Access & Networking Control Flashcards
What is the purpose of EC2 Instance Metadata?
To allow an EC2 instance to learn about itself, such as instance ID, without needing IAM permissions.
What is the URL for EC2 Instance Metadata?
http://169.254.169.254/latest/meta-data
Can you retrieve IAM policy from EC2 metadata?
No, only IAM Role name is available, not the policy.
What is the difference between metadata and user data on EC2?
Metadata is instance information; user data is a launch script run once at boot.
What is the difference between IMDSv1 and IMDSv2?
IMDSv1 allows direct metadata access; IMDSv2 requires a session token for improved security.
How do you use MFA with the AWS CLI?
Use the STS GetSessionToken API to generate temporary credentials.
What is the command to get temporary credentials using MFA in AWS CLI?
aws sts get-session-token –serial-number <mfa-arn> --token-code <code> --duration-seconds 3600</code></mfa-arn>
Which programming languages are supported by AWS SDK?
Java, .NET, Node.js, PHP, Python (boto3), Go, Ruby, C++.
Which SDK does AWS CLI use internally?
Python SDK - boto3.
What region is used by default if not configured in SDK?
us-east-1.
What is Exponential Backoff used for in AWS?
To handle intermittent throttling errors with retries after increasing delays.
What should you do for consistent API throttling?
Request a service limit increase.
What are example API rate limits in AWS?
EC2 DescribeInstances: 100 calls/sec; S3 GET: 5500 per second per prefix.
What is the AWS CLI credentials provider chain order?
- CLI options 2. Env vars 3. CLI credentials file 4. CLI config file 5. ECS container creds 6. EC2 instance profile.
What is the AWS SDK default credentials provider chain?
- Java properties 2. Env vars 3. Credentials file 4. ECS container creds 5. EC2 instance profile.
In a scenario where environment variables are used on an EC2 instance, why might it override instance profile permissions?
Because environment variables have higher priority in the credentials provider chain.
What is the top AWS credential management best practice?
Never store AWS credentials in your code.
How should credentials be managed inside AWS?
Use IAM roles: EC2 roles, Lambda roles, ECS roles.
How should credentials be managed outside AWS?
Use environment variables or named profiles.
What is SigV4 in AWS?
It’s the signing process used to authenticate AWS HTTP requests.
When do you need to manually use SigV4?
When making direct HTTP API calls without the SDK or CLI.
Do AWS CLI and SDK sign requests automatically with SigV4?
Yes, they handle the signing process automatically.
What is a VPC?
A Virtual Private Cloud, a private network in AWS to deploy resources.
What is a subnet?
A partition of a VPC’s network; tied to an Availability Zone.
What is the difference between public and private subnets?
Public subnets can access the internet; private subnets cannot.
What component allows subnets to access the internet?
Internet Gateway for public subnets; NAT Gateway for private subnets.
What is an Internet Gateway?
Allows instances in a VPC to connect to the internet.
What is a NAT Gateway?
Allows instances in private subnets to access the internet while remaining unreachable from it.
What is a NACL?
A subnet-level firewall that allows or denies traffic.
What is a Security Group?
An instance-level firewall that only allows traffic.
How do NACLs and Security Groups differ?
NACLs are stateless and support DENY rules; Security Groups are stateful and support only ALLOW rules.
What is the purpose of VPC Flow Logs?
To capture information about IP traffic going to and from network interfaces in a VPC.
Where can VPC Flow Logs send data?
Amazon S3, CloudWatch Logs, or Kinesis Data Firehose.
What is VPC Peering?
A private connection between two VPCs using the AWS network.
Can VPC peering be transitive?
No, VPC peering is not transitive.
What is a VPC Endpoint?
Allows private access to AWS services from your VPC.
What are the two types of VPC Endpoints?
Gateway (for S3/DynamoDB) and Interface (for other services).
What is Site-to-Site VPN?
Encrypted VPN over the internet connecting on-premises to AWS.
What is AWS Direct Connect?
A private, fast, secure physical connection from on-premises to AWS.
Which connection goes over the public internet?
Site-to-Site VPN.
Which connection is private and takes longer to set up?
AWS Direct Connect.
What is a NAT Gateway used for?
Providing internet access to private subnets.
What are NACLs and where are they applied?
Network Access Control Lists applied at the subnet level.
What are Security Groups and where are they applied?
Instance-level firewalls applied to EC2 or ENI.
What are VPC Flow Logs used for?
Monitoring IP traffic and troubleshooting network issues.
Can you peer VPCs with overlapping CIDRs?
No, VPC peering requires non-overlapping CIDR blocks.
What does LAMP stand for?
Linux, Apache, MySQL, PHP.
Where does Apache run in the LAMP stack?
On EC2, serving as the web server.
Where is the database hosted in a typical LAMP architecture on AWS?
Amazon RDS with MySQL.
Which AWS service can be added for caching in LAMP?
Amazon ElastiCache.
Where is application logic and data stored in EC2?
On an EBS volume (root or additional).
