AWS Certified Cloud Practitioner Study


AWS General Design Principles

1- Stop guessing your capacity needs: Eliminate guessing about your infrastructure capacity needs. When you make a capacity decision before you deploy a system, you might end up sitting on expensive idle resources or dealing with the performance implications of limited capacity. With cloud computing, these problems can go away. You can use as much or as little capacity as you need, and scale up and down automatically.
2- Test systems at production scale: In the cloud, you can create a production-scale test environment on demand, complete your testing, and then decommission the resources. Because you only pay for the test environment when it's running, you can simulate your live environment for a fraction of the cost of testing on premises.
3- "Automate to make architectural experimentation easier": Automation allows you to create and replicate your systems at low cost and avoid the expense of manual effort. You can track changes to your automation, audit the impact, and revert to previous parameters when necessary.
4- "Allow for evolutionary architectures": In a traditional environment, architectural decisions are often implemented as static, one-time events, with a few major versions of a system during its lifetime. As a business and its context continue to change, these initial decisions might hinder the system's ability to deliver changing business requirements. In the cloud, the capability to automate and test on demand lowers the risk of impact from design changes. This allows systems to evolve over time so that businesses can take advantage of innovations as a standard practice.
5- "Drive architectures using data": In the cloud you can collect data on how your architectural choices affect the behavior of your workload. This lets you make fact-based decisions on how to improve your workload. Your cloud infrastructure is code, so you can use that data to inform your architecture choices and improvements over time.
6- "Improve through game days": Test how your architecture and processes perform by regularly scheduling game days to simulate events in production. This will help you understand where improvements can be made and can help develop organizational experience in dealing with events.

What does AWS Shield (Advanced) do?

For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced. In addition to the network and transport layer protections that come with Standard, AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall. AWS Shield Advanced also gives you 24x7 access to the AWS DDoS Response Team (DRT) and protection against DDoS related spikes in your Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 charges. AWS Shield Advanced is available globally on all Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 edge locations. You can protect your web applications hosted anywhere in the world by deploying Amazon CloudFront in front of your application. Your origin servers can be Amazon S3, Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), or a custom server outside of AWS. You can also enable AWS Shield Advanced directly on an Elastic IP or Elastic Load Balancing (ELB) in the following AWS Regions - Northern Virginia, Northern California, Ohio, Oregon, Ireland, London, Frankfurt, Stockholm, Singapore, Sydney, Seoul and Tokyo.

The Edge location does not distribute load. It is used in conjunction with the CloudFront service to cache common responses and deliver content to end users with low latency. The AWS service that is used to distribute load is the ELB service.

It does cache common responses

MAKE SURE TO RETAKE ALL OF THE QUIZZES IN LINUX ACADEMY


Where is CloudWatch located in the Amazon console?

Management Tools

Amazon Shared Responsibility Model Basics

Security and Compliance is a shared responsibility between AWS and the customer. This shared model can help relieve customer's operational burden as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS provided security group firewall. Customers should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment. As shown in the chart below, this differentiation of responsibility is commonly referred to as Security "of" the Cloud versus Security "in" the Cloud.

Elastic Compute Cloud (EC2)

Think of EC2 as your basic desktop computer. The AWS definition is this... "Amazon Elastic Compute Cloud (EC2) provides scalable computing capacity in the Amazon Web Services (AWS) cloud. Using Amazon EC2 eliminates your need to invest in hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2 to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. Amazon EC2 enables you to scale up or down to handle changes in requirements or spikes in popularity, reducing your need to forecast traffic."

Amazon Free Tier Usage

The usage tracking and billing widget shows you the free tier services used, how much free allowance you are allotted, and how much you will pay if you go over that allowance.

How can you display the distribution of AWS spending?

Using AWS Cost Explorer

Upgrading a server with a larger hard drive is an example of _____________________. While adding more hard drives to a storage array is an example of ________________.

Vertical scaling, horizontal scaling
Vertical scaling = upgrading a server with a larger hard drive
Horizontal scaling = adding more hard drives to a storage array

When you create an AWS account, a default ________ is created for you

Virtual Private Cloud (VPC)

Pricing for Elastic Cloud Compute (EC2)

You are charged per second (based on an hourly rate) for the amount of time the instance is in a "running" state (applies to "On-demand" and "Spot"). Reserved instances are in 1 or 3 year terms regardless of use. Hourly rates depend on options you select, such as:
- The purchasing option you choose (on demand, reserved, or spot)
- Instance type (the instance's processing capacity, think CPU...i.e. general purpose, compute optimized, GPU optimized, etc)
- AMI type (think operating system such as Linux (price varies based on distribution/software packages) or Windows (price varies based on version/software packages))
- Region the instance is provisioned in
***Note: you are also charged for transferring data in/out of an instance

If you are in IT with access to using IAM, you can create users and assign them access to policies to certain services (such as S3)

You can also add people to IAM user groups to simplify the process

Which of the following reserved instances' payment options provides a discounted hourly rate for the duration of the term? (choose two)

You can choose between three payment options when you purchase a Standard or Convertible Reserved Instance:
1- No Upfront: No upfront payment is required. You are billed a discounted hourly rate for every hour within the term, regardless of whether the Reserved Instance is being used. No Upfront Reserved Instances are based on a contractual obligation to pay monthly for the entire term of the reservation. A successful billing history is required before you can purchase No Upfront Reserved Instances.
2- Partial Upfront: A portion of the cost must be paid up front and the remaining hours in the term are billed at a discounted hourly rate, regardless of whether you're using the Reserved Instance.
3- All Upfront: With the All Upfront option, you pay for the entire Reserved Instance term with one upfront payment. This option provides you with the largest discount compared to On-Demand instance pricing.

CloudWatch Alarms

You can view the alarms in CloudWatch or have the alarm trigger an action (like an SNS message)...For example, we could set an alarm to alert us for thresholds set, like if CPU utilization rises above 80% or if the number of objects in a bucket exceeds 100, or if current monthly billing is greater than $500.00

Elastic Cloud Compute (EC2)

a compute capacity service (ie: servers)

lifecycle policies

a feature inside of S3 that allows us to set certain time tables where objects can be moved from storage class to storage class. Allows you to set your own parameters.

What is "key pair"

a file that is shared between the user and EC2 instance to serve as a sort of username and password

Network Access Control Lists (NACL)

a firewall/security layer on the subnet level

security group (SG)

a firewall/security on the instance or server level

Simple Storage Service (S3)

a fully-managed bulk file storage service

multi-factor authentication (MFA)

a two-layer form of login verification that requires an additional (rotating) code number

Simple Storage Service (S3)

an online, bulk storage service you can access from almost any device. Amazon S3 has a simple web services interface that you can use to store and retrieve any amount of data, at any time, from anywhere on the web. It gives any user access to the same highly scalable, reliable, fast, inexpensive data storage infrastructure that Amazon uses to run its own global network of web sites. The service aims to maximize the benefits of scale and to pass those benefits on to users.

folders

any subfolders created inside of a bucket

AWS White Papers

are a collection of technical documents that outline many AWS relevant topics such as (but not limited to):
1) Architecture best practices
2) Security best practices
3) Cloud computing economics
4) Serverless architecture
***NOTE: All white papers have been reviewed and approved by AWS, independent analysts, or the AWS community

Distributed Denial of Service (DDoS) attacks

are cyber-attacks where the perpetrator seeks to make a network resource unavailable to its intended users by temporarily disrupting services of a host connected to the internet. This is done by overloading the server capacity of the website with traffic, usually incoming messages, requests for connections, or fake packets!

IAM Users

are individuals who have been granted access to an AWS account. For example, if your company gives you access to their AWS account, then you are an IAM user (probably one of many the company has set up). Each IAM user has a username, password, and permissions to access various AWS services.

The common use of IAM is to manage...

users, groups, access policies, roles, user credentials, user password policies, multi-factor authentication (MFA), API keys for programmatic (CLI) access

Common personal uses of cloud services include ___________ and ____________.

backups, sharing (have everything accessible via mobile device, home computer, and work computer...this is closely tied to high availability and fault tolerance). It is fault tolerant because if your home computer blows up, you can still get your important file via other devices.

Common Enterprise uses of cloud services include:

being able to instantly add additional servers in order to handle an increase of traffic or employees, while also not having to pay for the physical installation of hardware servers in their actual office buildings (which also take up a lot of space) and not having to waste time configuring new physical servers. They don't have to predict what their growth is going to be... and if traffic/demand decreases, they can instantly remove extra servers they don't need. This demonstrates elasticity and scalability within infrastructures.

You can create folders and import objects into buckets by

by clicking "upload" or "Create Folder"

inline policies

coded policy permissions (more specific and less limited)

AWS is like a really powerful ____________ located somewhere else that lets you do a crazy amount of things

computer

AWS Data Centers

contain the physical servers that run AWS resources...they contain multiple iterations (copies) of servers with duplicated data...web formatted content in different locations. These iterated servers are usually housed within the same region.

CloudFront

Content Delivery Network (CDN) that allows you to store (cache) your content at "edge locations" located all around the world. This allows your customers to access your content more quickly (and also provides additional security -- especially against DDoS attacks). More aptly, "Amazon CloudFront is a global content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to your viewers with low latency and high transfer speeds. CloudFront is integrated with AWS -- both physical locations that are directly connected to the AWS global infrastructure, as well as software that works seamlessly with services including AWS Shield for DDoS mitigation, Amazon S3, Elastic Load Balancing, or Amazon EC2 as origins for your applications, and AWS Lambda to run custom code closer to your viewers."

What are "inherited controls" in the shared responsibility model?

controls which a customer fully inherits in AWS...they are physical and environmental controls

The primary benefits for both individual and enterprise users are _______ _____________, _______ _______________, _________________, and ______________.

high availability, fault tolerance, scalability, and elasticity

What are the four pillars that serve as the foundation of AWS?

high availability, fault tolerance, scalability, and elasticity

Web servers ________ web formatted content

host

roles

how different AWS services, such as EC2 and S3 are granted permission to communicate and share data

topics

how you label and group different endpoints that you send messages to in SNS

DynamoDB

is a NoSQL database service. Unlike RDS, DynamoDB does not provide other NoSQL software options. "Amazon DynamoDB is a fast and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed cloud database and supports both document and key-value store models. Its flexible data model, reliable performance, and automatic scaling of throughput capacity make it a great fit for mobile, web, gaming, ad tech, IoT, and many other applications."

Intelligent Tiering basically serves the same purpose as _____________ but doesn't allow you to set your own parameters. Instead, it moves objects to certain storage classes based on your S3 storage over time, which can be more efficient

lifecycles

You can change what region you are working in via the console and that corresponds to the actual server located in the area closest to your selected region

obviously, you would choose the region closest to you to avoid lagging

According to the Shared Responsibility Model, AWS responsibility is "Security _____ the Cloud" -- AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.

of

API keys are used to let programmers into the console with a special _____________

password

AWS API

refers to the AWS Application Programming Interface (allows you to code...)

high availability

refers to the concept of something being accessible when you attempt to access it (and/or the ability to access something via multiple platforms)

IAM is a global service, so the region is set to "Global" if you are in IT and working in IAM. You can assign permissions to IAM users on a regional basis so that they can only manipulate services provided by AWS data centers, within a certain ________ (probably good for ensuring highest speed)

region

When you create a bucket, you must select a specific _______________ for it to exist in.

region (This means that any data you upload to the S3 bucket will be physically located in the data center in that region)

When configuring EC2 instance types, you have to set _____________ and ________________ _________.

region, availability zone

At the highest level, AWS' infrastructure is made up of numerous ___________ that are located all around the world

regions

storage class

represents the "classification" assigned to each object in S3. Available classes include Standard, Standard-IA (Infrequent Access), One Zone-IA (Infrequent Access), Intelligent-Tiering, and Glacier. Each storage class has varying attributes that dictate things like storage cost, object availability, object durability, and frequency of access (to the object). Each object must be assigned a storage class (Standard is the default class) and you can change the storage class of an object at any time (for the most part).

What is the "Reserved" EC2 Buying Option?

Reserved purchasing allows you to purchase an instance for a set time period of (1) or (3) years. This allows for a significant price discount over using on-demand. You can select to pay upfront, partial upfront, or no upfront. Once you buy a reserved instance, you own it for the selected time period and are responsible for the entire price (regardless of how often you use it).

buckets

root level folders you can create in S3

Which of the following is one of the benefits of AWS Security?
- Free AWS premium members
- Starts automatically once you upload your data
- Scale quickly
- None of the above

Scale quickly. Security scales with your AWS Cloud usage. No matter the size of your business, the AWS infrastructure is designed to keep your data safe. AWS Security doesn't start automatically; you have to go in and set up how your data will be accessed and decide whether this data will be encrypted or not, and so on.

When you use a "cloud" service such as iCloud, DropBox, or Amazon Web Services -- you are just utilizing __________ _____________ owned and managed by those companies.

server computers

object lifecycles

set rules to automatically transfer objects between storage classes at defined time intervals...another feature/benefit of S3

API keys for programmatic (CLI) access

special credentials required for accessing AWS resources via the Command Line Interface (CLI)

What is the "Spot" EC2 buying option?

Spot pricing is a way for you to "bid" on an instance type and only pay for and use that instance when the spot price is equal to or below your "bid" price. This option allows Amazon to sell the use of unused instances, for short amounts of time, at a substantial discount. Spot prices fluctuate based on supply and demand in the spot marketplace. You are charged by the second (but bid pricing is based on an hourly rate). When you have an active bid, an instance is provisioned for you when the spot price is equal to or less than your bid price. Provisioned instances automatically terminate when the spot price is greater than your bid price.

S3 is Amazon's primary __________ service

storage

Glacier isn't technically a ____________ __________ but it is still referenced as one

storage class

domain names

such as practionersbrief.com, are implemented to avoid the issue of having to input IP addresses. So much easier for us to remember, but the web browser still needs to know the IP addresses to get access to the web server

Which of the following features of Amazon RDS allows for better availability for databases? (Choose 2 answers)

Multi-AZ and Read Replicas. If you are looking to use replication to increase database availability while protecting your latest database updates against unplanned outages, consider running your DB instance as a Multi-AZ deployment. You can use Multi-AZ deployments and Read Replicas in conjunction to enjoy the complementary benefits of each. You can simply specify that a given Multi-AZ deployment is the source DB instance for your Read Replica(s). That way you gain both the data durability and availability benefits of Multi-AZ deployments and the read scaling benefits of Read Replicas.

What are the set of rules that Bucket names must follow?

Must be unique across all of AWS, 3 to 63 characters in length, can only have lowercase letters numbers and hyphens, must not be formatted as IP addresses

Which of the following security features is associated with a subnet in a VPC to protect against incoming traffic requests?
- AWS Inspector
- Subnet Groups
- NACL
- Security Groups

NACL

Groups let you assign IAM permission policies to a whole bunch of people

Nice when you are in a company and have a group of departments

AWS Shared Responsibility Model

Defines how Security and Compliance responsibilities are shared between AWS and its customers

A company has developed an eCommerce web application and the application needs an uptime of at least 99.5%. Which of the following deployment strategies should they use?

Deploying the application across multiple Regions
***Edge locations are not used to host applications. Edge locations are used by CloudFront to cache and distribute content to your global customers with low latency

What is the Standard storage class?

- Designed for general, all-purpose storage
- Is the default storage option
- 99.999999999% object durability ("eleven nines")
- 99.99% object availability
- Is the most expensive storage class

What is the Glacier storage class?

- Designed for long-term archival storage
- May take several hours for objects stored in Glacier to be retrieved
- 99.999999999% object durability
- Is the cheapest S3 storage class (very low storage cost)

What is the One Zone - IA (Infrequent Access) storage class?

- Designed for objects that you do not access frequently but must be immediately available when accessed (only uses one Availability Zone)
- 99.99% object durability
- 99.50% object availability
- Is about 20% less expensive than the Standard-IA storage class

What is the Standard - IA (Infrequent Access) storage class?

- Designed for objects that you do not access frequently, but must be immediately available when accessed (uses multiple Availability Zones)
- 99.999999999% object durability ("eleven nines")
- 99.90% object availability
- Is less expensive than the Standard storage class

What is the Intelligent-Tiering storage class?

- Designed to optimize costs by automatically moving data to the most cost-effective tier based on your usage
- 99.999999999% object durability ("eleven nines")
- 99.90% object availability
- Pricing depends on the assigned storage class

SNS benefits

- Send automated or manual notifications
- Send notifications to email, mobile SMS, and HTTP endpoints
- Closely integrated with other AWS services (such as CloudWatch) so that alarms, events, and actions in your AWS account can trigger notifications

What does "S3" stand for

Simple Storage Service

What are the benefits of Amazon DMS?

- Simple to use
- Minimal downtime
- Supports widely used databases
- Low cost
- Fast and easy to set up
- Reliable

objects

files stored in a bucket

managed policies

click and select policies that you can attach to groups

Customers would be using AWS services provided via regions __________ to them

closest

Where is CloudTrail located in the AWS console?

"Management Tools"

We can find "IAM" under what section of the AWS console?

"Security, Identity, and Compliance" section of the AWS Services list

If the NACL and SG are configured to allow HTTP traffic, then an HTTP request will be allowed into the subnet, then into the EC2 instance. If they are configured to deny FTP traffic, then any FTP request will be blocked.

"VPC" is under the Network and Content Delivery section of the AWS console. Under "Security" on the left side, there are options to look at Security Groups and Network Access Control Lists

We can also allow IAM users to gain access to certain AWS services policies with limited access such as...

"read only" or "full access" and so on and so forth

What are the two steps for creating a bucket?

(1) Choose a bucket name (2) Select a region

What are the primary benefits of AWS?

(1) Common personal uses of cloud services (2) Benefits to personal users (3) Common enterprise uses of cloud services (4) Benefits to enterprise users (5) How high availability, fault tolerance, scalability, and elasticity relate to these uses and benefits

What is the IP Address Process?

(1) User enters the web server's IP address into the web browser, initiating a request
(2) The request is routed across the open internet to the web server
(3) The web server receives the request and sends back data
(4) The user then views the web page in their browser
The problem with using IP addresses of web servers instead of URLs is that they aren't readily supplied and (like a phone #) they aren't easy to remember

What is the DNS Process?

(1) User inputs a domain name into the browser
(2) Browser sends the domain name to the DNS server, asking for the IP address associated with the domain name
(3) DNS server searches its list of domain names and finds the current IP address for the web server associated with the domain name
(4) The DNS server then sends the IP address back to the web browser
(5) Web browser uses the IP address to send a request to the web server to get the web content
(6) Request is routed across the open internet to the web server
(7) The web server sends back the web page data, which is displayed in the user's browser

What are the two things required to make a website work?

(1) Web server with a public IP address w/ web formatted content (2) User with web browser and the IP address of web server

subscribers

(i.e. web servers, email addresses, Amazon SQS queues, Lambda functions, etc) consume or receive the message or notification over one of the supported protocols (Amazon SQS, HTTP/S, email, SMS, Lambda) when they are subscribed to the topic

Availability Zones

(within a region) work together to make up a collection of your AWS resources. Properly designed applications will utilize multiple availability zones for high availability and fault tolerance. Availability zones have direct low latency connections between each other and each availability zone is isolated from the others to ensure fault tolerance

What does the "Business" AWS Support Plan include?

** Recommended if you have production workloads in AWS
- AWS Trusted Advisor: full set of checks
- Enhanced technical support with 24x7 phone, email, and chat access to Support Engineers
- Unlimited cases / unlimited contacts (IAM supported)
- Case severity / response times: less than 24 hours for general guidance, less than 12 hours if the system is impaired, less than 4 hours if the production system is impaired, and less than 1 hour if the production system is down
- Contextual architectural guidance for your use-cases
- AWS Support API for programmatic case management
- Interoperability and configuration guidance and troubleshooting via third-party software support
- Access to Infrastructure Event Management for no additional fee (proactive programs)
- No Technical Account Management
- No Training
- No Account Assistance
- Starts at $100 a month

AWS Artifact

*** Allows you to manage your agreements with AWS
AWS Artifact is a self-service audit artifact retrieval portal that provides customers with on-demand access to AWS' compliance documentation and AWS agreements. You can use AWS Artifact Reports to download AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports. You can use AWS Artifact Agreements to review, accept, and track the status of AWS agreements such as the Business Associate Addendum (BAA).

What does the "Enterprise" AWS Support Plan include?

*** Recommended if you have business and/or mission critical workloads in AWS
- AWS Trusted Advisor: full set of checks
- Enhanced technical support: 24x7 phone, email, and chat access to Support Engineers
- Unlimited cases / unlimited contacts (IAM supported)
- Case severity / response times: less than 24 hours for general guidance, less than 12 hours if the system is impaired, less than 4 hours for production system impairments, less than 1 hour if the production system is down, and less than 15 minutes if a business-critical system is down
- Consultative review and guidance based on your applications (architectural guidance)
- AWS Support API for programmatic case management
- Interoperability and configuration guidance and troubleshooting (third-party software support)
- Infrastructure Event Management, Well-Architected Reviews, Operations Reviews; the Technical Account Manager (TAM) coordinates access to programs and other AWS experts as needed (proactive programs)
- Designated Technical Account Manager (TAM) to proactively monitor your environment and assist with optimization
- Access to online self-paced labs (training)
- Concierge Support Team (account assistance)
- Starts at $15,000 a month

AWS X-Ray

*** Service that can handle an application with a large number of services and serves as a powerful tool for analyzing and debugging
AWS X-Ray helps developers analyze and debug production, distributed applications, such as those built using a microservices architecture. With X-Ray, you can understand how your application and its underlying services are performing to identify and troubleshoot the root cause of performance issues and errors. X-Ray provides an end-to-end view of requests as they travel through your application, and shows a map of your application's underlying components. You can use X-Ray to analyze applications both in development and in production, from simple three-tier applications to complex microservices applications consisting of thousands of services.

AWS CloudFormation

***REMEMBER THIS!!! Allows customers to manage their infrastructure as code!
AWS CloudFormation is a service that helps you model and set up your Amazon Web Services resources so that you can spend less time managing those resources and more time focusing on your applications that run in AWS. You create a template that describes all the AWS resources that you want (like Amazon EC2 instances or Amazon RDS DB instances), and AWS CloudFormation takes care of provisioning and configuring those resources for you. You don't need to individually create and configure AWS resources and figure out what's dependent on what; AWS CloudFormation handles all of that.

What does the "Developer" AWS Support Plan Include?

**Recommended if you are experimenting or testing in AWS
- AWS Trusted Advisor: 7 core checks
- Business hours** email access to Support Engineers
- Unlimited cases / 1 primary contact for Enhanced Technical Support
- Case severity / response times: less than 24 business hours for general guidance and less than 12 business hours if your system is impaired
- General architecture guidance
- No Programmatic Case Management
- No Third-Party Software Support
- No Proactive Programs
- No Technical Account Management
- No Training
- No Account Assistance
- Pricing starts at $29 a month

What best describes the "Principle of Least Privilege"?

Users should be granted permissions to access only the resources they need to do their assigned job

What are the AWS Pricing Principles?

1.) AWS works as a pay-as-you-go model...meaning you only pay for what you use, when you are using it. There is no upfront cost and charges end when you stop using a service
2.) No long-term contracts or complex licensing (exception can be made for things like reserved EC2 instances)
3.) Volume discounts are available -- the more you use a service, the cheaper it is per unit used
4.) No termination fees
5.) AWS offers a "Free Tier" option for those that are new to AWS. Free Tier offers limited AWS resources to you free-of-charge for 12 months (new accounts only)

Is your account compromised?!?!? If it is...what steps do you follow?

1.) Change your AWS root account password 2.) Change all IAM user's passwords 3.) Delete or rotate all API keys (programmatic) 4.) Delete any resources in your account that you did not create 5.) Respond to any notifications you received from AWS through support center and/or contact them to open a case!

What does Support Concierge service include?

24x7 access to AWS billing and account inquiries Guidance and best practices for billing allocation, reporting, consolidation of accounts, and root-level account security Access to Enterprise account specialists for payment inquiries, training on specific cost reporting, assistance with service limits, and facilitating bulk purchases **SO basically a bunch of billing assistance and guidance that other businesses (guessing ones that aren't this big) do not have access to...this makes sense

AMI options

AMIs come in three different categories: Community AMIs, AWS Marketplace AMIs, and My AMIs.

What are the basic EC2 components?

AMIs (Linux or Windows), instance type (processing power), EBS (local storage), IP addressing (internet access), security groups (security), and RAM

What are "My AMIs"?

AMIs that you create yourself

AWS CloudFormation

AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment. CloudFormation allows you to use a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts. This file serves as the single source of truth for your cloud environment. AWS CloudFormation is available at no additional charge, and you pay only for the AWS resources needed to run your applications.

So basically, located in each availability zone is one or more ________ ________ _____________.

AWS Data Centers

A company decided to migrate its Oracle database to AWS. Which AWS service can help achieve this without negatively impacting the functionality of the source database?

AWS Database Migration Service (DMS)

AWS Database Migration Service (DMS)

AWS Database Migration Service helps you migrate databases to AWS quickly and securely. The source database remains fully operational during the migration, minimizing downtime to applications that rely on the database. The AWS Database Migration Service can migrate your data to and from most widely used commercial and open-source databases. AWS Database Migration Service supports homogeneous migrations such as Oracle to Oracle, as well as heterogeneous migrations between different database platforms, such as Oracle or Microsoft SQL Server to Amazon Aurora. With AWS Database Migration Service, you can continuously replicate your data with high availability and consolidate databases into a petabyte-scale data warehouse by streaming data to Amazon Redshift and Amazon S3. ****When migrating databases to Amazon Aurora, Amazon Redshift, Amazon DynamoDB, or Amazon DocumentDB (with MongoDB compatibility) you can use DMS free for SIX MONTHS

What does Amazon CloudFront use to distribute content to global users with low latency?

AWS Edge Locations

AWS allows us to "Stop guessing about our capacity needs" and "Automate to make architectural experimentation easier"... these principles belong to what?

AWS General Design Principles

AWS Key Management Service (KMS)

AWS Key Management Service (KMS) makes it easy for you to create and manage keys and control the use of encryption across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.

what needs a username and password to access AWS resources?

AWS Management Console

Your company is planning to host its applications on the AWS Cloud. Which of the following services can be used to decouple distributed software systems and components? AWS SNS AWS EBS AWS Glacier AWS SQS AWS SES

AWS SNS and AWS SQS. Amazon Simple Queue Service (SQS) and Amazon SNS are both messaging services within AWS, which provide different benefits for developers. Amazon SNS allows applications to send time-critical messages to multiple subscribers through a "push" mechanism, eliminating the need to periodically check or "poll" for updates. Amazon SQS is a message queue service used by distributed applications to exchange messages through a polling model. Amazon SQS provides flexibility for distributed components of applications to send and receive messages without requiring each component to be concurrently available. In brief, SQS and SNS can be integrated together to decouple application components so that they run (or fail) independently, increasing the overall fault tolerance of the system.

What is the name of Amazon's RDS SQL database engine?

Amazon Aurora

What are the two main data store engines you can choose from when using ElastiCache?

Redis (open-source, in-memory data store and cache) and Memcached (a widely adopted memory object caching system)

How does AWS Shield protect DNS?

AWS Shield Standard automatically protects your Amazon Route 53 Hosted Zones from infrastructure layer DDoS attacks at no additional cost. This includes attacks like Reflection attacks or SYN floods that frequently target your DNS. AWS Shield Standard automatically uses various techniques like header validations and priority-based traffic shaping to automatically mitigate these DDoS attacks. In addition, AWS Shield Advanced provides additional protection for extreme scenarios when manual intervention via the 24x7 access to the AWS DDoS Response Team is required. Further, AWS Shield Advanced also provides visibility into the attacks on your Route 53 infrastructure.

AWS Shield

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield -- Standard and Advanced.

Trusted Advisor

AWS Trusted Advisor is a service that "advises" and helps you optimize aspects of your AWS account. "A resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment, Trusted Advisor provides real-time guidance to help you provision your resources following AWS's best practices"

What allows you to carve out a portion of the AWS cloud?

AWS VPC

Which of the following services can help protect your web applications from SQL injection and other vulnerabilities in your application code?

AWS WAF (web application firewall) can help protect your web applications from SQL injection and other vulnerabilities in application code (Aurora is a database service...not a security measure)

AWS Web Application Firewall (WAF)

AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules. With AWS WAF you pay only for what you use. AWS WAF pricing is based on how many rules you deploy and how many web requests your web application receives. There are no upfront commitments. *****You can deploy AWS WAF on either Amazon CloudFront as part of your CDN solution, the Application Load Balancer (ALB) that fronts your web servers or origin servers running on EC2, or Amazon API Gateway for your APIs.

According to the AWS Acceptable Use Policy

AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for 8 services: 1- Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers. 2- Amazon RDS. 3- Amazon CloudFront. 4- Amazon Aurora. 5- Amazon API Gateways. 6- AWS Lambda and Lambda Edge functions. 7- Amazon Lightsail resources. 8- Amazon Elastic Beanstalk environments.

AWS Direct Connect

AWS network feature that can help you make a private connection between AWS and your data center

ELB service (Elastic Load Balancer)

AWS service that is used to distribute load

One of the main benefits of AWS as a cloud computing service is its reliability. What does it actually mean?

Ability to recover quickly from failures Automatically provision new resources to meet demand

What are the things housed within a typical AWS data center?

Access Management -- IAM
Compute -- EC2, Lambda
Storage -- S3, Glacier
Networking -- VPC, Direct Connect, Route 53
Notifications -- SNS
Databases -- RDS, DynamoDB, ElastiCache, Redshift
Monitoring -- CloudWatch, CloudTrail

S3 is an AWS service for ____________ that allows you to create buckets and store files within them...

Access rights in the console come from the IT Department of your company. They choose which users have access to what services. Some companies also use particular services

What does AWS Shield (Standard) do?

All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge. AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.

What are the benefits of having infrastructure hosted in the AWS Cloud?

All of the physical security and most of the data/network security are taken care of for you Increase speed and agility No upfront costs

In order to implement best practices when dealing with "Single Point of Failure", you should aim to build as much automation as possible in both detecting and reacting to failure. Which of the following AWS services would help you? ELB Amazon Route 53 Auto Scaling Amazon EC2 auto-recovery

All of them!

When creating security groups, one of the best practices is to _____________

Allow only required traffic, which is denied by default

CloudFormation Designer

Allows you to use drag-and-drop interface to edit cloudformation templates

Amazon RDS Aurora

Amazon Aurora is a MySQL- and PostgreSQL-compatible relational database built for the cloud, that combines the performance and availability of traditional enterprise databases with the simplicity and cost-effectiveness of open source databases. Amazon Aurora is up to 5 times faster than standard MySQL databases and up to 3 times faster than PostgreSQL databases. It provides the security, availability, and reliability of commercial databases at 1/10th the cost. Amazon Aurora is fully managed by Amazon Relational Database Service (RDS), which automates time-consuming administration tasks like hardware provisioning, database setup, patching and backups. Amazon Aurora features a distributed, fault-tolerant, self-healing storage system that auto-scales up to 64TB per database instance. It delivers high performance and availability with up to 15 low latency read replicas, point-in-time recovery, continuous backup to Amazon S3, and replication across three Availability Zones (AZ).

Which of the following services has been described as a global content delivery network (CDN) service? Amazon SES Amazon Cloudtrail Amazon CloudFront Amazon S3

Amazon CloudFront

Amazon Cognito

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0. ***Spend your time creating great apps...let Amazon Cognito handle authentication with Secure and scalable user directory, social and enterprise identity federation, Standards-based authentication, security for your apps and users, access control for AWS resources, and easy integration with your app

Which service allows the customer to retain full administrative privileges of the underlying virtual infrastructure?

Amazon EC2

Where can you store files on AWS?

Amazon EFS Amazon EBS Amazon S3 Amazon Elastic File System (Amazon EFS) provides simple, scalable, elastic file storage for use with AWS Cloud services and on-premises resources. It is easy to use and offers a simple interface that allows you to create and configure file systems quickly and easily. Amazon EFS is built to elastically scale on demand without disrupting applications, growing and shrinking automatically as you add and remove files, so your applications have the storage they need, when they need it. It is designed to provide massively parallel shared access to thousands of Amazon EC2 instances, enabling your applications to achieve high levels of aggregate throughput and IOPS that scale as a file system grows, with consistent low latencies. As a regional service, Amazon EFS is designed for high availability and durability storing data redundantly across multiple Availability Zones.

Amazon EMR

Amazon EMR provides a managed Hadoop framework that makes it easy, fast, and cost-effective to process vast amounts of data across dynamically scalable EC2 instances. You can also run other popular distributed frameworks such as Apache Spark, HBase, Presto, and Flink in EMR, and interact with data in other AWS data stores such as Amazon S3 and Amazon DynamoDB. EMR Notebooks, based on the popular Jupyter Notebook, provide a development and collaboration environment for ad hoc querying and exploratory analysis. EMR securely and reliably handles a broad set of big data use cases, including log analysis, web indexing, data transformations (ETL), machine learning, financial analysis, scientific simulation, and bioinformatics.

Amazon Elastic Block Store (EBS)

Amazon Elastic Block Store (EBS) provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. Amazon EBS volumes offer the consistent and low-latency performance needed to run your workloads. With Amazon EBS, you can scale your usage up or down within minutes -- all while paying a low price only for what you provision. Amazon EBS is designed for application workloads that benefit from fine tuning for performance, cost and capacity. Typical use cases include Big Data analytics engines (like the Hadoop/HDFS ecosystem and Amazon EMR clusters), relational and NoSQL databases (like Microsoft SQL Server and MySQL or Cassandra and MongoDB), stream and log processing applications (like Kafka and Splunk), and data warehousing applications (like Vertica and Teradata)

Which service allows you to run containerized applications on a cluster of EC2 instances?

Amazon Elastic Container Service

Amazon Elasticsearch Service

Amazon Elasticsearch Service is a fully managed service that makes it easy for you to deploy, secure, and operate Elasticsearch at scale with zero down time. The service offers open-source Elasticsearch APIs, managed Kibana, and integrations with Logstash and other AWS services, enabling you to securely ingest data from any source and search, analyze, and visualize it in real time. Amazon Elasticsearch Service lets you pay only for what you use -- there are no upfront costs or usage requirements. With Amazon Elasticsearch Service, you get the ELK stack you need, without the operational overhead.

A company currently uses VM Templates to spin up virtual machines on their on-premise infrastructure. Which of the following can be used in a similar way to spin up EC2 instances on the AWS Cloud?

Amazon Machine Images (AMI)

Amazon Kinesis Data Firehose

Amazon Kinesis Data Firehose is the easiest way to reliably load streaming data into data stores and analytics tools. It can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk, enabling near real-time analytics with existing business intelligence tools and dashboards you're already using today. It is a fully managed service that automatically scales to match the throughput of your data and requires no ongoing administration. It can also batch, compress, transform, and encrypt the data before loading it, minimizing the amount of storage used at the destination and increasing security. You can easily create a Firehose delivery stream from the AWS Management Console, configure it with a few clicks, and start sending data to the stream from hundreds of thousands of data sources to be loaded continuously to AWS - all in just a few minutes. You can also configure your delivery stream to automatically convert the incoming data to columnar formats like Apache Parquet and Apache ORC, before the data is delivered to Amazon S3, for cost-effective storage and analytics. With Kinesis Data Firehose, you only pay for the amount of data you transmit through the service, and if applicable, for data format conversion. There is no minimum fee or setup cost.

You work as an on-premises MySQL DBA. The work of database configuration, backups, patching, and DR can be time-consuming and repetitive. Your company decided to migrate to the AWS Cloud. Which of the following can help you save time on the regular database tasks and focus on giving your databases the fast performance and high availability that they need?

Amazon RDS

Domain registration

Amazon Route 53 lets you register domain names such as example.com

Health checking

Amazon Route 53 sends automated requests over the internet to your application to prove that it is reachable, available, and functional.

Domain Name System (DNS) Service

Amazon Route 53 translates friendly domain names into IP addresses like 192.0.2.1. Amazon Route 53 responds to DNS queries using a global network of authoritative DNS servers, which reduces latency.

Which of the following S3 storage classes is ideal for data with unpredictable access patterns?

Amazon S3 Intelligent-Tiering **it's all tiering silly! Remember the training!

One of the benefits of AWS Cloud is that there are many services where you don't need to manage their underlying infrastructure. What are all of the services that don't need to be managed?

Amazon S3, Amazon RDS, Amazon RedShift, Amazon WorkSpaces, Amazon CloudFront, Amazon CloudSearch, and other services... like Amazon MapReduce and DynamoDB (their underlying infrastructure does not need to be managed)

Amazon SQS

Amazon Simple Queue Service (Amazon SQS) offers a reliable, highly-scalable hosted queue for storing messages as they travel between applications or microservices. It moves data between distributed application components and helps you decouple these components.

What does AWS stand for?

Amazon Web Services

Your company requires that all the data on your EBS volumes be encrypted. How would you go about doing this?

Amazon allows you to encrypt the file system on an EBS volume at EBS volume setup. Amazon Elastic Block Store (EBS) offers an encryption solution for your Amazon EBS volumes so you don't have to build, maintain, and secure your own infrastructure for managing encryption keys for block storage. To get started, simply enable encryption when you create a new EBS volume using the AWS Management Console, API, or CLI. Once you create and attach an encrypted Amazon EBS volume to a supported Amazon Elastic Compute Cloud (Amazon EC2) instance type, data stored at rest on the volume, disk I/O, and snapshots created from the volume are all encrypted.

Elastic Load Balancing (ELB)

An ELB evenly distributes traffic between EC2 instances that are associated with it. "A load balancer distributes incoming application traffic across multiple EC2 instances in multiple availability zones. This increases the fault tolerance of your applications. Elastic Load Balancing detects unhealthy instances and routes traffic only to healthy instances"

You can edit a policy for a group by going into the group and clicking "Create Group Policy" which will allow you to manipulate the specific policy permissions you want the group members to have by writing JSON code -- super cool!

An easier way to do this might just be manually selecting the policies by clicking "Attach Policy"

object sharing

Another feature/benefit of S3 is the ability to make an object publicly available via a URL link

You have developed a microservices application. Which of the following should you use to make sure that each EC2 instance in a system gets the same amount of traffic?

Application Load Balancer. Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, and Lambda functions. Elastic Load Balancing offers three types of load balancers: 1- Application Load Balancer. 2- Network Load Balancer. 3- Classic Load Balancer.

For the Standard, Standard - IA (Infrequent Access), One Zone - IA (Infrequent Access), Intelligent Tiering storage classes, you can manually switch the object's storage class between the four listed above...but when?

At any time! (:

Each region is comprised of multiple _______________ ___________ which are where specific AWS data centers are located

Availability Zones

Pricing for Simple Storage Service (S3)

Based on how much data you store:
- data at rest in S3
- charged per GB stored
- price per GB varies per region and storage class
Based on request pricing:
- moving data in/out of S3
- PUT, POST, LIST, GET requests (API requests)
- lifecycle transition requests
- data retrieval, data archive, data restore

What are the various AWS Support Plans?

Basic -- included in any AWS Account -- plan holders get no access to a customer support representative
Developer -- starts at $29 per month -- business hours access to a Cloud Support Associate
Business -- starts at $100 per month -- 24x7 access to a Cloud Support Engineer
Enterprise -- starts at $15,000 per month -- 24x7 access to a Senior Cloud Support Engineer

Your logs show that one or more AWS-owned IP addresses are sending packets to multiple ports on your server, and you believe this is an attempt to discover unsecured ports. What do you do?

Contact AWS Abuse team

CloudFront benefits include...

Caches content at Edge Locations for fast distribution to customers; built-in distributed denial of service (DDoS) protection; integrates with many AWS services (S3, EC2, ELB, Route 53, and Lambda)

Auto Scaling builds on the benefits of Elastic Load Balancing while adding the benefits of scalability and elasticity

Can scale automatically within minutes!

What are the main features/benefits of consolidated billing?

Central location to manage billing across all of your AWS accounts; gain volume discounts for usage across all of your AWS accounts

Main features/benefits of AWS Organizations

Centrally manage access policies across multiple AWS accounts Control access to AWS Services Automate AWS account creation and management Consolidate billing across multiple AWS accounts

Which of the following AWS Services are free to use? CloudFormation CloudWatch Auto-Scaling Route 53

CloudFormation and Auto Scaling

You are planning to host a large eCommerce application on the AWS Cloud. One of your major concerns is internet attacks such as DDoS. What following services can help with this concern? CloudFront AWS Shield AWS EC2 AWS Config

CloudFront AWS Shield

What are the Trusted Advisor categories:

Cost Optimization Performance Security Fault Tolerance

What should you do to keep the data on EBS volumes safe?

Create EBS snapshots ***Creating snapshots of EBS Volumes can help ensure that you have a backup of your EBS volumes just in case any issues arise.

Which of the following features of RDS allows for data redundancy across regions and improves disaster recovery?

Creating Read Replicas Amazon RDS Read Replicas provide enhanced performance and durability for database (DB) instances. This feature makes it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. In addition to that creating Read Replicas across regions improves your disaster recovery capabilities and allows you to scale out globally. **snapshots are for EBS only for point-in-time backup copies

Outline the Shared Responsibility Model figure provided on the AWS website:

Customer (responsible for security "in" the Cloud): customer data; platform, applications, identity and access management; operating system, network, and firewall configuration; client-side data encryption and data integrity authentication; server-side encryption (file system and/or data); networking traffic protection (encryption, integrity, identity)
AWS (responsible for security "of" the Cloud): SOFTWARE = compute, storage, database, networking; HARDWARE/AWS GLOBAL INFRASTRUCTURE = Regions, Availability Zones, Edge Locations

What is the main benefit of decoupling an application?

Reduce inter-dependencies so failures do not impact other components of the application

What are the prohibited activities when it comes to penetration testing?

DNS zone walking via Amazon Route 53 hosted zones; Denial of Service (DoS), Distributed Denial of Service (DDoS), simulated DoS, simulated DDoS; port flooding; protocol flooding; request flooding (login request flooding, API request flooding)

Primary Use Cases for Lambda:

Data processing; real-time file processing; real-time stream processing; building serverless backends for web, mobile, IoT, and 3rd party API requests

You have the following options for protecting data in transit in Amazon S3: (Choose two)

Data protection refers to protecting data while in-transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers). You can protect data in transit by using SSL or by using client-side encryption.

Route 53 benefits include...

Domain registration Domain Name System (DNS) Service Traffic Flow (send users to the best endpoint) Health Checking DNS Failover (automatically change domain endpoint if system fails) Integrates with ELB, S3, and CloudFront as endpoints

You cannot install Aurora on ________

EC2 (it is a managed service that is already installed on the AWS Cloud. You can launch Amazon Aurora using the Amazon RDS Management console)

Regarding pricing, which EC2 option can give you up to 90% off the On-Demand price?

EC2 Spot Instances -- "Reserved Instances" can give you a discount of up to 75%

What are the services permitted for vulnerability and penetration testing?

EC2 instances, NAT Gateways, Elastic Load Balancers, RDS, CloudFront, Aurora, API Gateways, Lambda and Lambda@Edge functions, Lightsail resources, Elastic Beanstalk environments

Which of the following can be used to control access to your EC2 instances? DB security groups IAM policies EC2 security groups

EC2 security groups (SG's)

There is a need to analyze a large number of data sets. Which of the following services can help fulfill this requirement?

EMR. Amazon EMR helps you analyze and process vast amounts of data by distributing the computational work across a cluster of virtual servers running in the AWS Cloud. The cluster is managed using an open-source framework called Hadoop. Amazon EMR lets you focus on crunching or analyzing your data without having to worry about time-consuming setup, management, and tuning of Hadoop clusters or the compute capacity they rely on.

If a server crashes the ELB will re-route all users to the working servers

Elastic Load Balancing is a foundational component of High Availability and Fault Tolerance

What makes Cloud computing better than traditional data centers?

Eliminating SPOFs (single points of failure); distributed infrastructure; on-demand infrastructure; cost savings

Use cases for Amazon RDS - Aurora

Enterprise Applications Software as a Service (SaaS) Applications Web and Mobile Gaming

Which are controls which a customer fully inherits from AWS?

Environmental Controls Physical Controls

Benefits of Amazon Elastic Beanstalk

Fast and simple to begin Developer productivity Impossible to outgrow Complete resources control

How does AWS Shield protect other applications?

For other custom applications, which are not based on TCP (like UDP, SIP, etc.), you cannot use services like Amazon CloudFront or Elastic Load Balancing. In these cases, you often need to run your applications directly on internet-facing Amazon EC2 instances. AWS Shield Standard also protects your Amazon EC2 instance from common infrastructure layer (Layer 3 and 4) DDoS attacks such as UDP reflection attacks (DNS reflection, NTP reflection, SSDP reflection, etc.). AWS Shield Standard uses various techniques like priority-based traffic shaping which are automatically engaged when a well-defined DDoS attack signature is detected. You can also get advanced protection against large and sophisticated DDoS attacks for these applications by enabling AWS Shield Advanced on an Elastic IP address. AWS Shield Advanced's enhanced DDoS detection automatically detects the type of AWS resource and size of EC2 instance and applies appropriate pre-defined mitigations. With AWS Shield Advanced, customers can also create their own custom mitigation profiles by engaging the 24x7 AWS DDoS Response Team (DRT). AWS Shield Advanced also ensures that, during a DDoS attack, all your Amazon VPC Network Access Control Lists (ACLs) are automatically enforced at the border of the AWS network, giving you access to additional bandwidth and scrubbing capacity to mitigate large volumetric DDoS attacks. With AWS Shield Advanced, you can get additional protection against DDoS attacks like SYN floods or other vectors like UDP floods.

Without permissions being explicitly granted to an IAM user, that user will not be able to access any AWS services

Generally, a company's IT department will be responsible for what are called IAM permission policies

Which of the following is your responsibility when creating Amazon VPC security groups? (Choose 2)

Giving a name and description for the security group; adding rules to the security group

How do you set up your AWS console to receive free tier usage alerts?

Go to cost management preferences and check "Receive Free Tier Usage Alerts" (you can also receive billing alerts and reports)

Cloudwatch Logs

Helps you aggregate logs from your EC2 instances

Which of the following is not part of the Cloud Computing models? Infrastructure as a Service (IaaS) Hardware as a Service (HaaS) Platform as a Service (PaaS) Software as a Service (SaaS)

Hardware as a Service (HaaS). There are three cloud computing models: IaaS, PaaS, and SaaS

Benefits of Amazon RDS - Aurora

High performance and scalability; high availability and durability; highly secure; MySQL and PostgreSQL compatible; fully managed; migration support

What are the use cases for Amazon DMS (Database Migration Service?)

Homogeneous migrations (same engine, e.g. Oracle to Amazon RDS for Oracle, or MySQL to Amazon Aurora MySQL). Heterogeneous migrations (different engines, e.g. Oracle to Amazon Aurora): first convert the schema with the AWS Schema Conversion Tool (SCT), then migrate the data with DMS. Development and test (copy a production database on-premises to a development/testing database in the cloud). Database consolidation (merge a MySQL database on premises, a MySQL database on Amazon EC2, and a MySQL database in Amazon RDS into a single new Amazon Aurora database). Continuous data replication (e.g. Amazon Aurora to Aurora in a different region, to Amazon RDS for MySQL, or to MySQL on premises). So basically, it can go from on-premises to the cloud and vice versa, and between AWS databases.

There is also a "Reduced Redundancy" (RRS) storage class, but it is not a recommended storage class

I don't know why it's not recommended but it isn't very commonly used

user password policies

IAM user password format requirements (e.g. a password must be a minimum of 8 characters and include 1 number)

user credentials

IAM user's username and password for logging in to AWS

DNS Servers are basically like a phone book of domain names and associated ____________________.

IP Addresses

You are going to create snapshots from EBS volumes in another geographical location using the console. Where would you create the snapshots?

In another region *** since you are going to create the snapshots in another geographical location, the answer is regions, not Availability Zones. Note that a snapshot is always created in the same region as its EBS volume; to hold a copy elsewhere you copy the snapshot to the target region (the console's Copy Snapshot action).

AWS Support Concierge Team

Included as part of the Enterprise Support plan, this team is made up of AWS billing and account experts who specialize in working with enterprise accounts. The Concierge team will quickly and efficiently assist you with your billing and account inquiries, and work with you to implement billing and account best practices so that you can focus on what matters: running your business

Benefits of Amazon WAF

Increased protection against web attacks; security integrated with how you develop applications; ease of deployment and maintenance; improved web traffic visibility; cost-effective web application protection; enhanced security with managed rules

object durability

Is the percentage (%), over a one-year period, that a file stored in S3 will NOT be lost. Object durability of 99.999999999% ("eleven nines") means there is a 0.000000001% chance of a given file being lost in a year. Put differently, if you have 10,000 files stored in S3 (at eleven nines durability), you can expect to lose one file in 10 million years

What SQL database engine options are available in RDS?

MariaDB, PostgreSQL, MySQL, Amazon Aurora, Oracle, Microsoft SQL Server

According to the AWS Acceptable Use Policy, penetration testing of EC2 instances:

May be performed by the customer on their own instances without prior authorization from AWS *** this applies to the services named in AWS's penetration testing policy (Amazon EC2, RDS, Aurora, CloudFront, API Gateway, Lambda, Lightsail and Elastic Beanstalk at the time of writing); DoS/DDoS simulations, port/protocol/request flooding and DNS zone walking remain prohibited, and tests must never target other customers or AWS infrastructure

Where is Simple Notification Services (SNS) located in the AWS console?

Messaging

CloudWatch benefits include...

Monitor metrics for almost all of your AWS resources Create and monitor custom metrics Create custom dashboards for easy viewing of metrics Monitor and store logs Set alarms and events (and trigger actions based on them)

Benefits of Lambda include:

No servers to manage Continuous Scaling Subsecond Metering Integrates with almost all other AWS Services

Best practice is to select the region that is physically closest to you (to reduce transfer latency)

OR if you are serving files to a customer based in a certain area of the world, create the bucket in a region closest to your customer (to reduce latency for them)

What are the names of the EC2 Buying Options?

On-Demand, Reserved, and Spot

You want to run a questionnaire application for only one day (without interruption), which AWS EC2 purchase option would you choose? Reserved instances Spot instances Dedicated instances On-demand instances

On-demand instances *** you don't know how much traffic there's going to be...allows you to increase or decrease your compute capacity depending on the demands of your application

Which statement is correct in relation to service limits? (select all that apply)

Option A. Understanding your service limits (and how close you are to them) is an important part of managing your AWS deployments - continuous monitoring allows you to request limit increases or shut down resources before the limit is reached. One of the easiest ways to do this is via AWS Trusted Advisor's Service Limit Dashboard, which currently covers 39 limits across 10 services. Option C. AWS maintains service limits for each account to help guarantee the availability of AWS resources, as well as to minimize billing risks for new customers. Some service limits are raised automatically over time as you use AWS, though most AWS services require that you request limit increases manually. Most service limit increases can be requested through the AWS Support Center by choosing Create Case and then choosing Service Limit Increase. Option D. With the AWS Limit Monitor, you can receive email notifications or notifications can be sent to your existing Slack channel, enabling you to request limit increases or shut down resources before the limit is reached.

What are the benefits of AWS Personal Health Dashboard?

Personalized view of Service Health Detailed Troubleshooting Guidance Proactive Notifications **cost optimization is not one of these...you can get help with this through AWS trusted advisor

RDS vs DynamoDB

RDS -- stores related data in tables (rows and columns) with a fixed schema, typically used for highly structured data (such as contact lists). DynamoDB -- stores items as collections of attributes (key-value and JSON-like documents) without a fixed schema, typically used for semi-structured data such as a catalogue of documents

Difference/Benefits of RDS and DynamoDB

RDS: for when you need a SQL (relational) database option. Easy to set up, highly available, fault tolerant, and scalable. Used when the data is clearly defined. Common use cases include online stores and banking systems. DynamoDB: for when you need a NoSQL database option. Fast, highly scalable, and fully managed. Used when the data is fluid and can change. Common uses include social networks and web analytics.

What is the major difference between AWS's RDS and DynamoDB database options?

RDS offers SQL database options and DynamoDB offers a NoSQL database option (so basically, RDS offers many and DynamoDB only offers one)

Amazon offers services for both types of databases... __________ for SQL updates and _____________________ for NoSQL databases

RDS, DynamoDB

Relational Database Service (RDS)

Relational Database Service is a SQL database service that provides a range of database engines to select from: Amazon Aurora (Amazon's own MySQL- and PostgreSQL-compatible engine), MySQL, MariaDB, PostgreSQL, Oracle, and Microsoft SQL Server (6 engines). "Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the cloud. It provides cost-efficient, resizable capacity, while automating time-consuming administration tasks such as hardware provisioning, database setup, patching, and backups. It frees you to focus on your applications so you can give them the fast performance, high availability, security, and compatibility they need."

Use cases for EBS...

Relational database Enterprise applications Development and test NoSQL databases Business continuity

In the world of databases, there are two main categories...what are they?

Relational databases known as "SQL" Non-Relational Databases known as "NoSQL"

What are benefits of EBS?

Reliable, secure storage Consistent, Low-latency performance Backup, Restore, Innovate Quickly Scale up, easily scale down Geographic Flexibility Optimized Performance

Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment.

Remember this! If you are creating a website with a bunch of videos that should be accessed quickly from around the globe-- this is a super great tool!

Which of the following does AWS perform on your behalf for EBS volumes to reduce the possibility of failure? Replication of the volume across availability zones Replication of volume across regions Replication of volume in the same Availability Zone Replication of the volume across Edge Locations

Replication of the volume in the same availability zone ***explanation: When you create an EBS volume in an Availability Zone, it is automatically replicated within that zone to prevent data loss due to failure of any single hardware component

What is the service that gives you a DNS in the cloud?

Route 53

What are the characteristics of S3? (Choose 2) S3 allows you to store unlimited amounts of data S3 allows you to store objects of virtually unlimited size S3 should be used to host a relational database Objects are directly accessible via a URL

S3 allows you to store unlimited amounts of data. Objects are directly accessible via a URL. **READ the directions and only pick as many as they ask! S3 cannot store objects of unlimited size: a single object can be at most 5 TB, and anything over 5 GB must be uploaded with multipart upload

Which of the following AWS Cloud services is designed according to the Multi-AZ principle? (Choose 2 answers) DynamoDB ElastiCache Elastic Load Balancing Amazon Virtual Private Cloud S3

S3 and DynamoDB ** Amazon DynamoDB runs across AWS proven, high-availability data centers. The service replicates data across three facilities in an AWS region to provide fault tolerance in the event of a server failure or Availability Zone outage. ** Amazon S3 provides durable infrastructure to store important data and is designed for durability of 99.999999999% of objects. Your data is redundantly stored across multiple facilities and multiple devices in each facility. Although Elastic Load Balancing and Amazon ElastiCache can be deployed across multiple Availability Zones, you must explicitly take such steps when creating them.

You decided to pay a low upfront fee to get a significantly discounted hourly rate What is the payment model you are going to use?

Reserved Instances ("save when you reserve"): committing to a one- or three-year term with a partial or all-upfront payment gives a significantly discounted hourly rate compared with On-Demand

What are the benefits of AWS Shield?

Seamless integration and deployment Customizable protection Managed protection and attack visibility Cost efficient

What does AWS Snowball provide?

Secure transfer of large amounts of data into and out of the AWS Cloud

AWS Snowball

Snowball is a petabyte-scale data transport solution that uses devices designed to be secure to transfer large amounts of data into and out of the AWS Cloud. Using Snowball addresses common challenges with large-scale data transfers, including high network costs, long transfer times, and security concerns. Customers use Snowball to migrate analytics data, genomics data, video libraries, image repositories and backups, and to archive data as part of data center shutdowns, tape replacement or application migration projects. Transferring data with Snowball is simple, fast, more secure, and can be as little as one-fifth the cost of transferring data via high-speed Internet. With Snowball, you don't need to write any code or purchase any hardware to transfer your data. Simply create a job in the AWS Management Console ("Console") and a Snowball device will be automatically shipped to you. Once it arrives, attach the device to your local network, download and run the Snowball Client ("Client") to establish a connection, and then use the Client to select the file directories that you want to transfer to the device. The Client encrypts the files and transfers them to the device at high speed. Once the transfer is complete and the device is ready to be returned, the E Ink shipping label automatically updates, and you can track the job status via Amazon Simple Notification Service (SNS), text messages, or directly in the Console.

AWS data centers are grouped into Availability Zones: each Availability Zone is one or more discrete data centers with independent power, networking and connectivity within a region. Deploying a copy of a server in each Availability Zone is how you make a workload survive the loss of a whole zone.

So if a region has 3 Availability Zones, you would run an iteration of that server in each of the 3 zones

By default, all new objects uploaded to S3 are set to the _________________ storage class

Standard

What is the default storage class type in S3?

Standard

What are the different storage class types in S3?

Standard, Standard-IA, One Zone-IA, Intelligent-Tiering, Glacier and Glacier Deep Archive (plus the legacy Reduced Redundancy class, which is not recommended)

CloudWatch alarms can publish to an SNS topic to send a message to the system administrator, and alarm actions can also act directly, for example rebooting or recovering an EC2 instance or triggering an Auto Scaling policy, to fix the server error automatically

Super cool!
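The chain described in the two flashcards above (CloudWatch Logs metric filter, CloudWatch alarm, SNS notification and an automated action) modelled offline. This is an added example, not code from the study notes or from AWS: the log lines are constructed, the alarm uses CloudWatch's "M out of N datapoints" evaluation semantics, and the SNS topic and its subscribers are stand-ins (plain Python callables) for a real topic, an e-mail subscription and an EC2 reboot action.

```python
"""Added example: metric filter -> alarm -> SNS fan-out, modelled offline."""

# Constructed log lines in "<ISO timestamp> <level> <message>" form (not real data).
SAMPLE_LOGS = [
    "2024-05-01T10:00:05Z INFO  request ok",
    "2024-05-01T10:00:30Z ERROR db timeout",
    "2024-05-01T10:01:10Z ERROR db timeout",
    "2024-05-01T10:01:12Z ERROR db timeout",
    "2024-05-01T10:01:40Z ERROR db timeout",
    "2024-05-01T10:02:02Z ERROR db timeout",
    "2024-05-01T10:02:03Z ERROR db timeout",
    "2024-05-01T10:02:04Z ERROR db timeout",
    "2024-05-01T10:03:01Z INFO  request ok",
    "2024-05-01T10:04:01Z INFO  request ok",
    "2024-05-01T10:05:01Z INFO  request ok",
]


def metric_filter(lines, pattern="ERROR"):
    """Like a CloudWatch Logs metric filter: count lines containing `pattern`
    per one-minute period and return [(minute, count), ...] in time order."""
    per_minute = {}
    for line in lines:
        timestamp, _, message = line.partition(" ")
        minute = timestamp[:16]            # "2024-05-01T10:00"
        per_minute.setdefault(minute, 0)   # a period with no matches still reports 0
        if pattern in message:
            per_minute[minute] += 1
    return sorted(per_minute.items())


class SnsTopic:
    """Stand-in for an SNS topic: publish() delivers to every subscriber."""
    def __init__(self):
        self.subscribers = []

    def subscribe(self, endpoint):
        self.subscribers.append(endpoint)

    def publish(self, message):
        for endpoint in self.subscribers:
            endpoint(message)


class Alarm:
    """CloudWatch-style alarm: ALARM when at least `datapoints_to_alarm` of the
    last `evaluation_periods` datapoints exceed the threshold, OK once they no
    longer do, INSUFFICIENT_DATA until enough datapoints have been seen."""
    def __init__(self, name, threshold, evaluation_periods=3, datapoints_to_alarm=2, topic=None):
        self.name, self.threshold, self.topic = name, threshold, topic
        self.evaluation_periods, self.datapoints_to_alarm = evaluation_periods, datapoints_to_alarm
        self.state = "INSUFFICIENT_DATA"
        self._window = []

    def evaluate(self, minute, value):
        self._window = (self._window + [value])[-self.evaluation_periods:]
        breaching = sum(v > self.threshold for v in self._window)
        if breaching >= self.datapoints_to_alarm:
            new_state = "ALARM"
        elif len(self._window) < self.evaluation_periods:
            new_state = "INSUFFICIENT_DATA"
        else:
            new_state = "OK"
        if new_state != self.state and self.topic is not None:   # alarm actions run on transitions
            self.topic.publish({"alarm": self.name, "old": self.state, "new": new_state,
                                "at": minute, "value": value})
        self.state = new_state
        return new_state


def run_pipeline(lines, threshold=2):
    """Feed the metric into the alarm; return (states, notifications, remediations)."""
    topic = SnsTopic()
    inbox = []          # stands in for the administrator's e-mail subscription
    remediations = []   # stands in for an automated action (e.g. an EC2 reboot alarm action)
    topic.subscribe(inbox.append)
    topic.subscribe(lambda m: remediations.append(m["at"]) if m["new"] == "ALARM" else None)
    alarm = Alarm("app-errors", threshold, topic=topic)
    states = [(minute, count, alarm.evaluate(minute, count)) for minute, count in metric_filter(lines)]
    return states, inbox, remediations


if __name__ == "__main__":
    for row in run_pipeline(SAMPLE_LOGS)[0]:
        print(row)
```

With the sample above the alarm enters ALARM at 10:02 (two of the last three minutes exceeded 2 errors), stays there at 10:03, and returns to OK at 10:04; only the two transitions produce SNS messages, and only the ALARM transition triggers the remediation callback.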

As part of the Enterprise Support Plan, who is the primary point of contact for ongoing support needs?

TAM (Technical Account Manager) -- provides technical expertise for the full range of AWS services and obtains a detailed understanding of your use case and technology architecture

By showing how much you can save by using AWS, the calculator helps you reduce the TCO by avoiding large capital expenditures on IT hardware and infrastructures

The TCO Calculator also provides directional guidance on cost savings. Elements can be added or modified as you move through the process to best estimate the cost savings.

**** What are the 5 pillars of the AWS Well Architected Framework?

The 5 Pillars of the AWS Well-Architected Framework: Operational Excellence: The operational excellence pillar includes the ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures. Security: The security pillar includes the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies. Reliability: The reliability pillar includes the ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues. Performance Efficiency: The performance efficiency pillar includes the ability to use computing resources efficiently to meet system requirements and to maintain that efficiency as demand changes and technologies evolve. Cost Optimization: The cost optimization pillar includes the ability to avoid or eliminate unneeded cost or suboptimal resources.

Total Cost of Ownership (TCO) Calculator

The TCO Calculator is a free tool provided by AWS that allows you to estimate the cost savings of using AWS Cloud vs using an on-premises data center

Elastic Cloud Compute Shared Responsibility Model (EC2)

What AWS is responsible for: - setup and maintenance of the physical hardware located in each AWS data center - physical security of the data centers - setup and maintenance of the host virtualization software (hypervisor). You are responsible for: - network-level security (network ACLs and security groups) - operating system patches and updates - IAM user access management - client-side and server-side data encryption ...this is just the shared responsibility model for EC2; the split differs for the other core services (for a managed service such as RDS, AWS also patches the database host's operating system), and you need to know it for each of them
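The two network-level controls the customer owns on that list, security groups and network ACLs, behave differently in a way that catches people out, and the security-group flashcard earlier only says "add rules". The model below is an added example, not code from the study notes or from AWS: it evaluates a packet against a stateful, allow-only security group and against a stateless, ordered network ACL, and shows the classic mistake of a network ACL that allows inbound HTTPS but forgets to allow the return traffic to the client's ephemeral port. All addresses, ports and rule numbers are made up.

```python
"""Added example: security group (stateful, allow-only) vs network ACL (stateless, ordered)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" = towards the instance, "out" = leaving it
    proto: str        # "tcp" or "udp"
    remote_ip: str    # the peer's address
    remote_port: int  # the peer's port
    local_port: int   # the instance's port

    @property
    def dst_port(self):
        """Rules match on the packet's destination port."""
        return self.local_port if self.direction == "in" else self.remote_port


@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "udp" or "*" for all protocols
    port_from: int
    port_to: int
    cidr: str              # matched against the peer's address
    action: str = "allow"  # "deny" only exists for network ACL rules
    number: int = 0        # network ACL rule number (evaluation order)

    def matches(self, pkt):
        return (self.proto in ("*", pkt.proto)
                and self.port_from <= pkt.dst_port <= self.port_to
                and ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(self.cidr, strict=False))


ALLOW_ALL_OUTBOUND = Rule("*", 0, 65535, "0.0.0.0/0")   # the default outbound rule of a new security group


class SecurityGroup:
    def __init__(self, inbound, outbound=(ALLOW_ALL_OUTBOUND,)):
        for rule in list(inbound) + list(outbound):
            if rule.action != "allow":
                raise ValueError("security groups have no deny rules")
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._tracked = set()   # connection tracking: flows already allowed

    def permits(self, pkt):
        flow = (pkt.proto, pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if flow in self._tracked:
            return True         # reply to an allowed flow passes regardless of rules
        rules = self.inbound if pkt.direction == "in" else self.outbound
        if any(rule.matches(pkt) for rule in rules):
            self._tracked.add(flow)
            return True
        return False            # no allow rule matched: implicit deny


class NetworkAcl:
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def permits(self, pkt):
        """Every packet, replies included, is checked; lowest-numbered match wins."""
        for rule in (self.inbound if pkt.direction == "in" else self.outbound):
            if rule.matches(pkt):
                return rule.action == "allow"
        return False            # the final '*' rule denies everything unmatched


def delivered(nacl, sg, pkt):
    """A packet must pass the subnet's network ACL and the instance's security group."""
    return nacl.permits(pkt) and sg.permits(pkt)


def web_sg():
    """HTTPS from anywhere, SSH only from the (made-up) corporate range."""
    return SecurityGroup(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0"), Rule("tcp", 22, 22, "10.0.0.0/8")])


# Mistake: outbound only opens 443, so replies to the client's ephemeral port are dropped.
BROKEN_ACL = NetworkAcl(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100)],
                        outbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100)])

# Fixed: ephemeral ports allowed outbound, plus an explicit deny for one abusive /24.
FIXED_ACL = NetworkAcl(inbound=[Rule("tcp", 443, 443, "198.51.100.0/24", action="deny", number=50),
                                Rule("tcp", 443, 443, "0.0.0.0/0", number=100)],
                       outbound=[Rule("tcp", 1024, 65535, "0.0.0.0/0", number=100)])


def https_exchange(nacl, sg, client_ip="203.0.113.5", client_port=51515):
    """Client request to port 443, then the instance's reply: (request_ok, reply_ok)."""
    request = Packet("in", "tcp", client_ip, client_port, 443)
    reply = Packet("out", "tcp", client_ip, client_port, 443)
    return delivered(nacl, sg, request), delivered(nacl, sg, reply)
```

The security group passes the reply in both configurations because it tracks the connection; the broken network ACL drops it because it re-checks the reply against its outbound rules and finds no match for the client's ephemeral port.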

How does AWS Shield protect Web Applications and APIs

When using Amazon CloudFront, AWS Shield Standard automatically provides comprehensive protection against infrastructure-layer attacks like SYN floods, UDP floods, or other reflection attacks. Shield Standard's always-on detection and mitigation systems automatically scrub bad traffic at Layer 3 and 4 to protect your application; over 99% of infrastructure-layer attacks detected by Shield Standard on Amazon CloudFront are mitigated automatically in less than 1 second. For additional protection against large and sophisticated DDoS attacks, you can also use AWS Shield Advanced on Amazon CloudFront. With Shield Advanced, customers get 24x7 access to the AWS DDoS Response Team (DRT), who proactively apply any mitigations necessary for sophisticated infrastructure-layer (Layer 3 or 4) attacks using additional techniques like traffic engineering. Shield Advanced also protects you against application-layer attacks like HTTP floods: its always-on detection system baselines the customer's steady-state application traffic and monitors for anomalies. AWS Shield Advanced includes AWS WAF at no additional cost, allowing you to customize any application-layer mitigation (for example a rate-based rule that blocks a source IP exceeding a request rate).
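Of the application-layer mitigations mentioned above, the one most people configure first is a WAF rate-based rule: count requests per source IP over a trailing five-minute window and block the source while it exceeds the limit. The code below is an added example that reimplements that logic offline; it is not AWS WAF code and not from the study notes. The request log is constructed, and the limit of 20 requests per 5 minutes is an illustrative value (a real rule's limit is whatever you configure).

```python
"""Added example: a WAF-style rate-based rule evaluated over constructed request logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # WAF rate-based rules count over a trailing 5-minute span


class RateBasedRule:
    """Block a source IP while it has more than `limit` requests in the trailing window.
    AWS re-evaluates roughly every 30 seconds; here we re-evaluate on every request,
    so a source is unblocked as soon as its old requests age out of the window."""
    def __init__(self, limit):
        self.limit = limit
        self._hits = defaultdict(deque)   # ip -> timestamps of requests inside the window

    def check(self, ts, ip):
        """Record one request and return the action WAF would take: 'ALLOW' or 'BLOCK'."""
        window = self._hits[ip]
        while window and ts - window[0] > WINDOW:
            window.popleft()
        window.append(ts)
        return "BLOCK" if len(window) > self.limit else "ALLOW"


def generate_requests():
    """Constructed traffic: a burst from one client, normal browsing from another,
    and one late request from the burst source after its burst has aged out."""
    t0 = datetime(2024, 5, 1, 12, 0, 0)
    requests = []
    for i in range(30):   # 30 requests in two minutes from 203.0.113.5
        requests.append((t0 + timedelta(seconds=4 * i), "203.0.113.5", "GET /login"))
    for i in range(5):    # 5 requests spread over ten minutes from 198.51.100.4
        requests.append((t0 + timedelta(minutes=2 * i), "198.51.100.4", "GET /"))
    requests.append((t0 + timedelta(minutes=8), "203.0.113.5", "GET /login"))
    return sorted(requests)


def apply_rule(requests, limit=20):
    """Run every request through the rule; return per-IP counts of ALLOW/BLOCK."""
    rule = RateBasedRule(limit)
    summary = defaultdict(lambda: {"ALLOW": 0, "BLOCK": 0})
    for ts, ip, _path in requests:
        summary[ip][rule.check(ts, ip)] += 1
    return dict(summary)


if __name__ == "__main__":
    print(apply_rule(generate_requests()))
```

The burst source gets its first 20 requests through, the remaining 10 are blocked, and its request eight minutes later is allowed again because the window has emptied; the low-rate client is never affected. In a real deployment you would normally pair the rate limit with CloudFront in front and keep the origin reachable only from CloudFront, so the flood cannot bypass the WAF by hitting the origin directly.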

A company decided to migrate to the AWS Cloud. AWS offers a wide range of services and instance types. They want to reduce costs as much as possible. Which of the following is the main factor to consider when choosing the instance type of services like Amazon RDS and Amazon Redshift?

Workload utilization of CPU and RAM ***In some cases, you should select the cheapest type that suits your workload's requirements. In other cases, using fewer instances of a larger instance type might result in lower total cost or better performance. You should benchmark and select the right instance type depending on how your workload utilizes CPU, RAM, network, storage size, and I/O.

Virtual Private Cloud (VPC)

a private sub section of AWS that you control, in which you can place AWS resources (such as EC2 instances and databases). You have FULL control over who can access the AWS resources that you place in your VPC. A better definition of this is "Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways." When you create an AWS account, a default VPC is created for you

AWS Organizations is available to ________ AWS customers at no additional cost

all

CloudTrail

allows you to record and review the API actions taken in your account by IAM users, roles and AWS services (e.g. which principal deleted an S3 object, from which IP address, and when)... According to the AWS website, "AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting." Note that management events (such as deleting a bucket) are recorded by default, but S3 object-level operations such as GetObject and DeleteObject are data events that must be explicitly enabled on the trail before they appear.
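The "who deleted that S3 object" question above is answered by searching CloudTrail records. The following is an added example, not code from the study notes or from AWS: it runs a few detection queries over a small, constructed set of CloudTrail-style records (abridged to the fields used; the account ID, user names, bucket names and IP addresses are all made up). The structure of the fields (`userIdentity`, `eventSource`, `eventName`, `requestParameters`, `additionalEventData.MFAUsed`) follows the real CloudTrail record format.

```python
"""Added example: attributing S3 deletions and other risky actions from CloudTrail records."""
import json

# Constructed CloudTrail-style records (not real log data; fields abridged).
SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventTime": "2024-05-01T09:58:11Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.5",
  "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
 {"eventTime": "2024-05-01T10:02:44Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
  "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.5",
  "requestParameters": {"bucketName": "app-bucket", "key": "reports/q1.csv"}},
 {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "10.0.1.7",
  "requestParameters": {"bucketName": "app-bucket", "key": "reports/q1.csv"}},
 {"eventTime": "2024-05-01T11:15:30Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}, "sourceIPAddress": "198.51.100.9",
  "requestParameters": {"bucketName": "old-logs"}}
]}""")["Records"]


def actor(record):
    """Best available name for the principal: IAM user name, else ARN, else identity type."""
    identity = record.get("userIdentity", {})
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def deletions(records, bucket=None):
    """Every S3 Delete* call (optionally for one bucket), with who/when/where-from."""
    found = []
    for record in records:
        if record.get("eventSource") != "s3.amazonaws.com" or not record.get("eventName", "").startswith("Delete"):
            continue
        params = record.get("requestParameters") or {}
        if bucket and params.get("bucketName") != bucket:
            continue
        found.append({"who": actor(record), "when": record["eventTime"], "from": record.get("sourceIPAddress"),
                      "what": record["eventName"], "bucket": params.get("bucketName"), "key": params.get("key")})
    return found


def root_activity(records):
    """Any use of the root user is worth an alert; it should be reserved for account tasks."""
    return [r for r in records if r.get("userIdentity", {}).get("type") == "Root"]


def logins_without_mfa(records):
    """Successful console logins where MFA was not used."""
    return [actor(r) for r in records
            if r.get("eventName") == "ConsoleLogin"
            and (r.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            and (r.get("additionalEventData") or {}).get("MFAUsed") != "Yes"]


if __name__ == "__main__":
    for hit in deletions(SAMPLE_TRAIL, bucket="app-bucket"):
        print(f'{hit["when"]} {hit["who"]} {hit["what"]} s3://{hit["bucket"]}/{hit["key"]} from {hit["from"]}')
```

Against the sample, `deletions(SAMPLE_TRAIL, bucket="app-bucket")` attributes the deleted report to bob, who had also logged in to the console without MFA, and `root_activity` surfaces the bucket deleted by the root user. The same functions can be pointed at the JSON files CloudTrail delivers to S3, one `Records` array per file.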

Consolidated Billing

allows you to view, manage, and pay bills for multiple AWS accounts in one user interface. "AWS Organizations enables you to set up a single payment method for all the AWS accounts in your organization through consolidated billing. With consolidated billing, you can see a combined view of charges incurred by all of your accounts, as well as take advantage of pricing benefits from aggregated usage, such as volume discounts for Amazon EC2 and Amazon S3."

Auto Scaling

automates the process of adding (scaling out) or removing (scaling in) EC2 instances based on the traffic demand of your application. "Auto Scaling helps you ensure that you have the correct number of Amazon EC2 instances available to handle the load for your application. You create collections of EC2 instances, called Auto Scaling groups. You can specify the minimum number of instances in each Auto Scaling group, and Auto Scaling ensures that your group never goes below this size. You can specify the maximum number of instances in each Auto Scaling group, and Auto Scaling ensures that your group never goes above this size. If you specify the desired capacity, either when you create the group or at any time thereafter, Auto Scaling ensures that your group has this many instances. If you specify scaling policies, then Auto Scaling can launch or terminate instances on demand as your application's load increases or decreases."

object versioning

automatically keep multiple versions of an object (when enabled)...another great feature/benefit of S3
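What versioning changes is the meaning of "delete": on a versioned bucket a plain DELETE only inserts a delete marker, and the earlier versions stay recoverable until someone deletes them by version ID. The model below is an added example, not code from the study notes or from AWS, and the bucket key names are made up; it reproduces the versioning semantics of PUT, GET and DELETE with and without a version ID so the restore procedure can be seen end to end.

```python
"""Added example: S3 object versioning, delete markers and restoring an object."""
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass
class ObjectVersion:
    version_id: str
    body: Optional[bytes]          # None for a delete marker
    is_delete_marker: bool = False


class VersionedBucket:
    def __init__(self):
        self._versions = {}        # key -> list of versions, oldest first
        self._ids = itertools.count(1)

    def put_object(self, key, body):
        """Every PUT creates a new current version; earlier versions are kept."""
        version = ObjectVersion(f"v{next(self._ids)}", body)
        self._versions.setdefault(key, []).append(version)
        return version.version_id

    def get_object(self, key, version_id=None):
        """GET without a version id returns the current version, or None (HTTP 404)
        when the current version is a delete marker; older versions remain readable."""
        versions = self._versions.get(key, [])
        if version_id is None:
            current = versions[-1] if versions else None
            return None if current is None or current.is_delete_marker else current.body
        for version in versions:
            if version.version_id == version_id:
                return None if version.is_delete_marker else version.body
        return None

    def delete_object(self, key, version_id=None):
        """DELETE without a version id destroys nothing: it adds a delete marker as the
        current version and returns the marker's id. DELETE with a version id permanently
        removes that version, or that delete marker (which makes the object visible again)."""
        versions = self._versions.setdefault(key, [])
        if version_id is None:
            marker = ObjectVersion(f"v{next(self._ids)}", None, is_delete_marker=True)
            versions.append(marker)
            return marker.version_id
        remaining = [v for v in versions if v.version_id != version_id]
        removed = len(remaining) != len(versions)
        versions[:] = remaining
        return removed

    def list_object_versions(self, key):
        """(version_id, is_delete_marker, is_latest) for each stored version, oldest first."""
        versions = self._versions.get(key, [])
        return [(v.version_id, v.is_delete_marker, v is versions[-1]) for v in versions]


def accidental_delete_and_restore():
    """Two writes, an accidental delete, the restore, then a deliberate purge of the draft."""
    bucket = VersionedBucket()
    v1 = bucket.put_object("reports/q1.csv", b"draft")
    v2 = bucket.put_object("reports/q1.csv", b"final")
    marker = bucket.delete_object("reports/q1.csv")         # "oops"
    after_delete = bucket.get_object("reports/q1.csv")      # None: the object looks gone
    bucket.delete_object("reports/q1.csv", marker)          # removing the marker restores it
    restored = bucket.get_object("reports/q1.csv")
    bucket.delete_object("reports/q1.csv", v1)              # permanently drop the draft
    remaining = [vid for vid, _, _ in bucket.list_object_versions("reports/q1.csv")]
    return after_delete, restored, remaining == [v2]
```

Two operational consequences follow from this: noncurrent versions keep costing storage until a lifecycle rule expires them, and a principal with `s3:DeleteObjectVersion` can still destroy data, which is why MFA Delete exists for versioned buckets.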

AWS Abuse Team

can assist you when AWS resources are being used to engage in the following types of abusive behavior: I. Spam: you are receiving unwanted emails from an AWS-owned IP address, or AWS resources are being used to spam websites or forums. II. Port scanning: your logs show that one or more AWS-owned IP addresses are sending packets to multiple ports on your server, and you believe this is an attempt to discover unsecured ports. III. Denial of service (DoS) attacks: your logs show that one or more AWS-owned IP addresses are being used to flood ports on your resources with packets, and you believe this is an attempt to overwhelm or crash your server or the software running on it. IV. Intrusion attempts: your logs show that one or more AWS-owned IP addresses are being used to attempt to log in to your resources. V. Hosting objectionable or copyrighted content: you have evidence that AWS resources are being used to host or distribute illegal content, or to distribute copyrighted content without the consent of the copyright holder. VI. Distributing malware: you have evidence that AWS resources are being used to distribute software that was knowingly created to compromise or cause harm to the computers or machines on which it is installed.

What are "shared controls" in the shared responsibility model?

controls which apply to both the infrastructure layer and customer layers, but in completely separate contexts or perspectives. In shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation with their use of AWS services. Examples include: Patch Management (AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications) Configuration Management (AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications) Awareness and Training (AWS trains AWS employees, but a customer must train their own employees)

What are "Customer Specific" in the shared responsibility model?

controls which are solely the responsibility of the customer based on the application they are deploying within AWS services...examples include: Service and Communications Protection or Zone Security which may require a customer to route or zone data within specific security environments

Shared Responsibility Model

defines what you (as an AWS account holder/user) and Amazon Web Services are each responsible for when it comes to security and compliance. "Security and Compliance is a shared responsibility between AWS and the customer. The shared model can help relieve the customer's operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility and management of the guest operating system (including updates and security patches), other associated application software as well as the configuration of the AWS-provided security group firewall"

Web servers are responsible for sending ___________________ information to DNS Servers (like updating a listing in a phone book)

domain/IP information

Availability zones contain ________________ data from the same region in case of natural disasters

duplicated

What are some additional benefits of S3?

Durable, reliable and scalable. Secure: offers three types of server-side encryption (S3-managed keys, SSE-S3; AWS KMS keys, SSE-KMS; customer-provided keys, SSE-C), and client-side encryption is also possible. Integrates with almost all other AWS services. You can run big data analytics on objects directly in S3. Easy to get data in and out of S3. Robust administration and access management options (IAM policies, bucket policies, ACLs).

You can store any type of ________ in S3

file

What are community AMIs?

free to use generally, with these AMIs, you are just selecting the OS you want

What are the EC2 instance type options?

general purpose, compute optimized, memory optimized, accelerated computing (GPU), storage optimized (depending on your use case and desired development environment, the family you pick, one of these five, makes a huge difference in how your EC2 instance performs)

According to the Shared Responsibility Model, customer responsibility is "Security _____ the Cloud" -- Customer responsibility is determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. For example, services such as Amazon Elastic Compute Cloud (EC2), Amazon Virtual Private Cloud (VPC), and Amazon S3 are categorized as Infrastructure as a Service (IaaS) and, as such, require the customer to perform all of the necessary security configuration and management tasks. If a customer deploys an Amazon EC2 instance, they are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instance, and the configuration of the AWS-provided firewall (called a security group) on each instance.

in

If an IAM user is in a group, you can still customize them _____________ by directly attaching additional IAM permission policies on top of what they already have access to as a member of the group

individually
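Both the "no permissions unless explicitly granted" flashcard earlier and the group-plus-direct-policy flashcard just above come down to how IAM evaluates the set of policies that apply to a user. The code below is an added example, not code from the study notes and not the IAM engine itself: it is a small model that implements the documented precedence (implicit deny by default, explicit Deny beats any Allow, group and directly attached policies evaluated together) with IAM-style `*` wildcards in Action and Resource. Conditions, resource-based policies, permission boundaries and SCPs are not modelled, and the group, users, bucket and policy names are made up.

```python
"""Added example: a minimal model of IAM policy evaluation for users and groups."""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a single value or a list."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """Action names are case-insensitive in IAM; both fields accept '*' wildcards."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def applicable_policies(user, groups):
    """Policies attached to each group the user belongs to, then those attached directly."""
    docs = []
    for group_name in user.get("groups", []):
        docs.extend(groups[group_name])
    docs.extend(user.get("policies", []))
    return docs


def evaluate(user, groups, action, resource):
    """Return (allowed, reason). An explicit Deny anywhere wins; otherwise an Allow
    is needed, and with neither the request is implicitly denied."""
    allowed_by = None
    for doc in applicable_policies(user, groups):
        for stmt in _as_list(doc.get("Statement", [])):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return False, f"explicit deny in {doc['name']}"
            if stmt.get("Effect") == "Allow" and allowed_by is None:
                allowed_by = doc["name"]
    if allowed_by:
        return True, f"allowed by {allowed_by}"
    return False, "implicit deny (no policy grants this action)"


# Constructed sample data: one group policy and one user with an extra, direct policy.
GROUPS = {
    "developers": [{
        "name": "DevReadS3",
        "Statement": [{"Effect": "Allow",
                       "Action": ["s3:GetObject", "s3:ListBucket"],
                       "Resource": ["arn:aws:s3:::app-bucket", "arn:aws:s3:::app-bucket/*"]}],
    }],
}
USERS = {
    "alice": {"groups": ["developers"], "policies": []},
    "bob": {"groups": ["developers"], "policies": [{
        "name": "BobWriteButNoSecrets",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-bucket/*"},
            {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/secrets/*"},
        ]}]},
    "carol": {"groups": [], "policies": []},   # freshly created user: nothing attached
}


def check(user_name, action, resource):
    return evaluate(USERS[user_name], GROUPS, action, resource)


if __name__ == "__main__":
    for who, act, res in [("alice", "s3:GetObject", "arn:aws:s3:::app-bucket/readme.txt"),
                          ("bob", "s3:GetObject", "arn:aws:s3:::app-bucket/secrets/key.pem"),
                          ("carol", "s3:GetObject", "arn:aws:s3:::app-bucket/readme.txt")]:
        print(who, act, res, "->", check(who, act, res))
```

Note the bob/secrets case: the group policy allows the read, but the Deny in bob's directly attached policy still wins, which is the property that makes Deny statements the right tool for carving exceptions out of broad group grants.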

Amazon Direct Connect

is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections. AWS Direct Connect lets you establish a dedicated network connection between your network and one of the AWS Direct Connect locations. Using industry standard 802.1q VLANs, this dedicated connection can be partitioned into multiple virtual interfaces. This allows you to use the same connection to access public resources such as objects stored in Amazon S3 using public IP address space, and private resources such as Amazon EC2 instances running within an Amazon Virtual Private Cloud (VPC) using private IP space, while maintaining network separation between the public and private environments. Virtual interfaces can be reconfigured at any time to meet your changing needs.

Amazon Web Services (AWS)

is a cloud services provider offering Infrastructure as a Service (IaaS) and, through its managed services, Platform as a Service (PaaS). It provides services such as storage, computing power, databases, analytics, networking, developer tools, virtualization, and security. You can set up your own web servers, networking, and security, which makes it far more powerful than consumer storage services such as iCloud or Dropbox, even though most people use cloud services just for storage.

AWS Service Documentation

is a collection of documents specific to each AWS service. They provide detailed technical explanations and walkthroughs on how to use each service and its features

ElastiCache

is a data caching service used to improve the speed/performance of web applications running on AWS. "Amazon ElastiCache is a web service that makes it easy to deploy, operate, and scale an in-memory data store or cache in the cloud. The service improves the performance of web applications by allowing you to retrieve information from fast, managed, secure in-memory data stores, instead of relying entirely on slower disk-based databases. Amazon ElastiCache supports two open-source in-memory engines" (Redis and Memcached)

RedShift

is a data warehouse database service designed to handle petabytes of data for analysis. "Amazon Redshift is a fast, fully managed data warehouse that makes it simple and cost-effective to analyze all of your data using standard SQL and your existing Business Intelligence (BI) tools. It allows you to run complex analytic queries against petabytes of structured data, using sophisticated query optimization, columnar storage on high-performance local disks, and massively parallel query execution"

Cost Explorer

is a free tool that allows you to view charts of your costs - view cost data for the past 13 months - forecast how likely you are to spend over next 3 months - use explorer to discover patterns in how much you spend on AWS resources over time - and identify (cost) problem areas - identify which services you use the most and/or metrics, like which Availability Zones have the most traffic, or which linked AWS account is used the most

Amazon EC2 Dedicated Host

is a physical server with EC2 instance capacity fully dedicated to your use. Dedicated Hosts can help you address compliance requirements and reduce costs by allowing you to use your existing server-bound software licenses.

CloudWatch

is a service that allows you to monitor various elements in your AWS account. "Amazon CloudWatch monitors your Amazon Web Services (AWS) resources and applications you run in real time. You can use CloudWatch to collect and track metrics, which are variables you can measure for your resources and applications. CloudWatch alarms send notifications or automatically make changes to the resources you are monitoring based on the rules that you define...use the dashboard to view metrics" So basically like Google Analytics for all of your AWS resources

Infrastructure Event Management

is a short-term engagement with AWS Support, available as part of the Enterprise-level Support product offering, and available for additional purchase for Business-level Support subscribers. AWS Infrastructure Event Management partners with your technical and project resources to gain a deep understanding of your use case and provide architectural and scaling guidance for an event. Common use-case examples for AWS Event Management include advertising launches, new product launches, and infrastructure migrations to AWS.

firewall

is software (or a dedicated hardware device) that allows or blocks network traffic according to a set of rules, typically based on source and destination address, port and protocol; in AWS, security groups and network ACLs play this role

Simple Notification Service (SNS)

is an AWS service that allows you to automate the sending of email or text message notifications, based on events that happen in your AWS account. More aptly, "Simple notification service (SNS) is a web service that coordinates and manages the delivery or sending of messages to subscribing endpoints or clients. In Amazon SNS, there are two types of clients -- publishers and subscribers-- also referred to as providers and consumers...

Amazon Inspector

is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports, which are available via the Amazon Inspector console or API. To help you get started quickly, Amazon Inspector includes a knowledge base of hundreds of rules mapped to common security best practices and vulnerability definitions. Examples of built-in rules include checking for remote root login being enabled, or vulnerable software versions installed. These rules are regularly updated by AWS security researchers. **basically a vulnerability scanner for your instances: it tells you what an attacker could exploit (missing patches, vulnerable packages, weak configuration), not whether a breach has already happened; detecting intrusions is a different job

AWS Elastic Beanstalk

is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS. You can simply upload your code and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing and auto scaling to application health monitoring. At the same time, you retain full control over the AWS resources powering your application and can access the underlying resources at any time. There is no additional charge for Elastic Beanstalk; you pay only for the AWS resources needed to store and run your applications

AWS Security Team

is responsible for the security of the services offered by AWS (whereas the AWS Abuse team handles cases where your own resources are being hacked or misused).

Lambda

is serverless computing. It is the next generation of cloud computing that will replace EC2 (for the most part). "AWS Lambda is a compute service that lets you run code without provisioning or managing servers. AWS Lambda executes your code only when needed and scales automatically, from a few requests per day to thousands per second. You pay only for the compute time you consume. There is no charge when your code is not running. With AWS Lambda, you can run code for virtually any type of application or backend service -- all with zero administration. AWS Lambda runs your code on high-availability compute infrastructure and performs all the administration of the compute resources, including server and operating system maintenance, capacity provisioning and automatic scaling, code monitoring and logging. All you need is to supply your code in one of the languages that AWS Lambda supports (currently Node.js, Java, C#, and Python)." Basically, AWS creates more servers for you when needed, and configures them completely so that you don't have to.

Amazon Simple Queue Service (SQS)

is the only AWS service that provides a scalable message queuing service. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available.

object availability

is the percentage (%) of time over a one-year period that a file stored in S3 will be accessible. For object availability of 99.99%, that means there is a 0.01% chance that you won't be able to access a file stored in S3 in a year. Put another way, for every 10,000 hours you can expect a total of one hour during which a file may not be accessible.

Penetration Testing

is the practice of testing one's own application security for vulnerabilities by simulating an attack. This is only available for certain AWS services.

Identity and Access Management (IAM)

is the service where AWS user accounts and their access to the various AWS services are managed. By default, any new user created in an AWS account is created without access to any AWS services (only the ability to log in). For a user to access an AWS service, permission must be granted to that user, which is managed in IAM.

Route 53

is where you configure and manage web domains for websites or applications you host on AWS. Amazon Route 53 performs three main functions: domain registration, Domain Name System (DNS) service, and health checking. You can use any combination of these functions. For example, you can use Amazon Route 53 as both your registrar and your DNS service, or you can use Amazon Route 53 as the DNS service for a domain that you registered with another domain registrar.

Domain name is like a person's _________ and the IP address is like the person's ___________

name, address

What is the "On-Demand" EC2 Buying Option?

On-demand purchasing allows you to choose any instance type you like and provision/terminate it at any time (on demand). It is the most expensive purchasing option. It is the most flexible purchasing option. You are only charged when the instance is running (and billed by the second). You can provision/terminate an on-demand instance at any time.

AMI is like a computer's _____________ _____________, and EBS is like the computer's ________ __________...EC2 instances are just like the basics of a computer, just with different terminology

operating system, hard drive

AWS Organizations

AWS Organizations allows you (or your company) to manage billing and access to multiple AWS accounts in one user interface. "AWS Organizations offers policy-based management for multiple AWS accounts. With Organizations, you can create groups of accounts and then apply policies to those groups. Organizations enables you to centrally manage policies across multiple accounts, without requiring custom scripts and manual processes. Using AWS Organizations you can create Service Control Policies (SCPs) that centrally control AWS service use across multiple AWS accounts. You can also use Organizations to help automate the creation of new accounts through APIs. Organizations helps simplify the billing for multiple accounts by enabling you to set up a single payment method for all the accounts through consolidated billing."

What are AWS Marketplace AMIs?

Pay-to-use AMIs that generally come packaged with additional licensed software; the cost of the licenses is included in the cost of the EC2 instance you're purchasing.

If you want new objects to have a different storage class, then you need to set the proper settings ____________ to or ____________ the upload process.

prior, during (you can do this either by selecting another storage class during the upload process ("set properties") or by using object lifecycle policies)

Just as the responsibility to operate the IT environment is ____________ between AWS and its customers, so is the management, operation, and verification of IT controls.

shared (AWS can help relieve the customer's burden of operating controls by managing those controls associated with the physical infrastructure deployed in the AWS environment that may previously have been managed by the customer. As every customer is deployed differently in AWS, customers can take advantage of shifting management of certain IT controls to AWS, which results in a (new) distributed control environment. Customers can then use the AWS control and compliance documentation available to them to perform their control evaluation and verification procedures as required. Below are examples of controls that are managed by AWS, by AWS customers, and/or by both.)

subnet

shorthand for subnetwork, is a sub-section of a network. Generally, a subnet includes all the computers in a specific location. (Think of it like a single apartment in an apartment complex, where the apartment complex is one large network.)

Trusted Advisor services include...

six checks that cover basic security and performance. These are available for all types of AWS Support Plan accounts:
1) Security Groups (port checks)
2) IAM use
3) Is Multi-Factor Authentication enabled on the root IAM user account?
4) EBS public snapshots
5) RDS public snapshots
6) Service limits
The following are available only for Enterprise Support Plan accounts:
1) Access to the full list of Trusted Advisor checks
2) Notifications to stay up to date with weekly resource deployments
3) Programmatic access to retrieve/refresh Trusted Advisor results via API

Lambda pretty much completely eliminates all of the setup, configuration, security, scaling, and management required with EC2 servers

so you don't have to...this is what James uses!

There is also a Command Line Interface (CLI) option that allows you to interact with the AWS services via the ____________

terminal

You can _______________ EC2 instances if you aren't using them anymore (or at the moment) because EC2 instances are scalable and elastic

terminate

scalable

the ability to easily grow in size, capacity, and/or scope when required (usually based on demand)

elastic

the ability to not only grow (scale) when required, but also reduce in size when required. Aka: something that is scalable is not necessarily elastic (it may not be able to shrink), but something that is elastic is scalable.

fault tolerance

the ability to withstand a certain amount of failure and still remain functional (and/or self healing) and return to full capacity

subscriptions

the endpoints that a topic sends messages to (i.e. the email addresses or phone numbers of our system admins)

"the Cloud"

the simplest way to define the "cloud" is that it is a computer located somewhere else that you access via the Internet and utilize in some capacity. More aptly, the "cloud" is comprised of server computers located in large data centers placed all around the world.

Amazon Simple Storage Service basically has an _________________ amount of storage capacity

unlimited

publishers

used in Amazon SNS to communicate asynchronously with subscribers by providing and sending a message to a topic, which is a logical access point and communication channel.

Domain Name System (DNS) Servers

were created as a solution, providing a central location to which your browser can send a domain name and get the associated IP address in return. For this to work, the DNS servers need to be continually updated with current domain name and IP address information.

S3 Transfer Acceleration

What is the feature provided by AWS that enables fast and secure transfer of files over long distances between your client and an Amazon S3 bucket?

When you use an AWS service...

you are utilizing one of the servers in an AWS data center

To move an object to Glacier storage class...

you can manually change the storage class (new) OR you can use object lifecycles. Keep in mind, though, that objects cannot be instantly switched from the Glacier storage
