One Flashcards

(205 cards)

1
Q

What is the shared responsibility model?

A

AWS is responsible for security AT the cloud

Customer is responsible for security IN the cloud

2
Q

What is the zero trust model?

A

Defense in depth approach: applies security controls at all layers of customer’s network.
Three levels of security: network level (VPC, firewall), data encryption, IAM

3
Q

What is IAM (name and definition)?

A

Identity and access management

Tracks identities and access in a system.

4
Q

What are IAM policies composed of?

A

the principals: specifies who permissions are given to,
the actions: specifies what’s being performed,
the resources: specifies which properties are being accessed

5
Q

What can an IAM policy be applied to?

A

a principal (identity-based) or a resource (resource-based)

6
Q

Only some services have resource-based policies. Which are they?

A

S3, SES, KMS (key management service)

7
Q

What can be used in addition to VPC to restrict traffic into my network?

A

Amazon WAF (web application firewall)

8
Q

What can you use for resource-level security?

A

security group

9
Q

What can a security group be attached to?

A

EC2 instances, RDS instances, Lambda

10
Q

How many AZ’s does a region contain?

A

Three or more

11
Q

What is Rt 53?

A

A scalable DNS service that translates names into IP (internet protocol) addresses that computers can read, and can route traffic between regions.
Customers can also buy and register domain names here.

12
Q

Steps to determine the service you need.

A
  1. Compute service: Do you want VM-based (EC2, Lightsail, Elastic Beanstalk), container-based (ECS, EKS, ?EC2), or serverless (Lambda)?
  2. Storage service: Do you want block storage (EBS), a file system (EFS), object storage (S3), or archival storage (S3 Glacier)?
  3. Database service: Do you need a relational database (RDS or Aurora), a non-relational database (DynamoDB), a data warehouse (Redshift, for large-scale analysis), or data indexing/searching?
  4. Config service
  5. Cost: Only pay for what you use
13
Q

Talk about EC2

A

Elastic Compute Cloud:
flexible and cost effective. AWS manages the physical host machine. An instance can run either a Linux or a Windows OS. Instances are scalable.
When a customer spins up an EC2 instance, it shares a host with other instances (multi-tenancy).

14
Q

What is responsible for sharing the resources between EC2 instances?

A

hypervisor

15
Q

What are the EC2 instance types?

A
  1. general purpose: a balance of compute, memory, networking
  2. compute-optimized: high-perf processor for batch processing
  3. memory-optimized: for high-performance databases
  4. accelerated computing: for floating-point calculations, graphics processing, game streaming
  5. storage-optimized: for high-sequential read/write
16
Q

Which EC2 instance is best for application servers?

A

general purpose

17
Q

Which EC2 instance preloads data and is good for high performance db’s?

A

memory-optimized

18
Q

Which EC2 instance is best for apps that have a high IOPS (input/output operations per second) requirement?

A

storage-optimized

19
Q

What factors should you consider when choosing a region?

A
  1. compliance
  2. proximity to users
  3. feature availability
  4. pricing
20
Q

How do you prevent downtime?

A

Run instances in different availability zones in one region.

21
Q

What is CloudFront?

A

A CDN (global content delivery network). It pushes cached copies of content from regions to edge locations to get content close to customers quickly, no matter where they are in the world. Runs Rt 53 DNS.

22
Q

What is an AWS Outpost?

A

A mini-region at a customer building, run and owned by AWS.

23
Q

What is used in AWS for services to interact?

A

API calls (application programming interface)

24
Q

What service do you use to create requests to send to AWS API’s to manage resources?

A

AWS Management Console (browser based), or the CLI (use this to script the API calls since it makes the command repeatable), or SDKs (software development kits), or Elastic Beanstalk, or CloudFormation.

