Pre-exam Flashcards

1
Q

What can you use NACL for?

A

you can monitor IP addresses

2
Q

NACL, deny or allow rules?

A

Can make both deny and allow rules. Must also create both inbound and outbound rules (stateless).

3
Q

what is stateful?

A

Security groups = both inbound and outbound rules are created (stateful)

4
Q

where can you not make deny rules?

A

In security groups: cannot make deny rules, since everything is denied by default, so you can only make allow rules.

5
Q

what is ElastiCache for?

A

To store session state data + improve performance through caching

6
Q

What are the two properties of Redis?

A

Redis Elasticache = persistent storage, key-value storage

7
Q

What are the two properties of Memcached?

A

- Not persistent
- High-performance distributed memory cache service

8
Q

what are VPC endpoints for?

A

PrivateLink = ensures traffic does not traverse the internet

9
Q

what is Gateway endpoint?

A

VPC endpoint for S3 + DynamoDB

10
Q

what is Interface endpoint?

A

VPC endpoint for almost all services (just not S3 and DynamoDB, which use the gateway endpoint)

11
Q

what is s3 for?

A

object-based storage

12
Q

how is the consistency for S3?

A

- Read-after-write for PUT
- Eventual consistency for deletes and modifications of objects

13
Q

what is efs for?

A

File storage, NFSv4.1 protocol, also works with block, concurrent EC2 instances.

Also good for big data and analytics.

14
Q

how is the consistency for efs?

A

- Reflects the last write always (always read-after-write)

15
Q

what is DynamoDB for?

A

- OLTP workloads
- NoSQL (schema-less)
- Serverless (no need to worry about infrastructure)

16
Q

how is dynamo db indexed?

A

Indexed by primary key

17
Q

what can DynamoDB not do?

A

No join across tables

18
Q

how is consistency for dynamo db?

A

- Eventually consistent for writes
- Can enable “strongly consistent reads” to fix this

19
Q

is dynamo db serverless?

A

Yes, unless using provisioned throughput.

20
Q

how can joins be made with aurora?

A

Joins across multiple tables are possible.

21
Q

how is consistency for aurora?

A

Low-latency write consistency

22
Q

what is ALB for?

A

- HTTP/HTTPS (Layer 7)
- Host- and path-based routing

23
Q

what is NLB for?

A

- TCP, TLS, UDP, TCP_UDP (Layer 4)

24
Q

what is CLB for?

