IAM Best Practices
MFA
Strong password policy
Create individual Users instead of using root
Use roles for EC2 instances
Web Application Firewall (WAF)
Protects against common attack patterns
SQLi
XSS
Shield
DDoS protection service
Shield Standard
Always on
Free
Shield Advanced
Provides enhanced protections and 24/7 access to AWS experts for a fee
Protects
CloudFront
Route53
Elastic Load Balancing
AWS Global Accelerator
Macie
helps you discover and protect sensitive data
Uses Machine Learning
Evaluates S3
uncovers PII - Personally Identifiable Information
Config
Track configuration over time
Delivers configuration history to S3
Notifications via Simple Notification Service (SNS) of every configuration change
GuardDuty
intelligent threat detection system that uncovers unauthorized behavior
uses machine learning
Built in for EC2, S3 & IAM
Reviews CloudTrail, VPC Flow Logs, and DNS logs
Inspector
works with EC2 instances to uncover and report vulnerabilities.
Agent installed on EC2
Report vulnerabilities found
Checks access from the internet, remote root login, vulnerable software versions, etc.
AWS Management Console
You’re able to configure and manage your instances via a web browser.
Secure Shell (SSH)
SSH allows you to establish a secure connection to your instance from your local laptop.
EC2 Instance Connect (EIC)
EIC allows you to use IAM policies to control SSH access to your instances, removing the need to manage SSH keys.
AWS Systems Manager
Systems Manager allows you to manage your EC2 instances via a web browser or the AWS CLI.
EC2 Pricing - On Demand
Fixed price - billed down to the second.
No contract, pay only for what you use
Low cost without any upfront payment or long-term commitment
Application with an unpredictable workload that can’t be interrupted
Application under development
Workload will NOT run longer than a year
EC2 Pricing - Reserved Instances
Application with steady-state usage
Can commit to 1 to 3 years
Pay upfront for discount on On-Demand prices
application requires capacity reservations
EC2 Pricing - Dedicated Hosts
Paying for physical server
Bring your own server-bound license (e.g., Microsoft or Oracle)
Have regulatory or corporate compliance requirements around tenancy models
EC2 Pricing - Savings Plans
commit to COMPUTE usage (measured per HOUR) for 1 or 3 years
Lower bill across multiple computing services
Flexibility to change compute services, instance types, operating systems, or regions
Horizontal Scaling
Horizontal scaling (or scaling out) adds or replaces instances
Vertical Scaling
Vertical scaling (or scaling up) upgrades an existing instance.
Amazon Machine Images (AMI)
You can use a preconfigured template called an Amazon Machine Image (AMI) to launch your instance.
Free Tier
750 compute hours per month
Auto Scaling
Auto Scaling improves the availability of your applications; don’t confuse it with load balancing.
Lambda Features
- Supports popular programming languages like Java, Go, PowerShell, Node.js, C#, Python, and Ruby.
- You author code using your favorite development environment or via the console.
- Lambda can execute your code in response to events.
- Lambda functions have a 15-minute timeout.
Lambda Pricing
Compute time - only pay for compute time used
Request count - a request is counted each time execution starts (test invocations from the console count as well)
Free tier - 1 million requests each month (always free, even after the free usage tier expires)
AWS Fargate
Manages containers (e.g., Docker)
Scales automatically
Serverless
Amazon Lightsail
Deploy preconfigured applications, like WordPress websites
Includes a virtual machine, SSD-based storage, data transfer, DNS management, and a static IP
Simple screens for people with no cloud experience
Provides a low, predictable monthly fee, as low as $3.50
AWS Outposts
Allows you to run cloud services in your internal data center.
Hybrid experience
AWS delivers and installs the cloud in your on-premises data center
Access to cloud services and APIs to develop apps on premises
Supports workloads that need to remain on premises due to latency or sovereignty needs
AWS Batch
Process large workloads in smaller chunks (or batches).