25
What does Rt 53 use to direct traffic to endpoints?
Different routing policies:
- latency-based routing
- geolocation DNS (based on where the customer is located)
- geoproximity routing
- weighted round robin
26
Which service minimizes the effect of DoS and DDoS (denial of service and distributed denial of service) on your apps?
AWS Shield
27
How many AWS support plans are there, and what are they?
Four:
- basic: free for all AWS customers. No Trusted Advisor checks.
- developer: No Trusted Advisor checks.
- business: Trusted Advisor checks at the lowest cost.
- enterprise: Get a TAM (technical account manager) and Trusted Advisor checks.
28
What is the name for the digital catalog of software?
AWS Marketplace
29
Which service tracks the metrics of an EC2 instance?
CloudWatch
30
What is CloudFormation?
AWS CloudFormation is a service that helps you model and set up your AWS resources. You must build the architecture.
31
What is Elastic BeanStalk?
A deployment tool. You do NOT build the architecture.
32
If you are an RDS customer, who is responsible for the EC2 instance?
AWS since RDS is a managed service.
33
Are groups, users, and roles authenticated in IAM?
Groups are NOT authenticated but user and role can be.
34
In IAM, what can a policy be attached to?
user, group, or role
35
How far apart are availability zones from each other?
62 miles
36
What are some services at edge locations?
Rt 53 (DNS), CloudFront (caching), Shield, WAF (firewall)
37
What are the EBS volume types?
- General Purpose SSD: balances price and performance. Good for most workloads.
- Provisioned IOPS SSD (solid state drive): good for transactional workloads involving frequent read/write ops with small I/O size (IOPS).
- Throughput-optimized HDD (hard disk drive): good for large streaming workloads where the dominant performance attribute is throughput.
- Previous generation: HDD for workloads with a small dataset, accessed infrequently, where performance is not of primary importance.
38
What is an EBS snapshot?
A backup of the EBS volume.
39
Are EBS volumes and EC2 instances stored on the same hardware?
NO
40
Describe how to name an S3 bucket.
DNS naming convention: 3-63 characters, no uppercase, must start with a letter or number, globally unique.
41
What is the durability of S3?
11 9's (99.99999999999%)
42
Is there an S3 storage limit?
No. But an object can only be up to 5TB
43
What is S3 versioning?
When versioning is enabled on a bucket, each time an object is uploaded it gets a new, unique version ID.
44
What is S3 lifecycle policy?
automatic moving of objects from tier to tier (from S3 to IA tier if not used in 30 days)
45
Which storage service allows reading of a single block of data?
EBS
46
Which storage service is good for db files?
EBS
47
What is a stateful security group?
It remembers, so traffic that is allowed in, is also allowed out.
48
What is an NACL?
network access control list. Your VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic. You can create a custom network ACL and associate it with a subnet.
49
What is CloudWatch?
A service for monitoring resources and apps, logging, alerting and can trigger automation.
50
What is CloudTrail?
Records API calls to your account. Good for security and compliance auditing.
51
What does ELB do?
Distributes traffic to healthy EC2 instances ensuring traffic is evenly balanced between the instances.
52
What are the types of ELB?
1. ALB (application load balancer): good for complex traffic routing. Operates on layer 7 of the OSI model and directs traffic based on the content of the URL. This is called path-based routing.
2. NLB (network load balancer): good for high-volume, spiky traffic patterns. Operates on layer 4 of the OSI model and directs traffic based on the port number.
3. CLB (classic load balancer): outdated.
53
How do you grant access to S3 bucket?
By S3 bucket policies or IAM.
54
What are the engine choices for RDS?
MS SQL server, Oracle, MySQL, PostgreSQL, MariaDB, Amazon Aurora
55
Which are the noSQL db's?
DynamoDB, DocumentDB (json docs), Neptune (graph db, retail websites)
56
How do you query DynamoDB?
With API calls
57
Do IAM users, roles and policies have permanent keys?
Users have permanent keys. Roles do not.
58
What is ARN?
Amazon Resource Name. Everything created in your account gets an ARN, and it is unique.
59
What is cloud computing?
The on-demand delivery of compute power, databases, storage, apps, and other IT resources through a cloud services platform (like AWS) via the internet with pay-as-you-go pricing.
60
How do you access and manage AWS services?
Through the AWS Management Console
61
How can you control multiple AWS services with one tool?
Use the AWS CLI (command line interface)
62
What does serverless mean?
Customer does NOT manage the infrastructure.
63
What are the five pillars of a well-architected framework?
- cost optimization
- reliability
- operational excellence
- performance efficiency
- security
64
What are the three types of cloud computing?
- IaaS (infrastructure as a service)
- PaaS (platform as a service)
- SaaS (software as a service)
65
What are the five pillars of security?
- detective controls
- IAM
- infrastructure protection
- data protection
- incident response
66
What are the three common types of charges that you can incur in AWS?
- compute (usually pay per hour)
- storage (usually pay per GB of data)
