Ultimate AWS associate Flashcards
What problems exist with a traditional IT approach (owning / renting infrastructure)?
Costs for renting, power, cooling, maintenance, adding and replacing hardware takes time + cost, limited elasticity on demand, monitoring costs, security (physical and software), environmental disasters
What is cloud computing?
ON-DEMAND delivery of compute, power, database storage, applications and other IT resources. It is Pay-as-you-go, specific to your needs. Almost instant access.
Deployment models, Private vs
Private: single organization - complete control, security for sensitive needs.
Public: Cloud resource owned and operated by third-party cloud service provider. AWS
Hybrid: Keep some servers on premise, extend some capabilities into the cloud.
Five characteristics of cloud computing?
- On-demand self service: no human interaction required to access.
- Broad network access: Resources available over the network, accessed by diverse client platforms
- Multi-tenancy and resource pooling: multiple customers can share same infrastructure + apps with security and privacy & serviced from the same physical resources.
- Rapid elasticity and scalability (major advantage)
- Measured service (pay for use)
Six advantages of the cloud
- Trading capital expensive for operational (not buying infra, paying for using instead)
- Benefit from economies of scale from large infra provider
- Stop guessing capacity, scaled on measured usage.
- Increased speed + agility
- Stop spending money running and maintaining data centers
- Going global in minutes leveraging AWS infra
Problems we solve:
We are flexible, cost effective, scalable, elastic and highly available while being agile (rapidly developing, testing and launching software)
Types of cloud computing?
IaaS: providing building blocks for cloud IT, provides networking, computers, data storage
PaaS: Everything managed by service provider, all you need is to focus on deployment and management of Apps.
SaaS: Completed product, run and managed by service provider for you to use
Three different pricing models, compute, storage, data give a brief description of each
Compute, pay for compute time.
Storage - data stored in cloud.
Data transfer (only when it is going OUT) - data IN is free.
How do you choose an AWS region?
It depends,
Compliance: governments want data to be local? can’t leave?
Proximity: does the application need reduced latency?
Available services: new services and features aren’t available in every region
Pricing: varies from region to region.
What is comprised of an availability zone?
One or more discrete data centers with redundant power, networking and connectivity. Each being separate from each other to avoid disasters, all connected with high bandwidth, low latency networking.
What are points of presence?
Edge locations, it delivers to end users with lower latency by caching information that is frequently accessed.
What is a region vs an availability zone?
AWS Regions are separate geographic areas. AWS Regions consist of multiple, physically separated and isolated Availability Zones
What is the name for a IAM policy assigned only to an individual?
This is an inline policy
An IAM policy document consists of ….
A version, statement (Sid: statement id, effect (allow/deny), principle (account/user/role), action (actions that are allowed), resource: what can be accessed, AND lastly, condition: for when policy is in effect.
How can you increase security for an IAM user?
setting a password policy, password expiry, prevent password re-use, activating MFA.
The three options to access AWS?
- Management console
- Command Line Interface protected by access keys
- Software Developer Kit (SDK) protected by access keys
How do you create access keys for CLI
IAM -> Users -> username -> create access key
Asks for use case
create access key, download .csv file
in CLI it will just ask for these details. Enter them. Done.
Cloudshell vs CLI
AWS CloudShell is a browser-based shell that you can launch directly from your AWS console and run the standard CLI commands. CloudShell is an extension to the AWS CLI and offers many advantages compared to AWS CLI.
An EC2 instance needs to action something what do we need to do?
the EC2 instance will require permission given by an IAM role. IAM roles can be given to services.
What does an IAM credential report show?
All account’s users and the status of their credentials
Access advisor would be used for what purpose? what kind of ‘level’ is this? individual, account, user, group?
shows service permissions granted to a user and when those services were last accessed. User-level.
Shared responsibility model for IAM?
I am responsible for creating users, groups, roles, policies management and monitoring, using MFA on all accounts, rotating keys, IAM tools to apply appropriate permissions, analyze access patterns and review permissions.
List two security tools for IAM
IAM Credentials report (all account’s users and the status of their credentials) and the access advisor (service permissions granted to a user and when last accessed)
List the capabilities surrounding EC2
- Renting virtual machines (EC2)
- Storing data on virtual drives (EBS)
- Distributing load across machines (ELB)
- Scaling services using an auto-scaling group (ASG)
Purpose of EC2 User data? examples?
