CCP Flashcards
Describe the Shared Responsibility Model
The CUSTOMER is responsible for security in the cloud (customer data, OS, networking, configuration, encryption, client-side data).
AWS is responsible for the security of the cloud (regions, hardware, availability zones, internal networking, storage, database and compute infrastructure).
Describe IAM (Identity and Access Management)?
users and groups only.
groups can only contain users, not other groups.
users can be a part of multiple groups.
What is an IAM Policy?
a JSON snippet that consists of: a generic version, ID to identify the policy, and a statement to allow or deny access applied to a principal (account, user, or role).
Name the 3 options to access AWS
- AWS Management Console: password and MFA
- AWS Command Line Interface (CLI): protected by access keys via CloudShell, terminal, scripts or direct via public APIs
- AWS Software Development Kit (SDK): embedded within code, protected by access keys
What is an access key made of?
Access Key ID = username
Secret Access Key = password
What is an IAM role used for?
Allow an AWS service to perform actions on your behalf
How do you audit user security?
IAM Credential Reports (account-level) and IAM Access Advisor (user level)
General purpose of an EC2 instance
EC2 = Elastic Compute Service = infrastructure as a service
Gives companies the ability to rent virtual machines
what service allows you to store data on virtual machines tied to EC2 instances?
EBS = elastic block store
a network drive (almost like a USB stick) that allows an instance’s data to persist after termination
specific to a single instance and AZ
what service allows you to distribute load across machines
ELB = elastic load balance
what service allows you to scale the services using an auto scaling group
ASG = auto scaling group
what is an EC2 instance made of
AMI (OS) + Instance Size (CPU and RAM) + Storage + security groups + EC2 user data
what is a security group
a firewall attached to the EC2 instance
what is EC2 user data
a script launched at the first start of an instance for additional set up
what is SSH
gives a user the ability to terminal into an EC2 instance usually through port 22
what is an EC2 instance role linked to
IAM role
purchasing options of EC2 instances
on demand
spot
reserved (standard or convertible)
dedicated host
dedicated instance
how do you move an EBS volume to a new AZ
EBS Snapshot
what is an AMI
AMI = Amazon Machine Image
customized operating system (OS) of an EC2 instance built for a specific region with config, monitoring, etc
AMIs can be provided by AWS, or you can build and maintain your own
how do you automate the creation of virtual machines or container images
EC2 Image Builder
what’s an alternative to EC2 Instance, why and potential use cases of alternative
EC2 Instance Store
EC2 instances are naturally larger and slower, as Instance Store uses a higher-performing hardware disk
Good for buffer, cache, scratch data and temporary content
what’s an alternative to EBS and why
EFS = Elastic File System
single EFS can be utilized across multiple AZs and mounted (EFS Mount Target) to 100s of EC2. Highly available, scalable and expensive (pay per use)
what is a better storage class for EFS, why and how do you use it
EFS-IA
lowers costs compared to EFS for files not accessed every day
EFS will automatically move files to EFS-IA based on lifecycle policy (i.e., last time the files were accessed)
what are 3 fully managed 3rd party high-performance file systems on AWS
FSx for Windows File Server = Windows-native (on prem and cloud)
FSx for Lustre = high performance computing (HPC), tons of data. great for ML, analytics, video processing, financial modeling, etc
FSx for NetApp ONTAP
high-level description of s3
allows people to store objects (files) into buckets (directories)
names must be globally unique, but are defined at the region level
the files are basically unique keys to access an object within a bucket with versioning if enabled
how do you secure s3 and examples if necessary
user-based: IAM policies allow a specific IAM user/role to access s3 via the API
encrypt objects in s3 using encryption keys
resource-based via:
- bucket policy for blanket rules for s3 across accounts
- object access control list (ACL) - finer level of security
- bucket access control list (ACL) - less common, but finer than a bucket policy
note: an IAM principal can access an s3 object if the user/group permissions ALLOW it OR the resource policy ALLOWS it, AND there is no explicit deny
what can be used to host static website and accessible to the internet
S3
s3 versioning is enabled where
enabled at the bucket level; you can version files stored in s3 when a file is uploaded with the same key
important to note: any file that is not versioned prior to enabling versioning will have version “null”, and suspending versioning does not delete the previous versions
what are two types of s3 replication and give uses
first of all versioning must be enabled and you still have to give proper IAM permissions to s3
- CRR = cross region replication. use cases: compliance, lower latency access, replication across accounts
- SRR = same region replication. use cases: log aggregation, live replication between production and test accounts
can files be moved between storage classes manually or via lifecycle policies?
