CCP Flashcards

1
Q

Describe the Shared Responsibility Model

A

The CUSTOMER is responsible for security in the cloud (customer data, OS, networking, configuration, encryption, client-side data).

AWS is responsible for the security of the cloud (regions, hardware, availability zones, internal networking, storage, database and compute infrastructure).

2
Q

Describe IAM (Identity and Access Management)?

A

users and groups only.

groups can only contain users, not other groups.

users can be a part of multiple groups.

3
Q

What is an IAM Policy?

A

a JSON snippet that consists of: a generic version, ID to identify the policy, and a statement to allow or deny access applied to a principal (account, user, or role).

4
Q

Name the 3 options to access AWS

A
  1. AWS Management Console: password and MFA
  2. AWS Command Line Interface (CLI): protected by access keys; used via CloudShell, a terminal, scripts, or directly via the public APIs
  3. AWS Software Development Kit (SDK): embedded within code, protected by access keys

5
Q

What is an access key made of?

A

Access Key ID = username
Secret Access Key = password

6
Q

What is an IAM role used for?

A

Allow an AWS service to perform actions on your behalf

7
Q

How do you audit user security?

A

IAM Credential Reports (account-level) and IAM Access Advisor (user level)

8
Q

General purpose of an EC2 instance

A

EC2 = Elastic Compute Service = infrastructure as a service

Gives companies the ability to rent virtual machines

9
Q

what service allows you to store data on virtual machines tied to EC2 instances?

A

EBS = elastic block store

a network drive (almost like a USB stick) that allows an instance's data to persist after termination

specific to a single instance and AZ

10
Q

what service allows you to distribute load across machines

A

ELB = elastic load balancer

11
Q

what service allows you to scale the services using an auto scaling group

A

ASG = auto scaling group

12
Q

what is an EC2 instance made of

A

AMI (OS) + Instance Size (CPU and RAM) + Storage + security groups + EC2 user data

13
Q

what is a security group

A

a firewall attached to the EC2 instance

14
Q

what is EC2 user data

A

a script launched at the first start of an instance for additional set up

15
Q

what is SSH

A

gives a user the ability to terminal into an EC2 instance usually through port 22

16
Q

what is an EC2 instance role linked to

A

IAM role

17
Q

purchasing options of EC2 instances

A

on demand
spot
reserved (standard or convertible)
dedicated host
dedicated instance

18
Q

how do you move an EBS volume to a new AZ

A

EBS Snapshot

19
Q

what is an AMI

A

AMI = Amazon Machine Image

customized operating system (OS) of an EC2 instance built for a specific region with config, monitoring, etc

AMIs can be provided by AWS, or you can make and maintain your own

20
Q

how do you automate the creation of virtual machines or container images

A

EC2 Image Builder

21
Q

what’s an alternative to EC2 Instance, why and potential use cases of alternative

A

EC2 Instance Store

EC2 instances are naturally larger and slower, as Instance Store uses higher-performing hardware disks

Good for buffers, caches, scratch data and temporary content

22
Q

what’s an alternative to EBS and why

A

EFS = Elastic File System

a single EFS can be used across multiple AZs and mounted (EFS Mount Target) to 100s of EC2 instances. Highly available, scalable and expensive (pay per use)

23
Q

what is a better storage class for EFS, why and how do you use it

A

EFS-IA

lowers costs compared to EFS for files not accessed every day

EFS will automatically move files to EFS-IA based on lifecycle policy (i.e., last time the files were accessed)

24
Q

what are 3 fully managed 3rd party high-performance file systems on AWS

A

FSx for Windows File Server = Windows-native (on prem and cloud)

FSx for Lustre = high performance computing (HPC), tons of data. great for ML, analytics, video processing, financial modeling, etc

FSx for NetApp

25
Q

high-level description of s3

A

allows people to store objects (files) into buckets (directories)

bucket names must be globally unique, but buckets are defined at the region level

files are accessed by unique keys within a bucket, with versioning if enabled

26
Q

how do you secure s3 and examples if necessary

A

user-based: allow access via API for specific IAM users

encrypt objects in s3 using encryption keys

resource-based via:
- bucket policy: blanket rules for s3 across accounts
- object access control list (ACL): finer level of security
- bucket access control list (ACL): less common, but finer than a bucket policy

note: an IAM principal can access an s3 object if the user's/group's permissions ALLOW it OR the resource policy ALLOWS it, AND there is no explicit deny

27
Q

what can be used to host a static website accessible to the internet

A

S3

28
Q

where is s3 versioning enabled

A

enabled at the **bucket level**

you can version files stored in s3 if the file has the same key

important to note: any file that is not versioned prior to enabling versioning will have version "null", and suspending versioning does not delete the previous versions