- data out
67
What are the four support tiers?
- basic: free, no tech support
- developer: during business hours via email, only one person
- business: 24/7, unlimited people, one-hour response for urgent cases
- enterprise: 15-minute response for critical cases
68
What does Trusted Advisor check?
- cost optimization
- security
- fault tolerance
- performance
- service limits
69
You need to implement an automated service that will scan your AWS environment with the goal of improving security and reducing costs. What service should you use?
Trusted Advisor
70
Name three key components of Glacier.
Vault, archive, access policy. Buckets are NOT part of glacier. Data is auto encrypted.
71
For a subnet to be public and send non-local traffic to the internet, you must update the route table of the public subnet and attach what to the VPC that contains the subnet?
internet gateway
72
Which service provides a view of the performance and availability of your AWS services based upon your requirements?
Personal Health Dashboard
73
What is the AWS event-driven, serverless compute service?
Lambda
74
You need a virtual hard disk for your EC2 instance. What should you use?
EBS
75
What is the URL structure for objects in S3?
https:// + bucket name + . + the S3 regional endpoint + / + object name
76
What service can tell you when you have crossed a billing threshold?
CloudWatch
77
What is the name for a series of edge locations plus info about how you want content managed as part of a CDN?
a distribution
78
What service would you use for predictable monthly pricing and allowing for burst above baseline of CPU perf?
Lightsail
79
Which service provides consistently high CPU perf and costs varying by usage?
EC2
80
Which is a managed database service that's 5X faster than a MySQL database?
Aurora
81
How do you recreate an EBS volume?
recreate the volume from a snapshot.
82
What are edge locations responsible for?
hosting CloudFront (CDN)
83
You have a variable workload and only want to pay for compute time when your code is running. Which service should you use?
Lambda
84
What allows you to restrict access to individual objects in an S3 bucket?
access control lists
85
Which type of load balancer uses listeners, targets and target groups?
Application load balancer
86
Which ELB would be best suited to help you host a website?
ALB
87
Are S3 buckets private by default?
Yes
88
You need to allow resources in a private subnet to access the internet. What must be present to enable this access?
NAT Gateway
89
What allows you to make entire buckets public?
Bucket policy
90
Your S3 buckets are missing. What should you check?
CloudTrail logs
91
Which languages can be used to author CloudFormation templates?
JSON and YAML
92
Are DynamoDB and RDS managed db's?
Yes. DynamoDB is NoSQL; RDS is SQL.
93
Is Lightsail a PaaS?
yes
94
Both ALB and Classic use Round Robin strategy to select a node.
True
95
Which service is best for storing sales data?
Redshift
96
Which service is best for providing audit info on your AWS account?
CloudTrail
97
What is the difference between vertical and horizontal scaling?
Vertical adds more resources; horizontal adds more instances.
98
How do you improve the performance of an online banking portal?
- Use SSL acceleration, and
- Relieve computational overhead on the web server by offloading HTTPS session processing to hardware security modules in an AWS CloudHSM cluster.
99
A developer wants to automate updating a set of apps. Which service should be used?
CodeDeploy
100
Which tool do you use to forecast AWS spending?
Cost Explorer (free)
101
What service can automate the creation of new accounts?
Organizations
102
What is the benefit of running an app across two AZ's?
It increases the availability of the app.
103
Describe scalability.
It diverts traffic based on demand, and to instances with the least load.
104
What is autoscaling?
To scale resources based on demand.
105
Which service gives the user the ability to group resources across different regions by app and then collectively view their operational data for monitoring purposes?
systems manager
106
A company has consistently high throughput and requires no jitter and very low latency between its on-premises network and the AWS cloud. Which service should it use?
DirectConnect
107
A website goes viral for a few days and then rapidly declines in popularity. Which storage class and config should you use?
S3 standard and lifecycle policies
108
You want to host a database server for a minimum of 1 year. Which would cost least?
Partial-upfront reserved instances.
109
What do you use for fast, secure image transfers to S3?
S3 Transfer Acceleration
110
What is the term for a user-defined label that has a key-value pair of variable character length and is assigned to AWS resources?
Resource tag. These can be edited or removed at any time.
111
What is the purpose of the ELB?
To distribute traffic to multiple EC2 instances
112
Which service helps troubleshoot runtime errors?
X-Ray
113
Best server for university during exam processing time?
serverless Lambda
114
What disaster recovery deployment has the lowest downtime?
multi-site then warm standby
115
Use EC2 reserved instance with a spot instance for a predictable workload with brief unpredictable spikes
True
116
What is the purpose of an API?
It allows developer to work with AWS resources programmatically.
