AWS Deck 1 Flashcards

1
Q

What does S3 stand for?

A

Simple Storage Service

2
Q

How much data can be stored in S3 without worrying about the underlying storage infrastructure?

A

Unlimited

3
Q

How many AZs can S3 replicate data across?

A

At least 3 to ensure 99.99% availability and 11 9s of durability

4
Q

What can objects contain? What are they like?

A

Data. They are like files.

5
Q

What size can objects be?

A

Anywhere from 0 Bytes to 5 Terabytes

6
Q

What do buckets tend to contain?

A

Objects

7
Q

What can buckets contain that can in turn contain objects?

A

Folders

8
Q

Bucket names are unique across all AWS accounts. True or False?

A

True

9
Q

What are bucket names similar to?

A

Domain names

10
Q

When you upload a file to S3 successfully, what will you receive?

A

An HTTP 200 code

11
Q

What can objects be moved between?

A

Storage Classes

12
Q

Objects can't be deleted automatically based on a schedule. True or False?

A

False

13
Q

What do objects give?

A

Version IDs

14
Q

When new objects are uploaded the old objects are kept. True or False?

A

True

15
Q

Is it possible to access limited object versions or any object versions?

A

Any

16
Q

What happens when you delete an object?

A

The previous object is restored

17
Q

Can versioning ever truly be turned off once it is turned on? Explain

A

No, it can only be suspended

18
Q

Where can you only turn MFA Delete on from?

A

The AWS CLI

19
Q

What is the only thing a root account can delete?

A

Objects

20
Q

All new buckets are public by default. True or False? Explain

A

False, they are private by default

21
Q

What can be turned on to track operations performed on objects?

A

Logging

22
Q

How is access control configured? Explain how.

A

By using bucket policies and Access Control Lists

23
Q

What are bucket policies exactly?

A

JSON documents which let you write complex control access

24
Q

ACLs are what method? What do you grant access to?

A

Legacy method (not deprecated). Grant access to objects and buckets with simple actions

