CCSF AWS Cloud Practitioner Flashcards

1
Q

How many bits is an IPv4 address, and what does an IPv4 address look like?

A

An IPv4 address is 32 bits long. It consists of four numbers separated by periods, with each number ranging from 0 to 255. For example: 192.168.1.100.

4 by . 0 to 255

2
Q

“MATSGRM”

Each letter represents a key use of “por”:

A

“MATSGRM”

Each letter represents a key use of “por”:

M: Movimiento (movement: through, along, around, by, about)
A: Apoyo (support: for, in favor of)
T: Tiempo y duración (time and duration: during, for)
S: Soporte (agent after a passive verb: by)
G: Gratitud o disculpa (gratitude or apology: for)
R: Razón (cause or reason: because of)
M: Medios de transporte (means of transportation: by)

3
Q

“PRDET”

Each letter represents a key use of “para”:

A

P: Propósito (purpose: in order to, for the purpose of)
R: Recipiente (recipient: for, directed to)
D: Dirección (direction: to a specific place)
E: Especificar tiempo (specific time: for, by)
T: Tener contraste inesperado (unexpected contrast: for)

4
Q

How many bits is an IPv6 address, and what does an IPv6 address look like?

A

An IPv6 address is 128 bits long. It consists of eight groups of four hexadecimal digits, separated by colons. For example: 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

8 x 4 Hex w :

5
Q

What does a CIDR notation show, and what does it look like?

A

CIDR (Classless Inter-Domain Routing) notation shows the number of bits used for the network portion of an IP address. It is represented as the IP address followed by a slash and the number of network bits. For example: 192.168.1.0/24.

Network Portion of IP address //////

6
Q

What does a CIDR notation show, and what does it look like?

A

How CIDR Notation Works
Network and Host Bits
CIDR divides the IP address into two parts:
Network Prefix: Identifies the network. The length of the network prefix is specified by the number after the slash.
Host Identifier: Identifies individual devices within the network.
Subnet Mask
The subnet mask for /24 is 255.255.255.0, which corresponds to the binary representation of the network prefix.

Network Portion of IP address //////

7
Q

Photo. What does a CIDR notation show, and what does it look like?

A

Photo

8
Q

CIDR IN AWS
What does a CIDR notation show, and what does it look like?

A

CIDR in AWS
In AWS, CIDR notation is used extensively to define IP address ranges for Virtual Private Clouds (VPCs) and subnets. Here are some key points:
VPC CIDR Block: When creating a VPC, you specify a CIDR block, such as 10.0.0.0/16, which provides 65,536 IP addresses.
Subnet CIDR Block: Within a VPC, you can create subnets with smaller CIDR blocks, such as 10.0.1.0/24, which provides 256 IP addresses.
Example in AWS
VPC CIDR Block: 10.0.0.0/16
This allows for 65,536 IP addresses.
Subnet CIDR Block: 10.0.1.0/24
This allows for 256 IP addresses within the VPC.

9
Q

What is the OSI model, how many layers are there, and which layers does Amazon handle and which layers does the customer handle?

A

The OSI (Open Systems Interconnection) model is a conceptual framework that standardizes communication functions into 7 layers. Amazon handles the physical (layer 1), data link (layer 2), network (layer 3), and some transport (layer 4) layers. Customers handle the remaining layers: session (layer 5), presentation (layer 6), and application (layer 7).

Transport Layer End to End

10
Q

Photo. What is the OSI model, how many layers are there, and which layers does Amazon handle and which layers does the customer handle?
DR DRE inter host.
Segment E to E Packet Frame Bit

A

Photo

11
Q

IPv6 address Purpose details 1

A

Larger Address Space: IPv6 provides a significantly larger address space compared to IPv4, which is crucial as the internet continues to grow and the number of connected devices increases. This helps in managing large-scale deployments and future-proofing infrastructure.
Dual Stack and IPv6-Only Configurations: AWS supports both dual stack (IPv4 and IPv6) and IPv6-only configurations. This flexibility allows for seamless communication between IPv4 and IPv6 resources within the same VPC infrastructure, facilitating easier network management and transition to IPv6.
Enhanced Networking for Kubernetes: For services like Amazon Elastic Kubernetes Service (EKS), IPv6 helps in managing large-scale Kubernetes clusters by providing a unique IP address for each pod, which is essential due to the limited IPv4 address space.

12
Q

IPv6 address Purpose details 2
Macie for PII, IPAM BYOIPv6, DNS 4 and 6

A

Improved Security and Compliance: IPv6 addresses are supported in AWS Identity and Access Management (IAM) policies and Amazon Macie for personally identifiable information (PII), enhancing security and compliance capabilities.
Optimized IP Address Management: AWS services like Amazon VPC IP Address Manager (IPAM) allow for optimal allocation and management of IPv6 address space, which simplifies routing and security posture management. This is particularly useful for organizations bringing their own IPv6 address space (BYOIPv6).
DNS Resolution: Services like Amazon Route 53 Resolver support dual-stack and IPv6-only configurations, enabling seamless DNS query resolution for both IPv4 and IPv6 addresses. This is crucial for maintaining connectivity and service availability in mixed or transitioning environments.
In summary, IPv6 addresses in AWS provide a scalable, secure, and efficient way to manage network resources, support large-scale deployments, and ensure future readiness as the demand for IP addresses continues to grow.

13
Q

PHOTO ipv 6 kubernete pod

A
14
Q

What is Amazon VPC?

range subnets route table NTWK gateway

A

Amazon Virtual Private Cloud (VPC) is a virtual network that closely resembles a traditional data center network. It allows you to launch AWS resources in a logically isolated environment with defined IP address ranges, subnets, routing tables, and network gateways.

logically isolated environment with defined IP address ranges, subnets, routing tables, and network gateways.

