General Flashcards

Question

Quicksight

Answer 1

It is a fast, cloud-powered business intelligence (BI) service that makes it easy for you to deliver insights to everyone in your organization. QuickSight lets you create and publish interactive dashboards that can be accessed from browsers or mobile devices. You can embed dashboards into your applications, providing your customers with powerful self-service analytics.

Answer 2

Application Integration: A fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication. The A2A pub/sub functionality provides topics for high-throughput, push-based, many-to-many messaging between distributed systems, microservices, and event-driven serverless applications. Using Amazon SNS topics, your publisher systems can fanout messages to a large number of subscriber systems, including Amazon SQS queues, AWS Lambda functions, HTTPS endpoints, and Amazon Kinesis Data Firehose, for parallel processing. The A2P functionality enables you to send messages to users at scale via SMS, mobile push, and email.

Answer 3

Application Integration: A fully managed message queuing service that makes it easy to decouple and scale microservices, distributed systems, and serverless applications. Amazon SQS moves data between distributed application components and helps you decouple these components.

Answer 4

Compute and Serverless: It enables developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs on AWS. AWS Batch dynamically provisions the optimal quantity and type of compute resources (e.g., CPU or memory-optimized instances) based on the volume and specific resource requirements of the batch jobs submitted. With AWS Batch, there is no need to install and manage batch computing software or server clusters that you use to run your jobs, allowing you to focus on analyzing results and solving problems. AWS Batch plans, schedules, and runs your batch computing workloads across the full range of AWS compute services and features, such as Amazon EC2 and Spot Instances

Answer 5

Compute and Serverless: It is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale computing easier for developers.Automated backups On-Demand Instances – Pay, by the second, for the instances that you launch. Savings Plans – Reduce your Amazon EC2 costs by making a commitment to a consistent amount of usage, in USD per hour, for a term of 1 or 3 years. Reserved Instances – Reduce your Amazon EC2 costs by making a commitment to a consistent instance configuration, including instance type and Region, for a term of 1 or 3 years. The offering class of a Reserved Instance is either Standard or Convertible. Spot Instances – Request unused EC2 instances, which can reduce your Amazon EC2 costs significantly. Dedicated Hosts – Pay for a physical host that is fully dedicated to running your instances, and bring your existing per-socket, per-core, or per-VM software licenses to reduce costs. Dedicated Instances – Pay, by the hour, for instances that run on single-tenant hardware. Capacity Reservations – Reserve capacity for your EC2 instances in a specific Availability Zone for any duration.

Answer 6

Compute and Serverless: Paas Under the hood, it uses Cloud Formation A free service you can quickly deploy and manage applications in the AWS Cloud without worrying about the infrastructure that runs those applications. AWS Elastic Beanstalk reduces management complexity without restricting choice or control. You simply upload your application, and AWS Elastic Beanstalk automatically handles the details of capacity provisioning, load balancing, scaling, and application health monitoring, auto-scaling to application health monitoring. Everything runs on EC2, does not have serverless option It can also work with EFS. Can have one EC2 per container. No advanced container features, and exposes to a load balancer. (no network policies etc) Complete resource control, it can also use ECS AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.

Answer 7

Compute and Serverless: Faas Costs come from “number of requests to your function”, Compute time Consumed. It lets you run code without provisioning or managing servers. You pay only for the compute time you consume—there is no charge when your code is not running

Answer 8

Compute and Serverless: Lightsail plans include everything you need to jumpstart your project – a virtual machine, SSDbased storage, data transfer, DNS management, and a static IP address – for a low, predictable price. Offers pre-packaged tech stacks on top of easy-to-use virtual private server (VPS) instances, containers, storage, databases, and more Mainly for making websites fast (word press etc) Lacks flexibility Automatic instance scalability isn't supported in Lightsail. Instances can't be modified after launch. You must launch a new instance to change your plan. Databases can scale independent of virtual servers As your cloud ideas expand, you can easily move to EC2 with a simple, guided experience. You can integrate your Lightsail project with some of the 90+ other services in AWS through Amazon VPC peering Lightsail Containers enables customers to run Docker containers on the cloud right from their developer workflows. Lightsail creates containers from the Docker images pushed by the developers, while we take care of the infrastructure management complexities. Lightsail load balancers include integrated certificate management, providing free SSL/TLS certificates you can provision and add to a load balancer in just a few clicks. You can request and manage certificates directly from the Lightsail console – and we manage renewals on your behalf. Lightsail offers a fully configured MySQL or PostgreSQL database.

