AWS Quest 1 Level 2 Flashcards
what is a “Root User”?
a single sign-in identity that has complete access to all AWS services and resources in an account
what are some Root User powers?
- change your account settings
- restore IAM user permissions
- activate IAM access to the Billing and Cost Management console
- view tax invoices
- close your AWS account
- change your AWS Support plan
- cancel your AWS Support plan (see IAM for AWS Support)
- register as a seller
- configure an Amazon S3 bucket for Multi-Factor Authentication Delete
- edit or delete an Amazon S3 bucket policy
- sign up for GovCloud
should you use the Root User as the main account?
no
create an IAM user for yourself, give yourself admin rights, and don’t touch Root User for routine tasks
can you create, rotate, disable or delete access keys for your AWS account Root User?
yes
how long is an Access Key?
20 digits, and it is alphanumeric
how many Access Keys can you have for each IAM user?
2
what does IAM stand for?
Identity and Access Management
how many Access Keys can you assign to each Root User?
2
how should you handle security for your IAM accounts?
assign permissions to groups and then assign users to groups
what level of security should each user have?
the lowest level of security necessary to accomplish the task
what kind of policies are designed to provide permissions for many common use cases?
AWS Managed Policies
they are created and administered by AWS
they have their own Amazon Resource Name (ARN) that includes the policy name
who updates AWS Managed Policies?
only AWS
who updates Custom Managed Policies?
you do, through your AWS account
what is an Inline Policy?
it’s a policy that is stuck to, or embedded into, an IAM identity
name the 5 AWS Managed Policy features
- reusable: use it on any user, group, or role
- central change management: a change on the policy will update the permission of everyone who has the policy
- versioning and rolling back: changing a Custom Managed Policy changes the whole thing. It is not overwritten, the whole policy changes in one swipe
- delegating permissions management: you can create admins to manage your policies, and limited admins to manage other policies
- automatic updates for AWS Managed Policies: updates are automatically made and applied for you
what is a feature of an Inline Policy?
you control the policies down to the person and the line. but if you had such a special permission, when you delete something, it goes away forever
how can you grant permissions in AWS?
you can assign them individually or by groups
how do groups receive permission?
by attaching a policy document
what script are policies written in?
JSON (JavaScript Object Notation)
what is a Role?
it is a job identifier
what is an AWS Service Role?
it is a role that a service assumes to perform actions in your account on your behalf
what is an AWS service role for an Elastic Cloud Computing (EC2) instance?
it is a role for an instance running on ECS, and the instance performs certain tasks in your account
what is an AWS service-linked role?
a unique type of service role that is linked directly to an AWS service
what does Role Chaining allow?
Role Chaining allows you to grant additional roles for up to one hour at a time
how long is the permission granted for AssumeRole?
12 hours
how do you grant permissions to users in a different account?
delegate a role to a trusted account
be careful: delegated users drop all their permissions while they are in the delegated role
what is Federation?
it is the creation of a trust relationship between an external identity provider and AWS, like Facebook. You can link identity login to a trusted site
how can you simplify your billing into a single payment method?
organize your accounts under one Root Account
name 4 benefits of organizing accounts into Organizational Units
- administer all accounts as a single unit
- you can organize everything into a tree-like structure
- an Organizational Unit can control other Organizational Units
- you can set policies for parent OUs and the policy will enact on all of the child OUs
what kind of account do you use to create the organization?
Management Account
what kind of account is responsible for paying all charges that are accrued by the member accounts?
Management Account
name 6 things you can do with a Management Account
- create accounts in the organization
- invite other existing accounts to the organization
- remove accounts from the organization
- manage invitations
- apply policies to entities within the organization
- enable integration with supported AWS services to provide functionality across all of the accounts in the organization
the process of asking another account to join your organization is called what?
Invitation
what kind of account can issue an invitation?
Management Account
what kind of policy specifies the services and actions that users and roles can use within accounts?
Service Control Policies (SCP)
do Permissions overstep Service Control Policies (SCPs)?
no
how does an Allow List work?
an Allow List assumes that all actions are denied except actions specified on the Allow List
how does a Deny List work?
a Deny List assumes that all actions are allowed except actions specified on the Deny List
what policy do you opt out from in order to not share customer content with AWS?
Artificial Intelligence (AI) services opt-out
what policy do you use to configure and deploy backup plans for your resources?
Backup Policy
what type of policy helps you standardize tags across resources across all of the accounts in your organization?
Tag Policy
name 4 benefits from using the Consolidated Billing Feature
- one bill for multiple accounts
- easy tracking: track the charges across multiple accounts and download the combined cost and usage data
- combined usage: combine the usage of all accounts in order to receive volume pricing discounts
- no extra fee: Consolidated Billing is free to use
what has an easy-to-use interface that lets you visualize, understand, and manage your AWS costs and usage over time?
AWS Cost Explorer
name 4 ways to manage your costs with AWS Budgets.
- set an alert to notify you when you meet a fixed spending target, or if you are forecasted to meet a spending target. this can be set to help you stay within a free tier of AWS services
- set a monthly budget with a variable spending target
- set a monthly cost budget across your entire account
- set a daily utilization or coverage budget to track your Reserved Instances or Savings Plans
how many times a day is AWS Budgets updated?
up to 3 times a day
name 6 types of AWS Budgets
- Cost budgets
- Usage budgets
- RI utilization budgets
- RI coverage budgets
- Savings Plans utilization budgets
- Savings Plans coverage budgets
which budget plans how much you want to spend on a service?
Cost budget
which budget plans how much you want to use on one or more services?
Usage budget
which budget lets you define a usage threshold and receive alerts when the usage falls below that threshold?
RI utilization budgets or Savings Plans utilization budgets
which budget lets you receive alerts when the number of instance hours falls below a certain threshold?
RI coverage budgets or Savings Plans coverage budgets
can you disable data collection after you enable billing alerts?
no, but you can delete any billing alarms that you created
what is the name of a fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication?
Amazon Simple Notification Service (SNS)
what are 4 benefits of using Amazon SNS?
- send messages to millions of users
- messages are sent and re-sent for multiple, geographically separated servers and data centers
- SNS uses Amazon Cloud, so messages scale with you
- messages will always be sent in the correct order
how much does SNS cost?
- $0.50 per 1 million SNS requests
- $0.06 per 100,000 notification deliveries over HTTP
- $2.00 per 100,000 notification deliveries over email
what is the billing cycle for SNS?
the first day to the last day of the month
do SNS prices include taxes?
no
in what order are SNS messages delivered?
in the order they were published, unless there is a network issue
can SNS messages be deleted?
no
what can you use to explore AWS services and create an estimate for the cost of your use cases on AWS?
AWS Pricing Calculator
what are 5 common oversights that customers make that can drive up their Cloud spending?
- orphaned resources. These forgotten instances just keep running in the background and consume resources
- misconfigured storage resources. Holding on to data that is useless, or putting data in the wrong type of storage (putting low-use data into SSD instead of Glacier)
- over-provisioned resources. Resources do not need over-provisioning since AWS can scale with your growth
- incorrect pricing plans. are you using a pricing plan that best aligns with your usage?
- overlooking newer technologies. New technologies are made to improve efficiency and productivity. It is good practice to seek new, efficient tools to reduce Total Cost of Ownership (TCO)