General Cloud Flashcards
What are contained in regions?
AZs (Availability Zones), each of which contains 1+ data centers
What is IAM?
Identity and Access Management, organizes users into groups, assigns policies (JSON) to users/groups
What is an EC2 security group?
A firewall. Many to many w/ EC2 instances.
What is EBS?
Network drive attached to 1 EC2 instance at a time.
What’s the relationship between EC2 instances and EBS volumes?
An EC2 instance can have multiple EBS volumes, but an EBS volume can only attach to 1 EC2 instance.
What is CloudFormation?
Infrastructure as code. Code your infrastructure design and AWS will change your config to match it.
What is CloudFormation Stack Designer?
Creates diagrams for CloudFormation configurations
What is CDK?
Cloud Development Kit. Write CloudFormation configuration in other programming languages. They are compiled to yaml/json.
What is Elastic Beanstalk?
Automatically creates/deploys a CloudFormation config for your app as a single instance (test env), ASG (batch) or LB + ASG (prod web)
What kind of monitoring comes with Elastic Beanstalk?
Pushes app health info to CloudWatch
What is CodeDeploy?
Can deploy new versions of your applications. Does not use CloudFormation. Works with EC2 instances or on-prem servers.
What is CodeDeploy Agent?
Allows you to provision on-prem servers or EC2 instances for use by CodeDeploy.
What is CodeCommit?
Amazon’s GitHub. Private, integrated w/ AWS services.
What is CodeBuild?
Pulls code from Git and runs build script.
What is CodePipeline?
Link together AWS and 3rd party build services.
What is CodeArtifact?
Artifact management system (Library repo, maven deps)
What is CodeStar?
Dashboard. Unified UI to create build pipeline.
What is Cloud9?
Cloud IDE.
What is SSM?
Systems Manager. Manage EC2 and on-prem systems at scale. Hybrid service. eg. patching automation. SSM agent installed on each server, which allows it to be patched by AWS’ service. Installed by default on Linux and Ubuntu AMI.
What is SSM Session Manager?
Can SSH into your EC2 instance w/o opening port 22
What is OpsWorks?
Managed Chef & Puppet to perform server configuration or repetitive actions.
Which can be used to monitor and check the health of an environment: CodeStar or Beanstalk?
Beanstalk.
Is Beanstalk Iaas, Paas or Saas?
Paas
What does CloudFormation use to describe AWS resources?
JSON or YAML templates
Are CloudFormation and Beanstalk free?
Yes, but you have to pay for the underlying resources (eg. EC2 instances)
What are global services?
Services that allow your app to be available globally. Route 53, CDN (Content Delivery Network), S3 Transfer Acceleration, Global Accelerator.
What is Route 53?
Managed DNS (global service)
What is a weighted routing policy in Route 53?
DNS will point certain percentages of traffic distributed across several IPs. Health checks ensure hosts are available.
What is latency routing policy in Route 53?
Resolves the name to the IP that will have the lowest latency based on the user’s location.
What is a failover routing policy in Route 53?
Will route to a primary host until a health check fails, then will switch to failover host.
What service do you use to register a domain name?
Route 53
What is CloudFront?
A CDN. Served from edge locations. Can cache from S3 or any custom http end point.
CloudFront vs S3 Cross Region Replication
CloudFront: global edge network; files are cached for a time (eg. a day); for static content.
S3 Cross Region Replication: have to set up for each region; files updated in real time; for dynamic content, fewer regions, cloning whole bucket across regions.
What is S3 Transfer Acceleration?
S3 buckets are linked to 1 region. This speeds up transfer from other regions to an S3 bucket in a different region. Instead of transferring over the internet, it’s transferred through the internet to the closest edge location, then over Amazon’s network to the other region.
What is the Global Accelerator?
Accelerates traffic to your load balancer from other regions by going through the internet only to the closest edge location and using AWS network for the rest.
What is the difference between Global Accelerator and CloudFront?
CloudFront delivers cached static content, Global Accelerator is for dynamic data.
What are AWS outposts?
Server racks that offer the same infrastructure/services as AWS for on-prem.
What is WaveLength?
Some AWS services available on the edge of 5G networks. Low latency over 5G. Free. Use cases: real-time gaming, video streaming, etc.
What are Local Zones?
Extends your AWS region to more locations to get your services closer to end users and reduce latency.
What is WAF?
Web Application Firewall
What is Shield?
Protects against DDoS.
How does CloudFront protect against web attacks?