15
Q

Photo Mnemonic. What is the OSI model, how many layers are there, and which layers does Amazon handle and which layers does the customer handle?

A

Photo Mnemonic

16
Q

IPv6 address Purpose

NODE OR INTERFACE

A

To identify and locate a network interface on a computer or network node in computer networks using IPv6.

17
Q

Photo with more context. What is the OSI model, how many layers are there, and which layers does Amazon handle and which layers does the customer handle?

A

Photo with more context.

18
Q

IPv6 address Successor Of

A

Internet Protocol version 4 (IPv4)

19
Q

IPv6 address Address Size
REV
EC2, VPC, and Route 53

A

128 bits
Hexadecimal Notation: Each hexadecimal digit represents 4 bits, so 8 groups of 4 hexadecimal digits each make up a total of 128 bits. IPv6 provides improved routing and network autoconfiguration capabilities.

20
Q

What is Amazon VPC? Photo

EC2 ENI SUB PRIVATE LINK AWS
SUBNET /VPC

A

Photo

21
Q

IPv6 address Significant Difference

A

Has a vastly enlarged address space compared to IPv4.

22
Q

IPv6 address Function in Packet?

Routing Header with Source and Destination

A

IP addresses are used in the packet header to indicate the source and destination, guiding IP packet routing to other networks.

23
Q

IPv6 address Function in Packet?
3 x 3 x 2
Routing Header with Source and Destination

A
24
Q

IPv6 address Use in Networking

HEADER SOURCE DESTINATION

A

Part of the packet header to identify source and destination of packets in a network.

25
Q

What does Amazon VPC allow you to select or enable?

IP SUBNET NTWK GATEWAY ROUTE TABLE SECURITY

A

Amazon VPC allows you to select or enable IP address ranges, create subnets, configure route tables, network gateways, and security settings. It enables you to launch AWS resources in a logically isolated virtual network that you define.

26
Q

How many regions and how many availability zones can a VPC span?

AZs not Multiple Regions

A

A VPC spans all Availability Zones within a single AWS region. It cannot span multiple regions.

27
Q

What is a subnet, and how can they be classified?
PP VPN ISO

A

A subnet is a range of IP addresses in your VPC. Subnets can be classified as public, private, VPN-only, or isolated based on their routing configuration and access to the internet or other networks.

28
Q

How many availability zones can a subnet span?

Subnet = 1AZ not multiple

A

A subnet must reside entirely within one Availability Zone and cannot span multiple zones.

29
Q

Can you change an address range after you create the VPC?

You can add additional CIDR blocks but not modify or delete the original

A

Once a VPC has been created, you cannot change the original address range. You can add additional CIDR blocks to the VPC, but you cannot modify or delete the original CIDR block.

30
Q

What is the difference between a public subnet and a private subnet?

PUB= RT TO IG / PRIV=NO IG EC TO NAT GATEWAY NAT INSTANCE

A

A public subnet is associated with a route table that has a route to an Internet Gateway, allowing instances in the subnet to communicate directly with the internet. A private subnet does not have a route to an Internet Gateway, and instances in the subnet can only access the internet through a NAT gateway or NAT instance in a public subnet.

31
Q

What is the smallest and what is the largest IPv4 CIDR block that you may use?

A

The smallest IPv4 CIDR block you can use is a /28, which provides 16 IP addresses. The largest IPv4 CIDR block you can use is a /16, which provides 65,536 IP addresses.

32
Q

How many IP addresses within a CIDR block are reserved for AWS use and not available to the customer?

A

AWS reserves 5 IP addresses within each subnet CIDR block. These addresses are not available for use by the customer.

33
Q

What are the reserved addresses and what are they used for?

A

The reserved addresses are: 1. Network address (first IP) 2. VPC router (second IP) 3. DNS server (third IP) 4. Future use (fourth IP) 5. Network broadcast address (last IP). These addresses are used for network management and internal AWS operations.

34
Q

What is an elastic IP address, and what is the benefit of using an elastic IP address?

Static public ipv4 dynamic MASK Failure

A

An Elastic IP address is a static, public IPv4 address designed for dynamic cloud computing. It allows you to mask the failure of an instance by rapidly remapping the address to another instance in your VPC. This provides a consistent IP address for your resources, even if you need to replace or restart instances.

35
Q

What is an elastic network interface?

A

An Elastic Network Interface (ENI) is a virtual network interface card that you can attach to an instance in a VPC. It allows you to connect your instances to a VPC securely and can include attributes such as a primary private IPv4 address, one or more secondary private IPv4 addresses, one Elastic IP address per private IPv4 address, a MAC address, and one or more security groups.

36
Q

What is a route table and what are the 2 designations or columns that each route table has?
DT iP range and gateway and network interface.

A

A route table is a set of rules, called routes, that determine where network traffic is directed. Each route table has two key designations: the destination (the range of IP addresses where you want traffic to go) and the target (the gateway, network interface, or connection through which to send the destination traffic).

37
Q

Does a subnet require a route table, and how many route tables can be associated with each subnet?

A

Yes, each subnet in a VPC must be associated with a route table. A subnet can only be associated with one route table at a time.

38
Q

Can the same route table be used by another subnet?

A

Yes, the same route table can be associated with multiple subnets within the same VPC.

39
Q

When you use the VPC wizard, what are the 4 VPC configuration options and when is each configuration most appropriate?
2 web application and backend 3hardware vpn on premise to cloud. 4 private backend service.

