Week 2: Cloud Computing Foundations Flashcards

1
Q

What is the difference between authentication and authorization in AWS IAM?

A

Authentication is the process of verifying who you are—for example, by using a username, password, and possibly multi-factor authentication. It answers the question “Who are you?”
Authorization is the process that determines what you are allowed to do after your identity is verified. It answers the question “What are you allowed to do?”

2
Q

How does the Principle of Least Privilege improve security in IAM?

A

The Principle of Least Privilege means granting users only the minimum permissions necessary to perform their tasks. This minimizes the risk of accidental or malicious misuse of privileges and reduces the potential damage from a compromised account.

By starting with a limited set of permissions and only granting additional rights as needed, organizations reduce their attack surface and simplify compliance with security policies.

3
Q

What are IAM users?

A

These are identities created for individual people or applications. Each IAM user has long-term credentials (passwords or access keys) and is meant to represent a single entity.

4
Q

What are IAM Groups?

A

A group is a collection of IAM users. Instead of assigning permissions individually, you attach policies to the group. This makes it easier to manage permissions for many users simultaneously.

5
Q

What are IAM Roles?

A

Roles are identities that are not permanently associated with a specific person. Instead, roles can be assumed temporarily by users or services to perform specific tasks. They come with temporary credentials and are useful for scenarios like cross-account access or when a service needs to act on your behalf.

6
Q

How do IAM users, groups, and roles differ in managing access?

A

Users hold their own long-term credentials for individual use, groups allow policies to be assigned to many users in bulk, and roles provide temporary privilege elevation. Together these differences allow organizations to manage access in a scalable and secure way.

7
Q

What are IAM policies?

A

JSON documents that define what actions an identity can or cannot perform on which resources. They contain elements like actions, resources, effects (allow or deny), and optional conditions.

8
Q

What is the difference between the identity-based and resource-based policies?

A

Identity-Based Policies:
These are attached to IAM identities (users, groups, or roles). The principal is implicit: the permissions apply to the identity the policy is attached to, so the policy does not need to state who the principal is.
Resource-Based Policies:
These are attached directly to a resource (such as an S3 bucket or SQS queue). They include a principal element that specifies which identities (or accounts) are allowed to access the resource.

9
Q

What are best practices for managing IAM policies?

A

Least Privilege:
Always grant only the minimum permissions required for users and services to perform their tasks.
Policy Organization:
Use managed or customer-managed policies attached to groups or roles rather than individual inline policies to simplify administration.
Monitoring and Auditing:
Utilize tools like IAM Access Analyzer and Access Advisor to review permission usage and ensure that policies are not over-privileged.
Regular Review:
Periodically review and update policies to adapt to changing requirements and to remove unnecessary permissions.

10
Q

What is an AWS account, and how does it serve as a container for cloud resources and identities?

A

An AWS account is the primary container in AWS that holds all your cloud resources (such as EC2 instances, S3 buckets, Lambda functions, etc.) and the associated IAM identities (users, groups, roles).

It establishes a boundary for resource management, billing, and security, ensuring that all resources within an account are managed and governed under a unified set of policies.

11
Q

How do AWS accounts support different environments?

A

A common design pattern is to use separate AWS accounts for different environments such as development, staging, and production.

This segregation isolates resources and permissions, helps manage costs and quotas independently, and improves security by reducing the blast radius if an environment is compromised.

12
Q

How does AWS IAM compare to similar structures in other cloud platforms like GCP and Azure?

A

While AWS uses IAM within its account structure, other cloud providers have similar—but not identical—mechanisms:
Google Cloud Platform (GCP): Uses “projects” as the basic container for resources.
Microsoft Azure: Uses “resource groups” (along with subscriptions and management groups) to organize resources.

Additionally, AWS IAM is not a pure role-based access control (RBAC) system since it incorporates users with long-term credentials, whereas GCP and Azure lean more towards a pure RBAC model.

13
Q

What are the components of IAM Roles?

A

Trust Policy:
Defines who (which principals) is allowed to assume the role.
Permissions Policy:
Specifies what actions the role is allowed to perform once assumed.

14
Q

What are IAM roles and why are they important?

A

IAM Roles are identities that provide temporary access to AWS resources. Roles are important because they enable temporary, least-privilege access for users and services and help improve security by avoiding long-term credential distribution.

15
Q

What are the different types of IAM roles and their differences/use cases?

A

Service Roles:
These are used by AWS services (for example, EC2 instance profiles) to perform actions on your behalf. They avoid the need to hard-code long-term credentials in applications.
Cross-Account Roles:
Allow users or services from one AWS account to access resources in another account. They enable secure collaboration between different accounts.
Roles for Federated Access:
Enable users authenticated by external identity providers to assume roles and access AWS resources without needing an IAM user in the account.

16
Q

What is the purpose of temporary security credentials?

A

Temporary security credentials are designed to provide short-term access to AWS resources. They reduce the risk associated with long-term credentials by automatically expiring after a set duration (typically between 1 and 12 hours).

17
Q

How does the STS AssumeRole API allow for authorization?

