Cloud Practitioner Flashcards

1
Q

What is Cloud Computing?

A

On-demand availability of computer system resources, especially data storage (cloud storage) and computing power, without direct active management by the user.

2
Q

What are the deployment models of the cloud?

A
  1. Private Cloud - used by single organization, not exposed to public. Org has complete control. Security for sensitive apps. Meets specific business needs.
  2. Public Cloud - AWS, Google Cloud, Azure. Owned and operated by a 3rd party provider.
  3. Hybrid Cloud - Mix of private and public. Some servers on premise, some extend capabilities to cloud. Control over sensitive assets in private infra. Flexibility / cost effectiveness of public cloud.
3
Q

What are the five characteristics of cloud computing?

A
  1. On-demand self service - provision resources and use them w/o human interaction from service provider.
  2. Broad network access - resources available over the network, can be accessed by diverse client platforms.
  3. Multi-tenancy and resource pooling - multiple customers can share same infra / apps with security and privacy.
  4. Rapid elasticity / scalability - Automatically & quickly acquire and dispose resources when needed. Scale based on demand.
  5. Measured service - pay exactly what you use.
4
Q

What are the six advantages of Cloud Computing?

A
  1. Trade capital expense (CAPEX) for operational expense (OPEX) - pay on-demand: don’t own hardware; reduced total cost of ownership (TCO) & Operation Expense (OPEX)
  2. Benefit from massive economies of scale - Prices are reduced as AWS is more efficient due to large scale.
  3. Stop guessing capacity - scale based on actual measured usage.
  4. Increase speed and agility.
  5. Stop spending money running and maintaining data centers.
  6. Go global in minutes - leverage AWS global infra.
5
Q

What problems does the Cloud solve?

A
  1. Flexibility: Change resource types when needed.
  2. Cost-Effectiveness: Pay as you go, for what you use.
  3. Scalability: Accommodate larger loads by making hardware stronger or adding additional nodes.
  4. Elasticity: Ability to scale out and scale-in when needed.
  5. High-availability and fault-tolerance: build across data centers.
  6. Agility: rapidly develop, test, and launch software applications.
6
Q

What are the 3 types of Cloud Computing?

A
  1. Infra as a Service (IaaS) - Building blocks for cloud IT. Networking, computers, data storage. Highest level of flexibility, easy parallel w/ traditional on-premises IT.
  2. Platform as a Service (PaaS) - Removes the need for your org to manage underlying infra; focus on deployment and management of apps.
  3. Software as a Service (SaaS) - Completed product that is run and managed by the service provider.
7
Q

What are AWS Regions?

A

A cluster of data centers in an area in the world. US-East (Ohio), Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Seoul).

8
Q

How do you choose an AWS Region?

A

Compliance with data governance and legal requirements - data never leaves a region w/o explicit permission.
Proximity to customers - reduced latency.
Service Availability - not all regions have all services.
Pricing - prices vary from region to region.

9
Q

What is an “AWS Availability Zone”?

A

An availability zone is a discrete data center w/ redundant power, networking, connectivity. Isolated from each other (isolated from disasters). Connected with high bandwidth, ultra-low latency networking: they form an AWS Region.

10
Q

Shared Responsibility Model - What is it?

A

Defines customer’s responsibility vs AWS’ responsibility. Customer is responsible for security, data, operating systems, network/firewall configurations.

AWS is responsible for security OF the cloud - all their infra, hardware, software,

11
Q

IAM Policy Structure - what is it?

A

Version, Id (optional), Statements

12
Q

What is the structure of a “statement” in an IAM policy?

A

Sid - identifier for the statement (optional)
Effect - Allow / Deny
Principal - Account/user/role to which the policy is applied
Action - List of actions the policy allows/denies.
Resource - list of resources to which action is applied.
Condition - condition for when policy is in effect (optional).

13
Q

How can you protect IAM user accounts?

A

Using IAM - Password Policy (min length, complexity, reuse, expiration)
Multi Factor Authentication - MFA.

14
Q

What are the MFA device options in AWS?

A

Virtual MFA device - e.g. Google Authenticator, Authy
Universal 2nd Factor Security Key (U2F)
Hardware Key Fob
Hardware Key Fob MFA Device for AWS GovCloud (US)

15
Q

What is AWS SDK?

A

AWS Software Development Kit - language-specific set of libraries / APIs that enable you to programmatically manage AWS services.

16
Q

What are IAM roles?

A

Allows services to perform actions on your behalf.

17
Q

What are the IAM Security tools?

A
  1. IAM Credentials Report (account-level) - a report that lists all your account’s users and the status of their various creds.
  2. IAM Access Advisor (user-level) shows the service permissions granted to a user and when those services were last accessed.
18
Q

AWS Best Practices

A

Don’t use root account beyond AWS account setup.
One physical user = one AWS user
Assign users to groups and assign permissions to groups.
Strong password policy
Use MFA
Create and use Roles for giving permissions to AWS services.
Use Access Keys for programmatic Access (CLI/SDK)
Audit permissions of your account using IAM Credentials Report and IAM Access advisor
Never share IAM users & access keys

19
Q

Shared Responsibility Model for IAM - Who’s responsible for what? AWS vs You

A

AWS: Infrastructure, Configuration and Vulnerability Analysis, Compliance Validation

You: Users, Groups, Roles, Policies management and monitoring.
Enabling MFA & enforcing.
Rotating keys often
Using IAM tools to apply appropriate permissions
Analyze access patterns and review permissions.

