Attempt 1 Flashcards

1
Q

SCP is used for

A

SCPs are used to set limits on AWS accounts, for larger multi-account organizations.

SCPs alone are not sufficient for granting permissions to the accounts in your organization. No permissions are granted by an SCP.

An SCP defines a guardrail, or sets limits, on the actions that the account’s administrator can delegate to the IAM users and roles in the affected accounts.

The administrator must still attach identity-based or resource-based policies to IAM users or roles, or to the resources in your accounts to actually grant permissions.

SCPs DON’T GIVE permissions - they just control what an account CAN and CANNOT grant via identity policies.

2
Q

Which accounts are affected by an SCP?

A

Only member accounts can be affected;

MANAGEMENT accounts cannot.

3
Q

SCPs are applied to

A

organization OUs

4
Q

SCP FullAWSAccess

A

Allows by default; you need to add a deny policy to restrict.

5
Q

SCP Allow List

A

To implement, you will need to remove FullAWSAccess; by doing that, only the SCP implicit default deny is in place and active. This leaves room to explicitly add any allow policy.

6
Q

How does an SCP overlap with an identity policy?

A

The SCP limits are applied before the identity policy.

7
Q

Terminate instance in ASG

A

aws autoscaling terminate-instance-in-auto-scaling-group --instance-id <instance-id>

One of the following options is required:
--should-decrement-desired-capacity

--no-should-decrement-desired-capacity

8
Q

ASG process - Launch

A

Adds instances to the Auto Scaling group when the group scales out, or when Amazon EC2 Auto Scaling chooses to launch instances for other reasons, such as when it adds instances to a warm pool

9
Q

ASG process - Terminate

A

Removes instances from the Auto Scaling group when the group scales in, or when Amazon EC2 Auto Scaling chooses to terminate instances for other reasons, such as when an instance is terminated for exceeding its maximum lifetime duration or failing a health check.

10
Q

ASG process - AddToLoadBalancer

A

Adds instances to the attached load balancer target group or Classic Load Balancer when they are launched. For more information, see Use Elastic Load Balancing to distribute traffic across the instances in your Auto Scaling group.

11
Q

ASG process - AlarmNotification

A

Accepts notifications from CloudWatch alarms that are associated with dynamic scaling policies. For more information, see Dynamic scaling for Amazon EC2 Auto Scaling.

12
Q

ASG process - AZRebalance

A

Balances the number of EC2 instances in the group evenly across all of the specified Availability Zones when the group becomes unbalanced, for example, when a previously unavailable Availability Zone returns to a healthy state. For more information, see Rebalancing activities.

13
Q

ASG process - HealthCheck

A

Checks the health of the instances and marks an instance as unhealthy if Amazon EC2 or Elastic Load Balancing tells Amazon EC2 Auto Scaling that the instance is unhealthy. This process can override the health status of an instance that you set manually. For more information, see Health checks for Auto Scaling instances.

14
Q

ASG process - InstanceRefresh

A

Terminates and replaces instances using the instance refresh feature. For more information, see Replace Auto Scaling instances based on an instance refresh.

15
Q

ASG process - ReplaceUnhealthy

A

Terminates instances that are marked as unhealthy and then creates new instances to replace them. For more information, see Health checks for Auto Scaling instances.

16
Q

ASG process - ScheduledActions

A

Performs the scheduled scaling actions that you create or that are created for you when you create an AWS Auto Scaling scaling plan and turn on predictive scaling. For more information, see Scheduled scaling for Amazon EC2 Auto Scaling.

17
Q

Scenario 1: Launch is suspended

A

AlarmNotification is still active, but your Auto Scaling group can’t initiate scale-out activities for alarms that are in breach.

ScheduledActions is active, but your Auto Scaling group can’t initiate scale-out activities for any scheduled actions that occur.

AZRebalance stops rebalancing the group.
ReplaceUnhealthy continues to terminate unhealthy instances, but does not launch replacements. When you resume the Launch process, Amazon EC2 Auto Scaling immediately replaces any instances that it terminated during the time that Launch was suspended.

InstanceRefresh does not replace instances.

18
Q

Scenario 2: Terminate is suspended

A

AlarmNotification is still active, but your Auto Scaling group can’t initiate scale-in activities for alarms that are in breach.

ScheduledActions is active, but your Auto Scaling group can’t initiate scale-in activities for any scheduled actions that occur.

AZRebalance is still active but does not function properly. It can launch new instances without terminating the old ones. This could cause your Auto Scaling group to grow up to 10 percent larger than its maximum size, because this is allowed temporarily during rebalancing activities.

Your Auto Scaling group could remain above its maximum size until you resume the Terminate process.
ReplaceUnhealthy is inactive but not HealthCheck. When Terminate resumes, the ReplaceUnhealthy process immediately starts running. If any instances were marked as unhealthy while Terminate was suspended, they are immediately replaced.

InstanceRefresh does not replace instances.

