Cloud Security Specialty -2
How can you enforce HTTPS access to an S3 bucket?
Add a Deny statement to the bucket policy that matches requests made without TLS (the Resource ARN is added here for completeness, using the example bucket name from the IP-range card; the card itself omits it):
{
  "Effect": "Deny",
  "Principal": { "AWS": "*" },
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::examplebucket/*",
  "Condition": { "Bool": { "aws:SecureTransport": "false" } }
}
How can you enforce access from an IP range to an S3 bucket?
Deny every S3 action unless the request comes from the allowed CIDR:
{
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": "arn:aws:s3:::examplebucket/*",
  "Condition": { "NotIpAddress": { "aws:SourceIp": "54.240.143.0/24" } }
}
Size limit of IAM Policy and Bucket Policy
- 2KB for IAM User Policy - 5KB for IAM Group Policy - 10KB for IAM Role Policy - 20KB for Bucket Policy
CloudHSM Certificates
- AWS Root Certificate - Manufacturer Root Certificate - AWS Hardware Certificate - Manufacturer Hardware Certificate - HSM Certificate - Cluster CSR
An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below.
- Add permission to read the SSM parameter to the EC2 instance role. - Add permission to use the KMS keys to decrypt to the EC2 instance role.
In CRR, what is replicated?
- Any new objects created after enabling the replication. - In addition to unencrypted objects, it replicates the encrypted objects using S3 managed keys or AWS KMS managed keys, but it has to explicitly be enabled. - Replicates metadata, tags and ACL updates. - Replicates objects where the bucket owner has minimum privilege of READ and READ_ACP. - Delete marker is replicated but all the underlying versions remain as they are.
In CRR, what is NOT replicated?
- Anything created before CRR was turned on. - Objects created with SSE using customer provided SSE-C encryption keys. - Objects created with SSE using AWS KMS keys unless you explicitly enable this option. - Objects in the source bucket where the bucket owner doesn't have the required access to the underlying object. - Deletes of a particular version of an object. This is a security mechanism.
What does AWS SageMaker do?
- Build : Connects to different AWS services and transforms data in SageMaker notebooks. - Train : Use AWS SageMaker's algorithms and frameworks or bring your own distributed training to build the model. - Tune : It automatically tunes your model by adjusting multiple combinations of algorithm parameters. - Deploy : Once training is completed, models can be deployed to Amazon SageMaker endpoints for realtime predictions.
Your organization is preparing for a security assessment of your use of AWS. In preparation for this assessment, which three IAM best practices should you consider implementing?
- Create individual IAM users for everyone in your organization. - Configure MFA on the root account and for privileged IAM users. - Assign IAM users and groups configured with policies granting least privilege access. https://aws.amazon.com/whitepapers/aws-security-best-practices/
Tasks that developers or data scientists generally do with ML
- Data Pre-Processing - Selecting Algorithm and Framework - Train and Tune the model - Integrate and deploy
A company has an existing AWS account and a set of critical resources hosted in that account. The employee who was in charge of the root account has left the company. What must now be done to secure the account? Choose 3 answers from the options given below.
- Delete the access key of Root account. - Confirm MFA to a secure device - Change the password of the root account.
What AWS Outposts services are available?
- ECS, - EKS, - EMR - RDS
AWS Certified Security
- Incident Response - Logging and Monitoring - Infrastructure Security - Identity & Access Management - Data Security
What steps will you take when a person with root privileges leaves the firm?
- Reset the password. - Recreate the access key and secret access key. - Delete and recreate the MFA device. - Also check other user accounts to see if they are still valid.
When to use IAM policies vs. S3 Bucket policies Use IAM policies if:
- You need to control access to AWS services other than S3. IAM policies will be easier to manage since you can centrally manage all of your permissions in IAM, instead of spreading them between IAM and S3. - You have numerous S3 buckets each with different permissions requirements. IAM policies will be easier to manage since you don't have to define a large number of S3 bucket policies and can instead rely on fewer, more detailed IAM policies. - You prefer to keep access control policies in the IAM environment.
