12.4 Whizlabs - Practice Test II
AWS EC2 provides a repository of public data sets that can be seamlessly integrated into AWS cloud-based applications. There is no charge for using public data sets.
Instance Lifecycle:
When you create an EBS volume in an AZ, it is automatically replicated within that same zone to prevent data loss due to the failure of any single hardware component.
Suppose VPC-1 contains only private subnets and is connected to the on-premises network over a single AWS Direct Connect connection with a private virtual interface. A VPN connection is the usual backup for a Direct Connect connection and increases fault tolerance. Alternatively, a second Direct Connect connection in the same Region as VPC-1 gives the same resilience: if one connection goes down, the other remains active.
Elastic IP Addresses.
An Elastic IP address is a static IPv4 address designed for dynamic cloud computing. An Elastic IP address is associated with your AWS account. With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account.
An Elastic IP address is a public IPv4 address, reachable from the internet. If your instance does not have a public IPv4 address, you can associate an Elastic IP address with it to enable communication with the internet (an instance must have either a public IP or an Elastic IP to be reachable from the Internet). AWS does not support Elastic IP addresses for IPv6.
After you create an AMI, you can keep it private or you can share it with a specified list of AWS accounts. You can also make your custom AMI public through modifying the Image permissions, so that the community can use it.
The basic requirement for logging into an EC2 instance on AWS: a key pair (the private key stays with you; only the public key is placed on the instance).
I2 instances are optimized to deliver tens of thousands of low-latency, random IO operations per second to applications. They are suitable for following scenarios:
NoSQL databases
Clustered databases
Online Transaction Processing (OLTP) systems.
Elements you can manage in IAM dashboard: Groups, Users, Roles, Policies, Encryption keys, etc.
AWS Lambda supports code written in Node.js (JS runtime), Python, Java and C# (using the .NET core runtime).
Identity Providers (IdP) and Federation. If you already manage user identities outside of AWS, you can use IAM identity providers (IdP) instead of creating IAM users in your AWS account. When you use an IdP, you don't have to create custom sign-in code or manage your own user identities; the IdP provides that for you. Your external users sign in through a well-known identity provider, such as Login with Amazon, Facebook, Google, and many others. You can give those external identities permissions to use AWS resources in your account. Identity providers help keep your AWS account secure because you don't have to distribute or embed long-term security credentials, such as IAM access keys, in your application. To use an IdP, you create an IAM identity provider entity to establish a trust relationship between your AWS account and the IdP. IAM supports IdPs that are compatible with OpenID Connect (OIDC), i.e. Web Identity Federation, or with SAML 2.0 (Security Assertion Markup Language 2.0), i.e. SAML 2.0-based Identity Federation.
To support the autonomy of divisions and keep their resources separate while corporate still maintains governance and cost oversight, two things are needed. First, a separate governance model per set of resources: give each division its own AWS account and enable IAM cross-account access so that corporate administrators can reach every child account. Second, bring each division's account into Consolidated Billing under the main corporate account by creating an AWS Organization. The administrators are then granted access via cross-account role access.
When you enable CloudTrail, you need to provide an S3 bucket where all the logs can be written to.
A typical structure of how an application is designed when using SQS:
A Multi-AZ deployment of DB instances in the same Region enhances database availability. What happens when you fail over from the primary DB instance to the secondary (standby) instance? Failover is handled automatically by Amazon RDS, so database operations resume as quickly as possible without administrative intervention. During failover, Amazon RDS simply flips the canonical name record (CNAME) for your DB instance to point at the standby, which is promoted to become the new primary. Follow best practice and implement database connection retry at the application layer, and do not cache the resolved IP address beyond the DNS TTL, or the application keeps connecting to the old primary after the CNAME has moved.
Amazon provides Amazon Linux AMIs that are configured to run as NAT instances. These AMIs include the string amzn-ami-vpc-nat in their names, so you can search for them in the Amazon EC2 console. When you launch an instance from a NAT AMI, the following configuration occurs on the instance:
IPv4 forwarding is enabled and ICMP redirects are disabled.
A script runs at startup and configures iptables IP masquerading.
Basic monitoring (5-minute periods). Detailed monitoring (1-minute metrics sent to CloudWatch).
Major advantages of having a VPN in AWS. One of the major advantages is that you can connect your on-premises data center to AWS via a VPN connection. You can create an IPsec, hardware VPN connection between your VPC and your remote data center. On the AWS side of the VPN connection, a Virtual Private Gateway provides two VPN endpoints for automatic failover (so you can build two tunnels to enhance availability). You configure your Customer Gateway, which is the physical device or software application on the remote data center side of the VPN connection. What you must have:
You are required to assign a static, internet-routable IP address to the Customer Gateway.
You also need an entry in the subnet's route table that sends traffic for the on-premises network to the Virtual Private Gateway, dest: <on-premises CIDR> -> target: VGW-ID. A route dest: 0.0.0.0/0 -> target: VGW-ID is only appropriate if all non-local traffic, Internet-bound traffic included, should be forced through the data center.
To enable access to or from the Internet for instances in a VPC subnet, you must do the following:
Attach an Internet gateway to your VPC.
Ensure that your subnet's route table points to the Internet gateway.
Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance.
Internal ELB vs. Internet-facing ELB. The scheme is chosen when the load balancer is created, not inferred from the instances behind it. An internal ELB gets only private IP addresses and is reachable only from inside the VPC (or over VPN/Direct Connect). An Internet-facing ELB gets public addresses and must be placed in public subnets, i.e. subnets whose route table has a route to an Internet Gateway attached to the VPC. Registering instances that live in private subnets with an Internet-facing ELB is fine and is the usual pattern: the ELB's subnets must be public, the instances' subnets need not be. (An IGW is always needed for an Internet-facing ELB.)
Suppose an application has been migrated from on-premises to AWS:
You will not be responsible for the ongoing maintenance of packages for RDS and DynamoDB, because their infrastructure is managed by AWS.
You are allowed to access to the underlying infrastructure of ElasticBeanstalk, EMR and EC2.
You cannot access the OS of RDS databases, because RDS is a managed service (some call it partially managed, since you still specify the instance size, security groups, etc.; in some questions it is treated as fully managed). If a customer needs OS access or OS privileges for their database, for more granular control or for compliance reasons, they can install the database engine on an EC2 instance instead.
Fully managed services include Aurora and DynamoDB.
Amazon EBS encryption. It offers you a simple encryption solution for your EBS volumes. When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:
Data at rest inside the volume
All data moving between the volume and the instance
All snapshots created from the volume
Amazon S3 encryption. In transit: SSL/TLS. At rest: server-side encryption with one of three key options, SSE-S3 (S3-managed keys), SSE-KMS (keys in AWS KMS) or SSE-C (customer-provided keys), or client-side encryption before upload.
AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns.
NAT is just used to relay information from private subnets to the Internet. It cannot protect web applications from security threats.
An EC2 role should be used to grant permissions to EC2 instances rather than storing IAM user credentials on them. The most likely scenario is SQS polling from an EC2 instance deployed with an IAM role: when you poll SQS from EC2, use an IAM role. Never use IAM user API keys embedded on the instance to authenticate SQS polling.
When a consumer receives a message from an SQS queue, the message becomes invisible to other consumers for the visibility timeout. If the timeout expires before the message is deleted, it becomes visible again (the consumer may have crashed) and can be received by another consumer. Once a consumer has finished processing a message, it is the consumer that deletes the message from the queue; SQS does not delete it on its own.
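The receive, visibility-timeout and delete rules above, as an added example that is not part of the original notes and not AWS code: a small in-memory queue that mimics those semantics so the at-least-once consequence can be seen offline. VisibilityQueue, process_with_crash and the sample message body are assumptions made for this illustration; real SQS is driven through boto3's receive_message/delete_message, which this toy does not call.

```python
"""Toy model of SQS receive / visibility timeout / delete (added example).

Times are plain integers (seconds) supplied by the caller so the sequence
is deterministic. Field names mirror the SQS message attributes.
"""
import uuid
import itertools


class VisibilityQueue:
    """Hypothetical in-memory stand-in for one SQS queue (not boto3)."""

    def __init__(self, visibility_timeout=30):
        self.visibility_timeout = visibility_timeout
        self._messages = {}            # id -> body, invisible_until, receipt, receive count
        self._ids = itertools.count(1)

    def send(self, body):
        mid = f"msg-{next(self._ids)}"
        self._messages[mid] = {"body": body, "invisible_until": 0,
                               "receipt": None, "receives": 0}
        return mid

    def receive(self, now):
        """Return the first visible message (or None) and hide it for the timeout."""
        for mid, m in self._messages.items():
            if m["invisible_until"] <= now:
                m["invisible_until"] = now + self.visibility_timeout
                m["receipt"] = uuid.uuid4().hex      # fresh receipt handle per receive
                m["receives"] += 1
                return {"MessageId": mid, "Body": m["body"],
                        "ReceiptHandle": m["receipt"],
                        "ApproximateReceiveCount": m["receives"]}
        return None

    def delete(self, receipt_handle):
        """Remove the message for this receipt handle; only the consumer calls this."""
        for mid, m in list(self._messages.items()):
            if m["receipt"] == receipt_handle:
                del self._messages[mid]
                return True
        return False                                 # stale or unknown handle

    def __len__(self):
        return len(self._messages)


def process_with_crash(queue, now, crash):
    """Consumer that receives one message, then either 'crashes' before
    deleting it (the message will reappear) or finishes and deletes it."""
    msg = queue.receive(now)
    if msg is None:
        return None
    if crash:
        return msg          # side effects may already have happened; nothing deleted
    queue.delete(msg["ReceiptHandle"])
    return msg


def demo():
    """Crash on first delivery, silence inside the timeout, redelivery after it."""
    q = VisibilityQueue(visibility_timeout=30)
    q.send("charge order 42")                            # constructed sample message
    first = process_with_crash(q, now=0, crash=True)     # consumer dies before delete
    hidden = q.receive(now=10)                           # still invisible: None
    second = process_with_crash(q, now=31, crash=False)  # redelivered, then deleted
    return first, hidden, second, len(q)


if __name__ == "__main__":
    print(demo())
```

The point the toy makes explicit: "charge order 42" is handed to a consumer twice with a different receipt handle each time, so the work a consumer does must be idempotent (or deduplicated on MessageId) before it is safe to rely on the delete-after-processing pattern.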
A bastion host is a special-purpose computer on a network, specifically designed and configured to withstand attack. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. A bastion host is kept in a public subnet. Users log on to the bastion host via SSH or RDP and then use that session to manage other hosts in the private subnets. The bastion host's security group should allow SSH (or RDP) only from a specific IP address (a /32) for maximum security.
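To check the last point, that admin ports are reachable only from a specific address, here is an added example, not code from the original notes: a Python function that walks security-group data in the shape of the EC2 DescribeSecurityGroups response and reports inbound rules that let more than a single host reach SSH or RDP. SAMPLE_GROUPS is a constructed input; with boto3 you would pass ec2.describe_security_groups()["SecurityGroups"] instead. The function name, the max_hosts threshold and the group IDs are assumptions of this example.

```python
"""Report security-group rules that expose SSH/RDP too widely (added example)."""
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def _covers_port(perm, port):
    """True if an IpPermissions entry includes the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                          # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def exposed_admin_rules(security_groups, max_hosts=1):
    """Return (GroupId, port name, source CIDR) for every inbound rule whose
    IPv4/IPv6 source range contains more than max_hosts addresses and covers
    an admin port. Rules whose source is another security group
    (UserIdGroupPairs) are not CIDRs and are deliberately not judged here."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            for port, name in ADMIN_PORTS.items():
                if not _covers_port(perm, port):
                    continue
                sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
                sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
                for src in sources:
                    net = ipaddress.ip_network(src, strict=False)
                    if net.num_addresses > max_hosts:
                        findings.append((sg["GroupId"], name, src))
    return findings


# Constructed sample in DescribeSecurityGroups shape: one correct bastion
# group and one group with the mistakes the audit should catch.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1",                      # all traffic from a whole /8
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]


if __name__ == "__main__":
    for group_id, port_name, source in exposed_admin_rules(SAMPLE_GROUPS):
        print(f"{group_id}: {port_name} open to {source}")
```

Raising max_hosts (for example to the size of a corporate /24) turns the check into "only from the office range" rather than "only from one address"; the world-open 0.0.0.0/0 and ::/0 rules are flagged at any threshold.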
Invalid VPC Peering connection configurations:
Overlapping CIDR blocks
Transitive Peering
Edge to edge routing through a gateway or private connection
Amazon cannot recover your keys (any kind of keys) if you lose your credentials to the application. Amazon doesn't have access to your keys or credentials and therefore has no way to recover your keys if you lose your credentials.
Managing Your Costs with AWS Budgets. Budgets enable you to plan your service usage, service costs, and your RI utilization. You can also track how close your plan is to your budgeted amount or to the free tier limits. Budgets provide you with a quick way to see your usage-to-date and current estimated charges from AWS and to see how much your predicted usage accrues in charges by the end of the month. Budgets also compare current estimates and charges to the amount that you indicated you want to use or spend and lets you see how much of your budget has been used. AWS updates your budget status several times a day. Budgets track your unblended costs, subscriptions, and refunds. You can create up to 20,000 budgets per AWS master account. Your first two budgets are free of charge. Each additional budget costs $0.02 per day.
You can use IAM user policies and attach them to users/groups that need specific access to AWS resources, e.g. S3 buckets (using S3 bucket policy is not appropriate).
AWS EC2 and EMR allow the administrator to access the underlying operating system; RDS and DynamoDB do not. For EC2, your security credentials identify you to AWS services and grant you use of your AWS resources, such as EC2 instances, within whatever your IAM policies allow. For EMR, applications like Hadoop need permission to access other AWS resources when running jobs on behalf of users.
Managing Access Keys for IAM Users.
Users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for individual AWS services. To fill this need, you can create, modify, view, or rotate access keys (access key IDs and secret access keys) for IAM users.
When you create an access key, IAM returns the access key ID and secret access key. You should save these in a secure location and give them to the user.
To ensure the security of your AWS account, the secret access key is accessible only at the time you create it. If a secret access key is lost, you must delete the access key for the associated user and create a new key.
By default, when you create an access key, its status is Active, which means the user can use the access key for AWS CLI, Tools for Windows PowerShell, and API calls. Each user can have two active access keys, which is useful when you must rotate the user's access keys. You can disable a user's access key, which means it can't be used for API calls. You might do this while you're rotating keys or to revoke API access for a user.
You can delete an access key at any time. However, when you delete an access key, it's gone forever and cannot be retrieved. (You can always create new keys.)
You can give your users permission to list, rotate, and manage their own keys.
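The two-active-keys rotation described above, as an added example that is not from the original notes: a Python routine written against the boto3 IAM client's method names (list_access_keys, create_access_key, update_access_key, delete_access_key) and response shapes, driven here by a constructed in-memory FakeIAM so that it runs offline. rotate_access_key, install_new_key, FakeIAM and the user name deploy-bot are assumptions of this example; against a real account you would pass boto3.client("iam") in place of the fake.

```python
"""Rotate an IAM user's access key through the second key slot (added example)."""
import secrets


def rotate_access_key(iam, user_name, install_new_key):
    """Create a new key, get it adopted, then deactivate (not delete) the old one.

    install_new_key(access_key_id, secret) must return True once the
    application is running on the new key. Returns (new_key_id, retired_ids).
    """
    keys = iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]
    if len(keys) >= 2:
        # Both slots are in use: drop a key that is already Inactive, never an Active one.
        inactive = [k for k in keys if k["Status"] == "Inactive"]
        if not inactive:
            raise RuntimeError(f"{user_name} already has two Active keys; disable one first")
        gone = inactive[0]["AccessKeyId"]
        iam.delete_access_key(UserName=user_name, AccessKeyId=gone)
        keys = [k for k in keys if k["AccessKeyId"] != gone]
    old_ids = [k["AccessKeyId"] for k in keys if k["Status"] == "Active"]

    new = iam.create_access_key(UserName=user_name)["AccessKey"]
    # The secret is only ever returned here: hand it straight to the consumer, never log it.
    if not install_new_key(new["AccessKeyId"], new["SecretAccessKey"]):
        iam.delete_access_key(UserName=user_name, AccessKeyId=new["AccessKeyId"])
        raise RuntimeError("new key not adopted; rolled back, old key still Active")

    for key_id in old_ids:
        # Inactive rather than deleted: it can be re-enabled if something still used it.
        iam.update_access_key(UserName=user_name, AccessKeyId=key_id, Status="Inactive")
    return new["AccessKeyId"], old_ids


class FakeIAM:
    """Constructed stand-in with the same call and response shapes as boto3's IAM client."""

    def __init__(self):
        self.keys = {}                                   # user -> list of metadata dicts

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys.get(UserName, [])]}

    def create_access_key(self, UserName):
        if len(self.keys.get(UserName, [])) >= 2:
            raise RuntimeError("LimitExceeded: an IAM user may have at most two access keys")
        key = {"UserName": UserName, "AccessKeyId": "AKIA" + secrets.token_hex(8).upper(),
               "Status": "Active", "SecretAccessKey": secrets.token_urlsafe(30)}
        self.keys.setdefault(UserName, []).append(
            {k: v for k, v in key.items() if k != "SecretAccessKey"})
        return {"AccessKey": key}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys.get(UserName, []):
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status

    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [k for k in self.keys.get(UserName, [])
                               if k["AccessKeyId"] != AccessKeyId]


def demo():
    """Normal rotation, a second rotation that first evicts the Inactive key,
    and a rollback when the application fails to adopt the new key."""
    iam, user = FakeIAM(), "deploy-bot"
    k1 = iam.create_access_key(UserName=user)["AccessKey"]["AccessKeyId"]
    k2, retired_a = rotate_access_key(iam, user, lambda kid, secret: True)   # k1 -> Inactive
    k3, retired_b = rotate_access_key(iam, user, lambda kid, secret: True)   # k1 deleted, k2 -> Inactive
    try:
        rotate_access_key(iam, user, lambda kid, secret: False)              # adoption fails
        rolled_back = False
    except RuntimeError:
        rolled_back = True
    state = {k["AccessKeyId"]: k["Status"]
             for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]}
    return {"k1": k1, "k2": k2, "k3": k3, "retired_a": retired_a,
            "retired_b": retired_b, "rolled_back": rolled_back, "state": state}


if __name__ == "__main__":
    print(demo())
```

The old key is only set Inactive after the application confirms it is running on the new one, and it is deleted only on the following rotation; that gap is what lets you recover if a forgotten job was still signing requests with the old key.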
Data in S3 bucket is replicated to multiple facilities in the same Region.