New Flashcards
S3 - What are the file restrictions in S3?
0bytes to 5TB
Files need to be uploaded in multipart when >5GB
Standard-IA: billed for at least 128KB per object and a minimum storage duration of 30 days
S3 - What are the two types of meta data?
System metadata: last modified, MD5 digest, Content-Type
User Metadata: key-value for user defined tags
S3 - How is an URL for a file in S3 structured?
Virtual-hosted style: http://[BUCKET].s3.amazonaws.com/[FILENAME]
Path style: http://s3.amazonaws.com/[BUCKET]/[FILENAME]
S3 - What API actions can be done in S3?
GET, PUT, DELETE, LIST
S3 - How many facilities can fail in S3 at one time?
Two
S3 - What is RRS in S3?
Durability 99.99%
Lower costs
S3 - What are atomic reads for eventual consistent reads?
An old version or the new version will be delivered, but not a mix
S3 - How can access be controlled in S3?
coarse grained: Access Control Lists
fine grained: Bucket Policy, IAM, query-string authentication
S3 - What can be done with Bucket Policies?
Restrict access based on source IP range (aws:SourceIp), time of day (aws:CurrentTime), the requesting principal, and which bucket or object keys are addressed
S3 - Can you assign a IAM Policy to another account?
No. Grant cross-account access with a role the other account assumes (or with a resource-based policy such as a bucket policy)
S3 - How are static websites structured?
[BUCKET].s3-website-[REGION].amazonaws.com
S3 - What mechanisms can be used to encrypt?
Before sending: client-side encryption (the client holds the keys)
In flight: SSL/TLS (HTTPS endpoints)
At rest: SSE-S3, SSE-KMS, SSE-C (all AES-256)
S3 - What is a Range GET?
Retrieve only a byte range of an object (HTTP Range header), e.g. the first n bytes; available for S3 objects and Glacier archive retrievals
S3 - What gets logged in S3 Access Logs?
Requester account / remote IP
Bucket name
Time of request
Action (REST.GET.OBJECT, REST.PUT.OBJECT, ...)
HTTP response code and error code
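The fields above are what an analyst actually works with. As an added example (not part of the original flashcards), here is a small parser for the S3 server access log format plus two detections a practitioner would run over it: one IP collecting many 403 AccessDenied responses (key enumeration) and successful reads by an unauthenticated requester (a publicly readable object). The log lines are constructed for the example; the bucket, owner and IPs are fictitious.

```python
import re
from collections import Counter

# Leading fields of the S3 server access log format, in order. Newer log lines
# append further fields (host ID, signature version, cipher, ...); the parser
# keeps those under "extra".
FIELDS = (
    "bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
    "operation", "key", "request_uri", "http_status", "error_code",
    "bytes_sent", "object_size", "total_time", "turn_around_time",
    "referrer", "user_agent", "version_id",
)

# Timestamps are bracketed and URIs/user agents are quoted, both containing
# spaces, so tokenize on those groups instead of splitting on whitespace.
_TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# Constructed sample (not real traffic): one authenticated read, three denied
# anonymous probes from one IP, one anonymous read that succeeded, one more
# denied probe from a second IP.
SAMPLE_LOG = """\
owner1 my-bucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 arn:aws:iam::123456789012:user/alice 3E57427F3EXAMPLE REST.GET.OBJECT report.pdf "GET /my-bucket/report.pdf HTTP/1.1" 200 - 113 113 7 6 "-" "aws-cli/1.16" -
owner1 my-bucket [06/Feb/2019:00:00:39 +0000] 198.51.100.7 - 891CE47D2EXAMPLE REST.GET.OBJECT secret.txt "GET /my-bucket/secret.txt HTTP/1.1" 403 AccessDenied - - 5 - "-" "curl/7.64.0" -
owner1 my-bucket [06/Feb/2019:00:00:40 +0000] 198.51.100.7 - 891CE47D3EXAMPLE REST.GET.OBJECT backup.sql "GET /my-bucket/backup.sql HTTP/1.1" 403 AccessDenied - - 4 - "-" "curl/7.64.0" -
owner1 my-bucket [06/Feb/2019:00:00:41 +0000] 198.51.100.7 - 891CE47D4EXAMPLE REST.GET.OBJECT .env "GET /my-bucket/.env HTTP/1.1" 403 AccessDenied - - 4 - "-" "curl/7.64.0" -
owner1 my-bucket [06/Feb/2019:00:01:02 +0000] 203.0.113.9 - A1B2C3D4E5EXAMPLE REST.GET.OBJECT public.html "GET /my-bucket/public.html HTTP/1.1" 200 - 2048 2048 9 8 "-" "Mozilla/5.0" -
owner1 my-bucket [06/Feb/2019:00:01:05 +0000] 203.0.113.9 - A1B2C3D4E6EXAMPLE REST.GET.OBJECT admin.zip "GET /my-bucket/admin.zip HTTP/1.1" 403 AccessDenied - - 5 - "-" "Mozilla/5.0" -
"""


def parse_line(line):
    tokens = _TOKEN.findall(line)
    if len(tokens) < len(FIELDS):
        raise ValueError("short access log line: %r" % line)
    record = {name: tok.strip('[]"') for name, tok in zip(FIELDS, tokens)}
    record["extra"] = tokens[len(FIELDS):]
    return record


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def access_denied_by_ip(records, threshold=3):
    """Remote IPs with at least `threshold` 403 AccessDenied responses."""
    hits = Counter(r["remote_ip"] for r in records
                   if r["http_status"] == "403" and r["error_code"] == "AccessDenied")
    return {ip: n for ip, n in hits.items() if n >= threshold}


def anonymous_reads(records):
    """Object keys read successfully with no authenticated requester ('-'),
    i.e. objects that are readable by everyone."""
    return sorted(r["key"] for r in records
                  if r["requester"] == "-"
                  and r["operation"] == "REST.GET.OBJECT"
                  and r["http_status"] == "200")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(access_denied_by_ip(recs))   # {'198.51.100.7': 3}
    print(anonymous_reads(recs))       # ['public.html']
```

The requester field is the IAM ARN (or canonical user ID) for signed requests and "-" for anonymous ones, which is why it is the right field for the public-object check; the remote IP is what you feed back into a bucket policy IP condition once you have decided to block a prober.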
S3 - How are files stored in Glacier?
Archives (up to 40TB)
Identified with an archive ID (not user defined)
Automatically encrypted
Immutable, cannot be modified
EC2 - What is an EBS optimized instance?
Optimized configuration to take full advantage of EBS storage. Comes with an additional hourly cost
VPC - Can you have more than one Route Table?
Yes
VPC - What is an ENI?
Elastic Network Interface
Can be attached to and detached from an instance in the same Availability Zone
Security groups are associated with the ENI, not the instance
Has one primary private IP, optional secondary private IPs, one public/Elastic IP per private IP; an instance with two ENIs in different subnets is dual-homed
ELB - What Protocols does ELB support?
HTTP
HTTPS
TCP
SSL
ELB - How to use SSL on ELB?
Install the SSL/TLS certificate on the ELB; it terminates the connection, decrypts the request, then forwards it to the backend (optionally re-encrypted)
To serve multiple websites from one listener, use a certificate with Subject Alternative Names (SAN)
ELB - What is a Listener on the ELB?
Process that checks for connection requests
Configured with a front-end protocol and port (client side) and a back-end protocol and port (instance side)
The ELB itself is reached via its DNS name (CNAME or Route 53 alias record), not a fixed IP
ELB - What OSI Levels does ELB use?
Layer 7 for applications (HTTP/HTTPS)
Layer 4 for TCP traffic
ELB - What are the configurable features in ELB? (6)
Idle Connection Timeout
Cross-Zone Load Balancing
Connection Draining
Proxy Protocol
Sticky Sessions
Health Checks
ELB - How can ELB help to keep instances updated?
By terminating long-running instances and replacing them with instances launched from a fresh AMI (together with Auto Scaling), rather than patching in place
CloudWatch - Name two types of actions that CW can send an altert/message to?
SNS topic (notification)
Auto Scaling policy (scale out/in)
CloudWatch - Can CW aggregate data across regions?
No
CloudWatch - What two metrics are not visible to AWS and need to be send as custom metrics?
Instance memory consumption
Disk metrics
CloudWatch - How can you store logs indefinately?
Store the logs in S3 (else the data is retained by two weeks)
ASG - What are the four scaling plans?
Maintain Current Instance Level
Manual Scaling
Scheduled Scaling
Dynamic Scaling
ASG - Can the AutoScalingGroup reference a spot and a on-demand instance at the same time?
No, a launch configuration requests either spot or on-demand instances
ASG - What service integrates Active Directory?
AWS Directory Service
IAM - What is a principal in IAM?
An entity (IAM user, role, federated user, or application) that is allowed to interact with AWS resources; its permissions can be permanent (user) or temporary (role, STS token)
IAM - For which three purposes are roles used?
As EC2 role: lets applications on an instance call AWS APIs without stored credentials
As Cross-Account-Access
For Federation: Access granted by external system
IAM - What is a security token and who provides it?
The AWS Security Token Service (STS) provides it.
Allows temporary access for 15 minutes to 36 hours
IAM - What are ways to assign a policy?
Inline policy embedded directly in the IAM user
Managed policy attached to the user
Inline policy embedded directly in a group
Managed policy attached to a group (inherited by its members)
IAM - How are permissions evaluated?
Per default everything is denied
Only allow -> allow
Only deny -> deny
allow and deny -> deny
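The four rules above, together with the bucket-policy conditions from the "What can be done with Bucket Policies?" card (IP range), are easiest to internalize by running them. The following is an added example written for this page, not AWS code: a minimal evaluator for the Allow/Deny decision over a user's IAM policy and a bucket policy. Principal matching and most condition operators are left out; the policies, bucket name and IP ranges are constructed.

```python
import fnmatch
import ipaddress


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _wild(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one;
    # matching is case-sensitive for actions and resources in this model.
    return fnmatch.fnmatchcase(value, pattern)


def _ip_in(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_holds(condition, ctx):
    for op, pairs in (condition or {}).items():
        for key, wanted in pairs.items():
            wanted = _as_list(wanted)
            actual = ctx.get(key)
            if actual is None:
                # Negated operators match when the key is absent from the
                # request context; positive operators do not.
                if op.startswith("Not"):
                    continue
                return False
            if op == "IpAddress":
                ok = _ip_in(actual, wanted)
            elif op == "NotIpAddress":
                ok = not _ip_in(actual, wanted)
            elif op == "StringEquals":
                ok = actual in wanted
            elif op == "Bool":
                ok = str(actual).lower() in [str(w).lower() for w in wanted]
            else:
                raise ValueError("unsupported condition operator: " + op)
            if not ok:
                return False
    return True


def _applies(stmt, action, resource, ctx):
    if not any(_wild(a, action) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(_wild(r, resource) for r in _as_list(stmt.get("Resource", []))):
        return False
    return _condition_holds(stmt.get("Condition"), ctx)


def evaluate(policies, action, resource, context=None):
    """Return 'allow', 'explicitDeny' or 'implicitDeny' for one request.

    Default is deny; any matching Allow turns it into allow; a single matching
    Deny wins regardless of how many Allows matched (the card's four rules).
    """
    ctx = context or {}
    decision = "implicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allow"
    return decision


# Constructed policies. IAM_POLICY is attached to the user; BUCKET_POLICY is the
# resource-based policy on the bucket and denies all S3 actions that do not come
# from the (assumed) corporate range 10.0.0.0/8.
IAM_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::corp-data", "arn:aws:s3:::corp-data/*"],
}]}

BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::corp-data", "arn:aws:s3:::corp-data/*"],
    "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/8"}},
}]}


def decide(action, key, source_ip):
    return evaluate([IAM_POLICY, BUCKET_POLICY], action,
                    "arn:aws:s3:::corp-data/" + key, {"aws:SourceIp": source_ip})


if __name__ == "__main__":
    print(decide("s3:GetObject", "report.pdf", "10.1.2.3"))      # allow
    print(decide("s3:GetObject", "report.pdf", "203.0.113.5"))   # explicitDeny
    print(decide("s3:DeleteObject", "report.pdf", "10.1.2.3"))   # implicitDeny
```

The third case is the one people get wrong in the exam: the bucket policy does not deny a delete from inside the corporate range, yet it is still refused, because nothing ever allowed it.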
Security - What is Storage Device Decommission?
Storage devices that reached the end of life will be decommissioned/destroyed so that no data can be exposed
Security - Does AWS have access to the instance or the OS?
No
Security - Best practice to keep an instance up to date
Launch a new instance from the latest AMI instead of patching the running one
Security - Should you use additional firewalls?
Yes, as defense in depth on top of security groups: a host firewall such as Windows Firewall or iptables
Security - How is EBS being replicated?
At no additional costs, in the SAME Availability Zone
Security - Can you share EBS snapshots and can those be altered by other accounts?
Yes, they can be shared.
But, they cannot be modified by other accounts
Security - Can EBS volumes be encrypted?
Yes. Encryption is done on the EC2 host and costs processing power, so it is only supported on the more powerful instance types
Security - What is Perfect Forward Secrecy?
The ELB negotiates ephemeral session keys (e.g. ECDHE) that are discarded after the session, so a later compromise of the server's private key does not expose recorded traffic
Security - How many route tables are in a VPC?
Each subnet is associated with exactly one route table (the main route table by default); one route table can serve many subnets
Security - How many NACLs are in a VPC?
Each subnet is associated with exactly one NACL (the default NACL unless changed); one NACL can be associated with many subnets
Security - What is a VPG?
Virtual Private Gateway, used for private connectivity between VPC and another network
Security - Can CloudFront access be geo restricted?
Yes
Security - Can you grant access to CF, but not the origin S3?
Yes, with a CloudFront Origin Access Identity that is granted read on the bucket (via bucket ACL or bucket policy) while public access to the bucket is removed
Security - Describe the four access restriction for S3
IAM Policies: attached to a user, group or role in your own account
ACL: Read/Write grants on a bucket or object to AWS accounts or predefined groups
Bucket Policies: permissions on single objects or the whole bucket for users, roles or other accounts, with conditions
Query String Authentication: temporary access via a pre-signed URL for up to 7 days. Can be combined with further restrictions (geo, IP, ...) when fronted by CloudFront
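Query string authentication is the one mechanism of the four that involves cryptography on the client side, so it is worth seeing what is actually signed. Below is an added example, written for this page and not taken from AWS or the flashcards, that builds a SigV4 presigned GET URL with only the standard library and performs the check S3 does on receipt: recompute the signature and enforce the expiry window, including the 7-day cap from the card. The access key, secret, bucket and object key are invented for the example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlsplit

MAX_EXPIRES = 7 * 24 * 3600  # 604800 s: longest lifetime S3 accepts for a SigV4 presigned URL
_SAFE = "-_.~"               # unreserved characters SigV4 leaves unencoded


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret, date, region):
    # kSecret -> kDate -> kRegion -> kService -> kSigning, per the SigV4 spec
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _canonical_query(params):
    # parameters sorted by name, names and values URI-encoded
    return "&".join(f"{quote(k, safe=_SAFE)}={quote(v, safe=_SAFE)}"
                    for k, v in sorted(params.items()))


def _signature(secret, bucket, key, region, params):
    host = f"{bucket}.s3.amazonaws.com"
    canonical_request = "\n".join([
        "GET",
        quote("/" + key, safe="/" + _SAFE),
        _canonical_query(params),
        f"host:{host}\n",      # canonical headers, each terminated by \n
        "host",                # signed headers
        "UNSIGNED-PAYLOAD",    # presigned URLs never sign the body
    ])
    amz_date = params["X-Amz-Date"]
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(_signing_key(secret, amz_date[:8], region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(access_key, secret, bucket, key, region, expires, now):
    """Build a SigV4 presigned GET URL valid for `expires` seconds from `now` (UTC)."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 and 604800 seconds")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature(secret, bucket, key, region, params)
    return (f"https://{bucket}.s3.amazonaws.com/{quote(key, safe='/' + _SAFE)}"
            f"?{_canonical_query(params)}&X-Amz-Signature={sig}")


def verify(url, secret, now):
    """Server-side check: recompute the signature and enforce the expiry window."""
    parts = urlsplit(url)
    bucket = parts.hostname.split(".")[0]
    key = unquote(parts.path[1:])
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    presented = qs.pop("X-Amz-Signature", "")
    region = qs["X-Amz-Credential"].split("/")[2]
    expires = int(qs["X-Amz-Expires"])
    if expires > MAX_EXPIRES:
        return False
    issued = datetime.strptime(qs["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if not issued <= now <= issued + timedelta(seconds=expires):
        return False
    # Any change to bucket, key, or a query parameter changes the canonical
    # request and therefore the signature.
    return hmac.compare_digest(_signature(secret, bucket, key, region, qs), presented)


if __name__ == "__main__":
    issued = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    url = presign_get("AKIAEXAMPLE", "example-secret", "corp-data",
                      "reports/q1.pdf", "us-east-1", 3600, issued)
    print(url)
    print(verify(url, "example-secret", issued + timedelta(minutes=30)))  # True
```

In practice you would call the SDK (boto3's `generate_presigned_url`) rather than sign by hand; the point of the example is that the URL grants exactly the signed method, bucket and key for the signed window, and that whoever holds the URL holds that access, since no further authentication happens.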
Security - Are the meta data in S3 encrypted?
No
Security - How can access to S3 be logged?
Using S3 Access Logs
Security - What is the process to retrieve data from Glacier?
Initiate retrieval job
Wait 3-5 hours (standard retrieval)
Data can be accessed with HTTP GET for the full or partial data
Data is available for 24 hrs
Security - What is Storage Gateway and how are files transferred?
Connects on premise data with the cloud.
Used for backups and disaster recovery
Data is asynchronously transferred
Security - How to backup DynamoDB
Using a special template in AWS DataPipeline for copying the tables
Security - Describe the process of RDS snapshots and backups in detail
Backups (automatic, enabled by default):
Point-in-time recovery: restore the DB to any second within the retention period, up to the latest restorable time (typically within the last 5 minutes)
Retention period configurable, up to 35 days
Snapshots (manual):
Full copy of the instance, kept until you delete it
Can be used to create a new DB instance
Consumes I/O: on a Single-AZ instance writes are briefly suspended; on Multi-AZ the snapshot is taken from the standby, so the primary is not affected
Security - How to first-access Linux/Windows instances
Linux: Using the full key pair (presenting the private key)
Windows: Using the private key to decrypt the auto-generated Administrator password
Security - Which seven services can use encryption at rest
SEGS RRW
S3 EBS Glacier StorageGateway RDS Redshift Workspaces
CDN - How to create a subdomain?
Create a CNAME record (e.g. cdn.example.com) in Route 53 pointing at the distribution's domain name, and add it as an alternate domain name (CNAME) on the distribution
CDN - What is a use case for cache behaviour?
Target the caching by file name (.php / .jpg)
CDN - What are the settings of a cache behaviour?
Path Pattern
Origin
Whether query strings are forwarded to the origin
Whether signed URLs are required
Whether HTTPS is required
Caching time (TTL)
CDN - Use cases for CloudFront
Static websites
Dynamic websites / applications
Widely geographically distributed users
Large files
Streaming media
CDN - What cases is CloudFront NOT suited for?
Users from a single location
Users from a corporate VPN (if they all exit from the same IP/location)
Storage Gateway - Use cases for the three different Storage Gateway types
Cached volumes: primary data in S3, frequently accessed data cached locally (expands local storage)
Stored volumes: primary data on premises, asynchronous point-in-time backups to S3
Virtual Tape Library: replaces physical tape while keeping the existing backup software and tape workflows
Directory - Use cases for the three Directory Services
AWS Directory Service for Microsoft AD (Enterprise Edition): more than 5000 users, full managed Microsoft AD
Simple AD: cost-effective Samba-based directory for fewer than 5000 users
AD Connector: proxy to an existing on-premises AD, no directory data in AWS
Security - What are the two services for encrypting with own keys and what are their use cases
KMS: scalable, managed symmetric key management and distribution integrated with AWS services
CloudHSM: dedicated hardware security modules under your control, for compliance regimes that require third-party validated (FIPS 140-2) key storage
CloudTrail - Can you use CT across regions
Yes, the same trails will be used on all regions and then stored in one S3 Bucket
CloudTrail - Use cases for Cloud Trail
External Compliance Audits
Finding out which services were targeted by unauthorized access attempts
Kinesis - Difference between Firehose / Streams
Firehose: loads streaming data into the appropriate store (S3, Redshift, ...) without custom consumers
Streams: real-time processing by your own consumer applications
EMR - Use cases for Elastic Map Reduce
Log processing
Clickstream analysis
Genomics and Life Science
Data Pipeline - What is the Data Pipeline?
Used for scheduled tasks that move data between the appropriate services.
Resources can be started/stopped on its behalf, and a failed task can be retried.
It can also check preconditions before a task is started
Import/Export - What are the two methods
Snowball: a storage appliance shipped by AWS
Use your own disk
OpsWorks - What is it based on and what does it do?
It is based on Chef.
Creates an application stack that can be deployed
Used to host multi-tier web applications and supports continuous integration
AWS Config - Use cases
Discovery of all resources in use
Inventory and configuration history of resources, including ones that no longer exist
Used for incidents and troubleshooting
CloudFront - What is the use case for a CF Origin Access Identity?
Makes sure that the content of a S3 bucket is only accessible with CloudFront
DB - How can Oracle and MS SQL be encrypted?
At rest: RDS encryption using KMS
Additionally Transparent Data Encryption (TDE) for Oracle and SQL Server Enterprise Edition
DB - What are the storage options for RDS?
Magnetic, SSD, SSD IOPS
4GB to 6TB
up to 30,000 IOPS
DB - What is RPO / RTO ?
Recovery Point Objective:
Max. data loss in an event of failure (should be minutes)
Recovery Time Objective:
How long does it take for the recovery to be fully effective
DB - How to scale horizontally for writes?
Using partitions or shards
Problem: the client/application must know which shard holds the data
DB - Which engines support Read Replicas
MySQL
MariaDB
PostgreSQL
Aurora
DB - How to encrypt Redshift
in transit: SSL
At rest: KMS or CloudHSM
DB - How to improve read throughput for DynamoDB
Distribute requests evenly across the range of partition keys
DB - What is a secondary index in DynamoDB?
Used to query on attributes other than the primary key, avoiding scan operations
Global Secondary Index: own partition key and sort key, can be created at any time
Local Secondary Index: same partition key as the table, different sort key, can only be created when the table is created
DB - How are IOPS generated for DynamoDB?
Each partition delivers up to 3000 read capacity units; adding partitions adds capacity
But if all reads hit one partition key (a hot partition), throughput stays at that partition's 3000
DB - What are DynamoDB Streams?
Ordered log of all item changes in a table, retained for 24 hours