12 Factor - Codebase
- You should track your code in a Version Control System such as Git. - Developers can work on code by checking out the code into their development environment. - Storing code in the Version Control System enables your team to collaborate with an audit trail of the changes in the code. - At any given time the source of truth is the code in the Version Control System. - Code in the repository is what gets built, tested, and deployed. - It is a systematic way of resolving conflicts, rolling back, etc. - It provides a place from which to do CI/CD.
When to use IAM policies vs. S3 Bucket policies Use S3 bucket policies if:
- You want a simple way to grant cross-account access to your S3 environment, without using IAM roles. - Your IAM policies bump up against the size limit (up to 2 kb for users, 5 kb for groups, and 10 kb for roles). S3 supports bucket policies of up 20 kb. - You prefer to keep access control policies in the S3 environment.
An application running on EC2 instances in a VPC must call an external web service via TLS (port 443). The instances run in public subnets. Which configurations below allow the application to function and minimize the exposure of the instances? Select 2 answers from the options given below
1. A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports. 2. A security group with a rule that allows outgoing traffic on port 443.
You have an EC2 Instance with the following security configured: a) Inbound allowed for ICMP b) Outbound denied for ICMP c) Network ACL allowed for ICMP d) Network ACL denied for ICMP. If Flow Logs are enabled for the instance, which of the following flow records will be recorded? Choose 3 answers from the options given below
1. An Accept record for the request based on the Security Group 2. An Accept record for the request based on the NACL. 3. A Reject record for the response based on the NACL.
You are trying to use the Systems Manager to patch a set of EC2 systems. Some of the systems are not getting covered in the patching process. Which of the following can be used to troubleshoot the issue? Choose 3 answers from the options given below.
1. Check if the right role is assigned to EC2 instances. 2. Ensure that the SSM agent is running on each EC2 instance. 3. Check the instance status using the Health API.
Your company has just started using AWS and created an AWS account. They are aware of the potential issues when root access is enabled. How can they best safeguard the account when it comes to root access? Choose 2 answers from the options given below
1. Create Admin IAM User with necessary permission. 2. Delete the root access key.
You are designing a connectivity solution between on-premises infrastructure and Amazon VPC. Your servers on-premises will be communicating with your VPC instances. You will be establishing IPSec tunnels over the internet. You will be using VPN gateways and terminating the IPsec tunnels on AWS-supported customer gateways. Which of the following objectives would you achieve by implementing an IPSec tunnel as outlined above? Choose 4 answers from the options below
1. Data encryption across the internet 2. Protection of data in transit over the internet. 3. Peer identity authentication between VPN Gateway and Customer Gateway. 4. Data integrity protection across the internet.
A company has an existing AWS account and a set of critical resources hosted in that account. The employee who was in charge of the root account has left the company. What must now be done to secure the account? Choose 3 answers from the options given below.
1. Delete Access Keys for the root account. 2. Confirm MFA account to a secure device. 3. Change the password of root account.
You are trying to use the AWS Systems Manager run command on a set of instances. The run command is not working on a set of instances. What can you do to diagnose the issue? Choose 2 answers from the options given below
1. Ensure that the SSM agent is running on each EC2 instance. 2. Refer to /var/log/amazon/ssm/error.log
An application running on EC2 instances in a VPC must call an external web service via TLS (port 443). The instances run in public subnets. Which configurations below allow the application to function and minimize the exposure of the instances? Select 2 answers from the options given below
1. NACL with rules that allow outgoing traffic on port 443 and incoming traffic on ephemeral ports. 2. A security group with a rule that allows outgoing traffic on port 443. Incorrect - A NACL with a rule that allows outgoing traffic on port 443, because a NACL is stateless and hence both incoming and outgoing rules need to be defined.
