Cloud Practitioner Exam Flashcards
List out 6 benefits of AWS Cloud
- Variable instead of capital expense
- Economies of scale by sharing servers with others
- Don’t have to ‘guess’ capacity
- Quicker to start operating
- Don’t need to manage data centre
- Global
How does AWS Cloud allow users to focus on business value?
AWS takes care of IT infrastructure concerns, allowing orgs to focus on their business.
Define at least 6 items that would be part of a Total Cost Ownership Proposal
- Location
- Service
- Tenancy
- Operating System
- Workload
- Number of Instances
Identify which operations will reduce costs by moving to the cloud
Infrastructure costs
Explain the 5 cloud architecture design principles
- Perform operations as code
- Make frequent, small reversible changes
- Refine operations procedures frequently
- Anticipate failure (pre-mortem exercises)
- Learn from all operational failures
What are the 7 elements of the shared responsibility model
- Physical security
- Client and end-point protection
- Identity and access management
- Application-level controls
- Network controls
- Host infrastructure
- Physical security
Rank the following models from most customer responsible to most cloud provider responsible:
SaaS
FaaS
On-premises
IaaS
PaaS
- On-premises
- IaaS
- PaaS
- SaaS
- FaaS
What is the customer always responsible for in the shared responsibility model?
Data classification and accountability
What is the core responsibility of AWS in the share responsibility model?
Protecting the infrastructure that runs the cloud services offered
In the shared responsibility model, whose responsibility is the security of your platform for PaaS environments
Shared Responsibility
In the shared responsibility model, the responsibility for data security in SaaS environments belongs to ________
Customer
Shared responsibility model
Who is responsible for Application level controls in IaaS?
Customer
Shared responsibility model
Who is responsible for Application level controls in PaaS?
Both customer and cloud provider
Shared responsibility model
Who is responsible for Network Controls in FaaS?
Cloud Provider
Shared responsibility model
Who is responsible for IAM in PaaS?
both customer and cloud provider
Where can you find AWS compliance information?
AWS Artifact
Where are system and organisations control located in AWS?
AWS Artifact
Identity and access management (IAM) is capable of performing the following tasks:
- Fine grained access to AWS resources
- Providing options for multi-factor authentication
- Analysing access for users and services across AWS environment
- Integrating with existing corporate directories
AWS CloudTrail is where:
trails and recent activities are summarized
CloudTrail Management Events for the last ___ days are displayed in the Event History
90
In CloudTrail, when are events recorded?
When resources are created, updated or deleted
What is a trail?
It is a generated path of tracked actions
What does an event log include:
event name, time, user, kind of resource, resource name
CloudTrail Insights allow customers to ….
monitor their accounts for abnormal behaviour
What are some examples of abnormal behaviour in CloudTrail
Sudden increase in resource provisioning
Increase in AWS identity and access management operations
Drops in routine maintenance
Is CloudTrail automatically enabled, or must you enable it?
It is automatically enabled
CloudWatch is a monitoring service that
tracks AWS cloud resources and apps running on your AWS account
What are four features that CloudWatch offer?
- Real-time tracking of metrics
- Creates alarms for when metrics such as price or health reach beyond desired states
- Creates a repository where you can parse and leverage alarms to notify you of anything that is unwanted
- Allows you to create dynamic dashboards
What does Amazon Inspector do?
It tests for network access and the security state of apps running on those instances
What are four features Amazon Inspector offers?
- It gives a risk rating to cloud assets
- Produces detailed reports
- Automated security assessments through development and deployment
How does Amazon Inspector work?
- It works by scanning the network configuration within AWS to assess for reachability and uses an agent that is installed on the EC2 instances to assess for security risks at the infrastructure level
What does WAF stand for?
Web Application Firewall
What does AWS WAF allow you to do?
- Monitor the HTTP(s) requests to your application hosted in AWS
- Control access to applications based on origin IP addresses
What AWS service allows you to use Web Access Control Lists, Rules and Rule Groups to set permissions and protect your application
AWS WAF
Where can WAF and Shield be found in AWS?
Network Access Analyser > Services, Security, Identity and Compliance > WAL & Shield
What AWS Service protects from DDoS attacks?
AWS Shield
What are the two types of AWS shields that can be deployed?
Shield Standard and Shield Advanced
What does AWS Guard Duty do?
Continuously monitors particular data sources for threat intelligence
What data sources does AWS Guard Duty monitor?
Flow Logs, CloudTrail event logs, CloudTrail event logs, and DNS logs
What does AWS Control Tower
It allows teams to leverage Landing Zones as a secure add-on to AWS organisations
What are Landing Zones and what do they offer?
Landing Zones = well-architected, multi-account AWS environment that is scalable and secure
Allow account administrators to provide secured AWS accounts that are configured with a baseline
AWS Control Tower handles which of the following?
