AWS services Flashcards

Question

Identity & Access Management (IAM) Best Practices

Answer 1

To secure AWS resources it is recommended that you follow these best practices: * Lock away your AWS account root user access keys. * Use roles to delegate permissions. * Grant least privilege. * Get started using permissions with AWS managed policies. * Validate your policies. * Use customer managed policies instead of inline policies. * Use access levels to review IAM permissions. * Configure a strong password policy for your users. * Enable MFA. * Use roles for applications that run on Amazon EC2 instances. * Do not share access keys. * Rotate credentials regularly. * Remove unnecessary credentials. * Use policy conditions for extra security. * Monitor activity in your AWS account.

Answer 2

Fully managed messaging service for both application-to-application (A2A) and application-to-person (A2P) communication pub/sub functionality provides messaging for high-throughput, push-based, many-to-many use cases SNS uses a pub-sub model whereby users or applications subscribe to SNS topics. When subscribing to an SNS topic the following endpoint types are supported: * HTTP/HTTPS. * Email/Email-JSON. * Amazon Kinesis Data Firehose. * Amazon SQS. * AWS Lambda. * Platform application endpoint (mobile push). SMS.

Answer 3

Your publisher systems can fanout messages to many subscriber systems including Amazon SQS queues, AWS Lambda functions and HTTPS endpoints, for parallel processing, and Amazon Kinesis Data Firehose. You can subscribe one or more Amazon SQS queues to an Amazon SNS topic from a list of topics available for the selected queue. When you publish a message to a topic, Amazon SNS sends the message to every subscribed SQS queue. Amazon SQS manages the subscription and any necessary permissions

Answer 4

distributed queue system that enables web service applications to quickly and reliably queue messages Messages in the queue need to be polled by the consumer (e.g. EC2 instance) Amazon SQS is pull-based, not push-based (like Amazon SNS). Messages can be kept in the queue from 1 minute to 14 days. The default retention period is 4 days. The SQS queue resolves issues that arise if the producer is producing work faster than the consumer can process it, or if the producer or consumer are only intermittently connected to the network. You can use an AWS Lambda function to process messages in an Amazon Simple Queue Service (Amazon SQS) queue. Lambda polls the queue and invokes your Lambda function synchronously with an event that contains queue messages. Lambda reads messages in batches and invokes your function once for each batch. When your function successfully processes a batch, Lambda deletes its messages from the queue.

Answer 5

dead-letter queue handles message failure (applies to SNS and SQS) It lets you set aside and isolate messages that can’t be processed correctly to determine why their processing didn’t succeed

Answer 6

Amazon SWF is used for processing background jobs that have parallel or sequential steps. You can think of Amazon SWF as a fully managed state tracker and task coordinator

Answer 7

AWS Step Functions can be used to coordinate the components of distributed applications as a series of steps in a visual workflow This is orchestration (a controller who controls interactions between services) as opposed to choreography (lots of small, independany services working together, loosly coupled)

Answer 8

It is an open source, distributed search and analytics suite based on Elasticsearch. Successor to the Amazon Elasticsearch Service Elasticsearch is a distributed search and analytics engine built on Apache Lucene. Elasticsearch is a popular search engine commonly used for log analytics, full-text search, security intelligence, business analytics, and operational intelligence use cases. With OpenSearch you can perform log analytics interactively, perform real-time application monitoring, website search, performance metric analysis and more.

Answer 9

* Fully-managed, pay-as-you-go, extract, transform, and load (ETL) service that automates the time-consuming steps of data preparation for analytics. * Glue can automatically discover both structured and semi-structured data stored in data lakes on Amazon S3, data warehouses in Amazon Redshift, and various databases running on AWS. * automatically discovers and profiles data via the Glue Data Catalog, recommends and generates ETL code to transform your source data into target schemas * runs the ETL jobs on a fully managed, scale-out Apache Spark environment to load your data into its destination * You can create and run an ETL job with a few clicks in the AWS Management Console.