yes
attributes of s3 standard - general purpose
Quickly accessible, low latency, high throughput. good for: big data, gaming, content distribution
attributes of s3 infrequent access (IA)
standard-IA: for less frequently accessed data, but requires rapid access when needed, great for DR
one zone-IA: same as above, but in a single AZ, so data is lost if AZ is destroyed, good for secondary backup or data you can recreate
obviously lower cost than s3 standard
what is the lowest cost storage class of s3
glacier storage classes, there are 3 of them:
amazon s3 glacier instant retrieval: millisecond retrieval, great for data accessed once a quarter
amazon s3 glacier flexible retrieval: min storage duration is 90 days
amazon s3 glacier deep archive: for long term, greater than 180 days
how can you automatically move s3 objects to better storage
s3 intelligent tiering. there are no retrieval charges.
how can you analyze who has access to your s3 buckets
IAM Access Analyzer. evaluates s3 buckets, s3 acl, s3 access point policies.
why does the snow family exist?
they’re portable devices to collect and process data at the edge OR migrate data into and out of AWS
to overcome challenges related to limited connectivity, bandwidth, high network costs or connection stability
great for anything that takes more than a week to transfer
what services are a part of the snow family specific to data migration? give an example.
- Snowcone. small portable device built to withstand harsh environments. must provide own battery and cables. can be sent back to AWS offline, or connected to the internet to send data with AWS DataSync.
- Snowball edge: physical data transfers to move TB or PB. large data cloud migrations, disaster recovery.
- Snowmobile: an actual truck to move exabytes of data. great for anything over 10 PB.
what services are a part of the snow family specific to edge computing? give an example.
- Snowcone. small portable device built to withstand harsh environments. must provide own battery and cables. can be sent back to AWS offline, or connected to the internet to send data with AWS DataSync.
- Snowball edge: physical data transfers to move TB or PB. large data cloud migrations, disaster recovery.
what is an option to maintain hybrid cloud storage?
AWS Storage Gateway can be a bridge between on-premises and cloud data.
specifically, on-prem files, volumes and tapes can be bridged via Storage Gateway to EBS, s3 and Glacier
what desktop application do you use to manage snow family devices
OpsHub
What service is a relational database and what query language?
Amazon RDS. SQL.
Why RDS over deploying database on EC2?
Many reasons, but the number 1 is RDS is a managed service which means we don’t have to manage the database, AWS will automate provisioning, OS patching, monitoring dashboards, scaling capability, multi-AZ DR, the list goes on.
storage backed by EBS
what is the one disadvantage of RDS vs EC2
you can’t SSH into your instance
what is aurora? what are the advantages
Amazon’s proprietary RELATIONAL database technology that supports PostgreSQL and MySQL
3-5x improved performance over RDS
there’s also an Amazon Aurora Serverless option that takes no upfront planning, overhead. good for infrequent intermittent, unpredictable workloads
caches are in memory databases with high performance and low latency. what service is useful here?
ElastiCache. Helps reduce load off databases for read intensive workloads.
what service is a high performing non relational database?
DynamoDB is a serverless NoSQL database capable of handling massive workloads with single-digit millisecond latency
How do you improve DynamoDB performance
use a fully managed in-memory cache called DynamoDB Accelerator (DAX)
What database service is great for OLAP (online analytical processing analytics and data warehousing)? and what are some key attributes?
Redshift. Based on PostgreSQL.
used for OLAP and not OLTP.
scales to PB of data, which is why Data and BI teams love it.
there is a serverless option for this as well
What service creates Hadoop clusters to analyze and process a ton of data
Amazon EMR (Elastic MapReduce). Fully managed service for data processing, machine learning, web indexing.
what service queries and analyzes s3 objects
Amazon Athena. Serverless query service using standard SQL language.
what is Amazon QuickSight?
serverless machine learning-powered BI service to create interactive dashboards. integrated with RDS, Aurora, Athena, Redshift, S3, etc
what is AWS’s version of MongoDB (NoSQL database)
DocumentDB. used to store, query, and index JSON data.
what’s a great service to manage graph databases (interconnected network). what are some use cases.
