Cram Deck

Question 1

Benefits of Cloud Computing

Answer 1

Opex vs. Capex, Running data center, capacity guessing, massive economies of scale, increase speed and agility, global in minutes

Question 2

EC2

Answer 2

Elastic compute cloud. General purpose, compute optimized, memory optimized, accelerated, storage optimized

Question 3

EC2: General Purpose

Answer 3

balance of compute, memory, networking. Application servers, gaming servers, backend servers for enterprise applications, small and medium databases

Question 4

EC2: Compute Optimized

Answer 4

High performance processing. high performance web servers, compute intensive applications servers, and dedicated gaming servers, batch processing workloads that require processing many transactions in a single group

Question 5

EC2: Memory Optimized

Answer 5

fast performance for workloads that process large datasets in memory. workload that requires large amounts of data to be preloaded before running an application. This scenario might be a high performance database or a workload that involves performing real time processing of a large amount of unstructured data.

Question 6

EC2: Accelerated Computing

Answer 6

hardware accelerators, or coprocessors, to perform some functions more efficiently than is possible in software running on CPUs. floating point number calculations, graphics processing, and data pattern matching.

Question 7

EC2: Storage Optimized

Answer 7

require high, sequential read and write access to large datasets on local storage.

distributed file systems, data warehousing applications, and high frequency online transaction processing (OLTP) systems.

Storage optimized instances are designed to deliver tens of thousands of low latency, random IOPS to applications.

Question 8

IOPS

Answer 8

input/output operations per second

performance of a storage device.

Question 9

EC2 Pricing Models

Answer 9

On demand, 
  EC2 savings plans,
  reserved instances, 
  spot instances, 
  dedicated hosts.

Question 10

EC2: On Demand Pricing

Answer 10

short term, irregular workloads that cannot be interrupted.
No upfront costs or minimum contracts apply.
run continuously until stopped
pay for compute time used
applications that have unpredictable usage patterns
not for work lasting > year (use Reserved Instances).

Question 11

EC2: Savings Plans Pricing

Answer 11

1 - 3 year term.

savings of up to 72% over On Demand costs.

Question 12

EC2: Reserved Instances Pricing

Answer 12

Standard, Convertible, Scheduled
Standard & Convertible for 1 - 3 year
Scheduled Reserved Instances for a 1 year term.

greater cost savings with the 3 year option.

Question 13

EC2: Spot Instances Pricing

Answer 13

For flexible start and end times, or that can withstand interruptions.
cost savings at up to 90% vs. On Demand

2-Minute Warning before stop/hibernate/terminate

Question 14

EC2: Dedicated Hosts Pricing

Answer 14

physical servers with Amazon EC2 instance capacity that is fully dedicated to your use.
use your existing per socket, per core, or per VM software licenses.
On Demand Dedicated Hosts and Dedicated Hosts Reservations.
Dedicated Hosts are the most expensive.

Question 15

EC2 Auto Scaling

Answer 15

automatically add or remove Amazon EC2 instances in response to changing application demand.

Dynamic scaling responds to changing demand.
Predictive scaling automatically schedules on predicted demand.
Can set minimum capacity, desired capacity, and maximum capacity

Question 16

Elastic Load Balancing

Answer 16

automatically distributes incoming application traffic across multiple resources, such as Amazon EC2 instances.

Question 17

Amazon SNS

Answer 17

Simple Notification Service is a publish/subscribe service. NS topics, a publisher publishes messages to subscribers. subscribers can be web servers, email addresses, AWS Lambda functions, etc.

Question 18

Amazon SQS

Answer 18

Simple Queue Service.
send, store, and receive messages between software components, without losing messages or requiring other services to be available.

Question 19

Serverless Computing

Answer 19

code runs on servers, but you do not need to provision or manage these servers.
focus more on innovating new products and features instead of maintaining servers.
AWS Lambda, fargate, sqs, sns, s3, etc.

Question 20

AWS Lambda

Answer 20

Run code without provision or manage servers.
pay only for the compute time that you consume.
E.G. automatically resizing uploaded images to the AWS Cloud.

Question 21

Containers

Answer 21

package application code and dependencies into a single object.
can also use containers for processes and workflows in which there are essential requirements for security, reliability, and scalability.

