udemy 3

Question 1

SCP

Answer 1

service control policies, manage across accounts. apply to groups or OUs

allowlist or blocklist
need explicit allows

Question 2

IAM conditions

Answer 2

aws sourceip: restrict client calls from source

Question 3

resource based polies

Answer 3

sms sqs lamda cloudwath logs api calls

Question 4

IAM role

Answer 4

kinesis, systems manager, run command, ecs task

Question 5

IAM Permission boundaries

Answer 5

for uses and roles, not goups. sets maximum permissions for a user

Question 6

AWS Identity Center

Answer 6

Single sign on. SAML 2.0 integration. multiple aws account logins.

Question 7

AD flavors

Answer 7

Ms AD
AD Conector (direct connect)
AD Simple no on prem

Question 8

Control tower

Answer 8

govern multi-accounts using organizations

preventive guardrails using scps
detecitive : compliance using config

Question 9

KMS

Answer 9

Encryption Keys managed by AWS
can be audited by cloudtrail
requires policies: default or custom

Question 10

KMS Key Types

Answer 10

Symmetric: One key AES-256 always encrypt
Assymetric: public encrypt, private decrypt

Question 11

S3 encryption

Answer 11

SSE-s3 encrypted objects are replicated by default
SSE-C: can be replicated, but not by default.
SSE:KMS has to be specified at bucket level target. enable replication (multi region decrypted and encrypted)

Question 12

Sharing an AMI between accounts

Answer 12

Change the launch permission
Share the KMS key
Role or permisson to use key KMS side to encrypt or dencrypt.

Question 13

SSM Parameter Store

Answer 13

Secure for configurations and secretes
serverless
version tracking
IAM
EventBridge
(Secrets mngr difference: you can rotate and force a rotate)
RDS Auroa
Multi-region secrets

Question 14

Sheild, shiel Advanced vs. WAF

Answer 14

Shield: layer 3 and 4
WAF : layer 7 (no NLB)
advanced: 24/7 shield advanced team: auto applies WAF rules at layer 7

Question 15

Inspector

Answer 15

EC2 instances, Lambda, and ECR: sends findings into security hub and eventbridge

looks for vulnerabiliites

Question 16

CIDR
192.168.0.0-192168.0.255
(256 IPs b/c 0-255)

192.168.0.0/16
192.168/255/255

Answer 16

/32 no octet can change
/24 last octet can change
/16 last two octets can change
/8 last 3 octets can change
/0 all octets can change

Question 17

Private IPs

Answer 17

10.0.0.0-10.255.255.255 (private)
172.16.0.0/12 AEP private IPs
192.168.0.0/16 (private IP home)

Question 18

bastion host

Answer 18

security group set up allow public inbound from internet on port 22 restriceted to CIDR

private: allows the bastion host or private IP

A bastion host is a publicly accessible host that allows traffic to connect to it. Then, an additional connection is made from the bastion host into a private subnet and the hosts within that subnet.

Question 19

RTO
RPO

Answer 19

Recovery time objective (when you recover) how much downtime?
Revover point objective (how often run backups)

Question 20

Backup and Restore

Answer 20

High RPO
recreate and restore
cost of storing backups

Question 21

Pilot Light

Answer 21

small app version is always running in the cloud. all other systems get added on in time of recovery

Question 22

warm standby

Answer 22

full sytem up and running but minimal size.

Question 23

Multi site

Answer 23

expensive and active active setup

Question 24

ENA

Answer 24

Elastic Network Adaptor (speeds eC2 for high computing)
EFA: same but only for Linux must be used with AWS Parallell cluster

Question 25

SES

Answer 25

Simple Emailing Service

Question 26

Pinpoint

Answer 26

inbound/outbound marketing communication service

Question 27

SSM session manager service

Answer 27

session into ec2 without opening port 22

Question 28

appflow

Answer 28

SaaS to AWS (salesforce for example) int redshift or s3 etc.

Question 29

amplify

Answer 29

web and mobile app tool

Question 30

7 pillars

Answer 30

operational excellence security reliability Performance efficiency cost optimization sustainability