CCP Flashcards
Describe the Shared Responsibility Model
The CUSTOMER is responsible for security IN the cloud: customer data, identity and access management, OS patching and configuration, network and firewall (security group) configuration, client-side and server-side encryption, and protecting data in transit.
AWS is responsible for security OF the cloud: regions, availability zones and edge locations, physical hardware, internal networking, and the infrastructure (and managed-service software) behind storage, database and compute services.
Describe IAM (Identity and Access Management)
A global service for managing identities (users, groups and roles) and what they are allowed to do.
Groups can only contain users, not other groups.
A user can be a member of multiple groups (or of none).
What is an IAM Policy?
A JSON document made of a Version (normally "2012-10-17"), an optional Id, and a list of Statements. Each statement has an Effect (Allow or Deny), the Actions (API calls) it covers, the Resources (ARNs) it applies to, optional Conditions, and, in resource-based policies only, a Principal (the account, user or role the rule applies to). Identity-based policies are attached to users, groups or roles and carry no Principal element.
Name the 3 options to access AWS
- AWS Management Console: protected by password and MFA
- AWS Command Line Interface (CLI): protected by access keys; used from a terminal or scripts, or from AWS CloudShell, which is pre-authenticated with your console session so no access keys have to be stored there. The CLI itself calls the public AWS APIs.
- AWS Software Development Kits (SDKs): for calling AWS from within application code; protected by access keys or, better, by temporary credentials from an IAM role
What is an access key made of?
Access Key ID = like a username (long-term key IDs start with AKIA)
Secret Access Key = like a password; shown only once at creation. Never share it or commit it to code. Access keys are long-term credentials, so prefer IAM roles with temporary credentials wherever possible.
What is an IAM role used for?
Giving an AWS service (for example an EC2 instance, a Lambda function or CloudFormation) a set of permissions to act on your behalf, using short-lived temporary credentials instead of long-term access keys. Roles can also be assumed by users or other accounts.
How do you audit user security?
IAM Credential Report (account level): a CSV listing every user and the status of their password, MFA and access keys (enabled, last used, last rotated).
IAM Access Advisor (user level): shows which service permissions a user has been granted and when each service was last accessed, so unused permissions can be removed (least privilege).
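The credential report is only useful if something reads it. The script below is an added example (not part of the original flashcards and not AWS code): it parses a constructed excerpt of the report, using the report's real column names but made-up users, account ID and timestamps, and flags the three findings an audit usually starts with: a root user without MFA or with access keys, console users without MFA, and active access keys older than 90 days. The `AUDIT_AS_OF` date is fixed so the result is reproducible.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the layout of `aws iam get-credential-report` (column names
# are the report's own; the rows, account ID and timestamps are made up).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2024-05-01T09:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true,2023-01-10T12:00:00+00:00,true,2024-05-20T12:00:00+00:00
"""

# Fixed "now" so the sample gives the same answer every run (assumption for the example).
AUDIT_AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_time(value):
    """Timestamps in the report are ISO 8601; placeholders mean 'no such credential'."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (user, finding) pairs: root without MFA or with access keys,
    console users without MFA, and active keys older than max_key_age_days."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        active_keys = [slot for slot in ("1", "2")
                       if row[f"access_key_{slot}_active"] == "true"]

        if user == "<root_account>":
            # Root should have MFA and no access keys at all
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            if active_keys:
                findings.append((user, "root account has access keys"))
            continue

        # A console password without MFA is the classic account-takeover weakness
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))

        for slot in active_keys:
            rotated = _parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {slot} older than {max_key_age_days} days"))
    return findings


def audit_sample():
    """Run the audit over the constructed report at the fixed date."""
    return audit_credential_report(SAMPLE_REPORT, AUDIT_AS_OF)


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

On a real account, fetch the CSV with `aws iam generate-credential-report` followed by `aws iam get-credential-report` (the `Content` field is base64-encoded) and pass the decoded text to `audit_credential_report` with `datetime.now(timezone.utc)`.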
General purpose of an EC2 instance
EC2 = Elastic Compute Cloud = Infrastructure as a Service (IaaS)
Gives companies the ability to rent virtual machines (instances) instead of buying and running hardware
what service allows you to store data on virtual machines tied to EC2 instances?
EBS = Elastic Block Store
a network drive (think of a network-attached USB stick) so an instance's data can persist after the instance is terminated. Note the default: the root volume is deleted on termination, additional volumes are kept; the DeleteOnTermination flag controls this.
bound to a single AZ, and attached to one instance at a time
what service allows you to distribute load across machines
ELB = Elastic Load Balancing (Application, Network and Gateway Load Balancers)
what service allows you to scale the services using an auto scaling group
ASG = Auto Scaling Group: adds or removes instances to match load (scale out / scale in) and replaces unhealthy instances
what is an EC2 instance made of
AMI (OS and software) + instance type (CPU, RAM, network) + storage (EBS or instance store) + security groups (firewall) + key pair (for SSH) + EC2 user data (bootstrap script)
what is a security group
a virtual firewall attached to the EC2 instance's network interface. It controls inbound and outbound traffic, contains allow rules only (no deny rules), is stateful (return traffic is allowed automatically), and rules can reference IP ranges or other security groups.
what is EC2 user data
a script that runs once, as root, the first time an instance boots, for additional set up (install packages, download files, start services)
what is SSH
a protocol that gives a user a terminal on an EC2 instance, over TCP port 22. The security group must allow inbound port 22, ideally only from your own IP and never from 0.0.0.0/0. Session Manager (Systems Manager) gives shell access without opening any inbound port.
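Opening SSH (or RDP) to the whole internet is the single most common security group mistake, so it is worth automating the check. The script below is an added example (not part of the original flashcards and not AWS code). It walks a constructed list in the shape of the `SecurityGroups` array returned by `aws ec2 describe-security-groups` (group IDs and CIDRs are made up) and reports every admin port reachable from 0.0.0.0/0 or ::/0, including rules with protocol "-1" (all traffic), which carry no port fields at all.

```python
# Constructed sample in the shape of the SecurityGroups list returned by
# `aws ec2 describe-security-groups` (group IDs and CIDRs are made up).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     ]},
    {"GroupId": "sg-00000000000000001", "GroupName": "legacy",
     "IpPermissions": [
         # "-1" means all protocols and all ports; such rules have no FromPort/ToPort
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
]

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WORLD_CIDRS = ("0.0.0.0/0", "::/0")


def rule_covers_port(rule, port):
    """True if an inbound rule admits TCP traffic to `port`."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def world_open_cidrs(rule):
    """The rule's source ranges that mean 'anyone on the internet' (IPv4 and IPv6)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD_CIDRS]


def find_world_open_admin_ports(groups):
    """Return (GroupId, port, cidr) for every admin port reachable from the whole internet."""
    findings = []
    for group in groups:
        for rule in group["IpPermissions"]:
            for cidr in world_open_cidrs(rule):
                for port in sorted(ADMIN_PORTS):
                    if rule_covers_port(rule, port):
                        findings.append((group["GroupId"], port, cidr))
    return findings


if __name__ == "__main__":
    for group_id, port, cidr in find_world_open_admin_ports(SAMPLE_GROUPS):
        print(f"{group_id}: {ADMIN_PORTS[port]} (tcp/{port}) open to {cidr}")
```

Against a real account, feed it `json.load(...)["SecurityGroups"]` from `aws ec2 describe-security-groups --output json`. The "web" group is correctly left alone: 443 to the world is what a web server needs, and its SSH rule is scoped to a single /32.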
what is an EC2 instance role linked to
an IAM role, attached through an instance profile. The instance fetches temporary credentials for the role from the instance metadata service, so no access keys should ever be stored on the machine.
purchasing options of EC2 instances
on demand: pay per use, no commitment
spot: much cheaper (up to 90% off), but AWS can reclaim the instance; for fault-tolerant, interruptible work
reserved (standard or convertible): 1 or 3 year commitment for steady workloads
dedicated host: a whole physical server reserved for you, for licensing or compliance needs
dedicated instance: hardware not shared with other customers, but no control over instance placement
how do you move an EBS volume to a new AZ
Take an EBS Snapshot (stored in S3 and usable anywhere in the region), then create a new volume from the snapshot in the target AZ. Snapshots can also be copied to another region.
what is an AMI
AMI = Amazon Machine Image
a template for launching EC2 instances: the operating system plus pre-installed software, configuration, monitoring agents, etc. AMIs are built for a specific region but can be copied to other regions.
AMIs can be provided by AWS, bought on the AWS Marketplace, or built and maintained yourself
how do you automate the creation of virtual machines or container images
EC2 Image Builder
what's an alternative to EBS for instance storage, why, and potential use cases
EC2 Instance Store
EBS volumes are network drives with good but limited performance; an Instance Store is a disk physically attached to the host, so it offers much higher I/O performance. The trade-off: it is ephemeral, so its data is lost when the instance stops or terminates, and backups are your responsibility.
Good for buffers, caches, scratch data and temporary content
what's an alternative to EBS and why
EFS = Elastic File System
a managed network file system (NFS) that can be mounted across multiple AZs (one EFS Mount Target per AZ) by hundreds of EC2 instances at the same time. Highly available and scalable; pay per use, and more expensive per GB than EBS (roughly 3x gp2)
what is a cheaper storage class for EFS, why, and how do you use it
EFS-IA (Infrequent Access)
lower storage cost than EFS Standard for files not accessed every day (a retrieval fee applies)
EFS moves files to EFS-IA automatically based on a lifecycle policy keyed on the last time a file was accessed (e.g., not accessed for 30 days)
what are 3 fully managed 3rd party high-performance file systems on AWS
FSx for Windows File Server = Windows-native SMB file shares, usable from on-prem and the cloud
FSx for Lustre = high performance computing (HPC) on large data sets: great for ML, analytics, video processing, financial modeling, etc.
FSx for NetApp ONTAP = NetApp's file system (NFS, SMB, iSCSI), for moving ONTAP-based workloads to AWS (FSx for OpenZFS also exists)
high-level description of s3
allows people to store objects (files) into buckets (directories)
bucket names must be globally unique across all AWS accounts, but each bucket is created in a specific region
each object is identified by its key (the full path within the bucket); if versioning is enabled, every write to a key also gets a version ID
how do you secure s3 and examples if necessary
user-based: IAM policies attached to users, groups or roles state which S3 API calls they may make and on which buckets or keys
encrypt objects in s3 using encryption keys (server-side with S3-managed or KMS keys, or client-side before upload)
resource-based via
- bucket policy: JSON rules covering the whole bucket; the most common option, and the way to grant cross-account access or force encryption
- object access control list (ACL): finer grained, per object
- bucket access control list (ACL): less common
also: S3 Block Public Access settings (bucket or account level) prevent accidental public exposure regardless of what a policy says
note: an IAM principal in the same account can access an s3 object if the user's/group's IAM permissions ALLOW it OR the bucket policy ALLOWS it, AND there is no explicit DENY in either
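To see the "allow OR allow, but any explicit deny wins" rule in action, here is an added example (not part of the original flashcards and not AWS's actual policy engine, which handles many more cases such as cross-account access, SCPs and permission boundaries). It also shows the shape of an IAM policy from the earlier card: an identity-based policy with no Principal next to a bucket policy that has one. Account ID, bucket name, user names and the `aws:SecureTransport` request context are made up for illustration; wildcard matching and the Bool/StringEquals condition operators are implemented in a simplified form.

```python
import fnmatch
import json

# Constructed identity-based policy attached to the IAM user "analyst" (no Principal element).
ANALYST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "AnalystReportsAccess",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
        {"Sid": "NeverTouchSecrets", "Effect": "Deny",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-reports/secret/*"},
    ],
})

# Constructed resource-based bucket policy on example-reports (Principal is required here).
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "UploaderCanWriteIncoming", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:user/uploader"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-reports/incoming/*"},
        {"Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-reports/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})
NO_PERMISSIONS = json.dumps({"Version": "2012-10-17", "Statement": []})
ANALYST_ARN = "arn:aws:iam::111122223333:user/analyst"
UPLOADER_ARN = "arn:aws:iam::111122223333:user/uploader"
OVER_HTTPS = {"aws:SecureTransport": "true"}
OVER_HTTP = {"aws:SecureTransport": "false"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcards: * matches anything, ? one character; fnmatch behaves the same."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(statement, principal_arn):
    """Identity-based statements have no Principal: they apply to whoever they are attached to."""
    if "Principal" not in statement:
        return True
    principal = statement["Principal"]
    return principal == "*" or principal_arn in _as_list(principal.get("AWS", []))


def _condition_matches(statement, context):
    """Simplified: only Bool and StringEquals; a missing context key makes the condition false."""
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or operator not in ("Bool", "StringEquals"):
                return False
            if str(actual).lower() not in [str(e).lower() for e in _as_list(expected)]:
                return False
    return True


def evaluate(identity_policy, bucket_policy, principal_arn, action, resource_arn, context=None):
    """Same-account decision following the flashcard rule: an explicit Deny in either policy
    wins; otherwise an Allow in either policy is enough; otherwise implicit Deny.
    identity_policy is assumed to be the policy attached to principal_arn."""
    context = context or {}
    allowed = False
    for document in (identity_policy, bucket_policy):
        for statement in json.loads(document)["Statement"]:
            if not (_principal_matches(statement, principal_arn)
                    and _matches(statement["Action"], action)
                    and _matches(statement["Resource"], resource_arn)
                    and _condition_matches(statement, context)):
                continue  # statement does not apply to this request
            if statement["Effect"] == "Deny":
                return "Deny"  # explicit deny always wins
            allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    report = "arn:aws:s3:::example-reports/2024/q1.csv"
    print(evaluate(ANALYST_POLICY, BUCKET_POLICY, ANALYST_ARN, "s3:GetObject", report, OVER_HTTPS))
    print(evaluate(ANALYST_POLICY, BUCKET_POLICY, ANALYST_ARN, "s3:GetObject", report, OVER_HTTP))
```

The uploader case is the instructive one: with an empty identity policy, the bucket policy alone grants `s3:PutObject` on `incoming/*` because both sit in the same account, while the analyst's `NeverTouchSecrets` Deny blocks `secret/*` even though `ReadReports` allows `example-reports/*`.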
what can be used to host a static website accessible to the internet
S3, with static website hosting enabled on the bucket. The objects must be publicly readable, which means a bucket policy granting s3:GetObject to everyone and the Block Public Access settings adjusted to allow it.
where is s3 versioning enabled
at the bucket level; once enabled, uploading to an existing key creates a new version instead of overwriting, which protects against unintended deletes and allows rollback
important to note: objects uploaded before versioning was enabled have version ID "null", and suspending versioning does not delete the previous versions
what are the two types of s3 replication and give uses
versioning must be enabled on both source and destination buckets, and S3 needs an IAM role with permission to replicate; replication is asynchronous
- CRR = Cross Region Replication. use cases: compliance, lower latency access, replication across accounts
- SRR = Same Region Replication. use cases: log aggregation, live replication between production and test accounts
can objects be moved between storage classes?
yes, either manually or automatically with lifecycle rules
attributes of s3 standard - general purpose
for frequently accessed data: low latency, high throughput, 99.99% availability, 11 9s durability (survives the loss of two facilities). good for: big data analytics, mobile and gaming applications, content distribution
attributes of s3 infrequent access (IA)
standard-IA: for less frequently accessed data that still needs rapid access when requested; lower storage cost than standard, but a per-GB retrieval fee. great for DR and backups
one zone-IA: same as above, but stored in a single AZ, so data is lost if that AZ is destroyed. good for secondary backup copies or data you can recreate
both are cheaper to store than s3 standard
what are the lowest cost storage classes of s3
the glacier storage classes, meant for archiving; there are 3 of them:
amazon s3 glacier instant retrieval: millisecond retrieval, minimum storage duration 90 days; great for data accessed about once a quarter
amazon s3 glacier flexible retrieval: retrieval in minutes to hours (expedited, standard or bulk); minimum storage duration 90 days
amazon s3 glacier deep archive: the cheapest; retrieval takes 12 to 48 hours; minimum storage duration 180 days; for long-term archives
how can you automatically move s3 objects to the cheapest suitable storage class
s3 intelligent tiering: moves objects between access tiers based on observed access patterns for a small monthly monitoring fee. there are no retrieval charges.
how can you analyze who has access to your s3 buckets
IAM Access Analyzer: finds buckets shared with an external entity by evaluating bucket policies, bucket ACLs and S3 Access Point policies (it also covers other resources, such as IAM roles and KMS keys).
why does the snow family exist?
they're highly secure portable devices to collect and process data at the edge OR to migrate data into and out of AWS
to overcome limited connectivity, limited bandwidth, high network costs or unstable connections
rule of thumb: if the transfer over the network would take more than a week, use a Snow device
what services are a part of the snow family specific to data migration? give an example.
- Snowcone: small (about 2.1 kg) portable device built to withstand harsh environments, 8 TB (HDD) or 14 TB (Snowcone SSD). You must provide your own battery and cables. Ship it back to AWS offline, or connect it to the internet and use AWS DataSync to send the data.
- Snowball Edge: for physical transfers of TBs or PBs (tens of TB per device, up to 80 TB for the Storage Optimized variant). Use cases: large data cloud migrations, disaster recovery.
- Snowmobile: an actual truck holding up to 100 PB; better than Snowball for anything over 10 PB.
what services are a part of the snow family specific to edge computing? give an example.
- Snowcone / Snowcone SSD: 2 CPUs, 4 GB of RAM, wired or wireless access; can run EC2 instances and Lambda functions (via AWS IoT Greengrass) on the device.
- Snowball Edge Compute Optimized (more vCPUs and RAM, optional GPU) and Snowball Edge Storage Optimized: run EC2 instances and Lambda functions at the edge, e.g. preprocessing data, machine learning or media transcoding where there is no connectivity. Edge devices can be rented for 1 or 3 years. Snowmobile is for migration only, not edge computing.
what is an option to maintain hybrid cloud storage?
AWS Storage Gateway: a bridge between on-premises and cloud storage.
specifically, three gateway types: File Gateway (on-prem files over NFS/SMB, backed by S3), Volume Gateway (on-prem block volumes backed by S3, with EBS snapshots), and Tape Gateway (a virtual tape library backed by S3 and Glacier)
what desktop application do you use to manage snow family devices
AWS OpsHub: a desktop application (Windows and Mac) to unlock, configure and manage Snow Family devices and transfer files, instead of using the command line
What service is a relational database and what query language?
Amazon RDS (Relational Database Service), queried with SQL. Engines: PostgreSQL, MySQL, MariaDB, Oracle, Microsoft SQL Server, and Aurora.
Why RDS over deploying a database on EC2?
Many reasons, but the number 1 is that RDS is a managed service: AWS automates provisioning, OS patching, continuous backups with point-in-time restore, monitoring dashboards, read replicas for read scaling, Multi-AZ for DR, and vertical and horizontal scaling. The list goes on.
storage is backed by EBS
what is the one disadvantage of RDS vs EC2
you can't SSH into the underlying instance (no OS-level access)
what is aurora? what are the advantages
Amazon's proprietary RELATIONAL database engine, compatible with PostgreSQL and MySQL
up to 5x the performance of MySQL on RDS and 3x of PostgreSQL on RDS; storage grows automatically
there's also Amazon Aurora Serverless, which needs no upfront capacity planning or instance management. good for infrequent, intermittent or unpredictable workloads
caches are in-memory databases with high performance and low latency. what service is useful here?
ElastiCache (managed Redis or Memcached). Helps reduce load on databases for read-intensive workloads.
what service is a high performing non relational database?
DynamoDB is a serverless NoSQL database capable of handling massive workloads with single-digit millisecond latency
How do you improve DynamoDB performance
use a fully managed in-memory cache called DynamoDB Accelerator (DAX)
What database service is great for OLAP (online analytical processing: analytics and data warehousing)? and what are some key attributes?
Redshift. Based on PostgreSQL.
used for OLAP and not OLTP; columnar storage with massively parallel query execution.
scales to PBs of data, which is why Data and BI teams love it; integrates with BI tools such as QuickSight or Tableau.
there is a serverless option (Redshift Serverless) as well