Answer 9

Compute and Serverless: Offers an easy way to provide a cloud-based desktop experience to your end users. Select from a choice of bundles that offer a range of different amounts of CPU, memory, storage, and a choice of applications. Users can connect from a PC, Mac desktop computer, iPad, Kindle, or Android tablet.

Answer 10

Containers: More fine grain control of containers than Beanstalk A highly scalable and fast container management service. You can use it to run, stop, and manage containers on a cluster. With Amazon ECS, your containers are defined in a task definition that you use to run individual tasks or tasks within a service. In this context, a service is a configuration that you can use to run and maintain a specified number of tasks simultaneously in a cluster.

Answer 11

Containers: A managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes. Kubernetes is an open-source system for automating the deployment, scaling, and management of containerized applications. Amazon EKS:

Answer 12

Serverless compute for containers: A serverless, pay-as-you-go compute engine that lets you focus on building applications without managing servers. A technology that you can use with Amazon ECS or EKS to run containers without having to manage servers or clusters of Amazon EC2 instances. With Fargate, you no longer have to provision, configure, or scale clusters of virtual machines to run containers. This removes the need to choose server types, decide when to scale your clusters, or optimize cluster packing.

Answer 13

Database: - automatically replicate data across Availability Zones - Amazon Aurora is up to five times faster than standard MySQL databases and three times faster than standard PostgreSQL databases It is a MySQL and PostgreSQL compatible relational database engine that combines the speed and availability of high-end commercial databases with the simplicity and cost-effectiveness of open source databases.. It provides the security, availability, and reliability of commercial databases at 1/10th the cost. Amazon Aurora is fully managed by Amazon Relational Database Service (Amazon RDS). It delivers high performance and availability with up to 15 low-latency read replicas, point-in-time recovery, continuous backup to Amazon S3, and replication across three Availability Zones (AZs).

Answer 14

Database: -Designed with multi-AZ deployment in mind -Amazon Aurora is up to five times faster than standard MySQL databases and three times faster than standard PostgreSQL databases It is a key-value and document database that delivers single-digit millisecond performance at any scale. It’s NoSQL. Which service is used for caching data AWS operates the infrastructure layer, the operating system, and platforms, and customers access the endpoints to store and retrieve data. Customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions. Lightsail plans include everything you need to jumpstart your project – a virtual machine, SSDbased storage, data transfer, DNS management, and a static IP address – for a low, predictable price.

Answer 15

Database: It is a web service for caching that makes it easy to deploy, operate, and scale an in-memory cache in the cloud. The service improves the performance of web applications by allowing you to retrieve information from fast, managed, in-memory caches, instead of relying entirely on slower disk-based databases. You can use ElastiCache for caching, which accelerates application and database performance, or as a primary data store for use cases that don't require durability like session stores, gaming leaderboards, streaming, and analytics. ElastiCache is compatible with Redis and Memcached. Boost application performance, reducing latency to microseconds.

Answer 16

Database: Provides you with six familiar database engines to choose from, including Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server. You can use the AWS DMS (Database Migration Service) to easily migrate or replicate your existing databases to Amazon RDS.Available on several database instance types - optimized for memory, performance or I/O Benefits: automated backup allows you to restore the database with a granularity of as little as 5 minutes No need to manage operating system Can have read replicas for high throughput. (read replicas provide enhanced performance and durability for RDS database (DB) instances. (They make it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. ) Read replicas can also be promoted when needed to become standalone DB instances)

Answer 17

Database: (has serverless and server options) It makes it fast, simple and cost effective to analyze all your data using standard SQL and your existing Business Intelligence (BI) tools. It allows you to run complex analytic queries against terabytes to petabytes of structured and semistructured data, using sophisticated query optimization, columnar. Also known as a Data Warehouse

Answer 18

Can query S3

Answer 19

Developer Tools: A fully managed continuous integration service in the cloud. CodeBuild compiles your source code, runs unit tests, and produces artifacts that are ready to deploy. CodeBuild eliminates the need to provision, manage, and scale your own build servers. It provides prepackaged build environments for popular programming languages and build tools such as Apache Maven, Gradle, and more. You can also customize build environments in CodeBuild to use your own build tools. CodeBuild scales automatically to meet peak build requests.

