I wanted to take some good notes for anyone to refresh their training before the AWS Cloud Practitioner exam. Below each section are a few of the knowledge-check questions; try to answer them without referring back to the notes above.
Instead of designing and building your own data center, you rent compute, storage and networking from a cloud provider over the internet and let it scale your application up or down with usage.
Reduce risk (being agile); secure data (use common security models and integrate security checks into the deployment pipeline); scalability (resize resources as needed, i.e. elasticity); plan for natural disasters (low liability, and multiple regions for fault tolerance); promote a culture of experimentation and innovation.
- AWS Management Console
- CLI - command line interface
- SDK
- Economy
- Elasticity
- Efficiency
- Expediency
Virtual server instance where you choose the hardware configuration (instance type), the OS image (AMI) and which services are reachable (e.g. SSH, HTTP) by opening their ports in the instance's security group.
Block storage volumes for EC2 instances, designed to be durable and available. The equivalent of a hard drive (SSD or magnetic HDD), with point-in-time snapshots. Commonly used to hold a database so that database changes stay on a separate volume from the OS disk.
What are the benefits of using Amazon EC2 instance compared to physical servers in your infrastructure (select two)?
- A - Pay only for the capacity you use
- B - Resizable
- C - The ability to have different storage requirements
- D - The ability to hot-add additional RAM
- E - Automated backups
Answer: A, C
- Managed cloud storage service
- Store virtually unlimited number of objects
- Access any time from anywhere
- Rich security controls
Object storage (images, videos, etc.). Each object is addressed by a bucket name (e.g. mediacenter) and a key (e.g. welcome.mp4): mediacenter/welcome.mp4.
Use cases: storing application assets, static web hosting, backup and disaster recovery, staging area for large datasets.
Pick a region close to your users (and to where your other resources are hosted) to reduce latency.
Physically distinct, independent infrastructure within a region, each zone with its own redundant power (UPS) and networking. Deploy across two or more availability zones so that losing one does not cost you access to your services.
Sites that deliver content to end users. Edge locations cache content close to areas with high traffic, so users there get it faster.
Which components of the AWS infrastructure can be described as multiple, isolated locations, within one geographic area?
- Regions
- Edge locations
- S3 buckets
- Availability zones
Answer: Availability zones
Logically isolated virtual network within a region. You control its IP address range, public and private subnets, route tables and internet gateways.
Filter traffic to your instances. Within a VPC you create security groups, which act as virtual firewalls: a set of allow rules (protocol, port, source) that decide which traffic can reach an instance. Security groups are stateful, so return traffic for an allowed connection is permitted automatically.
Which of the following statements is true of Amazon VPC
- Each VPC is a private, dedicated network connection from your premises to AWS
- Each AWS account can have only one VPC associated with it
- A VPC acts as a physical firewall for your cloud infrastructure
- You can create many subnets in a VPC, though fewer is recommended to limit complexity
Answer: You can create many subnets in a VPC, though fewer is recommended to limit complexity
Second type of load balancer.
Several applications on EC2 instances can sit behind a single load balancer. For example, two EC2 instances can each run an application on a different port, and the load balancer forwards requests to each of them under the same DNS name.
Path-based routing - rules that forward requests to different target groups based on the URL path. Host-based routing - rules that forward requests to different target groups based on the host name.
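As an added example of the path- and host-based routing just described (my own illustration, not code from these notes or from AWS), here is how a listener picks a target group: rules are checked in priority order, every condition in a rule must match, the first match wins, and the default action catches everything else. The hostnames, paths, rule priorities, target-group names and instance IDs are all assumed for the example, and the round-robin target choice is a simplification of the real balancing algorithm.

```python
"""Added example (not from the AWS notes): Application Load Balancer style
listener rules with host and path conditions. ALB wildcards are '*' (any run
of characters) and '?' (one character); fnmatchcase gives the same behaviour
for the patterns used here."""
from fnmatch import fnmatchcase

# Constructed listener rules: (priority, conditions, target group).
# All conditions in a rule must match (AND); lower numbers are checked first.
RULES = [
    (10, {"host": "api.example.com", "path": "/v1/*"}, "tg-api-v1"),
    (20, {"host": "api.example.com"}, "tg-api"),
    (30, {"path": "/admin/*"}, "tg-admin"),
]
DEFAULT_TARGET_GROUP = "tg-web"

# Constructed target groups: two apps on the same instances but on different
# ports, all reachable under one DNS name via the load balancer.
TARGET_GROUPS = {
    "tg-api-v1": [("i-0aaa", 8081), ("i-0bbb", 8081)],
    "tg-api": [("i-0aaa", 8080), ("i-0bbb", 8080)],
    "tg-admin": [("i-0ccc", 9000)],
    "tg-web": [("i-0aaa", 80), ("i-0bbb", 80)],
}

def route(host, path, rules=RULES, default=DEFAULT_TARGET_GROUP):
    """Return the target group name chosen for one request."""
    host = host.split(":", 1)[0].lower()   # drop any port; host names are case-insensitive
    for _priority, cond, target_group in sorted(rules, key=lambda r: r[0]):
        host_ok = "host" not in cond or fnmatchcase(host, cond["host"].lower())
        path_ok = "path" not in cond or fnmatchcase(path, cond["path"])
        if host_ok and path_ok:
            return target_group
    return default

def pick_target(host, path, turn=0):
    """Round-robin over the (instance, port) targets of the chosen group."""
    targets = TARGET_GROUPS[route(host, path)]
    return targets[turn % len(targets)]

if __name__ == "__main__":
    for h, p in [("api.example.com", "/v1/users"), ("API.example.com:443", "/v2/users"),
                 ("www.example.com", "/admin/login"), ("www.example.com", "/")]:
        print(h, p, "->", route(h, p), pick_target(h, p))
```

Note that a request for api.example.com/admin/... lands on tg-api, not tg-admin: rule 20 has the lower priority number and matches first, which is why rule ordering is part of the security review of a listener.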
Ensures you have the correct number of EC2 instances available to handle the load. Monitor your resource performance with Amazon CloudWatch; a scaling policy tells Auto Scaling when and how to scale (out or in) based on application usage.
Create DNS Zones for your applications.
You have an app composed of individual services. You need to route a request to a service based on the content of the request. Which service do you use?
- Amazon Route 53
- AWS CloudTrail
- EC2 Auto Scaling
- Elastic Load Balancing
Answer: Elastic Load Balancing
Manages OS installation and patching, backups, availability, scaling, etc., so you can focus on application performance.
Serverless computing: upload your code and it runs in response to events, scaling continuously. Use cases: automated backups, IoT back ends, serverless sites, etc.
Platform as a service: quick deployment and reduced management complexity.
What's the first step to using AWS Lambda?
- Deploy an OS image
- Upload your code
- Provision EC2 instances
- Pay for estimated compute time
Answer: Upload your Code
Pub/Sub messaging (email, SMS and other endpoints). Subscribe an email address, phone number or other endpoint to a topic to be notified of the events you choose.
Metrics for your AWS services such as CPU utilization, status-check failures, state changes and snapshots. Lets you set alarms that trigger other services, for example to stop, terminate or reboot instances.
Caches your application's content at edge locations around the world, so that users in a different region from the one hosting your app are served from a nearby edge location rather than from the origin.
Simplifies repeatable, predictable tasks. Takes JSON- or YAML-formatted templates that describe resources (an EC2 instance, for example) and provisions them. Resources do not have to be declared in creation order: CloudFormation works out the order from references between resources, and, like depends_on in Docker Compose, the DependsOn attribute lets you state an ordering explicitly. Automates the operation of AWS resources in production.
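To show how the creation order falls out of a template that lists resources in any order, here is an added example (my own code, not from these notes or from AWS). It reads a small constructed template, collects both the Ref links and the DependsOn entries for each resource, and topologically sorts them; the logical IDs, the AMI ID and the CIDRs are assumptions, and real CloudFormation also follows Fn::GetAtt and other intrinsic functions, which this model leaves out.

```python
"""Added example (not from the AWS notes): derive the creation order of
CloudFormation resources from Ref and DependsOn, so the template itself can
list resources out of order. Template, names and IDs are constructed."""
import json

# Constructed template: resources deliberately listed out of creation order.
TEMPLATE = json.loads("""
{
  "Resources": {
    "WebInstance": {
      "Type": "AWS::EC2::Instance",
      "DependsOn": "AppBucket",
      "Properties": {
        "ImageId": "ami-0123456789abcdef0",
        "SubnetId": {"Ref": "PublicSubnet"},
        "SecurityGroupIds": [{"Ref": "WebSecurityGroup"}]
      }
    },
    "WebSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId": {"Ref": "Vpc"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "PublicSubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {"VpcId": {"Ref": "Vpc"}, "CidrBlock": "10.0.1.0/24"}
    },
    "AppBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}}
  }
}
""")

def find_refs(node):
    """Yield every logical ID referenced via {"Ref": ...} in a property tree."""
    if isinstance(node, dict):
        if set(node) == {"Ref"} and isinstance(node["Ref"], str):
            yield node["Ref"]
        else:
            for value in node.values():
                yield from find_refs(value)
    elif isinstance(node, list):
        for value in node:
            yield from find_refs(value)

def dependencies(template):
    """Map each resource to the set of resources it must wait for (Ref + DependsOn)."""
    resources = template["Resources"]
    deps = {}
    for name, body in resources.items():
        # Refs to parameters or pseudo-parameters are not resources; ignore them.
        wait_for = {r for r in find_refs(body.get("Properties", {})) if r in resources}
        explicit = body.get("DependsOn", [])
        wait_for.update([explicit] if isinstance(explicit, str) else explicit)
        deps[name] = wait_for
    return deps

def creation_order(template):
    """Topological sort (Kahn's algorithm); raises ValueError on a dependency cycle."""
    remaining = {k: set(v) for k, v in dependencies(template).items()}
    order = []
    while remaining:
        ready = sorted(k for k, v in remaining.items() if not v)   # deterministic batches
        if not ready:
            raise ValueError(f"dependency cycle among {sorted(remaining)}")
        for name in ready:
            order.append(name)
            del remaining[name]
        for waiting in remaining.values():
            waiting.difference_update(ready)
    return order

if __name__ == "__main__":
    deps = dependencies(TEMPLATE)
    for step, name in enumerate(creation_order(TEMPLATE), 1):
        print(step, name, "<-", sorted(deps[name]) or "(nothing)")
```

Resources that become ready in the same round (AppBucket and Vpc here) have no ordering between them, which is exactly what lets CloudFormation create them in parallel.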
Which of the following best describes Amazon CloudFront?
- Provides a common language for you to describe and provision all the infrastructure resources in your cloud environment
- Speeds up the delivery of your content to viewers across the globe
- Provides you with data and actionable insights to monitor your applications
- Provides topics for high-throughput, push-based, many-to-many messaging
Answer: Speeds up the delivery of your content to viewers across the globe
5 Pillars - Security, Reliability, Performance efficiency, Cost optimization, Operational excellence
- IAM - Identity and Access Management
- Detective controls - integrate auditing controls and logs
- Infrastructure protection - allow only what the rules permit
- Data protection - data backup, replication, classification, encryption
- Incident response - a process to respond to and mitigate security incidents
Design principles: implement security at all layers; enable traceability (logs); apply the principle of least privilege (access controls and authentication); focus on securing your system; automate, for scalability and cost efficiency.
Ability of a system to recover from issues/failures
Areas: foundations, change management, failure management.
Test recovery procedures - simulate failures and test the reaction before a real failure occurs; automatically recover - automate your recovery plans before failures occur; scale horizontally - fault tolerance using multiple small resources; stop guessing capacity; manage change through automation.
Select customizable solutions - ones that support the scaling you may need; review to continually innovate - always look at the newest tools to ensure you're using the best solution for your hosting; monitor your AWS services (Lambda and many more); consider trade-offs.
Democratize advanced technology; go global in minutes; use serverless architectures; experiment more often; have mechanical sympathy.
Continual process of refinement of a system to maximize ROI
Use cost-effective resources; match supply with demand; increase expenditure awareness; optimize over time.
Adopt a consumption model; measure overall efficiency; reduce spending on data center operations; analyze and attribute expenditure; use managed services.
Manage and automate changes; respond to events; define the standards to manage daily operations.
Fault tolerance - the ability of a system to remain operational when components fail, through built-in redundancy. High availability - keeping your service available for as much of the time as possible.
Elastic Load Balancers - distribute incoming traffic. Elastic IP addresses - static IP addresses that can be remapped to a healthy instance, masking failures so apps stay reachable if an instance fails. Route 53 - translates domain names to IP addresses; geo-location routing, health checks, latency-based routing, etc. Auto Scaling - launches and terminates instances. Amazon CloudWatch - distributed statistics-gathering system that tracks metrics of your infrastructure.
Amazon Simple Queue Service (SQS) - managed message queue that decouples components (messages wait in the queue if a consumer fails). Amazon Simple Storage Service (S3) - durable storage for backups of files. Amazon Relational Database Service (RDS) - scalable, fault-tolerant database with automated backups.
Traditionally this would cost more because you have to buy, maintain and manually control all of the resources yourself. AWS takes care of this, reducing cost, absorbing traffic spikes and providing resources for testing on demand.
Which of the following is NOT a pillar of the AWS Well-Architected Framework?
- Persistence
- Operational Excellence
- Security
- Cost Optimization
Answer: Persistence
Both you and AWS are responsible for security. Layers of the stack:
- Physical - handled by AWS, which secures the data centers
- Network - the AWS network, covered by AWS compliance programs
- Hypervisor - run by AWS so that many instances can share hardware without concern
- Guest OS - AWS has no control over this; it is yours to configure and patch
- Application - AWS has no control over the app
- User data - AWS has no control over user data
User - an identity for a person (operator) or application, with long-term credentials. Group - a collection of users that share permissions. Role - an identity that a user, service or application assumes temporarily; it has permissions attached but no long-term credentials of its own. Policy document - JSON listing permissions, attached directly to a user, a group of users, or a role.
API call - e.g. put a file in S3: the caller supplies the file and hits an endpoint with credentials. IAM authenticates the caller from the user (and group) data, then checks whether the requested operation is allowed by the attached policy documents.
If an attacker gets your username and password and you have no MFA, they could start deleting resources and threaten your organization in order to stop the data loss. With IAM you can cut off all of that identity's permissions, and you keep a log of the operations attempted to narrow down where the login was compromised, while still protecting your system.
Your web app requires temp auth to use AWS services. Which IAM entity should be used?
- User
- Role
- MFA
- Group
Answer: Role
Automated tool that inspects EC2 instances for security vulnerabilities and deviations from security best practices.
Streamlines security compliance, increases development agility, enforces security standards and integrates security into DevOps.
Managed DDoS protection service that safeguards applications running on AWS.
DDoS mitigation challenges without a managed service - complex setup and implementation, bandwidth limitations, manual intervention, time consumption, degraded performance, etc.
Shield Standard - automatic protection of any AWS resource in any region, quick detection, automated mitigation and self-service (no need to engage AWS Support).
AWS - provides a secure, controlled platform and a wide array of security features. Customer - configures its IT to support its operations.
Certifications/attestations; legal support; alignment with frameworks.
AWS performs security tests against the rules of its compliance certifications.
Which of the following is managed DDoS protection service?
- Amazon Inspector
- AWS Trusted Advisor
- AWS Identity and Access Management
- AWS Shield
Answer: AWS Shield
- Compute capacity
- Storage
- Outbound data transfer (aggregated)
- Inbound data transfer
- data transfer between services
Cost factors
- Per-second / hourly billing
- Resources incur charges only while running
- Instance configuration
- Physical capacity of the instance
- Varies based on
- AWS region
- OS
- number of cores
- memory
- On-Demand - compute capacity billed by the hour or by the second, with a 60-second minimum
- Reserved Instances - low or no up-front payment for a reserved instance, with a discount on its hourly charge
- Spot Instances - bid for unused EC2 capacity
- provision multiple instance to handle peak loads
- Use Elastic load balancing to distribute traffic
- Monthly cost based on:
- hours load balancers run
- data load balancer processes
- Amazon CloudWatch
Auto scaling...
S3 Standard
- 99.999999999% (eleven nines) durability
- 99.99% availability
S3 Standard-IA (Infrequent Access)
- same durability
- 99.9% availability
Storage Cost
- number and size of objects
- type of storage
Requests
- PUTs are priced differently from GETs
- number of requests
Volume types
- General purposed SSD
- Provisioned IOPS SSD
- Magnetic
Snapshots
- Added cost per GB-month of data stored
- Data Transfer
- inbound free
- outbound tiered for discounts
Cost-efficient and resizable capacity
- clock-hour billing - charged while running
- DB characteristics - engine, size, memory
- DB purchase type - on-demand (by the hour), reserved (up front), etc.
- provisioned storage
- backup storage up to 100% of provisioned storage is included at no extra charge
- backups kept after a DB instance is terminated are billed per GB-month
- Deployment type
- storage and I/O charges vary
- single Availability Zone
- multi-AZ
Hosting content to serve to multiple regions
Cost Optimization, Performance, Security, Fault Tolerance
Has saved customers over $500 million (AWS's own figure).
Support plans to suit your needs and hosting.
Which of the following statements best describes AWS Trusted Advisor?
- A. A tool that estimates the cost savings when using AWS and provides a detailed set of reports
- B. A tool that helps customers estimate their monthly AWS bill more efficiently
- C. A tool that enables you to view and analyze your costs and usage
- D. A tool that provides you real-time guidance to help you provision your resources following AWS best practices
Answer: D. A tool that provides you real-time guidance to help you provision your resources following AWS best practices
- https://d0.awsstatic.com/whitepapers/aws-overview.pdf
- https://d1.awsstatic.com/whitepapers/AWS_Cloud_Best_Practices.pdf
- https://d0.awsstatic.com/whitepapers/aws_pricing_overview.pdf
- https://media.amazonwebservices.com/AWS_TCO_Web_Applications.pdf
- https://aws.amazon.com/premiumsupport/plans/
Take some practice exams and then go get your certificate!
https://aws.amazon.com/certification/certified-cloud-practitioner/
Regions contain 2 or more availability zones
AWS is responsible for security of the cloud.
- Access and Training for Amazon employees
- Global Data Centers and Underlying Network
- Hardware for Global Infrastructure
- Configuration Management for Infrastructure
- Patching cloud Infrastructure and Services
Customer is responsible for security in the cloud
- Individual Access to cloud resources and training
- Data security and encryption (in transit and at rest)
- Operating System, Network, and Firewall configuration
- All code deployed onto cloud infrastructure
- Patching Guest OS and Custom Applications
Capital expenditure (CapEx): building a data center, with up-front costs for the building, servers and support equipment. The expense of acquiring a fixed asset.
Operating expenditure (OpEx): regular day-to-day expenses of a business, such as ongoing connectivity, utility and maintenance costs.
AWS removes the risk of unused CapEx and up-front costs; scaling is managed as OpEx.
User interface for exploring your AWS costs. Provides breakdowns including
- By service
- By cost tag
Provides forecasts for the next three months of cost, gives recommendations for cost optimization, and can be accessed via API.
Allows organizations to manage multiple accounts under a single master (management) account. Provides consolidated billing for all accounts. Enables centralized logging and security standards across accounts.
- Operational Excellence - running and monitoring systems for business value
- Security - Protecting Info and business assets
- Reliability - Enabling infrastructure to recover from disruptions
- Fault tolerance
- High availability
- Performance Efficiency - Using resources efficiently to achieve business value
- Cost optimization - Achieving minimal costs for the desired value
- Backup and Restore
- Pilot Light - minimal resources are setup in AWS to support a DR event
- Warm Standby - Systems are running in AWS and can be scaled up for DR
- Multi-Site - systems are running on two regions and support users
Basic - provided for all AWS customers. Access to Trusted Advisor (only the 7 core checks); 24x7 access to customer service, documentation, forums and whitepapers.
Developer - includes all features of Basic support. Business-hours access to support engineers; $29 per month (tied to usage); limited to 1 primary contact.
Business - includes all of Developer support. Full set of Trusted Advisor checks; 24x7 phone, email and chat access to support engineers; unlimited contacts; $100 per month (tied to usage).
Enterprise - includes all of Business support. Designated Technical Account Manager (TAM) and a concierge support team; $15,000 per month (tied to usage).
Users leverage browser to configure resources
Command line access
Programmatic access
DNS service (yes, service-ception). Highly available: with health checks and failover routing, an endpoint can go down and you still provide the same level of service.
- Enables virtual networks
- Supports IPv4 and IPv6
- Supports public and private subnets
- Can use NAT for private subnets
- Enables connection to your data center
- Can connect to other VPCs
- Supports private connections to many AWS services
Lets you establish a dedicated private network connection from your premises to AWS.
- Content delivery network
- Serves users content from the edge location closest to them
- Supports static and dynamic content
- Uses AWS edge locations
- Includes advanced security features
- AWS Shield for DDoS
- AWS WAF (firewall)
- Distributes traffic across multiple targets
- Supports one or more availability zones, but only within one region
- Three types
- Application load balancer
- Network LB
- Classic LB
Security and compliance is a shared responsibility between AWS and the customer
- Control access to services
- Free
- Manages both authentication and authorization
- Supports identity federation
Users - individual identities for people or applications, with long-term credentials. Groups - manage permissions for a set of IAM users. Roles - assumed temporarily to get the permissions for a task; no long-term credentials.
Policies in AWS IAM - JSON documents that define permissions for an IAM identity (principal): which AWS services the identity can access and what actions it can perform on which resources.
MFA - multi-factor authentication. Least privilege - grant only the permissions a user needs for their current tasks, and only to the users who need them.
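Here is an added example of the evaluation described in the earlier API-call section and in the policy notes above (my own model, not code from these notes or from AWS). It implements the documented decision order: an explicit Deny beats any Allow, and with no matching Allow the request is implicitly denied. The policies, the bucket name, the context keys and the three supported condition operators are assumptions for the example. It also shows a caveat worth knowing: `aws:MultiFactorAuthPresent` is absent from requests signed with long-term access keys, so a Deny conditioned on `Bool` never fires for them, while `BoolIfExists` closes that gap.

```python
"""Added example (not from the AWS notes or from AWS): a minimal model of how
IAM evaluates a request against policy documents. Explicit Deny > Allow >
implicit deny. Policies and context values below are constructed."""
import re

def _glob(pattern, value, ignore_case=False):
    """Match IAM-style wildcards: '*' is any run of characters, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _conditions_hold(condition, context):
    """Evaluate a Condition block; unknown operators fail closed (condition false)."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                # Key missing -> condition is false (the classic MFA-deny pitfall).
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "BoolIfExists":
                # Key missing -> condition is true; present -> value must match.
                if actual is not None and str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                return False
    return True

def evaluate(policies, action, resource, context=None):
    """Return 'Deny' (explicit), 'Allow' or 'ImplicitDeny' for one request."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are case-insensitive; resource ARNs are not.
            if not any(_glob(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _conditions_hold(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"

# Constructed policies: a group policy granting access to one bucket, and a
# guard policy that denies deletes unless the caller authenticated with MFA.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::mediacenter", "arn:aws:s3:::mediacenter/*"],
    }],
}
MFA_GUARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:Delete*",
        "Resource": "*",
        # BoolIfExists: the MFA key is absent for requests signed with long-term
        # access keys, and a plain Bool would silently let those through.
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }, {
        "Effect": "Allow",
        "Action": "s3:DeleteObject",
        "Resource": "arn:aws:s3:::mediacenter/*",
    }],
}
POLICIES = [GROUP_POLICY, MFA_GUARD_POLICY]

if __name__ == "__main__":
    obj = "arn:aws:s3:::mediacenter/welcome.mp4"
    print(evaluate(POLICIES, "s3:GetObject", obj))                 # Allow
    print(evaluate(POLICIES, "s3:DeleteObject", obj))              # Deny (no MFA key at all)
    print(evaluate(POLICIES, "s3:DeleteObject", obj,
                   {"aws:MultiFactorAuthPresent": "true"}))         # Allow
    print(evaluate(POLICIES, "ec2:TerminateInstances", "*"))       # ImplicitDeny
```

The same evaluator applies to the compromised-credentials scenario above: removing the group policy from the identity turns every request into an implicit deny, and the Deny statement keeps destructive calls blocked even while other permissions remain.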
Security groups - stateful, firewall-like controls for resources (at the instance level) within a VPC; allow rules only. Network ACLs - stateless allow/deny rules that control inbound and outbound traffic at the subnet level within a VPC. Flow logs - capture metadata (source, destination, ports, accept/reject) about traffic within your VPC.
- AWS CloudTrail - logging of all API actions taken within your AWS account
- AWS Shield - detection and mitigation of DDoS attacks
- AWS Web Application Firewall (WAF) - configurable web application firewall that filters common web exploits
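To make the difference between the two VPC filters concrete, here is an added example serving both the security-group notes earlier and the VPC controls above (my own model, not code from these notes or from AWS). The addresses, rules and packets are constructed. It shows the point that trips people up in practice: a security group is stateful, so the server's reply to an allowed HTTPS connection passes with no outbound rule at all, while a network ACL is stateless and drops that reply unless an outbound rule covers the client's ephemeral port.

```python
"""Added example (not from the AWS notes): a small model of security groups
(stateful, allow rules only, all rules evaluated) versus network ACLs
(stateless, numbered allow/deny rules, first match wins). Everything below
is constructed for the example."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the instance / subnet
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int

def _cidr_match(cidr, addr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)

class SecurityGroup:
    """Allow-only rules (proto, port, cidr); anything unmatched is dropped.
    Stateful: a reply to an accepted flow passes regardless of the other direction's rules."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.flows = set()   # accepted 5-tuples, used to recognise replies

    def accept(self, p: Packet) -> bool:
        reply_of = (p.proto, p.dst, p.src, p.dport, p.sport)
        if reply_of in self.flows:
            return True
        peer = p.src if p.direction == "in" else p.dst
        for proto, port, cidr in self.rules[p.direction]:
            if proto == p.proto and port == p.dport and _cidr_match(cidr, peer):
                self.flows.add((p.proto, p.src, p.dst, p.sport, p.dport))
                return True
        return False

class NetworkAcl:
    """Numbered rules (number, proto, (low, high) port range, cidr, action) checked in
    order; first match decides; no flow state, so replies need their own rule."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound), "out": sorted(outbound)}

    def accept(self, p: Packet) -> bool:
        peer = p.src if p.direction == "in" else p.dst
        for _num, proto, (lo, hi), cidr, action in self.rules[p.direction]:
            if proto == p.proto and lo <= p.dport <= hi and _cidr_match(cidr, peer):
                return action == "allow"
        return False   # the implicit final "*" deny rule

# Constructed filters for a web server that should only take HTTPS from anywhere.
WEB_SG = SecurityGroup(inbound=[("tcp", 443, "0.0.0.0/0")], outbound=[])
WEB_NACL = NetworkAcl(                      # mistake: no rule for reply traffic
    inbound=[(100, "tcp", (443, 443), "0.0.0.0/0", "allow")],
    outbound=[(100, "tcp", (443, 443), "0.0.0.0/0", "allow")],
)
FIXED_NACL = NetworkAcl(                    # replies go to the client's ephemeral port
    inbound=[(100, "tcp", (443, 443), "0.0.0.0/0", "allow")],
    outbound=[(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow")],
)

# Constructed packets: a client connects over HTTPS, the server replies, and an
# unrelated host probes SSH.
CLIENT_SYN = Packet("in", "tcp", "203.0.113.7", "10.0.1.10", 51234, 443)
SERVER_REPLY = Packet("out", "tcp", "10.0.1.10", "203.0.113.7", 443, 51234)
SSH_PROBE = Packet("in", "tcp", "198.51.100.9", "10.0.1.10", 40000, 22)

def run(filter_obj, packets):
    """Apply a filter to a packet sequence and return the accept/drop verdicts."""
    return [filter_obj.accept(p) for p in packets]

if __name__ == "__main__":
    pkts = [CLIENT_SYN, SERVER_REPLY, SSH_PROBE]
    print("security group:", run(WEB_SG, pkts))      # [True, True, False]
    print("broken NACL   :", run(WEB_NACL, pkts))    # [True, False, False]
    print("fixed NACL    :", run(FIXED_NACL, pkts))  # [True, True, False]
```

Because the security group keeps flow state, reuse a fresh SecurityGroup object when replaying packets in a different order; the NACL objects are stateless and can be reused freely.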
OS and additional software are provided in an AMI (Amazon Machine Image). Resources (CPU, memory, network) are set by the instance type. Instances can store data in two ways
- Instance store
- ephemeral: data is lost when the instance stops or terminates
- Elastic Block Store (EBS)
- persistent storage
Types
- General Purpose
- Compute, Memory, and Storage optimized
- Accelerated computing
Scaling
- Vertical Scaling - move to a bigger instance type; involves some downtime
- Horizontal Scaling - launch more instances to share the load
- Auto-Scaling Group -
- set of EC2 instances
- Min/Max # of instances
- Health checks on each instance
- Scaling policies that define scaling behavior
- Exists within 1 or more availability zones in a single region
- Elastic Load Balancer
- Auto-Scaling Group -
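As an added example of how the pieces of an Auto Scaling group listed above fit together (my own simulation, not code from these notes or from AWS), the block below runs constructed CPU samples through a group with a min/max, a simple scaling policy, a cooldown and instance health replacement. The thresholds, cooldown length, samples and instance IDs are assumptions, and the policy adds or removes one instance per breach, which is a simplification of AWS's target-tracking arithmetic.

```python
"""Added example (not from the AWS notes): an Auto Scaling group simulation
showing min/max bounds, a CPU scaling policy, cooldown and health-check
replacement. All numbers and IDs are constructed."""
from dataclasses import dataclass, field

@dataclass
class ScalingPolicy:
    scale_out_above: float = 70.0   # average CPU % that adds one instance
    scale_in_below: float = 30.0    # average CPU % that removes one instance
    cooldown: int = 2               # evaluation periods to wait after any action

@dataclass
class AutoScalingGroup:
    minimum: int
    maximum: int
    desired: int
    policy: ScalingPolicy
    healthy: list = field(default_factory=list)   # instance ids currently in service
    next_id: int = 1
    cooldown_left: int = 0
    log: list = field(default_factory=list)

    def __post_init__(self):
        # Desired capacity is always clamped into [minimum, maximum].
        self.desired = max(self.minimum, min(self.maximum, self.desired))
        while len(self.healthy) < self.desired:
            self._launch()

    def _launch(self):
        self.healthy.append(f"i-{self.next_id:04d}")
        self.next_id += 1

    def mark_unhealthy(self, instance_id):
        """Health-check failure: replace the instance; desired count is unchanged."""
        self.healthy.remove(instance_id)
        self._launch()
        self.log.append(f"replaced {instance_id}")

    def observe(self, avg_cpu: float):
        """One CloudWatch evaluation period. Returns the desired count afterwards."""
        if self.cooldown_left > 0:           # a recent action is still settling
            self.cooldown_left -= 1
            return self.desired
        if avg_cpu > self.policy.scale_out_above and self.desired < self.maximum:
            self.desired += 1
            self._launch()
            self.log.append(f"scale out -> {self.desired}")
            self.cooldown_left = self.policy.cooldown
        elif avg_cpu < self.policy.scale_in_below and self.desired > self.minimum:
            self.desired -= 1
            self.healthy.pop()
            self.log.append(f"scale in -> {self.desired}")
            self.cooldown_left = self.policy.cooldown
        return self.desired

def simulate(samples, minimum=2, maximum=4):
    """Run constructed CPU samples through a group; return the desired-count trace and the group."""
    asg = AutoScalingGroup(minimum, maximum, desired=minimum, policy=ScalingPolicy())
    return [asg.observe(cpu) for cpu in samples], asg

if __name__ == "__main__":
    trace, asg = simulate([20, 85, 90, 95, 95, 95, 10, 10, 10, 10, 10])
    print(trace)      # [2, 3, 3, 3, 4, 4, 4, 3, 3, 3, 2]
    print(asg.log)
    asg.mark_unhealthy(asg.healthy[0])
    print(asg.healthy, asg.log[-1])
```

The trace shows why cooldown matters: three consecutive high samples produce one scale-out, not three, and the group never exceeds its maximum no matter how high the metric goes.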