CCSF AWS Cloud Practitioner Flashcards
1
Q
How many bits is an IPv4 address, and what does an IPv4 address look like?
A
An IPv4 address is 32 bits long. It consists of four numbers separated by periods, with each number ranging from 0 to 255. For example: 192.168.1.100.
4 by . 0 to 255
2
Q
MATSGRM”
Each letter represents a key use of “por”:
A
MATSGRM”
Each letter represents a key use of “por”:
M: Movimiento (movement: through, along, around, by, about)
A: Apoyo (support: for, in favor of)
T: Tiempo y duración (time and duration: during, for)
S: Soporte (agent after a passive verb: by)
G: Gratitud o disculpa (gratitude or apology: for)
R: Razón (cause or reason: because of)
M: Medios de transporte (means of transportation: by)
3
Q
“PRDET”
Each letter represents a key use of “para”:
A
P: Propósito (purpose: in order to, for the purpose of)
R: Recipiente (recipient: for, directed to)
D: Dirección (direction: to a specific place)
E: Especificar tiempo (specific time: for, by)
T: Tener contraste inesperado (unexpected contrast: for)
4
Q
How many bits is an IPv6 address, and what does an IPv6 address look like?
A
An IPv6 address is 128 bits long. It consists of eight groups of four hexadecimal digits, separated by colons. For example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334.
8 x 4 Hex w :
5
Q
What does a CIDR notation show, and what does it look like?
A
CIDR (Classless Inter-Domain Routing) notation shows the number of bits used for the network portion of an IP address. It is represented as the IP address followed by a slash and the number of network bits. For example: 192.168.1.0/24.
Network Portion of IP address //////
6
Q
What does a CIDR notation show, and what does it look like?
A
How CIDR Notation Works
Network and Host Bits
CIDR divides the IP address into two parts:
Network Prefix: Identifies the network. The length of the network prefix is specified by the number after the slash.
Host Identifier: Identifies individual devices within the network.
Subnet Mask
The subnet mask for /24 is 255.255.255.0, which corresponds to the binary representation of the network prefix.
Network Portion of IP address //////
7
Q
Photo. What does a CIDR notation show, and what does it look like?
A
Photo
8
Q
CIDR IN AWS
What does a CIDR notation show, and what does it look like?
A
CIDR in AWS
In AWS, CIDR notation is used extensively to define IP address ranges for Virtual Private Clouds (VPCs) and subnets. Here are some key points:
VPC CIDR Block: When creating a VPC, you specify a CIDR block, such as 10.0.0.0/16, which provides 65,536 IP addresses.
Subnet CIDR Block: Within a VPC, you can create subnets with smaller CIDR blocks, such as 10.0.1.0/24, which provides 256 IP addresses.
Example in AWS
VPC CIDR Block: 10.0.0.0/16
This allows for 65,536 IP addresses.
Subnet CIDR Block: 10.0.1.0/24
This allows for 256 IP addresses within the VPC.
9
Q
Wha the OSI model, how many layers are there, and which layers does Amazon handle and which layers does the customer handle?
A
The OSI (Open Systems Interconnection) model is a conceptual framework that standardizes communication functions into 7 layers. Amazon handles the physical (layer 1), data link (layer 2), network (layer 3), and some transport (layer 4) layers. Customers handle the remaining layers: session (layer 5), presentation (layer 6), and application (layer 7).
Transport Layer End to End
10
Q
Photo. What is the OSI model, how many layers are there, and which layers does Amazon handle and which layers does the customer handle?
DR DRE inter host.
Segment E to E Packet Frame Bit
A
Photo
11
Q
IPv6 address Purpose details 1
A
Larger Address Space: IPv6 provides a significantly larger address space compared to IPv4, which is crucial as the internet continues to grow and the number of connected devices increases. This helps in managing large-scale deployments and future-proofing infrastructure.
Dual Stack and IPv6-Only Configurations: AWS supports both dual stack (IPv4 and IPv6) and IPv6-only configurations. This flexibility allows for seamless communication between IPv4 and IPv6 resources within the same VPC infrastructure, facilitating easier network management and transition to IPv6.
Enhanced Networking for Kubernetes: For services like Amazon Elastic Kubernetes Service (EKS), IPv6 helps in managing large-scale Kubernetes clusters by providing a unique IP address for each pod, which is essential due to the limited IPv4 address space.
12
Q
IPv6 address Purpose details 2
Macie for PII, IPAM BYOIPv6, DNS 4 and 6
A
Improved Security and Compliance: IPv6 addresses are supported in AWS Identity and Access Management (IAM) policies and Amazon Macie for personally identifiable information (PII), enhancing security and compliance capabilities.
Optimized IP Address Management: AWS services like Amazon VPC IP Address Manager (IPAM) allow for optimal allocation and management of IPv6 address space, which simplifies routing and security posture management. This is particularly useful for organizations bringing their own IPv6 address space (BYOIPv6).
DNS Resolution: Services like Amazon Route 53 Resolver support dual-stack and IPv6-only configurations, enabling seamless DNS query resolution for both IPv4 and IPv6 addresses. This is crucial for maintaining connectivity and service availability in mixed or transitioning environments.
In summary, IPv6 addresses in AWS provide a scalable, secure, and efficient way to manage network resources, support large-scale deployments, and ensure future readiness as the demand for IP addresses continues to grow.
13
Q
PHOTO ipv 6 kubernete pod
A
14
Q
What is Amazon VPC?
range subnets route table NTWK gateway
A
Amazon Virtual Private Cloud (VPC) is a virtual network that closely resembles a traditional data center network. It allows you to launch AWS resources in a logically isolated environment with defined IP address ranges, subnets, routing tables, and network gateways.
logically isolated environment with defined IP address ranges, subnets, routing tables, and network gateways.
