ACG Exam Tips - student feedback Flashcards

1
Q

What is Kinesis

A

Look for language in questions:
If they say big data think Kinesis
if they say BI, think Redshift
if they say big data processing think Elastic Map Reduce

Service for real time processing of streaming data at massive scale. Configure producers to send data to a Kinesis Stream

Way to consume big data

2
Q

EBS Backed vs Instance Store

A

On the exam, look for long term storage and think EBS backed. For short term think instance store volumes

EBS backed volumes are persistent
Instance Store backed volumes are ephemeral

EBS volumes can be detached and reattached to other EC2 instances

EBS volumes can be stopped and data will persist
instance store volumes can’t be stopped without losing data.

3
Q

What is opsworks

A

orchestration service that uses Chef

For exam, just look for terms like chef, recipes or cookbooks and associate them with OpsWorks

4
Q

Elastic Transcoder

A

cloud based media transcoding

has presets for common formats, does that for you

pricing based on minutes transcoded and resolution

5
Q

3 SWF Actors

A

Workflow Starters - app that initiates a workflow. ie. commence website

Deciders - control flow of activity tasks in the workflow execution

Activity Workers - carry out activity tasks

6
Q

How to query metadata to get public IP addresses

A

curl http://169.254.169.254/latest/meta-data

get http://169.254.169.254/latest/meta-data

7
Q

AWS Organizations

A

Account management service that lets you consolidate multiple AWS accounts for central management

2 feature sets:
consolidated billing
all features

Have an Organization with OUs under it, with AWS accounts associated to them

8
Q

Consolidated billing

A

paying account with linked accounts (i.e. dev, production, back office)

Monthly bill reflects each linked account

paying account can’t access resources of the linked accounts

linked accounts (limit of 20) are independent

9
Q

advantages of consolidated billing

A

one bill per account
volume pricing discount
unused reserved instances for EC2 applied across the group
easy to track charges, allocate costs

10
Q

consolidated billing best practices

A

enable MFA and strong password on root account

use paying account only for billing

11
Q

how many linked accounts by default

A

20, can request more

12
Q

billing alerts for linked accounts

A

when monitoring is enabled for paying account, billing data for linked accounts included

can create billing alerts for individual accounts

13
Q

Describe CloudTrail in terms of logging for multiple AWS accounts

A

is per account and enabled per region

can consolidate the logs between accounts using an S3 bucket and CloudTrail

  1. turn on CloudTrail in paying account
  2. create bucket policy allowing cross-account access
  3. turn on CloudTrail in all accounts and use bucket in paying account
14
Q

What is Cross Account Access?

A

lets you easily work with a multi-account AWS environment by letting you easily switch roles in the AWS Console

Can sign into console with your IAM username, then switch to manage other account without having to enter another name and password

15
Q

Steps required to implement Cross Account Access

A

Identify account numbers
Create a group in IAM, and a user for it (Dev, John)
Log into production account, create new policy
create the cross account role
apply new policy to the role
login to the developer account, create new policy there
apply new policy to the developer group
log in as John
switch accounts

16
Q

AWS Document for creating Cross Account Access

A

Create IAM role in the AWS account that users want to sign into (Prod). (need the account ID)

Give users in the original account (Dev) permissions to assume the role in the target account (Prod)

Create a script allowing user to sign into the Prod account console

17
Q

Tag overview

A

Tags can be inherited, i.e. from Auto Scaling, CloudFormation, Elastic Beanstalk

Tags can be nested

Tags are metadata

18
Q

resource groups overview

A

let you group resources using tags

contain info like region, name, health checks

contain specific details:
IP addresses, port configs, DB engine types

19
Q

One big big benefit of Resource Groups

A

great for tracking who is using what

20
Q

tag editor

A

lets you view all resources both tagged and untagged

21
Q

VPC Peering overview

A

connection between two VPCs letting you route between them with private IP addresses

Can only peer within a single region

Can peer with a VPC in another account

peering connection is not a gateway or VPN. It uses the existing VPC infrastructure

No single point of failure for peering

22
Q

is transitive peering supported in VPC peering?

A

no

23
Q

can overlapping IP blocks use VPC peering?

A

no

24
Q

Direct Connect benefits

A

reduce costs with large amounts of traffic

increase reliability

increase bandwidth

25
Q

Direct Connect vs VPN

A

VPN can be set up quickly; generally low bandwidth and more variability

Direct Connect like a leased line. It is a dedicated line to a peering facility where it cross connects to AWS

Can take weeks, months to set up

26
Q

Direct Connect bandwidths available

A

1 Gb
10 Gb

sub-1 Gb available through AWS Direct Connect partners

27
Q

Direct connect vlan tagging

A

Direct Connect uses 802.1Q VLAN tagging, which allows you to reach multiple parts of the AWS network over one link

28
Q

(STS) Security Token Service

A

grants users limited, temporary access to AWS resources

Users come from 3 sources

  1. Federation (SAML, typically with AD)
  2. Federation with mobile apps
  3. Cross-Account access
29
Q

STS Key Terms

A

Federation
combining list of users in one domain with another one

Identity Broker
Service that allows you to take identity from A and federate it to B
Usually you have to create your own

identity store
service like AD, facebook, google, etc

identities
user in an identity store

30
Q

do you usually have to create your own identity broker?

