AWS Big Data, Serverless, Security, Automation

Question 1

What are the 3 V’s of big data?

Answer 1

Volume
Variety
Velocity

Question 2

What is Redshift ?

Answer 2

RedShift is a relational data warehousing service for BI applications that can store up to 16 PetaBytes of data, Not highly available and single AZ

Question 3

What is ETL?

Answer 3

Extract Transform Load is a data processing pipeline

Question 4

What is EMR?

Answer 4

Elastic MapReduce is an amazon service for launching EC2 clusters for ETL processing using open-source ETL engines

Question 5

What is Amazon Kensis?

Answer 5

Kinesis is a service for streaming data in real time or near real time.

Question 6

What is the difference between Kensis Firehose and Kensis Streams?

Answer 6

Kensis Firehose is fully managed, automatically scales, Easier to configure but slower and only allows for preconfigured consumers such as S3. Kensis Streams is realtime but requires you to scale the streams manually and develop your own consumers using the Kensis SDK

Question 7

What is Kensis Analytics ?

Answer 7

Kensis analytics allows you to transform your data as it passes through the stream using SQL

Question 8

What is amazon Athena ?

Answer 8

It is a serverless SQL solution that allows you to query data stored in S3. i.e Logs / BI application

Question 9

What is Amazon Glue?

Answer 9

Glue is a serverless ETL service that allows you to process your data without having to worry about EC2 instances and third party software, unlike Elastic MapReduce

Question 10

What is amazon QuickSight?

Answer 10

Amazon Quicksight is a fully managed business intelligence (BI) data visualization service

Question 11

What is amazon data pipeline?

Answer 11

A managed ETL Service that automates movements and transformations of your data

Question 12

What storage integrations does data pipeline support?

Answer 12

DynamoDB
RDS
Redshift
S3

Question 13

What are three key features for amazon data pipeline?

Answer 13

Integrates with EC2 and EMR
Integrates with SNS
Data-driven workflows
automatic-retries

Question 14

What is Amazon MSK?

Answer 14

Amazon managed stream for Kafka is a fully managed service for running and building Apache Kafka data streaming applications

Question 15

What is amazon OpenSearch?

Answer 15

It is a managed service allowing you to run open source search and analytics engines for various use cases it is the successor to amazon ElasticSearch.

Question 16

What is Lambda?

Answer 16

Lambda is a serverless compute service

Question 17

What are the limitations for a Lambda?

Answer 17

10GB Ram
Max 15mins execution time

Question 18

What are five configuration aspects that are vital for Lambda?

Answer 18

1. Runtime
2. Permissions (Defining access to other resources)
3. Networking (Accessing Endpoint for other resources)
4. Resources (CPU, RAM, Maz execution time)
5. Triggers

Question 19

What is AWS Serverless Application Repository?

Answer 19

It is a repository solution for serverless applications which allows you to publish or deploy public or private serverless applications that use lambda compute

Question 20

What is a AWS SAM Template?

Answer 20

AWS Serverless application model template are used to define serverless application stacks and are private by default

Question 21

What is ECR?

Answer 21

Elastic Container Registry is a managed repository to store your OCI repositories, Docker images and intergrates with ECS and EKS

Question 22

What is ECS?

Answer 22

Elastic Container Service is a fully managed AWS service that allows you to run and orchestrate large numbers of containers.

Question 23

What is EKS?

Answer 23

Elastic Kubernetes Service allow you to run a Kubernetes in the AWS cloud

Question 24

What is the difference between EKS and ECS?

Answer 24

ECS is proprietary to amazon therefore it can’t be run on-premises without AWS outposts. ECS provides quicker and easier integration with AWS services

Question 25

What are the compute options for ECS and what are their differences?

Answer 25

1. EC2
2. Fargate

EC2 (Long running) is just a normal server instance and therefore they require the same maintenance that a regular EC2 would require. EC2 pricing model is often cheaper. Fargate (Short running) is a serverless option and removes the need to maintain the guest operating system.

Question 26

What is AWS eventBridge ?

Answer 26

It is a service that allows you to trigger other services (Lambda, SQS, SNS) based on API calls and events. The fastest way to setup events. Used to be cloudWatch Events

Question 27

What is a service you can use to scan your container images for vulnerabilities?

Answer 27

Amazon ECR

Question 28

What is the difference between amazon EKS and EKS-D

Answer 28

EKS-D is Elastic Kubernetes Service Distro and is fully managed by you where as EKS is fully managed by AWS

Question 29

What is Amazon Aurora Serverless?

Answer 29

It is a auto scaling, on demand version of aurora

Question 30

What is a Aurora ACU?

Answer 30

Aurora capacity unit, it is a unit of scale for a aurora serverless deployment and you set a minimum and maximum for you needs. billed per second used

Question 31

What is AWS X-RAY?