15
Q
Photo Mnemonic. What is the OSI model, how many layers are there, and which layers does Amazon handle and which layers does the customer handle?
A
Photo Mnemonic
16
Q
IPv6 address Purpose
NODE OR INTERFACE
A
To identify and locate a network interface on a computer or network node in computer networks using IPv6.
17
Q
Photo with more context. What is the OSI model, how many layers are there, and which layers does Amazon handle and which layers does the customer handle?
A
Photo with more context.
18
Q
IPv6 address Successor Of
A
Internet Protocol version 4 (IPv4)
19
Q
IPv6 address Address Size
REV
EC2, VPC, and Route 53
A
128 bits
Hexadecimal Notation: Each hexadecimal digit represents 4 bits, so 8 groups of 4 hexadecimal digits each make up a total of 128 bits. IPv6 provides improved routing and network autoconfiguration capabilities.
20
Q
What is Amazon VPC? Photo
EC2 ENI SUB PRIVATE LINK AWS
SUBNET /VPC
A
Photo
21
Q
IPv6 address Significant Difference
A
Has a vastly enlarged address space compared to IPv4.
22
Q
IPv6 address Function in Packet?
Routing Header with Source and Destination
A
IP addresses are used in the packet header to indicate the source and destination, guiding IP packet routing to other networks.
23
Q
IPv6 address Function in Packet?
3 x 3 x 2
Routing Header with Source and Destination
A
24
Q
IPv6 address Use in Networking
HEADER SOURCE DESTINATION
A
Part of the packet header to identify source and destination of packets in a network.
25
What does Amazon VPC allow you to select or enable?
| IP SUBNET NTWK GATEWAY ROUTE TABLE SECURITY
Amazon VPC allows you to select or enable IP address ranges, create subnets, configure route tables, network gateways, and security settings. It enables you to launch AWS resources in a logically isolated virtual network that you define.
26
How many regions and how many availability zones can a VPC span?
AZs not Multiple Regions
A VPC spans all Availability Zones within a single AWS region. It cannot span multiple regions.
27
What is a subnet, and how can they be classified?
PP VPN ISO
A subnet is a range of IP addresses in your VPC. Subnets can be classified as public, private, VPN-only, or isolated based on their routing configuration and access to the internet or other networks.
28
How many availability zones can a subnet span?
Subnet = 1AZ not multiple
A subnet must reside entirely within one Availability Zone and cannot span multiple zones.
29
Can you change an address range after you create the VPC?
You can add additional cider but mod or delete
Once a VPC has been created, you cannot change the original address range. You can add additional CIDR blocks to the VPC, but you cannot modify or delete the original CIDR block
30
What is the difference between a public subnet and a private subnet?
| PUB= RT TO IG / PRIV=NO IG EC TO NAT GATEWAY NAT INSTANCE
A public subnet is associated with a route table that has a route to an Internet Gateway, allowing instances in the subnet to communicate directly with the internet. A private subnet does not have a route to an Internet Gateway, and instances in the subnet can only access the internet through a NAT gateway or NAT instance in a public subnet.
31
What is the smallest and what is the largest IPv4 CIDR block that you may use?
The smallest IPv4 CIDR block you can use is a /28, which provides 16 IP addresses. The largest IPv4 CIDR block you can use is a /16, which provides 65,536 IP addresses.
32
How many IP addresses within a CIDR block are reserved for AWS use and not available to the customer?
AWS reserves 5 IP addresses within each subnet CIDR block. These addresses are not available for use by the customer.
33
What are the reserved addresses and what are they used for?
The reserved addresses are: 1. Network address (first IP) 2. VPC router (second IP) 3. DNS server (third IP) 4. Future use (fourth IP) 5. Network broadcast address (last IP). These addresses are used for network management and internal AWS operations.
34
What is an elastic IP address, and what is the benefit of using an elastic IP address?
Static public ipv4 dynamic MASK Failure
An Elastic IP address is a static, public IPv4 address designed for dynamic cloud computing. It allows you to mask the failure of an instance by rapidly remapping the address to another instance in your VPC. This provides a consistent IP address for your resources, even if you need to replace or restart instances
35
What is an elastic network interface?
An Elastic Network Interface (ENI) is a virtual network interface card that you can attach to an instance in a VPC. It allows you to connect your instances to a VPC securely and can include attributes such as a primary private IPv4 address, one or more secondary private IPv4 addresses, one Elastic IP address per private IPv4 address, a MAC address, and one or more security groups.
36
What is a route table and what are the 2 designations or columns that each route table has?
DT iP range and gateway and network interface.
A route table is a set of rules, called routes, that determine where network traffic is directed. Each route table has two key designations: the destination (the range of IP addresses where you want traffic to go) and the target (the gateway, network interface, or connection through which to send the destination traffic).
37
Does a subnet require a route table, and how many route tables can be associated with each subnet?
Yes, each subnet in a VPC must be associated with a route table. A subnet can only be associated with one route table at a time.
38
Can the same route table be used by another subnet?
Yes, the same route table can be associated with multiple subnets within the same VPC.
39
When you use the VPC wizard, what are the 4 VPC configuration options and when is each configuration most appropriate?
2 web application and backend 3hardware vpn on premise to cloud. 4 private backend service.
The 4 VPC configuration options are: 1. VPC with a Single Public Subnet: Suitable for simple web applications. 2. VPC with Public and Private Subnets: Ideal for web applications that require backend servers in private subnets. 3. VPC with Public and Private Subnets and Hardware VPN Access: Used for extending your on-premises network to the cloud. 4. VPC with a Private Subnet Only and Hardware VPN Access: Suitable for private, backend services that do not need direct internet access.
40
What is an Internet gateway (igw)?
An Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. It supports both IPv4 and IPv6 traffic and provides a target in your VPC route tables for internet-routable traffic
41
What 2 things are needed in order to make a subnet public?
