AWS SAP-CO2 Study Guide Flashcards
1
Q
What is an OU in AWS?
A
An Organizational Unit (OU) is a way to group AWS accounts within an AWS Organization to help manage and organize accounts more effectively.
2
Q
What steps are involved in AWS Account Organizational Unit Migration?
A
Remove the member account from the former organization.
Send an invite to the member account from the prospective organization.
Accept the invite from the prospective organization upon the member account.
Ensure the OrganizationAccountAccessRole is added to the member account.
3
Q
What is AWS Control Tower, and what does it automate?
A
AWS Control Tower is a service that simplifies the setup and governance of a secure and compliant multi-account AWS environment. It automates the setup of environments, as well as ongoing policy management using guard rails such as SCPs and AWS Config.
4
Q
What are Service Control Policies (SCPs) used for?
A
SCPs are policies used for OUs to manage permissions within AWS Organizations. They help set limits and guardrails for accounts to ensure compliance and control.
5
Q
Do SCPs grant permissions directly to AWS accounts?
A
No, SCPs do not grant permissions directly. Permissions are still managed through IAM (Identity and Access Management). SCPs define restrictions, and the effective permissions are the intersection of IAM, SCP, and IAM permissions boundaries.
6
Q
What happens if an OU does not have all features enabled?
A
An OU must have all features enabled to utilize SCPs effectively. Disabling features may affect policy enforcement.
7
Q
Who does SCPs affect within member accounts?
A
SCPs affect member accounts and attached users and roles within, including the root user(s), but not management accounts.
8
Q
How do SCPs impact resource-based policies?
A
SCPs do not directly affect resource-based policies. They control permissions at the account level but do not change resource-based policies within services.
9
Q
What are service-linked roles, and how do SCPs interact with them?
A
Service-linked roles enable other AWS services to integrate with AWS OUs. SCPs do not affect service-linked roles’ permissions; they continue to function as designed.
10
Q
What happens if SCPs are disabled at the root account level?
A
If SCPs are disabled at the root account level, all SCPs are automatically detached from OUs under that root account. If re-enabled, accounts under that root revert to full AWS Access (default).
11
Q
What is the similarity between SCPs and IAM permissions boundaries?
A
Both SCPs and IAM permissions boundaries require an explicit “allow.” If not explicitly allowed, access is denied.
12
Q
What is the key principle of “Allow vs. Deny” in IAM policies?
A
If any “Deny” statement is present in a policy, it takes precedence over “Allow” statements. Default behavior is to deny all resources, and “Allow” statements are needed to grant permissions.
13
Q
What does LDAP stand for, and what is its purpose?
A
LDAP stands for Lightweight Directory Access Protocol. It is a software protocol used for locating data about organizations, individuals, and resources in a network.
14
Q
What is Identity Federation?
A
Identity Federation is a system of trust between two parties for authenticating users and conveying information needed to authorize their access to resources.
15
Q
What types of entities can be included in AWS user groups?
A
AWS user groups can only contain users. They do not include other types of entities.
16
Q
What is the difference between S3 Bucket Policies and Access permissions?
A
S3 Bucket Policies are used to add or deny permissions across some or all S3 objects in a bucket for central management. Access permissions grant users access to S3 resources. Bucket policies can restrict based on conditions like request time, SSL usage, and requester IP address.
17
Q
What type of access control is provided by IAM Policies, ACLs, and Bucket Policies?
A
IAM Policies: User-level control.
ACLs (Access Control Lists): Account-level control.
Bucket Policies: Both account-level and user-level control.
18
Q
What is the IAM Credentials Report used for?
A
The IAM Credentials Report is a security tool that lists all AWS accounts, IAM users, and the status of their various credentials. It is used for auditing permissions at the account level.
19
Q
What is the purpose of IAM Access Advisor?
A
IAM Access Advisor shows the service permissions granted to a user and when those services were last used. It helps in revising policies at the user level.
20
Q
What is the AWS Policy Simulator used for?
A
The AWS Policy Simulator is used to test and troubleshoot IAM policies that are attached to users, user groups, or resources.
21
Q
What is IAM Access Analyzer used for?
A
IAM Access Analyzer is a service used to identify unintended access to resources in an organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity to avoid security risks.
22
Q
What is Amazon Cognito, and what is its role?
A
Amazon Cognito is a web identity federation service and identity broker that handles interactions between applications/resources and web Identity Providers (IdPs). It helps with user authentication and authorization.
23
Q
What is a User Pool in Amazon Cognito?
A
A User Pool is user-based and handles user registration, authentication, and account recovery in Amazon Cognito. It is compatible with various Identity Providers (IDPs).
24
Q
What is an Identity Pool in Amazon Cognito?
A
An Identity Pool receives an authentication token to authorize access to resources directly or through the API Gateway. It maps to IAM roles and has default roles for authenticated/guest users.
25
What is AWS Resource Access Manager (RAM) used for?
AWS Resource Access Manager is used to share AWS resources that you own with other AWS accounts, either within the same Organizational Unit (OU) or any AWS account. It helps avoid resource duplication.
26
What can be shared using AWS RAM?