Bootstrapping, to automate EC2 boot tasks, only run once at the instance first start. Installing updates, software, common files, etc. Runs via root user.
what are the naming conventions for Ec2? m5.2xlarge as an example
m: instance class
5: generation (AWS improves these over time obv)
2xlargE: size within the instance class.
EC2 instance types? list some examples
General purpose, compute optimized (ML, gaming server, high performance web servers, batch processing workloads etc), memory optimized (fast performance for workloads, processing large data sets in memory) , storage optimized (SQL databases, cache for in memory databases, data warehousing applications etc)
What are firewalls on an EC2 instance? how do firewalls interact with EC2?
They are security groups. They interact as rules and can be attached to more than one EC2 instance & an instance can have multiple security groups as well.
Ports to know for exam 22, 21, 22 (another), 80, 443, 3389
SSH, FTP, SFTP, HTTP & HTTPS, RDP
What is EC2 instance connect?
an alternative to SSH, instead using the web browser, we don’t need to manage SSH keys. Still needs an SSH port open on inbound security groups.
If trying to perform a command on an EC2 instance but access denied what to do?
Check IAM roles, maybe permission isn’t granted to that EC2 instance.
EC2 on demand instances give a description
Pay for what you use.
Highest cost but no upfront.
No long-term commitment.
Recommended: Short-term uninterrupted workloads.
Reserved instances give some info pricing
Compared w/ EC2, info on what, time, payment options, other options and recommendation
up to 72% discounts compared w/ on-demand.
You reserve instance type , region, OS
Reservation period: 1 year or 3 years+
Can be no upfront or upfront (all upfront, most discount)
Into a region or zone,
Can buy/sell in marketplace if not needed anymore.
Recommended for steady state applications, like databases
EC2 savings plan instance
Discounts, usage options, instance use, location
Discount based on long-term usage.
Commit to certain usage option $10 hour for 1/3 years etc.
Any usage beyond that is at on-demand pricing.
Locked to specific region and instance family (T2, M5 etc) but can change the size, OS and Tenancy
EC2 spot instances pros, cons
Biggest discounts 90% compared to on-demand
You can lose at any point of time if max price < current spot price?
Most cost-efficient instances in AWS.
Recommended for: Batch jobs, data analysis, image processing, any distributed workloads
NOT for critical jobs/processes/databases.
EC2 dedicated hosts are.. and allow?
a physical server with an EC2 instance capacity fully dedicated to you
allows you to address compliance reqs, use own software licenses
Can pay on-demand and reserved options
Useful for software that have complicated licensing models or companies that have strong regulatory needs/compliance.
In an EC2 instance, what is referred to as being the OS and firewall?
This is the AMI and the Security group
How do you set up the EC2 user data?
This is done at the start by entering a script, it is the bootloader of downloads, installs etc.
How long can you have an EC2 reserved instance?
A) 6 months
B) 1 year
C) 1 to 3 years
D) 1 or 3 years
E) 3 years
Answer is D 1 or 3 years, not any time inbetween
Can EC2 instances be optimized for users? how?
Depending on the needs, a compute, memory or storage optimzed EC2 instance can be created.
Reserved vs spot instances?
Reserved are good for long uninterrupted workloads. Spot for short, quick and potentially interrupted, therefore not critical workloads.
Whats special about an EBS volume? (And what is it?)
Elastic block storage, the data persists after the EC2 instance is terminated. It is a network attached drive. Kind of like a network USB stick
How many instances (at this course level) can EBS volumes be attached to at a time? and AZ consideration?
Just one. Similarly, only a specific AZ. But you can have 2 EBS volumes on one instance. They don’t need to be attached at all times. There is something later called EBS Multi-attach, but that is more advanced.
Why would you snapshot an EBS volume? give one reason
In order to move the volume across an AZ. Snapshot and replicate (?)
What is an option we can give to an EBS volume to control its behviour?
Delete on termination or do not delete on termination.
After taking a snapshot how can you make it cheaper to store? how long to restore?
by moving it to an “Archive tier” 75% cheaper. 24-72 hours.
