Flash Cards
What is the most basic essential AWS service?
EC2
What do Serverless services provide?
Serverless services abstract away the reality of operating systems, groups, users and permissions, and configuration details to simply perform some service in response to requests.
● They are associated with scalability and elasticity.
● They tend to charge by the individual request.
● They are harder to attack and compromise.
● They have specialized purposes rather than general-purpose computing.
Which is preferred, serverless or serverful services?
Serverless services
What are the three ways to buy services?
On-demand, Reserved, Spot
What is the on-demand buying option?
● With On-Demand you pay for the amount of time that your server is running. (If the server is stopped/off you do not pay.)
● It is expressed in a cost per hour. For example, as of the time of writing these slides, a c4.large costs 3.8¢ per hour to run.
● Costs can be reduced by running the minimal elastic servers needed to meet demand at any particular time, and by turning servers off when they are not needed (for instance, the development environment at the end of the workday).
What is the reserved buying option?
● Pay a larger fee up front to commit to pre-buying an instance for a term of one or three years, at a savings of roughly 40%.
● Costs cannot be reduced after the commitment.
● A wise strategy is to reserve the servers you know will always be on. For example, if you are running an Elastic Beanstalk pool that can scale down to two servers but under periods of high load is allowed to scale as high as 16, purchase two reserved instances since at least two servers will always be running to serve the bare minimum of requests.
● They do not need to consistently be the same two servers.
What is the spot buying option?
● A live bidding auction that asks for your service to only run when the price of computing falls below a certain threshold.
● E.g. “I am not interested in paying 3.8¢ per hour for my c4.large to run. Instead I will bid at 3.6¢ per hour. I am willing to wait and possibly have my service not run if computing remains expensive, but if AWS has extra capacity to spare at any given moment, they will auction it off to those who bid highest, and those spot instances will run.”
What are some on-demand use cases?
● “I am playing with a new server pool. I don’t know how big it needs to be yet.”
● “I am spinning up a new database from a snapshot so I can run some historical reports on it, then I’ll be deleting it later.”
● “My Elastic Beanstalk server pool can oscillate from two to eight servers in size. It will rarely need the full eight. I’ll buy some of those on-demand so I only pay when they’re necessary.”
What are some reserved use cases?
● “My Elastic Beanstalk pool can oscillate from two to eight servers depending on load. At a minimum, though, there need to be two servers running to redundantly serve traffic even if demand is low. Since I will always have at least two servers running, I will reserve two instances.”
● “The database server RDS is central to our application and is always on, and there is no reason for it to ever turn off or go away. I will reserve one database instance for one year.”
What is a spot use case?
“I have a large neural network ML model to train. It is going to cost me approximately $160,000 in computing costs to process the entire training data set. It is not important to me when it gets done, but even a slight savings on computing time will be significant. I will ask for servers that only run when the price of compute falls below 2¢ per hour, and if it takes months for me to get my turn, so be it.”
How many tiers of support are available?
5 tiers
What are the three support interaction methods?
○ Phone call
○ Email
○ Live Chat with a representative (my favorite)
What is Trusted Advisor support?
Automated service that identifies common mistakes or warning signals in your AWS account
What comes with the basic support option?
● Support only covers Customer Service
● Access to basic Trusted Advisor
● Free
● In my experience they can’t help with very much aside from very basic billing.
What is Developer Support?
● $29/mo or 3% of bill, whichever is greater
● 24-hr SLA for general guidance, 12-hour SLA for system impairment
● General Architectural Guidance
● I use this at most of my startups
What is Business tier support?
● $100/month or 10% of bill (0-10K) + 7% of bill (10K-80K) + 5% of bill (80K-250K) + 3% of bill (over 250K), whichever is greater
● Full suite of Trusted Advisor checks
● Architectural guidance: unique to your use-cases
● General guidance: < 24 hours
● System impaired: < 12 hours
● Production system impaired: < 4 hours
● Production system down: < 1 hour
Enterprise On Ramp Tier Support
Pg 71
Enterprise Tier Support
Pg 72
What do all tiers include?
● Some level of Trusted Advisor
● Customer-service-level help via the three communication mediums
● Personal Health Dashboard: it’s an instantiated status.aws.amazon.com that reports specifically on outages that are relevant to the services you use
● Communities
● Documentation
● White Papers
What is the Shared Responsibility Model?
Security and compliance are a shared responsibility between AWS and the customer.
What is AWS’s responsibility in the Shared Responsibility Model?
● Facility Management
● Personnel Management
● Physical Security of the Datacenter
● Separating compute assets and network traffic so that even on shared hardware, no customers’ data ever crosses lines
● Accurately enforcing those rules which you do specify
What is my responsibility in the Shared Responsibility Model?