29
Q

what are the two types of s3 replication and give uses

A

first of all, versioning must be enabled and you still have to give proper IAM permissions to s3
1. CRR = cross region replication. use cases: compliance, lower latency access, replication across accounts
2. SRR = same region replication. use cases: log aggregation, live replication between production and test accounts

30
Q

can files in storage classes be moved manually or by lifecycle policies

A

yes

31
Q

attributes of s3 standard - general purpose

A

Quickly accessible, low latency, high throughput. good for: big data, gaming, content distribution

32
Q

attributes of s3 infrequent access (IA)

A

standard-IA: for less frequently accessed data that requires rapid access when needed; great for DR
one zone-IA: same as above, but in a single AZ, so data is lost if the AZ is destroyed; good for secondary backups or data you can recreate
obviously lower cost than s3 standard

33
Q

what is the lowest cost storage class of s3

A

glacier storage classes, there are 3 of them:
amazon s3 glacier instant retrieval: millisecond retrieval, great for data accessed once a quarter
amazon s3 glacier flexible retrieval: min storage duration is 90 days
amazon s3 glacier deep archive: for long term, greater than 180 days

34
Q

how can you automatically move s3 objects to better storage

A

s3 intelligent tiering. there are no retrieval charges.

35
Q

how can you analyze who has access to your s3 buckets

A

IAM Access Analyzer. evaluates s3 buckets, s3 ACLs, s3 access point policies.
36
Q

why does the snow family exist?

A

they're portable devices to collect and process data at the edge OR migrate data into and out of AWS, to overcome challenges related to limited connectivity, bandwidth, high network costs or connection stability

great for anything that takes more than a week to transfer

37
Q

what services are a part of the snow family specific to data migration? give an example.

A

1. Snowcone: small portable device built to withstand **harsh environments**. must provide own battery and cables. can be sent back to AWS offline, or connect it to the internet and use AWS DataSync to send data.
2. Snowball Edge: physical data transfers to move TB or PB. large data cloud migrations, disaster recovery.
3. Snowmobile: an actual truck to move exabytes of data. great for anything over 10 PB.

38
Q

what services are a part of the snow family specific to edge computing? give an example.

A

1. Snowcone: small portable device built to withstand harsh environments. must provide own battery and cables. can be sent back to AWS offline, or connect it to the internet and use AWS DataSync to send data.
2. Snowball Edge: physical data transfers to move TB or PB. large data cloud migrations, disaster recovery.

39
Q

what is an option to maintain hybrid cloud storage?

A

AWS Storage Gateway can be a bridge between on-premises and cloud data. specifically, on-prem files, volumes and tapes can be bridged via Storage Gateway to EBS, s3, Glacier

40
Q

what desktop application do you use to manage snow family devices

A

OpsHub

41
Q

What service is a relational database and what query language?

A

Amazon RDS. SQL.

42
Q

Why RDS over deploying a database on EC2?

A

Many reasons, but the number 1 is that RDS is a managed service, which means we don't have to manage the database: AWS will automate provisioning, OS patching, monitoring dashboards, scaling capability, multi-AZ DR, the list goes on. storage backed by EBS
43
Q

what is the one disadvantage of RDS vs EC2

A

you can't SSH into your instance

44
Q

what is Aurora? what are the advantages

A

Amazon's proprietary RELATIONAL database technology that supports PostgreSQL and MySQL

3-5x improved performance over RDS

there's also an Amazon Aurora Serverless option that takes no upfront planning or overhead; good for infrequent, intermittent, unpredictable workloads

45
Q

caches are in-memory databases with high performance and low latency. what service is useful here?

A

ElastiCache. Helps reduce load off databases for read-intensive workloads.

46
Q

what service is a high performing non-relational database?

A

DynamoDB is a serverless NoSQL database capable of handling massive workloads with single-digit millisecond latency

47
Q

How do you improve DynamoDB performance

A

use a fully managed in-memory cache called DynamoDB Accelerator (DAX)

48
Q

What database service is great for OLAP (online analytical processing, analytics and data warehousing)? and what are some key attributes?

A

Redshift. Based on PostgreSQL. used for OLAP and not OLTP. scales to PB of data, which is why data and BI teams love it. there is a serverless option for this as well

49
Q

What service creates Hadoop clusters to analyze and process a ton of data

A

Amazon EMR (Elastic MapReduce). Fully managed service for data processing, machine learning, web indexing.

50
Q

what service queries and analyzes s3 objects

A

Amazon Athena. Serverless query service using standard SQL.

51
Q

what is Amazon QuickSight?

A

serverless machine learning-powered BI service to create interactive dashboards. integrated with RDS, Aurora, Athena, Redshift, S3, etc

52
Q

what is AWS's version of MongoDB (NoSQL database)

A

DocumentDB. used to store, query, and index JSON data.