Attach and update
To make a subnet public, you need to: 1. Attach an Internet Gateway (IGW) to your VPC. 2. Update the subnet's route table to include a route to the Internet Gateway.
42
What is a Network Address Translation (NAT) gateway (nat-gw)?
Private to public but nit vice versa for instances
A NAT gateway is a managed service that allows instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating connections with those instances.
43
Where does a nat-gw live and what else do you need to associate with the nat-gw?
A NAT gateway must be created in a public subnet. You also need to associate an Elastic IP address with the NAT gateway to enable internet access.
44
What is VPC sharing and what is used to permit sharing? (note: within 1 VPC)
Create resources in central VPC via RAM
VPC sharing allows multiple AWS accounts to create their application resources (such as EC2 instances) in shared, centrally managed VPCs. AWS Resource Access Manager (RAM) is used to permit sharing.
45
What is VPC peering and what is used to make the connection? (note: between multiple VPCs)
Private requesting and accessing
VPC peering is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. The connection is made using a VPC peering connection request and acceptance process.
46
What are 2 ways to connect your AWS VPC with your on-premise data center, and what type of gateway and connection are used for each?
DC via VPN gateway
S to S via IPsec customer gateway
1. AWS Direct Connect: Uses a dedicated network connection and a Virtual Private Gateway. 2. AWS Site-to-Site VPN: Uses an IPsec VPN connection and a Customer Gateway
47
What 2 things are needed in order to make a subnet public?
IGW to VPC update subnet route to IG
To make a subnet public, you need to: 1. Attach an Internet Gateway (IGW) to your VPC. 2. Update the subnet's route table to include a route to the Internet Gateway.
48
What is a Network Address Translation (NAT) gateway (nat-gw)?
Private to Public subnets not vice versa
A NAT gateway is a managed service that allows instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating connections with those instances.
49
Where does a nat-gw live and what else do you need to associate with the nat-gw?
Public Sub with elastic IP
A NAT gateway must be created in a public subnet. You also need to associate an Elastic IP address with the NAT gateway to enable internet access.
50
What is VPC sharing and what is used to permit sharing? (note: within 1 VPC)
Multiple accounts create resources apps in shared VPC via RAM.
VPC sharing allows multiple AWS accounts to create their application resources (such as EC2 instances) in shared, centrally managed VPCs. AWS Resource Access Manager (RAM) is used to permit sharing.central
51
What is VPC peering and what is used to make the connection? (note: between multiple VPCs)
2 VPC talk via private via VPC peering connections request and acceptance
VPC peering is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. The connection is made using a VPC peering connection request and acceptance process.
52
What are 2 ways to connect your AWS VPC with your on-premise data center, and what type of gateway and connection are used for each?
1. AWS Direct Connect: Uses a dedicated network connection and a Virtual Private Gateway. 2. AWS Site-to-Site VPN: Uses an IPsec VPN connection and a Customer Gateway.
53
What is an elastic network interface?
An Elastic Network Interface (ENI) is a virtual network interface card that you can attach to an instance in a VPC. It allows you to connect your instances to a VPC securely and can include attributes such as a primary private IPv4 address, one or more secondary private IPv4 addresses, one Elastic IP address per private IPv4 address, a MAC address, and one or more security groups.
54
What is a route table and what are the 2 designations or columns that each route table has?
A route table is a set of rules, called routes, that determine where network traffic is directed. Each route table has two key designations: the destination (the range of IP addresses where you want traffic to go) and the target (the gateway, network interface, or connection through which to send the destination traffic).
55
Does a subnet require a route table, and how many route tables can be associated with each subnet?
Yes and 1 route table.
Yes, each subnet in a VPC must be associated with a route table. A subnet can only be associated with one route table at a time.
56
Can the same route table be used by another subnet?
Yes, the same route table can be associated with multiple subnets within the same VPC.
57
When you use the VPC wizard, what are the 4 VPC configuration options and when is each configuration most appropriate?
The 4 VPC configuration options are: 1. VPC with a Single Public Subnet: Suitable for simple web applications. 2. VPC with Public and Private Subnets: Ideal for web applications that require backend servers in private subnets. 3. VPC with Public and Private Subnets and Hardware VPN Access: Used for extending your on-premises network to the cloud. 4. VPC with a Private Subnet Only and Hardware VPN Access: Suitable for private, backend services that do not need direct internet access.
58
What is an Internet gateway (igw)?
An Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. It supports both IPv4 and IPv6 traffic and provides a target in your VPC route tables for internet-routable traffic.
59
What 2 things are needed in order to make a subnet public?
To make a subnet public, you need to: 1. Attach an Internet Gateway (IGW) to your VPC. 2. Update the subnet's route table to include a route to the Internet Gateway.
60
What is a Network Address Translation (NAT) gateway (nat-gw)?
A NAT gateway is a managed service that allows instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating connections with those instances.
61
Where does a nat-gw live and what else do you need to associate with the nat-gw?
A NAT gateway must be created in a public subnet. You also need to associate an Elastic IP address with the NAT gateway to enable internet access.
62
What is VPC sharing and what is used to permit sharing? (note: within 1 VPC)
Mult AWS account to create resources with RAM
VPC sharing allows multiple AWS accounts to create their application resources (such as EC2 instances) in shared, centrally managed VPCs. AWS Resource Access Manager (RAM) is used to permit sharing.
63
What is VPC peering and what is used to make the connection? (note: between multiple VPCs)
Private traffic vpc request and accept
VPC peering is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. The connection is made using a VPC peering connection request and acceptance process.
64
What are 2 ways to connect your AWS VPC with your on-premise data center, and what type of gateway and connection are used for each?
1. AWS Direct Connect: Uses a dedicated network connection and a Virtual Private Gateway. 2. AWS Site-to-Site VPN: Uses an IPsec VPN connection and a Customer Gateway.