How does AWS Outposts work?
1. Order - Order from the AWS Console, selecting your Outposts configuration consisting of a mix of compute and storage capacity. 2. Install - AWS personnel deliver Outposts to your site, connect Outposts to power, and set up network connectivity to the AWS Region and your local networks. 3. Launch - Use standard AWS APIs or the Management Console to launch EC2 instances on your Outposts. 4. Build - Build and run apps using native AWS services running on Outposts or in the AWS Region.
Your company manages thousands of EC2 Instances. There is a mandate to ensure that all servers don't have any critical security flaws. Which of the following can be done to ensure this? Choose 2 answers from the options given below.
1. Use AWS Inspector that finds critical vulnerabilities and flaws and creates detailed report. 2. Use SSM to patch the server.
When you enable automatic key rotation for an existing CMK where the backing key is managed by AWS, after how long is the key rotated?
365 days
AWS Organizations
AWS Organizations is an account management service which allows you to consolidate multiple AWS accounts into an OU that you can manage centrally. - Organize your accounts into groups/OUs for access control - Allows you to apply policy based controls - Service Control Policies (used to create a permission boundary) - SCPs can deny access only, they cannot allow. - Provides a single payer and centralized cost tracking.
You have a requirement to store objects in an S3 bucket with a key that is automatically managed and rotated. Which of the following can be used for this purpose?
AWS SSE-S3. Note - AWS KMS is incorrect as Customer owned CMK's cannot be rotated.
Web Identity Federation
AWS allows authentication with web identity providers like Facebook, Google and Amazon to verify identity. - Following successful authentication, the user receives an authentication code from the Web ID provider, which they can trade for temporary AWS security credentials allowing them to assume an IAM role. - API: AssumeRoleWithWebIdentity
12 Factor - Admin Processes
Administrative processes usually consist of one-off tasks or timed, repeatable tasks such as generating reports, executing batch scripts, starting database, backups, and migrating schemas.
Which of the below services can be integrated with the AWS Web Application Firewall service? Choose 2 answers from the options given below
Amazon CloudFront and Application Load Balancer. https://aws.amazon.com/waf/faq
Amazon Cognito
Amazon Cognito provides Web Identity Federation with the following features. - Sign Up and Sign In to your apps - Access for guest users - Acts as an Identity Broker between your application and Web ID providers, so that you don't need to write any additional code. - Synchronizes data across multiple devices. - Recommended for all mobile applications.
12 Factor - Configuration
Apps sometimes store config as constants in the code, which is a violation of the 12-factor principle that requires strict separation of config from code. - The internal config does not vary between deploys and so it is best kept within the code. - The external configuration should be stored in environment variables (often shortened to env vars). These env vars are easy to change between deploys. Some examples are: resource handles to the database, Memcached and other backing services; credentials of external services; per-deploy values such as canonical hostnames, etc.
ConfigMaps
As per 12 factor rules, the environment should be stored in environment variables instead of as constants in code. - ConfigMaps bind configuration files, command line arguments, environment variables, port numbers and other configuration artifacts to your Pods. - ConfigMaps allow you to separate your configurations from your Pods and components, which helps you keep your workloads portable, makes their configuration easier to change and manage, and prevents hardcoding configuration data in Pod specifications. - ConfigMaps are useful for storing and sharing non-sensitive unencrypted configuration information. Creating ConfigMaps in Kubernetes: kubectl create configmap [NAME] [DATA]
12 Factor - Dependencies
As a principle, there are two considerations for dependencies. 1. Explicit dependency declaration - Check these dependencies into Version Control. - It enables you to get started with the code quickly in a repeatable way and makes it easy to track changes to dependencies. - Many programming languages offer a way to explicitly declare dependencies, such as pip for Python and Bundler for Ruby. 2. Dependency isolation - You should isolate an app and its dependencies by packaging them into a container. - Containers allow you to isolate an app and its dependencies from its environment and ensure that the app works uniformly despite any differences between the development and staging environments.
