Practice 1 Flashcards
ASG Dynamic Scaling Plan
add/remove resources to maintain resource utilization at the specified target value
ASG Predictive Scaling Plan
> forecast future load demands by analyzing historical records for a metric (allows you to schedule accordingly)
only available for EC2 ASG
IAM DB Authentication
> you don't need to use a password when you connect to a DB instance. Instead, you use an authentication token
- a unique string of characters that Amazon RDS generates on request (signed with the caller's IAM credentials);
- each token has a lifetime of 15 minutes, and the connection must use SSL/TLS. You don't need to store user credentials in the database, because authentication is managed externally using IAM.
AWS Security Token Service (STS)
> generate temporary tokens
web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users)
AWS Budgets
gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount
When using SSH (PuTTY) and you get:
Error: Server refused our key, or
Error: No supported authentication methods available
> check that you are using the appropriate user name for your AMI (for example ec2-user for Amazon Linux, ubuntu for Ubuntu)
> check that the private key (.pem) file has been correctly converted to the format recognized by PuTTY (.ppk)
Amazon DynamoDB advantage over RDS
> schemaless
> low latency
CloudWatch custom metrics (need the CloudWatch agent or PutMetricData from inside the instance)
- Memory utilization
- Disk swap utilization
- Disk space utilization
- Page file utilization
- Log collection
Default CloudWatch EC2 metrics (collected from the hypervisor, no agent needed)
- Disk reads/writes
- CPU utilization
- Network utilization
AWS Lambda encrypts environment variables using
the AWS Key Management Service
AWS CloudHSM
is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.
AWS CloudHSM vs AWS KMS
You should consider using AWS CloudHSM if you require:
- Keys stored in dedicated, third-party validated hardware security modules under your exclusive control.
- FIPS 140-2 Level 3 compliance.
- Integration with applications using PKCS#11, Java JCE, or Microsoft CNG interfaces.
- High-performance in-VPC cryptographic acceleration (bulk crypto).
To calculate the total number of IP addresses in a given CIDR block (example: /27)
1. Subtract the mask number from 32: 32 - 27 = 5
2. Raise 2 to the power of the answer in step 1: 2^5 = 2 * 2 * 2 * 2 * 2 = 32
(AWS reserves the first four and the last address of every VPC subnet, so a /27 subnet has 32 - 5 = 27 usable addresses.)
Amazon Athena
is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run.
S3 Select is
an Amazon S3 feature that makes it easy to retrieve specific data from the contents of an object using simple SQL expressions without having to retrieve the entire object.
Amazon Redshift Spectrum
is a feature of Amazon Redshift that enables you to run queries against exabytes of unstructured data in Amazon S3 with no loading or ETL required.
Amazon Elasticsearch Service (Amazon ES)
is a managed service that makes it easy to deploy, operate, and scale Elasticsearch clusters in the AWS Cloud. Elasticsearch is a popular open-source search and analytics engine for use cases such as log analytics, real-time application monitoring, and clickstream analysis
Route Origin Authorization (ROA)
is a document that you can create through your Regional internet registry (RIR), such as the American Registry for Internet Numbers (ARIN) or Réseaux IP Européens Network Coordination Centre (RIPE). It contains the address range, the ASNs that are allowed to advertise the address range, and an expiration date
IP match condition (AWS WAF, attached to a CloudFront distribution)
primarily used for allowing or blocking incoming web requests based on the IP addresses (CIDR ranges) that the requests originate from
Elastic IP address
static IPv4 address designed for dynamic cloud computing. An Elastic IP address is associated with your AWS account. With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account.
AWS WAF
web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules.
Amazon DynamoDB Accelerator (DAX)
fully managed, highly available, in-memory cache that can reduce Amazon DynamoDB response times from milliseconds to microseconds, even at millions of requests per second.
AWS Device Farm
app testing service that lets you test and interact with your Android, iOS, and web apps on many devices at once, or reproduce issues on a device in real time
RAID 0
striping; increases I/O performance (reads and writes) but gives no redundancy: losing one volume loses the whole array
RAID 1
mirroring; provides redundancy and fault tolerance at the cost of write throughput
Linux Amazon Machine Images use one of two types of virtualization
1. paravirtual (PV) - legacy, lower performance on current hardware, not supported on current-generation instance types
2. hardware virtual machine (HVM) - recommended; uses hardware virtualization extensions and is required for enhanced networking and GPU instance types
Public Data Set Volume Encryption
not needed: public data sets are designed to be publicly accessible, so encrypting the volume protects nothing
Cost for transferring data from an EC2 instance to Amazon S3, Amazon Glacier, Amazon DynamoDB, Amazon SES, Amazon SQS, or Amazon SimpleDB in the same AWS Region
None (free)
AWS Directory Service AD Connector
If the company is already using a corporate (on-premises) Active Directory, it is best to use AWS Directory Service AD Connector for easier integration: it proxies requests to the existing directory without caching credentials in the cloud.
AWS Directory Service Simple AD
provides a subset of the features offered by AWS Managed Microsoft AD, including the ability to manage user accounts and group memberships, create and apply group policies, securely connect to Amazon EC2 instances, and provide Kerberos-based single sign-on (SSO)
Multi-AZ deployment
synchronous replication - highly durable
Read Replica
asynchronous replication - highly scalable
Enable Enhanced Monitoring in RDS
monitor how the different processes or threads on a DB instance use the CPU, including the percentage of the CPU bandwidth and total memory consumed by each process
Amazon EMR (Elastic MapReduce)
> is an Amazon Web Services (AWS) tool for big data processing and analysis. Amazon EMR offers an expandable, low-configuration service as an easier alternative to running an in-house cluster.
not a fully managed service: you can access (and are responsible for) the OS of the cluster nodes
Amazon Neptune
fast, reliable, fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets.
110.238.98.71/32 denotes
1 IP address (only that host)
110.238.98.71/0 denotes
the entire IPv4 address space; a /0 mask keeps no network bits, so it is equivalent to 0.0.0.0/0 (any address)
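The two CIDR cards above (the 32 - mask rule and the /32 and /0 cases), worked through in code. This is an added example, not AWS code: it uses Python's standard ipaddress module, and the five reserved addresses and the /16 to /28 subnet bounds are AWS VPC rules, while the sample CIDRs are constructed.

```python
import ipaddress

# AWS keeps five addresses in every VPC subnet: network address, VPC router (.1),
# Route 53 Resolver (.2), reserved for future use (.3) and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28


def normalized_network(cidr: str) -> str:
    """The network a CIDR really denotes: 110.238.98.71/0 -> 0.0.0.0/0."""
    return str(ipaddress.ip_network(cidr, strict=False))


def total_addresses(cidr: str) -> int:
    """Flashcard rule: 2 ** (32 - mask) for IPv4 (max_prefixlen is 128 for IPv6)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return 2 ** (net.max_prefixlen - net.prefixlen)


def _vpc_subnet(subnet_cidr: str) -> ipaddress.IPv4Network:
    """Validate the AWS subnet size limits before reasoning about usable IPs."""
    net = ipaddress.ip_network(subnet_cidr, strict=False)
    if net.version != 4:
        raise ValueError("this helper covers IPv4 subnets only")
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError(f"VPC subnets must be /{VPC_MIN_PREFIX}../{VPC_MAX_PREFIX}, got /{net.prefixlen}")
    return net


def reserved_addresses(subnet_cidr: str) -> list:
    """The five addresses AWS reserves in the subnet, in address order."""
    net = _vpc_subnet(subnet_cidr)
    return [str(net.network_address), str(net[1]), str(net[2]), str(net[3]),
            str(net.broadcast_address)]


def usable_subnet_addresses(subnet_cidr: str) -> int:
    """Addresses that can actually be assigned to ENIs in a VPC subnet."""
    _vpc_subnet(subnet_cidr)
    return total_addresses(subnet_cidr) - AWS_RESERVED_PER_SUBNET


if __name__ == "__main__":
    for cidr in ("10.0.0.0/27", "110.238.98.71/32", "110.238.98.71/0"):
        print(cidr, "->", normalized_network(cidr), total_addresses(cidr))
    print(usable_subnet_addresses("10.0.1.0/24"), reserved_addresses("10.0.1.0/24"))
```

strict=False matters: with the default strict=True, ipaddress rejects 110.238.98.71/0 because host bits are set, which is exactly the situation the /0 card describes.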
Amazon Redshift workload management (WLM)
define the number of query queues that are available, and how queries are routed to those queues for processing. WLM is part of parameter group configuration. A cluster uses the WLM configuration that is specified in its associated parameter group
A web application that you developed stores sensitive information on a non-boot, unencrypted Amazon EBS data volume attached to an Amazon EC2 instance. How can you provide protection to the sensitive data of your Amazon EBS volume?
Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume and finally, delete the old Amazon EBS volume.
EBS encryption is done during
volume creation, not after: an existing unencrypted volume cannot be encrypted in place. Besides copying the data to a new encrypted volume, you can take a snapshot of the unencrypted volume, copy the snapshot with encryption enabled, and create a new volume from the encrypted copy.
Amazon Redshift Enhanced VPC Routing
> forces all COPY and UNLOAD traffic between your cluster and your data repositories through your Amazon VPC.
you can use standard VPC features, such as VPC security groups, network access control lists (ACLs), VPC endpoints, VPC endpoint policies, internet gateways, and Domain Name System (DNS) servers
Kinesis Client Library (KCL)
using this, you can develop a consumer application for Amazon Kinesis Data Streams
DynamoDB Streams Kinesis Adapter
recommended way to consume Streams from DynamoDB
Amazon Elastic Container Service (Amazon ECS)
highly scalable, high-performancecontainerorchestration service that supportsDockercontainers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines.
AWS Secrets Manager
helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
AWS Systems Manager Parameter Store
provides secure, hierarchical storage for configuration data management and secrets management.
Amazon Inspector
automated security assessment service that helps you test the network accessibility of your Amazon EC2 instances and the security state of your applications running on the instances. It does not provide a custom metric to track the memory and disk utilization of each and every EC2 instance in your VPC
you cannot directly assign an EIPto an Auto Scaling - group - true or false
True
Match Viewer
Origin Protocol Policy which configures CloudFront to communicate with your origin using HTTP or HTTPS, depending on the protocol of the viewer request. CloudFront caches the object only once even if viewers make requests using both HTTP and HTTPS protocols
CloudFront signed URLs and signed cookies provide the same basic functionality:
they allow you to control who can access your content
Use signed URLs for
- You want to use an RTMP distribution. Signed cookies aren't supported for RTMP distributions.
- You want to restrict access to individual files, for example, an installation download for your application.
- Your users are using a client (for example, a custom HTTP client) that doesn't support cookies.
Use signed cookies for
- You want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers' area of a website.
- You don't want to change your current URLs.
Termination policy for scale in in an ASG (default policy)
1. Choose the Availability Zone with the most instances and at least one instance that is not protected from scale in.
2. Within that AZ, terminate the instance with the oldest launch template or launch configuration.
3. If there are multiple instances to terminate based on the above criteria, determine which unprotected instances are closest to the next billing hour. (This helps you maximize the use of your EC2 instances and manage your Amazon EC2 usage costs.) If there is one such instance, terminate it.
4. Otherwise, terminate one of them at random.
S3 pre-signed URLs
> grant time-limited permission to download (or, with PUT, upload) the objects.
When you create a pre-signed URL for your object, you must provide your security credentials, specify a bucket name, an object key, the HTTP method (GET to download the object) and the expiration date and time. The URL can do no more than the identity that signed it; if it was signed with temporary credentials, it also stops working when those credentials expire.
The pre-signed URLs are valid only for the specified duration.
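Both the S3 pre-signed URL card above and the IAM DB Authentication card near the top of this deck describe the same mechanism: a SigV4 query-string-signed request with X-Amz-Expires. An RDS auth token is literally such a pre-signed URL (service rds-db, Action=connect, 900 seconds) with the https:// scheme stripped. The block below is an added example written for this page, not AWS SDK code; it re-implements SigV4 presigning from the standard library so the inputs (credentials, bucket, key, method, expiry, and optionally an STS session token) are visible. The access key, secret key, bucket, host names and session token are constructed placeholders. In real code use the SDK (for example boto3's generate_presigned_url and generate_db_auth_token).

```python
import datetime
import hashlib
import hmac
import urllib.parse

# Constructed example credentials for this page; not real AWS keys (assumption).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
MAX_PRESIGN_SECONDS = 7 * 24 * 3600   # SigV4 query-string presigning cap
RDS_TOKEN_SECONDS = 15 * 60           # RDS IAM auth token lifetime


def utc_time(year, month, day, hour=0, minute=0, second=0):
    return datetime.datetime(year, month, day, hour, minute, second,
                             tzinfo=datetime.timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _q(value: str) -> str:
    # SigV4 URI-encoding of a query component: only unreserved characters survive.
    return urllib.parse.quote(value, safe="-_.~")


def sigv4_presign(method, host, path, query, region, service, expires, now,
                  access_key=ACCESS_KEY, secret_key=SECRET_KEY, session_token=None):
    """Build a SigV4 query-string-authenticated request (returned without scheme)."""
    if not 1 <= expires <= MAX_PRESIGN_SECONDS:
        raise ValueError("X-Amz-Expires must be between 1 second and 7 days")
    amz_date = now.astimezone(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    params = dict(query)
    params.update({
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    })
    if session_token:                       # temporary credentials from STS
        params["X-Amz-Security-Token"] = session_token
    canonical_query = "&".join(f"{_q(k)}={_q(v)}" for k, v in sorted(params.items()))
    canonical_uri = urllib.parse.quote(path, safe="/-_.~")
    canonical_request = "\n".join([method, canonical_uri, canonical_query,
                                   f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _hmac(("AWS4" + secret_key).encode("utf-8"), amz_date[:8])
    for part in (region, service, "aws4_request"):   # date -> region -> service -> terminal
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def presign_s3_get(bucket, key, region, expires, now, **creds):
    """Time-limited GET for one object; it inherits the signer's S3 permissions."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    return "https://" + sigv4_presign("GET", host, "/" + key, {}, region, "s3",
                                      expires, now, **creds)


def rds_auth_token(hostname, port, username, region, now, **creds):
    """IAM DB auth token: presigned rds-db:connect request, 15 minutes, no scheme."""
    return sigv4_presign("GET", f"{hostname}:{port}", "/",
                         {"Action": "connect", "DBUser": username},
                         region, "rds-db", RDS_TOKEN_SECONDS, now, **creds)


def seconds_remaining(signed_url, now):
    """Validity left according to X-Amz-Date + X-Amz-Expires (0 once expired)."""
    q = urllib.parse.parse_qs(signed_url.split("?", 1)[1])
    issued = datetime.datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=datetime.timezone.utc)
    expires_at = issued + datetime.timedelta(seconds=int(q["X-Amz-Expires"][0]))
    return max(0, int((expires_at - now).total_seconds()))


if __name__ == "__main__":
    now = utc_time(2024, 1, 15, 12, 0, 0)
    print(presign_s3_get("examplebucket", "docs/report.pdf", "us-east-1", 600, now))
    print(rds_auth_token("db.example.internal", 5432, "app_user", "us-east-1", now))
```

Two things the flashcards state fall out directly: the expiry is carried in the signed query string, so it cannot be extended by editing the URL without invalidating X-Amz-Signature, and the RDS token is just the same construction capped at 900 seconds, which is why nothing password-like is ever stored in the database.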
Oracle Recovery Manager (RMAN) and Oracle Real Application Clusters (RAC) are supported in RDS - true or false
false
Amazon MQ
recommended if you're using messaging with existing applications (standard protocols such as JMS, AMQP, MQTT, STOMP) and want to move your messaging service to the cloud quickly and easily
If you are building brand new applications in the cloud, then it is highly recommended that you consider ? for messaging:
Amazon SQS and Amazon SNS
How to protect the back end from request spikes when using API Gateway and Lambda
use throttling limits in API Gateway (a steady-state rate and a burst, applied per account, per stage/method and per usage plan; requests over the limit get HTTP 429 and never reach Lambda)
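API Gateway documents its throttling as a token bucket (a token per request, refilled at the steady-state rate, with the burst as bucket size). The block below, an added example written for this page rather than AWS code, simulates that model so the rate/burst semantics are visible: which requests of a spike are forwarded (200) and which are rejected (429), and how stacking a stricter usage-plan limit on top of a stage limit lets the most restrictive one win. The exact refill and multi-limit behaviour inside API Gateway is not published in this detail, so the model is an approximation (assumption); the arrival timestamps are constructed.

```python
class TokenBucket:
    """rate = steady-state requests per second, burst = bucket capacity."""

    def __init__(self, rate: float, burst: int):
        self.rate = float(rate)
        self.capacity = float(burst)
        self.tokens = float(burst)   # a quiet API starts with a full bucket
        self.last = 0.0              # time of the last refill, seconds

    def refill(self, now: float) -> None:
        # Tokens accrue proportionally to elapsed time but never beyond capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def can_take(self) -> bool:
        return self.tokens >= 1.0

    def take(self) -> None:
        self.tokens -= 1.0


def simulate(limits, arrival_times):
    """Status per request, 200 forwarded to Lambda or 429 throttled.

    limits: list of (rate, burst) pairs that all apply to the same request,
    e.g. [(stage_rate, stage_burst), (usage_plan_rate, usage_plan_burst)].
    A request is forwarded only if every limit has a token for it.
    """
    buckets = [TokenBucket(rate, burst) for rate, burst in limits]
    statuses = []
    for t in arrival_times:
        for bucket in buckets:
            bucket.refill(t)
        if all(bucket.can_take() for bucket in buckets):
            for bucket in buckets:
                bucket.take()
            statuses.append(200)
        else:
            statuses.append(429)
    return statuses


if __name__ == "__main__":
    # Constructed spike: five requests at t=0, three more one second later.
    spike = [0.0, 0.0, 0.0, 0.0, 0.0, 1.0, 1.0, 1.0]
    print(simulate([(2, 3)], spike))           # stage limit: 2 rps, burst 3
    print(simulate([(2, 3), (1, 1)], spike))   # plus a 1 rps / burst 1 usage plan
```

Reading the first run: the burst of 3 absorbs the first three requests, the next two are throttled, and one second later only the two tokens the 2 rps rate has refilled are available. Raising the burst smooths short spikes; raising the rate is what lets sustained load through, and it is the rate that ultimately protects the Lambda concurrency behind the API.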
Aurora cluster endpoint
> also known as the writer endpoint for an Aurora DB cluster; simply connects to the current primary DB instance for that DB cluster.
This endpoint is the only one that can perform write operations in the database such as DDL statements, which is perfect for handling production traffic but not suitable for handling queries for reporting (use the reader endpoint, which load balances across the Aurora Replicas, for those).
Lambda@Edge
lets you run Lambda functions to customize the content that CloudFront delivers, executing the functions in AWS locations closer to the viewer.
AWS Serverless Application Model (SAM)
open-source framework that you can use to build serverless applications on AWS
(A serverless application is a combination of Lambda functions, event sources, and other resources that work together to perform tasks.)
How to improve DynamoDB performance by distributing the workload evenly and using the provisioned throughput efficiently
use partition keys with high-cardinality attributes, i.e. attributes with a large number of distinct values across items (an order ID rather than a status or a date), so requests spread across partitions instead of hitting one "hot" partition
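The partition-key card above, made measurable. This added example (written for this page, not DynamoDB code) hashes constructed item keys into a fixed number of partitions and compares a low-cardinality key (three status values) with a high-cardinality one (unique order IDs). The SHA-256-modulo hash is a stand-in for DynamoDB's internal hash function, which is an assumption; only the spread it produces matters for the point.

```python
import hashlib


def partition_for(partition_key: str, partitions: int) -> int:
    """Stand-in for DynamoDB's internal key hash (assumption: any uniform hash)."""
    digest = hashlib.sha256(partition_key.encode("utf-8")).hexdigest()
    return int(digest, 16) % partitions


def partition_load(partition_keys, partitions: int) -> list:
    """How many requests each partition would receive for these keys."""
    load = [0] * partitions
    for key in partition_keys:
        load[partition_for(key, partitions)] += 1
    return load


def hot_partition_ratio(load) -> float:
    """Busiest partition relative to a perfectly even spread (1.0 is ideal).

    With provisioned throughput split evenly across partitions, a ratio of N
    means the hottest partition is being asked for N times its share and will
    throttle while the others sit idle.
    """
    mean = sum(load) / len(load)
    return max(load) / mean


# Constructed workloads: 3000 requests keyed three different ways.
def low_cardinality_keys(n: int) -> list:
    return [f"status#{i % 3}" for i in range(n)]        # pending/shipped/delivered


def high_cardinality_keys(n: int) -> list:
    return [f"order#{i:08d}" for i in range(n)]          # one distinct value per item


if __name__ == "__main__":
    for name, keys in (("status", low_cardinality_keys(3000)),
                       ("order id", high_cardinality_keys(3000))):
        load = partition_load(keys, 10)
        busy = sum(1 for x in load if x)
        print(f"{name:9s} busy partitions={busy:2d} hot ratio={hot_partition_ratio(load):.2f}")
```

A composite key (for example order ID plus a write-sharding suffix) is the usual fix when the natural key is low-cardinality; the same functions show the improvement if you feed them the sharded keys.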
How to secure the session data in the portal by requiring users to enter a password before they are granted permission to execute Redis commands
Use the Redis AUTH command: it improves data security by requiring the client to present a password before it is granted permission to execute Redis commands on a password-protected Redis server (in ElastiCache, set an auth token on the replication group; this requires in-transit encryption to be enabled)
(DDoS)attack
A distributed denial-of-service (DDoS)attackis a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
AWS Shield Advanced
In addition to the network and transport layer protections that come with Standard, AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS (distributed denial-of-service) attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall.
AWS Firewall Manager
is mainly used to simplify your AWS WAF administration and maintenance tasks across multiple accounts and resources. It does not protect your VPC against DDoS attacks.
AWS WAF
can help you block common attack patterns against your web applications such as SQL injection or cross-site scripting, but on its own it is not enough to withstand DDoS attacks
Lifecycle hook
you can add it to your ASG to perform custom actions when instances launch or terminate (the instance waits in a pending/terminating state until the hook completes or times out)
Target tracking scaling
increase or decrease the current capacity of the group based on a target value for a specific metric
Step scaling
increase or decrease the current capacity of the group based on a set of scaling adjustments, known as step adjustments, that vary based on the size of the alarm breach
Simple scaling
increase or decrease the current capacity of the group based on a single scaling adjustment
Scale-out cooldown period
amount of time, in seconds, after a scale-out activity completes before another scale-out activity can start
Scale-in cooldown period
amount of time, in seconds, after a scale-in activity completes before another scale-in activity can start
Permission policy
describes who has access to what
Identity-based policies
IAM policies attached to a user, group or role
Resource-based policies
policies attached to a resource (for example an S3 bucket policy)
Amazon RDS supports only which policies?
identity-based policies (IAM); RDS has no resource-based policies
You need to associate an Elastic IP address with your instance to enable communication with the internet - T or F
true for an instance that has no auto-assigned public IPv4 address: the instance needs a public IP (Elastic or auto-assigned) plus a route to an internet gateway; outbound-only access can instead go through a NAT gateway
every instance in a vpc has a default network interface called
primary network interface (eth0)
DynamoDB Streams
optional feature that captures data modification events in DynamoDB tables (ordered, retained for 24 hours)
CloudWatch Logs Insights
enables you to interactively search and analyze your log data in CloudWatch Logs using queries
CloudWatch vended logs
logs that are natively published by AWS services on behalf of the customer; VPC Flow Logs was the first vended log type to benefit from the tiered (volume-discounted) pricing model
A Site-to-Site VPN connection consists of
1. a Virtual Private Gateway (VPG/VGW) on the AWS side
2. a Customer Gateway on your side
Amazon Kinesis (Kinesis Data Firehose) can load streaming data into
Amazon Elasticsearch Service (as well as S3, Redshift and Splunk)
Amazon Kinesis Agent
a pre-built Java application that offers an easy way to collect and send data (for example log files) to your Amazon Kinesis data stream or Firehose delivery stream
Blue/Green deployment
refers to the practice of running 2 production environments, one live and one idle, and switching the 2 as you make software changes
DynamoDB and Cloudfront do not have a Read Replica Feature - T or F
True
Multi-AZ deployments are available for
MySQL, MariaDB, Oracle, PostgreSQL and SQL Server (SQL Server uses database mirroring or Always On instead of block-level replication)
CloudWatch gathers metrics about CPU utilization from
the hypervisor for a DB instance
Enhanced Monitoring gathers its metrics from
an agent on the instance