A

The 4 VPC configuration options are: 1. VPC with a Single Public Subnet: Suitable for simple web applications. 2. VPC with Public and Private Subnets: Ideal for web applications that require backend servers in private subnets. 3. VPC with Public and Private Subnets and Hardware VPN Access: Used for extending your on-premises network to the cloud. 4. VPC with a Private Subnet Only and Hardware VPN Access: Suitable for private, backend services that do not need direct internet access.

40
Q

What is an Internet gateway (igw)?

A

An Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. It supports both IPv4 and IPv6 traffic and provides a target in your VPC route tables for internet-routable traffic.

41
Q

What 2 things are needed in order to make a subnet public?

Attach and update

A

To make a subnet public, you need to: 1. Attach an Internet Gateway (IGW) to your VPC. 2. Update the subnet’s route table to include a route to the Internet Gateway.

42
Q

What is a Network Address Translation (NAT) gateway (nat-gw)?

Private to public but not vice versa for instances

A

A NAT gateway is a managed service that allows instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating connections with those instances.

43
Q

Where does a nat-gw live and what else do you need to associate with the nat-gw?

A

A NAT gateway must be created in a public subnet. You also need to associate an Elastic IP address with the NAT gateway to enable internet access.

44
Q

What is VPC sharing and what is used to permit sharing? (note: within 1 VPC)

Create resources in central VPC via RAM

A

VPC sharing allows multiple AWS accounts to create their application resources (such as EC2 instances) in shared, centrally managed VPCs. AWS Resource Access Manager (RAM) is used to permit sharing.

45
Q

What is VPC peering and what is used to make the connection? (note: between multiple VPCs)

Private requesting and accessing

A

VPC peering is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. The connection is made using a VPC peering connection request and acceptance process.

46
Q

What are 2 ways to connect your AWS VPC with your on-premise data center, and what type of gateway and connection are used for each?
DC via VPN gateway
S to S via IPsec customer gateway

A

1. AWS Direct Connect: Uses a dedicated network connection and a Virtual Private Gateway. 2. AWS Site-to-Site VPN: Uses an IPsec VPN connection and a Customer Gateway.

47
Q

What 2 things are needed in order to make a subnet public?

IGW to VPC update subnet route to IG

A

To make a subnet public, you need to: 1. Attach an Internet Gateway (IGW) to your VPC. 2. Update the subnet’s route table to include a route to the Internet Gateway.

48
Q

What is a Network Address Translation (NAT) gateway (nat-gw)?

Private to Public subnets not vice versa

A

A NAT gateway is a managed service that allows instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating connections with those instances.

49
Q

Where does a nat-gw live and what else do you need to associate with the nat-gw?

Public Sub with elastic IP

A

A NAT gateway must be created in a public subnet. You also need to associate an Elastic IP address with the NAT gateway to enable internet access.

50
Q

What is VPC sharing and what is used to permit sharing? (note: within 1 VPC)
Multiple accounts create resources apps in shared VPC via RAM.

A

VPC sharing allows multiple AWS accounts to create their application resources (such as EC2 instances) in shared, centrally managed VPCs. AWS Resource Access Manager (RAM) is used to permit sharing.

51
Q

What is VPC peering and what is used to make the connection? (note: between multiple VPCs)
2 VPC talk via private via VPC peering connections request and acceptance

A

VPC peering is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. The connection is made using a VPC peering connection request and acceptance process.

52
Q

What are 2 ways to connect your AWS VPC with your on-premise data center, and what type of gateway and connection are used for each?

A

1. AWS Direct Connect: Uses a dedicated network connection and a Virtual Private Gateway. 2. AWS Site-to-Site VPN: Uses an IPsec VPN connection and a Customer Gateway.

53
Q

What is an elastic network interface?

A

An Elastic Network Interface (ENI) is a virtual network interface card that you can attach to an instance in a VPC. It allows you to connect your instances to a VPC securely and can include attributes such as a primary private IPv4 address, one or more secondary private IPv4 addresses, one Elastic IP address per private IPv4 address, a MAC address, and one or more security groups.

54
Q

What is a route table and what are the 2 designations or columns that each route table has?

A

A route table is a set of rules, called routes, that determine where network traffic is directed. Each route table has two key designations: the destination (the range of IP addresses where you want traffic to go) and the target (the gateway, network interface, or connection through which to send the destination traffic).

55
Q

Does a subnet require a route table, and how many route tables can be associated with each subnet?
Yes and 1 route table.

A

Yes, each subnet in a VPC must be associated with a route table. A subnet can only be associated with one route table at a time.

56
Q

Can the same route table be used by another subnet?

A

Yes, the same route table can be associated with multiple subnets within the same VPC.

57
Q

When you use the VPC wizard, what are the 4 VPC configuration options and when is each configuration most appropriate?

A

The 4 VPC configuration options are: 1. VPC with a Single Public Subnet: Suitable for simple web applications. 2. VPC with Public and Private Subnets: Ideal for web applications that require backend servers in private subnets. 3. VPC with Public and Private Subnets and Hardware VPN Access: Used for extending your on-premises network to the cloud. 4. VPC with a Private Subnet Only and Hardware VPN Access: Suitable for private, backend services that do not need direct internet access.

58
Q

What is an Internet gateway (igw)?

A

An Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. It supports both IPv4 and IPv6 traffic and provides a target in your VPC route tables for internet-routable traffic.

59
Q

What 2 things are needed in order to make a subnet public?

A

To make a subnet public, you need to: 1. Attach an Internet Gateway (IGW) to your VPC. 2. Update the subnet’s route table to include a route to the Internet Gateway.

60
Q

What is a Network Address Translation (NAT) gateway (nat-gw)?

A

A NAT gateway is a managed service that allows instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating connections with those instances.

