AWS services Flashcards

Key points of each service

2
Q

AWS DataSync

A
  • migrate data in a simple and secure way
  • migrate data between on-premises storage and the cloud
  • migrate data between cloud providers
3
Q

Application Discovery Service

A

Gathering information about their on-premises data centers

4
Q

AWS Resource Access Manager (RAM)

A
  • enables you to share AWS resources easily and securely with any AWS account or within your AWS Organization.
  • You can create resources centrally in a multi-account environment, and use RAM to share those resources across accounts
5
Q

AWS WAF

A

helps protect your web applications from SQL injection and cross-site scripting attacks (attacks at the HTTP level, OSI layer 7)

6
Q

AWS Shield

A

DDoS protection service (infrastructure level: layers 3 and 4, the network and transport layers)

AWS Shield Advanced - higher level protection

7
Q

AWS Secrets Manager

A
  • protect secrets needed to access your applications, services, and IT resources
  • easily rotate, manage and retrieve credentials, API keys and other secrets
  • secrets are accessed by making an API call to the Secrets Manager API
  • built-in rotation of secrets for RDS, Redshift, DocumentDB
  • encryption at rest
8
Q

AWS CloudHSM (Hardware Security Module)

A
  • AWS CloudHSM allows you to generate, store, and manage cryptographic keys securely.
  • helps you meet corporate, contractual, and regulatory compliance requirements for data security by using FIPS 140-2 Level 3 validated HSMs.
9
Q

AWS KMS (Key Management Store)

A
  • managed service that enables you to easily encrypt your data
  • centrally manage and securely store your keys
  • consists of Customer Managed Keys (CMK) and AWS Managed Keys
10
Q

AWS Certificate Manager

A

Create, store, and renew SSL/TLS X.509 certificates

11
Q

AWS GuardDuty

A
  • Intelligent threat detection service
  • Continuously monitors for malicious activity and delivers detailed security findings for visibility and remediation.
  • Monitors AWS accounts, workloads, and data in Amazon S3.

Amazon GuardDuty can generate findings based on suspicious activities such as requests coming from known malicious IP addresses, changing of bucket policies/ACLs to expose an S3 bucket publicly, or suspicious API call patterns that attempt to discover misconfigured bucket permissions.

12
Q

AWS Trusted Advisor

A

Trusted Advisor is an online resource that helps to reduce cost, increase performance, and improve security by optimizing your AWS environment.

13
Q

AWS Inspector

A
  • automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
  • Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.
14
Q

AWS Cognito

A
  • adds user sign-up, sign-in, and access control to your web and mobile apps quickly and easily.
  • authentication, authorization, and user management for your web and mobile apps.
  • Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, or Google.
15
Q

Amazon Cognito - Web Identity Federation

A
  • Federation allows users to authenticate with a Web Identity Provider (e.g. Google, Facebook, Amazon).
  • AWS Cognito works with external identity providers that support SAML or OpenID Connect, social identity providers (such as Facebook, Twitter, Amazon)
16
Q

AWS Cognito - User Pools and Identity Pools

A
  • User pools are user directories that provide sign-up and sign-in options for your app users.
  • Identity pools enable you to grant your users access to other AWS services.
17
Q

Active Directory

A

Active Directory (AD) is Microsoft’s proprietary directory service. It runs on Windows Server and enables administrators to manage permissions and access to network resources.

Active Directory (AD) is a database and set of services that connect users with the network resources they need to get their work done. The database (or directory) contains critical information about your environment, including what users and computers there are and who’s allowed to do what.

18
Q

Active Directory Service for Microsoft Active Directory

A
  • Best choice if you have more than 5000 users and/or need a trust relationship set up
  • Runs on Windows Server
19
Q

Simple AD (Active Directory)

A
  • An inexpensive Active Directory-compatible service with common directory features.
  • Standalone, fully managed, directory on the AWS cloud.
  • Best choice when you have fewer than 5000 users and don’t need advanced AD features.
20
Q

AD Connector (Active Directory)

A
  • AD Connector is a directory gateway for redirecting directory requests to your on-premises Active Directory.
  • AD Connector eliminates the need for directory synchronization and the cost and complexity of hosting a federation infrastructure.
  • Connects your existing on-premises AD to AWS.
  • Best choice when you want to use an existing Active Directory with AWS services.
21
Q

AWS IAM (Identity & Access Management)

A

securely control individual and group access to AWS resources

IAM can be used to manage:
* Users
* Groups
* Access policies
* Roles
* User credentials
* User password policies
* Multi-factor authentication (MFA).
* API keys for programmatic access (CLI)

22
Q

AWS IAM (Identity & Access Management)

A
  • User is an entity that represents a person or service.
  • Groups are collections of users and have policies attached to them
  • Roles are created and then “assumed” by trusted entities and define a set of permissions for making AWS service requests
  • Policies are documents that define permissions and can be applied to users, groups, and roles.
23
Q

AWS Security Token Service (STS)

A

AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users).

24
Q

Cross Account Access

A

Useful for situations where an AWS customer has separate AWS accounts – for example for development and production resources.

Cross Account Access makes it easier to work productively within a multi-account (or multi-role) AWS environment by making it easy to switch roles within the AWS Management Console.

25
Q

Identity & Access Management (IAM) Best Practices

A

To secure AWS resources it is recommended that you follow these best practices:

  • Lock away your AWS account root user access keys.
  • Use roles to delegate permissions.
  • Grant least privilege.
  • Get started using permissions with AWS managed policies.
  • Validate your policies.
  • Use customer managed policies instead of inline policies.
  • Use access levels to review IAM permissions.
  • Configure a strong password policy for your users.
  • Enable MFA.
  • Use roles for applications that run on Amazon EC2 instances.
  • Do not share access keys.
  • Rotate credentials regularly.
  • Remove unnecessary credentials.
  • Use policy conditions for extra security.
  • Monitor activity in your AWS account.
26
Q

Amazon SNS (Simple Notification Service)

A

Fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication

pub/sub functionality provides messaging for high-throughput, push-based, many-to-many use cases

SNS uses a pub-sub model whereby users or applications subscribe to SNS topics.

When subscribing to an SNS topic the following endpoint types are supported:
* HTTP/HTTPS.
* Email/Email-JSON.
* Amazon Kinesis Data Firehose.
* Amazon SQS.
* AWS Lambda.
* Platform application endpoint (mobile push).
* SMS.

27
Q

SNS Fanout

A

Your publisher systems can fanout messages to many subscriber systems including Amazon SQS queues, AWS Lambda functions and HTTPS endpoints, for parallel processing, and Amazon Kinesis Data Firehose.

You can subscribe one or more Amazon SQS queues to an Amazon SNS topic from a list of topics available for the selected queue. When you publish a message to a topic, Amazon SNS sends the message to every subscribed SQS queue. Amazon SQS manages the subscription and any necessary permissions.

28
Q

Amazon Simple Queue Service (SQS)

A

distributed queue system that enables web service applications to quickly and reliably queue messages

Messages in the queue need to be polled by the consumer (e.g. EC2 instance)

Amazon SQS is pull-based, not push-based (like Amazon SNS).

Messages can be kept in the queue from 1 minute to 14 days.

The default retention period is 4 days.

The SQS queue resolves issues that arise if the producer is producing work faster than the consumer can process it, or if the producer or consumer are only intermittently connected to the network.

You can use an AWS Lambda function to process messages in an Amazon Simple Queue Service (Amazon SQS) queue. Lambda polls the queue and invokes your Lambda function synchronously with an event that contains queue messages.
Lambda reads messages in batches and invokes your function once for each batch.
When your function successfully processes a batch, Lambda deletes its messages from the queue.

29
Q

Dead-Letter Queue

A

A dead-letter queue handles message failures (applies to both SNS and SQS).

It lets you set aside and isolate messages that can’t be processed correctly to determine why their processing didn’t succeed

30
Q

Amazon Simple Workflow Service (SWF)

A

Amazon SWF is used for processing background jobs that have parallel or sequential steps. You can think of Amazon SWF as a fully managed state tracker and task coordinator

31
Q

AWS Step Functions

A

AWS Step Functions can be used to coordinate the components of distributed applications as a series of steps in a visual workflow

This is orchestration (a controller that controls the interactions between services) as opposed to choreography (lots of small, independent, loosely coupled services working together).

32
Q

Amazon OpenSearch

A

It is an open source, distributed search and analytics suite based on Elasticsearch.

Successor to the Amazon Elasticsearch Service

Elasticsearch is a distributed search and analytics engine built on Apache Lucene.

Elasticsearch is a popular search engine commonly used for log analytics, full-text search, security intelligence, business analytics, and operational intelligence use cases.

With OpenSearch you can perform log analytics interactively, perform real-time application monitoring, website search, performance metric analysis and more.

33
Q

AWS Glue

A
  • Fully-managed, pay-as-you-go, extract, transform, and load (ETL) service that automates the time-consuming steps of data preparation for analytics.
  • Glue can automatically discover both structured and semi-structured data stored in data lakes on Amazon S3, data warehouses in Amazon Redshift, and various databases running on AWS.
  • automatically discovers and profiles data via the Glue Data Catalog, recommends and generates ETL code to transform your source data into target schemas
  • runs the ETL jobs on a fully managed, scale-out Apache Spark environment to load your data into its destination
  • You can create and run an ETL job with a few clicks in the AWS Management Console.
34
Q

Amazon Athena

A
  • analyze data in Amazon S3 using standard SQL
  • Can use with other services such as Amazon RedShift (data warehouse)
35
Q

Overview of 4 services

A
  • Athena = query S3 data using SQL
  • RedShift = data warehouse (columnar storage)
  • EMR(Elastic MapReduce) = data processing (big data), running tasks such as machine learning, graph analytics, data transformation, streaming data.
  • Glue = ETL service, transform data from S3 bucket, RedShift, other databases and move to various destinations.
36
Q

Amazon Kinesis

A
  • makes it easy to collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information
  • Data is processed in “shards” – with each shard able to ingest 1000 records per second
  • default limit of 500 shards, which can be increased
  • A record consists of a partition key, sequence number, and data blob (up to 1 MB).
  • Transient data store – default retention of 24 hours but can be configured for up to 7 days.
37
Q

Kinesis Data Streams

A
  • real-time processing of streaming big data.
  • stores data for later processing by applications (key difference to Firehose which delivers data directly to AWS services).
  • data is captured and stored for processing in shards
  • each shard can support up to 1000 PUT records per second
  • records of a stream are accessible for up to 24 hours from the time they are added to the stream (can be raised to 7 days by enabling extended data retention).
  • Splitting increases the number of shards in your stream and therefore increases the data capacity of the stream.
  • Splitting increases the cost of your stream (you pay per-shard).
38
Q

Kinesis Data Firehose

A
  • easiest way to load streaming data into data stores and analytics tools.
  • Captures, transforms, and loads streaming data
  • Kinesis Data Streams can be used as the source(s) to Kinesis Data Firehose
  • You can configure Kinesis Data Firehose to transform your data before delivering it.
  • With Kinesis Data Firehose you don’t need to write an application or manage resources
  • Each delivery stream stores data records for up to 24 hours.
  • Data can be delivered to S3, RedShift, ElasticSearch, Splunk
39
Q

Kinesis Data Streams vs Firehose

A

Streams - Allows you to write custom consumers
Firehose - Simplifies data transformation and data storage

Streams - Guarantees ordered delivery
Firehose - Messages can be delivered more than once, as order is not guaranteed

Streams - A failure blocks the shard until success or expiration
Firehose - Has a built-in retry mechanism for each delivery

Streams - Allows you to set the number of shards
Firehose - Allows you to set the data volume; shards are managed by the service

Streams - Supports multiple types of consumers as well as multiple consumers
Firehose - A stream can only have one destination

40
Q

SQS vs SNS vs Kinesis

A

SQS:
* Consumers pull data.
* Messages still persist in the queue after being read. An API call to delete the message from the queue is required after the consumer has successfully received the message.
* By default, only one consumer is possible.
* No need to provision throughput.
* No ordering guarantee (except with FIFO queues).
* Individual message delay.

SNS:
* Push data to many subscribers.
* Up to 10,000,000 subscribers.
* Data is not persisted (lost if not delivered).
* Pub/sub.
* Up to 10,000,000 topics.
* No need to provision throughput.
* Integrates with SQS for fan-out architecture pattern.

Kinesis:
* Consumers pull data.
* As many consumers as you need.
* Possible to replay data.
* Meant for real-time big data, analytics, and ETL.
* Ordering at the shard level.
* Data expires after X days.
* Must provision throughput.

41
Q

Amazon Elastic MapReduce (EMR)

A
  • big data processing and analysis.
  • web service that enables businesses, researchers, data analysts, and developers to process vast amounts of data
  • EMR utilizes a hosted Hadoop framework running on Amazon EC2 and Amazon S3
  • With EMR you can run petabyte-scale analysis at less than half of the cost of traditional on-premises solutions and over 3x faster than standard Apache Spark
  • Most used for log analysis, financial analysis, or extract, transform, and load (ETL) activities
42
Q

AWS Elastic Transcoder

A
  • convert (or “transcode”) video and audio files from their source format into versions that will playback on devices like smartphones, tablets and PCs.
  • Picks up files from an input S3 bucket and saves the output to an output S3 bucket.
  • You are charged based on the duration of the content and the resolution or format of the media
43
Q

AWS Systems Manager

A
  • AWS Systems Manager is a central hub to control and view your entire AWS infrastructure
44
Q

AWS Config

A
  • AWS Config continually assesses, audits, and evaluates the configurations and relationships of your resources on AWS, on premises, and on other clouds.
  • enables security and governance
  • AWS Config records point-in-time configuration details for your AWS resources as Configuration Items
45
Q

AWS CloudFormation

A
  • allows you to manage, configure and provision your AWS infrastructure as code
  • Resources are defined using a CloudFormation template
  • Supports YAML or JSON
46
Q

AWS CloudFormation key concepts

A
  • Templates = The JSON or YAML text file that contains the instructions for building out the AWS environment
  • Stacks = The entire environment described by the template and created, updated, and deleted as a single unit
  • StackSets = AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation
  • Change Sets = A summary of proposed changes to your stack that will allow you to see how those changes might impact your existing resources before implementing them
47
Q

AWS Storage Gateway

A
  • AWS Storage Gateway is a set of hybrid cloud storage services that provide on-premises access to virtually unlimited cloud storage.
  • Storage Gateway optimizes data transfer to AWS by sending only changed data and compressing data.
  • Storage Gateway is not suitable for transferring large sets of data to AWS. It is mainly used to provide low-latency access to data by caching frequently accessed data on-premises while storing archive data securely and durably in Amazon cloud storage services. Use AWS DataSync for large datasets.
48
Q

AWS OpsWorks

A

AWS OpsWorks is a configuration management service that provides managed instances of two open-source tools, Chef and Puppet.

49
Q

AWS CloudTrail

A
  • CloudTrail enables governance, compliance, and operational and risk auditing of your AWS account.
  • CloudTrail provides visibility into user activity by recording actions taken on your account.
50
Q

AWS CloudWatch vs CloudTrail

A

CloudWatch
* monitors your application (application/service actions)
* central monitoring and logging service for AWS. Each AWS service reports its metrics directly to CloudWatch

CloudTrail
* audit your AWS account (user actions)
* monitors the internal usage of your AWS account. Every change that a user or application makes to resources in your account is recorded.

51
Q

CloudWatch

A
  • Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS.
  • CloudWatch is used to collect and track metrics, collect and monitor log files, and set alarms.

With CloudWatch you can:
* Gain system-wide visibility into resource utilization.
* Monitor application performance.
* Monitor operational health.

52
Q

SNS vs SQS

A

Amazon SNS is a fully managed pub/sub messaging service. With Amazon SNS, you can use topics to simultaneously distribute messages to multiple subscribing endpoints such as Amazon SQS queues, AWS Lambda functions, HTTP endpoints, email addresses, and mobile devices (SMS, Push).

Amazon SQS is a message queue service used by distributed applications to exchange messages through a polling model. It can be used to decouple sending and receiving components without requiring each component to be concurrently available.

A fanout scenario occurs when a message published to an SNS topic is replicated and pushed to multiple endpoints, such as Amazon SQS queues, HTTP(S) endpoints, and Lambda functions. This allows for parallel asynchronous processing.

53
Q

Amazon Elastic Kubernetes Service (EKS)

A
  • Amazon EKS provisions and scales the Kubernetes control plane, including the API servers and backend persistence layer, across multiple AWS availability zones for high availability and fault tolerance.
  • To migrate the application to a container service, you can use Amazon ECS or Amazon EKS. But the key point in this scenario is a cloud-agnostic and open-source platform. Take note that Amazon ECS is an AWS proprietary container service. This means that it is not an open-source platform. Amazon EKS is a portable, extensible, and open-source platform for managing containerized workloads and services. Kubernetes is considered cloud-agnostic because it allows you to move your containers to other cloud service providers.
54
Q

AWS Organizations

A

AWS Organizations is a service that allows you to manage multiple AWS accounts easily. With this service, you can effectively consolidate billing and manage your resources across multiple accounts.

55
Q

AWS IAM Identity Center

A
  • AWS IAM Identity Center helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications.
  • IAM Identity Center is the recommended approach for workforce authentication and authorization on AWS for organizations of any size and type.
56
Q

Application Load Balancer

A
  • Application Load Balancer operates at the request level (layer 7) HTTP/HTTPS, routing traffic to targets (EC2 instances, containers, IP addresses, and Lambda functions) based on the content of the request
  • Application Load Balancer simplifies and improves the security of your application, by ensuring that the latest SSL/TLS ciphers and protocols are used at all times.
  • ALBs can also route and load balance gRPC traffic between microservices or between gRPC-enabled clients and services
57
Q

Route 53

A

Route 53 is a DNS service. Below are some of its routing policies:

Latency Routing
lets Amazon Route 53 serve user requests from the AWS Region that provides the lowest latency. It does not, however, guarantee that users in the same geographic region will be served from the same location.

Geoproximity Routing
lets Amazon Route 53 route traffic to your resources based on the geographic location of your users and your resources. You can also optionally choose to route more traffic or less to a given resource by specifying a value, known as a bias. A bias expands or shrinks the size of the geographic region from which traffic is routed to a resource.

Geolocation Routing
lets you choose the resources that serve your traffic based on the geographic location of your users, meaning the location that DNS queries originate from.

Weighted Routing
lets you associate multiple resources with a single domain name (tutorialsdojo.com) or subdomain name (subdomain.tutorialsdojo.com) and choose how much traffic is routed to each resource.

58
Q

Amazon Data Lifecycle Manager

A

You can use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes. Automating snapshot management helps you to:

– Protect valuable data by enforcing a regular backup schedule.

– Retain backups as required by auditors or internal compliance.

– Reduce storage costs by deleting outdated backups.

Combined with the monitoring features of Amazon CloudWatch Events and AWS CloudTrail, Amazon DLM provides a complete backup solution for EBS volumes at no additional cost.

59
Q

Macie vs GuardDuty

A

Amazon Macie is designed to automatically discover, classify, and protect sensitive data, such as personally identifiable information (PII) and intellectual property. It uses machine learning algorithms to scan and identify sensitive data across AWS services like Amazon S3 buckets.

Amazon GuardDuty is primarily focused on providing intelligent threat detection for AWS accounts and workloads. It helps detect potential security threats by analyzing event logs from various AWS services, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs

Macie cannot detect usage patterns on S3 data. While Amazon Macie is capable of detecting policy changes in S3 buckets, this is not enough to detect unauthorized or suspicious access patterns which is what GuardDuty can do.

60
Q

Elastic Block Store (EBS)

A

An Amazon EBS volume is a durable, block-level storage device that you can attach to a single EC2 instance. You can use EBS volumes as primary storage for data that requires frequent updates, such as the system drive for an instance or storage for a database application. You can also use them for throughput-intensive applications that perform continuous disk scans. EBS volumes persist independently from the running life of an EC2 instance.

Here is a list of important information about EBS Volumes:
* When you create an EBS volume in an Availability Zone, it is automatically replicated within that zone to prevent data loss due to a failure of any single hardware component.
* After you create a volume, you can attach it to any EC2 instance in the same Availability Zone
* Amazon EBS Multi-Attach enables you to attach a single Provisioned IOPS SSD (io1) volume to multiple Nitro-based instances that are in the same Availability Zone. However, other EBS types are not supported.
* An EBS volume is off-instance storage that can persist independently from the life of an instance. You can specify not to terminate the EBS volume when you terminate the EC2 instance during instance creation.
* EBS volumes support live configuration changes while in production which means that you can modify the volume type, volume size, and IOPS capacity without service interruptions.
* Amazon EBS encryption uses 256-bit Advanced Encryption Standard algorithms (AES-256)
* EBS Volumes offer 99.999% SLA.

61
Q

Kinesis Data Streams vs Firehose

A

Key points:
* Kinesis Data Streams allows consumers to READ streaming data (consumers poll the data)
* Kinesis Data Firehose is used to LOAD streaming data into a target destination (destinations receive the data because they are subscribed)

Kinesis Data Stream consumers:
* Lambda
* EC2
* Spark on Elastic MapReduce
* Kinesis Data Analytics

Kinesis Data Firehose consumers:
* S3
* RedShift
* ElasticSearch
* Splunk

62
Q

Kinesis Data Streams vs Firehose

A

Kinesis Data Stream features:
* ingests and stores data streams to be READ by the consumer
* can hold data for up to 365 days
* can replay
* manual scaling

Kinesis Data Firehose features:
* prepares and LOADS the data continuously into the destination you choose
* can NOT store data
* no replay
* automatically scales

63
Q

File Gateway

A

File Gateway presents a file-based interface to Amazon S3, which appears as a network file share. It enables you to store and retrieve Amazon S3 objects through standard file storage protocols.

File Gateway allows your existing file-based applications or devices to use secure and durable cloud storage without needing to be modified. With File Gateway, your configured S3 buckets will be available as Network File System (NFS) mount points or Server Message Block (SMB) file shares.

64
Q

Client-side vs Server-side encryption keys

A

Use Server-Side Encryption – You request Amazon S3 to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects.

  • Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
  • Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
  • Use Server-Side Encryption with Customer-Provided Keys (SSE-C)

Use Client-Side Encryption – You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.

  • Use Client-Side Encryption with AWS KMS–Managed Customer Master Key (CMK)
  • Use Client-Side Encryption Using a Client-Side Master Key
65
Q

AWS Fargate

A

AWS Fargate is a serverless compute engine for containers that works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS). Fargate makes it easy for you to focus on building your applications. Fargate removes the need to provision and manage servers, lets you specify and pay for resources per application, and improves security through application isolation by design.

For microservices architecture: use AWS Fargate on Amazon EKS with Service Auto Scaling to run the containerized app platform

66
Q

AWS Backup

A

AWS Backup is a centralized backup service that makes it easy and cost-effective for you to backup your application data across AWS services in the AWS Cloud, helping you meet your business and regulatory backup compliance requirements.

AWS Backup makes protecting your AWS storage volumes, databases, and file systems simple by providing a central place where you can configure and audit the AWS resources you want to backup, automate backup scheduling, set retention policies, and monitor all recent backup and restore activity.

Note: AWS Aurora’s maximum retention period for automated backups is only 35 days. Therefore, for anything longer than 35 days, use AWS Backup.

67
Q

AWS Database Migration Service

A

AWS Database Migration Service helps you migrate your databases to AWS with virtually no downtime. All data changes to the source database that occur during the migration are continuously replicated to the target, allowing the source database to be fully operational during the migration process.

68
Q

EC2 pricing types

A

$ Spot Instances
* spare EC2 capacity available at a deep discount, but AWS can reclaim it with a two-minute warning
* fault-tolerant or flexible workloads that need a short-term compute boost and can survive interruption

$$ Reserved Instances
* capacity reservation purchased on a 1 or 3 year term at a discount
* applications with steady-state usage

$$$$ On-Demand
* pay-as-you-go, scalable
* short-term, variable workloads that cannot be interrupted

$$$$$ Dedicated Host
* fully dedicated physical server
* projects that must meet corporate compliance or server-bound software licensing requirements

69
Q

AWS Service Comparison

A

https://tutorialsdojo.com/comparison-of-aws-services/

72
Q

AWS Transit Gateway

A

AWS Transit Gateway provides a hub and spoke design for connecting VPCs and on-premises networks. You can attach all your hybrid connectivity (VPN and Direct Connect connections) to a single Transit Gateway consolidating and controlling your organization’s entire AWS routing configuration in one place. It also controls how traffic is routed among all the connected spoke networks using route tables. This hub and spoke model simplifies management and reduces operational costs because VPCs only connect to the Transit Gateway to gain access to the connected networks.

73
Q

Amazon DynamoDB Accelerator (DAX)

A

Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to a 10x performance improvement – from milliseconds to microseconds – even at millions of requests per second.

DAX does all the heavy lifting required to add in-memory acceleration to your DynamoDB tables, without requiring developers to manage cache invalidation, data population, or cluster management.

74
Q

AWS Lambda

A

AWS Lambda scales your functions automatically on your behalf. Every time an event notification is received for your function, AWS Lambda quickly locates free capacity within its compute fleet and runs your code. Since your code is stateless, AWS Lambda can start as many copies of your function as needed without lengthy deployment and configuration delays.

75
Q

Amazon API Gateway

A

Amazon API Gateway lets you create an API that acts as a “front door” for applications to access data, business logic, or functionality from your back-end services, such as code running on AWS Lambda.

Amazon API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization, and access control, monitoring, and API version management. Amazon API Gateway has no minimum fees or startup costs.

76
Q

Amazon S3 Gateway endpoint

A

VPC endpoints for Amazon S3 simplify access to S3 from within a VPC by providing configurable and highly reliable secure connections to S3 that do not require an internet gateway or Network Address Translation (NAT) device. When you create an S3 VPC endpoint, you can attach an endpoint policy to it that controls access to Amazon S3.

You can use two types of VPC endpoints to access Amazon S3: gateway endpoints and interface endpoints.
* A gateway endpoint is a gateway that you specify in your route table to access Amazon S3 from your VPC over the AWS network.
* Interface endpoints extend the functionality of gateway endpoints by using private IP addresses to route requests to Amazon S3 from within your VPC, on-premises, or from a different AWS Region. Interface endpoints are compatible with gateway endpoints. If you have an existing gateway endpoint in the VPC, you can use both types of endpoints in the same VPC.

77
Q

Amazon FSx

A

Amazon FSx lets you easily and securely back up, archive, or replicate your on-premises file storage to AWS in order to meet regulatory, data retention, or disaster recovery requirements.

Amazon FSx for Windows File Server provides fully managed, highly reliable, and scalable file storage that is accessible over the industry-standard Server Message Block (SMB) protocol. It is built on Windows Server, delivering a wide range of administrative features such as user quotas, end-user file restore, and Microsoft Active Directory (AD) integration. Amazon FSx is accessible from Windows, Linux, and macOS compute instances and devices. Thousands of compute instances and devices can access a file system concurrently.

78
Q

AWS Database Migration Service (AWS DMS)

A

AWS Database Migration Service (AWS DMS) is a cloud service that makes it easy to migrate relational databases, data warehouses, NoSQL databases, and other types of data stores. You can use AWS DMS to migrate your data into the AWS Cloud or between combinations of cloud and on-premises setups.

With AWS DMS, you can perform one-time migrations, and you can replicate ongoing changes to keep sources and targets in sync. If you want to migrate to a different database engine, you can use the AWS Schema Conversion Tool (AWS SCT) to translate your database schema to the new platform. You then use AWS DMS to migrate the data. Because AWS DMS is a part of the AWS Cloud, you get the cost efficiency, speed to market, security, and flexibility that AWS services offer.

You can use AWS DMS to migrate data to an Amazon DynamoDB table. Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. AWS DMS supports using a relational database or MongoDB as a source.

79
Q

Amazon Elastic MapReduce (EMR)

A

Amazon Elastic MapReduce (EMR) is a managed cluster platform that simplifies running big data frameworks, such as Apache Hadoop and Apache Spark, on AWS to process and analyze vast amounts of data. By using these frameworks and related open-source projects such as Apache Hive and Apache Pig, you can process data for analytics purposes and business intelligence workloads. Additionally, you can use Amazon EMR to transform and move large amounts of data into and out of other AWS data stores and databases such as Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB.

80
Q

S3 Select

A

Amazon S3 Select is designed to help analyze and process data within an object in Amazon S3 buckets, faster and cheaper. It works by providing the ability to retrieve a subset of data from an object in Amazon S3 using simple SQL expressions. Your applications no longer have to use compute resources to scan and filter the data from an object, potentially increasing query performance by up to 400%, and reducing query costs as much as 80%. You simply change your application to use the SelectObjectContent API (SELECT) instead of GetObject (GET) to take advantage of S3 Select.

81
Q

Amazon Redshift Spectrum

A

Amazon Redshift also includes Redshift Spectrum, allowing you to directly run SQL queries against exabytes of unstructured data in Amazon S3. No loading or transformation is required, and you can use open data formats, including Avro, CSV, Grok, ORC, Parquet, RCFile, RegexSerDe, SequenceFile, TextFile, and TSV. Redshift Spectrum automatically scales query compute capacity based on the data being retrieved, so queries against Amazon S3 run fast, regardless of data set size.

82
Q

Aurora Reader Endpoint

A

A reader endpoint for an Aurora DB cluster provides load-balancing support for read-only connections to the DB cluster. Use the reader endpoint for read operations, such as queries.

By processing those statements on the read-only Aurora Replicas, this endpoint reduces the overhead on the primary instance. It also helps the cluster to scale the capacity to handle simultaneous SELECT queries, proportional to the number of Aurora Replicas in the cluster. Each Aurora DB cluster has one reader endpoint.

If the cluster contains one or more Aurora Replicas, the reader endpoint load balances each connection request among the Aurora Replicas. In that case, you can only perform read-only statements such as SELECT in that session. If the cluster only contains a primary instance and no Aurora Replicas, the reader endpoint connects to the primary instance. In that case, you can perform write operations through the endpoint.

83
Q

What is a Transit Gateway?

A

A transit gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks. As your cloud infrastructure expands globally, inter-Region peering connects transit gateways together using the AWS Global Infrastructure. Your data is automatically encrypted and never travels over the public internet.

AWS Transit Gateway deploys an elastic network interface within VPC subnets, which is then used by the transit gateway to route traffic to and from the chosen subnets. You must have at least one subnet for each Availability Zone, which then enables traffic to reach resources in every subnet of that zone.

84
Q

Amazon EventBridge

A

Amazon EventBridge is a service that provides real-time access to changes in data in AWS services, your own applications, and software as a service (SaaS) applications without writing code.

It is a serverless event bus service that you can use to connect your applications with data from a variety of sources.

You can use an Amazon EventBridge (Amazon CloudWatch Events) rule with a custom event pattern and an input transformer to match an AWS Config evaluation rule output as NON_COMPLIANT. Then, route the response to an Amazon Simple Notification Service (Amazon SNS) topic.
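The NON_COMPLIANT routing described on this card, as an added example that is not AWS code: a minimal re-implementation of EventBridge event-pattern matching (exact-match and "prefix" leaf matchers only) and an input transformer, run offline against a constructed AWS Config compliance-change event. The pattern, the InputPathsMap and the template are the ones a rule targeting SNS would carry; the event ids and timestamps are placeholders.

```python
"""Added example (not AWS code): a minimal re-implementation of EventBridge
event-pattern matching and input transformation, run offline against a
constructed AWS Config compliance-change event.  Only exact-match and
{"prefix": ...} leaf matchers are implemented, which is all the
NON_COMPLIANT routing rule on this card needs."""
from typing import Any, Optional


def sample_event(compliance_type: str = "NON_COMPLIANT") -> dict:
    """Constructed event shaped like a Config 'Config Rules Compliance Change'
    record.  Ids and timestamps are placeholders."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": "Config Rules Compliance Change",
        "source": "aws.config",
        "account": "123456789012",
        "time": "2024-01-01T00:00:00Z",
        "region": "us-east-1",
        "resources": [],
        "detail": {
            "resourceId": "sg-0123456789abcdef0",
            "resourceType": "AWS::EC2::SecurityGroup",
            "awsRegion": "us-east-1",
            "awsAccountId": "123456789012",
            "configRuleName": "restricted-ssh",
            "messageType": "ComplianceChangeNotification",
            "newEvaluationResult": {"complianceType": compliance_type},
            "oldEvaluationResult": {"complianceType": "COMPLIANT"},
        },
    }


# Rule event pattern: every key in the pattern must be present in the event and
# match; a leaf is a list of alternatives, any one of which may match.
NON_COMPLIANT_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "messageType": ["ComplianceChangeNotification"],
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}

# Input transformer: pull fields out of the event, then fill a message template.
INPUT_PATHS_MAP = {
    "time": "$.time",
    "rule": "$.detail.configRuleName",
    "resourceType": "$.detail.resourceType",
    "resourceId": "$.detail.resourceId",
    "account": "$.detail.awsAccountId",
    "region": "$.detail.awsRegion",
    "compliance": "$.detail.newEvaluationResult.complianceType",
}
INPUT_TEMPLATE = ("On <time> AWS Config rule <rule> evaluated the <resourceType> "
                  "<resourceId> in account <account> (<region>) as <compliance>.")


def _leaf_matches(alternatives: list, value: Any) -> bool:
    """One alternative matches if it equals the value or is a {"prefix": ...} matcher."""
    for alt in alternatives:
        if isinstance(alt, dict) and "prefix" in alt:
            if isinstance(value, str) and value.startswith(alt["prefix"]):
                return True
        elif alt == value:
            return True
    return False


def matches(pattern: dict, event: Any) -> bool:
    """Recursive match.  A key missing from the event never matches; if the
    event value is an array, it matches when any element matches."""
    if not isinstance(event, dict):
        return False
    for key, sub in pattern.items():
        if key not in event:
            return False
        value = event[key]
        candidates = value if isinstance(value, list) else [value]
        if isinstance(sub, dict):
            matched = any(matches(sub, c) for c in candidates)
        else:
            matched = any(_leaf_matches(sub, c) for c in candidates)
        if not matched:
            return False
    return True


def _json_path(event: dict, path: str) -> Any:
    """Resolve a '$.a.b.c' path (dot notation only, no wildcards)."""
    node: Any = event
    for part in path.lstrip("$.").split("."):
        node = node[part]
    return node


def transform(event: dict, paths: dict, template: str) -> str:
    """Substitute each <name> in the template with the value at its path."""
    out = template
    for name, path in paths.items():
        out = out.replace(f"<{name}>", str(_json_path(event, path)))
    return out


def route(event: dict) -> Optional[str]:
    """The message the rule would hand to its SNS target, or None if not matched."""
    if not matches(NON_COMPLIANT_PATTERN, event):
        return None
    return transform(event, INPUT_PATHS_MAP, INPUT_TEMPLATE)


if __name__ == "__main__":
    print(route(sample_event()))
    print(route(sample_event("COMPLIANT")))
```

Matching on `detail.newEvaluationResult.complianceType` rather than on the whole detail is what keeps the rule from firing on every evaluation; a change back to COMPLIANT produces the same detail-type and message type and is dropped by the pattern.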

85
Q

AWS Config

A

AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time.

You can use AWS Config rules to evaluate the configuration settings of your AWS resources. When AWS Config detects that a resource violates the conditions in one of your rules, AWS Config flags the resource as non-compliant and sends a notification. AWS Config continuously evaluates your resources as they are created, changed, or deleted.

To analyze potential security weaknesses, you need detailed historical information about your AWS resource configurations, such as the AWS Identity and Access Management (IAM) permissions that are granted to your users or the Amazon EC2 security group rules that control access to your resources.

86
Q

AWS Control Tower

A

AWS Control Tower offers the easiest way to set up and govern a secure, multi-account AWS environment. It establishes a landing zone that is based on best-practices blueprints, and it enables governance using controls you can choose from a pre-packaged list.

87
Q

VPC Flow Logs

A

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Each record carries source and destination addresses and ports, the protocol, packet and byte counts, and whether the traffic was accepted or rejected by the security groups and network ACLs; payloads are not captured. Logs can be published to CloudWatch Logs, Amazon S3, or Kinesis Data Firehose.
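Two detections a practitioner would run over flow logs, as an added example that is not AWS code: a parser for the default (version 2) record format and checks for accepted SSH/RDP from outside the VPC and for rejected port sweeps. The log lines are constructed; treating RFC 1918 space as "internal" and the three-port scan threshold are our assumptions.

```python
"""Added example (not AWS code): parse VPC Flow Log records in the default
version-2 format and run two detections over them.  The log lines are
constructed; "internal" meaning RFC 1918 space and the scan threshold are our
assumptions."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Default flow-log record layout (version 2), space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed records: an SSH probe from the internet that was rejected and then
# accepted, an internal MySQL flow, a small port sweep that the ACL rejected,
# and a NODATA record (no traffic in the window, so the addresses are "-").
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.12 10.0.1.25 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.12 10.0.1.25 51235 22 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 10.0.2.40 43210 3306 6 20 5600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60002 198.51.100.7 10.0.1.30 40000 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60002 198.51.100.7 10.0.1.30 40001 445 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60002 198.51.100.7 10.0.1.30 40002 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60002 198.51.100.7 10.0.1.30 40003 8080 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1700000000 1700000060 - NODATA
"""

# Assumption: anything in RFC 1918 space is "ours"; everything else is the internet.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


@dataclass(frozen=True)
class Flow:
    interface_id: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    srcport: int
    dstport: int
    protocol: int      # IANA number: 6 = TCP, 17 = UDP
    packets: int
    bytes: int
    action: str        # ACCEPT or REJECT


def parse(text: str) -> List[Flow]:
    """Parse default-format records, skipping NODATA/SKIPDATA and malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # not a default-format record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                      # NODATA / SKIPDATA: no addresses to inspect
        flows.append(Flow(
            interface_id=rec["interface_id"],
            src=ipaddress.ip_address(rec["srcaddr"]),
            dst=ipaddress.ip_address(rec["dstaddr"]),
            srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
            protocol=int(rec["protocol"]), packets=int(rec["packets"]),
            bytes=int(rec["bytes"]), action=rec["action"]))
    return flows


def is_internal(ip) -> bool:
    return any(ip in net for net in RFC1918)


def accepted_admin_from_internet(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """ACCEPTed TCP flows to SSH/RDP whose source is outside RFC 1918 space.
    A REJECT means a security group or NACL did its job; ACCEPT is the finding."""
    return [(str(f.src), str(f.dst), ADMIN_PORTS[f.dstport])
            for f in flows
            if f.action == "ACCEPT" and f.protocol == 6
            and f.dstport in ADMIN_PORTS and not is_internal(f.src)]


def scanners(flows: List[Flow], min_ports: int = 3) -> Dict[str, List[int]]:
    """Sources whose REJECTed flows touch at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for f in flows:
        if f.action == "REJECT":
            ports[str(f.src)].add(f.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    flows = parse(SAMPLE_LOG)
    print("admin access accepted from internet:", accepted_admin_from_internet(flows))
    print("probable scanners:", scanners(flows))
```

The RFC 1918 list is spelled out instead of using `ipaddress.is_private` because Python also treats the documentation ranges (203.0.113.0/24, 198.51.100.0/24) used in the sample as non-global, which would hide the finding.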

88
Q

AWS Health

A

AWS Health provides ongoing visibility into your resource performance and the availability of your AWS services and accounts. You can use AWS Health events to learn how service and resource changes might affect your applications running on AWS. AWS Health provides relevant and timely information to help you manage events in progress. AWS Health also helps you be aware of and to prepare for planned activities.

You can use Amazon EventBridge to detect and react to AWS Health events. Then, based on the rules that you create, EventBridge invokes one or more target actions when an event matches the values that you specify in a rule. For example, you can use AWS Health to receive email notifications if you have AWS resources in your AWS account that are scheduled for updates, such as Amazon Elastic Compute Cloud (Amazon EC2) instances.

89
Q

Elastic Fabric Adapter (EFA)

A

An Elastic Fabric Adapter (EFA) is a network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications.

EFA provides lower and more consistent latency and higher throughput than the TCP transport traditionally used in cloud-based HPC systems.

90
Q

CloudWatch

A

The Amazon CloudWatch agent enables you to collect both system metrics and log files from Amazon EC2 instances and on-premises servers.

CloudWatch monitors (built-in EC2 metrics, reported by the hypervisor):
* CPU utilization
* Network utilization
* Disk performance
* Disk Reads/Writes

It does NOT monitor memory usage (or disk space usage), because the hypervisor cannot see inside the guest OS. You have to install the CloudWatch agent on the EC2 instance to collect and publish memory usage as a custom metric.

91
Q

CloudWatch basic vs detailed monitoring

A

EC2 basic monitoring = metrics at 5-minute intervals (free)

EC2 detailed monitoring = metrics at 1-minute intervals (charged)

CloudWatch agent running on an EC2 instance = custom metrics (e.g. memory) at a configurable collection interval, 60 seconds by default

92
Q

AWS License Manager

A

AWS License Manager is a service that makes it easier for you to manage your software licenses from software vendors (for example, Microsoft, SAP, Oracle, and IBM) centrally across AWS and your on-premises environments.

You can prevent license usage when the available licenses are exhausted by selecting the "Enforce license limit" option in the license configuration. When the limit would be exceeded, the instance launch is blocked to control overages.

93
Q

EBS Volume Types

A
  • $ Magnetic volume = infrequently accessed data, low cost
  • $$ General Purpose (SSD) = recommended default choice, suitable for small to mid sized databases
  • $$$ Provisioned IOPS (SSD) = consistency, low latency, designed for performance I/O intensive applications such as large relational or NoSQL databases
94
Q

Server-side encryption key types

A

Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) – Each object is encrypted with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data.

Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS) – Similar to SSE-S3, but with some additional benefits and charges for using this service. There are separate permissions for the use of a CMK that provides added protection against unauthorized access of your objects in Amazon S3. SSE-KMS also provides you with an audit trail that shows when your CMK was used and by whom. Additionally, you can create and manage customer-managed CMKs or use AWS managed CMKs that are unique to you, your service, and your Region.

KMS = Key Management Service
CMK = Customer Master Key (the legacy term for what KMS now calls a KMS key; a customer managed key is one you create yourself, as opposed to an AWS managed key)

Server-Side Encryption with Customer-Provided Keys (SSE-C) – You manage the encryption keys and Amazon S3 manages the encryption, as it writes to disks, and decryption when you access your objects. The key must be sent with every PUT and GET request (over HTTPS only); S3 does not store the key, only a salted HMAC of it to validate later requests, so if you lose the key the object cannot be decrypted.

95
Q

AWS Application Migration Service (AWS MGN)

A

AWS Application Migration Service (AWS MGN) is the primary migration service recommended for lift-and-shift migrations to AWS.

AWS MGN enables organizations to move applications to AWS without having to make any changes to the applications, their architecture, or the migrated servers.

AWS Application Migration Service minimizes time-intensive, error-prone manual processes by automatically converting your source servers from physical, virtual machines, and cloud infrastructure to run natively on AWS.

96
Q

Gateway endpoint

A

A Gateway endpoint is a type of VPC endpoint that provides reliable connectivity to Amazon S3 and DynamoDB without requiring an internet gateway or a NAT device for your VPC. Instances in your VPC do not require public IP addresses to communicate with resources in the service.

When you create a Gateway endpoint, you can attach an endpoint policy that controls access to the service to which you are connecting. You can modify the endpoint policy attached to your endpoint and add or remove the route tables used by the endpoint. An endpoint policy does not override or replace IAM user policies or service-specific policies (such as S3 bucket policies). It is a separate policy for controlling access from the endpoint to the specified service.

97
Q

Amazon Pinpoint

A

In Amazon Pinpoint, an event is an action that occurs when a user interacts with one of your applications, when you send a message from a campaign or journey, or when you send a transactional SMS or email message. For example, if you send an email message, several events occur:

– When you send the message, a send event occurs.

– When the message reaches the recipient’s inbox, a delivered event occurs.

– When the recipient opens the message, an open event occurs.

You can configure Amazon Pinpoint to send information about events to Amazon Kinesis. The Kinesis platform offers services that you can use to collect, process, and analyze data from AWS services in real time.

98
Q

network access control list (ACL)

A

A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. Unlike security groups, network ACLs are stateless: rules are evaluated in ascending rule-number order, the first match wins, the implicit "*" rule denies anything unmatched, and return traffic is not allowed automatically, so the outbound (or inbound) rules must explicitly allow the ephemeral port range the other party uses.
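The stateless evaluation described above, as an added example that is not AWS code: a small evaluator that walks inbound and outbound rule sets in rule-number order with an implicit deny, applied to a constructed HTTPS rule set. It shows the common mistake of mirroring the inbound rule on the outbound side (replies to the client's ephemeral port are dropped), the corrected outbound rule, and why a deny rule numbered after an allow never fires.

```python
"""Added example (not AWS code): evaluate inbound and outbound network ACL rules
the way the VPC does (ascending rule number, first match wins, implicit "*"
deny) to show why a stateless ACL needs an explicit ephemeral-port rule for
return traffic.  Rule sets and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    number: int        # 1-32766; lower numbers are evaluated first
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound
    allow: bool


def evaluate(rules: List[Rule], protocol: str, dst_port: int, remote_ip: str) -> bool:
    """First rule (by number) matching protocol, destination port and remote
    address decides; with no match the implicit '*' rule denies."""
    ip = ipaddress.ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol != "all" and r.protocol != protocol:
            continue
        if r.protocol != "all" and not (r.port_from <= dst_port <= r.port_to):
            continue
        if ip not in ipaddress.ip_network(r.cidr):
            continue
        return r.allow
    return False


def check_tcp_connection(inbound: List[Rule], outbound: List[Rule],
                         client_ip: str, client_port: int, server_port: int) -> Dict[str, bool]:
    """A stateless ACL sees the request (inbound, dst = server_port) and the reply
    (outbound, dst = the client's ephemeral port) as two unrelated packets."""
    return {
        "request": evaluate(inbound, "tcp", server_port, client_ip),
        "reply": evaluate(outbound, "tcp", client_port, client_ip),
    }


# Inbound: block one abusive /24 ahead of the general HTTPS allow.  Rule order
# matters: numbered 110 instead of 90, the deny would never be reached.
INBOUND = [
    Rule(90, "tcp", 443, 443, "198.51.100.0/24", allow=False),
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", allow=True),
]
INBOUND_DENY_TOO_LATE = [
    Rule(110, "tcp", 443, 443, "198.51.100.0/24", allow=False),
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", allow=True),
]

# Weak: outbound mirrors the inbound rule, so replies to the client's ephemeral port are dropped.
OUTBOUND_WEAK = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", allow=True)]

# Corrected: allow the ephemeral range (1024-65535) that clients pick source ports from.
OUTBOUND_FIXED = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", allow=True)]


if __name__ == "__main__":
    print("weak   :", check_tcp_connection(INBOUND, OUTBOUND_WEAK, "203.0.113.12", 51234, 443))
    print("fixed  :", check_tcp_connection(INBOUND, OUTBOUND_FIXED, "203.0.113.12", 51234, 443))
    print("blocked:", check_tcp_connection(INBOUND, OUTBOUND_FIXED, "198.51.100.7", 51234, 443))
```

The same ephemeral-range reasoning applies in the other direction: a subnet whose instances call out must have an inbound rule for 1024-65535 (or the narrower range its OS actually uses) or the responses never arrive.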

99
Q

How to make S3 bucket public

A

By default, all Amazon S3 resources such as buckets, objects, and related subresources are private, which means that only the AWS account holder (resource owner) that created it has access to the resource. The resource owner can optionally grant access permissions to others by writing an access policy. In S3, you can also set the permissions of the object during upload to make it public.

  • Configure the S3 bucket policy to set all objects to public read.
  • Grant public read access to the object when uploading it using the S3 Console (an object ACL, which requires ACLs to be enabled on the bucket).

Note: both methods are blocked by S3 Block Public Access, which is enabled by default on new buckets and overrides public bucket policies and public ACLs; it must be turned off for the bucket (and not enforced at the account level) before either setting takes effect.
100
Q

Amazon Elastic Block Store volumes

A
  • Snapshots of an encrypted volume are automatically encrypted, and volumes created from an encrypted snapshot are encrypted.
  • On an encrypted volume, all data moving between the volume and the instance is encrypted in transit, as is the data at rest on the volume.

Amazon Elastic Block Store (Amazon EBS) provides block-level storage volumes for use with EC2 instances. EBS volumes are highly available and reliable storage volumes that can be attached to any running instance that is in the same Availability Zone. EBS volumes that are attached to an EC2 instance are exposed as storage volumes that persist independently from the life of the instance.

101
Q

EC2 Auto Scaling policy types

A

Amazon EC2 Auto Scaling supports the following types of scaling policies:

Target tracking scaling – Increase or decrease the current capacity of the group based on a target value for a specific metric. This is similar to the way that your thermostat maintains the temperature of your home – you select a temperature and the thermostat does the rest.

Step scaling – Increase or decrease the current capacity of the group based on a set of scaling adjustments, known as step adjustments, that vary based on the size of the alarm breach.

Simple scaling – Increase or decrease the current capacity of the group based on a single scaling adjustment.
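How a step scaling policy turns the size of the alarm breach into an adjustment, as an added example that is not AWS code. Bounds follow the documented semantics (relative to the alarm threshold; lower bound inclusive and upper bound exclusive when the metric is above the threshold, the reverse below it), the result is clamped to the group's min/max, and simple scaling falls out as the one-step special case. Cooldowns, instance warm-up and PercentChangeInCapacity are left out; the two policies below are constructed.

```python
"""Added example (not AWS code): how a step scaling policy picks its adjustment
from the size of the alarm breach, with simple scaling as the one-step special
case.  Bounds follow the documented semantics (lower inclusive / upper exclusive
above the threshold, the reverse below it).  Cooldowns, warm-up and
PercentChangeInCapacity are left out; the policies are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StepAdjustment:
    lower: Optional[float]   # MetricIntervalLowerBound relative to the threshold; None = -infinity
    upper: Optional[float]   # MetricIntervalUpperBound relative to the threshold; None = +infinity
    adjustment: int          # ScalingAdjustment as ChangeInCapacity (negative scales in)


def select_step(steps: List[StepAdjustment], threshold: float,
                metric: float) -> Optional[StepAdjustment]:
    """Return the step whose interval contains (metric - threshold), or None."""
    diff = metric - threshold
    above = metric > threshold
    for s in steps:
        lo = float("-inf") if s.lower is None else s.lower
        hi = float("inf") if s.upper is None else s.upper
        if (lo <= diff < hi) if above else (lo < diff <= hi):
            return s
    return None


def step_scale(current: int, min_size: int, max_size: int,
               steps: List[StepAdjustment], threshold: float, metric: float) -> int:
    """New desired capacity, clamped to the group's min/max."""
    step = select_step(steps, threshold, metric)
    if step is None:
        return current
    return max(min_size, min(max_size, current + step.adjustment))


def simple_scale(current: int, min_size: int, max_size: int,
                 adjustment: int, threshold: float, metric: float) -> int:
    """Simple scaling: one fixed adjustment whenever the alarm is breached,
    i.e. a single step with no bounds (the alarm decides whether it runs)."""
    return step_scale(current, min_size, max_size,
                      [StepAdjustment(None, None, adjustment)], threshold, metric)


# Scale-out policy on an alarm "CPU >= 60%": the further over, the more instances.
SCALE_OUT = [
    StepAdjustment(0, 10, 1),      # 60 <= cpu < 70  -> +1
    StepAdjustment(10, 20, 2),     # 70 <= cpu < 80  -> +2
    StepAdjustment(20, None, 4),   # cpu >= 80       -> +4
]

# Scale-in policy on an alarm "CPU <= 30%": below the threshold the bounds flip
# (lower exclusive, upper inclusive), so cpu == 20 lands in the second step.
SCALE_IN = [
    StepAdjustment(-10, 0, -1),    # 20 < cpu <= 30  -> -1
    StepAdjustment(None, -10, -2), # cpu <= 20       -> -2
]


if __name__ == "__main__":
    for cpu in (65, 70, 95):
        print(f"cpu={cpu}: 4 -> {step_scale(4, 2, 10, SCALE_OUT, 60, cpu)}")
    for cpu in (25, 20):
        print(f"cpu={cpu}: 5 -> {step_scale(5, 2, 10, SCALE_IN, 30, cpu)}")
```

Target tracking is deliberately not modelled: it has no user-supplied steps, and its internal proportional computation is not something the card documents.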

102
Q

Amazon Pinpoint

A

Amazon Pinpoint is an AWS service that you can use to engage with your customers across multiple messaging channels. You can use Amazon Pinpoint to send push notifications, in-app notifications, emails, text messages, voice messages, and messages over custom channels.

In Amazon Pinpoint, an event is an action that occurs when a user interacts with one of your applications, when you send a message from a campaign or journey, or when you send a transactional SMS or email message

103
Q

AWS Trusted Advisor

A

AWS Trusted Advisor is an online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment.

AWS Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices.

104
Q

Amazon Polly & Amazon Lex

A

Amazon Polly converts text inputs to speech.

Amazon Lex is a service for building conversational interfaces using voice and text (chatbot).

105
Q

Amazon Elastic File System

A

Amazon Elastic File System (EFS) is designed to provide serverless, fully elastic file storage that lets you share file data without provisioning or managing storage capacity and performance.

Choose this when questions ask about best storage solution that “allows concurrent connections from multiple EC2 instances”.

106
Q

Enhanced Networking

A
  • When you need higher packet per second (PPS) performance
  • When you need consistently lower inter-instance latency
107
Q

Port connections

A

Port 22 = SSH
Port 3389 = RDP (Remote Desktop Protocol), TCP and UDP
Port 3306 = MySQL

108
Q

Route53, NLB and ALB

A

Network Load Balancer and Application Load Balancer are regional: they can only distribute traffic within their own region, not to other regions.

Route53 is best used instead to balance the incoming load to two or more AWS regions more effectively.

109
Q

AWS Artifact

A

AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements.

Reports available in AWS Artifact include AWS's Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).

110
Q

POSIX-compliant shared file system.

A

Use Amazon Elastic File System (EFS)

111
Q

VPC stuff

A

Internet Gateway is used for instances in the public subnet to have accessibility to the Internet

NAT Gateway allows instances in a private subnet to initiate connections to the Internet, while the Internet cannot initiate connections to those instances

VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services

Transit Gateway is used for interconnecting VPCs and on-premises networks through a central hub