Cantril Flashcards

(58 cards)

1
Q

IAM Service-linked role

A

IAM role linked to a specific AWS service
You can’t delete the role until it’s no longer needed

2
Q

IAM PassRole Permissions

A

A user can (e.g.) create a CloudFormation stack and pass a role to it. The role may have the necessary permissions even if the user does not. The user must have permission to pass the role.

3
Q

Elastic Beanstalk Application

A

A collection of things relating to an application: code and infrastructure

3
Q

Service Control Policies

A

Account-level permissions boundaries. They do not apply to the management account.

4
Q

Source Bundle

A

Elastic Beanstalk Application Version

5
Q

Elastic Beanstalk Environment

A

Container of infrastructure and configuration for a specific application version

6
Q

EB Deployment Policy Options

A
  1. All at once
    Deploy to all at once, brief outage
    Simple, but significant limitations
  2. Rolling
    Deploy in rolling batches
    Loss in capacity during deployment
  3. Rolling with additional batch
    As above, but you pay for an additional batch so there’s no loss in capacity
    Safer, but more expensive
  4. Immutable
    New instances with new version in new autoscaling group
    When it passes its tests, the new instances are added to the original autoscaling group and the original instances are terminated
    You have to pay for double your capacity during deployment
    Lowest risk
  5. Traffic splitting
    Same as Immutable, but sends 50% of traffic to the new instances before terminating the old instances
    You can do A/B testing
    Regression path is quick

7
Q

If you have an RDS instance inside an EB environment and you want to decouple it, what are the steps?

A
  1. Create an RDS snapshot
  2. Enable delete protection
  3. Create a new DB environment with the same app version
  4. Ensure new env can connect to the DB that is now outside of EB
  5. Swap environments (CNAME or DNS)
  6. Terminate the old environment - this will try to terminate the RDS instance, but will fail because of step 2
  7. Locate the DELETE_FAILED stack in CloudFormation and manually delete the stack, choosing to retain the stuck resources

8
Q

Customize EB environments

A

CloudFormation-style format in YAML or JSON, stored in .ebextensions/*.config
option_settings lets you set options on resources

9
Q

Dockerrun.aws.json

A

Elastic Beanstalk and Docker: the file that describes how to deploy a Docker container on Elastic Beanstalk

10
Q

ECS

A

Elastic Container Service

11
Q

ECR

A

Kinda like Docker Hub: a registry that holds container images

12
Q

ECR Registry

A

Can have many repositories

13
Q

ECR Repository

A

Can have many images

14
Q

ECR Container Definition

A

Tells ECS where your container image is and what port it uses. Just enough info about the container you want to define

15
Q

ECR Task Definition

A

A task is a self-contained application. A task can have multiple container definitions inside it. It also contains the Task Role, which is an IAM role that the task can assume

16
Q

ECR Service Definition

A

How we want a task to scale. It can add availability and scalability

17
Q

ECS EC2 Mode

A

Runs within a VPC. Can take advantage of Multi-AZ
Not serverless

18
Q

ECS Fargate

A

Serverless. The user is not responsible for managing EC2 instances.
Each resource that is running your tasks and services is injected into your VPC.
You only pay for the resources you consume. You don’t manage hosts.

19
Q

Using containers

EC2, ECS with EC2, or ECS Fargate?

A

ECS

20
Q

Large consistent workload, price conscious

EC2, ECS with EC2, or ECS Fargate?

A

EC2 Mode, using Spot and Reserved Instances

21
Q

Large workload, overhead conscious, minimizing what you need to manage

EC2, ECS with EC2, or ECS Fargate?

A

Fargate

21
Q

Small / Burst workloads

EC2, ECS with EC2, or ECS Fargate?

A

Fargate

22
Q

Batch / Periodic

EC2, ECS with EC2, or ECS Fargate?

23
Q

Kubernetes

A

Container orchestration product. An automated way to manage clusters.

24
Q

K8s Pods

A

Pods can contain more than one container. Pods manage the containers within them. Usually, one container per pod.

25
Q

K8s kube-apiserver

A

The front end for the k8s control plane

26
Q

K8s etcd

A

Highly available key-value store used within the cluster. The database that is the main backing store for the cluster.

27
Q

K8s kube-scheduler

A

Constantly checks for pods with no node assigned and assigns a node to each such pod based on availability and configuration.

