EC2 - II

Question 1

EC2 data

Answer 1

User-data - user defined
Meta-data - intrinsic

Question 2

Userdata processing on ec2

Answer 2

EC2 instance is a slave to the user data. It doesn’t interpret it, it just passes it on to system process responsible for executing it

Question 3

Effects of a failed user-data

Answer 3

Ec2 Launch is not affected by a failed userdata. Instance will pass its System checks whether or not the userdata script executes successfully or fails

Question 4

How secured is a user-data?

Answer 4

Userdata is not secured. Any one that can access the instance can access its user data. Do not pass in sensitive data into it.

Question 5

File size for ec2 user data

Answer 5

16Kb max. But can contain instructions to download infinite size of files for its job

Question 6

EC2 user Data Format

Answer 6

Base64

Question 7

Linux 2023 Instance metadata Command (Version2)

Answer 7

TOKEN= ‘curl -X PUT “http://169.254.169.254/latest/api/token’ -H “x-aws-ec2-metadata-token-ttl-seconds:21600”’

Question 8

Linux 2023 Instance userdata Command (Version2)

Answer 8

TOKEN= ‘curl -X PUT “http://169.254.169.254/latest/api/token’ -H “x-aws-ec2-userdata-token-ttl-seconds:21600”’

Question 9

Userdata using CloudFormation

Answer 9

Using CloudFormation, you must encode the user data to 64bits

Question 10

Applications onEC2 access instance role via?

Answer 10

metadata

meta-data is attached to the instance profile(CLI, CF, SDK)

Inside the meta-data there’s an IAM tree, inside the IAM Tree there’s a role attached there. (*iam/security-credentials/role-name)

EC2 and STS Token ensures the credentials are constantly rotated to avoid expired data

Applications must always lias with metadata to ensure they re using the latest version of the rotated credentials

Question 11

Best practice IAM Roles

Answer 11

Always use Roles instead of storing long term credentials.

Avoid Storing Long term credentials on your instance or Local Host

Question 12

Instance Role

Answer 12

A Specific type of IAM Role is designed so it can be assumed by an EC2 Instance. When an Instance assumes a role, the instance and all its applications gain access to all the security credentials assigned in the role

Question 13

“AWS Configuration”

Answer 13

Avoid using AWS Configure option for instaling AWS CLI toolkit. Credentials are stored in the instance which is not secured. Instead, use EC2 Instance Role.

Question 14

IAM Role Types

Answer 14

1. AWS Service
2. Account
3. Web Identity
   4 SAML 2.0 Federation
4. Custom Trust Policy

Question 15

ec2-user

Answer 15

Alwys check to ensure that your Instance Connect is about to connect to an ec2-user

Question 16

AWS CLI utility rules

Answer 16

Reference

https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#cli-configure-quickstart-precedence

Question 17

Effect of Deleting EC2 Instance Role from the IAM Console

Answer 17

Deleting an IAM Role does not remove the Role from the Instance. It will still be existing in the In the Instance Profile. . It MUST be Detached from the Instance

Question 18

Define IAM ROles

Answer 18

An IAM role is an identity you can create that has specific permissions with credentials that are valid for short durations. Roles can be assumed by entities that you trust.

Question 19

IAM Role Session Duration

Answer 19

=>3,600seconds - 12Hrs (Minimum of 1hr by default)

IAM users switching roles in the console are granted a role session duration up to this value. API or CLI users can use the DurationSeconds parameter to set a session duration up to this maximum.

By default, temporary security credentials are valid for 1 hour.

Question 20

Parameter st Instance metadata are always rotated and always valid. Thanks to ssm ore access

Answer 20

For every resource/identity requesting access to credentials in PM Store, Parameter store will always check with IAM and Kms for authentication.

Question 21

EC2 instance profile

Answer 21

An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.

Any role is captured into instance profile which manages the role across instance applications

Question 22

Instance credentials expiry

Answer 22

Instance metadata are always rotated and always valid(**as long as the instance role is still attached **. Thanks to ssm

Question 23

Ssm parameter command

Answer 23

$aws ssm get-parameters –/parameterName-or-Path

Question 24

Cluster Placement and EC2 Host

Answer 24

All Instances within a cluster group are most likely running on the same host.

All Instances in a cluster placement are directly connected together in an upto 10GB/s bandwidth for single Stream data transfer rate against the normal 5GBps of normal bandwidth

Single Az,
Subsequent instances follow suit with the AZ of the first instance

Question 25

EC2 Placement Groups

Answer 25

* Cluster - Pack instances close together * Spread - Keep instances separated * Partition - groups of instances spread apart

Question 26

Cluster Placement Latency

Answer 26

Lowest possible inter-instance Latency Max packets per session(PPS) This speed is proportional to the Instance in use High-performance Networking instances Enhanced Networking enabled

Question 27

Cluster Placement Cons

Answer 27

Offers little to no resilience - Host can fail - AZ can fail and - ***any failure goes down with the entire cluster*** - Advisable to use same instances and Launch them at same time - not available on all instance types

Question 28

Clustter Placement and HA

Answer 28

Cluster placement can not span AZs. It's locked to a single AZ However can span a paired AZ.

Question 29

Use case

Answer 29

High speed Low Latency workload HPC

Question 30

Spread Placement can span AZ

Answer 30

Infrastructure Isolation(Each instance has its own rack, isolated networking and power supply) Fault Isolation Advantage Limited to 7 instances per AZ Dedicated Host or Instances are not supported

Question 31

Spread Placement Use case

Answer 31

Physical instance distance is required Blast radius separation within application. Small number of critical instances that require isolation. HA

Question 32

Partition Placement Group

Answer 32

- Need for morethan 7 instances in a spread placement in an AZ that needs to be separated per fault domain. - Instances can be placed in a specific partition, or ec2 can automatically do placement arrangement - Multi AZ is available - For Huge Scale parallel processing systems - Offers visibility into the partition(helps topology-aware applications, eg Cassandra, HDFS,HBASE) they make intelligent data replication decisions.

Question 33

EC2 enhanced Networking

Answer 33

The Host becomes aware of the virtual layer over it and assigns to each instance its dedicated network resources. Host's NIC is virtually parallelized as against a serial(Single) NIC attending to all virtual instances on the Host.

Question 34

Enhanced Networking Pros

Answer 34

Higher IO Higher bandwidth Low Latency High PPS CPU load is ofloaded to ENI