A

- TCP, Layer 4
- Proxy protocol = TCP as back-end always

25
how is multi-az replication?
Synchronous (active-passive)
26
how is read replica replication?
Read replica = read performance improved, asynchronous
27
what are A records for?
IPv4 (google.com to IP address)
28
what are AAAA records for?
IPv6
29
what are Alias records for?
Used with the domain apex (e.g. digitalcloud.training) to connect to an ELB. Alias records let you route traffic to selected AWS resources, such as CloudFront distributions and Amazon S3 buckets. They also let you route traffic from one record in a hosted zone to another record.
30
what is PTR record?
Resolves an IP address to a fully-qualified domain name (FQDN), the opposite of what an A record does. PTR records are also called reverse DNS records.
31
what is identity federation?
IAM supports federation for delegated access to the Console or AWS APIs.
32
what is STS?
(For single sign-on.) A web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (such as federated users from an on-premises directory).
33
what are Temporary security credentials ?
AWS access key, secret key and security token. Valid for 12 hours by default, min 15 min, max 36 h.
34
what is SAML 2.0?
The protocol usually used for federation (authentication). Grants temporary access based on the user's AD credentials, so you can access IAM without having a user.
35
what is Cognito for?
Used to authenticate users to web and mobile apps.
36
what is user pool?
- Directory in Cognito. Users can sign in to web or mobile apps
- Can also use Facebook, Amazon, and SAML to log in
37
what is identity pool?
- User can obtain temporary AWS credentials to access AWS services
38
what are the limits for EBS General Purpose?
- 1 GiB to 16 TiB, max 16,000 IOPS
- 3 IOPS per GB up to 16,000
39
what are the limits for EBS IOPS optimized?
- 4 GiB to 16 TiB, max 64,000 IOPS
- Up to 50 IOPS per GB
40
what are the limits for EBS throughput optimized?
- Volume 500 GiB to 16 TiB, can burst, max 500 MB/s per volume, 500 IOPS
41
what are EBS magnetic optimized for?
- Cheap for infrequently accessed data
- Can be a boot volume
42
what are the limits for EBS cold?
- Volume 500 GiB to 16 TiB, max 250 MB/s per volume, 250 IOPS
- Cannot be a boot volume
- Cheapest version we have
43
what are some serverless applications?
- API Gateway
- Lambda
- S3
- DynamoDB
- SNS
- SQS
- Kinesis
- AWS Glue
- AWS Fargate (in ECS)
44
what does Lambda track?
Lambda tracks latency per request + number of requests + requests with errors.
45
what is Raid 0 for?
No redundancy, but writes data to multiple disks. Increases performance.
46
what is Raid 1 for?
Improves redundancy / availability = mirror
47
what is kinesis streams for?
real-time processing of streaming data
48
what is kinesis firehose for?
Delivers streams to AWS services such as S3, Splunk, Redshift and Elasticsearch.
49
what is kinesis analytics for?
processing and analyzing real-time streaming data
50
what does Elastic Network Adapter (ENA) offer?
High-performance computing / networking.
51
what does Elastic Fabric Adapter (EFA) offer?
- High-performance computing (HPC) for machine learning
- OS bypass functionality
52
what is Active-passive ?
Failover policy. One instance running and one backup (Multi-AZ).
53
what is Active-active ?
Multiple instances running at the same time.
54
what is important about simple AD?
Fully cloud-based; does not connect to on-premises.
55
what is AD Connector for?
Directory gateway that redirects requests to your on-premises AD and eliminates the need for direct synchronization = when you want to use an existing AD with AWS.
56
what is a small and a big AD connector?
- Small connector: up to 500 users
- Large connector: 500-4999 users
57
what is AD connector for Microsoft for?
Best choice if 5000+ users.
58
what is custom origin for?
To avoid direct access to the instances behind it (used with EC2) (CloudFront).
59
what is RTMP for?
RTMP = serve video files (stored in S3) | CloudFront
60
what is Web distribution for?
Web = serve files over HTTP | CloudFront
61
what is CloudFormation for?
- Provision infrastructure
- Describes exactly what resources are provisioned, their settings and changes to them
62
what is CloudWatch for?
monitoring
63
what is CloudTrail for?
auditing
64
what can you audit with CloudTrail?
- Data Events: also known as data plane operations
- Management Events: also known as control plane operations
65
what are the 3 storage gateways?
- File Gateway (NFS & SMB) = stored in S3
- Volume Gateway (iSCSI)
  - Stored volumes
  - Cached volumes
- Tape Gateway (VTL) = for archiving / backup
66
what is a file gateway for?
- File Gateway (NFS & SMB) = stored in S3
67
what is a volume gateway for?
- Volume Gateway (iSCSI)
  - Stored volumes
  - Cached volumes
68
what is a tape gateway for?
- Tape Gateway (VTL) = for archiving / backup
69
what is AWS CodeDeploy for?
Automates application deployment to Amazon EC2 instances, on-premises instances, or serverless Lambda functions.
70
what is AWS Glue for?
Fully managed extract, transform and load (ETL) service.
71
what is AWS Shield for?
to mitigate DDoS attacks
72
what is AWS Connect for?
self-service cloud-based contact center
73
what is API Gateway for?
HTTPS endpoints always, REST API.
74
what is Global Accelerator for?
improves availability and performance with both local and global users using static Anycast IP addresses
75
what is CodeCommit for?
for software version control, hosts Git repositories
76
what is Trusted Advisor for?
Real-time guidance to help provision resources following AWS best practices, reduce cost and increase performance and security; can display current usage and limits of services.
77
what is CloudHSM for?
Cloud Hardware Security Module: hardware-based storage solution for cryptographic keys.
78
what is SNS for?
Simple Notification Service, to send notifications through Lambda, HTTP/S, Email, SMS, SQS.
79
what is X-Forwarded-For (XFF)?
