Amazon Elastic Cloud Computer (EC2) Flashcards

Question

Windows-based sign-in default is what? (EC2 instance)

Answer 1

Remote Desktop Protocol.

Answer 2

administrator

Answer 3

Public (AWS stores) and Private (user must keep safe)

Answer 4

Running, stopped, terminated

Answer 5

pending, shutting down, stopping

Answer 6

While running. There can be charges associated in a stopped state for data storage though.

Answer 7

Instance Metadata Service. | 1. Enables code running on an EC2 instance to discover properties about the instane

Answer 8

Instance Metadata Service has a special IP address: 169.254.169.254 1. This can be queried using HTTP to get metadata information 2. Including: instance itself, credentials resulting from IAM role, retreive user data during launch to boot strap information

Answer 9

Virtual Private Cloud. 1. Comprises logically isolated networks within an AWS account, networks or software defined can span all availabilty zones within a particular AWS region. 2. We maintain complete control over VPC connectivity

Answer 10

Define a VPC with blocks of addresses specified in an classless inter-domain routing. 1. CIDR notation is a compact representation of an IP address and its associated routing prefix. The notation is constructed from an IP address, a slash ('/') character, and a decimal number. The trailing number is the count of leading 1 bits in the routing mask, traditionally called the network mask.

Answer 11

False. They are isolated by default. Can't communicate with other networks, including the internet, unless explicitly given permission to do so.

Answer 12

1. Egress only internet (IVP6 - allows outbound traffic only.) 2. Amazon VPC endpoints - allows traffic from a VPC to a specific AWS service or 3rd party SaaS without internet gateway. 3. AWS Transit Gateway - allows us to centrally mange connectivity between multiple VPCS on a prem environment with single gateway 4. Amazon VPC peering - establishes peer relationships between VPCs, traffic privately routed from one VPC to another 5. Virtual Private Gateway - allows us to establish a private connection to a corporate network (VPN or direct connection DX) 6. Internet Gateway - highly connected, allowing outbound and inbound traffic

Answer 13

1. Private - IP V4, not reachable from internet. Used for private communication b/n VPCs or Corporate networks. 2. Public - IP V4 that are reachable from the internet. AWS automatically manages them. Association only persists while instance is running and cannot be manually managed. 3. Caveat is the Elastic IP Address - IP V4 that is reachable from the internet but we can manage the association b/n instances and IP addresses. 4. IP V6 - IP V4 and IP V6 operate separately, can use either protocol or both protocols.

Answer 14

1. Subnets are linked to availabilty zones within the region where the VPC is deployed.

Answer 15

1. VPCs have subnets. 2. A subnet is linked to an availabilty zone within a given region where the VPC is deployed 3. Each subnet is allocated its own block of private IP addresses, defined by CIDR (classless inter-domain routing)

Answer 16

1. Subset of the IP address range do not overlap with any other subset. 2. When launching an EC2 instance, the primary network interface is assigned a private IP V4 address automatically from a CIDR subnet. 3. Usually we create 2 instances, one that we launch when we want to reach the internet (public, ex: webserver) and one for the backend (private ex: database)

Answer 17

1. Routes defined in a route table define network traffic. | 2. Network traffic is controlled with routes

Answer 18

1. Each route table has a specific rule, "local route" 2. This rule allows traffic from an instance in one subnet within a VPC to traffic within any other subnet in the same VPC

Answer 19

1. Destination 2. Target - When launching a public EC2 instance, must assign a public IP address to the instance. - Without one, the instance will not be able to communicate across the internet.

Answer 20

1. A security group operates as a stateful firewall

Answer 21

1. Specify the source or destination | 2. Define protocol and ports that we want to allow

Answer 22

1. Inbound - allows us to control source, protocols and ports of inbound traffic. - Ex: When configuring a Linux instance, we specify the incoming rule to allow SSH traffic over port 22 2. Outbound Security Groups - allows us to control destination, protocols and ports for outbound traffic. - Ex: the default outbound rule is assigned to a security group to allow all outbound protocol and ports to all destinations. We can tighten these rules by removing the default and adding our own instead.