117
What is purpose of leader node in Redshift?
To receive queries and manage client connections
118
What is right sizing?
A cost-saving solution that analyzes data over a period of time to determine and recommend the type of EC2 instance appropriate for your workload.
119
What are the trusted advisor checks?
cost optimization, performance, security, fault tolerance, service limits
120
One of a blogger's articles has gone viral, sending a lot of traffic to the blog and causing a poor browsing experience for some readers. How can normal service be restored?
Set up read replicas on the backend RDS instance where the article resides.
121
What can be done to increase the fault tolerance of an app?
Deploy resources across multiple availability zones.
122
What can be used as an additional layer of security to a user name and password when logging into the AWS Console?
MFA (multi-factor authentication)
123
Which support plan provides 24/7 access and a response time of < 1 hour for a business-critical event?
Enterprise
124
What is the name for a geographic location in AWS?
Region
125
What are two features of RDS that allow for better availability of databases?
Read replicas and Multi-AZ
126
An EC2 instance where utilization is guaranteed to be consistent for a long period of time. How would you get the lowest cost?
Use reserved instance.
127
You want to deploy a video-based app. The videos will be accessed by users around the world. Which service should you use to help stream the content in an efficient manner?
CloudFront
128
Which service allows you to analyze EC2 instances against pre-defined security templates to check for vulnerabilities?
Inspector
129
Which service can help decouple resources?
SQS
130
What can you use to spin up EC2?
Amazon Machine Image
131
Which service helps you do a cost benefits analysis?
TCO Calculator (total cost of ownership)
132
What does an EC2 instance in your VPC need in order for the Internet Gateway to route its traffic to the Internet?
Public IP address
133
Your application needs fully managed storage for OBJECTS. Which service?
S3
134
Which service is the virtual hard disk?
EBS
135
What are edge locations responsible for?
Hosting CloudFront (CDN)
136
Lightsail is an example of PaaS (platform as a service). True or false?
True
137
What happens when an RDS Master database in a Multi-AZ deployment goes down?
RDS automatically fails over to the standby AZ, which is promoted to Master.
138
S3 buckets by default are private. T or F?
True
139
You want predictable monthly pricing, and the instance must have the ability to burst above baseline CPU when needed. Which service should you use to launch the instance?
Lightsail
140
Which compute service is known for consistently high CPU performance and costs that vary by usage?
EC2
141
Which service should you use to be notified when you have crossed a billing threshold?
CloudWatch
142
For a subnet to be public and send non-local traffic to the Internet, you must update the Route Table of the public subnet and attach what to the VPC that contains the subnet?
Internet Gateway
143
What document do you use to grant permissions to users, groups and roles?
policy
144
If you want to see who tampered with your S3 bucket, what should you look at?
CloudTrail logs
145
Which is the managed db that is up to 5X faster than traditional MySQL db?
Aurora database (SQL)
146
Where do you look for AWS service alerts?
- Service Health Dashboard, and
- Personal Health Dashboard
147
Which load balancer uses listeners, targets, and target groups?
ALB
148
What is the name for a series of edge locations plus info about how you want content managed as part of a CDN?
a distribution
149
What are valid access types for an IAM user?
- programmatic access via the command line, API, or SDK (software development kit), or
- Management Console access
150
Which is the best load balancer when hosting a website?
ALB
151
What allows you to restrict access to an individual object in an S3 bucket?
ACL (access control list)
152
Your boss wants a managed NoSQL database. Which service?
DynamoDB
153
Which service can you get that will automatically scan your AWS environment with the goal of improving security and reducing costs?
Trusted Advisor
154
Which is an event-driven, serverless compute service?
Lambda
155
You want to archive data that needs to be encrypted into Glacier. What do you need to do?
Send the data to Glacier. The data is encrypted by default.
156
A software dev team needs to create multiple testing environments each day. Provisioning needs to happen within minutes. The number of environments per day varies. What is the best way to create these environments?
Have CloudFormation provision the stacks and resources needed for the environments.
157
Which compute service do you use when you don't want to pay when your code is not running?
Lambda
158
Which load balancer uses a round-robin distribution strategy?
- Classic LB: for TCP listeners only.
- ALB: to select a node.
159
What do you use to allow resources in a private subnet to access the internet?
NAT Gateway
160
You are being audited. Where can you get the info to provide to the audit team?
CloudTrail
161
You have RDS. Are you responsible for the database backups?
NO
162
You have RDS. Are you responsible for the optimization of your app that's using RDS?
Yes
163
You want to re-create an EBS volume. How would you do this?
