Which actions can you perform in Amazon Route 53 select two connect user requests to infrastructure in AWS and outside of AWS?


Security: People may worry whether their data are safe in the cloud. AWS has designed multiple layers to secure data and services to the highest standard. Security is achieved by verifying who is making a request (authentication) and controlling which services they are allowed to use (authorization). In this section you will learn how to use the Identity and Access Management (IAM) service to control who can access which services.

Compliance: Certain financial data or health data are sensitive and must comply with the law. So besides security, this post also covers compliance.

(1) The Root User

Logging in as the root user means you sign in with the email address and password of your AWS account. You then have full access to all services. If the root user is compromised through an attack, the attacker has full access to your data. So you need to protect your root user with a strong password and multi-factor authentication (MFA). Lock away root access and replace its day-to-day functionality by setting up IAM users and groups for your administration tasks, as shown in Figure (1). You can grant this administrator the “AdministratorAccess” policy, which has full access to all services. You also want to use MFA for the privileged IAM users who have admin permissions to your AWS account.

You probably already use multi-factor authentication (MFA) for your Gmail account as a second layer of security. MFA sends a temporary digital token to a preset device such as your smartphone. Although this is very simple, it is effective because a remote attacker usually does not have the device in hand.


Figure (1)

(Question) Which of the following is not an element of good security design principles?

(A) Security in depth

(B) Automation

(C) Root account usage

(D) Traceability

The answer is (C). The root account should be used as sparingly as possible.

(Question) How would a system administrator add an additional layer of login security to a user’s AWS Management Console?

(A) Use Amazon Cloud Directory

(B) Audit AWS Identity and Access Management (IAM) roles

(C) Enable multi-factor authentication

(D) Enable AWS CloudTrail

The answer is (C).

(Question) Which of the following should you do to secure your AWS root user? (Select two)

(A) Assign the root user to the “admins” IAM group.

(B) Use the root user for day-to-day administration tasks.

(C) Enable MFA.

(D) Create a strong password.

The answers are (C) and (D).

(Question) Which of the following IAM policies is the best choice for the admin user you create in order to replace the root user for day-to-day administration tasks?

(A) AdministratorAccess

(B) AmazonS3FullAccess

(C) AmazonEC2FullAccess

(D) AdminAccess

The answer is (A).

(Question) What are two security advantages of working with AWS? (Choose two)

(A) You can use MFA.

(B) AWS handles security of your compute resources.

(C) You retain complete control and ownership of your data resources in a region.

(D) AWS performs periodic penetration testing against your operating systems.

The answers are (A) and (C). AWS provides multi-factor authentication for AWS users and ensures that you retain complete control and ownership of your data resources that exist in an AWS region. Option (B) is incorrect because, under the shared responsibility model, users are responsible for the security of their own compute resources.

(Question) In a high security environment, what should you do with privileged user accounts?

(A) Store credentials in an S3 bucket

(B) Create roles that mimic the accounts

(C) Use MFA with these accounts

(D) Share the access keys with other accounts that require access

The answer is (C). You should always use Multifactor Authentication, if possible, especially with privileged users.

(Question) What two security measures are recommended for your root user account with AWS? (Choose two.)

(A) Delete the access keys.

(B) Use MFA.

(C) Use the root user account for administration exclusively.

(D) Clone the root user account for redundancy.

The answers are (A) and (B). It is recommended to delete the root user access keys and to use MFA on the account.

(2) IAM Users

Identity and access management (IAM) is a framework of business processes, policies and technologies that facilitates the management of electronic or digital identities. With an IAM framework in place, information technology (IT) managers can control user access to critical information within their organizations. An IAM user represents a person or service that interacts with AWS. Any activity performed by that user is billed to your account.

An IAM user consists of a name and a set of credentials. Each person should have his/her own login credentials. When creating a user, you can enable a user to access the resources in two ways: (a) through the AWS Management Console, or (b) programmatically by using the Command Line Interface (AWS CLI) and AWS API.


(3) IAM Groups

However, if your organization has many users with different needs for the services, it is hard for the IT manager to authorize them one by one. It is more convenient and scalable to manage permissions for users by group. An IAM group is a collection of users. All users in the group inherit the same permissions, called policies, that are assigned to the group. This makes it easy to give permissions to multiple users at once.

IAM groups have many advantages. Suppose your company maintains a website with administrators, developers and account managers working on it. You can create an admin group, a developer group and an account manager group. If your company hires a new developer, you simply create a user name and credentials for the person and add them to the developer group. Note that groups cannot belong to another group.

(Question) What’s the most efficient method for managing permissions for multiple IAM users?

(A) Assign users requiring similar permissions to IAM roles.

(B) Assign users requiring similar permissions to IAM groups.

(C) Assign IAM users permissions common to others with similar administration responsibilities.

(D) Create roles based on IAM policies, and assign them to IAM users.

The answer is (B).

(4) Policies

A policy is a document that defines permissions, allowing IAM identities (users, groups of users, or roles) to do something with AWS resources. AWS supports six types of policies:

  • Identity-based policies: Attach policies to IAM identities (users, groups to which users belong, or roles). Identity-based policies grant permissions to an identity.
  • Resource-based policies: Attach policies to resources. The most common examples of resource-based policies are Amazon S3 bucket policies and IAM role trust policies.
  • Permissions boundaries: Use a policy that defines the maximum permissions that the identity-based policies can grant to an entity, but does not grant permissions.
  • Organizations SCPs (Service Control Policy): Define the maximum permissions for account members of an organization or organizational unit (OU). SCPs limit permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions.
  • Access control lists (ACLs): Control which principals in other accounts can access the resource to which the ACL is attached. ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document structure.
  • Session policies: Pass advanced session policies when you use the AWS CLI or AWS API to assume a role or a federated user.

Below are some examples of identity-based policies.

  • Allows access during a specific range of dates.
  • Allows MFA-authenticated users to manage their own credentials.
  • Allows users to manage their own MFA device.
  • Allows users to manage their own password.
  • Denies access to AWS based on the requested Region.
  • Denies access to AWS based on the source IP address.

Most policies are stored in AWS as JSON documents.

When you create IAM policies, follow the standard security advice of granting least privilege, or granting only the permissions required to perform a task. Determine what users (and roles) need to do and then craft policies that allow them to perform only those tasks.
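Two of the patterns listed above, denying by source IP address and denying by requested Region, can be seen working in the following added example. It is not code from the original post or from AWS: it is a deliberately simplified model of how IAM decides on a request (an explicit Deny always wins, otherwise an Allow is needed, otherwise the request is implicitly denied), and the bucket name, corporate IP range and approved Regions are invented.

```python
"""Simplified model of IAM identity-based policy evaluation (added example, not AWS code).

Core rule modelled: any matching Deny statement wins, otherwise at least one matching
Allow is required, and a request no statement covers is implicitly denied.
NotAction, NotResource, policy variables and the other policy types are out of scope.
"""
import fnmatch
import ipaddress
import json

# Constructed identity-based policy for a developer.  The bucket name, the corporate
# IP range and the approved Regions are invented for this example.
DEVELOPER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowObjectAccessInAppBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-app-bucket/*"
    },
    {
      "Sid": "DenyOutsideCorporateNetwork",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
    },
    {
      "Sid": "DenyUnapprovedRegions",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}}
    }
  ]
}
""")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """True when every operator/key pair in a Condition block holds for the request."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = _as_list(expected)
            if operator in ("StringEquals", "StringNotEquals"):
                if (actual in expected) != (operator == "StringEquals"):
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                hit = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                    for cidr in expected)
                if hit != (operator == "IpAddress"):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def _statement_applies(stmt, action, resource, context):
    """Actions are case-insensitive with * and ? wildcards; ARNs are matched case-sensitively."""
    if not any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
               for pattern in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, pattern)
               for pattern in _as_list(stmt["Resource"])):
        return False
    return _condition_matches(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context):
    """Return "Allow", "ExplicitDeny" or "ImplicitDeny" for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # an explicit deny overrides every Allow
            decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-app-bucket/report.csv"
    office = {"aws:SourceIp": "203.0.113.10", "aws:RequestedRegion": "us-east-1"}
    print(evaluate([DEVELOPER_POLICY], "s3:GetObject", obj, office))     # Allow
    print(evaluate([DEVELOPER_POLICY], "s3:DeleteObject", obj, office))  # ImplicitDeny
    print(evaluate([DEVELOPER_POLICY], "s3:GetObject", obj,
                   {**office, "aws:SourceIp": "198.51.100.7"}))           # ExplicitDeny
```

The Allow statement is the least-privilege part (two actions on one bucket); the two Deny statements show why an explicit Deny is the right tool for a guardrail, since no later Allow can override it.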

(Question) Which of the following is not an example of an Amazon responsibility in the AWS Shared Responsibility model?

(A) Physical security of the data center

(B) Cloud software

(C) Edge locations

(D) IAM policies

The answer is (D). IAM policies are set up by the users of AWS.

(Question) Which statement best describes an IAM policy?

(A) An authentication process that provides an extra layer of protection for your AWS account

(B) A document that grants or denies permissions to AWS services and resources

(C) An identity that you can assume to gain temporary access to permissions

(D) The identity that is established when you first create an AWS account

The answer is (B).

(Question) Which statement best describes the principle of least privilege?

(A) Adding an IAM user into at least one IAM group

(B) Checking a packet’s permissions against an access control list

(C) Granting only the permissions that are needed to perform specific tasks

(D) Performing a denial of service attack that originates from at least one device

The answer is (C).

(Question) What two forms of access can an IAM policy help control for your administrators? (Select two)

(A) Programmatic

(B) Internet based

(C) On-premises based

(D) Management Console

The answers are (A) and (D). Your administrators can configure AWS programmatically (through CLI) or by using the Management Console.

(5) IAM Roles

Suppose you have a coffee shop and have hired several employees. You can manage your staff like this: an employee can rotate to different work areas depending on demand. He or she can work at the cash register, update the inventory system, or take online orders. When an employee switches to a different role, he/she gives up access to one work area and gains access to the next. An employee can assume one role at a time.

An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS.

What is the difference between an IAM user and IAM role? An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM role does not have any credentials and cannot make direct requests to AWS services. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2. In fact, the IAM roles are often used by applications and services rather than people.

In short, an IAM role does not have standard long-term credentials such as a password or access keys associated with it. Instead, an IAM role provides temporary security credentials for the role session.

When creating a role, you define a trusted entity — the entity (or beneficiary) that will be trusted to use the role. That entity could be an AWS service (like S3), an identity provided by a third-party federated identity provider (like Google), or a different AWS account.

(Question) An employee requires temporary access to create several Amazon S3 buckets. Which option would be the best choice for this task?

(A) AWS account root user

(B) IAM group

(C) IAM role

(D) Service control policy (SCP)

The answer is (C).

(Question) What is an IAM role?

(A) A set of permissions allowing access to specified AWS resources

(B) A set of IAM users given permission to access specified AWS resources

(C) Permissions granted a trusted entity over specified AWS resources

(D) Permissions granted an IAM user over specified AWS resources

The answer is (C). Option (B) is IAM Groups. Option (D) is incorrect because an IAM role is not an IAM user.

(Question) What identity in IAM is very similar to a user account but has no credentials associated with it?

(A) Group

(B) Role

(C) Proxy user

(D) Principle

The answer is (B). A role is a powerful alternative to a specific user account. A role is often perfect for use in a scenario where one service must access another service.

(6) When to use an IAM user, IAM group, or IAM role?

An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM group is primarily a management convenience to manage the same set of permissions for a set of IAM users. An IAM role is an AWS IAM entity with permissions to make AWS service requests. IAM roles cannot make direct requests to AWS services; they are meant to be assumed by authorized entities, such as IAM users, applications, or AWS services such as EC2. Use IAM roles to delegate access within or between AWS accounts. Remember, an “IAM user” is different from a regular customer “user”. For example, your company website is managed by your company’s “IAM users” in order to serve the regular customers, the “users”.

(7) Federated Access

Your company may already manage a corporate user directory or user identities outside of AWS. If those users need to work with AWS resources (or with applications that access those resources), then they also need AWS security credentials. It does not make sense to re-create them as IAM users in your AWS account. Instead, you can use an IAM role to specify permissions for users whose identity is federated from your organization or a third-party identity provider (IdP). With an IdP, you manage your user identities outside of AWS and give these external identities permission to use AWS resources in your account.

Here is another use case for federated users. If you create a mobile game that stores data in AWS S3, the app needs security credentials (AWS access keys) in order to sign in to AWS programmatically. You are strongly advised not to embed or distribute long-term AWS credentials in an app that any user can download. The right way is to have your app request temporary AWS security credentials dynamically using web identity federation. The supplied temporary credentials map to an AWS role that has only the permissions needed to perform the tasks the mobile app requires. Federation is becoming more and more popular. You might access an AWS resource after being successfully authenticated by a social media domain, for example.

With web identity federation, users of your app can sign in using an external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP. You can integrate third-party standards like the Security Assertion Markup Language 2.0 (SAML) or Microsoft’s Active Directory into your infrastructure. This lets you use users’ existing login sessions to add single sign-on (SSO) across your AWS infrastructure.

(Question) What is the primary function of the AWS IAM service?

(A) Identity and access management

(B) Access key management

(C) SSH key pair management

(D) Federated access management

The answer is (A).

(Question) IAM can permit access to accounts that have already been authenticated in another domain or application. What is this called?

(A) Proxy trust

(B) Role sharing

(C) Proxy

(D) Federation

The answer is (D).

(7) Encryption

You should always consider encrypting data managed by an AWS service such as Relational Database Service (RDS), DynamoDB databases, or Elastic Block Store (EBS). AWS provides a number of enterprise-strength encryption tools that are conveniently and effectively integrated into the relevant services. An encryption key is a data file that controls an object’s cryptographic transformation; it is managed by the AWS Key Management Service (KMS). When you choose to encrypt an AWS resource, KMS applies encryption using a customer master key (CMK) generated specifically for your account.

Encryption for S3 works similarly, and there are several ways to do it:

  • Server-side encryption: S3 encrypts the objects of a bucket, and you can enable it at any time, during or after bucket creation. You can select either S3-managed keys (SSE-S3) or KMS-managed keys (SSE-KMS). You will probably not notice the process because it all happens on the server side. What is the advantage of server-side encryption? It prevents the wrong people from reading the objects stored in your S3 buckets.
  • Server-side encryption does not cover the path to S3: you also have to worry about attackers intercepting those objects while they are in transit from your local infrastructure, which is what client-side encryption addresses.
  • Client-side encryption: your data are encrypted before being uploaded to S3. This can be done using either a KMS-managed customer master key or a client-side master key.

(Question) Amazon is interested in offering you high levels of confidentiality with your data in AWS. What is a key technology area that accommodates this?

(A) Authentication

(B) Hashing

(C) Encryption

(D) Fault tolerance

The answer is (C). Encryption ensures that AWS data cannot be understood by someone who might acquire the data.

(8) Getting the Credential Reports

You can generate and download a credential report in a comma-separated values (CSV) file that lists all users in your account and the status of their various credentials, including passwords, access keys, when each of the users logged in, and whether MFA devices are activated. The credential report is helpful for IT audit and compliance.

You can generate a credential report as often as once every four hours. When you request a report, IAM first checks whether a report for the AWS account has been generated within the past four hours. If so, the most recent report is downloaded. The best practice is to regularly download the credential report.
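The audit described above, as an added example that is not code from the original post or from AWS: it parses a credential report in the real report's CSV column layout and flags the conditions the earlier sections warn about (active root access keys, a root user or console user without MFA, idle passwords, and unrotated access keys). The sample report, account id, user names, dates and the 90-day thresholds are constructed for this example.

```python
"""Audit an IAM credential report for weak credential hygiene (added example, not AWS code).

The report is the CSV described in the text.  This script flags the conditions the
earlier sections warn about: active root access keys, console users without MFA,
long-idle passwords and access keys that have not been rotated.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the real report's column layout.  The account id, user names
# and dates are invented; root appears as <root_account> as it does in real reports.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2021-05-04T10:00:00+00:00,not_supported,2024-04-01T08:00:00+00:00,not_supported,not_supported,true,true,2021-05-04T10:05:00+00:00,2024-03-30T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-01-10T09:00:00+00:00,true,2024-04-02T07:30:00+00:00,2024-01-15T09:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-01T09:00:00+00:00,true,2023-09-20T11:00:00+00:00,2022-06-01T09:00:00+00:00,N/A,false,true,2022-06-01T09:10:00+00:00,2024-04-01T06:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2023-02-14T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-02-14T12:00:00+00:00,2024-04-02T05:00:00+00:00,us-east-1,s3,true,2023-12-01T12:00:00+00:00,no_information,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" so the sample audit is reproducible (constructed).
REPORT_DATE = datetime(2024, 4, 3, tzinfo=timezone.utc)


def _parse_time(value):
    """Timestamps are ISO 8601; placeholders such as N/A or no_information give None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now, max_key_age_days=90, max_idle_days=90):
    """Return (user, finding) pairs.  The day thresholds are this example's assumptions."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Advice from the root-user section: delete root access keys and enable MFA.
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    findings.append((user, f"root access key {slot} is active; delete it"))
            if row["mfa_active"] != "true":
                findings.append((user, "root user has no MFA device"))
            continue
        console = row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        last_login = _parse_time(row["password_last_used"])
        if console and last_login and now - last_login > timedelta(days=max_idle_days):
            findings.append((user, f"console password unused for over {max_idle_days} days"))
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {slot} not rotated for over {max_key_age_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, REPORT_DATE):
        print(f"{user}: {finding}")
```

Feeding it a real report downloaded from the IAM console (or `aws iam get-credential-report`, which returns the CSV base64-encoded) gives the same findings for your own account.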

(Question) What information does the IAM credential report provide?

(A) A record of API requests against your account resources

(B) A record of failed password account login attempts

(C) The current state of your account security settings

(D) The current state of security of your IAM users’ access credentials

The answer is (D).

(9) Compliance (AWS Artifact)

Certain financial data, health data or employment data must meet the regulatory standards required by your industry and government. How do you know which data elements need to comply with a regulation? AWS Artifact is a central resource for any compliance-related information. AWS calls a regulatory document an artifact, and AWS Artifact is the portal to all of that documentation. Reports available in AWS Artifact include the Service Organization Control (SOC) reports, the Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA). The Service Organization Control (SOC) reports can be used by AWS customers in the United States to attest to AWS infrastructure compliance with data accountability standards like Sarbanes–Oxley. Remember that the Sarbanes-Oxley Act is a United States federal law that sets strict requirements to prevent fraud for all U.S. public company boards, management and public accounting firms. So the SOC reports can help you design secure and reliable credit card transaction applications.

(Question) What is the purpose of the Service Organization Controls (SOC) reports found on AWS Artifact?

(A) They can be used to help you design secure and reliable credit card transaction applications.

(B) They attest to AWS infrastructure compliance with data accountability standards like Sarbanes–Oxley.

(C) They guarantee that all AWS-based applications are, by default, compliant with Sarbanes–Oxley standards.

(D) They’re an official, ongoing risk-assessment profiler for AWS-based deployments.

The answer is (B).

(Question) Which tasks can you complete in AWS Artifact? (Select TWO.)

(A) Access AWS compliance reports on-demand.

(B) Consolidate and manage multiple AWS accounts within a central location.

(C) Create users to enable people and applications to interact with AWS services and resources.

(D) Set permissions for accounts by configuring service control policies (SCPs).

(E) Review, accept, and manage agreements with AWS.

The answers are (A) and (E).

(Question) What is a central resource for compliance-related AWS information?

(A) CodeLearn

(B) Lambda

(C) Artifact

(D) ProtectGuard

The answer is (C). AWS Artifact is your go-to central resource for compliance-related information that matters to you. It provides on-demand access to AWS’s security and compliance reports and select online agreements. Reports available in AWS Artifact include the Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls.

(10) AWS Attestation

IT standards consist of Certifications and Attestations, Laws, Regulations and Privacy, and Alignments and Frameworks. Compliance certifications and attestations are assessed by a third-party, independent auditor and result in a certification, audit report, or attestation of compliance. AWS customers remain responsible for complying with applicable compliance laws, regulations and privacy programs. Compliance alignments and frameworks include published security or compliance requirements for a specific purpose, such as a specific industry or function.

(Question) Amazon seeks out attestations from what types of organizations? (Choose two)

(A) Dependent

(B) Independent

(C) Third party

(D) Subsidiary

The answers are (B) and (C). Third-party and independent organizations provide the attestations for AWS.

(10) AWS Shield

A denial-of-service (DoS) attack is a deliberate attempt to make a website or application unavailable to users. The attack can come from a single attacker or from a group of attackers. When many sources flood the target at once, it becomes a distributed denial-of-service (DDoS) attack.

AWS Shield is a managed protection service against distributed denial-of-service (DDoS) attacks. It provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield: Standard and Advanced.

(Question) Which service helps protect your applications against distributed denial-of-service (DDoS) attacks?

(A) Amazon GuardDuty

(B) Amazon Inspector

(C) AWS Artifact

(D) AWS Shield

The answer is (D).

(10.1) AWS Shield Standard

AWS Shield Standard automatically protects all AWS customers at no cost. It protects your AWS resources from the most common, frequently occurring types of DDoS attacks. As network traffic comes into your applications, AWS Shield Standard uses a variety of analysis techniques to detect malicious traffic in real time and automatically mitigates it.

(10.2) AWS Shield Advanced

AWS Shield Advanced is a paid service that provides detailed attack diagnostics and the ability to detect and mitigate sophisticated DDoS attacks. It also integrates with other services such as Amazon CloudFront, Amazon Route 53, and Elastic Load Balancing.

(11) AWS Key Management Service (AWS KMS)

AWS Key Management Service (AWS KMS) lets you perform encryption operations through the use of cryptographic keys.

(12) AWS Web Application Firewall (WAF)

AWS WAF is a web application firewall that lets you monitor network requests that come into your web applications. It works together with Amazon CloudFront and an Application Load Balancer.

(Question) Where should firewalling be accomplished in a web hosting design in AWS?

(A) At the perimeter

(B) At the core

(C) At all design layers

(D) For all access layer functions

The answer is (C). Firewalling in AWS web hosting designs allows security measures to be implemented at all layers of the design.

(13) Amazon Inspector

Amazon Inspector helps to improve the security and compliance of applications by running automated security assessments.

(14) Amazon GuardDuty

Amazon GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, EKS audit logs, and DNS logs. It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, together with machine learning to identify unexpected and potentially unauthorized or malicious activity within your AWS environment.

(15) AWS Acceptable Use Policy (AUP)

The Acceptable Use Policy governs your use of the services offered by Amazon Web Services.


(Question) Where can a user find information about prohibited actions on the AWS infrastructure?

(A) AWS Trusted Advisor

(B) AWS Identity and Access Management (IAM)

(C) AWS Billing Console

(D) AWS Acceptable Use Policy

The answer is (D).

(Question) Your security team wants information from you on the specifics that are permitted and prohibited against your AWS infrastructure. Where can you find this information?

(A) Trusted Advisor

(B) CloudWatch

(C) AUP

(D) IAM

The answer is (C). The AWS Acceptable Use Policy (along with other agreements governing the use of AWS) can be found on the AWS website. If you have any questions about how your use case aligns with AWS policies, consult a legal advisor. AWS Support cannot provide legal advice regarding your use of Amazon Web Services.

(Question) You are interested in performing penetration testing on your EC2 instances hosted in AWS. Which statement is correct, per the AWS Acceptable Use Policy?

(A) It may be performed by customers against their own instances if performed from EC2 instances.

(B) It is periodically performed by AWS.

(C) It is performed by AWS upon customer request.

(D) It is expressly prohibited under all circumstances.

(E) It may be performed by customers against their own instances with prior authorization from AWS.

The answer is (E). You can request permission from AWS to do penetration testing on your resources. Currently, the permitted resources are EC2, RDS, Aurora, CloudFront, API Gateway, Lambda, Lightsail, and DNS Zone Walking.

(16) National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST) 800–53 security controls are generally applicable to US Federal Information Systems. Federal Information Systems typically must go through a formal assessment and authorization process to ensure sufficient protection of confidentiality, integrity, and availability of information and information systems.

Characteristics of Cloud Computing as per NIST:

  • On-demand self-service: computing services such as email, applications, networks or servers can be provisioned as needed.
  • Broad network access
  • Resource pooling
  • Rapid elasticity
  • Measured service
  • Multi-tenancy

(Question) Which of the following is not a common cloud characteristic, as defined by NIST?

(A) On-demand self-service

(B) Measured service

(C) Broad network access

(D) Dedicated hardware

The answer is (D). NIST defines cloud computing using several common characteristics. Dedicated hardware is possible with AWS and cloud implementations, but this is not common and not one of the common characteristics that NIST defines.

(17) AWS Organizations

AWS Organizations helps you centrally manage and govern your environment as you grow and scale your AWS resources. Using AWS Organizations, you can programmatically create new AWS accounts and allocate resources, group accounts to organize your workflows, apply policies to accounts or groups for governance, and simplify billing by using a single payment method for all of your accounts.


When you create an organization, AWS Organizations automatically creates a root, which is the parent container for all the accounts in your organization.

(17.1) Service Control Policies (SCPs)

In AWS Organizations, you can centrally control permissions for the accounts in your organization by using service control policies (SCPs). SCPs enable you to place restrictions on the AWS services, resources, and individual API actions that users and roles in each account can access.

(17.2) Organizational Units

In AWS Organizations, you can group accounts into organizational units (OUs) to make it easier to manage accounts with similar business or security requirements. When you apply a policy to an OU, all the accounts in the OU automatically inherit the permissions specified in the policy. By organizing separate accounts into OUs, you can more easily isolate workloads or applications that have specific security requirements.

(Question) You are configuring service control policies (SCPs) in AWS Organizations. Which identities and resources can SCPs be applied to? (Select two)

(A) IAM users

(B) IAM groups

(C) An individual member account

(D) IAM roles

(E) An organizational unit (OU)

The answers are (C) and (E).

Which actions can you perform in Amazon Route 53?

You can use Route 53 to perform three main functions in any combination: domain registration, DNS routing, and health checking. Your website needs a name, such as example.com. Route 53 lets you register a name for your website or web application, known as a domain name.

Which actions can you perform in Amazon Route 53? (Select two)

  • An Alias record can map one DNS name to another Amazon Route 53 DNS name.
  • Route 53 record sets with weighted routing policy.
  • Route 53 record sets with latency-based routing policy.
  • Auto Scaling with scheduled scaling actions set.
  • Elastic Load Balancing with health checks enabled.

Which of the following does Amazon Route 53 effectively connect user requests to?

Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service. Route 53 connects user requests to internet applications running on AWS or on-premises.

Can Route 53 be used to route users to infrastructure outside of AWS?

AWS Route 53 connects requests to infrastructure running in AWS, such as Elastic Load Balancing load balancers, Amazon EC2 instances, or Amazon S3 buckets. In addition, Route 53 can also route users to infrastructure outside of AWS.