Security Flashcards

1
Q

Coupling

A

Coupling describes the degree to which the components of a system depend on one another

2
Q

Loose coupling

A

Loosely coupled components are connected but do not depend on one another

This reduces the risk of a failure in one component cascading into the others

3
Q

Tight Coupling

A

Components are highly dependent on each other

If one fails, the others fail with it

4
Q

Queues

A

Queues are used to implement loosely coupled systems: a producer puts a message on the queue and a consumer takes it off later, so neither side has to be available at the same time as the other

5
Q

Simple Queue Service (SQS)

A

A message queueing service that allows you to build loosely coupled systems

Allows component-to-component communication using messages

Multiple components (producers) can add messages to the queue; consumers poll the queue and delete a message once they have processed it

Messages are processed asynchronously
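The producer/consumer behaviour described on the Queues and SQS cards, as an added example that is not part of the original deck: a constructed in-memory queue that follows SQS-style delivery rules (a received message is hidden rather than removed until it is deleted or its visibility timeout lapses, and a message received too many times is redriven to a dead-letter queue). It shows why a failing consumer does not take the producer or the other messages down with it, compared with a direct synchronous call.

```python
"""Loose coupling through a queue, modelled with SQS-style delivery rules.

Added example, not from the original flashcards or from AWS. FakeQueue is a
constructed in-memory stand-in for an SQS queue with a dead-letter queue:
a received message is hidden (not removed) until the consumer deletes it or the
visibility timeout lapses, and a message received more than max_receive_count
times is moved to the dead-letter list. Time is a logical counter so the run
is deterministic.
"""
from dataclasses import dataclass


@dataclass
class Message:
    body: str
    receive_count: int = 0
    invisible_until: int = 0  # logical clock tick at which it becomes visible again


class FakeQueue:
    def __init__(self, visibility_timeout=2, max_receive_count=3):
        self.visibility_timeout = visibility_timeout
        self.max_receive_count = max_receive_count
        self.messages = []
        self.dead_letter = []
        self.clock = 0

    def send(self, body):
        # The producer never talks to the consumer; it only needs the queue.
        self.messages.append(Message(body))

    def receive(self):
        """Return the first visible message, or None.

        The message stays in the queue but is hidden for visibility_timeout
        ticks; if it has already been received max_receive_count times it is
        redriven to the dead-letter list instead of being delivered again.
        """
        self.clock += 1
        for msg in [m for m in self.messages if m.invisible_until <= self.clock]:
            if msg.receive_count >= self.max_receive_count:
                self.messages.remove(msg)
                self.dead_letter.append(msg.body)
                continue
            msg.receive_count += 1
            msg.invisible_until = self.clock + self.visibility_timeout
            return msg
        return None

    def delete(self, msg):
        # Acknowledge only after successful processing.
        self.messages.remove(msg)


def process(body):
    """Constructed worker: a 'poison' message fails every time."""
    if body == "poison":
        raise ValueError("cannot handle message")
    return body.upper()


def tightly_coupled(bodies):
    """Direct synchronous calls: the first failure aborts everything after it."""
    return [process(b) for b in bodies]


def run_consumer(q, max_polls=20):
    """Poll the queue until it drains. Failures never reach the producer."""
    done = []
    for _ in range(max_polls):
        msg = q.receive()
        if msg is None:
            if not q.messages:
                break
            continue  # only hidden messages remain; wait for the timeout
        try:
            done.append(process(msg.body))
            q.delete(msg)
        except ValueError:
            pass  # leave the message; it reappears after the visibility timeout
    return done


def demo():
    """Constructed run: three messages, one of them poison."""
    q = FakeQueue(visibility_timeout=2, max_receive_count=3)
    for body in ["a", "poison", "b"]:
        q.send(body)
    processed = run_consumer(q)
    return processed, q.dead_letter, len(q.messages)
```

In the queued run, "a" and "b" are processed and "poison" ends up in the dead-letter list after three failed deliveries; in the direct-call version the same poison message aborts the batch before "b" is reached. The design point is that a consumer should delete a message only after it has finished with it, which also means processing must tolerate seeing the same message more than once.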

6
Q

Simple Notification Service (SNS)

A

Publish/subscribe messaging: publish a message to a topic and every subscriber of that topic receives it

Subscribers can be email addresses, SMS numbers, HTTP endpoints, SQS queues, or Lambda functions

Allows sending email and text messages from your apps

7
Q

Simple Email Service

A

An email service that allows you to send richly formatted HTML email from your app

Ideal choice for marketing campaigns or transactional and professional email

Unlike SNS, which delivers plain-text notifications, SES sends HTML-formatted email

8
Q

CloudWatch

A

A collection of services that help you monitor and observe your cloud resources

Collects metrics, logs, and events

Detects anomalies in your environment

Sets alarms

Visualizes logs

Can set high-resolution alarms, monitor application logs, visualize time-series data, and trigger an action when a condition is met

9
Q

CloudTrail

A

Tracks user activity and API calls within your account

Logs and retains account activity

Tracks activity made through the console, SDKs, and CLI

Identifies which user (or role) made a change, from which IP address, and when

Helps detect unusual activity in your account
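The two uses on this card, attributing changes to a user and spotting unusual activity, as an added example that is not part of the original deck: a short pass over constructed CloudTrail-shaped records. The records keep only a handful of the real fields, and the "unusual" rules (root usage, console login without MFA, trail tampering, unknown source IP) are this example's own heuristics, not GuardDuty's detection logic.

```python
"""Reading CloudTrail records: who changed what, and what looks unusual.

Added example, not from the original flashcards. The records below are
constructed and keep only a few of CloudTrail's real fields (eventTime,
eventSource, eventName, userIdentity, sourceIPAddress, readOnly,
additionalEventData). The "unusual" rules are this example's own heuristics
and not GuardDuty's detection logic.
"""
from collections import Counter

RECORDS = [  # constructed sample trail
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "sourceIPAddress": "198.51.100.7", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "192.0.2.55", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2024-05-01T10:08:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.4", "readOnly": True,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Deploy/ci"}},
]

TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
READ_PREFIXES = ("Describe", "Get", "List", "Head")


def actor(event):
    """Label the caller: 'root', an IAM user name, or role:Role/Session."""
    ident = event["userIdentity"]
    if ident["type"] == "Root":
        return "root"
    if ident["type"] == "AssumedRole":
        # arn:aws:sts::ACCOUNT:assumed-role/RoleName/SessionName
        return "role:" + ident["arn"].split("assumed-role/", 1)[1]
    return ident.get("userName", ident.get("arn", "unknown"))


def is_change(event):
    """True for calls that modify something (readOnly flag, else a name heuristic)."""
    if event["eventSource"] == "signin.amazonaws.com":
        return False
    if "readOnly" in event:
        return not event["readOnly"]
    return not event["eventName"].startswith(READ_PREFIXES)


def changes_by_actor(events):
    """Answer 'which user made changes?' as a count of mutating calls per actor."""
    return Counter(actor(e) for e in events if is_change(e))


def find_unusual(events, known_ips):
    """Flag root usage, console logins without MFA, trail tampering and unknown IPs."""
    findings = []
    for e in events:
        who, name, ip = actor(e), e["eventName"], e["sourceIPAddress"]
        if who == "root":
            findings.append((name, who, "root credentials used"))
        if name == "ConsoleLogin" and e.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append((name, who, "console login without MFA"))
        if name in TAMPER_EVENTS:
            findings.append((name, who, "audit logging tampered with"))
        if ip not in known_ips and not ip.endswith(".amazonaws.com"):
            findings.append((name, who, "call from unexpected IP " + ip))
    return findings
```

Run against the sample, `changes_by_actor` attributes three changes to alice and none to the read-only CI role, and `find_unusual` raises five findings, including the StopLogging call that would blind the trail. The `known_ips` set stands in for whatever allow-list you keep of office or VPN egress addresses; calls whose source is an AWS service name are skipped because those are made on your behalf.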

10
Q

Shared Responsibility Model

A

Outlines which security and compliance responsibilities belong to AWS and which belong to you

11
Q

Well Architected Framework

A

Describes design principles & best practices for running workloads in the cloud

12
Q

Identity & Access Management (IAM)

A

Controls who (users, groups, roles) can access which AWS services and resources, and what they can do with them

13
Q

Shield

A

Managed distributed denial of service (DDoS) protection service

Always-on detection

Shield Standard is free and protects against common and frequently occurring network and transport layer attacks

Shield Advanced is paid and provides enhanced protection and 24/7 access to AWS experts

Shield DDoS protection is available for:
CloudFront, Route 53, Elastic Load Balancing, and AWS Global Accelerator

14
Q

Web Application Firewall

A

WAF helps protect your web apps against common web attacks

Protects against SQL injection

Protects against cross-site scripting (XSS)

Rules are applied to traffic reaching CloudFront, Application Load Balancers, API Gateway, and other supported endpoints

15
Q

Macie

A

Helps discover and protect sensitive data

Uses machine learning and pattern matching

Evaluates your S3 environment

Discovers personally identifiable information (PII)

16
Q

Config

A

Allows assessment, auditing, and evaluation of the configuration of your resources

Tracks configuration changes over time

Delivers a configuration history file to S3

Sends notifications via Simple Notification Service (SNS) for every configuration change

17
Q

GuardDuty

A

Intelligent threat detection service that uncovers unauthorized behavior

Uses machine learning

Built-in detection for EC2, S3, and IAM

Reviews CloudTrail events, VPC Flow Logs, and DNS logs

Great for detecting things like unusual API calls, a common attacker technique

18
Q

Inspector

A

Works with EC2 instances to uncover and report vulnerabilities

Agent installed on the EC2 instance

Reports the vulnerabilities found

Checks for exposure to the internet, remote root login, vulnerable software versions, etc.

Helps identify unintended network access to an EC2 instance via its reports

19
Q

Artifact

A

Offers on-demand access to AWS security and compliance reports through a self-service portal

Central repository for compliance reports from third-party auditors

Service Organization Controls (SOC) reports

PCI reports

20
Q

Key Management Service (KMS)

A

Allows generation and storage of encryption keys

Key generator

Stores and controls keys; key material never leaves KMS unencrypted

Keys can be AWS managed (created automatically for a service) or customer managed

Encryption with KMS is automatically enabled for certain services

Great for encrypting things like EBS storage volumes; you can also specify a customer managed key (formerly called a customer master key, CMK)

21
Q

CloudHSM

A

Hardware Security Module (HSM) used to generate and store encryption keys

Dedicated, single-tenant hardware for security

Generate and manage your own encryption keys

AWS does not have access to your keys

Great for meeting security and compliance requirements

22
Q

Secrets Manager

A

Allows management, rotation, and retrieval of secrets (passwords, API keys, database credentials) by your applications

Like a password manager (e.g. LastPass), but for applications rather than people

23
Q

AWS's Responsibility in the Shared Responsibility Model

A

Security of the cloud: securing the infrastructure (hardware, software, networking, and facilities) that runs AWS services

24
Q

Your Responsibility in the Shared Responsibility Model

A

Security in the cloud: what you put on AWS, including your data, IAM configuration, operating system patching, network and firewall configuration, and encryption

25
Q

How to Report Abuse of AWS Resources

A

Contact the AWS Trust & Safety team using the Report Amazon AWS Abuse form or by emailing abuse@amazonaws.com
26
Q

5 Pillars: Operational Excellence

A

Focused on creating applications that support production workloads

Plan for and anticipate failure

Deploy small, reversible changes

Script operations as code

Learn from failure and refine procedures

(AWS added a sixth pillar, Sustainability, in late 2021; these cards cover the original five.)
27
Q

5 Pillars: Security

A

Focused on putting mechanisms in place to help protect your systems and data

Automate security tasks

Grant only the least privilege required

Encrypt data in transit and at rest

Track who did what, and when

Apply security at all application layers
28
Q

5 Pillars: Reliability

A

Focused on designing systems that work consistently and recover quickly

Recover from failure automatically

Scale horizontally for resilience

Reduce idle resources

Manage change through automation

Test recovery procedures
29
Q

5 Pillars: Performance Efficiency

A

Focused on effective use of computing resources to meet system and business requirements while removing bottlenecks

Consider serverless architectures first

Use multi-region deployments

Delegate tasks to the cloud vendor (managed services)

Experiment with virtual resources
30
Q

5 Pillars: Cost Optimization

A

Focused on delivering optimal, resilient solutions at the lowest cost to the user

Use consumption-based pricing

Implement cloud financial management

Measure overall efficiency

Pay only for the resources your application requires
31
Q

IAM Identities

A

Who can access your resources:

Root user

Individual users

Groups

Roles
32
Q

IAM Access

A

What resources they can access:

Policies

AWS managed policies

Customer managed policies

Permissions boundaries
33
Q

IAM Authentication

A

Authentication is where you present your identity (e.g. a username) and prove it (e.g. a password or MFA code)

Answers: who are you?
34
Q

IAM Authorization

A

Determines which services and resources the authenticated identity may access

Answers: what are you allowed to do?
35
Q

Users

A

Users are entities you create in IAM to represent the person or application that needs access to your resources

Applications can be users: you generate access keys for them, e.g. for apps running on premises that need access to your cloud resources

Access keys generated in IAM are also what the AWS CLI and SDKs use to authenticate

Long-lived access keys must be protected and rotated; for workloads running on AWS, prefer roles and the temporary credentials they provide
36
Q

Principle of Least Privilege

A

Give each user only the minimum access required to get their job done
37
Q

Groups

A

A group is a collection of IAM users that lets you apply common access controls to all group members
38
Q

Policies

A

Manage permissions for IAM users, groups, and roles by writing a policy document in JSON format and attaching it to the identity

An explicit Deny in any applicable policy overrides any Allow; a request that matches no Allow is denied by default
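How a JSON policy document is actually evaluated, as an added example that is not part of the original deck and not AWS's own evaluator: a small Python evaluator for identity-based policies that applies the rule practitioners rely on (explicit Deny wins, otherwise some Allow must match, otherwise implicit deny) with `*` and `?` wildcards in Action and Resource. It deliberately ignores Condition blocks, service control policies, permissions boundaries and resource-based policies, all of which real IAM also consults. The policy documents are constructed samples, and the example also illustrates the least-privilege card: the read-only policy allows exactly two actions on one bucket and nothing else.

```python
"""A small evaluator for identity-based IAM policy documents.

Added example, not from the flashcards or from AWS. Rule applied: an explicit
Deny in any attached policy wins; otherwise some Allow must match; otherwise
the request is implicitly denied. Supports "*" and "?" wildcards in Action and
Resource plus NotAction/NotResource. Ignores Condition blocks, SCPs,
permissions boundaries and resource policies, which real IAM also evaluates.
The policy documents are constructed samples.
"""
import fnmatch
import json


def _matches(patterns, value, case_insensitive=False):
    """True if value matches any pattern (str or list of str)."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if case_insensitive:  # IAM action names are matched case-insensitively
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource):
    if "NotAction" in stmt:
        action_hit = not _matches(stmt["NotAction"], action, True)
    else:
        action_hit = _matches(stmt["Action"], action, True)
    if "NotResource" in stmt:
        res_hit = not _matches(stmt["NotResource"], resource)
    else:
        res_hit = _matches(stmt.get("Resource", "*"), resource)
    return action_hit and res_hit


def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    allowed = False
    for doc in policies:
        stmts = doc["Statement"]
        if isinstance(stmts, dict):  # a single statement need not be a list
            stmts = [stmts]
        for stmt in stmts:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # Deny wins regardless of other Allows
            allowed = True
    return "allow" if allowed else "implicit_deny"


# Constructed sample policies.
READ_ONLY_S3 = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]}
  ]
}""")

DENY_DELETE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}
}""")

ADMIN = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}
}""")
```

With `READ_ONLY_S3` alone, `s3:GetObject` on an object in `app-logs` is allowed, while `s3:PutObject` on the same object and `s3:GetObject` on any other bucket fall through to the implicit deny. Attaching `ADMIN` together with `DENY_DELETE` shows the override: `s3:DeleteObject` is explicitly denied even though `ADMIN` would allow everything, and unrelated calls such as `ec2:RunInstances` remain allowed.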
39
Q

IAM Best Practices

A

1. Enable MFA for privileged users

2. Implement strong password policies

3. Create individual IAM users instead of using the root account

4. Use roles for Amazon EC2 instances and the applications that run on them
40
Q

IAM Credential Report

A

Lists all users in your account and the status of their credentials: passwords, MFA devices, and access keys

Used for auditing and compliance
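What an audit of that report looks like in practice, as an added example that is not part of the original deck: a Python pass over a constructed credential-report CSV that flags the findings the best-practices card asks for (root access keys, console users without MFA, stale passwords, old or unused access keys). The sample keeps a subset of the real report's columns; the `<root_account>` row name and the `N/A` and `not_supported` markers follow the real report, while the 90-day thresholds and the fixed "today" are this example's own choices.

```python
"""Auditing an IAM credential report offline.

Added example, not from the original flashcards. SAMPLE_REPORT is a constructed
CSV using a subset of the real report's column names; the 90-day thresholds
and the fixed NOW are this example's choices, not AWS defaults.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-01-15T09:00:00+00:00,false,true,2022-03-01T00:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-05-20T08:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-21T07:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2023-11-02T10:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,N/A,false,true,2023-06-01T00:00:00+00:00,2024-05-21T06:00:00+00:00,true,2024-05-01T00:00:00+00:00,N/A
"""

NOW = datetime(2024, 5, 22, tzinfo=timezone.utc)  # fixed "today" so the run is repeatable
STALE = timedelta(days=90)


def _age(value, now=NOW):
    """Time since an ISO timestamp; None for N/A / no_information / not_supported."""
    if not value or not value[0].isdigit():
        return None
    return now - datetime.fromisoformat(value)


def audit(report_text, now=NOW):
    """Return (user, finding) pairs for every credential that needs attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        if user == "<root_account>":
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root has active access keys; delete them"))
            if row["mfa_active"] != "true":
                findings.append((user, "root has no MFA"))
            continue
        if row["password_enabled"] == "true":  # console user
            if row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
            age = _age(row["password_last_used"], now)
            if age is not None and age > STALE:
                findings.append((user, "password unused for >90 days"))
        for n in ("1", "2"):
            if row["access_key_%s_active" % n] != "true":
                continue
            rotated = _age(row["access_key_%s_last_rotated" % n], now)
            if rotated is not None and rotated > STALE:
                findings.append((user, "access key %s older than 90 days; rotate" % n))
            used = _age(row["access_key_%s_last_used_date" % n], now)
            if used is None or used > STALE:
                findings.append((user, "access key %s never/not recently used; remove" % n))
    return findings
```

On the sample, alice comes out clean, root is flagged for an active access key and missing MFA, bob for a console password without MFA that has not been used in months, and the ci-deploy user for one key that is overdue for rotation and a second that has never been used. The real report has more columns (certificate fields, last-used region and service) that the same loop can check once they are added to the CSV.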
41
Q

Cognito

A

Helps control access to mobile and web apps

Provides authentication and authorization

Manages users and assists with sign-up and sign-in

Supports sign-in with external identity providers such as Google and Facebook
42
Q

Data in Flight

A

Data (also called data in transit) moving from one location to another, e.g. over a network
43
Q

Data at Rest

A

Data that is inactive or stored for later use, e.g. on a disk or in an S3 bucket