One Flashcards
What is the shared responsibility model?
AWS is responsible for security AT the cloud
Customer is responsible for security IN the cloud
What is the zero trust model?
Defense in depth approach: applies security controls at all layers of customer’s network.
Three levels of security: network level (VPC, firewall), data encryption, IAM
What is IAM (name and def)
Identity and access management
Tracks, identifies and access in a system
What are IAM policies composed of?
the principals: specifies who permissions are given to,
the actions: specifies what’s being performed,
the resources: specifies which properties are being accessed
What can an IAM policy be applied to?
a principal (identity-based) or a resource (resource-based)
Only some services have resource-based policies. Which are they?
S3, SES, KMS (key mgmt service)
What can be used in addition to VPC to restrict traffic into my network?
Amazon WAF (web application firewall)
What can you use for resource-level security?
security group
What can a security group be attached to?
EC2 instances, RDS instances, Lambda
How many AZ’s does a region contain?
Three or more
What is Rt 53?
a scalable DNS service that translates names into IP addresses (internet protocol) that computers can read, and can route traffic between regions.
Cust can also buy and register domain names here.
Steps to determine the service you need.
- compute service: Do you want VM-based (EC2, Lightsail, Elastic Beanstalk) container-based (ECS, EKS, ?EC2), or serverless (Lambda)?
- Storage service: Do you want block storage (EBS), file system (EFS), object stores (S3), or archival storage (S3 Glacier)?
- Database service: Do you need relational db (RDS or Aurora), non-rel db (DynamoDB), data warehouse (Redshift - for lg scale analysis), data indexing searching?
- Config service
- Cost: Only pay for what you use
Talk about EC2
Elastic Compute Cloud,
flexible, cost effective. AWS manages the physical host machine. Instance can have either Linux or Windows OS. Are scalable.
When cust spins up EC2 instance, they share a host with other instances (multi-tenancy).
What is responsible for sharing the resources between EC2 instances?
hypervisor
What are the EC2 instance types?
- general purpose: a balance of compute, memory, networking
- compute-optimized: high-perf processor for batch processing
- memory-optimized: for high-perf db’s
- accelerated computing: for floating pt # cals, graphics processing, game streaming
- storage-optimized: for high-sequential read/write
Which EC2 instance is best for application servers?
general purpose
Which EC2 instance preloads data and is good for high performance db’s?
memory-optimized
Which EC2 instance is best for apps that have a high IOPS requirement (input/output ops per sec)
storage-optimized
What factors should you consider when choosing a region?
- compliance
- proximity to users
- feature availability
- pricing
How do you prevent downtime?
Run instances in different availability zones in one region.
What is CloudFront?
A CDN (global content delivery network). It pushes cached copies of content from regions to edge locations to get content close to custs quickly, no matter where they are in world. Runs Rt 53 DNS.
What is an AWS Outpost?
mini-region at a cust bldg run and owned by AWS
What is used in AWS for services to interact?
API calls (application programming interface)
What service do you use to create requests to send to AWS API’s to manage resources?
AWS Mgmt Console (browser based) or CLI (use this to script the API calls since it makes the cmd repeatable) or SDKs (software devlopment kits) or Beanstalk or Cloud Formation
What does Rt 53 use to direct traffic to endpoints?
Different routing policies:
- latency-based routing
- geolocation DNS (based on where cust is located)
- geoproximity routing
- weighted round robin
Which service minimizes the effect of DoS and DDos on your apps?
(denial of service and distributed denial of service)
AWS Shield
How many AWS support plans are there, and what are they?
Four:
- basic: free for all AWS custs. No trusted advisor check
- developer: No trusted advisor check
- business: Trusted advisor checks at the lowest cost.
- enterprise: Get TAM (technical acct mgr) and Trusted advisor checks
What is the name for the digital catalog of software?
AWS Marketplace
Which service tracks the metrics of an EC2 instance?
CloudWatch
What is CloudFormation?
AWS CloudFormation is a service that helps you model and set up your AWS resources. You must build the architecture.
What is Elastic BeanStalk?
A deployment tool. You do NOT build the architecture.
If you are an RDS customer, who is responsible for the EC2 instance?
