ACG Exam Tips - student feedback Flashcards Preview


Flashcards in ACG Exam Tips - student feedback Deck (51):
1

What is Kinesis

Look for language in questions:
If they say big data think Kinesis
if they say BI, think Redshift
if they say big data processing think Elastic Map Reduce

Service for real-time processing of streaming data at massive scale. Configure producers to send data to a Kinesis Stream

Way to consume big data

2

EBS Backed vs Instance Store

On the exam, look for long-term storage and think EBS backed. For short-term storage think instance store volumes

EBS backed volumes are persistent
Instance Store backed volumes are ephemeral

EBS volumes can be detached and reattached to other EC2 instances

EBS-backed instances can be stopped and the data will persist
Instance store backed instances can't be stopped without losing data.

3

What is OpsWorks?

Orchestration service that uses Chef

For the exam, just look for terms like Chef, recipes or cookbooks and associate them with OpsWorks

4

Elastic Transcoder

Cloud-based media transcoding

Has presets for common formats, so you don't have to pick the settings yourself

Pricing based on minutes transcoded and resolution

5

3 SWF Actors

Workflow Starters - app that initiates a workflow, e.g. an e-commerce website

Deciders - control flow of activity tasks in the workflow execution

Activity Workers - carry out activity tasks

6

How to query instance metadata to get the public IP address

curl http://169.254.169.254/latest/meta-data/
(a plain HTTP GET from inside the instance; the public IP is listed under the public-ipv4 key)

7

AWS Organizations

Account management service that lets you consolidate multiple AWS accounts for central management

2 feature sets:
consolidated billing
all features

You have an Organization with OUs under it, with AWS accounts associated to them

8

Consolidated billing

Paying account with linked accounts (e.g. dev, production, back office)

Monthly bill reflects each linked account

Paying account can't access resources of the linked accounts

Linked accounts (limit of 20) are independent

9

Advantages of consolidated billing

one bill per account
volume pricing discount
unused reserved instances for EC2 applied across the group
easy to track charges and allocate costs

10

Consolidated billing best practices

Enable MFA and a strong password on the root account

Use the paying account only for billing

11

How many linked accounts by default?

20, can request more

12

Billing alerts for linked accounts

When monitoring is enabled for the paying account, billing data for linked accounts is included

Can create billing alerts for individual accounts

13

Describe CloudTrail in terms of logging for multiple AWS accounts

Is per account and enabled per region

Can consolidate the logs between accounts using an S3 bucket and CloudTrail

1. turn on CloudTrail in the paying account
2. create a bucket policy allowing cross-account access
3. turn on CloudTrail in all accounts and use the bucket in the paying account

14

What is Cross Account Access?

Lets you work with a multi-account AWS environment by switching roles in the AWS Console

Can sign into the console with your IAM username, then switch to manage another account without having to enter another name and password

15

Steps required to implement Cross Account Access

Identify account numbers
Create a group in IAM, and a user in it (Dev, John)
Log into the production account, create a new policy
Create the cross-account role
Apply the new policy to the role
Log into the developer account, create a new policy there
Apply the new policy to the developer group
Log in as John
Switch accounts

16

AWS Document for creating Cross Account Access

Create IAM role in the AWS account that users want to sign into (Prod). (need the account ID)

Give users in the original account (Dev) permissions to assume the role in the target account (Prod)

Create a script allowing the user to sign into the Prod account console

17

Tag overview

Tags can be inherited, e.g. from Auto Scaling, CloudFormation, Elastic Beanstalk

Tags can be nested

Tags are metadata

18

Resource groups overview

Let you group resources using tags

Contain info like region, name, health checks

Contain specific details:
IP addresses, port configs, DB engine types

19

One big benefit of Resource Groups

Great for tracking who is using what

20

Tag editor

Lets you view all resources, both tagged and untagged

21

VPC Peering overview

Connection between two VPCs letting you route between them with private IP addresses

Can only peer within a single region

Can peer with a VPC in another account

A peering connection is not a gateway or VPN. It uses the existing VPC infrastructure

No single point of failure for peering

22

Is transitive peering supported in VPC peering?

no

23

Can overlapping IP blocks use VPC peering?

no

24

Direct Connect benefits

Reduce costs with large amounts of traffic

Increase reliability

Increase bandwidth

25

Direct Connect vs VPN

VPN can be set up quickly; generally low bandwidth and more variability

Direct Connect is like a leased line. It is a dedicated line to a peering facility where it cross-connects to AWS

Can take weeks or months to set up

26

Direct Connect bandwidths available

1 Gbps
10 Gbps

Sub-1 Gbps available through AWS Direct Connect partners

27

Direct Connect VLAN tagging

Direct Connect uses 802.1Q VLAN tagging, which allows you to reach multiple parts of the AWS network over one link

28

(STS) Security Token Service

Grants users limited, temporary access to AWS resources

Users come from 3 sources

1. Federation (SAML, typically with AD)
2. Federation with mobile apps
3. Cross-Account access

29

STS Key Terms

Federation
Combining a list of users in one domain with another one

Identity Broker
Service that allows you to take an identity from A and federate it to B
Usually you have to create your own

Identity store
Service like AD, Facebook, Google, etc.

