Cantrill Slides Flashcards
What are the 5 key features of Cloud Computing?
- On-demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service
What is Hybrid Cloud?
Using Public Cloud and Private Cloud
What is private cloud?
Using on-premises cloud, i.e. AWS Outposts
What are the 9 parts of the infrastructure stack?
- Application
- Data
- Runtime
- Container
- O/S
- Virtualisation
- Servers
- Infrastructure
- Facilities
What level of the infrastructure stack is IaaS?
O/S
What level of the infrastructure stack is PaaS?
Runtime
What level of the infrastructure stack is SaaS?
Application
What are the parts of the OSI 7-Layer model?
- Layer 7 - Application (Host Layer)
- Layer 6 - Presentation (Host Layer)
- Layer 5 - Session (Host Layer)
- Layer 4 - Transport (Host Layer)
- Layer 3 - Network (Media Layer)
- Layer 2 - Data Link (Media Layer)
- Layer 1 - Physical (Media Layer)
What are three different network zones?
- “Public Internet” zone
- “AWS Public” zone
- “AWS Private” zone
3 features of AWS Regions
- Geographic separation
- Geopolitical separation
- Location control
3 levels of service resilience
- Globally resilient
- Region resilient
- AZ resilient
How many accounts and regions can a VPC be within?
1 and 1
What is the default VPC CIDR?
172.31.0.0/16
True or False; Default VPC subnets assign public IPv4 addresses?
True
What … as a Service is EC2?
IaaS
How are on-demand EC2 instances billed?
per second
What 3 things does an AMI contain?
- Permissions
- Root volume
- Block device mapping
In S3 what are the key and values?
Key = name of file
Value = content being stored
4 S3 bucket name rules
- Must be globally unique
- 3-63 characters, all lowercase, no underscores
- Start with a lowercase letter or a number
- Can't be IP formatted, e.g. 1.1.1.1
How many S3 buckets can you have?
- 100 soft limit
- 1,000 hard limit per account
How many objects can you have in an S3 bucket?
Unlimited
What type of storage is S3?
Object store
Are S3 buckets mountable?
No
What does CloudWatch do?
Collects and manages operational data
What is High-Availability?
Short: Minimise any outages
Long:
HA aims to ensure an agreed level of operational performance, usually uptime, for a higher than normal period
What is Fault Tolerance (FT)?
Short: Operate through faults
Long: FT is the property that enables a system to continue operating properly in the event of the failure of some (one or more faults within) of its components
What is Disaster Recovery (DR)?
Short: Used when high availability and fault-tolerance don’t work
Long: a set of policies, tools and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster
Route53 basic tasks (2):
1 - Register domains
2 - Host zones (managed nameservers)
What do A records refer to?
IPv4
What do AAAA records refer to?
IPv6
What are IAM users and when are they used?
IAM Users are an identity used for anything requiring long-term AWS access, e.g. Humans, Applications or Service Accounts
What does an Amazon Resource Name (ARN) do?
Uniquely identifies resources within any AWS account
What is the max number of IAM users per account?
5,000
How many groups can an IAM user be a member of?
10 groups
What are IAM Groups?
IAM Groups are containers for IAM Users
True or False; Groups are not a true identity?
True, they can't be referenced as a principal in a policy
What are Service Control Policies (SCPs)?
- Account permissions boundaries, they limit what the account (including account root user) can do.
- They don’t grant any permissions
Are service control policies allow or deny?
Both
What does CloudTrail do?
Logs API calls/activities as a CloudTrail Event
How long is CloudTrail data stored by default in Event History?
90 days
Is CloudTrail realtime?
No
What is AWS Control Tower?
It provides quick and easy setup of a multi-account environment and orchestrates other AWS services to provide this functionality
What are Control Tower Guard Rails?
They detect/mandate rules/standards across all accounts
What is Control Tower Account Factory?
It automates and standardises new account creation
What 3 AWS services are used to build AWS Control Tower - Landing Zone?
