Cloud Practitioner Flashcards
(44 cards)
What is Cloud Computing?
On-demand availability of computer system resources, especially data storage (cloud storage) and computing power, without direct active management by the user.
What are the deployment models of the cloud?
- Private Cloud - used by single organization, not exposed to public. Org has complete control. Security for sensitive apps. Meets specific business needs.
- Public Cloud - AWS, Google Cloud, Azure. Owned and operated by a 3rd-party provider.
- Hybrid Cloud - Mix of private and public. Some servers on premise, some extend capabilities to cloud. Control over sensitive assets in private infra. Flexibility / cost effectiveness of public cloud.
What are the five characteristics of cloud computing?
- On-demand self service - provision resources and use them w/o human interaction from service provider.
- Broad network access - resources available over the network, can be accessed by diverse client platforms.
- Multi-tenancy and resource pooling - multiple customers can share same infra / apps with security and privacy.
- Rapid elasticity / scalability - Automatically & quickly acquire and dispose resources when needed. Scale based on demand.
- Measured service - pay exactly what you use.
What are the six advantages of Cloud Computing?
- Trade capital expense (CAPEX) for operational expense (OPEX) - pay on-demand: don’t own hardware; reduced total cost of ownership (TCO) & operational expense (OPEX)
- Benefit from massive economies of scale - Prices are reduced as AWS is more efficient due to large scale.
- Stop guessing capacity - scale based on actual measured usage.
- Increase speed and agility.
- Stop spending money running and maintaining data centers.
- Go global in minutes - leverage AWS global infra.
What problems does the Cloud solve?
- Flexibility: Change resource types when needed.
- Cost-Effectiveness: Pay as you go, for what you use.
- Scalability: Accommodate larger loads by making hardware stronger or adding additional nodes.
- Elasticity: Ability to scale out and scale-in when needed.
- High-availability and fault-tolerance: build across data centers.
- Agility: rapidly develop, test, and launch software applications.
What are the 3 types of Cloud Computing?
- Infra as a Service (IaaS) - Building blocks for cloud IT. Networking, computers, data storage. Highest level of flexibility, easy parallel w/ traditional on-premises IT.
- Platform as a Service (PaaS) - Removes the need for your org to manage underlying infra; focus on deployment and management of apps.
- Software as a Service (SaaS) - Completed product that is run and managed by the service provider.
What are AWS Regions?
A cluster of data centers in an area of the world. Examples: US East (Ohio), Africa (Cape Town), Asia Pacific (Hong Kong), Asia Pacific (Seoul).
How do you choose an AWS Region?
Compliance with data governance and legal requirements - data never leaves a region w/o explicit permission.
Proximity to customers - reduced latency.
Service Availability - not all regions have all services.
Pricing - prices vary from region to region.
What is an “AWS Availability Zone”?
An availability zone is a discrete data center (or group of data centers) w/ redundant power, networking, and connectivity. AZs are isolated from each other (isolated from disasters) but connected with high-bandwidth, ultra-low-latency networking: together they form an AWS Region.
Shared Responsibility Model - What is it?
Defines the customer’s responsibility vs AWS’ responsibility. The customer is responsible for security IN the cloud: data, operating systems, network/firewall configurations.
AWS is responsible for security OF the cloud: all their infra, hardware, and software.
IAM Policy Structure - what is it?
Version, Id (optional), Statements
What is the structure of a “statement” in an IAM policy?
Sid - identifier for the statement (optional)
Effect - Allow / Deny
Principal - Account/user/role to which the policy applies
Action - List of actions the policy allows/denies.
Resource - list of resources to which action is applied.
Condition - condition for when policy is in effect (optional).
How can you protect IAM user accounts?
Using IAM - Password Policy (min length, complexity, reuse, expiration)
Multi Factor Authentication - MFA.
What are the MFA device options in AWS?
Virtual MFA device - e.g. Google Authenticator, Authy
Universal 2nd Factor Security Key (U2F)
Hardware Key Fob
Hardware Key Fob MFA Device for AWS GovCloud (US)
What is AWS SDK?
AWS Software Development Kit - language-specific set of libraries / api which enable you to programmatically manage AWS services.
What are IAM roles?
Allows services to perform actions on your behalf.
What are the IAM Security tools?
- IAM Credentials Report (account-level) - a report that lists all your account’s users and the status of their various creds.
- IAM Access Advisor (user-level) shows the service permissions granted to a user and when those services were last accessed.
AWS Best Practices
Don’t use root account beyond AWS account setup.
One physical user = one AWS user
Assign users to groups and assign permissions to groups.
Strong password policy
Use MFA
Create and use Roles for giving permissions to AWS services.
Use Access Keys for programmatic Access (CLI/SDK)
Audit permissions of your account using IAM Credentials Report and IAM Access advisor
Never share IAM users & access keys
Shared Responsibility Model for IAM - Who’s responsible for what? AWS vs You
AWS: Infrastructure, Configuration and Vulnerability Analysis, Compliance Validation
You: Users, Groups, Roles, Policies management and monitoring.
Enabling MFA & enforcing.
Rotating keys often
Using IAM tools to apply appropriate permissions
Analyze access patterns and review permissions.
IAM Summary: summarize the following
Users, Groups, Policies, Roles, Security, AWS CLI, AWS SDK, Access Keys, Audit
Users - mapped to a physical user, has password for AWS console.
Groups - contains users only
Policies - JSON document that outlines permissions for users or groups.
Roles - give programmatic access to AWS services.
Security - MFA + Password Policy.
AWS CLI - manage AWS services via command-line
AWS SDK - manage AWS services using a programming language.
Access Keys - allows access to AWS using CLI / SDK.
Audit - Credentials Reports and Access Advisor
What is EC2 User Data? What is it used for?
EC2 User Data is a script used to bootstrap an EC2 instance. It can be used to automate boot tasks such as installing updates and software, downloading files, creating user accounts, etc.
EC2 Instance Purchasing Options: Define On-Demand, Reserved/Res Convertible, Savings Plans, Spot Instances, Dedicated Hosts, Dedicated Instances, Capacity Reservations
On-Demand - Short workload, predictable pricing, pay by second.
Reserve - 1 & 3 years; long workloads
Reserve Convertible - long workloads w/ flexible instances
Savings Plan (1 & 3 years) - commitment to an amount of usage, long workload.
Spot Instances - short workloads, cheap, can lose instances (not reliable)
Dedicated Hosts - book an entire physical server
Dedicated Instances - no other customers will share your hardware
Capacity Reservations - reserve capacity in a specific AZ for any duration.
EC2 Instance Store - pros/cons over Elastic Block Store (EBS)
Pros:
EC2 instance store - higher performance hardware disk, better I/O performance. Ideal for buffer / cache / scratch data / temp content.
Cons:
Storage is lost if the instance is stopped (ephemeral).
Risk of data loss if hardware fails.
ALB vs NLB vs GLB
ALB - Application Load Balancer - layer 7, HTTP/HTTPS/gRPC protocols, HTTP routing features, static DNS name.
NLB - Network Load Balancer - layer 4, TCP/UDP, millions of requests per sec, static IP through Elastic IP.
GLB - Gateway load balancer - GENEVE Protocol on IP packets (Layer 3), route traffic to firewalls you manage on EC2 instances, intrusion detection.