AWS
Access Keys are digitally signed requests to AWS API's. Keys Pairs are used for sshing
to EC2 instances, and for Cloudfront signed urls. Amazon uses 1024 bit SSH-2 RSA
keys. You can have them generated or upload your own. X509 certificates are only for
SOAP requests to API's. - ANSWERWhat's the difference in Access Keys, Key Pairs,
and X509 certificates?
AWS allows you to have multiple sets of concurrent keys and certificates, allowing you
to roatate them in and out. - ANSWERWhat features allow you to update your access
keys and certificates with no impact to operations?
Requires you to enter a six digit code in addition to username and password. Code is
retrieved from either a hardware or virtual MFA device - likely an app running on a cell
phone. Utiliza by adding the MFA requirement to an IAM policy, then attaching those
policies to IAM users, groups, or resources that support ACL's like S3 buckets, SQS
queues, and SNS topics. - ANSWERWhat is multifactor authentication (MFA)?
Inspects your AWS environment and makes reommendations to save money, improve
performance, or close security gaps. Looks for common errors like leaving certain ports
open, public access to s3 buckets, not turning on cloudtrail, and not using MFA on root
accounts. - ANSWERWhat's Trusted Adviser used for?
Normally, each EC2 instance you launch is randomly assigned a public IP address in
the amazon EC2 address space. VPC allows you to create an isolated portion of the
AWS cloud and launch EC2 instances that have private address in the range of your
choice (10.0.0.0, for instance) - ANSWERWhy use a VPC
EC2 instances running within a VPC inherit all of the security benefits of the VPC (guest
os protection, protection against packet sniffing), but you must create security groups
specifically for your Amazon VPC. amd Amazon EC2 security groups you have created
will not work inside your Amazon VPC. - ANSWERWhat happens to EC2 security
groups when used inside a amazon VPC?
1. Being able to change the security group after the instance is launched
2. Being able to specify any protocol with a standard number, rather than just TCP,
UDP, or ICMP - ANSWERWhat benefits to VPC security groups give you that EC2
security groups do not?
Inbound communication from other members of the same group, and outbound to any. -
ANSWERWhat does the default VPC security group allow by default?
,Stateless traffic filters (must permit traffic in both directions) that apply to all inbound or
outbound traffic from a subnet within a VPC. Ordered list, based on IP protocol, service
port, and source destination IP - ANSWERHow do network acl's work?
It enables private connectivity between the Amazon VPC and another network. Networj
traffic within each virtual private gateway is isolated from neteork traffic within all other
virtual private gateways. You can establish VPN connections to the Virtual Private
Gateway from gateway devices at your premises. Each connection is secured by a pre-
shared key in conjunction with the IP of the customer gateway device. -
ANSWERWhat's the function of a Virtual Private Gateway?
An internet gateway may be attached to an Amazon VPC to enable direct connectivity
to Amazon S3, other AWS services, and the internet. Each instance desiring this access
must either have an elastic IP associated with it or route traffic through a NAT instance.
Additionally, network routes are configured to direct traffic to the internet gateway. -
ANSWERWhat's the function of an Internet Gateway?
An Elastic IP address is a static IP address designed for dynamic cloud computing. An
Elastic IP address is associated with your AWS account. With an Elastic IP address,
you can mask the failure of an instance or software by rapidly remapping the address to
another instance in your account.
An Elastic IP address is a public IP address, which is reachable from the Internet. If
your instance does not have a public IP address, you can associate an Elastic IP
address with your instance to enable communication with the Internet - ANSWERWhat's
the purpose of an elastic IP?
If your Amazon EC2 instances are located inside a private subnet, you will not be able
to connect to them remotely. To connect to your instances, you can set up bastion
servers in the public subnet to act as proxies. For example, you can set up SSH port
forwarders or RDP gateways in the public subnet to proxy the traffic going to your
database servers from your own network - ANSWERWhat's the purpose of a bastion
host?
1. A default subnet is created in each availability zone
2. An internet gateway is created and connected to your default VPC
3. A main route is created for your default VPC with a rule that sends all traffic destined
for the internet to the internet gateway
4. A default security group is created and associated with your default VPC
5. A default ACL is created an associated with your default VPC
6. Default DHCP options set for your AWS account are associated with your default
VPC - ANSWERWhat automatically happens for you when you launch a first time
instance into EC2-VPC (also known as the default VPC)?