AWS RAM can be used to share resources like VPC subnets, AWS Transit Gateway, Route 53 Resolver Rules, and License Manager Configurations across accounts using Private IPs.
27
What is the purpose of AWS API Gateway?
AWS API Gateway serves as a front door to AWS resources, enabling users to access Lambda functions, EC2 instances, DynamoDB, and more. It offers caching for improved performance, throttling, low cost, scalability, CORS support, and handles security with authentication through Cognito User Pools and authorization with IAM.
28
What types of certificates are used for HTTPS security integration with AWS API Gateway?
For Edge-Optimized deployments, certificates are in the US-East-1 region. For Regional deployments, certificates are in the API Gateway region. Custom domain names for HTTPS integration can be set up using AWS ACM (AWS Certificate Manager).
29
What are the differences between Application Load Balancer (ALB) and Elastic Load Balancer (ELB/CLB)?
ALB is best suited for load balancing HTTP(s) traffic at the layer 7 (WebSockets) and has static DNS names. ELB/CLB are legacy load balancers that can handle HTTP(s) and strict Layer 4 load balancing for TCP protocols. They have static DNS names and support sticky sessions via cookies.
30
What is the purpose of Route 53 Health Checks?
Route 53 Health Checks are used to monitor the health of endpoints, such as applications, servers, or other AWS resources. They work with routing policies like weighted routing, latency-based routing, geolocation, and multivalue routing, helping to detect and respond to endpoint health issues.
31
What does AWS Global Accelerator offer?
AWS Global Accelerator provides Anycast/static IP addresses for global users, optimizing application availability and performance. It routes user traffic to the nearest endpoint based on performance, location, and policies. It's suitable for non-HTTP use cases like gaming (UDP), IoT (MQTT), and VOIP.
32
What is the primary function of CloudFront in AWS?
CloudFront is a serverless service that scales, saves network bandwidth, and delivers entire websites, including dynamic, static, streaming, and interactive content using a global network of edge locations. It improves website performance by caching content and serving it from the nearest edge location to users.
33
What is the difference between Unicast IP and Anycast IP?
Unicast IP is where each server has a unique IP address, while Anycast IP is where multiple servers share the same IP address, and the client is routed to the nearest server using that IP.
34
What is the purpose of AWS PrivateLink?
AWS PrivateLink allows the exposure of a VPC service to other VPCs without using VPC peering. It provides a secure and private connection between VPCs, eliminating the need for public internet access.
35
What is the primary use case for AWS Direct Connect?
AWS Direct Connect is used to establish a dedicated network connection between on-premises data centers and AWS VPCs. It is ideal for high-throughput workloads and provides a reliable and secure connection to AWS resources.
36
How are IP addresses divided using CIDR notation?
CIDR (Classless Inter-Domain Routing) notation divides IP addresses into subnets by specifying the number of bits used for the network and host portions of the address. For example, /24 means the first 24 bits are for the network, and the remaining 8 bits are for hosts.
37
What is the main purpose of AWS Global Accelerator?
AWS Global Accelerator is a network service that improves the availability and performance of applications for global users. It provides Anycast/static IP addresses to create a fixed entry point, routes traffic to the optimal endpoint based on performance, and offers fast failover for disaster recovery.
38
What is the key difference between AWS Global Accelerator and Amazon CloudFront?
AWS Global Accelerator is designed to improve the performance of applications using TCP/UDP, making it suitable for non-HTTP use cases like gaming and IoT. Amazon CloudFront, on the other hand, is a content delivery service that caches and delivers website content, including dynamic and static content, at edge locations.
39
How does Route 53 handle DNS routing and domain registration?
Route 53 is an AWS service for DNS routing and domain registration. It manages DNS records, including A, AAAA, CNAME, MX, and PTR records, and allows you to route traffic based on routing policies such as simple, weighted, latency, geolocation, and more.
40
What is the primary purpose of Route 53 Health Checks (HC)?
Route 53 Health Checks are used for failover in services like Application Load Balancers (ALB) by monitoring the health of endpoints (e.g., applications, servers). If an endpoint fails the health check, traffic is redirected to healthy endpoints.
41
What is the difference between Unicast IP and Anycast IP?
Unicast IP assigns a unique IP address to each server, whereas Anycast IP assigns the same IP address to multiple servers, routing traffic to the nearest one. Anycast IP is used to create a fixed entry point, as in AWS Global Accelerator.
42
What does the Route 53 Resolver service do?
Route 53 Resolver allows connectivity between AWS infrastructure and external DNS resolvers. It can automatically answer DNS queries for local VPC domain names and be configured to integrate with on-premises DNS resolvers.
43
How can AWS Direct Connect benefit organizations?
AWS Direct Connect provides a dedicated network connection between on-premises data centers and AWS VPCs, reducing network costs, increasing bandwidth, and ensuring a more reliable and secure connection to AWS resources.
44
What are some common DNS types used in Route 53?
Common DNS types in Route 53 include SOA records, NS records, A records, MX records, and PTR records, each serving a specific purpose in DNS management.
45
What is the purpose of CIDR notation in networking?