AWS since RDS is a managed service.
Are groups, users, and roles authenticated in IAM?
Groups are NOT authenticated but user and role can be.
In IAM, what can a policy be attached to?
user, group, or role
How far apart are availability zones from each other?
62 miles
What are some services at edge locations?
Rt 53 (DNS), CloudFront (caching), Shield, WAF (firewall)
What are the EBS volume types?
- General Purpose SSD: balances price and perf. Good for most workloads.
- Provisioned IOPS SSD (solid state drive): good for transactional workloads involving frequent read/write ops with small I/O size (IOPS)
- Throughput-optimized HDD (hard disk drive): good for large streaming workloads where the dominant performance attribute is throughput.
- Previous generation: HDD for workloads with small dataset, accessed infrequently and perf is not of primary importance.
What is an EBS snapshot?
A backup of the EBS volume.
Are EBS volumes and EC2 instances stored on the same hardware?
NO
Describe how to name an S3 bucket.
DNS naming convention:
3-63 chars, no uppercase, must start with letter or number, globally unique.
What is the durability of S3?
11 9’s (99.99999999999%)
Is there an S3 storage limit?
No. But an object can only be up to 5TB
What is S3 versioning?
When versioning is enabled on a bucket, each time an object is uploaded it gets a new, unique version ID.
What is S3 lifecycle policy?
automatic moving of objects from tier to tier (from S3 to IA tier if not used in 30 days)
Which storage service allow reading of a single block of data?
EBS
Which storage service is good for db files?
EBS
What is a stateful security group?
It remembers, so traffic that is allowed in, is also allowed out.
What is an NACL?
network access control list.
Your VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.
You can create a custom network ACL and associate it with a subnet.
What is CloudWatch?
A service for monitoring resources and apps, logging, alerting and can trigger automation.
What is CloudTrail?
Records API calls to your account. Good for security and compliance auditing.
What does ELB do?
Distributes traffic to healthy EC2 instances ensuring traffic is evenly balanced between the instances.
What are the types of ELB?
- ALB (application load balancer): good for complex traffic routing, operate on layer 7 of the OSI model and directs traffic based on the content of the URL. This is called path-based routing.
- NLB (network load balancer): good for high volume spiky traffic patterns, operate on layer 4 of the OSI model and directs traffic based on the port number.
- CLB (classic load balancer): outdated.
How do you grant access to S3 bucket?
By S3 bucket policies or IAM.
What are the engine choices for RDS?
MS SQL server, Oracle, MySQL, PostgreSQL, MariaDB, Amazon Aurora
Which are the noSQL db’s?
DynamoDB, DocumentDB (json docs), Neptune (graph db, retail websites)
How do you query DynamoDB?
With API calls
Do IAM users, roles and policies are permanent keys?
Users have permanent keys. Roles do not.
What is ARN?
Amazon Resource Name. Everything created in your acct gets an ARN, and is unique.
What is cloud computing?
The on-demand delivery of compute power, db, storage, apps, and other IT resources through a cloud services platform (like AWS) via the internet with pay-as-you-go pricing.
How do you access and manage AWS services?
Through the AWS Mgmt Console
How can you control multiple AWS services with one tool?
Use the AWS CLI (command line interface)
What does serverless mean?
Customer does NOT manage the infrastructure.
What are the five pillars of a well-architected framework?
- cost optimization
- reliability
- operational excellence
- performance efficiency
- security
What are the three types of cloud computing?
- IaaS (infrastructure as a service)
- PaaS (platform as a service)
- SaaS (software as a service)
What are the five pillars of security?
=detective controls
- IAM
- infrastructure protection
- data protection
- incident response
What are the three common types of charges that you can incur in AWS?
compute (usually pay per hour)
storage (usually pay per GB of data)
data out
What are the four support tiers?
- basic: free, no tech support
- developer: during bus hour via em, only one person,
- business: 24-7, unlimited people, one hr response for urgent cases
- enterprise: 15 min response for critical case
What does Trusted Advisor check?
- cost optimization
- security
- fault tolerance
- performance
- service limits
You need to implement an automated service that will scan your AWS environment with the goal of improving security and reducing costs. What service should you use?
