CCP Flashcards

1
Q

Describe the Shared Responsibility Model

A

The CUSTOMER is responsible for security in the cloud (customer data, OS, networking, configuration, encryption, client-side data).

AWS is responsible for the security of the cloud (regions, hardware, availability zones, internal networking, storage, database and compute infrastructure).

2
Q

Describe IAM (Identity and Access Management).

A

users and groups only.

groups can only contain users, not other groups.

users can be a part of multiple groups.

3
Q

What is an IAM Policy?

A

a JSON snippet that consists of: a generic version, ID to identify the policy, and a statement to allow or deny access applied to a principal (account, user, or role).

4
Q

Name the 3 options to access AWS

A
  1. AWS Management Console: password and MFA
  2. AWS Command Line Interface (CLI): protected by access keys; used via CloudShell, a terminal, scripts, or directly via the public APIs
  3. AWS Software Development Kit (SDK): embedded within code, protected by access keys

5
Q

What is an access key made of?

A

Access Key ID = username
Secret Access Key = password

6
Q

What is an IAM role used for?

A

Allow an AWS service to perform actions on your behalf

7
Q

How do you audit user security?

A

IAM Credential Reports (account-level) and IAM Access Advisor (user level)

8
Q

General purpose of an EC2 instance

A

EC2 = Elastic Compute Service = infrastructure as a service

Gives companies the ability to rent virtual machines

9
Q

what service allows you to store data on virtual machines tied to EC2 instances?

A

EBS = elastic block store

a network drive (almost like a USB stick) that allows an instance's data to persist after termination

specific to a single instance and AZ

10
Q

what service allows you to distribute load across machines

A

ELB = elastic load balance

11
Q

what service allows you to scale the services using an auto scaling group

A

ASG = auto scaling group

12
Q

what is an EC2 instance made of

A

AMI (OS) + Instance Size (CPU and RAM) + Storage + security groups + EC2 user data

13
Q

what is a security group

A

a firewall attached to the EC2 instance

14
Q

what is EC2 user data

A

a script launched at the first start of an instance for additional setup

15
Q

what is SSH

A

gives a user the ability to terminal into an EC2 instance usually through port 22

16
Q

what is an EC2 instance role linked to

A

IAM role

17
Q

purchasing options of EC2 instances

A

on demand
spot
reserved (standard or convertible)
dedicated host
dedicated instance

18
Q

how do you move an EBS volume to a new AZ

A

EBS Snapshot

19
Q

what is an AMI

A

AMI = Amazon Machine Image

customized operating system (OS) of an EC2 instance built for a specific region with config, monitoring, etc

AMIs can be provided by AWS, or you can make your own and maintain them

20
Q

how do you automate the creation of virtual machines or container images

A

EC2 Image Builder

21
Q

what’s an alternative to EC2 Instance, why and potential use cases of alternative

A

EC2 Instance Store

EC2 instances are naturally larger and slower, as Instance Store has a higher-performing hardware disk

Good for buffers, caches, scratch data and temporary content

22
Q

what’s an alternative to EBS and why

A

EFS = Elastic File System

a single EFS can be used across multiple AZs and mounted (via an EFS Mount Target) to hundreds of EC2 instances. Highly available, scalable and expensive (pay per use)

23
Q

what is a better storage class for EFS, why and how do you use it

A

EFS-IA

lowers costs compared to EFS for files not accessed every day

EFS will automatically move files to EFS-IA based on a lifecycle policy (i.e., the last time the files were accessed)

24
Q

what are 3 fully managed 3rd party high-performance file systems on AWS

A

FSx for Windows File Server = Windows-native (on-prem and cloud)

FSx for Lustre = high-performance computing (HPC), tons of data. great for ML, analytics, video processing, financial modeling, etc.

FSx for NetApp

25
Q

high-level description of s3

A

allows people to store objects (files) into buckets (directories)

names must be globally unique, but are defined at the region level

each file is identified by a unique key used to access the object within a bucket, with versioning if enabled

26
Q

how do you secure s3 and examples if necessary

A

user-based: allow API access for specific IAM users

encrypt objects in s3 using encryption keys

resource-based, via:
- bucket policy for blanket rules for s3 across accounts
- object access control list (ACL) - finer level of security
- bucket access control list (ACL) - less common, but finer than a bucket policy

note: an IAM principal can access an s3 object if the user/group permissions ALLOW it OR the resource policy ALLOWS it, AND there is no explicit deny

27
Q

what can be used to host a static website accessible from the internet

A

S3

28
Q

s3 versioning is enabled where

A

enabled at the bucket level; you can version files stored in s3 if the file has the same key

important to note: any file that is not versioned prior to enabling versioning will have version "null", and suspending versioning does not delete the previous versions