Amazon Neptune. knowledge graphs (wikipedia), fraud detection, recommendation engines, social networking
what is serverless time series database. what is it capable of?
Amazon Timestream. store and analyze trillions of events per day with built-in time series analytics functions (to identify patterns in the data near real-time)
what service provides ledger services
Amazon QLDB (Quantum Ledger Database). immutable review of all changes made to an application over time.
what is a ETL service
AWS Glue. useful for preparing and transforming data for analytics
what service supports quick and secure migration of databases to AWS, resilient, self-healing
DMS. Database Migration Service.
what is docker? what service comes into play here?
docker = platform to deploy apps that are packaged in containers that can be run on any OS (app will run the same regardless of where they’re run)
Amazon ECS (Elastic Container Service).
How is Fargate different from ECS?
ECS requires the EC2 instances to be created already.
Fargate is serverless. New container into Fargate and Fargate handles the rest.
where do you store docker images on AWS?
Amazon ECR (Elastic Container Registry).
as an alternative to EC2, for short functions?
AWS lambda. no servers to manage, ran on demand with autoscaling and event-driven.
Fully managed serverless service for developers to easily create, publish, maintain, monitor and secure APIs
Amazon API Gateway
For people with little cloud experience, but would like to stand up cloud infra, what would they use?
Amazon Lightsail. great use case of simple web applications. Has high availability, but no auto-scaling and limited aws integrations.
what is cloud formation
a declarative way to outline AWS infrastructure in the order you specify.
no infra as code, each resource is automatically tagged.
there are existing templates out there too.
what allows you to define your cloud infrastructure using a familiar language
AWS Cloud Development Kit. offers the ability to deploy infrastructure and application runtime code together.
what is elastic beanstalk
managed service for developers to create end-to-end application. just the application is the responsibility of the developer.
managed service = instance config, os, capacity provisioning, load balancing and auto scaling, application health, etc.
orchestrate steps to have code automatically pushed to production
AWS CodePipeline
hybrid service to automatically deploy applications
AWS CodeDeploy
code repository for developers to store code
CodeCommit
code building service that compiles source code, runs tests and produces packages that are ready to deploy
AWS CodeBuild
what can be used for artifact management where developers and CodeBuild can retrieve dependencies?
AWS CodeArtifact
Cloud IDE for writing, running and debugging code within the web browser.
AWS Cloud9
What helps you manage your EC2 and OnPrem systems at scale with no ssh keys or port 22 needed
AWS Systems Manager (SSM).
How do you store secrets, passwords and private config?
AWS Systems Manager Parameter Store
Managed DNS and list the policies
Route53.
Simple
Weighted: distribute traffic across servers
Latency: allow users to talk to the server closest to them
Failover Routing Policy: health check and send traffic to healthy servers
What can prevent DDoS attacks?
AWS CloudFront. Integrated with Shield and AWS Web Application Firewall
Why is AWS CloudFront valuable?
Improves read performance, content is cached at the edge. Great for dynamic content that needs to be available at low-latency in few regions.
describe AWS Outpost
server racks that offer the same AWS infrastructure, services, APIs and tools to build your own applications on-premises.
setup and managed by AWS, but the customer is responsible for the physical rack.
Infrastructure deployments embedded within telecommunications providers’ data centers at the edge of 5G networks
AWS WaveLength. Bringing AWS services to the edge of the 5G network.
what is a subset of a region called. Give an example.
AWS Local Zone. AWS Region is us-east-1 and the local zones are Boston, Chicago, Dallas, Houston, Miami
in the context of global application architecture, describe the 4 types.
