Theory

Question 1

iAM Users and Groups

Answer 1

iAM is a global service.
User is single entity.
Groups only contain users

Question 2

iAM Policies

Answer 2

iAM Group is attached a policy which defines the access control to a resource
Structure is Effect (Allow/Deny), Action(API calls), Resource (What resource access is allowed)

Question 3

iAM Role

Answer 3

iAM roles are used by AWS services to access resources on users behalf.
Permissions are assigned to the iAM role in order to do that.
E.g. - EC2 instance roles, Lambda function roles, CloudFormation roles

Question 4

iAM Role application steps

Answer 4

1. Add new role
2. Choose the AWS service like EC2, Lambda, etc…
3. Attach a policy

Question 5

EC2 Instance Type(optimized)

Answer 5

Compute Optimized - Batch processing, media transcoding, high performance web servers, scientific modeling, ML, gaming servers

Memory Optimized - High performance RDBMS or NonRDMBS, distributed webscale cache stores, In memory DB for BI, real time proecssing of big structured data

Storage Optimized - OLTP, RDBMS and NoSQL DB, Cache in memory DB like Redis, DW, distributed file system

Question 6

Connecting to EC2

Answer 6

Using SSH, EC2 instance connect and Putty

Question 7

EC2 Purchase Options

Answer 7

On Demand - Pay by sec after first min (Linux and Windows). For other OS Pay by hour. Stopped instances, however, do not incur charges. [For short term uninterruped workload]

Reserved (1 or 3 years) - Commit to an instance type, Region, Tenancy(host, dedicated, default) and OS. Reserved Instances incur charges for every clock-hour during the selected term, regardless of instance running status [For steady state usage like DB]

Convertible Reserved - Same as Reserved except you can change instance type, family, region, tenancy or OS

Savings Plan (1 or 3 years) - Commit to usage in $ (like $10/hour) instead of instance type. Compute savings plan you can change instance family and region. Ec2 savings plan you can change instance type,size, OS and Tenancy within same family

Spot - Short workloads and can lose the instance [For batch jobs, data analysis, image processing, etc]

Dedicated host - Dedicated entire physical server and unshared. On demand or resereved [For compliance or existing server bound s/w licences]

Dedicated instance - Dedicated entire physical server and shared [No control on instance placement. Can move h/w after stop/start]

Capacity reservations - Reserve capacity in specific AZ for any duration. No time commitment. If you dont run you are still charged. [For short term uninterruped workload in a specific AZ]

Question 8

Availability, Scalability and Elasticity

Answer 8

Availability = Running your application in at least two AZs
Scalability = Application can take greater loads either by increasing the size (verticle) or add more instances (horizontal)
Elasticity = Same as horizontal scalability

Question 9

ASG Strategies

Answer 9

Manual scaling - Update the size manually
Condition based scaling -
1. Simple step scaling
e.g. When all my EC2 instance goes over 70% for five minutes, then add two units to capacity to my ASG
2. Target tracking scaling
e.g. I want the average CPU utilization of all the EC2 instances in my ASG to stay at around 40% on average
3. Scheduled Scaling
e.g. Increase the minimum capacity to 10 EC2 instances in my ASG
at 5pm on Friday
4. Predictive scaling
e.g. using ML to predict the pattern and scale

Question 10

Bucket Policy

Answer 10

Bucket wide rules that you can assign directly from the S3 console

Question 11

Replication

Answer 11

CRR - Cross Region Replication
SRR - Same Region Replication
Copying is asynchronous

Question 12

Storage Classes

Answer 12

(Availability, Minimum Storage Duration Charge, Minimum billable object size, Retrieval Fee)

Amazon S3 Standard-General Purpose (99.99, NA, NA, NA)
Amazon S3 Intelligent Tiering (99.9, NA, NA, NA)
Amazon S3-Infrequent Access (99.9, 30, 128KB, PerGB)
Amazon S3 One Zone-Infrequent Access (99.5, 30, 128KB, PerGB)
Glacier Instant Retrieval (99.9, 90, 128KB, PerGB)
Glacier Flexible Retrieval (99.99, 90, 40KB, PerGB)
Glacier Deep Archive (99.99, 180, 40 KB, PerGB)

Question 13

Encryption

Answer 13

Server side encryption is default
Client side encryption is done when data is encrypted before uploading into S3

Question 14

Shared Responsibility(S3)

