One Flashcards
What is the shared responsibility model?
AWS is responsible for security OF the cloud
Customer is responsible for security IN the cloud
What is the zero trust model?
Defense in depth approach: applies security controls at all layers of customer’s network.
Three levels of security: network level (VPC, firewall), data encryption, IAM
What is IAM (name and definition)?
Identity and access management
Tracks identities and access in a system
What are IAM policies composed of?
- principals: specify who permissions are given to
- actions: specify what is being performed
- resources: specify which properties are being accessed
What can an IAM policy be applied to?
a principal (identity-based) or a resource (resource-based)
Only some services have resource-based policies. Which are they?
S3, SES, KMS (Key Management Service)
What can be used in addition to VPC to restrict traffic into my network?
Amazon WAF (web application firewall)
What can you use for resource-level security?
security group
What can a security group be attached to?
EC2 instances, RDS instances, Lambda
How many AZs does a region contain?
Three or more
What is Route 53?
A scalable DNS service that translates domain names into IP (Internet Protocol) addresses that computers can read, and can route traffic between regions.
Customers can also buy and register domain names here.
Steps to determine the service you need.
- compute service: Do you want VM-based (EC2, Lightsail, Elastic Beanstalk), container-based (ECS, EKS, ?EC2), or serverless (Lambda)?
- Storage service: Do you want block storage (EBS), a file system (EFS), object storage (S3), or archival storage (S3 Glacier)?
- Database service: Do you need a relational database (RDS or Aurora), a non-relational database (DynamoDB), a data warehouse (Redshift, for large-scale analysis), or data indexing and searching?
- Config service
- Cost: Only pay for what you use
Describe EC2.
Elastic Compute Cloud. Flexible and cost-effective; AWS manages the physical host machine. Instances can run either a Linux or a Windows OS, and are scalable.
When a customer spins up an EC2 instance, it shares a host with other instances (multi-tenancy).
What is responsible for sharing the resources between EC2 instances?
hypervisor
What are the EC2 instance types?
- general purpose: a balance of compute, memory and networking
- compute-optimized: high-performance processors for batch processing
- memory-optimized: for high-performance databases
- accelerated computing: for floating-point number calculations, graphics processing, game streaming
- storage-optimized: for high sequential read/write
Which EC2 instance is best for application servers?
general purpose
Which EC2 instance type preloads data and is good for high-performance databases?
memory-optimized
Which EC2 instance type is best for apps that have a high IOPS requirement (input/output operations per second)?
storage-optimized
What factors should you consider when choosing a region?
- compliance
- proximity to users
- feature availability
- pricing
How do you prevent downtime?
Run instances in different availability zones in one region.
What is CloudFront?
A CDN (global content delivery network). It pushes cached copies of content from regions to edge locations to get content close to customers quickly, no matter where they are in the world. Runs Route 53 DNS.
What is an AWS Outpost?
A mini-region at a customer's building, run and owned by AWS.
What is used in AWS for services to interact?
API calls (application programming interface)
What service do you use to create requests to send to AWS APIs to manage resources?
AWS Management Console (browser-based), the CLI (use this to script the API calls, since it makes the commands repeatable), SDKs (software development kits), Elastic Beanstalk, or CloudFormation
What does Route 53 use to direct traffic to endpoints?
Different routing policies:
- latency-based routing
- geolocation DNS (based on where the customer is located)
- geoproximity routing
- weighted round robin
Which service minimizes the effect of DoS and DDoS attacks on your apps?
(denial of service and distributed denial of service)
AWS Shield
How many AWS support plans are there, and what are they?
Four:
- basic: free for all AWS customers. No Trusted Advisor checks
- developer: No Trusted Advisor checks
- business: Trusted Advisor checks at the lowest cost
- enterprise: Get a TAM (technical account manager) and Trusted Advisor checks
What is the name for the digital catalog of software?
AWS Marketplace
Which service tracks the metrics of an EC2 instance?
CloudWatch
What is CloudFormation?
AWS CloudFormation is a service that helps you model and set up your AWS resources. You must build the architecture.
What is Elastic Beanstalk?
A deployment tool. You do NOT build the architecture.
If you are an RDS customer, who is responsible for the EC2 instance?
AWS since RDS is a managed service.
Are groups, users, and roles authenticated in IAM?
Groups are NOT authenticated, but users and roles can be.
In IAM, what can a policy be attached to?
user, group, or role
How far apart are availability zones from each other?
62 miles
What are some services at edge locations?
Route 53 (DNS), CloudFront (caching), Shield, WAF (firewall)
What are the EBS volume types?
- General Purpose SSD: balances price and performance. Good for most workloads.
- Provisioned IOPS SSD (solid-state drive): good for transactional workloads involving frequent read/write operations with small I/O size (IOPS).