Identifies the IP address of the client connecting to a web server through an HTTP proxy or load balancer.
80
what is proxy protocol used with?
For TCP/SSL.
81
what do Parameter Groups do?
Manage database configurations.
82
what are Presigned URLs for?
Provide temporary access to a specific object to those who do not have AWS credentials.
83
what are Presigned Cookies for?
CloudFront signed cookies allow you to control who can access your content when you don't want to change your current URLs or when you want to provide access to multiple restricted files, for example, all of the files in the subscribers' area of a website.
84
what is Perfect Forward Secrecy (PFS) used with?
For CloudFront and ELB.
85
what are AWS Step Functions?
Coordinate multiple AWS services into serverless workflows (Lambda, ECS etc.) = orchestrate serverless workflows.
86
what is Egress-Only Internet Gateway for?
Allows VPC-based IPv6 traffic.
87
what is IPsec VPN for?
When you want to connect your network into the cloud and also directly access the internet from your VPC. IPsec AWS Site-to-Site VPN connection.
88
what is VPN CloudHub?
Essentially just a “hub”/center for multiple VPN connections from different customer networks entering into AWS.
89
What is DynamoDB Streams?
DynamoDB Streams help you to keep a list of item-level changes, or provide a list of item-level changes that have taken place in the last 24 hrs. Amazon DynamoDB is integrated with AWS Lambda so that you can create triggers—pieces of code that automatically respond to events in DynamoDB Streams.
90
What is Policy Generator for?
AWS Policy Generator is used to create a bucket policy for your Amazon S3 bucket. Bucket policies can be used to grant permissions to objects. You can define permissions on objects when uploading and at any time afterwards using the AWS Management Console. You cannot use a bucket ACL to grant permissions to objects within the bucket. You must explicitly assign the permissions to each object through an ACL attached as a subresource to that object.
91
What is password policy?
A password policy can be defined for enforcing password length, complexity etc. (applies to all users). You can allow or disallow the ability to change passwords using an IAM policy, and you should attach this to the group that contains the users, not to the individual users themselves.
92
What is SNI for?
With Server Name Indication (SNI), a client indicates the hostname to connect to. SNI supports multiple secure websites using a single secure listener.
93
What is EMR for?
Elastic MapReduce (EMR) is used for processing and analyzing data using the Hadoop framework. It is not used for transforming streaming data.
94
What is CloudFormation Stack for?
AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation.
95
What can be used to cache static content?
CloudFront is ideal for caching static content such as the files in this scenario and would increase performance.
96
Where can Kinesis Firehose export to?
Kinesis Firehose captures, transforms, and loads streaming data into “destinations” such as S3, Redshift, Elasticsearch and Splunk.
97
FIFO can process sequentially. What else?
Kinesis Streams
98
What is Athena for?
Querying, such as SQL queries, of data in S3 buckets.
99
What is scheduled scaling?
Scheduled scaling: scaling based on a schedule allows you to set your own scaling schedule for predictable load changes. To configure your Auto Scaling group to scale based on a schedule, you create a scheduled action. This is ideal for situations where you know when and for how long you are going to need the additional capacity.
100
What is an interface VPC endpoint for?
Other AWS principals can create a connection from their VPC to your endpoint service using an interface VPC endpoint. => To connect to another VPC’s endpoint service.
101
What is server access logging for?
Server access logging provides detailed records for the requests that are made to a bucket. To track requests for access to your bucket, you can enable server access logging. Each access log record provides details about a single access request, such as the requester, bucket name, request time, request action, response status, and an error code.
102
How to perform envelope encryption?
The AWS KMS API can be used for encrypting data keys (envelope encryption).
103
What is AWS certificate manager for?
AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.
104
What is AWS budgets for?
AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount. Budget alerts can be sent via email and/or an Amazon Simple Notification Service (SNS) topic.
105
What is AWS cost explorer?
The AWS Cost Explorer is a free tool that allows you to view charts of your costs.
106
What can AWS billing dashboard do?
The AWS Billing Dashboard can send alerts when your bill reaches certain thresholds, but you must use AWS Budgets to create custom budgets that notify you when you are forecast to exceed a budget.
107
How can you connect to an EC2 instance?
Key pairs.
108
What is NAT Gateway?
NAT Gateway: a ‘middle-man’ sitting in your public subnet between your private subnet and the internet. Used e.g. to download updates for your instances or servers in the private subnet. Blocks all incoming traffic. Limited to 45 Gbps.
109
What is NAT instance?
NAT Instance: basically the same as a NAT Gateway, except that you’re launching and controlling the instance (i.e. the same as setting up an RDS versus creating an EC2 and using that as a server). You generally just want to use a NAT Gateway, which is managed and also redundant across multiple EC2.
110
What is ENI?
eth0 (cannot be moved), eth1 (can be detached and attached to other instances). Elastic Network Interface (ENI): can be used to attach multiple network interfaces to an instance, e.g. when you want one network interface in the public subnet with access to the internet, and another network interface on the same instance in a private subnet with access to the corporate network.
111
What is a bastion host for?