Do snapshots expire?
Yes, you can specify retention from 1 day to 1 year.
Describe the use of EC2 image builder
Automate the creation of VMs. AUtomate create, maintain and validate and test
Can be run on a schedule
What are the costs of EC2?
Free, you only pay for the resources. Paying for the EC2 instances it creates. When AMi is created, paying for storage of AMI.
You need something faster than an EBS what do you use?
An EC2 instance store. Better I/O performance. However they lose their storage if stopped.
What is good for an instance store?
Buffer, cache, scratch data, temp content
What is special about EFS?
Can be mounted to 100s of EC2 at a time. It is highly available, expensive, scalable. Multi-AZ
How do save on EFS?
Using EFS infrequent access. up to 92% lower cost. Will automatically move files to IA based on last time accessed. This is defined in the life cycle policy.
What is the lifecycle policy on EFS?
After X number of days move to X location (EFSIA)
In EC2 storage what is AWS responsibility?
Infrastructure, replication of data for EBS volumes and EFS drives, replacing faulty hardware, ensuring employees cannot access your data.
What is responsibility of customer in EC2 storage?
Settiing up/backing up data (snapshots), setting up data encryption, responsibility of any data on the drives, understanding the risk of using EC2 instance store.
Amazon FSx what is it and used for?
it is a fully managed service. File systems X, launch 3rd party - high performance file systems on AWS. FSx for Lustre, FSx for windows file server
FSx on windows file server is?
for windows instances. Fully managed, highly reliable and scalable windows native shared file system. Supports SMB protocol and windows NTFS.
FSx for Lustre
Fully managed, high performance computing (think FSx for lustre) lustre = linux and cluster, used for high performance such as machine learning, analytics, video processing, financial modelling, 100s GB/s etc.
What is attached/mapped to a specific availability zone?
An EBS volume
What can be attached to multiple EC2 instances across multiple AZs?
EFS
Which load balancer provides Layer 7 protocols, HTTP routing, static DNS?
Application load balancer.
What does the network load balancer do?
TCP/UDP protocols (layer 4), high performance, millions of requests per second. Static IP through elastic IP
What does the gateway load balancer do?
Routes traffic to firewalls that managed on EC2 instances. IDS, layer 3.
Auto scaling group does:
- Scales out (adds an EC2 instance) to match increasing loads
- Scales in (removes)
- Min and max number req of machines running
- Register new instances to a load balancer.
What is an autoscaling group?
its a group that is attached to a load balancer, it increases or decreases EC2 instances depending on its needs.
How do we create an autoscaling group?
Click ASG -> create launch template -> Name it, describe it, choose AMI, instance type, no key pair needed, existing SG,
What are all of the auto scaling strategies?
Auto Scaling Strategies include: Manual Scaling, Dynamic Scaling (Simple/Step Scaling, Target Tracking Scaling, Scheduled Scaling), and Predictive Scaling.
What does a load balancer do when instances fail?
Load Balancers have the ability to handle instance failure by redirecting traffic to healthy instances.
How does a load balancer handle back-end autoscaling?
It doesn’t, this is done by autoscaling groups
How is amazon S3 advertised?
labelled as infinitely scaling storage, many websites use s3 as backbone
Amazon S3 use cases?
backup and storage, disaster recovery, archive files, hybrid cloud storage, host applications & media, datalakes and big data analytics, software delivery and static websites etc.
What are the files in S3 buckets called? and the name of buckets need to be?
Objects , globally unique (across all regions and accounts).
Is S3 regional or global?
S3 looks global but the buckets are created in the region
what does a bucketname look like
it-looks-like-this
No uppercase, underscores, 3-63 characters long, not an IP, start with lowercase letter or number, not start with prefix or end with suffix
UNIQUE across all accounts, regions etc.
What is the Full path of an object?
The key. S3://my-bucket/my_file_example.txt
A prefix + object name
Max size of S3 file? how to upload bigger?
5gb, if bigger has to be multi-part upload.
What are the different types of security in S3?
User-based IAM policies
Resource - based
What are the three resource-based policies?
Bucket policies (Bucket-wide rules)
Object access control list (finer grain)
Bucket access control list - less common
What rights does an IAM principal have towards S3?