You have several S3 buckets defined in your AWS account. You need to give access to external AWS accounts to these S3 buckets. Which of the following can allow you to define the permissions for the external accounts? Choose 2 answers from the options given below
Bucket Policies and Bucket ACLs. https://d1.awsstatic.com/whitepapers/Security/Security_Storage_Services_Whitepaper.pdf
What is Cloud Computing?
Cloud computing is the on-demand availability of compute resources, databases, storage, content delivery systems, etc. over the web. Some features are pay-as-you-go pricing, instant availability of resources and services, elasticity and multi-tenancy. In addition, it offers various other managed services to help businesses scale and grow without managing their own datacenters.
CloudHSM - Verifying our certificates
Concatenate the two certificates: - AWS Hardware Certificate + AWS Root Certificate - Manufacturer Hardware CSR + Manufacturer Root CSR - Then run openssl on both to verify their validity. After that you must generate the public key from each and then run diff to find if there is any difference between the two public keys. Accept it only if these match 100%, or else redeploy the cluster.
Which of the following is not a best practice for carrying out a security audit?
Conducting the audit on a yearly basis only is not good practice. It must be conducted when there are new accounts added, when compromise is suspected, and when there are changes in the environment.
An auditor needs access to logs that record all API events on AWS. The auditor only needs read-only access to the log files and does not need access to each AWS account. The company has multiple AWS accounts, and the auditor needs access to all the logs for all the accounts. What is the best way to configure access for the auditor to view event logs from all accounts? Choose the correct answer from the options below
Configure the CloudTrail service in each AWS account and have logs delivered to a single S3 bucket in the primary account. In the primary account, grant the auditor access to that single bucket.
CloudFront
Content-Delivery Network (CDN) service from AWS to provide low latency connections to remote users.
You have an EBS volume attached to an EC2 Instance which uses KMS for encryption. Someone has now gone ahead and deleted the customer key which was used for the EBS encryption. What should be done to ensure the data can be decrypted?
Copy the data from EBS volume before detaching it from the instance.
Your company is planning on using bastion hosts for administering the servers in AWS. Which of the following is the right way to setup the bastion host from a security perspective?
Correct 1. A Bastion Host is used for SSH or RDP into the internal network to access private resources without a VPN. https://docs.aws.amazon.com/quickstart/latest/linux-bastion/architecture.html
An application running on EC2 instances must use a username and password to access a database. The developer has stored those secrets in the SSM Parameter Store with type SecureString using the default KMS CMK. Which combination of configuration steps will allow the application to access the secrets via the API? Select 2 answers from the options below
Correct Answer: 1. Add permission to read the SSM parameter to the EC2 instance role. 2. Add permission to use the KMS key to decrypt to the EC2 instance role. Incorrect answers are - Add the EC2 instance role as a trusted service to the SSM service role. - Add permission to use the KMS key to decrypt to the SSM service role.
How can you ensure that instances in a VPC do not use AWS DNS for resolving DNS requests? You want to use your own managed DNS instance. How can this be achieved?
Correct response is: Create a new DHCP options set and replace the existing one. DO NOT get confused with "Change the existing DHCP options set."
Your development team has started using AWS resources for development purposes. The AWS account has just been created. Your IT Security team is worried about possible leakage of AWS keys. What is the first level of measure that should be taken to protect the AWS account?
Correct answer - Delete the AWS keys for the root account. Wrong answer - Restrict access using IAM policies.
You work at a company that makes use of AWS resources. One of the key security policies is to ensure that all data is encrypted both at rest and in transit. Which of the following is not a right implementation which aligns to this policy?
Correct answer is - SSL termination on the ELB. Incorrect - Enabling sticky sessions on your load balancer.
