General Cloud

Question 1

What are contained in regions?

Answer 1

AZs (Availability Zone), each of which contain 1+ data centers

Question 2

What is IAM?

Answer 2

Identity and Access Management, organizes users into groups, assigns policies (JSON) to users/groups

Question 3

What is an EC2 security group?

Answer 3

A firewall. Many to many w/ EC2 instances.

Question 4

What is EBS?

Answer 4

Network drive attached to 1 EC2 instance at a time.

Question 5

What’s the relationship between EC2 instances and EBS volumes?

Answer 5

An EC2 instance can have multiple EBS volumes, but and EBS volume can only attach to 1 EC2 instance.

Question 6

What is CloudFormation?

Answer 6

Infrastructure as code. Code your insrastructure design and AWS will change your config to match it.

Question 7

What is CloudFormation Stack Designer?

Answer 7

Creates diagrams for CloudFormation configurations

Question 8

What is CDK?

Answer 8

Cloud Development Kit. Write CloudFormation configuration in other programming languages. They are compiled to yaml/json.

Question 9

What is Elastic Beanstalk?

Answer 9

Automatically creates/depoys a cloudformation config for your app as single instance (test env), ASG (batch) or LB + ASG (prod web)

Question 10

What kind of monitoring comes with Elastic Beanstalk?

Answer 10

Pushes app health info to CloudWatch

Question 11

What is CodeDeploy?

Answer 11

Can deploy new versions of your applications. Does not use CloudFormation. Works with EC2 instances or on-prem servers.

Question 12

What is CodeDeploy Agent?

Answer 12

Allows you to provision on-prem servers or EC2 instances for use by CodeDeploy.

Question 13

What is CodeCommit?

Answer 13

Amazon’s GitHub. Private integrated w/ AWS services.

Question 14

What is CodeBuild?

Answer 14

Pulls code from Git and runs build script.

Question 15

What is CodePipeline?

Answer 15

Link together AWS and 3rd party build services.

Question 16

What is CodeArtifact?

Answer 16

Artifact management system (Library repo, maven deps)

Question 17

What is CodeStar?

Answer 17

Dashboard. Unified UI to create build pipeline.

Question 18

What is Cloud9?

Answer 18

Cloud IDE.

Question 19

What is SSM?

Answer 19

Systems Manager. Manage EC2 and on-prem systems at scale. Hybrid service. eg. patching automation. SSM agent installed on each server, which allows it to be patched by AWS’ service. Installed by default on Linux and Ubuntu AMI.

Question 20

What is SSM Session Manager?

Answer 20

Can SSH into your EC2 instance w/o opening port 22

Question 21

OpsWorks

Answer 21

Managed Chef & Puppet to perform server configuation or repetitive actions.

Question 22

Which can be used to monitor and check the health of an environment: CodeStar or Beanstalk?

Answer 22

Beanstalk.

Question 23

Is Beanstalk Iaas, Paas or Saas?

Answer 23

Paas

Question 24

What does cloudformation us to describe AWS resources.

Answer 24

JSON or YAML templates

Question 25

Are CloudFormation and Beanstalk free?

Answer 25

Yes, but you have to pay for the underlying resources (eg. EC2 instances)

Question 26

What are global services?

Answer 26

Services that allow your app to be available globally. Route 53, CDN (Content Delivery Network), S3 Transfer Acceleration, Global Accelerator.

Question 27

What is Route 53?

Answer 27

Managed DNS (global service)

Question 28

What is a weighted routing policy in Route 53?

Answer 28

DNS will point certain percentages of traffic distributed across several IPs. Health checks ensure hosts are available.

Question 29

What is latency routing policy in Route 53?

Answer 29

resolved name to IP that will have lowest latency based on user’s location.

Question 30

What is a failover routing policy in Route 53?

Answer 30

Will route to a primary host until a health check fails, then will switch to failover host.

Question 31

What service do you use to register a domain name?

Answer 31

Route 53

Question 32

What is CloudFront?

Answer 32

A CDN. Served from edge locations. Can cache from S3 or any custom http end point.

