linux academy Flashcards

1
Q

EC2 firewalls

A

Security Groups are the primary firewalls for EC2s. They implicitly deny all traffic. Only traffic explicitly allowed will pass through the SG.

2
Q

Application load balancer

A

Layer 7

3
Q

Message queue service

A

SQS

4
Q

Cross account IAM roles

A

Used to give other AWS accounts access to your resources

5
Q

IAM groups

A

IAM Users can be assigned to IAM groups and inherit the permissions policies associated with the group. Recommended best practice to avoid managing permissions policies for individual IAM Users.

6
Q

To turn a private subnet into a public subnet

A

Associate a custom route table with it that has a route to the Internet Gateway.

7
Q

Customer master key

A

Key used by KMS to encrypt and decrypt data keys

8
Q

Security Token Service (STS)

A

Used to generate temporary access keys with limited lifetime. Permissions granted come from a role (Assume Role) or IAM User (GetSessionToken).

9
Q

OpenID Connect

A

Identity layer on top of the OAuth 2.0 protocol used by web identity providers (Facebook, Google, Amazon.com). Authorization tokens from compatible OpenID Connect providers can be used to obtain credentials from STS.

10
Q

Kinesis Data Streams

A

Big data service for ingesting and storing data of high volume, variety and velocity in a stream

11
Q

Redis

A

In-memory NoSQL database that can be automatically managed by ElastiCache.

12
Q

Maximum retention period for RDS manual snapshots

A

unlimited

13
Q

Direct connect gateways

A

allows you to connect from Direct Connect to any VPC in any region except China

14
Q

AWS WAF

A

Layer 7 firewall

15
Q

SAML

A

Security Access Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

16
Q

CloudFront

A

AWS’ Content Delivery Network

17
Q

Security Group

A

1) Operates on the instance layer
2) Supports “allow” rules only
3) Is “stateful”, so return traffic for an allowed request is permitted regardless of rules
4) Evaluates ALL rules before deciding to allow traffic

18
Q

AWS WAF rules can be applied at

A

An Application Load Balancer

CloudFront

19
Q

Default VPC

A

1) Default VPC is user friendly, allowing you to immediately deploy instances
2) All subnets in a default VPC have an internet gateway attached
3) Each EC2 instance has both a public and a private IP address
4) If you delete the default VPC the only way to get it back is to contact AWS

20
Q

Stateless firewall

A

NACLs are an example of a stateless firewall. To allow traffic BOTH inbound and outbound rules are always required.

21
Q

Shared Tenancy

A

The default configuration of an EC2 host, where multiple AWS customers can run on the same host.

