What is your experience with CICD?
Answer: My experience with CICD includes setting up pipelines for continuous integration and deployment, implementing automated testing and deployment, and integrating security tools such as static analysis and vulnerability scanners into the CICD process.
Can you explain CloudFormation and its use cases?
Answer: CloudFormation is an Amazon Web Services (AWS) service that allows you to automate the process of creating and managing resources in the AWS Cloud. It allows you to define a set of resources and their configuration in a template, which can then be used to create and manage those resources in a repeatable and automated manner. Some common use cases for CloudFormation include infrastructure as code, disaster recovery, and multi-tier application deployments.
What is Amazon Certificate Manager and why is it used?
Answer: Amazon Certificate Manager (ACM) is a service that allows you to easily and securely manage SSL/TLS certificates for your applications. ACM makes it simple to request, manage, and deploy SSL/TLS certificates for use with AWS services such as Elastic Load Balancers, Amazon CloudFront distributions, and APIs hosted on Amazon API Gateway. By using ACM, you can eliminate the time-consuming manual process of acquiring, uploading, and renewing SSL/TLS certificates, and ensure that your applications use only the most secure and up-to-date certificates.
What is Terraform and what is an active-active policy?
Answer: Terraform is an open-source tool for building, changing, and versioning infrastructure safely and efficiently. An active-active policy in Terraform refers to a configuration where multiple instances of an application are running simultaneously in multiple regions or availability zones, with traffic being balanced across the instances. This helps to increase the reliability and availability of the application, as well as provide lower latency for users by serving them from the closest available instance.
Can you explain Elastic Beanstalk and VPC?
Answer: Elastic Beanstalk is an AWS service that makes it easy to deploy, run, and manage web applications and services. A VPC, or Virtual Private Cloud, is a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. When using Elastic Beanstalk, you can configure your application to run inside a VPC, which provides additional security and isolation for your application, as well as the ability to control network access to your application resources.
What is CDK and what are some use cases for it?
Answer: The AWS Cloud Development Kit (CDK) is an open-source software development framework for defining cloud infrastructure as code (IaC) and provisioning it through AWS CloudFormation. Some use cases for the CDK include automating the creation and management of AWS resources, defining infrastructure as code, and making it easy to manage and modify infrastructure.
How do you secure S3 Buckets?
Answer: There are several methods to secure S3 Buckets, including using S3 bucket policies, Access Control Lists (ACLs), and S3 object encryption. Additionally, you can use AWS Identity and Access Management (IAM) policies to control who has access to the bucket and its contents. Other security measures, such as using VPC endpoints, using multi-factor authentication (MFA) for deletes, and versioning, can also be used to further secure S3 Buckets.
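As an added example (not from the original page), the following Python audits a bucket policy for the risky grants the answer above warns about and checks that a TLS-only Deny statement is present; the policy document itself is constructed for the example.

```python
import json

# Constructed sample bucket policy (not from any real account) mixing one
# defensive Deny statement with two risky Allow statements.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "WideWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the principal grants to everyone ('*' or {'AWS': '*'})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(p) for p in principal.values())
    return False


def audit_bucket_policy(policy_json):
    """Return (Sid, finding) pairs for Allow statements that widen access."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") != "Allow":
            continue  # Deny statements restrict access; only grants are audited
        if _is_anonymous(st.get("Principal")) and "Condition" not in st:
            findings.append((sid, "unconditional public access"))
        if any(a in ("*", "s3:*") for a in _as_list(st.get("Action", []))):
            findings.append((sid, "wildcard action grant"))
    return findings


def has_tls_only_statement(policy_json):
    """True when some Deny statement rejects requests with aws:SecureTransport=false."""
    for st in json.loads(policy_json).get("Statement", []):
        cond = st.get("Condition", {}).get("Bool", {})
        if st.get("Effect") == "Deny" and cond.get("aws:SecureTransport") == "false":
            return True
    return False
```

Run it against a policy fetched with `aws s3api get-bucket-policy` to get the same findings for a real bucket; S3 Block Public Access settings are checked separately and are not part of the policy document.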
What happens when we enable private API endpoint for EKS?
When we enable a private API endpoint for EKS, the API server component of the cluster is no longer publicly accessible. This means that access to the API server is restricted to resources within the virtual private cloud (VPC) and connected networks, rather than being publicly accessible from the internet. This improves the cluster's security by reducing the attack surface and making it more difficult for malicious actors to compromise the cluster.
In other words, enabling a private API endpoint for EKS means that the API server endpoint for the EKS cluster will be accessible only within the Amazon VPC where the cluster is deployed. This makes the API server endpoint inaccessible from the public internet, improving the cluster's security.
How do we enable logging for control plane in EKS?
To enable logging for the control plane in EKS, you can use CloudWatch Logs Insights or Fluentd. You can configure the logging by adding a cluster logging configuration to the Amazon EKS control plane. This will direct logs to a specific Amazon S3 bucket and/or Amazon CloudWatch Log Group.
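To tie the two EKS questions together, here is an added Python check (not from the original page) that reads the shape returned by `aws eks describe-cluster` and reports a publicly reachable API endpoint and any control-plane log types that are not enabled; the cluster payload is constructed for the example.

```python
# Constructed payload in the shape of `aws eks describe-cluster` output;
# the name and settings are invented for this example.
SAMPLE_CLUSTER = {
    "cluster": {
        "name": "example-cluster",
        "resourcesVpcConfig": {
            "endpointPublicAccess": True,
            "endpointPrivateAccess": False,
            "publicAccessCidrs": ["0.0.0.0/0"],
        },
        "logging": {
            "clusterLogging": [
                {"types": ["api", "authenticator"], "enabled": True},
                {"types": ["audit", "controllerManager", "scheduler"], "enabled": False},
            ]
        },
    }
}

# The five control-plane log types EKS can send to CloudWatch Logs.
ALL_LOG_TYPES = {"api", "audit", "authenticator", "controllerManager", "scheduler"}


def enabled_log_types(cluster_desc):
    """Set of control-plane log types currently enabled on the cluster."""
    enabled = set()
    for entry in cluster_desc["cluster"].get("logging", {}).get("clusterLogging", []):
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return enabled


def audit_cluster(cluster_desc):
    """Findings about API endpoint exposure and missing control-plane logs."""
    findings = []
    vpc = cluster_desc["cluster"]["resourcesVpcConfig"]
    if vpc.get("endpointPublicAccess"):
        if "0.0.0.0/0" in vpc.get("publicAccessCidrs", []):
            findings.append("API server reachable from any internet address")
        else:
            findings.append("API server public but CIDR-restricted")
    if not vpc.get("endpointPrivateAccess"):
        findings.append("private endpoint disabled")
    missing = ALL_LOG_TYPES - enabled_log_types(cluster_desc)
    if missing:
        findings.append("control-plane logs not enabled: " + ", ".join(sorted(missing)))
    return findings
```

Both settings are changed with `aws eks update-cluster-config` (its `--resources-vpc-config` and `--logging` options).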
Experience with JFrog and Artifactory
The candidate should be able to explain their experience with using JFrog and Artifactory in their DevSecOps workflows. They should be able to describe how they use these tools for artifact management and repository management, as well as for security-related activities such as vulnerability scanning and remediation.
JFrog Artifactory is a binary repository manager used for storing binary artifacts and dependencies.
A candidate with experience with JFrog Artifactory should be familiar with using it to manage packages, libraries, and dependencies for various programming languages, including .NET, Java, and Python.
They should also be familiar with integrating Artifactory into continuous integration/continuous delivery (CI/CD) pipelines, and using it for build artifact management.
## VPC
What are the differences between NACLs and Security Groups in AWS?
The difference between Network Access Control Lists (NACLs) and Security Groups in Amazon Web Services (AWS) is:
Purpose: NACLs are used to control traffic in and out of subnets within a Virtual Private Cloud (VPC), while Security Groups control traffic to individual instances.
Granularity: NACLs operate at the subnet level, while Security Groups operate at the instance level.
Rules: NACLs have both inbound and outbound rules, while Security Groups only have inbound rules.
Order of Operations: Security Groups are evaluated before NACLs, so if a request is denied by a Security Group, it won't be evaluated by the NACL.
Stateful: NACLs are stateless, meaning that return traffic must be explicitly allowed. Security Groups, on the other hand, are stateful, meaning that return traffic is automatically allowed if the initial traffic was allowed.
In general, NACLs should be used for more broad network security controls, while Security Groups should be used for more granular instance-level security controls.
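The statefulness and rule-ordering points above, shown as an added Python model (not from the original page): the NACL is stateless and evaluated by rule number, so reply packets on ephemeral ports need their own allow rule, while the security group admits replies to flows the instance opened. The rules, addresses and ports are constructed for the example; only inbound evaluation is modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed inbound rules. NACL entries are (rule number, action, source CIDR,
# (low port, high port)); they are evaluated in rule-number order, the first
# match wins, and the implicit '*' rule at the end denies. Security group
# entries are allow-only, so they are just (source CIDR, (low port, high port)).
NACL_INBOUND = [
    (100, "allow", "0.0.0.0/0", (443, 443)),
    (110, "deny", "203.0.113.0/24", (1, 65535)),
    (120, "allow", "0.0.0.0/0", (1024, 65535)),  # ephemeral ports for return traffic
]
SG_INBOUND = [("10.0.0.0/16", (443, 443))]


def _matches(cidr, lo, hi, src_ip, port):
    return ip_address(src_ip) in ip_network(cidr) and lo <= port <= hi


def nacl_allows(rules, src_ip, port):
    """Stateless: every packet, replies included, is checked against the rule list."""
    for _num, action, cidr, (lo, hi) in sorted(rules):
        if _matches(cidr, lo, hi, src_ip, port):
            return action == "allow"
    return False  # implicit deny


def sg_allows(rules, src_ip, port, tracked_flows=frozenset()):
    """Stateful: a reply to a flow the instance initiated is allowed without a rule.
    tracked_flows holds (peer_ip, local_port) pairs of connections opened outbound."""
    if (src_ip, port) in tracked_flows:
        return True
    return any(_matches(cidr, lo, hi, src_ip, port) for cidr, (lo, hi) in rules)


def inbound_allowed(src_ip, port, tracked_flows=frozenset()):
    """A packet must be admitted by both the subnet NACL and the instance security group."""
    return (nacl_allows(NACL_INBOUND, src_ip, port)
            and sg_allows(SG_INBOUND, src_ip, port, tracked_flows))
```

Note that rule 100 admits port 443 from 203.0.113.0/24 even though rule 110 denies that range, because the lower-numbered rule matches first.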
What is PrivateLink? What are its different types?
AWS PrivateLink is a networking feature that enables Amazon VPC customers to privately access services over an Amazon VPC endpoint, rather than over the internet. There are two types of PrivateLink: Interface Endpoints and Gateway Endpoints.
What are the types of load balancers AWS offers and how do they differ?
AWS offers three types of load balancers: Application Load Balancer (ALB), Network Load Balancer (NLB), and Classic Load Balancer. The main difference between them is the level at which they operate and the type of traffic they can handle. ALBs are best suited for application-level load balancing, NLBs are optimized for network-level load balancing, and Classic Load Balancers are best suited for legacy applications.
## IAM
What is a condition context key?
A condition context key is a key-value pair that can be used to define conditions in IAM policies. Condition context keys provide additional context that can be used to enforce fine-grained permissions. For example, you could use a condition context key to specify the number of API calls an IAM user is allowed to make in a given period.
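As an added illustration (not from the original page) of how condition context keys narrow a permission, this Python evaluates an IAM statement that allows object deletion only from a corporate CIDR and only with MFA, using the real global keys `aws:SourceIp` and `aws:MultiFactorAuthPresent`; the statement and request contexts are constructed, and the evaluator covers only a few condition operators.

```python
from ipaddress import ip_address, ip_network

# Constructed statement: delete objects only from 192.0.2.0/24 and only when
# the caller authenticated with MFA. Condition blocks are ANDed together;
# the values listed under one key are ORed, as in IAM.
SAMPLE_STATEMENT = {
    "Effect": "Allow",
    "Action": "s3:DeleteObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {
        "IpAddress": {"aws:SourceIp": ["192.0.2.0/24"]},
        "Bool": {"aws:MultiFactorAuthPresent": "true"},
    },
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(operator, key, expected, ctx):
    """Evaluate one (operator, key) pair against the request context."""
    if key not in ctx:
        return False  # a missing key never satisfies a plain (non-IfExists) operator
    values, actual = _as_list(expected), ctx[key]
    if operator == "IpAddress":
        return any(ip_address(actual) in ip_network(v) for v in values)
    if operator == "NotIpAddress":
        return not any(ip_address(actual) in ip_network(v) for v in values)
    if operator == "Bool":
        return str(actual).lower() == str(values[0]).lower()
    if operator == "StringEquals":
        return actual in values
    raise ValueError(f"unsupported operator {operator}")


def statement_matches(statement, action, request_context):
    """True when the action is covered and every condition block is satisfied."""
    if action not in _as_list(statement["Action"]):
        return False
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_ok(operator, key, expected, request_context):
                return False
    return True
```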
If I wanted to set up federation into an AWS account, what are some of the ways I could do it?
There are several ways to set up federation into an AWS account: using the AWS Management Console, using the AWS CLI, and using the AWS API. The most common method is to use the AWS Management Console to create an identity provider in your organization's identity system and then configure AWS to trust the identity provider.
What are some of the differences between users and roles in AWS IAM?
In AWS IAM, users are AWS identities that are created within your AWS account. Users can be assigned permissions directly or through groups. Roles, on the other hand, are a way to grant AWS services and other AWS accounts access to AWS resources within your AWS account.
## Bash vs. Python
Bash is a shell scripting language typically used for automating tasks and running commands in a Unix or Linux environment.
Python is a high-level programming language used for various purposes, including web development, data analysis, machine learning, and more.
One key difference between bash and python is that bash is a scripting language, whereas Python is a general-purpose programming language.
Bash is generally easier to learn and use for simple tasks, while Python is more powerful and flexible for complex tasks.
## Cron Task Scheduling
If a scheduled task in cron is now running an hour off from when it used to, it is likely due to a change in the system time.
To resolve the issue, check the system time and make any necessary adjustments, or update the cron job to take into account any changes to the system time.
## Networking
What are ports?
Ports are communication endpoint identifiers for networked devices. They are used to differentiate between different services and applications running on a single device.
What is the difference between an A record and a CNAME record?
A record (Address Record) maps a domain name to an IP address. It is used to specify the IP address of a host.
CNAME (Canonical Name Record) maps a domain name to another domain name. It is used to specify an alias for a domain name, rather than an IP address.
What is the difference between TCP and UDP?
TCP (Transmission Control Protocol) is a connection-oriented protocol that ensures reliable delivery of data by establishing a connection between the sender and the receiver. It requires acknowledgment of data receipt before the next packet is sent.
UDP (User Datagram Protocol) is a connectionless protocol that does not establish a connection and does not ensure reliable delivery of data. It is faster and more efficient, but data can be lost or delivered out of order.
What are some egress routing options I have in AWS?
Some egress routing options in AWS include:
VPC Peering
VPC Endpoints
AWS Direct Connect
Internet Gateway
What are some ingress routing options I have in AWS?
Some ingress routing options in AWS include:
Elastic Load Balancer (ELB)
Network Load Balancer (NLB)
Application Load Balancer (ALB)
Classic Load Balancer (CLB)
How would I perform transitive routing across VPCs in AWS?
Transitive routing across VPCs can be performed using VPC Peering. This allows communication between instances in different VPCs by creating a direct network connection between them. Alternatively, you can route traffic from one VPC to another through a Virtual Private Gateway or a Direct Connect Gateway.