linux academy Flashcards
EC2 firewalls
Security Groups are the primary firewalls for EC2s. They implicitly deny all traffic. Only traffic explicitly allowed will pass through the SG.
Application load balancer
Layer 7
Message queue service
SQS
Cross account IAM roles
Used to give other AWS accounts access to your resources
IAM groups
IAM Users can be assigned to IAM groups and inherit the permissions policies associated with the group. Recommended best practice to avoid managing permissions policies for individual IAM Users.
To turn a private subnet into a public subnet
Associate a custom route table with it that has a route to the Internet Gateway.
Customer master key
Key used by KMS to encrypt and decrypt data keys
Security Token Service (STS)
Used to generate temporary access keys with limited lifetime. Permissions granted come from a role (Assume Role) or IAM User (GetSessionToken).
OpenID Connect
Identity layer on top of the OAuth 2.0 protocol used by web identity providers (Facebook, Google, Amazon.com). Authorization tokens from compatible OpenID Connect providers can be used to obtain credentials from STS.
Kinesis Data Streams
Big data service for ingesting and storing data of high volume, variety and velocity in a stream
Redis
In-memory NoSQL database that can be automatically managed by ElastiCache.
Maximum retention period for RDS manual snapshots
unlimited
Direct connect gateways
Allows you to connect from Direct Connect to any VPC in any region except China
AWS WAF
Layer 7 firewall
SAML
Security Access Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
CloudFront
AWS’ Content Delivery Network
Security Group
1) Operates on the instance layer
2) Supports “allow” rules only
3) Is “stateful”, so return traffic is allowed regardless of rules
4) Evaluates ALL rules before deciding to allow traffic
AWS WAF rules can be applied at
An Application Load Balancer
CloudFront
Default VPC
1) Default VPC is user friendly, allowing you to immediately deploy instances
2) All subnets in a default VPC have an internet gateway attached
3) Each EC2 instance has both a public and a private IP address
4) If you delete the default VPC the only way to get it back is to contact AWS
Stateless firewall
NACLs are an example of a stateless firewall. To allow traffic BOTH inbound and outbound rules are always required.
Shared Tenancy
The default configuration of an EC2 host, where multiple AWS customers can run on the same host.
Private VIF
Virtual Interface from Direct Connect to the Virtual Private Gateway of a VPC
Redshift
A managed service for data warehousing
EFS
Elastic File System - a managed service for NFS
HDFS
Hadoop Distributed File System. Stores data locally on the core nodes of a Hadoop cluster.
VPC flow logs
Logging of accepted and rejected network traffic inside of your VPC
S3 object size limit
5TB
Two supported formats for CloudFormation Templates
JSON and YAML
AWS Shield
DDOS protection
SNS (and also MQ)
Pub/sub messaging service
A consultant's best friend
Trusted Advisor makes recommendations for Cost Optimization, Fault Tolerance, Performance, Security, and Service Limits
Glacier
Low cost storage for archives
GuardDuty
A continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs.
Ephemeral storage
Local disks on host machines are called Instance Store. These are immediately wiped when an EC2 instance is stopped or terminated.
Disaster recovery patterns in order of increasing cost
Backup and Restore
Pilot Light
Low Capacity Standby
Multi-site Active-Active
Partition key
Required for each item in a DynamoDB table
CloudHSM
Dedicated HSM for encryption key management
BGP
Border Gateway Protocol - used to dynamically propagate routes between data centers and VPCs
Transient cluster
EMR cluster that is configured to run steps and then terminate itself upon completion.
Route53
DNS service (named for DNS port number 53)
Security access key
AWS API calls must be signed with API Access Keys, which consist of an Access Key ID and a Secret Access Key.
Lifecycle policies
Rules that automatically transition aging S3 objects into less expensive storage classes, including Glacier.
Provisioned IOPS are needed when
Your application requires consistent IOPS to your EBS volume (e.g. a production relational DB).
Five pillars of well architected framework
Security, Operational Excellence, Reliability, Performance Optimization, Cost Efficiency
Service that makes best practice recommendations
Trusted Advisor
Eventual consistency
Distributed storage systems are often eventually consistent which means that read requests made immediately after new or updated data may return the old data, or missing data in the case of new items.
Archival storage
Glacier
A /20 VPC contains how many IP addresses?
A /20 leaves 12 bits for addresses, which is 4,096. However, every subnet inside of this VPC takes away five addresses from this amount.
Some reasons to use Aurora
Continuous Backup
Enterprise-Class performance at much lower cost
Multi-Master
Serverless option
Read Replicas with lag of a few milliseconds
Variables in a CloudFormation template that prompt the user for values
parameters
AWS organizations
Multiple AWS Account management with control over IAM permissions and consolidated billing.
Internet Gateway
Must be attached to a VPC to receive and send traffic to an Internet address. Another type of gateway is a Virtual Private Gateway, which is used to make a private connection to a data center.
Max retention period for RDS automated snapshots
35 days
UserData
A script that will automatically execute when an EC2 instance launches. Used for self-configuration. On Linux it is typically a BASH shell script.
Reserved Instance
An instance that receives a discount because you agree to pay for it for one or three years.
Burstable instance
T instances accumulate CPU credits when operating at a low baseline performance and will burn credits when bursting up to 100% vCPU capacity.
Automated events are triggered by
CloudWatch Alarms
Scheduled Actions
Dedicated Tenancy
An EC2 and VPC option where a host machine will only run the dedicated instances for a single AWS customer account.
A managed service for graph databases
Neptune
MFA
Multi-Factor Authentication can utilize a hardware or virtual device that provides a rotating 6-digit code known as a one-time password (OTP). MFA devices can be associated with Root Users and IAM Users. In order for these users to log in to the console, they would need to provide the OTP in addition to their password.
CloudWatch
Real-time monitoring of AWS services
AMI
An Amazon Machine Image contains a snapshot of the boot volume and mappings for secondary volumes.