AWS Cloud Practicioner Flashcards

Question

Systems Manager

Answer 1

Helps to manage large scale server fleets (or even multi account resources), and multiple applications running on them

Answer 2

Allows to connect EC2 instances (similar to EC2 Instance connect just more advanced) from the browser

Answer 3

Non managed alternative of System Manager. It uses Puppet or Chef for platform automation. (Helps to manage large scale server fleets (or even multi account resources), and multiple applications running on them)

Answer 4

creates configurable “templates” (using CloudFormation)

Answer 5

creates templates for serverless & container related tasks (subset of service catalog, they can be combined)

Answer 6

pre built (application) templates created by AWS

Answer 7

Cloud watch collects application logs Cloud watch also allows to see different metrics (cpu utilisation, number of uploaded files etc.)

Answer 8

Flow logs are capturing all incoming and outgoing IP traffic of a, VPC/Subnet It can be exported to CloudWatch

Answer 9

It is possible to set up dashboards in the CloudWatch (aggregating multiple charts in the same page)

Answer 10

When a metrics (bytes stored in the bucket, cpu utilisation etc.) reaches a condition (5gb, 95% etc.) an alarm is triggered (SNS notification sent, auto scale triggered)

Answer 11

If we install CloudWatch Agent on an EC2 instance it allows more detailed logging

Answer 12

Follow data flowing trough your applications

Answer 13

put users into a user group and give/take permissions to ALL of them

Answer 14

giving permissions to a service (fe to access another service)

Answer 15

a single permission

Answer 16

group of permissions

Answer 17

a more powerful way to allow signing in into multiple aws accounts

Answer 18

he built in support for Microsoft Active Directory

Answer 19

allows to follow the actions of the user accounts (who created/modified a resource/configuration), literally an uncleanable “history”

Answer 20

allows to automatically detect suspicious activities (powered by machine learning)

Answer 21

forces compliance on services (shows if some resource is not compient) - enforcing compliance

Answer 22

download compliance reports (for example GDPR) - showing that AWS is compliant

Answer 23

generating Compliance reports (about your own implementations) - showing that you are compliant

Answer 24

scans containers and EC2 instances to discover vulnerabilities (like unpatched software backdoor) - preventive

Answer 25

investigating incidents (like CloudTrail, but not just for users but for instances too) - when the problem happened

Answer 26

Web Application Firewall - attachable to some services (like cloud front distributions) block requests based on their metadata (detecting an sql injection fe.)

Answer 27

managed firewall provided by AWS, it protects entire networks (like NACL on steroids)

Answer 28

a centralised service to manage firewalls

Answer 29

protection agains DDoS attacks

Answer 30

Key Manage Service - data encryption, managed key storage (all services have a built in support, you just need to enable it)

Answer 31

Cloud Hardware Security Module - data encryption, custom key storage

Answer 32

Aws Certificate Manager - transfer encryption, get and use ssl certificates to en-/decrypt all incoming/outgoing data

Answer 33

built in support for storing secrets (credentials) hidden from most of the users

Answer 34

scans S3 buckets to discover vulnerabilities (like unprotected sensitive data fe. username/password pairs), or unintentionally public sensitive data

Answer 35

Central dashboard for the other security services: * GuardDuty * Inspector * Macie * IAM access analyser * Firewall manager * System manager

Answer 36

Generates a csv report about all users and their credentials (not the concrete values)

Answer 37

Shows which policies a user have, and when was it used last time

Answer 38

Shows which are potential unwanted (too much) policies of a user

Answer 39

Amazon Machine Image - image of a “VM” (OS + pre built software

Answer 40

Scripts (shell/bash commands) executed on startup of the EC2 instance (optional)

Answer 41

Online "SSH" from the browser (like the AWS web console)

Answer 42

Pay what you use

Answer 43

Discounted, but lower priority (you get it if there is free capacity, but AWS will take it away if somebody else needs it, and pays more)

Answer 44

Paying in advance for a year (for a minimal amount of compute power, every instance have a concrete amount of compute power required) getting a discount, but paying at least that amount even if you are not using it

Answer 45

Paying in advance, and specifying the concrete instance types (fe. “5* t2.micro”) similar to savings plan, but even less flexible

Answer 46

Dedicated hosts - renting a complete server (fe. compliance reasons, performance)

Answer 47

Guarantees that there will be an instance available, but you pay “reservation fee”

Answer 48

Allows the user to divide a complex tasks into steps Defines how the steps can call each other (Azure Logic App)

Answer 49

Serverless Container Execution Environment

Answer 50

Instructions (code) to create a container from an image and run it

Answer 51

A running task (container)

Answer 52

Elastic Container Registry is a managed container registry (like Docker Hub)

Answer 53

Tool to run batch operations A batch operations requires running multiple complex workflows, sometimes involving multiple systems on regular (daily, monthly) basis

Answer 54

Uses Machine Learning to analyse the CloudWatch metrics of the compute services, and helps to optimise them (giving suggestions to upscale or downscale)

Answer 55

Elastic Block Store - It is possible to add hard drives (volumes) to EC2 instances on start or later.