A

The AssumeRole API (provided by AWS Security Token Service, or STS) is used to:

Allow a principal (user, role, or service) to assume a role.
Generate temporary credentials that grant the permissions defined in the role’s policy.

18
Q

What is Federated Identity?

A

Federated Identity refers to using an external identity provider (such as Active Directory, Google, or Facebook) to authenticate users. Once authenticated externally, users can exchange their authentication token for temporary AWS credentials via STS.

This setup supports single sign-on (SSO) and eliminates the need to create separate IAM users for external or third-party identities, thereby simplifying user management and improving security.

19
Q

Define VPC

A

Virtual Private Cloud (VPC) is a logically isolated section of a cloud provider’s network. It allows you to define your own private network in the cloud, similar to having your own dedicated physical network infrastructure.

20
Q

What are the Key Characteristics of VPCs?

A

Region Association: A VPC is created within a specific region (for example, AWS’s us-east-1).
IP Address Range: When creating a VPC, you define an overall IP address range using CIDR (Classless Inter-Domain Routing) block notation.
Multiple VPCs: By default, you can have up to five VPCs per account, though this limit can be increased upon request.
Isolation: The VPC isolates your network resources from other customers’ networks, ensuring security and control.

21
Q

Define VPC Subnets

A

Subnets are logical subdivisions within a VPC that partition the overall CIDR block into smaller segments. They help organize and isolate resources based on their function or security needs. Each subnet is assigned a smaller CIDR block that is a subset of the VPC’s IP address range. Each subnet is associated with one specific Availability Zone (AZ) within an AWS region.

22
Q

What are the Types of VPC Subnets?

A

Public Subnets: Have a route in their routing table to an Internet Gateway (IGW), allowing direct Internet access.
Private Subnets: Lack a direct route to an IGW; typically, they access the Internet via a NAT gateway or instance for outbound traffic only.

23
Q

Why does each VPC subnet have only one associated availability zone?

A

High Availability: Spreading resources across multiple availability zones reduces the risk of simultaneous failures.
Fault Tolerance: Since availability zones are isolated from one another, placing critical resources in different zones increases resilience.

24
Q

What are the types of VPC Gateways?

A

Internet Gateway: Connects a VPC to the Internet. An IGW is attached to the VPC (not directly to a subnet) and is referenced in routing tables to enable public subnets to send and receive traffic over the Internet.

NAT Gateway/Instance: Allows instances in private subnets to initiate outbound traffic to the Internet while preventing inbound connections from the Internet. A NAT instance is an EC2 instance you manage, whereas a NAT gateway is a managed service by AWS that offers higher bandwidth and easier management.

Virtual Private Gateway: Enables site-to-site VPN connections, letting you securely connect your on-premises network to your VPC.

25
Q

What are routing tables and how are they used?

A

Gateways are connected through routing tables that define which traffic goes to the Internet, a NAT service, or a VPN connection. This routing ensures that traffic flows to the correct destination based on its destination IP.

26
Q

What are the characteristics of a Security Group?

A

Instance-Level Firewall: Acts as a virtual firewall for individual EC2 instances.
Stateful: If you allow an inbound request, the response is automatically allowed, regardless of outbound rules.
Rules & Flexibility: You can define rules specifying which protocols, ports, and source IP ranges (or even other security groups) are allowed.
Use Cases: Typically used to restrict access to specific applications (e.g., only allowing SSH from a known IP for a bastion host).

27
Q

What are the characteristics of Network Access Control Lists (NACLs)?

A

Subnet-Level Firewall: Provides an additional layer of security by controlling traffic at the subnet level.
Stateless: Inbound and outbound rules are evaluated separately, so you must explicitly allow both directions of traffic.
Rule Evaluation: Rules are processed in order based on rule numbers (lower numbers have higher precedence), with a default “catch-all” rule at the end.
Design Best Practices: While the default NACL allows all traffic, for tighter security, custom rules should be implemented to restrict access to only the necessary protocols and ports.

28
Q

What are VPC Flow Logs?

A

VPC Flow Logs can be enabled to capture information about the IP traffic going to and from network interfaces in your VPC. These logs are crucial for security audits and for troubleshooting unauthorized access attempts.

29
Q

What are the tiers of a web application architecture?

A

Web (Presentation) Tier: Handles client requests from web browsers, mobile apps, or other HTTP-capable clients. It serves static content and performs initial request routing.
Application (Logic) Tier: Contains the core business logic such as user authentication, product recommendations, and overall processing. This layer ensures that the application responds correctly to user actions.
Database (Data) Tier: Stores persistent data in relational or NoSQL databases (e.g., user data, product catalogs, transactions).

This separation supports scalability and maintainability.

30
Q

What are load balancers?

A

Load balancers are network components that distribute incoming HTTP and HTTPS traffic across multiple servers, containers, or instances. They serve as the single entry point for client requests and:
Prevent any single server from being overwhelmed.
Enhance application performance and reliability.
Simplify security management by offloading tasks like SSL termination.

They are essential to maintain high availability and fault tolerance within a web application.

31
Q

What are the different types of load balancers, and their usage?

