Tut Dojo Test 3 Flashcards
What kind of backup service does RDS provide?
RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases.
RDS keeps the automated backups of your DB instance for the backup retention period that you specify. By default, a DB instance created from the
AWS console has a backup retention period of 7 days. You can set the retention period anywhere from 0 to 35 days; setting it to 0 disables automated backups.
Amazon Aurora Backup Solution
For Amazon Aurora, it backs up your cluster volume automatically and retains restore data for the length of the backup retention period.
Aurora backups are continuous and incremental so you can quickly restore to any point within the backup retention period.
No performance impact or interruption of database service occurs as backup data is being written. You can specify a backup retention period, from 1 to 35 days, when you create or modify a DB cluster.
Amazon S3 Backup Solution
S3 has lifecycle policies but no RDS-style automated backup built into the service itself. Standard S3 is already designed for very high durability. The built-in recovery options are versioning (to recover overwritten or deleted objects) and replication to another bucket in the same or another Region; AWS Backup also supports S3 buckets, so scheduled backups are possible without building them yourself.
Amazon EFS Backup Solution
EFS is already a highly available and durable file storage service, and there is no RDS-style automated backup built into EFS itself. Backups of EFS are done through AWS Backup; file systems created from the console have automatic backups (via AWS Backup) turned on by default.
Amazon EC2 Backup Solution
EC2 has no built-in automatic backup of instances. You create AMIs (or EBS snapshots) of your instances yourself, and copy them to other Regions if you need a cross-Region copy; Amazon Data Lifecycle Manager or AWS Backup can schedule that for you.
Scenario: The Engineer must set up a cloud-based single sign-on (SSO) service to centrally manage SSO access to all of the company's AWS accounts and cloud applications.
Full access has also been configured by the Engineer in AWS Organizations.
Which of the following should the Engineer configure to complete the setup?
Set up permission sets in AWS SSO. Associate the permission sets with AWS Directory Service users and groups. (AWS SSO has since been renamed IAM Identity Center; the concepts are the same.)
Where does AWS SSO store users and groups by default?
AWS SSO automatically provides you with a store by default, which you can use to manage your users and groups within AWS SSO. If you choose to store them in AWS SSO, create your users and groups and assign their level of access to your AWS accounts and applications.
Alternatively, you can choose to Connect to Your External Identity Provider using Azure Active Directory or connect to your Microsoft AD Directory using AWS Directory Service.
What is a permission set?
A collection of administrator-defined policies that AWS SSO uses to determine a user’s effective permissions to access a given AWS account. Permission sets can contain either AWS managed policies or custom policies that are stored in AWS SSO.
Policies are essentially documents that act as containers for one or more permission statements.
These statements represent individual access controls (allow or deny) for various tasks that determine what tasks users can or cannot perform within the AWS account.
SCPs Characteristics
In SCPs, you can restrict which AWS services, resources, and individual API actions the users and roles in each member account can access. You can also define conditions for when to restrict access to AWS services, resources, and API actions.
These restrictions even override the administrators of member accounts in the organization. When AWS Organizations blocks access to a service, resource, or API action for a member account, a user or role in that account can’t access it
Difference between Permission Sets and SCPs
Permission sets are stored in AWS SSO and are only used for AWS accounts. They are not used to manage access to cloud applications. Permission sets ultimately get created as IAM roles in a given AWS account, with trust policies that allow users to assume the role through AWS SSO.
SCPs set the maximum permissions available to the IAM users and roles in the member accounts of an organization. An SCP never grants permissions on its own; the principal still needs an IAM policy that allows the action, and SCPs do not apply to the management account.
Permission sets are used with AWS SSO (they grant).
SCPs are used with AWS Organizations (they restrict).
aws:PrincipalOrgID
Use this global condition key to compare the identifier of the organization in AWS Organizations to which the requesting principal belongs with the identifier specified in the policy. It is typically used in resource-based policies (for example, an S3 bucket policy) to allow access from any principal in your organization without listing every account ID.
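The cards above describe SCPs, permission sets and aws:PrincipalOrgID separately; the following is an added example (written for these notes, not code from the flashcards or from AWS) that models how the three combine on one request. It keeps only three rules of the real IAM logic: an explicit Deny anywhere wins, an SCP can only narrow what a principal may do and never grants anything by itself, and a bucket policy can grant access to callers whose aws:PrincipalOrgID matches. The organization ID, bucket name and policy contents are made up.

```python
"""Toy model of how SCPs, permission sets and aws:PrincipalOrgID combine.

Added example, not code from the flashcards or from AWS. Real IAM evaluation
has more rules (permissions boundaries, session policies, NotAction, ...).
The org ID, bucket name and policies below are hypothetical.
"""
from fnmatch import fnmatchcase

ORG_ID = "o-exampleorg1"  # hypothetical organization ID


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_matches(stmt, action, resource, ctx):
    """True if the statement's Action, Resource and Condition all match."""
    if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt.get("Resource", "*"))):
        return False
    # Only StringEquals is modelled; that is all aws:PrincipalOrgID needs.
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if ctx.get(key) != want:
            return False
    return True


def evaluate(policy, action, resource, ctx):
    """Single-document decision: 'Deny' beats 'Allow' beats 'Implicit'."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(action, resource, ctx, scps=(), identity_policies=(), resource_policy=None):
    """Simplified same-account decision for one request."""
    scp_decisions = [evaluate(p, action, resource, ctx) for p in scps]
    grants = [evaluate(p, action, resource, ctx) for p in identity_policies]
    if resource_policy is not None:
        grants.append(evaluate(resource_policy, action, resource, ctx))
    if "Deny" in scp_decisions or "Deny" in grants:
        return False                 # an explicit Deny always wins
    if any(d != "Allow" for d in scp_decisions):
        return False                 # every SCP in the chain must allow
    return "Allow" in grants         # an SCP alone never grants


# SCP on the member account: FullAWSAccess plus one guardrail (hypothetical).
SCP_GUARDRAIL = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}
# SCP that allows only EC2, used to show that SCPs do not grant anything.
SCP_EC2_ONLY = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

# Policy carried by a permission set; it ends up as the SSO-created role's policy.
PERMISSION_SET_S3_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Bucket policy granting read to any principal inside the organization.
BUCKET_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::shared-bucket/*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}},
}]}

IN_ORG = {"aws:PrincipalOrgID": ORG_ID}           # request context, in-org caller
OUTSIDE = {"aws:PrincipalOrgID": "o-someoneelse"}  # caller from another organization
BUCKET = "arn:aws:s3:::shared-bucket"
OBJECT = BUCKET + "/report.csv"


def demo():
    """Decisions for a few representative requests, keyed by scenario name."""
    return {
        # The permission set says s3:*, but the SCP guardrail still blocks the delete.
        "sso_admin_delete_bucket": is_allowed(
            "s3:DeleteBucket", BUCKET, IN_ORG, scps=[SCP_GUARDRAIL],
            identity_policies=[PERMISSION_SET_S3_ADMIN]),
        "sso_admin_get_object": is_allowed(
            "s3:GetObject", OBJECT, IN_ORG, scps=[SCP_GUARDRAIL],
            identity_policies=[PERMISSION_SET_S3_ADMIN]),
        # No identity policy: only the bucket policy can grant, and it checks the org.
        "in_org_via_bucket_policy": is_allowed(
            "s3:GetObject", OBJECT, IN_ORG, scps=[SCP_GUARDRAIL],
            resource_policy=BUCKET_POLICY),
        # A caller from another organization (its own SCPs are not modelled here).
        "outside_org_via_bucket_policy": is_allowed(
            "s3:GetObject", OBJECT, OUTSIDE, resource_policy=BUCKET_POLICY),
        # An SCP that allows ec2:* grants nothing without an identity policy.
        "scp_alone_grants_nothing": is_allowed(
            "ec2:RunInstances", "*", IN_ORG, scps=[SCP_EC2_ONLY]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32} {'ALLOW' if ok else 'DENY'}")
```

The first scenario is the exam point about SCPs "overriding administrators": the SSO-created role has s3:* from its permission set, yet the member-account SCP still denies s3:DeleteBucket. The last scenario is the complementary point: an SCP that allows ec2:* does not let anyone run instances until an IAM policy (here, a permission set) grants it.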
Principal
An entity that can make a request for an action or operation on an AWS resource.
Users, roles, federated users, and applications are all AWS principals.
Your AWS account root user is your first principal.
Request
When a principal tries to use the AWS Management Console, the AWS API, or the AWS CLI, that principal sends a request to AWS.
Actions or operations
The actions or operations that the principal wants to perform.
Resources
The AWS resource object upon which the actions or operations are performed.
Environment data
Information about the IP address, user agent, SSL enabled status, or the time of day.
Resource data
Data related to the resource that is being requested.
Trusted Advisor
Trusted Advisor analyzes your AWS environment and provides best practice recommendations in five categories:
Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits.
Access to the seven core Trusted Advisor checks is available to all AWS customers.
Access to the full set of Trusted Advisor checks is available with the Business and Enterprise Support plans.
It provides alerts on several of the most common security misconfigurations that can occur, including leaving certain ports open that make you vulnerable to hacking and unauthorized access, neglecting to create IAM accounts for your internal users, allowing public access to Amazon S3 buckets, not turning on user activity logging (AWS CloudTrail), or not using MFA on your root AWS Account.
Detailed Monitoring
You can aggregate metrics for AWS resources across multiple accounts and Regions, for example aggregate statistics for your EC2 instances that have detailed monitoring enabled.
Detailed monitoring is charged separately and publishes EC2 instance metrics at 1-minute intervals (basic monitoring is free and publishes at 5-minute intervals). Sub-minute (down to 1-second) resolution is available only for custom high-resolution metrics, not for detailed monitoring.
Metric Math
AWS allows you to use CloudWatch metric math to aggregate and transform metrics from multiple accounts and Regions.
Metric math enables you to query multiple CloudWatch metrics and use math expressions to create new time series based on these metrics. You can visualize the resulting time series on the CloudWatch console and add them to dashboards. You can add a math expression to a graph on your CloudWatch dashboard.
Evaluate Target Health
A setting on Route 53 alias records. When enabled, Route 53 checks the health of the alias target (for an ELB, whether at least one registered target behind it is healthy) and only routes traffic to that target while it is healthy, without a separate Route 53 health check.
Systems Manager automation capabilities
Build automations to configure and manage instances and AWS resources.
Create custom runbooks or use pre-defined runbooks maintained by AWS.
Receive notifications about Automation tasks and runbooks by using Amazon EventBridge.
Monitor Automation progress and details by using the AWS Systems Manager console.
** Note: Automation runs with IAM credentials: either the permissions of the user who starts it, or those of the IAM service role (AutomationAssumeRole) that you specify, which is the recommended way to grant a runbook exactly the permissions it needs.
AWS Shield keywords
Protection against DDoS attacks
Network and transport layer attacks such as UDP reflection attacks and TCP SYN floods (Shield Standard is on by default at no extra cost; Shield Advanced is a paid tier with extended protection and response support)
Amazon EBS–optimized instances
An Amazon EBS–optimized instance uses an optimized configuration stack and provides additional, dedicated capacity for Amazon EBS I/O. This optimization provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance.
EBS–optimized instances deliver dedicated bandwidth to Amazon EBS. When attached to an EBS–optimized instance, General Purpose SSD (gp2 and gp3) volumes are designed to deliver at least 90% of their provisioned IOPS performance 99% of the time in a given year.