Analyzing App security
DDoS protection
Key Storage and Management
Securing and Governing Multiple AWS Accounts
Securing and Governing Multiple AWS Accounts
What does VPC stand for?
Virtual Private Cloud
Where can you find the ability to create a VPC?
Services > Networking & Content Delivery > VPC > Create VPC
What is a VPC
VPC is a network service that managed the traffic to all other AWS services you plan to use.
What can you use VPCs to do?
You use it to configure IP addresses, managed allowed ports etc
Which features of AWS helps cloud security by restricting access to subnets? This feature works like firewalls with rules for inbound/outbound access.
Network Access Control List (ACLs)
What do AWS Security Groups do?
Decides what traffic can reach and leave the resources it is connected to
What are 2 kinds of resources you can link a security group to?
EC2, VPC
Which AWS feature is focused on discovering sources of likely intrusions?
Network Access Analyser
How does the network access analyser work?
It scan the network access scopes (e.g. identifies non-permissible traffic types).
What determines the cost to run a network access analyser
The number of elastic network interfaces investigated
Where can you find security findings from across AWS accounts, services and 3rd-party partners to help analyse security trends and priority issues?
Security Hub
What are 3 benefits of Security Hub?
- Reduce complexity and effort when improving security of AWS accounts and workloads
- Centralise findings and save time digging
- Provides detailed dashboards that highlight current status to help leadership make decisions
Where can you find a list of the most frequently asked questions categorised by services provided by AWS?
AWS Knowledge Centre
Where can you find automated and managed services offered by AWS that inspects your AWS account for best security and efficient practices?
Amazon Trusted Advisor
What does Trusted Advisor base its recommendations on?
What other customers have implemented
What are the different types of cloud deployment models?
Public cloud,
Private cloud
Community Cloud (for nominated community of orgs)
Hybrid
What are the 5 connectivity options
Network-to-Amazon VPC
Amazon VPC-to-Amazon VPC
Software remote access-to-Amazon VPC
Transit VPC
AWS Cloud WAN
How are availability zones related to regions?
Regions = multiple isolated availability zones
What are availability zones?
Data centres with redundant power
What is a cloud front edge location?
It is a content distribution network that provides a delivery service for cached content
Is there more availability zones or cloud front edge locations?
Way more edge locations
How do multiple availability zones provide high availability?
Availability zones are placed in distributed locations such that if one goes down, another is available.
When might you consider using multiple AWS regions?
- to keep data close to the users to reduce latency
- give you greater control over your recovery time in the event of a hard dependency failure on a regional AWS service.
What is the benefit of edge locations?
- Faster user experience
- Faster file upload
What are the 4 categories of services on AWS?
Compute
Storage
network
database
What is AWS’ compute service?
EC2
What does EC2 stand for?
Elastic Compute Coud
What is EC2?
web service that provide resizable compute capacity using the cloud.
What makes up EC2?
- Virtual machine in the cloud
- 8 instance types, each with different CPU, RAM and storage
- Uses EBS
What is EBS?
Elastic Block Storage = virtual storage volumes with the ability to attach multiple
What does AWS SLA guarantee?
99.99% uptime on EC2 and EBS within a region
What are the 3 EC2 types?
- on-demand
- Reserved (pay ahead of time and save cost)
- Spot instance (short term agreement - get it when its availabile)
What is AWS S3?
Amazon Simple Storage Service = object storage service that offers industry-leading scalability, availability, security, performance
What does object based storage mean?
It stores things like files, images, videos etc as objects in a non-hierarchial way
What is a bucket is S3?
Container for objects stored in S3.
How can you access a bucket?
Over HTTPs, they have unique URLs
What do you store inside buckets?
The objects i.e. files, metadata, media etc. Its not file-based storage as that would assume hierarchy
What are keys?
Unique identifiers within buckets.
How many keys does each object get?
Exactly one
What are regions?
Regions are the geographical area where S3 will store buckets. Want to put them as close to customers as possible.
What are the 5 Storage classes?
Standard
Intelligent Tiering
One-Zone Infrequent Access
Glacier
Glacier Deep Archive
What is the standard storage class?
default, deployed across multiple zones to stay low cost
What is the intelligent tiering class?
Analysis of usage of objects in buckets and reclassification and billing differently
What is One-Zone Frequent Access?
Cheaper, no redundant replication of data across zones
What is Glacier?
Archival based, gives you a couple hours of retrieval time
What is Glacier Deep Archive?
Archival based, can take up to 12 hours to retrieve. Save on cost, but very slow.
What are some AWS networking Services?
ELB
and
Autoscaling
What does an elastic load balancer do?
Automatically distributes application traffic across multiple endpoints
What are some endpoints that elastic load balancers distribute traffic across?
across EC2 instances, IP addresses, lambda functions, containers
What are the major benefits of Elastic Load Balancers
Security
Uptime
Accessibility
What are the 4 types of load balancers offers by AWS?
