventive security
38
Q

AWS WAF

A
  • AWS WAF is a web application firewall
  • Create rules that block common web exploits like SQL injection
    and cross-site scripting
  • The rules are known as Web ACLs
39
Q

AWS Shield

A
  • AWS Shield is a managed Distributed Denial of Service (DDoS)
    protection service
  • Safeguards web applications running on AWS with always-on
    detection and automatic inline mitigations
40
Q

AWS Artifact

A
  • AWS Artifact provides on-demand access to AWS' security and
    compliance reports and select online agreements
  • Reports available in AWS Artifact include:
      • Service Organization Control (SOC) reports
      • Payment Card Industry (PCI) reports
41
Q

AWS Security Hub

A
  • Provides a comprehensive view of security alerts and security
    posture across AWS accounts
  • Aggregates, organizes, and prioritizes security alerts, or
    findings, from multiple AWS services
42
Q

AWS Security Bulletins

A
  • Security and privacy events affecting AWS services are published
    (also has an RSS feed)
43
Q

AWS Trust & Safety Team

A
  • Contact the AWS Trust & Safety team if AWS resources are being
    used for:
      • Spam
      • Port scanning
      • Denial-of-service attacks
      • Intrusion attempts
      • Hosting of objectionable or copyrighted content
      • Distributing malware
44
Q

Penetration Testing

A
  • Penetration testing is the practice of testing one's own
    application's security for vulnerabilities by simulating an attack
  • AWS allows penetration testing without prior approval for 8 AWS
    services