65
What type of VLAN standard is used for AWS Direct Connect?
AWS Direct Connect uses the IEEE 802.1Q VLAN standard for creating virtual local area networks (VLANs).
66
When do you use a VPC endpoint (vpcep-id)?
You use a VPC endpoint to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
Vpc private connection to AWS services and endpoint services power by AWS Private Link
NO IG NAT VPN DC
67
What are the 2 types of endpoints?
The two types of endpoints are: 1. Interface Endpoints: Used to connect to services over AWS PrivateLink. 2. Gateway Endpoints: Used for S3 and DynamoDB.
68
Are security groups stateful or stateless and what type of traffic must be defined?
Security groups are stateful, meaning that if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. You must define both inbound and outbound traffic rules.
69
Where does the Network Access Control List (Network ACL) act at?
Network ACLs act at the subnet level, controlling traffic to and from one or more subnets within a VPC.
70
What are the default rules for Network ACLs?
The default rules for Network ACLs allow all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic. Custom Network ACLs start with no inbound or outbound rules, meaning they deny all traffic by default.
71
Are Network ACLs stateful or stateless, and what type of traffic must be defined?
Network ACLs are stateless, meaning that they do not automatically allow return traffic. You must define both inbound and outbound traffic rules separately.
72
What is Amazon Route 53 used for?
Amazon Route 53 is a scalable and highly available Domain Name System (DNS) web service. It is used to route end-user requests to internet applications hosted on AWS and to manage DNS records for domain names.
73
What types of routing does Route 53 support and how is each routing option different?
Route 53 supports several routing policies: Simple, Weighted, Latency-based, Failover, Geolocation, Geoproximity, and Multi-Value Answer. Each routing option differs in how it routes traffic based on factors like health checks, geographic location, latency, and predefined weights
74
What is an AWS Transit Gateway, and what topology is used with it?
An AWS Transit Gateway is a service that enables you to connect your VPCs and on-premises networks through a central hub. It uses a hub-and-spoke topology.
75
What are the 2 firewall options to secure traffic coming in and out of your network?
The two firewall options are Security Groups and Network Access Control Lists (NACLs).
76
Where does the security group act at and what specifically do you attach it to?
Security groups act at the instance level and are attached to Elastic Network Interfaces (ENIs) associated with instances.
77
What is the default rule for security groups?
The default rule for security groups is to allow all outbound traffic and deny all inbound traffic unless explicitly allowed by a rule.
78
Are security groups stateful or stateless and what type of traffic must be defined?
Security groups are stateful, meaning that if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. You must define both inbound and outbound traffic rules
79
Where does the Network Access Control List (Network ACL) act at?
Network ACLs act at the subnet level, controlling traffic to and from one or more subnets within a VPC.
80
What are the default rules for Network ACLs?
The default network ACL allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic. Each network ACL also includes a rule whose rule number is an asterisk (*), which denies any traffic that doesn't match any of the other rules.
81
Are Network ACLs stateful or stateless, and what type of traffic must be defined?
Network ACLs are stateless, meaning they do not automatically allow return traffic. You must define both inbound and outbound traffic rules separately.
82
What is Amazon Route 53 used for?
Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service used for domain registration, DNS routing, and health checking.
83
What types of routing does Route 53 support and how is each routing option different?
Route 53 supports several routing policies: Simple, Weighted, Latency-based, Failover, Geolocation, Geoproximity, and Multi-Value Answer. Each routing option differs in how it routes traffic based on factors like health checks, geographic location, latency, and predefined weights.
84
What is Amazon CloudFront, and where in the cloud architecture is CloudFront found?
Amazon CloudFront is a content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds. CloudFront is found at the edge of the cloud architecture, using a network of edge locations to cache content closer to end-users
85
What is the difference between an edge location and a regional edge cache?
Edge locations are AWS data centers designed to deliver services with the lowest latency possible, caching content closer to users. Regional edge caches have larger cache capacities than individual edge locations, keeping objects in cache longer and reducing the load on origin servers.
86
What are the 3 edge location options?
The three edge location options are: 1. CloudFront Points of Presence (POPs) 2. Regional Edge Caches (RECs) 3. Embedded Points of Presence.
87
What are the 2 types of distributions for CloudFront, and what type of content is found in each distribution?
The two types of distributions for CloudFront are: 1. Web Distribution: Used for websites, including dynamic, static, streaming, and interactive content. 2. RTMP Distribution: Used for media streaming using Adobe Flash Media Server's RTMP protocol.
88
What are the 13 compute services in the compute services category and provide a short description of each.
1. Amazon EC2: Secure and resizable compute capacity in the cloud. 2. Amazon EC2 Spot: Use unused EC2 capacity at a discount. 3. Amazon EC2 Auto Scaling: Automatically add or remove EC2 instances based on conditions. 4. Amazon Lightsail: Easy-to-use virtual servers, storage, and networking. 5. AWS Batch: Fully managed batch processing at any scale. 6. Amazon ECS: Run and manage Docker containers. 7. Amazon EKS: Fully managed Kubernetes service. 8. AWS Fargate: Run containers without managing servers. 9. AWS Lambda: Run code without provisioning or managing servers. 10. AWS Elastic Beanstalk: Deploy and manage web applications. 11. AWS Outposts: Run AWS services on-premises. 12. AWS Wavelength: Deliver ultra-low latency applications for 5G devices. 13. VMware Cloud on AWS: Build a hybrid cloud without custom hardware.
89
What are the 7 compute services that you are expected to know in more detail?
The 7 compute services to know in more detail are: 1. Amazon EC2 2. Amazon ECS 3. Amazon EKS 4. AWS Lambda 5. AWS Fargate 6. AWS Elastic Beanstalk 7. Amazon Lightsail.
