Which managed AWS service provides real time guidance on AWS security best practices?

Q: When comparing AWS Cloud with on-premises Total Cost of Ownership, which expenses must be considered?
A: Storage hardware; physical servers.

Q: Under the shared responsibility model, which of the following tasks are the responsibility of the customer?
A: Managing the VPC network access control lists; encrypting data in transit and at rest.

Q: Which scenarios represent the concept of elasticity on AWS?
A: Scaling the number of Amazon EC2 instances based on traffic; resizing Amazon RDS instances as business needs change.

Q: When is it beneficial for a company to use a Spot Instance?
A: When there is flexibility in when an application needs to run.

Q: A company is considering moving its on-premises data center to AWS. What factors should be included in doing a Total Cost of Ownership (TCO) analysis?
A: Power consumption of the data center; labor costs to replace old servers.

Q: How does AWS charge for AWS Lambda?
A: Users pay based on the number of requests and consumed compute resources.

Q: What function do security groups serve related to Amazon Elastic Compute Cloud (Amazon EC2) instance security?
A: They act as a virtual firewall for the Amazon EC2 instance.

Q: Which disaster recovery scenario offers the lowest probability of downtime?

Q: What will help a company perform a cost benefit analysis of migrating to the AWS Cloud?
A: AWS Total Cost of Ownership (TCO) Calculator.

Q: Which of the following provides the ability to share the cost benefits of Reserved Instances across AWS accounts?
A: Linked accounts and consolidated billing.

Q: A company has multiple AWS accounts and wants to simplify and consolidate its billing process. Which AWS service will achieve this?

Q: A company is designing an application hosted in a single AWS Region serving end-users spread across the world. The company wants to provide the end-users low latency access to the application data. Which of the following services will help fulfill this requirement?

Q: Which of the following deployment models enables customers to fully trade their capital IT expenses for operational expenses?

Q: How is asset management on AWS easier than asset management in a physical data center?
A: AWS performs infrastructure discovery scans on the customer's behalf.

Q: What feature of Amazon RDS helps to create globally redundant databases?
A: Cross-Region read replicas.

Q: Using AWS Identity and Access Management (IAM) to grant access only to the resources needed to perform a task is a concept known as:

Q: Which methods can be used to identify AWS costs by departments?
A: Create separate accounts for each department; use tags to associate each instance with a particular department.

Q: Under the AWS shared responsibility model, customer responsibilities include which one of the following?
A: Configuring the operating system, network, and firewall.


Q: Which feature adds elasticity to Amazon EC2 instances to handle the changing demand for workloads?


As an AWS customer you inherit all the best practices of AWS policies, architecture, and operational processes.

The AWS Cloud enables a shared responsibility model.

AWS manages security OF the cloud; you are responsible for security IN the cloud.

You retain control of the security you choose to implement to protect your own content, platform, applications, systems, and networks no differently than you would in an on-site data center.

Benefits of AWS Security

  • Keep Your Data Safe – the AWS infrastructure puts strong safeguards in place to help.
  • Protect your privacy – All data is stored in highly secure AWS data centers.
  • Meet Compliance Requirements – AWS manages dozens of compliance programs in its infrastructure. This means that segments of your compliance have already been completed.
  • Save Money – cut costs by using AWS data centers. Maintain the highest standard of security without having to manage your own facility.
  • Scale Quickly – security scales with your AWS Cloud usage. No matter the size of your business, the AWS infrastructure is designed to keep your data safe.

Compliance

AWS Cloud Compliance enables you to understand the robust controls in place at AWS to maintain security and data protection in the cloud.

As systems are built on top of AWS Cloud infrastructure, compliance responsibilities will be shared.

Compliance programs include:

  • Certifications / attestations.
  • Laws, regulations, and privacy.
  • Alignments / frameworks.

AWS Artifact

AWS Artifact is your go-to, central resource for compliance-related information that matters to you.

It provides on-demand access to AWS’ security and compliance reports and select online agreements.

Reports available in AWS Artifact include AWS' Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls.

Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).

Amazon GuardDuty

Amazon GuardDuty offers threat detection and continuous security monitoring for malicious or unauthorized behavior to help you protect your AWS accounts and workloads.

Intelligent threat detection service.

Detects account compromise, instance compromise, malicious reconnaissance, and bucket compromise.

Continuous monitoring for events across:

  • AWS CloudTrail Management Events.
  • AWS CloudTrail S3 Data Events.
  • Amazon VPC Flow Logs.
  • DNS Logs.
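
GuardDuty's detections are managed, but it helps to see the kind of signal that can be extracted from one of the sources listed above. The following is an added example, not part of the original page and not GuardDuty's own logic: it parses default-format Amazon VPC Flow Log records (the sample lines are constructed, not captured from a real account) and flags a source whose rejected flows touch many distinct destination ports on one host, a rough analogue of a port-scan (reconnaissance) finding. The `min_ports` threshold, the sample records and the function names are assumptions made for illustration.

```python
"""Toy reconnaissance detector over Amazon VPC Flow Log records.

Illustrates the kind of signal a flow-log-based detector derives; this is not
GuardDuty's own logic, which also uses time windows, baselines and threat intel."""
from collections import defaultdict

# Default (v2) flow log record layout, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: one host sweeps 12 ports on 10.0.1.15 and is rejected by the
# security group; a legitimate client hits 443 and fumbles one SSH attempt.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 445, 1433, 3306, 3389]
SAMPLE_LOG = "\n".join(
    [f"2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 {40000 + i} {port} 6 1 44 "
     f"1600000000 1600000060 REJECT OK" for i, port in enumerate(SCAN_PORTS)]
    + ["2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.15 51000 443 6 120 90000 1600000000 1600000060 ACCEPT OK",
       "2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.15 51001 22 6 2 88 1600000000 1600000060 REJECT OK",
       # NODATA records carry '-' in most fields and must be skipped, not parsed.
       "2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA"]
)


def parse_flow_logs(text: str) -> list[dict]:
    """Parse v2 flow log lines into dicts; drop NODATA/SKIPDATA and malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line; a real pipeline would count these
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records have no usable 5-tuple
        rec["dstport"] = int(rec["dstport"])
        rec["srcport"] = int(rec["srcport"])
        records.append(rec)
    return records


def detect_port_scans(records: list[dict], min_ports: int = 10) -> dict[tuple[str, str], list[int]]:
    """Return {(srcaddr, dstaddr): sorted rejected dst ports} for pairs that were rejected
    on at least min_ports distinct destination ports. Counting REJECTs separates a sweep
    of closed ports from a busy but legitimate client."""
    ports: dict[tuple[str, str], set[int]] = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[(rec["srcaddr"], rec["dstaddr"])].add(rec["dstport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for (src, dst), hit_ports in detect_port_scans(parse_flow_logs(SAMPLE_LOG)).items():
        print(f"possible port scan: {src} -> {dst}, {len(hit_ports)} rejected ports: {hit_ports}")
```

Lowering `min_ports` to 1 also surfaces the single rejected SSH attempt from 203.0.113.9, which is why a threshold (and, in a real detector, a time window) matters.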

AWS WAF & AWS Shield

WAF:

  • AWS WAF is a web application firewall.
  • Protects against common exploits that could compromise application availability, compromise security, or consume excessive resources.
  • WAF lets you create rules to filter web traffic based on conditions that include IP addresses, HTTP headers and body, and URI strings.
  • WAF makes it easy to create rules that block common web exploits like SQL injection and cross-site scripting.
  • Rules are grouped into web ACLs (web access control lists), and a web ACL is associated with the resource it protects, such as a CloudFront distribution, an Application Load Balancer, or an API Gateway API.

Shield:

  • AWS Shield is a managed Distributed Denial of Service (DDoS) protection service.
  • Safeguards web applications running on AWS with always-on detection and automatic inline mitigations.
  • Helps to minimize application downtime and latency.
  • Two tiers – Standard and Advanced.

AWS Key Management Service (AWS KMS)

AWS Key Management Service gives you centralized control over the encryption keys used to protect your data.

You can create, import, rotate, disable, delete, define usage policies for, and audit the use of encryption keys used to encrypt your data.

AWS Key Management Service is integrated with most other AWS services making it easy to encrypt the data you store in these services with encryption keys you control.

AWS KMS is integrated with AWS CloudTrail which provides you the ability to audit who used which keys, on which resources, and when.

AWS KMS enables developers to easily encrypt data, whether through 1-click encryption in the AWS Management Console or using the AWS SDK to easily add encryption in their application code.


AWS CloudHSM

AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.

With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs.

CloudHSM offers you the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries.

AWS Certificate Manager

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.

SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks.

AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.

Amazon Inspector and AWS Trusted Advisor

Amazon Inspector:

  • Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
  • Inspector automatically assesses applications for vulnerabilities or deviations from best practices.
  • Uses an agent installed on EC2 instances.
  • Instances must be tagged so that they can be selected into an assessment target.

AWS Trusted Advisor:

  • Trusted Advisor is an online resource that helps to reduce cost, increase performance, and improve security by optimizing your AWS environment.
  • Trusted Advisor provides real-time guidance to help you provision your resources following best practices.
  • Trusted Advisor advises you on Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits.

Trusted Advisor scans your AWS infrastructure and compares it to AWS best practices in five categories:

  • Cost Optimization.
  • Performance.
  • Security.
  • Fault Tolerance.
  • Service Limits.

Trusted Advisor comes in two versions.

Core Checks and Recommendations (free):

  • Access to the 7 core checks to help increase security and performance.
  • Checks include S3 Bucket Permissions, Security Groups - Specific Ports Unrestricted, IAM Use, MFA on Root Account, EBS Public Snapshots, RDS Public Snapshots, and Service Limits.

Full Trusted Advisor Benefits (business and enterprise support plans):

  • Full set of checks to help optimize your entire AWS infrastructure.
  • Advises on security, performance, cost, fault tolerance and service limits.
  • Additional benefits include weekly update notifications, alerts, automated actions with CloudWatch and programmatic access using the AWS Support API.
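
The "Security Groups - Specific Ports Unrestricted" core check is simple enough to reproduce offline, which is useful for understanding what Trusted Advisor flags and for running the same logic in accounts without Business or Enterprise Support. The following is an added example, not part of the original page and not Trusted Advisor's code: it evaluates a constructed sample shaped like `aws ec2 describe-security-groups` output. The red/green port sets are modelled on the check's published criteria and should be treated as an assumption to verify against the current Trusted Advisor documentation; the function names and sample group IDs are assumptions as well.

```python
"""Offline re-implementation of the Trusted Advisor check
"Security Groups - Specific Ports Unrestricted", run over a constructed
sample shaped like `aws ec2 describe-security-groups` output."""
from __future__ import annotations

# Rating criteria modelled on the check's published thresholds (assumption:
# verify against the current Trusted Advisor documentation before relying on it).
RED_PORTS = {20, 21, 1433, 1434, 3306, 3389, 4333, 5432, 5500}   # FTP, databases, RDP
GREEN_PORTS = {25, 80, 443, 465}                                 # web and mail listeners
SEVERITY = {"GREEN": 0, "YELLOW": 1, "RED": 2}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"

# Constructed sample, not data from a real account.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0e5f6a7b", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0c9d8e7f", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,   # IPv4 restricted, IPv6 open
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1",                                  # all protocols, all ports
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]


def is_world_open(perm: dict) -> bool:
    """True if the rule's source includes every IPv4 or every IPv6 address."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def rule_ports(perm: dict) -> range | None:
    """Port range covered by a rule; None means every port (protocol -1 or ICMP)."""
    if perm.get("IpProtocol") == "-1":
        return None
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None or lo < 0:
        return None
    return range(lo, hi + 1)


def rate_port(port: int) -> str:
    if port in RED_PORTS:
        return "RED"
    if port in GREEN_PORTS:
        return "GREEN"
    return "YELLOW"


def check_security_groups(groups: list[dict]) -> list[tuple[str, str, str]]:
    """Return (group_id, ports, rating) for every world-open rule that is not GREEN,
    worst rating first. GREEN rules (only 25/80/443/465 exposed) are not reported."""
    findings = []
    for group in groups:
        for perm in group["IpPermissions"]:
            if not is_world_open(perm):
                continue
            ports = rule_ports(perm)
            if ports is None:
                findings.append((group["GroupId"], "all", "RED"))
                continue
            worst = max((rate_port(p) for p in ports), key=SEVERITY.__getitem__)
            if worst == "GREEN":
                continue
            label = str(ports.start) if len(ports) == 1 else f"{ports.start}-{ports[-1]}"
            findings.append((group["GroupId"], label, worst))
    findings.sort(key=lambda f: SEVERITY[f[2]], reverse=True)
    return findings


if __name__ == "__main__":
    for group_id, ports, rating in check_security_groups(SAMPLE_GROUPS):
        print(f"{rating:6} {group_id} port(s) {ports} open to the world")
```

Note the bastion group: its IPv4 source is a single /24, but the IPv6 range is `::/0`, so SSH is still world-open. Checks that only look at `IpRanges` miss this.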

Penetration Testing

Penetration testing is the practice of testing one’s own application’s security for vulnerabilities by simulating an attack.

AWS allows penetration testing. There is a limited set of resources on which penetration testing can be performed.

You do not need prior approval from AWS to perform penetration testing against the following services:

  • Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers.
  • Amazon RDS.
  • Amazon CloudFront.
  • Amazon Aurora.
  • Amazon API Gateway.
  • AWS Lambda and Lambda@Edge functions.
  • Amazon Lightsail resources.
  • AWS Elastic Beanstalk environments.

Some activities remain prohibited regardless of target: DNS zone walking via Route 53 hosted zones, denial-of-service (DoS/DDoS) simulation, and port, protocol or request flooding. DDoS simulation has its own separate AWS policy and approval process.

The full vulnerability and penetration testing support policy is published on the AWS Penetration Testing page.

In case an account is or may be compromised, AWS recommends that the following steps are taken:

  1. Change your AWS root account password.
  2. Change all IAM user’s passwords.
  3. Delete or rotate all programmatic (API) access keys.
  4. Delete any resources in your account that you did not create.
  5. Respond to any notifications you received from AWS through the AWS Support Center and/or contact AWS Support to open a support case.
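
Steps 1 to 3 are easier to carry out from a list of what actually exists in the account. The IAM credential report gives that list (`aws iam generate-credential-report`, then `aws iam get-credential-report`, whose Content field is base64-encoded CSV). The following is an added example, not part of the original page: it triages a constructed credential report into the root-key, password-reset, key-rotation and missing-MFA worklists. The sample rows and the `triage` function name are assumptions; the access key IDs needed for the actual rotation come from `aws iam list-access-keys --user-name ...`, because the report does not include them.

```python
"""Triage an IAM credential report into the worklists behind steps 1-3 above."""
import csv
import io

# Constructed sample report (the CSV returned, base64-decoded, by
# `aws iam get-credential-report`); not data from a real account.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,true,2019-01-01T00:00:00+00:00,2024-05-01T09:00:00+00:00,us-east-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2020-02-02T00:00:00+00:00,true,2024-05-01T10:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true,2024-01-01T00:00:00+00:00,2024-05-01T09:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-04-04T00:00:00+00:00,true,2024-04-30T08:00:00+00:00,2023-06-01T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2021-03-03T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2021-03-03T00:00:00+00:00,2024-05-01T09:00:00+00:00,us-east-1,ec2,true,2023-03-03T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

ROOT = "<root_account>"  # how the credential report names the root user


def triage(report_csv: str) -> dict:
    """Turn a credential report into the incident-response worklists."""
    result = {
        "root_password_reset": True,      # step 1: always, regardless of the report
        "root_has_active_keys": False,    # root access keys should not exist at all
        "root_mfa_enabled": False,        # Trusted Advisor's "MFA on Root Account" check
        "users_to_reset_password": [],    # step 2: every IAM user with console access
        "keys_to_rotate": [],             # step 3: (user, key slot) for each active key
        "console_users_without_mfa": [],  # fix while the account is being cleaned up
    }
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        for slot in (1, 2):
            if row[f"access_key_{slot}_active"] == "true":
                result["keys_to_rotate"].append((user, slot))
                if user == ROOT:
                    result["root_has_active_keys"] = True
        if user == ROOT:
            result["root_mfa_enabled"] = row["mfa_active"] == "true"
            continue  # root password is covered by step 1
        if row["password_enabled"] == "true":
            result["users_to_reset_password"].append(user)
            if row["mfa_active"] != "true":
                result["console_users_without_mfa"].append(user)
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the sample, the root user holds an active access key that was recently used: that key is the first thing to delete, before any user-level rotation, because it bypasses every IAM policy in the account.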

AWS Single Sign-On (AWS SSO)

AWS Single Sign-On is a cloud-based single sign-on (SSO) service that makes it easy to centrally manage SSO access to all your AWS accounts and cloud applications.

It helps you manage SSO access and user permissions across all your AWS accounts in AWS Organizations.

AWS SSO also helps you manage access and permissions to commonly used third-party software as a service (SaaS) applications, AWS SSO-integrated applications as well as custom applications that support Security Assertion Markup Language (SAML) 2.0.

AWS SSO includes a user portal where your end-users can find and access all their assigned AWS accounts, cloud applications, and custom applications in one place.


Amazon Cognito

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily.

Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Apple, Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0 and OpenID Connect.

The two main components of Amazon Cognito are user pools and identity pools:

  • User pools are user directories that provide sign-up and sign-in options for your app users.
  • Identity pools enable you to grant your users access to other AWS services.

You can use identity pools and user pools separately or together.


AWS Directory Service

AWS provides several directory types.

The following three types currently feature on the exam and will be covered on this page:

  • AWS Directory Service for Microsoft Active Directory.
  • Simple AD.
  • AD Connector.

As an alternative to AWS Directory Service you can build your own Microsoft AD domain controllers in the AWS Cloud (on EC2).

The directory options covered on this page, with typical use cases:

  • AWS Directory Service for Microsoft Active Directory
    Description: AWS-managed full Microsoft AD running on Windows Server 2012 R2.
    Use case: Enterprises that want hosted Microsoft AD, or that need LDAP for Linux apps.
  • AD Connector
    Description: Allows on-premises users to log into AWS services with their existing AD credentials. Also allows EC2 instances to join the AD domain.
    Use case: Single sign-on for on-premises employees, and adding EC2 instances to the domain.
  • Simple AD
    Description: Low-scale, low-cost AD implementation based on Samba.
    Use case: Simple user directory, or when you need LDAP compatibility.

AWS Systems Manager Parameter Store

Provides secure, hierarchical storage for configuration data management and secrets management.

It is highly scalable, available, and durable.

You can store data such as passwords, database strings, and license codes as parameter values.

You can store values as plaintext (String parameters) or as ciphertext (SecureString parameters, encrypted with an AWS KMS key).

You can then reference values by using the unique name that you specified when you created the parameter.

AWS Secrets Manager

Similar to Parameter Store, but purpose-built for secrets.

Supports native, automatic rotation of secrets (for example, database credentials) using AWS Lambda rotation functions.

Fine-grained permissions through IAM policies and resource-based policies on each secret.

Central auditing of secret retrieval and rotation through AWS CloudTrail.


Which managed service provides real-time guidance on AWS security best practices?

AWS Trusted Advisor is an online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment. Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices.

Which AWS Trusted Advisor checks are available to users with AWS Basic Support (choose two)?

The two Trusted Advisor best practices that were first made available to all Amazon Web Services customers are Service Limits (in the Performance category) and Security Groups - Specific Ports Unrestricted (in the Security category). Basic Support now also includes the core security checks listed under Trusted Advisor above.

Which AWS service should a cloud practitioner use to establish a secure network connection between an on

You can use AWS Direct Connect to establish a private virtual interface from your on-premises network directly to your Amazon VPC, providing you with a private, high-bandwidth network connection between your network and your VPC. This connection is private and does not traverse the public internet. Note that Direct Connect traffic is not encrypted by default; where confidentiality is required, run an AWS Site-to-Site VPN over the connection (or use MACsec on dedicated connections that support it).

There are five design principles for reliability in the cloud: Automatically recover from failure. Test recovery procedures. Scale horizontally to increase aggregate workload availability.