Answer 14

Client responsibility is for
S3 versioning
S3 bucket policies
Replication
Logging and Monitoring
S3 storage classes
Data encryption at rest and in transit

Question 15

Snowball Edge Pricing

Answer 15

You have to pay for except data into Amazon S3

Question 16

Storage classes uses

Answer 16

Amazon S3 Standard- Frequently accessed data

Amazon S3 IT - Data automatically moves from frequest to IA tier

Amazon S3-IA - Less frequently accessed but requires rapid access when needed

Amazon S3 One Zone-IA - Less frequently accessed but requires rapid access when needed but 1 zone only

Glacier Instant Retrieval - Archiving but millisecond retrieval (once a quarter)

Glacier Flexible Retrieval - Archiving but 1min to 12 hrs retreival

Glacier Deep Archive - Archiving but 12 hrs to 48 hrs retreival

Question 17

RDS and Aurora

Answer 17

SQL Databases and Aurora is AWS proprietery DB (Postgre SQL and MySQL)
Multi AZ setup for DR
Verticle and Horizontal scaling
You CANNOT SSH into your instance

Question 18

RDS Deployment

Answer 18

Read Replicas - Read from more than 1 instance and write to only 1
Multi-AZ - Read and Write from 1 and on Failover move to another
Multi Region - Region 1(Main) reads/writes on Region 1 instance and Region 2 reads on Region 2 but writes to Region 1

Question 19

Serverless
Is IaaS or PaaS or FaaS?

Answer 19

Function as service (FaaS)

Question 20

Gateways

Answer 20

Internet - Connect public subnet to internet
NAT/Instance - Connect private subnet to internet
Customer - For site to site VPN at on premise
Virtual Private - For site to site VPN at AWS VPC

Question 21

DDoS

Answer 21

Denial of service attack - The attacker uses BOT requests to the application server which is unable to service genuine user’s requests due to overload from BOT requests.

Question 22

Shared Responsibility(ec2)

Answer 22

Patch Management - like for RDS its AWS responsibility but for EC2 software patch management is customer responsibility
Awareness and Training -like AWS gives this to their employees and you give it to your employees
Configuration Management

Question 23

Operational Excellence

Answer 23

IaaS and PaaS, Anticipate and Learn from failure, Changes to Infra

• All your operations should be code (IaaS, PaaS)
• Annotate documentation
• Make frequent and small reversible changes
• Refine operations procedures frequently
• Anticipate failure
• Learn from all these failures

Question 24

Security

Answer 24

Logs, identity foundation, keep people away from data

• Strong identity foundation
• Enable traceability (Logs and Metrics)
• Apply security at all layers (Edge->VPC->Subnet->ELB->EC2->OS-Application)
• Automate security best practices
• Protect data in transit and at rest
• Keep people away from data
• Prepare for security events

Question 25

Reliability

Answer 25

Failover, stop guessing capacity, scale out - Test recovery procedures - Automatically recover from failure - Scale horizontally - Stop guessing capacity (use auto scaling) - Use automation for changes in infrastructure

Question 26

Performance Efficiency

Answer 26

Serverless, advanced technology, go global in mins - Use advanced technologies - Go global in minutes - Use serverless architecture - Experiment more often - Mechanical sympathy - Be aware of all AWS services

Question 27

Cost Optimization

Answer 27

Pay only what you use, Using cloudwatch, use tags - Pay only what you use - Measure overall efficiency - Use CloudWatch - Stop spending on data center operations - Analyze and attribute expenditure - Use Tags - Use managed services to reduce cost of ownership

Question 28

Sustainability

Answer 28

- Understand your impact - Establish sustainability goals - Maximize utilization - Anticipate and adopt more efficient h/w or s/w - Use managed services - Reduce downstream imapct of cloud workloads

Question 29

AWS Well Architected Tool

Answer 29

AWS tool to review the architechture againt the 6 pillars

Question 30

AWS CAF (Cloud adoption framework)

Answer 30

- White paper that helps you to build and execute a plan for digital transformation using AWS - It groups the capabilities under Business - Business - People - Governance Technical - Platform - Security - Operations

Question 31

AWS CAF Transformation Phases

Answer 31

EALS - Envision (Demostrate the benefits of cloud to business, foundation for Digi Tran) - Align (Capability gaps across 6 CAF perpectives and create a action plan) - Launch (Build and deliver pilot in production) - Scale (Expand pilot initiatives)