20
Q

IAM Summary: summarize the following
Users, Groups, Policies, Roles, Security, AWS CLI, AWS SDK, Access Keys, Audit

A

Users - mapped to a physical user, has password for AWS console.
Groups - contains users only
Policies - JSON document that outlines permissions for users or groups.
Roles - give programmatic access to AWS services.
Security - MFA + Password Policy.
AWS CLI - manage AWS services via command-line
AWS SDK - manage AWS services using a programming language.
Access Keys - allows access to AWS using CLI / SDK.
Audit - Credentials Reports and Access Advisor

21
Q

What is EC2 User Data? What is it used for?

A

EC2 User Data is a script used to bootstrap an EC2 instance. This can be used to automate boot tasks such as: installing updates, software, downloading files, creating user accounts etc.

22
Q

EC2 Instance Purchasing Options: Define On-Demand, Reserved/Res Convertible, Savings Plans, Spot Instances, Dedicated Hosts, Dedicated Instances, Capacity Reservations

A

On-Demand - Short workload, predictable pricing, pay by second.
Reserve - 1 & 3 years; long workloads
Reserve Convertible - long workloads w/ flexible instances
Savings Plan (1 & 3 years) - commitment to an amount of usage, long workload.
Spot Instances - short workloads, cheap, can lose instances (not reliable)
Dedicated Hosts - book an entire physical server
Dedicated Instances - no other customers will share your hardware
Capacity Reservations - reserve capacity in a specific AZ for any duration.

23
Q

EC2 Instance Store - pros and cons over Elastic Block Store (EBS)

A

Pros:
EC2 instance store - higher performance hardware disk, better I/O performance. Ideal for buffer / cache / scratch data / temp content.

Cons:
Lose their storage if stopped (ephemeral)
Risk of data loss if hardware fails.

24
Q

ALB vs NLB vs GLB

A

ALB - Application Load Balancer - layer 7, HTTP/S / gRPC protocols, HTTP routing features, static DNS.

NLB - Network Load Balancer - layer 4, TCP/UDP, millions of requests per sec, static IP through Elastic IP.

GLB - Gateway load balancer - GENEVE Protocol on IP packets (Layer 3), route traffic to firewalls you manage on EC2 instances, intrusion detection.

25
Q

Auto Scaling Groups - Scaling Strategies.

A

Manual
Dynamic - Simple / Step (CloudWatch alarm triggered when CPU > 70% for example); Target Tracking Scaling, i.e. “I want average ASG CPU to stay at 40%”; Schedule Scaling - “I want more instances between 9am and 5pm”
Predictive - uses machine learning to analyze past usage, and scale accordingly.

26
Q

S3 Security - User-Based

A

IAM policies - which API calls should be allowed for a specific user from IAM

27
Q

S3 Security - Resource-Based

A

Bucket Policies - bucket wide rules from the S3 console - allows cross account.
Object Access Control List (ACL) - finer grain
Bucket Access Control List (ACL) - less common

28
Q

S3 Security - Encryption

A

Encrypt using keys.

29
Q

Redshift - primary best use?

A

Data warehouse & analytics, analytic dashboards.

30
Q

EMR - Elastic MapReduce - best uses?

A

Analyze vast amount of technology in a cluster of EC2 instances: Data processing, machine learning, web indexing, big data.

31
Q

Athena - best uses?

A

Serverless query service to perform analytics against S3 objects using SQL: Business Intel analytics / reporting, analyze & query VPC flow logs, ELB Logs, CloudTrails etc.
Exam tip - analyze data in S3 using serverless SQL = Athena.

32
Q

QuickSight

A

Create dashboards / charts on databases to visually represent data

33
Q

DocumentDB

A

NoSQL DB based on Mongo; store, query, and index JSON. Scales to workloads w/ millions of requests.

34
Q

Neptune

A

Fully managed graph database (e.g. social network).

35
Q

QLDB - Quantum Ledger Database

A

A ledger is a book recording financial transactions

36
Q

QLDB vs Managed Blockchain

A

no decentralization component

37
Q

Amazon Managed Blockchain

A

Blockchain - build apps where parties execute transactions w/o the need for a trusted, central authority.
Compatible w/ Hyperledger Fabric and Ethereum.

38
Q

AWS Glue

A

Managed extract, transform, and load (ETL) service.
Useful to prepare and transform data for analytics.

39
Q

Database Migration Service - DMS

A

Quickly and securely migrate databases to AWS, resilient, self healing. Source DB is operational during migration.

40
Q

What is the name of a central repo to store structural and operational metadata for data assets in AWS glue?

A

Glue Data Catalog

41
Q

Which database is a managed service with SQL capability suited for Online Transaction Processing (OLTP)?

A

RDS

42
Q

Which AWS service can create complex graphs for fraud detection?

A

Neptune

43
Q

Batch vs Lambda

A

Lambda:
Time Limit, limited runtimes, limited temp disk space, serverless

Batch:
No time limit, any runtime (as long as it’s packaged in docker), relies on EBS / instance store for disk space, relies on EC2 (can be managed by AWS)

44
Q

What is Lightsail? Best use cases

A

Virtual servers, storage, databases, and networking - ideal for people with limited cloud experience who need to get started quickly; low predictable pricing, minimal configuration required.