29
Q

what are two types of s3 replication and give uses

A

first of all, versioning must be enabled, and you still have to give proper IAM permissions to s3

  1. CRR = cross region replication. use cases: compliance, lower latency access, replication across accounts
  2. SRR = same region replication. use cases: log aggregation, live replication between production and test accounts

30
Q

can files in storage classes be moved manually or by lifecycle policies

A

yes

31
Q

attributes of s3 standard - general purpose

A

Quickly accessible, low latency, high throughput. good for: big data, gaming, content distribution

32
Q

attributes of s3 infrequent access (IA)

A

standard-IA: for less frequently accessed data that still requires rapid access when needed; great for DR

one zone-IA: same as above, but in a single AZ, so data is lost if the AZ is destroyed; good for secondary backups or data you can recreate

obviously lower cost than s3 standard

33
Q

what is the lowest cost storage class of s3

A

glacier storage classes, there are 3 of them:

amazon s3 glacier instant retrieval: millisecond retrieval, great for data accessed once a quarter

amazon s3 glacier flexible retrieval: min storage duration is 90 days

amazon s3 glacier deep archive: for long term, greater than 180 days

34
Q

how can you automatically move s3 objects to better storage

A

s3 intelligent tiering. there are no retrieval charges.

35
Q

how can you analyze who has access to your s3 buckets

A

IAM Access Analyzer. evaluates s3 bucket policies, s3 ACLs, and s3 access point policies.

36
Q

why does the snow family exist?

A

they’re portable devices to collect and process data at the edge OR migrate data into and out of AWS

to overcome challenges related to limited connectivity, bandwidth, high network costs or connection stability

great for anything that takes more than a week to transfer

37
Q

what services are a part of the snow family specific to data migration? give an example.

A
  1. Snowcone: small portable device built to withstand harsh environments. you must provide your own battery and cables. it can be sent back to AWS offline, or connected to the internet and used with AWS DataSync to send data.
  2. Snowball Edge: physical data transfer to move TBs or PBs. use cases: large data cloud migrations, disaster recovery.
  3. Snowmobile: an actual truck to move exabytes of data. great for anything over 10 PB.

38
Q

what services are a part of the snow family specific to edge computing? give an example.

A
  1. Snowcone: small portable device built to withstand harsh environments. you must provide your own battery and cables. it can be sent back to AWS offline, or connected to the internet and used with AWS DataSync to send data.
  2. Snowball Edge: physical data transfer to move TBs or PBs. use cases: large data cloud migrations, disaster recovery.

39
Q

what is an option to maintain hybrid cloud storage?

A

AWS Storage Gateway can be a bridge between on-premises and cloud data.

specifically, on-prem files, volumes and tapes can be bridged via Storage Gateway to EBS, s3 and Glacier

40
Q

what desktop application do you use to manage snow family devices

A

OpsHub

41
Q

What service is a relational database, and what query language does it use?

A

Amazon RDS. SQL.

42
Q

Why RDS over deploying database on EC2?

A

Many reasons, but the number one reason is that RDS is a managed service, which means we don't have to manage the database: AWS automates provisioning, OS patching, monitoring dashboards, scaling capability, multi-AZ DR, and more.

storage backed by EBS

43
Q

what is the one disadvantage of RDS vs EC2

A

you can’t SSH into your instance

44
Q

what is Aurora? what are the advantages?

A

Amazon’s proprietary RELATIONAL database technology that supports PostgreSQL and MySQL

3-5x improved performance over RDS

there's also an Amazon Aurora Serverless option that requires no upfront planning or overhead. good for infrequent, intermittent, unpredictable workloads

45
Q

caches are in-memory databases with high performance and low latency. what service is useful here?

A

ElastiCache. Helps reduce the load on databases for read-intensive workloads.

46
Q

what service is a high-performing non-relational database?

A

DynamoDB is a serverless NoSQL database capable of handling massive workloads with single-digit millisecond latency

47
Q

How do you improve DynamoDB performance

A

use a fully managed in-memory cache called DynamoDB Accelerator (DAX)

48
Q

What database service is great for OLAP (online analytical processing, analytics and data warehousing), and what are some key attributes?

A

Redshift. Based on PostgreSQL.

used for OLAP and not OLTP.

scales to PB of data, which is why Data and BI teams love it.

there is a serverless option for this as well

49
Q

What service creates Hadoop clusters to analyze and process a ton of data

A

Amazon EMR (Elastic MapReduce). Fully managed service for data processing, machine learning, web indexing.

50
Q

what service queries and analyzes s3 objects

A

Amazon Athena. Serverless query service using standard SQL.

51
Q

what is Amazon QuickSight?

A

serverless machine learning-powered BI service to create interactive dashboards. integrated with RDS, Aurora, Athena, Redshift, S3, etc

52
Q

what is AWS's version of MongoDB (NoSQL database)

A

DocumentDB. used to store, query, and index JSON data.