CIDR (Classless Inter-Domain Routing) notation is used to specify IP address ranges and subnet masks. It allows for more flexible allocation of IP addresses and efficient use of address space.
46
How many VPCs are allowed per AWS region by default?
By default, AWS allows up to 5 Virtual Private Clouds (VPCs) per region.
47
How many subnets are allowed per VPC in AWS?
AWS allows up to 200 subnets per VPC. Subnets are used to segment a VPC into smaller network segments.
48
What does the notation "/32" represent in CIDR?
The notation "/32" in CIDR represents a subnet mask where no octet of the IP address changes. It effectively specifies a single IP address.
49
In CIDR notation, what does "/0" represent?
In CIDR notation, "/0" represents a subnet mask where all octets of the IP address can change, effectively representing all possible IP addresses.
50
How many IP addresses are available in a subnet with a CIDR notation of "/29"?
A subnet with a CIDR notation of "/29" provides 8 IP addresses. Two of them are reserved for network address and broadcast address, leaving 6 usable IP addresses.
51
Why does AWS reserve certain IP addresses within a VPC's CIDR block for each subnet?
AWS reserves certain IP addresses, such as the first 4 and the last 1, in each subnet for specific purposes, including the VPC router, Amazon provided DNS mapping, and future use. These addresses are not available for user allocation.
52
What is the purpose of CIDR notation in AWS security group (SG) rules?
CIDR notation is used in AWS security group rules to define IP address ranges that are allowed or denied access to resources. SG rules specify which IP addresses or CIDR blocks can communicate with AWS resources.
53
What is an EC2 On-Demand Instance, and how is it billed?
An EC2 On-Demand Instance is a pay-as-you-go instance where you are billed by the second for instances launched after the first minute of usage.
54
What is an EC2 Savings Plan Instance, and what are the available commitment terms?
An EC2 Savings Plan Instance allows you to commit to a certain amount of usage for 1 or 3-year terms. Any usage beyond the commitment is billed at the On-Demand rate.
55
What is an EC2 Reserved Instance, and how does it differ from a Savings Plan?
An EC2 Reserved Instance is a commitment to a consistent instance configuration for 1 or 3 years. It is great for cost optimization and can be shared across AWS Organization accounts. It cannot be used for existing server-bound software licenses.
56
What is an EC2 Convertible Reserved Instance, and when is it a good choice?
An EC2 Convertible Reserved Instance is one of the reserved instance purchasing options that offers flexibility. It is suitable for long workloads with the ability to change instance type, family, OS, scope, and tenancy during the reservation term.
57
What are EC2 Dedicated Instances, and how do they differ from Dedicated Host Instances?
EC2 Dedicated Instances run on hardware dedicated to a customer's use within a VPC but may share hardware with other instances from the same AWS account. Dedicated Host Instances run on physical servers dedicated entirely to a customer's use and allow the use of existing server-bound software licenses.
58
What is an EC2 Spot Instance, and when is it most cost-effective?
An EC2 Spot Instance is the most cost-efficient EC2 instance type, offering up to 90% off the On-Demand rate. It is suitable for workloads with flexible start/end times, such as batch jobs and data analysis.
59
What are EC2 Spot Fleets, and what strategies can be used to allocate Spot Instances?
EC2 Spot Fleets are sets of Spot Instances and optional On-Demand Instances. Strategies for allocating Spot Instances include Lowest Price (cost optimization), Diversified (availability), and Capacity Optimized (optimal capacity).
60
What are EC2 Spot Blocks (Spot Duration), and how do they differ from regular Spot Instances?
EC2 Spot Blocks allow you to "block" spot instances for a specified time frame (1 to 6 hours) without interruptions. In rare situations, Spot Blocks may be reclaimed. They are not available to new customers.
61
How are EC2 Security Group (SG) configurations defined?
EC2 Security Group (SG) configurations specify source (inbound rules) or destination (outbound rules) for network traffic. They can be defined using single IPv4/IPv6 addresses, CIDR blocks, Prefix List IDs for AWS services, or references to other SGs.
62
What is a Cluster Placement Group in EC2, and what are its characteristics?
A Cluster Placement Group in EC2 clusters instances into a low-latency group within a single Availability Zone (AZ). It offers high network speeds and low latency. If the underlying rack fails, all instances within the group can fail simultaneously. Use cases include big data jobs and applications requiring low latency and high network throughput.
63
What is a Partition Placement Group in EC2, and what are its characteristics?
A Partition Placement Group in EC2 spreads instances across different partitions within an AZ. Each partition relies on different sets of racks, and instances within one partition do not share racks with instances in other partitions. It can scale to hundreds of instances per group and supports up to 7 partitions per AZ, spanning multiple AZs. Use cases include distributed and replicated workloads such as HDFS, HBase, Cassandra, Kafka, and Hadoop.
64
What is a Spread Placement Group in EC2, and what are its characteristics?
A Spread Placement Group in EC2 spreads instances across underlying hardware to reduce the risk of simultaneous failures. It can have a maximum of 7 instances per group per AZ and can span multiple AZs. Instances in a Spread Placement Group are isolated from each other, making it suitable for critical applications requiring isolation from each other.
