Linux Academy Flashcards

1
Q

EC2 firewalls

A

Security Groups are the primary firewalls for EC2s. They implicitly deny all traffic. Only traffic explicitly allowed will pass through the SG.

2
Q

Application load balancer

A

Layer 7

3
Q

Message queue service

A

SQS

4
Q

Cross account IAM roles

A

Used to give other AWS accounts access to your resources

5
Q

IAM groups

A

IAM Users can be assigned to IAM groups and inherit the permissions policies associated with the group. Recommended best practice to avoid managing permissions policies for individual IAM Users.

6
Q

To turn a private subnet into a public subnet

A

Associate a custom route table with it that has a route to the Internet Gateway.

7
Q

Customer master key

A

Key used by KMS to encrypt and decrypt data keys

8
Q

Security Token Service (STS)

A

Used to generate temporary access keys with limited lifetime. Permissions granted come from a role (Assume Role) or IAM User (GetSessionToken).

9
Q

OpenID Connect

A

Identity layer on top of the OAuth 2.0 protocol used by web identity providers (Facebook, Google, Amazon.com). Authorization tokens from compatible OpenID Connect providers can be used to obtain credentials from STS.

10
Q

Kinesis Data Streams

A

Big data service for ingesting and storing data of high volume, variety and velocity in a stream

11
Q

Redis

A

In-memory NoSQL database that can be automatically managed by ElastiCache.

12
Q

Maximum retention period for RDS manual snapshots

A

unlimited

13
Q

Direct connect gateways

A

allows you to connect from Direct Connect to any VPC in any region except China

14
Q

AWS WAF

A

Layer 7 firewall

15
Q

SAML

A

Security Access Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

16
Q

CloudFront

A

AWS’ Content Delivery Network

17
Q

Security Group

A

1) Operates on the instance layer
2) Supports “allow” rules only
3) Is “stateful”, so return traffic for an allowed request is permitted regardless of rules
4) Evaluates ALL rules before deciding to allow traffic

18
Q

AWS WAF rules can be applied at

A

An Application Load Balancer

CloudFront

19
Q

Default VPC

A

1) Default VPC is user friendly, allowing you to immediately deploy instances
2) All subnets in a default VPC have an internet gateway attached
3) Each EC2 instance has both a public and a private IP address
4) If you delete the default VPC the only way to get it back is to contact AWS

20
Q

Stateless firewall

A

NACLs are an example of a stateless firewall. To allow traffic, BOTH inbound and outbound rules are always required.

21
Q

Shared Tenancy

A

The default configuration of an EC2 host, where multiple AWS customers can run on the same host.

22
Q

Private VIF

A

Virtual Interface from Direct Connect to the Virtual Private Gateway of a VPC

23
Q

Redshift

A

A managed service for data warehousing

24
Q

EFS

A

Elastic File System - a managed service for NFS

25
Q

HDFS

A

Hadoop Distributed File System. Stores data locally on the core nodes of a Hadoop cluster.

26
Q

VPC flow logs

A

Logging of accepted and rejected network traffic inside of your VPC

27
Q

S3 object size limit

A

5TB

28
Q

Two supported formats for CloudFormation Templates

A

JSON and YAML

29
Q

AWS Shield

A

DDOS protection

30
Q

SNS (and also MQ)

A

Pub/sub messaging service

31
Q

A consultant's best friend

A

Trusted Advisor makes recommendations for Cost Optimization, Fault Tolerance, Performance, Security, and Service Limits

32
Q

Glacier

A

Low cost storage for archives

33
Q

GuardDuty

A

A continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs.

34
Q

Ephemeral storage

A

Local disks on host machines are called Instance Store. These are immediately wiped when an EC2 instance is stopped or terminated.

35
Q

Disaster recovery patterns in order of increasing cost

A

Backup and Restore
Pilot Light
Low Capacity Standby
Multi-site Active-Active

36
Q

Partition key

A

Required for each item in a DynamoDB table

37
Q

Cloud HSM

A

Dedicated HSM for encryption key management

38
Q

BGP

A

Border Gateway Protocol - used to dynamically propagate routes between data centers and VPCs

40
Q

Transient cluster

A

EMR cluster that is configured to run steps and then terminate itself upon completion.