53
Q

what's a great service to manage graph databases (interconnected network)? what are some use cases?

A

Amazon Neptune. knowledge graphs (wikipedia), fraud detection, recommendation engines, social networking

54
Q

what is a serverless time series database? what is it capable of?

A

Amazon Timestream. store and analyze trillions of events per day with built-in time series analytics functions (to identify patterns in the data in near real-time)

55
Q

what service provides ledger services

A

Amazon QLDB (Quantum Ledger Database). immutable review of all changes made to an application over time.
56
Q

what is an ETL service

A

AWS Glue. useful for preparing and transforming data for analytics

57
Q

what service supports quick and secure migration of databases to AWS; resilient, self-healing

A

DMS. Database Migration Service.

58
Q

what is docker? what service comes into play here?

A

docker = platform to deploy apps that are packaged in containers that can be run on any OS (the app will run the same regardless of where it's run)

Amazon ECS (Elastic Container Service).

59
Q

How is Fargate different than ECS?

A

ECS requires the EC2 instances to be created already. Fargate is serverless: put a new container into Fargate and Fargate handles the rest.

60
Q

where do you store docker images on AWS?

A

Amazon ECR (Elastic Container Registry).

61
Q

as an alternative to EC2, for short functions?

A

AWS Lambda. no servers to manage, run on demand with autoscaling, and event-driven.

62
Q

Fully managed serverless service for developers to easily create, publish, maintain, monitor and secure APIs

A

Amazon API Gateway

63
Q

For people with little cloud experience who would like to stand up cloud infra, what would they use?

A

Amazon Lightsail. great use case: simple web applications. Has high availability, but no auto-scaling and limited AWS integrations.

64
Q

what is CloudFormation

A

a declarative way to outline AWS infrastructure in the order you specify. no infra as code, each resource is automatically tagged. there are existing templates out there too.

65
Q

what allows you to define your cloud infrastructure using a familiar language

A

AWS Cloud Development Kit. offers the ability to deploy infrastructure and application runtime code together.

66
Q

what is Elastic Beanstalk

A

managed service for developers to create end-to-end applications. just the application is the responsibility of the developer. managed service = instance config, OS, capacity provisioning, load balancing and auto scaling, application health, etc.
67
Q

orchestrate steps to have code automatically pushed to production

A

AWS CodePipeline

67
Q

hybrid service to automatically deploy applications

A

AWS CodeDeploy

68
Q

code repository for developers to store code

A

CodeCommit

68
Q

code building service that compiles source code, runs tests and produces packages that are ready to be deployed

A

AWS CodeBuild

69
Q

what can be used for artifact management where developers and CodeBuild can retrieve dependencies?

A

AWS CodeArtifact

70
Q

Cloud IDE for writing, running and debugging code within the web browser.

A

AWS Cloud9

71
Q

What helps you manage your EC2 and on-prem systems at scale with no SSH keys or port 22 needed

A

AWS Systems Manager (SSM).

72
Q

How do you store secrets, passwords and private config?

A

AWS Systems Manager Parameter Store

73
Q

Managed DNS, and list the policies

A

Route53.
Simple
Weighted: distribute traffic across servers
Latency: allow users to talk to the server closest to them
Failover Routing Policy: health check and send traffic to healthy servers

74
Q

What can prevent DDoS attacks?

A

AWS CloudFront. Integrated with Shield and AWS Web Application Firewall

75
Q

Why is AWS CloudFront valuable?

A

Improves read performance; content is cached at the edge. Great for dynamic content that needs to be available at low latency in a few regions.

76
Q

describe AWS Outposts

A

server racks that offer the same AWS infrastructure, services, APIs and tools to build your own applications on-premises. set up and managed by AWS, but the customer is responsible for the physical rack.

77
Q

Infrastructure deployments embedded within telecommunications providers' data centers at the edge of the 5G networks

A

AWS Wavelength. Bringing AWS services to the edge of the 5G network.

78
Q

what is a subset of a region called? Give an example.

A

AWS Local Zone. AWS Region is us-east-1 and the local zones are Boston, Chicago, Dallas, Houston, Miami
79
Q

in the context of global application architecture, describe the 4 types.

A

Single, Single: single region, single AZ
Single, Multi: single region, multi AZ
Multi, Active-Passive: multi region, read/write for some servers and read only for the others
Multi, Active-Active: multi region, read/write everywhere

80
Q

what are the three different cloud integration patterns to decouple your applications

A

1. Amazon SQS: queue model, messages deleted after they're read, with FIFO
2. Amazon SNS: pub/sub model, perfect for sending one message to many receivers
3. Kinesis: real-time streaming

they all can scale independently of your application

81
Q

what if a company is migrating to the cloud and doesn't want to use SQS or SNS; what else could they use to run on-prem servers?

