Amazon Web Services - CP Flashcards

1
Q

SQS

A

Simple Queue Services

2
Q

S3

A

Simple Storage Service

3
Q

EC2

A

Elastic Compute Cloud

4
Q

CSP

A

Cloud Service Provider

5
Q

Characteristics of a CSP

A

Multiple cloud services…
Which can be chained together to form cloud architectures
Accessible via a single unified API
Utilize metered billing based on usage
Have rich monitoring built in (AWS CloudTrail)
Offer Infrastructure as a Service (IaaS)
Offer automation via Infrastructure as Code (IaC)

6
Q

Tier-1 CSPs

A

AWS, Microsoft Azure, Google Cloud Platform (GCP), Alibaba Cloud

7
Q

Tier-2 (specialization)

A

IBM Cloud, Oracle Cloud, Rackspace (OpenStack)

8
Q

Tier-3 (VPS) offer IaaS

A

Vultr, Digital Ocean, Linode

9
Q

Magic Quadrant (MQ)

A

A series of market research reports published by IT consulting firm Gartner that rely on proprietary qualitative data analysis methods to demonstrate market trends, such as direction, maturity and participants.

10
Q

Cloud services for IaaS

A

Compute
Network
Storage
Databases

11
Q

Example of 4 core cloud services

A

Compute - EC2 Virtual machines
Storage - EBS Virtual hard drives
Database - RDS SQL databases
Networking and content delivery - VPC Private Cloud Network

12
Q

Dedicated

A

A physical server wholly utilized by a single customer
You have to guess your capacity
You overpay for an underutilized server
Can’t vertically scale; you need a manual migration
Replacing a server is very difficult
Limited by the host’s OS
Multiple apps on one server result in conflicts in resource sharing
Guaranteed security, privacy and full utility of the underlying resources

13
Q

VMs

A

Multiple virtual machines on one physical machine.
The hypervisor is the software layer that lets you run the VMs.
Physical server shared by multiple customers.
You overpay for an underutilized virtual machine.
Limited by your guest OS.
Multiple apps on a single VM can result in conflicts in resource sharing.
Easy to export or import images for migration.
Easy to scale vertically or horizontally.

14
Q

Containers

A

VM running multiple containers.
Docker Daemon is the name of the software layer that runs multiple containers.
Maximizes available capacity; cost-effective.
Containers share the same underlying OS, thus more efficient than multiple VMs.
Multiple apps run side by side without being limited to the same OS requirements, and they do not conflict during resource sharing.

15
Q

Functions

A

Managed VMs running managed containers.
Serverless compute.
Upload a piece of code, choose the amount of memory and duration.
Responsible for only code and data.
Very cost-effective: you only pay for the time code is running; VMs only run when there is code to be executed.
Cold starts are a side effect of this setup.

18
Q

Types of Cloud Computing

Software as a Service

For customers

Product that is run and managed by the service provider. e.g. Salesforce, Office 365, Gmail

A

SaaS

19
Q

Types of Cloud Computing

Platform as a Service

For Developers

Focus on the deployment and management of your apps. (Heroku, Google App Engine)

A

PaaS

Don’t worry about provisioning, configuring or understanding the hardw

20
Q

Infrastructure as a Service

For administrators

Basic building blocks for cloud IT. Provides access to networking features, computers and data storage space. e.g. Microsoft Azure, AWS, Oracle

A

IaaS

Don’t worry about IT staff, data centers and hardware.

21
Q

Cloud Computing Deployment Models

Public Cloud

Everything (the workload or project) is built on the CSP. e.g. Dropbox, startups, SaaS offerings

A

Cloud-Native or Cloud First

22
Q

Cloud Computing Deployment Models

Private Cloud

Everything is built in the company’s own data centers. e.g. public sector such as government, hospitals, insurance companies.

A

On-Premise or Openstack

23
Q

Cloud Computing Deployment Models

Hybrid

Using both on-premise infrastructure and a Cloud Service Provider.
e.g. banks, FinTech, investment management, large professional service providers like Deloitte, legacy on-premise systems.

A

Both public and private cloud

24
Q

Cloud Computing Deployment Models

Cross-Cloud

Using multiple cloud providers. e.g. Anthos

A

Multi-cloud

25
Q

What is computing Power?

Types of computing

The throughput at which a computer can complete computational tasks.

A
  1. General computing (Xeon CPU processor; EC2)
  2. GPU computing (50x faster than traditional CPUs; AWS Inferentia (Inf1))
  3. Quantum computing (100 million times faster; AWS Braket via Caltech)
26
Q

Benefits of the cloud

A
  • Agility
  • Pay-as-you go pricing
  • Economy of scale
  • Global Reach
  • Security
  • Reliability
  • High availability
  • Scalability
  • Elasticity
27
Q

What is the AWS Global Infrastructure?

Name the resources

Globally distributed hardware and datacenters physically networked together.

A
  • 25 Launched Regions
  • 81 Availability zones
  • 108 Direct Connection Locations
  • 275+ Points of presence
  • 11 Local Zones
  • 17 Wavelength Zones
28
Q

Global Infrastructure - Regions

Factors to consider in choosing a region

Geographically distinct locations consisting of 3 Availability Zones (except US-West, which has 2 AZs). New services are available first in US-East. All billing information appears in US-EAST-1 (North Virginia). AWS cost varies by region.

A
  1. Regulatory compliance of the region
  2. AWS cost of services in the region
  3. Availability of AWS services in the region
  4. Distance or latency to end-users
29
Q

Availability Zone

Physical location made up of one or more datacenters. A datacenter is a secured building that contains hundreds of thousands of computers.

A
  1. Datacenters within a region are close enough to provide low latency (<10ms)
  2. It is common practice to run workloads in at least 3 AZs to ensure services remain available if one or two datacenters fail (High Availability)
  3. AZs are shown as a Region Code followed by a letter identifier, e.g. US-East-1a

Each region generally contains 3 Availability Zones

30
Q

A subnet is associated with an AZ

You never choose the AZ directly when launching resources; you choose the subnet, which is associated with an AZ.

A

The US-EAST-1 region has 6 AZs (the most AZs of any region)

31
Q

Structure of AWS Region

A
  1. A region has multiple AZs
  2. An AZ is made up of one or more datacenters
  3. All AZs in an AWS Region are interconnected with high-bandwidth, low-latency networking, over fully redundant, dedicated metro fiber providing high-throughput, low-latency networking between
  4. All traffic between AZs is encrypted
  5. AZs are within 100 km (60 miles) of each other.
32
Q

Discuss Fault Tolerance with regard to AWS

Scope of fault domain

A fault domain is a section of a network that is vulnerable to damage if a critical device or system fails. The purpose of a fault domain is that if a failure occurs, it will not cascade outside that domain, limiting the possible damage. Fault domains can be nested inside fault domains.
A fault level is a collection of fault domains.

A
  • specific servers in a rack
  • an entire rack in a datacenter
  • an entire room in a datacenter
  • an entire datacenter building

AWS Region would be fault level
AZ would be a fault domain

The scope of a fault domain is chosen/defined by the Cloud Service Provider, e.g. AWS

33
Q

Failure Zone (AZs)

Each Amazon region is designed to be completely isolated from the other Amazon Regions to achieve the greatest possible fault tolerance and stability.

A

AWS version of a fault domain
1. AZs are physically separated within a typical metropolitan region and are located in lower-risk flood plains.
2. Discrete uninterruptible power supply (UPS) and onsite backup generation facilities
3. Data centers located in different AZs are designed to be supplied by independent substations to reduce the risk of an event on the power grid impacting more than one AZ
4. AZs are all redundantly connected to multiple tier-1 transit providers.

Multi-AZ for High Availability: If an application is partitioned across

Each AZ is designated as an independent failure zone

34
Q

What is the backbone of AWS?

AWS Global Network

Represents the interconnections between the AWS Global Infrastructure. Permits rapid mobility between datacenters.

A

1. Edge locations
2. Amazon CloudFront (CDN)
3. AWS Global Accelerator, AWS S3 Transfer Acceleration
4. VPC Endpoints

35
Q

Points of Presence (PoP) Resources

An intermediate location between an AWS Region and the end user; this location could be a datacenter or collection of hardware owned by AWS or a trusted partner, used for content delivery or expedited upload.

A

Edge locations
Regional Edge Caches

Edge locations are datacenters that hold cached copies of the most popular files (e.g. web pages, images and videos) so that the delivery distance to end users is reduced.
Regional Edge Caches are datacenters that hold much larger caches of less-popular files, to avoid a full round trip to the origin and to reduce transfer fees.

36
Q

Global Infrastructure - Point of Presence (PoP)

Tier 1 Network

Is a network that can reach every other network on the internet without purchasing IP transit or paying for peering.

A

AWS AZs are all redundantly connected to multiple tier-1 transit providers

37
Q

Global Infrastructure - PoP

AWS services that use PoPs for content delivery or expedited upload

A
  1. Amazon CloudFront is a Content Delivery Network (CDN) service
  2. Amazon S3 Transfer Acceleration
  3. AWS Global Accelerator
38
Q

Global Infrastructure - PoP

Amazon CloudFront

A
  • You point your website to CloudFront so that it routes requests to the nearest Edge Location cache
  • Allows you to choose an origin (such as a web server or storage) that will be the source of the cached content
  • Caches what the origin would return at various Edge Locations around the world
39
Q

Global Infrastructure - PoP

Amazon S3 Transfer Acceleration

A

Allows you to generate a special URL that can be used by end users to upload files to a nearby Edge Location.
Once a file is uploaded to an Edge Location, it can move much faster within the AWS Network to reach S3.

40
Q

Global Infrastructure - PoP

AWS Global Accelerator

A
  • Can find the optimal path from the end user to your web servers
  • Deployed within Edge Locations, so you send user traffic to an Edge Location instead of directly to your web application
41
Q

AWS Direct Connect

A private/dedicated connection between your datacenter, office or co-location facility and AWS.

A

Two very fast network options:
1. Lower bandwidth: 50MBps-500MBps
2. Higher bandwidth: 1GBps or 10GBps

Helps reduce network costs and increase bandwidth throughput (great for high-traffic networks).
Provides a more consistent network experience than a typical internet-based connection (reliable and secure).

A co-location facility (aka carrier hotel) is a data center where equipment, space, and bandwidth are available for rental to retail customers.

42
Q

Direct Connect Locations

A

Trusted partner datacenters from which you can establish a dedicated high-speed, low-latency connection between your on-premises environment and AWS.