1. In the default VPC, instances will receive a public and a private IP automatically. In a
normal VPC, will only get private
, 2. DNS names are enabled by default in the default VPC. Not in a normal VPC -
ANSWERSome differences in launching EC2 instances in the default VPC vs a normal
VPC
Gives customers an easy way to distribute content to end users with low latency and
high speed. Delivers dynamic, static, and streaming content using a glocal network of
edge locations. Requests for data are automatically routed to the nearest edge location,
so content is delivered with best possible performance. Optimized to work with S3, EC2,
, ELB, and route 53. Can also work with non AWS orgin servers that store original
versions of files. - ANSWERWhat's the purpose of cloudfront?
You can enable the service's provate content feature. Has 2 components - one controls
how content is delivered from edge locations to viewers on the internet, second controls
how edge locations access objects in Amazon S3. Cloudfront also supports Geo
Restriction, which restricts access to your content based on the geographic location of
your viewers - ANSWERWhat are some of the ways that Cloudfront it secured?
Cloudfront allows you to create one or more "Orgin Access Identities" and associate
these with your distributions. When associated, the distribution will use that identity to
retirve objects from S3. You can then ise S3's ACL feature, which limits access to the
Orgin Access Identity so the original copy of the object is not publicly readable. -
ANSWERHow can you control access to the original copies of your S3 objects when
using Cloudfront?
The service uses a signed URL verification system. Create a public-private key pair,
upload the public key to your account via the console, then configure the CloudFront
distribution to indicate which accounts you would authorize to sign requests. Third, as
you receive requests, you create policy documents indicating the conditions under
which you want CloudFront to serve your content. Feature is optional. Without this
feature, all content delivered will be publicly readable. - ANSWERHow can you control
who is able to download objects from Cloudfront edge locations?
HTTPS is optional. By default, CloudFront will accept requests over both. You can
configure CloudFront to require HTTPS, and you can even require it to allow HTTP for
some objects but require HTTPS for others. - ANSWERBy default, does CloudFront use
HTTP or HTTPS?
Allows you to provision a direct link between your internal network and an AWS region
using a high throughput dedicated connection. You can then create virtual interfaces
directly to the AWS cloud. You procure rackspace within the facility housing the Direct
Connect location and deploy your equipement, then connect to to AWS Direct Connect
using a cross connect. Use 802.1q vlans the partition the connection into multiple virtual
interfaces. Using BGP and MD5 keys. - ANSWERWhat's the use case for Direct
Connect?
Access Keys are digitally signed requests to AWS API's. Keys Pairs are used for sshing
to EC2 instances, and for Cloudfront signed urls. Amazon uses 1024 bit SSH-2 RSA
keys. You can have them generated or upload your own. X509 certificates are only for
SOAP requests to API's. - ANSWERWhat's the difference in Access Keys, Key Pairs,
and X509 certificates?
AWS allows you to have multiple sets of concurrent keys and certificates, allowing you
to roatate them in and out. - ANSWERWhat features allow you to update your access
keys and certificates with no impact to operations?
Requires you to enter a six digit code in addition to username and password. Code is
retrieved from either a hardware or virtual MFA device - likely an app running on a cell
phone. Utiliza by adding the MFA requirement to an IAM policy, then attaching those
policies to IAM users, groups, or resources that support ACL's like S3 buckets, SQS
queues, and SNS topics. - ANSWERWhat is multifactor authentication (MFA)?
Inspects your AWS environment and makes reommendations to save money, improve
performance, or close security gaps. Looks for common errors like leaving certain ports
open, public access to s3 buckets, not turning on cloudtrail, and not using MFA on root
accounts. - ANSWERWhat's Trusted Adviser used for?
Normally, each EC2 instance you launch is randomly assigned a public IP address in
the amazon EC2 address space. VPC allows you to create an isolated portion of the
AWS cloud and launch EC2 instances that have private address in the range of your
choice (10.0.0.0, for instance) - ANSWERWhy use a VPC
EC2 instances running within a VPC inherit all of the security benefits of the VPC (guest
os protection, protection against packet sniffing), but you must create security groups
specifically for your Amazon VPC. amd Amazon EC2 security groups you have created
will not work inside your Amazon VPC. - ANSWERWhat happens to EC2 security
groups when used inside a amazon VPC?
1. Being able to change the security group after the instance is launched
2. Being able to specify any protocol with a standard number, rather than just TCP,
UDP, or ICMP - ANSWERWhat benefits to VPC security groups give you that EC2
security groups do not?
Inbound communication from other members of the same group, and outbound to any. -
ANSWERWhat does the default VPC security group allow by default?
,Stateless traffic filters (must permit traffic in both directions) that apply to all inbound or
outbound traffic from a subnet within a VPC. Ordered list, based on IP protocol, service
port, and source destination IP - ANSWERHow do network acl's work?