Answer 31

It is a AWS service for gaining insights on application requests and responses

Question 32

What is AWS AppSync?

Answer 32

It is a Scalable GraphQL interface for application developers

Question 33

What is DDos?

Answer 33

Denial of service attack

Question 34

What is an example of a layer 4 DDos attack?

Answer 34

SYN floods or NTP amplification attacks

Question 35

What is a common layer 7 attack?

Answer 35

Floods of GET/POST requests

Question 36

What is Cloud Trail?

Answer 36

AWS CloudTrail increases visibility into your user and resource activity by recording AWS management console actions and API Calls.
*After the fact incident investigation
*Near real-time intrusion detection

Question 37

What 6 things does cloud trail track?

Answer 37

1. Metadata around API calls
2. The identity of the API caller
3. The time of the API call
4. The source IP address of the API caller
5. The request parameters
6. The response elements returned by the service

Question 38

What is AWS Shield?

Answer 38

AWS Shield is free DDOS protection and protects against Layer 3 and Layer 4 attacks (SYN/UDP) floods

Question 39

What is the difference between AWS Shield and Shield advanced

Answer 39

Shield advanced provides more sophisticated DDOS protection and a 24/7 response team but costs $3000 USD/month

Question 40

What is AWS WAF?

Answer 40

Web application firewall is a service that allows you to defend against Layer 7 attacks. WAF can block or allow specific countries or IP addresses and can defend against SQL injection and cross-site scripting

Question 41

What is AWS GuardDuty?

Answer 41

Guard duty is a threat detection service that uses machine learning to identify and alert you of malicious behavior.
*Can be across multiple accounts
*Automated response using CloudWatch Events and Lambda
*Unusual API calls
*Calls from known malicious IP

Question 42

What does GuardDuty monitor?

Answer 42

1. Malicious IP addresses
2. CloudTrail Logs
3. VPC Flow Logs
   4 DNS Logs

Question 43

What is AWS Firewall manager?

Answer 43

Firewall manager is a security management service that allows you to centrally set up and manage firewall rules across multiple AWS accounts and applications in AWS organizations.

Question 44

What is the benefits of Firewall Manager?

Answer 44

1. Simplify Management of firewall rules across your accounts
2. Ensure compliance of existing and new applications

Question 45

What is PII and what are some examples?

Answer 45

Personally identifiable information is personal data used to establish an individuals identity.
1. Home address
2, Email address,
3. Date of birth
4. Phone number

Question 46

What is AWS Macie?

Answer 46

Macie is a AWS service that uses machine learning and pattern matching to discover sensitive data stored in s3. PII, PHI (Personal health information) and financial data.
It alerts you to unencrypted bucket
alerts you to public buckets
Great for frameworks like HIPAA and GDPR

Question 47

What is AWS Inspector?

Answer 47

Inspector is a service used to perform vulnerability scans on both EC2 ( host assessments ) and VPCs ( network assessments ). It allows you to run assessments once or, alternatively, run them weekly

Question 48

What is AWS KMS?

Answer 48

AWS Key management service is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. (Shared tenancy of HSM (Hardware security module)

Question 49

What is a HSM?

Answer 49

An HSM is a hardware security module that contains one or more secure cryptoprocessor chips

Question 50

What is a CMK and what is it used for?

Answer 50

A customer master key is a logical representation of a master key. The customer master key contains the key material used to encrypt or decrypt data. You start using AWS KMS by requesting or creating a CMK

Question 51

What are the three ways of generating a CMK?

Answer 51

1. Generated within HSM’s managed by AWS KMS
2. Import your own key material and associate it with a CMK
3. Have a key generated by the AWS CloudHSM-cluster

Question 52

What are the 3 ways to control CMK permissions?

Answer 52

1. Key policies
2. IAM policies with key policies
3. Grants with key policies

Question 53

What is the difference between KMS and CloudHSM?

Answer 53

KMS
Shared tenancy of hardware
Automatic key rotation
Automatic key generation
CloudHSM
Dedicated HSM to you
Full control of hardware
No automatic key rotation
Full control of users, groups, keys, etc

Question 54

What is AWS Secrets Manager?

Answer 54

A service that securely stores, encrypts, and rotates your database credentials and other secrets. API keys, SSH keys, passwords

Question 55

What happens immediately after enabling credential rotation on secrets manager?

Answer 55

Your secrets are rotated and this may cause application with hardcoded secrets to break

Question 56

What is AWS parameter store?

Answer 56

parameter store is a free capability of AWS systems manager that provides, hierarchical storage for data management and secrets management but has a limit of 10000 parameters

Question 57

What is the difference between parameter store and Secrets manager ?

Answer 57

Parameter store is free
Parameter store doesn’t do key rotation
Only Secrets Manager can generate passwords using CloudFormation

Question 58

What are presigned URL’s?