Answer 20

Developer Tool: A version control service hosted by Amazon Web Services that you can use to privately store and manage assets (such as documents, source code, and binary files) in the cloud. A secure, highly scalable, managed source control service that hosts private Git repositories.

Answer 21

Developer Tools: A deployment service that automates application deployments to Amazon EC2 instances, on-premises instances, serverless Lambda functions, or Amazon ECS services. CodeDeploy can deploy application content that runs on a server and is stored in Amazon S3 buckets, GitHub repositories, or Bitbucket repositories. CodeDeploy can also deploy a serverless Lambda function. You do not need to make changes to your existing code before you can use CodeDeploy.

Answer 22

Developer Tools: CodePipeline lets you select CloudFormation as a deployment action in any stage of your pipeline. A continuous delivery service you can use to model, visualize, and automate the steps required to release your software. You can quickly model and configure the different stages of a software release process. CodePipeline automates the steps required to release your software changes continuously. For information about pricing for CodePipeline This solution uses CodePipeline to create an end-to-end pipeline that fetches the application code from CodeCommit, builds and tests using CodeBuild, and finally deploys using CodeDeploy.

Answer 23

Developer Tools: Depending on your choice of AWS CodeStar project template, that toolchain might include source control, build, deployment, virtual servers or serverless resources, and more. AWS CodeStar also manages the permissions required for project users (called team members). CodeStar connects CodeCommit/git, CodeBuild, CodePipeline, and CodeDeploy together using predefined templates. It’s just an overlay to the underlying services to simplify the orchestration a cloud-based service for creating, managing, and working with software development projects on AWS.

Answer 24

Customer Engagement: With Amazon Connect, you can set up a contact center in minutes that can scale to support millions of customers. contact center as a service (CCaS) solution that offers easy, self-service configuration and enables dynamic, personal, and natural customer engagement at any scale.

Answer 25

Management, Monitoring, and Governance: Step and Schedule Options? Helps you ensure that you have the correct number of Amazon EC2 instances available to handle the load for your application. You create collections of EC2 instances, called Auto Scaling groups. You can specify the minimum number of instances in each Auto Scaling group, and Amazon EC2 Auto Scaling ensures that your group never goes below this size. You can specify the maximum number of instances in each Auto Scaling group, and Amazon EC2 Auto Scaling ensures that your group never goes above this size. If you specify the desired capacity, either when you create the group or at any time thereafter, Amazon EC2 Auto Scaling ensures that your group has this many instances If you specify scaling policies, then Amazon EC2 Auto Scaling can launch or terminate instances as demand on your application increases or decreases. For example, the following Auto Scaling group has a minimum size of one instance, a desired capacity of two instances, and a maximum size of four instances.

Answer 26

Management, Monitoring, and Governance: AWS Budgets integrates with multiple other AWS services, such as AWS Cost Explorer, so you can easily view and analyze your cost and usage drivers, AWS Chatbot, so you can receive Budget alerts in your designated Slack channel or Amazon Chime AWS Service Catalog, so you can track cost on your approved AWS portfolios and products. use to configure custom cost and usage limits and enable alerts for when defined thresholds are exceeded?

Answer 27

Management, Monitoring, and Governance: Infrastructure as Code, drift detection can tell if things have changed since created It gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion. Can deploy in multiple regions simultaneously. Using either YAML or JSON Format or using sample templates

Answer 28

Management, Monitoring, and Governance: Cloud trail for audit trail. CloudTrail as a service is for logging all AWS API calls. Cloud trail for audit trail. Cloudwatch for monitoring. CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs. Does a lot of API Tracking CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. You can easily view recent events in the CloudTrail console by going to Event history.

Answer 29

Management, Monitoring, and Governance: Monitors your Amazon Web Services (AWS) resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics, which are variables you can measure for your resources and applications. Can monitor and alert based on CPU usage. The CloudWatch home page automatically displays metrics about every AWS service you use. Cloudwatch for monitoring. Cloud trail for audit trail. CloudWatch can have billing alarm You can additionally create custom dashboards to display metrics about your custom applications, and display custom collections of metrics that you choose. CloudWatch focuses on the activity of AWS services and resources, reporting on their health and performance. On the other hand, CloudTrail is a log of all actions that have taken place inside your AWS environment.