Dynamically provisions instances based on volume
Runs hundreds and thousands of smaller batch processing jobs
Amazon S3 (Simple Storage Service)
*****S3 is a regional service, but bucket names must be globally unique.
Objects (or files) are stored in buckets (or directories).
Essentially unlimited storage that can hold millions of objects per bucket
You can upload objects via the console, the CLI, or programmatically from within code using SDKs.
Objects can be public or private.
You can enable versioning to create multiple versions of your file in order to protect against accidental deletion and to use a previous version
S3 Security
You can set security at the bucket level or individual object level using access control lists (ACLs), bucket policies, or access point policies.
S3 Access Logs
You can use S3 access logs to track the access to your buckets and objects.
S3 Durability and Availability
Durability - 11 9’s
Availability - 5 9’s
Storage - S3 Standard
Data stored across multiple Availability Zones
Recommended for frequently accessed data
Storage - S3 Intelligent Tiering
Automatically moves data to the most cost-effective storage tier
Data stored across multiple Availability Zones
Recommended: data with unknown or changing access patterns
Storage - S3 Standard Infrequent Access (IA)
Data accessed less frequently but requiring RAPID ACCESS
Data stored across multiple Availability Zones
Recommended for:
Long-lived data
Infrequent access
Milliseconds access when needed
Storage - S3 One Zone - Infrequent Access (IA)
Less frequently accessed but requires rapid access
Stored across multiple AZs
Cheaper than S3 Standard
Recommended for:
Long-lived data
Infrequent access
Millisecond access when needed
Storage - S3 Glacier
Long-term data/archival
Data retrieval takes longer
3 retrieval options:
1-5 minutes
3-5 hours
5-12 hours
Stored across multiple AZ
*Cheap storage option/long term backup
Storage - S3 Glacier Deep Archive
Like S3 Glacier but takes longer to access
12 hours or 48 hours
Cheapest of all S3 options
Data stored across multiple AZ
Long term data archival - access once or twice a year
Retaining data for regulatory compliance
Storage - S3 on Outposts
Provides object storage on premises
Single storage class
Data stored across multiple devices and servers
Data that needs to be kept locally, or demanding application performance needs.
EBS (Elastic Block Store)
Data persists when the instance is not running
Tied to one AZ
Can ONLY be attached to ONE instance in the same AZ
Recommended for:
Quick access
Running a database on an instance
Long-term data storage
EC2 Instance Store
Storage on a disk PHYSICALLY attached to the instance
Faster I/O speed
Storage is TEMPORARY; when the instance is stopped, data is lost
Recommended:
Temporary storage needs
Data replicated across multiple instances
EFS (Elastic File System)
ONLY supports Linux
More expensive than EBS
Accessible across different AZs in the same Region
Recommended:
Main directories for business-critical apps
Lift-and-shift of existing enterprise apps
Storage Gateway
Connects on-premises to the cloud
Supports a hybrid model
Recommended:
Moving backups to the cloud
Reducing cost for hybrid cloud storage
Low-latency access to data
AWS Backup
Integrates with EC2, EBS, EFS
Create backup plan - frequency/retention
CloudFront
**Global distribution of content
**Makes content global or restrict it based on location
Content Delivery Network that delivers data and application globally with low latency
Can stop DDoS attacks
*Speeds up delivery of static and dynamic web content
*Use edge location to cache content
AWS Global Accelerator
***Sends traffic through AWS global network infrastructure
Improves latency/availability of single-Region applications
60% performance boost
Automatically re-routes traffic to healthy regional endpoints.
AWS S3 Transfer Acceleration
***Fast transfer of files over long distances
Uses CloudFront’s globally distributed edge locations
Customers around the world can upload to a central bucket
Amazon Virtual Private Cloud (VPC)
A VPC spans Availability Zones in a Region
Foundational service that allows you to create a secure private network in the AWS cloud where you launch your resources.
Launch resources like EC2 instances inside the VPC
Isolate and protect resources
Internet Gateway
Don’t forget an internet gateway allows traffic to the public internet and peering connects 2 VPCs together.