Identities
A user in an identity store

30

Do you usually have to create your own identity broker?

yes

31

Scenario for setting up an Identity Broker to authenticate an EC2 application in a VPC against Active Directory over a VPN, so the application can write to S3

User enters account and password

App calls the Identity Broker, which captures the credentials

ID Broker uses LDAP to validate the credentials

ID Broker uses IAM credentials to call the GetFederationToken function. Includes an IAM policy and a duration for the permissions to be granted

STS confirms the policy of the IAM user making the call gives permission to create new tokens, and then gives 4 values to the application:
access key, secret access key, token and token lifetime

ID Broker returns the temporary credentials to the app

App uses the temporary credentials to make requests to S3

S3 uses IAM to verify the credentials

IAM allows S3 to perform the requested operation

32

Federate Active Directory with AWS

User browses to the AD Federation Services website

Sign-on page authenticates the user against AD

User's browser gets a SAML assertion in the form of an authentication response from ADFS

User's browser posts the SAML assertion to the AWS sign-on endpoint. Sign-on uses the AssumeRoleWithSAML API to get temporary credentials and creates a sign-on URL for the console

User's browser receives the sign-on URL and is redirected to the console

33

AWS Workspaces (read FAQ)

A VDI, cloud-based replacement for desktops

Users can log in with existing AD credentials if integrated with AD

But you don't need an AD domain.

Also don't need an AWS account to log in to WorkSpaces

WorkSpaces are persistent

By default users are given local admin rights

34

ECS and Docker Part 1 - what is Docker?

It packages software into standard units called containers

They let you package application code, configurations and dependencies into building blocks, providing consistency and efficiency

35

VM vs Container

Each VM has to have a guest OS

A container doesn't have a guest OS, only its dependencies

Docker gains higher density because of this

36

Container benefits

Reduces dependencies

Increased consistency from dev - test - qa - prod

Containers don't affect each other

Increased portability

37

Docker components

Docker image - like an ISO or AMI but has only the files required to boot the container

Docker container - isolated application platform

Layers / Union File System -

Dockerfile - images are built from base images; contains the build instructions

Docker daemon / engine -

Docker client - interface to the Docker engine

Docker registries / hubs - host images for people to share

38

Elastic Container Service

ECS eliminates the need for your own container management system, or to worry about scaling your infrastructure

Regional service you can use in one or more AZs to schedule placement of containers across your cluster

ECS can create a consistent deployment and build experience, manage and scale workloads, and build application architectures

39

What is a Docker Image?

Read-only template with instructions for creating a Docker container

Like CloudFormation

Collection of root filesystem changes and execution parameters for use in a container runtime

It's created from a Dockerfile that specifies the components to install

40

What is ECR - EC2 Container Registry?

Managed AWS Docker Registry Service (AWS Docker Hub)

41

What are ECS Task definitions?

Text files in JSON format describing one or more containers that form your application

Describes a Docker container in JSON

42

ECS Services

Lets you run and maintain instances in an ECS cluster

Like Auto-Scaling Groups but for ECS

43

ECS Clusters

Grouping of container instances you can place tasks on.

Can contain multiple container instance types

Region specific

Container instances can only be part of one cluster at a time

Can use IAM policies to manage access

44

ECS Scheduling

Service Scheduler
Ensures the specified number of tasks are constantly running. Reschedules tasks if they fail

Custom Scheduler
Create your own schedulers, or use 3rd-party schedulers

45

ECS Container Agent

Lets container instances connect to your cluster

Can be installed on any EC2 Linux instance that supports the ECS specification

46

ECS Security

IAM roles control EC2 instance access to ECS. ECS tasks use IAM to access services and resources

Security Groups are at host level, not task or container level

You configure the OS of the EC2 instances in the ECS cluster

47

ECS Soft Limits

Clusters per region = 1000
Instances per cluster = 1000
Services per cluster = 500

48

ECS Hard Limits

One load balancer per service
1000 tasks per service
10 containers per task definition
10 tasks per instance (hosts)

49

ECS Exam Tips 1

ECS - AWS-managed EC2 containers

Containers = method of OS virtualization

Containers are created from a read-only template called an image

The image has instructions for creating the container

Images are stored in a registry like AWS ECR or Docker Hub

50

ECS Exam Tips 2

A Task Definition is required to run containers in ECS

Task Definitions are JSON files describing containers (CPU, RAM, etc.)

Task Definitions are like CloudFormation templates

ECS Services let you run and maintain a "desired count" of instances in an ECS cluster

Services are like Auto Scaling Groups for ECS

An ECS Cluster is a logical grouping of container instances you can put tasks on

51

ECS Exam Tips 3

Clusters can have multiple container instance types

Clusters are region specific

Container instances can only be part of one cluster at a time

Can create IAM policies for clusters

Schedule ECS 2 ways: Service or Custom

ECS agent (Linux only) connects EC2 instances to the ECS cluster

IAM and ECS for access control

Security Groups work at instance level, not container or task level