43
Q

Global Infrastructure - Local Zones

Local Zones

Datacenters located very close to a densely populated area to provide single-digit millisecond latency (e.g. 7ms) for that area.

A
  • LA, California was the first Local Zone to be deployed, as a logistical extension of the US-West Region, identified by us-west-2-lax-1a
  • Limited AWS services, such as EC2 instance types, EBS, Amazon FSx, Application Load Balancer, Amazon VPC

The purpose of Local Zones is to support highly demanding, latency-sensitive applications: media & entertainment, electronic design automation, ad-tech, machine learning

44
Q

Global Infrastructure - Wavelength Zones

AWS Wavelength Zones

Allow for edge computing on 5G networks. Applications will have ultra-low latency, being as close as possible to the users.

A

You create a subnet tied to a Wavelength Zone and then you can launch virtual machines (VMs) at the edge of the targeted 5G network.

AWS has partnered with various telecom companies to utilize their 5G networks.

45
Q

Global Infrastructure - Data Residency

Data Residency

The physical or geographic location where an organization’s data or cloud resources reside.
A compliance boundary is a regulatory compliance requirement (legal requirement) set by a government that describes where data and cloud resources are allowed to reside.
Data sovereignty is the jurisdictional control or legal authority that can be asserted over data because its physical location is within a jurisdiction’s boundaries.

A
  • AWS Config (Policy as Code service)
  • IAM Policies (Service Control Policy)
  • AWS Outposts(physical rack of servers)
46
Q

Global Infrastructure - AWS For Government

Public sector

Includes public goods and governmental services

A
  • Military
  • law enforcement
  • infrastructure
  • public transit
  • public education
  • health care
  • the government itself

AWS achieves this by meeting regulatory compliance programs along with specific governance and security controls.
AWS has special regions for US regulation called GovCloud

47
Q

Global Infrastructure - GovCloud (US)

AWS GovCloud Regions

A CSP generally offers an isolated region to run FedRAMP workloads.

Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

A
  • Allows customers to host sensitive Controlled Unclassified Information and other types of regulated workloads.
  • Only operated by employees who are US citizens, on US soil.
  • Only accessible to US entities and root account holders who pass a screening process.

Customers can architect secure cloud solutions that comply with: FedRAMP High baseline, DOJ’s Criminal Justice Information Systems (CJIS) Security Policy, US International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), Department of Defense (DoD) Cloud Computing Security Requirements Guide.

48
Q

Global Infrastructure - AWS in China

AWS China

Completely and intentionally isolated from AWS Global due to regulatory and compliance requirements in Mainland China.
Has its own domain at amazonaws.cn

A
  • A Chinese business licence (ICP license) is required to operate in the AWS China Region
  • Not all services are available in China, e.g. Route53
  • Consists of two regions, namely Ningxia CN-NorthWest-1 operated by NSWCF and Beijing CN-North-1 operated by SINNET
  • The AWS label is banned in China; thus it is not shown on the Chinese website.
49
Q

Global Infrastructure - Sustainability

AWS Cloud Sustainability Goals

Amazon co-founded the Climate Pledge to achieve Net-Zero Carbon Emissions by 2040 across all of Amazon’s business (this includes AWS)

A
  1. Powered by 100% renewable energy by 2025.
  2. Cloud efficiency: AWS’ infrastructure is 3.6 times more energy efficient than the median of US enterprise data centers surveyed.
  3. Water stewardship: direct evaporative technology / non-potable (recycled) water for cooling, on-site water treatment to remove scale-forming minerals and reuse water for more cycles, water efficiency metrics to determine and monitor optimal water use for each AWS Region.

AWS purchases and retires environmental attributes to cover the non-renewable energy used by the AWS Global Infrastructure:
- Renewable Energy Credits (RECs)
- Guarantees of Origin (GOs)

50
Q

Global Infrastructure - AWS Ground Station

AWS Ground Station

Fully managed service that lets you control satellite communications, process data, and scale your operations without having to worry about building or managing your own ground station.

A

Use cases for Ground station:
* Weather forecasting
* Surface imaging
* Communications
* Video broadcasts

To use Ground Station:
- You schedule a contact (select the satellite, start and end time, and the ground location)
- Use the AWS Ground Station EC2 AMI to launch EC2 instances that will uplink and downlink data during the contact, or receive downlinked data in an Amazon S3 bucket.

51
Q

Global Infrastructure - AWS Outposts

AWS Outposts

(rack of servers running AWS Infrastructure on your physical location)

Fully managed service that offers the same AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience.

A
  1. Server Rack: a frame designed to hold and organize IT equipment.
  2. Rack Heights: U stands for “rack units” or “U spaces”, each equal to 1.75 inches. The industry standard rack size is 48U (7-foot rack). AWS’ highest full-size rack cage is 42U.
52
Q

Global Infrastructure: AWS Outposts

AWS Outposts comes in 3 form factors

A
  • 42U: Delivered by AWS to the preferred physical site fully assembled. Installed by AWS. The rack needs to be plugged into power and network.
  • 1U: Server that is placed into a rack. Suitable for 19” wide x 24” deep cabinets. AWS Graviton2 (up to 64 vCPUs), 128 GiB memory, 4 TB of local NVMe storage
  • 2U: Server that is placed into a rack. Suitable for 19” wide x 36” deep cabinets. Intel processor (up to 128 vCPUs), 256 GiB memory
53
Q

Solution Architect vs Cloud Architect

A
  1. A solutions architect is a role in a technical organization that architects a technical solution using multiple systems via research, documentation and experimentation.
  2. A cloud architect is a solutions architect focused on architecting technical solutions using cloud services.
54
Q

Terms for cloud architect

A
  1. Availability - ability to ensure a service remains available, e.g. Highly Available (HA)
  2. Scalability - ability to grow rapidly or unimpeded
  3. Elasticity - ability to shrink and grow to meet demand
  4. Fault Tolerance - ability to prevent a failure
  5. Disaster Recovery - ability to recover from a failure, e.g. Highly Durable

Solutions Architect is guided by the following prompts:
- How secure is this solution? (security)
- How much is this going to cost? (cost)

55
Q

High Availability

Elastic Load Balancer in high availability

High availability is the ability for a service to remain available by ensuring there is no single point of failure and/or ensuring a certain level of performance.

A

A load balancer allows you to evenly distribute traffic to multiple servers in one or more datacenters. If a datacenter or server becomes unavailable (unhealthy), the load balancer routes traffic only to the available datacenters and servers.

Running your workload across multiple Availability Zones ensures that if 1 or 2 AZs become unavailable, your service/application remains available.

56
Q

Types of scalability

High scalability is the ability to increase capacity based on increasing demand for traffic, memory and computing power.

A
  1. Vertical Scaling: scaling up. Upgrade to a bigger server.
  2. Horizontal Scaling: scaling out. Add more servers of the same size.
57
Q

High Elasticity

Horizontal Scaling

High elasticity is the ability to automatically increase or decrease capacity based on the current demand for traffic, memory and computing power.

A
  1. Scaling out - add more servers of the same size
  2. Scaling in - remove underutilized servers of the same size
    - Auto Scaling Groups (ASG) is an AWS feature that will automatically add or remove servers based on the scaling rules you define, driven by metrics.

Vertical scaling is generally hard for traditional architecture, so you’ll usually only see horizontal scaling described with elasticity.

58
Q

Highly Fault Tolerant

Fail-overs

Highly Fault Tolerant: the ability for a service to ensure there is no single point of failure, preventing the chance of failure.

A
  1. A fail-over is when you have a plan to shift traffic to a redundant system in case the primary system fails.
  2. A common example is having a copy (secondary) of your database to which all ongoing changes are synced. The secondary system is not in use until a failure occurs, at which point it becomes the primary database.
  3. RDS Multi-AZ is when you run a duplicate standby database in another Availability Zone in case your primary database fails.
59
Q

High Durability

Disaster Recovery Concerns

High durability is the ability to recover from a disaster and to prevent the loss of data. Solutions that recover from a disaster are known as Disaster Recovery (DR).

A
  1. Do you have a backup?
  2. How fast can you restore that backup?
  3. Does your backup still work?
  4. How do you ensure current live data is not corrupt?

CloudEndure Disaster Recovery continuously replicates your machines into a low-cost staging area in your target AWS account and preferred Region, enabling fast and reliable recovery in case of IT data center failures.

60
Q

Business Continuity Plan

A business continuity plan (BCP) is a document that outlines how a business will continue operating during an unplanned disruption in services

A
  1. Recovery Point Objective (RPO): How much data are you willing to lose?
  2. Recovery Time Objective (RTO): How much time are you willing to be down?

RPO: The maximum acceptable amount of data loss after an unplanned data-loss incident, expressed as an amount of time.
RTO: The maximum amount of downtime your business can tolerate without incurring a significant loss.

61
Q

Disaster Recovery Options

Multiple options for recovery that trade cost against time to recover

A
  1. Backup & Restore
  2. Pilot Light
  3. Warm Standby
  4. Multi-site Active/active
62
Q

Disaster Recovery Options

Backup & Restore

A
  1. RPO/RTO: Hours
  2. Backup data is restored to new infrastructure.

- Lower priority use cases
- Restore data after event
- Deploy resources after event
- Cost $$

63
Q

Disaster Recovery Options:

Pilot Light

A
  1. RPO/RTO: 10 mins
  2. Data is replicated to another region with the minimal services running

- Less stringent RTO & RPO
- Core services
- Start and scale resources after event
- Cost $$

64
Q

Disaster Recovery Options

Warm Standby

A
  1. RPO/RTO : Minutes
  2. Scaled down copy of your infrastructure running ready to scale up

- Business critical services
- Scale resources after event
- Expensive

65
Q

Disaster Recovery Options

Multi-site Active/active

A
  1. RPO/RTO: Real-time
  2. Scaled up copy of your infrastructure in another region.

  • Zero downtime
  • Net zero loss
  • Mission critical services
  • Expensive
66
Q

AWS Application Programming Interface (API)

API

A
  1. An API is software that allows two applications/services to talk to each other.
  2. The most common type of API is via HTTP/S requests.
  3. The AWS API is an HTTP API; you can interact with it by sending HTTPS requests, using an application for interacting with APIs, such as Postman.

  1. Each AWS service has its own service endpoint to which you send requests.
  2. To authorize, you will need to generate a signed request. You make a separate request with your AWS credentials and get back a token.
  3. You also need to provide an ACTION and its accompanying parameters as the payload.
67
Q

AWS Management Console

A

Web-based unified console to build, manage, and monitor everything from simple web apps to complex cloud deployments. ClickOps refers to performing all system operations via clicks.