It enables private connectivity between the Amazon VPC and another network. Networj
traffic within each virtual private gateway is isolated from neteork traffic within all other
virtual private gateways. You can establish VPN connections to the Virtual Private
Gateway from gateway devices at your premises. Each connection is secured by a pre-
shared key in conjunction with the IP of the customer gateway device. -
ANSWERWhat's the function of a Virtual Private Gateway?
An internet gateway may be attached to an Amazon VPC to enable direct connectivity
to Amazon S3, other AWS services, and the internet. Each instance desiring this access
must either have an elastic IP associated with it or route traffic through a NAT instance.
Additionally, network routes are configured to direct traffic to the internet gateway. -
ANSWERWhat's the function of an Internet Gateway?
An Elastic IP address is a static IP address designed for dynamic cloud computing. An
Elastic IP address is associated with your AWS account. With an Elastic IP address,
you can mask the failure of an instance or software by rapidly remapping the address to
another instance in your account.
An Elastic IP address is a public IP address, which is reachable from the Internet. If
your instance does not have a public IP address, you can associate an Elastic IP
address with your instance to enable communication with the Internet - ANSWERWhat's
the purpose of an elastic IP?
If your Amazon EC2 instances are located inside a private subnet, you will not be able
to connect to them remotely. To connect to your instances, you can set up bastion
servers in the public subnet to act as proxies. For example, you can set up SSH port
forwarders or RDP gateways in the public subnet to proxy the traffic going to your
database servers from your own network - ANSWERWhat's the purpose of a bastion
host?
1. A default subnet is created in each availability zone
2. An internet gateway is created and connected to your default VPC
3. A main route is created for your default VPC with a rule that sends all traffic destined
for the internet to the internet gateway
4. A default security group is created and associated with your default VPC
5. A default ACL is created an associated with your default VPC
6. Default DHCP options set for your AWS account are associated with your default
VPC - ANSWERWhat automatically happens for you when you launch a first time
instance into EC2-VPC (also known as the default VPC)?
1. In the default VPC, instances will receive a public and a private IP automatically. In a
normal VPC, will only get private
, 2. DNS names are enabled by default in the default VPC. Not in a normal VPC -
ANSWERSome differences in launching EC2 instances in the default VPC vs a normal
VPC
Gives customers an easy way to distribute content to end users with low latency and
high speed. Delivers dynamic, static, and streaming content using a glocal network of
edge locations. Requests for data are automatically routed to the nearest edge location,
so content is delivered with best possible performance. Optimized to work with S3, EC2,
, ELB, and route 53. Can also work with non AWS orgin servers that store original
versions of files. - ANSWERWhat's the purpose of cloudfront?
You can enable the service's provate content feature. Has 2 components - one controls
how content is delivered from edge locations to viewers on the internet, second controls
how edge locations access objects in Amazon S3. Cloudfront also supports Geo
Restriction, which restricts access to your content based on the geographic location of
your viewers - ANSWERWhat are some of the ways that Cloudfront it secured?
Cloudfront allows you to create one or more "Orgin Access Identities" and associate
these with your distributions. When associated, the distribution will use that identity to
retirve objects from S3. You can then ise S3's ACL feature, which limits access to the
Orgin Access Identity so the original copy of the object is not publicly readable. -
ANSWERHow can you control access to the original copies of your S3 objects when
using Cloudfront?
The service uses a signed URL verification system. Create a public-private key pair,
upload the public key to your account via the console, then configure the CloudFront
distribution to indicate which accounts you would authorize to sign requests. Third, as
you receive requests, you create policy documents indicating the conditions under
which you want CloudFront to serve your content. Feature is optional. Without this
feature, all content delivered will be publicly readable. - ANSWERHow can you control
who is able to download objects from Cloudfront edge locations?
HTTPS is optional. By default, CloudFront will accept requests over both. You can
configure CloudFront to require HTTPS, and you can even require it to allow HTTP for
some objects but require HTTPS for others. - ANSWERBy default, does CloudFront use
HTTP or HTTPS?
Allows you to provision a direct link between your internal network and an AWS region
using a high throughput dedicated connection. You can then create virtual interfaces
directly to the AWS cloud. You procure rackspace within the facility housing the Direct
Connect location and deploy your equipement, then connect to to AWS Direct Connect
using a cross connect. Use 802.1q vlans the partition the connection into multiple virtual
interfaces. Using BGP and MD5 keys. - ANSWERWhat's the use case for Direct
Connect?