Answer 30

Management, Monitoring, and Governance: Record Config Changes It is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. The Config Rules feature enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config. With AWS Config, you can discover existing and deleted AWS resources, determine your overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.

Answer 31

Management, Monitoring, and Governance: Contains the most comprehensive set of AWS cost and usage data available, including additional metadata about AWS services, pricing, credit, fees, taxes, discounts, cost categories, Reserved Instances, and Savings Plans. Itemizes usage at the account or Organization level by product code, usage type and operation. These costs can be further organized by Cost Allocation tags and Cost Categories.

Answer 32

Management, Monitoring, and Governance: Streamlines the process of bringing software vendor licenses to the AWS Cloud. As you build out cloud infrastructure on AWS, you can save costs by repurposing your existing license inventory for use with cloud resources. License Manager reduces the risk of licensing overages and penalties with inventory tracking that is tied directly to AWS resources.

Answer 33

Management, Monitoring, and Governance: AWS will do a lot more for your services and you get designated specialists for support. Cloud architect etc. helps you operate AWS more efficiently and securely. Leveraging AWS services and a growing library of automations, configurations, and run books, AMS can augment and optimize your operational capabilities in both new and existing AWS environments.

Answer 34

Management, Monitoring, and Governance: It helps you centrally manage and govern your environment as you grow and scale your AWS resources. Using AWS Organizations, you can programmatically create new AWS accounts and allocate resources, group accounts to organize your workflows, apply policies to accounts or groups for governance, and simplify billing by using a single payment method for all of your accounts. Service control policies (SCPs) which are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions (API actions) for all accounts in your organization. Benefit from lower unit pricing for aggregated use Has service control policies similar to IAM

Answer 35

Management, Monitoring, and Governance: It helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text. Secrets Manager offers secret rotation with built-in integration for Amazon RDS for MySQL, PostgreSQL, and Amazon Aurora. Also, the service is extensible to other types of secrets, including API keys and OAuth tokens.

Answer 36

Management, Monitoring, and Governance: It gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources. With Systems Manager, you can group resources, like Amazon EC2 instances, Amazon S3 buckets, or Amazon RDS instances, by application, view operational data for monitoring and troubleshooting, and take action on your groups of resources.

Answer 37

Management, Monitoring, and Governance: A capability of AWS Systems Manager, provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, Amazon Machine Image (AMI) IDs, and license codes as parameter values. You can store values as plain text or encrypted data.

Answer 38

Management, Monitoring, and Governance: It is an online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment. Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices. Trusted Advisor can help you save cost with actionable recommendations by analyzing usage, configuration and spend. If you enabled Security Hub for your AWS account, you can view your findings in the Trusted Advisor console

Answer 39

Networking and Content Delivery: Cost comes from Number of Request and Traffic distribution It is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. CloudFront delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you're serving with CloudFront, the request is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance. If the content is already in the edge location with the lowest latency, CloudFront delivers it immediately. If the content is not in that edge location, CloudFront retrieves it from an origin that you've defined—such as an Amazon S3 bucket, a MediaPackage channel, or an HTTP server (for example, a web server) that you have identified as the source for the definitive version of your content. You specify origin servers, like an Amazon S3 bucket or your own HTTP server, from which CloudFront gets your files which will then be distributed from CloudFront edge locations all over the world.

Answer 40

Networking and Content Delivery: It makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your data center, office, or co-location environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections. does not involve the Internet; instead, it uses dedicated, private network connections between your intranet and Amazon VPC Amazon Connect is an easy to use omnichannel cloud contact center that helps companies provide superior customer service at a lower cost company connect from their on-premises network to VPCs in multiple regions using private connections? Goes for on prem -> direct connect location -> vpc. Has 3 speeds of fiber wire (1 gbps, 10 gbps, 100 gbps) dont overlap ip address

Answer 41

Networking and Content Delivery: can be used to deploy the required SSL server certificates for HTTPS protocol It is a highly available and scalable cloud Domain Name System (DNS) web service. It is designed to give developers and business Has Endpoints and Subnets extremely reliable and cost-effective way to route end users to Internet applications by translating human readable names, such as www.example.com, into the numeric IP addresses, such as 192.0.2.1, that computers use to connect to each other. Amazon Route 53 Traffic Flow makes it easy for you to manage traffic globally through a variety of routing types, including Latency Based Routing, Geo DNS, Geoproximity, and Weighted Round Robin—all of which can be combined with DNS Failover in order to enable a variety of low-latency, fault-tolerant architectures. You can use it for failover to regional replicated infrastructure

