Foundations Flashcards
(97 cards)
1
Q
What is the customer’s responsibility under aws Shared Responsibility Model? (8)
A
= customer is responsible for security IN the cloud
- what to store
- which aws services to use
- in what locations
- content format and structure
- who has access to that content
- access rights
- customer has full responsibility for security of any IaaS
2
Q
What is the aws’ responsibility under its Shared Responsibility Model? (7)
A
aws is responsible for security OF the cloud
-responsible for some aspects of basic security
+OS and database patching
+firewall configuration
+disaster recovery
-running of foundation services (compute, storage, DB, networking)
-aws global infrastructure (AZs, regions, edge locations)
3
Q
What is a listener?
A
~is a process that checks for connection requests
- configured with a protocol and a port for front-end (client to load balancer) connections, and a protocol and a port for back-end (load balancer to back-end instance) connections
4
Q
What is a target group in load balancing? (3)
A
- routes requests to one or more registered targets using the protocol and port number specified
- one target can be registered with multiple target groups
- health checks can be configured on a per target group basis
5
Q
What is path-based routing?
A
~provides rules that forward requests to different target groups
6
Q
What is host-based routing?
A
~ can be used to define rules that forward requests to different target groups based on host name
7
Q
What are sticky sessions? (3)
A
= cookies
- bind a user’s session for the duration of the session
- set depending on if you want to use duration-based cookies or application-controlled sticky sessions
8
Q
What are the properties of the Classic Load Balancer (Elastic)? (8)
A
- multiple AZs
- cross-zone balancing
- sticky sessions
- healthchecks
- access through single point
- decouple application environment
- provide high availability and fault tolerance
- increase elasticity and fault tolerance
9
Q
How does the load balancer scale?
A
- depending on the traffic pattern it sees
10
Q
How does an internet-facing/public load balancer work?
A
- gives you publicly resolvable DNS name that still allows cross-zone balancing
- allows you to route requests to the backend instances from the single exposed endpoint of the load balancer
11
Q
How does an internal load balancer work?
A
- can only be accessed through VPC
12
Q
What does Auto Scaling do? (4)
A
~ helps you ensures that you have the correct number of Amazon EC2 instances available to handle the load for your application
- w/o it too costly to always provide the capacity for the busiest day
- if we provide less capacity our services may tome out for the user
- still critical to monitor the performance of your workload with CloudWatch (monitoring tool)
13
Q
Which two critical questions does Autoscaling answer?
A
How can I ensure that my workload has enough EC2 resources to meet fluctuating performance requirements?
-> Scalability
How can I automate EC2 resource provisioning to occur on demand?
-> Automation
14
Q
Aws compliance is split into which 3 areas?
A
- aws security information sharing
- assurance programs
- aws risk and compliance programs
15
Q
What is the aws information sharing compliance approach? (3)
A
- obtaining industry certifications
- publishing security and control practices in white papers and website content
- providing documentation directly under NDA
16
Q
What are aws assurance programs made up of?
A
- certifications / attestations
- laws, regulations, and privacy
- alignments / frameworks
17
Q
Which 3 areas do aws risk and compliance programs consist of?
A
1 Risk management
2 Control environment
3 Information sharing
18
Q
Describe aws’ risk and compliance programs information security pillar.
A
- designed to protect confidentiality, integrity, and availability of information
- security white paper
19
Q
Describe aws’ risk and compliance programs control environment pillar. (5)
A
- includes policies, processes, and control activities
- secure delivery of aws service offerings
- supports the operating effectiveness of aws control framework
- integrates controls by leading cloud computing industry bodies
- aws monitors for leading practices
20
Q
Describe aws’ risk and compliance programs Risk management pillar. (11)
A
- aws’ strategic business plan includes risk management
- re-evaluated at least biannually
- identify risks
- implement appropriate measures
- additional internal and external risk assessments
- assessment by independent security firms
- aws maintains the security policy
- provides security training to ees
- performs application security reviews ensuring confidentiality, integrity, availability of data, and conformance to IS policy
- scan service endpoints for vulnerabilities
- notifies for remediation of vulnerabilities
21
Q
Can customers rely on aws’ endpoint scans alone?
A
No, they are not a replacement for customer scans. Customers can request to have their cloud infrastructure scanned within Acceptance Use policy.