Bastion Host: used to securely deliver remote (SSH / RDP) access to instances in a private subnet through the public internet. So, Bastion Hosts are used for secure access to instances in other networks, whereas NAT Gateways/Instances are used for outbound traffic, e.g. to fetch an update for the server from the internet.
112
What is IGW for?
Internet Gateway (IGW): serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses. What makes a subnet public is basically whether the subnet’s route table directs traffic to the internet gateway.
113
What is anycast IP for?
Anycast IP: allows multiple instances to share the same IP address and is used with AWS Global Accelerator to give access to the instance that is closest to the user.
114
What is WAF for?
AWS WAF: a web application firewall service that helps protect your web apps from common exploits that could affect app availability, compromise security, or consume excessive resources. Although this can help you against DDoS attacks, AWS WAF alone is not enough to fully protect your VPC.
115
What is Firewall Manager for?
AWS Firewall Manager: simplifies your AWS WAF administration and maintenance tasks across multiple accounts and resources.
116
What is GuardDuty?
Amazon GuardDuty: an intelligent threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads.
117
What is Transit Gateway for?
AWS Transit Gateway: enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway. With AWS Transit Gateway, you only have to create and manage a single connection from the central gateway into each Amazon VPC, on-premises data center, or remote office across your network.
118
What is Run Command for?
Run Command: enables you to automate common administrative tasks and perform ad hoc configuration changes at scale. You can use Run Command from the console to configure instances without having to log in to each instance.
119
What is EC2Config for?
Windows. Windows AMIs for Windows Server 2012 R2 and earlier include an optional service, the EC2Config service. EC2Config runs initial startup tasks when the instance is first started and then disables the
120
What is AWS Config for?
It enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
121
What is AWS Workspaces?
Amazon WorkSpaces is a managed, secure Desktop-as-a-Service (DaaS) solution. You can use Amazon WorkSpaces to provision either Windows or Linux desktops in just a few minutes and quickly scale to provide thousands of desktops to workers across the globe.
122
What is Neptune for?
Graph databases. AWS Neptune: fast, reliable, fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets.
123
What is AWS Inspector?
Amazon Inspector: an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.
124
What is short and long polling?
AWS SQS polling: the ReceiveMessageWaitTimeSeconds queue attribute determines whether you are using short or long polling. By default, its value is zero, which means it is using short polling. If it is set to a value greater than zero, then it is long polling.
125
What is ROA for?
A ROA authorizes Amazon to advertise an address range under a specific AS number. Used for Bring Your Own IP (BYOIP) when you want to transfer an on-premises IP range to AWS.
126
What is CodeDeploy for?
CodeDeploy: a fully managed deployment service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Fargate, AWS Lambda, and your on-premises servers.
127
What is a Lambda invocation?
When a Lambda function is called (invoked). Invoke = cause a procedure to be carried out.
128
What is the CloudWatch Logs agent?
CloudWatch Logs agent: provides an automated way to send log data to CloudWatch Logs from Amazon EC2 instances. A plug-in to the AWS CLI that pushes log data to CloudWatch Logs. A script (daemon) that initiates the process to push data to CloudWatch Logs. A cron job that ensures that the daemon is always running.
129
What is FSx for Lustre for?
Launch and run the world’s most popular high-performance file system. For workloads where speed matters, such as machine learning, high-performance computing (HPC), video processing, and financial modeling. Works natively with S3 with a high-performance POSIX interface.
130
What is Direct Connect?
Dedicated network connection from your premises to AWS. Connects you to a region and all AZs within that region.
131
What is consolidated billing?
AWS Consolidated Billing: consolidate billing and payment for multiple AWS accounts or multiple Amazon Internet Services accounts. Every organization in AWS Organizations has a master (payer) account that pays the charges of all the member (linked) accounts.
132
What does cross account access allow?
IAM cross-account access: by setting up cross-account access in this way, you don't need to create individual IAM users in each account. In addition, users don't have to sign out of one account and sign in to another in order to access resources in different AWS accounts.
133
What is LDAP for?
Read and write to AD. Lightweight Directory Access Protocol (LDAP): a standard communications protocol used to read and write data to and from Active Directory. Some applications use LDAP to add, remove, or search users and groups in Active Directory, or to transport credentials for authenticating users in Active Directory.
134
What is DynamoDB Global Tables?
Global Tables: provides a fully managed solution for deploying a multi-region, multi-master database.
135
What is cluster subnet group for?
Cluster Subnet Group: allows you to specify a set of subnets in your VPC.
136
How to set up S3 static website?
S3 Static Website: bucket name the same as the website, and an Alias Record pointing to the bucket.
137
What is size limit for DynamoDB?
The cumulative size of attributes per item must fit within the maximum DynamoDB item size (400 KB). Recommended to use S3 to store objects larger than 400 KB.
138
How does Aurora Global database work?
Aurora Global Database: designed for globally distributed applications, allowing a single Amazon Aurora database to span multiple AWS regions.