Review Flashcards
Monthly billing for Lambda is based on what?
Number of execution requests and execution time, rounded to the nearest 100 ms.
Which section is compulsory in a CloudFormation template (CFT)?
Resources
Maximum size of an item in a DynamoDB table
400 KB
Which AWS service supports infrastructure as code?
CloudFormation
A load balancer can span across?
Multiple AZs
What can be used to provide internet connectivity to the resources residing in a private subnet?
Internet gateway.
CloudWatch
Cannot be deleted manually.
Data stored in S3 can be accessed from?
Anywhere across the internet.
By default, which of the following metrics are not supported by CloudWatch?
Memory free/used.
Which service is used along with S3 to enable S3 Transfer Acceleration?
CloudFront
MySQL RDS instance
Cannot be stopped or paused. To save money, the user needs to take a final snapshot, terminate the instance and launch a new instance in the future from that snapshot.
Elastic Load Balancing
Use an SSL certificate in order to improve your system security. Use AWS Identity and Access Management to upload your certificate to your load balancer.
SQS time to live
1 minute to 2 weeks
SQS data size in a message
256 KB
EBS volume
It is required to mount the device when a user creates an EBS volume and attaches it as a device.
DynamoDB access
Amazon DynamoDB integrates with AWS Identity and Access Management (IAM). You can use AWS IAM to grant access to Amazon DynamoDB resources and API actions. To do this, you first write an AWS IAM policy, which is a document that explicitly lists the permissions you want to grant. You then attach that policy to an AWS IAM user or role.
Best suitable option to allow access to the log bucket.
Provide an ACL for the logging group.
CloudFormation
Gives developers and systems administrators an easy way to create and manage collections of AWS resources. You can now set Read Replicas for your databases with RDS when you create a new CloudFormation template.
AWS RDS with Multi-AZ feature
The user cannot provision the availability zone; RDS launches it automatically instead.
The user needs to specify whether it is Multi-AZ or not.
AWS Elastic Beanstalk
Supports multiple running environments.
EC2-Classic
AWS does not provide a fixed MAC address to the instances launched in EC2-Classic. If the instance is launched as a part of EC2-VPC, it can have an ENI which can have a fixed MAC. However, with EC2-Classic, every time the instance is started or stopped it will have a new MAC address. To get this MAC, the organization can run a script on boot which can fetch the instance metadata and get the MAC address from that instance metadata.
IAM user
IAM users by default cannot change their password. The root owner or IAM administrator needs to set the policy in the password policy page, which should allow the user to change their password. Once it is enabled, the IAM user can always change their passwords from the AWS console or CLI.
EBS volume
Provides persistent data storage. The user can attach a volume to any instance provided they are both in the same AZ.
ReceiveMessageWaitTimeSeconds
When set to greater than zero, enables long polling. Long polling allows the Amazon SQS service to wait until a message is available in the queue before sending a response.
S3 bucket policies
Require a Principal to be defined.
If you do not ensure that DNS is re-resolved or use multiple test clients to simulate increased load, the test may continue to hit a single IP address when Elastic Load Balancing has actually allocated many more IP addresses. Because your end users will not all be resolving to that single IP address, your test will not be a realistic sampling of real-world behavior.
Use a third-party load-testing service to send requests from globally distributed clients; force the software-based load tester to re-resolve DNS before every request.
MissingSecurityHeader
400 Bad Request would be the HTTP response code for MissingSecurityHeader.
S3:ReducedRedundancyLostObject
S3 provides the S3:ReducedRedundancyLostObject notification for objects that are using the Reduced Redundancy Storage class on Amazon S3. This notification is used with SNS and sends a JSON object notification to the subscribed SNS topics if an object is lost by Amazon S3. This allows you to create automation and be informed when RRS (99.99% durability storage) has an object data loss from one of your buckets. AWS now supports event notifications for object creation as well.
API call to attach an EBS volume to an EC2 instance
AttachVolume
Necessary steps to set up a static website on S3.
Upload an index document to your S3 bucket; enable static website hosting in your S3 bucket properties; select the “Make Public” permission for your bucket’s objects.
What is the API call used when authenticating users against a Web Identity Provider (like Facebook, Google, Amazon, etc.)?
AssumeRoleWithWebIdentity API call while passing the provider’s token and specifying the ARN (Amazon Resource Number) for the IAM Role.