Trusted Advisor
Name three key components of Glacier.
Vault, archive, access policy. Buckets are NOT part of glacier. Data is auto encrypted.
For a subnet to be public and send non-local traffic to the internet, you must update the route table of the public subnet and attach what to the VPC that contains the subnet?
internet gateway
Which service provides a view of the performance and availability of your AWS services based upon your requirements?
Personal Health Dashboard
What is the AWS event-driven, serverless compute service?
Lambda
You need a virtual hard disk for your EC2 instance. What should you use?
EBS
What is the URL structure for objects in S3?
https - bucket name - dot - the S3 regional endpoint - / - object name
What service can tell you when you have crossed a billing threshold?
CloudWatch
What is the name for a series of edge locations plus info about how you want content managed as part of a CDN?
a distribution
What service would you use for predictable monthly pricing and allowing for burst above baseline of CPU perf?
Lightsail
Which service provides consistently high CPU perf and costs varying by usage?
EC2
Which is a managed db service that’s 5X faster that a MySQL db?
Aurora
How do you recreate an EBS volume?
recreate the volume from a snapshot.
What are edge locations responsible for?
hosting CloudFront (CDN)
You have a variable workload and only want to pay for the compute time when your code isn’t running. Which service should you use?
Lambda
What allows you to restrict access to individual objects in an S3 bucket?
access control lists
Which type of load balancer uses listeners, targets and target groups?
Application load balancer
Which ELB would be best suited to help you host a website?
ALB
Are S3 buckets private by default?
Yes
You need to allow resources in a private subnet to access the internet. What must be present to enable this access?
NAT Gateway
What allows you to make entire buckets public?
Bucket policy
Your S3 buckets are missing. What should you check?
CloudTrail logs
Which languages can be used to author CloudFormation templates?
JSON and YAML
Are DynamoDB and RDS managed db’s?
Yes
Dynamo DB is noSQL
RDS is SQL
Is Lightsail a PaaS?
yes
Both ALB and Classic use Round Robin strategy to select a node.
True
Which service is best for storing sales data?
Redshift
Which service is bet for providing audit info on your AWS account?
CloudTrail
What is diff between vertical and horiz scaling?
Vertical adds more resources and horiz adds more instances.
How improve perf of online banking portal?
- Use of SSL acceleration and
- Relieve computational overhead on the web erver by offloading https session processes to hardware security modules in an AWS CloudHSM cluster.
A developer wants to automate updating a set of apps. Which service use?
CodeDeploy
Which tool use to forecast AWS spending?
Cost Explorer (free)
What service can automate the creation of new accounts?
Organizations
What is the benefit of running an app across two AZ’s?
It increase the availability of the app.
Describe scalability.
It diverts traffic based on demand, and to instances with the least load.
What is autoscaling?
To scale resources based on demand.
Which service gives the user the ability to group resources across diff regions by app and then collectively view their operational data for monitoring purposes?
systems manager
A company has consistently high throughput and requires no jitter and very low latency between its on-premise and AWC cloud. Which service should it use?
DirectConnect
A website goes viral for a few days and then rapidly declines in popularity. Which storage class and config should you use?
S3 standard and lifecycle policies
You want to host a db server for a min of 1 year. Which would cost least?
partial upfront costs reserved instances
What use for fast, secure img xfers to S3?
S3 Transfer Acceleration
What is term for a user-defined label that has a key-value pair of variable char length. It is assigned to AWS resources?
resource .
These can be edited or removed at any time.
What is the purpose of the ELB?
To distribute traffic to multiple EC2 instances
Which service helps troubleshoot runtime errors?
X-Ray
Best server for university during exam processing time?
serverless Lambda
What disaster recovery deployment has the lowest downtime?
multi-site then warm standby
Use EC2 reserved instance with a spot instance for a predictable workload with brief unpredictable spikes
True
What purpose of API?
It allows developer to work with AWS resources programmatically.
What is purpose of leader node in Redshift?
To receive queries and manage client connections
What is right sizing?
cost saving solution that analyzes data over a period of time to determine and recommend the type of EC2 instance appropriate for your workload.
