Security services covered in this section: Amazon Macie, AWS Trusted Advisor, AWS Config, AWS CloudTrail, Amazon CloudWatch, Amazon Cognito, Amazon GuardDuty, AWS Secrets Manager
Serverless Computing

Serverless Computing Concepts
• No servers to manage
• Pay by usage
• Built-in scale
• Built-in high availability
Amazon API Gateway
• Create a unified API that acts as a "front door" for applications.
• Access data, business logic, or functionality from your back-end services.
• Create REST APIs, HTTP APIs, or WebSocket APIs.
• Amazon API Gateway provides throttling at multiple levels (account, stage, and usage plan / API key).

API Cheat Sheet
• API Gateway can process hundreds of thousands of concurrent API calls.
• API Gateway and Lambda create application-facing serverless infrastructure.
• Private API endpoints can be accessed from a VPC using an interface VPC endpoint.
• API requests can be throttled to prevent overloading your backend services; a request that exceeds a limit is rejected with HTTP 429.
• API Gateway publishes CloudWatch metrics and logs for the API and its backend, including API calls, latency, and error rates.
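The multi-level throttling above works as a token bucket per level: each level has a steady-state rate (tokens added per second) and a burst (bucket size), and a request is only served while every applicable bucket has a token. The following Python is an added example, not code from the slides or from AWS: the account default of 10,000 requests per second with a 5,000 burst is the documented regional default, the stage and usage-plan limits are constructed, and the rule that a request must find a token at every level and then takes one from each is this example's simplification of the accounting.

```python
"""Token-bucket throttling at several levels, as API Gateway applies it.

Added example, not code from the slides or from AWS. API Gateway keeps a
token bucket per level (account, stage, usage plan / API key); here a
request succeeds only if every applicable bucket has a token, and it
then takes one token from each.
"""


class TokenBucket:
    """rate = steady-state requests per second, burst = bucket capacity."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.capacity = float(burst)
        self.tokens = float(burst)   # a fresh bucket starts full
        self.last = 0.0              # timestamp of the last refill

    def refill(self, now):
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now


class ThrottledGateway:
    """Constructed limits: the account default (10,000 rps / 5,000 burst)
    is the documented regional default; stage and plan limits are made up."""

    def __init__(self, account=(10000, 5000), stage=(10, 5), plans=None):
        self.account = TokenBucket(*account)
        self.stage = TokenBucket(*stage)
        # usage plans keyed by API key; requests without a key skip this level
        self.plans = {key: TokenBucket(*lim) for key, lim in (plans or {}).items()}

    def handle(self, api_key, now):
        """Return the HTTP status API Gateway would send: 200 or 429."""
        buckets = [self.account, self.stage]
        if api_key in self.plans:
            buckets.append(self.plans[api_key])
        for b in buckets:
            b.refill(now)
        if all(b.tokens >= 1.0 for b in buckets):
            for b in buckets:          # only consume when every level allows
                b.tokens -= 1.0
            return 200
        return 429   # Too Many Requests: no token at some level


def simulate(requests, **limits):
    """requests: list of (api_key or None, timestamp_seconds), in time order."""
    gw = ThrottledGateway(**limits)
    return [gw.handle(key, ts) for key, ts in requests]


if __name__ == "__main__":
    # a keyed client bursts 4 requests, 5 anonymous requests follow,
    # then the keyed client tries again one second later
    burst = [("partner", 0.0)] * 4 + [(None, 0.0)] * 5 + [("partner", 1.0)] * 3
    print(simulate(burst, stage=(10, 5), plans={"partner": (2, 2)}))
```

In the simulated run the partner key is stopped by its own usage plan after two requests while the stage still has tokens for anonymous callers, and one second later both buckets have refilled; a rejected request does not consume tokens at the other levels.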
AWS Lambda
• No servers or EC2 instances to manage – focus on creating functions.
• Bring your own code: Node.js, Java, Ruby, Python, C# (.NET), Go (custom runtimes are also supported).
• With Amazon API Gateway, create RESTful APIs that are accessed over HTTPS and use Lambda functions to reach backend AWS services.
Amazon Simple Queue Service (SQS): Standard and FIFO queues decouple application components (diagram: a "New Order" message is placed on a queue for the consuming application).
Amazon Cognito Identity Pool (diagram)
1. The app authenticates the user and gets a token.
2. The app exchanges the token with the Amazon Cognito identity pool for AWS temporary credentials.
3. The app accesses AWS services with the AWS temporary credentials.
AWS Organizations (diagram)
Organization → Organizational Units (Dev OU, Test OU, Prod OU) → AWS Accounts (A1, A2, A3) → AWS Resources

Service Control Policy (SCP)
• Filters that allow only the specified services and actions to be used in the AWS accounts (or OUs) where the SCP has been attached.
• An SCP never grants permissions by itself: it sets the maximum available permissions. The effective permissions are the intersection of the SCP and the identity-based IAM policies in the account, and an explicit Deny in either wins.
Identity-based policy ∩ Organizations SCP = Effective permissions
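The intersection in the diagram above, worked through in code. This is an added example, not code from the slides or from AWS: it models only Allow/Deny matching of action strings (with `*` wildcards) for SCPs and an identity-based policy, and leaves out resources, conditions, NotAction, permission boundaries and session policies. The policies are constructed.

```python
"""How an SCP bounds, but never grants, permissions.

Added example, not from the slides or AWS. Models only Allow/Deny
matching on 'service:Action' strings with '*' wildcards; resources,
conditions, NotAction, permission boundaries and session policies are
left out.
"""
from fnmatch import fnmatchcase


def _statements(policy):
    stmts = policy["Statement"]
    return stmts if isinstance(stmts, list) else [stmts]


def _actions(stmt):
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def policy_decision(policy, action):
    """'deny' if an explicit Deny matches, else 'allow' if an Allow matches,
    else 'implicit_deny'. Matching is a case-sensitive glob."""
    decision = "implicit_deny"
    for stmt in _statements(policy):
        if any(fnmatchcase(action, pattern) for pattern in _actions(stmt)):
            if stmt["Effect"] == "Deny":
                return "deny"            # explicit deny always wins
            decision = "allow"
    return decision


def is_allowed(action, identity_policy, scps=()):
    """Every SCP on the path root -> OU -> account must allow the action,
    AND the identity-based policy must allow it. An SCP that allows an
    action does not grant it: the IAM policy still has to."""
    if any(policy_decision(scp, action) != "allow" for scp in scps):
        return False
    return policy_decision(identity_policy, action) == "allow"


def effective_permissions(actions, identity_policy, scps=()):
    """The intersection the Venn diagram shows."""
    return sorted(a for a in actions if is_allowed(a, identity_policy, scps))


# Constructed policies, not real account data.
SCP_ALLOWLIST = {   # hypothetical SCP on the Dev OU: only S3 and Lambda may be used
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*", "lambda:*"]}],
}
SCP_DENY_IAM_USERS = {   # hypothetical SCP on the root: allow everything except user creation
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*"},
        {"Effect": "Deny", "Action": ["iam:CreateUser", "iam:CreateAccessKey"]},
    ],
}
IDENTITY_POLICY = {   # hypothetical IAM policy on a role inside account A1
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "ec2:RunInstances", "iam:*"]},
    ],
}
CANDIDATE_ACTIONS = ["s3:GetObject", "s3:PutObject", "lambda:InvokeFunction",
                     "ec2:RunInstances", "iam:CreateUser", "iam:ListUsers"]

if __name__ == "__main__":
    print(effective_permissions(CANDIDATE_ACTIONS, IDENTITY_POLICY,
                                [SCP_DENY_IAM_USERS, SCP_ALLOWLIST]))
```

With both SCPs in force only `s3:GetObject` survives: `ec2:RunInstances` is granted by IAM but filtered by the OU allow-list, `lambda:InvokeFunction` is permitted by the SCP but never granted by IAM, and `iam:CreateUser` is explicitly denied at the root even though the role holds `iam:*`.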
Sharing Resources: how can we share resources with other AWS accounts?

Amazon CloudWatch (diagram): metrics, events and alarms; rules; EC2 logs; VPC Flow Logs; AWS Config → Alarm → SNS (SMS) / Lambda
CloudWatch Logs
• Monitor your system and applications using existing system, application, and custom log files
• Can be used for real-time application and system monitoring
• Log events are kept indefinitely by default; set a retention policy per log group to expire them
• CloudTrail logs can be sent to CloudWatch Logs for real-time monitoring
• Metric filters can evaluate CloudTrail logs for specific terms or values, and alarms can fire on the resulting metrics
CloudWatch vs. CloudTrail
• CloudWatch: performance monitoring – log events for AWS service operations
• CloudTrail: auditing – log API activity for AWS service activities
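Metric filters over CloudTrail events, as the bullets above describe, in code. This is an added example, not from the slides: the filter patterns are the commonly used CIS-benchmark style patterns written as you would type them into CloudWatch Logs, the predicates are this example's hand translation of those patterns, and the log lines are constructed CloudTrail records trimmed to the fields the filters read.

```python
"""Metric-filter style detection over CloudTrail events in CloudWatch Logs.

Added example, not from the slides. Each entry pairs a CloudWatch Logs
filter pattern (as typed in the console) with an equivalent Python
predicate; the counts returned are what the metric filter would emit
(value 1 per matching event).
"""
import json
from fnmatch import fnmatchcase

# Constructed CloudTrail records, trimmed to the fields the filters read.
SAMPLE_LOG_LINES = [
    json.dumps({"eventTime": "2024-01-05T10:00:00Z", "eventSource": "signin.amazonaws.com",
                "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
                "userIdentity": {"type": "Root", "accountId": "123456789012"},
                "responseElements": {"ConsoleLogin": "Success"}}),
    json.dumps({"eventTime": "2024-01-05T10:01:00Z", "eventSource": "ec2.amazonaws.com",
                "eventName": "RunInstances", "eventType": "AwsApiCall",
                "userIdentity": {"type": "IAMUser", "userName": "dev1"},
                "errorCode": "Client.UnauthorizedOperation",
                "errorMessage": "You are not authorized to perform this operation."}),
    json.dumps({"eventTime": "2024-01-05T10:02:00Z", "eventSource": "signin.amazonaws.com",
                "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
                "userIdentity": {"type": "IAMUser", "userName": "dev1"},
                "responseElements": {"ConsoleLogin": "Failure"},
                "errorMessage": "Failed authentication"}),
    json.dumps({"eventTime": "2024-01-05T10:03:00Z", "eventSource": "kms.amazonaws.com",
                "eventName": "DisableKey", "eventType": "AwsApiCall",
                "userIdentity": {"type": "IAMUser", "userName": "admin"}}),
    json.dumps({"eventTime": "2024-01-05T10:04:00Z", "eventSource": "s3.amazonaws.com",
                "eventName": "GetObject", "eventType": "AwsApiCall",
                "userIdentity": {"type": "AssumedRole", "invokedBy": "AWS Internal"}}),
    "not json: a line written by some other agent",
]


def get_path(record, path):
    """Resolve a '$.a.b' selector the way filter patterns address JSON fields."""
    cur = record
    for key in path.lstrip("$.").split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


METRIC_FILTERS = {
    "RootAccountUsage": (
        '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent" }',
        lambda r: get_path(r, "$.userIdentity.type") == "Root"
        and get_path(r, "$.userIdentity.invokedBy") is None
        and get_path(r, "$.eventType") != "AwsServiceEvent",
    ),
    "UnauthorizedAPICalls": (
        '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
        lambda r: any(fnmatchcase(str(get_path(r, "$.errorCode") or ""), p)
                      for p in ("*UnauthorizedOperation", "AccessDenied*")),
    ),
    "ConsoleSigninFailures": (
        '{ ($.eventName = ConsoleLogin) && ($.errorMessage = "Failed authentication") }',
        lambda r: get_path(r, "$.eventName") == "ConsoleLogin"
        and get_path(r, "$.errorMessage") == "Failed authentication",
    ),
    "KMSKeyDisabledOrScheduledForDeletion": (
        '{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }',
        lambda r: get_path(r, "$.eventSource") == "kms.amazonaws.com"
        and get_path(r, "$.eventName") in ("DisableKey", "ScheduleKeyDeletion"),
    ),
}


def apply_metric_filters(log_lines, filters=METRIC_FILTERS):
    """Return {filter_name: count}; lines that are not JSON never match."""
    counts = {name: 0 for name in filters}
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        for name, (_pattern, predicate) in filters.items():
            if predicate(record):
                counts[name] += 1
    return counts


if __name__ == "__main__":
    print(apply_metric_filters(SAMPLE_LOG_LINES))
```

Each filter would normally be paired with a CloudWatch alarm on the metric with a threshold of 1 over a short period, routed to an SNS topic; the `invokedBy NOT EXISTS` clause in the root filter is what keeps AWS-service-initiated actions from paging you.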
AWS WAF (diagram): filtering rules applied to an Application Load Balancer in front of the web app and its Amazon RDS database
AWS Key Management Service (KMS)
• Control access to keys for IAM users and roles
• Automatically rotate keys
• Re-enable disabled keys
• Audit use of keys
• Temporarily disable keys
• Create keys with a unique alias
Amazon GuardDuty
• Continual analysis of CloudTrail management events, CloudTrail S3 data events (S3 bucket access requests), VPC Flow Logs, and DNS logs.
• GuardDuty Integration: findings can be forwarded to other AWS services for notification and response.

AWS Config
• Get notified when resources are created or modified
• Use historical data for auditing and compliance

AWS Trusted Advisor check categories: Cost Optimization, Performance, Security, Fault Tolerance, Service Limits
AWS Certificate Manager
• Provision, manage, and deploy public and private SSL/TLS certificates used with AWS services and AWS-hosted websites and applications.
• Certificates can be deployed on ELB load balancers, Amazon CloudFront distributions, AWS Elastic Beanstalk, and APIs hosted on Amazon API Gateway.
• Public certificates: ELB port 443 traffic, CloudFront distributions, and public-facing APIs hosted by Amazon API Gateway all use public certificates.
• Private certificates: delegated private certificates are managed by an AWS Certificate Manager hosted private CA (AWS Private CA).
• Imported certificates: third-party certificates can be imported into AWS Certificate Manager; ACM does not renew imported certificates automatically, so their expiry must be tracked.
Amazon Macie

Key Features of Amazon Macie
• Automated security classification of data and of data access patterns
• Monitor data usage for anomalies
• Proactive data loss prevention through data visibility
• Custom report and alert management

Discover and Classify S3 Data
• Managed data identifiers, for example: full name, source code, encrypted RSA private key, SWIFT codes, email address, credit card numbers
• Custom data identifiers defined with a regex
• Amazon Macie assigns risk to findings, for example credential loss or a location anomaly
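What the classification step above does to an object, in code. This is an added example, not code from the slides or from Amazon Macie: it reproduces the idea of managed data identifiers (credit card numbers confirmed with a Luhn check, email addresses, PEM private-key headers) and of a custom data identifier (a regex plus keywords that must appear within a maximum distance, which is how Macie custom identifiers are defined). The regexes, the `EMP-` employee-id identifier and the sample object are constructed; the card number is a well-known test number.

```python
"""Macie-style discovery of sensitive data in an S3 object's text.

Added example, not from the slides or from Amazon Macie. Managed
identifiers are approximated with regexes (plus a Luhn check for card
numbers); the custom identifier follows Macie's regex + keywords +
maximum match distance definition. Everything below is constructed.
"""
import re

MANAGED_IDENTIFIERS = {
    # 13-19 digits with optional single spaces or dashes between them
    "CREDIT_CARD_NUMBER": re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"),
    "EMAIL_ADDRESS": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "PRIVATE_KEY": re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----"),
}


def luhn_valid(digits):
    """Luhn mod-10 check; drops digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def managed_findings(text):
    """Return [(identifier, matched_text)] for the managed identifiers."""
    findings = []
    for kind, rx in MANAGED_IDENTIFIERS.items():
        for m in rx.finditer(text):
            value = m.group()
            if kind == "CREDIT_CARD_NUMBER":
                digits = re.sub(r"[ -]", "", value)
                if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
                    continue        # right shape, wrong checksum: not a card
            findings.append((kind, value))
    return findings


def custom_findings(text, regex, keywords=(), max_distance=50):
    """Custom data identifier: the regex must match and, if keywords are
    given, one of them must occur within max_distance characters before
    the match (case-insensitive), which keeps generic patterns from
    flagging unrelated identifiers."""
    out = []
    for m in re.finditer(regex, text):
        if keywords:
            window = text[max(0, m.start() - max_distance):m.start()].lower()
            if not any(k.lower() in window for k in keywords):
                continue
        out.append(m.group())
    return out


def classify_object(text):
    """Return {identifier: [matches]} for one object, the shape of a finding."""
    report = {}
    for kind, value in managed_findings(text):
        report.setdefault(kind, []).append(value)
    # hypothetical custom identifier for an internal employee-id format
    emp = custom_findings(text, r"\bEMP-\d{6}\b",
                          keywords=("employee id", "emp id"), max_distance=20)
    if emp:
        report["EMPLOYEE_ID"] = emp
    return report


# Constructed object content (the card number is a public test number).
SAMPLE_OBJECT = """customer export 2024-01-05
name: Jane Doe, email: jane.doe@example.com
card: 4111 1111 1111 1111 (test number)
order ref: 1234 5678 9012 3456
Employee ID: EMP-004512 approved by emp id EMP-009001
ticket number EMP-123456 is an unrelated tracker id
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAxyz...
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for kind, values in classify_object(SAMPLE_OBJECT).items():
        print(kind, values)
```

The order reference `1234 5678 9012 3456` has the shape of a card number but fails the Luhn check and is not reported, and `EMP-123456` is skipped because no keyword sits within 20 characters before it; both are the false positives a plain regex would have raised.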
What We Covered:
• Serverless Computing
• Stateless Designs
• AWS Organizations
• CloudWatch and CloudTrail
• Key Management Service
• AWS Secrets Manager
• Amazon Cognito
• AWS Trusted Advisor
• AWS Config
• Amazon Macie
• AWS CloudFormation / Service Catalog
Question 1
A bug seems to have been introduced to the latest Lambda function. You would like to review the function logs to see what is going wrong. Where are the function logs stored?
A: AWS S3
B: CloudTrail
C: CloudWatch Logs
D: Syslog
Answer
C: CloudWatch Logs. Lambda writes each function's output and runtime errors to a CloudWatch Logs log group named /aws/lambda/<function-name>; CloudTrail records the API calls made to Lambda, not the function's own output.
Question 2
What are the services available to assist in data encryption? Choose two answers.

Question 3
How can API activity be monitored for all AWS regions?
A. API activity cannot be monitored for all AWS regions, just the region that was initially selected.
B. Create a custom CloudTrail trail and accept the default settings.
C. Create a custom trail for a single AWS region. Use CloudFormation to enable the custom trail for regions as they are added.
D. Create a custom CloudTrail for each AWS region. Use AWS Config to check for new AWS regions.
Answer
B. A trail created in the console is a multi-region trail by default, so it records API activity in every region, including regions added later (from the CLI, pass --is-multi-region-trail when creating the trail).
Question 4
A production application hosted on EC2 instances needs to be monitored for
performance using the CloudWatch metric CPU utilization. When the defined
threshold has been breached, what is the next step that should happen?
A. Store files in an SQS queue for further processing by a fleet of EC2 instances.
B. Use S3 buckets using event notifications to invoke a Lambda function to review for compliance.
C. Store files in EBS storage.
D. Store files in a DynamoDB table with triggers to call a Lambda function to review for compliance.
Question 7
Which of the following AWS services offers automated deployment of other AWS services?
A. AWS CodeDeploy
B. AWS CodeBuild
C. AWS Elastic Beanstalk
D. AWS CloudFormation
Answer
D. AWS CloudFormation: it provisions and deploys other AWS services from a template.
Question 8
You are deploying a public-facing application load balancer that is going to receive incoming Internet traffic on port 443. What AWS service should be used to host your security certificates?
C. AWS Secrets Manager
D. AWS CloudHSM
Answer
AWS Certificate Manager: it provisions and manages the public certificates used for ELB port 443 traffic. Secrets Manager stores secrets, not served certificates, and CloudHSM is a hardware key store rather than a certificate host.
Question 9
Two years ago, the graphics department moved its operations to AWS. Last year application development was moved to AWS. The accounting department is now moving to AWS. Compliance requirements dictate that each department must use its own AWS account. How can the charges for the AWS services used for each AWS account be consolidated into one bill?

Question 10
Your company has deployed AWS Organizations to manage the multiple AWS accounts currently being used. You want to share specific database resources deployed in subnets for test and dev environments for multiple AWS accounts. What utility can help you achieve this goal?
A. Use AWS Control Tower to control access to resources for all new administrative accounts.
B. Create IAM policies defining developers with the ability to create subnets and resources on subnets. Assign security policies to the associated development IAM groups.
C. Use AWS Resource Access Manager to share subnet resources with other member accounts.
D. Create a service control policy and assign it to the master account in the AWS Organization tree.
Answer
C. AWS Resource Access Manager shares subnets (and other supported resources) with other member accounts of the organization; an SCP only restricts permissions and cannot share a resource.