61
Q

Where does a nat-gw live and what else do you need to associate with the nat-gw?

A

A NAT gateway must be created in a public subnet. You also need to associate an Elastic IP address with the NAT gateway to enable internet access.

62
Q

What is VPC sharing and what is used to permit sharing? (note: within 1 VPC)

Mult AWS account to create resources with RAM

A

VPC sharing allows multiple AWS accounts to create their application resources (such as EC2 instances) in shared, centrally managed VPCs. AWS Resource Access Manager (RAM) is used to permit sharing.

63
Q

What is VPC peering and what is used to make the connection? (note: between multiple VPCs)

Private traffic vpc request and accept

A

VPC peering is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. The connection is made using a VPC peering connection request and acceptance process.

64
Q

What are 2 ways to connect your AWS VPC with your on-premise data center, and what type of gateway and connection are used for each?

A

1. AWS Direct Connect: Uses a dedicated network connection and a Virtual Private Gateway. 2. AWS Site-to-Site VPN: Uses an IPsec VPN connection and a Customer Gateway.

65
Q

What type of VLAN standard is used for AWS Direct Connect?

A

AWS Direct Connect uses the IEEE 802.1Q VLAN standard for creating virtual local area networks (VLANs).

66
Q

When do you use a VPC endpoint (vpcep-id)?

A

You use a VPC endpoint to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

VPC private connection to AWS services and endpoint services powered by AWS PrivateLink
NO IGW, NAT, VPN, or DX

67
Q

What are the 2 types of endpoints?

A

The two types of endpoints are: 1. Interface Endpoints: Used to connect to services over AWS PrivateLink. 2. Gateway Endpoints: Used for S3 and DynamoDB.

68
Q

Are security groups stateful or stateless and what type of traffic must be defined?

A

Security groups are stateful, meaning that if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. You must define both inbound and outbound traffic rules.

69
Q

Where does the Network Access Control List (Network ACL) act at?

A

Network ACLs act at the subnet level, controlling traffic to and from one or more subnets within a VPC.

70
Q

What are the default rules for Network ACLs?

A

The default rules for Network ACLs allow all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic. Custom Network ACLs start with no inbound or outbound rules, meaning they deny all traffic by default.

71
Q

Are Network ACLs stateful or stateless, and what type of traffic must be defined?

A

Network ACLs are stateless, meaning that they do not automatically allow return traffic. You must define both inbound and outbound traffic rules separately.

72
Q

What is Amazon Route 53 used for?

A

Amazon Route 53 is a scalable and highly available Domain Name System (DNS) web service. It is used to route end-user requests to internet applications hosted on AWS and to manage DNS records for domain names.

73
Q

What types of routing does Route 53 support and how is each routing option different?

A

Route 53 supports several routing policies: Simple, Weighted, Latency-based, Failover, Geolocation, Geoproximity, and Multi-Value Answer. Each routing option differs in how it routes traffic based on factors like health checks, geographic location, latency, and predefined weights.

74
Q

What is an AWS Transit Gateway, and what topology is used with it?

A

An AWS Transit Gateway is a service that enables you to connect your VPCs and on-premises networks through a central hub. It uses a hub-and-spoke topology.

75
Q

What are the 2 firewall options to secure traffic coming in and out of your network?

A

The two firewall options are Security Groups and Network Access Control Lists (NACLs).

76
Q

Where does the security group act at and what specifically do you attach it to?

A

Security groups act at the instance level and are attached to Elastic Network Interfaces (ENIs) associated with instances.

77
Q

What is the default rule for security groups?

A

The default rule for security groups is to allow all outbound traffic and deny all inbound traffic unless explicitly allowed by a rule.

78
Q

Are security groups stateful or stateless and what type of traffic must be defined?

A

Security groups are stateful, meaning that if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. You must define both inbound and outbound traffic rules.

79
Q

Where does the Network Access Control List (Network ACL) act at?

A

Network ACLs act at the subnet level, controlling traffic to and from one or more subnets within a VPC.

80
Q

What are the default rules for Network ACLs?

A

The default network ACL allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic. Each network ACL also includes a rule whose rule number is an asterisk (*), which denies any traffic that doesn’t match any of the other rules.

81
Q

Are Network ACLs stateful or stateless, and what type of traffic must be defined?

A

Network ACLs are stateless, meaning they do not automatically allow return traffic. You must define both inbound and outbound traffic rules separately.

82
Q

What is Amazon Route 53 used for?

A

Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service used for domain registration, DNS routing, and health checking.

83
Q

What types of routing does Route 53 support and how is each routing option different?

A

Route 53 supports several routing policies: Simple, Weighted, Latency-based, Failover, Geolocation, Geoproximity, and Multi-Value Answer. Each routing option differs in how it routes traffic based on factors like health checks, geographic location, latency, and predefined weights.

84
Q

What is Amazon CloudFront, and where in the cloud architecture is CloudFront found?

A

Amazon CloudFront is a content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds. CloudFront is found at the edge of the cloud architecture, using a network of edge locations to cache content closer to end-users.

85
Q

What is the difference between an edge location and a regional edge cache?

A

Edge locations are AWS data centers designed to deliver services with the lowest latency possible, caching content closer to users. Regional edge caches have larger cache capacities than individual edge locations, keeping objects in cache longer and reducing the load on origin servers.

86
Q

What are the 3 edge location options?

A

The three edge location options are: 1. CloudFront Points of Presence (POPs) 2. Regional Edge Caches (RECs) 3. Embedded Points of Presence.

87
Q

What are the 2 types of distributions for CloudFront, and what type of content is found in each distribution?