WAF & Shield
What is asynchronous or event based communication between applications?
Messages from app A are put in a queue for app B to pick up.
What is SQS?
Standard Queue. Model for decoupling applications (messages queued up). Older than SNS. Processors split messages between them.
What is SNS?
Simple Notification Service. Pub/sub model for decoupling applications. Publish to 1 SNS topic and have multiple event subscribers notified. All subscribers will get all messages.
What is Kinesis?
Real-time big data streaming.
What is MQ?
Managed Apache ActiveMQ. SQS and SNS use Amazon proprietary protocols. If you have to use standard open protocols, use MQ. Not as scalable as Amazon’s.
What is CloudWatch?
Monitors metrics (CPU utilization, network in…) for all AWS services. Report through dashboards.
What EC2 metrics are available for EC2 instances?
CPU utilization, status checks, network (not RAM)
What are CloudWatch alarms?
Trigger notifications for any metric. Can trigger autoscaling, stop/reboot an EC2 instance, send SNS notifications. Billing alarm for if your cost > a certain amount.
Which region makes CloudWatch billing alarms available?
us-east-1
What are CloudWatch Events?
Event on a schedule: ie. serverless cron job, invokes Lambda.
Event Pattern: ie. Root user logs in
What is EventBridge?
Basically == CloudWatch
Next evolution of CloudWatch Events.
Default event bus: generated by CloudWatch Events
Partner event bus: receive events from SaaS services or applications (ie. Zendesk, etc.)
Custom event bus: for your own apps
What is CloudTrail?
Governance, compliance, audit. Enabled by default. History of events/API calls made w/in AWS account by console, sdk, cli, AWS services. Can direct to CloudWatch or S3. See reads separate from writes.
What is CloudTrail Insights?
Costs. Looks at CloudTrail to detect unusual events.
How are CloudTrail Events retained?
Events are stored for 90 days. To go farther back, log them to S3, then use Athena to analyze.
What is X-Ray?
Troubleshooting performance, understanding dependencies in a microservice architecture. Find errors and exceptions. Are we meeting SLA?
What is CodeGuru?
A ML (Machine Learning) powered service for automated code reviews and app performance recommendations.
Reviewer: On check-in, it will check for bugs or performance improvements.
Profiler: Checks for bugs or performance improvements in production.
What is Service Health Dashboard?
Shows health for all services in all regions. AWS services in general.
What is the personal health dashboard?
Shows health of only services that affect you.
What is VPC?
Virtual Private Cloud. Can partition into Subnets (each associated w/ an AZ). Can make subnets public or private. Use Route Tables to allow/deny access.
What is a VPC Public Gateway?
An EC2 instance in a public subnet can use an IGW (Internet Gateway) to get to the internet. An instance in a private subnet can use a NAT gateway (AWS managed) or NAT instance (self-managed) that is created in the public subnet to get to the IGW and then the internet.
What is a Network ACL?
Firewall that controls traffic from/to a subnet
What are the 2 ways to protect your subnet?
NACL (subnet level) or Security Groups (EC2 level)
What are VPC Flow Logs?
Can see IP traffic going to your VPC, subnet or elastic network interface and AWS traffic from AWS services.
What is VPC Peering?
2 subnets will act as if they’re on the same network. Allows 2 VPCs to communicate, but a third party must be added to both to see both.
What are VPC Endpoints?
If you want things in your subnet to communicate w/ AWS services. Use a gateway for S3/DynamoDB and an interface for anything else.
What is Site VPN and Direct Connect?
Site VPN: VPN from on-prem to AWS. Direct Connect (DX): create a physical connection to AWS.
What are CGW and VGW?
For site-to-site VPN.
on-prem –> CGW (Customer Gateway) –> VGW (Virtual Private Gateway) –> AWS subnet
What is Transit Gateway?
Connect 100,000s of VPCs w/ on-prem. All talk just to the gateway, which routes.
Do Security Groups and NACL both offer ALLOW and DENY rules?
NACL is both, Security groups are ALLOW only
What is Shield?
Shield Standard = Free protection against DDoS attacks
Shield Advanced = Costs, further protection
What tools are available to guard against DDoS attacks?
Standard Shield, Advanced Shield, WAF (web application firewall), CloudFront and Route 53 (protection at edge locations), use autoscaling
What options for encryption keys?
KMS (Key Management Service) = AWS managed keys, CloudHSM (Cloud Hardware Security Module) = AWS provides hardware, you manage keys
What types of encryption keys are available?