Re-create the volume from a snapshot.
164
You have a mission-critical app that must be globally available at all times. Which deployment strategy should you use?
Multi-region
165
Who should you report malicious activities to at AWS?
Abuse Team
166
Which services have built-in DDoS protection?
Rt 53, CloudFront, WAF, ELB, VPC, Security Groups
167
What is authentication?
The first part of the login process: Identifying who is accessing the system
168
First a user is authenticated then authorized. T or F?
True
169
What is authorization?
The 2nd part of the login process: Evaluating what permissions a user has.
170
Which service controls authentication and authorization within an AWS account?
IAM. Security Groups and ACLs are tools within IAM.
171
For EC2, what is the customer responsible for?
- maintenance and updating of the OS and apps (patching)
- updating the database software
- managing access to the database
- security configuration
AWS will only take care of the underlying hardware to provide the service.
172
Which service is used during the process of encrypting EBS volumes?
KMS (key management service)
173
What do you create to give permission to an EC2 app to access other resources?
A role
174
What do you give a group of people to assign them a pre-defined set of permissions based on their job role?
IAM group
175
You use your corporate directory to grant access to users. What is this called?
Federated Access
176
What acts as built-in firewalls for your virtual servers?
Security Groups
177
What do you use to log in to the Management Console?
username and password
178
What are you responsible for when using S3?
Backing up your data.
179
Which service performs automated network assessments of EC2 instances to check for vulnerabilities?
Inspector. You create assessment templates to automate security vulnerability assessments.
180
What are factors that contribute to the agility that AWS provides?
speed, experimentation, culture of innovation
181
What does elasticity do?
It scales resources to the required capacity based on changes in WORKLOAD DEMAND. Scales up or down, so no need to worry about capacity.
182
What are the principles of sound cloud design?
- Assume everything will fail.
- Infrastructure as code
- Disposable resources
- Scalability
183
What are the principles of sound cloud design for performance efficiency?
- Deploy into multiple regions to go global in minutes.
- Use serverless architectures.
- Democratize advanced technologies.
184
What is scalability?
Adding resources to your app as USER DEMAND grows. Expand out.
185
What is agility?
Decreasing the time to start new services.
186
T or F? A scalable system diverts traffic based on demand to instances with the least load.
True
187
Which AWS service automates infrastructure provisioning and admin tasks for an analytical data warehouse?
Redshift
188
What is the best-suited file storage option when an admin is looking to deploy shared file access for Linux-based workloads which will require up to petabytes of data stores?
EFS
189
What is the benefit of running an application across two AZs?
It increases the availability of an app compared to running in a single AZ.
190
Which service can store code?
CodeCommit
191
Which serverless service can run code?
Lambda
192
What does an ELB do?
Distribute traffic to multiple EC2 instances.
193
What is the best case for RDS?
In an organization where only a finite number of processes query the database in predictable and well-structured schemas.
194
Which services does the Trusted Advisor Dashboard offer?
- cost optimization
- performance
- security
- fault tolerance
- service limits
195
Which service provides security optimization recommendations?
Trusted Advisor
196
In which service can you group resources from different regions and view their operational data for monitoring purposes?
Systems Manager
197
What is the value of having AWS Cloud services accessible through an API?
It allows developers to work with AWS resources programmatically.
198
A start-up organization wants to deploy a web and mobile app DevOps environment. How can this be achieved efficiently?
Use Quick Starts to identify and provision the appropriate CloudFormation templates.
199
A department in an organization has a monthly expenditure limit on their AWS account and they are worried about exceeding it. What can they use to help?
Budgets, and create an email alert based on the budget parameters.
200
How is Cloud9 different from Lambda?
Cloud9: developers can share in real-time. Lambda: can be used to create functions that run in Cloud9
201
What is autoscaling?
To scale out resources based on demand. It monitors your apps and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost.
202
T or F? A resource tag can be edited or removed at any time.
True. They are a user-defined key-value pair, useful for labeling when running queries.
203
T or F? Trusted Advisor provides best practices and recommendations.
True
204
What's the diff between lifecycle policy and intelligent tiering?
Lifecycle policy is pre-configured with a transition rule and is not dependent on access patterns like intelligent tiering is.
205
What's the diff between lifecycle policy and intelligent tiering?
Lifecycle policy is pre-configured with a transition rule and is not dependent on access patterns like intelligent tiering is.