90
Which compute services fall under IaaS, serverless computing, container-based computing, and PaaS?
IaaS: Amazon EC2, Amazon Lightsail. Serverless Computing: AWS Lambda, AWS Fargate. Container-Based Computing: Amazon ECS, Amazon EKS. PaaS: AWS Elastic Beanstalk, AWS App Runner.
91
What type of servers can you provision with EC2?
With EC2, you can provision various types of servers, including General Purpose, Compute Optimized, Memory Optimized, Storage Optimized, and Accelerated Computing instances. Each type is designed for specific workloads and performance requirements
92
Who controls the configuration and security of the operating system on an EC2 instance?
The customer controls the configuration and security of the operating system on an EC2 instance.
93
What is an AMI?
An Amazon Machine Image (AMI) is a template that contains the software configuration (operating system, application server, and applications) required to launch an instance.
94
How do you control traffic into and out of your EC2 instance?
You control traffic into and out of your EC2 instance using security groups and network access control lists (ACLs).
95
What are the 9 key decisions to make when you create an EC2 instance using the AWS Management Console Launch Instance Wizard?
The 9 key decisions are: 1. Choose an Amazon Machine Image (AMI). 2. Choose an instance type. 3. Configure instance details. 4. Add storage. 5. Add tags. 6. Configure security group. 7. Review instance launch. 8. Select a key pair. 9. Launch the instance.
96
What are the 4 AMI categories available?
The 4 AMI categories are: 1. Quick Start AMIs 2. My AMIs 3. AWS Marketplace AMIs 4. Community AMIs.
97
What does the EC2 instance type determine?
The EC2 instance type determines the hardware of the host computer used for your instance. Each instance type offers different compute, memory, and storage capabilities.
98
What are the instance type categories and how can you tell which instance type category an instance belongs to?
The instance type categories are: 1. General Purpose 2. Compute Optimized 3. Memory Optimized 4. Storage Optimized 5. Accelerated Computing. You can tell which category an instance belongs to by its instance type name, which includes a prefix indicating its category (e.g., t2.micro for General Purpose, c5.large for Compute Optimized)
99
Who controls the configuration and security of the operating system on an EC2 instance?
The customer controls the configuration and security of the operating system on an EC2 instance.
100
What is an AMI?
An Amazon Machine Image (AMI) is a template that contains the software configuration (operating system, application server, and applications) required to launch an instance.
101
How do you control traffic into and out of your EC2 instance?
You control traffic into and out of your EC2 instance using security groups and network access control lists (ACLs).
102
What are the 9 key decisions to make when you create an EC2 instance using the AWS Management Console Launch Instance Wizard?
The 9 key decisions are: 1. Choose an Amazon Machine Image (AMI). 2. Choose an instance type. 3. Configure instance details. 4. Add storage. 5. Add tags. 6. Configure security group. 7. Review instance launch. 8. Select a key pair. 9. Launch the instance.
103
What are the 4 AMI categories available?
The 4 AMI categories are: 1. Quick Start AMIs 2. My AMIs 3. AWS Marketplace AMIs 4. Community AMIs.
104
What does the EC2 instance type determine?
The EC2 instance type determines the hardware of the host computer used for your instance. Each instance type offers different compute, memory, and storage capabilities.
105
What are the instance type categories and how can you tell which instance type category an instance belongs to?
The instance type categories are: 1. General Purpose 2. Compute Optimized 3. Memory Optimized 4. Storage Optimized 5. Accelerated Computing. You can tell which category an instance belongs to by its instance type name, which includes a prefix indicating its category (e.g., t2.micro for General Purpose, c5.large for Compute Optimized)
106
What is Amazon Elastic Block Store (EBS)?
Amazon Elastic Block Store (EBS) is a scalable, high-performance block storage service designed for use with Amazon EC2 for both throughput and transaction-intensive workloads.
107
How does Amazon EBS differ from Amazon EC2 Instance Store (hint: ephemeral)? When would you use each?
Amazon EBS provides persistent storage that remains available even after an instance is stopped or terminated. Amazon EC2 Instance Store provides temporary storage that is deleted when the instance is stopped or terminated. Use EBS for data that needs to persist and Instance Store for temporary data that can be recreated.
108
What other storage options are there that are NOT for the root volume?
Other storage options include Amazon S3, Amazon EFS, and Amazon FSx for Lustre, which can be used for additional storage beyond the root volume.
109
What is a tag and what does a tag consist of?
A tag is a label that you assign to an AWS resource. Each tag consists of a key and an optional value, both of which you define.
110
What are some benefits of tagging?
Benefits of tagging include improved resource management, cost allocation, and automation. Tags help you organize resources, track costs, and automate workflows by applying policies based on tags
111
What is the default security group rule for outbound traffic?
The default security group rule for outbound traffic allows all outbound traffic.
112
What 2 things must a security rule specify?
A security rule must specify the protocol and the port range.
113
What does a key pair consist of?
A key pair consists of a public key and a private key.
114
What are your 3 options for a key pair that you must select before launching an EC2 instance?
The 3 options for a key pair are: 1. Create a new key pair. 2. Choose an existing key pair. 3. Proceed without a key pair (not recommended).
115
What key pair do you use to securely connect to a Windows EC2 instance?
For a Windows EC2 instance, you use the private key to decrypt the administrator password, which you then use to connect to your instance.
116
What key pair do you use to securely connect to a Linux EC2 instance?
For a Linux EC2 instance, you use the private key to securely SSH into your instance
117
Besides using the Launch Wizard, how else can you launch an EC2 instance?
You can launch an EC2 instance using the AWS CLI, AWS SDKs, AWS CloudFormation, AWS Elastic Beanstalk, AWS OpsWorks, and third-party tools like Terraform and Ansible.