Question 33

CloudFront vs S3 Cross Region Replication

Answer 33

global edge network // have to setup for each region
files are cache for a // files updated in real time
time (eg. a day)
for static content // dynamic content, fewer regions
cloning whole bucket across rgns

Question 34

What is S3 Transfer Acceleration?

Answer 34

S3 buckets are linked to 1 region. This speed up transfer from other regions to an S3 bucket in a different region. Instead of tranferring over the internet, it’s transferred through the internet to the closest edge location, then over amazon’s network to the othe region.

Question 35

What is the Global Accelerator?

Answer 35

Accelerates traffic to your load balancer from other regions by going through the internet only to the closest edge location and using AWS network for the rest.

Question 36

What is the difference between Global Accelerator and CloudFront?

Answer 36

CloudFront delivers cached static content, Global Accelerator is for dynamic data.

Question 37

What are AWS outposts?

Answer 37

Server racks that offer the same infrastructure/services as AWS for on-prem.

Question 38

What is WaveLength?

Answer 38

Some AWS services available on the edge of 5G networks. Low latency over 5G. Free. Use cases, real-time gaming, video streaming, etc.

Question 39

What are Local Zones?

Answer 39

Extends your AWS region to more locations to get your services closer to end users and reduce latency.

Question 40

What is WAF?

Answer 40

Web Application Firewall

Question 41

What is Shield?

Answer 41

Protects against DDoS.

Question 42

How does cloudfront protect against web attacks?

Answer 42

WAF & Shield

Question 43

What is asynchronous or event based communication between applications?

Answer 43

Messages from app A are put in a queue for app B to pick up.

Question 44

What is SQS?

Answer 44

Standard Queue. Model for decoupling applications (messages queued up). Older than SNS. Processors split messages between them.

Question 45

What is SNS?

Answer 45

Simple Notification Service. Pub/sub model for decoupling applications. Publish to 1 SNS topic and have multiple event subscribers notified. All subscribers will get all messages.

Question 46

What is Kinesis?

Answer 46

Real-time big data streaming.

Question 47

What is MQ?

Answer 47

Managed Apache ActiveMQ. SQS and SNS use Amazon proprietary protocols. If you have to use standard open protocols, use MQ. Not as scalable as Amazon’s.

Question 48

What is CloudWatch?

Answer 48

Monitors metrics (CPU utilization, network in…) for all AWS services. Report through dashboards.

Question 49

What EC2 metrics are available for EC2 instances?

Answer 49

CPU utilization, status checks, network (not RAM)

Question 50

What are CloudWatch alarms?

Answer 50

Trigger notifications for any metric. Can trigger autoscaling, stop/reboot and EC2 instance, send SNS notifications. Billing alarm for if you cost > certain amount.

Question 51

Which region makes CloudWatch billing alarms available?

Answer 51

us-east-1

Question 52

What are CloudWatch Events?

Answer 52

Event on a schedule: ie. Serverless cron job, invokes lamda.

Event Pattern: ie. Root user logs in

Question 53

What is EventBridge?

Answer 53

Basically == CloudWatch
Next evolution of CloudWatch Events.
Default event bus: generated by CloudWatch Events
Partner event bus: receive events from SAAS service or applications (ie. Zendesk, etc.)
Custom event bus: for your own apps

Question 54

What is CloudTrail?

Answer 54

Governance, compliance, audit. Enabled by default. History of events/API calls made w/in AWS account by console, sdk, cli, AWS services. Can direct to CloudWatch or S3. See reads separate from writes.

Question 55

What is CloudTrail Insights?

Answer 55

Costs. Looks at CloudTrail to detect unusual events.

Question 56

How are CloudTrail Events retained?

Answer 56

Events are stored for 90 days. To go farther, log them to S3, then use Athena to anaylyze.

Question 57

What is X-Ray?

Answer 57

Troubleshooting performance, understanding dependencies in a microservice architecture. Find errors and exceptions. Are we meeting SLA?

Question 58

What is CodeGuru?

Answer 58

A ML (Machine Learning) powered service for automated code reviews and app performance recommendations.