Answer 23

Access Control Lists (in the context of a VPC) 1. Allow an admin to control traffic entering/leaving a subnet. 2. Consists of inbound/outbound rules that may be linked to multiple subnets within a specific VPC. 3. ACL acts as a stateless firewall against traffic inbound/outbound to a specific subnet - stateless means it doesn't track connection/ replies 4. Therefore, both inbound/outbound rules must allow it on the network ACL. - i fa network ACL is not specified then for a subnet then it gets associated with the default network ACL for the VPC (which allows all inbound/outbound traffic)

Answer 24

- Responsibility is shared between AWS and the customer

Answer 25

1. Security of physical/ hardware infrastructure (AWS Regions and Availablity Zones, restricting access to servers and physical networks. 2. Core Software (Compute, storage, database, network services) 3. AWS Edge Cases

Answer 26

1. Security on the cloud 2. Making secure choices when configuring the infrastructure (including data encryption) - Data encryption: client-side, server-side, in transit 3. Platform, application, access, including suitable firewall rules 4. OS, network, firewall configuration 5. Controlling network traffic

Answer 27

1. Amazon: underlying core software on physical host machines (including virtualization layer) 2. Customer: Sensitive data stored on *guest* OS - ensuring OS is patched regularly - note: AWS provides tools like system manager to help with these responsibilities (can automate patching, but still ultimately lies with user) - managing user accounts/ guest operations - security on any applications installed on the instance

Answer 28

1. Log into AWS MC with IAM user. 2. EC2 instance 3. Launch instance, Choose an AMI (Amazon Machine Image) 4. Chose a free tier option 5. Selected and created new key pairs 6. launch instance 7. Can view state in EC2 dashboard

Answer 29

Secure Shell. 1. Connect to EC2 instance with SSH 2. Log in as IAM user 3. EC2 Console: - Running instance (ensure it's selected) - Connect - 3 options: EC2 Instant Connect (browser based SSH connection) - Session Manager - SSH Client 4. Choose SSH - copy the SSH command under "Example" 5. Open Powershell

Answer 30

1. (point to user folder) 2. cd downloads 3. paste ssh command 4. yes 5. ps aux (to see what's running) 6. exit (to close connection)

Answer 31

1. EC2 Instance Connect (browser based SSH connection) 2. Session Manager 3. SSH Client

Answer 32

1. pem = open SSH | 2. ppk = Putty

Answer 33

Amazon Virtual Private Cloud

Answer 34

1. sign in as admin IAM 2. Create key value pair 3. Launch VPC wizard 4. Select VPC Configuration - This plus the creation of key value pairs will allow us to now deploy EC2 instance into

Answer 35

1. VPC w/ Single Public Subnet 2. VPC w/ Public & Private Subnets 3. VPC w/ Public & Private Subnets & Hardware VPN Access 4. VPC w/ Private Subnet Only and hardware VPN Access

Answer 36

1. IPv4 Private CIDR = /16 | 2. IPv4Public CIDR = /24

Answer 37

1. Default | 2. Dedicated

Answer 38

1. 3389. | 2. Protocol: TCP

Answer 39

1. 22 | 2. Protocol: TCP

Answer 40

1. EC2 MC 2. Network Security -> Security Groups 3. Create New SG. 4. Name it. ex: webserver-group 5. Description: ex: allow SSH access to webserver 6. Select VPC options (you'll see one you already created) 7. Add inbound rules - Add an SSH type, under source options = MyIp 8. Outbound rules allow all traffic (default) - Now we have created a security group that we can use to deploy our EC2 instance into and ensure only our IP address has access to webservers over port22

Answer 41

1. Custom 2. Anywhere 3. MyIp

Answer 42

1. EC2 dashboard 2. Create an instance 3. Configure details - number of instances (can choose multiple) with scaling - purchasing options - choose VPC 4. Add storage, need root volume 5. Add tags, like name 6. Configure Security Group (add a new one or use existing) 7. Get key pair (new or existing) 8. Connect to instance through powershell

Answer 43

1. Reliable, high - availablity storage volumes that can attach to any running instance in same availablity zone

Answer 44

1. Allocate 2. Associate 3. Disassociate 4. Release

Answer 45

1. Must allocate elastic IP to your instance or network interface. 2. Network settings -> Elastic IP - now will have a public IPv4 address - add key and value (ex: name static IP) 3. Associate the Elastic IP - open the instance and associate 4. Disassociate - Network Settings -> Elastic IP - disassociate 5. Release Elastic IP - in Elastic IP dashboard - Actions -> release