A

The two types of distributions for CloudFront are: 1. Web Distribution: Used for websites, including dynamic, static, streaming, and interactive content. 2. RTMP Distribution: Used for media streaming using Adobe Flash Media Server’s RTMP protocol.

88
Q

What are the 13 compute services in the compute services category and provide a short description of each.

A

1. Amazon EC2: Secure and resizable compute capacity in the cloud. 2. Amazon EC2 Spot: Use unused EC2 capacity at a discount. 3. Amazon EC2 Auto Scaling: Automatically add or remove EC2 instances based on conditions. 4. Amazon Lightsail: Easy-to-use virtual servers, storage, and networking. 5. AWS Batch: Fully managed batch processing at any scale. 6. Amazon ECS: Run and manage Docker containers. 7. Amazon EKS: Fully managed Kubernetes service. 8. AWS Fargate: Run containers without managing servers. 9. AWS Lambda: Run code without provisioning or managing servers. 10. AWS Elastic Beanstalk: Deploy and manage web applications. 11. AWS Outposts: Run AWS services on-premises. 12. AWS Wavelength: Deliver ultra-low latency applications for 5G devices. 13. VMware Cloud on AWS: Build a hybrid cloud without custom hardware.

89
Q

What are the 7 compute services that you are expected to know in more detail?

A

The 7 compute services to know in more detail are: 1. Amazon EC2 2. Amazon ECS 3. Amazon EKS 4. AWS Lambda 5. AWS Fargate 6. AWS Elastic Beanstalk 7. Amazon Lightsail.

90
Q

Which compute services fall under IaaS, serverless computing, container-based computing, and PaaS?

A

IaaS: Amazon EC2, Amazon Lightsail. Serverless Computing: AWS Lambda, AWS Fargate. Container-Based Computing: Amazon ECS, Amazon EKS. PaaS: AWS Elastic Beanstalk, AWS App Runner.

91
Q

What type of servers can you provision with EC2?

A

With EC2, you can provision various types of servers, including General Purpose, Compute Optimized, Memory Optimized, Storage Optimized, and Accelerated Computing instances. Each type is designed for specific workloads and performance requirements.

92
Q

Who controls the configuration and security of the operating system on an EC2 instance?

A

The customer controls the configuration and security of the operating system on an EC2 instance.

93
Q

What is an AMI?

A

An Amazon Machine Image (AMI) is a template that contains the software configuration (operating system, application server, and applications) required to launch an instance.

94
Q

How do you control traffic into and out of your EC2 instance?

A

You control traffic into and out of your EC2 instance using security groups and network access control lists (ACLs).

95
Q

What are the 9 key decisions to make when you create an EC2 instance using the AWS Management Console Launch Instance Wizard?

A

The 9 key decisions are: 1. Choose an Amazon Machine Image (AMI). 2. Choose an instance type. 3. Configure instance details. 4. Add storage. 5. Add tags. 6. Configure security group. 7. Review instance launch. 8. Select a key pair. 9. Launch the instance.

96
Q

What are the 4 AMI categories available?

A

The 4 AMI categories are: 1. Quick Start AMIs 2. My AMIs 3. AWS Marketplace AMIs 4. Community AMIs.

97
Q

What does the EC2 instance type determine?

A

The EC2 instance type determines the hardware of the host computer used for your instance. Each instance type offers different compute, memory, and storage capabilities.

98
Q

What are the instance type categories and how can you tell which instance type category an instance belongs to?

A

The instance type categories are: 1. General Purpose 2. Compute Optimized 3. Memory Optimized 4. Storage Optimized 5. Accelerated Computing. You can tell which category an instance belongs to by its instance type name, which includes a prefix indicating its category (e.g., t2.micro for General Purpose, c5.large for Compute Optimized).

106
Q

What is Amazon Elastic Block Store (EBS)?

A

Amazon Elastic Block Store (EBS) is a scalable, high-performance block storage service designed for use with Amazon EC2 for both throughput and transaction-intensive workloads.

107
Q

How does Amazon EBS differ from Amazon EC2 Instance Store (hint: ephemeral)? When would you use each?

A

Amazon EBS provides persistent storage that remains available even after an instance is stopped or terminated. Amazon EC2 Instance Store provides temporary storage that is deleted when the instance is stopped or terminated. Use EBS for data that needs to persist and Instance Store for temporary data that can be recreated.

108
Q

What other storage options are there that are NOT for the root volume?

A

Other storage options include Amazon S3, Amazon EFS, and Amazon FSx for Lustre, which can be used for additional storage beyond the root volume.

109
Q

What is a tag and what does a tag consist of?

A

A tag is a label that you assign to an AWS resource. Each tag consists of a key and an optional value, both of which you define.

110
Q

What are some benefits of tagging?

A

Benefits of tagging include improved resource management, cost allocation, and automation. Tags help you organize resources, track costs, and automate workflows by applying policies based on tags.

111
Q

What is the default security group rule for outbound traffic?

A

The default security group rule for outbound traffic allows all outbound traffic.

112
Q

What 2 things must a security rule specify?

A

A security rule must specify the protocol and the port range.

113
Q

What does a key pair consist of?

A

A key pair consists of a public key and a private key.

114
Q

What are your 3 options for a key pair that you must select before launching an EC2 instance?

A

The 3 options for a key pair are: 1. Create a new key pair. 2. Choose an existing key pair. 3. Proceed without a key pair (not recommended).

115
Q

What key pair do you use to securely connect to a Windows EC2 instance?

A

For a Windows EC2 instance, you use the private key to decrypt the administrator password, which you then use to connect to your instance.

116
Q

What key pair do you use to securely connect to a Linux EC2 instance?

A

For a Linux EC2 instance, you use the private key to securely SSH into your instance.

117
Q

Besides using the Launch Wizard, how else can you launch an EC2 instance?