Reviewer: On check-in, it will check for bugs or performance improvements.

Profiler: Checks for bugs or performance improvements in production.

Question 59

What is Service Health Dashboard?

Answer 59

Shows health for all services in all regions. AWS services in general.

Question 60

What is the personal health dashboard?

Answer 60

Shows health of only services that affect you.

Question 61

What is VPC?

Answer 61

Virtual Private Cloud. Can partition into Subnets (each associated w/ an AZ). Can make subnets public or private. Use Route Tables to allow/deny access.

Question 62

What is a VPC Public Gateway?

Answer 62

An EC2 instance in a public subnet can use an IGW (Internet Gateway) to get to the internet. An instance in a private subnet can use a NAT gateway (AWS managed) or NAT instance (self-managed) that is created in the public subnet to get to the IGW and then the internet.

Question 63

What is a Network ACL?

Answer 63

Firewall controls traffic from/to subnet

Question 64

What are the 2 ways to protect your subnet?

Answer 64

NACL (subnet level) or Security Groups (EC2 level)

Question 65

What are VPC Flow Logs?

Answer 65

Can see IP traffic going to your VPC, subnet or elastic network interface and AWS traffic from AWS services.

Question 66

What is VPC Peering?

Answer 66

2 subnets will act as if they’re on the same network. Allows 2 VPCs to communicate, but a third party must be added to both to see both.

Question 67

What are VPC Endpoints?

Answer 67

If you want things in your subnet to communicate w/ AWS services. Use a gateway for S3/DynamoDB and an interface for anything else.

Question 68

What is Site VPN and Direct Connect?

Answer 68

Site VPN: VPN from on-prem to AWS. Direct Connect (DX): create a physical connection to AWS.

Question 69

Whare are CGW and VGW?

Answer 69

For site-to-site VPN.

on-prem –> CGW (Customer Gateway) –> VGW (Virtual Private Gateway) –> AWS subnet

Question 70

What is Transit Gateway?

Answer 70

Connect 100,000s of VPCS w/ on-prem. All talk just to the gateway which routes.

Question 71

Do Security Groups and NACL both offer ALLOW and DENY rules?

Answer 71

NACL is both, Security groups are ALLOW only

Question 72

What is shield?

Answer 72

Shield Standard = Free protection against DDOS attacks

Shield Advanced = Costs, further protection

Question 73

What tools are available to guard against DDOS attacks?

Answer 73

Standard Shield, Advanced Shield, WAF (web application firewall), Cloudfront and Route 53 (protection at edge locations), use autoscaling

Question 74

What options for encryption keys?

Answer 74

KMS (Key Management Service) = AWS managed keys, CloudHSM (Cloud Hardware Security Module) = AWS provides hardware, you manage keys

Question 75

What types of encryption keys are available?

Answer 75

Customer Managed CMK (Customer Master Key), AWS managed CMK, AWS owned CMK, CloudHSM Keys

Question 76

What is ACM?

Answer 76

AWS Certificate Manager, inflight encryption via SSL/TLS certs (eg. https at the load balancer, http to the server)

Question 77

What is Secrets Manager?

Answer 77

Stores password and rotate every x days. Automate generation and integrated w/ RDS

Question 78

What is AWS Artifact?

Answer 78

Access compliance reports and agreements.

Question 79

What is GuardDuty?

Answer 79

Intelligent threat discovery. Machine learning and 3rd party data to detect anomalys. Dedicated “finding” for cryptocurrency attacks. Works on CloudTrail logs, VPC flow logs, DNS logs and Kubernetes Audit Logs.

Question 80

What is Inspector?

Answer 80

Automated Security Assessments. Can analyze EC2 instances or containers pushed to ECR.

Question 81

What is config?

Answer 81

Records auditing and recording data for compliance. Can alert via SNS.

Question 82

What is Macie?

Answer 82

Data security and privacy service. Alert you to PII.

Question 83

What is Security Hub?

Answer 83

Central service to check security across several AWS account. Integrates from GuardDuty, Inspector, Macie, IAM… etc. Config service must be enabled.

Question 84

What is Amazon Detective?