A

yes

31
Q

Scenario for setting up an Identity Broker to authenticate an EC2 application in a VPC to Active Directory over a VPN, so the application can write to S3

A

user enters account and password

app calls Identity Broker which captures credentials

ID Broker uses LDAP to validate the credentials

ID Broker uses IAM credentials to call new GetFederationToken Function. Includes an IAM policy, duration and policy for permissions to be granted

STS confirms policy of IAM user making the call gives the permission to create new tokens and then gives 4 values to application
access key, secret access key, token and token lifetime

ID Broker returns temp credentials to app

app uses temp credential to make requests to S3

S3 uses IAM to verify credentials

IAM allows S3 to perform requested operation

32
Q

Federate Active Directory with AWS

A

User browses to AD Federation Services website

Sign-on page authenticates user against AD

User’s browser gets SAML assertion in form of authentication response from ADFS

User’s browser posts the SAML assertion to AWS sign-on endpoint. Sign-on uses the “AssumeRoleWithSAML” API to get temporary credentials and creates a sign-on URL for the console

User’s browser receives sign-on URL and is redirected to the console

33
Q

AWS Workspaces (read FAQ)

A

A VDI, cloud based replacement for desktops

User can login with existing AD credentials if integrated with AD

But don’t need AD domain.

Also don’t need AWS account to login to workspaces

workspaces are persistent

by default users given local admin rights

34
Q

ECS and Docker Part 1 - what is docker?

A

It packages software into standard units called Containers

They let you package application code, configurations and dependencies into building blocks, providing consistency and efficiency

35
Q

VM vs Container

A

Each VM has to have a guest OS

Container doesn’t have a guest OS, only dependencies

Docker gains higher density because of this

36
Q

Container benefits

A

reduces dependencies

increased consistency from dev - test - qa - prod

containers don’t affect each other

increased portability

37
Q

Docker components

A

Docker image - like an ISO or AMI but has only files required to boot container

Docker Container - isolated application platform

Layers / Union File System -

Docker File - images built from base images, contains instructions

Docker daemon / engine -

Docker client - interface to the docker engine

Docker registries / hubs - host images for people to share

38
Q

Elastic Container Service

A

ECS eliminates need for your own container management system, or worry about scaling your infrastructure

Regional service you can use in one or more AZs to schedule placement of containers across your cluster

ECS can create a consistent deployment and build experience, manage and scale workloads and build application architectures

39
Q

What is a Docker Image?

A

read only template with instructions for creating a docker container

like cloudformation

Collection of root filesystem changes and execution parameters for use in a container runtime

It’s created from a docker file that specifies components to install

40
Q

What is ECR - EC2 Container Registry?

A

Managed AWS Docker Registry Service (AWS Docker Hub)

41
Q

What are ECS Task definitions?

A

text files in JSON format describing one or more containers that form your application

Describes a docker container in JSON

42
Q

ECS Services

A

lets you run and maintain instances in an ECS cluster

Like Auto-Scaling Groups but for ECS

43
Q

ECS Clusters

A

grouping of container instances you can place tasks on.

Contain multiple container instance types

region specific

can only be part of one cluster at a time

Can use IAM policies to manage access

44
Q

ECS Scheduling

A

Service Scheduler
ensures specified number of tasks are constantly running. Reschedules tasks if they fail

Custom Scheduler
create own schedulers, use 3rd party schedulers

45
Q

ECS Container Agent

A

lets container instances connect to your cluster

Can install on any EC2 Linux instance that supports ECS specification

46
Q

ECS Security

A

IAM Roles control EC2 instance access to ECS. ECS tasks use IAM to access services, resources

Security Groups at host level, not task or container level

Configure OS of EC2 instances in ECS cluster

47
Q

ECS Soft Limits

A

Clusters per region = 1000
Instances per cluster = 1000
Services per cluster = 500

48
Q

ECS Hard Limits

A

One load balancer per service
1000 tasks per service
10 containers per task definition
10 tasks per instance (hosts)

49
Q

ECS Exam Tips 1

A

ECS - AWS managed EC2 containers

Containers = method of OS virtualization

Containers created from read-only template called image

Image has instructions for creating the container

Images stored in a registry like AWS ECR or DockerHub

50
Q

ECS Exam Tips 2

A

Task Definition required to run containers in ECS

Task Definitions are JSON files describing containers (CPU, RAM, etc)

Task Definitions are like cloud formation templates

ECS Services lets you run and maintain “desired count” of instances in an ECS cluster

Services are like AutoScaling Groups for ECS

ECS Cluster is logical grouping of container instances you can put tasks on

51
Q

ECS Exam Tips 3

A

clusters can have multiple container instance types

clusters are region specific

container instances can only be part of one cluster at a time

can create IAM policies for clusters

Schedule ECS 2 ways: Service or Custom

ECS agent (linux only) connects EC2 instances to ECS cluster

IAM and ECS for access control

Security Groups work at instance not container or task level