This first section opens with an outline of what you are responsible for as an AWS customer and a refresher of the baseline services that will be discussed throughout the different scenarios in your journey; it concludes with an examination of some of the top risks to which your cloud environment can be exposed. Even […]
CramQuiz Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can. 1. You are the administrator of a hybrid-cloud application that uses S3 as the central store for all the data being shared across the platforms. The Internet users are always directed […]
Quotas As with any other AWS service, AWS Storage Gateway is bound by certain quotas. These quotas can be soft limits (adjustable on request) or hard limits (fixed) that constrain the service. Different quotas apply depending on the flavor of storage gateway that you implement. Here is an indication of the main quotas for each type, but remember to check […]
Security Issues Security issues sit at the top layer of the monitoring and alerting stack. They too span a wide range of conditions that must be defined for each application in advance. A range of alerts can be configured for security issues, including but not limited to large numbers of failed login attempts: […]
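The first alert named above, failed-login bursts, is the kind of check that runs over CloudTrail rather than application logs. The following is an added example, not code from the original page: it parses CloudTrail ConsoleLogin records and alerts when one IAM principal or one source IP accumulates a burst of failures inside a sliding window, and it flags a success that follows such a burst. The threshold, the window, the constructed sample records and the make_event() helper are assumptions; the record fields used (eventName, responseElements.ConsoleLogin, userIdentity.userName, sourceIPAddress, eventTime) are the ones CloudTrail emits.

```python
"""Failed-console-login burst detection over CloudTrail records.

Added example (not from the page). THRESHOLD, WINDOW_SECONDS, the sample
records and make_event() are assumptions; the CloudTrail field names are real.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

THRESHOLD = 5          # failures per key before alerting (assumed tuning)
WINDOW_SECONDS = 300   # sliding window in seconds (assumed tuning)


def make_event(event_time, user, ip, outcome):
    """Build a constructed CloudTrail ConsoleLogin record as one JSON line."""
    return json.dumps({
        "eventVersion": "1.08",
        "eventTime": event_time,
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": outcome},   # "Success" or "Failure"
        "additionalEventData": {"MFAUsed": "No"},
    })


def parse_event(line):
    """Return (timestamp, principal, source ip, failed?) for one record."""
    rec = json.loads(line)
    ts = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ident = rec.get("userIdentity", {})
    # Root sign-ins carry no userName; fall back to the identity type.
    user = ident.get("userName") or ident.get("type", "unknown")
    failed = (rec.get("eventName") == "ConsoleLogin"
              and rec.get("responseElements", {}).get("ConsoleLogin") == "Failure")
    return ts, user, rec.get("sourceIPAddress", "?"), failed


def detect_login_bursts(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return a list of (alert_type, key_kind, key, timestamp) tuples."""
    # CloudTrail delivery is not strictly ordered, so sort by eventTime first.
    events = sorted((parse_event(l) for l in lines), key=lambda e: e[0])
    recent = defaultdict(deque)   # key -> timestamps of failures inside the window
    alerted = set()               # keys that already raised a burst alert
    alerts = []
    for ts, user, ip, failed in events:
        if not failed:
            # A success for a principal that was just brute-forced is the
            # highest-value signal: report it separately.
            if ("user", user) in alerted:
                alerts.append(("success-after-failures", "user", user, ts))
            continue
        for key in (("user", user), ("ip", ip)):
            q = recent[key]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window:   # drop expired failures
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append(("failed-login-burst", key[0], key[1], ts))
    return alerts


# Constructed sample: six failures for alice from one IP within a minute,
# then a success from another IP, then one unrelated failure for bob.
SAMPLE_EVENTS = [
    make_event(f"2024-03-01T09:00:{s:02d}Z", "alice", "198.51.100.7", "Failure")
    for s in (0, 10, 20, 30, 40, 50)
] + [
    make_event("2024-03-01T09:01:05Z", "alice", "203.0.113.9", "Success"),
    make_event("2024-03-01T09:02:00Z", "bob", "203.0.113.10", "Failure"),
]

if __name__ == "__main__":
    for alert in detect_login_bursts(SAMPLE_EVENTS):
        print(alert)
```

Keying on both the principal and the source IP matters: password spraying spreads failures across many users from one address, while a targeted attack concentrates them on one user across many addresses, and only one of the two keys crosses the threshold in each case.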
Securing S3 objects at rest and in transit In the previous section, you learned about bucket default encryption, which is distinct from object-level encryption. The bucket itself holds no encrypted data; each object is encrypted individually. So what is default bucket encryption? It is a bucket-level setting that tells S3 which server-side encryption to apply to new objects whose upload request does not specify one. You will learn these concepts in this section. Data during transmission can […]
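Both halves of this topic, encryption in transit and encryption at rest, can be enforced on the bucket rather than left to each client. The following is an added example, not code from the original page: a bucket policy whose Deny statements refuse any request that did not arrive over TLS and any PutObject that does not request SSE-KMS, together with a small offline evaluator that applies those statements to constructed request contexts so you can see which statement blocks which request. The condition keys aws:SecureTransport and s3:x-amz-server-side-encryption are real; the bucket name, the request contexts and the evaluator itself (Deny statements only, three condition operators) are assumptions made for illustration and do not replace IAM's full evaluation logic.

```python
"""Bucket policy enforcing TLS in transit and SSE-KMS at rest, with an
offline evaluator. Added example, not code from the page; the bucket name,
request contexts and the minimal evaluator are assumptions."""
import json
from fnmatch import fnmatchcase

BUCKET = "example-secure-data"   # assumed bucket name


def hardened_bucket_policy(bucket):
    obj_arn = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # In transit: refuse any S3 request that did not arrive over TLS.
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", obj_arn],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # At rest: refuse uploads that request anything other than SSE-KMS.
                "Sid": "DenyNonKmsUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": obj_arn,
                "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # At rest: also refuse uploads that send no encryption header at all,
                # so the outcome does not hinge on how a missing key is evaluated.
                "Sid": "DenyMissingEncryptionHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": obj_arn,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _condition_matches(condition, ctx):
    """Evaluate only the condition operators used in the policy above."""
    for op, pairs in condition.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Bool":
                if have is None or str(have).lower() != str(want).lower():
                    return False
            elif op == "StringNotEquals":
                # Simplification: an absent key is treated as "no match" here;
                # the separate Null statement covers absence explicitly.
                if have is None or have == want:
                    return False
            elif op == "Null":
                if (have is None) != (str(want).lower() == "true"):
                    return False
            else:
                raise ValueError(f"operator {op} is not modelled")
    return True


def denying_statement(policy, action, resource, ctx):
    """Return the Sid of the first matching Deny statement, or None."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatchcase(resource, r) for r in resources):
            continue
        if _condition_matches(st.get("Condition", {}), ctx):
            return st["Sid"]
    return None


POLICY = hardened_bucket_policy(BUCKET)
OBJECT = f"arn:aws:s3:::{BUCKET}/report.csv"

# Constructed request contexts: the condition keys as IAM would see them.
REQUESTS = {
    "put over plain HTTP":         ("s3:PutObject", OBJECT, {"aws:SecureTransport": "false", "s3:x-amz-server-side-encryption": "aws:kms"}),
    "put over TLS, SSE-S3 header": ("s3:PutObject", OBJECT, {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "AES256"}),
    "put over TLS, no header":     ("s3:PutObject", OBJECT, {"aws:SecureTransport": "true"}),
    "put over TLS, SSE-KMS":       ("s3:PutObject", OBJECT, {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms"}),
    "get over TLS":                ("s3:GetObject", OBJECT, {"aws:SecureTransport": "true"}),
}

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for name, (action, resource, ctx) in REQUESTS.items():
        print(f"{name:30s} -> {denying_statement(POLICY, action, resource, ctx) or 'not denied'}")
```

Two caveats when you apply a policy like this for real. A Deny only removes access; the principals that should read and write the bucket still need an Allow in their identity policy or in the same bucket policy. And since January 2023 S3 applies SSE-S3 to every new object by default, so the two at-rest statements are there to require SSE-KMS specifically (customer-managed key, CloudTrail-visible key usage), not merely to get objects encrypted.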
Summary In this chapter, you reviewed many of the main services used in AWS architecture. These make up the majority of the services that will be part of your day-to-day responsibilities as an AWS cloud security engineer and the services that will be referenced in the questions in the exam. Having a baseline knowledge of these […]
CloudFront Design Considerations Design requirements for connecting to AWS CloudFront locations should take geographic, technical, and political constraints into consideration. Global Internet routing is governed by BGP, a distributed protocol in which reachability is exchanged between autonomous systems operated by different entities. This leaves us with little influence on how traffic gets […]
Tape Gateway Tape Gateway offers a virtual tape library (VTL) service backed by storage on Amazon S3 and accessible on-premises through the standard iSCSI protocol. Concretely, Tape Gateway comes either as a preconfigured hardware appliance or as a software appliance that you deploy in your on-premises environment. The software appliance consists of a VM that […]
Important note AWS best practices suggest adding another layer of protection through MFA delete. It protects against accidental or malicious permanent deletion of object versions and against changes to the bucket's versioning state, so the objects in a versioned bucket cannot be silently destroyed. MFA delete requires S3 Versioning to be enabled, can be configured only by the bucket owner signed in as the account root user, and is enabled or disabled through the AWS CLI or REST API; the console does not support turning it on. As documented in AWS docs, MFA delete requires two forms of authentication together: […]
Reviewing Deviations Using Trusted Advisor As you use Trusted Advisor, over time, you will see that the service begins to highlight potential issues within your account. This section will cover how to review these deviations and how to interpret the severity of the issues found. From within the AWS Management Console, select Trusted Advisor from […]