19
Q

Scenario 3: AddToLoadBalancer is suspended

A

Amazon EC2 Auto Scaling launches the instances but does not add them to the load balancer target group or Classic Load Balancer. When you resume the AddToLoadBalancer process, it resumes adding instances to the load balancer when they are launched. However, it does not add the instances that were launched while this process was suspended. You must register those instances manually.

20
Q

Scenario 4: AlarmNotification is suspended

A

Amazon EC2 Auto Scaling does not invoke scaling policies when a CloudWatch alarm threshold is in breach. When you resume AlarmNotification, Amazon EC2 Auto Scaling considers policies with alarm thresholds that are currently in breach.

21
Q

Scenario 5: AZRebalance is suspended

A

Amazon EC2 Auto Scaling does not attempt to redistribute instances after certain events. However, if a scale-out or scale-in event occurs, the scaling process still tries to balance the Availability Zones. For example, during scale out, it launches the instance in the Availability Zone with the fewest instances. If the group becomes unbalanced while AZRebalance is suspended and you resume it, Amazon EC2 Auto Scaling attempts to rebalance the group. It first calls Launch and then Terminate.

22
Q

Scenario 6: HealthCheck is suspended

A

Amazon EC2 Auto Scaling stops marking instances unhealthy as a result of EC2 and Elastic Load Balancing health checks. Your custom health checks continue to function properly. After you suspend HealthCheck, if you need to, you can manually set the health state of instances in your group and have ReplaceUnhealthy replace them.

23
Q

Scenario 7: InstanceRefresh is suspended

A

Amazon EC2 Auto Scaling stops replacing instances as a result of an instance refresh. If there is an instance refresh in progress, this pauses the operation without canceling it.

24
Q

Scenario 8: ReplaceUnhealthy is suspended

A

Amazon EC2 Auto Scaling stops replacing instances that are marked as unhealthy. Instances that fail EC2 or Elastic Load Balancing health checks are still marked as unhealthy. As soon as you resume the ReplaceUnhealthy process, Amazon EC2 Auto Scaling replaces instances that were marked unhealthy while this process was suspended. The ReplaceUnhealthy process calls Terminate first and then Launch.

25
Q

Scenario 9: ScheduledActions is suspended

A

Amazon EC2 Auto Scaling does not run scheduled actions that are scheduled to run during the suspension period. When you resume ScheduledActions, Amazon EC2 Auto Scaling only considers scheduled actions whose scheduled time has not yet passed.

26
Q

Maximum instance lifetime

A

When Launch or Terminate are suspended, the maximum instance lifetime feature can’t replace any instances.

27
Q

Spot Instance interruptions

A

If Terminate is suspended and your Auto Scaling group has Spot Instances, they can still terminate in the event that Spot capacity is no longer available. While Launch is suspended, Amazon EC2 Auto Scaling can’t launch replacement instances from another Spot Instance pool or from the same Spot Instance pool when it is available again.

28
Q

Capacity Rebalancing

A

If Terminate is suspended and you use Capacity Rebalancing to handle Spot Instance interruptions, the Amazon EC2 Spot service can still terminate instances in the event that Spot capacity is no longer available. If Launch is suspended, Amazon EC2 Auto Scaling can’t launch replacement instances from another Spot Instance pool or from the same Spot Instance pool when it is available again.

29
Q

Attaching and detaching instances

A

When Launch and Terminate are suspended, you can detach instances that are attached to your Auto Scaling group, but while Launch is suspended, you can’t attach new instances to the group.

30
Q

Standby instances

A

When Launch and Terminate are suspended, you can put an instance in the Standby state, but while Launch is suspended, you can’t return an instance in the Standby state to service.

31
Q

Tags for AWS Console Organization and Resource Groups

A

Tags are a great way to organize AWS resources in the AWS Management Console. You can configure tags to be displayed with resources and can search and filter by tag. By default, the AWS Management Console is organized by AWS service. However, the Resource Groups tool allows customers to create a custom console that organizes and consolidates AWS resources based on one or more tags or portions of tags. Using this tool, customers can consolidate and view data for applications that consist of multiple services and resources in one place.

32
Q

Tags for Cost Allocation

A

AWS Cost Explorer and Cost and Usage Report support the ability to break down AWS costs by tag. Typically, customers use business tags such as cost center, business unit, or project to associate AWS costs with traditional financial reporting dimensions within their organization.

However, a cost allocation report can include any tag. This allows customers to easily associate costs with technical or security dimensions, such as specific applications, environments, or compliance programs.

33
Q

Tags For Automation

A

Resource or service-specific tags are often used to filter resources during infrastructure automation activities. Tags can be used to opt into or out of automated tasks, or to identify specific versions of resources to archive, update, or delete. For example, many customers run automated start/stop scripts that turn off development environments during non-business hours to reduce costs. In this scenario, Amazon Elastic Compute Cloud (Amazon EC2) instance tags are a simple way to identify the specific development instances to opt into or out of this process.

34
Q

AWS Systems Manager

A

View and control AWS and on-premises infrastructure.

Agent based - installed on Windows and Linux AWS AMIs.

