AWS Certified Solutions Architect Exam Guide – Chapter-12

Understand the shared responsibility model. AWS is responsible for securing the underlying infrastructure that supports the cloud, and you’re responsible for anything you put on the cloud or connect to the cloud.

Understand regions and Availability Zones. Each region is completely independent. Each region is designed to be completely isolated from the other regions. This achieves the greatest possible fault tolerance and stability. Regions are a collection of Availability Zones. Each Availability Zone is isolated, but the Availability Zones in a region are connected through low-latency links.

Understand High-Availability System Design within AWS. You should architect your AWS usage to take advantage of multiple regions and Availability Zones. Distributing applications across multiple Availability Zones provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.

Understand the network security of AWS. Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, ACLs, and configurations to enforce the flow of information to specific information system services.

AWS has strategically placed a limited number of access points to the cloud to allow for a more comprehensive monitoring of inbound and outbound communications and network traffic. These customer access points are called API endpoints, and they allow HTTPS access, which allows you to establish a secure communication session with your storage or Compute instances within AWS.

Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its own.

Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy. Violations of the AWS Acceptable Use Policy are taken seriously, and every reported violation is investigated.

It is not possible for an Amazon EC2 instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance.

Understand the use of credentials on AWS. AWS employs several credentials in order to positively identify a person or authorize an API call to the platform. Credentials include:

  • Passwords: AWS root account or IAM user account login to the AWS Management Console
  • Multi-Factor Authentication (MFA): AWS root account or IAM user account login to the AWS Management Console
  • Access Keys: digitally signed requests to AWS APIs (using the AWS SDK, CLI, or REST/Query APIs)
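The “digitally signed requests” in the last item are produced by the Signature Version 4 process. The following is an added, stand-alone re-implementation written for this summary (it is not the exam guide’s code and not the AWS SDK); it follows the published SigV4 steps using only the Python standard library, and the access key, secret, host and timestamp in `demo()` are constructed placeholder values.

```python
"""Minimal AWS Signature Version 4 signer (added example, standard library only).

Steps: derive a scoped signing key from the long-term secret, build a canonical
request, hash it into a string-to-sign, and HMAC that with the scoped key.
Credentials, host and dates used in demo() are constructed sample values.
"""
import hashlib
import hmac
from urllib.parse import quote


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service signing key.

    The long-term secret never goes on the wire; each derivation step narrows
    what the resulting key is able to sign (one date, region and service).
    """
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method, path, query, headers, payload: bytes):
    """Build the canonical request string that both the client and AWS hash."""
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(query.items())
    )
    # Header names are lowercased, values whitespace-normalised, sorted by name.
    normalized = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    canonical_headers = "".join(f"{k}:{normalized[k]}\n" for k in sorted(normalized))
    signed_headers = ";".join(sorted(normalized))
    return "\n".join([
        method.upper(),
        quote(path, safe="/-_.~") or "/",
        canonical_query,
        canonical_headers,
        signed_headers,
        _sha256_hex(payload),
    ]), signed_headers


def sign_request(access_key, secret_key, region, service, method, host, path,
                 query, payload: bytes, amz_date):
    """Return the Authorization header value for one request."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    headers = {"host": host, "x-amz-date": amz_date}
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def demo():
    """Sign a constructed GET request with placeholder credentials."""
    return sign_request(
        access_key="AKIDEXAMPLE",                                  # placeholder
        secret_key="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",     # placeholder
        region="us-east-1", service="service", method="GET",
        host="example.amazonaws.com", path="/", query={},
        payload=b"", amz_date="20150830T123600Z")


if __name__ == "__main__":
    print(demo())
```

Because the signature covers the date, the scope and a hash of the body, a captured request cannot be replayed later or altered in transit; and because the signing key is derived rather than the secret itself, a leaked signing key is only useful for one day, region and service.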

Understand the proper use of access keys. Because access keys can be misused if they fall into the wrong hands, AWS encourages you to save them in a safe place and not to embed them in your code. For customers with large fleets of elastically-scaling Amazon EC2 instances, the use of IAM roles can be a more secure and convenient way to manage the distribution of access keys.
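A practical way to enforce the “do not embed access keys in your code” advice is a pre-commit or CI scan. The script below is an added example written for this summary (not from the exam guide or AWS): it looks for access key IDs in the AKIA/ASIA format and for 40-character secrets next to secret-key-looking variable names. The sample source it scans is constructed; the key values in it are the placeholder credentials AWS uses in its own documentation, not live keys.

```python
"""Scan source text for embedded AWS credentials (added example).

The sample file contents and the credential values below are constructed;
AKIAIOSFODNN7EXAMPLE and the matching secret are the placeholder values that
appear in AWS documentation, not real keys.
"""
import re

# Long-term (AKIA) and temporary (ASIA) access key IDs are 20 upper-case alphanumerics.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-character base64-like token assigned to a secret-key-looking name.
SECRET_KEY = re.compile(
    r"(?i)(aws_?secret(?:_access)?_key|secret_?key)\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")


def find_credentials(text: str):
    """Return (line_number, kind, value) for every suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append((lineno, "access_key_id", m.group(0)))
        for m in SECRET_KEY.finditer(line):
            findings.append((lineno, "secret_access_key", m.group(2)))
    return findings


def redact(value: str) -> str:
    """Show only the ends of a value so a report does not re-leak it."""
    return value[:4] + "..." + value[-4:]


def report(text: str, name: str = "<input>"):
    """Human-readable lines suitable for a CI log; empty list means clean."""
    return [f"{name}:{lineno}: embedded {kind} {redact(value)}"
            for lineno, kind, value in find_credentials(text)]


# Constructed sample file: one acceptable pattern and two embedded credentials.
SAMPLE_SOURCE = '''\
import os
# good: read credentials from the environment or, on EC2, from an IAM role
session_key = os.environ.get("AWS_ACCESS_KEY_ID")
# bad: long-term keys embedded in the source (constructed sample values)
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
'''

if __name__ == "__main__":
    for line in report(SAMPLE_SOURCE, "config.py"):
        print(line)
```

Pattern matching of this kind produces false positives on other 40-character tokens, so treat a hit as something to review rather than an automatic failure; for the EC2 fleet case the paragraph describes, the fix is to remove the keys entirely and let the instance obtain short-lived credentials through an IAM role.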

Understand the value of AWS CloudTrail. AWS CloudTrail is a web service that records API calls made on your account and delivers log files to your Amazon S3 bucket. AWS CloudTrail’s benefit is visibility into account activity by recording API calls made on your account.
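The visibility CloudTrail gives you is only useful if something reads the log files. As an added illustration (not code from the exam guide or from AWS), the script below walks a set of CloudTrail-style records and raises three findings that are worth a look in almost any account: activity by the root account, a console login without MFA, and a principal that keeps receiving AccessDenied. The records, account ID, ARNs, user names and IP addresses are constructed sample data shaped like real CloudTrail entries.

```python
"""Flag a few high-signal events in CloudTrail records (added example).

The records below are constructed to look like CloudTrail log entries; the
account ID, ARNs, user names and IP addresses are sample values.
"""
import json
from collections import Counter

# Constructed sample trail: a root login, a login without MFA, normal activity,
# three denied S3 calls by one role, and a clean login.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-15T08:01:10Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-15T08:05:42Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-15T08:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
] + [
    {"eventTime": f"2024-01-15T08:1{i}:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.25",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}}
    for i in range(3)
] + [
    {"eventTime": "2024-01-15T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.12",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]})


def principal(record):
    """Short label for who made the call, taken from userIdentity."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        return "root"
    return ident.get("userName") or ident.get("arn") or "unknown"


def analyze(trail_json: str, denied_threshold: int = 3):
    """Return (rule, principal, detail) tuples for the events worth reviewing."""
    records = json.loads(trail_json)["Records"]
    findings = []
    denied = Counter()
    for rec in records:
        who = principal(rec)
        when = rec.get("eventTime")
        # Root should be reserved for account-level tasks; any use is notable.
        if rec.get("userIdentity", {}).get("type") == "Root":
            findings.append(("root-activity", who, f"{rec.get('eventName')} at {when}"))
        # Console sign-ins record whether MFA was used.
        if (rec.get("eventName") == "ConsoleLogin"
                and rec.get("additionalEventData", {}).get("MFAUsed") == "No"):
            findings.append(("console-login-without-mfa", who,
                             f"from {rec.get('sourceIPAddress')} at {when}"))
        # Repeated AccessDenied often means a misconfigured app or probing.
        if rec.get("errorCode") == "AccessDenied":
            denied[who] += 1
    for who, count in denied.items():
        if count >= denied_threshold:
            findings.append(("repeated-access-denied", who, f"{count} denied calls"))
    return findings


if __name__ == "__main__":
    for rule, who, detail in analyze(SAMPLE_TRAIL):
        print(f"{rule:28} {who:55} {detail}")
```

Real trails are gzipped JSON objects delivered to the S3 bucket the paragraph mentions, each with a top-level `Records` array in exactly this shape, so the same `analyze()` can be pointed at a downloaded file after decompression.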

Understand the security features of Amazon EC2. Amazon EC2 uses public-key cryptography to encrypt and decrypt login information. Public-key cryptography uses a public key to encrypt a piece of data, such as a password, and then the recipient uses the private key to decrypt the data. The public and private keys are known as a key pair.

To log in to your instance, you must create a key pair, specify the name of the key pair when you launch the instance, and provide the private key when you connect to the instance. Linux instances have no password, and you use a key pair to log in using SSH. With Windows instances, you use a key pair to obtain the administrator password and then log in using RDP.

A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group.
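Two properties of security groups matter in practice and come up again in the review questions at the end of this chapter: rules are allow-only (there is no deny rule), and evaluation is stateful, so a reply to permitted traffic is let through even with no rule in the opposite direction. A network ACL, by contrast, is an ordered allow/deny list evaluated separately for each direction. The simulation below is an added example written for this summary, not code from the exam guide or AWS; the `Packet`, `Rule`, `SecurityGroup` and `NetworkAcl` classes and the addresses in `demo()` are all constructed.

```python
"""Stateful security group vs. stateless network ACL (added example).

Nothing here talks to AWS; it is a small model of the two evaluation rules.
Addresses 203.0.113.0/24 and 10.0.0.0/8 are documentation/private ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    proto: str
    from_port: int
    to_port: int
    cidr: str               # remote network: source for inbound, destination for outbound
    action: str = "allow"   # network ACLs also support "deny"; security groups do not
    number: int = 0         # evaluation order, used by network ACLs only

    def matches(self, pkt: Packet, inbound: bool) -> bool:
        remote = pkt.src if inbound else pkt.dst
        return (self.proto in ("-1", pkt.proto)
                and self.from_port <= pkt.dst_port <= self.to_port
                and ip_address(remote) in ip_network(self.cidr))


class SecurityGroup:
    """Allow-only and stateful: replies to permitted traffic pass automatically."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._flows = set()   # connection tracking, keyed by the first packet

    @staticmethod
    def _key(pkt):
        return (pkt.src, pkt.src_port, pkt.dst, pkt.dst_port)

    def permits(self, pkt: Packet, inbound: bool) -> bool:
        reverse = (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port)
        if reverse in self._flows:          # reply to a tracked flow
            return True
        rules = self.inbound if inbound else self.outbound
        if any(r.matches(pkt, inbound) for r in rules):   # any allow rule is enough
            self._flows.add(self._key(pkt))
            return True
        return False                        # no deny rules: anything unmatched is dropped


class NetworkAcl:
    """Ordered allow/deny rules, stateless: each direction is judged on its own."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound

    def permits(self, pkt: Packet, inbound: bool) -> bool:
        rules = self.inbound if inbound else self.outbound
        for r in sorted(rules, key=lambda r: r.number):   # lowest number first
            if r.matches(pkt, inbound):
                return r.action == "allow"
        return False                        # the implicit final "*" rule denies


def demo():
    """SSH from a client to an instance: request inbound, reply outbound."""
    client, instance = "203.0.113.5", "10.0.0.10"
    request = Packet(client, 51000, instance, 22)
    reply = Packet(instance, 22, client, 51000)

    sg = SecurityGroup(inbound=[Rule("tcp", 22, 22, "203.0.113.0/24")], outbound=[])
    ssh_in = [Rule("tcp", 22, 22, "203.0.113.0/24", number=100)]
    # Common mistake: outbound only allows port 22, but replies go to ephemeral ports.
    strict_acl = NetworkAcl(inbound=ssh_in,
                            outbound=[Rule("tcp", 22, 22, "0.0.0.0/0", number=100)])
    fixed_acl = NetworkAcl(inbound=ssh_in,
                           outbound=[Rule("tcp", 1024, 65535, "0.0.0.0/0", number=100)])
    return {
        "sg_request": sg.permits(request, inbound=True),
        "sg_reply_without_outbound_rule": sg.permits(reply, inbound=False),
        "acl_request": strict_acl.permits(request, inbound=True),
        "acl_reply_without_ephemeral_rule": strict_acl.permits(reply, inbound=False),
        "acl_reply_with_ephemeral_rule": fixed_acl.permits(reply, inbound=False),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:34} {'allowed' if allowed else 'dropped'}")
```

The model explains the classic troubleshooting case: an instance whose security group allows SSH is still unreachable because the subnet’s network ACL lacks an outbound rule for the ephemeral port range, while the security group alone would have let the reply through.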

Understand AWS use of encryption of data in transit. All service endpoints support encryption of data in transit via HTTPS.

Know which services offer encryption of data at rest as a feature. The following services offer a feature to encrypt data at rest:

  • Amazon S3
  • Amazon EBS
  • Amazon Glacier
  • AWS Storage Gateway
  • Amazon RDS
  • Amazon Redshift
  • Amazon WorkSpaces

Exercises

The best way to become familiar with the security features of AWS is to do the exercises for each chapter and inspect the security features offered by the service. Take a look at this list of AWS cloud services covered in different chapters and their security features:

Chapter 6, AWS IAM

  • Exercise 6.1: Create an IAM Group
  • Exercise 6.2: Create a Customized Sign-In Link and Password Policy
  • Exercise 6.3: Create an IAM User
  • Exercise 6.4: Create and Use an IAM Role
  • Exercise 6.5: Rotate Keys
  • Exercise 6.6: Set Up MFA
  • Exercise 6.7: Resolve Conflicting Permissions

Chapter 3, Amazon EC2

  • Exercise 3.1: Launch and Connect to a Linux Instance
  • Exercise 3.2: Launch a Windows Instance with Bootstrapping

Chapter 3, Amazon EBS

  • Exercise 3.8: Launch an Encrypted Volume

Chapter 2, Amazon S3

  • Exercise 2.1: Create an Amazon Simple Storage Service (Amazon S3) Bucket
  • Exercise 2.2: Upload, Make Public, Rename, and Delete Objects in Your Bucket

Chapter 4, Amazon VPC

  • Exercise 4.1: Create a Custom Amazon VPC
  • Exercise 4.2: Create Two Subnets for Your Custom Amazon VPC
  • Exercise 4.3: Connect Your Amazon VPC to the Internet and Establish Routing
  • Exercise 4.4: Launch an Amazon EC2 Instance and Test the Connection to the Internet

Chapter 7, Amazon RDS

  • Exercise 7.1: Create a MySQL Amazon RDS Instance
  • Exercise 7.2: Simulate a Failover from One AZ to Another

Review Questions

Which is an operational process performed by AWS for data security?

  • Advanced Encryption Standard (AES)-256 encryption of data stored on any shared storage device
  • Decommissioning of storage devices using industry-standard practices
  • Background virus scans of Amazon Elastic Block Store (Amazon EBS) volumes and Amazon EBS snapshots
  • Replication of data across multiple AWS regions
  • Secure wiping of Amazon EBS data when an Amazon EBS volume is unmounted

You have launched a Windows Amazon Elastic Compute Cloud (Amazon EC2) instance and specified an Amazon EC2 key pair for the instance at launch. Which of the following accurately describes how to log in to the instance?

  • Use the Amazon EC2 key pair to securely connect to the instance via Secure Shell (SSH).
  • Use your AWS Identity and Access Management (IAM) user X.509 certificate to log in to the instance.
  • Use the Amazon EC2 key pair to decrypt the administrator password and then securely connect to the instance via Remote Desktop Protocol (RDP) as the administrator.
  • A key pair is not needed. Securely connect to the instance via RDP.

A Database security group controls network access to a database instance that is inside a Virtual Private Cloud (VPC) and by default allows access from?

  • Access from any IP address for the standard ports that the database uses is provided by default.
  • Access from any IP address for any port is provided by default in the DB security group.
  • No access is provided by default, and any access must be explicitly added with a rule to the DB security group.
  • Access for the database connection string is provided by default in the DB security group.

Which encryption algorithm is used by Amazon Simple Storage Service (Amazon S3) to encrypt data at rest with Server-Side Encryption (SSE)?

  • Advanced Encryption Standard (AES)-256
  • RSA 1024
  • RSA 2048
  • AES-128

How many access keys may an AWS Identity and Access Management (IAM) user have active at one time?

  • 0
  • 1
  • 2
  • 3

Which of the following is the name of the security model employed by AWS with its customers?

  • The shared secret model
  • The shared responsibility model
  • The shared secret key model
  • The secret key responsibility model

Which of the following describes the scheme used by an Amazon Redshift cluster leveraging AWS Key Management Service (AWS KMS) to encrypt data-at-rest?

  • Amazon Redshift uses a one-tier, key-based architecture for encryption.
  • Amazon Redshift uses a two-tier, key-based architecture for encryption.
  • Amazon Redshift uses a three-tier, key-based architecture for encryption.
  • Amazon Redshift uses a four-tier, key-based architecture for encryption.

Which of the following Elastic Load Balancing options ensure that the load balancer determines which cipher is used for a Secure Sockets Layer (SSL) connection?

  • Client Server Cipher Suite
  • Server Cipher Only
  • First Server Cipher
  • Server Order Preference

Which technology does Amazon WorkSpaces use to provide data security?

  • Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
  • Advanced Encryption Standard (AES)-256
  • PC-over-IP (PCoIP)
  • AES-128

As a Solutions Architect, how should you architect systems on AWS?

  • You should architect for least cost.
  • You should architect your AWS usage to take advantage of Amazon Simple Storage Service’s (Amazon S3) durability.
  • You should architect your AWS usage to take advantage of multiple regions and Availability Zones.
  • You should architect with Amazon Elastic Compute Cloud (Amazon EC2) Auto Scaling to ensure capacity is available when needed.

Which security scheme is used by the AWS Multi-Factor Authentication (AWS MFA) token?

  • Time-Based One-Time Password (TOTP)
  • Perfect Forward Secrecy (PFS)
  • Ephemeral Diffie Hellman (EDH)
  • Split-Key Encryption (SKE)

DynamoDB tables may contain sensitive data that needs to be protected. Which of the following is a way for you to protect DynamoDB table content? (Choose 2 answers)

  • DynamoDB encrypts all data server side by default so nothing is required.
  • DynamoDB can store data encrypted with a client-side encryption library solution before storing the data in DynamoDB.
  • DynamoDB obfuscates all data stored so encryption is not required.
  • DynamoDB can be used with the AWS Key Management Service to encrypt the data before storing the data in DynamoDB.
  • DynamoDB should not be used to store sensitive information requiring protection.

You have launched an Amazon Linux Elastic Compute Cloud (Amazon EC2) instance into EC2-Classic, and the instance has successfully passed the System Status Check and Instance Status Check. You attempt to securely connect to the instance via Secure Shell (SSH) and receive the response, “WARNING: UNPROTECTED PRIVATE KEY FILE,” after which the login fails. Which of the following is the cause of the failed login?

  • You are using the wrong private key.
  • The permissions for the private key are too insecure for the key to be trusted.
  • A security group rule is blocking the connection.
  • A security group rule has not been associated with the private key.

Which of the following public identity providers are supported by Amazon Cognito Identity?

  • Amazon
  • Google
  • Facebook
  • All of the above

Which feature of AWS is designed to permit calls to the platform from an Amazon Elastic Compute Cloud (Amazon EC2) instance without needing access keys placed on the instance?

  • AWS Identity and Access Management (IAM) instance profile
  • IAM groups
  • IAM roles
  • Amazon EC2 key pairs

Which of the following Amazon Virtual Private Cloud (Amazon VPC) elements acts as a stateless firewall?

  • Security group
  • Network Access Control List (ACL)
  • Network Address Translation (NAT) instance
  • An Amazon VPC endpoint

Which of the following is the most recent version of the AWS digital signature calculation process?

  • Signature Version 1
  • Signature Version 2
  • Signature Version 3
  • Signature Version 4

Which of the following is the name of the feature within Amazon Virtual Private Cloud (Amazon VPC) that allows you to launch Amazon Elastic Compute Cloud (Amazon EC2) instances on hardware dedicated to a single customer?

  • Amazon VPC-based tenancy
  • Dedicated tenancy
  • Default tenancy
  • Host-based tenancy

Which of the following describes how Amazon Elastic MapReduce (Amazon EMR) protects access to the cluster?

  • The master node and the slave nodes are launched into an Amazon Virtual Private Cloud (Amazon VPC).
  • The master node supports a Virtual Private Network (VPN) connection from the key specified at cluster launch.
  • The master node is launched into a security group that allows Secure Shell (SSH) and service access, while the slave nodes are launched into a separate security group that only permits communication with the master node.
  • The master node and slave nodes are launched into a security group that allows SSH and service access.

To help prevent data loss due to the failure of any single hardware component, Amazon Elastic Block Storage (Amazon EBS) automatically replicates EBS volume data to which of the following?

  • Amazon EBS replicates EBS volume data within the same Availability Zone in a region.
  • Amazon EBS replicates EBS volume data across other Availability Zones within the same region.
  • Amazon EBS replicates EBS volume data across Availability Zones in the same region and in Availability Zones in one other region.
  • Amazon EBS replicates EBS volume data across Availability Zones in the same region and in Availability Zones in every other region.

Rajesh Kumar