If you want to centralize logs so that no one can edit or delete them, think of ___________ and _________________
Organizations, SCPs (Service Control Policies)

Organizations to centralize the accounts (a dedicated log archive account is the usual pattern) and SCPs to restrict every principal in the member accounts, including each account's root user.
What is the best way to have the final say over what can be done in an AWS account?
SCPs (Service Control Policies). They set the maximum permissions for every principal in a member account but grant nothing by themselves, and they do not apply to the management account.
What are the steps to move the management account of Firm_A into another organization?
*Remove all member accounts from the organization in Firm_A
*Delete the organization in Firm_A (a management account cannot leave or be moved while its organization exists)
*Invite the former Firm_A management account to join the new organization (Firm_B) as a member account
Root -> Project_OU -> Dev_OU
Project_OU has an SCP attached that prevents deleting VPC Flow Logs
Dev_OU has an SCP attached that allows the action "ec2:DeleteFlowLogs"
Are the IAM users/roles in the Dev_OU AWS accounts allowed to delete VPC Flow Logs?
No. The SCP on Project_OU restricts the action.

SCPs are inherited down the OU path and the effective permissions are the intersection of every level, so the explicit Deny statement in Project_OU overrides any Allow in Dev_OU.
A customer needs corporate IT governance and cost oversight of all AWS resources consumed by its divisions.

Each division has its own AWS account, and the security policies must be kept in place at the account level.
How can you achieve this?
Use AWS Organizations (consolidated billing gives the cost oversight)
Use SCPs (Service Control Policies) to enforce the security policies on every account
Two services
An APN (AWS Partner Network) partner needs to audit an AWS account. What step allows the partner to perform the audit?
Create a cross-account IAM role that the partner's account can assume, with an ExternalId condition in the trust policy so the partner cannot be tricked into using the role on someone else's behalf (the confused-deputy problem).
What does AWS RAM stand for?
Resource Access Manager
What can be shared using AWS RAM? (examples)
Transit Gateways
License Manager configurations
Dedicated Hosts
VPC subnets
Route 53 Resolver rules
Are you sharing resources with other accounts within the same Region? What should you use?
Use RAM (a resource share is regional; the principals can be accounts, OUs or the whole organization)
Are you sharing across Regions?
Use VPC peering (RAM shares do not cross Regions; inter-Region VPC peering connects the VPCs instead)
An organization uses AWS Organizations with an account per department, and you have access to the management (master) account. You need to manage EC2 Dedicated Hosts centrally and share the hosts with other AWS accounts. What is the easiest way to accomplish this?
Use AWS Resource Access Manager to manage the EC2 Dedicated Hosts from one account and share them with the other member accounts. With sharing enabled for the organization in RAM, member accounts get access without having to accept an invitation.
A company has an Aurora DB cluster. It is deployed in an AWS account owned by the development team, and that account is in AWS Organization A. The DB now needs to be shared with an AWS account in another organization, Organization B.
How can we achieve the requirement?
From the development team's account in Organization A (the account that owns the cluster), create a resource share for the DB cluster in AWS Resource Access Manager and add the Organization B account as a principal. Because the principal is outside Organization A, that account has to accept the share invitation.
What is better: creating cross-account roles or additional IAM users?
It is preferred to create cross-account roles.
Characteristics of cross-account roles
Useful for temporary employees and third parties
A role is not permanent: it issues temporary credentials through sts:AssumeRole, so there are no long-lived access keys to rotate or leak.
What is AWS Config?
It is the best way to check whether the resources in your architecture comply with the standards you define (Config rules), and it records the configuration history of those resources.
Active Directory
AWS Managed Microsoft AD
This is the entire AD suite: actual Microsoft Active Directory running on AWS-managed domain controllers, so you can easily build out AD in AWS.
Active Directory
AD Connector
A proxy (gateway) that forwards directory requests from AWS to your on-premises AD over VPN or Direct Connect; no directory data is stored in AWS.
Active Directory
Simple AD
Standalone directory powered by a Linux Samba Active Directory-compatible server.
You want to use AWS Managed Microsoft AD and have been asked whether users can use it to access services in the on-premises environment.
Yes. AWS Managed Microsoft AD can be used as the Active Directory for on-premises resources over VPN or Direct Connect, and it can also establish a trust relationship with an existing on-premises AD.
You have a small company running on Windows.
The company leverages cloud resources such as Amazon WorkSpaces and Amazon WorkMail.

You want a fully managed solution to set policies and provide user management.

Which is the minimum AWS Directory Service option you would recommend?
Simple AD: limited functionality, but compatible with the desired applications (WorkSpaces and WorkMail).
There is hybrid connectivity between the on-premises data center and the AWS cloud infrastructure.
The team requires the same security policies on-premises and in the AWS Cloud.
Which Directory Service option should be used for new applications?
Use AD Connector, so the new applications authenticate against the existing on-premises AD and the policies stay in one place.
If budgeting or controlling spend appears, think of _________________
Cost Explorer (to analyze and forecast spend; pair it with AWS Budgets for thresholds and alerts)
How can you track spend by team or project with Cost Explorer?
Using cost allocation tags (tag the resources and activate the tag keys in the Billing console so they appear in Cost Explorer).
Can Cost Explorer estimate your spend for the upcoming month?
Yes, it forecasts future spend from your past usage.
What is the best way to let users know they're getting close to overspending?
Using alerts in AWS Budgets
With AWS Budgets it is possible to be alerted on ___________ spend or _____________ spend
current (actual), projected (forecasted)
3 tips for AWS Config
Standardization: any time a "rule" needs to be enforced in an account, use a Config rule to check for compliance.

Automate the response
Config can automatically remediate non-compliant resources using Systems Manager Automation documents.

Know what changed
It gives you a history of the configuration changes of all your resources.
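The "Standardization" tip above is usually implemented as a custom Config rule: a Lambda function that receives a configuration item and reports COMPLIANT or NON_COMPLIANT. The following is an added example, not code from the flashcard set or from AWS, that checks EC2 instances for a required tag. The event shape is the one AWS Config delivers for configuration-change triggered rules; the tag key `Environment`, the allowed values, the instance id and the timestamp are assumptions constructed for the sample.

```python
"""Custom AWS Config rule (Lambda handler) checking that EC2 instances carry a
required tag. Constructed example; the tag key, allowed values and sample
configuration item are assumptions, not data from the page."""
import json


def evaluate_compliance(configuration_item, rule_parameters):
    """Return (ComplianceType, Annotation) for one configuration item."""
    required_key = rule_parameters.get("requiredTagKey", "Environment")
    allowed = set(rule_parameters.get("allowedValues", "production,dev").split(","))

    if configuration_item["resourceType"] != "AWS::EC2::Instance":
        return "NOT_APPLICABLE", "rule only evaluates EC2 instances"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource was deleted"

    value = configuration_item.get("tags", {}).get(required_key)
    if value is None:
        return "NON_COMPLIANT", f"missing required tag {required_key}"
    if value not in allowed:
        return "NON_COMPLIANT", f"tag {required_key}={value} not in {sorted(allowed)}"
    return "COMPLIANT", f"tag {required_key}={value} present"


def build_evaluation(event):
    """Parse the Config invocation event and produce one Evaluation record."""
    invoking_event = json.loads(event["invokingEvent"])
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate_compliance(item, rule_parameters)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config limits annotations to 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    evaluation = build_evaluation(event)
    # Inside Lambda the result goes back to Config with the real API call below;
    # it is left commented out so this module runs offline:
    #   boto3.client("config").put_evaluations(
    #       Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample event: an instance that only has a Name tag.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "tags": {"Name": "web-1"},
        },
    }),
    "ruleParameters": json.dumps({"requiredTagKey": "Environment"}),
    "resultToken": "example-token",
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

Pairing the rule with a remediation action (the "Automate the response" tip) means the NON_COMPLIANT result can trigger a Systems Manager Automation document, for example one that tags or stops the instance; returning NOT_APPLICABLE for deleted resources keeps stale findings out of the compliance view.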
How would you differentiate a Cognito identity pool from the federated identity providers?
You choose a federated identity provider (or a Cognito user pool) to authenticate users, and associate a Cognito identity pool to authorize them: the identity pool exchanges the provider's token for temporary AWS credentials.
Your company doesn't have a directory service but wants users to sign in and use the app.

Which is the most cost-efficient option?
Use Amazon Cognito: a user pool to sign users in and securely store their profile attributes (plus an identity pool if the app needs AWS credentials).
We have an app that uses Amazon Cognito. To expand the availability and ease of signing in to the app, your team is requesting advice on allowing OpenID Connect (OIDC) identity providers as an additional means of authenticating users and saving their profile information.

What is your recommendation on OIDC identity providers?
This is supported: Cognito user pools can federate with OIDC providers, along with social and SAML-based identity providers.
Users are complaining that they are logged out of the console and need to log in again every hour. The user session needs to last long enough to complete their work. Which of the following can be set to meet this requirement?
Create a custom permission set (IAM Identity Center, formerly AWS SSO) with a session duration of 6 hours.
There is a concern that developers could potentially delete production EC2 instances. What would you do to help alleviate this concern?
*Create a separate AWS account for the developers and limit their actions to the EC2 resources of that account.
*Tag the production instances with an identifying tag and give the developers resource-level permissions with an explicit Deny on the ec2:TerminateInstances API call for instances carrying that tag (an aws:ResourceTag condition).
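Two of the cards above rest on the same evaluation rules: the Root -> Project_OU -> Dev_OU card (SCPs are inherited, every level must allow, an explicit Deny anywhere wins) and the production-instance card (an identity policy whose Deny is conditioned on a resource tag). The following is an added example written for this page, not AWS's policy engine and not code from the flashcard set: a small evaluator that models only the subset of IAM semantics those two cards rely on, with the two policies and a made-up instance ARN as constructed inputs. The tag key and value `Environment=production` are an assumption; the card only says "an identifying tag".

```python
"""Toy policy evaluator for two flashcards: SCP inheritance down an OU path and a
tag-conditioned Deny in an identity policy. Constructed example; it models only
Action/Resource wildcards, Allow/Deny precedence and StringEquals on
aws:ResourceTag/<Key>, nothing else of IAM."""
import fnmatch


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def statement_matches(stmt, action, resource, tags):
    """True if the statement's Action, Resource and Condition all match the request."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    # Only StringEquals on aws:ResourceTag/<Key> is modelled; anything else fails loudly.
    for key, wanted in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if not key.startswith("aws:ResourceTag/"):
            raise ValueError(f"unsupported condition key: {key}")
        if tags.get(key[len("aws:ResourceTag/"):]) != wanted:
            return False  # a missing tag never satisfies the condition
    return True


def evaluate_policy(policy, action, resource, tags=None):
    """One policy document: explicit Deny beats Allow, Allow beats the implicit deny."""
    tags = tags or {}
    outcome = "implicit_deny"
    for stmt in policy["Statement"]:
        if statement_matches(stmt, action, resource, tags):
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            outcome = "allow"
    return outcome


def scp_allows(ou_path, action, resource):
    """ou_path lists the SCPs attached at each level from Root down to the account.
    The action survives only if EVERY level allows it, and an explicit Deny at any
    level wins over Allows elsewhere: Dev_OU's Allow cannot undo Project_OU's Deny."""
    for scps_at_level in ou_path:
        level_allows = False
        for scp in scps_at_level:
            result = evaluate_policy(scp, action, resource)
            if result == "explicit_deny":
                return False
            level_allows = level_allows or result == "allow"
        if not level_allows:
            return False
    return True


def request_allowed(ou_path, identity_policy, action, resource, tags=None):
    """Effective permission = SCP ceiling AND an identity-policy grant."""
    return scp_allows(ou_path, action, resource) and \
        evaluate_policy(identity_policy, action, resource, tags) == "allow"


# --- Card: Root -> Project_OU -> Dev_OU --------------------------------------
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}  # the default SCP
PROJECT_OU_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:DeleteFlowLogs", "Resource": "*"}]}
DEV_OU_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:DeleteFlowLogs", "Resource": "*"}]}

OU_PATH = [[FULL_AWS_ACCESS],                  # Root
           [FULL_AWS_ACCESS, PROJECT_OU_SCP],  # Project_OU
           [FULL_AWS_ACCESS, DEV_OU_SCP]]      # Dev_OU

# --- Card: developers must not terminate production instances ---------------
# Assumed tag key/value: Environment=production.
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "production"}}}]}

INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"  # made up

if __name__ == "__main__":
    print(scp_allows(OU_PATH, "ec2:DeleteFlowLogs", "*"))  # Project_OU Deny wins
    for tags in ({"Environment": "production"}, {"Environment": "dev"}, {}):
        print(tags, request_allowed(OU_PATH, DEVELOPER_POLICY,
                                    "ec2:TerminateInstances", INSTANCE_ARN, tags))
```

Two things the evaluator makes visible that the cards do not: an SCP at Dev_OU that only lists `ec2:DeleteFlowLogs` without the default FullAWSAccess beside it would cut off every other action for those accounts (the intersection rule works against you too), and an untagged instance is not protected by the tag-conditioned Deny, so developers who can add or remove tags can slip past it; in practice the Deny is paired with a Deny on `ec2:CreateTags`/`ec2:DeleteTags` for that tag key.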