Answer 42

Networking and Content Delivery: Instances in one region can communicate with each other using Inter-Region VPC Peering, public IP addresses, NAT gateway, NAT instances, VPN Connections or Direct Connect connections. When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; It lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can establish peering relationships between VPCs across different AWS Regions (also called inter-Region VPC peering). Can configure A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. NAT Gateway? Routing subtable

Answer 43

Security, Identity, and Compliance: It is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA). DDS? The Payment Card Industry Data Security Standard (PCI DSS) Gain access to AWS security and compliance documents

Answer 44

Security, Identity, and Compliance: You can provide certificates for your integrated AWS services either by issuing them directly with ACM or by importing third-party certificates into the ACM management system. Handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications. ACM certificates can secure singular domain names, multiple specific domain names, wildcard domains, or combinations of these. ACM wildcard certificates can protect an unlimited number of subdomains. You can also export ACM certificates signed by ACM Private CA for use anywhere in your internal PKI.

Answer 45

Security, Identity, and Compliance: It is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. You can quickly add and remove HSM capacity on-demand, with no up-front costs. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. CloudHSM offers you the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries.

Answer 46

Security, Identity, and Compliance: It lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. With Amazon Cognito, you also have the option to authenticate users through social identity providers such as Facebook, Twitter, or Amazon, with SAML identity solutions, or by using your own identity system. In addition, Amazon Cognito enables you to save data locally on users’ devices, allowing your applications to work even when the devices are offline. You can then synchronize data across users’ devices so that their app experience remains consistent regardless of the device they use. Check out single sign on.

Answer 47

Security, Identity, and Compliance: automatically extracts time-based events such as login attempts, API calls, and network traffic from AWS CloudTrail and Amazon VPC flow logs. It also ingests findings detected by GuardDuty. From those events, Detective uses machine learning and visualization to create a unified, interactive view of your resource behaviors and the interactions between them over time.

Answer 48

Security, Identity, and Compliance: A continuous security monitoring service that analyzes and processes the following Data sources: VPC Flow Logs, AWS CloudTrail management event logs, CloudTrail S3 data event logs, and DNS logs. It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment. Can output alerts to CloudWatch

Answer 49

Security, Identity, and Compliance: IAM is used to securely control individual and group access to AWS resources. IAM is universal (global) and does not apply to regions. Uses SAML 2.0 to enable single sign-on to multiple applications through a central user portal The IAM console provides information about when IAM users and roles last attempted to access AWS services. This information is called service last accessed data. This data can help you identify unnecessary permissions so that you can refine your IAM policies to better adhere to the principle of “least privilege.” That means granting the minimum permissions required to perform a specific task. Access Advisor tab in the IAM lets you exam the detail view for any IAM user, group, role, or managed policy. Enable MFA for all users, Create individual IAM users. Which of the following are AWS recommended best practices in relation to IAM? (Select TWO.) Create Individual IAM Users, Enable MFA for all users. More secure than access keys and easier Access keys are long-term credentials for an IAM user or the AWS account root user. Should be rotated frequently Temporary credentials (which last from a few seconds to multiple hours) are used by IAM Roles Users - an entity that you create in AWS. The IAM user represents the person or service who uses the IAM user to interact with AWS. User Groups - a collection of IAM users. Cannot be nested. You can use user groups to specify permissions for a collection of users, which can make those permissions easier to manage for those users. Roles - (no keys or passwords - temp credentials) very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS. Policies - You manage access in AWS by creating policies and attaching them to IAM identities Groups - An IAM user group is a collection of IAM users. User groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users. AWS provides AWS Security Token Service (AWS STS) as a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users you authenticate (federated users).

Answer 50

Security, Identity, and Compliance: (This service is specifically for EC2 and ECR, whereas detective is for more general traffic) A vulnerability management service that continuously scans your AWS workloads for vulnerabilities. Amazon Inspector automatically discovers and scans Amazon EC2 instances and container images residing in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure.

Answer 51

Security, Identity, and Compliance: A fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS S3.