- AWS Organisations
- AWS Config
- AWS CloudFormation
True or False; S3 is private by default?
True
Are bucket policies allow or deny?
Both
What is Key Management Service (KMS)?
- A regional and public service
- Create, store and manage keys
True or False; with KMS, keys never leave KMS?
True
What is the max size of data that can be encrypted directly with a KMS key?
4 KB
True or False; S3 buckets can be encrypted?
False; Buckets aren’t encrypted, objects are
What is the S3 default bucket encryption?
AES256
How are you charged for S3 standard?
- Per GB/month fee for data stored
- $ per GB for transfer out
- price per 1,000 requests
How many AZs is S3 data replicated over?
3 AZs
When to use S3 standard?
For frequently accessed data which is important and non-replaceable
How are you charged for S3 Standard IA?
per GB data retrieval fee
True or False; S3 Standard IA has a minimum duration charge?
True, 30 days
When to use S3 Standard IA?
For long-lived data, which is important but where access is infrequent
How are you charged for S3 One Zone-IA?
per GB of data retrieval fee
True or False; S3 One Zone-IA has a minimum duration charge?
True, 30 days
When should you use S3 One Zone-IA?
long-lived data which is non-critical and replaceable and where access is infrequent
How are you charged for S3 Glacier Instant?
per GB data retrieval fee
True or False; S3 Glacier Instant has a minimum duration charge?
True, 90 days
When should you use S3 Glacier Instant?
For long-lived data accessed around once per quarter, with millisecond access
True or False; S3 Glacier Flexible objects can be made publicly accessible?
False
When should you use S3 Glacier Flexible?
For archival data where frequent or realtime access isn't needed (e.g. yearly), with retrieval time of minutes to hours
True or False; S3 Glacier Deep Archive objects can be made publicly accessible?
False
When should you use S3 Glacier Deep Archive?
For archival data that rarely if ever needs to be accessed - hours or days for retrieval
What is S3 Intelligent Tiering?
Intelligent Tiering monitors and automatically moves any objects not accessed for 30 days to a low cost infrequent access tier, and eventually to archive instant access, archive access or deep archive tiers
True or False; with S3 Intelligent Tiering, as objects are accessed, they are moved back to the frequent access tier?
True
How are you charged for S3 Intelligent Tiering?
monitoring and automation costs per 1,000 objects
When should S3 intelligent tiering be used?
For long-lived data, with changing or unknown patterns
Why use Same Region Replication (SRR)?
- Log aggregation
- Prod & Test sync
- Resilience with strict sovereignty
Why use Cross Region Replication?
- Global Resilience Improvement
- Latency Reduction
For S3 presigned URLs, what permissions are granted?
The permissions match the identity which generated it
True or False; you can create a presigned URL for an object you have no access to?
True
For S3 presigned URLs, what could access denied mean?
The generating identity:
- never had access, or
- doesn't have access now
What is S3/Glacier Select?
Lets you use SQL-like statements to select part of the object, pre-filtered by S3, so you don't need to retrieve the entire object (quicker retrieval and uses less data)
What are S3 Event Notifications?
Notification generated when events occur in a bucket
What is WORM?
Write-Once-Read-Many
True or False; S3 Object Lock requires versioning?
True
True or False; the account root user can modify S3 objects that have Object Lock enabled?
False, the root user can’t adjust, delete or overwrite until retention expires
What does an S3 Legal Hold do?
It locks an object version until the legal hold is removed; no deletes or changes can be made
What are the two types of S3 Object Lock?
- Compliance
- Governance
What is S3 Object Lock Compliance mode?
- Object version can’t be deleted or updated
- Retention period can’t be shortened
- Compliance mode can’t be changed, even by the root user
What is S3 Object Lock Governance mode?
An object version is locked until the retention period expires, except special permissions can be granted allowing lock settings to be adjusted:
s3:BypassGovernanceRetention
What is an Internet Gateway?
A region-resilient gateway attached to a VPC, which runs from within the AWS Public Zone