Misc Flashcards
What does AWS Trusted Advisor make recommendations for?
Cost, Performance, Fault Tolerance, Security, Service Limits
AWS Glue
fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics.
AWS Neptune
fully-managed graph database service
How do you create a shared resource with AWS Resource Access Manager?
- create a Resource Share
- specify resources
- specify accounts
Describe AWS Resource Access Manager (RAM). How is it billed?
a service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization (or OU) or with IAM users and roles
RAM is available to you at no additional charge.
What can be shared in AWS Resource Access Manager?
With RAM you can share AWS Transit Gateways, Subnets, AWS License Manager configurations, Amazon Route 53 Resolver rules, and more.
Amazon Cognito Identity Pools
Identity pools provide AWS credentials to grant your users access to other AWS services.
Amazon Cognito User Pools
A user pool is a user directory in Amazon Cognito. You can leverage Amazon Cognito User Pools to either provide built-in user management or integrate with external identity providers, such as Facebook, Twitter, Google+, and Amazon.
Features of AWS WAF
Create policy
Block & Filter traffic
Monitor web traffic
AWS WAF
a web application firewall
protects your web applications or APIs against common web exploits and DDoS
controls how traffic reaches your applications with security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define
AWS Organizations
Account management service that enables you to consolidate multiple AWS accounts into an organization that you centrally manage
Accounts can be organized in a hierarchy
AWS Organizations includes account management and consolidated billing capabilities across accounts
Enables budget management, security guard rails/restrictions, and compliance across accounts
Using AWS Organizations, you can automate account creation, create groups of accounts to reflect your business needs, and apply policies for these groups for governance
Amazon GuardDuty
Threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.
AWS Shield
a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency. There are two tiers of AWS Shield - Standard and Advanced.
AWS CloudFront
Delivers content to end users with lower latency via edge locations located around the world
Global service
Uses a cache at the edge location (Edge Cache) to reduce latency
Can serve both dynamic and static content.
AWS Region
Two or more availability zones
User enables and controls data replication across regions
Select a region to store data based on compliance and network latency requirements
AWS services are available by region; not all regions have the same services
Availability Zone
One or more data centers
Designed for fault tolerance
AWS recommends replicating across AZs for resiliency
AWS Fargate
Fargate is a fully managed serverless service for running containers on AWS.
AWS CloudHSM
With AWS CloudHSM, your keys are held in AWS in a hardware security module.
Amazon CloudWatch
Performance monitoring
Amazon CloudWatch monitors your Amazon Web Services (AWS) resources and the applications you run on AWS in real time.
You can create alarms that watch metrics and send notifications (SNS) or automatically make changes to the resources you are monitoring when a threshold is breached (ASG).
AWS CloudTrail
Auditing
Logs AWS API calls made in the account, delivering them to CloudWatch or S3
Origin Access Identity
Used to restrict access to Amazon S3 content exposed by CloudFront
- Create a special CloudFront user called an origin access identity (OAI) and associate it with your distribution.
- Configure your S3 bucket permissions so that CloudFront can use the OAI to access the files in your bucket and serve them to your users. Make sure that users can’t use a direct URL to the S3 bucket to access a file there.
To migrate accounts between AWS Organizations, what is needed? How do you migrate resources?
Root or IAM access to both the member and master accounts is needed.
Resources will remain under the control of the migrated account.
Amazon Athena
Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run.
What are the default metrics CloudWatch collects?
- Instance metrics - CPU Util, Network In/Out, Disk Read/Write Ops, Disk Read/Write Bytes, Network Packets In/Out, MetadataNoToken
- CPU credit metrics
- Dedicated Host metrics
- Amazon EBS metrics for Nitro-based instances
- Status check metrics
- Traffic mirroring metrics
- Amazon EC2 metric dimensions
- Amazon EC2 usage metrics
CloudWatch vs CloudTrail
CloudWatch
Performance monitor
Logs events across AWS services, e.g. operations
High level logging
Stores logs indefinitely
Alarm history kept for 14 days
CloudTrail
Auditing
Logs activity across API calls, e.g. who did what
Granular or low level logging
Stores logs in S3 or CloudWatch indefinitely
No native alarming; must send logs to CloudWatch and use a CloudWatch alarm
Both support multiple accounts
AWS API Gateway
Fully managed service that allows you to create, publish, maintain, monitor, and secure APIs at scale
What APIs does AWS API Gateway support?