28
Q

EKS Three Modes

A
  1. Self-managed
  2. Managed node groups
  3. Fargate

29
Q

OpsWorks Three modes

A
  1. Puppet Enterprise - define a state and Puppet handles the rest
  2. Chef Automate - IaC
  3. OpsWorks - AWS-integrated Chef, no servers - this will be the most likely one on the test

30
Q

OpsWorks Lifecycle Events

A
  1. Setup
  2. Configure
  3. Deploy
  4. Undeploy
  5. Shutdown

31
Q

appspec.yml

A

CodeDeploy uses appspec.yml or appspec.json to deploy an application

32
Q

CodeBuild can deploy into 7 services

A
  1. EB
  2. OpsWorks
  3. CF
  4. ECS
  5. Service Catalog
  6. Alexa Skills Kit
  7. S3

33
Q

CodeDeploy lifecycle event hooks (7)

A
  1. ApplicationStop - before the app is downloaded, to prepare for the deployment
  2. DownloadBundle - when it copies the app down to a temporary location
  3. BeforeInstall - pre-installation tasks. Maybe make a backup?
  4. Install - copies the app files from the temporary location to the active location. You can't run any scripts here
  5. AfterInstall - post-install steps. Config, file permissions, licensing maybe
  6. ApplicationStart - restart any services that were stopped during the ApplicationStop event
  7. ValidateService - verify that the deployment was completed

34
Q

AWS Config

A

Records config changes over time on resources
Great for auditing of changes and compliance with standards
It's a regional service, but supports cross-region and cross-account aggregation
Changes generate SNS notifications
Once enabled, supported resources are constantly tracked by Config
Config Rules - evaluate resources against a customer-defined standard

35
Q

AWS Service Catalog

A

An admin user will create CloudFormation templates (or groups of them) and publish them as "portfolios" to AWS Service Catalog. Other users can browse these portfolios and launch the product.

36
Q

Amazon Inspector

A

Scans EC2 instances and their OS, and containers, to detect vulnerabilities and deviations from best practice

37
Q

Amazon Inspector two types

A
  1. Network Assessment (agentless)
  2. Network and Host Assessment (agent, because it would need access to the instance)

38
Q

CVE

A

Common Vulnerabilities and Exposures. A rules package that can be used by Amazon Inspector

39
Q

CIS

A

Center for Internet Security (CIS) Benchmarks. A rules package that can be used by Amazon Inspector

40
Q

Amazon Inspector Rules Package: Security best practices for Amazon Inspector checks what 4 things

A
  1. Disable root login over SSH
  2. Using only modern protocol versions for SSH
  3. Password complexity checks
  4. Permissions on certain folders

41
Q

AWS GuardDuty

A

Continuous security monitoring service
Analyzes supported data sources
Uses AI/ML, plus threat intelligence feeds
Identifies unexpected and unauthorized activity

42
Q

AWS Trusted Advisor

A

It compares what you have to what you should have, according to AWS best practices

43
Q

AWS Trusted Advisor checks what 5 major areas

A
  1. Cost Optimization
  2. Performance
  3. Security
  4. Fault Tolerance
  5. Service Limits

44
Q

AWS Trusted Advisor 7 core checks (Basic and Developer support plans)

A
  1. S3 Bucket Permissions
  2. Security Groups - Specific Ports Unrestricted
  3. IAM Use
  4. MFA on Root Account
  5. EBS Public Snapshots
  6. RDS Public Snapshots
  7. 50 service limit checks (checks for >80% of service limits)

45
Q

AWS Trusted Advisor Business and Enterprise Support checks what

A
  1. The 7 core checks
  2. 115 further checks
  3. Access to the AWS Support API. If you want to test for approaching service limits and automatically request an increase, you'll need Business or Enterprise level support
  4. CloudWatch integration - reacts to changes

46
Q

Route 53 ARC (Application Recovery Controller)

A

Simplifies and automates the recovery of applications deployed across multiple Availability Zones (AZs) and Regions. It enhances application resilience by managing failover and recovery processes during outages

47
Q

Amazon FSx for NetApp ONTAP

A

A fully managed AWS service that delivers reliable, scalable, and high-performing file storage using NetApp's ONTAP file system. It supports Linux, Windows, and macOS instances both in AWS and on-premises, offering sub-millisecond latencies and SSD-level performance while optimizing costs through automatic data tiering

48
Q

Web Access Control List (Web ACL)

A

Apply one of these to a resource to protect it with WAF.

49
Q

WebACL Rule Types (2)

A
  1. Regular (e.g. an IP address that can access port 22)
  2. Rate-based (e.g. the same IP address tries to connect 5000 times in 5 minutes)

50
Q

Web Application Firewall applies to what 4 services

A

CloudFront, ALB, AppSync, API Gateway

51
Q

WebACL Rules can match on what 10 things

A
  1. Origin country
  2. IP
  3. Label
  4. Header
  5. Cookies
  6. Query parameter
  7. URI path
  8. Query string
  9. Body (only first 8192 bytes)
  10. HTTP method

52
Q

WebACL Actions (6)

A
  1. Allow (not valid for rate-based)
  2. Block
  3. Count - just counts the request
  4. CAPTCHA
  5. Custom response (uses a header with this prefix: x-amzn-waf-)
  6. Label - can pass info to a subsequent rule

53
Q

AWS Network Firewall Rule Groups contain what information

A
  1. Type: either stateless or stateful
  2. Processing order and default action
  3. Rules: evaluate to PASS, DROP, or FORWARD

54
Q

AWS Network Firewall Rule has what 5 inputs

A

Protocol, source CIDR, destination CIDR, source port, destination port

55
Q

AWS Network Firewall Rule has what 4 possible outputs

A
  1. Pass
  2. Drop
  3. Forward
  4. Custom

56