Theory Flashcards

1
Q

IAM Users and Groups

A

IAM is a global service.
A user is a single entity.
Groups contain only users.

2
Q

IAM Policies

A

A policy attached to an IAM group defines the access control to a resource.
Structure: Effect (Allow/Deny), Action (API calls), Resource (which resource the access applies to)

3
Q

IAM Role

A

IAM roles are used by AWS services to access resources on the user's behalf.
Permissions are assigned to the IAM role so that it can do this.
E.g. EC2 instance roles, Lambda function roles, CloudFormation roles

4
Q

IAM Role application steps

A
  1. Add new role
  2. Choose the AWS service like EC2, Lambda, etc…
  3. Attach a policy
5
Q

EC2 Instance Types (optimized)

A

Compute Optimized - Batch processing, media transcoding, high-performance web servers, scientific modeling, ML, gaming servers

Memory Optimized - High-performance RDBMS or non-RDBMS, distributed web-scale cache stores, in-memory DB for BI, real-time processing of big structured data

Storage Optimized - OLTP, RDBMS and NoSQL DB, in-memory cache DB like Redis, DW, distributed file system

6
Q

Connecting to EC2

A

Using SSH, EC2 Instance Connect and PuTTY

7
Q

EC2 Purchase Options

A

On Demand - Pay by the second after the first minute (Linux and Windows). For other OS, pay by the hour. Stopped instances, however, do not incur charges. [For short-term uninterrupted workloads]

Reserved (1 or 3 years) - Commit to an instance type, Region, Tenancy (host, dedicated, default) and OS. Reserved Instances incur charges for every clock-hour during the selected term, regardless of instance running status. [For steady-state usage like a DB]

Convertible Reserved - Same as Reserved except you can change instance type, family, region, tenancy or OS

Savings Plan (1 or 3 years) - Commit to usage in $ (like $10/hour) instead of an instance type. With a Compute Savings Plan you can change instance family and region. With an EC2 Savings Plan you can change instance type, size, OS and tenancy within the same family.

Spot - Short workloads, and you can lose the instance [For batch jobs, data analysis, image processing, etc.]

Dedicated Host - Entire physical server dedicated and unshared. On-demand or reserved. [For compliance or existing server-bound s/w licences]

Dedicated Instance - Entire physical server dedicated and shared [No control over instance placement. Can move h/w after stop/start]

Capacity Reservations - Reserve capacity in a specific AZ for any duration. No time commitment. If you don't run instances you are still charged. [For short-term uninterrupted workloads in a specific AZ]

8
Q

Availability, Scalability and Elasticity

A

Availability = Running your application in at least two AZs
Scalability = The application can take greater loads either by increasing the instance size (vertical) or by adding more instances (horizontal)
Elasticity = Same as horizontal scalability

9
Q

ASG Strategies

A

Manual scaling - Update the size manually
Condition-based scaling:
  1. Simple step scaling
     e.g. When all my EC2 instances go over 70% CPU for five minutes, add two units of capacity to my ASG
  2. Target tracking scaling
     e.g. I want the average CPU utilization of all the EC2 instances in my ASG to stay at around 40%
  3. Scheduled scaling
     e.g. Increase the minimum capacity of my ASG to 10 EC2 instances at 5pm on Friday
  4. Predictive scaling
     e.g. Use ML to predict the load pattern and scale ahead of it

10
Q

Bucket Policy

A

Bucket wide rules that you can assign directly from the S3 console

11
Q

Replication

A

CRR - Cross Region Replication
SRR - Same Region Replication
Copying is asynchronous

12
Q

Storage Classes

A

(Availability %, Minimum Storage Duration Charge in days, Minimum billable object size, Retrieval Fee)

Amazon S3 Standard-General Purpose (99.99, NA, NA, NA)
Amazon S3 Intelligent Tiering (99.9, NA, NA, NA)
Amazon S3-Infrequent Access (99.9, 30, 128KB, PerGB)
Amazon S3 One Zone-Infrequent Access (99.5, 30, 128KB, PerGB)
Glacier Instant Retrieval (99.9, 90, 128KB, PerGB)
Glacier Flexible Retrieval (99.99, 90, 40KB, PerGB)
Glacier Deep Archive (99.99, 180, 40 KB, PerGB)

13
Q

Encryption

A

Server-side encryption is the default.
Client-side encryption means the data is encrypted before it is uploaded to S3.