Answer 56

The hard disk which is part of the machine running the EC2 instance

Answer 57

Elastic File System - It possible to add a file system to any kind of application (EC2, ECS, Lambda etc.).

Answer 58

A file system optimised for high performance file access workloads

Answer 59

AWS allows to dynamically adjust the capacity of the servers when you have huge load spikes.

Answer 60

Load Balancer, better for web servers (HTTP/HTTPS), more configurable

Answer 61

Load Balancer, better for “just data” (TCP/UDS), very fast

Answer 62

Group of services (instances) which could get a delegated “work” by the load balancer.

Answer 63

“entry points” of the storage, with globally unique name

Answer 64

Similar to security groups for other instances / or IAM policies for users

Answer 65

The alternative of group policies (not recommended)

Answer 66

* Accessed multiple times * Flexible, but expensive

Answer 67

* Accessed occasionally * Cheaper, but reading the files costs extra money

Answer 68

* Nearly never accessed * The cheapest option, but reading the file costs extra money * You need to wait for the file (minutes to days)

Answer 69

* AWS analyses access patterns on the file, and decides which category is the best for it

Answer 70

storing different versions of the file with the same name

Answer 71

moving files to a less expensive storage class after some time, fe. Logs can go to IA after a month, probably nobody opens them anyway

Answer 72

statistic about the files stored on the bucket

Answer 73

making files non changeable/deletable, useful for compliance/legal reasons

Answer 74

making cross bucket replicas, even between buckets in different regions, requires enabled versioning

Answer 75

data automatically encrypted on upload, and decrypted on download

Answer 76

using S3 as a server for hosting a simple static website

Answer 77

Managed SQL Databases (running on an EC2 instance in the background)

Answer 78

Fully PostgreSQL and MySql compatible database optimised for AWS with great scaleability and performance It also have a serverless version

Answer 79

Amazons managed implementation of in memory cache. Supports Redis and Memcache

Answer 80

Managed high performance NoSQL key-value Databases

Answer 81

DynamoDB Accelerator Built in Managed in memory cache for DynamoDB (like ElastiCache for RDS)

Answer 82

key-value db, PERSISTENT in-memory storage

Answer 83

document db, MongoDB compatible

Answer 84

wide column db (flexible column format like Cassandra)

Answer 85

Graph database

Answer 86

Time serve DB

Answer 87

Immutable log data changes (centralised blockchain)

Answer 88

Decentralised blockchain (ethereal compatible)

Answer 89

When we need to store high frequency data (devices/sensors) we can use Kinesis service. We don’t need that middle layer for less frequent data, but for high frequency data we need Kinesis to work as a buffer.

Answer 90

* Storing the data in structured and formatted * It is great for reporting & visualisation * It is queryable (sql based)

Answer 91

Glue is a Serverless Managed Extract/Transform/Load service

Answer 92

Elastic Map Reduce - Non managed Extract/Transform/Load service (you can use the Big Data platform preferred by you, fe. Hadoop)

Answer 93

Athena allows to query the extracted data from S3 / DynamoDB / CloudWatch (or other sources) via SQL (even if they are not an SQL DB)

Answer 94

managed search service to search and analyse the data (runs on an instance in the background), elastic search alternative

Answer 95

can be used to build charts, reports and dashboard

Answer 96

Elastic Container Registry - a managed container registry (like Docker Hub)

Answer 97

Grafana creates live interactive data visualisation, it is a QuickSight alternative

Answer 98

Simple Queue Service - Pull / Push messages via a Queue - Asynchronous processing - Directly triggered from the code

Answer 99

Simple Notification Service - Push messages directly to the subscribers - Synchronous processing - Directly triggered from the code

Answer 100

Listens to events -> triggers actions Synchronous processing Indirectly triggered from the code (the code does not needs to know that the event is listened to and an action is triggered)

Answer 101

Simple Email Service Helps the user to send batch (mass) e-mails.

Answer 102

Registry of (assigned) resource names It makes the creation of a micro service application easier (by registering/naming all the services)

Answer 103

It is a managed serverless RestAPI service (Helps creating RestAPIs without writing code)

Answer 104

It is a managed GraphQL API service (It is a managed GraphQL API service)

Answer 105

Cognito is a managed user authentication service (like the one in firebase)

Answer 106

We can use it to “generate” back end services (for FE developers who have little AWS knowledge).