Manages inventory (instances) & patch assets.

Run commands & manage desired state.

Parameter Store - configurations and secrets.

Securely connect to EC2 instances in private VPCs.

35
Q

AWS Systems Manager Managed Instance Req.

A
  1. Agent needs to be pre-installed or manually installed.
  2. Needs an instance role attached to the instance.
  3. Needs network connectivity (IGW or VPC endpoint) to connect to Systems Manager.
36
Q

On-Prem Systems Manager Managed Instance Req.

A
  1. Agent needs to be pre-installed or manually installed (for both physical and virtual servers).
  2. Needs public internet to connect to Systems Manager.
  3. Create a managed instance activation - needs an IAM role, Activation Code, and Activation ID.
37
Q

AWS Systems Manager - Run Command

A

Run commands on managed instances.

Executes command documents on managed instances,

which can be targeted at individual instances, tags, or resource groups.

Command documents can be reused and can have parameters.

No SSH or RDP access required.

Rate control - concurrency (how many can run at once) & error threshold (how many can fail).

Output options - S3 or SNS.

EventBridge - can stream logs to display events.

38
Q

SSM Document

A

JSON or YAML documents,

stored within the SSM document store.

They ask for parameters and include steps.

39
Q

SSM Command Documents

A

Used by Run Command, State Manager and Maintenance Windows.

Run Command uses command documents to execute commands. State Manager uses command documents to apply a configuration. These actions can be run on one or more targets at any point during the lifecycle of an instance.

40
Q

SSM State Manager

A

A service that automates the process of keeping your EC2 and hybrid infrastructure in a state that you define.
A State Manager association is a configuration that is assigned to your managed instances.

The configuration defines the state that you want to maintain on your instances. The association also specifies actions to take when applying the configuration.

41
Q

SSM Parameter Store

A

Provides secure, hierarchical storage for configuration data and secrets management.

You can store values as plain text or encrypted data with SecureString.

Parameters work with Systems Manager capabilities such as Run Command, State Manager, and Automation.

42
Q

SSM Package document

A

In Distributor, a package is represented by a Systems Manager document. A package document includes attached ZIP archive files that contain software or assets to install on managed instances. Creating a package in Distributor creates the package document.

43
Q

SSM Automation document

A

Use automation documents when performing common maintenance and deployment tasks such as creating or updating an AMI.

44
Q

SSM Policy document - State Manager

A

Policy documents enforce a policy on your targets. If the policy document is removed, the policy action no longer happens.

45
Q

SSM Patch Manager

A

Patch Baseline
- Defines what should be installed.
- Patch groups - groups of resources within Systems Manager.
- Maintenance windows - time slots which describe when the patching can take place.
- Run Command - base-level patching process.
- Concurrency and error threshold.

- Compliance - SSM checks that the system is successfully patched.

46
Q

SSM Patch Manager - Key Term

A

Predefined patch baselines - various OSes (you can create your own).

For Linux - AWS-[OS]DefaultPatchBaseline, explicitly defined patches

  • AWS-AmazonLinux2DefaultPatchBaseline
  • AWS-UbuntuDefaultPatchBaseline

For Windows - AWS-DefaultPatchBaseline - critical updates

  • AWS-WindowsPredefinedPatchBaseline-OS - same as above
  • AWS-WindowsPredefinedPatchBaseline-OS-Applications - + MS app updates
47
Q

Flow of Patch Manager

A
  1. Define one or more patch baselines - to define WHAT gets installed.
  2. Create patch groups, which act as targets for patch tasks.
  3. Maintenance windows define a schedule, duration, targets and tasks.
  4. AWS-RunPatchBaseline runs with a baseline and targets.
48
Q

SSM Inventory

A

You can configure Inventory to collect the following types of data:

Applications: Application names, publishers, versions, etc.
AWS components: EC2 driver, agents, versions, etc.

Files: Name, size, version, installed date, modification and last accessed times, etc.

Network configuration: IP address, MAC address, DNS, gateway, subnet mask, etc.

Windows updates: Hotfix ID, installed by, installed date, etc.

Instance details: System name, operating systems (OS) name, OS version, DNS, domain, work group, OS architecture, etc.

Services: Name, display name, status, dependent services, service type, start type, etc.

Tags: Tags assigned to your nodes.

Windows Registry: Registry key path, value name, value type, and value.

Windows roles: Name, display name, path, feature type, installed state, etc.

Custom inventory: Metadata that was assigned to a managed node as described in Working with custom inventory.

49
Q

SSM Session Manager

A

is a fully managed AWS Systems Manager capability. With Session Manager, you can manage your Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, and on-premises servers and virtual machines (VMs).

You can use either an interactive one-click browser-based shell or the AWS Command Line Interface (AWS CLI). Session Manager provides secure and auditable node management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.

Session Manager also allows you to comply with corporate policies that require controlled access to managed nodes, strict security practices, and fully auditable logs with node access details, while providing end users with simple one-click cross-platform access to your managed nodes.