Answer 52

Security, Identity, and Compliance: AWS Shield is available globally on all CloudFront, Global Accelerator, and Route 53 edge locations It is a managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS. AWS Shield provides you with always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield: Standard (free) Advanced (has DDoS support team) CloudFront – Shield DDoS mitigations only allow traffic that's valid for web applications to pass through to the service. This provides automatic protection against many common DDoS vectors, like UDP reflection attacks. Route 53 – Shield mitigations only allow valid DNS requests to reach the service. Shield mitigates DNS query floods using suspicion scoring that prioritizes known good queries and deprioritizes queries that contain suspicious or known DDoS attack attributes.

Answer 53

Security, Identity, and Compliance: It is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web application by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. Pricing is based on how many rules you deploy and how many web requests your application receives, you only pay for what you use

Answer 54

Storage: It enables you to centralize and automate data protection across AWS services. AWS Backup offers a cost-effective, fully managed, policy-based service that further simplifies data protection at scale. AWS Backup also helps you support your regulatory compliance or business policies for data protection. Together with AWS Organizations, AWS Backup enables you to centrally deploy data protection policies to configure, manage, and govern your backup activity across your organization’s AWS accounts and resources

Answer 55

It provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. EBS-backed means the root volume is an EBS volume and storage is persistent. Storage: Cost comes from size of volumes per month and snapshots(stored in S3) amount of data. Pay for what you use. It can scale up or down. An EBS volume cannot attach to multiple compute resources unlike EFS NOT built with Multi AZ deployment in mind - Amazon EBS volume data is replicated across multiple servers within the same Availability Zone. It can be encrypted.

Answer 56

Storage: Elastic file system for linux, fsx for windows It can attach to multiple compute resources unlike EBS

Answer 57

Storage: Maximum file object size = 5 tb. With an unlimited amount of objects it can store. It is an object storage service that offers industry-leading scalability, data availability, security, and performance. (essentially serverless). Can have versioning. And has a lifecycle policy. Amazon S3 is designed for 99.999999999% (11 9's) of durability, and stores data for millions of applications for companies all around the world. Lifecycle Management - to create rules to control the transfer of objects between different storage classes? S3 Standard for frequently accessed data, \ S3 Standard-IA) S3 Standard-Infrequent Access S3 One Zone-IA - S3 One Zone-Infrequent Access ( for less frequently accessed data, cheaper than standard and in only 1 AZ) S3 Glacier Instant Retrieval for archive data that needs immediate access, S3 Glacier Flexible Retrieval (formerly S3 Glacier) for rarely accessed long-term data that does not require immediate access, (S3 Glacier Deep Archive) and Amazon S3 Glacier Deep Archive Amazon S3 Transfer Acceleration is a bucket-level feature that enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket PRINCIPALS element specifies the user, account, service, or other entity that is allowed or denied access to a resource. S3 buckets configured for cross-region replication can be owned by a single AWS account or by multiple accounts AWS Responsibility - operates the infrastructure layer, the operating system, and platforms, and customers access the endpoints to store and retrieve data. Customer Responsibility - are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions.

Answer 58

Storage: It is a secure, durable, and extremely low-cost storage service for data archiving and long-term backup. It is designed to deliver 99.999999999% durability, and provides comprehensive security and compliance capabilities that can help meet even the most stringent regulatory requirements. You can store data for as little as $1 per terabyte per month expedited retrievals - that typically complete in 1–5 minutes, standard retrievals - that typically complete in 3–5 hours, bulk retrievals - that return large amounts of data typically in 5–12 hours.

Answer 59

You can transfer hundreds of terabytes or petabytes of data between your on-premises data centers and (Amazon S3). With on-board storage and compute power for select AWS capabilities. Snowball Edge can do local processing and edge-computing workloads in addition to transferring data between your local environment and the AWS Cloud. Each Snowball Edge device can transport data at speeds faster than the internet. This transport is done by shipping the data in the appliances through a regional carrier. The appliances are rugged, complete with E Ink shipping labels. Snowball Edge devices have three options for device configurations (Storage Optimized, Compute Optimized, Compute Optimized with GPU) AWS Snowcone - (Max HDD 8 TB) AWS Snowcone is the most compact and portable device. AWS Snowball - (Max HDD 80 TB) AWS Snowball AWS Snowmobile - (Max HDD 100 PB - 100,000 Terabytes AWS Snowmobile