● Accurately specifying the rules you wish to be enforced
● Patching the operating systems and software of servers you run
● Protecting and safeguarding customer data
What happens as you move from generalized computing to specialized services?
● When you are using general-purpose computing (EC2s which run their own operating systems) you have to keep their OS and software patched and updated; you have to administer users and groups; and you have to manage security groups.
● When you move one level more specialized, to a service like RDS (databases-as-a-service), AWS takes over some of this and reduces your exposure.
Where can you find Amazon’s documentation about its half of the Shared Responsibility Model?
It lives in AWS Artifact.
What is at-rest encryption?
● Means the data is stored in an encrypted state when it is being left alone on a hard disk or in storage of some kind.
● EBS (Elastic Block Store): enabled via a checkbox
● RDS (Relational Database Service): enabled via a checkbox
● DynamoDB (NoSQL Document Database): enabled via a checkbox
What is in-transit encryption?
● Data is automatically encrypted as it leaves any AWS facility
● Data is automatically encrypted when it travels between Availability Zones
● Data sent between certain types of EC2s can be encrypted in transit as it travels through the network within a single Availability Zone
● Many services such as Lambda and DynamoDB already operate off HTTPS endpoints as it is, so they are encrypted in transit too.
Where are all logs generated by the operation of individual AWS services collected?
CloudWatch
● Logs generated on specific servers need to be collected via the CloudWatch Logs Agent
● Metrics
● Alarms
What three states can alarms be in?
● OK: the metric is below the threshold
● ALARM: the metric is above the threshold
● INSUFFICIENT_DATA: the metric is not being reported (for instance, an AVG metric when there are no events)
What is the difference between CloudWatch and CloudTrail?
● CloudTrail logs all configuration changes to AWS resources along with the IAM information of who took the operation.
● CloudTrail needs to be enabled, unlike CloudWatch, which collects logs by default.
● CloudWatch would log what happens ON your server; CloudTrail would log what happens TO your server.
What is AWS Config?
● AWS Config stores historical data about server configurations and can go back in time to see what a server looked like on a given day.
● It can also track compliance across servers.
What are the only reasons to log in as root?
● Change core account settings like account info
● Delegate the IAM permission to view Billing information
● Changing your root password
● To enable MFA on the root account
● Initially, to create a different IAM user you can use going forward
● Ask for access to restricted regions (GovCloud)
● Close your account
Should the root account have MFA enabled?
Yes
What happens with conflicting IAM policies?
Deny takes precedence
IAM Roles
● SUPERSEDE user and group policies
● You become acting “as” the role for as long as it’s assumed
● Preferred in complex setups and for Organizations
● Can be directly attached to servers and services
○ “This EC2 has the right to upload images to S3”
○ “This CodePipeline has the right to deploy CloudFormations”
What are the four tiers AWS services exist at?
● Global
● Regionally Based
● Availability Zone Based
● Edge Based
What is a global service?
One that is effective worldwide, because it would not make sense for the “computing” to happen in a specific place.
● Route 53: the entire point of DNS is to be worldwide
● CloudFront: it distributes content to edge locations across the globe
● IAM: saying a user does or doesn’t have these rights, or can log into the console, or is a member of groups is not a region-specific thing
What is a regional service?
● A region is a set of datacenters in one area of the globe comprised of several individual Availability Zones.
● Most abstract and serverless services are regional.
● Sample regions include us-east-1 (Virginia), us-east-2 (Ohio), ap-southeast-2 (Sydney), eu-west-2 (London).
● There are two special regions you need to be granted special allowance to: China (which requires its own account and cannot coexist with a non-China account) and US GovCloud.
What are availability zones?
● One or more redundantly connected individual datacenters where things actually run. The specific locations are not disclosed.
● Most services that are serverful (think: devices that have IP addresses) are instantiated on the Availability Zone level.
● As an example, us-east-2 (Ohio) has three Availability Zones:
○ us-east-2a
○ us-east-2b
○ us-east-2c
What is a route table?
● Each subnet has an associated Route Table. A Route Table says where traffic routes to.
● For instance:
○ Route all traffic matching 10.10.1.0/16 locally
○ Route all traffic matching 0.0.0.0/0 to the NAT Gateway
What is an Internet Gateway?
● A two-way configuration that allows traffic in from the public internet and out from the VPC.
● Use with a route table to create publicly accessible resources.
What is a NAT Gateway?
● A one-way virtual appliance that allows traffic from inside the VPC out to the public internet but does not route traffic from the public internet back in.
● Is secretly an EC2 instance.
What is an Elastic IP?
A free-standing public IP address that can be associated with different devices, so you do not need to relinquish the IP address should the server change.
What are security groups?
Abstract classifications of servers that can be used in conjunction with EC2s and RDSs to allow some kinds of connections and deny others.