Aws Certified Solutions Architect Associate Flashcards
Elastic Map Reduce
Amazon Elastic MapReduce (Amazon EMR) provides you with a fully managed, on-demand Hadoop framework. Amazon EMR reduces the complexity and up-front costs of setting up Hadoop and, combined with the scale of AWS, gives you the ability to spin up large Hadoop clusters instantly and start processing within minutes.
Cloud Computing
ubiquitous, convenient, on-demand access to shared computing resources that can be rapidly provisioned and released with minimal management effort
advantages of AWS
gaining agility - quick turnaround
no need to guess about capacity - no worries on Black Friday
move from capital expenses to variable/flexible expenses - especially for test projects
benefit from massive economies of scale - less cost on data centers
rapid pace of innovation
going global in minutes
elastic means
you can scale up and down at any time
3 models of cloud computing
Infrastructure, Platform, and Software as a Service: IaaS, PaaS, SaaS
IaaS
Infrastructure as a Service. A cloud computing technology useful for heavily utilized systems and networks. Organizations can limit their hardware footprint and personnel costs by renting access to hardware such as servers. Compare to PaaS and SaaS.
PaaS
Platform as a Service. Provides cloud customers with an easy-to-configure operating system and on-demand computing capabilities. Compare to IaaS and SaaS.
SaaS
Software as a Service; a subscription service where you purchase licenses for software that expire at a certain date.
IaaS managed by vendor
servers
virtualization
server hardware
storage
networking
PaaS managed by vendor
the IaaS 5 (servers, virtualization, server hardware, storage, networking) plus:
runtimes
security & integration
databases
SaaS managed by vendor
the IaaS 5 (servers, virtualization, server hardware, storage, networking) and the PaaS 3 (runtimes, security & integration, databases) plus:
applications
3 cloud computing deployment models
all-in cloud - e.g., Netflix closed all its data centers
hybrid - keep existing on-premise systems while deploying all new ones in the cloud
on-premise or private cloud - VMs within your own data center, with chargebacks
region
clusters of AZs (highly available data centers)
19 regions, with 4 more planned
Availability Zone
separate data centers contained in a region
one AZ consists of one to six data centers with redundant power and networking
currently 53
POP
Points of Presence
edge locations in most of the major cities for a better experience
70 POPs
edge location used by
CDNs (content delivery networks) for a fast experience
shared security model; AWS is responsible for security __________, customers are responsible for security __________
OF the cloud (physical, surveillance, hardware, storage, virtualization, networking)
IN the cloud (application, data)
EC2
Elastic Compute Cloud
virtual servers, called instances
more than 30 varieties of instances
EC2 Auto Scaling
scale up and down as per your policies
creates high availability
e.g., you can specify 70 instances, and if one goes down, another comes up
docker
operating-system-level virtualization, also known as "containerization"
runs "containers" - e.g., one container runs a web server and web application, while a second container runs a database server that is used by the web application
docker Containers are isolated from each other and bundle their own tools, libraries and configuration files; they can communicate with each other through well-defined channels. All containers are run by a single operating system kernel and are thus more
lightweight than virtual machines.
ECS
EC2 Container Service
can run Docker containers on EC2
has a scheduler
VPS
Virtual Private Server (VPS)
AWS's VPS offering is Lightsail
Lightsail
a VPS: a virtual machine, SSD-based storage, data transfer, DNS management, and a static IP are all offered as a package, whereas normally you provision an EC2 instance and then set up the rest of these things yourself
the easiest way to get started on AWS
AWS Batch
like Tidal
dynamically provisions the optimal quantity and type of compute resources (e.g., CPU- or memory-optimized instances) based on the volume and specific resource requirements of the batch jobs submitted
plans, schedules, and executes your batch computing workloads across the full range of AWS compute services and features, such as Amazon EC2 and Spot Instances
AWS Batch organizes its work into four components (2 of 4): Jobs - __________; Job Definition - __________
Jobs: the unit of work submitted to AWS Batch, whether implemented as a shell script, executable, or Docker container image.
Job Definition: describes how your work is to be executed, including the CPU and memory requirements and the IAM role that provides access to other AWS services.
AWS Batch organizes its work into four components (2 of 4): Job Queues - __________; Compute Environment - __________
Job Queues: a listing of work to be completed by your Jobs. You can leverage multiple queues with different priority levels.
Compute Environment: the compute resources that run your Jobs. Environments can be configured to be managed by AWS or on your own, as well as the number and type(s) of instances on which Jobs will run. You can also allow AWS to select the right instance type.
amazon vpc
your own network in the cloud
provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define
complete control over the environment (IP address range, creation of subnets, and configuration of route tables and network gateways)
can use IPv4 or IPv6
Amazon Virtual Private Cloud (Amazon VPC) enables you to launch Amazon Web Services (AWS) resources into a __________. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the __________
virtual network that you've definedscalable infrastructure of AWS.
Amazon Route 53__________
DNS service
SLA is 100 percent uptime
IPv6 OK
can also route to resources inside or outside of AWS
can register domain names
can manage failover from primary to secondary
ELB
elastic load balancing
elastic load balancing
load balance across EC2 instances
HTTP, TCP traffic
can integrate with Auto Scaling
can do health checks to remove failing instances
can balance EC2 instances across different AZs within a region
Direct Connect
dedicated network connection to AWS
reduce bandwidth costs for high-volume transfers
get consistent network performance
1 or 10 Gbps; can do multiple connections if you need more
IAM
Identity and Access Management
Identity and Access Management
create users, groups, and roles
federated
of, relating to, forming, or joined in a federation
IAM can be ___________ with other systems, thereby allowing existing ____________
federated
identities (users, groups, and roles) of your enterprise to access AWS
Inspector
inspect for security risks during deployment and in production
assess for deviations from best practices
install an agent on each EC2 instance
ACM
AWS Certificate Manager
TLS
Transport Layer Security
AWS Certificate Manager
manages SSL/TLS certificates
Directory Service
built on MS Active Directory
enables single sign-on and policy management
can be stand-alone or integrated with existing AD
WAF
Web Application Firewall
Web Application Firewall
rules to protect against SQL injection and cross-site scripting
can block traffic from certain IP addresses and geographies
DDoS
Distributed Denial of Service
Shield
protects against DDoS
protects your web app
Standard (free) and Advanced tiers
With Shield Advanced Tier you get
protects not only your web app but also against attacks on:
ELB
CloudFront
Route 53
S3
Simple Storage Service
Simple Storage Service
one of the first services launched
backbone of AWS
11 9s of durability
supports encryption
unlimited amount of data, but file size less than 5 TB
pay only for what you use
no minimum fee
Glacier
low cost
data archiving and long-term backup
move infrequently accessed data from S3 to Glacier or vice versa
EBS
Elastic Block Storage
IOPS
(Input/Output Operations Per Second, pronounced eye-ops) - common performance measurement used to benchmark computer storage devices like hard disk drives
Elastic Block Storage
block-level storage for use with EC2 instances, allowing the install of different file systems
magnetic or SSD
automatically replicated within its AZ
encryption for data at rest or in transit
can also create snapshots of EBS volumes
EFS
Elastic File System
Elastic File System
provides simple, scalable, shared file storage for EC2 instances
can be accessed concurrently by up to thousands of EC2 instances
Storage gateway
seamlessly merges on-premise storage with AWS cloud storage
is a VM installed on-premise
connects as a file server, local disk, or tape library
compression and encryption built in
import / export options
Snowball - 50 and 80 TB
Kinesis Firehose
captures and automatically loads streaming data into S3
CDN
Content Delivery Network
To minimize the distance between the visitors and your website's server, a CDN stores a cached version of its content in multiple geographical locations (a.k.a., __________
points of presence, or PoPs). Each PoP contains a number of caching servers responsible for content delivery to visitors within its proximity.
CloudFront
AWS's global CDN via 100+ POPs
like Akamai
can deliver static and dynamic content
Amazon CloudFront lowers both the __________ bar that's long been required for delivering content via a CDN, while improving customer experience for companies of all sizes.
technical and financial
RDS
Relational Database Service
__________ offers the following database engines: SQL Server, MySQL, MariaDB, PostgreSQL, Aurora, and Oracle
can scale up or down at will
in RDS, AWS handles
admin tasks like patching, upgrades, and backups
has high availability
DynamoDB
Amazon DynamoDB is a fast and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed database and supports both DOCUMENT AND KEY-VALUE data models. Its flexible data model and reliable performance make it a great fit for mobile, web, gaming, ad-tech, IoT, and many other applications.
redshift
petabyte-scale data warehousing service
columnar format
automatically backed up to S3
magnetic or SSD
accessed via ODBC or JDBC
Memcached is a general-purpose __________
distributed memory caching system. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source (such as a database or API) must be read. Memcached is free and open-source software.
Redis __________
(REmote DIctionary Server) is an open-source in-memory data structure project implementing a distributed, in-memory key-value database with optional durability
ElastiCache
supports two in-memory cache environments (Memcached, Redis)
helps improve performance of web apps
Aurora
relational DB for the cloud
supports MySQL and PostgreSQL
up to 64 TB in size
continuously backed up to S3, allowing point-in-time recovery
Presto
open-source distributed SQL query engine for running interactive analytic queries against data sources of all sizes, up to petabytes
approaches the speed of commercial data warehouses while scaling to the size of organizations like Facebook
Presto allows querying data where it lives, including __________. A single Presto query can combine data from __________sources, allowing for analytics across your entire organization.
Hive, Cassandra, relational databases or even proprietary data storesmultiple
Athena
serverless, interactive query service
analyze S3 data via SQL
uses Presto; reads JSON, CSV, Parquet
EMR
elastic map reduce
Elastic Map Reduce
Hadoop running on AWS
Elastic Map Reduce simple 3 step process
store input data on S3
process data on EC2
store output data on S3
CloudSearch
A fully managed service in the AWS cloud that makes it easy to set up, manage, and scale a search solution for your website or application.
34 languages
Data Pipeline
ETL process for Cloud & on-premise resources
Amazon Kinesis
fully managed system for real-time streaming data ingestion and processing
you create a stream and the service handles the rest
build real-time dashboards, capture exceptions, generate alerts, drive recommendations, and make other real-time business or operational decisions
easy to set up extremely high-capacity data pipes
QuickSight
BI tool for analyzing data from Kinesis, Redshift, DynamoDB, flat files (e.g., CSV), and 3rd-party sources (e.g., Salesforce) - Analytics
Amazon API Gateway is a fully managed service that makes it easy for developers to __________ at any scale. With a few clicks in the AWS Management Console, you can create an API that acts as a "__________" for applications to access data, business logic, or functionality from your back-end services, such as workloads running on Amazon Elastic Compute Cloud (Amazon EC2), code running on AWS Lambda, or any web application.
create, publish, maintain, monitor, and secure APIsfront door
Microservices
smaller modules that interact through APIs and can be updated without affecting the entire system
work together to achieve a larger goal
AWS Step Functions
makes it easy to coordinate the components of distributed applications and microservices using visual workflows
e.g., waiting for human approval before the next step
SWF
Simple Workflow Service
Simple Workflow Service helps developers build, run, and scale
background jobs that have parallel or sequential steps. You can think of Amazon SWF as a fully-managed state tracker and task coordinator in the Cloud.
Simple Workflow Service
task coordination and state management service for cloud applications
• 12-month timer
• can be used in warehouses and distribution systems
• ensures a task is only assigned once and never duplicated
• delivered once and only once
SQS
Simple Queue Service
Amazon Simple Queue Service (SQS) is a fully managed __________ service that enables you to __________ microservices, distributed systems, and serverless applications.
message queuing
decouple and scale
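The decoupling idea on this card can be sketched locally with Python's standard-library queue as a stand-in for SQS (no AWS calls; the message names and the SQS-call comparisons in comments are illustrative only):

```python
import queue
import threading

# A local stand-in for an SQS queue: the producer and consumer never call
# each other directly; they only share the queue (that is the decoupling).
q = queue.Queue()

def producer():
    for i in range(3):
        q.put(f"order-{i}")   # roughly analogous to sqs.send_message
    q.put(None)               # sentinel to tell the consumer to stop

processed = []

def consumer():
    while True:
        msg = q.get()         # roughly analogous to sqs.receive_message
        if msg is None:
            break
        processed.append(msg)

t1 = threading.Thread(target=producer)
t2 = threading.Thread(target=consumer)
t1.start(); t2.start()
t1.join(); t2.join()

print(processed)
```

Either side can be scaled or replaced independently, which is the property the card attributes to SQS.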
SQS eliminates the complexity and overhead associated with __________, and empowers developers to focus on differentiating work.
managing and operating message oriented middleware
Using SQS, you can __________ between software components at any volume, __________ to be available.
send, store, and receive messageswithout losing messages or requiring other services
Simple Workflow Service differs from SQS
differs from SQS in that tasks can be performed by human actions rather than automated computer actions
Elastic Transcoder
media transcoding in the cloud
this service is designed to be highly scalable, easy to use, and a cost-effective way for developers and businesses to convert media for multiple uses
converts from a source format into output formats
CodeCommit
a fully-managed source control service that makes it easy for companies to host secure and highly scalable private Git repositories.
CodePipeline
Release Software using Continuous Delivery
CodeBuild
like Hudson - a managed build service
CodeDeploy
like Hudson
a service that automates code deployments to any instance, including EC2 instances and instances running on-premises
CloudFormation
an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion
works by creating scripts (JSON files), or you can use templates
can be checked into version control
no charge
aws service catalog
AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS
users with different permissions see only what the admin wants, via IAM
a "product" is a service that you want others to use
Chef__________
a configuration management tool that uses a Ruby domain-specific language (DSL) for writing system configuration "recipes"
OpsWorks
An application management service that helps you automate operational tasks like code deployment, software configurations, package installations, database setups, and server scaling using Chef. Deploy and configure your infrastructure quickly.
OpsWorks uses __________
Chef to automate how servers are configured, deployed and managed across your instances.
AWS OpsWorks is a __________, an automation platform that treats server configurations as a code.
configuration management service that uses Chef
Chef is used to __________
streamline the task of configuring and maintaining a company's servers, and can integrate with cloud-based platforms such as Amazon EC2, Google Cloud Platform, and Microsoft Azure to automatically provision and configure new machines
CloudWatch
A monitoring service to monitor AWS resources as well as the applications that run on AWS
CloudWatch Monitor things like:__________
- EC2 - DynamoDB - RDS DB Instances - Custom metrics generated by applications and services - Any log files your applications generate
cloudwatch ___________or ___________ monitoring
basic is free, polls every 5 minutes
detailed is paid, polls every minute
cloudwatch can create
events to kick off Lambda functions or various alerts
AWS Config
A service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
Config continuously __________ and allows you to automate the evaluation of recorded configurations against desired configurations.
monitors and records your AWS resource configurations
cloudtrail
__________ is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account.
__________ allows AWS customers to record API calls, sending log files to Amazon S3 buckets for storage.
You can turn on a trail across ALL regions for your AWS account.
SNS
Simple Notification Service (PUSH).
Amazon SNS follows the __________, with notifications being delivered to clients using a push mechanism that eliminates the need to check periodically (or poll) for new information and updates.
publish-subscribe (pub-sub) messaging paradigm
SES
Simple Email Service
ADS
Application Discovery Service
Application Discovery Service
helps enterprise customers plan migration projects by gathering information about their on-premises data centers.
ADS records__________ server traffic, and captures information related to the use of resources such as __________
inbound and outbound
memory and CPUs
Application Discovery Service helps perform a __________ review and estimate how much it would cost to migrate and run their workloads on the AWS public cloud
total cost of ownership
Database Migration Service
service to migrate from many commercial and open-source DBs, homogeneously or heterogeneously, while the source DB stays online - Database
AWS Snowball
is a service that accelerates transferring large amounts of data into and out of AWS using physical storage appliances, bypassing the Internet.
AWS Snowball Edge
is a 100TB data transfer device with on-board storage and compute capabilities.
AWS Server Migration Service
agentless service for migrating thousands of on-premise workloads to AWS
SMS allows for automation, scheduling, and tracking of replications of live server volumes
AI
Lex - chat using voice and text
Polly - converts text to speech
Rekognition - face and object recognition
Lex - __________
chat using voice and text
Polly - __________
converts text to speech
Rekognition - __________
face and object recognition
Greengrass
run compute, messaging, and data caching for IoT devices
run Lambda, keep data in sync, and communicate with other devices even when there is no Internet connection
ML Inference is a feature of AWS Greengrass that makes it easy to perform __________ locally on Greengrass Core devices using models that are built and trained in the cloud.
machine learning inference
AWS Greengrass seamlessly extends AWS to devices so they can __________on the data they generate, while still using the cloud for __________
act locally
management, analytics, and durable storage
AWS IoT Button
programmable button based on the Amazon Dash Button hardware. This simple Wi-Fi device is easy to configure and designed for developers to get started with AWS IoT Core, AWS Lambda, Amazon DynamoDB, Amazon SNS, and many other Amazon Web Services without writing device-specific code.
costs $20
AWS IoT Button - For example, you can click the button to
unlock or start a car, open your garage door, call a cab, call your spouse or a customer service representative, track the use of common household chores, medications or products, or remotely control your home appliances.
Amazon Cognito
single user identity and data synchronization service
helps manage and sync app data for users across their MOBILE devices
create unique identities for users through public login providers (Facebook, Google, Amazon) and support unauthenticated guests
Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as __________. It frees you to focus on your applications so you can give them the fast performance, high availability, security and compatibility they need.
hardware provisioning, database setup, patching and backups
Amazon RDS is available on several database instance types - optimized for memory, performance or I/O - and provides you with six familiar database engines to choose from, including __________. You can use the AWS __________to easily migrate or replicate your existing databases to Amazon RDS.
Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle, and Microsoft SQL Server
Database Migration Service
Amazon ElastiCache offers fully managed __________.
Redis and Memcached
Amazon ElastiCache Seamlessly deploy, run, and scale __________. Build data-intensive apps or improve the performance of your existing apps by retrieving data from high throughput and __________ in-memory data stores. Amazon ElastiCache is a popular choice for Gaming, Ad-Tech, Financial Services, Healthcare, and IoT apps.
popular open-source compatible in-memory data stores
low latency
how can you have a shared file system across multiple Amazon EC2 instances?
by using Amazon EFS
Amazon EFS
Elastic File System
Elastic File System is designed to provide massively __________access to thousands of Amazon EC2 instances, enabling your applications to achieve high levels of aggregate throughput and IOPS that scale as a file system grows, with consistent low latencies. As a regional service, Amazon EFS is designed for high availability and durability storing data __________ Availability Zones.
parallel shared
redundantly across multiple
Think of EFS as a managed __________ (NFS), that is easily integrated with other AWS services like EC2 or S3.
Network File System
Amazon __________ (Amazon EBS) provides block level storage volumes for use with __________.
Elastic Block Store
EC2 instances
EBS volumes are highly available and reliable storage volumes that can be attached to any __________.
running instance that is in the same Availability Zone
EBS volumes that are attached to an EC2 instance are exposed as storage volumes that persist __________
independently from the life of the instance.
gp2
EBS General Purpose SSD (gp2)
General Purpose SSD volume that balances price and performance for a wide variety of transactional workloads
boot volumes, low-latency interactive apps, dev & test
EBS Provisioned IOPS SSD (__________) -- the highest performance option. Provides high IOPS per volume and a high maximum throughput per volume and is ideal for __________
io1
database workloads
EBS General Purpose SSD (__________) -- the default EBS volume. Offers high IOPS per volume, but at a __________ than io1,
gp2
lower rate and cost
gp2 is intended for __________
dev-test workloads, virtual desktops and low-latency apps.
Throughput Optimized HDD (__________) -- offers high throughput per volume and a large volume size, and is ideal for __________
st1
data warehouses and log processing
Cold HDD (__________) - meant for __________, and provides the lowest IOPS per volume at the lowest price of all the EBS volumes.
sc1
less frequently accessed workloads, such as cold data
The Elastic Volumes feature enables you to__________
resize EBS volumes to accommodate changing application needs or snapshot sizes. You can also change any volume type WITHOUT DOWNTIME.
Compared with these S3 and EBS, Amazon EFS is the new kid on the block. An Amazon EFS file system is excellent as a managed __________.
network file system that can be shared across different Amazon EC2 instances
Amazon EFS works like __________ devices and performs well for __________, media processing workflows, and content management.
NAS
big data analytics
EFS is:__________
a network filesystem (that means it may have higher latency, but it can be shared across several instances)
expensive compared to EBS (~10x more)
you can attach EFS storage to an EC2 instance
can be accessed by multiple EC2 instances simultaneously
can attach your EFS storage directly to on-premise servers via Direct Connect
EBS is:__________
block storage (so you need to format it); this means you are able to choose which type of file system you want
as it's block storage, you can use RAID 1 (or 0, or 10)
really fast
relatively cheap
EBS: with the new announcements from Amazon, you can store up to 16 TB per volume on SSDs. You can __________ (while it's still running) for backup reasons. But it only exists in a particular region. Although you can migrate it to another region, you __________ (only if you share it via EC2; but that means you have a file server)
snapshot an EBS volume
cannot just access it across regions
EBS You can now increase __________. You can continue to use your application while the change takes effect.
volume size, adjust performance, or change the volume type while the volume is in use
S3 is:__________
an object store (not a file system)
you can store files and "folders" but can't have locks, permissions, etc. like you would with a traditional file system
this means, by default, you can't just mount S3 and use it as your webserver
but it's perfect for storing your images and videos for your website
great for short-term archiving (e.g., a few weeks); it's good for long-term archiving too, but Glacier is more cost-efficient
S3 part 2
great for storing logs
you can access the data from every region (extra costs may apply)
much cheaper than EBS
you can serve content directly to the Internet; you can even have a full (static) website working directly from S3, without an EC2 instance
Glacier is:__________
long-term archive storage
extremely cheap to store
potentially very expensive to retrieve
takes up to 4 hours to "read back" your data (so only store items you know you won't need to retrieve for a long time)
in terms of pricing: Glacier, S3, and EFS allocate storage for you based on your usage, while with EBS you need to __________
predefine the allocated storage, which means you need to overestimate
S3 availability
99.99%
99.99% availability equals
53 minutes of downtime per year
or about 9 seconds per day
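The "53 minutes per year / 9 seconds per day" figures follow directly from the availability percentage; a quick arithmetic check (the function name is mine):

```python
# Downtime implied by an availability percentage over a given period.
def downtime_seconds(availability_pct, period_seconds):
    return (1 - availability_pct / 100) * period_seconds

YEAR = 365 * 24 * 60 * 60
DAY = 24 * 60 * 60

print(downtime_seconds(99.99, YEAR) / 60)  # ~52.6 minutes per year
print(downtime_seconds(99.99, DAY))        # ~8.6 seconds per day
```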
s3 objects distributed to
3 different AZs within a region, giving 11 9s of durability
data lake
a storage repository that holds a vast amount of raw data in its original format until the business needs it
S3 can act as a
data lake
lexicographic or lexicographical order (also known as lexical order, __________
dictionary order, alphabetical order
Given that S3 supports a lexicographically-sorted list API, it would stand to reason that the key names themselves are used in some way in both the map and the partitioning scheme... and in fact that is precisely the case: each key in this '__________' (that's what we call it internally) is stored and retrieved based on the __________ - this means that the object names you choose actually dictate how we manage the keymap.
keymap
name provided when the object is first put into S3
Internally, the keys are all represented in S3 as strings like this:__________Further, keys in S3 are partitioned by __________
bucketname/keyname
prefix
S3 has automation that continually looks for areas of the keyspace that need splitting. Partitions are split either due to __________, or because they contain a __________ (which would slow down lookups within the partition).
sustained high request rates
large number of keys
There is __________in moving keys into newly created partitions, but with request rates low and no special tricks, we can keep performance reasonably high even during __________.
overhead
partition split operations
We frequently see new workloads introduced to S3 where content is organized by user ID, or game ID, or other similar semi-meaningless identifier. Often these identifiers are incrementally increasing numbers, or date-time constructs of various types. The unfortunate part of this naming choice where S3 scaling is concerned is two-fold: First__________
First, all new content will necessarily end up being owned by a single partition (remember the request rates from above...).
Second, all the partitions holding slightly __________ much faster than other naming conventions, effectively wasting the available operations per second that each partition can support by making all the old ones cold over time.
older (and generally less 'hot') content get cold
S3 even has an algorithm to detect this parallel type of write pattern and will automatically create __________from the same parent simultaneously - increasing the system's operations per second budget as request heat is detected.
multiple child partitions
By partitioning your data, you can __________, thus improving performance and reducing cost.
restrict the amount of data scanned by each query
By integrating CloudFront with Amazon S3, you can __________. You also send fewer direct requests to Amazon S3, which reduces your __________.
distribute content to your users with low latency and a high data transfer rate
costs
Amazon API Gateway
a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale.
AWS Step Functions
makes it easy to coordinate the components of distributed applicationsand microservices using visual workflows
AWS CodeCommit
a fully-managed source control service that makes it easy for companies to host secure and highly scalable private Git repositories.
AWS CodePipeline
AWS CodePipeline is a continuous integration and continuous delivery service for fast and reliable application and infrastructure updates.
CodePipeline builds, tests, and deploys your code every time there is a __________
code change, based on the release process models you define. This enables you to rapidly and reliably deliver features and updates. You can easily build out an end-to-end solution by using our pre-built plugins for popular third-party services like GitHub, or by integrating your own custom plugins into any stage of your release process.
AWS CodeBuild
a fully managed build service that compiles source code, runs tests, and produces software packages that are ready to deploy.
CEK
Content Encryption Key
Content Encryption Key
encrypts S3 object data
SSE
Server Side Encryption
with S3 Server Side Encryption
will automatically encrypt your data on write and decrypt your data on retrieval
S3 Server Side Encryption uses ______________ AES __________ keys
Advanced Encryption Standard
256-bit symmetric
3 ways to manage AES keys. SSE with
SSE with Amazon S3 Key Management (SSE-S3)
SSE with customer-provided keys (SSE-C)
SSE with AWS Key Management Service (SSE-KMS)
SSE with Amazon S3 Key Management (SSE-S3)
Amazon takes care of it
master key rotated on a monthly basis
SSE with customer-provided keys (SSE-C)
Amazon uses your key to encrypt and decrypt, but the key is immediately discarded after use
SSE with AWS Key Management Service (SSE-KMS)
very secure
separate and audited permissions for use of the master key
can view failed attempts at decryption
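In practice the three SSE modes differ only in the extra parameters an S3 PUT request carries; a sketch assuming boto3's put_object parameter names (the bucket, key-id, and key values below are placeholders, and no request is sent):

```python
# Extra put_object parameters per SSE mode (S3 API parameter names;
# all values here are fake placeholders for illustration only).
sse_s3 = {"ServerSideEncryption": "AES256"}

sse_kms = {
    "ServerSideEncryption": "aws:kms",
    "SSEKMSKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE",  # placeholder
}

sse_c = {
    "SSECustomerAlgorithm": "AES256",
    "SSECustomerKey": "my-32-byte-secret-key-goes-here!",  # placeholder; never hard-code real keys
}

for name, params in [("SSE-S3", sse_s3), ("SSE-KMS", sse_kms), ("SSE-C", sse_c)]:
    print(name, sorted(params))
```

With SSE-C, the key travels with each request and S3 discards it after use, which matches the card above.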
ARN
Amazon Resource Name
Amazon Resource Name ___________example _________
uniquely identify AWS resources
example: arn:partition:service:region:account-id:resource
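The six colon-separated components above can be pulled apart mechanically; a small sketch (the sample ARN and function name are illustrative):

```python
# Split an ARN into its six documented components. Note the split limit of 5:
# the resource part may itself contain ':' or '/' characters.
def parse_arn(arn):
    fields = ["arn", "partition", "service", "region", "account-id", "resource"]
    return dict(zip(fields, arn.split(":", 5)))

# S3 ARNs leave region and account-id empty, since bucket names are global.
arn = "arn:aws:s3:::my-bucket/logs/2023.txt"
print(parse_arn(arn))
```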
partition
standard is aws
aws-cn for China
policy variable for username
${aws:username}
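A common use of this variable is granting each IAM user their own S3 prefix; a sketch of such a policy document (the bucket name is a placeholder, and the variable is substituted by IAM at evaluation time, not by Python):

```python
import json

# Policy granting each user access only to home/<their-username>/ in the
# bucket; "example-bucket" is a placeholder name.
policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/home/${aws:username}/*",
    }],
}

doc = json.dumps(policy)
print(doc)
```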
3 storage classes of S3
S3 Standard
S3 Standard Infrequent Access (IA)
S3 Reduced Redundancy Storage
S3 Standard
supports SSL
data lifecycle policies
cross-region replication
copied to 3 facilities and can sustain the loss of 2
99.99% availability
S3 Standard Infrequent Access (IA)
99.9% availability over a year
much cheaper, so good for backups and DR
S3 Standard Reduced Redundancy Storage
for noncritical, nonproduction data that you can reproduce
e.g. video encoding: 1080p and 720p versions
keep the master in S3 Standard and the different resolutions here
99.99% durability and availability
storage class is simply an _____________ associated with each S3 object. meaning _________
attribute
objects stay in the same S3 bucket and are accessed from the same URLs
no need to change application code or point to a different URL
versioning is always done at the
bucket level
if you want it only for a few files out of a thousand, you must move them into a new bucket
2 kinds of actions with a lifecycle policy
transition action - move objects older than x days to another storage class
expiration action - what to do when an object expires or is deleted
if you want to apply the rules to a few files, _________
prefix the files with a unique prefix and then
enable the lifecycle rule on the prefix
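As a sketch, a lifecycle configuration scoped to a prefix, with one transition action and one expiration action; the logs/ prefix, rule ID, and day counts are hypothetical.

```json
{
  "Rules": [
    {
      "ID": "archive-then-expire-logs",
      "Filter": { "Prefix": "logs/" },
      "Status": "Enabled",
      "Transitions": [{ "Days": 30, "StorageClass": "STANDARD_IA" }],
      "Expiration": { "Days": 365 }
    }
  ]
}
```

Only objects under the prefix are affected; everything else in the bucket is left alone.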
S3 CRR
Cross Region Replication
Cross Region Replication
all data is replicated from a bucket in one region to a bucket in another region. The metadata on the objects is also replicated.
To enable Cross Region Replication you need to__________
turn on VERSIONING on both the source and destination buckets
use an IAM policy to give S3 permission to replicate objects on your behalf
Cross Region Replication is commonly used to move data to another region to __________
reduce the latency for users in different parts of the country/world.
Note: if you have an existing bucket with objects in it and you then turn on replication, only the __________
new objects in that bucket will be replicated to the new region. The original objects will need to be copied manually.
you can't use CRR to
replicate the content to two buckets that are in the same region
recommended way to store on Glacier
tar or zip them into a single file, because the cost will be lower
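The bundling step above can be sketched with the standard library: pack many small files into one compressed tar archive before uploading it as a single Glacier archive. File names and contents here are hypothetical.

```python
import io
import tarfile

def bundle(files: dict) -> bytes:
    """Pack {name: content-bytes} pairs into one gzip-compressed tar archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# one archive instead of many small ones keeps request costs down
archive = bundle({"log1.txt": b"alpha", "log2.txt": b"beta"})
```

The resulting bytes would be uploaded once (with multipart upload for large archives, as the card above notes).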
Amazon Glacier
write once, can't modify
multipart upload for large archives
store from 1 byte to 40 TB
glacier vault
Vaults are CONTAINERS for archives. Each AWS account can have up to 1,000 vaults. You can control access to your vaults and the actions allowed using IAM policies or vault access policies.
like a safe deposit box
amazon glacier vault lock
specify controls like WORM
enforce compliance
Write Once Read Many, which locks archives from future edits
3 ways go get glacier data
standard: 3 to 5 hours, 1 cent per gigabyte
expedited: 1 to 5 minutes, 3 cents per gigabyte
bulk: 5 to 12 hours for petabytes, 0.25 cents per gigabyte
EBS offers persistent storage which means
storage persists independently of the life span of an EC2 instance
EBS provides ability to create
point-in-time snapshots that are then stored in S3
can share them with others
can be copied across regions
EBS main features
raw, unformatted block device for any OS
99.999% availability, replicated within an AZ
allocated in 1 GB increments up to 16 TB
EBS AFR
Annual Failure Rate, between 0.1 and 0.2 percent
3 types of block storage
EC2 instance store
EBS SSD-backed volume
EBS HDD-backed volume
ephemeral
lasting a very short time
EC2 instance store
local storage of EC2, so can't be mounted on different servers
ephemeral, so once the EC2 instance is shut down, the data is gone
can't snapshot it
EBS Volumes are
elastic, so they can dynamically scale; can use CloudWatch and Lambda to automate it
gp2
General purpose SSD - balance price and performance
io1
provisioned IOPS SSD - high performance and price
around how many IOPS can a 7200 RPM disk deliver?
around how many IOPS can a 15000 RPM disk deliver?
100 IOPS
200 IOPS
st1
for frequently accessed, throughput-intensive workloads
good for sequential I/O like a data warehouse
random IO should use
gp2 or provisioned IOPS (io1)
sc1
c for cold: Cold HDD
much cheaper, for rarely accessed data
Recommended for most workloads
System boot volumes
Virtual desktops
Low-latency interactive apps
Development and test environments
General Purpose SSD (gp2)*
Critical business applications that require sustained IOPS performance, or more than 10,000 IOPS or 160 MiB/s of throughput per volume
Large database workloads, such as:
MongoDB
Cassandra
Microsoft SQL Server
MySQL
PostgreSQL
Oracle
Provisioned IOPS SSD (io1)
Streaming workloads requiring consistent, fast throughput at a low price
Big data
Data warehouses
Log processing
Cannot be a boot volume
Throughput Optimized HDD (st1)
EBS Burst. GP2 volumes can support a sustained load of up to __________
3,000 operations per second for up to 30 minutes at a time.
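The burst figure above can be derived, assuming the documented gp2 credit model: a full bucket of 5.4 million I/O credits, a baseline of 3 IOPS per GiB (with a 100 IOPS floor), and a 3,000 IOPS burst ceiling. A sketch:

```python
def burst_seconds(volume_gib: int) -> float:
    """How long a full gp2 credit bucket lasts when bursting at the ceiling."""
    baseline = max(100, 3 * volume_gib)  # credits refill at the baseline rate
    ceiling = 3000
    if baseline >= ceiling:
        return float("inf")  # at 1,000 GiB+ the baseline already meets the ceiling
    # credits drain at (ceiling - baseline) per second while bursting flat out
    return 5_400_000 / (ceiling - baseline)

# a 100 GiB volume: baseline 300 IOPS, 5,400,000 / 2,700 = 2,000 s (~33 min),
# roughly the "up to 30 minutes" figure quoted above
```

Smaller volumes refill more slowly, so their burst windows are shorter relative to their baseline.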
Elastic File System attributes
same as a regular file system
can be shared across multiple EC2 instances
elastic to petabyte scale
replicated across AZs within a region
EFS superior to NAS since
mirrored across multiple AZs
to get visibility into EFS use
CloudWatch, to see if you're running into I/O issues
SGW
Storage Gateway
Storage Gateway
deployed as a VM in your existing environment
can connect your apps and storage to S3 via SGW
has a cache for frequently accessed data
Storage Gateway leverages these other services
CloudWatch
CloudTrail
IAM
Storage Gateway Three interfaces:
file, volume, & tape.
File gateway enables you to __________
store and retrieve objects in S3 using file protocols, such as NFS. Objects written through file gateway can be directly accessed in S3.
Volume gateway provides
cloud-backed storage volumes that you can mount as Internet Small Computer System Interface (iSCSI) devices from your on-premises application servers.
In the cached volume mode, your data is __________
stored in S3 and a cache of the frequently accessed data is maintained locally by the gateway.
In the stored volume mode, data is stored on your __________
local storage with volumes backed up asynchronously as EBS snapshots stored in S3.
Tape gateway provides your backup application with an __________
iSCSI virtual tape library (VTL) interface, consisting of a virtual media changer, virtual tape drives, and virtual tapes. Virtual tape data is stored in S3 or can be archived to Glacier.
Exabyte (EB)
1,024 PB; about a quintillion bytes (10^18)
Petabyte (PB)
1,024 terabytes
Terabyte (TB)
1,024 gigabytes
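The unit relationships in the three cards above can be checked in a few lines:

```python
# binary units: each step is a factor of 1,024
TB = 1024 ** 4          # terabyte in bytes
PB = 1024 * TB          # petabyte = 1,024 TB
EB = 1024 * PB          # exabyte = 1,024 PB, on the order of 10**18 bytes
```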
amazon snowmobile
100 PB (petabytes)
appears as NAS via fiber
Snowmobile uses multiple layers of security to help protect your data including __________. All data is encrypted with 256-bit encryption keys you manage through the AWS Key Management Service (KMS) and designed for security and __________
dedicated security personnel, GPS tracking, alarm monitoring, 24/7 video surveillance, and an optional escort security vehicle while in transit
full chain-of-custody of your data.
what is the best way to delete multiple objects from S3?
use multi-object delete
Multi-Object Delete operation enables you to delete multiple objects from a bucket using a __________
single HTTP request.
The Multi-Object Delete request contains a list of up to __________ keys that you want to delete.
1000
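Because one request takes at most 1,000 keys, a larger key list has to be split into batches. The splitting logic is sketched below; the boto3 call in the comment and the bucket name are hypothetical.

```python
def delete_batches(keys: list) -> list:
    """Split keys into batches of at most 1,000, one per Multi-Object Delete request."""
    return [keys[i:i + 1000] for i in range(0, len(keys), 1000)]

# for batch in delete_batches(all_keys):
#     s3.delete_objects(
#         Bucket="my-example-bucket",
#         Delete={"Objects": [{"Key": k} for k in batch]},
#     )
```

2,500 keys would become three requests instead of 2,500 individual deletes.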
the data across the EBS volume is mirrored across the ________ and not ___________
same AZ (but different data centers)
multiple AZs
EBS replication is stored within the
same AZ, not across multiple AZs
your app needs a shared file system that can be accessed from multiple instances across different AZs. how would u provision it?
use an EFS file system and mount it on multiple EC2 instances
across multiple AZs
the same EBS volume can't be mounted across
multiple EC2 instances
by default, data never leaves a
region.
you can't use ___________ for a cross-region replication bucket
but you can use __________
Glacier
all the others: S3 Standard, Standard-IA, RRS
when you connect your data center and VPC with a VPN or Direct Connect, it becomes an
extension of your data center in the cloud
without VPC, there would be no way to
isolate your resources running in the cloud
it would be difficult to manage the IP namespaces for thousands of servers
VPC gives you a comparatively sterile network environment that you can fit to your needs. You can create subnets isolated from the public internet, to contain mission-critical and security sensitive assets, accessible only from __________.
carefully-controlled, specific instances or subnets, with ports firewalled even between subnets within your VPC
CIDR
Classless Inter-Domain Routing
Classless Inter-Domain Routing
the method that borrows bits from the host field of an IP address to create subnets
subnet
A logical subset of a larger network, created by an administrator to improve network performance or to provide security.
virtual private cloud
a subset of a public cloud that has highly restricted, secure access
CIDR 172.31.12.0/24
8 + 8 + 8 = 24, so the first three octets are the network portion
the final 0 is in the host portion: 32 - 24 = 8
so with 2 to the power of 8, we get 256 IP addresses
172.31.12.0/25
network = 25 bits
host: 2 to the 7 = 128 addresses
172.31.12.0/24
break the VPC into 2 subnets
subnet 1 (128 addresses): 172.31.12.0/25, hosts 0-127
subnet 2 (128 addresses): 172.31.12.128/25, hosts 128-255
Notice the 128: if you put 127 it would immediately cause an error from overlap
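The split above into two /25 subnets can be checked with Python's standard ipaddress module:

```python
import ipaddress

# the /24 block from the card, split into two equal /25 subnets
vpc = ipaddress.ip_network("172.31.12.0/24")
subnets = list(vpc.subnets(new_prefix=25))
# subnets[0] covers hosts .0-.127, subnets[1] covers .128-.255
```

The module also rejects overlapping or misaligned blocks, which is exactly the error the card warns about.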
10.0.0.0/27
how many bits for the host?
32 - 27 = 5
2 to the 5 = 32
how many are reserved?
5 IP addresses
the first four and the last one
if you have 16 addresses, only 11 are usable
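The usable-address arithmetic above (total minus the 5 AWS reserves per subnet) can be sketched as:

```python
import ipaddress

def usable(cidr: str) -> int:
    """Usable addresses in a VPC subnet: total minus the 5 AWS reserves
    (the first four and the last address of each subnet)."""
    return ipaddress.ip_network(cidr).num_addresses - 5

# a /27 has 32 addresses, 27 usable; a /28 has 16 addresses, 11 usable
```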
routing table
A list of routes in a router, with each route listing the destination subnet and mask, the router interface out which to forward packets destined to that subnet, and as needed, the next-hop router's IP address.
A routing table contains the information necessary to __________.
forward a packet along the best path toward its destination
Each packet contains information about its origin and destination. When a packet is received, a network device examines the packet and matches it to the __________
routing table entry providing the best match for its destination.
A route table contains a set of rules, called routes, that are used to __________
determine where network traffic is directed.
the route table controls the routing for the subnet. A subnet can only be associated with one __________, but you can associate __________
route table at a time
multiple subnets with the same route table.
Your VPC has an implicit router.
Your VPC automatically comes with a main route table that you can modify.
You can create additional custom route tables for your VPC.
Each subnet must be associated with a route table, which controls the routing for the subnet. If you don't explicitly associate a subnet with a particular route table, the subnet is __________
implicitly associated with the main route table.
once you create a VPC, you can't
alter the size of it
you can create a new VPC with a bigger IP range and migrate to the new one
the smallest subnet you can create within VPC is ______ which corresponds to ________ available IP addresses
/28
32 - 28 = 4, and 2 to the 4 = 16
a subnet is tied to
only one AZ
power of 2 table
2 to the 4 through 2 to the 7
2^4 = 16
2^5 = 32
2^6 = 64
2^7 = 128
Internet Gateway (IG)
A gateway that allows your EC2 instances to have internet access. Commonly used when dealing with VPCs.
route table target of local means only
local traffic can flow within the VPC and no other traffic is allowed
Network Address Translation (NAT)
allows instances with private IP addresses to connect to the public Internet
but the Internet can't initiate connections to the private instances
NAT can only be used for
IPv4; not IPv6
2 types of NAT
NAT instances
NAT gateways
NAT instances
have been around since VPCs became available: They're simply EC2 instances with specially configured routing tables.
NAT gateways
introduced in October 2015; they are part of the VPC infrastructure, like the routers that let your subnets communicate with each other.
egress-only Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over __________
IPv6 from instances in your VPC to the Internet, and prevents the Internet from initiating an IPv6 connection with your instances.
For us, the cost of running and caring for __________ remains less than the cost of the NAT Gateway.
four NAT Instances
if use a NAT gateway, must specify an
elastic IP address
NAT gateway is created in a specific
AZ in a redundant fashion
Elastic Network Interface (ENI)
Virtual NIC on an EC2 instance; secondary interfaces are separate from the instance
An elastic network interface (referred to as a network interface in this documentation) is a __________
logical networking component in a VPC that represents a virtual network card.
elastic network interface can include the following attributes:__________
A primary private IPv4 address from the IPv4 address range of your VPC
One or more secondary private IPv4 addresses from the IPv4 address range of your VPC
One Elastic IP address (IPv4) per private IPv4 address
One public IPv4 address
One or more IPv6 addresses
One or more security groups
A MAC address
A source/destination check flag
A description
You can create a network interface, __________.
attach it to an instance, detach it from an instance, and attach it to another instance
The attributes of a network interface follow it as it's __________.
attached or detached from an instance and reattached to another instance
When you move a network interface from one instance to another, network traffic is __________
redirected to the new instance.
Elastic IP address is a __________
static IPv4 address designed for dynamic cloud computing. An Elastic IP address is associated with your AWS account. With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account.
An Elastic IP address is a __________
public IPv4 address, which is reachable from the internet. If your instance does not have a public IPv4 address, you can associate an Elastic IP address with your instance to enable communication with the internet; for example, to connect to your instance from your local computer.
To use an Elastic IP address, you first __________
allocate one to your account, and then associate it with your instance or a network interface.
When you associate an Elastic IP address with an instance or its primary network interface, the instance's public IPv4 address (if it had one) is released back into Amazon's pool of public IPv4 addresses. You cannot reuse a public IPv4 address, and you cannot __________
convert a public IPv4 address to an Elastic IP address.
To ensure efficient use of Elastic IP addresses, we impose a small hourly charge if an Elastic IP address is __________
not associated with a running instance, or if it is associated with a stopped instance or an unattached network interface.
Elastic IP is a combination of a __________.
public IP address and a static IP address
Elastic IP allows you to continue to __________
advertise AWS instances within your AWS network infrastructure.
A static IP is useful for various reasons. In cloud computing, a static IP address is advantageous for __________
DNS queries. If IPs are changing, this can affect the content loading process.
Static IP addresses are IPs which do not change. They are common for __________
business and cloud computing, which is why AWS includes this within the Elastic IP framework.
Elastic IP addresses are static IP addresses designed for dynamic cloud computing. Unlike traditional static IP addresses, however, Elastic IP addresses allow you to __________
mask instance or availability zone failures by programmatically remapping your public IP addresses to any instance associated with your account.
Rather than waiting on a data technician to reconfigure or replace your host, or waiting for DNS to propagate to all of your customers, Amazon EC2 enables you to engineer around problems with your instance or software by __________
programmatically remapping your Elastic IP address to a replacement instance.
there is ________ for using an elastic IP as long as you
no charge
you associate it with a running instance
A security group acts as a __________
virtual firewall that controls the traffic for one or more instances.
When you launch an instance, you can specify one or more security groups; otherwise, we use the default security group. You can add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group __________.
at any time; the new rules are automatically applied to all instances that are associated with the security group
When we decide whether to allow traffic to reach an instance, we evaluate __________
all the rules from all the security groups that are associated with the instance.
When you launch an instance in a VPC, you must specify a security group that's created for that VPC. After you launch an instance, you can __________.
change its security groups
Security groups are associated with __________.
network interfaces
Changing an instance's security groups changes the security groups associated with the __________
primary network interface (eth0).
By default, security groups allow __________
all outbound traffic.
Security group rules are __________
always permissive; you can't create rules that deny access.
For VPC security groups, this also means that responses to __________
allowed inbound traffic are allowed to flow out, regardless of outbound rules.
You can add and remove rules at __________. Your changes are __________
any timeautomatically applied to the instances associated with the security group.
When you associate multiple security groups with an instance, the rules from each security group are __________
effectively aggregated to create one set of rules. We use this set of rules to determine whether to allow access.
The following are the default rules for each default security group:Allows all __________ (the security group specifies itself as a source security group in its inbound rules)Allows all __________
inbound traffic from other instances associated with the default security group
outbound traffic from the instance.
Security groups act at the __________
instance level, not the subnet level.
security group rule for SQL Server
Protocol type: TCP
Protocol number: 6
Port: 1433 (MS SQL)
Notes: the default port to access a Microsoft SQL Server database, for example, on an Amazon RDS instance
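The SQL Server rule above, sketched as a CloudFormation security group ingress entry; the group reference and source CIDR are hypothetical (in practice you'd restrict the source to your app tier).

```yaml
SqlServerIngress:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    GroupId: !Ref DatabaseSecurityGroup   # hypothetical security group
    IpProtocol: tcp                       # protocol number 6
    FromPort: 1433                        # default MS SQL Server port
    ToPort: 1433
    CidrIp: 10.0.1.0/24                   # hypothetical app-tier subnet
```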
Network access control lists (ACLs) - act as a __________
firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level
Flow logs - capture information about the __________
IP traffic going to and from network interfaces in your VPC
You can secure your VPC instances using only __________; however, you can add __________ as an additional layer of defense.
security groups
network ACLs
You can monitor the accepted and rejected IP traffic going to and from your instances by creating a __________.
flow log for a VPC, subnet, or individual network interface
Flow log data is published to __________, and can help you diagnose __________
CloudWatch Logs
overly restrictive or overly permissive security group and network ACL rules.
A stateful web service will keep track of the__________
"state" of a client's connection and data over several requests.
stateful web service example: the client might log in, select a user's __________
account data, update their address, attach a photo, and change the status flag, then disconnect
the server remembers the state throughout
In a stateless web service, the server __________.
doesn't keep any information from one request to the next
The client needs to do its work in a series of simple transactions, and the client has to keep track of what happens between requests. So in the above example, the client needs to do each operation separately: connect and update the address, disconnect; connect and attach the photo, disconnect; connect and change the status flag, disconnect.
A stateless web service is __________
much simpler to implement, and can handle greater volume of clients.
"To handle the removal of instances without impacting your service, you need to ensure that your application instances are __________
stateless. This means that all system and application state is stored and managed outside of the instances themselves."
both DynamoDB and RDS manage state! How do we make the web tier stateless? By using a __________
DB service and keep your session in ElastiCache, where you can retrieve it using a session ID from the request header
Network Access Control Lists are applicable at the __________. That's not the case with security groups; security groups have to be __________
subnet level, so any instance in a subnet with an associated NACL will follow the rules of the NACL
assigned explicitly to the instance.
stateful firewall
remembers traffic that left, so it will allow the response to return from the target
Stateful firewalls remember info between
states; context-sensitive
more powerful than stateless
security groups are __________
this means if you send a __________
stateful
request from your instance, the response traffic is allowed back in, and vice versa
The process of inspecting traffic to identify unique sessions is called __________
stateful inspection.
stateless firewall
A firewall capable only of examining packets individually. Stateless firewalls perform more quickly than stateful firewalls, but are not as sophisticated.
stateless firewall doesn't __________
remember info between states, context-free, less powerful than stateful
NACL: Stateless: This means any changes applied to an incoming rule will __________
not be applied to the outgoing rule.
Example: if you allow incoming port 80, you would also need to apply the rule for outgoing traffic.
security group Stateful: This means any changes applied to an incoming rule will __________
be automatically applied to the outgoing rule.
Example: if you allow incoming port 80, the outgoing port 80 will be automatically opened.
Security Group Supports __________
Allow rules only (by default, all traffic is denied)
You cannot deny a specific IP address from establishing a connection
DENY rules are not supported
Network ACLSupports __________
Allow and Deny rules
By Deny rules we mean you can explicitly deny a certain IP address from establishing a connection
example: block IP address 192.168.0.2 from establishing a connection to an EC2 instance
Network ACLs are tied to the subnet. This means any instance within the subnet gets the rule applied. If you have many instances, managing the firewalls using a Network ACL can __________
be very useful. Otherwise, with security groups, you have to manually assign a security group to each instance.
Network ACL rules are applied __________
Example:
Rule # (order number) | Type | Protocol | Port Range | Source | Allow/Deny
100 | HTTP (80) | TCP (6) | 80 | 0.0.0.0/0 | ALLOW
200 | HTTPS (443) | TCP (6) | 443 | 0.0.0.0/0 | ALLOW
in their order (the rule with the lower number gets processed first)
security group is the _______ layer of defense
second
Network ACL is the first, since inbound traffic crosses the subnet boundary before it reaches the instance
you can associate an NACL with _______ subnets; however, ___________
multiple
a subnet can be associated with only one NACL at a time
NACL as soon as a rule matches traffic, it's
applied regardless of any higher number rule that may contradict it
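The first-match behavior above can be sketched as a tiny evaluator: rules are checked in ascending rule-number order and the first match wins, regardless of what a higher-numbered rule says. The rule tuples are hypothetical.

```python
def evaluate(rules, port):
    """rules: list of (rule_number, port, action); first match in number order wins."""
    for num, rule_port, action in sorted(rules):
        if rule_port == port:
            return action
    return "DENY"  # the implicit catch-all rule denies unmatched traffic

rules = [(100, 80, "ALLOW"), (200, 443, "ALLOW"), (150, 80, "DENY")]
# port 80 matches rule 100 first, so it's allowed despite the deny at 150
```

This is also why the increments-of-100 convention in the next card matters: it leaves gaps to slip new rules in ahead of existing ones.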
recommended to create NACL rules
like BASIC line numbers, in increments of 100
in Security Group all rules are
evaluated before deciding whether to allow traffic; unlike NACLs, there is no rule ordering
A VPC peering connection is a networking connection between two VPCs that enables you to __________
route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other AS IF THEY ARE WITHIN the same network.
You can create a VPC peering connection between your own VPCs, or with a VPC in __________
another AWS account.
The VPCs can be in different __________
regions (also known as an inter-region VPC peering connection).
AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a __________,
gateway nor a VPN connection
VPC peering does not rely on a separate piece of __________
physical hardware. There is no single point of failure for communication or a bandwidth bottleneck.
A VPC peering connection helps you to facilitate the transfer of data. For example, if you have more than one AWS account, you can peer the VPCs across those accounts to create a __________. You can also use a VPC peering connection to allow other VPCs to __________
file sharing network
access resources you have in one of your VPCs.
A VPC peering connection is a __________.
one to one relationship between two VPCs
You can create multiple VPC peering connections for each VPC that you own, but __________.
transitive peering relationships are not supported
You do not have any peering relationship with VPCs __________
that your VPC is not directly peered with.
You cannot create a VPC peering connection between VPCs that have __________.
matching or overlapping IPv4 or IPv6 CIDR blocks
Amazon always assigns your VPC a unique IPv6 CIDR block. If your IPv6 CIDR blocks are unique but your IPv4 blocks are not, you __________
cannot create the peering connection.
VPC peering can be done only for
VPCs within a region (originally; inter-region VPC peering is now supported)
To establish a VPC peering connection, you do the following:1. The owner of the requester VPC sends a request to the __________
owner of the accepter VPC to create the VPC peering connection. The accepter VPC can be owned by you, or another AWS account, and cannot have a CIDR block that overlaps with the requester VPC's CIDR block.
2. The owner of the accepter VPC accepts the VPC peering connection request to activate the VPC peering connection.3. To enable the flow of traffic between the VPCs using private IP addresses, the owner of each VPC in the VPC peering connection must __________
manually add a route to one or more of their VPC route tables that points to the IP address range of the other VPC (the peer VPC).
4. If required, update the __________
security group rules that are associated with your instance to ensure that traffic to and from the peer VPC is not restricted.
If both VPCs are in the same region, you can reference a security group from the __________
peer VPC as a source or destination for ingress or egress rules in your security group rules.
If both VPCs are in the same region, you can modify your VPC connection to enable __________.
DNS hostname resolution
By default, if instances on either side of a VPC peering connection address each other using a __________
public DNS hostname, the hostname resolves to the instance's public IP address.
You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a __________
different AWS Region.
A VPC endpoint enables you to __________
privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
VPC endpoint: Instances in your VPC do not require __________.
public IP addresses to communicate with resources in the service
VPC endpoint: Traffic between your VPC and the other service __________
does not leave the Amazon network.
VPC Endpoints are __________ devices. They are __________
virtual
horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.
There are two types of VPC endpoints:__________
interface endpoints and gateway endpoints.
interface endpoint is an __________
elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service.
an interface endpoint supports the following services: __________
Amazon API Gateway
AWS CloudFormation
Amazon CloudWatch
Amazon CloudWatch Events
Amazon CloudWatch Logs
AWS CodeBuild
AWS Config
Amazon EC2 API
Elastic Load Balancing API
AWS Key Management Service
Amazon Kinesis Data Streams
Amazon SageMaker Runtime
AWS Secrets Manager
AWS Security Token Service
AWS Service Catalog
Amazon SNS
A gateway endpoint is a gateway that is a target for a __________
specified route in your route table, used for traffic destined to a supported AWS service. The following AWS services are supported:
Amazon S3
DynamoDB
AWS PrivateLink simplifies the security of data shared with cloud-based applications by __________
eliminating the exposure of data to the public Internet.
AWS PrivateLink provides private connectivity between __________
VPCs, AWS services, and on-premises applications, securely on the Amazon network.
Connect your VPCs to services in AWS in a secure and scalable manner with AWS PrivateLink. AWS PrivateLink traffic doesn't traverse the Internet, reducing the exposure to threat vectors such as __________
brute force and distributed denial-of-service attacks
AWS PrivateLink: Use __________ so that your services function as though they were hosted directly on your private network.
private IP connectivity and security groups
Significantly simplify your internal network architecture with AWS PrivateLink. Connect services across different accounts, and VPCs within your own organization, with no need for __________
firewall rules, path definitions, or route tables.
AWS PrivateLink: There is no longer a need to configure an __________
Internet gateway or a VPC peering connection.
More easily migrate traditional on-premises applications to SaaS offerings hosted in the cloud with AWS PrivateLink. Since your data does not get exposed to the Internet where it can be compromised, you can migrate and use more cloud services with the confidence that __________
your traffic remains secure and compliant with regulations. You no longer have to choose between using a service and exposing your critical data to the Internet.
You can create your own application in your VPC and configure it as an __________
AWS PrivateLink-powered service (referred to as an endpoint service).
Other AWS principals can create a connection from their VPC to your endpoint service using an interface VPC endpoint. You are the __________
service provider, and the AWS principals that create connections to your service are service consumers.
AWS Data Pipeline is a web service that helps you __________
reliably process and move data between different AWS compute and storage services, as well as on-premises data sources, at specified intervals.
AWS Data Pipeline can copy from __________
S3 to DynamoDB, to and from RDS MySQL, S3 and Redshift.
Also, AWS Data Pipeline can copy this data from __________
one AWS Region to another.
to create VPC endpoint
specify the VPC and the service you want
can also attach a policy
specify the route table
why use VPC endpoint
save a lot of money, since there are no data transfer charges between EC2 in your VPC and S3
When using a custom DNS for name resolution, both __________ must be implemented.
forward DNS lookup and reverse DNS lookup
To set up DNS in your VPC, ensure that DNS hostnames and DNS resolution are both enabled in your VPC. The VPC network attributes __________
enableDnsHostnames and enableDnsSupport must be set to true.
every VPC must only have
one DHCP option set assigned to it
once you've associated a new DHCP option set,
new instances launched in VPC will automatically start using the newer option set
The following table lists all the supported options for a DHCP options set
domain-name-servers (DNS)
domain-name
ntp-servers (Network Time Protocol)
netbios-name-servers
netbios-node-type
BGP
(Border Gateway Protocol)
BGP (Border Gateway Protocol)
Dubbed the "protocol of the Internet," this path-vector routing protocol is the only current EGP and is capable of considering many factors in its routing metrics.
EGP (Exterior Gateway Protocol)
The protocol responsible for exchanging routing information between two neighboring gateways.
why direct connect
more bandwidth between your data center and AWS
most start with two for redundancy
if can't afford two direct connects, then ____________
start with one Direct Connect and one VPN for failover
many start with a VPN before Direct Connect
VPC flow logs
To log all your VPC traffic to CloudWatch.
VPC flow logs help see
why specific traffic is not reaching an instance
can then spot overly restrictive security group rules
can see security attacks
VPC flow logs cost
no charge
however, CloudWatch Logs charges apply
in every account, a _____________ is created
default VPC
helps you jumpstart on AWS
deleting the default VPC is not recommended
even if it's not used, since that can create problems later
with EC2, you have complete
control, just like in your own data center; can start and stop instances and have root access; can control and reboot with APIs
EC2 instance type that you specify determines the __________
hardware of the host computer used for your instance.
Each instance type offers different __________
compute, memory, and storage capabilities, and is grouped into an instance family based on these capabilities.
6 instance types
General purpose; Compute optimized; Memory optimized; Storage optimized; Accelerated computing; Bare metal
General purpose
T2 (baseline with burst), M5 (latest gen), M4, M3; provide a balance of compute, memory, and networking resources, and can be used for a variety of workloads
M5 (latest gen), M4, M3 do not
provide burst like T*
how can a T2 burst?
accrue CPU credits when idle, so ideal for workloads that don't sustain full CPU utilization
T2 used for
web server, development environment
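The burst mechanics above can be sketched as a toy credit model. The earn rate, spend amount, and cap below are illustrative numbers, not AWS's exact per-instance-size values: credits accrue each hour the instance sits below baseline, up to a cap, and are spent when it bursts.

```python
# Toy model of T2 CPU-credit accrual and spend (illustrative numbers).
def tick(balance, earned_per_hour, spent, cap):
    balance = min(balance + earned_per_hour, cap)  # accrue while idle
    return max(balance - spent, 0.0)               # spend when bursting

balance = 0.0
for _ in range(10):  # ten quiet hours: credits build up
    balance = tick(balance, earned_per_hour=6, spent=0, cap=144)
balance = tick(balance, earned_per_hour=6, spent=30, cap=144)  # one burst hour
print(balance)  # 36.0
```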
Compute optimized
C5, C4, C3; media transcoding, large user bases, long-running batch, gaming
Memory optimized
X1e, X1, R4, R3; in-memory DBs like SAP HANA, Oracle DB In-Memory, NoSQL, Presto, Spark
Memory Optimized good for HPC
High Performance Computing
Storage optimized
H1, I3, D2; anything I/O-bound like databases, data warehouses, NoSQL, Redis
Accelerated computing or Advanced Computing
P3, P2, G3, F1; machine learning, computational finance
Accelerated computing or Advanced Computing
provides access to hardware-based accelerators like GPUs or FPGAs, which enable parallelism
Bare metal
...
Current generation instance types __________ only. Some previous generation instance types support __________ and some AWS regions support PV instances.
support hardware virtual machine (HVM); paravirtual (PV)
For best performance, we recommend that you use an __________
HVM AMI. In addition, HVM AMIs are required to take advantage of enhanced networking.
EC2 uses Intel processors, so you can in turn use all the processor features Intel provides
AES-NI, Advanced Vector Extensions, Turbo Boost
AES-NI
Advanced Encryption Standard New Instructions; faster and more secure data encryption
Advanced Vector Extensions
improved image and audio/video processing
Turbo Boost
more performance when needed
placement group
logical grouping of instances within a single Availability Zone.
Placement groups enable applications to participate in a __________.
low-latency, high-speed 10 Gbps network
Placement groups are recommended for applications that benefit from __________.
low network latency, high network throughput, or both. Remember that this represents network connectivity between instances
To fully use this network performance for your placement group, choose an instance type that supports __________
enhanced networking and 10 Gbps network performance.
The main differences between PV and HVM AMIs are the way in which they __________ and whether they can take advantage of __________
boot; special hardware extensions (CPU, network, and storage) for better performance
placement group aka
cluster networking or mesh networking; each computer talks to every other computer
placement group must be in
same AZ
cannot move an existing instance into a
placement group
Cluster - __________
clusters instances into a low-latency group in a single Availability Zone
Spread - __________
spreads instances across underlying hardware
A cluster placement group is a __________
logical grouping of instances within a single Availability Zone. A placement group can span peered VPCs in the same region.
The chief benefit of a cluster placement group, in addition to a __________
10 Gbps flow limit, is the non-blocking, non-oversubscribed, fully bi-sectional nature of the connectivity.
cluster placement group, all nodes within the placement group can talk to __________
all other nodes within the placement group at the full line rate of 10 Gbps per flow and 25 Gbps aggregate, without any slowing due to over-subscription.
We recommend that you launch the number of instances that you need in the placement group in a __________
single launch request and that you use the same instance type for all instances in the placement group.
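The recommendation above (one launch request, one instance type) can be sketched as a parameter builder. The AMI ID and group name are hypothetical; with credentials you would pass the dict to boto3 as `ec2.run_instances(**params)`.

```python
# Build a single-request launch for a cluster placement group, using the
# same instance type for every instance, per the recommendation above.
def cluster_launch_params(ami_id, instance_type, count, group_name):
    return {
        "ImageId": ami_id,
        "InstanceType": instance_type,           # same type for all instances
        "MinCount": count,                       # all-or-nothing single request
        "MaxCount": count,
        "Placement": {"GroupName": group_name},  # the cluster placement group
    }

params = cluster_launch_params("ami-0123abcd", "c5.large", 8, "my-cluster-pg")
print(params["Placement"])
```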
If you try to add more instances to the placement group later, or if you try to launch more than one instance type in the placement group, you increase your chances of __________
getting an insufficient capacity error.
If you receive a capacity error when launching an instance in a placement group that already has running instances, __________
stop and start all of the instances in the placement group, and try the launch again. Restarting the instances may migrate them to hardware that has capacity for all the requested instances.
A spread placement group is a group of instances that are __________
each placed on distinct underlying hardware.
Spread placement groups are recommended for applications that have a __________
small number of critical instances that should be kept separate from each other.
Launching instances in a spread placement group reduces the risk of __________
simultaneous failures that might occur when instances share the same underlying hardware.
Spread placement groups provide access to distinct hardware, and are therefore suitable for __________
mixing instance types or launching instances over time.
A spread placement group can __________, and you can have a maximum of __________ running instances per Availability Zone per group.
span multiple Availability Zones; seven
The following are the only instance types that you can use when you launch an instance into a cluster placement group:__________
General purpose: M4, M5, M5d [notice no T*]; Compute optimized: C3, C4, C5, C5d, cc2.8xlarge; Memory optimized: cr1.8xlarge, R3, R4, R5, R5d, X1, X1e, z1d; Storage optimized: D2, H1, hs1.8xlarge, I2, I3, i3.metal; Accelerated computing: F1, G2, G3, P2, P3
The maximum network throughput speed of traffic between two instances in a cluster placement group is limited by the __________
slower of the two instances.
__________ (SR-IOV)
single root I/O virtualization
Single-root I/O virtualization
method of device virtualization that provides higher I/O performance and lower CPU utilization when compared to traditional virtualized network interfaces.
Enhanced networking provides __________
higher bandwidth, higher packet per second (PPS) performance, and consistently lower inter-instance latencies.
There is no additional charge for using __________
enhanced networking.
EC2 on-demand instance
most popular; pay a flat hourly or per-second rate; no commitment or minimums
EC2 __________ instance provides up to a __________ % discount compared to an __________ instance
reserved; 75; on-demand
EC2 Reserved instance provide you with a significant discount (up to 75%) compared to On-Demand instance pricing. In addition, when Reserved Instances are assigned to a specific __________
Availability Zone, they provide a capacity reservation, giving you additional confidence in your ability to launch instances when you need them.
2 types of Reserved Instances Purchase Options: __________ and __________
Standard; Convertible
Standard Reserved Instances provide you with a significant discount (up to 75%) compared to On-Demand instance pricing, and can be purchased for a __________ term. Customers have the flexibility to change the __________ type of their Standard Reserved Instances.
1-year or 3-year; Availability Zone, the instance size, and networking
Purchase Convertible Reserved Instances if you need additional flexibility, such as the ability to use __________ Convertible Reserved Instances provide you with a significant discount (up to __________%) compared to On-Demand Instances and can be purchased for a 1-year or 3-year term.
different instance families, operating systems, or tenancies over the Reserved Instance term; 54
You can choose between three payment options when you purchase a Standard or Convertible Reserved Instance. With the __________
All Upfront option, Partial Upfront option, No Upfront option
All Upfront option, __________
you pay for the entire Reserved Instance term with one upfront payment. This option provides you with the largest discount compared to On-Demand instance pricing.
With the Partial Upfront option, you make a __________
low upfront payment and are then charged a discounted hourly rate for the instance for the duration of the Reserved Instance term.
The No Upfront option __________
does not require any upfront payment and provides a discounted hourly rate for the duration of the term.
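The three payment options above can be compared by amortizing any upfront payment over the term and adding the hourly rate. The prices below are made up for illustration; only the ordering (All Upfront cheapest, No Upfront most expensive) reflects the text.

```python
# Effective hourly cost of a Reserved Instance payment option.
def effective_hourly(upfront, hourly, term_hours=8760):  # 1-year term
    return upfront / term_hours + hourly

# Hypothetical prices for one instance type:
all_upfront     = effective_hourly(upfront=700.8, hourly=0.000)
partial_upfront = effective_hourly(upfront=350.4, hourly=0.045)
no_upfront      = effective_hourly(upfront=0.0,   hourly=0.095)
print(all_upfront, partial_upfront, no_upfront)
```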
Amazon EC2 Spot Instances __________
offer spare compute capacity available in the AWS cloud at steep discounts compared to On-Demand instances. Spot Instances enable you to optimize your costs on the AWS cloud and scale your application's throughput up to 10X for the same budget.
If your maximum price exceeds the current Spot price, Amazon EC2 __________. Otherwise, Amazon EC2 __________
fulfills your request immediately if capacity is available; waits until your request can be fulfilled or until you cancel the request.
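The fulfillment rule above reduces to a simple decision, sketched here as a toy model (not an AWS API):

```python
# Simplified model of the Spot request decision: fulfill immediately when
# the bid covers the current Spot price and capacity exists, else wait.
def spot_request_outcome(max_price, spot_price, capacity_available):
    if max_price >= spot_price and capacity_available:
        return "fulfilled"
    return "waiting"

print(spot_request_outcome(0.05, 0.03, True))   # fulfilled
print(spot_request_outcome(0.02, 0.03, True))   # waiting
```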
To use Spot Instances, you create a Spot Instance request that includes the __________.
number of instances, the instance type, the Availability Zone, and the maximum price that you are willing to pay per instance hour
Amazon EC2 does not terminate Spot Instances with a __________ when the Spot price changes. This makes them ideal for jobs that take a finite time to complete, such as batch processing, encoding and rendering, modeling and analysis, and continuous integration.
specified duration (also known as Spot blocks)
Spot Instance pool - __________
A set of unused EC2 instances with the same instance type, operating system, Availability Zone, and network platform.
Spot price - __________
The current price of a Spot Instance per hour.
AMI
Amazon Machine Image
Amazon Machine Image
provides the information required to launch an instance, which is a virtual server in the cloud.
An AMI includes the following 3x:__________
1) A template for the root volume for the instance (for example, an operating system, an application server, and applications); 2) Launch permissions that control which AWS accounts can use the AMI to launch instances; 3) A block device mapping that specifies the volumes to attach to the instance when it's launched
You can share an AMI with specific AWS accounts without __________. All you need are the __________
making the AMI public; AWS account IDs
AMIs are a __________ resource. Therefore, sharing an AMI makes it available in that __________.
regional; region
To make an AMI available in a different region, __________
copy the AMI to the region and then share it.
All AMIs are categorized as either backed by __________.
Amazon EBS or backed by instance store
Amazon EBS backed
root device for an instance launched from the AMI is an Amazon EBS volume created from an Amazon EBS snapshot.
backed by instance store
root device for an instance launched from the AMI is an instance store volume created from a template stored in Amazon S3.
3 AMI Launch Permissions (with descriptions): __________
public - The owner grants launch permissions to all AWS accounts; explicit - The owner grants launch permissions to specific AWS accounts; implicit - The owner has implicit launch permissions for an AMI.
When you launch an instance from an instance store-backed AMI, __________.
all the parts have to be retrieved from Amazon S3 before the instance is available
With an Amazon EBS-backed AMI, __________
only the parts required to boot the instance need to be retrieved from the snapshot before the instance is available.
You use a shared AMI at your own risk. Amazon can't vouch for the __________. Therefore, you should treat shared AMIs as you would any foreign code that you might consider deploying in your own data center and perform the appropriate due diligence.
integrity or security of AMIs shared by other Amazon EC2 users
only EBS backed instances support the
stop action and can have data persistence
Linux Amazon Machine Images use one of two types of virtualization: __________.
paravirtual (PV) or hardware virtual machine (HVM)
The main differences between PV and HVM AMIs are the way in which they __________
boot and whether they can take advantage of special hardware extensions (CPU, network, and storage) for better performance.
For the best performance, we recommend that you use __________ when you launch your instances.
current generation instance types and HVM AMIs
HVM AMIs are presented with a __________ of the root block device of your image.
fully virtualized set of hardware and boot by executing the master boot record
HVM provides the ability to run an operating system __________
directly on top of a virtual machine without any modification, as if it were run on the bare-metal hardware
Unlike PV guests, HVM guests can take advantage of __________ that provide fast access to the underlying hardware on the host system.
hardware extensions
PV AMIs boot with a special boot loader called PV-GRUB, which starts the boot cycle and then chain loads the kernel specified in the menu.lst file on your image. Paravirtual guests can run on host hardware that does not have explicit support for virtualization, but they cannot take advantage of special __________
hardware extensions such as enhanced networking or GPU processing.
Paravirtual guests traditionally performed better with storage and network operations than HVM guests because they could leverage __________, whereas HVM guests had to translate these instructions to emulated hardware.
special drivers for I/O that avoided the overhead of emulating network and disk hardware
Now PV drivers are available for HVM guests, so operating systems that cannot be ported to run in a paravirtualized environment can still see performance advantages in storage and network I/O by using them. With these PV on HVM drivers, HVM guests can get the __________
same, or better, performance than paravirtual guests.
ICMP
Internet Control Message Protocol
Internet Control Message Protocol (ICMP) is a __________
supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached.
ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to
exchange data between systems, nor is it regularly employed by end-user network applications (with the exception of some diagnostic tools like ping and traceroute).
security groups: if there is more than 1 rule for a port, you apply
the most permissive rule
ECS containers are like hardware virtualization (like EC2) but instead of
partitioning a machine, you isolate the processes running on a single OS
the first time you log into an EC2 instance, you need
the key pair
IAM all permissions are at start
implicitly denied by default
STS
Security Token Service
Security Token Service
web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
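Requesting temporary credentials via STS boils down to a small set of parameters. A hedged sketch: the role ARN and session name are hypothetical, and with credentials you would pass the dict to boto3 as `sts.assume_role(**params)`.

```python
# Build the parameters for an STS AssumeRole request.
def assume_role_params(role_arn, session_name, duration_seconds=3600):
    return {
        "RoleArn": role_arn,                  # the role to assume
        "RoleSessionName": session_name,      # shows up in CloudTrail
        "DurationSeconds": duration_seconds,  # credentials expire after this
    }

params = assume_role_params(
    "arn:aws:iam::123456789012:role/ReadOnly", "audit-session")
print(params["DurationSeconds"])
```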
root account
cannot restrict any access here
can't add one group into
another group; groups can only contain users
IAM roles allow you to __________
delegate access to users or services that normally don't have access to your organization's AWS resources.
AWS role Trust policy - __________
A document in JSON format in which you define WHO is allowed to assume the role. This trusted entity is included in the policy as the principal element in the document.
AWS role Permissions policy - __________
A permissions document in JSON format in which you define WHAT actions and resources the role can use
IAM Best Practices - __________
Lock Away Your AWS Account Root User Access Keys; Grant Least Privilege; Configure a Strong Password Policy for Your Users; Enable MFA for Privileged Users; Use Roles for Applications That Run on Amazon EC2 Instances; Remove Unnecessary Credentials; Use Policy Conditions for Extra Security; Monitor Activity in Your AWS Account
Policy conditions are __________
boolean operators that determine whether a match exists between a policy and a request. There are a near limitless number of conditions that can be used for IAM policies.
Policy conditions are especially useful when working with __________ who need access to your organization's AWS resources.
partners and third-party vendors
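A hedged example of what such a condition looks like in a policy document, built as a Python dict: the bucket name and CIDR range are hypothetical, and the `Condition` block restricts the partner's access to requests originating from their network.

```python
import json

# Hypothetical policy: allow S3 reads only from a partner's IP range.
policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::partner-shared-bucket/*",
        # Condition: the statement matches only for the partner's CIDR block.
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
}
print(json.dumps(policy, indent=2))
```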
Kubernetes
an open source system for automating deployment, scaling, and management of CONTAINERIZED applications
The Old Way to deploy applications was to install the applications on a host using the operating-system package manager. This had the disadvantage of entangling the applications' __________ with each other and with the host OS. One could build immutable virtual-machine images in order to achieve predictable rollouts and rollbacks, but VMs are __________
executables, configuration, libraries, and lifecycles; heavyweight and non-portable
The New Way is to deploy containers based on operating-system-level virtualization rather than hardware virtualization. These containers are isolated from each other and from the host: they have their own filesystems, they can't __________. They are easier to build than VMs, and because they are decoupled from the underlying infrastructure and from the host filesystem, they are portable across __________
see each others' processes, and their computational resource usage can be bounded; clouds and OS distributions
Because containers are small and fast, one application can be packed in each container image. This one-to-one __________ relationship unlocks the full benefits of containers.
application-to-image
The name Kubernetes originates from Greek, meaning __________, and is the root of governor and cybernetic. __________ is an abbreviation derived by replacing the __________
helmsman or pilot; K8s; 8 letters "ubernete" with "8"
CNCF
Cloud Native Computing Foundation
Cloud Native Computing Foundation builds __________
sustainable ecosystems and fosters a community around a constellation of high-quality projects that orchestrate containers as part of a microservices architecture.
Using EC2 Fleet, you can define separate __________ capacity targets, specify the instance types that work best for your applications, and specify how Amazon EC2 should __________ your fleet capacity within each purchasing model.
On-Demand and Spot; distribute
AWS Auto Scaling monitors your applications and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost. Using AWS Auto Scaling, you can setup scaling for multiple resources across multiple services in minutes. AWS Auto Scaling provides a simple, powerful user interface that lets you build scaling plans for Amazon __________
EC2 instances and Spot Fleets, Amazon ECS tasks, Amazon DynamoDB tables, and Amazon Aurora Replicas.
When an impaired instance fails a health check, Amazon EC2 Auto Scaling automatically __________
terminates it and replaces it with a new one. That means that you don't need to respond manually when an instance needs replacing.
Auto Scaling group can span
multiple AZs within region
Amazon EC2 Auto Scaling supports cooldown periods when using __________ scaling policies, but not when using __________ scaling.
simple; target tracking policies, step scaling policies, or scheduled
Amazon EC2 Auto Scaling supports the following adjustment types for step scaling and simple scaling:__________
ChangeInCapacity, ExactCapacity, PercentChangeInCapacity
ChangeInCapacity - __________
Increase or decrease the current capacity of the group by the specified number of instances. A positive value increases the capacity and a negative adjustment value decreases the capacity.Example: If the current capacity of the group is 3 instances and the adjustment is 5, then when this policy is performed, there are 5 instances added to the group for a total of 8 instances.
ExactCapacity - __________
Change the current capacity of the group to the specified number of instances. Specify a positive value with this adjustment type.Example: If the current capacity of the group is 3 instances and the adjustment is 5, then when this policy is performed, the capacity is set to 5 instances.
PercentChangeInCapacity - __________
Increment or decrement the current capacity of the group by the specified percentage. A positive value increases the capacity and a negative value decreases the capacity. If the resulting value is not an integer, it is rounded as follows: values greater than 1 are rounded down (for example, 12.7 is rounded to 12). Example: If the current capacity is 10 instances and the adjustment is 10 percent, then when this policy is performed, 1 instance is added to the group for a total of 11 instances.
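The PercentChangeInCapacity arithmetic above can be sketched in a few lines. Note one assumption: the text only states the "round down when greater than 1" rule; rounding a fractional result between 0 and 1 up to 1 (so a small group still scales) is added here as a labeled assumption.

```python
import math

# Sketch of the PercentChangeInCapacity adjustment arithmetic.
def percent_change_in_capacity(current, percent):
    delta = current * percent / 100.0
    if delta > 1:
        delta = math.floor(delta)  # e.g. 12.7 -> 12, per the text above
    elif 0 < delta < 1:
        delta = 1                  # assumption: always add at least one
    return current + int(delta)

print(percent_change_in_capacity(10, 10))  # the example above: 10 -> 11
```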
This section shows you how to scale your Auto Scaling group in response to changing demand from an Amazon __________ queue.
Simple Queue Service (Amazon SQS)
Amazon SQS offers a __________
secure, durable, and available hosted queue that lets you integrate and decouple distributed software systems and components.
Operating at the individual request level (Layer 7), __________ routes traffic to targets within Amazon Virtual Private Cloud (Amazon VPC) based on the content of the request.
Application Load Balancer
Network Load Balancer is also optimized to handle __________ traffic patterns.
sudden and volatile
Classic Load Balancer provides basic load balancing across multiple Amazon EC2 instances and operates at both the __________ level.
request and connection
__________Load Balancer is intended for applications that were built within the EC2-Classic network.
Classic
With enhanced container support for Elastic Load Balancing, you can now load balance across multiple __________ on the same Amazon EC2 instance. You can also take advantage of deep integration with the Amazon __________, which provides a fully-managed container offering.
ports; EC2 Container Service (ECS)
Simply register a service with a load balancer, and ECS transparently manages the __________ containers. The load balancer automatically detects the port and dynamically reconfigures itself.
registration and de-registration of Docker
Elastic Load Balancing offers the ability to load balance across __________ using the same load balancer.
AWS and on-premises resources
For example, if you need to distribute application traffic across both AWS and on-premises resources, you can achieve this by registering all the resources to the __________
same target group and associating the target group with a load balancer
There are three types of load balancers: __________
Application Load Balancers, Network Load Balancers, and Classic Load Balancers.
If you are running microservices, you can route traffic to __________ using path-based routing. For example, you can route general requests to one target group and requests to render images to another target group.
multiple back-end services
You can also create rules that combine __________ routing. This would allow you to route requests to api.example.com/production and api.example.com/sandbox to distinct target groups.
host-based routing and path-based
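The combined host- and path-based rules above can be sketched as a toy router. This is not an AWS API: the target group names are hypothetical, and a real ALB evaluates listener rules in priority order with a default action as fallback.

```python
# Toy model of ALB listener rules combining host- and path-based routing,
# as in the api.example.com/production vs /sandbox example above.
def route(host, path):
    if host == "api.example.com" and path.startswith("/production"):
        return "tg-production"
    if host == "api.example.com" and path.startswith("/sandbox"):
        return "tg-sandbox"
    if path.startswith("/images"):  # path-only rule for image rendering
        return "tg-images"
    return "tg-default"             # fallback, like the default action

print(route("api.example.com", "/production/orders"))  # tg-production
```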
Before you start using your Application Load Balancer, you must add one or more __________.
listeners
A listener is a process that checks for __________.
connection requests, using the protocol and port that you configure
The rules that you define for a listener determine how the __________
load balancer routes requests to the targets in one or more target groups.
Listeners support the following protocols and ports:__________
Protocols: HTTP, HTTPS; Ports: 1-65535
Each target group is used to __________
route requests to one or more registered targets.
When you create each listener rule, you specify a target group and conditions. When a rule condition is met, traffic is __________
forwarded to the corresponding target group.
You can create different target groups for different types of requests. For example, create one target group for __________
general requests and other target groups for requests to the microservices for your application
cross-zone load balancing, which changes the way that Elastic Load Balancing (ELB) __________
routes incoming requests, making it even easier for you to deploy applications across multiple Availability Zones.
__________, which enables the load balancer to bind a user's session to a specific instance. This ensures that all requests from the user during the session are sent to the same instance.
sticky session feature (also known as session affinity)
Application Load Balancers support __________ only. The name of the cookie is __________. The contents of these cookies are encrypted using a rotating key. You cannot decrypt or modify load balancer-generated cookies.
load balancer-generated cookies; AWSALB
Sticky sessions benefit
caching
serverless
no infrastructure to manage; scalability; built-in redundancy; pay only for usage
lambda supports 4 languages
Python, C#, Java, Node.js
lambda max duration
5 minutes
1) Metering. API Gateway helps you define plans that __________
meter and restrict third-party developer access to your APIs. You can define a set of plans, configure throttling, and quota limits on a per API key basis. API Gateway automatically meters traffic to your APIs and lets you extract utilization data for each API key.
2) Security. API Gateway provides you with multiple tools to authorize access to your APIs and control service operation access. Amazon API Gateway allows you to leverage AWS administration and security tools, such as __________
AWS Identity and Access Management (IAM) and Amazon Cognito, to authorize access to your APIs. Amazon API Gateway can verify signed API calls on your behalf using the same methodology AWS uses for its own APIs. Using Lambda authorizers written as AWS Lambda functions, API Gateway can also help you verify incoming bearer tokens, removing authorization concerns from your backend code.
3) Resiliency. Amazon API Gateway helps you manage traffic with __________
throttling so that backend operations can withstand traffic spikes. Amazon API Gateway also helps you improve the performance of your APIs and the latency your end users experience by caching the output of API calls to avoid calling your backend every time.
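Throttling of the kind described above is commonly implemented as a token bucket. This is a toy sketch, not API Gateway's actual implementation, and the rate and burst numbers are hypothetical: each request consumes a token, tokens refill at a steady rate up to a burst cap, and requests arriving with no tokens left are rejected.

```python
import time

# Toy token-bucket throttle (illustrative rate/burst values).
class TokenBucket:
    def __init__(self, rate, burst):
        self.rate = rate            # tokens refilled per second
        self.burst = burst          # maximum bucket size
        self.tokens = float(burst)  # start full
        self.last = time.monotonic()

    def allow(self):
        now = time.monotonic()
        elapsed = now - self.last
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

bucket = TokenBucket(rate=1, burst=2)  # 1 req/s steady, bursts of 2
print([bucket.allow() for _ in range(3)])  # [True, True, False]
```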
4) Operations Monitoring. After an API is published and in use, API Gateway provides you with a metrics dashboard to __________
monitor calls to your services. The Amazon API Gateway dashboard, through integration with Amazon CloudWatch, provides you with backend performance metrics covering API calls, latency data and error rates. You can enable detailed metrics for each method in your APIs and also receive error, access or debug logs in CloudWatch Logs.
5) Lifecycle Management. After an API has been published, you often need to build and test new versions that enhance or add new functionality. Amazon API Gateway lets you operate multiple API versions and multiple stages for each version simultaneously so that existing applications can continue to call __________
previous versions after new API versions are published.
__________ (REST) is an architectural style that defines a set of constraints to be used for creating web services.
REpresentational State Transfer
Web services that conform to the REST architectural style, or RESTful web services, provide __________ between computer systems on the Internet.
interoperability
REST-compliant web services allow the requesting systems to access and manipulate __________representations of web resources by using a __________
textual; uniform and predefined set of stateless operations
KDS
Kinesis Data Streams
Amazon Kinesis Data Streams (KDS) is a __________
massively scalable and durable real-time data streaming service.
KDS data collected is available in __________ to enable real-time analytics use cases such as __________
milliseconds; real-time dashboards, real-time anomaly detection, dynamic pricing, and more
KDS can continuously capture __________ from hundreds of thousands of sources such as __________. The data collected is available in milliseconds to enable real-time analytics use cases such as real-time dashboards, real-time anomaly detection, dynamic pricing, and more.
gigabytes of data per second; website clickstreams, database event streams, financial transactions, social media feeds, IT logs, and location-tracking events
Amazon Kinesis Data Streams enables real-time processing of __________. Amazon Simple Queue Service (Amazon SQS) offers a reliable, highly scalable hosted queue for storing messages as they travel between computers. Amazon SQS lets you easily move data between __________
streaming big data. It provides ordering of records, as well as the ability to read and/or replay records in the same order to multiple Amazon Kinesis Applications. The Amazon Kinesis Client Library (KCL) delivers all records for a given partition key to the same record processor, making it easier to build multiple applications reading from the same Amazon Kinesis data stream (for example, to perform counting, aggregation, and filtering); distributed application components and helps you build applications in which messages are processed independently (with message-level ack/fail semantics), such as automated workflows
We recommend Amazon Kinesis Data Streams for use cases with requirements that are similar to the following:__________
Routing related records to the same record processor (as in streaming MapReduce); ordering of records (for example, you want to transfer log data from the application host to the processing/archival host while maintaining the order of log statements); ability for multiple applications to consume the same stream concurrently (for example, you have one application that updates a real-time dashboard and another that archives data to Amazon Redshift, and you want both applications to consume data from the same stream concurrently and independently). Because Amazon Kinesis Data Streams stores data for up to 7 days, you can run the audit application up to 7 days behind the billing application.
We recommend Amazon SQS for use cases with requirements that are similar to the following:__________
Messaging semantics (such as message-level ack/fail) and visibility timeout (for example, you have a queue of work items and want to track the successful completion of each item independently); individual message delay; dynamically increasing concurrency/throughput at read time (for example, you have a work queue and want to add more readers until the backlog is cleared; with Amazon Kinesis Data Streams, you can scale up to a sufficient number of shards, but note that you'll need to provision enough shards ahead of time); leveraging Amazon SQS's ability to scale transparently (for example, you buffer requests and the load changes as a result of occasional load spikes or the natural growth of your business; because each buffered request can be processed independently, Amazon SQS can scale transparently to handle the load without any provisioning instructions from you).
kinesis data stream allows
parallel processing; e.g., one consumer does real-time analytics while another sends data to S3
kinesis has 3 services
Streams; Firehose - load and transform into S3, Redshift, Elasticsearch; Analytics - analyze using SQL
The __________ continually push data to Kinesis Data Streams, and the __________ process the data in real time.
producers; consumers
Consumers (such as a custom application running on Amazon __________) can store their results using an AWS service such as Amazon__________
EC2 or an Amazon Kinesis Data Firehose delivery stream; DynamoDB, Amazon Redshift, or Amazon S3
Each shard has a sequence of __________. Each data record has a __________ number that is assigned by Kinesis Data Streams.
data records; sequence
A stream's retention period is set to a default of __________hours after creation. You can increase the retention period up to __________ using the IncreaseStreamRetentionPeriod operation, and decrease the retention period down to a minimum of __________
24; 168 hours (7 days); 24 hours using the DecreaseStreamRetentionPeriod operation. Additional charges apply for streams with a retention period set to more than 24 hours.
partition key is used to group data by __________
shard within a stream. Kinesis Data Streams segregates the data records belonging to a stream into multiple shards.
It uses the partition key that is associated with each data record to determine __________
which shard a given data record belongs to.
Each data record has a sequence number that is __________within its shard. Kinesis Data Streams assigns the sequence number after you write to the stream with client.putRecords or client.putRecord. Sequence numbers for the same partition key generally increase over time. The longer the time period between write requests, the__________
unique; larger the sequence numbers become.
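As a sketch of how the partition key drives that routing, the key-to-shard mapping can be modeled like this (the helper name and the even split of the 2^128 hash-key space across shards are assumptions for illustration; real shards can own uneven ranges after splits and merges):

```python
import hashlib

def shard_for_partition_key(partition_key, num_shards):
    # Kinesis MD5-hashes the partition key into a 128-bit integer and
    # routes the record to the shard whose hash-key range contains it.
    # Here the 2**128 key space is split evenly across the shards.
    hash_key = int(hashlib.md5(partition_key.encode("utf-8")).hexdigest(), 16)
    range_size = 2 ** 128 // num_shards
    return min(hash_key // range_size, num_shards - 1)
```

Because the hash is deterministic, all records with the same partition key land on the same shard, which is what preserves per-key ordering.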
Amazon Kinesis Data Firehose is the easiest way to reliably__________. It can capture, transform, and load streaming data into Amazon __________, enabling near real-time analytics with existing business intelligence tools and dashboards you're already using today.
load streaming data into data stores and analytics tools; S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk
Amazon Kinesis Data Firehose can convert the format of incoming data from __________to Parquet or ORC formats before storing the data in Amazon S3, so you can
JSON; save storage and analytics costs
Amazon Kinesis Data Firehose will automatically apply that function to every input data record and load the transformed data to destinations. Amazon Kinesis Data Firehose provides pre-built Lambda blueprints for converting common data sources such as __________. You can use these pre-built blueprints without any change, or customize them further, or write your own custom functions.
Apache logs and system logs to JSON and CSV formats
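A transformation Lambda for Firehose follows the documented record contract (each record carries a recordId and base64 data, and must come back with a result of Ok, Dropped, or ProcessingFailed). The log-line-to-JSON transform below is an illustrative stand-in, not one of the actual blueprints:

```python
import base64
import json

def lambda_handler(event, context):
    # Firehose invokes this with {"records": [{"recordId": ..., "data": <b64>}]}.
    # Each record is decoded, transformed (here: wrap a plain-text log line
    # in JSON), re-encoded, and returned with result "Ok" so Firehose
    # delivers the transformed data to the destination.
    output = []
    for record in event["records"]:
        line = base64.b64decode(record["data"]).decode("utf-8")
        transformed = json.dumps({"message": line.strip()}) + "\n"
        output.append({
            "recordId": record["recordId"],   # must echo the original id
            "result": "Ok",                   # or "Dropped" / "ProcessingFailed"
            "data": base64.b64encode(transformed.encode("utf-8")).decode("utf-8"),
        })
    return {"records": output}
```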
You can also configure Amazon Kinesis Data Firehose to automatically __________
retry failed jobs and back up the raw streaming data.
Amazon Kinesis Data Analytics is the easiest way to __________
process streaming data in real time with standard SQL without having to learn new programming languages or processing frameworks.
Amazon Kinesis Data Analytics enables you to __________
query streaming data or build entire streaming applications using SQL, so that you can gain actionable insights and respond to your business and customer needs promptly.
Amazon Kinesis Data Analytics takes care of everything required to run your queries continuously and __________
scales automatically to match the volume and throughput rate of your incoming data.
With Amazon Kinesis Data Analytics, you only pay for the __________
resources your queries consume. There is no minimum fee or setup cost.
origin web server
aka origin; the location where the actual non-cached data resides
An origin server is the __________ Same thing goes for CloudFront from AWS and many other products like Varnish Cache Server. Often that means you have one origin server and then cache/proxy/CDN locations all over the world.
authoritative source of content. The term is used when you have a proxy server in front. For instance, Cloudflare takes requests for your website, and if they don't have a cached resource for a specific image, they go back to the origin server to fetch (and cache) it.
route 53 weighted round robin
sends DNS responses to different servers you specify, like a load balancer; you can give more weight to some servers, and also do A/B testing, e.g. 10% to new code, the rest to current code
Route 53 routing policy types
Simple routing policy - Use for a single resource that performs a given function for your domain, for example, a web server that serves content for the example.com website.
Failover routing policy - Use when you want to configure active-passive failover.
Geolocation routing policy - Use when you want to route traffic based on the location of your users.
Geoproximity routing policy - Use when you want to route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another.
Latency routing policy - Use when you have resources in multiple AWS Regions and you want to route traffic to the region that provides the best latency.
Multivalue answer routing policy - Use when you want Route 53 to respond to DNS queries with up to eight healthy records selected at random.
Weighted routing policy - Use to route traffic to multiple resources in proportions that you specify.
Simple routing policy - __________
Failover routing policy - Use when you want to configure active-passive failover.
Geolocation routing policy - __________
Use for a single resource that performs a given function for your domain, for example, a web server that serves content for the example.com website.
Use when you want to route traffic based on the location of your users.
Geoproximity routing policy - __________
Latency routing policy - __________
Use when you want to route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another.
Use when you have resources in multiple AWS Regions and you want to route traffic to the region that provides the best latency.
Multivalue answer routing policy - __________
Weighted routing policy - __________
Use when you want Route 53 to respond to DNS queries with up to eight healthy records selected at random.
Use to route traffic to multiple resources in proportions that you specify.
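The weighted-selection behavior can be sketched as follows (a minimal model, not how Route 53 is actually implemented: each record is chosen with probability weight / total weight, so weights 10 and 90 split traffic roughly 10/90 for A/B testing):

```python
import random

def pick_weighted(records, rng=random):
    # Choose one (name, weight) record with probability weight / total,
    # which is how weighted round robin splits queries between targets.
    total = sum(weight for _name, weight in records)
    point = rng.uniform(0, total)
    for name, weight in records:
        point -= weight
        if point <= 0:
            return name
    return records[-1][0]  # guard against floating-point edge cases

# e.g. send ~10% of lookups to a new fleet for A/B testing:
records = [("new.example.com", 10), ("current.example.com", 90)]
```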
Web Application Firewall
A special type of firewall that looks more deeply into packets that carry HTTP traffic.
Managed Rules for AWS WAF give you a set of __________
pre-configured rules written and managed by AWS Marketplace Sellers, allowing you to quickly get started with AWS WAF rules for your application.
Web Application Firewall can protect against
SQL injection (SQLi); cross-site scripting (XSS); too many web crawlers; DDoS / HTTP floods
Managed Rules are written by security experts who have extensive and up-to-date knowledge of threats and vulnerabilities. Rules are written based on threats observed across many customers. AWS WAF Managed Rules are __________
Managed Rules sellers create rules using a combination of security engineers on staff, automated traffic analysis and threat intelligence databases.
automatically updated by AWS Sellers as new vulnerabilities and bad actors emerge.
WAF integrated with
CloudFront, so you get more scalability and redundancy
Web Application Firewall can block or allow against
IP, geography, size, string, regex
Web Application Firewall 2 types or rules
regular - A and B; A or B
rate-based - like regular, but with a rate limit over 5-minute intervals; if the limit is 2000, then from IP x no more than 2000 requests are allowed within 5 minutes
rate-based - __________
like regular, but with a rate limit over 5-minute intervals; if the limit is 2000, then from IP x no more than 2000 requests are allowed within 5 minutes
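A rate-based rule can be sketched as a per-IP counter over a 300-second window (a simplified in-memory model with hypothetical names, not AWS WAF's actual implementation):

```python
from collections import defaultdict

class RateBasedRule:
    """Count requests per source IP over a rolling 5-minute (300 s)
    window and block any IP that exceeds the configured limit."""

    def __init__(self, limit=2000, window=300):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(list)  # ip -> timestamps of recent requests

    def allow(self, ip, now):
        # Keep only requests still inside the window, then check the count.
        recent = [t for t in self.hits[ip] if now - t < self.window]
        self.hits[ip] = recent
        if len(recent) >= self.limit:
            return False  # over the rate limit: block this request
        recent.append(now)
        return True
```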
The CAP Theorem states that it is impossible for a distributed system to simultaneously guarantee all 3 aspects __________
(Consistency, Availability, Partition Tolerance); at most two of the three can be guaranteed at once.
What Are the Main Benefits of Amazon SQS?
Security - __________
Server-side encryption (SSE) __________
You control who can send messages to and receive messages from an Amazon SQS queue.
Lets you transmit sensitive data by protecting the contents of messages in queues using keys managed in AWS Key Management Service (AWS KMS).
Durability - __________
Availability - __________
To ensure the safety of your messages, Amazon SQS stores them on multiple servers. Standard queues support at-least-once message delivery, and FIFO queues support exactly-once message processing.
Amazon SQS uses redundant infrastructure to provide highly-concurrent access to messages and high availability for producing and consuming messages.
Scalability - __________
Reliability - __________
Amazon SQS can process each buffered request independently, scaling transparently to handle any load increases or spikes without any provisioning instructions.
Amazon SQS locks your messages during processing, so that multiple producers can send and multiple consumers can receive messages at the same time.
Customization - __________
Your queues don't have to be exactly alike - for example, you can set a default delay on a queue. You can store the contents of messages larger than 256 KB using Amazon Simple Storage Service (Amazon S3) or Amazon DynamoDB, with Amazon SQS holding a pointer to the Amazon S3 object, or you can split a large message into smaller messages.
Standard Queue __________
Unlimited Throughput - __________
Available in all regions.
Standard queues support a nearly unlimited number of transactions per second (TPS) per action.
Standard Queue At-Least-Once Delivery - __________
Best-Effort Ordering - __________
A message is delivered at least once, but occasionally more than one copy of a message is delivered.
Occasionally, messages might be delivered in an order different from which they were sent.
FIFO queue
Available in the US East (N. Virginia), US East (Ohio), US West (Oregon), and EU (Ireland) Regions.
High Throughput - By default, FIFO queues support up to 3,000 messages per second with batching. To request a limit increase, file a support request. FIFO queues support up to 300 messages per second (300 send, receive, or delete operations per second) without batching.
Exactly-Once Processing - A message is delivered once and remains available until a consumer processes and deletes it. Duplicates aren't introduced into the queue.
First-In-First-Out Delivery - The order in which messages are sent and received is strictly preserved.
High Throughput - By default, FIFO queues support up to __________
Exactly-Once Processing - __________
3,000 messages per second with batching. To request a limit increase, file a support request. FIFO queues support up to 300 messages per second (300 send, receive, or delete operations per second) without batching.
A message is delivered once and remains available until a consumer processes and deletes it. Duplicates aren't introduced into the queue.
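The two throughput figures are consistent: 300 batched API operations per second, each carrying up to 10 messages (the SQS batch maximum), gives the 3,000 messages-per-second number.

```python
# 300 send/receive/delete API calls per second, each batching up to
# 10 messages, yields the quoted FIFO throughput with batching.
ops_per_second = 300
messages_per_batch = 10
fifo_throughput = ops_per_second * messages_per_batch  # 3000 msg/s
```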
First-In-First-Out Delivery -__________
The order in which messages are sent and received is strictly preserved.
when use SQS standard
Send data between applications when the throughput is important, for example:
Decouple live user requests from intensive background work: let users upload media while resizing or encoding it.
Allocate tasks to multiple worker nodes: process a high number of credit card validation requests.
Batch messages for future processing: schedule multiple entries to be added to a database.
when use SQS FIFO
Send data between applications when the order of events is important, for example:
Ensure that user-entered commands are executed in the right order.
Display the correct product price by sending price modifications in the right order.
Prevent a student from enrolling in a course before registering for an account.
Immediately after a message is received, it remains in the queue. To prevent other consumers from processing the message again, Amazon SQS sets a visibility timeout, a period of time during which Amazon SQS __________
prevents other consumers from receiving and processing the message. The default visibility timeout for a message is 30 seconds. The minimum is 0 seconds. The maximum is 12 hours.
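The visibility-timeout semantics can be sketched with a small in-memory model (hypothetical class and method names, a simplification of real SQS): receiving a message hides it rather than removing it, and unless the consumer deletes it before the timeout expires, it becomes visible again for redelivery.

```python
class VisibilityQueue:
    """In-memory sketch of SQS visibility-timeout behavior."""

    def __init__(self, visibility=30):
        self.visibility = visibility
        self.messages = {}  # message id -> (body, time it becomes visible)
        self._next_id = 0

    def send(self, body, now=0):
        self._next_id += 1
        self.messages[self._next_id] = (body, now)  # visible immediately
        return self._next_id

    def receive(self, now):
        # Return the first visible message and hide it for `visibility` s.
        for mid, (body, visible_at) in self.messages.items():
            if visible_at <= now:
                self.messages[mid] = (body, now + self.visibility)
                return mid, body
        return None  # nothing currently visible

    def delete(self, mid):
        # Consumers must delete explicitly, or the message reappears.
        self.messages.pop(mid, None)
```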
An Amazon SQS message has three basic states:__________
Sent to a queue by a producer.
Received from the queue by a consumer.
Deleted from the queue.
Amazon SQS offers standard as the default queue type. Standard queues support a nearly unlimited number of __________ (TPS) per action.
transactions per second
Standard queues support __________ message delivery. However, occasionally (because of the highly distributed architecture that allows nearly unlimited throughput), more than __________
at-least-once; one copy of a message might be delivered out of order.
The expiration of a message is always based on its original enqueue timestamp. When a message is moved to a dead-letter queue, the enqueue timestamp remains unchanged. For example, if a message spends 1 day in the original queue before being moved to a dead-letter queue, and the retention period of the dead-letter queue is set to 4 days, the message is __________
deleted from the dead-letter queue after 3 days
Thus, it is a best practice to always set the retention period of a dead-letter queue to be __________
longer than the retention period of the original queue.
sqs delivery delay can be
0 seconds to 15 minutes
Amazon SQS Delay Queues
Delay queues let you postpone the delivery of new messages to a queue for a number of seconds. If you create a delay queue, any messages that you send to the queue remain invisible to consumers for the duration of the delay period. The default (minimum) delay for a queue is __________
0 seconds. The maximum is 15 minutes.
For standard queues, the per-queue delay setting is __________
For FIFO queues, the per-queue delay setting is __________
not retroactive - changing the setting doesn't affect the delay of messages already in the queue.
retroactive - changing the setting affects the delay of messages already in the queue.
Delay queues are similar to visibility timeouts because both features make messages __________.
unavailable to consumers for a specific period of time
The difference between the two is that, for delay queues, a message is hidden when it is __________ to queue, whereas for visibility timeouts a message is hidden __________ from the queue
first added; only after it is consumed
To set delay seconds on individual messages, rather than on an entire queue, use __________ to allow Amazon SQS to use the message timer's __________
message timers; DelaySeconds value instead of the delay queue's DelaySeconds value.
SQS Long Polling
Long polling helps __________
reduce the cost of using Amazon SQS by eliminating the number of empty responses (when there are no messages available for a ReceiveMessage request) and false empty responses (when messages are available but aren't included in a response).
When should I use SQS long polling, and when should I use SQS short polling?
In almost all cases, SQS __________
long polling is preferable to SQS short polling. Long polling requests allow your queue consumers to receive messages as soon as they arrive in your queue, while reducing the number of empty ReceiveMessageResponses you encounter.
Taken together, SQS long polling results in __________ However, if your application is written to expect an immediate response from a ReceiveMessage call, you may not be able to take advantage of long polling without some application modifications.
higher performance at reduced cost for the majority of use cases.
Amazon Simple Notification Service (SNS) Topics are __________
Owners __________
named groups of events or access points, each identifying a specific subject, content, or event type. Each topic has a unique identifier (URI) that identifies the SNS endpoint for publishing and subscribing.
Create topics and control all access to the topic. The owner can define the permissions for all of the topics that they own.
Subscribers are __________
Publishers __________
clients (applications, end-users, servers, or other devices) that want to receive notifications on specific topics of interest to them.
Send messages to topics. SNS matches the topic with the list of subscribers interested in the topic, and delivers the message to each and every one of them.
Simple Notification Service (SNS) is a highly available, durable, secure, fully managed pub/sub messaging service that enables you to __________.
decouple microservices, distributed systems, and serverless applications
Amazon SNS provides __________.
topics for high-throughput, push-based, many-to-many messaging. Using Amazon SNS topics, your publisher systems can fan out messages to a large number of subscriber endpoints for parallel processing, including Amazon SQS queues, AWS Lambda functions, and HTTP/S webhooks
Additionally, SNS can be used to fan out notifications to end users using __________
mobile push, SMS, and email.
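The fan-out pattern above can be sketched in a few lines (a minimal in-memory pub/sub model with hypothetical names, not the SNS API): every subscriber gets its own copy of each published message, so a dashboard updater and an archiver can both process the same event independently.

```python
class Topic:
    """Minimal pub/sub sketch: a topic fans each published message out
    to every subscriber (in SNS these could be SQS queues, Lambda
    functions, HTTP/S webhooks, SMS, or email endpoints)."""

    def __init__(self, name):
        self.name = name
        self.subscribers = []

    def subscribe(self, handler):
        self.subscribers.append(handler)

    def publish(self, message):
        for handler in self.subscribers:
            handler(message)  # every subscriber receives its own copy

# Two independent consumers of the same "orders" topic:
dashboard, archive = [], []
orders = Topic("orders")
orders.subscribe(dashboard.append)
orders.subscribe(archive.append)
orders.publish({"order_id": 1})
```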
AWS Step Functions lets you __________.
coordinate multiple AWS services into serverless workflows so you can build and update apps quickly
Using Step Functions, you can design and run workflows that stitch together services such as AWS __________. Workflows are made up of a __________.
Lambda and Amazon ECS into feature-rich applications; series of steps, with the output of one step acting as input into the next
You can monitor each step of execution as it happens, which means you can identify and fix problems quickly. Step Functions automatically __________ so your application executes in order and as expected.
triggers and tracks each step, and retries when there are errors,
AWS Step Functions is the latest application service released by AWS to solve a problem that many people reading this have probably experienced: __________
orchestrating complex flows using Lambda Functions.
In many use cases, there are several processes composed of different tasks. If you want to run the entire process in a serverless way, you can create a Lambda Function for each task and run those functions using your own orchestrator. Writing a code that orchestrates those functions could be painful and really hard to debug and optimize. AWS Step Functions removes this need by applying an __________.
easy design and by implementing a complex flow for our functions or tasks
"AWS Step Functions makes it easy to coordinate the components of __________
distributed applications and microservices using visual workflows."
AWS Step Functions is the spiritual descendant of the not-so-simple-to-use __________service. It addresses many of its predecessor's usability issues and made AWS __________the centerpiece.
Simple Workflow (SWF); Lambda
AWS Step Functions 7 state types
task - does the work / Lambda
choice - branching logic
parallel - fork to multiple outputs
wait
fail
succeed
pass
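A minimal Amazon States Language definition exercising a few of these state types might look like the following (shown as a Python dict for illustration; real definitions are JSON documents, and the Lambda ARN here is a placeholder):

```python
import json

# Task -> Choice -> Succeed/Fail, in Amazon States Language shape.
definition = {
    "StartAt": "DoWork",
    "States": {
        "DoWork": {
            "Type": "Task",  # invokes a Lambda function
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:work",
            "Next": "CheckResult",
        },
        "CheckResult": {
            "Type": "Choice",  # branching logic on the task's output
            "Choices": [
                {"Variable": "$.status", "StringEquals": "ok", "Next": "Done"}
            ],
            "Default": "Failed",
        },
        "Done": {"Type": "Succeed"},
        "Failed": {"Type": "Fail"},
    },
}
```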
AWS Elastic Beanstalk is an easy-to-use service for __________
deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.
You can simply upload your code and Elastic Beanstalk automatically handles the __________
deployment, from capacity provisioning, load balancing, auto-scaling to application health monitoring. At the same time, you retain full control over the AWS resources powering your application and can access the underlying resources at any time.
There is __________ charge for Elastic Beanstalk - you pay only for the AWS resources needed to __________
no additional; store and run your applications.
With AWS Elastic Beanstalk, you can quickly deploy and manage applications in the AWS Cloud without __________
worrying about the infrastructure that runs those applications.
AWS Elastic Beanstalk reduces __________
management complexity without restricting choice or control.
You simply upload your application, and AWS Elastic Beanstalk automatically handles the details of __________
capacity provisioning, load balancing, scaling, and application health monitoring.
AWS OpsWorks is a __________.
configuration management service that provides managed instances of Chef and Puppet
Chef and Puppet are __________
automation platforms that allow you to use code to automate the configurations of your servers.
OpsWorks lets you use __________
Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.
OpsWorks has three offerings, __________
AWS Opsworks for Chef Automate, AWS OpsWorks for Puppet Enterprise, and AWS OpsWorks Stacks.
AWS OpsWorks for Chef Automate is a __________
fully managed configuration management service that hosts Chef Automate, a suite of automation tools from Chef for configuration management, compliance and security, and continuous deployment.
OpsWorks also maintains your Chef server by automatically patching, updating, and backing up your server. OpsWorks eliminates the need to operate your own __________
OpsWorks gives you access to all of the Chef Automate features, such as configuration and compliance management, which you manage through the Chef console or command line tools like __________. It also works seamlessly with your existing Chef cookbooks.
configuration management systems or worry about maintaining its infrastructure; Knife
Choose AWS __________ if you are an existing Chef user.
OpsWorks for Chef Automate
AWS OpsWorks for Puppet Enterprise is a __________ OpsWorks also maintains your Puppet master server by automatically patching, updating, and backing up your server.
fully managed configuration management service that hosts Puppet Enterprise, a set of automation tools from Puppet for infrastructure and application management.
Choose AWS __________ if you are an existing Puppet user.
OpsWorks for Puppet Enterprise
AWS OpsWorks Stacks is an application and server management service. With OpsWorks Stacks, you can __________ Within each layer, you can provision Amazon __________ This allows you to automate tasks such as installing packages and programming languages or frameworks, configuring software, and more.
model your application as a stack containing different layers, such as load balancing, database, and application server.
EC2 instances, enable automatic scaling, and configure your instances with Chef recipes using Chef Solo.
Choose AWS __________ if you need a solution for application modeling and management.
OpsWorks Stacks
OpsWorks service is __________ charge; customers who subscribe to it pay for __________. OpsWorks supports on-premises servers, which are charged hourly, but there is no additional charge for computing power beyond the requisite instances, EBS volumes, Elastic IP addresses and other AWS resources.
free of; compute power, storage and other billable resources used
3 types of nodes in EMR cluster
master
core
task
HDFS
Hadoop Distributed File System
Hadoop Distributed File System
A highly distributed, fault-tolerant file storage system designed to manage large amounts of data at high speeds.
type of nodes in EMR cluster - core
like a task node, it runs tasks assigned by the master node, but it also stores data in HDFS
type of nodes in EMR cluster - master__________
coordinates distribution of job across core and task nodes
type of nodes in EMR cluster - task
runs only tasks and doesn't store data; optional, provides pure compute
AWS CloudFormation provides a common language for you to __________
describe and provision all the infrastructure resources in your cloud environment.
CloudFormation allows you to use a __________. This file serves as the SINGLE SOURCE OF TRUTH for your cloud environment.
simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts
AWS CloudFormation is available at __________charge, and you pay only for the AWS resources needed to run your applications.
no additional
CloudFormation provisions your resources in a __________
safe, repeatable manner, allowing you to build and rebuild your infrastructure and applications, without having to perform manual actions or write custom scripts.
CloudFormation takes care of determining the right operations to perform when managing your __________, and rolls back changes __________
stack; automatically if errors are detected.
CloudFormation Codifying your infrastructure allows you to treat your infrastructure as just __________. You can author it with any __________
code; code editor, check it into a version control system, and review the files with team members before deploying into production.
A template is a __________. __________
simple text file that describes a stack; a collection of AWS resources you want to deploy together as a group
You use the template to define all the AWS resources you want in your stack. This can include __________
Amazon Elastic Compute Cloud instances, Amazon Relational Database Service DB Instances, and other resources.
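A minimal template might look like the following, shown here as a Python dict for illustration (real templates are JSON or YAML files; the AMI ID is a placeholder, not a real image):

```python
# One EC2 instance declared as a CloudFormation stack resource.
template = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "A single web server managed as a stack",
    "Resources": {
        "WebServer": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "InstanceType": "t2.micro",
                "ImageId": "ami-12345678",  # placeholder AMI ID
            },
        }
    },
}
```

Deleting the stack would delete the instance along with every other resource declared under Resources.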
A stack is a collection of AWS resources that you can __________. In other words, you can create, update, or delete a collection of resources by creating, updating, or deleting stacks.
manage as a single unit
All the resources in a stack are defined by the stack's AWS CloudFormation template. A stack, for instance, can include all the __________required to run a web application, such as a web server, a database, and networking rules. If you no longer require that web application, you can simply __________
resources; delete the stack, and all of its related resources are deleted.
AWS CloudFormation ensures all stack resources are created or deleted as appropriate. Because AWS CloudFormation treats the stack resources as a single unit, they must __________.
all be created or deleted successfully for the stack to be created or deleted
If a resource cannot be created, AWS CloudFormation __________. If a resource cannot be deleted, any remaining resources are __________
rolls the stack back and automatically deletes any resources that were created; retained until the stack can be successfully deleted.
For a scalable web application that also includes a back-end database, you might use an __________ Normally, you might use each individual service to provision these resources. And after you create the resources, you would have to configure them to work together. All these tasks can add complexity and time before you even get your application up and running.
Auto Scaling group, an Elastic Load Balancing load balancer, and an Amazon Relational Database Service database instance.
Can I manage individual AWS resources that are part of an AWS CloudFormation stack?__________
Yes. AWS CloudFormation does not get in the way; you retain full control of all elements of your infrastructure. You can continue using all your existing AWS and third-party tools to manage your AWS resources.
AWS OpsWorks vs AWS Beanstalk vs AWS CloudFormation?
OpsWorks is an orchestration tool like Chef or Puppet - in fact, it's derived from Chef. Use OpsWorks to specify the state that you want your network to be in by specifying the state that you want each resource - server instances, applications, storage - to be in.
CloudFormation is a JSON template that specifies the state of the resource(s) that you want to deploy, i.e. you want to deploy an AWS EC2 micro t2 instance in us-east-1 as part of VPC 192.168.1.0/24.
Elastic Beanstalk is a PaaS - you can upload specifically Ruby/Rails, Node.js, Python/Django or Python/Flask apps. If you're running anything else like Scala, Haskell or anything else, create a Docker image for it and upload that Docker image into Elastic Beanstalk.
elastic beanstalk is the __________
opsworks is the __________
cloudformation is the __________
when you want granular control over everything in your environment, cfn is the choice. cfn can handle pretty much anything - from tiny footprint, one instance web server deployments to netflix - with a templatized, code driven approach. if you're doing serious work with aws, you're probably using cloudformation.
high level offering. it is the simplest way to deploy an application on aws. if you're looking for a no-frills, automagic, as-fully-managed-as-you-can-get-in-aws experience, this is it.
middle tier. operating as a full featured orchestration tool (thus the tight relationship with chef), opsworks combines straightforward deployment, configuration and management with the flexibility to handle complex implementations.
nuts and bolts, low level utility.
setup monitoring of cloudtrail logs by
sending them to CloudWatch logs
AWS CloudTrail is a service that enables __________
governance, compliance, operational auditing, and risk auditing of your AWS account.
With CloudTrail, you can __________
log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.
CloudTrail provides __________ This event history simplifies security analysis, resource change tracking, and troubleshooting.
event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
AWS CloudTrail increases visibility into your user and resource activity by recording AWS Management Console actions and API calls. You can identify which __________
users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.
Q: Is there any cost associated with CloudTrail Event History being enabled on my account upon creation?__________
There is no cost for viewing or searching account activity with CloudTrail Event History.
What happens when I apply a trail to all regions?
Once you apply a trail in all regions, CloudTrail will __________. CloudTrail will record and process the log files in each region and will deliver log files containing account activity across all AWS regions to __________ If you specified an optional SNS topic, CloudTrail will deliver SNS notifications for all log files delivered to a single SNS topic.
create a new trail in all regions by replicating the trail configuration; a single S3 bucket and a single CloudWatch Logs log group.
Q: I have multiple AWS accounts. I would like log files for all the accounts to be delivered to a single S3 bucket. Can I do that?__________
Yes. You can configure one S3 bucket as the destination for multiple accounts.
You can troubleshoot operational and security incidents over the past 90 days in the CloudTrail console by viewing __________
Event history.
AWS Config is a service that enables you to __________
assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
With Config, you can review changes in configurations and relationships between AWS resources, __________ This enables you to simplify compliance auditing, security analysis, change management, and operational troubleshooting.
dive into detailed resource configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines.
With AWS Config, you are able to continuously monitor and record configuration changes of your AWS resources. Config also enables you to inventory your AWS resources, the configurations of your AWS resources, as well as software configurations within EC2 instances at any point in time. Once change from a previous state is detected, an Amazon__________
Simple Notification Service (SNS) notification can be delivered for you to review and take action.
While AWS Config continuously tracks the configuration changes that occur among your resources, it checks whether these changes violate any of the conditions in your rules. If a resource violates a rule, AWS Config __________
flags the resource and the rule as noncompliant.
For example, when an EC2 volume is created, AWS Config can evaluate the volume against a __________
rule that requires volumes to be encrypted. If the volume is not encrypted, AWS Config flags the volume and the rule as noncompliant.
AWS Config can also check all of your resources for account-wide requirements. For example, AWS Config can check whether the number of EC2 volumes in an account __________, or whether an account uses __________
stays within a desired totalAWS CloudTrail for logging.
to process a lot of streaming data
Kinesis DATA STREAM
to ingest huge amounts of data without a stringent SLA
Kinesis Data Firehose
Firehose can scale to __________of streaming data per second, and allows for __________
gigabytes; batching, encrypting, and compressing of data.
It should be noted that Firehose will __________ scale to meet demand, which is in contrast to __________, for which you must manually provision enough capacity to meet anticipated needs.
automatically; Kinesis Streams
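The operational difference shows up in the request shapes. Below is a sketch built as plain dicts (no AWS credentials needed); with boto3 you would pass them to a Firehose or Kinesis client's `put_record` call. The stream and delivery-stream names are made up.

```python
# Firehose put: you name the delivery stream and hand over the data;
# Firehose handles scaling and delivery for you.
firehose_put = {
    "DeliveryStreamName": "example-firehose",   # hypothetical name
    "Record": {"Data": b'{"event": "click"}'},
}

# Kinesis Data Streams put: you must also choose a partition key, which
# decides the shard a record lands on -- part of the capacity you manage.
stream_put = {
    "StreamName": "example-stream",             # hypothetical name
    "Data": b'{"event": "click"}',
    "PartitionKey": "user-42",
}

print("PartitionKey" in stream_put, "PartitionKey" in firehose_put)  # True False
```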
Data Streams is used for ____________ as opposed to Firehose, which is for _________
real-time data; data (can do more ETL)
Which relational database engines does Amazon RDS support?__________
Amazon RDS supports Amazon Aurora, MySQL, MariaDB, Oracle, SQL Server, and PostgreSQL database engines.
Similarly, Amazon Aurora PostgreSQL delivers up to __________ times the performance of PostgreSQL.
three
Amazon RDS manages your Amazon Aurora databases, handling time-consuming tasks such as provisioning, patching, backup, recovery, failure detection and repair. You pay a simple monthly charge for each Amazon Aurora database instance you use. There are no __________
upfront costs or long-term commitments required.
What does "five times the performance of MySQL" mean?Amazon Aurora delivers significant increases over MySQL performance by __________
tightly integrating the database engine with an SSD-based virtualized storage layer purpose-built for database workloads, reducing writes to the storage system, minimizing lock contention and eliminating delays created by database process threads.
Amazon Aurora automatically divides your database volume into __________ spread across many disks.
10GB segments
Amazon Aurora storage is also __________. Data blocks and disks are continuously scanned for errors and __________
self-healing; repaired automatically.
Amazon Aurora Parallel Query refers to the ability to __________
push down and distribute the computational load of a single query across thousands of CPUs in Aurora's storage layer.
A terabyte of data using the decimal, power-of-10 system equals __________ bytes, while a terabyte of data using the binary, power-of-two system would equal __________ bytes. The nearly __________ difference began to cause problems and could not be ignored.
1,000,000,000,000; 1,099,511,627,776; 100 billion-byte
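The arithmetic behind the card above is easy to verify directly:

```python
decimal_tb = 10 ** 12   # power-of-10 terabyte: 1,000,000,000,000 bytes
binary_tb = 2 ** 40     # power-of-2 tebibyte:  1,099,511,627,776 bytes
difference = binary_tb - decimal_tb

print(f"{difference:,}")  # 99,511,627,776 -- roughly 100 billion bytes
```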
Q: What can I cache using Amazon ElastiCache for Memcached?You can cache a variety of objects using the service, from the content in persistent data stores (such as __________)
Amazon RDS, DynamoDB, or self-managed databases hosted on EC2
ElastiCache for Redis __________
combines the speed, simplicity, and versatility of open-source Redis with manageability, security, and scalability from Amazon to power the most demanding real-time applications in Gaming, Ad-Tech, E-Commerce, Healthcare, Financial Services, and IoT.
Amazon Redshift uses a variety of innovations to achieve up to __________ times higher performance than traditional databases for data warehousing and analytics workloads:Columnar Data Storage: Instead of storing data as a series of rows, Amazon Redshift organizes the data by column. Unlike row-based systems, which are ideal for transaction processing, column-based systems are ideal for __________
ten; data warehousing and analytics, where queries often involve aggregates performed over large data sets. Since only the columns involved in the queries are processed and columnar data is stored sequentially on the storage media, column-based systems require far fewer I/Os, greatly improving query performance.
Advanced Compression: Columnar data stores can be compressed much __________
more than row-based data stores because similar data is stored sequentially on disk. Amazon Redshift employs multiple compression techniques and can often achieve significant compression relative to traditional relational data stores. In addition, Amazon Redshift doesn't require indexes or materialized views and so uses less space than traditional relational database systems. When loading data into an empty table, Amazon Redshift automatically samples your data and selects the most appropriate compression scheme.
Massively Parallel Processing (MPP): Amazon Redshift automatically distributes data and query load across all nodes. Amazon Redshift makes it easy to __________
add nodes to your data warehouse and enables you to maintain fast query performance as your data warehouse grows.
Redshift Spectrum: Redshift Spectrum enables you to run queries against exabytes of data in Amazon S3. There is no __________ required.
loading or ETL
Amazon Neptune is a fast, reliable, fully managed __________ database service that makes it easy to build and run applications that work with __________.
graph; highly connected datasets
SQL queries for highly connected data are complex and hard to tune for performance. Instead, with Amazon Neptune you can use open and popular graph query languages to execute powerful queries that are easy to write and perform well on connected data. The core of Neptune is a purpose-built, high-performance graph database engine optimized for storing __________ and querying the graph with milliseconds latency. You can use Neptune for graph use cases such as __________
billions of relationships; recommendation engines, fraud detection, knowledge graphs, drug discovery, and network security.
Q: What is a CloudFormation stack?A CloudFormation stack is a collection of AWS __________
resources that you can manage as a single unit. The resources in a stack are defined by the stack's CloudFormation template. In this project, you will use a CloudFormation stack to create and provision the VPC, subnets, security groups, and RDS instances you need to complete the database migration from Oracle to Aurora. After completion of the project, you can easily delete the stack to avoid incurring additional charges.
To further maximize read performance, Amazon RDS for MySQL allows you to __________
add table indexes directly to Read Replicas, without those indexes being present on the master.
Multi-AZ Deployments vs Read ReplicasSynchronous replication - highly durable __________
Asynchronous replication - highly scalable
Multi-AZ Deployments vs Read ReplicasAutomated backups are taken from standby __________
No backups configured by default
Multi-AZ Deployments vs Read ReplicasOnly database engine on primary instance is active __________
All read replicas are accessible and can be used for read scaling
Multi-AZ Deployments vs Read ReplicasAlways span two Availability Zones within a single Region __________
Can be within an Availability Zone, Cross-AZ, or Cross-Region
Multi-AZ Deployments vs Read ReplicasDatabase engine version upgrades happen on primary __________
Database engine version upgrade is independent from source instance
Multi-AZ Deployments vs Read ReplicasAutomatic failover to standby when a problem is detected __________
Can be manually promoted to a standalone database instance
You can combine Multi-AZ deployments and read replicas to enjoy the benefits of each. For example, you can configure a source database as __________
Multi-AZ for high availability and create a read replica (in Single-AZ) for read scalability.
SQL Server TDE
Transparent Data Encryption
You can encrypt traffic to and from RDS via
SSL; all 7 RDS engines support it
RDS snapshot
manual way of backing up to S3, from which you can restore; causes temporary I/O suspension for a few seconds to minutes
Amazon RDS Performance Insights is like
SQL Sentry; shows you the top waits by I/O, CPU, SQL, etc.
Amazon RDS Performance Insights is a __________. Performance Insights allows non-experts to detect performance problems with an easy-to-understand dashboard that visualizes database load.
database performance tuning and monitoring feature that helps you quickly assess the load on your database, and determine when and where to take action.
Aurora has __________ replication
synchronous; so there is no concept of a standby database, and a read replica can be promoted to primary
HSM
hardware security module
hardware security module
A physical device that can generate cryptographic keys for authentication.
HSM is short for Hardware Security Module. It is a piece of __________
HARDWARE: a dedicated appliance that provides secure key storage and a set of cryptographic operations within a TAMPER-RESISTANT enclosure. You can store your keys within an HSM and use them to encrypt and decrypt data while keeping them safe and sound and under your full control. You are the only one with access to the keys stored in an HSM.
AWS CloudHSM service brings the benefits of HSMs to the cloud. You retain full control of the keys and the cryptographic operations performed by the HSM(s) you create, including __________ Your cryptographic keys are protected by a tamper-resistant HSM that is designed to meet a number of international and US Government standards including NIST FIPS 140-2 and Common Criteria EAL4+.
exclusive, single-tenant access to each one.
Each of your CloudHSMs has an IP address within your Amazon Virtual Private Cloud (VPC). You'll receive administrator credentials for the appliance, allowing you to create and manage cryptographic keys, create user accounts, and perform cryptographic operations using those accounts. We __________
do not have access to your keys; they remain under your control at all times.
Redshift is a __________ database, which means that each block holds data for only a single __________.
columnar; column
The zone map is held __________.
separately from the block, like an index
The zone map holds only __________.
two data points per block, the highest and lowest values in the block
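The zone-map idea can be sketched in a few lines: each block records only its min and max, and a scan skips any block whose range cannot contain the predicate value. This is a toy illustration, not Redshift's actual data structures.

```python
# Toy zone map: three "blocks", each knowing only its min and max values.
blocks = [
    {"min": 1,   "max": 100, "rows": "..."},
    {"min": 101, "max": 200, "rows": "..."},
    {"min": 201, "max": 300, "rows": "..."},
]

def blocks_to_read(blocks, value):
    """Return the indexes of blocks that might contain `value`."""
    return [i for i, b in enumerate(blocks) if b["min"] <= value <= b["max"]]

print(blocks_to_read(blocks, 150))  # [1] -- two of the three blocks are skipped
```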
Redshift: be careful when compressing your
sort keys; since a compressed sort key column is small, each block covers a wide range of values, so queries end up reading a lot of other noise
redshift metadata tables exist in
leader node
In Redshift, ___________ is already included; for example, if you have a 6 TB data warehouse, you just get _____________
data mirroring; 3 nodes of dc1.8xlarge at 2.5 TB each for a total of 7.5 TB; data will be mirrored within those 3 nodes
If Enhanced VPC Routing is not enabled, Amazon Redshift routes traffic through __________
the internet, including traffic to other services within the AWS network.
We see this as a "tyranny of OR." You can have the throughput of local disks (via Redshift) OR the scale of Amazon S3. You can have sophisticated query optimization OR high-scale data processing. You can have fast join performance with optimized formats OR a __________. But you shouldn't have to choose. At this scale, you really can't afford to choose. You need "all of the above."
range of data processing engines that work against common data formats
We built Redshift Spectrum to end this "tyranny of OR." With Redshift Spectrum, Amazon Redshift customers can easily __________
query their data in Amazon S3.
Like Amazon EMR, you get the benefits of __________
open data formats and inexpensive storage, and you can scale out to thousands of nodes to pull data, filter, project, aggregate, group, and sort
Like Amazon Redshift itself, you get the benefits of a sophisticated __________
query optimizer, fast access to data on local disks, and standard SQL.
And like nothing else, Redshift Spectrum can execute highly sophisticated queries against an __________ of data or more, in just __________.
exabyte; minutes
Amazon Athena is an __________
interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL.
Athena is __________
serverless, so there is no infrastructure to manage, and you pay only for the queries that you run.
Athena is easy to use. Simply point to your data in Amazon __________
S3, define the schema, and start querying using standard SQL. Most results are delivered within seconds.
With Athena, there's no need for complex __________
ETL jobs to prepare your data for analysis. This makes it easy for anyone with SQL skills to quickly analyze large-scale datasets.
Athena is out-of-the-box integrated with AWS __________
Glue Data Catalog, allowing you to create a unified metadata repository across various services, crawl data sources to discover schemas and populate your Catalog with new and modified table and partition definitions, and maintain schema versioning.
You can also use Glue's fully-managed __________
ETL capabilities to transform data or convert it into columnar formats to optimize cost and improve performance.
AWS Glue is a fully managed ____________________
extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics. You can create and run an ETL job with a few clicks in the AWS Management Console.
You simply point AWS Glue to your data stored on AWS, and AWS Glue __________
discovers your data and stores the associated metadata (e.g. table definition and schema) in the AWS Glue Data Catalog.
Once cataloged, your data is immediately searchable, queryable, and available for ETL. AWS Glue __________ to execute your data transformations and data loading processes.
generates the code
If you are not a Redshift customer, then it becomes more interesting. Assuming you have objects on S3 that Athena can consume, then you might start with __________
Athena rather than spinning up Redshift
Remember that access to Spectrum requires an __________.
active, running Redshift instance
Redshift Spectrum is not an option without __________ Athena might make sense given that fact; you may not want to run Amazon Redshift clusters in a pair or across thousands of nodes. Athena may suffice for your workload, saving time and money!
Redshift. Access to the "Redshift+Redshift Spectrum" tandem has costs that might not be worthwhile (right now).
RPO: __________
Recovery Point Objective
Recovery Point Objective (RPO) describes the __________
interval of time that might pass during a disruption before the quantity of data lost during that period exceeds the Business Continuity Plan's maximum allowable threshold or "tolerance."
Example: If the last available good copy of data upon an outage is from 18 hours ago, and the RPO for this business is 20 hours, then we are still __________ the parameters of the Business Continuity Plan's RPO. In other words, it answers the question: __________
within; "Up to what point in time could the Business Process's recovery proceed tolerably given the volume of data lost during that interval?"
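The 18-hour / 20-hour example reduces to a simple comparison, sketched here:

```python
# Sketch: check an outage against an RPO, per the 18-hour / 20-hour example.
def within_rpo(hours_since_last_good_backup, rpo_hours):
    """True if the data lost so far is within the plan's tolerance."""
    return hours_since_last_good_backup <= rpo_hours

print(within_rpo(18, 20))  # True  -- still within the plan's RPO
print(within_rpo(24, 20))  # False -- more data lost than the plan allows
```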
RTO: __________
Recovery Time Objective
The Recovery Time Objective (RTO) is the __________ In other words, the RTO is the answer to the question: "How much time did it take to recover after notification of business process disruption?"
duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity.
RPO limits how __________; RTO is related to downtime and represents how _________
FAR to roll back in time, defining the maximum allowable amount of lost data measured in time from a failure occurrence to the last valid backup; LONG it takes to restore from the incident until normal operations are available to users
Recovery Point Objective (RPO) describes the interval of time that might pass during a disruption before the __________; RTO designates the amount of "real time" that can pass before the __________
quantity of data lost during that period exceeds the Business Continuity Plan's maximum allowable threshold or "tolerance"; disruption begins to seriously and unacceptably impede the flow of normal business operations.
To speed up queries on non-key attributes, you can create a global secondary index. A global secondary index contains a selection of attributes from the base table, but they are organized by a __________. The index key does not need to have any of the key attributes from the table; it doesn't even need to have the same key schema as a table.
primary key that is different from that of the table
Global secondary index â an index with a __________
partition key and a sort key that can be different from those on the base table.
A global secondary index is considered "global" because queries on the index can __________Local secondary index â an index that has the __________
span all of the data in the base table, across all partitions; same partition key as the base table, but a different sort key.
A local secondary index is "local" in the sense that __________
every partition of a local secondary index is scoped to a base table partition that has the same partition key value.
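The GSI/LSI distinction can be seen in a table-definition sketch: the kind of dict you might pass to boto3's `dynamodb.create_table(**table_def)`. The table, index, and attribute names here are made up for illustration.

```python
table_def = {
    "TableName": "GameScores",
    "AttributeDefinitions": [
        {"AttributeName": "UserId",    "AttributeType": "S"},
        {"AttributeName": "GameTitle", "AttributeType": "S"},
        {"AttributeName": "TopScore",  "AttributeType": "N"},
    ],
    "KeySchema": [
        {"AttributeName": "UserId",    "KeyType": "HASH"},   # partition key
        {"AttributeName": "GameTitle", "KeyType": "RANGE"},  # sort key
    ],
    # GSI: a completely different partition key than the base table.
    "GlobalSecondaryIndexes": [{
        "IndexName": "GameTitleIndex",
        "KeySchema": [
            {"AttributeName": "GameTitle", "KeyType": "HASH"},
            {"AttributeName": "TopScore",  "KeyType": "RANGE"},
        ],
        "Projection": {"ProjectionType": "ALL"},
    }],
    # LSI: must reuse the base table's partition key; only the sort key differs.
    "LocalSecondaryIndexes": [{
        "IndexName": "UserTopScoreIndex",
        "KeySchema": [
            {"AttributeName": "UserId",   "KeyType": "HASH"},
            {"AttributeName": "TopScore", "KeyType": "RANGE"},
        ],
        "Projection": {"ProjectionType": "KEYS_ONLY"},
    }],
}
```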
When your application writes data to a DynamoDB table and receives an HTTP 200 response (OK), the __________ The data is eventually consistent across all storage locations, usually within __________
write has occurred and is durable; one second or less.
DynamoDB supports __________ consistent and __________ consistent reads.
eventually; strongly
Eventually Consistent ReadsWhen you read data from a DynamoDB table, the response might not reflect the results of a recently completed write operation. The response might include some _______ data. If you repeat your read request after a short time, the response __________
stale; should return the latest data.
Strongly Consistent ReadsWhen you request a strongly consistent read, DynamoDB returns a response with the __________
most up-to-date data, reflecting the updates from all prior write operations that were successful.
A strongly consistent read might not be available if there is a
network delay or outage.
Amazon __________ (DAX) is a
DynamoDB Accelerator
Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, __________
in-memory cache for DynamoDB that delivers up to a 10x performance improvement - from milliseconds to microseconds - even at millions of requests per second.
DAX does all the heavy lifting required to add __________
in-memory acceleration to your DynamoDB tables, without requiring developers to manage cache invalidation, data population, or cluster management.
Now you can focus on building great applications for your customers without worrying about performance at scale. You do not need to modify application logic, since DAX is __________ You can enable DAX with just a few clicks in the AWS Management Console or using the AWS SDK. Just as with DynamoDB, you only pay for the capacity you provision.
compatible with existing DynamoDB API calls.
document database is a type of nonrelational database that is designed to store __________.
semistructured data as documents
Document databases are intuitive for developers to use because the data in the application tier is typically represented as a __________.
JSON document; developers can persist data by using the same document model format that they use in their application code.
In a document database, each document can have the same or different data structure, and each document is __________
self-describing (including its possibly unique schema) and isn't necessarily dependent on any other document.
Documents are grouped into "__________," which serve a similar purpose to a table in a relational database.
collections
A document database is a great choice for content management applications such as __________
blogs and video platforms.
CatalogsDocument databases are efficient and effective for storing catalog information. For example, in an e-commerce application, different products usually have different numbers of attributes. Managing thousands of attributes in relational databases is inefficient, and the reading performance is affected. Using a document database, each product's attributes can be described in a __________ and __________. Changing the attributes of one product won't affect others.
single document for easy management; faster reading speed
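A small sketch of the catalog use case: two "documents" with different, self-describing schemas coexist side by side, and changing one product's attributes leaves the others untouched. The field names are illustrative.

```python
# Two catalog documents with different schemas -- natural in a document
# database, awkward in a fixed-schema relational table.
book = {"_id": 1, "type": "book", "title": "...", "author": "...", "pages": 320}
shirt = {"_id": 2, "type": "shirt", "title": "...", "sizes": ["S", "M", "L"],
         "color": "navy"}

catalog = [book, shirt]

# Changing one product's attributes doesn't affect the others:
shirt["material"] = "cotton"

print(sorted(set(book) & set(shirt)))  # ['_id', 'title', 'type']
```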
serverless: __________
"a service that abstracts away the management of containers." So our new buzzword is "containerless".
Matillion It's sort of like __________, so you have visual representation of the transformations, and your old-school DBA goes "Oh, that looks like my ETL tool!"
SQL Server SSIS in a browser
The long and short is â if you're ETL-ing or ELT-ing, I prefer a __________. Amazon really shines there. I don't really like their native Data Pipeline, but they shine because of vendors like Matillion. On the other hand, Google requires you to code everything against their __________
tool rather than an API; APIs, usually in Java.
Amazon QuickSight is a fast, cloud-powered __________
BI service that makes it easy to build visualizations, perform ad-hoc analysis, and quickly get business insights from your data
Amazon QuickSight: using our cloud-based service you can easily connect to your data, perform advanced analysis, and create stunning __________ and rich __________ that can be accessed from any browser or mobile device.
visualizations; dashboards
AWS Organizations offers __________
policy-based management for multiple AWS accounts. With Organizations, you can create groups of accounts, automate account creation, and apply and manage policies for those groups.
Organizations enables you to __________
centrally manage policies across multiple accounts, without requiring custom scripts and manual processes.
Using AWS Organizations, you can create __________ (SCPs) that centrally control AWS service use across multiple AWS accounts.__________
Service Control Policies
You can group your accounts into __________ (OUs) and attach different access policies to each OU.
organizational units
For example, if you have accounts that must access only the AWS services that meet certain regulatory requirements, you can __________
put those accounts into one OU. You then can attach a policy to that OU that blocks access to services that do not meet those regulatory requirements
Service control policy (SCP)A policy that __________
specifies the services and actions that users and roles can use in the accounts that the SCP affects.
SCPs are similar to IAM permission policies except that they __________ Instead, SCPs are __________
don't grant any permissions; filters that allow only the specified services and actions to be used in affected accounts.
Even if a user is granted full administrator permissions with an IAM permission policy, any access that is __________
not explicitly allowed or that is explicitly denied by the SCPs affecting that account is blocked.
For example, if you assign an SCP that allows __________
only database service access to your "database" account, then any user, group, or role in that account is denied access to any other service's operations.
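A minimal sketch of such a whitelist-style SCP for the "database" account example. The JSON shape follows the IAM policy grammar; the specific action namespaces chosen here (`rds:*`, `dynamodb:*`) are just one way to illustrate "database services only".

```python
import json

# Whitelist-style SCP: only RDS and DynamoDB actions are allowed; everything
# else is implicitly denied for accounts the SCP is attached to.
scp = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["rds:*", "dynamodb:*"],
        "Resource": "*",
    }],
}

print(json.dumps(scp, indent=2))
```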
SCPs are available only when you enable __________
all features in your organization.
When you apply an SCP to an OU or an individual AWS account, you choose to either enable (__________), or disable (__________) the specified AWS service. __________
whitelist; blacklist
OAI
Origin Access Identity
I want to restrict access to my Amazon Simple Storage Service (Amazon S3) bucket so that objects can be accessed only through an Amazon CloudFront distribution. How can I do that?ResolutionTo allow access to your Amazon S3 bucket only from a CloudFront distribution, __________
first add an origin access identity (OAI) to your distribution. Then, review your bucket policy and Amazon S3 access control list (ACL) to be sure that:1. Only the OAI can access your bucket.2. CloudFront can access the bucket on behalf of requesters.3. Users can't access the objects in other ways, such as by using Amazon S3 URLs.
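Step 1 of the resolution boils down to a bucket policy whose only allowed principal is the OAI. Here is a sketch of that policy as a Python dict; the OAI ID (`EXAMPLEID`) and bucket name are placeholders.

```python
# Bucket policy sketch: only the CloudFront OAI may read objects, so S3 URLs
# used directly by end users are denied by default.
policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::cloudfront:user/"
                             "CloudFront Origin Access Identity EXAMPLEID"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}
```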
Instances launched within a default subnet will by default have a _______ and a _______ associated with them
public IPv4 address and a public DNS hostname
The recommended way to connect to an EC2 instance is by using your Access Key ID and Secret Access Key. A, true, or B, false?
False. You should use an IAM role to connect from an EC2 instance, because the role's temporary credentials are rotated automatically by AWS, and it is much easier to reuse the same role without modifying the code.
You have created a VPC using the VPC wizard with a CIDR block of 100.0.0.0/16. You selected a private subnet and a VPN connection using the VPC wizard and launched an EC2 instance in the private subnet. Now you need to connect to the EC2 instance via SSH. What do you need to connect to the EC2 instance? A. Allow inbound traffic on port __________ on your network. __________
22; A is correct. SSH runs on port 22, so you need to allow inbound access to port 22.
why wrong: You have created a VPC using the VPC wizard with a CIDR block of 100.0.0.0/16. You selected a private subnet and a VPN connection using the VPC wizard and launched an EC2 instance in the private subnet. Now you need to connect to the EC2 instance via SSH. What do you need to connect to the EC2 instance? Create a public subnet and from there connect to the EC2 instance. __________
Since you have already created a VPN while creating the VPC, the VPC is already connected with your network. Therefore, you can reach the private subnet directly from your network. The port at which SSH runs is 22, so you need to provide access to port 22.
An ephemeral port is a __________
short-lived endpoint that is created by the operating system when a program requests any available user port. The operating system selects the port number from a predefined range, typically between 1024 and 65535, and releases the port after the related TCP connection terminates.
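You can watch the OS hand out an ephemeral port with Python's standard `socket` module: binding to port 0 means "pick any available port for me".

```python
import socket

# Ask the OS for any available ephemeral port by binding to port 0.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("127.0.0.1", 0))      # port 0 = let the OS choose an ephemeral port
port = s.getsockname()[1]     # the port the OS actually assigned
print(1024 <= port <= 65535)  # True on typical systems
s.close()
```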
On servers, ephemeral ports may also be used as the port assignment on the server end of a communication. This is done to __________ File Transfer Protocol (FTP) and Remote Procedure Call (RPC) applications are two protocols that can behave in this manner.
continue communications with a client that initially connected to one of the server's well-known service listening ports.
You have created a VPC with a CIDR block of 200.0.0.0/16 with a public subnet of 200.0.0.0/24. You launched an EC2 instance in the public subnet, and you are hosting your web site from that EC2 instance. You have already configured the security groups correctly. What do you need to do from network ACLs so that the web site is accessible from your home network of 192.168.1.0/24? Allow inbound traffic from 192.168.1.0/24 on port 80 and outbound traffic to destination 192.168.1.0/24 on ____________________
an ephemeral port. You need to allow both inbound and outbound traffic from and to your network. Since you need to access the web site from your home, you need to provide access to port 80. The web site can in return request any available user port at the home network; thus, you need to allow an ephemeral port.
Which instance type runs on hardware allocated to a single customer?__________
Dedicated instance; a dedicated instance runs on hardware allocated to a single customer. The dedicated instances are physically isolated at the host hardware level from instances that belong to other AWS accounts.
Dedicated Instances are Amazon __________
EC2 instances that run in a VPC on hardware that's dedicated to a single customer.
Your Dedicated instances are __________
physically isolated at the host hardware level from instances that belong to other AWS accounts.
Dedicated instances may share hardware with other instances from the __________
same AWS account that are not Dedicated instances.
Dedicated Hosts give you additional VISIBILITY and CONTROL over how instances are placed on a physical server, and you can reliably use the __________ over time.
same physical server
As a result, Dedicated Hosts enable you to use your existing __________ and address corporate COMPLIANCE and REGULATORY requirements.
server-bound software licenses like Windows Server
Dedicated Instances that belong to AWS accounts that are linked to a single payer account are __________ at the hardware level. However, Dedicated Instances may share hardware with other instances from the __________ that are not Dedicated Instances.
also physically isolated; same AWS account
You may not __________ on the same dedicated host. If you purchase a dedicated instance, you must decide what __________
mix EC2 instance types; type of instance that you will be placing on it.
For example, you would purchase an m4.large host, meaning that you could put as many m4.large instances on that host as you want, up to the maximum (22 as of this writing), but you are not allowed to add __________ for example. If you want to add m4.xlarge instances on dedicated hosts, then you must __________
m3.large or m4.xlarge instances; purchase another dedicated host.
Primary Use Cases - In addition to the compliance purposes, dedicated hosts are used for __________ Specifically this option is most often used with Microsoft BYOL situations where the customer doesn't have Software Assurance or the product doesn't have license mobility.
licensing purposes when the license model requires you to use sockets or cores.
If you want to deploy serverless architecture, then you can use __________ and __________to build the new application.
API Gateway; Lambda
A NAT gateway __________ high availability. A NAT instance __________ high availability.
provides; doesn't provide
seems like a no-brainer: pick the NAT Gateway. But in the real world, the decision is a little more complex, which is no doubt why Amazon still maintains__________
AMIs for NAT Instances
NAT Instance vs. NAT Gateway
Gateway is best: most reliable, but expensive. An instance is an EC2 instance with routing tables: about 1/4 the price, but you must patch and maintain it yourself.
scale-up vs. scale-out in the context of comparing a __________.
pet and a herd of cattle
emphasized the __________. This was much more important than whether you __________ Those are, I believe, side effects of how you view a server. If you view a server (whether metal, virtualized, or containerized) as inherently something that can be destroyed and replaced at any time, then it's a member of the herd. If, however, you view a server (or a pair of servers attempting to appear as a single unit) as indispensable, then it's a pet.
disposability of cattle and the uniqueness of pets; scale-up or scale-out.
In the old way of doing things, we treat our servers like pets, for example Bob the mail server. If Bob goes down, it's all hands on deck. The CEO can't get his email and it's the end of the world. In the new way, servers are __________, like cattle in a herd. For example, www001 to www100. When one server goes down, it's __________
numbered; taken out back, shot, and replaced on the line.
Let's take a minute to clearly define pets and cattle.Pets__________
Servers or server pairs that are treated as indispensable or unique systems that can never be down. Typically they are manually built, managed, and "hand fed". Examples include mainframes, solitary servers, HA loadbalancers/firewalls (active/active or active/passive), database systems designed as master/slave (active/passive), and so on.
Cattle__________Typically, during failure events no human intervention is required as the array exhibits attributes of __________ by restarting failed servers or replicating data through strategies like triple replication or erasure coding.
Arrays of more than two servers, built using automated tools and designed for failure, where no one, two, or even three servers are irreplaceable; "routing around failures"
Cattle Examples include __________
web server arrays, multi-master datastores such as Cassandra clusters, multiple racks of gear put together in clusters, and just about anything that is load-balanced and multi-master.
Scale Up__________Scale Out__________
§ Servers are like pets § You name them, and when they get sick, you nurse them back to health § Servers are like cattle § You number them, and when they get sick, you shoot them
Each NAT gateway is created in a specific __________ and implemented with __________
Availability Zone; redundancy in that zone.
To create an Availability Zone-independent architecture, create a NAT gateway in __________ and configure your __________
each Availability Zone; routing to ensure that resources use the NAT gateway in the same Availability Zone.
ENI is a network interface and __________ IP addresses
has nothing to do with
With the Glacier expedited retrieval option, you should be able to get a document within __________
five minutes.
Your application is hosted on EC2 instances, and all the data is stored in an EBS volume. The EBS volumes must be durably backed up across multiple AZs. What is the most resilient way to back up the EBS volumes?__________
Take regular EBS snapshots. By using snapshots, you can back up the EBS volume; snapshots are stored in Amazon S3, which durably stores the data across multiple AZs in the region.
Why wrong? Your application is hosted on EC2 instances, and all the data is stored in an EBS volume. The EBS volumes must be durably BACKED UP across multiple AZs. What is the most resilient way to back up the EBS volumes? Mirror data across two EBS volumes by using RAID.__________
Even if you mirror the data across two EBS volumes by using RAID, you will have high availability of the data but not a BACKUP.
With Amazon EBS, you can use any of the standard RAID configurations that you can use with a traditional bare metal server, as long as that particular RAID configuration is __________ for your instance. This is because all RAID is accomplished at the __________level.
supported by the operating system; software
For greater I/O performance than you can achieve with a single volume, RAID 0 can __________; for on-instance redundancy, RAID 1 can mirror two volumes together.
stripe multiple volumes together
Use RAID 0 when __________
When I/O performance is more important than fault tolerance; for example, as in a heavily used database (where data replication is already set up separately).
Is RAID 1 overkill on Amazon EBS drives in terms of reliability?
Yes. EBS is fault tolerant on the back end, but EBS failures do occur, and in unexpected ways. What you don't see is the type of failure that most of us are used to, where a drive goes bad and just fails outright. The most frequent failure is a huge and unpredictable increase in latency, which can make your application unresponsive. With RAID 1 or RAID 10 sets, you can simply fail the problem drive out of the array and replace it with a new one with no downtime.
You want to query the memory utilization of an EC2 instance. How can you monitor it?__________
Use CloudWatch CUSTOM metrics. Memory is not among the instance metrics CloudWatch collects by default; therefore, you need to publish a custom metric to monitor it.
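The custom-metric idea above can be sketched as the payload you would pass to boto3's `put_metric_data` call. This is a minimal sketch, not a definitive implementation; the namespace `Custom/EC2`, the instance ID, and the value shown are hypothetical, and the function only builds the request dictionary (it does not call AWS).

```python
# Sketch of the kwargs for cloudwatch_client.put_metric_data() to publish
# memory utilization as a custom metric. Namespace and instance id are
# hypothetical examples.
def memory_metric(instance_id, used_percent, namespace="Custom/EC2"):
    """Build the put_metric_data request for a memory utilization sample."""
    return {
        # Custom metrics must not use the reserved "AWS/" namespace prefix.
        "Namespace": namespace,
        "MetricData": [{
            "MetricName": "MemoryUtilization",
            "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
            "Value": used_percent,
            "Unit": "Percent",
        }],
    }

payload = memory_metric("i-0123456789abcdef0", 72.5)
```

In practice an agent on the instance (such as the CloudWatch agent) would publish this on a schedule; the sketch just shows the shape of one data point.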
You are running an application in the us-east-1 region. The application needs six EC2 instances running at any given point in time. With five availability zones available in that region (us-east-1a, us-east-1b, us-east-1c, us-east-1d, us-east-1e), which of the following deployment models is going to provide fault tolerance and a cost-optimized architecture if one of the AZs goes down?__________
Two EC2 instances in each of four availability zones (us-east-1a, us-east-1b, us-east-1c, us-east-1d). You should always be up and running on six EC2 servers even if you lose one AZ. With this deployment you will be running only eight servers at any point in time, and even if you lose an AZ, you will still be running six EC2 instances; running six instances in each of two AZs would also survive an AZ failure but costs twelve servers instead of eight.
Why wrong? In the AWS console, right-click the subnet and then select the Make Public option.
There is no concept of right-clicking a subnet to make it public in the AWS console.
You have been tasked to create a public subnet for a VPC. What should you do to make sure the subnet is able to communicate to the Internet? (Choose two.)__________
1. Attach an Internet gateway to the VPC. 2. Create a route in the route table of the subnet allowing a route out of the Internet gateway. Attaching an Internet gateway to the VPC is not enough on its own; a subnet only becomes public when its route table has a route to that Internet gateway, so that traffic can flow in and out of the subnet.
You are deploying an application in multiple EC2 instances in different AZs and will be using ELB and Auto Scaling to scale up and scale down as per the demand. You are planning to store the session information in DynamoDB. Since DynamoDB has a public endpoint and you don't want to give Internet access to the application server, what is the most secure way your application server can talk with DynamoDB?__________
Leverage the VPC endpoint for DynamoDB. Amazon DynamoDB also offers VPC endpoints, which you can use to secure access to DynamoDB. The Amazon VPC endpoint for DynamoDB enables Amazon EC2 instances in your VPC to use their private IP addresses to access DynamoDB with no exposure to the public Internet.
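A gateway endpoint for DynamoDB can also carry an endpoint policy that narrows what the instances may do through it. The fragment below is a hedged sketch, not a production policy; the region, account number, table name, and action list are all hypothetical.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:Query"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/SessionStore"
    }
  ]
}
```

With a policy like this attached to the endpoint, traffic through it can only reach the named session table, which fits the session-store use case in the question.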
You are running an application on EC2 instances, and you want to add a new functionality to your application. To add the functionality, your EC2 instance needs to write data in an S3 bucket. Your EC2 instance is already running, and you can't stop/reboot/terminate it to add the new functionality. How will you achieve this? (Choose two.)__________
1. Create an IAM role that allows write access to S3 buckets.2. Attach the IAM role that allows write access to S3 buckets to the running EC2 instance.You can attach an IAM role to a running or stopped instance. Therefore, you should create an IAM role and then attach it to the running EC2 instance.
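The role described above needs a permissions policy that grants S3 write access. A minimal sketch follows; the bucket name `example-app-bucket` is a hypothetical placeholder, and a real policy might also need actions such as `s3:AbortMultipartUpload` depending on how the application writes.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::example-app-bucket/*"
    }
  ]
}
```

You would attach this policy to the IAM role, then attach the role to the running instance; the application picks up temporary credentials from the instance metadata with no restart required.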
Why wrong? You are running an application on EC2 instances, and you want to add a new functionality to your application. To add the functionality, your EC2 instance needs to write data in an S3 bucket. Your EC2 instance is already running, and you can't stop/reboot/terminate it to add the new functionality. How will you achieve this? (Choose two.)__________
Launch a new EC2 instance with an IAM role that can access the S3 bucket.You can't launch new EC2 servers because the question clearly says that you can't stop or terminate the existing EC2 server.
You are running a fleet of EC2 instances for a web server, and you have integrated them with Auto Scaling. Whenever a new server is added to the fleet as part of Auto Scaling, your security team wants it to have the latest OS security fixes. What is the best way of achieving this objective?__________
Launch the instance with a bootstrapping script that is going to install the latest updates. Whenever Auto Scaling creates a new instance, it picks up all the configuration details from the Auto Scaling group, so you don't have to do anything manually. A bootstrapping script with an update action will make sure the instance has all the security fixes before it is released for use.
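The bootstrapping script above would typically be supplied as EC2 user data in the launch configuration. This is a minimal, hypothetical config fragment assuming an Amazon Linux AMI (the yum flags apply only to yum-based distributions):

```bash
#!/bin/bash
# Hypothetical EC2 user-data script; runs once at first boot.
# Apply pending security updates before the instance takes traffic.
yum update -y --security
```

Because every instance the Auto Scaling group launches runs this at boot, new fleet members patch themselves without manual intervention.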
Even if Auto Scaling launches a new instance, the instance will not necessarily have all the latest security fixes. The instance will only have the security fixes that existed when __________
the AMI was last updated.
What does a public subnet have in a VPC?__________
At least one route in its associated route table that uses an Internet gateway (IGW). A public subnet's route table always has a route to an Internet gateway; the IGW itself is attached to the VPC, not to the subnet.
When editing permissions (policies and ACLs), creating S3 buckets, and doing activities with EC2 instances, who is the owner in the context of AWS?__________
The owner refers to the ROOT account.In AWS, the account owner is also referred to as the root account, which is the superuser.
What is the range of CIDR blocks that can be used inside a VPC?__________
Between /16 and /28The allowed block size is between a /16 netmask (65,536 IP addresses) and a /28 netmask (16 IP addresses).
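The address counts quoted for the /16 and /28 limits can be checked with Python's standard `ipaddress` module; the example CIDR blocks below are hypothetical, chosen from the private 10.0.0.0/8 range commonly used in VPCs.

```python
# Verify the VPC CIDR size limits: /16 gives 65,536 addresses, /28 gives 16.
import ipaddress

largest = ipaddress.ip_network("10.0.0.0/16")   # biggest block a VPC allows
smallest = ipaddress.ip_network("10.0.0.0/28")  # smallest block a VPC allows

print(largest.num_addresses)   # 65536
print(smallest.num_addresses)  # 16
```

(Note that within each subnet, AWS additionally reserves five addresses for its own use, so the usable count per subnet is slightly lower.)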
You work for a large media organization that has traditionally stored all their media on large SAN arrays. After evaluating AWS, they have decided to move their storage to the cloud. Staff will store their personal data on S3 and will have to use their Active Directory credentials in order to authenticate. These items will be stored in a single S3 bucket, and each staff member will have their own folder within that bucket named after their employee ID. Which of the following steps should you take in order to help set this up? (Choose 3)
Use AWS Security Token Service to create temporary tokens.
Create an IAM role.
Create either a federation proxy or identity provider.
Create an IAM user for each member of staff and use their existing Active Directory password for the account.
Sorry! You cannot tag individual folders within an S3 bucket. If you create an individual user for each staff member, there will be no way to keep their Active Directory credentials synched when they change their password. You should create either a federation proxy or identity provider and then use AWS Security Token Service to create temporary tokens. You will then need to create the appropriate IAM role that the users will assume when writing to the S3 bucket.
You are developing a web application, and you are maintaining separate sets of resources for your alpha, beta, and release environments. Each version runs on Amazon EC2 with an EBS volume. You use Elastic Load Balancing to manage traffic and Amazon Route 53 to manage your domain. What's the best way to check the health and status of all three groups of services simultaneously?
Create a resource group containing each set of resources and view all three environments from a single group dashboard.
NOT: Use CloudWatch to proactively monitor each environment.
GeoLocation is the best option because it is based on __________. Geoproximity routing is another option where the decision can be based on __________.
national borders; distance
EBS volumes can be encrypted, but they are __________ by default. SSL certificates will only be useful to encrypt data __________.
not encrypted; in transit, not data at rest
3 ways to encrypt your EC2 and EBS data: Encrypt the data using native encryption tools available in the __________. Encrypt your data inside your __________ before storing it on EBS. Use __________ encryption tools.
operating system (such as Windows BitLocker); application; third-party volume
Amazon EBS encryption uses AWS Key Management Service (AWS KMS) __________ (CMKs) when creating encrypted volumes and any snapshots created from them. A unique AWS-managed CMK is created for you automatically in each region where you store AWS assets. This key is used for Amazon EBS encryption unless you specify a ____________________
customer master keyscustomer-managed CMK that you created
Creating your own CMK gives you more flexibility, including the ability to __________ and to define access controls
create, rotate, and disable keys
Also, you cannot __________ for an existing EBS volume. Instead, you must create a __________
enable encryption; new, encrypted volume and copy the data from the old one to the new one using the file manipulation tool of your choice. Rsync (Linux) and Robocopy (Windows) are two good options, but there are many others.
5 WAF conditions__________
IP match condition
Geo match condition
String match condition
Regex match condition (optional)
SQL injection match condition
A geo match condition specifies the __________
country or countries that requests originate from.
A string match condition identifies the strings that you want AWS WAF to search for in a __________
request, such as a specified value in a header or in a query string. Usually, a string consists of printable ASCII characters, but you can specify any character from hexadecimal 0x00 to 0xFF (decimal 0 to 255).
AWS WAF includes other conditions, including the following:Size constraint conditions - __________Cross-site scripting match conditions - Identifies the part of web requests, such as a __________
Identifies the part of web requests, such as a header or a query string, that you want AWS WAF to check for length;
header or a query string, that you want AWS WAF to inspect for malicious scripts.
During ___________, the instance with the _____________ will terminate first.
scale-in; oldest launch configuration.