AWS Deck 1 Flashcards
What does S3 stand for?
Simple Storage Service
How much data can be stored in S3 without worrying about the underlying storage infrastructure?
Unlimited
How many AZs can S3 replicate data across?
At least 3, to ensure 99.99% availability and 11 9s of durability
What can objects contain? What are they like?
Data. They are like files.
What size can objects be?
Anywhere from 0 Bytes to 5 Terabytes
What do buckets tend to contain?
Objects
What can buckets contain that can in turn contain objects?
Folders
Bucket names are unique across all AWS accounts. True or False?
True
What are bucket names similar to?
Domain names
When you upload a file to S3 successfully, what will you receive?
An HTTP 200 code
What can objects be moved between?
Storage Classes
Objects can't be deleted automatically based on a schedule. True or False?
False
What do objects give?
Version IDs
When new objects are uploaded the old objects are kept. True or False?
True
Is it possible to access only a limited set of object versions, or any object version?
Any
What happens when you delete an object?
The previous object is restored
Can versioning ever truly be turned off once it is turned on? Explain
No, it can only be suspended
MFA Delete can only be turned on from where?
The AWS CLI
What is the only thing a root account can delete?
Objects
All new buckets are public by default. True or False? Explain
False, they are private by default
What can be turned on to track operations performed on objects?
Logging
How is access control configured?
By using bucket policies and Access Control Lists
What are bucket policies exactly?
JSON documents which let you write complex access control
ACLs are what kind of method? What do you grant access to?
Legacy method (not deprecated). Grant access to objects and buckets with simple actions
Which two “snow” devices are rugged containers? What do they contain?
Snowball and Snowball Edge. Contain a storage device
What is a snowmobile?
A 45-foot-long ruggedized shipping container, pulled by a semi-trailer truck
What scale migration is snowball and snowball edge for?
Peta-scale migration
What type of migration is snowmobile for?
Exabyte-scale migration
Why would someone use Snowball rather than transferring 100TB of data over high-speed internet?
Snowball is 1/5th the cost
What is the speed comparison of transferring data when it comes to high speed internet vs. snowball?
It would take 100 days to transfer over 100TB of data vs. snowball where it would take less than a week.
How many sizes does snowball come in? How much usable space per size?
50TB - 42TB of usable space. 80TB - 72TB of usable space.
How many sizes does snowball edge come in? How much usable space per size?
100TB - 83TB of usable space. 100TB Clustered - 45TB per node
What size does snowmobile come in?
100PB (petabytes)
What two things can you do using snowball or snowmobile regarding data?
Import or export data
What things can you import into with regards to “snow”?
S3 or Glacier
What can snowball edge undertake?
Local processing and edge-computing workloads
How can snowball edge be used regarding “clusters”?
Can be used in a cluster in groups of 5-10 devices
What do VPC endpoints help keep traffic between?
AWS services within the AWS network
How many kinds of VPC endpoints are there? What are their names?
Two kinds. Interface endpoints and Gateway endpoints
What is the difference between interface endpoints and gateway endpoints?
Interface costs money, gateway is free
An Elastic Network Interface (ENI) and a Private IP (powered by AWS PrivateLink) are associated with which kind of endpoint?
Interface
A gateway endpoint is a target for what?
A specific route in your route table
Interface Endpoints don't support a lot of AWS services. True or False?
False
What two things does Gateway Endpoint only support?
DynamoDB and S3
What do VPC Flow Logs monitor?
In-and-Out traffic of your network interfaces within your VPC
At what 3 levels can Flow Logs be turned on?
VPC, Subnet and Network Interface Level
VPC flow logs cannot be tagged like other AWS resources. True or False?
True
Is it possible to change the configuration of a flow log after it's created?
No
You cannot enable flow logs for VPCs which are peered with your VPC unless they are in the same account. True or False?
True
What can VPC Flow Logs be delivered to?
S3 or CloudWatch Logs
VPC flow logs contain the source IP addresses and what other addresses?
Destination IP addresses
Is all instance traffic monitored?
Only some is not monitored
Instance traffic that is not monitored is as follows:
Instance traffic generated by contacting the AWS DNS server, Windows license activation traffic from instances, traffic to and from the instance metadata address (169.254.169.254), DHCP traffic, and any traffic to the reserved IP address of the default VPC router.
What does NACL stand for?
Network Access Control List
VPCs are automatically given a default NACL. True or False?
True
Does the default NACL automatically given to a VPC allow all inbound and outbound traffic?
