
Amazon AWS SysOps – Security and Compliance for SysOps part 3

GuardDuty: So GuardDuty is a very special service that’s kind of hard to understand because we don’t have to do much. But it is an intelligent threat discovery, basically meant to protect your AWS accounts. That means that it’s going to run some analysis in the background. You don’t have to do anything. It will use the logs that are available to it and it will just make sure that it’s protecting you against malicious usage. So it will use a machine learning algorithm, anomaly detection, and third party…

Amazon AWS SysOps – Security and Compliance for SysOps part 2

AWS Inspector: Okay, so now let’s talk about AWS Inspector. So this is only for EC2 instances and that is very important. The exam will trick you into saying could you use Inspector on RDS? The answer is no, you cannot. The only way you can use Inspector is on EC2 instances. So what does Inspector do? Well, it helps you analyze the known vulnerabilities or the unintended network accessibility on your EC2 instances only. Why? Because you need to install an Inspector agent and you need…

Amazon AWS SysOps – Security and Compliance for SysOps part 1

Section Introduction: Welcome to this section around Security and Compliance. This section is one of the hardest going into the SysOps exam because we’re going to learn about new technologies. All of them have a lot of different names such as Inspector, HSM, WAF, Trusted Advisor, GuardDuty, etc., etc. Now, in this section, I wanted to make things easy, so we’ll go over them one by one, and I will try to include a hands-on where possible. Also at the end of this section, I have a whole…

Amazon AWS SysOps – Preparing for the Exam + Practice Exam – AWS Certified SysOps Administrator A…Section 17: Preparing for the Exam + Practice Exam – AWS Certified SysOps Administrator Asso

Exam Preparation – Section Introduction: Okay, so congratulations on making it this far. You’ve probably learned a lot of things by now. I just want to take a step back and make sure we have covered everything we need to know for the exam. So let’s look at how far we’ve gone on the learning journey. And for this, we’ll explore this AWS link, which describes what the exam is about. So we are on the Certified SysOps Administrator Associate web page, and this is where we can just look…

Amazon AWS SysOps – Networking – VPC part 8

Egress Only Internet Gateway: Let’s talk about egress only Internet gateway. So egress means outgoing, and outgoing only Internet gateway kind of hints at what it does. But let’s be very, very clear. Egress only Internet gateway works only for IPv6. So if you have an IPv4 instance, that just does not apply to it. So an egress only Internet gateway makes us think of a NAT, but NAT is for IPv4. So egress only Internet gateway is the same as a NAT, but for IPv6,…

Amazon AWS SysOps – Networking – VPC part 7

Bastion Hosts: So let’s talk about Bastion Host. So this is the diagram. We have our Bastion Host users. We SSH into the Bastion Host, which is in a public subnet. And then from the Bastion Host we’re able to SSH into other Linux instances. So the Bastion Host is used to SSH into private instances and it sits in the public subnets. And the reason we do this is because the public subnet is connected to all the other private subnets, what we need to do is make…

Amazon AWS SysOps – Networking – VPC part 6

VPC Flow Logs + Athena: So now let’s talk about flow logs. Flow logs help you capture information about the IP traffic that’s going within your interfaces. And you have three kinds of flow logs. You have the VPC flow log and that applies to everything within your VPC. You have the subnet flow logs which apply to something just within your subnet. And then you have the Elastic Network Interface flow log just for one network interface. So overall if you define a VPC flow log then it’s going…

Amazon AWS SysOps – Networking – VPC part 5

VPC Peering: So now let’s talk about VPC peering. And VPC peering allows you to connect two VPCs privately, directly, using AWS’s network and to make them behave as if they were in the same network. For this, you need to have non-overlapping CIDRs. So be very careful when you create your CIDRs and your VPC, make sure they are different, make sure they don’t overlap. So let’s take an example. We have VPC A and VPC and we want them to be connected somehow. We have to create…

Amazon AWS SysOps – Networking – VPC part 4

DNS Resolution Options & Route 53 Private Zones: Let’s quickly talk about DNS resolution. In a VPC there are two very important settings and the exam may ask you about them. The first one is Enable DNS Support and that is a DNS resolution setting and the default is true and it helps decide if the DNS resolution is supported for the VPC. That means that if it’s true, there is an AWS DNS server that will be queried automatically as a primary DNS at. There’s a second setting…

Amazon AWS SysOps – Networking – VPC part 3

NAT Instances: We have our instances in our public subnet that have Internet connectivity thanks to the Internet gateway. But for our instances in our private subnet, they cannot access the Internet. If they were to access it through the Internet gateway, they would also be directly accessible from the Internet. So for this, we need a better solution. And that solution is a NAT. NAT stands for Network Address Translation. Now NAT comes in two flavors. It comes with NAT instances, which is really outdated, not recommended, but still can…