22
Q

Private VIF

A

Virtual Interface from Direct Connect to the Virtual Private Gateway of a VPC

23
Q

Redshift

A

A managed service for data warehousing

24
Q

EFS

A

Elastic File System - a managed service for NFS

25
HDFS
Hadoop Distributed File System. Stores data locally on the core nodes of a Hadoop cluster.
26
VPC flow logs
Logging of accepted and rejected network traffic inside of your VPC
27
S3 object size limit
5TB
28
Two supported formats for CloudFormation Templates
JSON and YAML
29
AWS Shield
DDOS protection
30
SNS (and also MQ)
Pub/sub messaging service
31
A consultant's best friend
Trusted Advisor makes recommendations for Cost Optimization, Fault Tolerance, Performance, Security, and Service Limits
32
Glacier
Low cost storage for archives
33
Guard duty
A continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs.
34
Ephemeral storage
Local disks on host machines are called Instance Store. These are immediately wiped when an EC2 instance is stopped or terminated.
35
Disaster recovery patterns in order of increasing cost
1) Backup and Restore 2) Pilot Light 3) Low Capacity Standby 4) Multi-site Active-Active
36
Partition key
Required for each item in a DynamoDB table
37
Cloud HSM
Dedicated HSM for encryption key management
38
BGP
Border Gateway Protocol - used to dynamically propagate routes between data centers and VPCs
40
Transient cluster
EMR cluster that is configured to run steps and then terminate itself upon completion.
41
Route53
DNS service (named for DNS port number 53)
42
Security access key
AWS API calls must be signed with API Access Keys, which consist of an Access Key ID and a Secret Access Key.
43
Lifecycle policies
Rules that automatically transition aging S3 objects into less expensive storage classes, including Glacier.
44
Provisioned IOPS are needed when
Your application requires consistent IOPS to your EBS volume (e.g. a production relational DB).
45
Five pillars of well architected framework
Security, Operational Excellence, Reliability, Performance Optimization, Cost Efficiency
46
Service that makes best practice recommendations
Trusted Advisor
47
Eventual consistency
Distributed storage systems are often eventually consistent which means that read requests made immediately after new or updated data may return the old data, or missing data in the case of new items.
48
Archival storage
Glacier
49
A /20 VPC contains how many IP addresses
This would have 12 bits of addresses which is 4,096. However, every subnet inside of this VPC would take away five from this amount.
50
Some reasons to use Aurora
Continuous backup; enterprise-class performance at much lower cost; multi-master; serverless option; read replicas with a lag of a few milliseconds
51
Variables in a CloudFormation template that prompt the user for values
parameters
52
AWS organizations
Multiple AWS Account management with control over IAM permissions and consolidated billing.
53
Internet Gateway
Must be attached to a VPC to receive and send traffic to an Internet address. Another type of gateway is a Virtual Private Gateway, which is used to make a private connection to a data center.
54
Max retention period for RDS automated snapshots
35 days
55
UserData
A script that will automatically execute when an EC2 instance launches. Used for self-configuration. On Linux it is typically a BASH shell script.
56
Reserved Instance
An instance that receives a discount because you agree to pay for it for one or three years.
57
Burstable instance
T instances accumulate CPU credits when operating at a low baseline performance and burn credits when bursting up to 100% vCPU capacity.
58
Automated events are triggered by
CloudWatch Alarms | Scheduled Actions
59
Dedicated Tenancy
An EC2 and VPC option where a host machine will only run the dedicated instances for a single AWS customer account.
60
A managed service for graph databases
Neptune
61
MFA
Multi-Factor Authentication can utilize a hardware or virtual device that provides a rotating 6 digit code known as a one-time password (OTP). MFA devices can be associated with Root Users and IAM Users. In order for these users to log in to the console they would need to provide the OTP in addition to their password.
62
CloudWatch
Realtime monitoring of AWS services
63
AMI
An Amazon Machine Image contains a snapshot of the boot volume and mappings for secondary volumes.
64
S3 storage classes
Standard, Standard IA, Single Zone IA, Glacier
65
VPC peering
Connect two VPCs without using internet or VPN
66
On demand instance
An EC2 instance that is billed by the number of seconds in the running state over a month.
67
Network ACL
1) Operates at the subnet boundary
2) Supports ALLOW & DENY rules
3) Stateless, so return traffic must be allowed through an outbound rule
4) Processes rules in NUMBER ORDER (lower numbers overrule higher numbers)
68
CloudWatch Logs agent
Installed on your EC2 instances; streams log files to CloudWatch Logs
69
Trust policy
Associated with an IAM Role, a Trust Policy lists the entities that may assume the role.
70
Spot instance
Heavily discounted EC2 instance that can be interrupted by AWS when they need the capacity.
71
Health checks can be configured on
ELBs, Route 53, Target Groups
72
Stateful firewall
Security Groups are examples. Responses to requests are allowed through if the request was allowed.
73
SSH key pairs
Consist of a public part copied to the Linux instance and a private part provided by the SSH client.
74
EBS optimized
A feature of current generation EC2 instances where a separate network interface is used for communication between the instance and EBS. This is required to consistently achieve the desired IOPS.
75
File gateway
A configuration of Storage Gateway that stores local files in S3 as objects
76
API gateway
A service that allows you to front backend API services
77
Macie
Security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS.
78
NACLS apply firewall rules at the .....
Subnet Boundary
79
