Fundamentals: IAM EC Flashcards

1
Q

region

A

cluster of data centres.

2
Q

Most AWS services are region-scoped

A

you can use a service in a specific region. If you use the same service in another region, your data will not be replicated or synchronized there, so you will have to recreate your data in the other region

3
Q

availability zones

A

each region has several of them, usually 3, 2 or 6. 6 is the max
ap-southeast-2a
ap-southeast-2b

each is one or more discrete data centres with redundant power, networking and connectivity

they are separate from each other and isolated from disasters, but they are connected with high-bandwidth, ultra-low latency networking

Anything that ends with a letter is an AZ

4
Q

EC2 vs IAM

A

EC2 regional service

IAM global service, no selection of region required

5
Q

region table

A

shows which services are available in which region

6
Q

IAM

A

Identity and access management: users, groups, roles

7
Q

root account

A

the account with which you create your AWS account; it has the most power and should never be used afterwards or shared
only for initial setup

8
Q

IAM policies

A
written in JSON, define what
- users
- groups
- roles
can or cannot do

a user can belong to one or more groups

9
Q

users inherit permissions

A

from groups. We can add permissions to both users and groups, but it is better to assign them only to groups; users inherit them anyway

10
Q

roles are only

A

for internal usage within AWS resources and services. Roles are given to machines, whereas users are for physical persons

11
Q

IAM has a global view meaning

A

users, groups and roles are defined across regions

12
Q

MFA

A

multi-factor authentication for the root account and users, recommended

13
Q

managed policies

A

pre-defined policies created by IAM

14
Q

least privilege principle

A

best practice to give minimal permissions for users to perform their jobs

15
Q

IAM federation

A

big enterprises usually integrate their own repository of users (Active Directory) with IAM, so users can log into AWS with their company credentials
uses the SAML standard

16
Q

one IAM user

A

per physical person

17
Q

one IAM role

A

per application

18
Q

EC2 capabilities

A
  1. launch virtual machines in the cloud
  2. store data on virtual drives (EBS)
  3. distribute load across machines (ELB = load balancing)
  4. scale the services using an auto-scaling group (ASG)
19
Q

AMI

A

Amazon machine image

20
Q

Subnet in EC2 config says

A

if you’ve created your own VPC, you can define your own IP address range, create subnets, configure route tables, and configure network gateways.
So if you’ve done this, in the dropdown you’ll see a list of configured subnets to choose from (subnet = a range of IP addresses in your VPC that can be used to isolate different EC2 resources from each other or from the internet. The network gateway has the IP through which the subnet is accessible from the outside world)

If you haven’t done that, Amazon has assigned a default VPC to you, and in this list you can select the AZ (availability zone) your VM is going to be in

Each subnet resides in only one AZ

21
Q

VPC

A

virtual private cloud

if you’ve created your own VPC, you can define your own IP address range, create subnets, configure route tables, and configure network gateways.

22
Q

Storage of an EC2 machine is

A

EBS volume

23
Q

To ssh into the launched machine

A
  1. you need to configure a security group with an inbound rule of type SSH before launching the machine
  2. you need to create a key pair just before launching and use it to access the machine
24
Q

EC2 instance connect

A

allows you to connect to your EC2 instance directly from the browser on any OS

25
Q

security groups

A
  1. the foundation of network security on AWS
  2. control how traffic is allowed into or out of our EC2 machines
  3. act as a firewall on EC2 instances
26
Q

security groups have these 3 things

A

inbound rules
outbound rules
tags (just key-value pairs)

here you can, for example, define an inbound rule to allow connections on port 22; then you can ssh into your instance

27
Q

you can find the link to the security groups associated with your EC2 instance

A

if you select the instance in the list and go to the Description tab below. Also available on the left panel under Network and Security

28
Q

security groups regulate

A
  1. access to ports
  2. authorized IP ranges - IPv4 and IPv6
  3. control inbound traffic (from other to the instance)
  4. control outbound (from instance to the other)
29
Q

relationship between security groups and instances

A

is many to many

one SG can be attached to many instances
one instance can have multiple SGs

SGs are outside the EC2 instance, not running on it; it’s an outside firewall

30
Q

security groups are locked down

A

to the combination of region and VPC

so if you switch to another region or another VPC, you have to recreate your SGs

it’s good to maintain one SG for ssh access

31
Q

by default all inbound traffic is

A

blocked

32
Q

by default all outbound traffic is

A

authorized

33
Q

Communication between EC2 instances and security groups

A

security groups can reference each other

if we want EC2 instance2 to be able to connect to EC2 instance1 in the same or different VPC, we can