25
What two "snow" things are a rugged container? What do they contain?
Snowball and Snowball Edge. Contain a storage device
26
What is a snowmobile?
A 45 foot long ruggedized shipping container, pulled by a semi-trailer truck
27
What scale migration is snowball and snowball edge for?
Peta-scale migration
28
What type of migration is snowmobile for?
Exabyte-scale migration
29
Why would someone use snowball vs having to transfer 100TB of data over high speed internet?
Snowball is 1/5th the cost
30
What is the speed comparison of transferring data when it comes to high speed internet vs. snowball?
It would take 100 days to transfer over 100TB of data vs. snowball where it would take less than a week.
31
How many sizes does snowball come in? How much usable space per size?
50TB - 42TB of usable space. 80TB - 72TB of usable space.
32
How many sizes does snowball edge come in? How much usable space per size?
100TB - 83TB of usable space. 100TB Clustered - 45TB per node
33
What size does snowmobile come in?
100PB (petabytes)
34
What two things can you do using snowball or snowmobile regarding data?
Import or export data
35
What things can you import into with regards to "snow"?
S3 or Glacier
36
What can snowball edge undertake?
Local processing and edge-computing workloads
37
How can snowball edge be used regarding "clusters"?
Can be used in a cluster in groups of 5-10 devices
38
What do VPC endpoints help keep traffic between?
AWS services within the AWS network
39
How many kinds of VPC endpoints are there? What are their names?
Two kinds. Interface endpoints and Gateway endpoints
40
What is the difference between interface endpoints and gateway endpoints?
Interface costs money, gateway is free
41
Elastic Network Interface (ENI) and Private IP (powered by AWS PrivateLink), are associated with what endpoint?
Interface
42
A gateway endpoint is a target for what?
A specific route in your route table
43
Interface Endpoints don't support a lot of AWS services. True or False?
False
44
What two things does Gateway Endpoint only support?
DynamoDB and S3
45
What do VPC Flow Logs monitor?
In-and-Out traffic of your network interfaces within your VPC
46
What 3 levels can the Flow Logs be turned on?
VPC, Subnet and Network Interface Level
47
VPC flow logs cannot be tagged like other AWS Resources? True or False?
True
48
Is it possible to change the configuration of a flow log after it's created?
No
49
You cannot enable flow logs for VPC's which are peered with your VPC unless it is in the same account. True or False?
True
50
What can VPC Flow Logs be delivered to?
S3 or CloudWatch Logs
51
VPC flow logs contain the source and what addresses?
Destination IP addresses
52
Is all instance traffic monitored?
Only some is not monitored
53
Instance Traffic that is not monitored is as follows:
Instance traffic generated by contacting the AWS DNS server, Windows license activation traffic from instances, traffic to and from the instance metadata address (169.254.169.254), DHCP traffic, and any traffic to the reserved IP address of the default VPC router.
54
What does NACL stand for?
Network Access Control List
55
VPC's are automatically given a default NACL. True or False?
True
56
Does the default NACL automatically given to a VPC allow all outbound and inbound traffic?
Yes
57
What must each subnet within a VPC be associated with?
An NACL
58
How many subnets can an NACL be associated with at a time?
1
59
Will associating a subnet with a new NACL remove the previous association?
Yes
60
If an NACL is not explicitly associated with a subnet, will the subnet automatically be associated with the default NACL?
Yes
61
What rules does NACL have?
Inbound and outbound (just like Security Groups)
62
What can a rule do?
Either allow or deny traffic (unlike Security Groups which can only allow)
63
Do NACL's have a state? Explain
No, they are stateless (any allowed inbound traffic is also allowed outbound)
64
When an NACL is created, it will allow all traffic by default. True or False?
False, it will deny all traffic.
65
What do NACL's contain? What type of "list"?
A numbered list of rules. They get evaluated in order from lowest to highest.
66
If you needed to block a single IP address, could you via an NACL? (Security Groups cannot deny)
Yes
67
At what level do security groups act as a firewall?
Instance Level
68
Unless it is allowed specifically, what traffic is blocked by default?
Inbound Traffic
69
All __ traffic from the instance is allowed by default
Outbound
70
You can specify the source of the security group traffic to be 3 things, what are they?
IP range, Single IP address or another security group
71
Are security groups stateful, or stateless?
StateFUL (if traffic is allowed inbound it is also allowed outbound)
72
Do any changes made to a security group take effect eventually, or immediately?
Immediately
73
Can EC2 instances belong to multiple security groups?
Yes
74
Security Groups can contain multiple EC2 instances. True or False?
True
75
What would you need that would allow you to block specific IP addresses with Security Groups?
Network Access Control List (NACL)
76
How many security groups can you have per region?
10,000 (default 25,000)
77
How many inbound and how many outbound rules per security group can you have?
60 inbound, 60 outbound
78
How many security groups can you have associated to an ENI?
16 (default is 5)
79
When creating a NAT instance you must __ on the instance?
Must disable source and destination checks
80
NAT instances must exist in private subnets. True or False? Explain
False, public subnets
81
Should you have a route out or in to a private subnet NAT instance?
Route Out
82
The size of a NAT instance determines what?
How much traffic can be handled
83
High availability (with regards to NAT), can be achieved using what?
Autoscaling Groups, Multiple subnets in different AZ's, and automate failover between them using a script
84
NAT gateways are _______ zone.
Redundant inside an availability...(can survive failure of EC2 instance)
85
How many gateways can you have inside 1 availability zone?
1 NAT gateway (cannot span AZ's)
86
What amount do gateways start at (with regards to NAT topic)?
5GBPS and scales all the way up to 45 GBPS
87
What's the preferred setup for enterprise systems?
NAT gateways
88
Is there a requirement to patch NAT gateways?
No
89
Is there a need to disable Source/Destination checks for the NAT gateway (unlike NAT instances)?
No
90
NAT gateways are automatically what?
Assigned a public IP address
91
Route Tables for the NAT gateway MUST what?
Be updated
92
If you have resources in multiple AZ's sharing a gateway, what risk do you run? Unless you do what?
You will lose internet access if the Gateway goes down. Unless you create a gateway in each AZ and configure route tables accordingly
93
Identity Access Management is used to manage what?
Access to users and resources
94
What system is IAM?
Universal (*applied to all Regions at the same time)
95
Is IAM a free or paid service?
Free
96
What kind of account is initially created when AWS is set up?
Root Account (full admin.)
97
Do IAM accounts have any permissions by default?
No, they have to be granted
98
What keys do new users get assigned?
Access Key ID and Secret Key (first created when you give them programmatic access)
99
Access Keys are only used for what?
CLI and SDK (cannot access console)
100
Access keys are only shown once when created. True or False?
True (if lost, they must be deleted/recreated again)
101
What should always be set up for Root Accounts?
MFA
102
What must individual users do regarding MFA that admins cannot do?
Individual users have to enable it themselves
103
IAM allows what in terms of password policies?
To set minimum password requirements or rotate passwords
104
IAM identities are what 3 things?
Users, Groups and Roles
105
IAM users are end users who do what?
Log into the console or interact with AWS resources programmatically
106
IAM groups are groups that group up your what?
Group up your users so they all share permission levels of the group (ie; Admins, Devs and Auditors)
107
IAM roles associate what?
Permissions to a Role and then assign this to a User or Groups
108
IAM policies are JSON what?
Documents which grant permission for a specific user, group, or role to access services. Policies are attached to IAM identities
109
Can managed policies be edited?
No (they are provided by AWS)
110
Customer managed policies are created by who? Can they be edited?
The customer and CAN be edited
111
Inline policies are directly attached to who?
The user