Can access, if allowed and no explicit deny.
What does an S3 bucket policy look like?
It is a JSON document.
IAM user wants to access S3 bucket, how?
Assign IAM permissions through a policy to S3 bucket.
If we have EC2 instance and want to give access to S3 bucket. IAM users?
Use IAM roles, EC2 instance role with correct IAM permissions.
S3s can be used to create websites?
True, static and dynamic.
CRR vs SRR?
Cross region replication vs same region.
How to set up asyncrhonous rep between CRR and SRR? two must haves.
Versioning MUST be enabled.
Need proper IAM permissions to read/write.
Use case for replication? CRR
Compliance, lower latency, across accounts.
Use case SRR?
Log aggregation, live replication between prod and test.
What are all the different storage types for S3? hint: 2 standard, 3 something and 2 of something else.
Standard- general purpose
Standard - infrequent access
Glacier instant/flexible & deep
AIntelligent tiering
One zone infrequent access
Define S3 durability
How many times an object will be lost on S3. Same for all storage classes.
S3 standard / general purpose availability, use cases
99.99% availability
Used for frequent accessed data.
Low latency, high throughput
Sustains 2 concurrent facility failures
Use case: Big data analytics, gaming, content distribution,
S3 infrequent access availability and use cases
lower cost than S3 standard, less frequently accessed. 99.9% availability (less than general, 99.99%)
Use case: disaster recovery, backups.
S3 infrequent but ONE zone access?
High durability 99.9999% but ONLY in a single AZ. Lost if AZ destroyed. 99.5% availabilty. Secondary copies of backups.
Glacier storage classes.. cold.. low cost object storage used for and pricing?
archiving and backup. Price for storage + object retrieval cost.
S3 glaciier instant retrieval info:
Millisecond retrieval. Great for data accessed once a quarter. Min storage duration of 90 days.
Glacier flexible retrieval info:
1-5min retrieval, 3-5 hours (standard) and 5-12 for bulk. min storage 90 days.
Glacier deep archive..
12 hour retrevial for standard, 48 hours for bulk. Min 180 days.
What is S3 intelligent tiering for? price?
Small monthly monitoring and auto tiering fees. Move objects automatically between access tiers based on usage. No retrieval charges. It just allows you to relax while it moves for you.
Why would you use the IAM access analyzer?
To ensure only intended people have access to your S3 buckets. Can see resources in account that are shared by other entities.
Responsibility of AWS for S3?
Infra, config and vulnerability analysis, compliance validation
Responsibility of customer for S3?
S3 versioning, policies, replication setup/config, logging and monitoring, S3 storage classes, data encryption at rest and in transit.
You need a high secure solution that is portable, to collect and process data at the edge, migrating data into and out of the AWS what do you use?
Snowcone or snowball edge. The cone is for smaller data needs. 8-14 TB vs 80-210 TB storage
migration up to terabytes, snowball up to petabytes.
What issues might people turn towards the snow family?
Uses: those with limited connectivity, bandwidth, high network costs, shared bandwidth and stability issues. If it takes >1 week, snowball is good.
Snowball pricing, how does it work?
Data IN into the snowball device to S3 is free.
You pay for the device usage and data transfer out of AWS.
Rest is on-demand, days of usage, or committed upfront where you pay monthly 1 year or 3 years.
Why might a hybrid cloud be a good strategy?
Long cloud migrations.. security requirements, compliance, IT strategies
functions of a AWS storage gateway?
Bridging between on-premise data and cloud data in S3, hybrid model solution.
Uses: Disaster recovery, backup & restore, tiered storage.
What can you do with databases that other file storage options (EFS,EBS,EC2 instance store, S3) can’t accomodate?
Structuring the data, building indexes to efficiently query and search the data.
What is a relational database?
Looks like excel spreadsheet, links between them. they relate to one another.
What is a noSQL database and its benefit?
non relational database, built for specific data models, flexible for modern apps. Scalable (out), high performance and highly functional.
RDS stands for? brief description:
relational database service. Managed DB service for SQL. Create databases in cloud such as: MySQL, oracle, aurora, etc.
Why not just put a DB into an EC2 instance?
