ACG Exam Tips - student feedback Flashcards Preview


Flashcards in ACG Exam Tips - student feedback Deck (51):

What is Kinesis

Look for language in questions:
If they say big data think Kinesis
if they say BI, think Redshift
if they say big data processing think Elastic MapReduce

Service for real time processing of streaming data at massive scale. Configure producers to send data to a Kinesis Stream

Way to consume big data


EBS Backed vs Instance Store

On the exam, look for long term storage and think EBS backed. For short term think instance store volumes

EBS backed volumes are persistent
Instance Store backed volumes are ephemeral

EBS volumes can be detached and reattached to other EC2 instances

EBS volumes can be stopped and data will persist
Instance store volumes can't be stopped without losing data.


What is opsworks

Orchestration service that uses Chef

For exam, just look for terms like chef, recipes or cookbooks and associate them with OpsWorks


Elastic Transcoder

cloud based media transcoding

has presets for common formats, does that for you

pricing based on minutes transcoded and resolution


3 SWF Actors

Workflow Starters - app that initiates a workflow, e.g. an e-commerce website

Deciders - control flow of activity tasks in the workflow execution

Activity Workers - carry out activity tasks


How to query metadata to get public IP addresses



AWS Organizations

Account management service that lets you consolidate multiple AWS accounts for central management

2 feature sets:
consolidated billing
all features

Have an Organization with OUs under it, with AWS accounts associated to them


Consolidated billing

paying account with linked accounts (ie dev, production, back office)

Monthly bill reflects each linked account

paying account can't access resources of the linked accounts

linked accounts (limit of 20) are independent


advantages of consolidated billing

one bill per account
volume pricing discount
unused reserved instances for EC2 applied across the group
easy to track charges, allocate costs


consolidated billing best practices

enable MFA and strong password on root account

use paying account only for billing


how many linked accounts by default

20, can request more


billing alerts for linked accounts

when monitoring is enabled for paying account, billing data for linked accounts included

can create billing alerts for individual accounts


Describe CloudTrail in terms of logging for multiple AWS accounts

is per account and enabled per region

can consolidate the logs between accounts using an S3 bucket and CloudTrail

1. turn on CloudTrail in paying account
2. create bucket policy allowing cross-account access
3. turn on CloudTrail in all accounts and use bucket in paying account


What is Cross Account Access?

lets you work with a multi-account AWS environment by letting you switch roles in the AWS Console

Can sign into console with your IAM username, then switch to manage other account without having to enter another name and password


Steps required to implement Cross Account Access

Identify account numbers
Create a group in IAM, and a user for it (Dev, John)
Log into production account, create new policy
create the cross account role
apply new policy to the role
login to the developer account, create new policy there
apply new policy to the developer group
log in as John
switch accounts


AWS Document for creating Cross Account Access

Create IAM role in the AWS account that users want to sign into (Prod). (need the account ID)

Give users in the original account (Dev) permissions to assume the role in the target account (Prod)

Create a script allowing user to sign into the Prod account console


Tag overview

Tags can be inherited, i.e. from Auto Scaling, CloudFormation, Elastic Beanstalk

Tags can be nested

Tags are metadata


resource groups overview

let you group resources using tags

contain info like region, name, health checks

contain specific details:
IP addresses, port configs, DB engine types


One big big benefit of Resource Groups

great for tracking who is using what


tag editor

lets you view all resources both tagged and untagged


VPC Peering overview

connection between two VPCs letting you route between them with private IP addresses

Can only peer within a single region

Can peer with a VPC in another account

peering connection is not a gateway or VPN. It uses the existing VPC infrastructure

No single point of failure for peering


is transitive peering supported in VPC peering?



can overlapping IP blocks use VPC peering?



Direct Connect benefits

reduce costs with large amounts of traffic

increase reliability

increase bandwidth


Direct Connect vs VPN

VPN can be set up quickly, generally low bandwidth and more variability

Direct Connect is like a leased line. It is a dedicated line to a peering facility where it cross connects to AWS

Can take weeks, months to set up


Direct Connect bandwidths available

1 Gb
10 Gb

sub-1 Gb available through AWS Direct Connect partners


Direct Connect VLAN tagging

Direct Connect uses 802.1Q VLAN tagging, which allows you to reach multiple parts of the AWS network over one link


(STS) Security Token Service

grants users limited, temporary access to AWS resources

Users come from 3 sources

1. Federation (SAML, typically with AD)
2. Federation with mobile apps
3. Cross-Account access


STS Key Terms

Federation
combining a list of users in one domain with another one

Identity Broker
Service that allows you to take identity from A and federate it to B
Usually you have to create your own

identity store
service like AD, facebook, google, etc

user in an identity store


do you usually have to create your own identity broker?