65
What happens to EC2 instances in terms of recovery after a failure?
In EC2, after a failure, instances can recover with the same private IP, public IP, elastic IP, metadata, placement group, and instance ID.
66
What is EC2 User Data, and how is it used?
EC2 User Data is used to perform automated, dynamic configuration tasks and run scripts after an instance starts. It can be passed as shell scripts or cloud-init directives during instance launch. By default, user data runs only during the initial boot cycle, but configurations can be updated to run them every time an instance is restarted.
67
What is EC2 Hibernate, and what are its benefits?
EC2 Hibernate allows instances to preserve their in-memory state, resulting in faster boot times as the OS is not stopped and restarted. The memory state is written to a file in the root EBS volume, which must be encrypted. Hibernate is available for On-Demand, Reserved, and Spot Instances and is useful for long-running processing and services with long initialization times. However, it cannot be used beyond 60 days.
68
What is the Elastic Fabric Adapter (EFA), and what is it used for?
The Elastic Fabric Adapter (EFA) is a networking solution designed to improve network performance for high-performance computing (HPC) workloads on AWS. It is specifically designed for Linux instances and tightly coupled workloads, leveraging the MPI standard. EFA bypasses the underlying Linux OS to provide low-latency and reliable transport for inter-node communications.
69
What are the benefits of EC2 Enhanced Networking?
EC2 Enhanced Networking offers higher bandwidth, higher packets per second (PPS), and lower latency compared to standard networking options. It provides two options: ENA (Elastic Network Adapter) with up to 100 Gbps bandwidth and Intel 82599VF with up to 10 Gbps bandwidth (legacy).
70
What are the different AWS Scaling Policies, and how do they work?
AWS Scaling Policies include:
Dynamic Scaling: This includes Target-Tracking scaling, which adjusts the capacity based on a target metric (e.g., maintaining a specific CPU utilization).
Simple/Step Scaling: This allows you to define specific scaling steps triggered by CloudWatch alarms (e.g., adding or removing instances based on CPU utilization thresholds).
Scheduled Actions: Scheduled scaling based on known usage patterns (e.g., increasing capacity at specific times).
Predictive Scaling: Continuous forecasting of load and scheduled scaling ahead.
71
What is scaling cooldown in AWS Auto Scaling?
Scaling cooldown is a period following a scaling action during which AWS Auto Scaling does not initiate any further scaling actions. The default cooldown period is 300 seconds. It helps prevent rapid and potentially unnecessary scaling actions that could occur if further changes in load occur immediately after a scaling action.
72
What is the difference between Amazon EC2 Auto Scaling and AWS Auto Scaling?
Amazon EC2 Auto Scaling is a service specifically focused on managing EC2 instances, allowing you to automatically launch or terminate instances based on configuration parameters or schedule. It relies on predictive scaling for determining resource capacity.
AWS Auto Scaling is a centralized service that can manage scaling for various AWS resources, including EC2 instances, spot fleets, Auto Scaling groups, ECS, DynamoDB, and RDS based on utilization targets or metrics. It introduced scaling plans to manage resource utilization efficiently.
73
How does EC2 Auto Scaling handle the termination of instances?
EC2 Auto Scaling follows a specific termination precedence:
Determine which Availability Zone (AZ) has the most instances and at least one unprotected instance.
Determine which instances to terminate to align the remaining instances with the allocation strategy for the on-demand or spot instances being terminated.
Determine if the instance uses the oldest launch template or launch configuration, and choose instances using the old version.
If multiple unprotected instances are to terminate, determine which instances are closest to the next billing hour.
74
What is Amazon Elastic Container Registry (ECR) and what are its key features?
Amazon Elastic Container Registry (ECR) is a private and public container image registry service provided by AWS. Key features include:
Storage for container images.
Backed by Amazon S3.
Access control using IAM.
Integration with ECS, EKS, and Fargate.
Support for vulnerability scans, versioning, image tags, and image lifecycle management.
75
What are the two launch types available in Amazon ECS, and how do they differ?
Amazon ECS offers two launch types:
Amazon EC2: In this launch type, tasks are run on EC2 instances. It can use EFS volumes but not EBS volumes.
AWS Fargate: Fargate allows you to run tasks without the need to manage underlying EC2 instances. It supports EFS volumes, FSx for Windows, docker volumes, or bind mounts for storage.
76
What is the purpose of Amazon ECS Autoscaling target tracking metrics, and can they be triggered by EventBridge rules or schedules?
Amazon ECS Autoscaling uses target tracking metrics, such as ECSSVCAVECPU (Average CPU usage) and ECSSVCAVEMEM (Average memory usage), to automatically adjust the number of tasks in a service based on a target metric. These metrics can indeed be scaled in/out based on EventBridge-invoked rules or schedules.
77
What roles are involved in IAM for Amazon ECS, and how are they used?
In Amazon ECS, there are two key IAM roles:
EC2 Instance Profile (EC2 only): Used by the ECS agent running on EC2 instances to make API calls to the ECS service, send container images from ECR, and reference sensitive data in Secrets Manager or SSM Parameter Store.