68
Q

Service Console

A

AWS services have customized consoles that can be accessed by searching the service name.
Some AWS service consoles act as an umbrella console containing many AWS services:
* VPC console
* EC2 console
* Systems Manager console
* SageMaker console
* CloudWatch console

69
Q

AWS Account ID

A

- Found by dropping down the current user in the global navigation
- Composed of 12 digits
- Used for login by non-root users, cross-account roles, support cases
- Can also be found under the IAM console
- Used when creating policies for users and cross-account roles

70
Q

PowerShell

A

- A task automation and configuration management framework. Consists of a command-line shell and a scripting language.
- Unlike most shells, which accept and return text, PowerShell is built on top of the .NET Common Language Runtime (CLR), and accepts and returns .NET objects.
- AWS Tools for PowerShell lets you interact with the AWS API via PowerShell cmdlets.
- A cmdlet is a special type of command in PowerShell in the form of a capitalized verb-and-noun, e.g. New-S3Bucket

71
Q

Amazon Resource Names (ARNs)

A

- Uniquely identify AWS resources
- Required to specify a resource unambiguously across all of AWS
- Format is arn:partition:service:region:account-id:resource-type/resource-id

72
Q

Paths in ARN

Can include a wildcard character, namely an asterisk (*)

A

IAM Policy ARN Path arn:aws:iam::123456789012:user/Development/product_1234/*

S3 ARN Path arn:aws:s3:::my_corporate_bucket/Development/*

73
Q

Terminal, Shell and Console are commonly (erroneously) used interchangeably to describe interacting with a shell.

A

1. A CLI processes commands to a computer in the form of lines of text.
2. A terminal is a text-only interface (input/output environment).
3. A console is a physical computer used to physically input information.
4. A shell is the command-line program that users interact with to input commands. Popular shell programs: Bash, Zsh, PowerShell

74
Q

AWS CLI

A
  • Allows users to programmatically interact with the AWS API by entering single or multi-line commands into a shell or terminal
  • Is a Python executable program
  • Can be installed on Windows, Mac, or Linux/Unix
75
Q

AWS Software Development Kit (SDK) is a collection of software development tools in one installable package.

A
  • The AWS SDK is used to programmatically create, modify, delete or interact with AWS resources.
  • Offered in various programming languages:
    Java, Python, Node.js, Ruby, Go, .NET, PHP, JavaScript, C++
76
Q

AWS CloudShell : Browser-based shell built into AWS Management Console. Free Service.

A
  • Preinstalled tools: AWS CLI, Python, Node.js, git, make, pip, sudo, tar, tmux, vim, wget, zip and more
  • Storage included: 1 GB of storage free per AWS region
  • Saved files & settings: files saved in the home directory are available in future sessions for the same AWS region
  • Shell environments: seamlessly switch between Bash, PowerShell and Zsh.
77
Q

Infrastructure as Code (IaC)

A
  • Write a configuration script to automate creating, updating or destroying cloud infrastructure.
  • A blueprint of your infrastructure
  • Allows you to easily share, version or inventory your cloud infrastructure
  • Two main offerings: AWS CloudFormation (CFN) and AWS Cloud Development Kit (CDK)
  • AWS CFN: declarative (explicit), more verbose with zero chance of misconfiguration, uses scripting languages e.g. JSON, YAML, XML
  • AWS CDK: imperative (implicit), less verbose with possible misconfiguration, does more than the declarative approach, uses programming languages e.g. Python, JavaScript.
78
Q

AWS CloudFormation

A
  • Allows writing IaC as either a JSON or YAML file
  • Simple, but can lead to large files and is limited in some regards for creating dynamic or repeatable infrastructure compared to CDK
  • Can be easier for DevOps engineers who do not have a background in web programming languages
  • Important for debugging IaC stacks, since CDK generates CloudFormation.
79
Q

AWS CDK

A
  • Allows using a programming language to write IaC, e.g. TypeScript, Node.js, Python, Java, .NET
  • Powered by CloudFormation (generates CloudFormation templates)
  • Has a large library of reusable cloud components called CDK constructs
  • Like CloudFormation, comes with its own CLI
  • CDK Pipelines to quickly set up CI/CD pipelines for CDK projects
  • Has a testing framework for unit and integration testing
    The AWS SDK looks similar to the CDK, but the key difference is that the CDK ensures idempotency of your infrastructure.
80
Q

AWS Toolkit for Vscode

A

An open-source plugin for VSCode to create, debug and deploy AWS resources
* AWS Explorer: explore a wide range of AWS resources in your linked AWS account
* AWS CDK Explorer: allows you to explore your stacks defined by CDK
* Amazon Elastic Container Service: provides IntelliSense for ECS task-definition files
* Serverless Applications: create, debug and deploy serverless applications via SAM and CFN

81
Q

Access Keys

A
  • A key and secret required for programmatic access to AWS resources when interacting with the AWS API outside of the AWS Management Console
  • Also known as AWS Credentials
  • User must be granted access
  • Should never be shared
  • Should never be committed to a codebase
  • A user can have at most two active at a time
  • Can be deactivated
  • Have whatever access the user has to AWS resources
  • Are stored in ~/.aws/credentials and follow a TOML file format
  • Populated by the aws configure CLI command
82
Q

AWS Documentation

A

Is a large collection of technical documentation on how to use AWS Services.
Found at docs.aws.amazon.com

83
Q

AWS Shared Responsibility Model

Goal: Security of the Cloud

A
  1. Customer: Configuration of Managed Services or Third-Party Software (Platforms, applications, IAM), Configuration of Virtual infrastructure and Systems (Operating system, network, firewall), Security Configuration of Data (client-side data encryption, server-side encryption, network traffic protection, customer data). Responsible for security IN the cloud.
  2. AWS: Software (compute, storage, database, networking), Hardware/Global Infrastructure (regions, AZs, edge locations, physical security). Responsible for security OF the cloud.

84
Q

Types of Cloud Computing Responsibility

A
  • On-Premise: Customer (Applications, Data, Runtime, Middleware, OS, Virtualization, Servers, Storage, Networking)
  • Infrastructure as a Service: Customer (Applications, data, runtime, middleware, OS). AWS responsible for the rest.
  • Platform as a Service: Customer (Applications, data). AWS responsible for the rest.
  • Software as a Service: AWS responsible for everything. Eg. Microsoft 365 subscription
85
Q

Shared Responsibility Model - Compute

A
  • Infrastructure as a Service (IaaS):
    1. Bare Metal: EC2 Bare Metal Instance: Customer (Host OS configuration, hypervisor) AWS (physical machine)
    2. Virtual Machine: EC2: Customer (Guest OS configuration, container runtime) AWS (hypervisor, physical machine)
    3. Containers: AWS ECS: Customer (configuration of containers, deployment of containers, storage of containers) AWS (OS, hypervisor, container runtime)
  • Platform as a Service (PaaS): Managed platform: AWS Elastic Beanstalk: Customer (uploading code, configuration of environment, deployment strategies, configuration of associated services) AWS (servers, OS, Networking, Storage, Security)
  • Software as a Service (SaaS): Content Collaboration: Amazon WorkDocs: Customer (contents of documents, management of files, configuration of sharing access controls) AWS (servers, OS, Networking, Storage, Security)
  • Function as a Service (FaaS): Functions: AWS Lambda: Customer (upload your code) AWS (Deployment, container runtime, networking, storage, security, physical machine)

Container as a service: Fargate. AWS runs everything!

86
Q

Shared Responsibility Model per cloud services

The Shared Responsibility Model is a simple visualization that helps determine what the customer is responsible for and what the CSP is responsible for in relation to AWS.
Customer: responsible for the data that resides in AWS and the configuration of access controls. Specifically, configuration of cloud services and granting access to users via permissions. (Responsibility IN the cloud)

CSP: generally responsible for the underlying infrastructure. (Responsibility OF the cloud)

A

IaaS: Customer responsibility (Content, access policies, usage, deployment, web app security, identity, operations, access and authentication, network security, guest OS, data & content)
PaaS: Customer responsibility (content, access policies, usage, deployment, web app security)
SaaS: Customer responsibility (Content, access policies, usage)

In all cloud services, AWS is responsible for audit logging, network, storage & encryption, hardened kernel + IPC, boot and hardware. It takes on more responsibilities depending on the cloud service: AWS takes on the most responsibility in SaaS and the least in IaaS.

87
Q

Shared Responsibility Model Architecture by customer responsibility

A

Less Responsibility: Serverless/Functions. No more servers, just worry about data and code. Eg. amplify and lambda.

Moderate Responsibility: Microservices/Containers. Mix & match languages, better utilization of resources. Eg. ECS/EKS containers, Fargate Serverless containers.

Most responsibility: Traditional/VMs. The global workforce is most familiar with this kind of architecture, and there is lots of documentation, frameworks & support. Eg. EC2 IaaS, Elastic Beanstalk PaaS

88
Q

EC2 allows you to launch Virtual Machines (VM)

VM - an emulation of a physical computer using software. Server virtualization allows you to easily create, copy, resize or migrate your server. Multiple VMs can run on the same physical server so you can share the cost with other customers. Imagine if your server was an executable file on your computer. When we launch a VM, we call it an "instance".

A

EC2 is a highly configurable server where you choose an AMI that affects options such as:
* CPU
* RAM
* Network bandwidth
* OS
* Attaching multiple hard drives for storage eg. Elastic Block Store (EBS)

An AMI is a predefined configuration for a Virtual Machine.

EC2 is considered the backbone of AWS because the majority of AWS services use EC2 as their underlying servers. eg. S3, RDS, DynamoDB

89
Q

Basic AWS Compute Services

VM

A

VM: An emulation of a physical computer using software. eg. EC2 VM, Amazon Lightsail (managed virtual server service; a "friendly" version of EC2 VMs).

90
Q

Basic AWS Compute Services

Containers

A

Containers: Virtualizing an OS to run multiple workloads on a single OS instance. Used in micro-service architecture (division of an application into smaller applications that talk to each other). eg. ECS (container orchestration service that supports Docker containers; launches a cluster of server(s) on EC2 instances with Docker installed),
ECR (repository for container images, the images necessary to launch containers; "image" means a saved copy, "repository" means storage with version control),
ECS Fargate (serverless container orchestration service; AWS manages the underlying server, you pay for the running container),
EKS (managed Kubernetes service; K8s is open-source orchestration software that was created by Google and is generally the standard for managing microservices).

