Summary Flashcards
Receive alerts when reservation utilization falls below a threshold
AWS Budgets (reservation utilization and coverage budgets)
Amazon S3 vs EFS
S3 does not support file append like EFS
AWS Neptune
Build and run graph applications
Support Plans
Feature                        | Developer               | Business       | Enterprise On-Ramp | Enterprise
Fastest response (worst case)  | < 12 hrs                | < 1 hr         | < 30 mins          | < 15 mins
TAM                            | -                       | -              | pool of TAMs       | designated TAM
Access                         | business hours, email   | 24/7           | 24/7               | 24/7
AWS Support API                | -                       | yes            | yes                | yes
AWS Managed Services           | -                       | -              | additional fee     | additional fee
re:Post Private                | -                       | -              | additional fee     | additional fee
Incident Detection and Response| -                       | -              | -                  | additional fee
Access to architectural reviews| -                       | -              | yes                | yes
MFA devices
- FIDO security key (U2F/FIDO2) - Plugs into a USB port on your computer (or taps over NFC). Authenticated by touching the device instead of manually entering a code
- Virtual Multi-Factor Authentication (AWS MFA) device - Software app that runs on a phone or other device and emulates a physical device. Authenticated by typing a valid code from the device
- Hardware Multi-Factor Authentication (AWS MFA) device - Hardware device that generates a six-digit numeric code. Authenticated by typing a valid code from the device
- SMS text message-based Multi-Factor Authentication (AWS MFA) - IAM user settings include the phone number of the user's SMS-compatible mobile device. Authenticated by a one-time code sent by SMS (legacy option; AWS no longer enrolls new SMS MFA users)
Disaster Recovery Plans (Amazon RDS)
Automated backups - Same region; point-in-time restore within the retention window (up to 35 days)
Manual snapshots - Kept until you delete them; can be copied cross region
Read replicas - Can be cross region; promote the replica for the lowest RTO and RPO
Amazon EC2 instance user data and metadata
Bootstrap script or configuration parameters while launching your instance
Metadata is data about your instance that you can use to manage the instance
S3 pricing
There are four cost components to consider for S3 pricing –
storage pricing;
request and data retrieval pricing;
data transfer and transfer acceleration pricing;
and data management features pricing.
Under "Data Transfer", you pay for all bandwidth into and out of Amazon S3, except for the following:
(1) Data transferred in from the internet,
(2) Data transferred out to an Amazon Elastic Compute Cloud (Amazon EC2) instance, when the instance is in the same AWS Region as the S3 bucket,
(3) Data transferred out to Amazon CloudFront (CloudFront).
AWS Web Application Firewall (AWS WAF) lets you monitor the HTTP and HTTPS requests that are forwarded to:
- Application Load Balancer
- Amazon CloudFront
- Amazon API Gateway
- AWS AppSync
Billing alarms
CloudWatch
AWS Shield Advanced provides protection for the following AWS Services
- EC2,
- Elastic Load Balancing,
- Amazon CloudFront,
- Amazon Route 53,
- AWS Global Accelerator
Which of the following is available across all AWS Support plans
AWS Health Dashboard – Your account health
Key components of S3 Glacier
- Access Policy
- Archive
- Vault
Routing algorithm for ALB
ALB evaluates the listener's routing rules to pick a target group, then selects a target in that group using round robin (or least outstanding requests, if configured)
The Classic Load Balancer uses round robin for TCP listeners and least outstanding requests for HTTP/HTTPS listeners
Bucket Policies and ACLs wrt to S3
Bucket policies control access to the entire bucket (and, with conditions, to prefixes); ACLs grant access to individual objects. ACLs are legacy: new buckets disable them by default (Object Ownership = Bucket owner enforced), so prefer bucket policies
URL structure of S3
https://<bucket>.s3.<region>.amazonaws.com/<object-key> (virtual-hosted style); path style is https://s3.<region>.amazonaws.com/<bucket>/<object-key>
Amazon Glacier components
Archive, Vault (group of archives) and Access Policies (to control access to archives and vaults)
Database migration services
Can migrate to and from AWS and on-premises
Can migrate from EC2 to RDS
Can migrate to Redshift and DynamoDB
VPC Peering some facts
It works across regions and between different AWS accounts
It is not transitive (A-B and B-C peerings do not give A-C) and the VPCs' CIDR blocks must not overlap
Commonly used to reach replicated data in another VPC for fault tolerance, DR and redundancy
Inter-region peering traffic is encrypted by default; intra-region peering traffic stays on the AWS network but is not encrypted by default
TCO
Total Cost of Ownership: compares the full cost of running workloads on premises (hardware, facilities, power, staff, licences) with running them on AWS; the AWS Pricing Calculator estimates the AWS side
DataSync
Transfer from on-premises to AWS storage services (S3, EFS, FSx)
Between AWS storage services
From other public clouds to AWS storage services
Moves file and object data (one-off or scheduled syncs) vs DMS, which migrates databases only
Athena some facts
Serverless query service
Interactive query service that makes it easy to analyze unstructured, semi-structured and structured data stored in Amazon S3 using standard SQL
Compatible with CSV, JSON, Avro and columnar formats such as Apache Parquet and Apache ORC
DynamoDB Backups, who configures and who takes backup?
Customer enables on-demand backups or point-in-time recovery (PITR); AWS takes the backups (PITR restores to any second in the last 35 days)
AppSync
Simplify application development with GraphQL APIs by providing a single endpoint to securely query or update data from multiple databases, microservices, and APIs
Consolidate data from multiple databases, APIs, and microservices in a single network call, from a single endpoint, abstracting backend complexity
Amplify
Facilitate the development and deployment of web and mobile applications. Quickly build full-stack applications
AWS Firewall Manager
Simplifies your administration and maintenance tasks across multiple accounts and resources for a variety of protections, including AWS WAF, AWS Shield Advanced, Amazon VPC security groups, AWS Network Firewall, and Amazon Route 53 Resolver DNS Firewall. It does not work with Network ACLs
Security Hub collects security data across AWS accounts, AWS services, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues
SCPs
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization.
Not enabled by default; you enable the SCP policy type on the organization root (requires all features enabled in AWS Organizations)
SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines
SCPs alone are not sufficient in granting permissions to the accounts in your organization. No permissions are granted by an SCP. An SCP defines a guardrail, or sets limits, on the actions that the account’s administrator can delegate to the IAM users and roles in the affected accounts.
The administrator must still attach identity-based or resource-based policies to IAM users or roles, or to the resources in your accounts to actually grant permissions.
The effective permissions are the logical intersection between what is allowed by the SCP and what is allowed by the IAM and resource-based policies. SCPs do not apply to the management account or to service-linked roles
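Worked example of the intersection rule above, added here and not AWS code: a toy evaluator over constructed SCP and identity policy documents. It ignores resource-based policies, permission boundaries and Condition blocks, and treats the scps list as one effective SCP per level of the OU path (both are assumptions made to keep the model small).

```python
"""
Toy evaluator for how SCPs and identity-based policies combine.
Added example (not AWS code): the policy documents are constructed and
the model is deliberately simplified (assumptions): no resource-based
policies, permission boundaries, session policies or Condition blocks;
only Action/NotAction matching with IAM-style '*' and '?' wildcards.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_matches(stmt, action):
    """Does this statement's Action/NotAction cover the requested action?"""
    if "Action" in stmt:
        return any(fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(stmt["Action"]))
    return not any(fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(stmt["NotAction"]))


def evaluate_policy(policy, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document.
    An explicit Deny always beats an Allow in the same document."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    decision = "ImplicitDeny"
    for stmt in statements:
        if not _statement_matches(stmt, action):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_allowed(action, scps, identity_policies):
    """Effective permission is the intersection: every SCP in the path
    (assumption: one effective SCP per level, root -> OU -> account) must
    Allow, and at least one identity policy must Allow. Any explicit Deny
    anywhere wins, and an SCP on its own never grants anything."""
    scp_decisions = [evaluate_policy(p, action) for p in scps]
    iam_decisions = [evaluate_policy(p, action) for p in identity_policies]
    if "Deny" in scp_decisions or "Deny" in iam_decisions:
        return False
    if any(d != "Allow" for d in scp_decisions):
        return False
    return "Allow" in iam_decisions


# Constructed sample policies.
ROOT_SCP = {"Statement": [{"Effect": "Allow", "Action": "*"}]}   # like FullAWSAccess
OU_GUARDRAIL_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*"},
    # nobody in this OU, admins included, may switch off the audit trail
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]},
]}
ALLOWLIST_SCP = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"]}]}

ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
S3_READONLY_POLICY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"]}]}


def demo():
    """A few decisions that illustrate the intersection rule."""
    path = [ROOT_SCP, OU_GUARDRAIL_SCP]
    return {
        "readonly reads object": is_allowed("s3:GetObject", path, [S3_READONLY_POLICY]),
        "readonly writes object": is_allowed("s3:PutObject", path, [S3_READONLY_POLICY]),
        "admin stops cloudtrail": is_allowed("cloudtrail:StopLogging", path, [ADMIN_POLICY]),
        "admin under allowlist creates user": is_allowed("iam:CreateUser", [ROOT_SCP, ALLOWLIST_SCP], [ADMIN_POLICY]),
        "scp alone grants nothing": is_allowed("ec2:RunInstances", [ROOT_SCP, ALLOWLIST_SCP], []),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:36s} -> {'ALLOW' if allowed else 'DENY'}")
```

The CloudTrail case is the one to remember: the administrator's Allow * is useless against the OU guardrail's Deny, while the allow-list SCP on its own grants nothing to an identity that has no IAM policy at all.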
If an instance store reboots, does the data in the instance persist?
Yes, data on an instance store survives a reboot, but it is lost on stop, hibernate, terminate or failure of the underlying disk/host
Which tool lets you visualise and manage your AWS costs?
AWS Cost Explorer
Which AWS service reduces network latency?
CloudFront
Which Amazon S3 storage class has the lowest cost?
S3 Glacier Deep Archive
Which perspective of the AWS Cloud Adoption Framework focuses on minimizing the business risks?
Governance Perspective
Which AWS service helps you build text chatbots?
Amazon Lex
What is Service Quotas in AWS?
Quotas, also referred to as limits in AWS services, are the maximum values for the resources, actions, and items in your AWS account
Scope of VPC
A VPC can span all Availability Zones within an AWS Region
AWS Resource Explorer
Facilitates resource search and discovery within AWS accounts
AWS Knowledge Center
Available through AWS re:Post, offers official articles and videos addressing common questions and requests from AWS customers
Individual Amazon S3 objects range?
0 bytes to 5 TB
AWS Tape Gateway
Connects your on-premises backup application to a virtual tape library (VTL) over iSCSI; virtual tapes are stored in Amazon S3 and archived to S3 Glacier / Deep Archive, with no changes to the backup software
Securing EC2
- SSH directly (instance has a public IP and port 22 is exposed; private key lives on the accessing machine)
- EC2 in a private subnet reached through a bastion host in a public subnet; only the bastion is exposed to the internet (private key still on the accessing machine)
- Add MFA to the access path (on the bastion or on the IAM identity)
- SSM Session Manager (no bastion, no inbound ports, no SSH keys; the instance stays in a private subnet and reaches the Systems Manager endpoints through a NAT gateway or VPC endpoints; access is controlled by IAM and logged in CloudTrail)
Migration strategies
Rehosting — “lift-and-shift”(Copy Paste)
Replatforming — “lift-tinker-and-shift” (Minor Optimize)
Refactoring - Re-architecting (Major Optimize)
Relocate - Move infrastructure without changes (e.g. VMware vSphere to VMware Cloud on AWS)
Repurchasing — Moving to a different product
Retire — Get rid of
Retain — Usually this means “revisit” or do nothing (for now)
Amazon WorkLink
Fully managed service introduced by AWS that facilitates secure, one-click access to internal corporate websites for employees
Secure access from iOS and Android phones to internal websites and web apps, simplifying the user experience with a single-step process
Generates webpage content in the AWS cloud and transfers it to the user’s phone
AWS CloudShell
AWS CloudShell is a browser-based shell that allows users to run scripts with the AWS Command Line Interface (CLI) and experiment with service APIs
AWS Application Composer
Visual designer that you can use to build your serverless applications from multiple AWS services
Amazon Timestream
Serverless time-series database, typically used for IoT and operational metrics
Amazon S3 Object Lock
Prevent the deletion or overwriting of objects in Amazon S3 for a specified duration or indefinitely
DynamoDB vs DocumentDB
Serverless, no instances to size Vs cluster of instances that you size and scale
Usually less costly at small scale Vs more costly (instance hours)
Proprietary API (no MongoDB compatibility) Vs MongoDB-compatible API
NoSQL Vs NoSQL
Key-value items Vs JSON documents
AWS Compute Optimzer Vs Cost Explorer
Compute Optimizer delivers all recommendations regardless of the cost implications, whereas Cost Explorer's rightsizing recommendations are cost-driven only
AWS OpsWorks Vs AWS OpsHub Vs AWS Systems Manager OpsCenter Vs Amazon WorkSpaces
Configuration management service for cloud enterprises, utilizing Puppet or Chef for application configuration and operation
Vs
Unified view and automates operational tasks on AWS Snow Family devices
Vs
Capability of AWS Systems Manager that aggregates operational issues (OpsItems, e.g. from CloudWatch alarms or AWS Config) in one place for investigation and remediation
Vs
Virtual desktop service
AWS Glue Vs AWS Macie Vs AWS Neptune
ETL
Vs
PII
Vs
Graph database service
AWS Service Catalog Vs AWS Config
Create and manage catalogs of IT services that are approved for AWS
Vs
Assessing, auditing, and evaluating the configurations and relationships of resources
Amazon MQ Vs AWS SQS
Set up and operate message brokers on AWS Vs message queue(Storing messages as they travel between computers)
Network ACL Vs Security Group
Stateless (separate rules for inbound and outbound traffic, so return traffic needs its own rule, typically the ephemeral port range 1024-65535) Vs Stateful (if inbound is allowed, the response is automatically allowed)
Allow and Deny rules, evaluated in rule-number order Vs Allow rules only (implicit deny)
Subnet level Vs instance (ENI) level
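To make the stateless/stateful difference concrete, here is an added simulation (not AWS code) of one HTTPS request and its reply passing through a security group and two network ACLs. The rules, addresses and packets are constructed, and the model assumes TCP/IPv4 and a single protected instance at 10.0.1.5.

```python
"""
Stateless network ACL versus stateful security group, simulated on one
request/response pair. Added example (not AWS code); the rules, addresses
and packets are constructed. Assumptions: TCP/IPv4 only, rules match on
direction, remote CIDR and destination port range, and the filtered
endpoint is a single instance at 10.0.1.5.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def _in_cidr(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


class SecurityGroup:
    """Stateful: allow rules only; once a flow is admitted, packets in the
    reverse direction are accepted because the flow is tracked."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound      # [(remote_cidr, port_from, port_to)]
        self.outbound = outbound
        self._flows = set()         # (remote_ip, remote_port, local_port)

    def check(self, pkt, direction):
        # 'in': packet arriving at the instance; 'out': packet leaving it
        if direction == "in":
            key, rules, remote, port = (pkt.src, pkt.sport, pkt.dport), self.inbound, pkt.src, pkt.dport
        else:
            key, rules, remote, port = (pkt.dst, pkt.dport, pkt.sport), self.outbound, pkt.dst, pkt.dport
        if key in self._flows:
            return True                      # reply of a tracked flow
        if any(_in_cidr(c, remote) and lo <= port <= hi for c, lo, hi in rules):
            self._flows.add(key)
            return True
        return False                         # implicit deny; there is no explicit deny


class NetworkACL:
    """Stateless: numbered allow/deny rules, lowest number first, first match
    wins, implicit '*' deny at the end; every packet is judged on its own."""

    def __init__(self, rules):
        self.rules = sorted(rules)  # (number, direction, remote_cidr, port_from, port_to, action)

    def check(self, pkt, direction):
        remote = pkt.src if direction == "in" else pkt.dst
        for _, d, cidr, lo, hi, action in self.rules:
            if d == direction and _in_cidr(cidr, remote) and lo <= pkt.dport <= hi:
                return action == "allow"
        return False


def simulate(fw, request, reply):
    """Push a request into the instance and its reply back out through one
    filter; returns (request_allowed, reply_allowed)."""
    req_ok = fw.check(request, "in")
    rep_ok = fw.check(reply, "out") if req_ok else False
    return req_ok, rep_ok


# Constructed traffic: an internet client talks HTTPS to the instance.
REQUEST = Packet("203.0.113.10", "10.0.1.5", 51234, 443)
REPLY = Packet("10.0.1.5", "203.0.113.10", 443, 51234)
BLOCKED_REQUEST = Packet("198.51.100.7", "10.0.1.5", 40000, 443)
BLOCKED_REPLY = Packet("10.0.1.5", "198.51.100.7", 443, 40000)


def demo():
    sg = SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)], outbound=[])
    nacl_no_ephemeral = NetworkACL([
        (100, "in", "0.0.0.0/0", 443, 443, "allow"),
        (100, "out", "0.0.0.0/0", 443, 443, "allow"),   # wrong: the reply goes to port 51234
    ])
    nacl_ok = NetworkACL([
        (90, "in", "198.51.100.0/24", 0, 65535, "deny"),  # block list: a SG cannot express this
        (100, "in", "0.0.0.0/0", 443, 443, "allow"),
        (100, "out", "0.0.0.0/0", 1024, 65535, "allow"),  # ephemeral ports for replies
    ])
    return {
        "sg": simulate(sg, REQUEST, REPLY),
        "nacl_without_ephemeral_rule": simulate(nacl_no_ephemeral, REQUEST, REPLY),
        "nacl_with_ephemeral_rule": simulate(nacl_ok, REQUEST, REPLY),
        "nacl_blocklisted_source": simulate(nacl_ok, BLOCKED_REQUEST, BLOCKED_REPLY),
    }


if __name__ == "__main__":
    for name, (req, rep) in demo().items():
        print(f"{name:28s} request={'allow' if req else 'deny'} reply={'allow' if rep else 'deny'}")
```

The network ACL without an outbound ephemeral-port rule admits the request and then drops the reply, which is the classic mistake when security-group thinking is carried over to NACLs; the rule-90 deny shows the one thing a security group cannot do.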
Which CAF perspective covers Benefit Management?
Governance
Which CAF perspective covers Risk Management?
Governance
Which CAF perspective covers data curation?
Governance
Which CAF perspective covers portfolio management?
Business
Which CAF perspective covers product management?
Business
Which CAF perspective covers data science?
Business
Which CAF perspective covers change acceleration?
People
Which CAF perspective covers organization design?
People
Which CAF perspective covers provisioning and orchestration?
Platform
Which CAF perspective covers CI/CD?
Platform
Which CAF perspective covers incident and problem mgmt?
Operations
Which CAF perspective covers Configuration mgmt?
Operations
Which CAF perspective covers change and release mgmt?
Operations
Which CAF perspective covers performance and capacity?
Operations
Which CAF perspective covers event management?
Operations
Which CAF perspective covers Incident Response?
Security
Make frequent, small, reversible changes, which WAF pillar?
Operational Excellence
Anticipate failure, which WAF pillar?
Operational Excellence
Go global in minutes, which WAF pillar?
Performance Efficiency
Experiment more often, which WAF pillar?
Performance Efficiency
Democratize advanced technologies, which WAF pillar?
Performance Efficiency
Automatically recover from failure, which WAF pillar?
Reliability
Test recovery procedures, which WAF pillar?
Reliability
Stop guessing capacity, which WAF pillar?
Reliability
Manage change through automation, which WAF pillar?
Reliability
Implement cloud financial management, which WAF pillar?
Cost optimization
Which CAF perspective covers Cloud Financial mgmt?
Governance
OLTP Vs OLAP which service?
OLTP->Amazon RDS,Amazon DynamoDB
OLAP->Amazon Redshift(DW)
What is EFS scope
EFS can be accessed within the same region across all AZs
Kinesis data stream
vs
data analytics
vs
client library
vs
data firehose
Capture, process and store(Ingestion service) data for consumers
vs
Analytics service that runs SQL or Apache Flink applications over streams (now Amazon Managed Service for Apache Flink)
vs
Client library (KCL) for writing your own consumer application code; more work than the managed analytics service
vs
ETL service to load data in data lakes, data stores, and analytics services
AWS Billing Conductor
Vs
AWS Cost Explorer
Vs
AWS Cost and Usage Report
Vs
AWS Organization
Grouping of accounts for billing and apply custom pricing plans
Vs
Visualize, understand, forecast and manage your AWS costs and usage over time
Vs
Publish your AWS billing reports to an Amazon Simple Storage Service (Amazon S3) bucket that you own. Reports that break down your costs by the hour or day, by product or product resource, or by tags that you define yourself
Vs
If you create multiple accounts, you can use the consolidated billing feature of AWS Organizations to combine all your member accounts under one management account and receive a single bill
FSx vs EFS
Amazon FSx for Windows File Server is designed for Windows workloads: fully managed Windows file systems accessed over SMB, with Windows-native features like Active Directory integration and Windows ACLs (Access Control Lists). FSx also offers Lustre, NetApp ONTAP and OpenZFS file systems
Vs
EFS is a managed Network File System (NFS) for Linux-based workloads
IoT Greengrass vs IoT Core
IoT Core operates in the cloud, while Greengrass is designed for edge computing, allowing devices to perform computations locally
AWS Data Pipeline vs AWS SQS
Automates the movement and transformation of data, allowing users to define data-driven workflows
Vs
scalable and fully managed message queuing service for decoupling components of a cloud application, ensuring reliable and asynchronous communication
AWS Managed services vs professional services
Managed services are ongoing and typically contracted, addressing daily IT needs comprehensively
Vs
Professional services offer expertise for specific projects, ensuring optimal implementation and functionality
AWS Audit Manager Vs Security Hub
Security Hub conducts automated security checks aligned to different industry and regulatory frameworks. Audit Manager automatically collects the findings generated by these Security Hub checks as a form of evidence and combines them with other evidence, such as AWS CloudTrail logs, to help customers generate assessment reports
Security Hub is cloud security posture management (CSPM) service
Audit Manager helps you manage stakeholder reviews of your controls and enables you to build audit-ready reports with much less manual effort
AWS workspaces vs appstream
AWS WorkSpaces is a fully managed desktop-as-a-service (DaaS) solution that lets you provide virtual desktops to your users
Vs
Amazon AppStream 2.0 is a fully managed application streaming service that lets you stream desktop applications to any computer running a web browser
Stateless Vs Stateful
Configure and more control
Vs
Ready configured and less control
EC2 Image Builder Vs AMI
Service facilitating automated creation, management, and deployment of machine and container images. It simplifies the creation of virtual machines
Vs
Template (root volume snapshot, block device mapping and launch permissions) that includes the operating system and application software and is used to launch EC2 instances
EC2 Image Builder can distribute AMIs or container images to any AWS Region
AWS Manage Parameter Store Vs Secrets Manager
Centralized configuration data and secrets as String or SecureString parameters (SecureString is encrypted with KMS); keeps a version history; no built-in rotation; mostly non-secret data; standard tier has no additional charge
Vs
Purpose-built for sensitive information such as API keys and database credentials: always encrypted with KMS, versioned (staging labels), with built-in rotation via Lambda; charged per secret and per API call
CSSPF ( Trusted Advisor)
EALS (CAF Life Cycle)
BGPPOS (CAF)
TPOP (CAF Domains)
CORPSS (Well Architected Framework)
Cost, Security, Service Limits, Performance, Fault Tolerance
Envision, Align, Launch, Scale
Business, Governance, People, Platform, Operations, Security
Technology, Process, Organization, Product
Cost Optimization, Operational Excellence, Reliability, Performance Efficiency, Security and Sustainability
AWS Owned
Vs
AWS Managed
Vs
Customer Managed keys
Encryption keys owned and managed by AWS, NOT stored in the customer account and shared across many customer accounts. Customer cannot view, manage or audit them
Vs
Encryption keys created, managed and used on your behalf by an AWS service integrated with AWS KMS (alias aws/<service>), stored in the customer account. Customer can view them and their use in CloudTrail, but cannot change their key policy or rotation
Vs
Encryption keys you create, own and manage in your account (key policy, grants, rotation). Backed by the KMS default key store unless you choose a custom key store (CloudHSM or external key store)
Concierge Support Team
Vs
TAM
Vs
Partner Network (APN Partner)
Vs
Managed Service Provider(MSP)
Vs
Professional Services
Billing and account support (Enterprise Support plan)
Vs
TAM provide architectural and operational guidance under enterprise support plans
Vs
Consists of MSPs (overall), Competency Partners (technical), Service Partners (software products) and Consulting Partners (advisory)
They are engaged with the customer during the migration into dev/test. For migration to production they involve Professional Services, who work with customer management. After production, for continued support, they engage an MSP
Vs
MSP provide end-to-end AWS solutions and services after the migration is completed
Vs
During cloud Adoption stage provide professional service through APN partner
AWS Backup
Vs
Data Sync
Vs
Storage Gateway
Automated backup service within AWS
Vs
Moves file and object data from on-premises to AWS storage over the internet or Direct Connect (one-off or scheduled)
Vs
Hybrid storage: on-premises access to AWS storage services (file, volume and tape gateways) plus backup capabilities
AWS GuardDuty Vs AWS Detective
RealTime Threat Detection Vs Post Incident Analysis
AWS Systems Manager Insights
AWS Systems Manager’s built-in insights are dashboards that include recent API calls through AWS CloudTrail,
recent configuration changes through AWS Config,
instance software inventory listings,
instance patch compliance views,
and instance configuration compliance views
Object Vs File Vs Block
Objects are immutable: to modify, upload a new version of the whole object
No byte-range locking (S3 Object Lock is a retention/WORM control, not a write lock)
Suitable for huge volumes of unstructured data
Searchable through metadata and tags
IoT data, video surveillance, email archives, backups
Vs
Files can be modified in place
Files can be locked
Suitable for smaller volumes of structured data in a directory hierarchy, shared over NFS/SMB
Easy access
Documents, home directories, archiving
Vs
Blocks can be modified in place
Locking is handled by the file system or database on top, not by the block device
Suitable for huge volumes needing the lowest latency and highest IOPS; attached to one instance at a time (except Multi-Attach)
No searchable metadata; addressed by block number
Databases, email servers, virtual machine file systems
Billing Alarms Vs Budget Alerts
A billing alarm reacts only to the amount you have already been charged. A budget can alert you based on forecasted charges, which gives you a heads-up to work out what is happening before the excess usage lands on your bill.
The other key difference is that Budgets let you create filtered alerts, only for the regions and services of interest; filtering by region is not possible with billing alarms. Budgets also support linked accounts, which again is not possible with billing alarms.
Pricing Options for AWS storage services
EBS - GB provisioned per month + provisioned IOPS beyond baseline + provisioned throughput beyond baseline
EBS Snapshot - GB stored per month (incremental) + restore pricing (archive tier retrieval, fast snapshot restore)
EFS - Storage (per GB-month, by storage class) + throughput (provisioned, or per GB transferred in elastic mode)
S3 - Storage + requests and retrievals + data transfer (+ management features)
Common Features among Developer, Business and Enterprise
General guidance: < 24 hours
System impaired: < 12 hours
Support Automation Workflows
Prioritized responses on AWS re:Post
Common Features Business and Enterprise
General guidance: < 24 hours
System impaired: < 12 hours
Production system impaired: < 4 hours
Production system down: < 1 hour
Architectural Guidance
Support Automation Workflows
AWS Countdown Premium (paid add-on for Business)
Full set of Trusted Advisor checks
Prioritized responses on AWS re:Post
24/7 phone, web, and chat access to Cloud Support Engineers
Access to AWS Support App in Slack
AWS Support API
Third Party Software Support : Interoperability and configuration guidance and troubleshooting
Underutilized resources can be identified by?
Cost Explorer - With rightsizing recommendation
Trusted Advisor - Compare with best practices
CloudWatch - Monitor underutilized resources with alarms
For Startup what is the sequence:
LightSail
Cloud Foundation
Quick Starts (AWS Partner Solutions)
Cloud Foundation -> LightSail -> Quick Starts
After disaster event happens and recovery time?
Backup and Restore
Vs
Pilot Light
Vs
Warm Standby
Vs
Multi-site active-active
Provision all AWS resources after the event and restore from backup (hours)
Vs
Core data replicated and minimal resources kept running; provision and scale the rest after the event (tens of minutes)
Vs
Scaled-down but fully functional copy already running; scale it up after the event (minutes)
Vs
Full-scale deployments in several sites serving traffic; no provisioning or scaling after the event (near real time)
Dedicated Host Vs Dedicated Instance
Hardware doesn’t change after stop/start of the instance
Vs
Hardware may change after stop/start of the instance
In both hardware is not shared with any other aws accounts
Storage class comparison: availability, minimum storage duration, minimum billable object size
Class                         | Availability | Min duration | Min capacity charge
S3 Standard                   | 99.99%       | none         | none
S3 Intelligent-Tiering        | 99.9%        | none         | none
S3 Standard-IA                | 99.9%        | 30 days      | 128 KB
S3 One Zone-IA                | 99.5%        | 30 days      | 128 KB
S3 Glacier Instant Retrieval  | 99.9%        | 90 days      | 128 KB
S3 Glacier Flexible Retrieval | 99.99%       | 90 days      | 40 KB
S3 Glacier Deep Archive       | 99.99%       | 180 days     | 40 KB
To extract event logs for analysis what is the most cost effective way?
- Extract logs in S3 and use Athena
Others are
- ETL into
How to do automated backup of all EBS Volumes?
Amazon Data Lifecycle Manager
Enables a single Aurora database to span multiple AWS Regions (one primary, read-only secondaries), giving globally distributed applications low-latency local reads and fast cross-region disaster recovery
Amazon Aurora Global Database
S3 Glacier
Host Infrequently Accessed Data
How to monitor the swap spaces in EC2 instances
Install the CloudWatch agent and publish a swap metric (SwapUtilization / swap_used_percent); swap usage is not one of the default EC2 metrics
Implement FanOut Messaging
SNS Topic with multiple SQS
Implement Read Replication < 1 sec
Amazon Aurora Global Database (cross-region replication, typically under 1 second of lag)
Load balancer to use for UDP communication with many game servers
Network Load Balancer
Retrieve a subset of data from large CSV file stored in S3
Perform an S3 Select query on the object (bucket name + object key) so only the matching rows are returned instead of the whole file (S3 Select is no longer offered to new customers; Athena is the alternative)
To upload 1 TB file on S3
Use the S3 multipart upload API: uploads a large object in parts, in parallel, with resumable transfer (required anyway above the 5 GB single-PUT limit)
Retrieve instance ID, Public keys and Public IP of EC2 instance
Query the instance metadata service from inside the instance at http://169.254.169.254/latest/meta-data/ (with IMDSv2, first PUT /latest/api/token to get a session token, then send it in the X-aws-ec2-metadata-token header with each GET)
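The metadata call above, as an added example that is not AWS code: an IMDSv2 client run against a local stand-in for the metadata service. The stand-in reproduces only the two behaviours that matter here: a session token is issued solely in response to a PUT, and any GET without that token is refused. The paths, the fake values and the 127.0.0.1 listener are constructed; on an instance the base URL is http://169.254.169.254.

```python
"""
IMDSv2 session-token flow against a local mock of the metadata service.
Added example (not AWS code). The mock on 127.0.0.1 imitates only the two
IMDSv2 behaviours that matter: a session token is obtained with a PUT,
and GET requests without that token are refused. Paths and values below
are constructed; a real instance uses http://169.254.169.254.
"""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"

# Constructed metadata, keyed by path (values are placeholders, not real).
FAKE_METADATA = {
    "/latest/meta-data/instance-id": "i-0123456789abcdef0",
    "/latest/meta-data/public-ipv4": "203.0.113.25",
    "/latest/meta-data/public-keys/0/openssh-key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOnly example-key",
}


class MockIMDSv2(BaseHTTPRequestHandler):
    tokens = set()   # session tokens issued so far (shared across handlers)

    def log_message(self, *args):  # keep the example quiet
        pass

    def _reply(self, body):
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        # Token is only ever issued via PUT with the TTL header present.
        if self.path != TOKEN_PATH or TTL_HEADER not in self.headers:
            self.send_error(400)
            return
        token = secrets.token_urlsafe(32)
        self.tokens.add(token)
        self._reply(token)

    def do_GET(self):
        # IMDSv2-only mode: a GET without a valid session token gets 401.
        # This is what defeats a plain SSRF that can only issue GET requests.
        if self.headers.get(TOKEN_HEADER) not in self.tokens:
            self.send_error(401)
            return
        value = FAKE_METADATA.get(self.path)
        if value is None:
            self.send_error(404)
            return
        self._reply(value)


def start_mock_imds():
    """Start the mock on an ephemeral port; returns its base URL."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockIMDSv2)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"


def imds_get(base_url, path, ttl=21600):
    """IMDSv2 client: PUT for a session token, then GET with the token header."""
    req = urllib.request.Request(base_url + TOKEN_PATH, method="PUT",
                                 headers={TTL_HEADER: str(ttl)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(base_url + path, headers={TOKEN_HEADER: token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def imds_v1_get(base_url, path):
    """What an IMDSv1-style (token-less) GET gets back: the HTTP status code."""
    try:
        with urllib.request.urlopen(base_url + path, timeout=2) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    base = start_mock_imds()
    for p in FAKE_METADATA:
        print(p, "->", imds_get(base, p))
    print("token-less GET ->", imds_v1_get(base, "/latest/meta-data/instance-id"))
```

The token-less GET comes back 401. That is why enforcing IMDSv2 on the instance (aws ec2 modify-instance-metadata-options --http-tokens required, leaving the hop limit at 1) blunts SSRF attacks that can only issue GETs toward the role credentials under /latest/meta-data/iam/security-credentials/.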
Cost effective solution to manage over provisioning of resources
Use target tracking scaling in ASG solution
Accelerate the transfer of historical records on premise to AWS using most cost effective solution
DataSync, writing directly into S3 Glacier Deep Archive
Globally deliver static content with low latency
Use S3 bucket with cloudfront distribution
Minimize data transfer cost between 2 EC2 instances
Deploy both instances in the same Availability Zone and communicate over private IP addresses. Transfer between AZs in the same region is charged in both directions, and traffic over public or Elastic IPs is charged even within one AZ
Import the SSL/TLS certification in AWS
Use AWS Certificate Manager (ACM), or upload it to IAM for regions/services that ACM does not support
Encrypt EBS Volumes from uncrypted EBS snapshots
Copy the unencrypted snapshot with encryption enabled, choosing a symmetric KMS key, then create the volume from the encrypted copy (existing volumes cannot be encrypted in place)
Limit the maximum number of requests from single IP
Create a rate based rule in WAF
How to restrict accidental deletion/overwriting of objects in S3 bucket
Enable versioning and MFA delete
How to keep data transfer cost low
Limit Unnecessary Outbound Data Transfers
Cache content in Amazon CloudFront
Keep Data Transfer within a Single Region
Keep EC2 Data Transfers within a Single Availability Zone
How to give on premise AD credential access to AWS services
Use AD Connector (a proxy to your on-premises AD, no directory data in AWS) or AWS Managed Microsoft AD with a trust relationship to the on-premises domain
To secure the sensitive data stored in EBS volumes
Enable EBS encryption to encrypt data at rest
How to ensure data in transit and data at rest in S3 is always encrypted
At rest: enable S3 server-side encryption (SSE-S3 is on by default for new objects) or use client-side encryption. In transit: require TLS with a bucket policy that denies requests where aws:SecureTransport is false
EC2 instance types
TM=General Purpose
RXZ=Memory
PGFV=Accelerated Computing
IDH=Storage
HPC=High Performance Computing
Operation Excellence
Performance Efficiency
Reliability
Operation Excellence - IaC, Managed Service, Observability
Performance Efficiency - Serverless, Go global in minutes, RightSizing
Reliability - DR, Availability, Test Recovery, Stop guessing capacity
Serverless AWS services
AWS Lambda
AWS Fargate
Amazon DynamoDB
Amazon CloudWatch
Amazon S3
Amazon API Gateway
Amazon Aurora
Amazon SNS
Amazon SQS
Amazon QuickSight
SSD vs HDD
IOPS Vs Throughput
Costly Vs Less costly
Transactional workloads Vs Large streaming workload