CP Basic Concepts Flashcards

(133 cards)

1
Q

Cloud Concepts:

What are some key financial benefits of migrating on-prem to AWS?

A
  1. Replace upfront capital expenditures (capex) with low variable operational expenditures (opex)
  2. Reduce the total cost of ownership
2
Q

Cloud Concepts:

What are the 4 Cloud Architecture Design Principles?

A
  1. Implement Elasticity
  2. Think Parallel
  3. Decouple your components
  4. Design for failure
3
Q

Cloud Concepts:

How would you design mission-critical workloads in AWS that must be highly available?

A

Use multiple Availability Zones

4
Q

Cloud Concepts:

How can you ensure that a change or failure in one component will not cascade to other components?

A

Loose coupling

5
Q

Cloud Concepts:

How would you enable your Amazon EC2 instances in the public subnet to connect to the public internet?

A

Use the Internet Gateway

6
Q

Cloud Concepts:

How would you enable your EC2 instances in the private subnet to connect to the public internet?

A

NAT Gateway

7
Q

Security:

What security management tool would you use to configure your AWS WAF rules across accounts?

A

AWS Firewall Manager

8
Q

Security:

If a company needs to download compliance-related documents in AWS like the Service Organization Controls (SOC) reports, where would they go?

A

AWS Artifact

9
Q

Security:

How would you improve the security of IAM users?

A
  1. Enable multi-factor authentication (MFA)
  2. Configure a strong password policy

10
Q

Security:

What is an IAM identity that uses access keys to manage cloud resources via the AWS CLI?

A

IAM User

11
Q

Security:

How would you grant temporary access to your AWS resources?

A

IAM Role

12
Q

Security:

How would you apply and easily manage common access permissions to a large number of IAM users in AWS?

A

IAM Group

13
Q

Security:

How would you grant the required permissions to access your S3 resources?

A

Bucket Policy and/or User Policy

14
Q

Security:

If you need to provide temporary AWS credentials for users who have authenticated via their social media logins as well as for guest users who don’t need any authentication, what would you use?

A

Amazon Cognito Identity Pool

15
Q

Security:

How would a startup evaluate the newly created IAM policies?

A

IAM Policy Simulator

16
Q

Security:

What is a service that discovers, classifies, and protects sensitive data such as personally identifiable information (PII) or intellectual property?

A

Amazon Macie

17
Q

Security:

What is a threat detection service that continually monitors for malicious activity to protect your AWS account?

A

Amazon GuardDuty

18
Q

Security:

What prevents unauthorized deletion of Amazon S3 objects?

A

Enabling Multi-Factor Authentication (MFA)

19
Q

Security:

How would a company control the traffic going in and out of their VPC subnets?

A

Network Access Control Lists (NACL)

20
Q

Security:

What acts as a virtual firewall in AWS that controls traffic at the EC2 instance level?

A

Security Group

21
Q

Security:

Where would you set up an automated security assessment service to improve the security and compliance of your applications?

A

Amazon Inspector

22
Q

Technology:

What would a company use if they need to use the AWS global network to improve the availability of applications deployed on AWS using an anycast static IP address?

A

AWS Global Accelerator

23
Q

Technology:

If you need to securely transfer hundreds of petabytes of data in/out of AWS cloud, what would you use?

A

AWS Snowball Edge

24
Q

Technology:

What is a type of EC2 instance that allows you to use your existing server-bound software licenses?