91
Q

Basic AWS Compute Services

Serverless

A

Serverless: when the underlying servers are managed by AWS, so you don't worry about or configure servers.
AWS Lambda is a serverless functions service. Run code without provisioning or managing servers.
Basically, upload small pieces of code, choose how much memory and how long the function is allowed to run before timing out. You are charged based on the runtime of the serverless function rounded to the nearest 100ms.

92
Q

High Performance Computing Services

A

The Nitro System: Combination of dedicated hardware and lightweight hypervisor enabling faster innovation and enhanced security. All new EC2 instance types use the Nitro System.

Nitro Cards - specialized cards for VPC, EBS and instance storage, plus a controller card
Nitro Security Chip - integrated into the motherboard. Protects hardware resources.
Nitro Hypervisor - lightweight hypervisor that handles memory and CPU allocation with bare-metal-like performance.

93
Q

High Performance Computing Services

A

Bare Metal Instance: EC2 instances that have no hypervisor and run workloads directly on the hardware for maximum performance and control. The M5 and R5 EC2 instance families offer bare metal variants. Bottlerocket is a Linux-based open-source operating system that is purpose-built by AWS for running containers on VMs or bare metal hosts.

94
Q

What is High Performance Computing (HPC)

A

A cluster of hundreds of thousands of servers with fast connections between each of them, with the purpose of boosting computing capacity. Supercomputer abilities.

AWS ParallelCluster is an AWS-supported open source cluster management tool that makes it easy to deploy and manage High Performance Computing (HPC) clusters on AWS.

95
Q

Edge and Hybrid Computing

Edge Computing: Running computing workloads outside of your networks, close to the destination location.
Hybrid Computing: Running workloads both in your on-premise datacenter and in an AWS Virtual Private Cloud (VPC)

A

AWS Outposts: physical rack of servers that you can put in your data center. Uses AWS APIs and services such as EC2 right in your datacenter.

AWS Wavelength: Build and launch applications in a telecom datacenter. Allows apps to have ultra-low latency by using the 5G network and being as close as possible to the end user.

VMWare Cloud on AWS: Manage on-premise VM using VMWare as EC2 instances. Data-center must use VMWare for virtualization.

AWS Local Zones: Edge datacenters located outside of AWS region for proximity of AWS services to end destination.

96
Q

Cost and Capacity Management Computing Services

Cost Management: How do we save money?
Capacity Management: How do we meet the demand of traffic and usages through adding or upgrading servers?

A
  • EC2 Spot Instances, Reserved Instances and Savings Plans: Ways to save on computing by paying in full or partially, committing to yearly contracts, or by being flexible about availability and interruption of the computing service.
  • AWS Batch: Plans, schedules, and executes batch computing workloads across the full range of AWS compute services; utilizes Spot Instances to save money.
  • AWS Compute Optimizer: Reduce costs and improve performance by using machine learning to analyze previous usage history.
  • EC2 Auto Scaling Groups (ASGs): Automatically add or remove EC2 servers to meet the current demand or traffic. Savings and capacity needs are met by running the specific number of servers needed.
  • Elastic Load Balancer (ELB): Distributes traffic to multiple instances; can re-route traffic from unhealthy instances to healthy instances.
  • AWS Elastic Beanstalk (EB): For easily deploying web applications without the developer having to worry about setting up and understanding the underlying AWS services. Similar to Heroku.
97
Q

Type of Storage Services

EBS, EFS, S3

A
  • Elastic Block Store (EBS) - Block. Data is split into evenly sized blocks directly accessed by the OS; supports only a single write volume. Best for a virtual hard drive attached to a VM.
  • AWS Elastic File System (EFS) - File. A file is stored with data and metadata. Multiple connections via a network share that supports multiple reads. Writing locks the file. Best for a file share where multiple users or VMs need access to the same drive.
  • Amazon Simple Storage Service (S3) - Object. An object is stored with data, metadata and a unique ID. Scales with no file-count or storage limit and supports multiple reads and writes (no locks). Best for uploading files. Not intended for high IOPS. Uses HTTP/S, API
98
Q

Introduction to S3

S3 - Object-based Storage
Data storage architecture that manages data as objects, as opposed to other storage architectures:

File systems: manage data as files within a hierarchy
Block storage: manages data as blocks within sectors and tracks.

A

S3 provides unlimited storage: S3 Console provides interface for upload and access of data.

S3 Object: Objects contain data like files. An object may consist of: Key (name of the object), Value (the data itself, made up of a sequence of bytes), Version ID (when versioning is enabled, the version of the object), Metadata (additional information attached to the object)

S3 Bucket: Buckets hold objects. Buckets can have folders which in turn hold objects

S3 is a universal namespace so bucket names must be unique (think like having a domain name)

Can store an individual object from 0 Bytes to 5 Terabytes in size.

99
Q

S3 Storage Classes

S3 Storage Classes: AWS offers a range of S3 storage classes that trade Retrieval Time, Accessibility, and Durability for cheaper storage.

A

In order of decreasing price...
S3 Standard (default): Fast! 99.99% availability, 11 9s durability. Replicated across at least three AZs.

S3 Intelligent-Tiering: Uses ML to analyze object usage and determine the appropriate storage class. Data is moved to the most cost-effective access tier, without any performance impact or added overhead.

S3 Standard-IA (Infrequent Access): Still fast! Cheaper if you access files less than once a month. An additional retrieval fee is applied. 50% less than Standard (reduced availability).

S3 One Zone-IA: Still fast! Objects only exist in one AZ. Availability is 99.5%, but 20% cheaper than Standard-IA (reduced durability); data could get destroyed. A retrieval fee is applied.
(All the above fall under S3 in the AWS Management Console)

S3 Glacier: For long-term cold storage. Retrieval of data can take minutes to hours, but the trade-off is very cheap storage.

S3 Glacier Deep Archive: The lowest cost storage class. Data retrieval time is 12 hours.

S3 on Outposts has its own storage classes

100
Q

AWS Snow Family

AWS Snow Family: Storage and compute devices used to physically move data in or out of the cloud (used when moving data over the internet or a private connection is too slow, difficult or costly)

A

Snowcone: Comes in two sizes - 8TB of storage (HDD) and 14TB of storage (SSD)
Snowball Edge: Comes generally in two types - Storage Optimized (80TB) and Compute Optimized (39.5TB)
Snowmobile: 100 PB of storage

All data is delivered to Amazon S3

101
Q

Storage Services

S3: serverless object storage service for uploading an unlimited amount of files. Pay for what you store.

S3 Glacier: cold storage service designed as a low-cost storage solution for archiving and long-term backup. Uses previous-generation HDD drives to get that low cost. Highly secure and durable.

EBS: persistent block storage service. It is a virtual drive in the cloud you attach to EC2 instances at the same time. Used for sharing files between multiple servers.

Storage Gateway: Hybrid cloud storage service that extends on-premise storage to the cloud.
File Gateway: extends local storage to AWS S3
Volume Gateway: caches local drives to S3 to allow for a continuous backup of local files in the cloud.
Tape Gateway: stores files onto virtual tapes for backing up your files on very cost-effective long-term storage.

Continued on answer section

A

AWS Snow Family: storage devices used to physically migrate large amounts of data to the cloud. Includes Snowcone, Snowball Edge and Snowmobile.

AWS Backup: managed backup service that makes it easy to centralize and automate the backup of data across multiple AWS services eg. EC2, EBS, RDS, DynamoDB, EFS, Storage Gateway. Create backup plans.

CloudEndure Disaster Recovery: Continuously replicates machines into a low-cost staging area in your target AWS account and preferred Region enabling fast and reliable recovery in case of IT data center failures.

Amazon FSx: Feature-rich and highly performant file system that can be used for Windows (SMB) or Linux (Lustre)

Amazon FSx for Windows File Server: Uses the SMB protocol and allows mounting of FSx to Windows servers.

Amazon FSx for Lustre: Uses the Lustre file system and allows mounting of FSx to Linux servers.

104
Q

Database

Database: Complex data stores requiring formal design and modelling techniques.

A simple database is a data store that stores semi-structured and structured data.

A

Can be either: (1) Relational databases: structured data that strongly represents tabular data (tables, rows, & columns); can be row-oriented or column-oriented. (2) Non-relational databases: semi-structured data that may or may not distantly resemble tabular data.

Functionality: (1) a specialized language to query (retrieve data) (2) specialized modeling strategies to optimize retrieval for different use cases (3) more fine-tuned control over the transformation of the data into useful data structures or reports.

Normally "a database" implies someone is using a relational row-oriented data store.

105
Q

Data Warehouse

Data Warehouse: relational data store designed for analytic workloads, generally a column-oriented data store

Companies will have terabytes and millions of rows of data, and they need a fast way to be able to produce analytics reports.

A

Perform aggregation: aggregation is grouping data eg. to find a total or average. Optimized around columns for quick aggregation of column data.

Designed as HOT: means the data warehouse can return queries very fast even despite vast amounts of data.

Infrequently accessed: means that data warehouses aren't intended for real-time reporting, but maybe once or twice a day or once a week to generate business and user reports.

Needs to consume data from relational databases on a regular basis.

106
Q

Key-Value Store

Key-value database: non-relational database (NoSQL) that uses the key-value method to store data.

A

Key-value stores are dumb and fast. They generally lack features like relationships, indexes and aggregation.

A key-value store stores a unique key alongside a value.

A simple key-value store will interpret this data as resembling a dictionary (aka associative array or hash).

A key-value store can resemble tabular data, but it does not have to have consistent columns per row (hence it is schemaless).

Due to the simple design, NoSQL databases can scale well beyond a relational database.

107
Q

Document Store

Document store: NoSQL database that stores documents as its primary data structure.

A

A document could be XML, but more commonly JSON or JSON-like.
Document stores are a sub-class of key-value stores.
The components of a document store are comparable to those of a relational database, though the features do not function similarly.

108
Q

AWS NoSQL Database Service

DynamoDB, DocumentDB & Amazon Keyspaces

A

DynamoDB: Serverless NoSQL key-value and document database designed to scale to billions of records with guaranteed consistent data return in at least a second. AWS' flagship database service that's scalable, cost-effective and fast.

DocumentDB: NoSQL document database compatible with the MongoDB database (open-source NoSQL key-value database).

Amazon Keyspaces: Fully managed Apache Cassandra database (an open-source NoSQL key-value columnar store database with additional functionality).