  1. create SG2 and attach to instance2
  2. create a security group SG1 with an inbound rule that references security group SG2 (in the Source field we put the id of SG2 instead of an IP)
  3. add SG1 to instance1

the same works for outbound

The peer VPC can be a VPC in your account, or a VPC in another AWS account, but not in another region

34
Q

IPv4 and IPv6

A

AWS supports both

35
Q

public IP

A
  1. the machine can be identified on the internet (WWW)
  2. must be unique across the whole web. Two machines cannot have the same one
  3. can be geo-located easily

in AWS you can see the public IP of an instance on the Description tab

36
Q

private IP

A
  1. the machine can only be identified on the private network
  2. the IP must be unique within the private network
  3. two different private networks can have the same IPs
  4. Machines connect to the internet using an internet gateway (proxy)
  5. only a specified range of IPs can be used as private IP

in AWS you can see the private IP of an instance on the Description tab. It doesn’t change when you stop and start the instance

37
Q

elastic IP

A
  1. when you stop and start your EC2 instance, it can change its public IP
  2. if you need to have a fixed public IP, you need an elastic IP
  3. an elastic IP is a public IPv4 address that you own as long as you don’t delete it
  4. you can have 5 elastic IPs on your account (you can ask for more, but uncommon)
  5. you can mask a failure of an instance or software by rapidly remapping the address to another instance in your account (uncommon)
38
Q

instead of using elastic IPs

A
  1. avoid using elastic IPs
  2. they reflect poor architectural decisions
  3. instead use a random public IP and register a DNS name to it
  4. use a Load Balancer and no public IP at all (best!)

Under Network and Security –> Elastic IPs

39
Q

to create elastic IP

A
  1. create the elastic IP
    go to Network and Security –> Elastic IPs
    - we can use one from the Amazon pool
    - you can use your own if you have one on your AWS account
    - customer-owned pool
  2. associate it with your EC2 instance

Actions –> Associate elastic IP address

40
Q

EC2 user data

A

is used to automate tasks such as:

  • installing updates
  • installing software
  • downloading common files from the internet

runs with root permissions, so any command will have sudo permissions

the script is only run once, at the instance’s first start

41
Q

Create EC2 user data

A

when you create a new EC2 instance, in Step 3 (Configure instance details) –> Advanced details –> User data

always add as the first line
#!/bin/bash
42
Q

You pay for an EC2 instance compute component

A

only when it’s in running state

not in stopped state

43
Q

You are getting a permission error exception when trying to SSH into your Linux Instance

A

the key file has the wrong permissions; fix it with chmod 0400

44
Q

You are getting a network timeout when trying to SSH into your EC2 instance

A

your security group is misconfigured

45
Q

Security groups can reference all of the following except:

A

DNS name

allowed: IP, CIDR, Security Group

46
Q

Types of EC2 instances

A
  1. on-demand instances
  2. reserved
  3. convertible reserved
  4. scheduled reserved
  5. spot instances
  6. dedicated instances
  7. dedicated hosts
47
Q

on-demand instances

A
  • short workloads
  • predictable price = pay exactly for what you use, billing per second after the first minute. You pay for the time between start and stop
  • the highest cost, but no upfront payment
  • and no long-term commitment
  • short-term needs, uninterrupted workloads, or
  • when you can’t predict how the application will behave
  • good for elastic workloads
48
Q

reserved instances

A

for minimum 1 year

  • long workloads
  • up to 75% discount compared to on-demand
  • pay upfront for long term commitments
  • reserve specific instance type
  • recommended for steady-state usage applications (database)
49
Q

convertible reserved instances

A

long workloads with flexible instances

instead of saying that you want an M4X for one year, you say that you want something for one year

a bit more expensive than simple reserved (up to 54% discount)

50
Q

scheduled reserved instances

A

required for a fraction of a day, month or year
for example, every Thursday between 3 and 6 p.m.