Question 22

Amazon ECS

Answer 22

Elastic Container Service.
highly scalable, high performance container management system that enables you to run and scale containerized applications on AWS.
supports Docker containers.

Question 23

Amazon EKS

Answer 23

Elastic Kubernetes Service. fully managed service that you can use to run Kubernetes on AWS.

Question 24

Kubernetes

Answer 24

open source software that enables you to deploy and manage containerized applications at scale. A large community of volunteers maintains Kubernetes, and AWS actively works together with the Kubernetes community.

Question 25

AWS Fargate

Answer 25

serverless compute engine for containers. It works with both Amazon ECS and Amazon EKS. do not need to provision or manage servers. AWS Fargate manages your server infrastructure for you.

Question 26

AWS Regions

Answer 26

consists of multiple, isolated, and physically separate AZ’s within a geographic area. 24 regions today. Select based on compliance, proximity, available services, pricing.

Question 27

AWS AZs

Answer 27

Availability Zones. 77 globally. is a single data center or a group of data centers within a Region. located tens of miles apart from each other, close for low latency between AZs, but distant enough to reduce the chance disaster affects multiple AZs.

Question 28

Edge Locations

Answer 28

a site that Amazon CloudFront uses to store cached copies of your content

Question 29

AWS Management Console

Answer 29

a web based interface for accessing and managing AWS services. can also use the AWS Console mobile application. Multiple identities can stay logged into the AWS Console mobile app at the same time.

Question 30

AWS Command Line Interface

Answer 30

enables you to control multiple AWS services directly from the command line within one tool. AWS CLI is available for users on Windows, macOS, and Linux. Can automate the actions that your services and applications perform through scripts.

Question 31

AWS SDK

Answer 31

Software Development Kits. use AWS services through an API designed for your programming language or platform. Supported programming languages include C++, Java, .NET, and more.

Question 32

AWS Elastic Beanstalk

Answer 32

you provide code and configuration settings for web apps, and Elastic Beanstalk deploys the resources necessary to perform the following tasks: Adjust capacity, load balancing, automatic scaling, application health monitoring.

Question 33

AWS CloudFormation

Answer 33

treat your infrastructure as code. you can build an environment by writing lines of code instead of using the AWS Management Console to individually provision resources..

Question 34

Amazon VPC

Answer 34

Virtual Private Cloud. A networking service. enables you to provision an isolated section of the AWS Cloud. VPCs connected via IG, VPG, AWS DC. Resources in VPC organized into subnets.

Question 35

IG

Answer 35

Internet Gateway. A connection between a VPC and the internet.

Question 36

VPG

Answer 36

Virtual Private Gateway. allows protected internet traffic from approved networks into VPC. enables virtual private network (VPN) connection.

Question 37

AWS DC

Answer 37

Direct Connect. establish a dedicated private connection between your data center and a VPC.

Question 38

Subnets

Answer 38

Public and Private subnets. Networking organization within VPC.

Question 39

ACL

Answer 39

Access Control List. Virtual firewall in VPC. checks packet permissions for subnets. Default allows all in/out traffic. Custom network ACLs in/out denied until rules added. All ACLs Explicit Deny… if no matching rule, is denied.

Question 40

Stateless Filtering

Answer 40

Network ACLs perform stateless packet filtering. They remember nothing and check packets that cross the subnet border each way: inbound and outbound.

Question 41

Security Groups

Answer 41

a virtual firewall that controls inbound and outbound traffic for an Amazon EC2 instance. By default, a security group denies all inbound traffic and allows all outbound traffic. Multiple Amazon EC2 instances within a subnet can be same SG or different SGs.

Question 42

Stateful Filtering

Answer 42

Security groups perform stateful packet filtering. They remember previous decisions made for incoming packets.

Question 43

DNS

Answer 43

Domain Name System. Phone book for the internt. Matches domain names with IP addresses.

Question 44

Amazon Route 53

Answer 44

Is a DNS web service. Connects user requests to infrastructure running in AWS. Can register domain names with R53 and transfer DNS records for existing domain names managed by other domain registrars.

Question 45

Amazon EBS

Answer 45

Elastic block store.
block level storage for EC2.
if EC2 instance terminated, data on EBS volume remains available.
incremental backups of EBS volumes via creating Amazon EBS snapshots.
Single AZ.