109
Q

Relational Databases

RDS: relational database service that supports multiple SQL engines. Relational is synonymous with SQL and Online Transactional Processing (OLTP). The most commonly used type of database among tech companies and start-ups.

A

RDS supports the following SQL engines:
MySQL: most popular open-source SQL database; was purchased and is now owned by Oracle.
MariaDB: Copy of MySQL under a different open-source license.
PostgreSQL (PSQL): Open-source SQL database popular among developers, with rich features over MySQL but added complexity.
Oracle: Oracle's proprietary SQL database. Well used by enterprise companies. Requires a license.
Microsoft SQL Server: Microsoft's proprietary SQL database. Requires a license.
Aurora: Fully managed database.
(1) Aurora: fully managed database of either MySQL (5x faster) or PSQL (3x faster). Used as a highly available, durable, scalable and secure relational database for PostgreSQL or MySQL.
(2) Aurora Serverless: Serverless on-demand version of Aurora. Used "when you want 'most' of the benefits of Aurora, but can trade to have cold starts or you don't have lots of traffic demand".

RDS on VMware: allows deployment of RDS-supported engines to an on-premise datacenter. The datacenter must be using VMware for server virtualization. Used for RDS-managed databases in an on-premise datacenter.

110
Q

Database and its management

Redshift: Petabyte-size data warehouse for Online Analytical Processing (OLAP). Expensive due to keeping data "hot" - quickly generating analytics or reports from a large amount of data.

ElastiCache: managed database of the in-memory and caching open-source databases Redis or Memcached. Used for improving the performance of an app by adding a caching layer in front of a web server or database.

Neptune: managed graph database. Data is represented as interconnected nodes. Used for understanding connections between data eg. mapping fraud rings or social media relationships.

Amazon Timestream: Fully managed time series database. Think of devices that send lots of time-sensitive data, such as IoT devices. Used for measuring how things change over time.

Amazon Quantum Ledger Database (QLDB): Fully managed ledger database that provides transparent, immutable and cryptographically verifiable transaction logs. Used to record a trusted history of financial activities.

Database Migration Service (DMS): database migration service. Can migrate from: (1) an on-premise database to AWS (2) two databases in different or the same AWS accounts using different SQL engines (3) SQL to NoSQL databases

A

Intentionally left blank

111
Q

Cloud-Native Networking Services

VPC: Logically isolated section of the AWS Cloud where you can launch AWS resources

A

Route Tables: determine where network traffic from subnets is directed

Internet Gateway: Enables access to the internet

NACLs: Act as a firewall at the subnet level

Subnets: Logical partition of an IP network into multiple, smaller network segments.

AZ: Data center of your AWS resources

Region: Geographical location of your network

114
Q

Enterprise/Hybrid Networking

Enterprise/Hybrid Networking

A

Direct Connect: dedicated gigabit connection from an on-premise datacenter to AWS (very fast connection)

AWS Virtual Private Network (VPN): secure connection between on-premise, remote offices, and mobile employees.

PrivateLink (VPC interface endpoints): Keeps traffic within the AWS network and does not traverse the internet, to keep traffic secure.

115
Q

Virtual Private Cloud (VPC) and Subnets

VPC: logically isolated section of the AWS network where you launch AWS resources. Involves choosing a range of IPs using a CIDR range. CIDR range of 10.0.0.0/16 = 65,536 IP addresses

Subnets: logical partition of an IP network into multiple smaller network segments. Breaking up the IP range for the VPC into smaller networks. Needs to have a smaller CIDR range than its associated VPC. eg. Subnet CIDR range 10.0.0.0/24 = 256 IP addresses

Public subnet: one that can reach the internet

Private subnet: one that cannot reach the internet.

A
116
Q

Security Groups vs NACLs

Security Groups vs NACLs

A

NACLs: Act as a virtual firewall at the subnet level. Allow and deny rules (stateless). eg. Block a specific IP address known for abuse.

Security Groups: Act as a virtual firewall at the instance level. Allow rules only (stateful). eg. Allow an EC2 instance access on port 22 for SSH. You cannot block a single IP address.

117
Q

Introduction to EC2

EC2: Highly configurable virtual server. Resizable compute capacity. Takes 2 mins to launch new instances. All AWS services use EC2 instances underneath.
Launching EC2 Steps
1. Choose an OS via AMI eg. Red Hat, Windows...
2. Choose an Instance Type eg. t2.nano
3. Add storage (EBS, EFS) eg. SSD, HDD, virtual magnetic tape, multiple volumes
4. Configure the Instance eg. security groups, key pairs, UserData, IAM Roles, Placement Groups

A
118
Q

EC2 Instance Families

What are Instance Families?

A

Instance families are different combinations of CPU, Memory, Storage and Networking capacity.

Instance families allow for choice of appropriate combination of capacity to meet your application’s unique requirements.

Different instance families are different because of the varying hardware used to give them their unique properties.

Commonly instance families are called “Instance Types” but an instance type is a combination of size and family.

  1. General Purpose: A1, T2, T3, T3a, T4g, M4, M5, M5a, M5zn, M6g, M6i, Mac; balance of compute, memory, and networking resources; Use-cases: web servers and code repositories.
  2. Compute Optimized: C5, C4, C5a, C5n, C6g, C6gn; ideal for compute-bound applications that benefit from high performance processors. Use-cases: scientific modeling, dedicated gaming servers and server engines
  3. Memory Optimized: R4, R5, R5a, R5b, R5n, X1, X1e, High Memory, z1d; fast performance for workloads that process large data sets in memory. Use-cases: in-memory caches, in-memory databases, real-time big data analytics.
  4. Accelerated Computing: P2, P3, P4, G3, G4ad, G4dn, F1, Inf1, VT1; hardware accelerators, or co-processors; Use-cases: machine learning, computational finance, seismic analysis, speech recognition.
  5. Storage Optimized: I3, I3en, D2, D3, D3en, H1; high, sequential read and write access to very large data sets on local storage; Use-cases: NoSQL, in-memory or transactional databases, data warehousing
119
Q

EC2 Instance Types

An instance type is a particular instance size and instance family:

A

A common pattern for instance sizes:
* nano
* micro
* small
* medium
* large
* xlarge
* 2xlarge
* 4xlarge
* 8xlarge
There are many exceptions to this pattern for sizes eg: c6.metal - is a bare metal machine; c5.9xlarge - is not a power of 2 or even an even-number size.

120
Q

EC2 Instance Sizes

EC2 Instance sizes generally double in price and key attributes

A

For t2.small, the price is $0.023/hr ($16.79/mo)
For t2.medium, the price is $0.0464/hr ($33.87/mo)

121
Q

EC2 dedicated Host

Dedicated Hosts are single-tenant EC2 servers designed to let you Bring-Your-Own-License based on machine characteristics

A

Differences:
1. Isolation: Dedicated Instances involve instance isolation. Dedicated Hosts involve physical server isolation.
2. Billing: Dedicated Instances use per-instance billing (+$2 per region fee). Dedicated Hosts use per-host billing.
3. Visibility of physical x'tics: Dedicated Instances have no visibility. Dedicated Hosts expose sockets, cores, and host ID.
4. Affinity b/n a host and instance: Dedicated Instances have no affinity. Dedicated Hosts consistently deploy the same instances to the same physical server.
5. Targeted instance placement: Dedicated Instances have no control. Dedicated Hosts have additional control over instance placement on the physical server.
6. Automatic instance placement: Both Dedicated Instances and Dedicated Hosts have automatic instance placement.
7. Add capacity using an allocation request: Dedicated Instances do not allow adding capacity using an allocation request. Dedicated Hosts allow adding capacity using an allocation request.

122
Q

EC2 Pricing Models

5 different ways to pay for EC2 (Virtual machines)

A

On-demand (least commitment)
* low cost and flexible
* only pay per hour or the second
* cannot be interrupted
* for first time apps

Spot up to 90% discount (Biggest Savings)
* request spare computing capacity
* flexible start and end times
* can handle interruptions (server randomly stopping and starting)
* for non-critical background jobs

Reserved up to 75% off (Best long-term)
* steady state or predictable usage
* commit to EC2 over a 1 or 3 year term
* can resell unused reserved instances

Dedicated (most expensive)
* dedicated servers
* can be on-demand, reserved or spot
* when you need a guarantee of isolated hardware (enterprise requirements)

AWS Savings Plans: Another way to save, but can be used for more than just EC2.

123
Q

EC2 Tenancy

EC2 has three levels of tenancy

A
  1. Dedicated Host tenancy: Control of the physical attributes of the server
  2. Dedicated Instance tenancy: Server lives at one specific location in the cloud.
  3. Default tenancy: Server lives in a specific location until reboot.
125
Q

EC2 Pricing Models

On-Demand: Pay-as-you-go (PAYG) where you consume compute and then you pay

A

When one launches an EC2 instance, it uses on-demand pricing by default. No upfront payment or long-term commitment. Charged by the second (minimum of 60 seconds) or the hour.

On-Demand: For applications where the workload is short-term, spiky, or unpredictable. Used for development of a new app or running an experiment.

126
Q

EC2 Pricing Models: Reserved

Reserved Instances: Designed for apps that have steady-state, predictable usage, or require reserved capacity.

Reduced pricing is based on Term x Class offering x RI Attributes x Payment Option

A

Term: the longer the term, the greater the savings.
* Commit to a 1- or 3-year contract. Reserved Instances do not renew automatically.
* Upon expiration, the instance uses on-demand pricing with no interruption to service.

Class: the less flexible, the greater the savings.
* Standard: Up to 75% reduced pricing compared to on-demand. Can modify RI Attributes.
* Convertible: Up to 54% reduced pricing compared to on-demand. Can exchange the RI based on RI Attributes if greater or equal in value.
* Scheduled: AWS no longer offers Scheduled RIs.

Payment Options: the greater the upfront payment, the greater the savings.
* All Upfront: Full payment is made at the start of the term.
* Partial Upfront: A portion of the cost must be paid upfront and the remaining hours in the term are billed at a discounted hourly rate.
* No Upfront: Billed a discounted hourly rate for every hour within the term, regardless of whether the Reserved Instance is being used.

RIs can be shared between multiple accounts within an AWS Organization. Unused RIs can be sold in the Reserved Instance Marketplace.

127
Q

Reserved Instances(RI) - RI Attributes

RI Attributes (aka Instance Attributes): Limited based on the Class Offering and can affect the final price of an RI. There are 4 RI Attributes.