(again - for at least a year)

51
Q

spot instances

A
  • least reliable
  • short workloads resilient to failure (batch jobs or image processing that you can retry, or data analysis that you can run with distributed computing)
  • but not for running a critical job or databases that must be up and running for years
  • cheap, but you can lose instances
  • discount of up to 90% compared to on-demand
52
Q

dedicated instances

A
  • no other customers will share your hardware
  • but may share hardware with other instances in the same account
  • no control over instance placement: you can only move the instance to other hardware by doing a stop and a start
53
Q

dedicated hosts

A
  • book an entire physical server
  • control EC2 instance placement
  • visibility into the underlying sockets / physical cores of the hardware,
  • which is great for licensing purposes, i.e. for software that has a complicated licensing model (BYOL); some licenses bill you on the number of physical cores in the hardware or the number of sockets
  • for companies that have strong compliance and regulatory needs so that you don’t share your hardware with anyone else
  • reservation is for 3 years
  • more expensive
54
Q

Combination of instance types

A

reserved for baseline capacity (for ex., web application that you know should run)

and

for anything unpredictable, based on demand or for peaks: a mix of spot and on-demand instances, depending on whether your workload can tolerate failure or not

55
Q

dedicated hosts and instances: enables the use of dedicated physical servers

56
Q

dedicated hosts and instances: per instance billing

57
Q

dedicated hosts and instances: per host billing

58
Q

dedicated hosts and instances: visibility of sockets, cores, host id

59
Q

dedicated hosts and instances: affinity between host and instance

60
Q

dedicated hosts and instances: targeted instance placement

61
Q

dedicated hosts and instances: automatic instance placement

62
Q

dedicated hosts and instances: add capacity using an allocation request

63
Q

how to reserve a spot instance

A
  1. we define a max spot price that we are willing to pay
  2. we get the instance while the spot price is below it
  3. the hourly spot price varies based on offer and capacity
  4. when the price goes above our max, you can choose to stop or terminate the instance, with a 2-minute grace period. If you choose to stop, you can restart it later when the price goes down

there is another strategy called Spot Block

64
Q

Spot Block (spot instances)

A

block a spot instance for a specified time frame (1-6 hours) without interruptions

65
Q

how to terminate spot instances

A
  1. with a spot request you define
    - how many instances you want,
    - the max price you are willing to pay,
    - the launch specification (AMI)
    - from-until (or infinity)
    - request type: one-time (once the instances are launched, the request just goes away) or persistent (the request will be valid from-until; if your instance is stopped, the request goes back into action and will be revalidated later, i.e. the instance will be restarted when possible)

if you cancel the persistent request, it’s not going to terminate any launched instances

so if you want to terminate the instances, first cancel the request. Otherwise, they will be re-launched

66
Q

spot fleet

A

a set of spot instances and optionally of on-demand instances

the fleet will try its best to meet the target capacity with price constraints

  1. define possible launch types, OS, availability zones
  2. the fleet will choose the best and most appropriate launch pool for you. When it has reached your budget or the desired capacity, it will stop launching. The lowest price
67
Q

Strategies to allocate spot instances in the spot fleet

A
  1. lowest price: from the pool with the lowest prices (short workloads, cost optimization)
  2. diversified: distributed across all pools (great for availability and long workloads)
  3. capacityOptimized: pool with the optimal capacity for the number of instances
68
Q

R instance type

A

applications that need a lot of RAM - in-memory caches, in-memory databases

69
Q

C instance type

A

applications that need good CPU - apps that do a lot of computations, such as big data

70
Q

M instance type

A

medium, a balance between RAM and CPU.

web apps, general purpose

71
Q

I instance type

A

for good I/O (instance storage) - databases, a lot of disk operations

72
Q

G instance type

A

come with GPU and are great for video rendering and machine learning

graphic processing unit

73
Q

T2/T3 instance types

A

burstable instances can be amazing to handle unexpected traffic and getting the insurance that it will be handled correctly. But if your instance runs low on credit all the time, then you probably shouldn’t use T2/T3 (C or M, non-burstable)

overall, when the instance is running, you get good performance; the CPU has OK performance.
And then sometimes you need to process something unexpected (a spike in load, for example), your CPU skyrockets and goes to 100%. During these spikes the CPU can do something called a burst (a boost of power). The CPU is very good during that burst.

