You use AWS published API calls to access Amazon EC2 through the network. Clients must support Transport Layer Security (TLS) 1.1 or later. Clients must support TLS 1.2 or later by June 28, 2023. Clients must also support cipher suites with perfect forward secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes.
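As an added example (not code from the AWS documentation), the following Python builds a client TLS configuration that meets the requirements just stated, TLS 1.2 or later with PFS cipher suites, and audits any SSLContext against them. The endpoint name and the cipher string are assumptions of this example; no connection is made, the point is the policy check itself.

```python
import ssl

# Constructed values for this example: the EC2 regional endpoint a client would
# talk to (no connection is made here) and the key-exchange algorithms that give
# forward secrecy, named as OpenSSL reports them via SSLContext.get_ciphers().
EC2_ENDPOINT = "ec2.us-east-1.amazonaws.com"
PFS_KEY_EXCHANGE = {
    "kx-ecdhe", "kx-dhe",            # TLS 1.2 ephemeral (EC)DH suites
    "kx-ecdhe-psk", "kx-dhe-psk",    # PSK variants that still use an ephemeral exchange
    "kx-any",                        # TLS 1.3 suites: key exchange is always ephemeral
}


def hardened_ec2_client_context() -> ssl.SSLContext:
    """Client context meeting the EC2 API requirements: TLS 1.2 or later,
    certificate and hostname verification on, PFS cipher suites only."""
    ctx = ssl.create_default_context()  # verifies the server certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites restricted to ephemeral (EC)DH key exchange with AEAD ciphers.
    # TLS 1.3 suites are configured separately by OpenSSL and are always forward secret.
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL:!MD5"
    )
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Weaker configuration for comparison: lowest protocol version the library
    still allows (possibly TLS 1.0/1.1) and OpenSSL's DEFAULT cipher list, which
    typically still contains static RSA key exchange (no forward secrecy)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("DEFAULT")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the findings that would make this context fail the EC2 API policy.
    An empty list means TLS >= 1.2 and every enabled suite is forward secret."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("min_version_below_tls12")
    for cipher in ctx.get_ciphers():
        if cipher["kea"] not in PFS_KEY_EXCHANGE:
            findings.append(f"non_pfs_cipher:{cipher['name']}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_ec2_client_context()),
                       ("legacy", legacy_client_context())):
        print(f"{label} context for {EC2_ENDPOINT}: {audit_context(ctx) or 'OK'}")
```

The audit relies on the key-exchange algorithm OpenSSL reports for each suite rather than on parsing cipher names, so a renamed or unfamiliar suite is still classified correctly, and TLS 1.3 suites (reported as `kx-any`) pass because that protocol only defines ephemeral key exchange.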
Additionally, requests must be signed using an access key ID and a secret access key that is associated with an IAM principal. Or you can use the AWS Security Token Service (AWS STS) to generate temporary security credentials to sign requests. For more information, see Infrastructure Protection in the Security Pillar – AWS Well-Architected Framework.

Network isolation

A virtual private cloud (VPC) is a virtual network in your own logically isolated area in the AWS Cloud. Use separate VPCs to isolate infrastructure by workload or organizational entity.

A subnet is a range of IP addresses in a VPC. When you launch an instance, you launch it into a subnet in your VPC. Use subnets to isolate the tiers of your application (for example, web, application, and database) within a single VPC. Use private subnets for your instances if they should not be accessed directly from the internet.

To call the Amazon EC2 API from your VPC using private IP addresses, use AWS PrivateLink. For more information, see Access Amazon EC2 using an interface VPC endpoint.

Isolation on physical hosts

Different EC2 instances on the same physical host are isolated from each other as though they are on separate physical hosts. The hypervisor isolates CPU and memory, and the instances are provided virtualized disks instead of access to the raw disk devices. When you stop or terminate an instance, the memory allocated to it is scrubbed (set to zero) by the hypervisor before it is allocated to a new instance, and every block of storage is reset. This ensures that your data is not unintentionally exposed to another instance.

Network MAC addresses are dynamically assigned to instances by the AWS network infrastructure. IP addresses are either dynamically assigned to instances by the AWS network infrastructure, or assigned by an EC2 administrator through authenticated API requests. The AWS network allows instances to send traffic only from the MAC and IP addresses assigned to them. Otherwise, the traffic is dropped. By default, an instance cannot receive traffic that is not specifically addressed to it. If you need to run network address translation (NAT), routing, or firewall services on your instance, you can disable source/destination checking for the network interface.

Controlling network traffic

Consider the following options for controlling network traffic to your EC2 instances:
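The request-signing requirement stated above (an access key ID and secret access key, or STS temporary credentials) is AWS Signature Version 4. The following Python is an added example, not the AWS SDK's code, that derives the SigV4 signing key and signs an EC2 DescribeInstances query request using only the standard library. The access key ID and secret are the placeholder example keys AWS uses in its own documentation, the timestamp and session token are constructed, and the request is built but never sent.

```python
import hashlib
import hmac
import urllib.parse

# Constructed values for this example. The access key ID and secret are the
# placeholder example keys from AWS documentation, not real credentials.
EXAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
EXAMPLE_AMZ_DATE = "20150830T123600Z"  # fixed timestamp so output is reproducible


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: a fixed HMAC chain over date, region, service and
    the literal 'aws4_request'. The long-term secret never leaves the client and
    the derived key is only valid for that one day, region and service."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def _uri_encode(value: str) -> str:
    # RFC 3986 encoding as SigV4 requires: only unreserved characters stay bare.
    return urllib.parse.quote(value, safe="-_.~")


def sign_ec2_get(access_key, secret_key, region, params, amz_date, session_token=None):
    """Build a signed GET to the EC2 Query API and return the URL plus headers.
    A session_token (STS temporary credentials) is sent and signed as
    x-amz-security-token, which is how the SDKs present STS credentials."""
    host = f"ec2.{region}.amazonaws.com"
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/ec2/aws4_request"

    # 1. Canonical request: method, path, sorted encoded query, lowercased sorted
    #    headers, the list of signed header names, and the hash of the (empty) body.
    canonical_query = "&".join(
        f"{_uri_encode(k)}={_uri_encode(v)}" for k, v in sorted(params.items())
    )
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join(
        ["GET", "/", canonical_query, canonical_headers, signed_headers, _sha256_hex(b"")]
    )

    # 2. String to sign binds algorithm, timestamp, credential scope and the request hash.
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode("utf-8"))]
    )

    # 3. Signature with the derived key; the Authorization header carries the scope,
    #    the signed header list and the signature so the service can recompute it.
    signature = hmac.new(
        signing_key(secret_key, date_stamp, region, "ec2"),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return {"url": f"https://{host}/?{canonical_query}", "headers": headers}


def describe_instances_request(session_token=None):
    """Signed DescribeInstances call using the constructed example values above."""
    return sign_ec2_get(
        EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY, "us-east-1",
        {"Action": "DescribeInstances", "Version": "2016-11-15"},
        EXAMPLE_AMZ_DATE, session_token,
    )


if __name__ == "__main__":
    req = describe_instances_request()
    print(req["url"])
    for name, value in req["headers"].items():
        print(f"{name}: {value}")
```

Because the signature covers the timestamp and the credential scope, a captured request is only replayable within the service's clock-skew window and only against the same region and service, and the secret key is never transmitted; with STS credentials, the session token is both sent and covered by the signature.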
In addition to restricting network access to each Amazon EC2 instance, Amazon VPC supports implementing additional network security controls like in-line gateways, proxy servers, and various network monitoring options.
Which of the following AWS services can assist you with cost optimization?

This section reviews the following AWS services and tools, which can provide insights and assist in the cost optimization process: AWS Cost Explorer, AWS Trusted Advisor, and AWS Compute Optimizer.

Which of the following should be used to improve the security of access to the AWS Management Console?

MFA is the best way to protect accounts from inappropriate access. Always set up MFA on your root user and AWS Identity and Access Management (IAM) users.

Which of the following AWS services will help ensure that they have the proper security settings?

AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your AWS users, groups, and roles. Using IAM, you can create and manage fine-grained access controls with permissions, specify who can access which services and resources, and under which conditions.