Fundamentals Flashcards
IAM Policies
allow or deny access to AWS services when attached to IAM User, Group, or Role
(T/F) IAM is global
True
IDP (ID Provider)
IAM - authenticate and authorize (based on policies)
(T/F) IAM is free
True
(T/F) IAM has direct control on federated accounts.
False
Access Keys
Long-term credentials within IAM users. Used for the CLI. Don’t change regularly or automatically. An IAM user can have two access keys. Can be created, deleted, inactive, or active. Default to active.
Two parts to Access Keys
Key ID and Secret Access Key. Once you get the secret access key, you can’t retrieve it again, so WRITE it down
Public Service
Accessed anywhere with Internet
Private Service
Access through VPC
(T/F) Nothing from the Internet can get to the VPC unless it is configured to do so.
True
AWS Zones
Public Internet Zone -> AWS Public Zone -> AWS Private Zone
The Command Line Interface (CLI) uses the region code (ap-southeast-2) whereas the console uses the region’s name, which looks like…
Asia Pacific (Sydney)
VPC Default is assigned
One account & One Region
Two types of VPC
Default and Custom
(T/F) Custom VPC can have more than one region
True
VPC CIDR
IP Addresses a VPC can use. Default VPC is always the same 172.31.0.0/16
(T/F) Custom VPC can only have one CIDR
False
Default VPCs are always configured the same way when it comes to subnets
One subnet in each AZ in the region. Each subnet will have its own CIDR, so the subnet in AZ one could be 172.31.211.0/20
Each VPC subnet comes with…
Internet Gateway, Security Group, NACL
EC2 Instance
OS Configured for your needs
(T/F) EC2 Instances are private by default
True, need to configure public access
EC2 are AZ resilient which means
If the AZ fails, the instance fails
EC2 On-Demand Billing
By second or hour depending on the OS
EC2 Popular Types of storage
Local host storage or Elastic Block Storage (EBS)
EC2 Lifecycle
Running, Stopped, Terminated
EC2 Running, you pay for
CPU, Memory, Disk (storage), networking
EC2 Stopped, you pay for
Just Disk (storage)
EC2 Terminated, you pay for
Nothing, but once it is terminated it cannot be recreated
Amazon Machine Image (AMI)
Used to create an EC2 instance or created from an EC2 instance. It is the image that configures the stack
AMI Contains three things
Permissions, Root Volume, Block Device Mapping
AMI Permissions
Public - Everyone Allowed
Owner (private) - implicit allow
Explicit - specific AWS accounts allowed
AMI Root volume
Think C:\ in Windows or ROOT in Linux
AMI Block Device Mapping
Which volume is boot and which is data
Connect to EC2 by…
RDP for Windows or SSH for Linux
(T/F) You need a key pair to connect to a Linux instance
True
RDP Port
3389
SSH Port
22
S3
Global storage platform
Regional based/resilient (replicated among AZ in a region)
Public service, unlimited data & multi-user
Think of it as default storage for AWS
Two parts of S3
Objects and Buckets
S3 Object
Files, data, etc.
S3 Bucket
Containers that hold S3 Objects
S3 Objects Two Parts
Object Key (think of it as filename)
Value (content being stored)
S3 Object Value Range
0 - 5 TB
S3 Bucket region?
Has a primary home region that it never leaves unless it is configured to do so
Blast Radius (major disaster) =
Region
(T/F) Bucket names do not need to be globally unique
False, pay attention to trick questions that may ask why you can’t create the bucket name. Bucket names have to be unique across all regions and all AWS accounts
(T/F) S3 buckets can hold unlimited objects and since each object is 0-5TB, you have unlimited storage
True
Flat structure
How S3 is structured: all objects sit at the root and only appear as folders because of the naming convention in the S3 Object Key
S3 Bucket names Format
3-63 characters, all lowercase, no underscores, must start with lowercase or number, can be IP formatted
S3 Bucket limit
100 soft limit
1000 hard limit
S3 storage in AWS - object, file, or block?
Object. It is not file or block storage like EFS or EBS.
Can’t mount an S3 bucket (for example, as a G: drive)
Great for large scale
Great for offloading
Offloading
Input and/or output from many AWS products to S3
ARN
Amazon Resource Name - uniquely references a single service in AWS. Can include a wildcard.