But if the machine bursts, it uses burst credits. If the credits are all gone, the CPU becomes bad. When your load is over, the CPU stops bursting and you gain back credits over time

So if you over-abuse bursts, you will lose the burst and your capacity

you can see peaks in CloudWatch

T2/T3 unlimited have unlimited burst credit balance. You pay extra money if you go over your credit balance, but you don’t lose performance

74
Q

if we want to create our own image (AMI)

A

it’s only for a specific region
and by default private
locked for your account/region

we can make them public and sell in Amazon Marketplace

Can be copied to another region

75
Q

Advantages of custom AMIs

A
  1. pre-installed packages
  2. faster boot time, because there is no need for EC2 user data at boot time
  3. the machine comes configured with monitoring/enterprise software
  4. security concerns: we need to install some security software
  5. control of maintenance and updates of VMs over time
  6. set up Active Directory integration out of the box
  7. install apps ahead of time (for faster deploys during auto-scaling)
  8. use someone else’s AMI optimized for running an app or DB; you can pay by the hour (rent)
76
Q

AMIs can be found in

A

Amazon Marketplace (careful - some may contain malware)

77
Q

AMI storage

A

when you create an AMI, it takes space, and AMIs live in Amazon S3
but we won’t see them in the S3 console

S3 is cheap, durable and resilient to

78
Q

AMI pricing

A

you get charged for the actual space it takes in S3

79
Q

how to create our own image (AMI)

A

you need to launch an instance, install what you need, then right click on the instance and Image -> Create Image

All images can be found on the left panel images –> AMIs

If you then right click on the AMI and select Launch, a VM will be launched based on this image

80
Q

Cross account AMI copy

A
  1. you can share an AMI with another AWS account
  2. it doesn’t change the ownership of the AMI. But if they copy your AMI (in another region), they become the owner of that copy
  3. you can prevent copying the AMI by
    - either not granting EBS snapshot access
    - or not granting S3 bucket access

But this does not prevent someone from launching a VM based on your AMI and making their own AMI from it

81
Q

To copy an AMI that was shared with you from another account,

A

the owner must grant you read permissions for the storage that backs the AMI:

  • either the associated EBS snapshot (for EBS-backed AMI)
  • or an associated S3 bucket (for an instance store-backed AMI)
82
Q

encrypted AMI copy

A

you can’t copy an encrypted AMI shared with you. If the underlying snapshot and the encryption key were shared with you, you can copy the snapshot while re-encrypting it with a key of your own. You can register this copy as a new AMI, because the ownership is yours

83
Q

copy AMI with associated billing product code

A

you can’t copy an AMI with an associated billing product code

if you get a Windows AMI or an AMI from Amazon Marketplace, they will have their billing product code

The only way to copy is to launch your own EC2 instance from it and then create a new AMI from this instance

84
Q

To share an AMI

A

right click on the AMI and Modify image permissions

you can make it public or private
if private - you can specify the IDs of AWS accounts you want to share with

if I tick the checkbox “Add create volume permissions…”, then the accounts I share with will be allowed to make a copy of the AMI
If I don’t, they can still launch an instance and make their own AMI, but they can’t copy using the copying utility

this is valid for Marketplace images: you can’t directly copy them

85
Q

placement groups

A

control over EC2 instance placement strategy. The strategy is defined by the placement group

we don’t get direct interaction with AWS hardware, but we let AWS know how we would like instances to be placed relative to one another

under Network and security

86
Q

when you create a placement group, you specify one of the following strategies:

A
  1. cluster
  2. spread
  3. partition
87
Q

cluster placement group strategy

A

clusters instances into a low-latency group in a single AZ

the instances will be grouped together in a low-latency hardware setup within a single AZ

high performance and high risk

can be 10 Gbps bandwidth between instances

all instances on the same rack, i.e. same hardware, same AZ. If the rack fails, all the instances fail at the same time

examples: a big data job to be completed very fast
an app with a requirement of extremely low latency and high network throughput, where we are willing to take the risk of failure