Answer 60

Storage: Hardware It is a hybrid storage service that enables your on-premises applications to seamlessly use AWS cloud storage (S3). You can use the service for backup and archiving, disaster recovery, cloud data processing, storage tiering, and migration. Your applications connect to the service through a virtual machine or hardware gateway appliance using standard storage protocols, such as NFS, SMB and iSCSI. The gateway connects to AWS storage services, such as Amazon S3, S3 Glacier, and Amazon EBS, providing storage for files, volumes, and virtual tapes in AWS. The service includes a highly-optimized data transfer mechanism, with bandwidth management, automated network resilience, and efficient data transfer, along with a local cache for low-latency on-premises access to your most active data. Amazon S3 File Gateway - supports a file interface into Amazon Simple Storage Service (Amazon S3) and combines a service and a virtual software appliance. Amazon FSx File Gateway - is a new file gateway type that provides low latency, and efficient access to in-cloud Amazon FSx for Windows File Server file shares from your on-premises facility. Tape Gateway - A tape gateway provides cloud-backed virtual tape storage. The tape gateway is deployed into your on-premises environment as a VM running on VMware ESXi, KVM, or Microsoft Hyper-V hypervisor. Volume Gateway - (Cached and Stored) A volume gateway provides cloud-backed storage volumes that you can mount as Internet Small Computer System Interface (iSCSI) devices from your on-premises application servers.

Answer 61

Operational Excellence Pillar The ability to support development and run workloads effectively, gain insight into their operations, and to continuously improve supporting processes and procedures to deliver business value. Perform operations as code Make frequent, small, reversible changes Refine operations procedures frequently Anticipate failure Learn from all operational failures Security Pillar The security pillar describes how to take advantage of cloud technologies to protect data, systems, and assets in a way that can improve your security posture. Reliability Pillar The reliability pillar encompasses the ability of a workload to perform its intended function correctly and consistently when it’s expected to. This includes the ability to operate and test the workload through its total lifecycle. This paper provides in-depth, best practice guidance for implementing reliable workloads on AWS. Automatically recover from failure test recovery procedures Scale horizontally to increase aggregate workload capacity Stop guessing capacity Performance Efficiency Pillar The ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve. Democratize advanced technologies: Make advanced technology implementation easier for your team Go global in minutes Use serverless architectures Experiment more often Consider mechanical sympathy: Cost Optimization Pillar The ability to run systems to deliver business value at the lowest price point. Sustainability Pillar The ability to continually improve sustainability impacts by reducing energy consumption and increasing efficiency across all components of a workload by maximizing the benefits from the provisioned resources and minimizing the total resources required.

Answer 62

Both Amazon SQS and Amazon SWF are services that facilitate the integration of applications or microservices. Amazon SWF API actions are task-oriented. Amazon SQS API actions are message-oriented. A web service that makes it easy to coordinate work across distributed application components. SWF enables applications for a range of use cases, including media processing, web application back-ends, business process workflows, and analytics pipelines, to be designed as a coordination of tasks. If you require external signals to intervene in your processes, or you would like to launch child processes that return a result to a parent than pick SWF over Step Functions

Answer 63

AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments. OpsWorks has three offerings, AWS Opsworks for Chef Automate, AWS OpsWorks for Puppet Enterprise, and AWS OpsWorks Stacks.

Answer 64

Customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for 8 services, listed in the next section under “Permitted Services.” Permitted Services Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers Amazon RDS Amazon CloudFront Amazon Aurora Amazon API Gateways AWS Fargate AWS Lambda and Lambda Edge functions Amazon Lightsail resources Amazon Elastic Beanstalk environments Prohibited Activities DNS zone walking via Amazon Route 53 Hosted Zones Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS (These are subject to the DDoS Simulation Testing policy) Port flooding Protocol flooding Request flooding (login request flooding, API request flooding)