22
Q
What is the customer’s part in the shared compliance model? (5)
A
- governance over the entire IT control environment
- establishment of a control environment
- understanding of required compliance objectives
- validation based risk tolerance
- verification of effectiveness
23
Q
What is one of the compliance approaches aws recommends customers adopt? (4)
A
REVIEW - info available from aws together with other info & as much of the entire IT environment as possible
DESIGN - and implement control objectives to meet the enterprise compliance requirements
IDENTIFY - and document controls owned by outside parties
VERIFY - if all control objectives are met and all controls are designed and operate effectively
24
Q
What is a region in aws?
A
= geographic area with 2 or more AZs
- there is no automatic replication across regions
- not all services are available in all regions
- highest organisational level for AWS services
25
What is an AZ in aws? (3)
= a location with 1 or more distinct data centres*
- isolated from another, but connected by a high-speed, low latency link
- physically and logically seperate
- have there own discrete, uninterruptable power supply, on-site backup generators, cooling equipment & networking connectivity
- supplied by different grids from independent utility companies for power & are networked by multiple tier-1 transit providers
- its best practice to spread across multiple AZs
26
What is an Edge location in aws? (3)
= worldwide network of data centers used by CloudFront (content delivery network) to deliver content to customers
- faster delivery to end user
- typically located in highly populated areas
27
What is Amazon Elastic Block Store (EBS)?
= backup using Snapshots (point-in-time)
| - persistent and customisable block storage for EC2 instances
28
What are snapshots in EBS good for? (3)
- re-create a new volume from a snapshot anytime
- you can copy or share snapshots
- you can keep a snapshot in a different AZs for disaster recovery
29
What are the properties of Amazon EBS? (5)
- choose between HDD and SDD types
- select the type of storage that best fits your needs
- replicated in the same AZ
- elastic volumes
- EBS volumes can increase capacity and change to different types on-the-fly (don’t even need to change instances)
30
How is encryption handled in EBS? (3)
- easy and transparent encryption
- encrypt volumes at no additional cost
- data between EC2 instances and EBS is encrypted in transit
31
What is Amazon S3?
= Amazon Simple Storage Service
| = managed cloud storage service
32
Give some of the properties of S3. (4)
- you can store a virtually unlimited number of objects
- objects can be videos, images, snapshots, etc several terrabytes in size
- access anytime from anywhere
- has rich security controls
33
How do you access S3? (3)
- create a bucket for your object & specify a key for retrieval (key may be file path)
- stored across multiple AZs in your selected region
- access S3 through the aws Mgt Console, aws CLI or aws SDKs or via bucket directly (key must be globally unique)
34
What happens if your data in S3 grows?
- automatically scales as your data grows
| - high volume requests also automatically scaled
35
What are common use cases for S3? (4)
- storing application assets
- static web hosting
- backup and disaster recovery
- staging area for Big Data
36
Launching an instance is also called...
... scaling out.
37
Terminating an instance is also called...
...scaling in.
38
What is AWS lambda?
- let’s you run code without provisioning or managing service
- fully-managed serverless compute
39
What are the properties of aws lambda? (7)
- executes code only when needed
- scales automatically to 1000s of requests per second
- event-driven execution
- sub-second metering
- multiple languages supported
- ideal for variable and intermittent workloads
- set up your code to trigger from other aws services, HTTP endpoints, or in-app activity
40
What are the limitations of aws Lambda regarding disk space, memory and fn-runtime?
512 MB diskspace max
128 to 15,036 MB memory
max 5 min fn-execution
41
Give some use cases for aws Lambda. (6)
- automated backups
- processing objects uploaded to S3
- event-driven log analysis
- event-driven transformations
- IoT
- operating serverless websites
42
What is aws Lambda also known as?