Applications
Network
Gateway
Classic
What is the applications load balancer used for?
web traffic http https
What is the network load balancer used for?
TCP, UDP, TLS Traffic
Internal servers
What is the gateway load balancer used for?
Scaling traffic for virtual apps
What is the classic load balancer used for?
Basic load balancer, isn’t used for much
What does the AWS autoscaling services do?
Optimises performance while lowering infrastructure costs by scaling multiple AWS resources safely
Autoscaling services monitor for unhealthy resources and applications to _____________________
deploy replacements automatically
What can the AWS autoscaling services scale?
EC2 Autoscaling Groups
EC2 Spot fleeting requests
Elastic container services (ECS)
DynamoDB
Aurora
Do both Autoscaling and ELB serve for high availability and security?
Yes
What does Autoscaling focus on doing?
Increasing or decreasing resources
What does ELB focus on doing?
balancing traffic load to multiple endpoints and instances
What are the two AWS database services?
Relational Database Service (RDS)
and
DynamoDB, a NoSQL database managed by Amazon
What does the RDS offer?
It supports 3rd party relational databases i.e. Microsoft SQL, MariaDB, PostgreSQL, Oracle
AND Amazon Aurora
You can scale database with a click of a button
It auto replicates to a standby instance for availability
What does the DynamoDB NoSQL database offer?
Fully managed, just write the code
Very high performance at scale
Highly Available and secure
Where can you find documentation for tech support?
- best practices
- Whitepapers,
- AWS knowledge Center
- Forums
- Blogs
What are the various levels of support plans?
Developer
Business
Enterprise
What does developer level offer?
For when experimenting or testing
7 core checks
general + system impaired guidance
business hours
unlimited cases / 1 primary contact
What does business level offer?
For when you have production workloads in AWS
full set of checks
general + system impaired + production gudiance
24x7 contact
unlimited cases / unlimited contacts
Api support
What does enterprise level offer?
for when you have business and / or mission cirtical workloads in AWS
Business +
business critical system down guidance
Consultative review and guidance based on your application
Designated technical account manager
Online labs
Concierge support team
What is the AWS Partner Network?
a global community of partners that leverages programs, expertise, and resources to build, market, and sell customer offerings.
What are the 4 sources of technical assistance and knowledge?
Professional services, solutions architects, training and certification, APN
What are the benefits of using AWS Trusted Advisor
- Help follow AWS best practices
- Uses checks to fins ways to optimise AWS infrastructure, secuirity, performance, reduce costs, monitor service quotas
Main benefits
1. Cost optimisation
2. Performance
3. Security
4. Fault Tolerance
5. Service Quotas
What are the various pricing models for AWS?
On-Demand Instances, Reserved Instances, Spot Instances
What is on Demand Instance pricing best used for?
when you need low cost, flexible computing capacity but dont want to commit to long term contract
Best for short-term, irregular workloads that cannot be interrupted
Ideal for applications being developed / tested on AWS for the first time
What is Reserved Instance pricing best used for?
Best for if you have a predictable workload over 1 or 3 year term
What discount compared to on-demand instance pricing do you get with reserved instance?
up to 75% discount
What are the three types of reserved instances?
Standard reserved (for max savings)
Convertible reserved instances (for flexibility to change types)
Scheduled reserved instances (for instances on a recurring schedule)
What is Spot Instance pricing best for?
- When you have flexible start and end times
- Apps that are only feasible at very low compute prices
- Urgent computing needs for large amounts of additional capacity
What is the spot instance discount compared to on-demand instance pricing
Up to 90% discount compared to on-demand
Which instance can be interrupted within two minutes of notification when AWS needs the capacity back?
Spot Instant pricing
This pricing is best for fault-tolerant applicatiosn
What is consolidated billing? and why is it useful for users?
Consolidating all billing for multiple AWS accounts into one, which simplifies billing to avoid multiple billing cycles per department (difficult to scale with)
How can multiple accounts aid in allocating costs across departments?
You can have multiple accounts to track costs on a department-specific basis, but then one overall bill to pay
Which AWS service is responsible for high-level tracking of expenses across multiple AWS accounts?
AWS organisations
How can you get billing support and information?
AWS support centre -> Create case
AWS knowledge centre -> billing mangement
Where can you find pricing information on AWS services
AWS pricing whitepaper
AWS pricing calculator
How can you figure alerts / alarms to help with billing?
You can place alerts on your budgets which trigger when % of budget amount is reached
You can also get it to send you an SMS of the alert
Which AWS service is used for monitoring cloud service usage that exceeds defined cost thresholds?
AWS cloudtrail
what are resource groups used for?
Organising AWS resources
What do resource groups allow you to manage and automate?
Tasks at scale across multiple resource groups all at once
Where can you access resource groups?
AWS management console, AWS system manager console and by using the resource groups API via CLI or SDK