53
Q

what's a great service to manage graph databases (interconnected networks)? what are some use cases?

A

Amazon Neptune. knowledge graphs (Wikipedia), fraud detection, recommendation engines, social networking

54
Q

what is the serverless time series database? what is it capable of?

A

Amazon Timestream. store and analyze trillions of events per day with built-in time series analytics functions (to identify patterns in the data in near real-time)

55
Q

what service provides ledger services

A

Amazon QLDB (Quantum Ledger Database). immutable review of all changes made to an application over time.

56
Q

what is an ETL service

A

AWS Glue. useful for preparing and transforming data for analytics

57
Q

what service supports quick and secure migration of databases to AWS, and is resilient and self-healing?

A

DMS. Database Migration Service.

58
Q

what is docker? what service comes into play here?

A

docker = platform to deploy apps that are packaged in containers that can be run on any OS (apps run the same regardless of where they're run)

Amazon ECS (Elastic Container Service).

59
Q

How is Fargate different from ECS?

A

ECS requires the EC2 instances to be created already.

Fargate is serverless: put a new container into Fargate and Fargate handles the rest.

60
Q

where do you store docker images on AWS?

A

Amazon ECR (Elastic Container Registry).

61
Q

what is an alternative to EC2 for short functions?

A

AWS Lambda. no servers to manage; runs on demand with auto scaling, and is event-driven.

62
Q

Fully managed serverless service for developers to easily create, publish, maintain, monitor and secure APIs

A

Amazon API Gateway

63
Q

For people with little cloud experience who would like to stand up cloud infra, what would they use?

A

Amazon Lightsail. great use case: simple web applications. Has high availability, but no auto-scaling and limited AWS integrations.

64
Q

what is CloudFormation

A

a declarative way to outline AWS infrastructure in the order you specify.

no infra as code, each resource is automatically tagged.

there are existing templates out there too.

65
Q

what allows you to define your cloud infrastructure using a familiar language

A

AWS Cloud Development Kit. offers the ability to deploy infrastructure and application runtime code together.

66
Q

what is Elastic Beanstalk

A

managed service for developers to create end-to-end applications. only the application is the responsibility of the developer.

managed service = instance config, OS, capacity provisioning, load balancing and auto scaling, application health, etc.

67
Q

orchestrate steps to have code automatically pushed to production

A

AWS CodePipeline

67
Q

hybrid service to automatically deploy applications

A

AWS CodeDeploy

68
Q

code repository for developers to store code

A

CodeCommit

68
Q

code building service that compiles source code, runs tests and produces packages that are ready to deploy

A

AWS CodeBuild

69
Q

what can be used for artifact management where developers and CodeBuild can retrieve dependencies?

A

AWS CodeArtifact

70
Q

Cloud IDE for writing, running and debugging code within the web browser.

A

AWS Cloud9

71
Q

What helps you manage your EC2 and on-prem systems at scale with no SSH keys or port 22 needed

A

AWS Systems Manager (SSM).

72
Q

How do you store secrets, passwords and private config?

A

AWS Systems Manager Parameter Store

73
Q

Managed DNS and list the policies

A

Route53.

Simple

Weighted: distribute traffic across servers

Latency: allow users to talk to the server closest to them

Failover Routing Policy: health check and send traffic to healthy servers

74
Q

What can prevent DDoS attacks?

A

AWS CloudFront. Integrated with Shield and AWS Web Application Firewall

75
Q

Why is AWS CloudFront valuable?

A

Improves read performance; content is cached at the edge. Great for dynamic content that needs to be available at low latency in a few regions.

76
Q

describe AWS Outposts

A

server racks that offer the same AWS infrastructure, services, APIs and tools to build your own applications on-premises.

setup and managed by AWS, but the customer is responsible for the physical rack.

77
Q

Infrastructure deployments embedded within telecommunications providers' data centers at the edge of 5G networks

A

AWS Wavelength. Brings AWS services to the edge of the 5G network.

78
Q

what is a subset of a region called. Give an example.

A

AWS Local Zone. AWS Region is us-east-1 and the local zones are Boston, Chicago, Dallas, Houston, Miami

79
Q

in the context of global application architecture, describe the 4 types.

A

Single, Single: single region, single az

Single, Multi: single region, multi az

Multi, Active-Passive: Multi region, read/write and read only for some servers

Multi, Active-Active: Multi region, read/write everywhere

80
Q

what are the three different cloud integration patterns to decouple your applications

A
  1. Amazon SQS: queue model, messages deleted after they’re read with FIFO
  2. Amazon SNS: pub/sub model, perfect for sending one message to many receivers
  3. Kinesis: real-time streaming

they all can scale independently of your application

81
Q

what if a company is migrating to the cloud and doesn't want to use SQS or SNS; what else could they use to run on-prem servers?