RDS has automated provisioning, patching, continous backups and restore, monitoring dashboards, scaling capability etc. Just can’t SSH into it..
What is good about Aurora?
cloud optimized AWS proprietary tech, postgreSQL and MySQL both supported. Costs about 20% more than RDS. But more efficient, possibly cheaper.
Why Aurora over RDS?
More cloud optimized, autoscaling based on actual usage, no capacity planning required, least management overhead, pay per second, good for infrequent intermittent or unpredictable workloads.
Machines connect to WWW using what? (if using private IP)
a NAT and internet gateway (a proxy)
What happens to the IP when an EC2 instance is stopped and started?
It can change
Why would someone choose an elastic IP?
They want a fixed public IP for their instance (one at a time)
What are alternatives (that are better) than an elastic IP?
Use of a DNS name and/or load balancer.
A business wants control over EC2 instances, what do you suggest?
The use of placement groups.
1) Clusters, clustering instances into low latency group in single AZ.
2) Spread, spreading across underlying hardware (max 7 in group per AZ) - for more critical apps
3) Partition, spreads instances across many different partitions (different sets of racks) within an AZ, scales to 100s of EC2 instances
Pros & cons of cluster groups?
Amazing network between instances. Great for big data jobs that require fast completion, apps requiring low latency. Cons, if one AZ fails they all go down.
Spread group pros and cons?
Span across AZs, reduced risk using diff hardware, but limited to 7 instances per AZ
What does a spread of placement groups look like?
Could have a few EC2 instances on different hardware in 1 AZ, 2 more on 2 different hardware, etc. 6 different hardware in total but 3 different zones
How does partition groups work?
Up tp 7 partitions per AZ. Can span multiple AZs in same region. Up to 100s of EC2 instances. 1 Partition going down doesn’t effect others. Don’t share racks with other partitions. Access to partition info via metadata.
A logical component in a VPC that represents a virtual network card is called..
an elastic network interface.
What are the attributes of an ENI
Primary IPv4, one or more secondary IPv4.
One elastic IP per private IP
one public IPv4
One or more sec groups
A MAC address
You can attach ENI independently, and attach them on the fly for failover.
Bound to a specific AZ.
EC2 stop, terminate and hibernate ?
Stop, data is kept in tact, terminate: any EBS volumes are gone (unless chosen not to), hibernate - whatever was in RAM, is preserved (instance boot is much faster), RAM state is in root EBS volume. When restarted, its like it never stopped. Useful for long processes that aren’t stopped, or services that take time to initialize but don’t want to wait.
How to attach an ENI to an EC2 in another AZ
Elastic Network Interfaces (ENIs) are bounded to a specific AZ. You can not attach an ENI to an EC2 instance in a different AZ.
How is the status of a load balancer determined ?
it is done via a healthcheck, which uses a port and route (/health), if it recieves a 200 response, then all ok.
what does a security group for an instance with a load balancer look like?
0.0.0.0 would go into the load balancer, then the ec2 instance would only allow http traffic from the load balancer.
How would you use an NLB and ALB together?
The NLB would go infront of the ALB. The NLB would route traffic, if HTTP/HTTPS to the ALB, and if TCP/UDP to the place its suppose to go to. Can help with high volume stuff and acting as an additional load balancer, for example routing it across many ALBs?
Purpose of a gateway load balancer?
To act as a gate, sending traffic to 3rd party appliances, such as firewalls, IDS/IPS etc, then it is ‘OK’d and sent back to the gateway, then sent to the applications.
What does a cross zone load balancer do?
distributes traffic across multiple AZs. If there are two EC2s in one AZ and 5 in another, it’ll distribute traffic evenly (if chosen) across all of them. Without it, two EC2 instances may take more traffic than the 5.
How do certificates work with load balancers?
load balancers can hold the certificates and encrypt the information “in-flight”, load balancers, depending, can hold more than 1 certificate for more than 1 application/backend.
What is a listener?
A listener is a process that checks for connection requests, using the protocol and port that you configure. Listener can be on a load balancer.
Purpose of draining phase EC2 instance?
Done by the ELB settings. Allows for any remaining inflight connections to complete, between a time set, 1 to 36000 seconds. This is during the time it is deregistering