ECS Task Role: Allows each ECS task to have a specific IAM role, enabling different roles for different ECS services. The task role is defined in the task definition.
78
What are the different ways to manage nodes in Amazon EKS, and what are the options for node types?
In Amazon EKS, you can manage nodes using the following methods:
Managed Node Groups: EKS creates and manages nodes (EC2 instances) for you. Supports On-Demand or Spot Instances.
Self-Managed Nodes: Nodes created and managed by you, registered with the EKS cluster. Supports On-Demand and Spot Instances. You can use prebuilt AMIs like the Amazon EKS Optimized AMI.
79
What are the characteristics and use cases of AWS Lambda (λ)?
AWS Lambda is a serverless compute service with the following characteristics:
Serverless backend that can run code in response to events.
Free tier includes 1 million requests and 400,000 GB-seconds of compute time.
Billed per 1,000,000 requests and duration of memory usage.
Supports up to 10 GB of RAM.
Environment variables for configuration.
No out-of-the-box caching.
Regionally based with no time limit (unlike Lambda).
Concurrency executions limit (default 1000, adjustable)
80
What is AWS Fargate, and how does it work?
AWS Fargate is a serverless compute engine for containers that allows you to run containers without managing the underlying infrastructure. AWS runs ECS tasks for you based on the CPU and memory requirements you specify. Fargate provides VPC isolation, storage resources, and has no time limit like AWS Lambda. It supports EFS for storage but does not support mounting EBS volumes.
81
What is AWS CloudTrail, and what does it monitor and record?
AWS CloudTrail is a service that monitors and records account activity across AWS infrastructure. It provides governance, compliance, and audit capabilities for AWS accounts. It records a history of events and API calls within your AWS account.
82
What are the two types of CloudTrail events, and what is the difference between them?
CloudTrail events can be separated into two types:
Management Events: These events are enabled by default and capture management actions like creating, modifying, or deleting AWS resources.
Data Events: These events are not enabled by default due to the volume of data they generate. Data events track specific resource-level activities and can be turned on to trigger or invoke actions.
83
What is CloudTrail Insights, and how does it help detect unusual activity?
CloudTrail Insights is a feature that helps detect unusual activity in an AWS account by analyzing normal management events to create a baseline. It then continuously analyzes write events, such as S3, CloudTrail console, and EventBridge events, to detect unusual patterns that may indicate issues like inaccurate resource provisioning or bursts of AWS IAM actions.
84
How long are CloudTrail events stored by default, and what is the alternative for longer retention?
CloudTrail events are stored for 90 days by default. If you need longer retention, you can configure CloudTrail to send events to Amazon S3, where you can store and analyze them using services like Amazon Athena.
85
What is Amazon EventBridge (formerly known as CloudWatch Events), and how does it work?
Amazon EventBridge is a service that provides connectivity between events and services. It allows you to react to events from various AWS services and external sources by defining event patterns in AWS JSON rule configurations. When an event matches a rule, it can trigger actions like invoking AWS Lambda functions, sending SNS or SQS messages, or initiating other services.
86
What are Event Buses in Amazon EventBridge, and what are the types of Event Buses?
Event Buses in Amazon EventBridge are logical containers for events. There are three types of Event Buses:
Default Event Bus: Receives events from AWS services.
Partner Event Bus: Receives events from third-party SaaS partners.
Custom Event Bus: Receives events from custom applications or AWS services not integrated with the default bus.
87
What are some characteristics of Amazon SQS (Simple Queue Service)?
Amazon SQS is a distributed message queue service with the following characteristics:
Messages are stored for a configurable retention period.
Supports both standard and FIFO (First-In-First-Out) queues.
Messages are 256 KB or less in size.
Can have multiple consumers for a queue.
Supports short polling and long polling for message retrieval.
Offers a dead letter queue to capture messages that encounter exceptions or timeouts.
Provides visibility timeouts to prevent message duplication.
88
What are some characteristics of Amazon SNS (Simple Notification Service)?
Amazon SNS is a publish/subscribe messaging service with the following characteristics:
Supports pub/sub model with topics and subscriptions.
Allows filtering of messages for subscribers using filter policies.
Supports push-based data delivery to subscribers via various transport protocols.
Integrates with various AWS services and external endpoints.
Offers encryption in transit and at rest using KMS.
Supports up to 100,000 topics and 12,500,000 subscribers.
89
What is AWS Certificate Manager (ACM), and what is its primary purpose?
AWS Certificate Manager (ACM) is a service that provisions, manages, imports, and deploys public and private SSL/TLS certificates for use with AWS services and internally connected resources. Its primary purpose is to simplify the process of managing SSL/TLS certificates and automate certificate renewals.
90
What is the role of Systems Manager (SSM) Parameter Store, and how does it manage secrets?
SSM Parameter Store is used to store and manage secrets, configurations, and other sensitive information securely. It tracks parameter versions, supports encryption with AWS Key Management Service (KMS), provides notifications via EventBridge, and allows setting Time-to-Live (TTL) for parameters.