Scenario for setting up an Identity Broker to authenticate an EC2 application in a VPC to Active Directory over a VPN, so the application can write to S3

user enters account and password

app calls Identity Broker which captures credentials

ID Broker uses LDAP to validate the credentials

ID Broker uses IAM credentials to call the GetFederationToken function. Includes an IAM policy, duration and policy for permissions to be granted

STS confirms the policy of the IAM user making the call gives the permission to create new tokens and then gives 4 values to the application:
access key, secret access key, token and token lifetime

ID Broker returns temp credentials to app

app uses temp credential to make requests to S3

S3 uses IAM to verify credentials

IAM allows S3 to perform requested operation


Federate Active Directory with AWS

User browses to the AD Federation Services (ADFS) website

Sign-on page authenticates user against AD

User's browser gets SAML assertion in form of authentication response from ADFS

User's browser posts the SAML assertion to AWS sign-on endpoint. Sign-on uses the AssumeRoleWithSAML API to get temporary credentials and creates a sign-on URL for the console

User's browser receives sign-on URL and is redirected to the console


AWS Workspaces (read FAQ)

A VDI, cloud based replacement for desktops

User can login with existing AD credentials if integrated with AD

But don't need AD domain.

Also don't need AWS account to login to workspaces

workspaces are persistent

by default users given local admin rights


ECS and Docker Part 1 - what is docker?

It packages software into standard units called Containers

They let you package application code, configurations and dependencies into building blocks, providing consistency and efficiency


VM vs Container

Each VM has to have a guest OS

Container doesn't have a guest OS, only dependencies

Docker gains higher density because of this


Container benefits

reduces dependencies

increased consistency from dev - test - qa - prod

containers don't affect each other

increased portability


Docker components

Docker image - like an ISO or AMI but has only files required to boot container

Docker Container - isolated application platform

Layers / Union File System -

Dockerfile - images built from base images, contains instructions

Docker daemon / engine -

Docker client - interface to the docker engine

Docker registries / hubs - host images for people to share


Elastic Container Service

ECS eliminates the need to run your own container management system or worry about scaling your infrastructure

Regional service you can use in one or more AZs to schedule placement of containers across your cluster

ECS can create a consistent deployment and build experience, manage and scale workloads and build application architectures


What is a Docker Image?

read only template with instructions for creating a docker container

like CloudFormation

Collection of root filesystem changes and execution parameters for use in a container runtime

It's created from a Dockerfile that specifies components to install


What is ECR - EC2 Container Registry?

Managed AWS Docker Registry Service (AWS Docker Hub)


What are ECS Task definitions?

text files in JSON format describing one or more containers that form your application

Describes a docker container in JSON


ECS Services

lets you run and maintain instances in an ECS cluster

Like Auto-Scaling Groups but for ECS


ECS Clusters

grouping of container instances you can place tasks on.

Contain multiple container instance types

region specific

container instances can only be part of one cluster at a time

Can use IAM policies to manage access


ECS Scheduling

Service Scheduler
ensures specified number of tasks are constantly running. Reschedules tasks if they fail

Custom Scheduler
create own schedulers, use 3rd party schedulers


ECS Container Agent

lets container instances connect to your cluster

Can install on any EC2 Linux instance that supports ECS specification


ECS Security

IAM Roles control EC2 instance access to ECS. ECS tasks use IAM to access services, resources

Security Groups at host level, not task or container level

Configure OS of EC2 instances in ECS cluster


ECS Soft Limits

Clusters per region = 1000
Instances per cluster = 1000
Services per cluster = 500


ECS Hard Limits

One load balancer per service
1000 tasks per service
10 containers per task definition
10 tasks per instance (hosts)


ECS Exam Tips 1

ECS - AWS managed EC2 containers

Containers = method of OS virtualization

Containers created from read-only template called image

Image has instructions for creating the container

Images stored in a registry like AWS ECR or Docker Hub


ECS Exam Tips 2

Task Definition required to run containers in ECS

Task Definitions are JSON files describing containers (CPU, RAM, etc)

Task Definitions are like CloudFormation templates

ECS Services lets you run and maintain "desired count" of instances in an ECS cluster

Services are like AutoScaling Groups for ECS

ECS Cluster is logical grouping of container instances you can put tasks on


ECS Exam Tips 3

clusters can have multiple container instance types

clusters are region specific

container instances can only be part of one cluster at a time

can create IAM policies for clusters

Schedule ECS 2 ways: Service or Custom

ECS agent (linux only) connects EC2 instances to ECS cluster

IAM and ECS for access control

Security Groups work at instance not container or task level