A

RI Attributes:
1. Instance type: For example, m4.large. This is composed of the instance family (for example, m4) and the instance size (eg. large).
2. Region: The Region in which the Reserved Instance is purchased.
3. Tenancy: Whether the instance runs on shared (default) or single-tenant (dedicated) hardware.
4. Platform: The operating system eg. Windows or Linux/Unix

128
Q

Regional and Zonal RI

When you purchase an RI, you determine the scope of the Reserved Instance. The scope does not affect the price.

A

Regional RI: purchased for a region
* Does not reserve capacity
* RI discount applies to instance usage in any AZ in the region
* RI discount applies to instance usage within the instance family, regardless of size. Only supported on Amazon Linux/Unix Reserved Instances with default tenancy.

Zonal RI: purchased for an Availability Zone
* Reserves capacity in the specified Availability Zone
* RI discount applies to instances in the selected AZ (no AZ flexibility)
* No instance size flexibility; the RI discount applies to instance usage for the specified instance type and size only.

129
Q

RI Limits

RI Limits: There is a limit to the number of Reserved Instances that you can purchase per month. Per month, you can purchase 20 Regional Reserved Instances per Region and 20 Zonal Reserved Instances per AZ

A

Regional Limits:
* You cannot exceed your running on-demand instance limit by purchasing regional Reserved Instances. The default on-demand instance limit is 20.
* Before purchasing RIs, ensure the on-demand limit is equal to or greater than the number of RIs you intend to purchase.

Zonal Limits:
* Can exceed the running on-demand instance limit by purchasing zonal Reserved Instances.
* If you already have 20 running on-demand instances, and you purchase 20 zonal Reserved Instances, you can launch a further 20 on-demand instances that match the specifications of the zonal Reserved Instances.

130
Q

Capacity Reservations

EC2 instances are backed by different kinds of hardware, and so there is a finite number of servers available within an Availability Zone per instance type or family.

A

Capacity Reservation: a service of EC2 that allows you to request an EC2 instance type for a specific region or AZ

The reserved capacity is charged at the selected type’s on-demand rate whether an instance is running in it or not.

You can also use regional reserved instances with capacity reservations to benefit from billing discounts.

131
Q

Standard vs Convertible RI

Differences between standard and convertible

A

Standard RI
RI attributes can be modified:
* Change the AZ within the same Region
* Change the scope from Zonal RI to Regional RI or vice versa
* Change the instance size (Linux/Unix only, default tenancy)
* Change the network from EC2-Classic to VPC and vice versa
Can’t be exchanged
Can be bought or sold in the RI Marketplace

Convertible RI
RI attributes can’t be modified (you perform an exchange instead)
Can be exchanged during the term for another Convertible RI with new RI attributes, including:
* instance family
* instance type
* platform
* scope
* tenancy
Can’t be bought or sold in the RI Marketplace.

132
Q

RI Marketplace

The EC2 Reserved Instance Marketplace allows the sale of unused Standard RIs to recoup RI spend on reservations that are no longer intended for use or cannot be used.

A
  1. Reserved Instances can be sold after they have been active for at least 30 days and once AWS has received the upfront payment (if applicable).
  2. One must have a US bank account to sell Reserved Instances on the Reserved Instance Marketplace.
  3. There must be at least one month remaining in the term of the Reserved Instance listed.
  4. One retains the pricing and capacity benefit of the reservation until it is sold and the transaction is complete.
  5. Company name (and address upon request) will be shared with the buyer for tax purposes.
  6. A seller can set only the upfront price for a Reserved Instance. The usage price and other configuration (eg. instance type, AZ, platform) remain the same as when the Reserved Instance was initially purchased.
  7. The term length is rounded down to the nearest month. For example, a reservation with 9 months and 15 days remaining will appear as 9 months on the Reserved Instance Marketplace.
  8. One can sell up to $20,000 in Reserved Instances per year, if you need to sell more Reserved Instances.
  9. Reserved Instances in the GovCloud region cannot be sold on the Reserved Instance Marketplace.

133
Q

Spot Instances:

AWS has unused compute capacity and wants to maximize the utility of its idle servers. Spot Instances provide a discount of 90% compared to On-Demand pricing. Spot Instances can be terminated if the compute capacity is needed by other On-Demand customers.

A

Designed for applications that have flexible start and end times or applications that are only feasible at very low compute costs.

AWS Batch: an easy and convenient way to use Spot pricing.

Termination Conditions
* Instances can be terminated by AWS at any time
* If your instance is terminated by AWS, you don’t get charged for a partial hour of usage.
* If you terminate an instance yourself, you will still be charged for any hour that it ran.

134
Q

Dedicated instances:

Dedicated Instances: designed to meet regulatory requirements. When you have strict server-bound licensing that won’t support multi-tenancy or cloud deployments, use Dedicated Hosts.

A

Multi-Tenant: when multiple customers run workloads on the same hardware. Virtual isolation is what separates customers.

Single-Tenant: when a single customer has dedicated hardware. Physical isolation is what separates customers.

Dedicated can be offered for:
* On-demand
* Reserved (up to 60% savings)
* Spot (up to 90% savings)
* Choose tenancy during EC2 launch

Enterprises and Large Organizations may have security concerns or obligations about sharing the same hardware with other AWS customers.

135
Q

AWS Savings Plan

AWS Savings Plans: Savings Plans offer discounts similar to Reserved Instances (RIs) but simplify the purchasing process.

A

3 types of savings plans:
* Compute Savings Plans
* EC2 Instance Savings Plans
* SageMaker Savings Plan

Choose two different terms:
* 1-year
* 3-year

Choose one of the following payment options:
* All Upfront
* Partial Upfront
* No Upfront

136
Q

AWS Savings Plan

AWS Savings Plan has 3 different savings types:

A
  1. Compute: Compute Savings Plans provide the most flexibility and help to reduce cost by up to 66%. Plans automatically apply to EC2 instance usage, AWS Fargate, and AWS Lambda service usage regardless of instance family, size, AZ, Region, OS, or tenancy.
  2. EC2 Instance: Provides the lowest prices, offering savings of up to 72% in exchange for a commitment to usage of an individual instance family in a Region. Automatically reduces your cost on the selected instance family in that Region regardless of AZ, size, OS or tenancy. Provides flexibility to change usage between instances within a family in that Region.
  3. SageMaker: Helps reduce SageMaker costs by up to 64%. Automatically applies to SageMaker usage regardless of instance family, size, component, or AWS Region.

137
Q

Zero Trust Model

The Zero Trust model operates on the principle of “trust no one, verify everything.”
Malicious actors being able to bypass conventional access controls demonstrates that traditional security measures are no longer sufficient.

In the Zero Trust Model, Identity becomes the primary security perimeter.

A

What is the Primary Security Perimeter?
The primary (or new) security perimeter defines the first line of defense and the security controls that protect a company’s cloud resources and assets.

Network-Centric: (Old-Way)
Traditional security focused on firewalls and VPNs, since there were few employees or workstations outside the office, or they were in specific remote offices.

Identity-Centric: (New-Way): Bring-your-own-device and remote workstations are much more common, and we can’t trust that the employee is in a secure location, so we use identity-based security controls like MFA, or provide provisional access based on the level of risk from where, when, and what a user wants to access.

138
Q

Zero Trust on AWS

Identity Security Controls you can implement on AWS to meet the Zero Trust Model:
AWS IAM
* IAM Policies
* Permission Boundaries
* Service Control Policies (organization-wide policies)
* IAM Policy Conditions
  - aws:SourceIp - Restrict on IP address
  - aws:RequestedRegion - Restrict on Region
  - aws:MultiFactorAuthPresent - Restrict if MFA is turned off
  - aws:CurrentTime - Restrict access based on time of day

AWS does not have ready-to-use identity controls that are intelligent, which is why AWS is considered not to have a true Zero Trust offering for customers, and third-party services need to be used.

A

A collection of AWS services can be set up for intelligent-ish detection of identity concerns, but this requires expert knowledge.

AWS CloudTrail: Tracks all API calls

Amazon GuardDuty: Detects suspicious or malicious activity (threats) based on CloudTrail and other logs.

Amazon Detective: Used to analyze, investigate and quickly identify security issues (can ingest findings from GuardDuty)

139
Q

Zero Trust on AWS with Third Parties

AWS does technically implement a Zero Trust Model but does not allow for intelligent identity security controls.

A

For example: Azure Active Directory has real-time and calculated risk detection based on more data points than AWS, eg. device and application, time of day, location, whether MFA is turned on, and what’s being accessed; and its security controls, verifications and logic restrictions are much more robust.

Third-Party Identity solutions with more intelligent security controls for real-time detection:
1. Azure Active Directory (Azure AD)
2. Google BeyondCorp
3. JumpCloud

These third-party services can be accessed on the cloud by using AWS Single Sign on (SSO) as the path to your AWS resources.

140
Q

Directory Service

Directory Service: maps the names of network resources to their network addresses.

A

A directory service is a shared information infrastructure for locating, managing, administering and organizing resources: volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects.

A directory service is a critical component of a network operating system.

A directory server (name server) is a server which provides a directory service.

Each resource on the network is considered an object by the directory server. Information about a particular resource is stored as a collection of attributes associated with that resource or object.

Well known directory services:
1. Domain Name Service (the directory service for the internet)
2. Microsoft Active Directory: Azure Active Directory
3. Apache Directory Server
4. Oracle Internet Directory (OID)
5. OpenLDAP
6. Cloud Identity
7. JumpCloud

141
Q

Active Directory:

Microsoft introduced Active Directory Domain Services in Windows 2000 to give organizations the ability to manage multiple on-premises infrastructure components and systems using a single identity per user.

A

It is organized into a forest that contains domains; a domain linked to its child domains forms a tree. Each child domain consists of organizational units, which contain multiple users.

143
Q

Identity Providers (IdPs)

Identity Provider (IdP): a system that creates, maintains, and manages identity information for principals and also provides authentication services to applications within a federation or distributed network. A trusted provider of your user identity that lets you authenticate in order to access other services. Identity Providers could be: Facebook, Amazon, Google, Twitter, GitHub, LinkedIn.

A

Federated Identity: a method of linking a user’s identity across multiple separate identity management systems.

OpenID: an open standard and decentralized authentication protocol. Eg. being able to log in to a different social media platform using a Google or Facebook account. OpenID is about proving who you are.

OAuth 2.0: an industry-standard protocol for authorization. OAuth doesn’t share password data but instead uses authorization tokens to prove an identity between consumers and service providers. OAuth is about granting access to functionality.

SAML: Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between an identity provider and a service provider. An important use case for SAML is single sign-on via web browser.