The RDS multi-AZ feature provides
A hot standby secondary instance in a different AZ from the primary. Synchronous replication. Automatic failover.
80
Ways to offload traffic from an RDS database
Read Replicas | ElastiCache
81
Subnets cannot span more than one
Availability Zone
82
Strong password policy
It is the responsibility of the customer to create a strong password policy in IAM. There is none by default.
83
Edge location
100+ locations around the world that run edge services such as CloudFront and Route 53.
84
VPCs cannot span more than one
region
85
VPC endpoints
When added to your VPC allow you to reach public endpoints for AWS services such as DynamoDB and S3 using private addresses.
86
SWF
Orchestration tool for managing tasks in sequence
87
services with server side encryption
S3, Redshift, EBS, RDS, DynamoDB, SQS, Kinesis, EFS, Elastic Transcoder all integrate with KMS for data encryption/decryption
88
Persistent storage
EBS volumes may be configured to have a lifecycle separate from the instance. They are never deleted when an instance stops, but they may be configured to be deleted when an instance terminates.
89
KinesisAgent
Java application that will stream files into Kinesis
90
Cost allocation tags
Tags used to attribute expenditure
91
Kinesis firehose
Service that can store streaming data into S3, Redshift, ElasticSearch, or Splunk
92
Config rules
Analyzes configuration changes against rules to determine compliance
93
If you need an Elastic Load Balancer that can handle massive sudden traffic spikes, choose
A Network Load Balancer
94
NAT gateway
A managed service that provides a way for private instances to go out to the Internet for external content.
95
Custom metrics
Metrics that you stream into CloudWatch from your instances, such as memory utilization
96
You can add more RAM to an instance by
Increasing the size of the instance or selecting a different instance type that offers more RAM (eg. memory optimized instances)
97
EMR
Managed Hadoop clusters
98
Docker
A tool used to create and run applications in containers
99
Obtain instance metadata
curl http://169.254.169.254/latest/meta-data/
100
Fault Tolerance
A special case of High Availability, usually requiring extra redundancy, to make sure that outages do not result in performance degradation.
101
Three layers that can contain rules are
NACL, Security Group, OS. There is also a Layer 7 firewall service known as WAF that can be associated with a CloudFront Distribution or ALB.
102
Elastic IPs
EIPs are public IPs that are assigned to an AWS account. They may be associated and removed freely from instances. They are not automatically removed from the instance when it is stopped and started.
103
Hypervisor
Application on host machine that allows isolated multiple virtual instances to securely share resources.
104
CloudTrail
Logging of API calls to AWS services
105
Stateless Application
An application that saves state information in a shared off-instance datastore.
106
DynamoDB
A managed NoSQL database service for documents or key values
107
Groups vs roles
Credentials in groups are permanent and have to be manually rotated. Roles use temporary credentials that expire, so there is no risk from long-lived permanent credentials.
108
Shard
Fixed processing capacity: input 1 MB/s, output 2 MB/s. Streams contain shards and can be "resharded" based on data input.
109
Lazy loaded
When an EBS volume is built from an S3 snapshot, data blocks are not loaded from the snapshot until we first try to read them.
110
STS
Security Token Service - an API endpoint which can be called to receive temporary Access Keys. Used when we want to receive credentials from IAM directly. Returns the following 4 components:
1. Session Token
2. Access Key ID
3. Secret Access Key
4. Expiration timestamp
111
Cross Account access
Granting a different AWS account permissions to access services in your account
112
Storage class in S3
Standard Storage Class - 99.99% availability - most expensive
Infrequent Access - 99.9% availability - less expensive than S3 Standard
One Zone Infrequent Access - 99.5% availability
Glacier (separate storage service in S3) - cheapest storage option
113
Horizontal scaling
Increasing capacity by increasing number of instances
114
AWS nosql engines
DynamoDB - Document
ElastiCache - Key Value
Neptune - Graph
HBase on Elastic Map Reduce (EMR) - Column
115
Types of relational database
On-Line Transaction Processing - optimized for transactions; most databases like SQL Server, Oracle etc.
On-Line Analytical Processing - optimized for running queries over data, e.g. data warehouses
116
Types of ELB
Classic ELB on Layer 4
Application ELB on Layer 7
Network ELB on Layer 4
117
Displays metadata when logged on to a particular instance
http://169.254.169.254/latest/meta-data/
118
Features of Intel Xeon processors
AVX - highly parallel HPC
AES-NI - accelerated enc/dec
TurboBoost - overclocking
Transactional Sync Extensions - optimized for multi-threaded
P state / C state control - performance and sleep state optimization
119
ELB
Elastic Load Balancer. Balances/distributes network traffic across EC2 instances, even in different availability zones. Comes with its own DNS name in the Amazon domain. Can be launched in a public subnet to allow access to users over the internet, or in private subnets as an internal load balancer. Does proactive health checks against the EC2 instances it routes traffic to.
120
IPV4 and IPV6 in AWS
IPv4 has an option of Private and Public addresses. Has 3 sets of addresses for private addresses:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
IPv6 has only Public addresses
121
Types of NoSQL database
Column - stored by column (very fast for querying)
Key Value - stored by key value pairs
Document - optimized to store JSON and text files
Graph - used by social media applications, optimized for relationships
122
Auto scaling
Automating the process of adding capacity to the server using API calls