Stateful WebSocket APIs
Stateless HTTP and REST APIs
HTTP APIs - low latency, cost effective
REST APIs - offer more features
AWS API Gateway Features
- Stateless and stateful APIs
- Authentication using IAM, Lambda authorizer functions and Cognito user pools
- Developer portal for publishing APIs
- Throttles requests to your API
- Canary release deployments
- CloudTrail logging and monitoring of API usage/changes
- CloudWatch access and execution logging, set alarms
- API creation with CloudFormation
- Custom domain names
- Integration with AWS WAF and AWS X-Ray
Canary release deployments
allows test and prod deployments to run side by side; a small, random share of live traffic is routed to the test deployment
AWS X-Ray
helps developers analyze and debug production, distributed applications, such as those built using a microservices architecture
provides an end-to-end view of requests as they travel through your application, and shows a map of your application’s underlying components
What Well-Architected principle does AWS Shield not address?
Shield cannot be used to improve application resiliency to handle spikes in traffic.
AWS Shield Standard
Provides protection for all AWS customers and defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.
AWS Shield Advanced
enhanced protections for more sophisticated and larger attacks on EC2, ELB, CloudFront, Global Accelerator, and Route 53
supports automatic mitigation in some scenarios and real-time notification of suspected DDoS
can engage the Shield Response Team 24x7
How is AWS Shield billed?
Standard is built in at no additional cost
Advanced is 3K per month per organization
You can save by consolidating accounts into an organization, enabling Advanced in each account, and paying the monthly fee only once, as long as the accounts are under a single consolidated billing and you own all the accounts and resources
What does GuardDuty use as input for continuous monitoring? Why are these inputs used?
- CloudTrail Management Events - monitor AWS accounts
- CloudTrail S3 Data Events - monitor data access
- VPC Flow Logs - monitor network
- DNS Logs - monitor network
How can you take action on GuardDuty identified threats?
Review findings in the console and integrate them into an event management or workflow system, or trigger Lambda for automated remediation
What are the possible actions in the AWS GuardDuty lifecycle?
Enable in console
Suspend the service in general settings - stops analyzing data sources but doesn't delete findings or configuration
Disable in general settings - deletes all remaining data, including findings and configuration, before relinquishing service permissions and resetting the service
How can you limit geographies with WAF?
Use WAF with ALB
Use Geo Match Conditions to allow or deny application access based on the geolocation of the user
Languages supported by Lambda
Java, Go, PowerShell, Node.js, C#, Python, Ruby. Lambda also provides a Runtime API allowing you to use any additional programming language to author your functions.
AWS Lambda
AWS Lambda is a serverless compute service that runs your code in response to events and automatically manages the underlying compute resources for you.
runs for up to 15 mins
can be allocated up to 10 GB of memory
AWS Lambda Billing
you pay for execution duration rather than per server unit
Amazon EventBridge
serverless event bus to build event-driven applications at scale using events generated from your applications, integrated Software-as-a-Service (SaaS) applications, and AWS services
Amazon ECS task definition
required to run Docker containers in Amazon ECS
Amazon Inspector
automated vulnerability management service that continually scans Amazon Elastic Compute Cloud (EC2) and container workloads for software vulnerabilities and unintended network exposure
CloudWatch vs CloudTrail
CloudWatch: “What is happening on AWS?” and logging all the events for a particular service or application.
CloudTrail: “Who did what on AWS?” and the API calls to the service or resource.
CloudTrail logs can be ingested into CloudWatch to monitor and identify your AWS account activity against security threats, and create a governance framework for security best practices.
Languages supported by Elastic Beanstalk?
Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker
AWS Elastic Beanstalk
is an easy-to-use service for deploying and scaling web applications and services
Simply upload your code and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing and auto-scaling to application health monitoring. At the same time, you retain full control over the AWS resources powering your application and can access the underlying resources at any time.
How is Elastic Beanstalk billed?
There is no additional charge for Elastic Beanstalk - you pay only for the AWS resources needed to store and run your applications.
AWS WAF integration
ALB
CloudFront
API Gateway
AppSync GraphQL
Lambda core components
Event source - publishes events
Function - the code that Lambda runs
Handler - the function entry point that will receive the event
IAM role - the role the function can assume when it runs
Compute resources allocated
Delivery timeout