144
Q

Single sign-on (SSO)

SSO: an authentication scheme that allows a user to log in with a single ID and password to different systems and software.

A

SSO allows IT departments to administer a single identity that can access many machines and cloud services.

Azure Active Directory – SAML – SSO

Login with SSO is seamless: once a user is logged in to their primary directory, when they go to use this software they are not presented with a login screen.

145
Q

LDAP

Lightweight Directory Access Protocol (LDAP): an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

A

A common use of LDAP is to provide a central place to store usernames and passwords

LDAP enables same-sign-on. Same-sign-on allows users to use a single ID and password, but they have to enter it every time they want to log in.

Why use LDAP when SSO is more convenient?
* Most SSO systems use LDAP
* LDAP was not designed natively to work with web applications
* Some systems only support integration with LDAP and not SSO

146
Q

MFA

Multi-Factor Authentication: a security control where, after you fill in your username/email and password, you have to use a second device such as a phone to confirm that it’s you logging in.

A

MFA protects against people who have stolen your password.

MFA is an option in most cloud providers and even social media websites such as Facebook.

147
Q

Security Keys

Security Key: secondary device used as second step in authentication process to gain access to a device, workstation or application.

A

A security key can resemble a memory stick. When your finger makes contact with a button of exposed metal on the device, it will generate and autofill a security token.

A popular brand of security key is the YubiKey:
- works out of the box with Gmail, Facebook, and hundreds more
- supports FIDO2/WebAuthn, U2F
- waterproof and crush resistant
- USB-A and NFC dual connectors on a single key

148
Q

AWS IAM

AWS Identity and Access Management (IAM): create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

IAM Policies: JSON documents that grant permissions for a specific user, group or role to access services. Policies are attached to IAM identities.

IAM Permission: API actions that can or cannot be performed. They are represented in the IAM Policy document.

A

IAM Identities:
IAM Users: End users who log into the console or interact with AWS resources programmatically or via clicking UI interfaces

IAM Groups: Group up your Users so they all share permission levels of the group eg. Administrators, Developers, Auditors

IAM Roles: Roles grant AWS resources permission to perform specific AWS API actions. Associate policies with a Role and then assign it to an AWS resource.

149
Q

Anatomy of an IAM Policy

IAM Policies: written in JSON, and contain the permissions which determine what API actions are allowed or denied.

A
  1. Version: policy language version
  2. Statement: container for the policy elements; you are allowed to have multiple statements
  3. Sid (optional): a way of labeling your statements
  4. Effect: sets whether the policy will Allow or Deny
  5. Action: list of actions that the policy allows or denies
  6. Principal: account, user, role, or federated user to which you would like to allow or deny access
  7. Resource: the resource to which the action(s) applies
  8. Condition (optional): circumstances under which the policy grants permission

150
Q

Principle of Least Privilege (PoLP)

PoLP: computer security concept of providing a user, role, or application the least amount of permissions to perform an operation or action.

A

Just-Enough-Access (JEA): Permitting only the exact actions for the identity to perform a task

Just-in-Time (JIT): Permitting the shortest length of time for which an identity can use permissions

ConsoleMe: an open-source Netflix project to self-serve short-lived IAM policies so an end user can access AWS resources while enforcing JEA and JIT.

Risk-based adaptive policies: each attempt to access a resource generates a risk score of how likely the request is to be from a compromised source. The risk score could be based on many factors, eg. device, user location, IP address, what is being accessed and when.

AWS at the time of this recording does not have Risk-based adaptive policies built into IAM.

151
Q

AWS Account Root User

AWS Account: the account that holds all your AWS resources
AWS Account Root User: a special account with full access that cannot be deleted
AWS Account User: a user for common tasks that is assigned permissions

A

AWS Account Root User: special user who is created at the time of AWS account creation:
1. The Root User logs in with an email address and password. A regular user has to provide the Account ID/Alias, username and password.
2. The Root User cannot be deleted.
3. The Root User has full permissions to the account and its permissions cannot be limited. You cannot use IAM policies to explicitly deny the root user access to resources. You can only use an AWS Organizations service control policy (SCP) to limit the permissions of the root user.
4. There can only be one Root User per AWS account.
5. The root user is intended for very specific and specialized tasks that are infrequently or rarely performed. The AWS Root User should not be used for daily or common tasks.
6. It’s strongly recommended to never use Root User access keys.
7. It’s strongly recommended to turn on MFA for the Root User.

152
Q

AWS Account Root User

Administrative Tasks that only the Root User can perform:

A
  1. Change your account settings - Includes the account name, email address, root user password, and root user access keys. Other account settings, such as contact information, payment currency preference, and Regions, do not require root user credentials.
  2. Restore IAM user permissions - If the only IAM administrator accidentally revokes their own permissions, you can sign in as the root user to edit policies and restore those permissions.
  3. Activate IAM access to the Billing and Cost Management console.
  4. View certain tax invoices
  5. Close AWS account
  6. Change or cancel AWS Support plan
  7. Register as a seller in the Reserved Instance Marketplace.
  8. Enable MFA Delete on an S3 bucket.
  9. Edit or delete an Amazon S3 bucket policy that includes an invalid VPC ID or endpoint ID.
  10. Sign up for GovCloud.

153
Q

AWS Single Sign-On (AWS SSO)

AWS SSO: where you create, or connect, your workforce identities in AWS once and manage access centrally across your AWS organization.

A

1. Choose your identity source: AWS account, AWS applications, SAML applications.
2. Manage user permissions centrally: AWS account, AWS applications, SAML applications.
3. Users get single-click access.

154
Q

Application Integration

Application Integration: the process of letting two independent applications communicate and work with each other, commonly facilitated by an intermediate system.

A

Cloud workloads encourage systems and services to be loosely coupled, and so AWS has many services for the specific purpose of application integration.

The common systems or design patterns utilized for Application Integration generally are:
queueing, streaming, pub/sub, API gateways, state machine, event bus.

155
Q

Queueing

Messaging system: used to provide asynchronous communication and decouple processes via messages/events sent from a sender to a receiver (producer and consumer).

Queueing system: a messaging system that generally deletes messages once they are consumed. Simple communication. Not real-time. Consumers have to pull. Not reactive.

A

Simple Queue Service (SQS): Fully managed queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.
Use case: need to queue up transactional emails to be sent, eg. signup, reset password.

156
Q

Streaming

Streaming: a messaging system whereby multiple consumers can react to events (messages). Events live in the stream for long periods of time, so complex operations can be applied. Real-time. Eg. Amazon Kinesis

A

Amazon Kinesis: AWS fully managed solution for collecting, processing, and analyzing streaming data in the cloud.

157
Q

Pub/Sub

Publish-subscribe: pattern commonly implemented in messaging systems.
In a pub/sub system, the senders of messages (publishers) do not send their messages directly to receivers. Instead, they send their messages to an event bus, which categorizes messages into groups. Receivers of messages (subscribers) then subscribe to these groups. Whenever new messages appear within their subscription, the messages are immediately delivered to them. Use cases: a real-time chat system; a webhook system.

A

Publishers have no knowledge of the identity of subscribers.

Subscribers do not pull for messages.

Messages are instead automatically and immediately pushed to subscribers.

Messages and events are interchangeable terms in pub/sub.

158
Q

Pub/Sub: SNS

Simple Notification Service (SNS): Highly available, durable, secure, fully managed pub/sub messaging service that enables you to decouple microservices, distributed systems, and serverless applications.

A
  1. Publishers: AWS SDK, AWS CLI, CloudWatch, AWS services
  2. Event bus: SNS topics, message filtering & fanout
  3. Subscribers: Lambda, SQS, Email, HTTP/S

159
Q

API Gateway

API Gateway: a program that sits between a single entry point and multiple backends. An API Gateway allows for throttling, logging, routing logic or formatting of the request and response.

A

Amazon API Gateway: for creating secure APIs in a cloud environment at any scale. Create APIs that act as a front door for applications to access data, business logic, or functionality from back-end services.

160
Q

State Machines

State machine: an abstract model which decides how one state moves to another based on a series of conditions. Think of a state machine like a flow chart.

A

AWS Step Functions:
- Coordinate multiple AWS services into a serverless workflow
- A graphical console to visualize the components of your application as a series of steps
- Automatically triggers and tracks each step, and retries when there are errors, so your application executes in order and as expected, every time
- Logs the state of each step, so when things go wrong, one can diagnose and debug problems quickly

161
Q

Event Bus

Event bus: receives events from a source and routes events to a target based on rules.

EventBridge is a serverless event bus service that is used for application integration by streaming real-time data to your applications. It was formerly called Amazon CloudWatch Events.

A

Event Bus: Holds event data, defines rules on an event bus to react to events.
Default Event Bus: AWS account has a default event bus
Custom Event Bus: Scoped to multiple accounts or other AWS accounts
SaaS Event Bus: Scoped with Third party SaaS Providers

Producers: AWS services that emit events

Partner Sources: Are third-party apps that can emit events to an event bus

Events: Data emitted by services, JSON objects that travel (stream) within the event bus.

Rules: Determine which events to capture and pass to targets (100 rules per bus)

Targets: AWS services that consume events (5 targets per rule)

162
Q

Application Integration Services

  1. SNS: pub-sub messaging system that sends notifications via various formats such as plain-text email, HTTP/S (webhooks), SMS (text messages), SQS and Lambda. Messages are pushed to subscribers.
  2. SQS: queueing messaging service. Send events to a queue; other applications pull the queue for messages. Commonly used for background jobs.
  3. Step Functions: a state machine service that coordinates multiple AWS services into serverless workflows. Easily share data among Lambdas and have a group of Lambdas wait for each other. Create logical steps. Also works with Fargate tasks.
  4. EventBridge (CloudWatch Events): serverless event bus that makes it easy to connect applications together from your own applications, third-party services and AWS services.
  5. Kinesis: real-time streaming data service. Create producers which send data to a stream. Multiple consumers can consume data within a stream. Use for real-time analytics, click streams, ingesting data from a fleet of IoT devices.
  6. Amazon MQ: managed message broker service that uses Apache ActiveMQ
  7. Managed Streaming for Apache Kafka (MSK): fully managed Apache Kafka service. Kafka is an open-source platform for building real-time streaming data pipelines and applications. Similar to Kinesis, but more robust.
  8. API Gateway: fully managed service for developers to create, publish, maintain, monitor, and secure APIs. Can create API endpoints and route them to AWS services.
  9. AppSync: fully managed GraphQL service. GraphQL is an open-source, data-source-agnostic query adaptor that allows you to query data from many different data sources.
A
163
Q

VMs vs Container

VMs do not make the best use of space. Apps are not isolated, which could cause conflicts, security problems, or resource hogging.