118
What assumptions regarding key pair and security groups are made when using the CLI to launch an EC2 instance?
When using the CLI to launch an EC2 instance, it is assumed that you have already created a key pair and a security group. You need to specify these when running the aws ec2 run-instances command.
119
What are the minimum commands needed in order to launch an EC2 instance?
The minimum commands needed to launch an EC2 instance are: aws ec2 run-instances --image-id --instance-type --key-name --security-group-ids .
120
What are the different states in the EC2 instance lifecycle?
The different states in the EC2 instance lifecycle are: Pending, Running, Stopping, Stopped, Shutting Down, and Terminated.
121
What are the options for a stopped instance?
For a stopped instance, you can start it again, create an AMI from it, or terminate it.
122
Can you recover a terminated instance?
No, you cannot recover a terminated instance. Once an instance is terminated, it cannot be brought back.
123
If you need a persistent public IP address, what should you use?
You should use an Elastic IP address if you need a persistent public IP address.
124
How many elastic IP addresses per Region are you permitted and can this number be increased?
By default, you are permitted five Elastic IP addresses per Region. This number can be increased by requesting a quota increase through the AWS Service Quotas console
125
What is the IP address in order to review the latest metadata or the latest user data?
The IP address to review the latest metadata or user data is http://169.254.169.254/latest/meta-data/ for IPv4 and http://[fd00:ec2::254]/latest/meta-data/ for IPv6 on Nitro instances.
126
What is Amazon CloudWatch and how long does it maintain historical data?
Amazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events. It maintains historical data for up to 15 months: 1-minute data points for 15 days, 5-minute data points for 63 days, and 1-hour data points for 455 days.
127
What is the difference between CloudWatch basic monitoring and detailed monitoring?
Basic monitoring provides data points at 5-minute intervals for free, while detailed monitoring provides data points at 1-minute intervals and incurs additional charges. Detailed monitoring also offers more fine-grained metrics and aggregated data across groups of instances.
128
Besides using the Launch Wizard, how else can you launch an EC2 instance?
You can launch an EC2 instance using the AWS CLI, AWS SDKs, AWS CloudFormation, AWS Elastic Beanstalk, AWS OpsWorks, and third-party tools like Terraform and Ansible.
129
What assumptions regarding key pair and security groups are made when using the CLI to launch an EC2 instance?
When using the CLI to launch an EC2 instance, it is assumed that you have already created a key pair and a security group. You need to specify these when running the aws ec2 run-instances command.
130
What are the minimum commands needed in order to launch an EC2 instance?
The minimum commands needed to launch an EC2 instance are: aws ec2 run-instances --image-id --instance-type --key-name --security-group-ids .
131
What are the different states in the EC2 instance lifecycle?
The different states in the EC2 instance lifecycle are: Pending, Running, Stopping, Stopped, Shutting Down, and Terminated.
132
What are the options for a stopped instance?
For a stopped instance, you can start it again, create an AMI from it, or terminate it.
133
Can you recover a terminated instance?
No, you cannot recover a terminated instance. Once an instance is terminated, it cannot be brought back.
134
If you need a persistent public IP address, what should you use?
You should use an Elastic IP address if you need a persistent public IP address.
135
How many elastic IP addresses per Region are you permitted and can this number be increased?
By default, you are permitted five Elastic IP addresses per Region. This number can be increased by requesting a quota increase through the AWS Service Quotas console
136
A (Question)
B (Answer)
137
What is the AWS shared responsibility model?
The AWS shared responsibility model is a framework that delineates the security responsibilities between AWS and its customers. AWS is responsible for the security "of" the cloud, while customers are responsible for security "in" the cloud.
138
What does it mean that AWS is responsible for security OF the cloud? List examples.
AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This includes hardware, software, networking, and facilities. Examples: data centers, physical servers, networking equipment, and virtualization layers.
139
What does it mean that the customer is responsible for security IN the cloud? List examples.
Customers are responsible for managing the security of their data and applications within the AWS environment. This includes configuring security settings, managing access controls, and ensuring data encryption. Examples: managing the guest operating system, configuring firewalls, encrypting data, and managing user access.
140
Is data encryption necessary while data moves? Is data encryption necessary while data is at rest? Who is responsible for data encryption?
Yes, data encryption is necessary both while data is in transit and at rest to ensure data confidentiality and integrity. Customers are responsible for implementing data encryption using AWS tools and services.
141
Which AWS services fall under IaaS, PaaS, SaaS?
IaaS: Amazon EC2, Amazon S3, Amazon VPC. PaaS: AWS Elastic Beanstalk, AWS Lambda. SaaS: Amazon WorkMail, Amazon Chime.
142
How does the customer's responsibility change based on use of IaaS, PaaS, or SaaS?
In IaaS, customers are responsible for managing the operating system, applications, data, and runtime. In PaaS, customers manage applications and data, while the provider handles the underlying infrastructure and platform. In SaaS, customers are mainly responsible for managing data and user access, while the provider manages the application and infrastructure.
143
What is IAM and how much does it cost?
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. IAM is free to use; however, some features like IAM Access Analyzer have associated costs. For example, analyzing IAM roles and users costs $0.20 per role or user per month.
144
What 4 things do you define when using IAM?
When using IAM, you define: 1. Users - individual accounts for people or applications. 2. Groups - collections of users with similar permissions. 3. Roles - sets of permissions that can be assumed temporarily by users or services. 4. Policies - documents that define permissions and are attached to users, groups, or roles.
145
Is IAM global or regional?
IAM is a global service. IAM resources, such as users, groups, roles, and policies, are defined globally and can be used across all AWS regions.
146
What is the difference between a user, a group, a policy, and a role?
A user is an individual account with specific permissions. A group is a collection of users that share the same permissions. A policy is a document that defines permissions and can be attached to users, groups, or roles. A role is a set of permissions that can be assumed temporarily by users or services, often used for cross-account access or to grant permissions to AWS services.