What is the default timeout of Temporary Security Credentials issued by AWS after a user has authenticated with a third-party Identity Provider?
1 hour – minimum is 15 minutes
In what order are atomic counters written to DynamoDB?
All write requests are applied in the order in which they are received.
ec2-net-utils
For AWS Linux, it is a package that configures additional network interfaces that the user can attach while the instance is running, refreshes secondary IP addresses during DHCP lease renewal, and updates the related routing rules.
Send push notifications to mobile devices using SNS and ADM
Need to obtain the Registration ID and Client Secret. You do not need a Device Token.
MS SQL RDS
Does not support Multi-AZ.
How to configure termination policies?
Either specify any one of the policies as a standalone policy or list multiple policies in an ordered list.
S3 bucket ACL
Can grant permission to the S3 Log Delivery group to write access log objects to the user’s bucket.
Elastic Beanstalk
Supports multiple environments.
ec2-share-image-attribute
Shares an image.
IAM role
IAM roles are based on temporary security tokens, so they are rotated automatically. Keys in the source code cannot be rotated (and are a very bad idea). It’s impossible to retrieve credentials from an S3 bucket if you don’t already have credentials for that bucket. Active Directory authorization will not grant access to AWS resources.
Which relational database engines does Amazon RDS support?
Amazon RDS supports Amazon Aurora, MySQL, MariaDB, Oracle, SQL Server, and PostgreSQL database engines.
The default interval for CloudWatch metrics
1 minute?
How to attach a volume to an EC2 instance from a different AZ?
Take a snapshot of the volume and create a new volume in the instance’s AZ, then attach it.
Multiple IAM group policies
Always aggregated.
Connect to RDS (MySQL)
Open port 3306 in the security group for MySQL.
Can a user create a larger EBS volume from an existing snapshot with a smaller size?
Yes, the user needs to change the size of the device with resize…
AWS ELB with custom domain
By creating a CNAME with the existing domain name service provider;
by creating a record with Route 53.
Can be used to bootstrap both the Chef Server and Chef Client software
CloudFormation
Amazon RDS DB instance backup
Automated backups and DB snapshots.
CLI commands for EC2 instances
ec2-accept-vpc-peering-connection; ec2-allocate-address; ec2-assign-private-ip-address; ec2-associate-address; ec2-associate-dhcp-options; ec2-associate-route-table; ec2-attach-internet-gateway; ec2-attach-network-interface (not ec2-allocate-interface).
SQS security
SQS uses either your Access Key ID or an X.509 certificate to authenticate your identity.
X-Forwarded-Port
Identifies the port used by the client while making the request to the ELB.
Tag limits
10 tags per load balancer;
max key length 127;
max value length 255;
keys and values are case sensitive.
DB parameter group
Contains engine configuration values that can be applied to one or more DB instances of the same instance type.
RDS charge
On a pay-as-you-go basis. It charges the user based on the instance type, the number of hours that the instance is running, data transfer, and storage cost as well as I/O requests. Monitoring is free of cost.
SQS free tier message limit
1 million
Does SQS allow anonymous access to a queue?
Yes
Can an AMI launch an EC2 instance within the same region?
Yes
AWS console for DynamoDB
Can set up alarms to monitor your table’s capacity usage;
create, update, and delete tables;
view your table’s top monitoring metrics on real-time graphs from CloudWatch.
Cannot import data from other databases or from files.
Shared responsibility
Customer’s responsibility:
life-cycle management of IAM credentials;
security group and ACL settings;
encryption of EBS volumes;
patch management on the EC2 instance’s OS.
AWS responsibility:
decommissioning storage devices (?);
controlling physical access to compute resources.
Manual Auto Scaling
Modify the desired capacity. If the user is using the CLI, use the command as-set-desired-capacity --desired-capacity
Account alias
Has to be unique, so different accounts cannot have the same alias.
EBS-Optimized instance
the Provisioned IOPS volumes are designed to deliver within 10% of the provisioned IOPS performance 99.9% of the time in a given year.
Subnet to route table
One subnet must be associated with exactly one route table. However, multiple subnets can be associated with the same route table.
SWF – Markers
Enable you to record information in the workflow execution history that you can use for any custom or scenario-specific purpose.
Tracking usage
The cost of an IAM user or group can never be tracked separately for the purpose of billing. Usage tracking is only at the account level.