Customer Managed CMK (Customer Master Key), AWS managed CMK, AWS owned CMK, CloudHSM Keys
What is ACM?
AWS Certificate Manager, inflight encryption via SSL/TLS certs (eg. https at the load balancer, http to the server)
What is Secrets Manager?
Stores passwords and rotates them every x days. Automates generation and is integrated w/ RDS.
What is AWS Artifact?
Access compliance reports and agreements.
What is GuardDuty?
Intelligent threat discovery. Machine learning and 3rd party data to detect anomalies. Dedicated “finding” for cryptocurrency attacks. Works on CloudTrail logs, VPC flow logs, DNS logs and Kubernetes audit logs.
What is Inspector?
Automated Security Assessments. Can analyze EC2 instances or containers pushed to ECR.
What is Config?
Records auditing and recording data for compliance. Can alert via SNS.
What is Macie?
Data security and privacy service. Alert you to PII.
What is Security Hub?
Central service to check security across several AWS accounts. Integrates findings from GuardDuty, Inspector, Macie, IAM… etc. Config service must be enabled.
What is Amazon Detective?
Deeper analysis, finding root cause.
How can you report abuse?
Can report spam, port scanning, DDoS, intrusion attempts, malware… etc. Email them or fill out the abuse form online.
What actions can only be performed by root user?
Change account settings, certain tax invoices, close your account, change or cancel support plan, register as a seller in the Reserved Instance Marketplace, enable MFA on an S3 bucket, sign up for GovCloud.
What is Rekognition?
Find objects, people, text, scenes in images and video. Can be used for user verification or people counting.
What is Transcribe?
Converts speech to text. Automate closed captioning, transcribe customer service calls.
What is Polly?
Turn text to speech.
What is Translate?
Language translation.
What is Lex and Connect?
Lex == tech that powers Alexa. Can build chatbots, call center bots
Connect == virtual contact center
What is Comprehend?
NLP (Natural Language Processing)
What is SageMaker?
Build ML (Machine Learning) models
What is Forecast?
Forecasting based on past data.
What is Kendra?
Document Search Service, Googling your own documents.
What is Personalize?
Personalized recommendations. eg. suggestions to buy based on past purchases.
What is Textract?
Image to text. eg. extract data from driver’s license.
What is Organizations?
Manage multiple accounts. Single payment for all accounts. Automate account creation. Restrict account privileges using Service Control Policies.
What are (SCPs) Service Control Policies?
White/blacklist IAM actions at OU or Account level. Applied to all users and roles of account (except master account).
What is Control Tower?
Setup and manage multi-account environment. Creates Organization and SCPs.
What are the free services?
IAM, VPC, Consolidated Billing, Elastic Beanstalk, CloudFormation, Auto Scaling Groups. Have to pay for resources these services use.
How is EC2 pricing computed?
On-demand, Reserved (1 or 3 year commitment, up to 75% discount), Spot (bid for unused capacity, up to 90% discount), Dedicated (reserve for 1 or 3 years)
How is Lambda/ECS pricing computed?
Lambda (per call/duration), ECS (only $ for underlying resources), Fargate (vCPU and memory)
How is S3/EFS pricing computed?
Storage class (Standard, Infrequent Access, One-Zone IA, Intelligent Tiering, Glacier, Glacier Deep Archive). $ for # and size of objects. Pay per request to retrieve and pay for transfer OUT.
How is EBS pricing computed?
Volume type, storage amount, IOPS (I/O per second), snapshots and outbound transfer.
How is RDS pricing computed?
Per hour billing, engine, size, memory, additional storage, requests/month, transfer OUT. Can reserve instances for 1 or 3 years. If multi-AZ, $ for 1 instance/AZ.
What are billing costing tools?
Estimating: Pricing calculator, Tracking: Billing dashboard, Cost allocation tags, Cost and usage reports, Cost explorer, Monitoring: Billing alarms, Budgets.
What tool can you use to forecast cost/usage up to 12 months?
Cost Explorer
On what 5 categories does Trusted Advisor recommend?
Cost Optimization, Performance, Security, Fault Tolerance, Service Limits.
What are 7 core checks on Trusted Advisor Support Plans?
Basic/Developer Support plan: S3 bucket permission, Security Groups - Specific Ports Unrestricted, IAM Use, MFA on Root Account, EBS public snapshots, RDS public snapshots, service limits.
Business/Enterprise Support plan: all from basic + CloudWatch alarms and programmatic access.