- Throughput-optimized HDD (hard disk drive): good for large streaming workloads where the dominant performance attribute is throughput.
- Previous generation: HDD for workloads with small datasets that are accessed infrequently and where performance is not of primary importance.
What is an EBS snapshot?
A backup of the EBS volume.
Are EBS volumes and EC2 instances stored on the same hardware?
NO
Describe how to name an S3 bucket.
DNS naming convention:
3-63 characters, no uppercase, must start with a letter or number, globally unique.
What is the durability of S3?
11 9’s (99.99999999999%)
Is there an S3 storage limit?
No. But a single object can only be up to 5 TB.
What is S3 versioning?
When versioning is enabled on a bucket, each time an object is uploaded it gets a new, unique version ID.
What is an S3 lifecycle policy?
Automatic moving of objects from tier to tier (for example, from S3 to the IA tier if not used in 30 days).
Which storage service allows reading of a single block of data?
EBS
Which storage service is good for database files?
EBS
What is a stateful security group?
It remembers connection state, so traffic that is allowed in is also allowed out.
What is an NACL?
Network access control list.
Your VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.
You can create a custom network ACL and associate it with a subnet.
What is CloudWatch?
A service for monitoring resources and apps, logging, alerting and can trigger automation.
What is CloudTrail?
Records API calls to your account. Good for security and compliance auditing.
What does ELB do?
Distributes traffic to healthy EC2 instances ensuring traffic is evenly balanced between the instances.
What are the types of ELB?
- ALB (application load balancer): good for complex traffic routing; operates on layer 7 of the OSI model and directs traffic based on the content of the URL. This is called path-based routing.
- NLB (network load balancer): good for high-volume, spiky traffic patterns; operates on layer 4 of the OSI model and directs traffic based on the port number.
- CLB (classic load balancer): outdated.
How do you grant access to an S3 bucket?
By S3 bucket policies or IAM.
What are the engine choices for RDS?
MS SQL Server, Oracle, MySQL, PostgreSQL, MariaDB, Amazon Aurora
Which are the NoSQL databases?
DynamoDB, DocumentDB (json docs), Neptune (graph db, retail websites)
How do you query DynamoDB?
With API calls
Do IAM users, roles and policies have permanent keys?
Users have permanent keys. Roles do not.
What is ARN?
Amazon Resource Name. Everything created in your account gets an ARN, which is unique.
What is cloud computing?
The on-demand delivery of compute power, databases, storage, apps, and other IT resources through a cloud services platform (like AWS) via the internet with pay-as-you-go pricing.
How do you access and manage AWS services?
Through the AWS Management Console
How can you control multiple AWS services with one tool?
Use the AWS CLI (command line interface)
What does serverless mean?
Customer does NOT manage the infrastructure.
What are the five pillars of the Well-Architected Framework?
- cost optimization
- reliability
- operational excellence
- performance efficiency
- security
What are the three types of cloud computing?
- IaaS (infrastructure as a service)
- PaaS (platform as a service)
- SaaS (software as a service)
What are the five pillars of security?
- detective controls
- IAM
- infrastructure protection
- data protection
- incident response
What are the three common types of charges that you can incur in AWS?
- compute (usually pay per hour)
- storage (usually pay per GB of data)
- data out
What are the four support tiers?
- basic: free, no tech support
- developer: during business hours via email, only one person
- business: 24/7, unlimited people, one-hour response for urgent cases
- enterprise: 15-minute response for critical cases
What does Trusted Advisor check?
- cost optimization
- security
- fault tolerance
- performance
- service limits
You need to implement an automated service that will scan your AWS environment with the goal of improving security and reducing costs. What service should you use?
Trusted Advisor
Name three key components of Glacier.
Vault, archive, access policy. Buckets are NOT part of Glacier. Data is automatically encrypted.
For a subnet to be public and send non-local traffic to the internet, you must update the route table of the public subnet and attach what to the VPC that contains the subnet?
internet gateway
Which service provides a view of the performance and availability of your AWS services based upon your requirements?
Personal Health Dashboard
What is the AWS event-driven, serverless compute service?
Lambda
You need a virtual hard disk for your EC2 instance. What should you use?
EBS
What is the URL structure for objects in S3?
https://<bucket name>.<S3 regional endpoint>/<object name>
What service can tell you when you have crossed a billing threshold?
CloudWatch
What is the name for a series of edge locations plus info about how you want content managed as part of a CDN?
a distribution
What service would you use for predictable monthly pricing that also allows bursting above a baseline of CPU performance?
Lightsail
Which service provides consistently high CPU performance with costs varying by usage?
EC2
Which is a managed database service that's 5X faster than a MySQL database?
Aurora
How do you recreate an EBS volume?
Recreate the volume from a snapshot.
What are edge locations responsible for?
hosting CloudFront (CDN)