Default visibility timeout
30 seconds.
Creating an EBS volume
The user can attach multiple volumes to the same instance and stripe them together to increase the I/O, and can take a snapshot from the existing volume but cannot create an AMI from the volume. The user can create an AMI from a snapshot.
The longest duration for which the user can retain the automated backup?
35 days
/dev/sda1
Reserved for the root device on Linux instances.
Glacier resources
Vaults and archives are core data model concepts;
a job is required to initiate download of an archive;
a notification configuration is required to send the user a notification when an archive is available for download.
SNS delivery transports
HTTP, SMS; not UDP.
Peek a message in Amazon SQS
The PeekMessage action has been removed from Amazon SQS. It was mainly for debugging. To do this, you can log the message ID and the receipt handle for your messages and correlate them to confirm when a message has been received and deleted.
When to use an object ACL?
An object ACL is the only way to manage access to objects not owned by the bucket owner;
permissions vary by object and you need to manage permissions at the object level
(an object ACL is also limited to a maximum of 100 grants);
object ACLs control only object-level permissions.
When to use a bucket ACL
To grant write permission to the Amazon S3 Log Delivery group to write access log objects to your bucket.
When to use a bucket policy
You want to manage cross-account permissions for all Amazon S3 permissions.
Protocols and ports
SSH – port 22
RDP – port 3389
TCP, UDP – port 3306 – MySQL
AWS OpsWorks
A configuration management service that uses Chef, an automation platform that treats server configurations as code.
Has 2 offerings: AWS OpsWorks for Chef Automate and AWS OpsWorks Stacks.
Shared responsibility – AWS
AWS global infrastructure: AZs, regions, edge locations;
compute, storage, database, networking.
Shared responsibility – Customer
Platform, applications, IAM; OS, network and firewall configuration; client-side data encryption, server-side data encryption, network traffic protection.
AWS Products – Compute
EC2; EC2 Auto Scaling; Elastic Container Service; Elastic Container Service for Kubernetes; Elastic Container Registry; Amazon Lightsail; AWS Batch; Elastic Beanstalk; AWS Fargate; Lambda; Serverless Application Repository; VMware Cloud on AWS.
AWS Products – Storage
S3; EBS; Elastic File System; Glacier; Storage Gateway; Snowball; Snowball Edge; Snowmobile.
AWS Products – Database
Aurora; RDS; DynamoDB; ElastiCache; Redshift; Neptune; Database Migration Service.
AWS Products – Migration
Application Discovery Service; Database Migration Service; Migration Hub; Server Migration Service; Snowball; Snowball Edge; Snowmobile.
AWS Products – Networking & Content Delivery
VPC; CloudFront; Route 53; API Gateway; Direct Connect; Elastic Load Balancing.
SNS endpoint protocols
HTTP(S); Email; Email-JSON; SQS; Application; AWS Lambda; SMS (Short Message Service)
Maximum number of SWF domains in an account
100
Limit on the size of an item collection
10 GB
Smallest amount of reserved capacity
100 capacity units
Can data be saved when a stack is deleted in CloudFormation?
Yes, by defining a deletion policy. You can specify that snapshots be created before it is deleted. You can also specify that a resource should be preserved and not deleted when the stack is deleted.
Identify security weaknesses
Perform SQL injection for application testing;
penetration testing – as performed by attackers to find any vulnerability;
hardening test – to find if there are any unnecessary ports open; perform SQL injection to find any DB security issues.
Not this one – code memory checks are generally useful when the organization wants to improve application performance.
ItemCollectionSizeLimitExceededException
For a table with a local secondary index, a group of items with the same partition key value has exceeded the maximum size limit of 10 GB.
BundleInstance
Bundles an Amazon instance store-backed Windows instance. During bundling, only the root device volume is bundled. Data on other instance store volumes is not preserved.
This action is not applicable for Linux instances, or Windows instances that are backed by Amazon EBS.
BatchGetItem
Can retrieve a maximum of 100 items, total size < 16 MB.
Limit on data that can be retrieved by a Scan operation
1 MB
Max SWF workflows per domain
10,000
Elastic MapReduce
Allows organizations to do complex analysis on large volumes of data.
Available SDKs
Android, iOS, JavaScript, Java, .NET, Node.js, PHP, Python, Ruby, Go, C++
Shared responsibility – AWS
Restricting access to the data centers;
proper destruction of decommissioned disks;
patching of firmware for the hardware on which your AWS resources reside.