Question 46

Instance Store

Answer 46

temporary block storage for EC2 instance.
physically attached to EC2 host
same lifespan as EC2 instance.
data in instance store lost at EC2 termination.

Question 47

EBS Snapshot

Answer 47

Elastic Block Store incremental backup.

Question 48

Amazon S3

Answer 48

Simple Storage Service
Object level storage in buckets.
Any file type.
Max file size = 5TB.

Question 49

Amazon S3 Classes

Answer 49

Standard, Standard Infrequent Access (S IA), One Zone Infrequent Access (1Z IA), Intelligent Tiering, Glacier, Glacier Deep Archive).

Question 50

S3 Standard

Answer 50

Designed for frequently accessed data, min 3x AZ. websites, content distribution, and data analytics. S3 Standard has a higher cost

Question 51

S3 Standard IA

Answer 51

Ideal for infrequently accessed data, Similar to S3 Standard but has a lower storage price and higher retrieval price. Infrequently accessed, but needs high availability. Min 3x AZs. Lower storage price, higher retrieval price.

Question 52

S3 One Zone IA

Answer 52

Stores data in a single Availability Zone, Has a lower storage price than S3 Standard IA.

Question 53

S3 Intelligent Tiering

Answer 53

Ideal for data with unknown or changing access patterns, Requires a small monthly monitoring and automation fee per object. @ 30 days > IA tier, @ 90 days > archive tier, @180 days, > deep archive tier. If access in IA tier, moves back to Standard.

Question 54

S3 Glacier

Answer 54

Durable (11 Nines of durability)
Lower cost than other s3 products

retrieval:
     Expedited: 1 5 min
     Standard: 3 5 hours
     Bulk: 5 12 hours
  AES 256 encryption
  multiple copies on multiple devices, multiple AZs
  Write once/read many capable

Question 55

S3 Glacier Deep Archive

Answer 55

Durable (11 Nines of durability)
Lowest cost object storage class
retrieval:

 Standard: 12 hours   

 Bulk: 48 hours

 moves copy of data into temporary S3 1Z

Question 56

File Storage

Answer 56

multiple clients (such as users, applications, servers, and so on) can access data that is stored in shared file folders. In this approach, a storage server uses block storage with a local file system to organize files. Clients access data through file paths. ideal for use cases in which a large number of services and resources need to access the same data at the same time.

Question 57

Amazon EFS

Answer 57

Elastic File System
Linux file systems

  in cloud and/or on prem servers (via direct connect or vpn)
  automatically scales with files stored
  2 Performance Modes
     General Purpose, Max I/O
  2 Storage Classes
     Standard, Infrequent Access (IA)

Across multiple AZs
no min fees or setup costs

Question 58

Relational Database

Answer 58

data is stored in a way that relates it to other pieces of data. use structured query language (SQL) to store and query data.

Question 59

Amazon RDS

Answer 59

Relational Database Service. managed service that automates tasks such as hardware provisioning, database setup, patching, and backups. Can integrate with other AWS services (e.g. Lambda).

Question 60

Amazon RDS DB Engines

Answer 60

Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, Microsoft SQL Server

Question 61

Amazon Aurora

Answer 61

enterprise class relational database. It is compatible with MySQL and PostgreSQL. up to five times faster than standard MySQL databases and up to three times faster than standard PostgreSQL databases. replicates six copies of your data across three Availability Zones and continuously backs up your data to Amazon S3.

Question 62

Nonrelational Database

Answer 62

you create tables. A table is a place where you can store and query data. NoSQL. E.g. key value pairs.

Question 63

Amazon DynamoDB

Answer 63

a key value database service. It delivers single digit millisecond performance at any scale. Serverless. Automatic Scaling.

Question 64

Amazon Redshift

Answer 64

a data warehousing service that you can use for big data analytics. It offers the ability to collect data from many sources and helps you to understand relationships and trends across your data.

Question 65

AWS DMS

Answer 65

Database Migration Service. enables you to migrate relational databases, nonrelational databases, and other types of data stores. Move from source to target db. Can be same or different types. Source data operational during migration. Dev and testing, consolidation, replication.