Answer 46

1. An elastic IP address is a static IP 2. Normally if running instances, when you start and stop them your public IP gets reset each time 3. With an elastic IP you can start and stop instances and the public IPv4 and public DNS will remain

Answer 47

1. EC2 dashboard, open running instance 2. Description section, copy SSH Command 3. Open Powershell - cd downloads paste - now connected to server (ex: amazon linux 2 machine image) 4. Ensure software packages are up to date - sudo yum update -y - -y suppresses the confirmations 5. Install Apache - sudo yum install -y httpd 6. Start Apache Service - sudo systemctl start httpd 7. Configure Apache Webserver to start each time system is booted - sudo systemctl enable httpd 8. Verify that httpd is running - sudo systemctl is-enabled 9. Add Security Group rule to allow inbound traffic over port 80 - Descriptions -> security groups -> open group - add rule - select HTTP Custom, allow all traffic CIDR (0.0.0.0/0) 9. Return to instance, copy the public DNS 10. open browser and paste - now Apache test page loads so it's wokring

Answer 48

1. sudo yum update-y | - y suppresses the confirmations

Answer 49

1. sudo yum install -y httpd

Answer 50

1. sudo systemctl enable httpd

Answer 51

1. sudo systemctl is-enabled

Answer 52

- Goal to allow EC2 account to manipulate files in a directory. Need to modify ownership and permissions. 1. Add EC2 user to Apache user group 2. Assign Apache group ownership of "var www" directory 3. Assign write permisions 4. EC2 dashboard - connect webserver instance, copy ssh connection 5. Powershell - cd downloads paste - now we're connected 6. Add EC2 user to apache group - sudo usermod -aG apache $USEr 7. Pick up new group for session - newgrp apache 8. View membership in group - groups 9. Change group ownership of "var www" to content of Apache user group - sudo chown -R ec2-user: apache /var/www 10. Add group write permission, set permissions for var www and sub directories - sudo chmod 2775/var/www&&find/var/www-type-d-exec sudo chmod 2775 {} \; 11. Add group write permission in recursive manner - find /var/www/ type f -exec sudo chmod 0664 {} \ - now EC2 user and any future members of apache user group can add, delete, edit files in apache root for server 12. Add output in index.html (so don't just see apache test page) - echo "hello world ... $(users) on $(hostname -f)">/var/www/html/index.html 13. to view webpage, copy public DNS and paste into web browser

Answer 53

1. "var/www/html"

Answer 54

1. sudo usermod -aG apache$USER

Answer 55

1. newgrp Apache

Answer 56

1. sudo chown -R ec2-user: apache /var/www

Answer 57

1. sudo chmod 2775 /var/www && find /var/www-type d-exec sudo chmod 2775 {}\

Answer 58

1. find /var/www/ type f -exec sudo chmod 0664 {}\; | - now EC2 user and any future memers of apache group can add, delete, edit files in apache root server

Answer 59

1. echo "hello world...$(users) on $(hostname -f)" > /var/www/html/index.html - this will add command into index.html which will render user and render host name of machine when they navigate to the webpage

Answer 60

1. w get -q0 -local host - q suppresses "wget"'s output - ) documents will not be written to appropriate file but will be concatenated in powershell

Answer 61

- goal: can bootstrap multiple instances at once and user data is passed to all instances - Need EC2 dashboard, code editor, powershell 1. EC2 dashboard, launch new instance Amazon Linux 2 machine image - t2.micro - configure details at bottom scroll to bottom, we'll fille this part in (options, as text, as file, input is already 64 based encoded) 2. Code editor - write code - configure Amazon Linux 2 AMI, update SW packages - add ec2user to apache group - set folder and file permissions for document root - generate index.html in document root with bootstrapped message 3. Configure security groups - HTTP CIDR open 0.0.0.0/0 - ssh source - MyIP - select key pair - launch instance 4. View instances (now both are running) - copy public DNS of first one and paste in browser - repeat for second - both instances have same user data but message is dynamic