A company continually generates sensitive records that it stores in an S3 bucket. All objects in the bucket are encrypted using SSE-KMS using one of the company's CMKs. Company compliance policies require that no more than one month of data be encrypted using the same encryption key. What solution below will meet the company's requirements?
Create a Lambda function with a monthly CloudWatch event that creates the new CMK and updates the bucket policy to use the new CMK.
You are building a large-scale confidential documentation web server on AWS and all of the documentation for it will be stored on S3. One of the requirements is that it cannot be publicly accessible from S3 directly, and you will need to use CloudFront to accomplish this. Which of the methods listed below would satisfy the requirements as outlined? Choose an answer from the options below
Create an Origin Access Identity for CloudFront and grant access to the S3 objects to the OAI.
Every application in a company's portfolio has a separate AWS account for development and production. The security team wants to prevent the root user and all IAM users in the production accounts from accessing a specific set of unneeded services. How can they control this functionality?
Create a Service Control Policy that denies access to the services. Assemble all the accounts in an OU and apply the policy to that organizational unit.
You are part of a business continuity team at a consumer products manufacturer. In scope for the current project is the company web server which serves up static content like product manuals and specification sheets which customers can download. This landscape consists only of a single NGINX web server and 5TB of local attached storage for the static content. In the case of a failover, RTO has been defined as 15 minutes with RPO as 24 hours as the content is only updated a few times a year. Staff reductions and budget constraints for the year mean that you need to carefully evaluate and choose the most cost-effective and most automated solution in the case of a failover. Which of the following would be the most appropriate given the situation?
Create a small pilot-light EC2 instance and configure with NGINX. Configure a CRON job to run every 24 hours that syncs the data from the on-prem web server to the pilot-light EC2 EBS volumes. Configure an Application Load Balancer to direct traffic to the on-prem web server until a health check fails. Then, the ALB will redirect traffic to the pilot light EC2 instances.
A company is planning on using AWS for hosting their applications. They want complete separation and isolation of their production, testing and development environments. Which of the following is an ideal way to design such a setup?
Create a separate AWS Account for each of the environments. https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
An organization has set up multiple IAM users. The organization wants each IAM user to access the IAM console only from within the organization and not from outside. How can it achieve this?
Create an IAM policy that denies access if the request is not from the organization's IP address range. http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html#iam-policy-example-ec2-two-conditions
You want to track access requests for a particular S3 bucket. How can you achieve this in the easiest possible way?
Enable access logging for the bucket.
Your company has many AWS accounts defined and all are managed via AWS Organizations. One AWS account has an S3 bucket that has critical data. How can it be ensured that only users from that account access the bucket?
Ensure the bucket policy has a condition on aws:PrincipalOrgID. https://aws.amazon.com/blogs/security/control-access-to-aws-resources-by-using-the-aws-organization-of-iam-principals/
Your company has a hybrid environment, with on-premise servers and servers hosted in the AWS cloud. They are planning to use Systems Manager for patching servers. Which of the following is a pre-requisite for this to work?
Ensure that the IAM service role is created. https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-service-role.html
You are planning to use AWS Config to check the configuration of the resources in your AWS account. You are planning on using an existing IAM role and using it for the AWS Config resource. Which of the following is required to ensure the AWS config service can work as required?
Ensure that there is a trust policy in place for the AWS Config service within the role. Incorrect: Ensure that there is a grant policy in place for the AWS Config service within the role. https://docs.aws.amazon.com/config/latest/developerguide/iamrole-permissions.html
12 Factor - Environment Parity
Enterprise apps move across different environments during their development lifecycle. Typically, these environments are development, testing, staging and production. It's a good practice to keep these environments as similar as possible.
12 Factor - Backing Services
Every service that the app uses as part of normal operation, such as the file system, database, caching service or message queues, should be accessed as a service and externalized in the configuration. - This approach helps decouple the code from its backing resources.
What is the purpose of the access key and secret access key?
They provide programmatic access to the AWS environment.
