Management, Governance and Billing Flashcards
(38 cards)
Audit requests to AWS Organizations for creating new accounts by federated users
Use CloudTrail and look for the federated identity user name
Employees have created individual AWS accounts that are not under central control. The security team needs them in AWS Organizations
Send each account an invitation from the central organization
Need to restrict ability to launch specific instance types for a specific team/account
Use an Organizations SCP to deny launches unless the instance type is T2, then create an IAM group in the account granting access to T2 instances to the relevant users
Need to ensure that S3 buckets are NEVER deleted in a production account
Use an SCP to deny the s3:DeleteBucket API action
Need to create user-defined cost allocation tags for new account
Use Tag Editor in new account to create user-defined tags and then use the billing and cost management console in the payer account to mark them as cost allocation tags
Separate departments must operate in isolation and only use pre-approved services
Use AWS Organizations to create accounts (Organizations API) and SCPs to control the services available for use
Developers can manipulate IAM policies/roles and need to block them from some services
Use an SCP to block those services
AWS bill is increasing and unauthorized services are being used across accounts
Use AWS Organizations with an SCP to restrict the unauthorized services
Configuring AWS SSO for an Organizations master account. Directory created and full access enabled
The next step is to create a permission set and associate it with directory users and groups
Process to create a custom dashboard in CloudWatch for custom metrics after installing agent on EC2
Create metric filters and select custom metrics
Need to test notification settings for CloudWatch alarm with SNS
Use the set-alarm-state CLI command to test
App with EC2 and RDS is running slowly and suspected high CPU
Use CloudWatch metrics to examine resource usage
Site uses CloudFront and S3. Users are accessing content that does not exist or that they don’t have access to
Check the 4XXErrorRate metric in CloudWatch to understand the extent of the issue
A script generates custom CloudWatch metrics from an EC2 instance whose clock is configured incorrectly by 30 mins
CloudWatch will accept the custom metric data and record it
Need to collect logs from many EC2 instances
Use the unified CloudWatch Agent
External auditor needs to check for unauthorized changes to AWS account
Create an IAM user, assign an IAM policy with read access to CloudTrail logs on Amazon S3
Need to identify who is creating EIPs and not using them
Use CloudTrail and query logs using Athena to search for EIP address events
S3 bucket holds sensitive data. Must monitor object upload / download activity, including the AWS account and IAM user of the caller and the time of the API call
Use AWS CloudTrail and enable data event logging
Need to record any modifications or deletions of CloudTrail logs in an S3 bucket
Enable CloudTrail log file integrity validation and enable MFA delete on the bucket
Large increase in requests to SQS. Need to determine the source of the calls
Use CloudTrail to audit API calls
Need to ensure that S3 buckets have logging enabled without stopping users from creating them
Auto-remediate with the AWS Config managed rule S3_BUCKET_LOGGING_ENABLED
Need to provide real-time compliance reporting for security groups to check that port 80 is not being used
Use the AWS Config restricted-common-ports rule and add port 80
Company wants to limit the AMIs that are used. Need to review compliance with the policy
Create an AWS Config rule to check that only approved AMIs are used
Need to automatically disable access keys that are greater than 90 days old
Use Config rule to identify noncompliant keys and use Systems Manager Automation to remediate