AWS-SA-2020 Flashcards
What AWS functionality is used to move S3 data from one storage class to another
Life cycle policies
S3 durability
99.999999999% (eleven 9s)
For the S3 storage classes, how many AZs is data stored in?
3 or more, except S3 One Zone-IA (single AZ)
which class for data accessed infrequently that must still be retrieved fast
S3 Standard-IA (infrequent access, millisecond retrieval)
SRR vs CRR
Same-Region Replication vs Cross-Region Replication
when to use CRR
compliance (copy in another region), latency (users in other locations), ops efficiency (compute clusters in other regions)
before setting up cross region replication you must
enable versioning
If Object Lock is enabled can you still use replication?
yes, but the destination bucket must also have Object Lock enabled
What types of access control exist for S3?
ACLs, bucket policies, IAM policies
s3 standard replication to # of az?
3 availability zone replication
s3 intelligent does what
moves data to the most cost-effective access tier
S3 One Zone-IA vs S3 Standard-IA
One Zone-IA: single AZ, successor to RRS, costs about 20% less than Standard-IA
Standard-IA: multi-AZ (3)
Glacier AZ, cost, retrieval
Multiple AZ, retrieve in minutes or hours, low cost
Glacier Deep Archive details
lowest cost, for data accessed 1-2x per year (compliance/archive), standard retrieval ~12 hours, 3 AZs
for cross-region replication to work + what happens to new/old/deleted files
1 versioning must be enabled on both buckets
2 existing objects are not replicated automatically, new ones are
3 deletes of specific versions are never replicated; delete markers only if delete marker replication is enabled
object vs block and which is s3
object = files, block = os, s3 is object
bucket names are
globally unique (one namespace shared by all AWS accounts)
4 types of at-rest encryption
SSE-S3 - S3-managed keys, AES-256
SSE-KMS - keys in AWS KMS (key use logged in CloudTrail, caller also needs KMS permission to decrypt)
SSE-C - server-side with customer-provided keys (key sent with each request over HTTPS, S3 doesn't store it)
client-side - encrypt before upload, you manage the keys
transfer accelerator uses
edge locations to speed up transfer
What is cloudfront
content delivery network - simple api that allows files to be delivered to end-users using a global network of edge locations
What are the main logical components of AWS IAM?
Users, Groups, Roles, Permission Policies
Can a user assume a role in another account?
Yes: the role's trust policy must allow the caller, then call sts assume-role from the CLI/SDK or use Switch Role in the console. The CLI needs `aws sts assume-role --role-arn <arn> --role-session-name <name>` and returns temporary credentials.
From an IAM perspective, what should I do with the root user first thing after setting up a new account?
- Delete the root access keys (and don't create new ones)
- Set a long, unique password on the root user
- Don't use root day to day; only for the few tasks that require it
- Enable MFA (hardware token preferred) and lock the device away
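The root checks above are what you verify from the IAM credential report. The following is an added example, not part of the flashcards: it parses the base64 CSV that `aws iam get-credential-report` returns and flags root access keys, missing root MFA, recent root console use and console users without MFA. The report, account ID and user names are constructed sample data.

```python
"""Root-account hygiene checks over an IAM credential report.

Added example (not from the flashcards). `aws iam get-credential-report`
returns the report as a base64-encoded CSV; this parses that CSV and flags the
root-user conditions the cards above list. The report here is constructed
sample data in the real column layout; account ID and user names are made up.
"""
import base64
import csv
import io
from datetime import datetime, timezone

SAMPLE_REPORT_CSV = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,"
    "access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,"
    "access_key_1_last_used_region,access_key_1_last_used_service,"
    "access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,"
    "access_key_2_last_used_region,access_key_2_last_used_service,"
    "cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated\n"
    # root: password used recently, one active access key, no MFA (all bad)
    "<root_account>,arn:aws:iam::111122223333:root,2019-01-01T00:00:00+00:00,"
    "not_supported,2020-06-01T12:00:00+00:00,not_supported,not_supported,false,"
    "true,2019-01-01T00:00:00+00:00,2020-05-30T00:00:00+00:00,us-east-1,s3,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    # alice: console user with MFA (fine)
    "alice,arn:aws:iam::111122223333:user/alice,2019-02-01T00:00:00+00:00,"
    "true,2020-06-01T09:00:00+00:00,2020-01-01T00:00:00+00:00,N/A,true,"
    "true,2020-01-15T00:00:00+00:00,2020-05-31T00:00:00+00:00,us-east-1,ec2,"
    "false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
    # bob: console user without MFA
    "bob,arn:aws:iam::111122223333:user/bob,2019-03-01T00:00:00+00:00,"
    "true,no_information,2019-03-01T00:00:00+00:00,N/A,false,"
    "false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A\n"
)
# What the API hands back: the 'Content' field is base64 of the CSV above.
SAMPLE_REPORT_B64 = base64.b64encode(SAMPLE_REPORT_CSV.encode()).decode()
# Fixed "now" so the age computation is reproducible.
REPORT_TIME = datetime(2020, 6, 10, tzinfo=timezone.utc)


def parse_report(content_b64):
    """Decode the base64 Content of get-credential-report into a list of row dicts."""
    text = base64.b64decode(content_b64).decode("utf-8")
    return list(csv.DictReader(io.StringIO(text)))


def _timestamp(value):
    """Report timestamps are ISO 8601; N/A, no_information, not_supported mean never."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def root_findings(rows, now=REPORT_TIME, recent_days=30):
    """Findings for the root row: MFA off, active access keys, recent console use."""
    root = next(r for r in rows if r["user"] == "<root_account>")
    findings = []
    if root["mfa_active"] != "true":
        findings.append("root: MFA not enabled")
    for n in ("1", "2"):
        if root["access_key_%s_active" % n] == "true":
            findings.append("root: access key %s is active (delete it)" % n)
    used = _timestamp(root["password_last_used"])
    if used is not None and (now - used).days < recent_days:
        findings.append("root: console password used %d days ago" % (now - used).days)
    return findings


def users_without_mfa(rows):
    """IAM users who can log in to the console but have no MFA device."""
    return sorted(r["user"] for r in rows
                  if r["user"] != "<root_account>"
                  and r["password_enabled"] == "true"
                  and r["mfa_active"] != "true")


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT_B64)
    for line in root_findings(rows) + ["no MFA: " + u for u in users_without_mfa(rows)]:
        print(line)
```

Against a real account, feed the `Content` field of the API response to `parse_report` instead of the constructed sample; the report is regenerated at most every four hours, so run `generate-credential-report` first.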
List the EC2 purchasing options
On-Demand, Reserved, Spot (plus Dedicated Hosts)
3 types of LB
Application (ALB) - layer 7, intelligent routing
Network (NLB) - layer 4, performance
Classic (CLB) - legacy, simple
X-Forwarded-For
header the LB adds; use it if you need the original client IP
instances reported by ELB are reported as
InService or OutOfService
LBs have their own DNS name but never
a static IP to hard-code (exception: NLB can be given static/Elastic IPs per AZ)
sticky sessions can be set with these types of lb
classic, application (target group level)
cross-zone lb
balancing across AZ
path pattern
route based on path (images or content, different paths)
multi-az vs read replicas
az is for DR, Read replicas for performance
Cloudformation is
script cloud environment - Create Your AWS Stack From a Recipe
Quickstart cloudformation
templates already built to create environments
Elastic Beanstalk is for
developers upload code and Elastic Beanstalk handles deployment, capacity, scaling, health monitoring
SQS is
decouples components, stores messages in a queue
acts as a buffer
pull, not push (consumers poll)
types of SQS queues
standard - nearly unlimited TPS, at-least-once delivery, best-effort ordering
FIFO - exactly-once processing, strict order, 300 msg/s (3,000 with batching)
SQS retention period
default 4 days
can be 1min to 14 days
SQS visibility timeout
a received message is hidden for the timeout; if the consumer doesn't delete it in time it reappears for redelivery (default 30 s, max 12 h)
SWF is
SWF as a fully-managed state tracker and task coordinator that runs background jobs
SNS
web notifications
push, delivers messages to subscribers
elastic transcoder is
converts media files to other formats
API Gateway can front
EC2, Lambda (serverless) or any HTTP endpoint
API GW features
caching, auto scaling, throttling (rate limits protect backends from bursts and abuse), CloudWatch logging
What is CORS
lets a web page request resources from a different origin (domain) than the one that served it
what if you get "Origin policy cannot be read at the remote resource"
enable CORS on the API Gateway resource
Kinesis is used for
streaming data
3 types of Kinesis & define
Data Streams - producers write to shards, data retained (24 h default) for multiple consumers
Firehose - no retention, delivers straight to S3/Redshift/Elasticsearch/Splunk
Data Analytics - runs SQL over Streams/Firehose data and writes results on
Cognito is
AWS web identity federation (sign in via Google, Facebook, Amazon, SAML)
Cognito user pools vs identity pools
user pools - sign-up/sign-in, user directory, issue tokens
identity pools - exchange tokens for temporary AWS credentials (IAM roles)
lambda is
compute service, upload code and go
very cheap, scales out auto (not up)
serverless
AWS X-Ray
traces and debugs distributed apps, including Lambda
lambda can do global activities like
backup s3 bucket
What can’t trigger lambda
rds, ec2
IAM is universal or regional
Universal
root account
the identity created with the account; full admin access
new users have _ permission
no permissions
new users can be given a
access key ID + secret access key for programmatic access; these can't be used to sign in to the console (that needs a password)
2 types of aws access for user
console and programmatic
s3 file size, and maximum
0 to 5TB, unlimited
S3 namespace is _
universal/global; each bucket gets a DNS name like https://bucketname.s3.amazonaws.com
successful s3 upload
200 ok
how to protect objects in S3
MFA Delete (with versioning); also bucket policies and Block Public Access
S3 object fundamentals & components
key (name), value (data), version ID, metadata, subresources (ACLs, torrent)
S3 PUTs of new objects =
read-after-write consistency (immediate)
S3 overwrite PUTs or DELETEs
eventual consistency (the 2020 exam answer; since Dec 2020 S3 is strongly consistent for all operations)
control access to buckets using
bucket ACL or policy
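The two bucket-policy statements most worth knowing for the access-control and encryption cards are "deny anything not over TLS" and "deny PutObject without SSE-KMS". The following is an added example, not from the flashcards: a minimal evaluator that applies such a policy the way IAM does (explicit Deny beats Allow, otherwise implicit deny). The bucket name, account and role are made up, and only the condition operators the policy uses are implemented.

```python
"""Minimal S3 bucket-policy evaluator.

Added example, not from the flashcards. It shows the two Deny statements that
belong on most buckets (refuse non-TLS requests, refuse PutObject without
SSE-KMS) and evaluates requests the way IAM does: an explicit Deny beats any
Allow, and with no matching Allow the default is deny. Only the condition
operators the policy uses are implemented. Bucket name, account ID and role
are made up.
"""
import fnmatch

BUCKET = "example-audit-logs"                      # hypothetical bucket
APP_ROLE = "arn:aws:iam::111122223333:role/app"    # hypothetical principal

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # the app role may read and write objects
            "Sid": "AppAccess",
            "Effect": "Allow",
            "Principal": {"AWS": APP_ROLE},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::%s/*" % BUCKET,
        },
        {   # nobody may use plaintext HTTP
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::%s" % BUCKET, "arn:aws:s3:::%s/*" % BUCKET],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
        {   # uploads must request SSE-KMS
            "Sid": "DenyUnencryptedUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::%s/*" % BUCKET,
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}},
        },
    ],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _matches_any(patterns, value):
    # IAM Action/Resource strings support * and ? wildcards
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, caller):
    if principal == "*":
        return True
    return caller in _as_list(principal.get("AWS", []))


def _condition_matches(condition, ctx):
    """True when every key in the Condition block matches the request context."""
    for op, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = [str(w) for w in _as_list(wanted)]
            if op == "Bool":
                if str(ctx.get(key, "")).lower() not in [w.lower() for w in wanted]:
                    return False
            elif op == "StringNotEquals":
                # Negated operators match when the key is ABSENT from the request,
                # which is why this statement also catches uploads that send no
                # x-amz-server-side-encryption header at all.
                if key in ctx and str(ctx[key]) in wanted:
                    return False
            else:
                raise ValueError("operator not implemented: " + op)
    return True


def evaluate(policy, caller, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one request against one bucket policy."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt["Principal"], caller)
                and _matches_any(stmt["Action"], action)
                and _matches_any(stmt["Resource"], resource)
                and _condition_matches(stmt.get("Condition", {}), ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                      # explicit deny short-circuits
        allowed = True
    return "Allow" if allowed else "Deny"      # implicit deny when nothing allowed


def put(caller, tls=True, sse=None):
    """Evaluate a PutObject with the given transport and SSE header (None = absent)."""
    ctx = {"aws:SecureTransport": "true" if tls else "false"}
    if sse is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse
    return evaluate(BUCKET_POLICY, caller, "s3:PutObject",
                    "arn:aws:s3:::%s/2020/06/log.gz" % BUCKET, ctx)


def get(caller, tls=True):
    """Evaluate a GetObject with the given transport."""
    ctx = {"aws:SecureTransport": "true" if tls else "false"}
    return evaluate(BUCKET_POLICY, caller, "s3:GetObject",
                    "arn:aws:s3:::%s/2020/06/log.gz" % BUCKET, ctx)
```

The AES256 case is the one people get wrong: SSE-S3 is encryption too, but the policy asks specifically for `aws:kms`, so that upload is denied; loosen the condition if SSE-S3 is acceptable.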
Can versioning be used for backups, together with lifecycle rules?
yes
Can versioning use MFA for delete
yes, adds extra security
Lifecycle management summary
moves object between tiers of storage
can be used with versioning
applies to current/past versions
cross-region replication versioning
must be enabled on source and destination bucket
cross-region replication regions must be
different (for CRR; SRR replicates within one region)
what is an edge location, is it read or write
where content is cached
can read and write
CloudFront origins can be
S3 bucket, EC2 instance, ELB, or any custom HTTP origin reached by DNS name (e.g. via Route 53)
CloudFront distribution is what
the name/configuration given to the CDN (origins, behaviours) that the edge locations serve
For streaming what does each stand for : WEB vs RTMP
websites vs media streaming
what is snowball & where does it import/export
Petabyte scale transport system, big disk
import/export to s3
termination protection is turned _ by default
off
EBS backed instance default action is for root EBS volume to be _ on termination
deleted
Can root volume of default ami be encrypted
yes
Security group defaults
all inbound traffic blocked, outbound allowed
security groups applied to EC2 max
multiple per instance (default quota 5 per ENI, can be raised); one SG can be attached to many instances
Can you block an IP using security groups
no - SGs only have allow rules; use a NACL
can you set deny rules in a security group
no; anything not explicitly allowed is implicitly denied
what is an EBS volume
a network-attached virtual hard disk for an instance
where do snapshots live
s3, like a photo of the disk
what is a snapshot
point in time copy of volume
are snapshots incremental
yes
Should you stop an instance before taking snapshot of the root volume
yes
can you take a snapshot while the instance is running
yes, but preferably only of non-root volumes (stop or freeze I/O for a consistent root snapshot)
what can you change on an EBS volume in use
size and volume type, on the fly (elastic volumes)
How to move ec2 volume from one AZ or region to another
take snapshot
create ami
launch ec2 instance in new az
for regions you have to copy the ami to new region first
instance store volumes are sometimes called
ephemeral
instance store vs EBS backed - will you lose data?
instance store: data gone if the host fails or the instance stops; EBS: data persists
what happens to root volumes on instance termination
they are deleted unless you told aws to keep ebs
are snapshots of encrypted volumes auto encrypted
yes
volumes of restored encrypted snapsots are
encrypted automatically
can you share snapshots
unencrypted: yes, even publicly; encrypted: only with specific accounts, and only if encrypted with a customer managed KMS key you also share (not the default aws/ebs key)
can you encrypt root devices volumes
yes
If you don’t select encrypt when building, how to encrypt root volume
snapshot
copy snapshot, select encryption
create ami
use ami to create instance
what is cloudwatch
monitors performance
can monitor applications, events, billing, can create notifications
create dashboards, alarms, logs
cloudtrail is all about
auditing
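CloudTrail is where the auditing in that card actually happens. The following is an added example, not from the flashcards: three detections a SOC typically wires up first over CloudTrail records (root console login, console login without MFA, and calls that stop or alter the trail). The events use CloudTrail's real field names but are constructed samples; the account ID, users and IPs are made up.

```python
"""Three first-day CloudTrail detections.

Added example, not from the flashcards. CloudTrail is the audit log; this
runs three checks a SOC usually wires up first: root-user console logins,
successful console logins without MFA, and API calls that stop or alter the
trail itself. The events are constructed samples using CloudTrail's real
field names; account ID, user names and IPs are made up.
"""
import json

ACCOUNT = "111122223333"   # hypothetical account

SAMPLE_EVENTS = [
    {   # root signs in to the console without MFA: always a ticket
        "eventTime": "2020-06-01T12:00:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::%s:root" % ACCOUNT},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
        "sourceIPAddress": "203.0.113.10",
    },
    {   # IAM user with MFA: normal
        "eventTime": "2020-06-01T09:00:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::%s:user/alice" % ACCOUNT},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "Yes"},
        "sourceIPAddress": "198.51.100.7",
    },
    {   # IAM user without MFA
        "eventTime": "2020-06-01T09:02:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::%s:user/bob" % ACCOUNT},
        "responseElements": {"ConsoleLogin": "Success"},
        "additionalEventData": {"MFAUsed": "No"},
        "sourceIPAddress": "198.51.100.9",
    },
    {   # failed login: not one of these three findings, but must parse cleanly
        "eventTime": "2020-06-01T09:03:00Z",
        "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::%s:user/bob" % ACCOUNT},
        "responseElements": {"ConsoleLogin": "Failure"},
        "additionalEventData": {"MFAUsed": "No"},
        "sourceIPAddress": "198.51.100.9",
    },
    {   # someone turns the trail off
        "eventTime": "2020-06-01T09:05:00Z",
        "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
        "userIdentity": {"type": "IAMUser", "userName": "bob",
                         "arn": "arn:aws:iam::%s:user/bob" % ACCOUNT},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:%s:trail/org-trail" % ACCOUNT},
        "sourceIPAddress": "198.51.100.9",
    },
]
# CloudTrail delivers (gzipped) files of this shape to S3.
SAMPLE_LOG_FILE = json.dumps({"Records": SAMPLE_EVENTS})

TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def actor(event):
    """Human-readable identity: user name if present, else ARN, else type."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type", "unknown")


def detect(events):
    """Return (rule, actor, sourceIPAddress, eventTime) tuples, one per alert."""
    alerts = []
    for e in events:
        who, ip, when = actor(e), e.get("sourceIPAddress"), e.get("eventTime")
        if e.get("eventName") == "ConsoleLogin":
            ok = e.get("responseElements", {}).get("ConsoleLogin") == "Success"
            mfa = e.get("additionalEventData", {}).get("MFAUsed")
            if ok and e.get("userIdentity", {}).get("type") == "Root":
                alerts.append(("root_console_login", who, ip, when))
            if ok and mfa != "Yes":
                alerts.append(("console_login_without_mfa", who, ip, when))
        if (e.get("eventSource") == "cloudtrail.amazonaws.com"
                and e.get("eventName") in TRAIL_TAMPERING):
            alerts.append(("cloudtrail_tampering:" + e["eventName"], who, ip, when))
    return alerts


def detect_in_log_file(text):
    """Run detect() over one delivered CloudTrail file ({"Records": [...]})."""
    return detect(json.loads(text)["Records"])
```

The root login fires two alerts on purpose (root use and missing MFA are separate policy violations); the failed login fires none here, though counting failures per source IP is the natural next rule.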
CloudWatch basic vs detailed monitoring interval
5 min vs 1 min
roles vs storing keys for IAM
roles hand out short-lived STS credentials, so there is no long-lived key to leak or rotate; more secure and easier to manage
roles can be assigned to
EC2 instances (instance profile); also Lambda, ECS tasks, users/roles in other accounts, federated users
are roles universal
yes
how to get info about an instance
instance metadata service: curl http://169.254.169.254/latest/meta-data/ (also serves the role's temporary credentials, so require IMDSv2 session tokens)
EFS supports & pay
NFS v 4
pay for what you use, no pre provisioning, up to Petabytes
EFS stored where and consistency is
stored - multiple AZs in region
read after write consistency
3 types of placement groups
cluster - same AZ, low latency / high throughput between instances
spread - each instance on distinct hardware, max 7 per AZ
partition - groups of instances on separate racks (up to 7 partitions per AZ), for HDFS/Cassandra-style workloads
placement group names and regions
must be same region
must have unique name in account
how to move instance into a placement group
instance must be stopped, using cli or sdk (no console)
Elasticache does what and the names of memory types are
improves performances of web apps to speed up databases
memcached, redis
RDS OLTP engines
SQL Server, MySQL, PostgreSQL, Oracle, Aurora, MariaDB
aws no sql
dynamo db
redshift olap
data warehousing or bus intelligence
RDS runs on
virtual machines that you have no access to
can you patch your rds instance
no, amazon does it
is RDS serverless
no, but there is serverless aurora
read replicas allow
read only copy of database, to improve performance
2 ways to improve DB performance
elasticache and read replicas
read replicas available for following databases
mysql, postgresql, mariadb, oracle, aurora
must have _ turned on to deploy read replicas
automatic backups
you can have up to _ read replicas per source DB
5 (Aurora: 15)
Can you have read replicas of read replicas
yes - watch for latency
each read replica will have its own
dns endpoint
can you have read replicas in multi az or region
yes
can you promote read replicas
yes, it breaks replication
2 types of RDS backups
automated - scheduled
snapshots - manually
how to force failover from one az to another for RDS
reboot RDS instance
Encryption at rest supported for which RDS
all RDS engines (choose it at creation; an existing unencrypted instance has to be snapshotted, the snapshot copied with encryption, and restored)
dynamo db used what kind of disk
ssd storage
dynamo db spread across
3 AZ
DynamoDB read options
eventually consistent (default) - may return stale data for up to about 1 s after a write
strongly consistent - always returns the latest committed write (higher cost, not available on GSIs)
redshift is available in _ azs
1
redshift backups
1-35 days, 1 is default, maintains 3 copies of data in s3
Aurora is
AWS's own relational engine, MySQL- and PostgreSQL-compatible
6 copies of data: 2 in each of 3 AZs
can you share aurora snapshots with other accounts
yes
2 types of Aurora replicas & what can failover
Aurora replicas (up to 15) and MySQL read replicas (up to 5)
automated failover only with Aurora replicas
aurora backups
on by default
redis is highly available?
yes - multi az
ELBs have IP or DNS name
DNS name (point records at it); only NLB also offers static IPs
alias vs CNAME
alias - Route 53 specific, works at the zone apex (naked domain), points at AWS resources, queries are free (always choose alias in exam)
CNAME - standard DNS, not allowed at the apex
can you buy domain names through aws
yes- can take 3 days to register
rt53 simple routing
1 dns record, multiple IP, random order to user
rt53 weighted routing
send to region based on weights we supply
rt53 health checks
removes an unhealthy record from answers until it recovers; can send an SNS notification on failure
rt53 latency based routing
rt53 chooses lowest latency path
rt53 failover routing
active/passive site - rt53 healthcheck will failover
rt53 geolocation routing
send based on user location
rt53 Geoproximity routing
send users based on location of users and resources, must use rt53 traffic flow
rt53 multi value answers
multiple record sets, same as simple w/health checks
VPC consists of
Internet gateways route tables NACLs Subnets Security groups
1 subnet =
1 availability zone
which can have deny rules - nacls or security groups
nacls
can VPCs have transitive peering
no
When you create a VPC what is created by default
route table, NACL, security group (no subnets)
how many IPs does AWS reserve in your subnet
5
how many internet gateways per vpc
1
can security groups span vpcs
no
are nat gateways redundant in the AZ
yes
how many nat gateways per AZ
1
NAT GW throughput scales automatically
true
are nat gateways associated with security groups
no
do nat gateways have a public IP
yes
what do you need to do if you add a nat gateway so your ec2’s can talk out
add a route to the nat gw in the route table
if you have resources in multiple AZs that share a NAT GW, what happens if that AZ goes down
resources in the other AZs lose their GW; configure a NAT GW in every AZ where you have resources
default network ACL allows
all inbound and outbound
custom network ACLs allow
nothing until you add rules (deny all)
each subnet in your vpc must be associated with a _
ACL, else its assigned to default
can you block IP
yes with NACL
how many NACLs can a subnet be associated with, and vice versa
network ACL to many subnets
subnet to just 1 ACL
NACL rules applied how
in order from the lowest rule number; the first matching rule wins and later rules are not evaluated
How many public subnets to create a LB
2+
can you enable flow logs for peered VPCs
only if the VPC is in your account
can you tag a flow log
no
can you change a flow log
no
what is direct connect
connects your datacenter to aws for high throughput workloads or stable/secure connection
If you have a VPN connection that keeps dropping out due to throughput erros what should you use
direct connect
what is a VPC endpoint
connect VPC to aws services
2 types of VPC endpoints
interface
gateway - s3, dynamo db
If you upload an object using AWS Identity and Access Management (IAM) user or role credentials who owns the object?
the AWS account that the user or role belongs to owns the object.
Storage Gateway types
Volume Gateway
Tape Gateway (VTL, backups only)
File Gateway
Volume Gateway has what 2 modes
cached - primary data in S3, frequently used blocks cached locally
stored - full copy on-prem, asynchronously backed up to S3 as EBS snapshots
which storage gateway for object based files
file gateway
are security groups stateful or stateless & meaning
stateful - the reply to allowed traffic is allowed automatically
are NACLs stateful or stateless + meaning
stateless - return traffic must match its own rule (so add ephemeral-port rules)
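The NACL-ordering, stateless-vs-stateful and allow-only cards describe behaviour that is easy to get wrong on paper. The following is an added example, not from the flashcards: a small model of NACL and security-group evaluation that shows why a deny numbered above the allow never fires, why a NACL needs an ephemeral-port outbound rule for SSH replies, and why a security group cannot block a peer. All addresses, ports and rule numbers are made up.

```python
"""Security group vs network ACL evaluation.

Added example, not from the flashcards. It encodes the rules the cards
state: NACL rules are evaluated from the lowest rule number and the first
match wins; a NACL is stateless, so the reply needs its own rule on the
ephemeral ports; a security group is allow-only and stateful, so it cannot
block a peer and the reply to allowed traffic is always permitted.
Addresses, ports and rule numbers are made up.
"""
import ipaddress

EPHEMERAL = (1024, 65535)   # where clients expect replies to come back


def nacl_decision(rules, peer_ip, proto, port):
    """rules: (rule_no, proto, (from_port, to_port), cidr, 'allow'|'deny').
    Evaluated lowest number first; the first matching rule decides; if none
    matches, the implicit '*' rule denies. peer_ip is the source for inbound
    rules and the destination for outbound rules."""
    peer = ipaddress.ip_address(peer_ip)
    for rule_no, r_proto, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if r_proto not in ("all", proto):
            continue
        if r_proto != "all" and not lo <= port <= hi:
            continue
        if peer not in ipaddress.ip_network(cidr):
            continue
        return action, rule_no
    return "deny", "*"


def nacl_allows_ssh_session(inbound, outbound, client_ip, client_port):
    """Stateless: the SYN to port 22 is checked inbound AND the reply to the
    client's ephemeral port is checked outbound; both must be allowed."""
    request, _ = nacl_decision(inbound, client_ip, "tcp", 22)
    reply, _ = nacl_decision(outbound, client_ip, "tcp", client_port)
    return request == "allow" and reply == "allow"


def sg_allows_ssh_session(inbound_rules, client_ip):
    """Security group: rules are allow-only and unordered (any match allows);
    stateful, so no outbound rule is needed for the reply."""
    peer = ipaddress.ip_address(client_ip)
    return any(proto == "tcp" and lo <= 22 <= hi and peer in ipaddress.ip_network(cidr)
               for proto, (lo, hi), cidr in inbound_rules)


# Two inbound NACLs that differ only in where the deny for 10.0.5.0/24 sits.
DENY_BEFORE_ALLOW = [
    (90,  "tcp", (22, 22), "10.0.5.0/24", "deny"),   # seen first -> blocks
    (100, "tcp", (22, 22), "10.0.0.0/8",  "allow"),
]
DENY_AFTER_ALLOW = [
    (100, "tcp", (22, 22), "10.0.0.0/8",  "allow"),  # matches first -> rule 110 never runs
    (110, "tcp", (22, 22), "10.0.5.0/24", "deny"),
]
OUTBOUND_WITH_EPHEMERAL = [(100, "tcp", EPHEMERAL, "0.0.0.0/0", "allow")]
OUTBOUND_HTTPS_ONLY = [(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
SG_SSH_FROM_CORP = [("tcp", (22, 22), "10.0.0.0/8")]

if __name__ == "__main__":
    print(nacl_decision(DENY_BEFORE_ALLOW, "10.0.5.7", "tcp", 22))   # ('deny', 90)
    print(nacl_decision(DENY_AFTER_ALLOW, "10.0.5.7", "tcp", 22))    # ('allow', 100)
    print(nacl_allows_ssh_session(DENY_AFTER_ALLOW, OUTBOUND_HTTPS_ONLY, "10.0.7.7", 40000))
```

To block 10.0.5.0/24 with a NACL the deny must carry a lower number than the allow it overrides; to block it at all with a security group you cannot, you can only narrow the allowed CIDR.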
Maximum DynamoDB item size
400 KB (the whole item, not just a string attribute)
List the rt53 routing policies (names only)
simple failover geolocation geoproximity latency multivalue weighted
max instances for spread placement group per AZ
7
can you use 3rd party encryption tools
no
Are security groups global
no, regional only
If you copy an AMI to a new region do the tags and permissions follow it
no - launch permissions and tags are not copied; re-apply them
What is the maximum VisibilityTimeout of an SQS message in a FIFO queue?
12 hours
AWS premium support levels
basic, developer, business, enterprise
What can CloudWatch see for an EC2 instance by default
hypervisor-level metrics only: CPU, network in/out, disk I/O, status checks. Not memory or disk space - that needs the CloudWatch agent.
what is an elastic IP
static, public ip associated with your AWS account which allows you to rapidly remap to a new instance in case of failure
You create flow logs for these network items
You can create a flow log for a VPC, a subnet, or a network interface
You can create flow logs for network interfaces on these network services
ELB, RDS, ElastiCache, Redshift, WorkSpaces, NAT gateways, Transit Gateway (anything that puts an ENI in your VPC)
VPC Flow Logs is a feature that enables you to…
capture information about the IP traffic going to and from network interfaces in your VPC.
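What you do with the captured records is the useful part. The following is an added example, not from the flashcards: a parser for the default (version 2) flow-log format plus two detections, rejected SSH attempts and a source whose rejected flows fan out across many ports. The log lines are constructed samples; the account ID, ENI and addresses are made up.

```python
"""VPC Flow Log parsing and two detections.

Added example, not from the flashcards. It parses records in the default
(version 2) flow-log format and runs two checks: rejected SSH attempts and
sources whose REJECTed connections fan out over many ports (a scan). The
lines below are constructed samples; account ID, ENI and addresses are made up.
"""
from collections import defaultdict

# Field order of the default format; NODATA/SKIPDATA records carry '-' in most fields.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()
TCP = 6

SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.20 10.0.2.10 49152 443 6 10 2000 1591000000 1591000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60718 203.0.113.50 10.0.2.10 51000 22 6 1 60 1591000000 1591000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 203.0.113.50 10.0.2.10 51001 23 6 1 60 1591000000 1591000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 203.0.113.50 10.0.2.10 51002 3389 6 1 60 1591000000 1591000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 203.0.113.50 10.0.2.10 51003 445 6 1 60 1591000000 1591000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 203.0.113.50 10.0.2.10 51004 8080 6 1 60 1591000000 1591000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.99 10.0.2.10 51005 22 6 1 60 1591000000 1591000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 - - - - - - - 1591000060 1591000120 - NODATA
"""


def parse_record(line):
    """Split one default-format record into a dict; numeric fields become ints, '-' stays None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("not a default-format flow log record: " + line)
    rec = dict(zip(FIELDS, parts))
    for f in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[f] = None if rec[f] == "-" else int(rec[f])
    return rec


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def _rejected_tcp(records):
    # Only records that actually carry data; NODATA/SKIPDATA have no action.
    return (r for r in records
            if r["log-status"] == "OK" and r["action"] == "REJECT" and r["protocol"] == TCP)


def rejected_ssh(records):
    """Source addresses that had TCP/22 rejected, with attempt counts."""
    counts = defaultdict(int)
    for r in _rejected_tcp(records):
        if r["dstport"] == 22:
            counts[r["srcaddr"]] += 1
    return dict(counts)


def port_scanners(records, min_ports=5):
    """Sources whose rejected TCP flows touch at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in _rejected_tcp(records):
        ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("rejected ssh:", rejected_ssh(recs))
    print("scanners:", port_scanners(recs))
```

Note the distinction the two checks draw: 10.0.1.99 shows up only in the SSH list (one internal host knocking on 22 is a misconfiguration or a policy question), while 203.0.113.50 shows up in both and is the one worth blocking at the NACL.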
What are dedicated instances
HW dedicated to single customer
management service that provides managed instances of Chef and Puppet
AWS OpsWorks
Access Keys are used for
API Calls
What do you use to logon to an ec2 instance
key pairs
EBS volume types
General Purpose SSD (gp2)
Provisioned IOPS SSD (io1)
Throughput Optimized HDD (st1)
Cold HDD (sc1)
how traffic is shifted from the original AWS Lambda function version to the new AWS Lambda function
Canary, linear, all at once
What is AWS IoT Core
service for Internet of Things
Is all data between the gateway appliance and S3 encrypted
yes, TLS (SSL)
Perfect Forward Secrecy is used to offer SSL/TLS cipher suites for which two AWS services?
CloudFront and ELB
what is Server Name Indication (SNI)
host multiple TLS secured applications, each with its own TLS certificate, behind a single load balancer
What is an ENI
Elastic Network Interface - VPC network card, can attached to ec2
snowball vs snowball edge capacity
80 vs 100TB
What is AWS Security Token Service (AWS STS)
the service that you can use to create and provide trusted users with temporary security credentials
Can you use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes
yes
Auto scaling cooldown does what
ensures new ec2 is not launched too soon
default 300 seconds
How are EBS volumes stored and replicated
Single AZ only
Is Redshift fast or slow
fast, scalable, cost effective
what is Pilot light DR
minimal standby architecture
Authenticate to your RDS instance using what IAM ___
IAM DB authentication
set custom budgets that alert you when your costs or usage exceed
AWS budgets
Lambda encrypts using
AWS Key Management Service
S3 Select is an Amazon S3 feature that makes it easy to
retrieve specific data from the contents of an object using simple SQL expressions
Amazon DynamoDB Accelerator (DAX) can
reduce DynamoDB response times (in-memory cache, microsecond reads)
What lets you connect your on-premises Active Directory to AWS
AD Connector (AWS Directory Service)
To monitor advanced metrics on DB use
Enhanced monitoring
What provides you a managed Hadoop framework to process data across dynamically scalable Amazon EC2 instances
EMR
For Redshift (OLAP), to define the number of query queues that are available and how queries are routed
use WLM (workload management)
A DynamoDB stream is an _ _ _
Ordered flow of information about changes to items in an Amazon DynamoDB table
CloudFront signed URLs and signed cookies provide the same basic functionality which is what ?
They allow you to control who can access your content
Which EC2 instance is removed first on a scale-in of an auto scaling group
the AZ with the most instances; then (default policy) the instance with the oldest launch configuration; then the one closest to the next billing hour
Use Amazon MQ instead of SQS when you are
moving messaging with existing apps to cloud quickly
If you will get bursts of traffic on your API gateway use _
Throttling
What protects against DDoS attacks
AWS Shield
Instances that you launch into a default subnet receive what IP(s)
public and private
What to use when data must be stored in a columnar fashion
Redshift
Max IOPS SSD
32,000 per volume (io1 reaches 64,000 on Nitro-based instances)
Retrieval types to use/purchase to speed things up
provisioned and expedited
Do SQS standard queues preserve the order of messages?
no - best-effort ordering only; use a FIFO queue when order matters
What is a scheduled reserved instance
It allows you to reserve instances for a specific time period at a cheaper rate than on demand when using a 1 year term