Question 66

Amazon DocumentDB

Answer 66

a document database service that supports MongoDB workloads.

Question 67

Amazon Neptune

Answer 67

a graph database service. You can use Amazon Neptune to build and run applications that work with highly connected datasets, such as recommendation engines, fraud detection, and knowledge graphs.

Question 68

Amazon QLDB

Answer 68

Quantum Ledger Database is a ledger database service. You can use Amazon QLDB to review a complete history of all the changes that have been made to your application data.

Question 69

Amazon Managed Blockchain

Answer 69

a service that you can use to create and manage blockchain networks with open source frameworks. Blockchain is a distributed ledger system that lets multiple parties run transactions and share data without a central authority.

Question 70

Amazon ElastiCache

Answer 70

a service that adds caching layers on top of your databases to help improve the read times of common requests. It supports two types of data stores: Redis and Memcached.

Question 71

Amazon DAX

Answer 71

DynamoDB Accelerator. an in memory cache for DynamoDB. It helps improve response times from single digit milliseconds to microseconds.

Question 72

Shared Responsibility Model

Answer 72

AWS is responsible for security OF the cloud. Customer responsible for security IN the cloud.

Question 73

AWS IAM

Answer 73

Identity and Access Management.
manage access to AWS services and resources securely.
IAM users, groups, and roles, IAM policies, Multi factor authentication.

Question 74

Root User

Answer 74

email address and password that you used to create your AWS account.
complete access to all the AWS services and resources in the account.
Do not use the root user for everyday tasks.

Question 75

IAM User

Answer 75

an identity in AWS.
person or application that interacts with AWS services and resources
name and credentials for each person who needs to access AWS.
new IAM user in AWS, it has no permissions associated.

Question 76

IAM Policies

Answer 76

a document that allows or denies permissions to AWS services and resources.
customize users’ levels of access to resources.
Follow the security principle of least privilege when granting permissions.

Question 77

IAM Groups

Answer 77

An IAM group is a collection of IAM users. Can assign IAM policies to groups.

Question 78

IAM Roles

Answer 78

An IAM role is an identity that you can assume to gain temporary access to permissions. IAM roles are ideal for situations in which access to services or resources needs to be granted temporarily, instead of long term.

Question 79

MFA

Answer 79

Multi Factor Authentication. Requires a second device (other than U/N and P/W) to authenticate.

Question 80

AWS Organizations

Answer 80

multiple AWS accounts within a central location.
root is parent container for accounts in organization.
Can use Service Control Policies (SCP) to control permissions for AWS accounts in org.
consolidated billing.

Question 81

OUs

Answer 81

Organizational Units.
group accounts into OUs
easier to manage accounts with similar business or security requirements.
policies applied to OU, are inherited by all accounts in the OU
easily isolate workloads or applications that have specific security requirements.

Question 82

AWS Artifact

Answer 82

on demand access to AWS security and compliance reports and select online agreements.
Artifact Agreements and Artifact Reports.

Question 83

AWS Artifact Agreements

Answer 83

Boilerplate agreements to address needs of customers who are subject to specific regulations, such as the Health Insurance Portability and Accountability Act (HIPAA).

Question 84

AWS Artifact Reports

Answer 84

compliance reports from third party auditors.

Question 85

Customer Compliance Center

Answer 85

Customer compliance stories
relate how companies in regulated industries have solved various compliance, governance, and audit challenges.
compliance whitepapers
includes an auditor learning path.

Question 86

DoS Attack

Answer 86

Denial of Service attack.
deliberate attempt to make a website or application unavailable to users.
Originates from a Single Source

Question 87

DDoS Attack

Answer 87

Destributed Denial of Service Attack.

multiple sources are used to start an attack

Question 88

AWS Shield

Answer 88

a service that protects applications against DDoS attacks.

Two tiers: Standard and Advanced

Question 89

AWS Shield Standard

Answer 89

Automatic, no cost protection from common, frequently occurring types of DDoS attacks.
Uses variety of analysis techniques to detect maliciois traffic and mitigate

Question 90

AWS Shield Advanced

Answer 90

paid service
detailed attack diagnostics
detect and mitigate sophisticated DDoS attacks.
Integrates with CloudFRONT, Route 53, ELB, etc.
Can integrate Shield with AWS WAF by writing custom rules.