41
Q

Route53

A

DNS service (named for DNS port number 53)

42
Q

Security access key

A

AWS API calls must be signed with API Access Keys, which consist of an Access Key ID and a Secret Access Key.

43
Q

Lifecycle policies

A

Rules that automatically transition aging S3 objects into less expensive storage classes, including Glacier.

44
Q

Provisioned IOPS are needed when

A

Your application requires consistent IOPS to your EBS volume (e.g. a production relational DB).

45
Q

Five pillars of the Well-Architected Framework

A

Security
Operational Excellence
Reliability
Performance Optimization
Cost Efficiency

46
Q

Service that makes best practice recommendations

A

Trusted Advisor

47
Q

Eventual consistency

A

Distributed storage systems are often eventually consistent, which means that read requests made immediately after new or updated data is written may return the old data, or no data in the case of new items.

48
Q

Archival storage

A

Glacier

49
Q

A /20 VPC contains how many IP addresses

A

This would have 12 bits of host addresses, which is 4,096. However, every subnet inside this VPC takes five addresses away from this amount.

50
Q

Some reasons to use Aurora

A

Continuous Backup
Enterprise-Class performance at much lower cost
Multi-Master
Serverless option
Read Replicas with lag of a few milliseconds

51
Q

Variables in a CloudFormation template that prompt the user for values

A

parameters

52
Q

AWS organizations

A

Multiple AWS Account management with control over IAM permissions and consolidated billing.

53
Q

Internet Gateway

A

Must be attached to a VPC to receive and send traffic to an Internet address. Another type of gateway is a Virtual Private Gateway, which is used to make a private connection to a data center.

54
Q

Max retention period for RDS automated snapshots

A

35 days

55
Q

UserData

A

A script that will automatically execute when an EC2 instance launches. Used for self-configuration. On Linux it is typically a BASH shell script.

56
Q

Reserved Instance

A

An instance that receives a discount because you agree to pay for it for one or three years.

57
Q

Burstable instance

A

T instances accumulate CPU credits when operating at a low baseline performance and will burn credits when bursting up to 100% vCPU capacity.

58
Q

Automated events are triggered by

A

CloudWatch Alarms

Scheduled Actions

59
Q

Dedicated Tenancy

A

An EC2 and VPC option where a host machine will only run the dedicated instances for a single AWS customer account.

60
Q

A managed service for graph databases

A

Neptune

61
Q

MFA

A

Multi-Factor Authentication can utilize a hardware or virtual device that provides a rotating 6-digit code known as a one-time password (OTP). MFA devices can be associated with Root Users and IAM Users. In order for these users to log in to the console, they need to provide the OTP in addition to their password.

62
Q

CloudWatch

A

Real-time monitoring of AWS services

63
Q

AMI

A

An Amazon Machine Image contains a snapshot of the boot volume and mappings for secondary volumes.

64
Q

S3 storage classes

A

Standard
Standard IA
Single Zone IA
Glacier

65
Q

VPC peering

A

Connect two VPCs without using internet or VPN

66
Q

On demand instance

A

An EC2 instance that is billed by the number of seconds in the running state over a month.

67
Q

Network ACL

A

1) Operates at the subnet boundary
2) Supports ALLOW & DENY rules
3) Stateless, so return traffic must be allowed through an outbound rule
4) Process rules in NUMBER ORDER (lower #’s overrule higher #’s)

68
Q

CloudWatch Logs agent

A

Installed on your EC2 instances; streams log files to CloudWatch Logs

69
Q

Trust policy

A

Associated with an IAM Role, a Trust Policy lists the entities that may assume the role.

70
Q

Spot instance

A

Heavily discounted EC2 instance that can be interrupted by AWS when they need the capacity.

71
Q

Health checks can be configured on

A

ELBs
Route 53
Target Groups

72
Q

Stateful firewall

A

Security Groups are examples. Responses to requests are allowed through if the request was allowed.