14
Q

Shared Responsibility (S3)

A

Client responsibility is for
S3 versioning
S3 bucket policies
Replication
Logging and Monitoring
S3 storage classes
Data encryption at rest and in transit

15
Q

Snowball Edge Pricing

A

You pay for everything except data transfer into Amazon S3.

16
Q

Storage class uses

A

Amazon S3 Standard- Frequently accessed data

Amazon S3 IT - Data automatically moves from the frequent-access to the IA tier

Amazon S3-IA - Less frequently accessed but requires rapid access when needed

Amazon S3 One Zone-IA - Less frequently accessed but requires rapid access when needed but 1 zone only

Glacier Instant Retrieval - Archiving but millisecond retrieval (once a quarter)

Glacier Flexible Retrieval - Archiving, with 1 min to 12 hrs retrieval

Glacier Deep Archive - Archiving, with 12 hrs to 48 hrs retrieval

17
Q

RDS and Aurora

A

SQL databases; Aurora is the AWS proprietary DB (PostgreSQL and MySQL)
Multi-AZ setup for DR
Vertical and horizontal scaling
You CANNOT SSH into your instance

18
Q

RDS Deployment

A

Read Replicas - Read from more than one instance, write to only one
Multi-AZ - Read and write from one instance; on failover, move to the other
Multi-Region - Region 1 (main) reads and writes on the Region 1 instance; Region 2 reads on the Region 2 instance but writes to Region 1

19
Q

Serverless
Is IaaS or PaaS or FaaS?

A

Function as service (FaaS)

20
Q

Gateways

A

Internet - Connects a public subnet to the internet
NAT Gateway/Instance - Connects a private subnet to the internet
Customer - For site-to-site VPN, on the on-premises side
Virtual Private - For site-to-site VPN, on the AWS VPC side

21
Q

DDoS

A

Denial of service attack - The attacker floods the application server with bot requests, so the server is unable to service genuine users' requests due to the overload from bot traffic.

22
Q

Shared Responsibility (EC2)

A

Patch Management - e.g. for RDS it is AWS's responsibility, but for EC2 software patch management is the customer's responsibility
Awareness and Training - e.g. AWS gives this to its employees and you give it to your employees
Configuration Management

23
Q

Operational Excellence

A

IaaS and PaaS, Anticipate and Learn from failure, Changes to Infra

  • All your operations should be code (IaaS, PaaS)
  • Annotate documentation
  • Make frequent and small reversible changes
  • Refine operations procedures frequently
  • Anticipate failure
  • Learn from all these failures
24
Q

Security

A

Logs, identity foundation, keep people away from data

  • Strong identity foundation
  • Enable traceability (Logs and Metrics)
  • Apply security at all layers (Edge -> VPC -> Subnet -> ELB -> EC2 -> OS -> Application)
  • Automate security best practices
  • Protect data in transit and at rest
  • Keep people away from data
  • Prepare for security events
25
Q

Reliability

A

Failover, stop guessing capacity, scale out

  • Test recovery procedures
  • Automatically recover from failure
  • Scale horizontally
  • Stop guessing capacity (use auto scaling)
  • Use automation for changes in infrastructure
26
Q

Performance Efficiency

A

Serverless, advanced technology, go global in mins

  • Use advanced technologies
  • Go global in minutes
  • Use serverless architecture
  • Experiment more often
  • Mechanical sympathy - Be aware of all AWS services
27
Q

Cost Optimization

A

Pay only what you use, Using cloudwatch, use tags

  • Pay only what you use
  • Measure overall efficiency - Use CloudWatch
  • Stop spending on data center operations
  • Analyze and attribute expenditure - Use Tags
  • Use managed services to reduce cost of ownership
28
Q

Sustainability

A
  • Understand your impact
  • Establish sustainability goals
  • Maximize utilization
  • Anticipate and adopt more efficient h/w or s/w
  • Use managed services
  • Reduce downstream impact of cloud workloads
29
Q

AWS Well Architected Tool

A

AWS tool to review the architecture against the 6 pillars

30
Q

AWS CAF (Cloud adoption framework)

A
  • White paper that helps you build and execute a plan for digital transformation using AWS
  • It groups the capabilities under two areas:
    Business
    • Business
    • People
    • Governance
    Technical
    • Platform
    • Security
    • Operations
31
Q