91
What are the key features of AWS Secrets Manager?
AWS Secrets Manager helps manage, retrieve, and rotate database credentials, API keys, and other secrets. It offers automatic secret generation on rotation, encryption at rest with KMS, integration with AWS services like RDS, and auditing through CloudTrail and CloudWatch.
92
What is the purpose of Amazon GuardDuty, and what types of threats can it protect against?
Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts and workloads for malicious activity. It can protect against threats such as cryptocurrency attacks, anomaly detection via machine learning, malware scanning, and suspicious activity in AWS accounts, EC2, S3, EBS, and more.
93
What does Amazon Macie do, and what types of data does it protect?
Amazon Macie is a security service that uses machine learning and natural language processing to discover, classify, and protect sensitive data stored in Amazon S3. It can protect data such as personally identifiable information (PII) and offers dashboards, reports, and alerts.
94
What are the services that AWS WAF can protect, and what is its primary use case?
AWS Web Application Firewall (WAF) can protect services such as CloudFront, API Gateway, ALB, Appsync, and Cognito User Pool. Its primary use case is to monitor and control access to web applications by defining Web ACL rules.
95
What is the purpose of AWS Shield, and how does it provide DDoS protection?
AWS Shield is a DDoS protection service that safeguards applications running on AWS against distributed denial-of-service (DDoS) attacks at layer 3 and layer 4. AWS Shield Advanced offers more advanced protections for services like ELB, EC2, CloudFront, and more.
96
What is AWS Firewall Manager, and how does it help manage security rules?
AWS Firewall Manager is a service that manages security rules across all accounts of an AWS organization. It helps manage rules for services like WAF, AWS Shield Advanced, security groups, and more. It ensures consistent security rule enforcement.
97
What is AWS Network Firewall, and what types of traffic can it inspect and protect against?
AWS Network Firewall is a firewall service that provides protection for the entire Amazon VPC, from layer 3 to layer 7. It can inspect and protect against various types of traffic, including inbound and outbound internet traffic, VPC-to-VPC traffic, Direct Connect, and Site-to-Site VPN traffic.
98
What is the role of Amazon Inspector, and how does it assess security?
Amazon Inspector is an automated security assessment service that assesses the security of AWS Lambda functions, EC2 instances, and container infrastructure. It checks for vulnerabilities, unintended network accessibility, and other security issues, providing risk scores and findings.
99
What are Security Groups (SGs), and how do they differ from Network Access Control Lists (NACLs)?
Security Groups (SGs) are stateful, instance-level firewalls that control inbound and outbound traffic. They are used to allow specific traffic to EC2 instances, load balancers, and other resources. Network Access Control Lists (NACLs) are stateless, subnet-level firewalls used to control traffic at the subnet level. SGs are typically used for more granular control, while NACLs are used for subnet-level control.
100
What is the purpose of an Internet Gateway (IGW) in a VPC?
An Internet Gateway (IGW) allows resources within a VPC to connect to the internet (IPv4/IPv6). It serves as the entry and exit point for traffic between the VPC and the internet.
101
What is Launch Configuration Tenancy, and how does it interact with VPC tenancy?
Launch Configuration Tenancy refers to the tenancy attribute of instances during their launch configuration. VPC tenancy, controlled by the tenancy attribute of the VPC, determines whether instances are shared (default), dedicated, or dedicated host. The interaction between Launch Configuration Tenancy and VPC tenancy determines the tenancy type of launched instances.
102
What types of VPC configurations can be created using the Amazon VPC console wizard?
The Amazon VPC console wizard allows you to create various VPC configurations, including:
VPC with public and private subnets.
VPC with public and private subnets and AWS Site-to-Site VPN access.
VPC with a single public subnet.
VPC with a private subnet only and AWS Site-to-Site VPN access.
103
What is the purpose of VPC Traffic Mirroring, and what can be done with captured network traffic?
VPC Traffic Mirroring allows you to capture and inspect network traffic within a VPC. Captured traffic can be routed to security appliances for analysis. You can capture traffic from source ENIs and route it to target ENIs or Network Load Balancers (NLBs). It can be used for monitoring and security analysis.
104
What is the role of Virtual Private Gateway in a VPC, and when is it necessary?
A Virtual Private Gateway (VGW) is the VPN connector on the AWS side of a VPN connection. It is created and attached to the VPC when setting up a site-to-site VPN connection to an on-premises data center. It enables encrypted network connectivity between the VPC and the on-premises network.
105
What does AWS VPN (AWS Site-to-Site VPN) provide, and how is it configured?
AWS VPN (AWS Site-to-Site VPN) establishes an ongoing VPN connection between an on-premises data center (customer gateway) and an Amazon VPC (Virtual Private Cloud). It uses IPsec to create an encrypted network connection. Configuration involves setting up a Virtual Private Gateway (VGW) and a Customer Gateway.
106
What is a Transit VPC, and how does it function?
A Transit VPC uses customer-managed EC2 VPN instances in a dedicated transit VPC to facilitate network traffic routing. It allows data transfer between VPCs but incurs data transfer costs. AWS Transit Gateway is often considered a more cost-effective and less maintenance-intensive alternative.
