Fundamentals Flashcards

1
Q

IAM Policies

A

allow or deny access to AWS services when attached to IAM User, Group, or Role

2
Q

(T/F) IAM is global

A

True

3
Q

IDP (ID Provider)

A

IAM - authenticate and authorize (based on policies)

4
Q

(T/F) IAM is free

A

True

5
Q

(T/F) IAM has direct control on federated accounts.

A

False

6
Q

Access Keys

A

Long-term credentials within IAM users. Used for the CLI. Don’t change regularly or automatically. An IAM user can have two access keys. Can be created, deleted, inactive, active. Default to active.

7
Q

Two parts to Access Keys

A

Key ID and Secret Access Key. Once you get the secret access key, you can’t get it again so WRITE that down

8
Q

Public Service

A

Accessed anywhere with Internet

9
Q

Private Service

A

Access through VPC

10
Q

(T/F) Nothing from the Internet can get to the VPC unless it is configured to do so.

A

True

11
Q

AWS Zones

A

Public Internet Zone -> AWS Public Zone -> AWS Private Zone

12
Q

The Command Line Interface (CLI) uses the region code (ap-southeast-2) whereas the console uses the region’s name, which looks like…

A

Asia Pacific (Sydney)

13
Q

A default VPC is assigned per

A

One account & One Region

14
Q

Two types of VPC

A

Default and Custom

15
Q

(T/F) Custom VPC can have more than one region

A

True

16
Q

VPC CIDR

A

The IP addresses a VPC can use. The default VPC is always the same: 172.31.0.0/16

17
Q

(T/F) Custom VPC can only have one CIDR

A

False

18
Q

Default VPCs are always configured the same way when it comes to subnets

A

One subnet in each AZ in the region. Each subnet has its own CIDR, so the subnet in AZ one could be 172.31.211.0/20

19
Q

Each VPC subnet comes with…

A

Internet Gateway, Security Group, NACL

20
Q

EC2 Instance

A

OS Configured for your needs

21
Q

(T/F) EC2 Instances are private by default

A

True, need to configure public access

22
Q

EC2 instances are AZ resilient, which means

A

If the AZ fails, the instance fails

23
Q

EC2 On-Demand Billing

A

By second or hour depending on the OS

24
Q

EC2 Popular Types of storage

A

Local host storage or Elastic Block Store (EBS)