Question 91

AWS KMS

Answer 91

Key Management Service.
encryption using cryptographic keys.
create, manage, and use cryptographic keys.
control the use of keys across a wide range of services and in your applications.

Question 92

AWS WAF

Answer 92

Web Application Firewall.
monitor network requests that come into your web applications.
Works with CloudFront and Application Load Balancer.
Uses Web ACL.

Question 93

Amazon Inspector

Answer 93

automated security assessments.
prioritizes by severity level, including a detailed description of each security issue and a recommendation for how to fix it.

Question 94

Amazon GuardDuty

Answer 94

intelligent threat detection for AWS infrastructure and resources.
do not have to deploy or manage any additional security software.
continuously analyzes data from multiple AWS sources, including VPC Flow Logs and DNS logs.

Question 95

Amazon CloudWatch

Answer 95

enables you to monitor and manage various metrics and configure alarm actions based on data from those metrics. uses metrics to represent the data points for your resources.

Question 96

Amazon CloudWatch Alarms

Answer 96

automatically perform actions if the value of your metric has gone above or below a predefined threshold.

Question 97

Amazon CloudWatch Dashboard

Answer 97

enables you to access all the metrics for your resources from a single location. customize separate dashboards for different business purposes, applications, or resources.

Question 98

AWS CloudTrail

Answer 98

records API calls for your account. includes the identity of the API caller, the time of the API call, the source IP address of the API caller, and more.

Question 99

AWS CloudTrail Insights

Answer 99

optional feature allows CloudTrail to automatically detect unusual API activities in your AWS account.

Question 100

AWS Trusted Advisor

Answer 100

a web service that inspects your AWS environment and provides real time recommendations in accordance with AWS best practices. five categories: cost optimization, performance, security, fault tolerance, and service limits.

Question 101

AWS Free Tier

Answer 101

Always Free, 12 months free (first 12 months after opening account), Trials (short term product trials).

Question 102

AWS Pricing Principles

Answer 102

Pay for what you use; pay less when you reserve; pay less with volume based discounts when you use more.

Question 103

AWS Billig Dashboard

Answer 103

pay your AWS bill, monitor your usage, and analyze and control your costs. Compare your current month to date balance with the previous month, and get a forecast of the next month based on current usage. View month to date spend by service. View Free Tier usage by service. Access Cost Explorer and create budgets. Purchase and manage Savings Plans. Publish AWS Cost and Usage Reports.

Question 104

Consolidated Billing

Answer 104

receive a single bill for all AWS accounts in your organization. The default maximum number of accounts allowed for an organization is 4, but you can contact AWS Support to increase your quota, if needed. you can review itemized charges incurred by each account. share bulk discount pricing, Savings Plans, and Reserved Instances across the accounts in your organization.

Question 105

AWS Budgets

Answer 105

create budgets to plan your service usage, service costs, and instance reservations. updates three times a day

Question 106

AWS Cost Explorer

Answer 106

enables you to visualize, understand, and manage your AWS costs and usage over time. includes a default report of the costs and usage for your top five cost accruing AWS services. You can apply custom filters and groups

Question 107

AWS Support

Answer 107

Basic, Developer, Business, Enterprise

Question 108

AWS Support: Basic

Answer 108

free for all AWS customers. whitepapers, documentation, and support communities. access to a limited selection of AWS Trusted Advisor checks. can use the AWS Personal Health Dashboard

Question 109

AWS Support: Developer

Answer 109

Best practice guidance, Client side diagnostic tools, Building block architecture support, which consists of guidance for how to use AWS offerings, features, and services together

Question 110

AWS Support: Business

Answer 110

Use case guidance to identify AWS offerings, features, and services that can best support your specific needs, All AWS Trusted Advisor checks, Limited support for third party software, such as common operating systems and application stack components

Question 111

AWS Support: Enterprise

Answer 111

Application architecture guidance, which is a consultative relationship to support your company’s specific use cases and applications, Infrastructure event management: A short term engagement with AWS Support that helps your company gain a better understanding of your use cases. This also provides your company with architectural and scaling guidance. A Technical Account Manager

Question 112

Technical Account Manager (TAM)

Answer 112

With an Enterprise Support plan. Primary POC at AWS. provide guidance, architectural reviews, and ongoing communication with your company as you plan, deploy, and optimize your applications.