AWS CAF Transformation Phases

A

EALS

  • Envision (Demonstrate the benefits of cloud to the business, the foundation for digital transformation)
  • Align (Identify capability gaps across the 6 CAF perspectives and create an action plan)
  • Launch (Build and deliver pilot in production)
  • Scale (Expand pilot initiatives)
32
Q

AWS CAF Transformation Domains

A

TPOP

  • Technology
  • Process
  • Organization
  • Product
33
Q

AWS Right Sizing

A

Process of matching the instance type and size to your workload's performance
and capacity requirements at the lowest possible cost
Tools: CloudWatch, Cost Explorer, Trusted Advisor

34
Q

AWS Assurance Program

A

Certification/Attestation and Compliance with Laws and Regulations

35
Q

Access Key use

A

An access key is an Access Key ID + Secret Access Key. Both are used together to authenticate a user.
Employed for programmatic requests to AWS services via the AWS CLI or API

36
Q

SOC1 and 2 Vs PCI Vs ISO

37
Q

EC2 instance customer responsibility

A

Security configs and Patching of OS and Apps

38
Q

AWS Risk and Compliance program components

A

Risk Management
Information Security
Control Environment

39
Q

Root user access keys can be deleted. True or False?

40
Q

Federated Access

A

Using a corporate directory to provide access to AWS resources

41
Q

Can we assign User Groups or Users to an instance in AWS?

A

No. Only IAM roles can be assigned. The roles are then assigned to groups or users.

42
Q

In S3, whose responsibility is replication across AZs?
In S3, whose responsibility is backing up data?

A

AWS
Customer

43
Q

Which services have built-in DDoS prevention?

A

Route 53, WAF, ELB, CloudFront, VPC and SGs

44
Q

RDS what is customer responsibility?

A

Managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions

45
Q

ELB can distribute across regions. True or False?

A

False.
Elastic Load Balancing automatically distributes your incoming traffic across multiple targets, such as EC2 instances, containers, and IP addresses, in one or more Availability Zones
This increases the fault tolerance of your applications.

46
Q

Resource tags

A
  1. Manually assign a key and a value
  2. Can assign a key and leave the value empty (not null)
47
Q

Redshift Components

A

Cluster - composed of one or more compute nodes

Compute Node - run the compiled code and send intermediate results back to the leader node for final aggregation

Leader Node - manages communications with client programs and all communication with compute nodes

Redshift Managed Storage - Data warehouse data is stored

48
Q

AWS QuickStart

A

Higher level IaaS compared to cloudformation.
Pre-built templates and guides for rapid deployment of various workloads on AWS infrastructure
Good for beginners

49
Q

AWS CloudWatch vs Budget (Alarm)

A

In CloudWatch the alarm is triggered when the threshold limit is breached.
CloudWatch is for real-time metric breaches.
In Budgets the alarm is triggered when the estimated cost is reached.
Budgets give a broader financial perspective, with a focus on estimated costs and increased flexibility.

50
Q

OpsWorks vs CloudFormation

A

Infra + App configuration
Vs
Infra deployment

51
Q

AWS Penetration testing

A

Customers are not permitted to conduct any security assessments of AWS infrastructure or the AWS services themselves. If you discover a security issue within any of the AWS services observed in your security assessment, please contact AWS Security immediately

AWS customers are welcome to carry out security assessments or penetration tests of their AWS infrastructure without prior approval for the services listed in the AWS permitted list

52
Q

AWS Lambda@Edge

A

Lambda@Edge is a feature of Amazon CloudFront that lets you run code closer to users of your application

53
Q

Data Consistency Options

A

Eventual Consistency: Updates may not be immediately reflected in all replicas, providing scalability and performance benefits. However, it introduces a temporary inconsistency window.

Strong Consistency: Guarantees that any read operation reflects the most recent write. This ensures immediate data accuracy but may impact system performance.

54
Q

AWS Lifecycle policies for S3

A

Predefined rules determining actions performed on objects over their lifecycle
Users can configure rules in S3 Lifecycle to transition objects between storage tiers or expire them based on criteria such as age or count

55
Q

Can you change the SG attached to an instance even if it's running?

56
Q

Route53 hosted zone

A

For example, the amazon.com hosted zone may contain records named www.amazon.com, and www.aws.amazon.com, but not a record named www.amazon.ca

57
Q

Support plans supporting Business-critical system down?

A

Enterprise, with < 30 mins for Enterprise On-Ramp and < 15 mins for Enterprise
For the Business support plan there is no business-critical support, only production system down < 1 hr