linux academy Flashcards
EC2 firewalls
Security Groups are the primary firewall for EC2 instances. They implicitly deny all traffic; only traffic explicitly allowed by a rule passes through the SG.
Application load balancer
Layer 7
Message queue service
SQS
Cross account IAM roles
Used to give other AWS accounts access to your resources
IAM groups
IAM Users can be assigned to IAM Groups and inherit the permissions policies attached to the group. Recommended best practice, to avoid managing permissions policies for individual IAM Users.
To turn a private subnet into a public subnet
Associate a custom route table with it that has a route (0.0.0.0/0) to the Internet Gateway. Instances in it also need a public or Elastic IP to be reachable.
Customer master key
Key used by KMS to encrypt and decrypt data keys (envelope encryption). The CMK itself never leaves KMS.
Security Token Service (STS)
Used to generate temporary credentials with a limited lifetime. The permissions granted come from a role (AssumeRole) or from the calling IAM User (GetSessionToken).
OpenID Connect
Identity layer on top of the OAuth 2.0 protocol used by web identity providers (Facebook, Google, Amazon.com). ID tokens from compatible OpenID Connect providers can be exchanged for temporary credentials from STS (AssumeRoleWithWebIdentity).
Kinesis Data Streams
Big data service for ingesting and storing data of high volume, variety and velocity in a stream
Redis
In-memory key-value data store that can be run as a managed service by ElastiCache.
Maximum retention period for RDS manual snapshots
unlimited
Direct connect gateways
allows you to connect from Direct Connect to any VPC in any region except China
AWS WAF
Layer 7 (web application) firewall
SAML
Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.
CloudFront
AWS’ Content Delivery Network
Security Group
1) Operates on the instance layer
2) Supports “allow” rules only
3) Is "stateful", so return traffic for an allowed request is let through regardless of rules
4) Evaluates ALL rules before deciding to allow traffic
AWS WAF rules can be applied at
An Application Load Balancer
A CloudFront distribution
An API Gateway REST API
Default VPC
1) The default VPC is user friendly, allowing you to deploy instances immediately
2) All subnets in the default VPC have a route to the attached internet gateway
3) Each EC2 instance launched into it gets both a public and a private IP address
4) If you delete the default VPC you can recreate it (aws ec2 create-default-vpc); there is only one per region
Stateless firewall
NACLs are an example of a stateless firewall. To allow a flow, BOTH an inbound and an outbound rule are always required.
Shared Tenancy
The default configuration of an EC2 host, where multiple AWS customers can run on the same host.
Private VIF
Virtual Interface from Direct Connect to the Virtual Private Gateway of a VPC
Redshift
A managed service for data warehousing
EFS
Elastic File System - a managed service for NFS
HDFS
Hadoop Distributed File System. Stores data locally on the core nodes of a Hadoop cluster.
VPC flow logs
Logging of accepted and rejected network traffic inside of your VPC
S3 object size limit
5TB
Two supported formats for CloudFormation Templates
JSON and YAML
AWS Shield
DDoS protection
SNS (and also MQ)
Pub/sub messaging service
A consultants best friend
Trusted Advisor makes recommendations for Cost Optimization, Fault Tolerance, Performance, Security, and Service Limits
Glacier
Low cost storage for archives
GuardDuty
A continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs.
Ephemeral storage
Local disks on the host machine are called Instance Store. Their contents are lost when an EC2 instance is stopped or terminated.
Disaster recover patterns in order of increasing cost
Backup and Restore
Pilot Light
Warm Standby (low-capacity standby)
Multi-site Active-Active
Partition key
Required for each item in a DynamoDB table
CloudHSM
Dedicated HSM for encryption key management
BGP
Border Gateway Protocol - used to dynamically propagate routes between data centers and VPCs
Transient cluster
EMR cluster that is configured to run steps and then terminate itself upon completion.
Route53
DNS service (named for DNS port number 53)
Access keys
AWS API calls must be signed with access keys, which consist of an Access Key ID and a Secret Access Key.
Lifecycle policies
Rules that automatically transition aging S3 objects into less expensive storage classes, including Glacier, or expire them.
Provisioned IOPS are needed when
Your application requires consistent IOPS from your EBS volume (e.g. a production relational DB).
Five pillars of well architected framework
Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization
Service that makes best practice recommendations
Trusted Advisor
Eventual consistency
Distributed storage systems are often eventually consistent which means that read requests made immediately after new or updated data may return the old data, or missing data in the case of new items.
Archival storage
Glacier
A /20 VPC contains how many IP addresses
12 host bits, so 4,096 addresses. However, every subnet inside the VPC reserves five of them (network address, VPC router, DNS, one reserved for future use, broadcast).
Some reasons to use Aurora
Continuous Backup
Enterprise-Class performance at much lower cost
Multi-Master
Serverless option
Read Replicas with low replica lag (typically under 100 milliseconds)
Variables in a CloudFormation template that prompt the user for values
parameters
AWS organizations
Multiple AWS Account management with control over IAM permissions and consolidated billing.
Internet Gateway
Must be attached to a VPC to receive and send traffic to an Internet address. Another type of gateway is a Virtual Private Gateway, which is used to make a private connection to a data center.
Max retention period for RDS automated snapshots
35 days
UserData
A script that will automatically execute when an EC2 instance launches. Used for self-configuration. On Linux it is typically a BASH shell script.
Reserved Instance
An instance that receives a discount because you agree to pay for it for one or three years.
Burstable instance
T instances accumulate CPU credits when operating at a low baseline performance and will burn credits when bursting up to 100% vCPU capacity.
Automated events are triggered by
CloudWatch Alarms
Scheduled Actions
Dedicated Tenancy
An EC2 and VPC option where a host machine will only run the dedicated instances for a single AWS customer account.
A managed service for graph databases
Neptune
MFA
Multi-Factor Authentication can utilize a hardware or virtual device that provides a rotating 6 digit code known as a one-time password (OTP). MFA devices can be associated with Root Users and IAM Users. In order for these users to log in to the console they would need to provide the OTP in addition to their password.
CloudWatch
Realtime monitoring of AWS services
AMI
An Amazon Machine Image contains a snapshot of the boot volume and mappings for secondary volumes.
S3 storage classes
Standard
Standard IA
One Zone IA
Glacier
VPC peering
Connect two VPCs without using internet or VPN
On demand instance
An EC2 instance that is billed by the number of seconds in the running state over a month.
Network ACL
1) Operates at the subnet boundary
2) Supports ALLOW & DENY rules
3) Stateless, so return traffic must be allowed through an outbound rule
4) Processes rules in NUMBER ORDER: the lowest-numbered matching rule wins, and the implicit "*" rule denies anything unmatched
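The two evaluation models side by side, as an added example that is not part of the flashcards: a Security Group treats its allow-only rules as a set (any match allows, otherwise implicit deny), while a Network ACL walks its numbered rules in order and stops at the first match, so the rule numbers decide whether a DENY ever takes effect. The rule format and the sample rules are constructed for illustration; the stateful behaviour of a Security Group is described in the comments rather than modelled.

```python
"""Added example (not from the flashcards): how a Security Group and a
Network ACL each decide whether an inbound packet is allowed. The rule
format and the sample rules below are constructed for illustration."""
from ipaddress import ip_address, ip_network


def _matches(rule, proto, port, src_ip):
    """A rule matches when protocol, port range and source network all match."""
    return (rule["proto"] in ("all", proto)
            and rule["from_port"] <= port <= rule["to_port"]
            and ip_address(src_ip) in ip_network(rule["cidr"]))


def security_group_allows(rules, proto, port, src_ip):
    """Security Group: allow-only rules evaluated as a set. Any match allows;
    no match is an implicit deny. Being stateful, the SG would also let the
    reply traffic of an allowed request back out without any further rule."""
    return any(_matches(r, proto, port, src_ip) for r in rules)


def nacl_allows(rules, proto, port, src_ip):
    """Network ACL: rules are evaluated in ascending rule-number order and the
    first match wins (allow or deny). Anything that matches nothing hits the
    implicit '*' deny. Being stateless, reply traffic needs its own rule."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if _matches(rule, proto, port, src_ip):
            return rule["action"] == "allow"
    return False


# Constructed sample Security Group: HTTPS from anywhere, SSH only from the corporate range.
SG_RULES = [
    {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/8"},
]

# Constructed sample NACL. Rule 90 blocks one abusive host; rule 100 would
# have allowed it, but 90 is evaluated first. Swap the two numbers and the
# deny is never reached. Rule 110 admits replies on ephemeral ports, which a
# stateless firewall needs for outbound connections to get answers back.
NACL_RULES = [
    {"number": 90, "action": "deny", "proto": "tcp",
     "from_port": 443, "to_port": 443, "cidr": "203.0.113.7/32"},
    {"number": 100, "action": "allow", "proto": "tcp",
     "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"number": 110, "action": "allow", "proto": "tcp",
     "from_port": 1024, "to_port": 65535, "cidr": "0.0.0.0/0"},
]
```

The practical check this supports: when a NACL deny "does not work", look for a lower-numbered allow that matches the same traffic first; when a Security Group deny is wanted, it cannot be expressed at all and belongs in the NACL.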
Cloud watch logs agent
Installed on your EC2 instances, streams log files to CloudWatch Logs
Trust policy
Associated with an IAM Role, a Trust Policy lists the entities that may assume the role.
Spot instance
Heavily discounted EC2 instance that can be interrupted by AWS when they need the capacity.
Health checks can be configured on
ELBs
Route 53
Target Groups
Stateful firewall
Security Groups are examples. Responses to a request are automatically allowed through if the request itself was allowed.
SSH key pairs
Consist of a public part copied to the Linux instance and a private part provided by the SSH client.
EBS optimized
A feature of current-generation EC2 instances where dedicated bandwidth is used for communication between the instance and EBS. This is required to consistently achieve the desired IOPS.
File gateway
A configuration of Storage Gateway that stores local files in S3 as objects
API gateway
A service that allows you to front backend API services
Macie
Security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS.
NACLS apply firewall rules at the …..
Subnet Boundary
The RDS multi-AZ feature provides
A hot standby secondary instance in a different AZ from the primary. Synchronous replication. Automatic failover.
Ways to offload traffic from an RDS database
Read Replicas
ElastiCache
Subnets cannot span more than one
Availability Zone
Strong password policy
It is the responsibility of the customer to create a strong password policy in IAM. There is none by default.
Edge location
100+ locations around the world that run edge services such as CloudFront and Route 53.
VPCs cannot span more than one
region
VPC endpoints
When added to your VPC allow you to reach public endpoints for AWS services such as DynamoDB and S3 using private addresses.
SWF
Orchestration tool for managing tasks in sequence
services with server side encryption
S3, Redshift, EBS, RDS, DynamoDB, SQS, Kinesis, EFS, Elastic Transcoder all integrate with KMS for data encryption/decryption
Persistent storage
EBS volumes may be configured to have a lifecycle separate from the instance. They are never deleted when an instance stops, but they may be configured to be deleted when an instance terminates.
Kinesis Agent
Java application that streams files into Kinesis
Cost allocation tags
Tags used to attribute expenditure
Kinesis Data Firehose
Service that can store streaming data into S3, Redshift, ElasticSearch, or Splunk
Config rules
Analyzes configuration changes against rules to determine compliance
If you need an Elastic Load Balancer that can handle massive sudden traffic spikes choose
A Network Load Balancer
NAT gateway
A managed service that provides a way for private instances to go out to the Internet for external content.
Custom metrics
Metrics that you stream into CloudWatch from your instances, such as memory utilization
You can add more RAM to an instance by
Increasing the size of the instance or selecting a different instance type that offers more RAM (eg. memory optimized instances)
EMR
Managed Hadoop clusters
Docker
A tool used to create and run applications in containers
Obtain instance metadata
curl http://169.254.169.254/latest/meta-data/
Fault Tolerance
A special case of High Availability, usually requiring extra redundancy, to make sure that outages do not result in performance degradation.
Three layers that can contain rules are
NACL, Security Group, OS. There is also a Layer 7 firewall service known as WAF that can be associated with a CloudFront Distribution or ALB.
Elastic IPs
EIPs are public IPs that are assigned to an AWS account. They may be associated and removed freely from instances. They are not automatically removed from the instance when it is stopped and started.
Hypervisor
Application on host machine that allows isolated multiple virtual instances to securely share resources.
CloudTrail
Logging of API calls to AWS services
Stateless Application
An application that saves state information in a shared off-instance datastore.
DynamoDB
A managed NoSQL database service for documents or key values
Groups vs roles
Groups hold IAM Users, whose access keys are long-lived and have to be rotated manually.
Roles use temporary credentials that expire, so there are no long-lived credentials to leak or rotate.
Shard
Fixed processing capacity
input - 1MB/s
output - 2MB/s
Streams contain shards and can be “resharded” based on data input
Lazy loaded
When an EBS volume is created from an S3 snapshot, blocks are not loaded until they are first read.
STS
Security Token Service - API End Point which can be called to receive temporary Access Keys.
Called when we want temporary credentials instead of long-lived IAM User keys. Returns the following 4 components
1. Access Key ID
2. Secret Access Key
3. Session Token
4. Expiration timestamp
Cross Account access
Granting a different AWS account permissions to access services in your account
Storage class in S3
Standard Storage Class - 99.99% availability - most expensive
Infrequent Access - 99.9% availability - less expensive than Standard
One Zone Infrequent Access - 99.5% availability
Glacier (separate storage service in S3) - cheapest storage option
Horizontal scaling
Increasing capacity by increasing number of instances
AWS nosql engines
DynamoDB - Document
ElastiCache - Key Value
Neptune - Graph
HBase on Elastic Map Reduce (EMR)- Column
Types of relational database
On-Line Transaction Processing (optimized for transactions; most databases, like SQL Server, Oracle etc.)
On-Line Analytical Processing (optimized for running queries for data. For ex. data warehouses)
Types of ELB
Classic ELB on Layer 4 and Layer 7
Application ELB on Layer 7
Network ELB on Layer 4
displays metadata when logged on to a particular instance
http://169.254.169.254/latest/meta-data/
Features of intel Xeon processors
AVX - highly parallel HPC
AES-NI - accelerated enc/dec
Turbo Boost - dynamic clock increase above the base frequency when thermal headroom allows
Transactional Synchronization Extensions (TSX) - optimized for multi-threaded
P state C state control - performance and sleep state optimization
ELB
Elastic Load Balancer. Balances/Distributes the network traffic across the EC2 instances even in different availability zones.
Comes with its own DNS name in the Amazon domain. Can be launched in a public subnet to allow access to users over the internet, or in private subnets as an internal load balancer.
Does proactive health check against EC2 instances it routes traffic to.
IPV4 and IPV6 in AWS
IPv4 has an option of Private and Public addresses
Has 3 sets of addresses for private addresses
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
IPv6 has only Public addresses
Types of NoSQL database
Column - stored by column (very fast for querying)
Key Value - stored by key value pairs
Document - optimized to store semi-structured documents such as JSON
Graph - used by social media application, optimized for relationships
Auto scaling
Automating the process of adding capacity to the server using API calls
CSA terminology
High Availability, Fault Tolerance, Scalability, Elasticity, Cost Efficient, Secure
EC2 Storage types
Instance Storage, EBS (Elastic Block Store), EFS (Elastic File System)
Instance Storage - HDDs or SSDs mounted in the host machine. Can be used by only one instance.
EBS - Hosted outside the host machine; the EC2 instance reaches the EBS volume over the network (with dedicated bandwidth on EBS-optimized instances). Can be attached to only one instance at a time.
EFS - Network file system that can be mounted by multiple instances at once. Used as a file share; cannot be used as a boot volume.
Security Group
Security Groups are the firewall for EC2. A rule names the protocol, port numbers and the IP address ranges (or other security groups) from which traffic is allowed. Each EC2 instance must be a member of at least one security group.
AWS shield
DDoS mitigation service
AWS RDS, AWS Redshift
Has database engines like Oracle, MySQL, PostgreSQL, MariaDB, SQL Server, Aurora
Redshift is an OLAP that is optimized for analytics
parts of an IAM role
Permissions and Trust Policy.
Permissions Policy - Grants permissions to certain AWS service APIs.
Trust Policy - specifies entities that can have the permission to assume this role
ARN
Amazon resource name
EC2 components
AMI
Instance Type
Network Interface
Storage
CAP
Consistency, Availability, Partition tolerance
IAM role in EC2
To assign an IAM role to an EC2 instance, the calling user's permissions policy must grant iam:PassRole on that role, and the role's trust policy must trust the EC2 service. EC2 then obtains temporary credentials for the role from STS and exposes them through the instance metadata service, where the application (or the SDK) reads them and uses them to call other services per the permissions in the role. The credentials are rotated automatically before they expire.
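An added example (not part of the flashcards) that covers both this card and the two metadata cards above: reading the role credentials from the instance metadata service at 169.254.169.254 using IMDSv2, which requires a session token obtained with a PUT before any GET is answered. The `fetch` callable and the `FakeIMDS` class are constructed stand-ins so the code runs off an instance; on a real instance the default `http_fetch` does the HTTP. The role name, key id and secret shown are constructed values.

```python
"""Added example (not from the flashcards): fetching the IAM role credentials
an EC2 instance exposes via the instance metadata service, IMDSv2 style.
FakeIMDS and its credential values are constructed; http_fetch is the real transport."""
import json
import urllib.error
import urllib.request

IMDS = "http://169.254.169.254"
TOKEN_TTL = "21600"  # seconds; 6 hours is the maximum IMDSv2 allows


def http_fetch(method, url, headers):
    """Real transport, only meaningful on an EC2 instance. Returns (status, body)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def get_role_credentials(fetch=http_fetch):
    """IMDSv2: PUT for a session token, then GET with the token header.
    Requiring the PUT is what blunts SSRF against IMDS, since most SSRF
    primitives can only issue GETs and cannot set custom headers."""
    status, token = fetch("PUT", f"{IMDS}/latest/api/token",
                          {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL})
    if status != 200:
        raise RuntimeError(f"IMDSv2 token request failed: HTTP {status}")
    hdr = {"X-aws-ec2-metadata-token": token}
    status, role = fetch("GET", f"{IMDS}/latest/meta-data/iam/security-credentials/", hdr)
    if status != 200:
        raise RuntimeError("no IAM role is attached to this instance")
    status, body = fetch("GET", f"{IMDS}/latest/meta-data/iam/security-credentials/{role.strip()}", hdr)
    creds = json.loads(body)
    # The same four components STS returns: key id, secret, session token, expiry.
    return {k: creds[k] for k in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")}


class FakeIMDS:
    """Constructed stand-in for a metadata service configured with
    HttpTokens=required: any request lacking a valid token gets HTTP 401."""
    ROLE = "WebServerRole"  # constructed role name
    CREDS = {"Code": "Success", "Type": "AWS-HMAC",
             "AccessKeyId": "ASIACONSTRUCTEDEXAMPLE",
             "SecretAccessKey": "constructed-secret-not-real",
             "Token": "constructed-session-token",
             "Expiration": "2030-01-01T00:00:00Z"}

    def __init__(self):
        self.tokens = set()

    def __call__(self, method, url, headers):
        path = url[len(IMDS):]
        if method == "PUT" and path == "/latest/api/token":
            token = f"tok-{len(self.tokens)}"
            self.tokens.add(token)
            return 200, token
        if headers.get("X-aws-ec2-metadata-token") not in self.tokens:
            return 401, ""  # an IMDSv1-style GET without a token is refused
        if path == "/latest/meta-data/iam/security-credentials/":
            return 200, self.ROLE
        if path == f"/latest/meta-data/iam/security-credentials/{self.ROLE}":
            return 200, json.dumps(self.CREDS)
        return 404, ""
```

On the shell, the same exchange is the two `curl` calls: `TOKEN=$(curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" http://169.254.169.254/latest/api/token)` followed by `curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/iam/security-credentials/`. Setting the instance's metadata option to require tokens is what makes the plain token-less GET on the earlier card stop working.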
Types of kinesis streams
Data is retained for 24 hours by default; retention can be extended for an extra charge
Video Streams
Data Streams - records up to 1 MB each
Firehose - streams data and stores it in S3, Redshift, Elasticsearch or Splunk
Data Analytics - Can run SQL queries against streams
Access to VPC
Users on the internet can reach resources in the VPC only if an internet gateway is attached to the VPC and the subnet's route table points to it
Benefit of VPC
Network Layer Security. Gives a max of 65536 addresses inside the private cloud.
Reserves 5 addresses from the address list for internal routing purposes
IAM policy
Policy is a document that formally states one or more permissions
By default all permissions are implicitly denied.
Any explicit deny always overrides explicit allow.
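An added example (not part of the flashcards) of the three-rule evaluation the card describes: start from implicit deny, let any matching explicit Deny end evaluation, and otherwise require a matching Allow. The policy documents and request ARNs are constructed; the wildcard handling covers the `*` and `?` IAM supports and nothing else about the real evaluation logic (conditions, resource policies, SCPs, permission boundaries are out of scope).

```python
"""Added example (not from the flashcards): a minimal evaluator for the
Allow / explicit Deny / implicit Deny logic of identity-based IAM policies.
Policy documents and ARNs below are constructed for illustration."""
import fnmatch
import json


def _as_list(value):
    """IAM lets Action and Resource be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def _wildcard_match(candidate, pattern):
    """IAM wildcards are '*' and '?'. fnmatch also treats '[...]' specially,
    so escape brackets to keep the semantics IAM-like."""
    safe = pattern.replace("[", "[[]").replace("]", "[]]") if "[" in pattern else pattern
    return fnmatch.fnmatchcase(candidate, safe)


def _statement_matches(stmt, action, resource):
    # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
    return (any(_wildcard_match(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", [])))
            and any(_wildcard_match(resource, r) for r in _as_list(stmt.get("Resource", []))))


def evaluate(policy_docs, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.
    All policies that apply to the principal (user, its groups, inline)
    are evaluated together; order between them does not matter."""
    decision = "ImplicitDeny"          # the default for every request
    for doc in policy_docs:
        for stmt in doc["Statement"]:
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a Deny always wins, stop here
            decision = "Allow"
    return decision


# Constructed group policy: read/write on one bucket.
GROUP_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}""")

# Constructed guardrail attached to the same user: no writes under finance/.
GUARDRAIL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-bucket/finance/*"
  }]
}""")
```

The useful property to remember from the evaluator is that a Deny cannot be undone by adding another Allow anywhere else; the only way to regain access is to remove or narrow the Deny.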
Any actions done in AWS console is referred to as
API calls (Application programming interface)
The AWS Well-Architected Framework
It consists of 5 pillars:
1) Operational excellence
2) Reliability
3) Security
4) Performance efficiency
5) Cost Optimization
AWS connection tools
1) AWS Management console
2) AWS CLI (Command line interface)
3) AWS SDKs (Software development kits)
CSA Terminology
1)High availability
2)Fault tolerance
3)Scalability
4)Elasticity
5)Cost efficient
6)Secure
Default permission
By default any IAM user you create in an AWS account is created with NO access to any AWS service. This is an IMPLICIT DENY applied to all new IAM users until a policy grants them something.
What are regiounal edge caches
A CloudFront caching tier that sits between the edge locations and your origin. Objects stay cached there longer than at an edge location, so fewer requests reach the origin.
IAM Manages
The common use of IAM is to manage
1) Users
2) Groups
3) Roles
4) API keys
5) IAM Access policy
6) MFA for individual users
Which of the following support plans gives access to all the checks in the AWS Trusted Advisor service?
Business and Enterprise (Developer and Basic get only the core checks)
options of disaster recovery type
Backup and restore, pilot light, warm standby, multi-site
What is the preferred method of centrally managing billing, controlling access, compliance, security, and share resources across your AWS accounts
AWS organizations
In the AWS Shared Responsibility Model, which of the following is not your responsibility as the customer?
Decommissioning the physical storage media that held your data (AWS does this)
Can you encrypt metadata in S3
Yes, if you put the metadata in a DynamoDB table and enable encryption during creation.
You receive an alert about an issue between an application and the database servers. What should you check to ensure communication is working
Since the issue is communication between the application and server, you should check security group rules since security groups control access at the instance ENI level.
Which of the following tools can best assist with security compliance
AWS Trusted Advisor, Inspector
Amazon GuardDuty
GuardDuty is a threat detection service that monitors your environment for malicious or unauthorized activity.
Amazon Inspector
Inspector can check your EC2 instances for common security vulnerabilities.
AWS Trusted Advisor
AWS Trusted Advisor provides real-time guidance to help you provision your resources and environments following AWS best practices and staying within limits.
You have an EC2 instance in your environment that needs access to a DynamoDB table. What option below gives your EC2 instance access to the DynamoDB table?
IAM role
Pick two AWS services that use serverless technology
s3, dynamo db
Reserved Instances
Reserved Instances are reserved for at least a year, so they would not meet the requirement of only being needed for a short period of time, but do provide you with a significant discount (up to 75%) compared to on-demand instance pricing. You have the flexibility to change families, OS types, and tenancies while benefitting from RI pricing when you use Convertible RIs.
Which is the best choice to manage your bills for multiple accounts under one master account
Consolidated billing in AWS Organizations
What resource can you use to learn about AWS architectural and security best practices
AWS whitepapers
What tool is best for forecasting your AWS spending
AWS cost explorer