By default, subnets within a custom VPC
Can communicate with each other, across availability zones.
SQS was the first service on the AWS platform?
yes
In Identity and Access Management, you can use SAML (Security Assertion Markup Language 2.0) to give your federated users single sign-on (SSO) access to the AWS Management Console?
Yes
Free services
Auto Scaling;
Elastic Beanstalk;
VPC;
CloudFormation.
What is the name of the API call used to request temporary security credentials from the AWS platform when federating with Active Directory?
AssumeRoleWithSAML
The steps when using Active Directory to authenticate to AWS:
1) The user navigates to the ADFS web server. 2) The user enters their single sign-on credentials. 3) The user’s web browser receives a SAML assertion from the AD server. 4) The user’s browser then posts the SAML assertion to the AWS SAML endpoint, and the AssumeRoleWithSAML API request is used to request temporary security credentials. 5) The user is then able to access the AWS Console.
What are the CIA and AAA models, ingress vs. egress filtering, and which AWS services and features fit?
CIA are the fundamentals of information security: Confidentiality (generally encryption), Integrity (the accuracy of a message or server, i.e. a hash value), Availability (availability of a service).
AAA is authentication, authorization, and accounting: who you are (identification), what you are allowed to do (privileges), and audit.
ReturnItemCollectionMetrics
Set this parameter to SIZE to monitor item collection size.
HTTP status codes
400 – IncompleteSignature; MissingAction;
InvalidParameterValue; MissingParameter; InvalidDigest; InvalidBucketName; IncompleteBody;
403 – OptInRequired; InvalidClientToken; MalformedQueryString; InvalidObjectState.
DynamoDB limits
Sort key – 1024
Partition key – 2048
Elastic Beanstalk supported platforms
Elastic Beanstalk provides platforms for programming languages (Java, PHP, Python, Ruby, Go), web containers (Tomcat, Passenger, Puma) and Docker containers, with multiple configurations of each.
Securely upload/download data to Amazon S3
Via SSL endpoints using the HTTPS protocol.
ListTables
To obtain a list of all your tables, use the ListTables operation. A single ListTables call can return a maximum of 100 table names; if you have more than 100 tables, you can request that ListTables return paginated results, so that you can retrieve all of the table names.
BatchWriteItem
The BatchWriteItem operation puts or deletes multiple items in one or more tables. When called in a loop, it also checks for unprocessed items and submits a new BatchWriteItem request with those unprocessed items until all items have been processed.
Features supported by RDS
Automated backup; automated failure detection and recovery;
automated software patching;
scaling is not automated and the user needs to plan it with a few clicks.
What to do to ensure that EC2 instances accept requests only from the ELB?
Remove all the rules set for the other requests and open the port only for the ELB source security group, meaning configure the security group of the EC2 instances to allow access from the ELB source security group.
Maximum number of stacks per CloudFormation template
20
How can you secure data at rest on an EBS volume?
Use an encrypted file system on top of the EBS volume?
RDS DB instance
Is an isolated DB environment provided by AWS in which the user can create more than one database. The maximum size of the instance should be between 5 GB and 3 TB; the size of each DB can be anything in this range.
CloudFormation
can be used to bootstrap both the Chef Server and Chef Client software.
Registering an activity in Amazon SWF
Provide: name, version, and timeout values based on how long you expect the activity to take. You do not need to provide the domain.
Access RDS from an EC2 instance using an IP address. Both are in the same region but in different AZs. How to configure it so the instance is accessed faster?
Specify an IP range in the RDS security group. AWS recommends using the private IP address of the Amazon EC2 instance. This provides a more direct network route from the Amazon EC2 instance to the RDS DB instance and does not incur network charges for the data sent outside of the Amazon network.
How to know account limits
as-describe-account-limits / calling the DescribeAccountLimits action
Hosting MS SQL on an EBS volume vs RDS
RDS provides an automated backup feature; PIOPS is available with both RDS and EBS. HA is not available with MS SQL.
Setting up an ELB, what is to be considered so the instance gets registered with the ELB?
IP address.
Using RDS with MySQL
RDS charges the user on a pay-as-you-go basis. It charges the user based on the instance type, the number of hours that the instance is running, data transfer, and storage cost as well as I/O requests. Monitoring is free of cost.