Question 32

AWS CAF Transformation Domains

Answer 32

TPOP - Technology - Process - Organization - Product

Question 33

AWS Right Sizing

Answer 33

Process of matching the instance type and size to your workload performance and capacity requirements at the lowest possible cost -CloudWatch, Cost Explorer, Trusted Advisor

Question 34

AWS Assurance Program

Answer 34

Certfication/Attestation and Compliance with Laws and Regulations

Question 35

Access Key use

Answer 35

Access key as Access ID + Secret Access Key. Both are used to authenticate a user. Employed for programmatic requests to AWS services via AWS CLI or API

Question 36

SOC1 and 2 Vs PCI Vs ISO

Question 37

EC2 instance customer responsibility

Answer 37

Security configs and Patching of OS and Apps

Question 38

AWS Risk and Compliance program components

Answer 38

Risk Management Information Security Control Environment

Question 39

Root user access keys can be deleted. True or False?

Answer 39

True

Question 40

Federated Access

Answer 40

Using corporate directory to provide AWS resources

Question 41

Can we assign User Groups or Users to an instance in AWS?

Answer 41

No. Only iAM Roles can be assigned. The roles are then assigned to Groups or Users

Question 42

In S3, replication across AZs is whoe's responsibility? In S3 backing up data is whoes's responsibility?

Answer 42

AWS Customer

Question 43

Which services have build in DDoS prevention?

Answer 43

Route 53, WAF, ELB, CloudFront, VPC and SGs

Question 44

RDS what is customer responsibility?

Answer 44

Managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions

Question 45

ELB can distribute across regions. True or False?

Answer 45

False. Elastic Load Balancing automatically distributes your incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones This increases the fault tolerance of your applications

Question 46

Resource tags

Answer 46

1. Manually Assigned a key and value 2. Can assign a key and leave value as empty (not null)

Question 47

Redshift Components

Answer 47

Cluster - composed of one or more compute nodes Compute Node - run the compiled code and send intermediate results back to the leader node for final aggregation Leader Node - manages communications with client programs and all communication with compute nodes Redshift Managed Storage - Data warehouse data is stored

Question 48

AWS QuickStart

Answer 48

Higher level IaaS compared to cloudformation. Pre-built templates and guides for rapid deployment of various workloads on AWS infrastructure Good for starters

Question 49

AWS CloudWatch vs Budget (Alarm)

Answer 49

In CloudWatch the alarm is triggered when the threashold limit is breached CloudWatch is real-time metrics breaches In Budget the alarm is triggerred against the estimated cost is reached Budget is broader financial perspective with a focus on estimated costs and increased flexibility

Question 50

OpsWork Vs CloudFormation

Answer 50

Infra + App configuration Vs Infra deployment

Question 51

AWS Penetration testing

Answer 51

Customers are not permitted to conduct any security assessments of AWS infrastructure or the AWS services themselves. If you discover a security issue within any of the AWS services observed in your security assessment, please contact AWS Security immediately AWS customers are welcome to carry out security assessments or penetration tests of their AWS infrastructure without prior approval for the services listed in the AWS permitted list

Question 52

AWS Lambda@Edge

Answer 52

Lambda@Edge is a feature of Amazon CloudFront that lets you run code closer to users of your application

Question 53

Data Consistency Options

Answer 53

Eventual Consistency: Updates may not be immediately reflected in all replicas, providing scalability and performance benefits. However, it introduces a temporary inconsistency window. Strong Consistency: Guarantees that any read operation reflects the most recent write. This ensures immediate data accuracy but may impact system performance.

Question 54

AWS Lifecycle policies for S3

Answer 54

Predefined rules determining actions performed on objects over their lifecycle Users can configure rules in S3 Lifecycle to transition objects between storage tiers or expire them based on criteria such as age or count

Question 55

Can you change the SG attached to an instance even if its running?

Answer 55

Yes

Question 56

Route53 hosted zone

Answer 56

For example, the amazon.com hosted zone may contain records named www.amazon.com, and www.aws.amazon.com, but not a record named www.amazon.ca

Question 57

Support plans supporting Business-critical system down?

Answer 57

Enterprise with < 30 mins for on-ramp and < 15 mins for enterprise For business suppport plan there is no business critical support and only production system down < 1hr