Containers allow running multiple apps which are virtually isolated from each other. Launch new containers and configure OS dependencies per container.

A

VMs use a hypervisor; containers use the Docker daemon.

164
Q

Monolithic Architecture vs Microservices Architecture

A

Monolithic Architecture: one app which is responsible for everything. Functionality is tightly coupled.

Microservice Architecture: multiple apps which are each responsible for one thing. Functionality is isolated and stateless.

165
Q

Kubernetes

Kubernetes: an open-source container orchestration system for automating deployment, scaling and management of containers. Originally created by Google and now maintained by the Cloud Native Computing Foundation (CNCF)

A
  1. Kubernetes is commonly abbreviated K8s; the 8 represents the remaining letters “ubernete”
  2. The advantage of Kubernetes over Docker is the ability to run containers distributed across multiple VMs
  3. A unique component of Kubernetes is the Pod. A pod is a group of one or more containers with shared storage, network resources and other shared settings.
  4. Kubernetes is ideal for microservice architectures where a company has tens to hundreds of services they need to manage.

166
Q

Docker

Docker: a set of platform as a service (PaaS) products that use OS-level virtualization to deliver software in packages called containers.

A

Docker popularized the open-source container platform. When people think of containers, they think of Docker.

Docker CLI - CLI commands to download, upload, build, run and debug containers
Dockerfile - a configuration file describing how to provision a container
Docker Compose - a tool and configuration file for working with multiple containers
Docker Swarm - an orchestration tool for managing deployed multi-container architectures
Docker Hub - public online repository for container images published by the community for download.

The Open Container Initiative (OCI): an open governance structure for creating open industry standards around container formats and runtime. Docker established the OCI and it is now maintained by the Linux Foundation.

Docker has been losing favor with developers due to how it introduced a paid open-source model, and alternatives like Podman are growing.

167
Q

Podman, Buildah and Skopeo

Podman: a container engine that is OCI-compliant and a drop-in replacement for Docker.

Podman is daemon-less, whereas Docker uses the containerd daemon
Podman allows you to create pods like K8s; Docker does not have pods
Podman only replaces one part of Docker. Podman is to be used alongside Buildah and Skopeo

Buildah: a tool used to build OCI images

Skopeo: a tool for moving container images between different types of container storage.

A
168
Q

Container Services.

Primary services, provisioning & deployment, supporting services

A

Primary Services:
1. Elastic Container Service (ECS): No cold starts, self-managed EC2
2. AWS Fargate: More robust than lambda, scale to zero cost, AWS-Managed EC2
3. Elastic Kubernetes Services (EKS): Open source; avoid vendor lock-in
4. AWS Lambda: Only think about code, short running tasks, can deploy custom containers

Provisioning & Deployment:
1. Elastic Beanstalk (EB): ECS on training wheels, platform as a service
2. App Runner: Platform as a service, specifically for container
3. AWS Copilot CLI: build, release and operate production ready containerized applications on AWS App Runner, Amazon ECS, and AWS Fargate.

Supporting Services:
1. Elastic Container Registry (ECR): repos for your Docker images.
2. X-ray: Analyze and debug between microservices
3. Step Functions: Stitch together lambdas and ECS tasks

169
Q

Organizations and Accounts:

AWS Organizations: allow the creation of new AWS accounts. Centrally manage billing, control access, compliance, security, and share resources across your AWS accounts.

A

Root Account User: a single sign-in identity that has complete access to all AWS services and resources in an account. Each account has a Root Account User.

Organizational Units: a group of AWS accounts within an organization, which can also contain other organizational units, creating a hierarchy

Service Control Policies: give central control over the allowed permissions for all accounts in your organization, helping to ensure your accounts stay within your organization’s guidelines

AWS Organizations must be turned on; once turned on, it cannot be turned off. One can create as many AWS accounts as needed; one account will be the Master/Root account.

AWS account is not the same as a User Account.

170
Q

AWS Control Tower

AWS Control Tower helps enterprises quickly set up a secure AWS multi-account environment. It provides a baseline environment to get started with a multi-account architecture.

A

Landing zone: A landing zone is a baseline environment following well-architected and best practices to start launching production ready workloads. Eg. AWS SSO enabled, central logging for AWS CloudTrail, cross-account security auditing

Account Factory:
- automates provisioning of new accounts in your organization
- standardizes the provisioning of new accounts with pre-approved account configurations
- configure your account factory with pre-approved network configurations and Region selections
- enables self-service for your builders to configure and provision new accounts using AWS Service Catalog.

Guardrails: pre-packaged governance rules for security, operations, and compliance that customers can select and apply enterprise-wide or to specific groups of accounts.

AWS Control Tower is the replacement for the retired AWS Landing Zone solution.

171
Q

AWS Config

AWS Config: a compliance-as-code framework that allows you to manage change in your AWS accounts on a per-Region basis.

A

Change management, in the context of cloud infrastructure, is the formal process to monitor, enforce and remediate changes.

Compliance-as-code (CaC): using programming to automate the monitoring, enforcing, and remediating of changes to stay compliant with compliance programs or expected configurations.

When should AWS Config be used?
- Resources need to stay configured a specific way for compliance
- Keep track of configuration changes to resources
- A list of all resources within a Region
- To analyze potential security weaknesses, you need detailed historical information

172
Q

AWS Quick Starts

AWS Quick Starts: prebuilt templates by AWS and AWS partners to help deploy a wide range of stacks. They reduce hundreds of manual procedures to a few steps.

A

A Quick Start is composed of 3 parts:
1. A reference architecture for the deployment
2. AWS CloudFormation templates that automate and configure the deployment
3. A deployment guide explaining the architecture and implementation in detail.

Most QuickStart reference deployments enable you to spin up a fully functional architecture in less than an hour!

173
Q

Tagging

A tag is a key-value pair that one can assign to AWS resources.

A

Tags allow you to organize resources in the following ways:
1. Resources management: specific workloads, environments eg. Developer Environments
2. Cost management and optimization: cost tracking, budgets, alerts
3. Operations management: Business commitments and SLA operations eg. Mission-critical services
4. Security: classification of data and security impact
5. Governance and regulatory compliance
6. Automation
7. Workload optimization

Tag Examples:
Dept = Finance
Status = Approved
Team = compliance
Environment = production
Project = enterprise
location = Canada

174
Q

Resources Groups

Resource groups are a collection of resources that share one or more tags

A

Helps you organize and consolidate information based on your project and the resources that you use.

Resource groups can display details about a group of resources based on metrics, alarms, and configuration settings.

At any time, one can modify the settings of a resource group.

Resource Groups appear in the Global Console Header and under Systems Manager.

175
Q

Business Centric Services

A

Amazon Connect: virtual call center service. Can create workflows to route callers, record phone calls, and manage a queue of callers. Based on the same proven system used by the Amazon customer service teams.

WorkSpaces: virtual remote desktop service. A secure managed service for provisioning either Windows or Linux desktops in just a few minutes, which quickly scales up to thousands of desktops.

WorkDocs: shared collaboration service. A centralized storage to share content and files. Similar to Microsoft SharePoint. Think of it as a shared folder where the company has ownership.

Chime: video conferencing service. It is similar to Zoom or Skype. One can screen-share and have multiple people on the call. It is secure by default and can show you a calendar of upcoming calls.

WorkMail: managed business email, contacts, and calendar service with support for existing desktop and mobile client applications (IMAP). Similar to Gmail or Exchange.

Pinpoint: a marketing campaign management service. It is used for sending targeted email, SMS, push notifications, and voice messages. One can perform A/B testing or create journeys (complex email response workflows).

Simple Email Service (SES): transactional email service. You can integrate SES into your application to send emails. Can create common templates, track open rates, and keep track of your reputation.

QuickSight: a Business Intelligence (BI) service. Connect multiple data sources and quickly visualize data in the form of graphs with little to no programming knowledge.

176
Q

Provisioning Services

Provisioning is the allocation or creation of resources and services for customers. AWS Provisioning Services are responsible for setting up and then managing those AWS services.

A

Elastic Beanstalk (EB): a platform as a service (PaaS) to easily deploy web applications. EB provisions various AWS services including EC2, S3, SNS, CloudWatch, Auto Scaling groups, and ELB. If you've ever used Heroku, EB is the AWS equivalent.

AWS OpsWorks: configuration management service that also provides managed instances of the open-source configuration management software Chef and Puppet.

CloudFormation: infrastructure modeling and provisioning service. Automate the provisioning of AWS services by writing CloudFormation templates in either JSON or YAML files. This is known as infrastructure as code (IaC).

AWS Quick Starts: pre-made packages that can launch and configure AWS compute, network, storage, and other services required to deploy a workload on AWS.

AWS Marketplace: digital catalogue of thousands of software listings from independent software vendors that you can use to find, buy, test, and deploy software.

AWS Amplify: a mobile and web application framework that will provision multiple AWS services as your backend.

AWS App Runner: a fully managed service that makes it easy for developers to quickly deploy containerized web applications and APIs at scale, with no prior infrastructure experience required.

AWS Copilot: a CLI that enables customers to quickly launch and easily manage containerized applications on AWS.

AWS CodeStar: provides a unified user interface, enabling you to easily manage your software development activities in one place. Easily launch common types of stacks, e.g. LAMP.

AWS Cloud Development Kit (CDK): infrastructure as code (IaC) tool. Allows you to use your favorite programming language. Generates CloudFormation templates as the means for IaC.

177
Q

AWS Elastic Beanstalk

PaaS allows customers to develop, run, and manage applications without the complexity of building and maintaining the infrastructure typically associated with developing and launching an app.

Elastic Beanstalk: PaaS for deploying web applications with little to no knowledge of the underlying infrastructure, so you can focus on writing application code instead of setting up an automated deployment pipeline and DevOps tasks. Choose a platform, upload your code, and it runs with little knowledge of the infrastructure. Not recommended for "production" applications.
"Production" here refers to enterprise-scale applications of large companies, as AWS uses the term.

Elastic Beanstalk is powered by CloudFormation and sets up ELB, Auto Scaling groups, RDS, EC2 instances with preconfigured (or custom) platforms, monitoring (CloudWatch, SNS), in-place and blue/green deployment methodologies, and security (rotates passwords); it can also run Dockerized environments.

A