What are the trusted advisor checks?
cost optimization, performance, security, fault tolerance, service limits
One of a blogger’s articles has gone viral sending a lot of traffic to the blog, and causing poor browsing experience for some reader. How can normal service be restored?
Set up read replicas on the backend RDS instance where the article resides.
What can be done to increase the fault tolerance of an app?
Deploy resources across multiple availability zones.
What can be used a an additional layer of security to using a user name and password when logging into the AWS Console?
MFA (multi-factor authentication)
Which support plan provides 24/7 access, and response time of < 1 hour for bus critical event.
Enterprise
What is name for a geographic location in AWS?
Region
What are two features of RDS that allow for better availability of databases?
Read replicas and Multi-AZ
An EC2 instance where utilization is guaranteed to be consistent for a long period of time. How would you get the lowest cost?
Use reserved instance.
You want to deploy a video-based app. The videos will be accessed by users around the world. Which service should you use to help stream the content in an efficient manner?
CloudFront
Which service allows you to analyze EC2 instances against pre-defined security templates to check for vulnerabilities?
Inspector
Which service can help decouple resources?
SQS
What can you use to spin-up EC2?
Amazon Machine Image
Which service helps you do a cost benefits analysis?
TCO Calculator (total cost of ownership)
What does an EC2 instance in your VPC need in order for the Internet Gateway to route its traffic to the Internet?
Public IP address
Your application needs full-managed storage for OBJECTS. Which service?
S3
Which service is the virtual hard disk?
EBS
What are edge locations responsible for?
Hosting CloudFront (CDN)
Lightsail is an example of PaaS (platform as a service):
True or False
True
What happens when an RDS Master database in a Multi-AZ deployment goes down?
RDS automatically fails over to the standby AZ, which is promoted to Master.
S3 buckets by default are private. T or F?
True
You want predictable monthly pricing, and the instance must have the ability to burst above baseline CPU when needed. Which service should you use to launch the instance?
Lightsail
Which compute service is known for consistently high CPU performance and costs that vary by usage?
EC2
Which service should you use to be notified when you have crossed a billing threshold?
CloudWatch
For a subnet to be public and send non-local traffic to the Internet, you must update the Route Table of the public subnet and attach what to the VPC that contains the subnet?
Internet Gateway
What doc do you use to grant permissions to users, groups and roles?
policy
If you want to see who tampered with your S3 bucket, what should you look at?
CloudTrail logs
Which is the managed db that is up to 5X faster than traditional MySQL db?
Aurora db (SQL)
Where do you look for AWS service alerts?
- Service Health Dashboard, and
- Personal Health Dashboard
Which load balancer uses listeners, targets, and target groups?
ALB
What is the name for a series of edge locations plus info about how you want content managed as part of a CDN?
a distribution
What are valid access types for an IAM user?
- programmatic access via the command line, API, SDK (software dev kit), or
- Mgmt console access
Which is the best load balancer when hosting a website?
ALB
What allows you to restrict access to an indiv object in an S3 bucket?
ACL (access control list)
Your boss wants a managed NoSQL database. Which service?
DynamoDB
Which service can you get that will automatically scan your AWS environment with the goal of improving security and reducing costs?
Trusted Advisor
Which is an event-driven, serverless compute service?
Lambda
You want to archive data that needs to be encrypted into Glacier. What do you need to do?
Send the data to Glacier. The data is encrypted by default.
A software dev team needs to create multiple testing environments each day. Provisioning needs to happen within mins. The number of environments per day varies. What is best way to create these environments?
Have CloudFormation provision the stacks and resources needed for the environments.
What compute service use when you don’t want to pay when your code is not running?
Lambda
Which load balancer uses a round-robin distribution strategy?
- Classic LB for TCP listeners only.
- ALB: to select a node.
What do you use to allow resources in a private subnet to access the internet?
NAT Gateway
You are being audited. Where can you get the info to provide to the audit team?
CloudTrail
You have RDS. Are you responsible for the database backups?
NO
You have RDS. Are you responsible for the optimization of your app that’s using RDS?
Yes
You want to re-create an EBS volume. How would you do this?
Re-create the volume from a snapshot.