Does CloudFormation allow you to create Microsoft Windows stacks?
Yes. Based on EC2 Windows AMIs, it provides you with the ability to install software, to use Remote Desktop to access your stack, and to update and configure your stack.
Can a user get a notification of each instance start/terminate configured with Auto Scaling?
Yes, if configured with the Auto Scaling group.
To achieve automated scaling
EC2; CloudWatch will be used to monitor the resources, and based on the scaling need it will trigger policies.
Advantages of DynamoDB on SSD
Low request pricing; serves high-scale request workloads; low-latency response time; high I/O performance of SSD. (Not WebApp)
AWS cannot assign public IPs to a network interface?
Yes; assign an EIP.
Features that can be used to restrict access to data in S3
Set an S3 bucket policy;
set an S3 ACL on the bucket or the object.
Configuring an IAM policy from the AWS console
Use the policy generator;
use a custom policy;
assign no permissions;
the policy simulator is not available in the console.
Products and features that can be deployed by Elastic Beanstalk
Auto Scaling groups;
Elastic Load Balancers;
RDS instances.
The AWS console for DynamoDB cannot import data from other databases or from files.
Set up alarms to monitor table capacity usage;
create, … delete tables;
view your table’s top monitoring metrics on real-time graphs from CloudWatch.
How many workflow types, activity types, and domains can I register with Amazon SWF?
You can have a maximum of 10,000 workflow and activity types (in total) that are either registered or deprecated in each domain. You can have a maximum of 100 Amazon SWF domains (including registered and deprecated domains) in your AWS account.
Are there limits on the number of workflow executions that I can run simultaneously?
At any given time, you can have a maximum of 100,000 open executions in a domain.
Can data be saved when a stack is deleted in CloudFormation?
AWS CloudFormation allows you to define deletion policies for resources in the template. You can specify that snapshots be created for Amazon EBS volumes or Amazon RDS database instances before they are deleted. You can also specify that a resource should be preserved and not deleted when the stack is deleted. This is useful for preserving Amazon S3 buckets when the stack is deleted.
ListStackResources
Returns descriptions of all resources of the specified stack.
For deleted stacks, list-stack-resources returns resource information for up to 90 days after the stack has been deleted.
AWS OpsWorks
AWS OpsWorks is a configuration management service that uses Chef, an automation platform that treats server configurations as code. OpsWorks uses Chef to automate how servers are configured, deployed, and managed across your Amazon Elastic Compute Cloud (Amazon EC2) instances or on-premises compute environments. OpsWorks has two offerings, AWS OpsWorks for Chef Automate and AWS OpsWorks Stacks.
CreatePlatformEndpoint
Creates an endpoint for a device and mobile app on one of the supported push notification services, such as GCM and APNS. CreatePlatformEndpoint requires the PlatformApplicationArn that is returned from CreatePlatformApplication. The EndpointArn that is returned when using CreatePlatformEndpoint can then be used by the Publish action to send a message to a mobile app or by the Subscribe action for subscription to a topic.
Cloud resources powering my AWS Elastic Beanstalk application?
EC2, RDS, ELB, Auto Scaling, S3, SNS
SNS APIs
CreateTopic – Create a new topic.
DeleteTopic – Delete a previously created topic.
ListTopics – List of topics owned by a particular user (AWS ID).
ListSubscriptionsByTopic – List of subscriptions for a particular topic.
SetTopicAttributes – Set/modify topic attributes, including setting and modifying publisher/subscriber permissions, transports supported, etc.
GetTopicAttributes – Get/view existing attributes of a topic.
AddPermission – Grant access to selected users for the specified actions.
RemovePermission – Remove permissions for selected users for the specified actions.
Topic limits
10 million subscriptions per topic;
100,000 topics per account;
SWF limits
100 domains per account;
10,000 workflow and activity types in each domain.
How can you ensure maximum protection of preserved versions in S3?
MFA
Ref function of AWS::EC2::EIP
Returns the instance public IP.
Limit on parameters in a CloudFormation template
60
AWS Flow Framework
Enables you to develop Amazon SWF-based applications quickly and easily.
Open activity tasks per workflow execution in SWF
1000
SWF
Manages your workflow execution history and other details of your workflows across 3 availability zones.
Connection draining
Timeout value – 1 second to 1 hour; default 5 minutes.
Max subnets in a VPC
200