Amazon Route 53
DNS service that routes users to applications.
***Performs health checks on AWS resources
Domain name registration
Supports hybrid cloud architectures
AWS Direct Connect
Direct Connect is a dedicated physical network connection from your on-premises data center to AWS.
***Supports a hybrid environment
Data travels over a private network
Dedicated physical network connection
AWS VPN
Site-to-Site VPN creates a secure connection between your internal networks and your AWS VPCs.
***Supports a hybrid environment
Similar to Direct Connect, but data travels over the public internet
Data is automatically encrypted
Connects your on-premises data center to AWS
API Gateway
API Gateway allows you to build and manage APIs.
Share data between systems
Integrate with services like Lambda
Amazon Relational Database Service (RDS)
Service that makes it easy to launch and manage relational databases.
Supports popular database engines
Offers high availability and fault tolerance using Multi-AZ deployment option
AWS manages the database with automatic software patching, automated backups, operating system maintenance, and more.
Launch read replicas across regions in order to provide enhanced performance and durability
Amazon Aurora
Aurora is a relational database compatible with MySQL and PostgreSQL that was created by AWS
5x faster than normal MySQL and 3x faster than normal PostgreSQL
Scales automatically while providing durability and high availability
Managed by RDS
Amazon DynamoDB
DynamoDB is a fully managed NoSQL key-value and document database.
***NoSQL key-value database
Fully managed and serverless
Non-relational
Scales automatically to massive workloads with fast performance
Amazon DocumentDB
DocumentDB is a fully managed document database that **supports MongoDB.
Fully managed and serverless
Non-relational
Amazon ElastiCache
ElastiCache is a fully managed in-memory datastore compatible with Redis or Memcached.
**In-memory datastore
Data can be lost
Offers high performance and low latency
Amazon Neptune
Neptune is a fully managed graph database that supports highly connected datasets.
***create social media graph
Graph database service
Supports highly connected datasets like social media networks
Fully managed and serverless
Fast and reliable
Database Migration Service (DMS)
DMS helps you migrate databases to or within AWS.
Migrate on-premises databases to AWS
Continuous data replication
Supports homogeneous and heterogeneous migrations
Virtually no downtime
Server Migration Service (SMS)
SMS allows you to migrate on-premises servers to AWS.
Migrates on-premises servers to AWS
Server saved as a new Amazon Machine Image (AMI)
Use AMI to launch servers as EC2 instances
Snowcone
8 terabytes of usable storage
Offline shipping
Online with DataSync
Snowball and Snowball Edge
Petabyte-scale data transport solution
Transfer data in and out
**Cheaper than internet transfer
**Snowball Edge supports EC2 and Lambda
Snowmobile
Multi-petabyte or exabyte scale
Data loaded to S3
Securely transported
DataSync
DataSync allows for online data transfer from on-premises to AWS storage services like S3 or EFS.
Migrates data from on-premises to AWS
Copy data over Direct Connect or the internet
Copy data between AWS storage services
***Replicate data cross-Region or cross-account
Redshift
Redshift is a scalable data warehouse solution.
Handles exabyte-scale data
Amazon WorkSpaces
Amazon WorkSpaces provides a Desktop as a Service (DaaS) solution. https://aws.amazon.com/workspaces/?workspaces-blogs.sort-by=item.additionalFields.createdDate&workspaces-blogs.sort-order=desc
DDoS
Web Application Firewall (WAF)
AWS Shield
Route 53
CloudFront
Shared Responsibility Model
Under the Shared Responsibility Model, AWS takes responsibility for managing all the hardware (including access, patching, and other maintenance) and software required to deliver the service, which in this case is the EC2 instance. Anything to do with the instance itself is the responsibility of the customer.
Platform-as-a-service solution
The platform-as-a-service model removes the need for organizations to manage the underlying infrastructure (usually hardware and operating systems) and allows you to focus on the deployment and management of your applications.
EC2 - Block network access
Security group - The security group acts as a virtual firewall to protect the EC2 instance.