Answer 84

Deeper analysis, finding root cause.

Question 85

How can you report abuse?

Answer 85

Can report spam, port scanning, DDOS, intrusion attempts, malware… etc. Email them or fill out abuse form online.

Question 86

What actions can only be performed by root user?

Answer 86

Change account settings, certain tax invoices, close your account, change or cancel support plan, register as a seller in the Reserved Instance Martetplace, enable MFA on S3 bucket, sign up for gov cloud.

Question 87

What is Rekognition?

Answer 87

Find objects, people, text, scenes in images and video. Can be used for user verification or people counting.

Question 88

What is Transcribe?

Answer 88

Converts speech to text. Automate closed captioning, transcribe customer service calls.

Question 89

What is Polly?

Answer 89

Turn text to speech.

Question 90

What is Translate?

Answer 90

Language translation.

Question 91

What is Lex and Connect?

Answer 91

Lex == tech powers Alexa. Can build chatbots, call center bots
Connect == virtual contact center

Question 92

What is Comprehend?

Answer 92

NLP (Natual Language Processing)

Question 93

What is SageMaker

Answer 93

Build ML (Machine Learning) models

Question 94

What is Forecast?

Answer 94

Forecasting based on past data.

Question 95

What is Kendra?

Answer 95

Document Search Service, Googling your own documents.

Question 96

What is Personalize?

Answer 96

Personalized recommendations. eg. suggestions to buy based on past purchases.

Question 97

What is Textract?

Answer 97

Image to text. eg. extract data from driver’s license.

Question 98

What is Organizations?

Answer 98

Manage multiple accounts. Single payment for all accounts. Automate account creation. Restrict account privileges using Service Control Policies.

Question 99

What are (SCPs) Service Control Policies?

Answer 99

White/blacklist IAM actions at OU or Account level. Applied to all users and roles of account (except master account).

Question 100

What is Control Tower?

Answer 100

Setup and manage multi-account environment. Creates Organization and SCPs.

Question 101

What are the free services?

Answer 101

IAM, VPC, Consolidated Billing, Elastic Beanstalk, CloudFormation, Auto Scaling Groups. Have to pay for resources these services use.

Question 102

How is EC2 pricing computed?

Answer 102

On-demand, Reserved (1 or 3 year commitment, up to 75% discount), Spot (bid for unused capacity, up to 90% discount), Dedicated (reserve for 1 or 3 years)

Question 103

How is Lambda/ECS pricing computed?

Answer 103

Lambda (per call/duration), ECS (only $ for underlying resources), Farget (vCPU and memory)

Question 104

How is S3/EFS pricing computed?

Answer 104

Storage class (Standard, Infrequent Access, One-Zone IA, Intelligent Tiering, Glacier, Glacier Deep Archive. $ for # and size of objects. Pay per request to retrieve and pay for transfer OUT.

Question 105

How is EBS pricing computed?

Answer 105

Volume type, storage amount, IOPS (I/O per second), snapshots and outbout transfer.

Question 106

How is RDS pricing computed?

Answer 106

Per hour billing, engine, size, memory, additional storage, requests/month, transfer OUT. Can reserve instances for 1 or 3 years. If multi-AZ, $ for 1 instance/AZ.

Question 107

What are billing costing tools?

Answer 107

Estimating: Pricing calculator, Tracking: Billing dashboard, Cost allocation tags, Cost and usage reports, Cost explorer, Monitoring: Billing alarms, Budgets.

Question 108

What tool can you use to forcast cost/usage up to 12 months?

Answer 108

Cost Explorer

Question 109

On what 5 categories does Trusted Advisor recommend?

Answer 109

Cost Optimization, Performance, Security, Fault Tolerance, Service Limits.

Question 110

What are 7 core checks on Trusted Advisor Support Plans?

Answer 110

Basic/Developer Support plan: S3 bucket permission, Security Groups - Specific Ports Unrestricted, IAM Use, MFA on Root Account, EBS public snapshots, RDS public snapshots, service limits.
Business/Enterprice Support plan: all from basic + cloudwatch alarms and programmatic access.