A

Dedicated Host

25
Technology: What is a service that allows you to continuously monitor and log account activities such as the user actions made from the AWS Management Console and AWS SDKs?
AWS CloudTrail
26
Technology: What is a highly available and scalable cloud DNS web service in AWS?
Amazon Route 53
27
Technology: How would you store the results of I/O-intensive SQL database queries to improve application performance?
Amazon ElastiCache
28
Technology: What is a combination of AWS services that allows you to serve static files with the lowest possible latency?
Amazon S3 and Amazon CloudFront
29
Technology: How would you automatically scale the capacity of an AWS cloud resource based on the incoming traffic to improve availability and reduce failures?
AWS Auto Scaling
30
Technology: What would a company use to migrate an on-prem MySQL database to Amazon RDS?
AWS Database Migration Service (DMS)
31
Technology: How would you automatically transfer infrequently accessed data in your S3 bucket to a more cost-effective storage class?
S3 Lifecycle Policy
32
Technology: What would you use to upload a single object as a set of parts to improve throughput and recover more quickly from network issues?
The Multipart Upload API
33
Technology: What would a company use to establish a dedicated connection between their on-premises network and an AWS VPC?
AWS Direct Connect
34
Technology: What is a machine learning service that allows you to add a visual analysis feature to your applications?
Amazon Rekognition
35
Technology: What is a source control service that allows you to host Git-based repositories?
AWS CodeCommit
36
Technology: What is a service that can trace user requests in your application?
AWS X-Ray
37
Technology: What would a company use to retrieve the instance ID, public keys, and public IP address of their EC2 instance?
Instance Metadata
38
Technology: If you need to speed up the content delivery of static assets to your customers around the globe, what would you use?
Amazon CloudFront
39
Technology: How would you create and deploy infrastructure-as-code templates?
AWS CloudFormation
40
Technology: What would you use to encrypt the log data stored and managed by AWS CloudTrail?
AWS Key Management Service (AWS KMS)
41
Technology: What is a database service that can be used to store JSON documents?
Amazon DynamoDB
42
Billing: Who is the designated technical point of contact that will maintain an operationally healthy AWS environment?
Technical Account Manager (TAM)
43
Billing: What is a tool that inspects your AWS environment and makes recommendations that follow AWS best practices?
AWS Trusted Advisor
44
Billing: What would a startup use to estimate the cost of moving their application to AWS?
AWS Pricing Calculator
45
Billing: How would you set coverage targets and receive alerts when your utilization drops?
AWS Budgets
46
Billing: What is a type of Reserved Instance that allows you to change its instance family, instance type, platform, scope, or tenancy?
Convertible Reserved Instance
47
Billing: What lets you take advantage of unused EC2 capacity in the AWS cloud and provides up to a 90% discount?
Spot Instances
48
Billing: Where would you go to centrally manage policies and consolidate billing across multiple AWS accounts?
AWS Organizations
49
Billing: What is the most cost-efficient storage option for retaining database backups that allows occasional data retrieval in minutes?
Amazon Glacier
50
Billing: Where would you forecast future costs and usage of your AWS resources based on your past consumption?
AWS Cost Explorer
51
Billing: How would you categorize and track AWS costs at a detailed level?
Cost Allocation tags
52
Billing: If a company launched a new VPC that was way beyond the default service limit, what would they do?
Request a service limit decrease in the AWS Support Center
53
Billing: What is the most cost-effective option when you purchase a Reserved Instance for a 1-year term?
All Upfront
54
Billing: What would you do to combine usage volume discounts of your multiple AWS accounts?
Consolidated Billing
55
Billing: Where would you sell your catalog of custom Amazon Machine Images (AMIs) in AWS?
AWS Marketplace
56
What are valid security group rules?
Security groups accept an IP address, an address range, or a security group ID as either source or destination. Examples: an inbound RDP rule with an address range as source; an inbound HTTP rule with a security group ID as source.
57
What does Operational Excellence focus on?
Running and monitoring systems to deliver business value and continually improve processes and procedures
58
What does Performance efficiency focus on?
The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand and technology evolve.
59
What is AWS Shield?