A

You can launch an EC2 instance using the AWS CLI, AWS SDKs, AWS CloudFormation, AWS Elastic Beanstalk, AWS OpsWorks, and third-party tools like Terraform and Ansible.

118
Q

What assumptions regarding key pair and security groups are made when using the CLI to launch an EC2 instance?

A

When using the CLI to launch an EC2 instance, it is assumed that you have already created a key pair and a security group. You need to specify these when running the aws ec2 run-instances command.

119
Q

What are the minimum commands needed in order to launch an EC2 instance?

A

The minimum command needed to launch an EC2 instance, with its required options, is: aws ec2 run-instances --image-id <ami-id> --instance-type <instance-type> --key-name <key-pair-name> --security-group-ids <security-group-id>

120
Q

What are the different states in the EC2 instance lifecycle?

A

The different states in the EC2 instance lifecycle are: Pending, Running, Stopping, Stopped, Shutting Down, and Terminated.

121
Q

What are the options for a stopped instance?

A

For a stopped instance, you can start it again, create an AMI from it, or terminate it.

122
Q

Can you recover a terminated instance?

A

No, you cannot recover a terminated instance. Once an instance is terminated, it cannot be brought back.

123
Q

If you need a persistent public IP address, what should you use?

A

You should use an Elastic IP address if you need a persistent public IP address.

124
Q

How many elastic IP addresses per Region are you permitted and can this number be increased?

A

By default, you are permitted five Elastic IP addresses per Region. This number can be increased by requesting a quota increase through the AWS Service Quotas console.

125
Q

What is the IP address in order to review the latest metadata or the latest user data?

A

The IP address to review the latest metadata or user data is http://169.254.169.254/latest/meta-data/ for IPv4 and http://[fd00:ec2::254]/latest/meta-data/ for IPv6 on Nitro instances.

126
Q

What is Amazon CloudWatch and how long does it maintain historical data?

A

Amazon CloudWatch is a monitoring and observability service that collects monitoring and operational data in the form of logs, metrics, and events. It maintains historical data for up to 15 months: 1-minute data points for 15 days, 5-minute data points for 63 days, and 1-hour data points for 455 days.

127
Q

What is the difference between CloudWatch basic monitoring and detailed monitoring?

A

Basic monitoring provides data points at 5-minute intervals for free, while detailed monitoring provides data points at 1-minute intervals and incurs additional charges. Detailed monitoring also offers more fine-grained metrics and aggregated data across groups of instances.

137
Q

What is the AWS shared responsibility model?

A

The AWS shared responsibility model is a framework that delineates the security responsibilities between AWS and its customers. AWS is responsible for the security “of” the cloud, while customers are responsible for security “in” the cloud.

138
Q

What does it mean that AWS is responsible for security OF the cloud? List examples.

A

AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This includes hardware, software, networking, and facilities. Examples: data centers, physical servers, networking equipment, and virtualization layers.

139
Q

What does it mean that the customer is responsible for security IN the cloud? List examples.

A

Customers are responsible for managing the security of their data and applications within the AWS environment. This includes configuring security settings, managing access controls, and ensuring data encryption. Examples: managing the guest operating system, configuring firewalls, encrypting data, and managing user access.

140
Q

Is data encryption necessary while data moves? Is data encryption necessary while data is at rest? Who is responsible for data encryption?

A

Yes, data encryption is necessary both while data is in transit and at rest to ensure data confidentiality and integrity. Customers are responsible for implementing data encryption using AWS tools and services.

141
Q

Which AWS services fall under IaaS, PaaS, SaaS?

A

IaaS: Amazon EC2, Amazon S3, Amazon VPC. PaaS: AWS Elastic Beanstalk, AWS Lambda. SaaS: Amazon WorkMail, Amazon Chime.

142
Q

How does the customer’s responsibility change based on use of IaaS, PaaS, or SaaS?

A

In IaaS, customers are responsible for managing the operating system, applications, data, and runtime. In PaaS, customers manage applications and data, while the provider handles the underlying infrastructure and platform. In SaaS, customers are mainly responsible for managing data and user access, while the provider manages the application and infrastructure.

143
Q

What is IAM and how much does it cost?

A

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. IAM is free to use; however, some features like IAM Access Analyzer have associated costs. For example, analyzing IAM roles and users costs $0.20 per role or user per month.

144
Q

What 4 things do you define when using IAM?

A

When using IAM, you define: 1. Users - individual accounts for people or applications. 2. Groups - collections of users with similar permissions. 3. Roles - sets of permissions that can be assumed temporarily by users or services. 4. Policies - documents that define permissions and are attached to users, groups, or roles.

145
Q

Is IAM global or regional?

A

IAM is a global service. IAM resources, such as users, groups, roles, and policies, are defined globally and can be used across all AWS regions.

146
Q

What is the difference between a user, a group, a policy, and a role?

A

A user is an individual account with specific permissions. A group is a collection of users that share the same permissions. A policy is a document that defines permissions and can be attached to users, groups, or roles. A role is a set of permissions that can be assumed temporarily by users or services, often used for cross-account access or to grant permissions to AWS services.

147
Q

What are the 2 types of access and what is required by each in order to authenticate?

A

The two types of access are programmatic access and AWS Management Console access. Programmatic access requires an access key ID and a secret access key. AWS Management Console access requires a username and password.

148
Q

What is a key pair made up of?

A

A key pair is made up of a public key and a private key. The public key is used to encrypt data, and the private key is used to decrypt data.

149
Q

What is MFA and what are 3 ways to generate a MFA code?

