Unit 2 (Modules 4-5) Flashcards

(38 cards)

1
Q

Amazon GuardDuty

A

A threat-detection service for your AWS account using machine learning that continuously monitors for malicious activity and unauthorized behavior.

2
Q

Internet Gateway

A

Bridge for connecting your subnet to the Internet. Subnets are isolated from the internet by default. The Internet Gateway must be explicitly configured. (Used for public subnets.)

3
Q

IAM Policy

A

A document that defines which resources can be accessed and the level of access to each resource.

4
Q

Encryption of data in Transit

A

The concept of encrypting data while it is moving across the network – either between internal resources like an EC2 and a database or between the client and the web server. This encryption protects the data from eavesdroppers during the transmission.

5
Q

Actions that can only be completed by the AWS account root user.

A

1) Updating the account root user password
2) Changing the AWS account email address.
3) Closing the AWS account.
4) Changing the AWS Support plan
5) Restoring an IAM user’s permissions
6) Changing account settings (for example, contact information, allowed Regions)

6
Q

Amazon Route 53

A

Amazon’s Domain Name System (DNS) web service (resolves DNS names to IP addresses).

7
Q

AWS Site-to-Site VPN

A

A service that connects your on-premises network (like your company’s data center or office network) to your AWS Virtual Private Cloud (VPC) over an encrypted VPN connection using the public internet.

8
Q

Amazon Macie

A

A security service that uses machine learning to automatically discover, classify, and protect sensitive data stored in Amazon S3. Amazon Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property.

9
Q

AWS Service Catalog

A

Enables organizations to create and manage catalogs of IT services that are approved for use. (In this way, you can control what AWS resources your company’s employees have access to – can be controlled by region)

10
Q

AWS Certificate Manager

A

A service that provisions, manages, and automatically renews SSL/TLS certificates to secure your websites and applications.

11
Q

IAM Group

A

A collection of IAM users that are granted identical authorization. Users can be in multiple groups. Groups do not nest. There are no default groups; a user must be explicitly added to each group they belong to.

12
Q

AWS Shield Standard

A

Provides DDoS protection for CloudFront, Route 53, and Global Accelerator. Enabled at no additional cost.

13
Q

IAM Role

A

A mechanism to grant a set of permissions for making AWS service requests. Useful for an EC2 instance to assume a role that grants it permission to access a particular S3 bucket. In this way, user credentials don’t need to be stored on the server.

14
Q

VPC Peering

A

A networking connection between two VPCs that allows them to communicate with each other as if they were part of the same network. (A typical use case is connecting different AWS Regions or accounts.)

15
Q

Security Groups

A

Applied to instances to allow/deny traffic to that instance.

16
Q

SCP

A

Service Control Policies - AWS Organizations integrates with IAM through service control policies, which can restrict which accounts have access to which services and API actions. SCPs essentially limit the permissions that are available in an account that is part of an organization. SCPs can be assigned to individual accounts or to Organizational Units (OUs), which are the interior nodes of the AWS Organizations tree.

17
Q

AWS Shield Advanced

A

Provides DDoS protection for many services, including EC2 instances and Elastic IPs. Protects against large, sophisticated attacks. Optional paid service.

18
Q

Elastic Network Interface (ENI)

A

A virtual network card for an EC2 instance; it specifies the IP address(es) for that instance.

19
Q

AWS KMS

A

AWS Key Management Service - Enables you to create and manage encryption keys. Enables you to control the use of encryption across AWS services and in your applications.

20
Q

Encryption of data at Rest

A

The concept of encrypting stored data (in a database or in files on a disk) so that if the storage is breached, the thief cannot read the data. Configuring encryption at rest is the responsibility of the customer. Encryption key management is provided by AWS KMS.

21
Q

Amazon Inspector

A

An automated security assessment service that helps improve the security and compliance of applications that are deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.

22
Q

AWS Artifact

A

A service that provides on-demand access to AWS compliance reports and security and privacy documentation.

23
Q

IAM User

A

A person or application that can authenticate with an AWS account.

24
Q

AWS Direct Connect

A

An alternative to Site-to-Site VPN that instead uses a dedicated, private network connection between your network and AWS. Can provide faster, more consistent performance than sending traffic across the public internet.

25
Q

AWS Transit Gateway

A

A central hub that connects multiple VPCs and on-premises networks in a scalable and simplified way. Think of it as a cloud router for your AWS environment.

26
Q

Amazon Cognito

A

Adds user sign-up, sign-in, and access control to your web and mobile applications.

27
Q

Network Access Control Lists (ACLs)

A

Applied to a subnet to allow/deny traffic entering/leaving the subnet.

28
Q

IAM Best Practices

A

1) Do not use the AWS account root user except when performing actions that can only be performed by the root user.
2) Enable multi-factor authentication (MFA) and enable a password policy for all users.
3) Use AWS CloudTrail to view all account activity for the last 90 days.
4) Enable a billing report, such as the AWS Cost and Usage Report.

29
Q

Authorization

A

The process of verifying permissions.

30
Q

Amazon VPC

A

Enables you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. A VPC is for a single region.

31
Q

VPC Endpoints

A

A private connection between your VPC and an AWS service in another VPC that doesn’t require traffic to go over the public internet. Essentially, it allows resources inside your VPC (like EC2 instances) to securely access AWS services privately. (More restrictive than VPC peering, as the access is by resource, not to the entire other VPC.)

32
Q

Route Table

A

Specifies the rules on how traffic (data packets) will be routed based upon its destination IP address.

33
Q

AWS Config

A

A service that continuously monitors and records your AWS resource configurations and changes to help with compliance and auditing.

34
Q

Network Address Translation (NAT) Gateway

A

Similar to an internet gateway but allows outbound traffic only. Used for private subnets.

35
Q

Principle of Least Privilege

A

Grant users the minimum set of permissions that they require to do their jobs. Grant additional permissions as necessary. Following the principle of least privilege helps to avoid inadvertent security gaps and helps to prevent mistakes.

36
Q

Authentication

A

The process of verifying identity.

37
Q

VPC Sharing

A

VPC sharing enables customers to share subnets with other AWS accounts in the same AWS Organization.

38
Q

Subnet

A

* Range of IP addresses that divide a VPC
* Belongs to a single Availability Zone