It's a DDoS protection service with always-on detection. It has two tiers: Standard and Advanced. Shield Standard is available to all customers at no charge. When used with CloudFront and Route 53, it protects against infrastructure (layer 3 and 4) attacks.
60
What does a security group do?
Acts as a virtual firewall to control inbound and outbound traffic. Security groups act at the instance level, and up to 5 security groups can be assigned to one instance. You can add rules to control inbound traffic and rules to control outbound traffic.
61
Describe SNS
A messaging service that provides topics for high-throughput, push-based, many-to-many messaging. It can also be used to fan out notifications via SMS and email.
62
Reserved instances can be bought for which services?
EC2, RDS, ElastiCache, Redshift, DynamoDB
63
What is an account alias?
A substitute for the account ID in the web address (sign-in URL) for your account.
64
What service to be used for static websites?
Amazon S3 lets you host a static website
66
Instance Tags
Your own metadata, in the form of tags, applied to an instance.
67
Multipart Upload API is part of what cloud best practice?
Think Parallel
68
What does an application load balancer do?
An Application Load Balancer operates at the request level and can register Lambda functions as targets, with listener rules to forward requests.
69
What is an ELB Health Check?
An Application Load Balancer periodically sends requests to its registered targets to test their status; this is the health check. Requests are only routed to healthy targets, and a target must pass a health check to be considered healthy. If you are unable to connect to an EC2 instance behind an ELB, it is because the load balancer has identified it as unhealthy.
70
What is AWS Elastic Beanstalk?
An easy-to-use service to deploy and scale web applications. You upload your code and Elastic Beanstalk handles the deployment. Capacity provisioning, load balancing, auto scaling, and application health monitoring are covered. It is the fastest way to deploy an application on AWS.
71
How would you connect your AWS VPC network to your local network through an IPsec tunnel?
A VPN gateway in the VPC connected to the Customer Gateway in the on-premises network. The customer gateway is the anchor on the client side, while the virtual private gateway is the anchor on the AWS side. You can enable access to the remote network from the VPC by:
1. Attach a virtual private gateway to the VPC
2. Create a custom route table
3. Update security group rules
4. Create a Site-to-Site VPN connection
5. Configure routing to pass traffic through
The key part is that Site-to-Site VPN supports Internet Protocol Security (IPsec) VPN connections.
72
Can a subnet span Availability zones?
No, it must reside entirely within one AZ
73
Which infrastructure corresponds to a VPC's subnet?
Availability Zone
74
For EBS, what are SSDs used for?
- Small and random I/O operations
- Best for transactional workloads
- Best for critical business applications that require sustained IOPS performance
- Cost is high
- Dominant performance attribute is IOPS
75
For EBS, what are HDDs used for?
- Large sequential I/O operations
- Best for large streaming workloads requiring consistent fast throughput
- Big data, data warehouses, and log processing are good use cases
- Best for throughput-oriented storage with volumes of data that are infrequently accessed
- Low cost
- Dominant performance attribute is throughput
76
What can be used to deploy and roll back a web application from Git to an on-premises server?
AWS OpsWorks
77
How can RDS production instances be more cost-effective when used for a long period of time?
Go for Reserved Instances.
78
What is CloudTrail?
It can log, monitor, and retain a record of the actions taken in AWS. It can automatically record and store this data. A trail applies to all regions in AWS by default, but can be restricted to a single region.
79
How to create point-in-time backups of EBS volumes?
- Backups are stored in S3
- You can create EBS snapshots, which are incremental (only the latest changes are backed up)
- You can back up while the EC2 instance is running
80
What is tied to an AZ where it was launched?
EBS volumes: an EBS volume can only be attached to instances in the same AZ.
81
What are zonal services in AWS?
EC2 instances and EBS volumes; both are tied to the AZ in which they were launched.
82
What does Amazon Detective do?
Collects log data from AWS and uses ML and graph theory to build a linked set of data, to conduct faster and more efficient security investigations.
83
What is Amazon Pinpoint?
AWS's digital user engagement service for measuring engagement across channels like email, text, and mobile push. It can segment audiences and handle campaign management, scheduling, template management, A/B testing, and analytics.