A

Multi-Factor Authentication (MFA) is an additional layer of security used to verify a user’s identity. Three ways to generate an MFA code are: 1. Virtual MFA device (e.g., Google Authenticator). 2. Hardware MFA device (e.g., YubiKey). 3. SMS text message.

150
Q

What is the default authorization?

A

The default authorization in AWS is “deny all.” This means that by default, all requests are denied unless explicitly allowed by a policy.

151
Q

What does the principle of least privilege mean?

A

The principle of least privilege means granting users and systems the minimum level of access—or permissions—necessary to perform their job functions. This reduces the risk of accidental or malicious actions.

152
Q

What is the difference between IMPLICIT access or denial and EXPLICIT access or denial?

A

Implicit access or denial means that access is not specifically granted or denied, and by default, it is denied. Explicit access or denial means that access is specifically granted or denied by a rule or policy. For example, an explicit deny rule disallows any traffic that isn’t explicitly allowed, while implicit deny is the default behavior of denying all traffic unless explicitly allowed.

153
Q

A security policy is written using which language?

A

A security policy is written using JSON (JavaScript Object Notation).

154
Q

What are the 2 types of policies?

A

The two types of policies are identity-based policies and resource-based policies. Identity-based policies are attached to IAM identities (users, groups, or roles), while resource-based policies are attached to AWS resources.

155
Q

If there is a conflict between a Deny statement (e.g., for a resource) and an Allow statement (e.g., for a user), which statement takes precedence?

A

The Deny statement takes precedence over the Allow statement. An explicit deny in any policy overrides any allows.

156
Q

An action can only take place with an _______ Allow permission otherwise the action is an _______ Deny.

A

An action can only take place with an explicit Allow permission; otherwise, the action is an implicit Deny.

158
Q

How is an IAM group different from an IAM user?

A

An IAM group is a collection of IAM users and is used to manage permissions for multiple users. An IAM user is an individual account with specific credentials and permissions. Groups do not have their own credentials, whereas users do.

159
Q

Can a user belong to multiple groups?

A

Yes, a user can belong to multiple IAM groups.

160
Q

Can a group be nested within another group?

A

No, IAM groups cannot be nested within other groups.

161
Q

Who gets access through IAM Roles and for how long?

A

IAM Roles can be assumed by IAM users, applications, or AWS services. The access is temporary and defined by the session duration specified in the role’s trust policy.

162
Q

What is needed to log into the Root User account?

A

To log into the Root User account, you need the email address associated with the AWS account and the root user password.

163
Q

What tasks can only be done with the Root User account?

A

Tasks that can only be done with the Root User account include changing account settings (e.g., account name, email address, root user password, and root user access keys), restoring IAM user permissions, activating IAM access to the Billing and Cost Management console, viewing certain tax invoices, closing your AWS account, changing your AWS Support plan, registering as a seller in the Reserved Instance Marketplace, and configuring MFA delete for S3 buckets.

164
Q

If you are not supposed to use the Root User for day-to-day interactions, how is someone needing widespread permissions such as yourself (top I.T. personnel) supposed to access and manage services, AWS users, and policies?

A

You should create an IAM user with administrative privileges for day-to-day tasks. This IAM user can manage services, AWS users, and policies without using the root account. The root account should be reserved for tasks that require root user credentials.

165
Q

After you create an IAM User account for yourself and place yourself in a group with particular security policies attached to it, what are you supposed to do with the Root User access key?

A

After creating an IAM user account and assigning the necessary permissions, you should delete the root user access keys to enhance security. This minimizes the risk of the root account being compromised.

166
Q

Which accounts should require MFA and what are the 3 ways to generate an MFA code?

A

Both the root user account and IAM user accounts should require MFA. The three ways to generate an MFA code are: 1. Virtual MFA device (e.g., Google Authenticator). 2. Hardware MFA device (e.g., YubiKey). 3. FIDO security key.

167
Q

What is AWS CloudTrail?

A

AWS CloudTrail is a service that enables operational and risk auditing, governance, and compliance of your AWS account. It records actions taken by users, roles, or AWS services as events, which include actions taken in the AWS Management Console, AWS CLI, and AWS SDKs and APIs. CloudTrail provides event history, CloudTrail Lake for long-term storage and analysis, and integration with other AWS services for monitoring and alerting.

168
Q

How much does AWS CloudTrail cost and how many days of account activity is kept?

A

AWS CloudTrail provides a free event history of the past 90 days of account activity. For more comprehensive logging, such as creating trails or using CloudTrail Lake, costs are incurred based on the amount of data ingested and stored, as well as the retention period selected.

169
Q

How can you maintain CloudTrail information beyond the standard time period?

A

To maintain CloudTrail information beyond the standard 90 days, you can create a trail that delivers log files to an Amazon S3 bucket. You can also use CloudTrail Lake to store and analyze events for up to 3,653 days (about 10 years) with the One-year extendable retention pricing option, or up to 2,557 days (about 7 years) with the Seven-year retention pricing option.

170
Q

Besides AWS Organizations handling centralized billing, what other service benefits do AWS Organizations provide?

A

AWS Organizations provides several benefits including: centralized management of policies across multiple AWS accounts, automated account creation, governance of access to AWS services, resources, and regions, auditing for compliance, and resource sharing across accounts.

171
Q

How are Service Control Policies (SCPs) different from IAM permissions policies?

A

SCPs are used to set permission boundaries and restrict actions at the organizational or organizational unit (OU) level, but they do not grant permissions. IAM policies, on the other hand, are used to grant specific permissions to users, groups, or roles within an individual AWS account. SCPs can override IAM policies by denying actions even if they are allowed by IAM policies.

172
Q

Where within AWS Organizations can SCPs be attached?