A

Amazon MQ. a managed message broker service for RabbitMQ and ActiveMQ

82
Q

what provides metrics and alarms for every service in AWS

A

Amazon CloudWatch and Amazon CloudWatch Alarms

83
Q

How could you collect EC2 logs for cloud and on-prem servers?

A

Amazon CloudWatch Logs

84
Q

Conceptually, what is Amazon EventBridge

A

It gives customers the ability to schedule batch jobs, create event patterns to react to something, trigger Lambda functions, or respond to 3rd-party tools.

85
Q

what service provides API governance, compliance and audit capability for an AWS account

A

AWS CloudTrail

86
Q

What service gives you tracing and visual analysis of your applications?

A

AWS X-Ray

87
Q

how could a company get automated (ML) code reviews and application performance recommendations

A

Amazon CodeGuru: CodeReviewer (review code) and CodeProfiler (examine runtime behavior of applications)

88
Q

what is the difference between AWS health dashboard and Account health dashboard

A

AWS health dashboard: status of all AWS services across all regions

AWS Account health dashboard: AWS events that impact infrastructure only

89
Q

How would you provide internet access to a VPC

A

Internet Gateway

90
Q

How would you provide an instance in a private subnet with internet access?

A

NAT Gateway / Instance

91
Q

What does a NACL provide?

A

stateless rules, almost like a firewall for inbound and outbound traffic

92
Q

what is a firewall that operates at the EC2 instance level or ENI (Elastic Network Interface)?

A

Security Group

93
Q

How do you connect two VPCs?

A

VPC Peering, non overlapping IP ranges, non transitive

94
Q

What is an Elastic IP?

A

fixed public IPv4; ongoing cost if not in use

95
Q

how do you provide a VPC with access to AWS services?

A

VPC Endpoints

96
Q

if a company wants to connect to a 3rd-party VPC, what would you use?

A

PrivateLink

97
Q

how do you connect over the public internet between an on-prem DC and AWS

A

Site-to-Site VPN

98
Q

If you want to connect your computer via OpenVPN into your VPC, what would you use

A

Client VPN

99
Q

If you want direct private connection to AWS what would you use

A

Direct Connect

100
Q

If you wanted to connect thousands of VPCs and on-prem networks together, what would you use

A

Transit Gateway

101
Q

how do you protect the entire VPC

A

AWS Network Firewall and manage them with AWS Firewall Manager (rules for all accounts in AWS)

102
Q

AWS managed service for encryption keys, and what is the alternative?

A

AWS KMS (customer-managed or AWS managed keys)

alternative: CloudHSM, keys generated from your own hardware device

103
Q

what is Amazon GuardDuty

A

uses ML algorithms for anomaly detection

if there are findings, use EventBridge to send notifications or trigger Lambda functions

104
Q

how would you run automated security assessments, and what are the limits?

A

Amazon Inspector; it can report findings/scores to Security Hub or EventBridge

only for EC2 instances, container images and Lambda functions

105
Q

how would you audit and record compliance of AWS resources per region?

A

AWS Config. records configuration and changes over time.

can be stored in s3 and analyzed by Athena

105
Q

true or false. Macie uses ML and pattern matching to discover and protect your sensitive data in AWS.

A

true.

106
Q

what service can be used to identify the root cause of security issues or suspicious activities

A

Amazon Detective

107
Q

Not worth creating cards for, but review ML section link included below

A

https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20245410#content

108
Q

how do you set up multiple accounts at a time

A

Control Tower

109
Q

what is Trusted Advisor

A

a service that analyzes our AWS accounts and provides recommendations for the following:

  1. cost optimization
  2. performance
  3. security
  4. fault tolerance
  5. service limits
  6. operational excellence

part of the business and enterprise support plan

110
Q

Not worth creating cards for, but review Billing section link included below

A

https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20245410#content

111
Q

how can you grant temporary, limited-privilege credentials to access AWS resources?

A

AWS Security Token Service (STS)

112
Q

how would you create access for external users

A

Amazon Cognito

113
Q

SSO for AWS

A

AWS IAM Identity Center

114
Q

Virtual Desktops

A

Amazon WorkSpaces

115
Q

stream an application without provisioning infrastructure

A

Amazon AppStream 2.0, no need for a virtual desktop

116
Q

store and synchronize data for web and mobile apps, making use of GraphQL

A

Amazon AppSync

117
Q

how could you have a done-for-you full-stack web and mobile application

A

AWS Amplify

118
Q

a drag-and-drop interface to design and build serverless applications

A

AWS Application Composer

119
Q

fully managed service to test your web and mobile apps

A

AWS Device Farm