AWS: CSA Flashcards

1
Q

List CloudWatch EC2 metrics that are available by default

A
  • CPU utilisation
  • Network utilisation
  • Disk reads
2
Q

List CloudWatch EC2 metrics that are not readily available by default

A
  • Memory utilisation
  • Disk swap utilisation
  • Disk space utilisation
  • Page file utilisation
  • Log collection
3
Q

What is Amazon FSx for Lustre?

A
  • High-performance file system built on Lustre
  • Lustre is an open-source parallel file system
    • Stores data across multiple network file servers to maximise performance and reduce bottlenecks
  • Use cases
    • High performance computing where high throughput and low latency are essential for processing large datasets
    • Machine learning and analytics
    • Media processing workloads (e.g. video rendering, transcoding) where fast access to large files is required
4
Q

What is Amazon FSx for Windows FS?

A
  • Fully managed, high performance file storage service compatible with Windows
  • Supports SMB protocol, Windows NTFS and Microsoft Active Directory integration
  • Thousands of compute instances can access a file system concurrently
  • Use cases:
    • Enterprise applications, e.g. Microsoft SharePoint, Exchange and Active Directory
    • Migrating existing Windows-based applications to AWS
    • Line of business applications
5
Q

What are the options to provide user authentication and access control for your file system if using Amazon FSx for Windows?

A
  • Options:
    • AWS managed Microsoft Active Directory
    • Self managed Microsoft Active Directory
  • After creating an AD config for a file system, the config can’t be changed
    • You will need to create a new file system from a backup and change the AD config for that file system
    • The configs allow users in your domain to use their existing identity to access FSx file system and control access to individual files and folders
6
Q

What is Amazon EFS?

A
  • Fully managed file storage service for Linux-based applications
  • Supports NFSv4 - easy to mount EFS on multiple EC2 instances simultaneously
  • High availability and durability
    • Data stored across multiple AZs within a region
    • Built-in data redundancy and automatic failover
  • Use cases:
    • Containerised applications - shared storage for containers running on multiple EC2 instances
    • CMS - multiple web servers can share access to same files and data
    • Dev and test environments - devs can share code/resources across multiple instances
7
Q

What happens when EFS is mounted on EC2 instances?

A
  • Provides file system interface
  • Multiple EC2 instances can access an EFS file system at the same time, allowing EFS to provide a common data source for workloads and applications running on more than one EC2 instance
8
Q

What is AWS Glue?

A
  • Fully managed ETL service
  • Serverless environment for running ETL jobs
    • Pay for resources only during job execution
  • Provides a visual interface for defining ETL jobs
  • Data can be extracted from various sources and transformed to a suitable format for analysis
  • Automatic schema discovery and mapping
  • Use cases:
    • Data integration and transformation
    • Data lakes and data warehouses
    • Serverless data processing
9
Q

What is AWS DMS?

A
  • Fully managed database migration service
  • Supports homogeneous and heterogeneous migrations
  • Supports schema and data transformations
    • Map data to different schema structures
    • Transform data as it is being migrated
  • Continuous data replication
  • Perform one-time migrations as well as ongoing replication to keep databases in sync
  • Use cases:
    • Cloud migration
    • Database consolidation
    • Disaster recovery
10
Q

What is AWS SCT?

A
  • Standalone schema conversion tool
  • Automate process of converting db schemas from one db engine to another
  • Analyzes source schema and generates target schema compatible with chosen target db engine
  • Use cases:
    • Database migration
    • Database engine upgrades
    • Cross-platform database consolidation
11
Q

What is AWS Elastic Beanstalk?

A
  • Fully managed platform-as-a-service
    • Developer-centric view of deploying an app on AWS
    • Once deployed, it builds the selected supported platform version and provisions one/more AWS resources (ie. EC2 instances) to run the application
  • Free service but underlying AWS resources will have costs involved
  • Use cases:
    • Web applications
    • Microservices
    • DevOps workflows
12
Q

What is Lambda@Edge?