A

SCPs can be attached to the root of the organization, organizational units (OUs), or individual member accounts within AWS Organizations. They apply to all accounts under the element to which they are attached.

174
Q

What is AWS KMS?

A

AWS Key Management Service (KMS) is a service that allows you to create and manage cryptographic keys for encrypting and decrypting data. It provides centralized control over keys used to protect data across AWS services and in your applications.

175
Q

What is Amazon Cognito?

A

Amazon Cognito is an identity service that allows you to add user sign-up, sign-in, and access control to your web and mobile apps. It provides user directories, authentication, and authorization capabilities.

176
Q

What is SAML and how does it relate to Amazon Cognito?

A

SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties. Amazon Cognito supports SAML identity providers, allowing users to sign in to your app through a SAML-compliant IdP like Active Directory.

177
Q

What is a federated user?

A

A federated user is a user whose identity and attributes are stored and managed externally in an identity provider (IdP), but can be granted controlled access to resources within an organization or service provider (SP) through federation.

178
Q

What is AWS Shield and how much does it cost?

A

AWS Shield is a managed DDoS protection service. AWS Shield Standard is included at no additional cost, while AWS Shield Advanced provides enhanced protection for a monthly fee of $3,000 per organization plus data transfer fees.

179
Q

In order to contact the AWS DDoS response team, what level support plan must you have?

A

To contact the AWS Shield Response Team (SRT) for assistance during a DDoS attack, you must have a Business or Enterprise support plan with AWS.

180
Q

What is meant by data at rest?

A

Data at rest refers to data that is stored physically on computer data storage in any digital form, such as cloud storage, file hosting services, databases, data warehouses, spreadsheets, archives, tapes, off-site or cloud backups, and mobile devices. It includes both structured and unstructured data that is not actively moving or being accessed.

181
Q

What is meant by data in transit?

A

Data in transit, also referred to as data in motion or data in flight, is data that is being transmitted over a network or communication channel between source and destination. This includes data sent between computers, servers, or other devices over a local area network (LAN), wide area network (WAN), or the internet.

182
Q

What type of certificates does AWS Certificate Manager manage and what type of data is it used for?

A

AWS Certificate Manager (ACM) manages SSL/TLS X.509 certificates, which are used to secure data in transit for AWS websites and applications. These certificates can secure singular domain names, multiple specific domain names, wildcard domains, or combinations of these.

183
Q

What is the default setting for all newly created S3 buckets and objects?

A

As of April 2023, all newly created Amazon S3 buckets have the S3 Block Public Access setting turned on by default. This setting blocks public access to the bucket and objects, ensuring that only authorized users or services can access the data.

184
Q

What tools can be used for controlling access to S3 data?

A

Amazon S3 provides several tools for controlling access to S3 buckets and objects, including: 1. Bucket Policies 2. IAM Policies 3. Access Control Lists (ACLs) 4. S3 Block Public Access 5. S3 Object Ownership.

185
Q

What is AWS Config?

A

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It provides a detailed view of the configuration of resources in your AWS account, including how they are related to one another and how they were configured in the past. AWS Config helps with compliance auditing, security analysis, resource change tracking, and troubleshooting.

186
Q

What is AWS Artifact?

A

AWS Artifact is a self-service audit artifact retrieval portal that provides on-demand access to AWS’ compliance reports and agreements, such as AWS ISO certifications, Payment Card Industry (PCI) reports, and Service Organization Control (SOC) reports. It helps customers demonstrate the security and compliance of AWS infrastructure and services.

187
Q

What are HIPAA, PCI DSS, SOC, ISO, and GDPR?

A

HIPAA: Health Insurance Portability and Accountability Act, focuses on protecting health information. PCI DSS: Payment Card Industry Data Security Standard, secures payment card transactions. SOC: Service Organization Control, reports on internal controls over financial reporting. ISO: International Organization for Standardization, sets international standards for various industries. GDPR: General Data Protection Regulation, protects personal data of EU residents.

188
Q

What types of things does AWS’ Compliance programs cover?

A

AWS’ Compliance programs cover a wide range of standards and regulations, including certifications and attestations (e.g., ISO 27001, SOC 1, SOC 2), laws and regulations (e.g., HIPAA, GDPR, FedRAMP), and alignments and frameworks (e.g., NIST, CSA). These programs help customers meet global compliance requirements and maintain the security and privacy of their data.

189
Q

Data at rest: Definition

A

Data housed physically on computer data storage, including cloud storage, databases, data warehouses, and mobile devices.

190
Q

Data at rest: Types of Data

A

Includes both structured and unstructured data.

191
Q

Data at rest: Threats

A

Subject to threats from hackers and other malicious actors, and to physical theft of the data storage media.

192
Q

Data at rest: Protection Measures

A

Security measures include password protection, data encryption, or a combination of both.

193
Q

Data at rest: Related Terms

A

Complements ‘data in use’ and ‘data in transit’, defining the three states of digital data.

194
Q

Federated identity: Definition

A

Means of linking a person’s electronic identity and attributes, stored across multiple distinct identity management systems.

195
Q

Federated identity: Relation to SSO

A

Related to single sign-on (SSO), where a user’s authentication is trusted across multiple IT systems or organizations. SSO is a subset of federated identity management.

196
Q

Federated identity: Purpose

A

Enables the portability of identity information across autonomous security domains, allowing users of one domain to securely access data or systems of another domain seamlessly.

197
Q

Federated identity: Evolution

A

Emerged as a response to evolving identity management challenges, particularly those associated with cross-company, cross-domain access due to the integration of the Internet into personal and business life.

198
Q

Federated identity: Flavors

A

Includes user-controlled or user-centric scenarios, as well as enterprise-controlled or business-to-business scenarios.