84
What are AWS Step Functions?
They provide serverless orchestration by breaking an application into multiple steps, with flow control and tracking of inputs/outputs. Step Functions maintains application state and stores a log of the data passed between steps. The workflow can be updated independently from the business logic.
85
When to use SQS?
To have durable storage for application events and messages, and to decouple parts of a system for better fault tolerance.
86
What is used to secure VPC network?
NACL
87
What characteristics do Dedicated Hosts have that Dedicated Instances do not?
Both enable the use of dedicated physical servers, and both have automatic instance placement. Dedicated Hosts only:
- Per-host billing
- Visibility of sockets, cores, and host ID
- Affinity between a host and an instance
- Targeted instance placement
- Adding capacity using an allocation request
88
What API is used to change AZ, instance size, and networking type for Standard instances?
ModifyReservedInstances API
89
What API is used to change AZ, instance size, and networking type for Convertible reserved instances?
ExchangeReservedInstances API
90
What can Convertible Reserved Instances do that Standard Reserved Instances cannot?
Change instance families, operating system, tenancy, and payment option, and benefit from price reductions.
91
What are services corresponding to File System needs?
Amazon Elastic File Storage, since S3 uses a flat namespace.
92
What services provide structured data with querying capabilities?
DynamoDB, RDS, or CloudSearch can be paired with S3 to index and query metadata.
93
What services provide storage for rapidly changing data?
The key thing to note is that the solution must take read and write latencies into account. EBS, RDS, DynamoDB, and EFS are all good options. Also, any kind of relational database running on EC2 will work for this.
94
What is good for dynamic website hosting?
Most dynamic websites need some level of database interaction or server-side scripting. Keeping that in mind, EC2 or EFS will serve this purpose. Note that S3 is good for static content websites.
95
How can you monitor estimated AWS charges?
Use CloudWatch alarms.
96
How can you deploy an application to your on-premises servers?
Use OpsWorks and CodeDeploy.
97
What level is a security group at?
At the EC2 instance level.
98
What level is a NACL?
At the subnet level.
99
What are some key differences between security groups and NACLs?
Security group vs. NACL:
- At the EC2 instance level vs. at the subnet level
- Supports "Allow" rules only vs. supports both "Allow" and "Deny" rules
- Stateful (allows return traffic automatically) vs. stateless (only rules can allow return traffic)
- Up to 5 groups per instance vs. 1 NACL per subnet
- Up to 50 rules per security group vs. 20 rules per NACL
- Allows outbound traffic by default vs. denies outbound traffic by default
- Associated with network interfaces vs. associated with subnets: one NACL can be associated with multiple subnets, but a subnet can have only one NACL
100
Among storage types (file, object, block), which one is stored redundantly in a single AZ vs multiple?
Block storage (Amazon EBS) is stored redundantly within a single AZ.
101
What are some NoSQL data models?
Document, graph, key-value, in-memory, search
102
What are the ACID properties that relational databases provide?
- Atomicity: a transaction is required to execute completely or not at all
- Consistency: data must conform to the schema
- Isolation: concurrent transactions are separate
- Durability: recover from failure to the last known state
103
What are relational databases' performance most dependent on?
The disk subsystem along with optimization of queries, indexes, and table structure.
104
What are NoSQL databases' performance most dependent on?
Hardware cluster size, network latency, calling application
105
How do relational databases scale vs. NoSQL?
Relational databases scale up by increasing the compute of the hardware and scale out by adding replicas. NoSQL databases are partitionable via key-value access patterns and scale out using a distributed architecture.
106
How are NoSQL databases interfaced with?
Through object-based APIs that store and retrieve in-memory data structures using partition keys.
107
What are NoSQL databases particularly a good choice for?
High-throughput, low-latency use cases that scale horizontally beyond a single instance.
108
Which RDS engine lets you bring your own license?
Oracle
109
What does AWS automatically handle for you?
1. Securing AWS data centers from environmental hazards
2. Introducing updates and patches to EC2 hypervisors