Question 113

AWS Marketplace

Answer 113

igital catalog that includes thousands of software listings from independent software vendors. You can use AWS Marketplace to find, test, and buy software that runs on AWS. several categories, such as Infrastructure Products, Business Applications, Data Products, and DevOps.

Question 114

AWS CAF

Answer 114

Cloud Adoption Framework. 6 Perspectives. Business, People, Governance, Platform, Security, Operations

Question 115

CAF Business Perspective

Answer 115

ensures that IT aligns with business needs and that IT investments link to key business results. Business managers, Finance managers, Budget owners, Strategy stakeholders

Question 116

CAF People Perspective

Answer 116

supports development of an organization wide change management strategy for successful cloud adoption. Human resources, Staffing, People managers

Question 117

CAF Governance Perspective

Answer 117

focuses on the skills and processes to align IT strategy with business strategy. Chief Information Officer (CIO), Program managers, Enterprise architects, Business analysts, Portfolio managers

Question 118

CAF Platform Perspective

Answer 118

principles and patterns for implementing new solutions on the cloud, and migrating on premises workloads to the cloud. Chief Technology Officer (CTO), IT managers, Solutions architects

Question 119

CAF Security Perspective

Answer 119

ensures that the organization meets security objectives for visibility, auditability, control, and agility. Chief Information Security Officer (CISO), IT security managers, IT security analysts

Question 120

CAF Operations Perspective

Answer 120

helps you to enable, run, use, operate, and recover IT workloads to the level agreed upon with your business stakeholders. IT operations managers, IT support managers

Question 121

Six Strategies for Migration

Answer 121

rehosting, replatforming, refactoring/re architecting, repurchasing, retaining, retiring.

Question 122

Rehosting

Answer 122

lift and shift” involves moving applications without changes.

Question 123

Replatforming

Answer 123

“lift, tinker, and shift,” involves making a few cloud optimizations to realize a tangible benefit. Optimization is achieved without changing the core architecture of the application.

Question 124

Refactoring/re architecting

Answer 124

reimagining how an application is architected and developed by using cloud native features. Refactoring is driven by a strong business need to add features, scale, or performance that would otherwise be difficult to achieve in the application’s existing environment.

Question 125

Repurchasing

Answer 125

moving from a traditional license to a software as a service model.

Question 126

Retaining

Answer 126

keeping applications that are critical for the business in the source environment. This might include applications that require major refactoring before they can be migrated, or, work that can be postponed until a later time.

Question 127

Retiring

Answer 127

removing applications that are no longer needed.

Question 128

AWS Snowcone

Answer 128

small, rugged, and secure edge computing and data transfer device. It features 2 CPUs, 4 GB of memory, and 8 TB of usable storage.

Question 129

AWS Snowball (Storage Optimized)

Answer 129

Storage Optimized: large scale data migrations and recurring transfer workflows, 80TB block/S3, 1TB SSD block, 40v CPU & 80 GiB memory for EC2 sbe1 Instances

Question 130

AWS Snowball (Compute Optimized)

Answer 130

use cases such as machine learning, full motion video analysis, analytics, and local computing stacks. 42TB for S3/EBS, 7.68 TB SSD for EBS, 52 vCBU, 208 GiB memory, optional GPU

Question 131

AWS Snowmobile

Answer 131

exabyte scale data transfer service used to move large amounts of data to AWS. You can transfer up to 100 petabytes of data per Snowmobile, a 45 foot long ruggedized shipping container, pulled by a semi trailer truck.

Question 132

AWS Well Architected Framework

Answer 132

Operational Excellence, Security, Reliability, Performacne Efficiency, Cost optimization

Question 133

Operational Excellence

Answer 133

Run/monitor systems for business value
  organization
  prepare
  operate
  evolve

Question 134

Security Groups

Answer 134

the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies.

Question 135

Reliability

Answer 135

the ability of a system to do the following: Recover from infrastructure or service disruptions, Dynamically acquire computing resources to meet demand, Mitigate disruptions such as misconfigurations or transient network issues

Question 136

Performance Efficiency

Answer 136

the ability to use computing resources efficiently to meet system requirements and to maintain that efficiency as demand changes and technologies evolve.

