Main Flashcards
What are the four Disaster Recovery Strategies by increasing RPO / RTO ?
- Backup & Restore (RPO / RTO = Hours)
- Pilot Light (RPO / RTO = 10s of Minutes)
- Warm Standby (RPO / RTO = Minutes)
- Multi-site Active / Active (RPO / RTO = Realtime)
What are ENA and EFA? What are the differences?
ENA = Elastic Network Adapter
Custom network interface optimized to deliver high throughput and high packets-per-second performance
EFA = Elastic Fabric Adapter
Network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications
Difference:
EFA provides an OS-bypass functionality. OS-bypass is an access model that allows HPC and machine learning applications to communicate directly with the network interface hardware to provide low-latency, reliable transport functionality.
What are the (4) S3 Encryption Types and their descriptions?
- SSE-S3 - Amazon S3 manages the data and the encryption keys
- SSE-KMS - AWS manages the data key but you manage the AWS KMS keys in AWS KMS
- SSE-C - you manage the encryption key, passing it as part of the request
- Client side Encryption - Data is encrypted locally before it's passed to the Amazon S3 service. The Amazon S3 service receives your encrypted data; it does not play a role in encrypting or decrypting it
What are the ways (6) to control and manage access to a REST API in API Gateway?
Resource policies
Lets you create resource-based policies to allow or deny access to your APIs and methods from specified source IP addresses or VPC endpoints.
Standard AWS IAM roles and policies
Offers flexible and robust access controls that can be applied to an entire API or individual methods. IAM roles and policies can be used for controlling who can create and manage your APIs, as well as who can invoke them.
IAM tags
Can be used together with IAM policies to control access.
Endpoint policies for interface VPC endpoints
Allows you to attach IAM resource policies to interface VPC endpoints to improve the security of your private APIs
Lambda authorizers
Lambda functions that control access to REST API methods using bearer token authentication—as well as request parameters carried in headers, paths, query strings, stage variables, or context variables. Lambda authorizers are used to control who can invoke REST API methods. (SAML, OAuth)
Amazon Cognito user pools
Lets you create customizable authentication and authorization solutions for your REST APIs. Amazon Cognito user pools are used to control who can invoke REST API methods.
What are the four STS API operations that return temporary security credentials?
AssumeRole
Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to.
AssumeRoleWithSAML
Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.
AssumeRoleWithWebIdentity
Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.
GetSessionToken
Returns a set of temporary credentials for an AWS account or IAM user. (MFA)
S3 Security Types (4)
IAM Policies
Bucket Policies
Object Access Control List
Bucket Access Control List
What is EFS?
Elastic File System: a managed NFS (NFSv4.1) file system. Linux only. Use cases: web server storage, data sharing.
Name the different types (3) of EFS Performance Modes?
General Purpose
Latency-sensitive use cases, like web serving environments, content management systems, home directories, and general file serving
Max I/O
Highly parallelized applications and workloads, such as big data analysis, media processing, and genomic analysis, can benefit from this mode.
Throughput Mode
File system's throughput scales as the amount of data stored in the EFS Standard or One Zone storage class grows
What are some of the EC2 Placement Group Strategies (3)?
Cluster – packs instances close together inside an Availability Zone. This strategy enables workloads to achieve the low-latency network performance necessary for tightly-coupled node-to-node communication that is typical of HPC applications.
Partition – spreads your instances across logical partitions such that groups of instances in one partition do not share the underlying hardware with groups of instances in different partitions. This strategy is typically used by large distributed and replicated workloads, such as Hadoop, Cassandra, and Kafka.
Spread – strictly places a small group of instances across distinct underlying hardware to reduce correlated failures.
What happens during EC2 Hibernate?
The instance moves to the stopping state.
Amazon EC2 signals the operating system to perform hibernation (suspend-to-disk).
The hibernation freezes all of the processes, saves the contents of the RAM to the EBS root volume, and then performs a regular shutdown.
What is EC2 Nitro?
The next generation of EC2 instances
Faster innovation
The Nitro System is a rich collection of building blocks that can be assembled in many different ways, giving us the flexibility to design and rapidly deliver EC2 instance types with an ever-broadening selection of compute, storage, memory, and networking options. This innovation also leads to bare metal instances where customers can bring their own hypervisor or have no hypervisor.
Enhanced security
The Nitro System provides enhanced security that continuously monitors, protects, and verifies the instance hardware and firmware. Virtualization resources are offloaded to dedicated hardware and software minimizing the attack surface. Finally, Nitro System’s security model is locked down and prohibits administrative access, eliminating the possibility of human error and tampering.
Better performance and price
What are the types (6) of EC2 instances and their purposes?
On-demand
Pay for compute capacity by the hour or the second depending on which instances you run. No longer-term commitments or upfront payments are needed. You can increase or decrease your compute capacity depending on the demands of your application and only pay the specified hourly rates for the instances you use.
Savings Plans
Savings Plans are a flexible pricing model that offers low prices on EC2 and Fargate usage, in exchange for a commitment to a consistent amount of usage (measured in $/hour) for a 1- or 3-year term
Reserved Instances
Standard Reserved Instance
One-year to three-year term
Enables you to modify Availability Zone, scope, networking type, and instance size (within the same instance type) of your Reserved Instance.