88
Q

spread placement group strategy

A

your instances are going to be spread across different hardware
restriction: you can only have 7 EC2 instances per placement group per AZ

for critical applications, instance failures must be isolated from one another
minimize failure risk, maximizes availability

89
Q

partition placement group strategy

A

you want to spread your instances but across many different partitions, which rely on different sets of racks of hardware within an AZ

so if one partition fails, all of the instances on it fail, but a partition is isolated from another partition’s failure

AWS defines a number of partitions within the group and scatters the group instances across these partitions. Instance gets access to the partition info as metadata

The partitions share a common availability zone, but do not share hardware. In fact, each partition resides within a different rack in the AWS datacenter.

provides hardware redundancy, you can scale to hundreds of EC2 instances per group; it is typically used by large distributed and replicated workloads, such as Hadoop, Cassandra, Kafka, HDFS and HBase.

distributed big data applications

90
Q

ENI

A

Elastic Network Interfaces

a logical component in a VPC that represents a virtual network card. They give EC2 instances access to the network

accessible under Network and Security –> Network interfaces or on the instance

one instance can have multiple ENIs

91
Q

ENI can have the following attributes

A
  1. primary private IPv4 (eth0)
  2. one or more secondary IPv4 (eth1)
  3. an elastic IPv4 per private IPv4
  4. one public IPv4
  5. one or more security groups attached to ENI
  6. MAC address
92
Q

you can create ENIs independently

A

from your EC2 instances and attach them on the fly, or move them between EC2 instances for failover

but bound to a specific AZ

93
Q

what happens with data when we start or stop our instances

A

if we stop an instance, its data is left intact until the next start, if it’s on an EBS volume

if we terminate, any data on a root EBS volume that is set up to be destroyed alongside the instance is going to be lost

but if it’s an EBS volume attached as a secondary drive and it’s not meant to be destroyed when your instance is terminated, you will keep the data

94
Q

On instance start

A

first start: the OS boots, the EC2 user data script is run

following starts: the OS boots up

then your application starts, caches get warmed up, this takes time

95
Q

EC2 Hibernate

A

the in-memory (RAM) state is preserved, all data in RAM preserved

when you restart the instance after hibernating it, the instance boot is going to be much faster, because the OS has not been stopped; the OS will be up

the state of the RAM is dumped into a file onto the root EBS volume. This volume must be encrypted

96
Q

Use cases for EC2 Hibernate

A
  1. keep long running processing
  2. you need to save RAM state
  3. you have services that take a lot of time to initialize
97
Q

EC2 Hibernate current limitations

A
  1. does not support all instance families
  2. the instance RAM size cannot be bigger than 150 gigabytes
  3. no support for bare metal instances
  4. not all AMIs
  5. the root volume must be an encrypted EBS volume, not instance store, and large enough
  6. only on-demand and reserved instances
  7. cannot be hibernated for more than 60 days
98
Q

EC2 Hibernate how to create

A
  1. you create an instance as normal, but have to select an instance type supported by hibernate
  2. in step 3, under Shutdown behavior select Stop, then tick the “Stop - hibernate behavior” checkbox
99
Q

t2.micro

A

is free tier

100
Q

You are getting started with AWS and your manager wants things to remain simple yet secure. He wants the management of engineers to be easy, and not re-invent the wheel every time someone joins your company. What will you do?

A

create multiple IAM users and groups, assign policies to groups

new users will be added to groups

101
Q

You pay for an EC2 instance compute component only when

A

it is in running state

102
Q

You plan on running an open-source MongoDB database year-round on EC2. Which instance launch mode should you choose?

A

reserved instances

103
Q

You are launching an EC2 instance in us-east-1. It works well, so you decide to deploy your script in us-west-1 as well. There, the script does not work and fails with “ami not found” error. What’s the problem?

A

the AMI is region-locked and the same ID cannot be used across regions

104
Q

You would like to deploy a database technology and the vendor license bills you based on the physical cores and underlying network socket visibility. Which EC2 launch modes allow you to get visibility into them?

A

dedicated hosts

105
Q

You are running a critical workload of three hours per week, on Monday. As a solutions architect, which EC2 Instance Launch Type should you choose to maximize the cost savings while ensuring the application stability?

A

scheduled reserved instances