A

Classic Load Balancer (CLB): An older option that operates on both Layer 4 (TCP) and some Layer 7 (HTTP/HTTPS) features, but with limited advanced functionality.
Application Load Balancer (ALB): Operates at Layer 7 (the application layer). It supports advanced request routing based on host or path rules, making it ideal for microservices and containerized applications.
Network Load Balancer (NLB): Functions at Layer 4. It is built for high performance, handling TCP and UDP traffic with very low latency, which is useful for real-time applications.
Gateway Load Balancer (GWLB): Designed for integrating and managing virtual network appliances (such as firewalls and intrusion detection systems), providing an inline architecture for third-party appliances.

32
Q

Steps to Configure and Deploy Load Balancers

A

Setup: Create the load balancer through the AWS Management Console or with infrastructure-as-code tools (like CloudFormation or Terraform).
Selection: Choose your VPC, subnets, and availability zones.
Listeners & Rules: Define listeners (commonly on port 80 for HTTP and port 443 for HTTPS) and configure routing rules that direct traffic to target groups.
Health Checks: Establish health checks (for instance, by probing a specific path such as /health) to ensure only healthy instances receive traffic.
Security: Offload SSL termination and manage security policies centrally through the load balancer.

33
Q

Monitoring and Logging Load Balancers

A

Monitoring: Utilize AWS CloudWatch to monitor metrics like request counts, response times, and error rates.
Logging: Enable access logs (often stored in Amazon S3) to capture detailed request data (client IPs, response codes, latency, etc.). These logs can be analyzed using tools such as Amazon Athena or integrated with visualization services.

34
Q

What are the Best Practices for Load Balancers?

A

- Deploy load balancers across multiple availability zones for high availability.
- Enable cross-zone load balancing to evenly distribute requests.
- Fine-tune idle timeouts and routing rules to suit specific workload needs.
- Use centralized SSL management and update firewall rules as needed.
- Actively monitor performance metrics and health check statuses to quickly address issues.

35
Q

What are the Common Pitfalls for Load Balancers?

A

- Not spreading the load balancer across multiple zones, which risks downtime if one zone fails.
- Incorrect idle timeout settings or routing rules that may disconnect long-lived connections or misdirect traffic.
- Using too many load balancers or mismanaging them can lead to increased costs.
- Failing to configure proper health checks may cause unhealthy instances to remain in rotation, impacting performance.

36
Q

What is Autoscaling?

A

Autoscaling is the process of automatically adjusting the number of compute resources (servers or instances) in response to changes in workload. It works by:
Adding more instances when demand increases.
Removing instances when demand decreases.

This mechanism ensures that the application has sufficient resources to handle traffic spikes and avoids the cost of maintaining unused capacity during low demand.

37
Q

What are the Different Types of Autoscaling and Their Usage?

A

Manual Scaling: An operator manually adjusts the desired capacity via the AWS console or CLI. It’s simple but reactive rather than proactive.
Dynamic Scaling: Uses real-time metrics (via CloudWatch alarms) to automatically scale out when a metric (e.g., CPU usage) exceeds a threshold and scale in when it falls below another threshold. This type is highly responsive to unpredictable changes.
Scheduled Scaling: Adjusts capacity based on a pre-defined schedule. This is useful for predictable workload patterns, such as daily peak times, allowing you to add resources ahead of known traffic surges.

38
Q

How is Autoscaling integrated with Load Balancing?

A

Automatic Registration: When an autoscaling group launches new instances, these instances automatically register with the associated load balancer (whether ALB or NLB) after they pass health checks.
Seamless Traffic Distribution: This ensures that as new instances come online, they immediately start handling traffic, and as instances are terminated, they are gracefully deregistered from the load balancer.

39
Q

Monitoring and Logging Autoscaling

A

Monitoring:
Key Metrics: Utilize AWS CloudWatch to track metrics such as CPU usage, memory utilization, network traffic, and custom application-specific metrics.
Alerts: Set up CloudWatch alarms to trigger scaling actions based on these metrics.

Logging:
Scaling Events: Log autoscaling events (such as when instances are added or removed) for analysis and troubleshooting.
Cost & Performance Analysis: Review scaling logs to understand cost implications and performance trends, helping to refine scaling policies.

40
Q

What are the Best Practices for Autoscaling?

A

- Choose instance types that match your workload (CPU-intensive vs. memory-intensive tasks).
- Set cooldown periods to prevent rapid, repeated scaling actions (known as thrashing), allowing new instances time to stabilize.
- Use a mix of scheduled and dynamic scaling to handle both predictable and unexpected demand.
- Prefer comprehensive health checks (such as ELB health checks) over basic system-level checks.
- Conduct load tests or simulate traffic to verify that scaling policies work as expected.

41
What are the Common Pitfalls for Autoscaling?
- Poorly set thresholds can lead to excessive scaling actions, increased costs, or degraded performance. - Without proper cooldowns, scaling actions may trigger too frequently, leading to instability. - Not validating scaling policies under realistic loads can result in unanticipated issues during peak traffic. - Uncontrolled scaling can lead to higher-than-expected costs if not monitored carefully.