Cannot perform any Amazon RDS actions on the Clients table.
Create an identity-based policy. & Add the user to the group that has the necessary permission policy.
By default, an IAM user can’t access anything in the AWS account. So, the inability to perform the RDS actions on the Clients table is not a technical or password issue. To grant access, you would need to create an identity-based policy.
What real-time guidance does Trusted Advisor provide?
Low utilization on EC2 instances
S3 bucket permissions for public access
Exposed access keys
Which content fields does CloudTrail track when a user accesses the AWS Management Console?
Region
Username
What allows you to restrict access to an entire S3 bucket?
Bucket policies - Bucket policies allow you to control access to entire buckets.
Which of the following can be specified as an origin when creating a CloudFront distribution?
S3 Bucket
Elastic Load Balancer
Domain Name
What benefits can CloudFront bring to your e-commerce website?
Increased application availability
Protection against network and application layer attacks via WAF
Lower latency for customers of your e-commerce website
You are trying out AWS on a trial basis and need to deploy an application without having to configure servers. Which AWS service can you use?
Elastic Beanstalk
Elastic Beanstalk allows you to deploy your web applications and web services to AWS. https://aws.amazon.com/elasticbeanstalk/
Which of the following engines are classified as relational databases on AWS?
Aurora
MariaDB
After experiencing unusual behavior in your AWS account, you need to determine if there are any issues with AWS that may be affecting your account. What section of the AWS Management Console helps you inspect account alerts and find remediation guidance for your account?
AWS Personal Health Dashboard
AWS Personal Health Dashboard gives you a personalized view of the status of services and resources used by your applications.
Which of the following database migrations are classified as heterogeneous?
Oracle to Amazon Aurora PostgreSQL
Microsoft SQL Server to Amazon Aurora PostgreSQL
Which AWS service would enable you to view the spending distribution in 1 of your AWS accounts?
AWS Cost Explorer
Cost Explorer allows you to visualize and forecast your costs and usage over time.
An independent developer needs help with monitoring service limits to ensure they don’t exceed free-tier usage on their account. Which services will help them monitor service limits?
Trusted Advisor - Trusted Advisor has a service limit dashboard that helps you monitor service limits.
CloudWatch - CloudWatch Alarms can be used to determine the percentage of utilization versus the limit.
Inspector
Inspector works with EC2 instances to uncover and report vulnerabilities.
Your company is considering migrating its data center to the cloud. Which of the following is an advantage of the AWS Cloud over an on-premises data center?
Replace upfront capital expenses with low variable costs.
All the hardware purchased upfront for a data center will be replaced by resources that are variable in nature with low upfront costs. https://d1.awsstatic.com/whitepapers/introduction-to-aws-cloud-economics-final.pdf
A company would like to reduce operational overhead when operating AWS infrastructure. Which service can help them do this?
Managed Services
Managed Services helps you efficiently operate your AWS infrastructure and reduces operational risks and overhead.
A small software company is starting to work with the AWS Cloud. Which service will allow them to find, test, buy, and deploy software that runs on AWS?
AWS Marketplace
Marketplace is a digital catalog of prebuilt solutions you can purchase or license. You may also use it to sell solutions to others. https://aws.amazon.com/marketplace?aws=hp
You are managing the company’s AWS account. The current support plan is Basic, but you would like to begin using Infrastructure Event Management. What support plan (that already includes Infrastructure Event Management without an additional fee) should you upgrade to?
Upgrade to Enterprise plan.
AWS Infrastructure Event Management is a structured program available to Enterprise Support customers (and Business Support customers for an additional fee) that helps you plan for large-scale events, such as product or application launches, infrastructure migrations, and marketing events. https://aws.amazon.com/premiumsupport/programs/iem/#:~:text=AWS%20Infrastructure%20Event%20Management%20is,infrastructure%20migrations%2C%20and%20marketing%20events.