123
CSA terminology
High Availability, Fault Tolerance, Scalability, Elasticity, Cost Efficient, Secure
124
EC2 Storage types
Instance Storage, EBS (Elastic Block Storage), EFS (Elastic File Share)
Instance Storage - HDDs or SSDs mounted on the host machine. Can be used only by one instance.
EBS - Hosted outside the host machine; needs a network connection from the EC2 instance to the EBS volume (over a separate EBS-optimized network interface). Can be used only by one instance.
EFS - Similar to EBS but can be used by multiple instances. Used as file shares; can't be used as boot volumes.
125
Security Group
Security Groups are the firewall for EC2. Contain protocols, port numbers, IP address ranges from which traffic is allowed, etc. Each EC2 instance must be a member of at least one security group.
126
AWS shield
DDoS mitigation service
127
AWS RDS, AWS Redshift
RDS has database engines like Oracle, MySQL, PostgreSQL, MariaDB, SQL Server, Aurora. Redshift is an OLAP database that is optimized for analytics.
128
Parts of an IAM role
Permissions Policy and Trust Policy.
Permissions Policy - grants permissions to certain AWS service APIs.
Trust Policy - specifies the entities that have permission to assume this role.
129
ARN
Amazon resource name
130
EC2 components
AMI, Instance Type, Network Interface, Storage
131
CAP
Consistency, Availability, Partition
132
IAM role in EC2
To assign an IAM role to an EC2 instance, the user's permissions policy must have the PassRole permission that allows the EC2 instance to assume that role. The instance then makes a call to STS and saves the credentials in the instance metadata. The application has access to the credentials, so that it can access other services per the permissions in the role.
133
Types of Kinesis streams
Data is only retained for 24 hours but can be extended to 7 days.
Video Streams
Data Streams - 1MB blobs
Firehose - stream data and store it in S3, Redshift, Elasticsearch or Splunk
Data Analytics - can run SQL queries against streams
134
Access to VPC
Users accessing the VPC from the internet can reach it only if an internet gateway is attached to the VPC
135
Benefit of VPC
Network layer security. Gives a max of 65536 addresses inside the private cloud. Reserves 5 addresses from each address range for internal routing purposes.
136
IAM policy
A policy is a document that formally states one or more permissions. By default all permissions are implicitly denied. Any explicit deny always overrides an explicit allow.
137
Any action done in the AWS console is referred to as
API calls (Application programming interface)
138
AWS well architected framework
It consists of 5 pillars:
1) Operational excellence
2) Reliability
3) Security
4) Performance efficiency
5) Cost Optimization
139
AWS connection tools
1) AWS Management Console 2) AWS CLI (Command line interface) 3) AWS SDKs (Software development kits)
140
CSA Terminology
1) High availability 2) Fault tolerance 3) Scalability 4) Elasticity 5) Cost efficient 6) Secure
141
Default permission
By default any IAM user you create in an AWS account is created with NO access to any AWS service. This is an IMPLICIT DENY rule set on all new IAM users.
142
What are regional edge caches
By default any IAM user you create in an AWS account is created with NO access to any AWS service.This is a IMPLICIT DENY rule set on all new IAM users
143
IAM Manages
The common use of IAM is to manage: 1) Users 2) Groups 3) Roles 4) API keys 5) IAM access policies 6) MFA for individual users
144
Which of the following support plans gives access to all the checks in the AWS Trusted Advisor service?
business, enterprise, developer, basic
145
options of disaster recovery type
Multi-site, standby, pilot light, warm standby
146
What is the preferred method of centrally managing billing, controlling access, compliance, security, and sharing resources across your AWS accounts
AWS organizations
147
In the AWS Shared Responsibility Model, which of the following is not your responsibility as the customer?
Decommissioning your data
148
Can you encrypt metadata in S3
Yes, if you put the metadata in a DynamoDB table and enable encryption during creation.
149
You receive an alert about an issue between an application and the database servers. What should you check to ensure communication is working
Since the issue is communication between the application and the database server, you should check security group rules, since security groups control access at the instance ENI level.
150
Which of the following tools can best assist with security compliance
AWS Trusted Advisor, Inspector
151
AWS Guard Duty
Guard Duty is a threat detection service that monitors your environment for malicious or unauthorized activity.
152
AWS Inspector
AWS Inspector can check your EC2 instances for common security vulnerabilities.
153
AWS Trusted Advisor
AWS Trusted Advisor provides real-time guidance to help you provision your resources and environments following AWS best practices and staying within limits.
154
You have an EC2 instance in your environment that needs access to a DynamoDB table. What option below gives your EC2 instance access to the DynamoDB table?
IAM role
155
Pick two AWS services that use serverless technology
S3, DynamoDB
156
Reserved Instances
Reserved Instances are reserved for at least a year, so they would not meet the requirement of only being needed for a short period of time, but they do provide a significant discount (up to 75%) compared to on-demand instance pricing. You have the flexibility to change families, OS types, and tenancies while benefiting from RI pricing when you use Convertible RIs.
157
Which is the best choice to manage your bills for multiple accounts under one master account
Consolidated billing in AWS Organizations
158
What resource can you use to learn about AWS architectural and security best practices
AWS whitepapers
159
What tool is best for forecasting your AWS spending
AWS cost explorer