- the connective tissue of aws services
43
What is aws Elastic Beanstalk? (3)
= PaaS
- allows quick deployment of your apps
- orchestration service for deploying infrastructure which orchestrates various aws services
44
What platforms does Elastic Beanstalk support? (10)
- Packer Builder
- single container, multi-container, and preconfigured Docker
- Go
- Java SE
- Java with Tomcat
- .NET on Windows Server with IIS
- Node.js
- PHP
- Python
- Ruby
45
What are the characteristics of Elastic Beanstalk? (4)
- reduces mgt complexity
- keeps control in your hands - choose instance type, database, set and adjust autoscaling, update your app, access server log files, and enable HTTPS on load balancer
- easily implemented
- update your app as easily as deployed
46
What services does aws Elastic Beanstalk provide? (5)
- application services
- HTTP service
- OS
- language interpreter
- host
47
What is the Application Load Balancer? (5)
- new offering contrasting to the Classic Load Balancer with additional features:
- supported protocols / HTTP, HTTPS,
HTTP/S & WebSockets
- CloudWatch metrics / add. load blc metrics &
Target Group metric dimension
- access logs / ability to see connection details for
WebSocket connections
- health checks / insight into target & app health at
a more granular level
48
What additional features does the Application Load Balancer have over the Classic one? (5)
- path and host-based routing
- native IPv6 support
- aws WAF
- dynamic ports
- deletion protection & request tracing
49
When is the Application Load Balancer better used than the Classic Load Balancer?
- good for use with containers to host your micro services & route to those apps from a single load balancer
- can route different requests to the same instance but differ the path based on the port
- if you have different containers listening on various ports, you can set routing rules to distribute traffic to only the desired backend application
50
What are the core characteristics of VPC? (8)
- a private virtual network within the aws cloud: uses the same concepts as on-premise networking
- allows complete control of network configuration: ability to isolate and expose resources inside it
- offers several layers of security controls: ability to allow and deny specific internet and internal traffic
- other aws services deploy into VPC: services inherent security built into the network
51
What is the “location” of a VPC, region/AZ-wise? (3)
- lives within a region
- multiple VPCs per account - can be used to segregate environments
- subnets are used to divide Amazon VPC, can span multiple AZs
52
How do you control traffic to subnets?
- configure route tables to control traffic going out of subnets
- subnets within a VPC can communicate with each other
53
What are the 3 interfaces of AWS, i.e. ways to use AWS?
- AWS Mgt Console
- CLI
- SDKs
54
What is the AWS Management Console?
~ an easy-to-use graphical interface that supports the majority of Amazon Web Services
55
What does CLI stand for and why use it?
= Command Line Interface
~ access to services via discrete command
- its programming language agnostic
- gives you the flexibility to create scripts
56
What do SDKs do?
= Software Development Kits
- incorporate the connectivity and functionality of AWS cloud services into your code / ability to use AWS in existing applications
- flexibility to create applications
57
What does EC2 stand for?
Elastic Compute Cloud
58
Specifically, what does Elastic mean?
If properly configured, you can increase or decrease the amount of servers required by an application automatically according to the current demands on that application.
59
In AWS # of instances stands for...
... # of servers.
60
What are some simple characteristics of EC2 instances? (3)
- pay as you go
- broad selection of HW/SW
- global hosting
61
Simple steps to create an instance (9)
- login to Console
- choose region
- launch EC2 wizard
- select AMI (SW)
- select instance type (HW)
- configure network
- configure storage
- configure key pairs
- launch & connect
62
What are some of the features of VPC? (5)
- subnets
- route tables
- Internet Gateway (IGW)
- NAT Gateway
- Network Access Control Lists (NACL)
63
What are Route tables there for?
- control traffic going out of subnets (of a VPC)
64
What is IGW?
= Internet Gateway
| - allows access to the internet from Amazon VPC
65
What is a NAT Gateway?
- allows private subnet resources to access thr internet
66
What do NACLs do?
= Network Access Control List
| - control access to subnets, stateless
67
What do Security Groups do? (3)
- act as built-in firewalls
- control accessibility to instances
- another way to filter traffic to your instances
68
What is a target in load balancing?
- a destination for traffic based on the established listener rules
69
What is Request Tracing used for with the Application Load Balancer?
- can be used to track HTTP requests from clients to target
70
What components are required for Autoscaling? (3)
- Launch configuration
- Auto scaling group
- Auto scaling policy
71
To start Autoscaling by setting a Launch configuration we decide... (5)
... what to launch.
- AMI
- Instance type
- Security groups
- Roles
72
To start Autoscaling by setting an Autoscaling Group we decide... (6)
... where deployment takes place.
- VPC & subnets
- Load balancer
- Minimum instances
- Maximum instances
- Desired capacity
73
To start Autoscaling by setting an Auto Scaling Policy we decide... (5)
... when to launch and terminate EC2 instances.
- Scheduled
- On-demand
- Scale-out policy
- Scale-in policy
74
What is Amazon Route 53?