Format: arn:partition:service:region:account-id:resource-id
For S3 it would be arn:aws:s3:::catgif/ = just the bucket
arn:aws:s3:::catgif/* = access objects in the bucket but not the bucket
Note the ::: because there is no region, since S3 is global
CloudFormation
Tool that lets you create, update, and delete infrastructure in AWS
Base of CloudFormation
Templates written in either YAML or JSON
CloudFormation Template contains
List of resources
Mandatory component of CloudFormation Templates
Resources - which AWS resources are being spun up
Other CloudFormation Template Components
- Description - free text field
- AWSTemplateFormatVersion - which template version; if used, Description must come directly underneath it
- Metadata - control the UI
- Parameters - prompt user for more information
- Mappings - use lookup tables
- Conditions - decision making in the template
- Outputs - outputs created based on the template running, for example: “AZ Zone 2”
Two steps to CloudFormation Conditions Component
Step 1 = create condition
Step 2 = use condition
Logical Resource (CloudFormation)
Tells AWS what to create. For example: use “instance” for an EC2 instance.
Stack (CloudFormation)
Contains all the logical resources that the template tells it to create.
Created when you take a template and tell CloudFormation to do something with the template.
The whole point of CloudFormation
For any logical resource in the stack, CloudFormation creates a physical resource in your AWS account.
CloudFormation’s job is to keep the logical and physical resources in sync.
CloudWatch
Support service used by almost all AWS Services - public service in Public Internet Zone
Three main jobs of CloudWatch
Metrics, Logs, Events
CloudWatch Events activated when?
If something happens (ex. an EC2 Instance Started) AND event scheduling (ex. do this at this time)
CloudWatch Agent
Add functionality to CloudWatch that isn’t gathered natively (CPU usage is native; on-premises logs need CloudWatch Agent)
Namespace (CloudWatch)
Namespace = container for monitoring data. All AWS data goes into a namespace named AWS/SERVICENAME, e.g. AWS/EC2. That prefix is reserved for AWS; you can’t use it for your own namespaces. Outside of that you can name namespaces as needed
Metric (CloudWatch)
Collection of related data points that is time ordered.
Datapoint (CloudWatch)
Consists of two things, a timestamp and a value. So for CPU utilization: 2019-12-03T08:45:45Z and 98.3.
Dimension (CloudWatch)
Separate datapoints for different THINGS or PERSPECTIVES within the same metric
Alarm (CloudWatch)
Linked to a metric and takes an action based on that metric (for example, notify via SNS)
High Availability (HA)
ENSURE an agreed level of operational PERFORMANCE, usually UPTIME, for a HIGHER THAN NORMAL PERIOD
Fault Tolerance (FT)
property that enables a system to CONTINUE OPERATING PROPERLY in the event of the FAILURE OF SOME (one or more faults within) of its COMPONENTS
High Availability (HA) vs. Fault Tolerance (FT)
Fault tolerance is operating through failure; high availability is maximising uptime
Disaster Recovery (DR)
policies, tools and procedures to ENABLE THE RECOVERY or CONTINUATION of VITAL technology infrastructure and systems FOLLOWING A NATURAL OR HUMAN-INDUCED DISASTER
Route53
Register Domains; Host Zones in managed nameservers it provides; global service; can withstand one or two regional failures and continue to run
Hosted Zones
ZONE FILES in AWS, hosted on four managed name servers; can be PUBLIC or PRIVATE linked to VPC(S); stores records (RECORDSETS)
Nameserver (NS)
Record type that points from the .com zone to the amazon.com zone
A or AAAA records
Maps a host name to an IP address. A = IPv4, AAAA = IPv6
CNAME
Create the equivalent of DNS shortcuts, or host to host; create three CNAMEs for FTP, MAIL, and WWW and point them all to the server so they go to the right place. EXAM ALERT – CNAMEs cannot point to an IP, only to another host name, so look out for that!
MX Records
How a server can find a mail server for a domain. MX records have two main parts – priority and value. MX 10 mail; MX 20 mail.other.domain. The dot to the right means it is a fully qualified domain name. For priority, the lower number is picked first, so MX 10 mail would be chosen first to deliver mail.
TXT Record
Add arbitrary text to a domain; think of Google Analytics requiring text in the TXT record so it can query it and use it.
TTL
Time to Live. Set on a DNS record in seconds. Tells resolvers how long to cache records from the authoritative source (authoritative answer). If another client queries the same thing, they will get back a non-authoritative answer cached on the resolver server (most likely the ISP’s server) because of the TTL. It’s the TTL that may delay switching IPs, etc.
How many DNS root servers exist?
13
Who manages DNS root servers?
12 different organizations
Type of organisation that maintains the zones for a