A
  • Serverless compute service extending Lambda capabilities to CloudFront edge locations
  • Execute code closer to your end users to reduce latency
  • Leverages Lambda service to automatically scale functions
  • Event-driven - functions run in response to CloudFront events
  • Use cases:
    • Dynamic content personalisation
    • Security and access control
      • Protect against XSS and SQL injections
    • Content optimisation
      • Optimise content delivery by compressing images, caching frequently accessed resources
13
Q

At which points can you use Lambda functions to change CloudFront requests/responses?

A
  • Viewer request - after CloudFront receives a request from a viewer
  • Origin request - before CloudFront forwards request to origin
  • Origin response - after CloudFront receives response from origin
  • Viewer response - before CloudFront forwards response to viewer
14
Q

How does Lambda work with CloudFront CDN?

A
  • CloudFront functions
  • Lambda@Edge
15
Q

What are the differences between CloudFront functions vs Lambda@Edge?

A
  • CloudFront functions
    • Written in JS
    • Limited integration with AWS services - focused on CDN-related tasks
    • Runtime limitations - designed for lightweight, short-lived tasks that are executed quickly at the edge
    • Can be triggered by viewer requests/responses
  • Lambda@Edge
    • Supports multiple programming languages
    • Can be integrated with a lot of AWS services
    • Fewer runtime limitations - suitable for more complex and resource-intensive tasks
    • Can be triggered by all requests/responses from CloudFront (incl. origin requests/responses)
16
Q

What is the difference between signed URLs vs signed cookies when serving private content from CloudFront?

A
  • Signed URL:
    • Embed authentication information directly into URLs making it useful for one-time or temp access to specific resources
    • Use cases:
      • RTMP distribution
  • Signed cookie:
    • Store authentication information in user’s browser to maintain session-based authentication and authorisation
    • Use cases:
      • Provide access to multiple restricted files
      • Don’t want to change current URLs
17
Q

What is AWS Shield?

A
  • Managed DDoS protection service
  • Automatically included at no extra cost with all AWS services that are accessible over the internet ie. CloudFront, ELB, Route53
  • Third-party DDoS providers may offer more customisation options but require more setup and may incur more costs
  • Use cases:
    • Protecting web apps
    • Ensuring high availability
    • Safeguarding against financial loss (Shield Advanced)
18
Q

What is the difference between AWS Shield - standard vs advanced?

A
  • Standard
    • Automatic protection against most common DDoS attacks
    • Included with all AWS services at no extra cost
  • Advanced
    • All features of standard
    • Real-time attack visibility and metrics
    • Additional cost protection features to safeguard against financial loss
    • Personalised support during attacks
19
Q

What is AWS Lake Formation?

A
  • Simplifies setting up and managing data lakes on AWS
  • Automates data ingestion, transformation, and access controls
  • Supports batch and real-time data ingestion
  • Includes a centralised data catalog that automatically indexes and organises metadata so it’s easy to search and analyze
  • Use cases:
    • Analytics and machine learning where there are large volumes of data from various sources
    • ETL jobs
    • Data governance and compliance
20
Q

What are data lakes?

A

Centralised repo that allows you to store all your structured/unstructured data at any scale

21
Q

How does AWS Lake Formation define access control policies?

A
  • IAM policies
  • Resource-based policies
    • Used to grant access to specific AWS accounts, IAM roles or federated users
  • Granular permissions
    • Granular permissions can be granted at the db, table, column level
    • Using the “grant” API operation
    • When granting permissions, you specify the resource (e.g. tables, columns) and the actions the user can perform
22
Q

What is the difference between FSx for Lustre vs EFS?

A
  • FSx for Lustre
    • Designed for high performance, compute-intensive workloads
  • EFS
    • General purpose file system suitable for a range of use cases
23
Q

What is the difference between EFS vs S3?

A
  • EFS
    • Shared file storage mounted directly to EC2 instances
    • Suitable for applications/workloads that require shared access to files
  • S3
    • Object storage service
    • Store and retrieve large amounts of unstructured data ie. images/videos/backups
24
Q

What is AWS RAM?