73
Q

SSH key pairs

A

Consist of a public part copied to the Linux instance and a private part provided by the SSH client.

74
Q

EBS optimized

A

A feature of current-generation EC2 instances where a separate network interface is used for communications between the instance and EBS. This is required to consistently achieve the desired IOPS.

75
Q

File gateway

A

A configuration of Storage Gateway that stores local files in S3 as objects

76
Q

API gateway

A

A service that allows you to front backend API services

77
Q

Macie

A

Security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS.

78
Q

NACLs apply firewall rules at the …

A

Subnet Boundary

79
Q

The RDS multi-AZ feature provides

A

A hot standby secondary instance in a different AZ from the primary. Synchronous Replication. Automatic Failover.

80
Q

Ways to offload traffic from an RDS database

A

Read Replicas

ElastiCache

81
Q

Subnets cannot span more than one

A

Availability Zone

82
Q

Strong password policy

A

It is the responsibility of the customer to create a strong password policy in IAM. There is none by default.

83
Q

Edge location

A

100+ locations around the world that run edge services such as CloudFront and Route 53.

84
Q

VPCs cannot span more than one

A

region

85
Q

VPC endpoints

A

When added to your VPC allow you to reach public endpoints for AWS services such as DynamoDB and S3 using private addresses.

86
Q

SWF

A

Orchestration tool for managing tasks in sequence

87
Q

services with server side encryption

A

S3, Redshift, EBS, RDS, DynamoDB, SQS, Kinesis, EFS, Elastic Transcoder all integrate with KMS for data encryption/decryption

88
Q

Persistent storage

A

EBS volumes may be configured to have a lifecycle separate from the instance. They are never deleted when an instance stops, but they may be configured to be deleted when an instance terminates.

89
Q

KinesisAgent

A

Java application that will stream files into Kinesis

90
Q

Cost allocation tags

A

Tags used to attribute expenditure

91
Q

Kinesis firehose

A

Service that can store streaming data into S3, Redshift, ElasticSearch, or Splunk

92
Q

Config rules

A

Analyzes configuration changes against rules to determine compliance

93
Q

If you need an Elastic Load Balancer that can handle massive sudden traffic spikes, choose

A

A Network Load Balancer

94
Q

NAT gateway

A

A managed service that provides a way for private instances to go out to the Internet for external content.

95
Q

Custom metrics

A

Metrics that you stream into CloudWatch from your instances, such as memory utilization

96
Q

You can add more RAM to an instance by

A

Increasing the size of the instance or selecting a different instance type that offers more RAM (e.g. memory-optimized instances)

97
Q

EMR

A

Managed Hadoop clusters

98
Q

Docker

A

A tool used to create and run applications in containers

99
Q

Obtain instance metadata

A

curl http://169.254.169.254/latest/meta-data/

100
Q

Fault Tolerance

A

A special case of High Availability, usually requiring extra redundancy, to make sure that outages do not result in performance degradation.

101
Q

Three layers that can contain rules are

A

NACL, Security Group, OS. There is also a Layer 7 firewall service known as WAF that can be associated with a CloudFront Distribution or ALB.

102
Q

Elastic IPs

A

EIPs are public IPs that are assigned to an AWS account. They may be associated and removed freely from instances. They are not automatically removed from the instance when it is stopped and started.

103
Q

Hypervisor

A

Application on host machine that allows isolated multiple virtual instances to securely share resources.

104
Q

CloudTrail

A

Logging of API calls to AWS services

105
Q

Stateless Application

A

An application that saves state information in a shared off-instance datastore.

106
Q

DynamoDB

A

A managed NoSQL database service for documents or key values

107
Q

Groups vs roles

A

Credentials in groups are permanent and have to be manually rotated.
Roles use temporary credentials that expire. No risk of permanent credentials

108
Q

Shard

A

Fixed processing capacity
input - 1MB/s
output - 2MB/s

Streams contain shards and can be “resharded” based on data input

109
Q

Lazy loaded

A

When an EBS volume is built from an S3 snapshot, its blocks are not loaded immediately; a block is fetched only when we try to read it.

