CP Basic Concepts Flashcards
Cloud Concepts:
What are some key financial benefits of migrating on-prem to AWS?
- Replace upfront capital expenditures (capex) with low variable operational expenditures (opex)
- Reduce the total cost of ownership
Cloud Concepts:
What are the 4 Cloud Architecture Design Principles?
- Implement Elasticity
- Think Parallel
- Decouple your components
- Design for failure
Cloud Concepts:
How would you design mission-critical workloads in AWS that must be highly available?
Use multiple Availability Zones
Cloud Concepts:
How can you ensure that a change or failure in one component will not cascade to other components?
Loose coupling
Cloud Concepts:
How would you enable your Amazon EC2 instances in the public subnet to connect to the public internet?
Use the Internet Gateway
Cloud Concepts:
How would you enable your EC2 instances in the private subnet to connect to the public internet?
NAT Gateway
Security:
What security management tool would you use to configure your AWS WAF rules across accounts?
AWS Firewall Manager
Security:
If a company needs to download compliance-related documents in AWS, such as System and Organization Controls (SOC) reports, where would they go?
AWS Artifact
Security:
How would you improve the security of IAM users?
- Enable multi-factor authentication (MFA)
- Configure a strong password policy
Security:
What is an IAM identity that uses access keys to manage cloud resources via the AWS CLI?
IAM User
Security:
How would you grant temporary access to your AWS resources?
IAM Role
Security:
How would you apply and easily manage common access permissions to a large number of IAM users in AWS?
IAM Group
Security:
How would you grant the required permissions to access your S3 resources?
Bucket Policy and/or User Policy
Security:
If you need to provide temporary AWS credentials for users who have authenticated via their social media logins as well as for guest users who don’t need any authentication, what would you use?
Amazon Cognito Identity Pool
Security:
How would a startup evaluate the newly created IAM policies?
IAM Policy Simulator
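The allow/deny logic the IAM Policy Simulator applies to a user policy and a bucket policy, as an added illustration that is not AWS's policy engine or the simulator itself: an explicit Deny in any applicable policy wins, otherwise a matching Allow grants the request, otherwise the request is implicitly denied. The sample user and bucket policies below are constructed here; Condition keys, NotAction/NotResource and Principal matching are left out, so the policies passed in are assumed to be the ones that apply to the caller.

```python
"""Toy IAM policy evaluator (added example, not AWS code).

Evaluation order for the policies that apply to one principal in one account:
any matching explicit Deny wins, otherwise any matching Allow grants access,
otherwise the result is an implicit deny. 'Action' and 'Resource' support
IAM's '*' and '?' wildcards; actions match case-insensitively, ARNs exactly.
Conditions, NotAction/NotResource and Principal matching are out of scope.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    return fnmatch.fnmatchcase(resource, pattern)


def evaluate(policies, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one action on one ARN."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
                continue
            if not any(_resource_matches(p, resource) for p in _as_list(stmt.get("Resource", "*"))):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"      # a Deny anywhere overrides every Allow
            allowed = True                 # keep scanning: a later Deny could still win
    return "Allow" if allowed else "ImplicitDeny"


# Constructed identity-based policy on the user: read-only access to one bucket.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"],
    }],
}

# Constructed bucket policy on app-logs: nothing under secret/ may be touched,
# whatever the caller's user policy allows.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::app-logs/secret/*",
    }],
}


def simulate(policies, requests):
    """Evaluate a batch of (action, resource) pairs, like one policy simulator run."""
    return {(a, r): evaluate(policies, a, r) for a, r in requests}


if __name__ == "__main__":
    for req, verdict in simulate([USER_POLICY, BUCKET_POLICY], [
            ("s3:GetObject", "arn:aws:s3:::app-logs/2024/app.log"),
            ("s3:GetObject", "arn:aws:s3:::app-logs/secret/creds.json"),
            ("s3:DeleteObject", "arn:aws:s3:::app-logs/2024/app.log"),
    ]).items():
        print(req, "->", verdict)
```

The point worth remembering from the run: the user policy alone would allow reading secret/creds.json, and only the bucket policy's Deny stops it, which is why resource-based policies are the right place for guardrails that must hold regardless of who is granted what.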
Security:
What is a service that discovers, classifies, and protects sensitive data such as personally identifiable information (PII) or intellectual property?
Amazon Macie
Security:
What is a threat detection service that continually monitors for malicious activity to protect your AWS account?
Amazon GuardDuty
Security:
What prevents unauthorized or accidental permanent deletion of Amazon S3 objects?
Enable S3 Versioning with MFA Delete on the bucket; permanently deleting an object version or changing the bucket's versioning state then requires a valid MFA code in the request.
Security:
How would a company control the traffic going in and out of their VPC subnets?
Network Access Control Lists (NACL)
Security:
What acts as a virtual firewall in AWS that controls traffic at the EC2 instance level?
Security Group
Security:
Where would you set up an automated security assessment service to improve the security and compliance of your applications?
Amazon Inspector
Technology:
What would the company use if they need to use the AWS global network to improve availability of deployed applications on AWS using an anycast static IP address?
AWS Global Accelerator
Technology:
If you need to securely transfer hundreds of petabytes of data in/out of AWS cloud, what would you use?
AWS Snowball Edge
Technology:
What is a type of EC2 instance that allows you to use your existing server-bound software licenses?
Dedicated Host
Technology:
What is a service that allows you to continuously monitor and log account activities such as the user actions made from the AWS Management Console and AWS SDKs?
AWS CloudTrail
Technology:
What is a highly available and scalable cloud DNS web service in AWS?
Amazon Route 53
Technology:
How would you store the results of I/O intensive SQL database queries to improve application performance?
Amazon ElastiCache
Technology:
What is a combination of AWS services that allow you to serve static files with lowest possible latency?
Amazon S3
Amazon CloudFront
Technology:
How would you automatically scale the capacity of an AWS cloud resource based on the incoming traffic to improve availability and reduce failures?
AWS Auto Scaling
Technology:
What would a company use to migrate an on-prem MySQL database to Amazon RDS?
AWS Database Migration Service (DMS)
Technology:
How would you automatically transfer your infrequently accessed data in your S3 bucket to a more cost-effective storage class?
S3 Lifecycle Policy
Technology:
What would you use to upload a single object as a set of parts to improve throughput and have a quicker recovery from any network issues?
The Multipart Upload API
Technology:
What would a company use to establish a dedicated connection between their on-premises network and an AWS VPC?
AWS Direct Connect
Technology:
What is a Machine Learning service that allows you to add a visual analysis feature to your applications?
Amazon Rekognition
Technology:
What is a source control service that allows you to host Git-based repositories?
AWS CodeCommit
Technology:
What is a service that can trace user requests in your application?
AWS X-Ray
Technology:
What would a company use to retrieve the instance ID, public keys, and public IP address of their EC2 instance from inside the instance?
Instance metadata (the Instance Metadata Service, IMDS). Prefer IMDSv2, which requires a session token obtained with a PUT request, so a simple SSRF-style GET cannot read it.
Technology:
If you need to speed up the content delivery of static assets to your customers around the globe, what would you use?
Amazon CloudFront
Technology:
How would you create and deploy infrastructure-as-code templates?
AWS CloudFormation
Technology:
What would you use to encrypt the log data stored and managed by AWS CloudTrail?
AWS Key Management Service (AWS KMS)
Technology:
What is a database service that can be used to store JSON documents?
Amazon DynamoDB
Billing:
Who is the designated technical point of contact that helps you maintain an operationally healthy AWS environment?
Technical Account Manager (TAM), included with Enterprise Support
Billing:
What is a tool that inspects your AWS environment and makes recommendations that follow AWS best practices?
AWS Trusted Advisor
Billing:
What would a startup use to estimate their cost of moving their application to AWS?
AWS Pricing Calculator
Billing:
How would you set Reserved Instance or Savings Plans coverage and utilization targets and receive alerts when they drop below the target?
AWS Budgets (utilization and coverage budgets)
Billing:
What is a type of Reserved Instance that allows you to change its instance family, instance type, platform, scope, or tenancy?
Convertible Reserved Instance
Billing:
What lets you take advantage of unused EC2 capacity in the AWS cloud and provide up to a 90% discount?
Spot Instances
Billing:
Where would you go to centrally manage policies and consolidate billing across multiple AWS accounts?
AWS Organizations
Billing:
What is the most cost-efficient storage option for retaining database backups that allow occasional data retrieval in minutes?
Amazon S3 Glacier (Flexible Retrieval); expedited retrievals complete in minutes
Billing:
Where would you forecast future costs and usage of your AWS resources based on your past consumption?
AWS Cost Explorer
Billing:
How would you categorize and track AWS costs on a detailed level?
Cost Allocation tags
Billing:
If a company needs to launch more VPCs than the default service quota (limit) allows, what would they do?
Request a service quota increase through the AWS Support Center (or the Service Quotas console)
Billing:
What is the most cost-effective option when you purchase a Reserved Instance for a 1-year term?
All Upfront
Billing:
What would you do to combine usage volume discounts of your multiple AWS accounts?
Consolidated Billing
Billing:
Where would you sell your catalog of custom Amazon Machine Images (AMIs) in AWS?
AWS Marketplace
What are valid security group rules?
Security groups accept a single IP address, a CIDR range, a prefix list, or a security group ID as the source (inbound rules) or destination (outbound rules)
Example:
Inbound RDP rule with address range as source
Inbound HTTP rule with security group ID as source
What does Operational Excellence focus on?
Running and monitoring systems to deliver business value and continually improve processes and procedures
What does Performance efficiency focus on?
Ability to use computing resources efficiently to meet system requirements and maintain that as demand and tech evolves.
What is AWS Shield?
A DDoS protection service with always-on detection.
Two tiers: Standard and Advanced.
Shield Standard is enabled for all customers at no charge.
When used with CloudFront and Route 53, it protects against infrastructure-layer (layer 3 and 4) attacks.
What does a security group do?
Acts as a virtual firewall that controls inbound and outbound traffic.
It works at the instance level (attached to the instance's network interface); by default up to 5 security groups can be attached to one interface.
You add rules to control inbound traffic and separate rules to control outbound traffic.
Describe SNS
Messaging service that can provide topics for high-throughput, push-based, many-to-many messaging.
Can even be used to fan out notifications for SMS and email.
Reserved instances can be bought for which services?
EC2, RDS, ElastiCache, Redshift, and DynamoDB (reserved capacity)
What is an account alias?
Substitute for the account ID in the web address for your account.
What service to be used for static websites?
Amazon S3 lets you host a static website
Instance Tags
Own metadata in the form of tags applied to an instance
Multipart Upload API is part of what cloud best practice?
Think Parallel
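Multipart upload as the "Think Parallel" principle in practice, as an added example that simulates the S3 part API locally rather than calling the AWS SDK: parts go up concurrently, a part that hits a network error is retried on its own instead of restarting the whole object, and the result is checked against the ETag S3 assigns to a multipart object (the MD5 of the concatenated binary part MD5s, followed by a dash and the part count). The in-memory bucket, the injected failure, and the sample payload are all constructed here.

```python
"""Multipart upload simulated locally (added example; not the AWS SDK).

Parts are uploaded in parallel; a failed part is retried by itself; the final
ETag is md5(concat(raw part md5s)) + '-' + part count, which is what S3 reports
for a multipart object and what you compare against to verify the upload.
"""
import hashlib
import threading
from concurrent.futures import ThreadPoolExecutor

PART_SIZE = 5 * 1024 * 1024   # S3 requires every part except the last to be at least 5 MiB


def multipart_etag(part_etags):
    """S3's ETag for a multipart object: md5 of the raw part digests, '-', part count."""
    raw = b"".join(bytes.fromhex(e) for e in part_etags)
    return f"{hashlib.md5(raw).hexdigest()}-{len(part_etags)}"


def split_parts(data, part_size=PART_SIZE):
    """Number parts from 1, as the S3 API does."""
    return [(n, data[off:off + part_size])
            for n, off in enumerate(range(0, len(data), part_size), start=1)]


class FlakyBucket:
    """Stand-in for an S3 bucket that fails the first attempt of selected parts."""

    def __init__(self, fail_once=()):
        self.parts = {}
        self.fail_once = set(fail_once)
        self.attempts = 0
        self._lock = threading.Lock()

    def upload_part(self, part_number, data):
        with self._lock:                       # workers call this concurrently
            self.attempts += 1
            failing = part_number in self.fail_once
            self.fail_once.discard(part_number)
        if failing:
            raise ConnectionError(f"simulated network error on part {part_number}")
        self.parts[part_number] = data
        return hashlib.md5(data).hexdigest()   # S3 returns the part's MD5 as its ETag

    def complete(self, part_etags):
        """Like CompleteMultipartUpload: assemble the parts in number order."""
        body = b"".join(self.parts[n] for n in sorted(self.parts))
        return body, multipart_etag(part_etags)


def upload_part_with_retry(bucket, part_number, data, attempts=3):
    for attempt in range(1, attempts + 1):
        try:
            return part_number, bucket.upload_part(part_number, data)
        except ConnectionError:
            if attempt == attempts:
                raise                          # give up on this part only; others are unaffected


def upload_multipart(bucket, data, part_size=PART_SIZE, workers=4):
    """Upload data as parallel parts; return (assembled body, ETag, part count)."""
    parts = split_parts(data, part_size)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: upload_part_with_retry(bucket, *p), parts))
    results.sort()                             # ETag order must follow part-number order
    body, etag = bucket.complete([etag for _, etag in results])
    return body, etag, len(parts)


if __name__ == "__main__":
    payload = bytes(range(256)) * 40_000      # ~10 MiB constructed object, two parts
    bucket = FlakyBucket(fail_once={2})
    body, etag, count = upload_multipart(bucket, payload)
    assert body == payload
    print(f"{count} parts, ETag {etag}, {bucket.attempts} part uploads")
```

A practical consequence of the ETag format: the same bytes uploaded with a different part size produce a different ETag, so to verify an object you must compute the expected value with the part size the uploader used, or store your own checksum in object metadata.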
What does an application load balancer do?
Application Load balancer operates at the request level and can register lambda functions as targets with listener rules to forward requests.
What is an ELB Health Check?
The load balancer periodically sends requests to its registered targets to test their status.
Requests are routed only to healthy targets; a target must pass the configured number of consecutive health checks (the healthy threshold) before it receives traffic.
If you cannot reach an EC2 instance through an ELB, a common cause is that the load balancer has marked it unhealthy (check the health check path and port and the instance's security group rules).
What is AWS Elastic Beanstalk?
An easy-to-use service to deploy and scale web applications: you upload your code and Elastic Beanstalk handles the deployment.
Capacity provisioning, load balancing, auto scaling, and application health monitoring are covered.
It is the fastest way to deploy a web application on AWS without managing the underlying resources yourself.
How would you connect your AWS VPC to your local network through an IPsec tunnel?
Use AWS Site-to-Site VPN: a virtual private gateway attached to the VPC, connected to a customer gateway that represents the on-premises VPN device.
The customer gateway is the anchor on the customer side, while the virtual private gateway is the anchor on the AWS side.
Can enable access to remote network from VPC by:
- Attach virtual private gateway to VPC
- Create custom route table
- Update security group rules
- Create Site to Site VPN connection
- Configure routing to pass traffic through
Key part is that the Site-to-site VPN supports Internet Protocol Security (IPsec) VPN connections.
Can a subnet span Availability zones?
No, it must reside entirely within one AZ
Which infrastructure corresponds to a VPC’s subnet?
Availability Zone
For EBS, what are SSDs used for?
Small, random I/O operations
Best for transactional workloads
Best for critical business applications that require sustained IOPS performance
Higher cost
Dominant performance attribute is IOPS
For EBS, what are HDDs used for?
Large, sequential I/O operations
Best for large streaming workloads requiring consistent, fast throughput
Big data, data warehouses, and log processing are good use cases
Best for throughput-oriented storage with large volumes of infrequently accessed data
Low cost
Dominant performance attribute is throughput
What can be used to deploy and roll back a web application from Git to an on-premises server?
AWS OpsWorks
How can RDS production instances be made more cost-effective when run for a long period of time?
Use reserved DB instances
What is CloudTrail?
It logs, monitors, and retains a record of account activity: the API calls made in AWS, whoever or whatever made them.
It records and stores this activity automatically.
A trail can cover all regions (the default and recommended setting) or be limited to a single region.
How do you create point-in-time backups of EBS volumes?
Create EBS snapshots.
Snapshots are stored in Amazon S3 and are incremental: only the blocks that changed since the previous snapshot are saved.
You can take a snapshot while the EC2 instance is running (pause writes or unmount the volume first if you need an application-consistent copy).
What is tied to an AZ where it was launched?
EBS volume can only be attached to instances in the same AZ.
What are zonal services in AWS?
EC2 instances
EBS volumes, which are tied to the AZ in which they were created
What does Amazon Detective do?
Collects log data from AWS services and uses machine learning, statistical analysis, and graph theory to build a linked set of data for faster, more efficient security investigations
What is Amazon Pinpoint?
AWS's digital user engagement service for reaching and measuring customers across channels such as email, SMS, and mobile push
It can segment audiences and manage campaigns, scheduling, templates, A/B testing, and analytics.
What are AWS Step Functions?
They provide serverless workflow orchestration: an application is broken into multiple steps (a state machine), and the flow and each step's inputs and outputs are tracked.
The service maintains application state and keeps a log of the data passed between steps.
The workflow can be updated independently of the business logic inside each step.
When to use SQS?
To have a durable storage for application events and messages and to decouple parts of system for better fault tolerance
What is used to control traffic at the subnet level of a VPC?
Network ACLs (NACLs); security groups provide the complementary instance-level control
What characteristics do Dedicated Hosts have that Dedicated Instances do not?
Both run on dedicated physical servers.
Both support automatic instance placement.
Only Dedicated Hosts have:
- Per-host billing
- Visibility of sockets, cores, and host ID
- Affinity between a host and an instance
- Targeted instance placement
- Adding capacity using an allocation request
What API is used to change the AZ, scope, instance size (within the same family), or networking type of a Standard Reserved Instance?
ModifyReservedInstances
What API is used to exchange a Convertible Reserved Instance for one with different attributes?
GetReservedInstancesExchangeQuote followed by AcceptReservedInstancesExchangeQuote
What can Convertible Reserved Instances do that Standard Reserved Instances cannot?
Change instance family, operating system, tenancy, and payment option through an exchange.
Benefit from price reductions by exchanging into a newer, cheaper offering.
What are services corresponding to File System needs?
Amazon Elastic File System (EFS), since S3 is object storage with a flat namespace rather than a file system
What services provide structured data with querying capabilities?
DynamoDB, RDS, or CloudSearch can be paired with S3 to index and query metadata
What services provide storage for rapidly changing data?
Key thing to note is that the solution must take read and write latencies into account.
EBS, RDS, DynamoDB, EFS are all good options
Also, any kind of relational database up and running on EC2 will work for this.
What is good for dynamic website hosting?
Most dynamic websites need some level of database interaction or server-side scripting, so they run on compute such as EC2 (with a database like RDS or DynamoDB); EFS can provide shared file storage across the instances.
Note that S3 is for static content websites.
How can you monitor estimated AWS charges?
Use CloudWatch billing alarms on the EstimatedCharges metric (billing alerts must be enabled first; the metric is published in the us-east-1 region)
How can you deploy an application to your on-premise servers?
Use OpsWorks and CodeDeploy
What level is a security group at?
At the EC2 level
What level is a NACL?
At the subnet level
What are some key differences between security groups and NACLs?
Security group vs. NACL:
- Operates at the EC2 instance (network interface) level vs. the subnet level
- Supports Allow rules only vs. supports Allow and Deny rules
- Stateful (return traffic is allowed automatically) vs. stateless (return traffic must be explicitly allowed by a rule, typically on the ephemeral port range)
- All rules are evaluated together with no ordering vs. rules are evaluated in order of rule number, lowest first, and the first match decides
- Default quota of 5 groups per network interface vs. exactly 1 NACL per subnet
- Default quota of 60 inbound and 60 outbound rules per group vs. 20 inbound and 20 outbound rules per NACL (both adjustable)
- A new security group allows all outbound and no inbound traffic by default vs. a custom NACL denies all traffic until rules are added (the VPC's default NACL allows everything)
- Associated with network interfaces vs. associated with subnets: one NACL can cover several subnets, but each subnet has exactly one NACL
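The stateful-versus-stateless and ordered-versus-unordered differences above, modelled in plain Python as an added illustration that is not AWS code. A security group is an unordered set of Allow-only rules with connection tracking, so a reply to accepted traffic passes even when every outbound rule has been removed; a network ACL is a numbered Allow/Deny list evaluated lowest number first, ending in an implicit deny, with no memory of inbound traffic, so the reply on an ephemeral port is dropped unless an outbound rule covers it. The rule sets, addresses and packets below are constructed for the example.

```python
"""Security group vs. network ACL evaluation, modelled locally (added example).

Security group: Allow-only rules, no ordering, stateful (simplified conntrack).
Network ACL: numbered Allow/Deny rules, lowest number first, first match wins,
implicit deny at the end, stateless.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    peer: str            # remote IP: source when inbound, destination when outbound
    port: int            # destination port of the packet in its direction of travel
    proto: str = "tcp"


def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


class SecurityGroup:
    """Rules are (proto, from_port, to_port, cidr); order is irrelevant."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.established = set()   # peers admitted by an inbound rule

    @staticmethod
    def _match(rules, pkt):
        return any(proto == pkt.proto and lo <= pkt.port <= hi and in_cidr(pkt.peer, cidr)
                   for proto, lo, hi, cidr in rules)

    def allows_inbound(self, pkt):
        ok = self._match(self.inbound, pkt)
        if ok:
            self.established.add(pkt.peer)
        return ok

    def allows_outbound(self, pkt):
        # Stateful: a reply to an established flow passes even with no outbound rules.
        return pkt.peer in self.established or self._match(self.outbound, pkt)


class NetworkAcl:
    """Rules are (number, action, proto, from_port, to_port, cidr)."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = sorted(inbound), sorted(outbound)

    @staticmethod
    def _evaluate(rules, pkt):
        for _num, action, proto, lo, hi, cidr in rules:      # lowest rule number first
            if proto in (pkt.proto, "all") and lo <= pkt.port <= hi and in_cidr(pkt.peer, cidr):
                return action == "allow"                      # first match wins, allow or deny
        return False                                          # the implicit '*' deny rule

    def allows_inbound(self, pkt):
        return self._evaluate(self.inbound, pkt)

    def allows_outbound(self, pkt):
        return self._evaluate(self.outbound, pkt)             # stateless: no memory of inbound


def https_session(sg, nacl, client_ip="203.0.113.10", client_port=54321):
    """Walk one HTTPS request and its reply through a security group and a NACL."""
    request = Packet(peer=client_ip, port=443)            # client -> instance
    reply = Packet(peer=client_ip, port=client_port)      # instance -> client, ephemeral port
    return {
        "sg_request": sg.allows_inbound(request),
        "sg_reply": sg.allows_outbound(reply),
        "nacl_request": nacl.allows_inbound(request),
        "nacl_reply": nacl.allows_outbound(reply),
    }


ANY = "0.0.0.0/0"
# Web security group with every outbound rule removed: replies still flow (stateful).
WEB_SG_RULES = dict(inbound=[("tcp", 443, 443, ANY)], outbound=[])
# NACL that allows 443 in but lacks the ephemeral-port outbound rule: replies are dropped.
NACL_MISSING_EPHEMERAL = NetworkAcl(inbound=[(100, "allow", "tcp", 443, 443, ANY)],
                                    outbound=[(100, "allow", "tcp", 443, 443, ANY)])
# Corrected NACL: outbound rule for the ephemeral range 1024-65535.
NACL_FIXED = NetworkAcl(inbound=[(100, "allow", "tcp", 443, 443, ANY)],
                        outbound=[(100, "allow", "tcp", 1024, 65535, ANY)])
# A deny numbered below the allow blocks one /24; numbered above it, it would never match.
NACL_BLOCKLIST = NetworkAcl(inbound=[(50, "deny", "all", 0, 65535, "203.0.113.0/24"),
                                     (100, "allow", "tcp", 443, 443, ANY)],
                            outbound=[(100, "allow", "tcp", 1024, 65535, ANY)])

if __name__ == "__main__":
    for name, nacl in [("missing ephemeral rule", NACL_MISSING_EPHEMERAL),
                       ("fixed", NACL_FIXED), ("blocklist", NACL_BLOCKLIST)]:
        print(name, https_session(SecurityGroup(**WEB_SG_RULES), nacl))
```

The first run is the classic "security group looks right but nothing connects" symptom: the request reaches the instance, the security group lets the reply out, and the NACL silently drops it on the ephemeral port.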
Among the storage types (file, object, block), which one is replicated only within a single AZ rather than across multiple AZs?
Block storage: an Amazon EBS volume is replicated within its Availability Zone only (S3 and EFS store data across multiple AZs)
What are some NoSQL data models?
Document, graph, key-value, in-memory, and search
What are the ACID properties that relational databases provide?
Atomicity - a transaction either completes entirely or has no effect at all
Consistency - a transaction takes the database from one valid state to another; data must conform to the schema and its constraints
Isolation - concurrent transactions do not interfere with each other; each sees a consistent view as if it ran alone
Durability - once committed, changes survive crashes and power loss; the database recovers to its last committed state
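The four properties exercised against a real relational engine, as an added example that is not part of the deck: SQLite ships with Python, so this runs offline against a temporary file. The ledger schema and the transfers are constructed here. A transfer that fails halfway is rolled back entirely (atomicity), a CHECK constraint refuses an overdraft (consistency), a second connection cannot see an uncommitted update (isolation), and committed rows survive closing and reopening the file (durability).

```python
"""ACID properties shown with SQLite (added example; sqlite3 is in the standard library)."""
import os
import sqlite3
import tempfile

SCHEMA = """CREATE TABLE accounts (
    id      TEXT PRIMARY KEY,
    balance INTEGER NOT NULL CHECK (balance >= 0)   -- the consistency rule
)"""


def open_db(path):
    # isolation_level=None: no implicit transactions; BEGIN/COMMIT/ROLLBACK are issued explicitly
    return sqlite3.connect(path, isolation_level=None)


def init(conn):
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])


def transfer(conn, src, dst, amount):
    """Move amount from src to dst as one transaction. Returns True if committed."""
    try:
        conn.execute("BEGIN")
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        cur = conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
        if cur.rowcount != 1:
            raise ValueError(f"unknown account {dst!r}")
        conn.execute("COMMIT")
        return True
    except (sqlite3.IntegrityError, ValueError):
        conn.execute("ROLLBACK")     # atomicity: the debit that already ran is undone too
        return False


def balances(conn):
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


def run_demo(path=None):
    """Exercise all four properties and return what each step observed."""
    path = path or os.path.join(tempfile.mkdtemp(), "ledger.db")
    conn = open_db(path)
    init(conn)
    out = {
        "ok_transfer": transfer(conn, "alice", "bob", 30),      # alice 70, bob 80
        "overdraft": transfer(conn, "alice", "bob", 500),       # CHECK fails: nothing changes
        "bad_account": transfer(conn, "alice", "nobody", 10),   # debit applied, then rolled back
    }
    out["after"] = balances(conn)
    # Isolation: update inside an open transaction without committing ...
    conn.execute("BEGIN")
    conn.execute("UPDATE accounts SET balance = 0 WHERE id = 'alice'")
    other = open_db(path)
    out["seen_by_other"] = balances(other)["alice"]             # ... another connection still sees 70
    other.close()
    conn.execute("ROLLBACK")
    # Durability: committed rows are still there after closing and reopening the file
    conn.close()
    reopened = open_db(path)
    out["durable"] = balances(reopened)
    reopened.close()
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The "bad_account" case is the one that matters for security-sensitive ledgers: without the explicit ROLLBACK the debit would persist while the credit never happened, which is exactly the kind of partial write that ACID transactions exist to prevent.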
What are relational databases’ performance most dependent on?
The disk subsystem along with optimization of queries, indexes, and table structure.
What are NoSQL databases’ performance most dependent on?
Hardware cluster size, network latency, calling application
How do relational databases scale vs. NoSQL?
Relational databases scale up by increasing the compute of the underlying hardware and scale out reads by adding replicas
NoSQL databases are partitionable via key-value access patterns and scale out horizontally using a distributed architecture
How are NoSQL databases interfaced with?
Through object-based APIs that store and retrieve data structures (items or documents) addressed by a partition key.
What are NoSQL databases particularly a good choice for?
High throughput, low-latency use-cases that scale horizontally beyond a single instance.
Which RDS engine lets you bring your own license?
Oracle
What does AWS automatically handle for you?
- Securing AWS data centers from environmental hazards
- Introducing updates and patches to EC2 hypervisors
Note that running a web application firewall, patching the guest operating system, and replicating data between AZs are the customer's responsibility, not handled automatically.
Expense shifting when moving to the cloud?
Capital expense traded for variable expense
Why are AZs separated by a meaningful distance from each other?
So that a single disaster (fire, flood, power or network failure) is unlikely to affect more than one AZ, while keeping them close enough for low-latency synchronous replication between them
If many customers time out from the website when running an auto-scaling group of EC2 instances and the group has stopped adding new instances, which of the Trusted Advisor categories will give more insight on this?
Performance - helps improve speed and responsiveness of applications
Service Limits - shows when usage is more than 80% of the service limit. The number of instances may have hit a limit and therefore no more are being provisioned.
Note that Fault Tolerance highlights redundancy shortfalls, service limits, and over-utilized resources
What is a good disaster recovery precaution when launching dynamic web applications with mission-critical workloads that need to be available all the time?
Launch applications in 2 different regions to prevent downtime during regional outages
What makes it easier to set up the entire dev and CD toolchain for coding, building, testing, and deploying application code?
AWS CodeStar. It even has integrated issue tracking with Jira.
CodePipeline automates release pipelines but does not provide the entire development and CD toolchain.
What are the benefits of using DynamoDB as the database?
Stores semi-structured (key-value and document) data without a fixed schema
Scales throughput and storage automatically, so you need not worry about capacity
Note that Amazon Aurora is the self-healing database, not DynamoDB.
What compliance requirement has AWS achieved that allows handling of medical information?
HIPAA
What is PCI DSS?
Set of security standards for credit card information
What is SOC 1?
Report on controls at a service organization that are relevant to its customers' internal control over financial reporting
What is SOC 2?
Report on controls relevant to the security, availability, processing integrity, confidentiality, and privacy of a system (the Trust Services Criteria)
What S3 actions do not incur data transfer charges?
Uploading objects into S3: data transfer in is free (request and storage charges still apply).
Note that moving objects between buckets incurs request charges, and data transfer charges as well if the buckets are in different regions.
What is S3 Standard-IA for?
Long-lived and infrequently accessed data. Note that IA stands for Infrequent Access.
What is S3 One Zone-IA for?
Same as Standard-IA but stored in a single AZ, so it is cheaper and suited only to non-critical or easily reproduced data
What is S3 Reduced Redundancy for?
Frequently accessed but non-critical data (a legacy class; it is no longer recommended because S3 Standard is now cheaper and more durable)
What is S3 Intelligent-tiering?
Long-lived data with changing or unknown access patterns
What is S3 Glacier for?
Long-term archival data, with retrieval times from minutes (expedited) to hours (standard and bulk)
What is S3 Glacier Deep Archive for?
Long-term archival data that is rarely accessed, at the lowest storage cost, with standard retrieval within 12 hours
What are some main differences between IaaS, PaaS, and SaaS?
SaaS: The vendor manages everything, including the application; the customer only uses it and manages their own data and settings.
PaaS: The customer manages the application code and data; the runtime, middleware, operating system, virtualization, servers, storage, and networking are managed by the vendor.
IaaS: The customer also takes on the runtime, middleware, and operating system (including its patching); virtualization, servers, storage, and networking are managed by AWS.
What is a database that is self-healing with a high throughput?
Amazon Aurora
If a customer wants to further secure his network beyond security groups and NACLs, what can he use?
AWS WAF and Amazon GuardDuty
GuardDuty is a threat detection service that keeps monitoring for threats and analyzes events across CloudTrail, VPC Flow Logs, and DNS logs.
WAF is a web app firewall that protects web apps from threats. Can customize rules that block common attack patterns.
Note that AWS KMS creates and manages encryption keys; it does not detect or block threats.
What can monitor the compliance status of your AWS resources against a set of guidelines?
AWS Config. It records the configurations and lets you automate evaluation of these configs against desired configs.
If a MariaDB RDS instance has high memory consumption during peak hours while handling write-intensive operations, what would you do to resolve this?
Scale the instance vertically (move to a larger DB instance class). Horizontal scaling with read replicas only offloads reads, so it does not help a write-heavy workload.
Note that scaling a relational database horizontally for writes is difficult and requires sharding or a purpose-built orchestrator.
What offers better read/write and temporary block level storage for your instance?
Instance Store. It is located on disks that are physically attached to the host computer.
Note that EBS and EFS are persistent storage, not temporary.
What do you inherit from AWS after signing up?
Best practices of AWS policies, architecture, and operational processes