Security Token Service (STS)
Grants users limited and temporary access to AWS resources. Operation: 1. The user's login and password are passed to the Identity Broker. 2. The Identity Broker passes them to an Identity Provider like LDAP, Active Directory, etc. and gets a token based on their validity. 3. Then the Identity Broker calls the GetFederationToken function using IAM credentials. This call includes an IAM policy and a duration that specify the permissions to be granted to the temporary security credentials. 4. The Security Token Service confirms that the policy of the IAM user making the call to GetFederationToken gives permission to create new tokens and then returns four values to the application: Access Key, Secret Access Key, Token and a duration.
An application running on EC2 instances in a VPC must access sensitive data in the data center. The access must be encrypted in transit and have consistent low latency. Which hybrid architecture will meet these requirements?
Have a VPN over Direct Connect between the VPC and the data center.
What are different AWS Policies?
IAM Policy S3 Bucket Policy SQS Topic Policy SNS Policy
Cognito Identity Pools
Identity Pools enable you to create unique identities for your users and authenticate them with identity providers. With an identity, you can obtain temporary, limited-privilege AWS credentials to access other AWS services.
If you're still unsure of which to use, consider which audit question is most important to you:
If you're more interested in "What can this user do in AWS?" then IAM policies are probably the way to go. You can easily answer this by looking up an IAM user and then examining their IAM policies to see what rights they have. If you're more interested in "Who can access this S3 bucket?" then S3 bucket policies will likely suit you better. You can easily answer this by looking up a bucket and examining the bucket policy.
12 Factor - Port Binding
In non-cloud environments, apps are written to run in app containers such as GlassFish, Apache Tomcat and Apache HTTP Server. In contrast, 12 factor apps don't rely on external app containers. Instead they bundle the web server library as a part of the app itself. The container must listen for requests on 0.0.0.0 on the port defined by the PORT environment variable. In Cloud Run container instances, the PORT environment variable is always set to 8080, but for portability reasons, your code should not hardcode this value. https://www.oreilly.com/content/port-binding-in-cloud-native-apps/
Why do we need 12 factor apps?
In order to build Cloud Native Applications there is a set of best practices called 12 Factor Applications. They provide: 1. Maximum scalability and agility 2. Enhanced resiliency 3. Facilitation of Continuous Integration 4. Support for containerization and 5. Portability across infrastructure.
How are instances managed?
Instances are the basic building blocks of App Engine, providing all the resources needed to successfully host your application. At any given time your application can be running on one or many instances with requests being spread across all of them. Each instance includes a security layer to ensure that instances cannot inadvertently affect each other. There are two types of instances: dynamic and resident. Dynamic instances start up and shut down automatically based on current needs, whereas resident instances run all the time.
Container Analysis
It can provide vulnerability information for the images in Container Registry.
AWS Outposts
It is a fully managed service that extends AWS infrastructure, services, APIs and tools to virtually any datacenter, colocation site or on-premises facility for a truly consistent hybrid experience. AWS Outposts is ideal for workloads that require low latency access to on-premises systems, local data processing, or local data storage. Benefits are: - Run AWS services on premises - Store and process data on premises - Truly consistent hybrid experience - Fully managed infrastructure
What is CRR?
It is cross region replication of S3 buckets. - It uses SSL for replication - It doesn't require any additional bucket or IAM policies - It is a one to one mapping - Once an object is replicated, it cannot be replicated again. Requirements: - Source and target buckets must have versioning enabled. - S3 must have permission to replicate objects on your behalf. - Each object owner must grant the bucket owner at minimum READ and READ_ACP permission. - The IAM role must have permissions to replicate objects into the destination bucket. - There is an option to change the ownership to the destination bucket owner.
