12.5 Whizlabs - Practice Test III
EBS snapshots are incremental, but each snapshot still holds every block needed to restore the volume, so older snapshots can be deleted without losing data. You don't need to keep a long chain of snapshots if you are looking to reduce costs.
To protect the sensitive data on an unencrypted EBS volume, create a snapshot of it, copy the snapshot with encryption enabled (choosing a KMS key), and create a new volume from the encrypted snapshot; then swap the new volume in and delete the unencrypted volume and snapshot. Encryption cannot be switched on for an existing volume in place. The other workable but less convenient solution is to create a new encrypted volume and copy the data across from the unencrypted volume at the OS level.
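The snapshot-copy path above, written out as an AWS CLI script. This is an added example, not code from the practice test or from AWS; it assumes a configured AWS CLI with the EC2 and KMS permissions named in the comments, and the volume id, key alias and region in the usage line are placeholders.

```sh
#!/bin/sh
# Added example: migrate an unencrypted EBS volume to an encrypted one via a
# snapshot copy. Assumes the AWS CLI is configured with permissions for
# ec2:CreateSnapshot, ec2:CopySnapshot, ec2:CreateVolume, ec2:DescribeVolumes,
# ec2:DeleteSnapshot and use of the chosen KMS key. Ids below are placeholders.

# encrypt_volume VOLUME_ID KMS_KEY_ID REGION
# Prints the id of the new encrypted volume, created in the same AZ as the source.
encrypt_volume() {
    vol="$1"; key="$2"; region="$3"

    # 1. Snapshot the unencrypted volume (this snapshot is unencrypted too).
    snap=$(aws ec2 create-snapshot --region "$region" --volume-id "$vol" \
        --description "pre-encryption copy of $vol" \
        --query SnapshotId --output text)
    aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$snap"

    # 2. Copy the snapshot with encryption turned on. This is the step where
    #    the data is actually wrapped under a KMS data key.
    enc=$(aws ec2 copy-snapshot --region "$region" --source-region "$region" \
        --source-snapshot-id "$snap" --encrypted --kms-key-id "$key" \
        --description "encrypted copy of $snap" \
        --query SnapshotId --output text)
    aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$enc"

    # 3. Create the replacement volume from the encrypted snapshot in the
    #    source volume's AZ. Volumes built from encrypted snapshots inherit
    #    the encryption, so no extra flag is needed here.
    az=$(aws ec2 describe-volumes --region "$region" --volume-ids "$vol" \
        --query 'Volumes[0].AvailabilityZone' --output text)
    newvol=$(aws ec2 create-volume --region "$region" --snapshot-id "$enc" \
        --availability-zone "$az" --query VolumeId --output text)
    aws ec2 wait volume-available --region "$region" --volume-ids "$newvol"

    # 4. The unencrypted snapshot is a plaintext-at-rest copy of the data;
    #    remove it now that the encrypted copy is confirmed complete.
    aws ec2 delete-snapshot --region "$region" --snapshot-id "$snap"

    echo "$newvol"
}

# Usage (placeholder ids): encrypt_volume vol-0123456789abcdef0 alias/ebs-prod us-east-1
if [ $# -eq 3 ]; then
    encrypt_volume "$1" "$2" "$3"
fi
```

Quiesce writes (or stop the instance) before step 1 so the snapshot is consistent. The old volume still holds plaintext, so delete it once the new volume is attached and verified. To stop the problem recurring, enable default EBS encryption for the region (`aws ec2 enable-ebs-encryption-by-default`); every volume created afterwards is encrypted without these steps.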
Use cases of DynamoDB vs. RDS (or a relational engine on EC2) vs. S3
Amazon DynamoDB does the database management and administration; you simply store and request your data. Automatic replication and failover provide built-in fault tolerance, high availability, and data durability. DynamoDB tackles the core problems of database scalability, management, performance, and reliability, but it does not have all the functionality of a relational database: it does not support relational queries such as joins, and its transaction support is limited compared with an RDBMS, so that kind of workload belongs on RDS or a relational engine on EC2.
Amazon DynamoDB stores structured data, indexed by primary key, and allows low-latency read and write access to items of up to 400 KB. Amazon S3 stores unstructured BLOBs (Binary Large Objects) and is suited to large objects of up to 5 TB each. To optimize costs across AWS services, store large objects or infrequently accessed data sets in Amazon S3, and keep smaller data elements or pointers/metadata (possibly referencing S3 objects) in DynamoDB.
CloudWatch metrics are retained on the following three schedules (older data is aggregated to the coarser period rather than dropped):
1-minute datapoints are available for 15 days.
5-minute datapoints are available for 63 days.
1-hour datapoints are available for 455 days (15 months).
Retention period: an aspect of the records lifecycle; it identifies the duration for which information should be maintained or "retained".
An IAM user has two kinds of credentials:
a username and password to sign in to the AWS Management Console (protect this with MFA)
an Access Key ID and Secret Access Key to interact with AWS programmatically through the CLI, SDKs, and other development tools (rotate these; never embed them in code)
DB parameter groups (for RDS; ElastiCache and Redshift have their own parameter groups) hold engine settings that are applied to every DB instance or cluster associated with the group. DynamoDB is fully managed and has no parameter groups.
S3 encryption at rest: server-side encryption comes in three flavours, distinguished by who holds the key: SSE-S3 (keys managed by S3), SSE-KMS (keys in AWS KMS, with key policies and a CloudTrail audit trail), and SSE-C (customer-provided keys sent with each request). Client-side encryption has two options: a KMS-managed customer master key, or a client-side master key that you manage yourself and that never leaves your environment.
A private IP address is an IP address that is not reachable over the Internet. You can use private IP addresses for communication between instances in the same network (EC2-Classic or a VPC). When an instance is launched, a private IP address from the subnet's range is assigned to it and delivered via DHCP. Each instance is also given an internal DNS hostname that resolves to the private IP address.
RAID 5 (and RAID 6) is a poor fit for EBS because the parity writes consume part of the IOPS available to the volumes. Commonly, RAID 0 (striping) or RAID 10 is used to improve EBS disk I/O. A larger instance type gives you more compute, memory, and network capacity, and with it more EBS bandwidth.
AWS Elastic Beanstalk stores your application versions (and, optionally, server log files) in Amazon S3.
Remove one or more ingress rules from a security group using the CLI: aws ec2 revoke-security-group-ingress (for egress rules: revoke-security-group-egress).
EC2 supports two types of block device:
Instance store volumes (virtual devices whose underlying hardware is physically attached to the host computer running the instance; the data is ephemeral)
EBS volumes (network-attached storage that persists independently of the instance)
You can use IAM to manage access keys, roles, and MFA.
Tag instances to mark which are production and which are development, then add a condition to the IAM policy that only allows actions on instances carrying a specific tag (the ec2:ResourceTag/<key> condition key). This way the users responsible for development instances cannot work on production instances. The control is only as strong as the tags: also restrict who may create and delete the tags (ec2:CreateTags, ec2:DeleteTags), otherwise a developer could simply retag a production instance as development.
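An added example of such a tag-scoped policy (not from the practice test or from AWS), as a script that builds the policy document and creates it with the AWS CLI. It assumes an Environment=development tagging convention and a placeholder policy name; the third statement is the caveat above, a Deny on changing the scope tag, without which the Allow is trivially bypassed.

```sh
#!/bin/sh
# Added example: IAM policy that confines a user to EC2 instances carrying a
# given tag, plus a Deny that stops the user from changing that tag.
# Assumes a configured AWS CLI with iam:CreatePolicy. The tag key/value and
# policy name used below are placeholder conventions.

# tag_scoped_policy TAG_KEY TAG_VALUE -> prints the policy document (JSON).
# ec2:Describe* calls have no resource-level permissions, so that statement
# must use Resource "*"; the lifecycle actions are scoped to instance ARNs.
tag_scoped_policy() {
    key="$1"; value="$2"
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOnlyTaggedInstances",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances",
                 "ec2:RebootInstances", "ec2:TerminateInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {"StringEquals": {"ec2:ResourceTag/${key}": "${value}"}}
    },
    {
      "Sid": "ListEverything",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Sid": "NoRetaggingOfScopeTag",
      "Effect": "Deny",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {"ForAnyValue:StringEquals": {"aws:TagKeys": "${key}"}}
    }
  ]
}
EOF
}

# create_policy POLICY_NAME TAG_KEY TAG_VALUE -> creates the managed policy
# and prints its ARN (the document is passed inline, no temp file needed).
create_policy() {
    aws iam create-policy --policy-name "$1" \
        --policy-document "$(tag_scoped_policy "$2" "$3")" \
        --query Policy.Arn --output text
}

# Usage (placeholders): create_policy DevInstancesOnly Environment development
if [ $# -eq 3 ]; then
    create_policy "$1" "$2" "$3"
fi
```

Attach the resulting policy to the developers' IAM group. If developers may also launch instances, add an Allow on ec2:RunInstances conditioned on aws:RequestTag/Environment so new instances are forced into the development scope rather than left untagged.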
To ensure EBS volumes are backed up properly and the data is durable, you can write a cron job that uses the AWS CLI to take snapshots of the production EBS volumes (today Amazon Data Lifecycle Manager can schedule this without a cron job). The data is durable because EBS snapshots are stored in Amazon S3, which is designed for eleven nines of durability.
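An added example of such a cron job (not from the practice test or from AWS). It assumes a configured AWS CLI, for instance via an instance role, with ec2:DescribeVolumes, ec2:DescribeSnapshots, ec2:CreateSnapshot, ec2:CreateTags and ec2:DeleteSnapshot; the Backup=true selector tag, the CreatedBy marker tag, the script path and the 7-day retention are placeholder conventions. It goes one step beyond the note above by also pruning old snapshots, so snapshot cost does not grow without bound.

```sh
#!/bin/sh
# Added example: nightly EBS snapshot job with retention pruning.
# cron entry (placeholder path):
#   0 2 * * * /usr/local/bin/ebs-backup.sh run >> /var/log/ebs-backup.log 2>&1
REGION="${REGION:-us-east-1}"          # placeholder
RETENTION_DAYS="${RETENTION_DAYS:-7}"  # placeholder convention

# snapshot_tagged_volumes -> snapshots every volume tagged Backup=true and
# prints one snapshot id per line. Each snapshot is tagged CreatedBy=cron-backup
# so the pruner below never touches snapshots that were taken by hand.
snapshot_tagged_volumes() {
    for vol in $(aws ec2 describe-volumes --region "$REGION" \
            --filters Name=tag:Backup,Values=true \
            --query 'Volumes[].VolumeId' --output text); do
        snap=$(aws ec2 create-snapshot --region "$REGION" --volume-id "$vol" \
            --description "cron backup of $vol" \
            --query SnapshotId --output text)
        aws ec2 create-tags --region "$REGION" --resources "$snap" \
            --tags Key=CreatedBy,Value=cron-backup "Key=SourceVolume,Value=$vol"
        echo "$snap"
    done
}

# cutoff_days_ago N -> ISO-8601 UTC timestamp N days in the past.
# Uses GNU date (Linux); on BSD/macOS use: date -u -v-"$1"d +%Y-%m-%dT%H:%M:%S
cutoff_days_ago() {
    date -u -d "$1 days ago" +%Y-%m-%dT%H:%M:%S
}

# prune_snapshots CUTOFF -> deletes cron-created snapshots started before
# CUTOFF and prints their ids. ISO-8601 UTC timestamps sort lexically, so
# expr's string comparison is enough; no date parsing is needed.
prune_snapshots() {
    cutoff="$1"
    aws ec2 describe-snapshots --region "$REGION" --owner-ids self \
        --filters Name=tag:CreatedBy,Values=cron-backup \
        --query 'Snapshots[].[StartTime,SnapshotId]' --output text |
    while read -r started snap; do
        [ -n "$snap" ] || continue
        if expr "$started" \< "$cutoff" >/dev/null; then
            aws ec2 delete-snapshot --region "$REGION" --snapshot-id "$snap"
            echo "$snap"
        fi
    done
}

if [ "${1:-}" = "run" ]; then
    snapshot_tagged_volumes
    prune_snapshots "$(cutoff_days_ago "$RETENTION_DAYS")"
fi
```

A snapshot of a volume with in-flight writes is crash-consistent at best; for databases, flush or freeze the filesystem first. Restore drills matter more than the schedule: periodically create a volume from a snapshot and mount it, because a backup that has never been restored is an assumption.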
For an EBS-backed instance, the underlying host can change when the instance is stopped and started; the EBS root volume persists across this, but any data on instance store volumes attached to the instance is lost.
Alias resource record sets are virtual records that work like CNAME records, but they differ from CNAME records in that they are not visible to resolvers: resolvers only see the A record and the resulting IP address of the target. As such, unlike CNAME records, alias resource record sets can be used at a zone apex (a.k.a. a root domain or naked domain) in a dynamic environment. So when you create a record in your hosted zone that points to the load balancer, choose "Yes" for the Alias option and then pick the ELB you have defined in AWS.
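The same apex alias as an AWS CLI change batch, added here as an example (not from the practice test or from AWS). It assumes a Classic Load Balancer, a configured AWS CLI with route53:ChangeResourceRecordSets and elasticloadbalancing:DescribeLoadBalancers, and placeholder values for the hosted zone id, domain and load balancer name.

```sh
#!/bin/sh
# Added example: point a zone apex (e.g. example.com) at a Classic Load
# Balancer with a Route 53 alias record. Ids and names are placeholders.

# alias_change_batch DOMAIN ELB_DNS_NAME ELB_ZONE_ID -> prints the change batch.
# HostedZoneId inside AliasTarget is the load balancer's canonical hosted
# zone, NOT the zone that holds the domain; mixing the two up is the usual
# reason the change is rejected. EvaluateTargetHealth lets the record follow
# the ELB's own health, which matters when this apex is part of a failover set.
alias_change_batch() {
    cat <<EOF
{
  "Comment": "apex alias to ELB",
  "Changes": [{
    "Action": "UPSERT",
    "ResourceRecordSet": {
      "Name": "$1",
      "Type": "A",
      "AliasTarget": {
        "HostedZoneId": "$3",
        "DNSName": "$2",
        "EvaluateTargetHealth": true
      }
    }
  }]
}
EOF
}

# point_apex_at_elb HOSTED_ZONE_ID DOMAIN ELB_NAME -> submits the change and
# prints the Route 53 change id. Both the DNS name and the canonical zone id
# of a Classic ELB come from describe-load-balancers.
point_apex_at_elb() {
    zone="$1"; domain="$2"; elb="$3"
    set -- $(aws elb describe-load-balancers --load-balancer-names "$elb" \
        --query 'LoadBalancerDescriptions[0].[DNSName,CanonicalHostedZoneNameID]' \
        --output text)
    aws route53 change-resource-record-sets --hosted-zone-id "$zone" \
        --change-batch "$(alias_change_batch "$domain" "$1" "$2")" \
        --query ChangeInfo.Id --output text
}

# Usage (placeholders): point_apex_at_elb ZEXAMPLEZONE example.com my-web-elb
if [ $# -eq 3 ]; then
    point_apex_at_elb "$1" "$2" "$3"
fi
```

For an Application or Network Load Balancer the lookup is `aws elbv2 describe-load-balancers` and the field is CanonicalHostedZoneId; the change batch itself is identical. Follow up with `aws route53 get-change --id <change id>` until the status is INSYNC.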
AWS Key Management Service vs. AWS CloudHSM (these two and IAM all sit under the Security, Identity, & Compliance part of the console)
AWS Key Management Service (KMS) is a managed service that makes it easy to create and control the encryption keys used to encrypt your data; it uses Hardware Security Modules (HSMs) to protect the security of your keys. It is sufficient if you only have basic key-management needs, and it integrates natively with most other AWS services (EBS, S3, RDS, and so on).
For stricter requirements, use CloudHSM. The AWS CloudHSM service helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated, single-tenant Hardware Security Module (HSM) appliances within the AWS cloud. With CloudHSM you control the encryption keys and the cryptographic operations performed by the HSM, and AWS has no access to the key material.
CloudFront Origin Access Identity (OAI): a special CloudFront identity that you grant s3:GetObject in the bucket policy of a private S3 origin, so viewers can fetch objects only through the CloudFront distribution and not directly from the S3 URL.
Mitigating DDoS attacks:
Use an Amazon CloudFront distribution for both static and dynamic content, so the edge absorbs and filters the traffic.
Use ELB and Auto Scaling groups at the web/app tier. Restrict direct Internet traffic to the Amazon RDS tier (private subnets, security groups that only allow the app tier).
Add Amazon CloudWatch alarms on high NetworkIn and CPU utilization.
You can also apply similar practices to API Gateway, Route 53, and VPC (security groups and network ACLs).
If you cannot use ELB, how can you deploy the application with high availability and fault tolerance?
Assign an Elastic IP address to the active instance.
Write a custom script that checks the health of the instance and, if the instance stops responding, reassociates the Elastic IP address with a standby instance.
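An added example of such a failover script (not from the practice test or from AWS). It is meant to run on a separate monitoring host and assumes curl, a configured AWS CLI with ec2:AssociateAddress, and placeholder allocation and instance ids. It probes an application URL rather than pinging, because a host can answer ICMP while the web process is hung, and it requires several consecutive failures before moving the address so a single dropped probe does not flip production.

```sh
#!/bin/sh
# Added example: Elastic IP failover loop for a primary/standby pair without ELB.
# Environment overrides are placeholders; set them for the real pair.
REGION="${REGION:-us-east-1}"
EIP_ALLOC="${EIP_ALLOC:-eipalloc-0123456789abcdef0}"   # placeholder
PRIMARY="${PRIMARY:-i-0aaaaaaaaaaaaaaaa}"              # placeholder
STANDBY="${STANDBY:-i-0bbbbbbbbbbbbbbbb}"              # placeholder
FAIL_LIMIT="${FAIL_LIMIT:-3}"                          # consecutive failures before failover

# healthy URL -> returns 0 if the app answers HTTP 200 within 5 s, 1 otherwise.
healthy() {
    code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "$1" 2>/dev/null) || code=000
    [ "$code" = "200" ]
}

# decide FAILURES -> prints "failover" once failures reach FAIL_LIMIT, else "wait".
# Kept as a pure function so the threshold logic can be tested on its own.
decide() {
    if [ "$1" -ge "$FAIL_LIMIT" ]; then echo failover; else echo wait; fi
}

# failover INSTANCE_ID -> reassociates the Elastic IP with the given instance
# and prints the association id. --allow-reassociation is required because
# the address is still attached to the failed instance; without it the call fails.
failover() {
    aws ec2 associate-address --region "$REGION" \
        --allocation-id "$EIP_ALLOC" --instance-id "$1" \
        --allow-reassociation --query AssociationId --output text
}

# monitor URL -> probes every 10 s; after FAIL_LIMIT consecutive failures moves
# the EIP to the standby and swaps roles so the old primary becomes the standby.
# Probing through the EIP means the loop always watches whoever holds the address.
monitor() {
    failures=0
    while :; do
        if healthy "$1"; then
            failures=0
        else
            failures=$((failures + 1))
            if [ "$(decide "$failures")" = "failover" ]; then
                failover "$STANDBY"
                tmp="$PRIMARY"; PRIMARY="$STANDBY"; STANDBY="$tmp"
                failures=0
            fi
        fi
        sleep 10
    done
}

# Usage (placeholder address from the documentation range):
#   EIP_ALLOC=eipalloc-... PRIMARY=i-... STANDBY=i-... ./eip-failover.sh run http://203.0.113.10/health
if [ "${1:-}" = "run" ] && [ -n "${2:-}" ]; then
    monitor "$2"
fi
```

This is not a substitute for ELB: the monitoring host is itself a single point of failure, and the standby must already be running with current application code and data, so it still costs money while idle. The script also never fails back automatically, which is deliberate; a human should confirm the old primary is healthy before it takes traffic again.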
You can use SWF and SQS to build a decoupled architecture that spans resources in AWS and on-premises servers: both services can coordinate on-premises servers and EC2 instances alike, because workers only need outbound HTTPS access to poll for tasks or messages.
In an Auto Scaling group, if the scale-in alarm triggers too easily (its threshold sits too close to the scale-out threshold), the group keeps shrinking and then growing again: the application scales up and down several times within a short period. Keep an appropriate gap between the scale-out and scale-in thresholds on the CloudWatch alarms so that normal load does not cross both. To optimize costs while preserving elasticity, you can:
Modify the CloudWatch alarms so the threshold and number of evaluation periods are appropriate for the scale-in policy (don't scale in so easily).
Modify the Auto Scaling group cooldown timers so a new scaling activity does not start before the previous one has taken effect.
The recovery time objective (RTO) is the targeted duration of time and service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences of a break in business continuity.
Perfect Forward Secrecy (ECDHE cipher suites) is available on CloudFront and ELB through their predefined SSL security policies.