107
How does VPC Peering work, and what are its limitations?
VPC Peering establishes private connections between two VPCs, making them behave as if they are on the same network. It works across different AWS accounts and regions but is not transitive, meaning direct peering connections must be established between each VPC. Overlapping CIDRs are not allowed.
108
What is AWS Transit Gateway, and what advantages does it offer?
AWS Transit Gateway enables transitive peering between thousands of VPCs and on-premises data centers. It uses a hub-and-spoke model, supports multiple AWS accounts through AWS Resource Access Manager (RAM), and allows route table control to limit communication between VPCs. It works with Direct Connect and VPN connections.
109
What is AWS VPN CloudHub, and in what scenarios is it used?
AWS VPN CloudHub is used to connect multiple sites, each with its own VPN connection, over the public internet. It establishes secure network connections between customer gateways and AWS VPN CloudHub. It is cost-effective for primary and secondary network connectivity between different locations, especially in hub-and-spoke configurations.
110
What is the purpose of a NAT Gateway in a VPC, and how does it differ from a NAT Instance?
A NAT Gateway is used in a public subnet of a VPC to enable instances in private subnets to initiate outbound IPv4 traffic to the internet or other AWS services. It prevents inbound traffic from the internet. It is fully managed by AWS, tied to a specific availability zone, and uses an Elastic IP. In contrast, a NAT Instance is a user-managed EC2 instance in a public subnet serving a similar purpose but with more configuration and management requirements.
111
What are the key differences between a NAT Gateway and a NAT Instance?
Availability: NAT Gateway is highly available within an availability zone, while NAT Instances require user-managed failover scripts.
Bandwidth: NAT Gateway supports up to 45 Gbps, while NAT Instances' bandwidth depends on the EC2 instance type.
Maintenance: NAT Gateway is fully managed by AWS, while NAT Instances require user management, including software updates and patches.
Cost: NAT Gateway incurs charges based on usage and data transfer, while NAT Instances have costs associated with the EC2 instance type, size, and network costs.
Security Groups: NAT Gateway does not have associated security groups, while NAT Instances require user-managed security groups.
Bastion Host: NAT Gateway cannot be used as a bastion host, but NAT Instances can be configured for port forwarding and used as bastion hosts.
112
What is the purpose of a VPC Endpoint, and how does it differ from a public endpoint?
A VPC Endpoint allows private network connections to AWS services instead of using the public internet. It is redundant, scales horizontally, and removes the need for internet gateways or NAT gateways to access AWS services. VPC Endpoints come in two types: Interface Endpoints, which provision ENIs and support most AWS services, and Gateway Endpoints, which provision gateways and support specific services like S3 and DynamoDB. They are preferred over public endpoints for enhanced security and reduced data transfer costs.
113
What are VPC Flow Logs, and what information do they capture?
VPC Flow Logs capture information about IP traffic going into and out of network interfaces within a VPC. This includes Subnet Flow Logs and ENI (Elastic Network Interface) Flow Logs. They help monitor and troubleshoot connectivity issues. VPC Flow Logs can be stored in Amazon S3 or CloudWatch Logs and capture network information for various AWS managed interfaces, such as ELB, RDS, Elasticache, Redshift, Workspaces, NAT Gateways, and Transit Gateways.
114
What is the role of a Bastion Host/Server in a VPC, and how should its security groups be configured?
A Bastion Host or Server is an EC2 instance used to SSH into private EC2 instances within a VPC. It typically resides in the public subnet and serves as a gateway for accessing private instances. To secure a Bastion Host, its security group should allow inbound SSH traffic (port 22) only from a trusted source, such as a specific IP address or a trusted network. The security groups of private instances should be configured to allow inbound SSH access from the security group of the Bastion Host or the private IP of the Bastion Host.
115
What is an Egress-only Internet Gateway, and in what scenario is it used?
An Egress-only Internet Gateway is used in a VPC to enable instances to make outbound connections over IPv6 while preventing incoming IPv6 connections from the internet to those instances. It is used when you want to allow outbound IPv6 traffic but don't want to receive incoming IPv6 connections. It requires configuration of the VPC's route tables.
116
What is AWS CloudHSM, and what is its primary use case?
AWS CloudHSM is a dedicated Hardware Security Module (HSM) service provided by AWS. It is used to meet corporate, contractual, regulatory, and compliance requirements for secure generation, storage, and management of cryptographic keys. CloudHSM ensures that cryptographic keys are only accessible through access to a tamper-resistant hardware device. It is used within a VPC and is commonly used for database and data warehouse encryption.
117
What is EBS (Elastic Block Store), and what are its key features?
EBS is a block storage service in AWS that provides persistent storage volumes for EC2 instances. Key features include the ability to create and attach volumes to instances, take snapshots for backup, provisioned IOPS for high-performance workloads, and the ability to change volume size and storage type on the fly.
118
What are the differences between EBS-backed instances and instance-store-backed instances (AMIs)?