110
Q

STS

A

Security Token Service - API endpoint which can be called to receive temporary Access Keys.
Called when we want to receive temporary credentials directly from IAM. Returns the following 4 components:
1. Session Token
2. Access ID
3. Secret Access Key
4. Expiration timestamp

111
Q

Cross Account access

A

Granting a different AWS account permissions to access services in your account

112
Q

Storage class in S3

A

Standard Storage Class - 99.99% availability - most expensive
Infrequent Access - 99.9% availability - less expensive than S3
One Zone Infrequent Access - 99.5% availability
Glacier (separate storage service in S3) - cheapest storage option

113
Q

Horizontal scaling

A

Increasing capacity by increasing number of instances

114
Q

AWS nosql engines

A

DynamoDB - Document
ElastiCache - Key Value
Neptune - Graph
HBase on Elastic Map Reduce (EMR)- Column

115
Q

Types of relational database

A

On-Line Transaction Processing (optimized for transactions; most databases like SQL Server, Oracle etc.)
On-Line Analytical Processing (optimized for running queries over data, e.g. data warehouses)

116
Q

Types of ELB

A

Classic ELB on Layer 4
Application ELB on Layer 7
Network ELB on Layer 4

117
Q

displays metadata when logged on to a particular instance

A

http://169.254.169.254/latest/metadata

118
Q

Features of Intel Xeon processors

A

AVX - highly parallel HPC
AES-NI - accelerated enc/dec
TurboBoost - overclocking
Transactional Sync Extensions - optimized for multi-threaded
P state C state control - performance and sleep state optimization

119
Q

ELB

A

Elastic Load Balancer. Balances/distributes network traffic across EC2 instances, even in different availability zones.
Comes with its own DNS name in the Amazon domain. Can be launched in a public subnet to allow access to users over the internet, or in private subnets as an internal load balancer.
Does proactive health checks against the EC2 instances it routes traffic to.

120
Q

IPv4 and IPv6 in AWS

A

IPv4 has both Private and Public addresses.
There are 3 ranges of private addresses:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

IPv6 has only Public addresses

121
Q

Types of NoSQL database

A

Column - stored by column (very fast for querying)
Key Value - stored by key value pairs
Document - optimized to store json and txt files
Graph - used by social media application, optimized for relationships

122
Q

Auto scaling

A

Automating the process of adding capacity to the server using API calls

123
Q

CSA terminology

A

High Availability, Fault Tolerance, Scalability, Elasticity, Cost Efficient, Secure

124
Q

EC2 Storage types

A

Instance Storage, EBS (Elastic Block Storage), EFS (Elastic File Share)
Instance Storage - HDDs or SSDs mounted on the host machine. Can be used only by one instance.
EBS - Hosted outside the host machine; needs a network connection from the EC2 instance to the EBS volume (over a separate EBS-optimized network interface). Can be used only by one instance.
EFS - Similar to EBS but can be used by multiple instances. Used as file shares; can’t be used as boot volumes.

125
Q

Security Group

A

Security Groups are the firewall for EC2. They contain protocols, port numbers, IP address ranges from which traffic is allowed, etc. Each EC2 instance must be a part of at least one security group.

126
Q

AWS shield

A

DDoS mitigation service

127
Q

AWS RDS, AWS Redshift

A

RDS has database engines like Oracle, MySQL, PostgreSQL, MariaDB, SQL Server, Aurora.
Redshift is an OLAP database that is optimized for analytics.

128
Q

parts of an IAM role

A

Permissions and Trust Policy.
Permissions Policy - Grants permissions to certain AWS service APIs.
Trust Policy - specifies entities that can have the permission to assume this role

129
Q

ARN

A

Amazon resource name

130
Q

EC2 components

A

AMI
Instance Type
Network Interface
Storage

131
Q

CAP

A

Consistency Availability Partition

132
Q

IAM role in EC2

A

To assign an IAM role to an EC2 instance, the user’s permissions policy must have the PassRole permission that allows the EC2 instance to assume that role. Then the instance makes a call to STS and exposes the credentials in the instance metadata. The application has access to those credentials, so it can access other services per the permissions in the role.