12 Factor - Build Release Run
It is important to separate the software deployment process into three distinct stages: Build, release and run. - The build stage is a transform which converts a code repo into an executable bundle known as a build. Using a version of the code at a commit specified by the deployment process, the build stage fetches vendors dependencies and compiles binaries and assets. - The release stage takes the build produced by the build stage and combines it with the deploy's current config. The resulting release contains both the build and the config and is ready for immediate execution in the execution environment. - The run stage (also known as "runtime") runs the app in the execution environment, by launching some set of the app's processes against a selected release.
A user has enabled versioning on an S3 bucket. The user is using server side encryption for data at rest. If the user is supplying his own keys for encryption (SSE-C), which of the below mentioned statements is true?
It is possible to use different keys for different versions of the same object. https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html
What is the result of the following bucket policy? {"Statement": [{"Sid": "Sid1","Action": "s3:*","Effect": "Allow","Resource": "arn:aws:s3:::mybucket/*","Principal": {"AWS": ["arn:aws:iam::111111111:user/mark"]}}, {"Sid": "Sid2","Action": "s3:*","Effect": "Deny","Resource": "arn:aws:s3:::mybucket/*","Principal": {"AWS": ["*"]}}]} Choose the correct answer:
It will deny all requests to the bucket mybucket, because an explicit Deny always overrides an Allow.
12 Factor - Logs
Logs provide you with awareness of the health of your apps. It's important to decouple the collection, processing and analysis of logs from the core logic of the app. Decoupling logging is particularly useful when your apps require dynamic scaling and are running on public clouds, because it eliminates the overhead of managing the storage location for logs and their aggregation from distributed VMs.
CloudHSM
Meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud; see also HSM and KMS - Security.
You have a bucket and a VPC defined in AWS. You need to ensure that the bucket can only be accessed by the VPC endpoint. How can you accomplish this?
Modify the bucket policy to allow access only from the VPC endpoint.
Nitro Systems
Powering next-gen EC2 instances to reduce cost to customers and deliver added benefits like increased security. Traditionally, the hypervisor protects the physical hardware, BIOS, CPU, storage, networking, etc. With the Nitro System, these functions are split and offloaded to dedicated hardware and software, reducing costs by delivering practically all of the resources of a server to your instances. The Nitro System comes with 3 families of components: - Nitro Cards are I/O accelerators for VPC networking, EBS, instance storage and the system controller. - Nitro Security Chip - Integrated into the motherboard to protect hardware resources. Security functions are offloaded to dedicated hardware. - Nitro Hypervisor - A lightweight hypervisor that manages memory and CPU allocation and delivers performance that is indistinguishable from bare metal.
Your company has a requirement to monitor all root user activity. How can this best be achieved? Choose 2 answers from the options given below. Each answer forms part of the solution.
Right answers are: - Create a CloudWatch Event rule - Use a Lambda function. Incorrect answers are: - Create a CloudWatch Logs rule - Use a CloudTrail API call
Container Registry
A single place for your team to manage container images and perform vulnerability analysis. - You can apply fine-grained access control to the container images. - Existing CI/CD integrations use these registries for automated pipelines. - You can push images to the respective registry, and then pull images using an HTTP endpoint from any machine.
EC2 Instance Types
Mnemonic: TMC R GID - T: Tiny - General Purpose Burstable (T3 series) - M: Medium - General Purpose (M5, M5d) - C: Compute Optimized (C5, C5d) - R: Memory Optimized (R5, R5d) - G: Graphics Optimized / GPU (G4) - I: I/O Optimized - fast storage (i3en) - D: Dense Storage
Which of the following is the correct sequence of how KMS manages the keys when used along with the Redshift cluster service?
The master key encrypts the cluster keys, the cluster keys encrypt the database keys, and the database key encrypts the data encryption keys. https://docs.aws.amazon.com/kms/latest/developerguide/services-redshift.html
What is an Origin Access Identity?
An Origin Access Identity (OAI) is required when you want to restrict access to your bucket so that it is reachable only through CloudFront.