Convertible Reserved Instance
One-year to three-year term
Enables you to exchange one or more Convertible Reserved Instances for another Convertible Reserved Instance with a different configuration, including instance family, operating system, and tenancy
Spot Instances
Allow you to request spare Amazon EC2 computing capacity for up to 90% off the On-Demand price
Dedicated Hosts
A physical EC2 server dedicated for your use. Dedicated Hosts can help you reduce costs by allowing you to use your existing server-bound software licenses.
Name 2 IAM Security Tools?
IAM Credential Report
Status of the users’ credentials, including passwords, access keys, MFA devices, and signing certificates
IAM Access Advisor
Helps you audit service access, remove unnecessary permissions, and set appropriate permissions by showing the last-accessed timestamp for each service
What is the port for Windows RDP?
3389
Name four MFA device options?
Virtual
A software app that runs on a phone or other device and emulates a physical device.
U2F security key
A device that you plug into a USB port on your computer
Hardware MFA device
A hardware device that generates a six-digit numeric code based upon a time-synchronized one-time password algorithm
SMS text message-based MFA
A type of MFA in which the IAM user settings include the phone number of the user’s SMS-compatible mobile device.
What are Spot Fleets?
What are four Spot Fleet strategies?
Definition: Set of Spot Instances and optionally On-Demand Instances that is launched based on criteria that you specify
Strategies:
Lowest Price
The Spot Instances come from the Spot capacity pool with the lowest price. This is the default strategy.
Diversified
The Spot Instances are distributed across all Spot capacity pools.
Capacity Optimized
The Spot Instances come from the Spot capacity pool with optimal capacity for the number of instances that are launching.
InstancePoolsToUseCount
The Spot Instances are distributed across the number of Spot capacity pools that you specify. This parameter is valid only when used in combination with lowest-price.
When does RDS storage auto scaling happen? (3)
Free storage < 10 %
Low storage lasts at least 5 minutes
6 hours since last modification
What are the 2 types of ElastiCache in-memory engines supported?
What are the use-cases for each ?
Redis
Advanced Data Structures
Snapshots
Replication
Transactions
Pub/Sub
Lua scripting
Geospatial support
Ability to tier data between memory and SSD using the ? node type.
Ability to authenticate users with role-based access control.
You need Redis streams, a log data structure that allows producers to append new items in real time and also allows consumers to consume messages either in a blocking or non-blocking fashion.
You need both encryption and dynamically adding or removing shards from your Redis (cluster mode enabled) cluster.
Ability to dynamically add or remove shards from your Redis (cluster mode enabled) cluster.
Memcached
Multithreaded Architecture
You need the simplest model possible.
You need to run large nodes with multiple cores or threads.
You need the ability to scale out and in, adding and removing nodes as demand on your system increases and decreases.
You need to cache objects.
Name 3 patterns for ElastiCache?
Lazy Loading
Loads data into the cache only when necessary
Write through
Adds data or updates data in the cache whenever data is written to the database
Adding TTL
Avoids cluttering up the cache with extra data. Can be used with the above
What is a reader endpoint and why use one?
Provides high availability for your read-only queries from your DB
What are the four types of Load Balancers and their features?
Classic Load Balancer
Layer 4/7
Protocol listeners: TCP, SSL/TLS, HTTP, HTTPS
Application Load Balancer
Layer 7
Target: IP, Instance, Lambda
Protocol listeners: HTTP, HTTPS, gRPC
Network Load Balancer
Layer 4
Target: IP, Instance, Application Load Balancer
Protocol listeners: TCP, UDP, TLS
Gateway Load Balancer
Layer 3 Gateway + Layer 4 Load Balancing
Target: IP, Instance
Protocol listeners: IP
Deploy, scale, and manage your third-party virtual appliances.
https://aws.amazon.com/elasticloadbalancing/features/
Name and describe the EBS Volume Types?
General Purpose SSD
Provides a balance of price and performance. Recommended for most workloads.
Low-latency interactive apps
Development and test environments
Provisioned IOPS SSD
Provides high performance for mission-critical, low-latency, or high-throughput workloads.
Sub-millisecond latency
Sustained IOPS performance
More than 64,000 IOPS or 1,000 MiB/s of throughput
I/O-intensive database workloads
Hard disk drives (HDD)
Throughput Optimized HDD — A low-cost HDD designed for frequently accessed, throughput-intensive workloads.
Big data
Data warehouses
Log processing
Cold HDD — The lowest-cost HDD design for less frequently accessed workloads.
Throughput-oriented storage for data that is infrequently accessed
Scenarios where the lowest storage cost is important
What is a Cloudfront signed URL?
What is an S3 pre-signed URL?
What are the differences?
In CloudFront, a signed URL allows access to a path. Therefore, if the user has a valid signature, they can access it, no matter the origin.
In S3, a signed URL issues a request as the signing user. When you sign a request, you need to provide IAM credentials, so accessing a signed URL has the same effect as if that user had made the request.
What are the three Cloudfront Price Classes?
Class ALL: This default price class includes all regions
Class 200: Only USA, Europe, HK, Singapore and Japan
Class 100: Only USA and Europe