= managed DNS (Domain Name System) service
- provides reliable & highly scalable way to route end users to end points
- end points can be apps, EC2 instances, Loadbalancers, Cloudfront Distribution, any endpoint on the internet, even including resources in an on-prem data centre
75
How does Route 53 work when a user enters a certain domain name into their browser?
- query is routed to users Internet Service Provider
- ISP’s DNS forwards request to Route 53
- translates domain name into IP address
- then the users browser can make requests for that specific address
76
What is a Hosted Zone in Route 53?
- first thing you create when signing up to Route 53
- it’s where all DNS data is kept
- you will receive 4 named servers where you can delegate on your domain
- you can have internal or external ones
77
What is an FQDN in Route 43?
= Fully Qualified Domain Name
| - domain you have purchased with the Domain Register (external or purchased throught Route 53)
78
What is an Internal Hosted Zone in Route 53 usually used for?
- used when your application components need to communicate to each other
79
What are the services Route 53 provides? (6)
- simple routing
- geo-location
- failover
- weighted round robin
- latency-based
- multi-value answer
80
What are the characteristics of Route 53? (6)
- domain registration
- global, highly available DNS
- public and private DNS names
- multiple routing algorithms
- both IPv4 and IPv6
- integrated with other AWS cloud services
81
What is Amazon RDS?
= Amazon Relational Database Services
| - managed service that sets up, operates and scales a relational database w/o any ongoing admin
82
What does RDS manage? (7)
- OS installation and patches
- Db software install and patches
- Db backups
- high availability
- scaling
- power and rack & stack
- server maintenance
83
With RDS what do you manage?
- application optimisation
84
Which databases does RDS support? (6)
- MySQL
- Amazon Aurora
- Microsoft SQL Server
- PostgreSQL
- MariaDB
- Oracle
85
When setting up RDS what do you have to choose?
- the DB instance class and the DB Instance Storage
86
What is a DB Instance Class?
- resources found in a DB Instance are determined by its DB Instance Class
- select CPU, memory and network performance
- tailor to your requirements as they differ in performance characteristics and price
87
What is the DB Instance Storage?
- type of storage us dictated by the type of disk: magnetic, general purpose (SSD), provisioned IOPS
- tailor to your requirements as they differ in performance characteristics and price
88
Amazon RDS:
| Subnets in an Amazon VPC are associated with a single AZ, so when you select the [...], you’re also choosing [...]
subnet
| the AZ or physical location for your Db instance.
89
RDS and multi-agency deployment
- one of the most powerful features of RDS
- once configured, RDS automatically generates a stand-by copy of the db instance in another AZ (in same VPC)
- after seeding the db copy, transactions are synchronously replicated to the standby copy
90
What are the benefits of multi-agency deployment in RDS? (4)
- can enhance availability during planned system maintenance and help protect db against db instance failure and AZ disruption
- if master db instance fails, RDS automatically brings standby db instance online as new master
- there should be no data loss
- no need to change anything in your application code to use copy for failover
91
RDS and read replicas - how does it work
- updates made to the source db instance are asynchronously copied to read replica
92
RDS and read replicas - what engines does RDS support (4)
- MySQL
- MariaDB
- PostgreSQL
- Amazon Aurora
93
RDS and read replicas - benefits (4)
- reduce load on source db by routing read queries from your apps to the read replica
- can also scale out beyond capacity constraints if a single db instance for read-heavy db workloads
- with manual action can also be promoted to master db instance
- can be created in different region than master db to satisfy disaster recovery reqs or cut down on latency by directing reads to a replica closer to user
94
RDS - use cases (3)
1) web and mobile apps: high throughput, massive storage scalability, high availability
2) e-commerce apps: low-cost db, data security, fully managed solution
3) mobile and online games: rapidly grow capacity, automatic scaling, db monitoring
95
What is Amazon SNS?
= Amazon Simple Notification Service
| - flexible, fully managed, pub/sub messaging and mobile communications service
96
Amazon SNS - characteristics (5)
- coordinates delivery of message subscribing endpoints and clients
- > enables you to send different information to different subscribers
- easy to set up, operate and send reliable communications
- allows you to decouple and scale microservices, distributed systems and serverless apps
- allows pub/sub messaging for different Amazon Services (e.g. Lambda, etc.)
97
What is Amazon SNS mobile Identifications?
- allows similar publishing as SNS but to different mobile systems, like ADM, APNS, Baidu, GCM, MPNS and WNS
