IAM + EC2 Flashcards

1
Q

What are the types of elements in IAM?

A

Users
Groups
Roles
Policies

2
Q

What are IAM Roles?

A

Roles are a group of one or more policies that define the permissions of the role.

Roles are used to give AWS services access to other services. Roles are attached directly to an AWS resource.

3
Q

What is an IAM Policy and what does it consist of?

A

It’s a JSON document with one or more statements.

Version
ID
Statement

Statement structure:
Sid: statement ID.
Effect: Allow/Deny.
Principal: Which account, user, or role the statement with the permissions will apply to.
Action: The list of actions that will be allowed or denied.
Resource: The service resource the policy will be applied to.
Condition: parameters to decide if the policy is applied or not.

4
Q

What can you do in IAM?

A

Set a password policy and expiration policy
Create users, groups, roles, policies.
Set up MFA
Generate Access Keys

5
Q

In which ways can you access AWS?

A

Management Console: Through web interface
AWS CLI: Through command line
AWS SDKs: Through code

6
Q

How do users and groups behave in IAM?

A

A group can’t be a member of another group.
A user inherits policies and permissions from every group he is in.

7
Q

What is the least privilege principle?

A

You don’t give a user or group more privileges than they need.

8
Q

What monitoring can you do with IAM?

A

You can generate reports of all IAM users and the status of their credentials.

You can monitor individual users to see when they last accessed each service. This is useful for setting correct permissions for users and removing permissions they don’t use.

9
Q

What does the EC2 service consist of?

A

EC2 instances
EBS Volumes
Instance Store
ELB
ASG: auto scaling group

10
Q

What is an EC2 instance key pair?

A

It’s a pair of private and public keys you can use to give access to one or more EC2 instances. You assign one to an instance on creation.

11
Q

What is ephemeral in an EC2 instance?

A

Instance store storage and IP addresses. These are lost when the instance is stopped.

12
Q

What are the different EC2 instance types optimized for?

A

Memory optimized, storage optimized, compute optimized, general purpose. All come in different sizes.

13
Q

What is the most balanced EC2 instance type called?

A

General Purpose

14
Q

What is a special feature of security groups in AWS?

A

You can enable inbound or outbound rules in security groups that are targeted to or from specific security groups, which will be attached to resources like other EC2 instances, load balancers, etc.

15
Q

What are reserved instances?

A

You pay for an instance for 1 or 3 years. It’s cheaper because it’s long term. Up to 72% discount compared to on demand.

You can pay upfront, which is cheaper.

16
Q

What are on demand instances?

A

You pay per second. Highest cost.

17
Q

What is a savings plan?

A

Similar to reserved instances but more flexible. You commit to a certain amount of usage and save costs long term. 1 or 3 years.

18
Q

What are Spot instances?

A

Save up to 90% compared to on demand.

You can lose these instances at any point in time.

These instances have a spot price. You need to set a max price and if the spot price goes higher than your max you will lose the instances.

19
Q

What are EC2 dedicated hosts?

A

You rent a physical server with certain EC2 capacity.

Good for when your licenses are bound to a physical server.

Dedicated hosts can be on demand or reserved.

This is the most expensive option.

20
Q

What are EC2 dedicated instances?

A

Instances that run on a physical server dedicated to you.

21
Q

What’s the difference between dedicated hosts and dedicated instances?

A

Both run instances on servers dedicated to you.

In dedicated instances, the physical server may change.

In dedicated hosts you have control of the underlying hardware. In dedicated instances you don’t.

In dedicated instances you pay for the instances but in hosts you pay for the whole host.

22
Q

What is EC2 capacity reservation?

A

Reserve an amount of instance capacity for a set period. (You can choose any period, short or long.) You are charged as on demand whether you use the reserved capacity or not.

23
Q

What are spot fleets?

A

Spot fleets are a group of spot instances which can optionally include on demand instances.

This option automatically launches spot instances when the spot prices match your max.

24
Q

What are Elastic IPs?

A

It’s a public IP that is persistent through reboots of instances. You can have up to 5 per AWS account.

Elastic IP is usually a poor design choice. It’s preferable to use an ELB or just DNS names.

25
Q

What are placement groups?

A

You can create these to control the placement of your EC2 instances within a region. You have 3 options: Cluster, Spread, or Partition.

26
Q

What are the different kinds of placement groups? How does each type work?

A

Cluster: Places instances in a low latency group within a single AZ.
Spread: Places instances in different AZs, and on different hardware. Is limited to 7 instances per AZ within 1 placement group.
Partition: Similar to spread, but can contain up to 100s of instances. This placement group consists of up to 7 partitions per AZ. The instances in one partition are on different hardware than the instances in the other partitions.

27
Q

What is an ENI?

A

Elastic network interface.

A single ENI has a MAC address and at least a primary private IPv4 address.

It can also contain an elastic public IP and a public IP per private IP.

28
Q

What are the instance requirements to be able to hibernate?

A

Root volume must be EBS.
EBS must be encrypted.
RAM must be less than 150GB.
EBS volume must have a minimum space for the RAM to be written to it.

Note: In hibernation, RAM is written to the EBS volume.

29
Q

What is an instance profile?

A

An instance profile is a container for an EC2 specific IAM Role. It allows the EC2 instance to run with the permissions defined in the role.

An instance profile with the same name is automatically created when you create an IAM Role for EC2.

30
Q

How can you attach a policy to an IAM user?

A

You can attach a policy directly to a user, or you can attach it to a group, and users of that group will have the policy attached indirectly.

31
Q

How do you access the AWS CLI?

A

You need a user with active access keys.