Answer 58

The are urls that you can generate that can give a user timed access to private objects in your S3 bucket

Question 59

What are presigned Cookies?

Answer 59

This can be useful when you want to provide access to multiple private objects in your S3 bucket

Question 60

What is a AWS ARN ?

Answer 60

Amazon resource name

Question 61

What is the form of a ARN?

Answer 61

arn:partition(aws):service(s3):region(us-east-1):account_id(123456789012)

Question 62

What is the difference between a Identity Policy and a Resource Policy?

Answer 62

an Identity policy is usually attached to a human user a resource policy is attached to amazon resources

Question 63

What are IAM Permission boundaries?

Answer 63

This is a feature that allows you to give specific administration rights to other users

Question 64

What is the default behaviour in IAM if a group doesn’t have any policies attached?

Answer 64

Everything is implicitly denied

Question 65

What is AWS Certificate Manager?

Answer 65

Is a free service that allows you to create, manage and deploy public and private SSL certificates for use with other AWS services, Elastic Load Balancer, CloudFront, and API Gateware

Question 66

What is AWS audit manager?

Answer 66

A service that allows you to continually audit your AWS usage to make sure you stay compliant with industry standards and regulations and generate automated reports (HIPAA, GDPR)

Question 67

What is AWS Artifact?

Answer 67

It is a single source you can visit to get the compliance-related information that matters to you, such as AWS security and compliance reports HIPAA, GDPR, PCI

Question 68

What is AWS Cognito?

Answer 68

Cognito provides authentication, authorization, and user management for your web and mobile apps.

Question 69

What is a user pool in cognito?

Answer 69

User directory that provide sign up and sign in options for users of you application

Question 70

What is a Identity pool in cognito?

Answer 70

Allows your users to access other AWS services

Question 71

What is the sign in process for cognito?

Answer 71

1. Authenticate and get tokens
2. Exchange tokens and get AWS credentials
3. Access AWS services using credentials

Question 72

What is amazon detective?

Answer 72

It is a service that operates across multiple AWS services and analyzes the root cause of an event using machine learning and graph theory.

Question 73

What is the difference between amazon detective and amazon inspector?

Answer 73

Inspector is an automated vulnerability management service that continually SCans EC2 and software vulnerabilities. Amazon detective is for finding the root cause of a suspected vulnerability incident

Question 74

What is AWS network firewall?

Answer 74

Network firewall is a managed service that makes it easy to deploy physical firewall protection across your VPCs, it includes a intrusion prevention system (IPS).

Question 75

What does AWS network firewall allow you to do?

Answer 75

1. Filter Internet Traffic
2. Filter Outbound Traffic
3. Inspect VPC-to-VPC traffic

Question 76

What is AWS Security Hub?

Answer 76

Security Hub is a single place to view all your security alerts from services such as GuardDuty, Inspector, Macie and AWS Firewall Manager. It works across multiple accounts

Question 77

What is CloudFormation?

Answer 77

CloudFormation is a service that allows you to define your infrastructure as code

Question 78

What is a CloudFormation Parameter

Answer 78

Theses are values that can be set by the operator during deployment

Question 79

What is a service that allows you to create immutable architecture?

Answer 79

CloudFormation

Question 80

What are the 3 critical sections of a cloudformation template?

Answer 80

1. Mapping: Filling in configuration options based on region
2. Resources: The resources that make up the architecture
3. Parameters: Values that can be provided during deployment

Question 81

What is a common cause for cloud formation template failure?

Answer 81

Hard-coded resource IDs

Question 82

What is Paas?

Answer 82

It is Platform as a service

Question 83

What is Elastic Beanstalk?

Answer 83

Elastic Beanstalk is a one stop solution for deploying applications in AWS. It automates the process of provisioning the resources you need to get your application online

Question 84

What is Elastic Beanstalk?

Answer 84

Elastic Beanstalk is a easy one-stop solution for deploying applications in AWS. It automates the process of provisioning the resources you need to get your application online

Question 85

What is systems manager?

Answer 85

It is a free suite of tools designed to let you view, control and automate both your AWS architecture and on-premisies resources

Question 86

What are automation documents / Run Books?

Answer 86

A runbook defines action that the systems manager performs on your managed instances

Question 87

How do you make a Instance join system manager?

Answer 87

1. Add system manager agent
2. Add system manager permission through role

Question 88

What is patch manager?

Answer 88

A feature that allows system manager to patch your instances

Question 89

What is session manager?

Answer 89

Session managers allows you to easily open remote connections with your instances

Question 90

What is Run Command?

Answer 90

Run Command allows you to execute commands on your instances

Question 91

What are hybrid activations?

Answer 91

Are on-premises system manager deployments