Answer 107

Elastic Beanstalk helps to deploy web apps, and general workflows to the cloud in the simplest way. It allows the user to configure everything (computing, storage, db, hosting, load balancing etc.) in a single place It even allows to add Load Balancers and AutoScaling groups (more advanced use cases)

Answer 108

It is a web hosting provider (simple with lots of default options, but little configurability)

Answer 109

AppRunner simplifies deploying containers to the cloud via AWS.

Answer 110

Copilot is a CLI that simplifies container and app creation & deployment to the cloud

Answer 111

Cloud based IDE, it runs on an EC2 instance under the hood

Answer 112

Machine learning based, managed Sonar alternative

Answer 113

Machine learning based cloud infrastructure analizator (Sonar for DevOps)

Answer 114

A private Git repo in the cloud

Answer 115

Managed execution environment (builds the code)

Answer 116

A managed artifact repository Nexus alternative

Answer 117

Allows to deploy code for different target (EC2, ECS, Lambda) with different strategies, manually or automated

Answer 118

A managed Jenkins alternative

Answer 119

A simplified version of Code Pipeline (A managed Jenkins alternative) with lots of pre-configured blueprints

Answer 120

We can create a VPN like setup in the cloud. Region based, every element of the VPC can communicate with each other. Contains subnets.

Answer 121

Inside VPCs we can group our instances into subnets, and control the connectivity of those subnets AZ based (every subnet is in a single AZ) We have two main type of subnets: * Private subnet - only internal network access * Public subnet - internet access However all instances of a VPC can talk to each other, even if they are not on the same subnet

Answer 122

a “fix” (public) IP address

Answer 123

Security Group is like a firewall, controls the incoming and outgoing messages. By default a security group filters the inbound traffic, but allows all outbound traffic. Security Groups are stateful (if a request went out a response for it can come in). Attached to instances. Recommended way of security.

Answer 124

Network ACLs are firewalls for entire subnets. By default NACLs are allowing all inbound and outbound traffic. NACLs are stateless (we need to define rules for requests and responses too) Security Groups are preferred over NACLs

Answer 125

VPC Pairing opens a “channel” between 2 VPCs, aka. allows the instances of the VPCs to communicate with each other like they would be in a single VPC.

Answer 126

Transit gateway does the same as VPC Pairing for multiple VPCs. VPC Pairing opens a “channel” between 2 VPCs, aka. allows the instances of the VPCs to communicate with each other like they would be in a single VPC.

Answer 127

You can create a VPC endpoint, and reach other AWS services (without going trough the global internet).

Answer 128

Amazons "intranet" around the globe. Provides faster and safer way of communication than the "real" internet.

Answer 129

Physical cable based connection between AWS and your data-center. Ultra fast, ultra safe, ultra expensive.

Answer 130

Connecting the (public) subnet to it will give internet access (in and out) to all instances of the subnet

Answer 131

Creates a one way (outgoing requests only) connection for the instances of the (private) subnet

Answer 132

One type of VPC Endpoints, allows instances of a subnet to communicate with the S3 service via AWS PrivateLink.

Answer 133

Domain Name System translates domains to IP addresses. AWS Route 53 is Amazons own managed DNS.

Answer 134

Configuration container, automatically created for every domain. Add new records to the hosted zone to route incoming requests.

Answer 135

Add new records to the hosted zone (to route incoming requests - coming from the internet trough that domain - to one of your services).

Answer 136

CloudFront is the managed CDN service of AWS. If we are trying to access some web hosted content from far away (USA based server from Europe) it can cause high latency. CDN networks are solving this problem by caching the content in various locations in the world, and routing the client to the closest cache (instead of the real server)

Answer 137

Edge Locations are the “caches” used by CloudFront. If we are trying to access some web hosted content from far away (USA based server from Europe) it can cause high latency. CDN networks are solving this problem by caching the content in various locations in the world, and routing the client to the closest cache (instead of the real server)

Answer 138

Improve user traffic performance via the AWS network (instead of the global internet)

Answer 139

Improve network file speed to an AWS edge locations, and forward it via the AWS global network

Answer 140

Amazon Certificate Manager, allows to generally manage ssl certificates (and encryption) between services

Answer 141

* The highest level of abstraction in AWS * There are multiple Regions around the world (us-east-1, west-eu-2 etc.) * Most of the services are region based, there are some exceptions (Global services like billing)

Answer 142

* Every region contains at least 3 availability zones. * They are fully independent (if one AZ goes down the others should remain active) Every AZ contains 1 or more data centres. * Some services are AZ based (like VPCs)

Answer 143

* Edge Locations are the “caches” used by CloudFront.

Answer 144

Small AWS “regions” close to big metropolitan areas * extra fast * limited set of supported services * Extends VPCs

Answer 145

* AWS servers, which you can add to your datacenter * AWS managed infrastructure * Hybrid system * limited set of supported services * Extends VPCs

Answer 146

* AWS servers, embedded into 5G networks (extremely fast) * limited set of supported services * Connectible into other services running in the region