Question 137

Cost Optimization

Answer 137

the ability to run systems to deliver business value at the lowest price point.

Question 138

Workload

Answer 138

Collection of interrelated applications, infrastructure, policy, governance, and operations running on aws that provide business or operational value.

Question 139

Pillars of Well Architected

Answer 139

operational excellence
  security
  reliability
  performance efficiency
  cost optimization

Question 140

Well Architected: Operational Excellence

Answer 140

organization, priorities & structure
prepare, design for operations
operate, health of workload
evolve, learn from experiences

Question 141

Well Architected: Security

Answer 141

identity & access management
  detection
  infrastructure protection
  data protection
  incident response

Question 142

Well Architected: Reliability

Answer 142

foundations
Workload architecture
change management
failure management

Question 143

Well Architected: Reliability

Answer 143

selection of right resources
review selections periodically
monitor performance of resources
trade offs between performance and efficiency

Question 144

Well Architected: cost optimization

Answer 144

cloud financial management
  spend and usage awareness
  cost effective resources
  manage demand and supply resources
  optimize over time
Achieve critical business outcomes at lowest cost

Question 145

AWS Data Center Security Layers

Answer 145

Perimeter (physical security)
Environmental (force majeure)
Infrastructure (fire, hvac, power)
Data (data protection/destruction policies)

Question 146

User Access Keys

Answer 146

Used for AWS CLI, the AWS SDKs, or direct HTTPS

Each user can have two active access keys

Question 147

EC2 Key Pairs

Answer 147

For SSH or RDP connections to an Amazon Elastic Cloud Compute (EC2) instance.

No identity tracking not best for daily access. Use Active Directory or LDAP routinely.

Question 148

AWS Secrets Manager

Answer 148

centrally manage access secrets for AWS, on premises, and third party services.
database credentials, passwords, third party API keys, and even arbitrary text.
replace hardcoded credentials in your code with an API call to Secrets Manager to retrieve the secret programmatically.
automatically rotate the secret

Question 149

AWS SSO

Answer 149

Single Sign On
Compatible with Microsoft Active Directory
Access multiple AWS accounts

Question 150

AWS Security Token Service (STS)

Answer 150

web service for temporary, limited privilege credentials for IAM users.
used for users taking different role or are being federated.

Question 151

AWS Managed Microsoft AD

Answer 151

AWS Directory Service for Microsoft Active Directory
enables Active Directory in the AWS Cloud.
built on actual Microsoft Active Directory and does not require you to synchronize or replicate data from your existing Active Directory to the cloud.

Question 152

AWS Organizations

Answer 152

Centrally manage and enforce policies for multiple AWS accounts.
group accounts into organizational units and use service control policies to centrally control AWS services.
automate the creation of new accounts through APIs
simplify billing w/ single payment method for all accounts in organization w/ consolidated billing.
no additional charge for service

Question 153

Amazon Cognito

Answer 153

add user sign up, sign in, and access controls to your web and mobile apps.
define roles and map users to different roles. User sign in by a third party identity provider, or directly via Amazon Cognito.

Question 154

AWS Detective Controls

Answer 154

capture & collect logs (CloudTrail)
monitoring & notification (CloudWatch)
Auditing (Mgmt Console & CLI): S3, ELB, CloudWatch, CloudTrail, and VPC

Question 155

AWS Config

Answer 155

continuous monitoring and assessment
detect non compliance configurations almost in real time.
view current and historic configurations

Question 156

AWS infrastructure Protection

Answer 156

via Isolation. VPC: subnet routing, ACLs, Security Groups
  App/OS Security w/ AWS Systems Manager
  AWS Firewall Manager
  AWS Direct Connect
  AWS CloudFormation

Question 157

AWS Firewall

Answer 157

centrally configure and manage AWS WAF rules across your accounts and applications

Question 158

AWS Data Protection Concepts

Answer 158

Protection at Rest:
Client side encryption (user managed) &
Server side encryption (AWS managed)

Protection in transit:
HTTPS endpoints using TLS
deploy, and manage public and private certificates used for TLS w/ AWS
IPsec with VPN connectivity into AWS

Question 159

AWS CloudHSM

Answer 159

hardware security modules (HSM) in AWS Cloud. (a computing device that processes cryptographic operations and provides secure storage for cryptographic keys)

Question 160

AWS Certificate Manager (ACM)

Answer 160

creates and manages public SSL/TLS certificates for AWS based websites and applications.