A company is considering a serverless architecture and wants to build and run applications without having to manage infrastructure. Which AWS services should the company consider using when building applications?
Fargate
Lambda
S3
DynamoDB
EC2 is not serverless
What is a geographical area of the world that is a collection of logically grouped data centers?
A Region is a geographical area of the world that is a collection of data centers logically grouped into Availability Zones.
Availability Zones (AZs) consist of 1 or more physically separated data centers.
A company is developing a new web application that has high availability requirements. How can the company increase availability when deploying the application?
Utilize a multi-Region deployment when deploying the application.
Deploy the application to span across multiple Availability Zones (AZs).
NOT - While CloudFront speeds up the global delivery of static content, it alone doesn’t ensure high availability.
Auto Scaling
The Auto Scaling group can be used to scale out and scale in the instances as the demand dictates. This will save money and avoid having instances sitting idle for long periods of time. AWS Auto Scaling monitors your applications and automatically adjusts your capacity to maintain steady, predictable performance at the lowest possible cost. Using AWS Auto Scaling, it’s easy to set up application scaling for multiple resources across multiple services in minutes. https://aws.amazon.com/autoscaling/
CloudWatch Alarms
A CloudWatch alarm can be set up to monitor CPU utilization and trigger further action. Further action could be an Auto Scaling group adding another EC2 instance and/or using SNS to notify team members of the occurrence.
When configuring an Application Load Balancer (ALB), what step should you take to ensure a highly available architecture?
Configure the load balancer to serve traffic to multiple Availability Zones.
You would set up the load balancer to deliver traffic across multiple Availability Zones.
A solutions architect is designing a new application for a customer. In designing the system, the architect recommends that content be cached to reduce latency to the end user. Which piece of the AWS global infrastructure allows for content to be cached and served from the nearest point to the user?
Edge location
An edge location uses cached copies of your content for fast delivery to users. Don’t forget CloudFront speeds up delivery using edge locations.
Which AWS service can help you optimize your AWS environment by giving recommendations to reduce cost, increase performance, and improve security?
AWS Trusted Advisor
Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices. https://aws.amazon.com/premiumsupport/technology/trusted-advisor/
A customer set up an Amazon S3 bucket to accept downloads from their mobile application users. Due to data privacy requirements, the customer needs to automatically and continually scan S3 for the users’ addresses. Which service can do this?
Macie uses machine learning to discover sensitive data stored on Amazon S3. Macie automatically detects a large and growing list of sensitive data types, including personally identifiable information (PII) such as names, addresses, and credit card numbers.
Athena
While Athena is a query service for S3 that allows the use of standard SQL, Athena does not automatically and continually query S3 for sensitive data.
A customer has created an Administrators group in IAM containing 5 users. What does the customer attach to the group to ensure all the users have the needed administrative access?
IAM policy
Policies can be attached to a group to ensure all users in the group have the same access. AWS even has a managed policy, AdministratorAccess, that you can use.
IAM role
IAM roles are not associated with a specific user or group. Roles are meant to be assumed by whoever needs them for a temporary period of time.
How would you create and manage access keys for users that need to access AWS services from the AWS Command Line Interface (CLI)?
Identity and Access Management (IAM) - IAM allows you to create and manage access keys for an IAM user.
NOT - Systems Manager - Systems Manager gives you visibility into and control over your AWS resources.
A company wants to provide access to an Amazon S3 bucket to all applications running on a Reserved Instance (RI) that’s been assigned to a specific Availability Zone. What’s the best way to give S3 access to all applications running on the EC2 instance?
Use an instance profile to pass an IAM role with Amazon S3 permissions to the EC2 instance
The company will need to create a role that grants access to S3 and associate it with the instance.
IAM credential report
The IAM credential report lists all the users and the status of their various credentials, including passwords, access keys, server certificates, and MFA devices.
Which of the following is an AWS Well-Architected Framework design principle related to operational excellence?
Deploy smaller, reversible changes.
This is a design principle related to operational excellence. Smaller changes can easily be reverted, if necessary.