A

Amazon MQ. a managed message broker service for RabbitMQ and ActiveMQ

82
Q

what provides metrics and alarms for every service in AWS

A

Amazon CloudWatch and Amazon CloudWatch Alarms

83
Q

How could you collect EC2 logs for cloud and on-prem servers?

A

Amazon CloudWatch Logs

84
Q

Conceptually, what is Amazon EventBridge

A

It gives customers the ability to schedule batch jobs, create event patterns to react to something, trigger Lambda functions, or respond to 3rd party tools.

85
Q

what service provides API governance, compliance and audit capability for an AWS account

A

AWS CloudTrail

86
Q

What service gives you tracing and visual analysis of your applications?

A

AWS X-Ray

87
Q

how could a company automate (ML) code reviews and application performance recommendations

A

Amazon CodeGuru: CodeGuru Reviewer (reviews code) and CodeGuru Profiler (examines runtime behavior of applications)

88
Q

what is the difference between the AWS Health Dashboard and the Account Health Dashboard

A

AWS Health Dashboard: status of all AWS services across all regions
AWS Account Health Dashboard: AWS events that impact your infrastructure only
89
Q

How would you provide internet access to a VPC

A

Internet Gateway

90
Q

How would you provide an instance in a private subnet internet access?

A

NAT Gateway / Instance

91
Q

What does a NACL provide?

A

stateless rules, almost like a firewall for inbound and outbound traffic

92
Q

what is a firewall that operates at the EC2 instance level or ENI (Elastic Network Interface)?

A

Security Group

93
Q

How do you connect two VPCs?

A

VPC Peering: non-overlapping IP ranges, non-transitive

94
Q

What is an Elastic IP?

A

fixed public IPv4; ongoing cost if not in use

95
Q

how do you provide a VPC access to AWS services?

A

VPC Endpoints

96
Q

if a company wants to connect to a 3rd party VPC, what would you use?

A

PrivateLink

97
Q

how do you connect over the public internet between an on-prem DC and AWS

A

Site-to-Site VPN

98
Q

If you want to connect your computer via OpenVPN into your VPC, what would you use

A

Client VPN

99
Q

If you want a direct private connection to AWS, what would you use

A

Direct Connect

100
Q

If you wanted to connect thousands of VPCs and on-prem networks together, what would you use

A

Transit Gateway

101
Q

how do you protect the entire VPC

A

AWS Network Firewall, and manage them with AWS Firewall Manager (rules for all accounts in AWS)

102
Q

AWS managed service for encryption keys, and what is the alternative?

A

AWS KMS (customer-managed or AWS-managed keys)

alternative: CloudHSM, keys generated from your own hardware device

103
Q

what is Amazon GuardDuty

A

uses ML algorithms for anomaly detection. if there are findings, use EventBridge to send notifications or trigger Lambda functions

104
Q

how would you run automated security assessments? and what are the limits

A

Amazon Inspector; can report findings/score to Security Hub or EventBridge

only for EC2 instances, container images and Lambda functions

105
Q

how would you audit and record compliance of AWS resources per region?

A

AWS Config. records configuration and changes over time. can be stored in s3 and analyzed by Athena

105
Q

true or false. Macie uses ML and pattern matching to discover and protect your sensitive data in AWS.

A

true.

106
Q

what service can be used to identify the root cause of security issues or suspicious activities

A

Amazon Detective
107
Q

Not worth creating cards for, but review the ML section; link included below

A

https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20245410#content

108
Q

how do you set up multiple accounts at a time

A

Control Tower

109
Q

what is Trusted Advisor

A

a service that analyzes our AWS accounts and provides recommendations for the following:
1. cost optimization
2. performance
3. security
4. fault tolerance
5. service limits
6. operational excellence

part of the business and enterprise support plans

110
Q

Not worth creating cards for, but review the Billing section; link included below

A

https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20245410#content

111
Q

how can you grant temporary limited-privilege credentials to access AWS resources?

A

AWS Security Token Service (STS)

112
Q

how would you create access for external users

A

Amazon Cognito

113
Q

SSO for AWS

A

AWS IAM Identity Center

114
Q

Virtual Desktops

A

Amazon WorkSpaces

115
Q

stream an application without provisioning infrastructure

A

Amazon AppStream 2.0; no need for a virtual desktop

116
Q

store and synchronize data for web and mobile apps and make use of GraphQL

A

Amazon AppSync

117
Q

how could you have a done-for-you full stack web and mobile application

A

AWS Amplify

118
Q

a drag-and-drop interface to design and build serverless applications

A

AWS Application Composer

119
Q

fully managed service to test your web and mobile apps

A

AWS Device Farm