Note that a web application firewall, guest operating system patching, and replicating data between AZs are not automatically handled.
110
How do expenses shift when moving to the cloud?
Capital expense is traded for variable expense.
111
Why are AZs separated by a meaningful distance from each other?
To keep them far enough apart from each other in case of a disaster.
112
If many customers time out from the website when running an auto-scaling group of EC2 instances and the group has stopped adding new instances, which of the Trusted Advisor categories will give more insight on this?
- Performance: helps improve the speed and responsiveness of applications
- Service Limits: shows when usage is more than 80% of a service limit. The number of instances may have hit a limit, and therefore no more are being provisioned.
Note that Fault Tolerance highlights redundancy shortfalls, service limits, and over-utilized resources.
113
What is a good disaster recovery precaution when launching dynamic web applications with mission-critical workloads that need to be available all the time?
Launch the applications in 2 different regions to prevent downtime during regional outages.
114
What makes it easier to set up the entire dev and CD toolchain for coding, building, testing, and deploying application code?
CodeStar. It even has integrated issue tracking via JIRA. CodePipeline helps automate release pipelines but doesn't provide an entire dev and CD toolchain.
115
What are the benefits of using DynamoDB as the database?
It stores unstructured data and scales its size automatically, so you need not worry about capacity. Note that Aurora is self-healing, not DynamoDB.
116
What compliance requirement has AWS achieved that allows handling of medical information?
HIPAA
117
What is PCI DSS?
A set of security standards for handling credit card information.
118
What is SOC 1?
A report on controls at a service organization relevant to internal control over financial reporting.
119
What is SOC 2?
A report on controls relevant to security, availability, processing integrity, confidentiality, and privacy.
120
What actions don't affect costs in S3?
Uploading objects into S3. Note that moving objects from one bucket to another does incur costs.
121
What is S3 Standard-IA for?
Long-lived and infrequently accessed data. Note that IA stands for Infrequent Access.
122
What is S3 One Zone-IA for?
The same as Standard-IA but for non-critical data, since it's only stored in one AZ.
123
What is S3 Reduced Redundancy for?
Frequently accessed but non-critical data.
124
What is S3 Intelligent-tiering?
Long-lived data with changing or unknown access patterns.
125
What is S3 Glacier for?
Long-term data with retrieval in minutes to hours.
126
What is S3 Glacier Deep Archive for?
Long-term data with retrieval in hours.
127
What are some main differences between IaaS, PaaS, and SaaS?
SaaS: the vendor manages everything, including the application. PaaS: customers manage data and the runtime, but everything else is managed by the vendor. IaaS: customers now take on middleware and operating systems as well; however, virtualization, servers, storage, and networking are all managed by AWS.
128
What is a database that is self-healing with a high throughput?
Amazon Aurora
129
If a customer wants to further secure his network beyond security groups and NACLs, what can he use?
AWS WAF and Amazon GuardDuty. GuardDuty is a threat detection service that continuously monitors for threats and analyzes events across CloudTrail, VPC Flow Logs, and DNS logs. WAF is a web application firewall that protects web apps from threats; you can customize rules that block common attack patterns. Note that AWS KMS is just a repository for keys and doesn't protect from threats.
130
What can monitor the compliance status of your AWS resources against a set of guidelines?
AWS Config. It records resource configurations and lets you automate the evaluation of these configurations against desired configurations.
131
If a MariaDB RDS instance is known to have high memory consumption during peak hours, what would you do to resolve this issue if it is handling write-intensive operations?
Generally, horizontal scaling would work, but since this is a database, it makes sense to scale the instance vertically. Note that scaling databases horizontally is difficult unless there is a proper orchestrator.
132
What offers better read/write performance and temporary block-level storage for your instance?
Instance Store. It is located on disks that are physically attached to the host computer. Note that EBS and EFS are persistent storage, not temporary.
133
What do you inherit from AWS after signing up?
The best practices of AWS policies, architecture, and operational processes.