ACM can also be used to issue private SSL/TLS X.509 certificates that identify users, computers, applications, services, servers, and other devices internally.

Question 161

Amazon Macie

Answer 161

uses machine learning to automatically discover, classify, and protect sensitive data in AWS.

recognizes sensitive data such as personally identifiable information (PII) or intellectual property.

dashboards and alerts give visibility into data access/movement

Question 162

Security Incident Response

Answer 162

APIs automate incident response tasks
Forensics using EBS snapshots
CloudFormation to quickly create new trusted environment
AWS Step Functions to tie together multiple steps in a forensic/recovery process.

Question 163

AWS Step Functions

Answer 163

coordinate multiple AWS services into serverless workflows.
build and update apps quickly.
design and run workflows that stitch together services such as AWS Lambda and AWS CloudFormation.

Question 164

DDoS Mitigation

Answer 164

Using AWS Edge. Diversifies points of access between services and data accessed via web.
Route 53, CloudFront, Shield

Question 165

AWS Web Application Firewall (WAF)

Answer 165

protects from common web exploits.

customizable web security rules.

Question 166

DAS

Answer 166

Direct Attached Storage
HDD, SSD
physically attached to server

Question 167

SAN

Answer 167

Storage Area Network
centralized block storage
disk arrays, tape storage
usually isolated from LAN (LAN & SAN traffic don’t compete for bandwidth )

Question 168

RAID

Answer 168

Redundant Array of Independent Disks
block storage
works on Amazon EBS (software level RAID)

RAID 5/6 not recommended on EBS, consomes IOPS available

Question 169

Block Storage Downsides

Answer 169

connected to one server at a time (if server goes down, needs be connected to another)

no metadata
pay for all storage within a block whether used or not (EBS scales blocks, not bits)

Question 170

Block Storage Use Cases

Answer 170

backup/recovery
persistent local storage
relational/noSQL databases

data warehousing
enterprise applications
big data processing

Question 171

Amazon EBS Volume Types

Answer 171

SSD Volumes

gp2 (default for EBS)
gp3 (new gen, 20% cheaper than gp2)

io1 (high IOPS)

io2 (faster than io1)

io2 Block Express (fastest)

HDD Volumes
st1 (throughput optimized)
sc1 (cold HDD)

Question 172

Amazon FSx

Answer 172

Managed File Storage System

for Windows:
SSD backed
Native support for NTFS, SMB, Active Directory, DFS
Automatic daily backup
for CRM, ERP, Active Directory, dotnet, home directory, etc.

Lustre
Parallel Distributed File System
high performance for compute intensive apps
ML, modeling, big data, video processing
data on many servers accessible by many compute instances concurrently

Question 173

Object Based Storage

Answer 173

Data stored as objects in a bucket.
Accessed via metadata and unique object ID
Amazon S3

PRO:
  Scalability, durability, cost
CON:
  interface & application compatibility
  performance (slower than file/block storage)

Question 174

Hybrid Data Storage Architectures

Answer 174

typically use cloud storage appliance
Data Cache

Hot Data is frequently read/write

Cold Data: less frequently read/write

Dirty Data: written, not yet uploaded to cloud

Dirty data is uploaded to buffer and then to storage appliance

User reads data from cache. If not there, downloaded from cloud.

Question 175

AWS Storage Gateway

Answer 175

File Gateway Appliance
SMB/NFS integrated

Volume Gateway Appliance
iSCSI integration

Tape Gateway Appliance
virtual tape storage appliance
iSCSI/VTL integration

Question 176

File Transfer Protocols

Amazon File Systems & Storage Gateway
S3
AWS Data Transfer

Answer 176

Amazon FS/Storage Gateway:
iSCSI, NFS, SMB, NTFS

Amazon S3
RESTful API, AWS SDKs

AWS Data Transfer
FTP, SFTP