147
What are the 2 types of access and what is required by each in order to authenticate?
The two types of access are programmatic access and AWS Management Console access. Programmatic access requires an access key ID and a secret access key. AWS Management Console access requires a username and password.
148
What is a key pair made up of?
A key pair is made up of a public key and a private key. The public key is used to encrypt data, and the private key is used to decrypt data.
149
What is MFA and what are 3 ways to generate a MFA code?
Multi-Factor Authentication (MFA) is an additional layer of security used to verify a user's identity. Three ways to generate an MFA code are: 1. Virtual MFA device (e.g., Google Authenticator). 2. Hardware MFA device (e.g., YubiKey). 3. SMS text message.
150
What is the default authorization?
The default authorization in AWS is "deny all." This means that by default, all requests are denied unless explicitly allowed by a policy.
151
What does the principle of least privilege mean?
The principle of least privilege means granting users and systems the minimum level of access—or permissions—necessary to perform their job functions. This reduces the risk of accidental or malicious actions.
152
What is the difference between IMPLICIT access or denial and EXPLICIT access or denial?
Implicit access or denial means that access is not specifically granted or denied, and by default, it is denied. Explicit access or denial means that access is specifically granted or denied by a rule or policy. For example, an explicit deny rule disallows any traffic that isn't explicitly allowed, while implicit deny is the default behavior of denying all traffic unless explicitly allowed.
153
A security policy is written using which language?
A security policy is written using JSON (JavaScript Object Notation).
154
What are the 2 types of policies?
The two types of policies are identity-based policies and resource-based policies. Identity-based policies are attached to IAM identities (users, groups, or roles), while resource-based policies are attached to AWS resources.
155
If there is a conflict between a Deny statement (i.e. for a resource) and an Allow statement (i.e. for a user), which statement takes precedence?
The Deny statement takes precedence over the Allow statement. An explicit deny in any policy overrides any allows.
156
An action can only take place with an _______ Allow permission otherwise the action is an _______ Deny.
An action can only take place with an explicit Allow permission; otherwise, the action is an implicit Deny.
157
An action can only take place with an _______ Allow permission otherwise the action is an _______ Deny.
An action can only take place with an explicit Allow permission; otherwise, the action is an implicit Deny.
158
How is an IAM group different from an IAM user?
An IAM group is a collection of IAM users and is used to manage permissions for multiple users. An IAM user is an individual account with specific credentials and permissions. Groups do not have their own credentials, whereas users do.
159
Can a user belong to multiple groups?
Yes, a user can belong to multiple IAM groups.
160
Can a group be nested within another group?
No, IAM groups cannot be nested within other groups.
161
Who gets access through IAM Roles and for how long?
IAM Roles can be assumed by IAM users, applications, or AWS services. The access is temporary and defined by the session duration specified in the role's trust policy.
162
What is needed to log into the Root User account?
To log into the Root User account, you need the email address associated with the AWS account and the root user password.
163
What tasks can only be done with the Root User account?
Tasks that can only be done with the Root User account include changing account settings (e.g., account name, email address, root user password, and root user access keys), restoring IAM user permissions, activating IAM access to the Billing and Cost Management console, viewing certain tax invoices, closing your AWS account, changing your AWS Support plan, registering as a seller in the Reserved Instance Marketplace, and configuring MFA delete for S3 buckets.
164
If you are not supposed to use the Root User for day-to-day interactions, how is someone needing widespread permissions such as yourself (top I.T. personnel) supposed to access and manage services, AWS users, and policies?
You should create an IAM user with administrative privileges for day-to-day tasks. This IAM user can manage services, AWS users, and policies without using the root account. The root account should be reserved for tasks that require root user credentials.
165
After you create an IAM User account for yourself and place yourself in a group with particular security policies attached to it, what are you supposed to do with the Root User access key?
After creating an IAM user account and assigning the necessary permissions, you should delete the root user access keys to enhance security. This minimizes the risk of the root account being compromised.
166
Which accounts should require MFA and what are the 3 ways to generate an MFA code?
Both the root user account and IAM user accounts should require MFA. The three ways to generate an MFA code are: 1. Virtual MFA device (e.g., Google Authenticator). 2. Hardware MFA device (e.g., YubiKey). 3. FIDO security key.
167
What is AWS CloudTrail?
AWS CloudTrail is a service that enables operational and risk auditing, governance, and compliance of your AWS account. It records actions taken by users, roles, or AWS services as events, which include actions taken in the AWS Management Console, AWS CLI, and AWS SDKs and APIs. CloudTrail provides event history, CloudTrail Lake for long-term storage and analysis, and integration with other AWS services for monitoring and alerting
168
How much does AWS CloudTrail cost and how many days of account activity is kept?
AWS CloudTrail provides a free event history of the past 90 days of account activity. For more comprehensive logging, such as creating trails or using CloudTrail Lake, costs are incurred based on the amount of data ingested and stored, as well as the retention period selected.
169
How can you maintain CloudTrail information beyond the standard time period?
To maintain CloudTrail information beyond the standard 90 days, you can create a trail that delivers log files to an Amazon S3 bucket. You can also use CloudTrail Lake to store and analyze events for up to 3,653 days (about 10 years) with the One-year extendable retention pricing option, or up to 2,557 days (about 7 years) with the Seven-year retention pricing option.
170
Besides AWS Organizations handling centralized billing, what other service benefits do AWS Organizations provide?
AWS Organizations provides several benefits including: centralized management of policies across multiple AWS accounts, automated account creation, governance of access to AWS services, resources, and regions, auditing for compliance, and resource sharing across accounts.
171
How are Service Control Policies (SCP) different than IAM permissions policies?