133
Q

Types of kinesis streams

A

Data is only retained for 24 hours by default but retention can be extended to 7 days
Video Streams
Data Streams - 1MB blobs
Firehose - stream data and store it in S3, Redshift, Elasticsearch or splunk
Data Analytics - Can run SQL queries against streams

134
Q

Access to VPC

A

Users on the internet can reach the VPC only if an internet gateway is attached to the VPC

135
Q

Benefit of VPC

A

Network-layer security. Gives a max of 65,536 addresses inside the private cloud.
Reserves 5 addresses in each subnet for internal routing purposes.

136
Q

IAM policy

A

Policy is a document that formally states one or more permissions

By default all permissions are implicitly denied.
An explicit deny always overrides an explicit allow.

137
Q

Any action done in the AWS console is referred to as

A

API calls (Application programming interface)

138
Q

The AWS Well-Architected Framework

A

It consists of 5 pillars:

1) Operational excellence
2) Reliability
3) Security
4) Performance efficiency
5) Cost Optimization

139
Q

AWS connection tools

A

1) AWS Management Console
2) AWS CLI (Command Line Interface)
3) AWS SDKs (Software Development Kits)

140
Q

CSA Terminology

A

1) High availability
2) Fault tolerance
3) Scalability
4) Elasticity
5) Cost efficient
6) Secure

141
Q

Default permission

A

By default, any IAM user you create in an AWS account is created with NO access to any AWS service. This is an IMPLICIT DENY rule set on all new IAM users.

142
Q

What are regional edge caches

A

By default, any IAM user you create in an AWS account is created with NO access to any AWS service. This is an IMPLICIT DENY rule set on all new IAM users.

143
Q

IAM Manages

A

The common use of IAM is to manage

1) Users
2) Groups
3) Roles
4) API keys
5) IAM Access policy
6) MFA for individual users

144
Q

Which of the following support plans gives access to all the checks in the AWS Trusted Advisor service?

A

business, enterprise, developer, basic

145
Q

options of disaster recovery type

A

Multi-site, standby, pilot light, warm standby

146
Q

What is the preferred method of centrally managing billing, controlling access, compliance and security, and sharing resources across your AWS accounts

A

AWS organizations

147
Q

In the AWS Shared Responsibility Model, which of the following is not your responsibility as the customer?

A

Decommissioning your data

148
Q

Can you encrypt metadata in S3

A

Yes, if you put the metadata in a DynamoDB table and enable encryption during creation.

149
Q

You receive an alert about an issue between an application and the database servers. What should you check to ensure communication is working?

A

Since the issue is communication between the application and the server, you should check the security group rules, since security groups control access at the instance ENI level.

150
Q

Which of the following tools can best assist with security compliance?

A

AWS Trusted Advisor, Inspector

151
Q

AWS GuardDuty

A

GuardDuty is a threat detection service that monitors your environment for malicious or unauthorized activity.

152
Q

AWS Inspector

A

AWS Inspector can check your EC2 instances for common security vulnerabilities.

153
Q

AWS Trusted Advisor

A

AWS Trusted Advisor provides real-time guidance to help you provision your resources and environments following AWS best practices and staying within limits.

154
Q

You have an EC2 instance in your environment that needs access to a DynamoDB table. Which option gives your EC2 instance access to the DynamoDB table?

A

IAM role

155
Q

Pick two AWS services that use serverless technology

A

S3, DynamoDB

156
Q

Reserved Instances

A

Reserved Instances are reserved for at least a year, so they would not meet a requirement of only being needed for a short period of time, but they do provide you with a significant discount (up to 75%) compared to on-demand instance pricing. You have the flexibility to change families, OS types, and tenancies while benefiting from RI pricing when you use Convertible RIs.

157
Q

Which is the best choice to manage your bills for multiple accounts under one master account?

A

Consolidated billing in AWS Organizations

158
Q

What resource can you use to learn about AWS architectural and security best practices?

A

AWS whitepapers

159
Q

What tool is best for forecasting your AWS spending?

A

AWS Cost Explorer