25
EC2 Lifecycle
Running, Stopped, Terminated
26
EC2 Running, you pay for
CPU, Memory, Disk (storage), networking
27
EC2 Stopped, you pay for
Just Disk (storage)
28
EC2 Terminated, you pay for
Nothing, but once it is terminated it cannot be recreated
29
Amazon Machine Image (AMI)
Used to create an EC2 instance or created from an EC2 instance. It is the image that configures the stack
30
AMI Contains three things
Permissions, Root Volume, Block Device Mapping
31
AMI Permissions
Public - everyone allowed; Owner (private) - implicit allow; Explicit - specific AWS accounts allowed
32
AMI Root volume
Think C:\ in Windows or ROOT in Linux
33
AMI Block Device Mapping
Which volume is boot and which is data
34
Connect to EC2 by...
RDP for Windows or SSH for Linux
35
(T/F) You need a key pair to connect to Linux
True
36
RDP Port
3389
37
SSH Port
22
38
S3
Global storage platform; region based/resilient (replicated among AZs in a region); public service, unlimited data & multi-user. Think of it as the default storage for AWS
39
Two parts of S3
Objects and Buckets
40
S3 Object
Files, data, etc.
41
S3 Bucket
Containers that hold S3 Objects
42
S3 Objects Two Parts
Object Key (think of it as the filename); Value (the content being stored)
43
S3 Object Value Range
0 - 5 TB
44
S3 Bucket region?
Has a primary home region that it never leaves unless it is configured to do so
45
Blast Radius (major disaster) =
Region
46
(T/F) Bucket names do not need to be globally unique
False; pay attention to trick questions that may ask why you can't create the bucket name. Bucket names have to be unique across all regions and all AWS accounts
47
(T/F) S3 buckets can hold unlimited objects and since each object is 0-5TB, you have unlimited storage
True
48
Flat structure
How S3 is structured: all items are at the root and only appear as folders because of the naming convention in the S3 Object Key
49
S3 Bucket names Format
3-63 characters, all lowercase, no underscores, must start with lowercase or number, can be IP formatted
50
S3 Bucket limit
100 (soft limit), 1000 (hard limit)
51
S3 storage in AWS - object, file, or block?
Object. It is not file or block storage like EFS or EBS. You can't mount an S3 bucket (example: G:\). Great for large scale; great for offloading
52
Offloading
Input and/or output from many AWS products goes to S3
53
ARN
Amazon Resource Name - uniquely references a single resource in AWS. Can be used with a wildcard.
Format: arn:partition:service:region:account-id:resource-id
For S3 it would be:
arn:aws:s3:::catgif/ = just the bucket
arn:aws:s3:::catgif/* = access to objects in the bucket but not the bucket itself
Note the ::: (no region, because S3 is global)
54
CloudFormation
Tool that lets you create, update, and delete infrastructure in AWS
55
Base of CloudFormation
Templates written in either YAML or JSON
56
CloudFormation Template contains
List of resources
57
Mandatory component of CloudFormation Templates
Resources - which AWS resources are being spun up
58
Other CloudFormation Template Components
- Description - free text field
- AWSTemplateFormatVersion - which version; if used, Description must be underneath it
- Metadata - control the UI
- Parameters - prompt the user for more information
- Mappings - use lookup tables
- Conditions - decision making in the template
- Outputs - output created based on the template running, for example: "AZ Zone 2"
59
Two steps to CloudFormation Conditions Component
Step 1 = create the condition; Step 2 = use the condition
60
Logical Resource (CloudFormation)
Tells AWS what to create. For example: use "instance" for an EC2 instance.
61
Stack (CloudFormation)
Contains all the logical resources that the template tells it to create. Created when you take a template and tell CloudFormation to do something with the template.
62
The whole point of CloudFormation
For any logical resource in the stack, CloudFormation makes a physical resource in your AWS account. CloudFormation's job is to keep the logical and physical creations in sync.
63
CloudWatch
Support service used by almost all AWS Services - public service in Public Internet Zone
64
Three main jobs of CloudWatch
Metrics, Logs, Events
65
CloudWatch Events activated when?
If something happens (ex. an EC2 Instance Started) AND event scheduling (ex. do this at this time)
66
CloudWatch Agent
Add functionality to CloudWatch that isn't gathered natively (CPU usage is native; on-premises logs need CloudWatch Agent)
67
Namespace (CloudWatch)
Namespace = container for monitoring data. All AWS data goes into a namespace named AWS/SERVICENAME, e.g. AWS/EC2. That prefix is reserved for AWS; you can’t name yours that. Outside of that you can name it as needed
68
Metric (CloudWatch)
A collection of related data points that is time ordered.
69
Datapoint (CloudWatch)
Consists of two things: a timestamp and a value. So for CPU utilization, 2019-12-03T08:45:45Z and 98.3.
70
Dimension (CloudWatch)
Separate datapoints for different THINGS or PERSPECTIVES within the same metric
71
Alarm (CloudWatch)
Linked to a metric and takes an action based on that metric (example: SNS)
72
High Availability (HA)
ENSURE an agreed level of operational PERFORMANCE, usually UPTIME, for a HIGHER THAN NORMAL PERIOD
73
Fault Tolerance (FT)
property that enables a system to CONTINUE OPERATING PROPERLY in the event of the FAILURE OF SOME (one or more faults within) of its COMPONENTS
74
High Availability (HA) vs. Fault Tolerance (FT)
Fault tolerance is to operate through failure; high availability is to maximize uptime
75
Disaster Recovery (DR)
policies, tools and procedures to ENABLE THE RECOVERY or CONTINUATION of VITAL technology infrastructure and systems FOLLOWING A NATURAL OR HUMAN-INDUCED DISASTER
76
Route53
Register Domains; Host Zones in managed nameservers it provides; global service; can withstand one or two regional failures and continue to run
77
Hosted Zones
ZONE FILES in AWS, hosted on four managed name servers; can be PUBLIC or PRIVATE linked to VPC(S); stores records (RECORDSETS)
78
Nameserver (NS)
Record type that points a parent zone at a child zone's name servers, e.g. the .com zone to the amazon.com zone
79
A or AAAA records
Maps a host name to an IP: A = IPv4, AAAA = IPv6
80
CNAME
Create the equivalent of DNS shortcuts, or host to host; create three CNAMEs for FTP, MAIL and WWW and point them all at the server so they go to the right place. EXAM ALERT – CNAMEs cannot point to an IP, only to another host name, so look out for that!
81
MX Records
How a server can find the mail server for a domain. MX records have two main parts – priority and value. MX 10 mail; MX 20 mail.other.domain. The dot on the right means it is a fully qualified domain name. For priority, the lower number is picked first, so MX 10 mail would be chosen first to deliver mail.
82
TXT Record
Add arbitrary text to a domain; think Google Analytics requiring text in a TXT record so it can query it and use it.
83
TTL
Time to Live. Set on a DNS record in seconds. Tells resolvers how long to cache the record from the authoritative source (authoritative answer). If another client queries the same thing, they will get back a non-authoritative answer cached on the resolver server (most likely the ISP’s server) because of the TTL. It’s the TTL that may delay switching IPs, etc.
84
How many DNS root servers exist?
13
85
Who manages DNS root servers?
12 different organizations
86
Type of organisation that maintains the zones for a