SCPs are used to set permission boundaries and restrict actions at the organizational or organizational unit (OU) level, but they do not grant permissions. IAM policies, on the other hand, are used to grant specific permissions to users, groups, or roles within an individual AWS account. SCPs can override IAM policies by denying actions even if they are allowed by IAM policies.
172
Where within AWS Organizations can SCP be attached to?
SCPs can be attached to the root of the organization, organizational units (OUs), or individual member accounts within AWS Organizations. They apply to all accounts under the element to which they are attached
173
Where within AWS Organizations can SCP be attached to?
Service Control Policies (SCPs) can be attached to the root of the organization, organizational units (OUs), or individual member accounts within AWS Organizations. They apply to all accounts under the element to which they are attached.
174
What is AWS KMS?
AWS Key Management Service (KMS) is a service that allows you to create and manage cryptographic keys for encrypting and decrypting data. It provides centralized control over keys used to protect data across AWS services and in your applications.
175
What is Amazon Cognito?
Amazon Cognito is an identity service that allows you to add user sign-up, sign-in, and access control to your web and mobile apps. It provides user directories, authentication, and authorization capabilities.
176
What is SAML and how does it relate to Amazon Cognito?
SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties. Amazon Cognito supports SAML identity providers, allowing users to sign in to your app through a SAML-compliant IdP like Active Directory.
177
What is a federated user?
A federated user is a user whose identity and attributes are stored and managed externally in an identity provider (IdP), but can be granted controlled access to resources within an organization or service provider (SP) through federation.
178
What is AWS Shield and how much does it cost?
AWS Shield is a managed DDoS protection service. AWS Shield Standard is included at no additional cost, while AWS Shield Advanced provides enhanced protection for a monthly fee of $3,000 per organization plus data transfer fees.
179
In order to contact the AWS DDoS response team, what level support plan must you have?
To contact the AWS Shield Response Team (SRT) for assistance during a DDoS attack, you must have a Business or Enterprise support plan with AWS.
180
What is meant by data at rest?
Data at rest refers to data that is stored physically on computer data storage in any digital form, such as cloud storage, file hosting services, databases, data warehouses, spreadsheets, archives, tapes, off-site or cloud backups, and mobile devices. It includes both structured and unstructured data that is not actively moving or being accessed.
181
What is meant by data in transit?
Data in transit, also referred to as data in motion or data in flight, is data that is being transmitted over a network or communication channel between source and destination. This includes data sent between computers, servers, or other devices over a local area network (LAN), wide area network (WAN), or the internet.
182
What type of certificates does AWS Certificate Manager manage and what type of data is it used for?
AWS Certificate Manager (ACM) manages SSL/TLS X.509 certificates, which are used to secure data in transit for AWS websites and applications. These certificates can secure singular domain names, multiple specific domain names, wildcard domains, or combinations of these.
183
What is the default setting for all newly created S3 buckets and objects?
As of April 2023, all newly created Amazon S3 buckets have the S3 Block Public Access setting turned on by default. This setting blocks public access to the bucket and objects, ensuring that only authorized users or services can access the data.
184
What tools can be used for controlling access to S3 data?
Amazon S3 provides several tools for controlling access to S3 buckets and objects, including: 1. Bucket Policies 2. IAM Policies 3. Access Control Lists (ACLs) 4. S3 Block Public Access 5. S3 Object Ownership.
185
What is AWS Config?
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It provides a detailed view of the configuration of resources in your AWS account, including how they are related to one another and how they were configured in the past. AWS Config helps with compliance auditing, security analysis, resource change tracking, and troubleshooting
186
What is AWS Artifact?
AWS Artifact is a self-service audit artifact retrieval portal that provides on-demand access to AWS' compliance reports and agreements, such as AWS ISO certifications, Payment Card Industry (PCI) reports, and Service Organization Control (SOC) reports. It helps customers demonstrate the security and compliance of AWS infrastructure and services.
187
What are HIPAA, PCI DSS, SOC, ISO, and GDPR?
HIPAA: Health Insurance Portability and Accountability Act, focuses on protecting health information. PCI DSS: Payment Card Industry Data Security Standard, secures payment card transactions. SOC: Service Organization Control, reports on internal controls over financial reporting. ISO: International Organization for Standardization, sets international standards for various industries. GDPR: General Data Protection Regulation, protects personal data of EU residents.
188
What types of things does AWS' Compliance programs cover?
AWS' Compliance programs cover a wide range of standards and regulations, including certifications and attestations (e.g., ISO 27001, SOC 1, SOC 2), laws and regulations (e.g., HIPAA, GDPR, FedRAMP), and alignments and frameworks (e.g., NIST, CSA). These programs help customers meet global compliance requirements and maintain security and privacy of their data
189
Data at rest Definition
Data housed physically on computer data storage, including cloud storage, databases, data warehouses, and mobile devices.
190
Data at rest Types of Data
Includes both structured and unstructured data.
191
Data at rest Threats
Subject to threats from hackers, malicious threats, and physical theft of the data storage media.
192
Data at rest Protection Measures
Security measures include password protection, data encryption, or a combination of both.
193
Data at rest Related Terms
Complements 'data in use' and 'data in transit', defining the three states of digital data.
194
Federated identity Definition
Means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.
195
Federated identity Relation to SSO
Related to single sign-on (SSO), where a user's authentication is trusted across multiple IT systems or organizations. SSO is a subset of federated identity management.
196
Federated identity Purpose
Enables the portability of identity information across autonomous security domains, allowing users of one domain to securely access data or systems of another domain seamlessly.
197
Federated identity Evolution
Emerged as a response to evolving identity management challenges, particularly those associated with cross-company, cross-domain access due to the integration of the Internet into personal and business life.
198
Federated identity Flavors
Includes user-controlled or user-centric scenarios, as well as enterprise-controlled or business-to-business scenarios.