How do you enable cross-account access to an S3 bucket?
Cross-account access can only be provided through a bucket policy. "Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::111122223333:root", "arn:aws:iam::444455556666:root"]}, "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": ["arn:aws:s3:::examplebucket/*"]
12 Factor - Processes
Processes should be stateless and should not share data with each other. This allows apps to: - Scale up through replication of their processes. - Stay portable across computing infrastructures, since stateless processes carry nothing with them. - To achieve this you must explicitly persist any data in an external backing service such as a database.
A company developed an incident response plan 18 months ago. Regular exercises of the response plan are carried out. No changes have been made to the response plan since its creation. Which of the following is a correct statement with regard to the plan?
The response plan doesn't cater for new services.
Company policy requires that all insecure server protocols, such as FTP, Telnet, HTTP, etc., be disabled on all servers. The security team would like to regularly check all servers to ensure compliance with this requirement by using a scheduled CloudWatch event to trigger a review of the current infrastructure. What process will check compliance of the company's EC2 instances?
Trigger an AWS Config rule that evaluates the restricted common ports rule against every EC2 instance. Note: you cannot query Trusted Advisor; it is a one-time advisor. Also, Amazon Inspector is used for finding vulnerabilities in EC2 instances.
If an IAM policy has one set of users defined and another set is defined in the bucket policy, which will supersede, or what happens if there is a conflict between the policies?
Unless there is an explicit Deny, all the users listed in either policy will get access; it is the union of all the policies. An explicit Deny always overrides an Allow. Following the least privilege principle, the decision ALWAYS defaults to Deny. Similarly, if no method specifies an ALLOW, the request will be denied.
Your company has an external web site. This web site needs to access the objects in an S3 bucket. Which of the following would allow the web site to access the objects in the most secure manner?
Use the aws:Referer key in the condition clause of the bucket policy. Incorrect is: grant a role that can be assumed by the web site. https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
You are creating a Lambda function which will be triggered by a CloudWatch Event. The data from these events needs to be stored in a DynamoDB table. How should the Lambda function be given access to the DynamoDB table?
Use an IAM role which has permission to the DynamoDB table and attach it to the Lambda function. Incorrect answer: create a VPC endpoint for the DynamoDB table and access the VPC endpoint from the Lambda function. https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model
Your company has mandated that all data in AWS be encrypted at rest. How can you achieve this for EBS volumes? Choose 2 answers from the options given below.
Use BitLocker for Windows based instances. Use TrueCrypt for Linux based instances. https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
A large organization is planning on AWS to host their resources. They have a number of autonomous departments that wish to use AWS. What strategy should be adopted for managing the accounts?
Use multiple AWS accounts, one account for each department. https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf
Your company has an EC2 instance hosted in AWS. This EC2 instance hosts an application. Currently this application is experiencing a number of issues. You need to inspect the network packets to see what type of error is occurring. Which one of the below steps can help address this issue?
Use a network monitoring tool provided by an AWS partner. VPC Flow Logs is not the right answer.
Cognito User Pools
User Pools are user directories used to manage sign-up and sign-in functionality for mobile and web applications. Users can sign in directly to the User Pool, or indirectly via an identity provider. Cognito acts as an identity broker between the identity provider and AWS. Successful authentication generates a number of JSON Web Tokens (JWTs).
What is a custom SSL certificate and how can it be used with CloudFront?
When you set up a CloudFront distribution, you have the choice to use the default SSL certificate or a custom SSL certificate. If you use the cloudfront.net domain name, use the default SSL certificate; when using your own domain name, import your own custom certificate through AWS Certificate Manager (ACM) in the US East region, or use a certificate stored in IAM. These are different certificates from the ones on your load balancers.
12 Factor - Concurrency
You should decompose your app into independent processes based on process types such as background, web and worker processes. This enables your app to scale up and down based on individual workload requirements. Most cloud-native apps let you scale on demand.