Global Content Delivery Flashcards
What is ACM?
AWS Certificate Manager (ACM) is a service which allows for the creation, management, and renewal of certificates.
True/False. ACM can run as either a public or private Certificate Authority (CA).
True.
Can ACM generate or import certificates?
Both.
True/False. If ACM generates a certificate, it cannot renew said certificate for us.
False. If ACM generates a certificate, it CAN renew said certificate for us.
True/False. If we import a certificate into ACM, we are responsible for renewing the certificate.
True.
Can ACM certificates be deployed to all AWS services?
No. Certificates can only be deployed to supported services.
Can ACM be used with EC2?
No.
True/False. ACM is a regional service.
True.
True/False. Certificates cannot leave the region they are generated or imported in.
True.
Do services using ACM certificates need to be in the same region as the ACM certificate that they are using?
For most services, the certificate needs to be located in the same region as the service (if the service is in ap-southeast-2, then the ACM certificate would also need to be in ap-southeast-2).
For global services, such as CloudFront, the ACM certificate would need to be located in 'us-east-1'.
What is CloudFront?
CloudFront is a Content Delivery Network (CDN) within AWS.
What can be configured in CloudFront on a per-behavior basis?
Caching policies, allowed HTTP methods, and viewer access can be configured on a per-behavior basis.
What is the default TTL for objects cached in CloudFront?
Objects cached by CloudFront have a default TTL of 24 hours.
Is it possible to set min/max TTL values in CloudFront?
It's possible to set minimum TTL and maximum TTL values that will be applied across all objects.
Different headers can also be used to set TTLs, but if the values indicated in these headers are outside the range of the minimum/maximum TTLs, the minimum/maximum TTL would then be applied.
What are examples of headers that can be used with custom origins in CloudFront?
Origin Header: Cache-Control max-age (seconds)
Origin Header: Cache-Control s-maxage (seconds)
Origin Header: Expires (Date & Time)
How are cache invalidations performed in CloudFront?
Cache invalidations are performed on a distribution.
Cache invalidations are applied to all edge locations within that distribution.
What do CloudFront Distributions do for CloudFront?
CloudFront distributions tell CloudFront where we want content to be delivered from, and the details about how to track and manage content delivery.
How can we identify what specific image was used when viewing CloudFront logs in CloudWatch?
Versioned file names can be useful for quickly identifying what specific image was used when we view our logs in CloudWatch, and they also result in us not needing to be overly dependent on cache invalidations.
Does CloudFront support SSL by default?
CloudFront supports SSL by default via the following certificate:
*.cloudfront.net
When can we not use the default SSL certificate in CloudFront?
The default SSL certificate cannot be used if we're taking advantage of the Alternate Domain Names feature and using a DNS provider such as Route53 to point our Alternate Domain Name at our CloudFront Distribution.
What is SNI?
Server Name Identification (SNI) is an extension for the TLS protocol to indicate a hostname in the TLS handshake.
What are CloudFront origins?
CloudFront origins are the location where content is stored, and from which CloudFront gets content to serve to users.
What type of identity can be associated with CloudFront Distributions that utilize S3 Origins?
An Origin Access Identity (OAI) is a type of identity that can be associated with CloudFront Distributions that utilize S3 Origins.
True/False. OAIs can be used in S3 Bucket Policies to allow access from an OAI, but implicitly deny everything else.
True.