Which actions can you perform in Amazon Route 53 select two connect user requests to infrastructure in AWS and outside of AWS?
Security: People may be concerned about whether their data is safe in the cloud. AWS has designed multiple layers to secure data and services at the highest level. Security is achieved by controlling who can access which services: authenticating the caller and authorizing the request. In this section you will learn how to use the Identity and Access Management (IAM) service to control who can access which services.

Compliance: Certain financial data or health data are sensitive and must comply with the law. So besides security, this post will also cover compliance.

(1) The Root User

Logging in as the root user means you enter the email address and password of your AWS account. You then have full access to all services. If the root user is compromised through an attack, the attacker has full access to your data. So you need to protect your root user with a strong password and multi-factor authentication (MFA). Lock away your root access and take over its day-to-day functions by setting up IAM users and groups for your administration tasks, as shown in Figure (1). You can grant this administrator the “AdministratorAccess” policy, which has full access to all services. You also want to use MFA for the IAM privileged users who have admin permissions to your AWS account.

You probably already use multi-factor authentication (MFA) for your Gmail account as a second layer of security. MFA sends a temporary digital token to a preset device like your smartphone. Although this is very simple, it is effective because a remote attacker is unlikely to have the device in hand.

Figure (1)
The answer is (C). The root account should be used as sparingly as possible.
The answer is (C)
The answers are (C) and (D).
The answer is (A).
The answers are (A) and (C). AWS provides multi-factor authentication for AWS users and ensures that you retain complete control and ownership of the data resources that exist in an AWS region. Option (B) is incorrect because, under the shared responsibility model, customers are responsible for their own security in the cloud.
The answer is (C). You should always use Multifactor Authentication, if possible, especially with privileged users.
The answers are (A) and (B). It is recommended to delete the root user access keys and to use MFA on the account.

(2) IAM Users

Identity and access management (IAM) is a framework of business processes, policies and technologies that facilitates the management of electronic or digital identities. With an IAM framework in place, information technology (IT) managers can control user access to critical information within their organizations.

An IAM user represents a person or service that interacts with AWS. Any activity done by that user is billed to your account. An IAM user consists of a name and a set of credentials. Each person should have his/her own login credentials. When creating a user, you can enable the user to access resources in two ways: (a) through the AWS Management Console, or (b) programmatically by using the Command Line Interface (AWS CLI) and the AWS API.

(3) IAM Groups

If your organization has many users with different needs for the services, it will be hard for the IT manager to authorize them one by one. It is more convenient and scalable to manage permissions for users by group. An IAM group is a collection of users. All users in the group inherit the same permissions, called policies, assigned to the group. This makes it easy to give permissions to multiple users at once.

IAM groups have many advantages. Suppose your company maintains a website with administrators, developers and account managers working on it. You can create an admin group, a developer group and an account manager group. If your company hires a new developer, you simply create a user name and credentials for the person and add the new user to the developer group. Note that groups cannot belong to another group.
The answer is (B).

(4) Policies

A policy is a permission that allows IAM identities (users, groups of users, or roles) to do something with AWS resources. AWS supports six types of policies:
Below are some examples for identity-based policies.
Most policies are stored in AWS as JSON documents like this:

When you create IAM policies, follow the standard security advice of granting least privilege, that is, granting only the permissions required to perform a task. Determine what users (and roles) need to do, and then craft policies that allow them to perform only those tasks.
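To make the least-privilege advice concrete, here is an added example (not code from the original post) that loads two constructed identity-based policies in the JSON form described above, evaluates a request against them with the rule that an explicit Deny beats any Allow and an unmatched request is implicitly denied, and flags Allow statements that use `*` for Action or Resource. The bucket name, Sids and the simplified matching (no Condition or NotAction handling) are assumptions for illustration.

```python
import fnmatch
import json

# Constructed example policies (added here; not from the original post).
# BROAD_POLICY is the kind of "allow everything" document least privilege warns against.
BROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

# A least-privilege policy for a hypothetical backup reader: it may read and list
# one bucket, and is explicitly forbidden from deleting anything in it.
LEAST_PRIVILEGE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadBackupBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]
    },
    {
      "Sid": "NeverDeleteBackups",
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::example-backups/*"
    }
  ]
}
""")


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one character.
    Action names are case-insensitive, so both sides are lower-cased."""
    return any(fnmatch.fnmatchcase(candidate.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Simplified evaluation of one identity-based policy: an explicit Deny wins
    over any Allow, and with no matching Allow the request is implicitly denied.
    Conditions and NotAction/NotResource are not modelled (assumption)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"
        allowed = True
    return "allow" if allowed else "implicit-deny"


def find_over_broad_statements(policy):
    """Flag Allow statements that grant every action or every resource,
    which is the opposite of least privilege."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "*" in _as_list(stmt["Action"]):
            findings.append((sid, "Action is *"))
        if "*" in _as_list(stmt["Resource"]):
            findings.append((sid, "Resource is *"))
    return findings


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-backups/2024/db.sql"
    print(evaluate(LEAST_PRIVILEGE_POLICY, "s3:GetObject", obj))     # allow
    print(evaluate(LEAST_PRIVILEGE_POLICY, "s3:DeleteObject", obj))  # explicit-deny
    print(evaluate(LEAST_PRIVILEGE_POLICY, "s3:PutObject", obj))     # implicit-deny
    print(find_over_broad_statements(BROAD_POLICY))
```

Running the block shows the three outcomes a reviewer looks for when auditing a policy: what is granted, what is explicitly blocked even if another statement would allow it, and what is never mentioned and therefore denied by default.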
The answer is (D). IAM policies are set up by the users of AWS.
The answer is (B).
The answer is (C).
The answers are (A) and (D). Your administrators can configure AWS programmatically (through the CLI) or by using the Management Console.

(5) IAM Roles

Suppose you have a coffee shop and have hired several employees. You can manage your staff like this: an employee rotates to different work areas depending on demand. He or she can work at the cash register, update the inventory system, or take online orders. When an employee switches to a different role, he/she gives up access to one work area and gains access to the next. An employee can assume only one role at a time.

An IAM role is an IAM identity that you can create in your account and that has specific permissions. An IAM role is similar to an IAM user in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. What is the difference between an IAM user and an IAM role? An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM role does not have any credentials of its own and cannot make direct requests to AWS services. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2. In fact, IAM roles are more often used by applications and services than by people.

In short, an IAM role does not have standard long-term credentials such as a password or access keys associated with it. Instead, an IAM role provides temporary security credentials for the role session. When creating a role, you define a trusted entity: the entity (or beneficiary) that will be trusted to use the role. That entity could be an AWS service (like S3), an identity provided by a third-party federated identity provider (like Google), or a different AWS account.
The answer is (C).
The answer is (C). Option (B) is IAM Groups. Option (D) is incorrect because an IAM role is not an IAM user.
The answer is (B). A role is a powerful alternative to a specific user account. A role is often perfect for a scenario where one service must access another service.

(6) When to use an IAM user, IAM group, or IAM role?

An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM group is primarily a management convenience for managing the same set of permissions for a set of IAM users. An IAM role is an AWS IAM entity with permissions to make AWS service requests. IAM roles cannot make direct requests to AWS services; they are meant to be assumed by authorized entities, such as IAM users, applications, or AWS services such as EC2. Use IAM roles to delegate access within or between AWS accounts.

Remember, an “IAM user” is different from a regular customer “user”. For example, your company website is managed by your company’s “IAM users” in order to serve the regular customers, the “users”.

(7) Federated Access

Your company may already manage a corporate user directory or user identities outside of AWS. If those users need to work with AWS resources (or with applications that access those resources), then those users also need AWS security credentials. It does not make sense to re-create them as IAM users in your AWS account. Instead, you can use an IAM role to specify permissions for users whose identity is federated from your organization or a third-party identity provider (IdP). With an IdP, you manage your user identities outside of AWS and give these external identities permission to use AWS resources in your account.

Here is another use case for federated users. If you create a mobile game that stores data in AWS S3, the app needs security credentials (AWS access keys) in order to programmatically sign in to AWS. You are strongly advised not to embed or distribute long-term AWS credentials with an app that can be downloaded by a user.
The right way is to have your app request temporary AWS security credentials dynamically using web identity federation. The supplied temporary credentials map to an AWS role that has only the permissions needed to perform the tasks required by the mobile app.

Federation is becoming more and more popular. You might access an AWS resource after being successfully authenticated by a social media domain, for example. With web identity federation, users of your app can sign in using an external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP. You can also integrate third-party standards like the Security Assertion Markup Language 2.0 (SAML) or Microsoft’s Active Directory into your infrastructure. This lets you use users’ existing login sessions to add single sign-on (SSO) across your AWS infrastructure.
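The role and federation sections above both turn on the role's trust policy: the document that names which entity (an AWS service, a federated IdP, or another account's principal) may assume the role, and for web identity federation, which app's tokens are accepted. The following added example (not code from the original post) holds three constructed trust policies and a small checker that decides whether a caller may assume the role. The account id 111122223333, the user names and the audience value are placeholders, and only the StringEquals condition operator is modelled.

```python
import json

# Constructed trust policies (added example; not from the original post).
# A role an EC2 instance may assume.
EC2_TRUST = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
""")

# A role for a mobile app using web identity federation with Google. The
# Condition pins the token audience to one app's client id (placeholder value),
# so a Google token issued to some other app cannot assume this role.
WEB_IDENTITY_TRUST = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "accounts.google.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"accounts.google.com:aud": "example-mobile-app-client-id"}}
  }]
}
""")

# A role that one specific IAM user in another (placeholder) account may assume.
CROSS_ACCOUNT_TRUST = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
    "Action": "sts:AssumeRole"
  }]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal_element, caller):
    """caller is {"type": "Service" | "Federated" | "AWS", "id": "..."}.
    The Principal element is either the string "*" (anyone) or a dict keyed by type."""
    if principal_element == "*":
        return True
    allowed = _as_list(principal_element.get(caller["type"], []))
    return caller["id"] in allowed or "*" in allowed


def _conditions_hold(condition_block, context):
    """Only StringEquals is modelled (assumption): every listed key must be
    present in the request context with one of the expected values."""
    for key, expected in condition_block.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True


def can_assume(trust_policy, caller, action, context=None):
    """Decide whether `caller` may perform the STS `action` on the role whose trust
    policy is given. An explicit Deny wins; otherwise some Allow statement must match
    the action, the principal and all of its conditions."""
    context = context or {}
    decision = False
    for stmt in trust_policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    google = {"type": "Federated", "id": "accounts.google.com"}
    print(can_assume(WEB_IDENTITY_TRUST, google, "sts:AssumeRoleWithWebIdentity",
                     {"accounts.google.com:aud": "example-mobile-app-client-id"}))  # True
    print(can_assume(WEB_IDENTITY_TRUST, google, "sts:AssumeRoleWithWebIdentity",
                     {"accounts.google.com:aud": "some-other-app"}))                 # False
```

The point the check makes visible is that the role itself never holds a password or access key: access is granted per session only to callers the trust policy names, and for federated callers only when the token's audience matches the app the role was created for.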
The answer is (A).
The answer is (D).

(7) Encryption

You should always consider encrypting your data for any data managed by an AWS service like the Relational Database Service (RDS), DynamoDB databases, or Elastic Block Store (EBS). AWS provides a number of enterprise-strength encryption tools that are conveniently and effectively integrated into the relevant services. An encryption key is a data file that controls an object’s cryptographic transformation. It is managed by the AWS Key Management Service (KMS). When you choose to encrypt an AWS resource, KMS applies encryption using a customer master key (CMK) that has been generated specifically for your account. The encryption for S3 is similar and there are several ways:
The answer is (C). Encryption ensures that AWS data cannot be understood by someone who might acquire the data.

(8) Getting the Credential Reports

You can generate and download a credential report as a comma-separated values (CSV) file that lists all users in your account and the status of their various credentials, including passwords, access keys, when each user last logged in, and whether MFA devices are activated. The credential report is helpful for IT audit and compliance. You can generate a credential report as often as once every four hours. When you request a report, IAM first checks whether a report for the AWS account has been generated within the past four hours; if so, the most recent report is downloaded. The best practice is to download the credential report regularly.
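Downloading the report regularly is only useful if something reads it. The following added example (not code from the original post) parses a constructed excerpt of a credential report and applies the checks this post recommends: root access keys that should be deleted, console users without MFA, and access keys that have not been rotated in 90 days. The column names follow the real report's layout, but the rows, the account id 111122223333, the fixed "now" date and the 90-day threshold are assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed credential-report excerpt (added example; not a real account).
# Column names match the IAM credential report; every row is made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-05T10:00:00+00:00,not_supported,2024-03-01T08:12:00+00:00,true,true,2020-01-05T10:05:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-06-01T09:00:00+00:00,true,2024-05-30T14:02:00+00:00,true,true,2024-04-15T12:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-06-01T09:00:00+00:00,true,2024-05-29T11:00:00+00:00,false,true,2022-01-10T12:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2022-02-01T09:00:00+00:00,false,no_information,false,true,2024-05-01T12:00:00+00:00,true,2024-05-20T12:00:00+00:00
"""

# Fixed "now" so the results are reproducible; a real audit would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)   # assumed rotation policy


def _parse_time(value):
    """Report timestamps are ISO 8601; 'N/A', 'no_information' and 'not_supported' carry no date."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credential_report(report_csv, now=NOW, max_key_age=MAX_KEY_AGE):
    """Return (user, finding) tuples, in report order, for: root access keys present,
    console users without MFA, and active access keys older than max_key_age."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root access key {slot} should be deleted"))
            rotated = _parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and now - rotated > max_key_age:
                age = (now - rotated).days
                findings.append((user, f"access key {slot} not rotated for {age} days"))
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

On the sample data the root user is flagged for an access key that should not exist at all, and bob is flagged twice: a stale key and a console password with no MFA. The root row is the reason for the `not_supported` handling: the root user's password column never reads `true`, so the MFA check is driven by the users who actually have console passwords.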
The answer is (D).

(9) Compliance (AWS Artifact)

Certain financial, health or employment data must meet the regulatory standards required by your industry and government. How do you know which data elements need to comply with which regulation? AWS Artifact is a central resource for any compliance-related information. AWS calls a regulatory document an artifact, and AWS Artifact is the portal to all the documentation. Reports available in AWS Artifact include Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).

The SOC reports can be used by AWS customers in the United States to attest to AWS infrastructure compliance with data accountability standards like Sarbanes-Oxley. Remember, the Sarbanes-Oxley Act is a United States federal law that sets strict requirements to prevent fraud for all U.S. public company boards, management and public accounting firms. So the SOC reports can help you design secure and reliable credit card transaction applications.
The answer is (B).
The answers are (A) and (E).
The answer is (C). AWS Artifact is your go-to central resource for compliance-related information that matters to you. It provides on-demand access to AWS’s security and compliance reports and select online agreements. Reports available in AWS Artifact include Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls.

(10) AWS Attestation

IT standards consist of Certifications and Attestations; Laws, Regulations and Privacy; and Alignments and Frameworks. Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance. AWS customers remain responsible for complying with applicable compliance laws, regulations and privacy programs. Compliance alignments and frameworks include published security or compliance requirements for a specific purpose, such as a specific industry or function.
The answers are (B) and (C). Third-party and independent organizations provide the attestations for AWS.

(10) AWS Shield

A denial-of-service (DoS) attack is a deliberate attempt to make a website or application unavailable to users. It can come from a single attacker or from a group of attackers; when multiple sources are used at once to make a website or application unavailable, it becomes a distributed denial-of-service (DDoS) attack. AWS Shield is a protection service against DDoS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield: Standard and Advanced.
The answer is (D).

(10.1) AWS Shield Standard

AWS Shield Standard automatically protects all AWS customers at no cost. It protects your AWS resources from the most common, frequently occurring types of DDoS attacks. As network traffic comes into your applications, AWS Shield Standard uses a variety of analysis techniques to detect malicious traffic in real time and automatically mitigates it.

(10.2) AWS Shield Advanced

AWS Shield Advanced is a paid service that provides detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS attacks. It also integrates with other services such as Amazon CloudFront, Amazon Route 53, and Elastic Load Balancing.

(11) AWS Key Management Service (AWS KMS)

AWS Key Management Service (AWS KMS) lets you perform encryption operations through the use of cryptographic keys.

(12) AWS Web Application Firewall (WAF)

AWS WAF is a web application firewall that lets you monitor the network requests that come into your web applications. It works together with Amazon CloudFront and an Application Load Balancer.
The answer is (C). Firewalling in AWS web hosting designs lets security measures be implemented at every layer of the design.

(13) Amazon Inspector

Amazon Inspector helps to improve the security and compliance of applications by running automated security assessments.

(14) Amazon GuardDuty

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, and DNS logs. It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment.

(15) AWS Acceptable Use Policy (AUP)

The Acceptable Use Policy governs your use of the services offered by Amazon Web Services.
The answer is (D).
The answer is (C). The AWS Acceptable Use Policy (along with other agreements governing the use of AWS) can be found on the AWS website. If you have any questions about how your use case aligns with AWS policies, consult a legal advisor. AWS Support cannot provide legal advice regarding your use of Amazon Web Services.
The answer is (E). You can request permission from AWS to do penetration testing on your resources. Currently, the permitted resources are EC2, RDS, Aurora, CloudFront, API Gateway, Lambda, Lightsail, and DNS Zone Walking.

(16) National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST) 800-53 security controls are generally applicable to US Federal Information Systems. Federal Information Systems typically must go through a formal assessment and authorization process to ensure sufficient protection of the confidentiality, integrity, and availability of information and information systems. Characteristics of Cloud Computing as per NIST:
The answer is (D). NIST defines cloud computing using several common characteristics. Dedicated hardware is possible with AWS and other cloud implementations, but it is not common and is not one of the characteristics that NIST defines.

(17) AWS Organizations

AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. Using AWS Organizations, you can programmatically create new AWS accounts and allocate resources, group accounts to organize your workflows, apply policies to accounts or groups for governance, and simplify billing by using a single payment method for all of your accounts. When you create an organization, AWS Organizations automatically creates a root, which is the parent container for all the accounts in your organization.

(17.1) Service Control Policies (SCPs)

In AWS Organizations, you can centrally control permissions for the accounts in your organization by using service control policies (SCPs). SCPs let you place restrictions on the AWS services, resources, and individual API actions that users and roles in each account can access.

(17.2) Organizational Units

In AWS Organizations, you can group accounts into organizational units (OUs) to make it easier to manage accounts with similar business or security requirements. When you apply a policy to an OU, all the accounts in the OU automatically inherit the permissions specified in the policy. By organizing separate accounts into OUs, you can more easily isolate workloads or applications that have specific security requirements.
The answers are (C) and (E).

Which actions can you perform in Amazon Route 53?
You can use Route 53 to perform three main functions in any combination: domain registration, DNS routing, and health checking. Your website needs a name, such as example.com. Route 53 lets you register a name for your website or web application, known as a domain name.

Which actions can you perform in Amazon Route 53 (select two)?
An Alias record can map one DNS name to another Amazon Route 53 DNS name.
(a) Route 53 record sets with weighted routing policy
(b) Route 53 record sets with latency based routing policy
(c) Auto Scaling with scheduled scaling actions set
(d) Elastic Load Balancing with health checks enabled

Which of the following does Amazon Route 53 effectively connect user requests to?
Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service. Route 53 connects user requests to internet applications running on AWS or on-premises.

Can Route 53 be used to route users to infrastructure outside of AWS?
AWS Route 53 connects requests to infrastructure running in AWS, such as AWS ELB, Amazon EC2 instances, or Amazon S3 buckets. In addition, AWS Route 53 can also be used to route users to infrastructure outside of AWS.