Answer 65

There are seven design principles for security in the cloud: Implement a strong identity foundation: Implement the principle of least privilege and enforce separation of duties with appropriate authorization for each interaction with your AWS resources. Centralize privilege management and reduce or even eliminate reliance on long-term credentials. Enable traceability: Monitor, alert, and audit actions and changes to your environment in real time. Integrate logs and metrics with systems to automatically respond and take action. Apply security at all layers: Rather than just focusing on protection of a single outer layer, apply a defense-in-depth approach with other security controls. Apply to all layers (e.g., edge network, VPC, subnet, load balancer, every instance, operating system, and application). Automate security best practices: Automated software-based security mechanisms improve your ability to securely scale more rapidly and cost effectively. Create secure architectures, including the implementation of controls that are defined and managed as code in version-controlled templates. Protect data in transit and at rest: Classify your data into sensitivity levels and use mechanisms, such as encryption, tokenization, and access control where appropriate. Keep people away from data: Create mechanisms and tools to reduce or eliminate the need for direct access or manual processing of data. This reduces the risk of loss or modification and human error when handling sensitive data. Prepare for security events: Prepare for an incident by having an incident management process that aligns to your organizational requirements. Run incident response simulations and use tools with automation to increase your speed for detection, investigation, and recovery.

Answer 66

A fully managed service that extends AWS infrastructure,VPC, services, APIs, and tools to customer premises. By providing local access to AWS managed infrastructure, AWS Outposts enables customers to build and run applications on premises using the same programming interfaces as in AWS Regions, while using local compute and storage resources for lower latency and local data processing needs.

Answer 67

A subnet is a range of IP addresses in your VPC

Answer 68

It operates at the subnet level Stateless and has deny and allow rules.

Answer 69

Operational expenditures - buying consumable hardware etc printer ink Capital expenditure- Buying servers, and desks etc

Answer 70

The AWS free security resources include the AWS Security Blog, Whitepapers, AWS Developer Forums, Articles and Tutorials, Training, Security Bulletins, Compliance Resources and Testimonials.

Answer 71

A developer tool that provides intelligent recommendations to improve code quality and identify an application’s most expensive lines of code.

Answer 72

Has server and serverless options The industry-leading cloud big data solution for petabyte-scale data processing, interactive analytics, and machine learning using open-source frameworks such as Apache Spark, Apache Hive, and Presto.

Answer 73

The factors that have the greatest impact on cost include: Compute, Storage and Data Transfer Out

Answer 74

Can provide accurate estimates of cost based off expected usage.

Answer 75

A highly available multi-tenant directory-based store in AWS. These directories scale automatically to hundreds of millions of objects as needed for applications. This lets operations staff focus on developing and deploying applications that drive the business, not managing directory infrastructure. Unlike traditional directory systems, Cloud Directory does not limit organizing directory objects in a single fixed hierarchy.

Answer 76

A fast, fully managed database service powering graph use cases such as identity graphs, knowledge graphs, and fraud detection.

Answer 77

Is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch AWS resources, such as Amazon EC2 instances, into your VPC. A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can be in different Regions.

Answer 78

Connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router – each new connection is only made once.

Answer 79

Helps developers analyze and debug distributed applications in production or under development, such as those built using microservice architecture. With X-Ray, you can understand how your application and its underlying services are performing so you can identify and troubleshoot the root cause of performance issues and errors. X-Ray provides an end-to-end view of requests as they travel through your application, and shows a map of your application’s underlying components.

Answer 80

Leverages AWS experience and best practices to help you digitally transform and accelerate your business outcomes

Answer 81

APN Consulting Partners are professional services firms that help customers design, architect, build, migrate, and manage their workloads and applications on AWS. Consulting Partners include System Integrators, Strategic Consultancies, Agencies, Managed Service Providers, Value-Added Resellers. AWS supports the APN Consulting Partners by providing a wide range of resources and training to support their customers.

Answer 82

Helps enterprise customers plan migration projects by gathering information about their on-premises data centers.

Answer 83

Provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet. AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify your network architecture.

Answer 84

Simplifies your administration and maintenance tasks across multiple accounts and resources for a variety of protections, including AWS WAF, AWS Shield Advanced, Amazon VPC security groups, AWS Network Firewall, and Amazon Route 53 Resolver DNS Firewall. With Firewall Manager, you set up your protections just once and the service automatically applies them across your accounts and resources, even as you add new accounts and resources.

Answer 85

Provides multiple ways to set up and run Microsoft Active Directory with other AWS services such as Amazon EC2, Amazon RDS for SQL Server, FSx for Windows File Server, and AWS IAM Identity Center (successor to AWS Single Sign-On). AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use a managed Active Directory in the AWS Cloud.

General Flashcards

(109 cards)