Yes
What must each subnet within a VPC be associated with?
An NACL
How many subnets can an NACL be associated with at a time?
1
Will associating a subnet with a new NACL remove the previous association?
Yes
If an NACL is not explicitly associated with a subnet, will the subnet automatically be associated with the default NACL?
Yes
What rules does NACL have?
Inbound and outbound (just like Security Groups)
What can a rule do?
Either allow or deny traffic (unlike Security Groups which can only allow)
Are NACLs stateful? Explain
No, they are stateless (any allowed inbound traffic is also allowed outbound)
When an NACL is created, it will allow all traffic by default. True or False?
False, it will deny all traffic.
What do NACLs contain? What type of “list”?
A numbered list of rules. They get evaluated in order from lowest to highest.
If you needed to block a single IP address, could you via an NACL? (Security Groups cannot deny)
Yes
At what level do security groups act as a firewall?
Instance Level
Unless it is allowed specifically, what traffic is blocked by default?
Inbound Traffic
All __ traffic from the instance is allowed by default
Outbound
You can specify the source of the security group traffic to be 3 things, what are they?
IP range, Single IP address or another security group
Are security groups stateful, or stateless?
StateFUL (if traffic is allowed inbound it is also allowed outbound)
Do changes made to a security group take effect eventually, or immediately?
Immediately
Can EC2 instances belong to multiple security groups?
Yes
Security Groups can contain multiple EC2 instances. True or False?
True
What would you need that would allow you to block specific IP addresses with Security Groups?
Network Access Control List (NACL)
How many security groups can you have per region?
10,000 (default 25,000)
How many inbound and how many outbound rules per security group can you have?
60 inbound, 60 outbound
How many security groups can you have associated to an ENI?
16 (default is 5)
When creating a NAT instance you must __ on the instance?
Must disable source and destination checks
NAT instances must exist in private subnets. True or False? Explain
False, public subnets
Should you have a route out or in to a private subnet NAT instance?
Route Out
The size of a NAT instance determines what?
How much traffic can be handled
High availability (with regards to NAT), can be achieved using what?
Autoscaling Groups, multiple subnets in different AZs, and automated failover between them using a script
NAT gateways are _______ zone.
Redundant inside an availability zone (they can survive the failure of an EC2 instance)
How many gateways can you have inside 1 availability zone?
1 NAT gateway (cannot span AZs)
What amount do gateways start at (with regards to NAT topic)?
5 Gbps, scaling all the way up to 45 Gbps
What's the preferred setup for enterprise systems?
NAT gateways
Is there a requirement to patch NAT gateways?
No
Is there a need to disable Source/Destination checks for the NAT gateway (unlike NAT instances)?
No
NAT gateways are automatically what?
Assigned a public IP address
Route Tables for the NAT gateway MUST what?
Be updated
If you have resources in multiple AZs sharing a gateway, what risk do you run? Unless you do what?
You will lose internet access if the Gateway goes down. Unless you create a gateway in each AZ and configure route tables accordingly
Identity and Access Management (IAM) is used to manage what?
Access to users and resources
What system is IAM?
Universal (*applied to all Regions at the same time)
Is IAM a free or paid service?
Free
What kind of account is initially created when AWS is set up?
Root Account (full admin.)
Do IAM accounts have any permissions by default?
No, they have to be granted
What keys do new users get assigned?
Access Key ID and Secret Key (first created when you give them programmatic access)
Access Keys are only used for what?
CLI and SDK (cannot access console)
Access keys only shown once when created. True or False?
True (if lost, they must be deleted/recreated again)
What should always be setup for Root Accounts?
MFA
What must individual users do regarding MFA that admins cannot do?
Individual users have to enable it themselves
IAM allows what in terms of password policies?
To set minimum password requirements or rotate passwords
IAM identities are what 3 things?
Users, Groups and Roles
IAM users are end users who do what?
Log into the console or interact with AWS resources programmatically
IAM groups are groups that group up your what?
Group up your users so they all share the permission levels of the group (e.g. Admins, Devs and Auditors)
IAM roles associate what?
Permissions to a Role and then assign this to a User or Groups
IAM policies are JSON what?
Documents which grant permission for a specific user, group, or role to access services. Policies are attached to IAM identities
Can managed policies be edited?
No (they are provided by AWS)
Customer managed policies are created by who? Can they be edited?
The customer and CAN be edited
Inline policies are directly attached to who?
The user