You have a mission-critical app that must be globally available at all times. Which deployment strategy should you use?
Multi-region
Who should you report malicious activities to at AWS?
Abuse Team
Which services have built-in DDoS protection?
Rt 53, CloudFront, WAF, ELB, VPC, Security Groups
What is authentication?
The first part of the login process: Identifying who is accessing the system
First a user is authenticated then authorized. T or F?
True
What is authorization?
The 2nd part of the login process: Evaluating what permissions a user has.
Which service controls authentication and authorization within an AWS account?
IAM.
Security Groups and ACL’s are tools within IAM.
For EC2, what is the cust responsible for?
- maintenance and updating the OS and apps (patching)
- updating the db software
- managing access to the db
- security config.
- AWS will only take care of the underlying hrdwre to provide the service.
Which service is used during the process of encrypting EBS volumes?
KMS (key mgmt service)
What do you create to give permission to an EC2 app to access other resources?
A role
What do you give a group of people to assign them a pre-defined set of permissions based on their job role?
IAM group
You use your corp directory to grant access to users. What is this called?
Federated Access
What acts as built-in firewalls for your virtual servers?
Security Groups
What do you use to login to the Mgmt Console?
username and password
What are you responsible for when using S3?
Backing up your data.
Which service performs automated network assessments of EC2 instances to check for vulnerabilities?
Inspecter.
you create assessment templates to automate security vulnerability assessments.
What are factors that contribute to the agility that AWS provides?
speed, experimentation, culture of innovation
What does elasticity do?
It scales resources to the required capacity based on changes in WORKLOAD DEMAND. Scales up or down, so no need to worry about capacity.
What are the principles of sound cloud design?
- Assume everything will fail.
- Infrastructure as code
- Disposable resources
- Scalability
What are the principles of sound cloud design for performance efficiency?
- Deploy into multiple regions to go global in minutes
- Use serverless architectures.
- Democratize advanced technologies.
What is scalability?
Adding resources to your app as USER DEMAND grows. Expand out.
What is agility?
Decreasing the time to start new services.
T or F? A scalable system diverts traffic based on demand to instances with the least load.
True
Which AWS service automates infrastructure provisioning and admin tasks for an analytical data warehouse?
Redshift
What is the best suited file storage option for use when an admin is looking to deploy shared file access, linux-based workloads which will require up to petabytes of data stores?
EFS
What is the benefit of running an application across two AZs?
It increases the availability of an app compared to running in a single AZ.
Which service can store code?
CodeCommit
Which serverless service can run code?
Lambda
What does an ELB do?
Distribute traffic to multiple EC2 instances.
What is the best case for RDS?
In an org where only a finite number of processes query the db in predictable and well-structured schemas.
Which services does the Trusted Advisor Dashboard offer?
cost optimization performance security fault tolerance service limits
Which service provides security optimization recommendations?
Trusted Advisor
In which service can you group resources from different regions and view their operational data for monitoring purposes?
Systems Manager
What is the value of having AWS Cloud services accessible through an API?
It allows developers to work with AWS resources programmatically.
A start-up org wants to deploy a web and mobile app devop environment. How can this be achieved efficiently?
Use Quickstarts to id and provision the appropriate CloudFormation templates.
A department in an org has a monthly expenditure limit on their AWS acct and they are worried about exceeding it. What can they use to help?
Budgets, and create an email alert based on the budget parameters.
How is Cloud9 diff from Lambda?
Cloud9: developers can share in real-time.
Lambda: can be used to create functions that run in Cloud9
What is autoscaling?
To scale out resources based on demand. It monitors your apps and autom. adjusts capacity to maintain steady, predictable performance at the lowest possible cost.
T or F? A resource day can be edited or removed at any time.
True. They are a user-defined key-value pair, useful for labeling when running queries.
Trusted Advisor: best practices and recommendations
True
What’s the diff between lifecycle policy and intelligent tiering?
LIfecycle policy is pre-configured with a transition rule and not dependant on access patterns like intelligent tiering is.
What’s the diff between lifecycle policy and intelligent tiering?
LIfecycle policy is pre-configured with a transition rule and not dependent on access patterns like intelligent tiering is.