Single, Single: single region, single az
Single, Multi: single region, multi az
Multi, Active-Passive: Multi region, read/write and read only for some servers
Multi, Active-Active: Multi region, read/write everywhere
what are the three different cloud integration patterns to decouple your applications
- Amazon SQS: queue model, messages deleted after they’re read with FIFO
- Amazon SNS: pub/sub model, perfect for sending one message to many receivers
- Kinesis: real-time streaming
they all can scale independently of your application
what if a company is migrating to the cloud and doesn’t want to use SQS or SNS, what else could they use to run on-prem servers?
Amazon MQ. a managed message broker service for RabbitMQ and ActiveMQ
what provides metrics and alarms for every service in AWS
Amazon CloudWatch and Amazon CloudWatch Alarms
How could you collect EC2 logs for cloud and on-prem servers?
Amazon Cloudwatch Logs
Conceptually, what is Amazon EventBridge
It gives customers the ability to schedule batch jobs, create event patterns to react to something, trigger Lambda functions or respond to 3rd party tools.
what service provides API governance, compliance and audit capability for AWS account
AWS CloudTrail
What service gives you tracing and visual analysis of your applications?
AWS X-ray
how could a company automate (ML) code reviews and application performance recommendations
Amazon CodeGuru: CodeReviewer (review code) and CodeProfiler (examine runtime behavior of applications)
what is the difference between AWS health dashboard and Account health dashboard
AWS health dashboard: status of all AWS services across all regions
AWS Account health dashboard: AWS events that impact infrastructure only
How would you provide internet access to a VPC
Internet Gateway
How would you provide an instance or private subnet internet access?
NAT Gateway / Instance
What does a NACL provide?
stateless rules, almost like a firewall for inbound and outbound traffic
what is a firewall that operates at the EC2 instance level or ENI (Elastic Network Interface)?
Security Group
How do you connect two VPCs?
VPC Peering, non overlapping IP ranges, non transitive
What is Elastic IP?
fixed public IPv4, ongoing cost if not in-use
how do you provide a VPC access to AWS services?
VPC Endpoints
if a company wants to connect to a 3rd party vpc what would you use?
PrivateLink
how do you connect over a public internet between onprem DC and AWS
Site-to-Site VPN
If you want to connect your computer via openVPN into your VPC what would you use
ClientVPN
If you want direct private connection to AWS what would you use
DirectConnect
If you wanted to connect thousands of VPC and onprem networks together what would you use
Transit Gateway
how do you protect the entire VPC
AWS Network Firewall and manage them with AWS Firewall Manager (rules for all accounts in AWS)
aws managed service for encryption keys. and what is the alternative:?
AWS KMS (customer-managed or aws managed)
alternative: CloudHSM, keys generated from your own hardware device
what is amazon guard duty
uses ML algorithms for anomaly detection
if there are findings, use EventBridge to send notifications or trigger Lambda functions
how would you run automated security assessments? and what are the limits
Amazon Inspector and can report findings/score to SecurityHub or EventBridge
only for EC2 instances, container images and lambda functions
how would you audit and record compliance of AWS resources per region?
AWS Config. records configuration and changes over time.
can be stored in s3 and analyzed by athena
true or false. Macie is an ML and pattern matching to discover and protect your sensitive data in AWS.
true.
what service can be used to identify the root cause of security issues or suspicious activities
Amazon Detective
Not worth creating cards for, but review ML section link included below
https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20245410#content
how do you set up multiple accounts at a time
ControlTower
what is Trusted Advisor
a service that analyzes our aws accounts and provides recommendations for the following:
- cost optimization
- performance
- security
- fault tolerance
- service limits
- operational excellence
part of the business and enterprise support plan
Not worth creating cards for, but review Billing section link included below
https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20245410#content
how can you grant temporary limited-privileges credentials to access aws resources?
AWS Security Token Service (STS)
how would you create access for external users
Amazon Cognito
SSO for AWS
AWS IAM identity center
Virtual Desktops
Amazon WorkSpaces
stream an application without provisioning infrastructure
Amazon AppStream 2.0, no need for a virtual desktop
store and synchronize web and mobile apps and make use of GraphQL
Amazon AppSync
how could you have a done-for-you full stack web and mobile application
AWS Amplify
a drag-and-drop interface to design and build serverless applications
AWS Application Composer
fully managed service to test your web and mobile apps
AWS Device Farm