A
  • Service that enables you to securely share your AWS resources with other AWS accounts
    • Accounts within your organisation or outside
  • Avoid overhead and complexity of duplicating resources across multiple accounts and regions
  • Centralised management and monitoring
  • Use cases:
    • Shared network resources
    • Shared DNS rules
    • Cost efficiency
25
Q

What is AWS Organisations?

A
  • Management service that enables you to consolidate AWS accounts
  • Provides framework for applying policies and permissions across accounts to simplify billing and enhance security
  • Use cases:
    • Consolidating billing
    • Centralised policy management
    • Account isolation - separate accounts to reduce risk of affecting production accidentally
26
Q

What is the difference between AWS Organisations vs AWS Control Tower?

A
  • Organisations
    • Granular control and customisation options for advanced users
    • Suitable for users wanting detailed control over their account structures and policies
  • Control tower
    • Uses AWS Organisations under the hood
    • User-friendly with guided setup
    • Suitable for users wanting streamlined setup
27
Q

What is AWS Secrets Manager?

A
  • Service for securely storing, managing and retrieving secrets
    • Secrets are stored securely using encryption keys managed by AWS KMS
    • Secrets are encrypted at rest and in transit
  • Automated secret rotation
  • Supports multiple versions of a secret
  • Use cases:
    • Storing db credentials, config secrets and API keys
    • Handle secrets in microservices architecture by enabling each service to only access the secrets it needs
28
Q

What is AWS Systems Manager Parameter Store?

A
  • Service providing secure, hierarchical storage for config data management and secrets management
    • Parameters can be stored as plain text or encrypted data using AWS KMS
  • Supports versioning of parameters to track changes
  • Use cases:
    • Storing application configuration settings ie. db connections, feature flags, environment-specific settings
    • Managing API keys
    • Dynamic configuration updates - retrieve config data at runtime to dynamically update configs without redeployment
29
Q

What is the difference between AWS Parameter Store vs AWS Secrets Manager?

A
  • Parameter store
    • General purpose
    • Used for config data and secrets
    • Requires custom implementation for secrets rotation
    • Free tier for standard parameters and charges for advanced parameters
  • Secrets manager
    • More robust secret management capabilities
    • Automatic secrets rotation
    • Higher cost
30
Q

What is AWS WAF?

A
  • Managed service that helps protect web applications from common web exploits ie. OWASP top 10 vulnerabilities
  • Create security rules to control traffic to your apps
    • Pre-configured managed rulesets
    • Custom rules to filter web traffic based on IP addresses, HTTP headers/body or URI strings
  • Real-time monitoring
  • Use cases:
    • Web application protection
    • DDoS protection
    • IP whitelisting/blacklisting
    • Block requests from specific countries/regions
31
Q

What is the difference between AWS WAF vs AWS Shield?

A
  • WAF
    • Protects web applications from layer 7 attacks (application layer) ie. SQL injections, XSS
    • Customisable and managed rules for application-level security
  • Shield
    • Protects against DDoS attacks at layer 3 (network layer), layer 4 (transport layer) and some layer 7 attacks (application layer)
    • AWS Shield Advanced includes DDoS cost protection and advanced metrics
32
Q

What is AWS Firewall Manager?

A
  • Security management service that provides centralised control over your organisation’s firewall rules across multiple AWS accounts/resources
  • Simplifies administration of firewall policies - manage rules for:
    • AWS WAF
    • AWS Shield
    • VPC security groups
    • AWS Network Firewall
    • Route 53 Resolver DNS Firewall
  • Use cases:
    • Org-wide security policies
    • Enforce consistent security rules and automate compliance
33
Q

What is the difference between AWS WAF vs AWS Firewall Manager?

A
  • AWS WAF
    • Protect web applications by mitigating common web exploits
    • Operates on per-application basis
  • AWS Firewall Manager
    • Centralised management for not only WAF rules but other firewall rules and security policies
    • Enforce WAF rules across AWS accounts and resources in a unified manner