EBS-backed instances use Amazon Elastic Block Store (EBS) volumes for root storage and can be stopped without losing data. In contrast, instance-store-backed instances use ephemeral storage and cannot be stopped without losing data. EBS-backed instances are more flexible and durable, making them suitable for most use cases.
119
How can you encrypt EBS volumes and snapshots, and what are the benefits of using encryption?
You can encrypt EBS volumes and snapshots using AWS Key Management Service (KMS). Encrypted volumes and snapshots provide enhanced security for data at rest. Encrypted snapshots can be copied to other regions and retain their encryption.
120
What is Amazon EFS (Elastic File System), and what are its key features?
Amazon EFS is a managed file storage service that can be mounted on multiple EC2 instances. Key features include support for Linux-based instances, security group control, throughput scaling, and different performance and throughput modes.
121
What is the difference between Standard and Infrequent Access storage classes in Amazon EFS?
Standard storage class is for frequently accessed files, while Infrequent Access (EFS-IA) is for files with lower access frequency. EFS-IA offers lower storage costs but may have retrieval fees.
122
What is AWS FSx, and what types of file systems does it offer?
AWS FSx is a managed file storage service that offers high-performance file systems for specific use cases. It includes FSx for Windows File Server, FSx for Lustre, and FSx for NetApp ONTAP.
123
What is the purpose of Amazon FSx for Windows File Server, and what features does it provide?
Amazon FSx for Windows File Server is a fully managed Windows file system that supports SMB and Windows NTFS. It integrates with Microsoft Active Directory, offers ACLs, user quotas, and can be mounted on Linux EC2 instances.
124
What is Amazon FSx for Lustre, and for what types of workloads is it designed?
Amazon FSx for Lustre is a high-performance, parallel, and distributed file system designed for workloads that require fast storage to keep up with compute, such as machine learning, high-performance computing, video processing, and more.
125
What is AWS Storage Gateway, and how does it enable hybrid cloud storage?
AWS Storage Gateway is a hybrid cloud storage service that provides on-premises access to virtual cloud storage. It allows organizations to integrate on-premises environments with AWS cloud storage, supporting various protocols like NFS, SMB, and iSCSI. Cached volumes store recently accessed data locally, while volume and tape gateways back up data in the cloud.
126
What are the different types of gateways provided by AWS Storage Gateway, and what protocols do they support?
AWS Storage Gateway offers three types of gateways: File Gateway (supports NFS and SMB), Volume Gateway (supports iSCSI), and Tape Gateway (supports iSCSI for virtual tapes). Each type serves different use cases for integrating on-premises environments with AWS cloud storage.
127
What is the AWS Snow Family, and what are its key components?
The AWS Snow Family is a set of physical devices designed for data migration, edge computing, and offline data transfer. Key components include Snowball, Snowball Edge, Snowcone, and Snowmobile.
128
What is the purpose of AWS Snowball devices, and what are the available types?
AWS Snowball devices are used for offline data transfers, especially when moving large amounts of data in or out of AWS. The available types include Snowball Edge Storage Optimized, Snowball Edge Compute Optimized, and Snowcone.
129
How does AWS Snowmobile compare to other AWS Snow Family devices in terms of data transfer capacity?
AWS Snowmobile is designed for transferring exabytes of data and has a capacity of 100 PB. It is suitable for massive data transfer needs.
130
What is the role of AWS OpsHub in managing AWS Snow Family devices?
AWS OpsHub is software that allows users to manage AWS Snow Family devices, unlock and configure single or clustered devices, transfer files, launch and monitor instances, and perform various management tasks.
131
What is Amazon S3, and what is the purpose of S3 buckets?
Amazon S3 (Simple Storage Service) is a scalable object storage service offered by AWS. S3 buckets are containers for storing objects or files. They provide a way to organize and manage data within S3.
132
What are some naming conventions and restrictions for S3 buckets?
S3 bucket names must be globally unique, start with a lowercase letter or number, be between 3-63 characters long, and not contain uppercase letters, underscores, or IP addresses. They must also not start with the prefix 'xn--' or end with the suffix '-s3alias'.
133
How does versioning work in Amazon S3, and why is it useful?
Versioning in Amazon S3 allows users to preserve, retrieve, and restore every version of every object stored in a bucket. It helps in protecting against accidental deletions or modifications and provides a way to roll back to previous versions of objects.
134
What are signed URLs in Amazon S3, and what are they used for?
Signed URLs are generated URLs that grant temporary access to S3 objects. They are useful for allowing secure downloads or uploads of objects by providing time-limited access with specific permissions.
135
What are the encryption options available for Amazon S3, and how do they differ?
Amazon S3 offers server-side encryption options, including SSE-S3, SSE-KMS, and SSE-C. SSE-S3 and SSE-KMS are managed by AWS, while SSE-C allows customers to provide their own external keys. Client-side encryption is also an option, where encryption is performed by the client before sending data to S3.
136
What is CORS (Cross-Origin Resource Sharing) in Amazon S3, and how does it allow requests from different origins?
CORS is a mechanism that enables web browsers to make cross-origin requests to resources hosted in a different domain. It allows requests from different origins to access S3 resources by specifying the appropriate CORS headers (Access-Control-Allow-Origin).