Answer 10

* analyze data in Amazon S3 using standard SQL * Can use with other services such as Amazon RedShift (data warehouse)

Answer 11

* Athena = query S3 data using SQL * RedShift = data warehouse (columnar storage) * EMR(Elastic MapReduce) = data processing (big data), running tasks such as machine learning, graph analytics, data transformation, streaming data. * Glue = ETL service, transform data from S3 bucket, RedShift, other databases and move to various destinations.

Answer 12

* makes it easy to collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information * Data is processed in “shards” – with each shard able to ingest 1000 records per second * max default limit of 500 shards that can be increased * A record consists of a partition key, sequence number, and data blob (up to 1 MB). * Transient data store – default retention of 24 hours but can be configured for up to 7 days.

Answer 13

* real-time processing of streaming big data. * stores data for later processing by applications (key difference to Firehose which delivers data directly to AWS services). * data is captured and stores for processing in **shards** * each shard can support up to 1000 PUT records per second * records of a stream are accessible for up to 24 hours from the time they are added to the stream (can be raised to 7 days by enabling extended data retention). * Splitting increases the number of shards in your stream and therefore increases the data capacity of the stream. * Splitting increases the cost of your stream (you pay per-shard).

Answer 14

* easiest way to load streaming data into data stores and analytics tools. * Captures, transforms, and loads streaming data * Kinesis Data Streams can be used as the source(s) to Kinesis Data Firehose * You can configure Kinesis Data Firehose to transform your data before delivering it. * With Kinesis Data Firehose you don’t need to write an application or manage resources * Each delivery stream stores data records for up to 24 hours. * Data can be delivered to S3, RedShift, ElasticSearch, Splunk

Answer 15

Streams - Allows you to write custom consumers Firehouse - Simplifies data transforming and data storing Streams - Guarantees order delivery Firehouse - Messages can be delivered more than once as the order is not guaranteed Streams - Failure block the shard until succession or expiration Firehouse - It has a built-in retry mechanism for each delivery Streams - Allows you to set the number of shard Firehouse - Allows you to set the data volume. Shards are managed by the service Streams - It supports multiple types of consumers along with multiple consumers Firehouse - Stream can only have one destination

Answer 16

SQS: * Consumers pull data. * Messages still persist in the queue after being read. An API call to delete the message from the queue is required after successfull receipt of the message from the consumer. * One consumer by default only possible * No need to provision throughput. * No ordering guarantee (except with FIFO queues). * Individual message delay. SNS: * Push data to many subscribers. * Up to 10,000,000 subscribers. * Data is not persisted (lost if not deleted). * Pub/sub. * Up to 10,000,000 topics. * No need to provision throughput. * Integrates with SQS for fan-out architecture pattern. Kinesis: * Consumers pull data. * As many consumers as you need. * Possible to replay data. * Meant for real-time big data, analytics, and ETL. * Ordering at the shard level. * Data expires after X days. * Must provision throughput.

Answer 17

* big data processing and analysis. * web service that enables businesses, researchers, data analysts, and developers to process vast amounts of data * EMR utilizes a hosted Hadoop framework running on Amazon EC2 and Amazon S3 * With EMR you can run petabyte-scale analysis at less than half of the cost of traditional on-premises solutions and over 3x faster than standard Apache Spark * Most used for log analysis, financial analysis, or extract, translate and loading (ETL) activitie

Answer 18

* convert (or “transcode”) video and audio files from their source format into versions that will playback on devices like smartphones, tablets and PCs. * Picks up files from an input S3 bucket and saves the output to an output S3 bucket. * You are charged based on the duration of the content and the resolution or format of the media

Answer 19

* AWS Systems Manager is a central hub to control and view your entire AWS infrastructure *

Answer 20

* AWS Config continually assesses, audits, and evaluates the configurations and relationships of your resources on AWS, on premises, and on other clouds. * enables security and governance * AWS Config records point-in-time configuration details for your AWS resources as Configuration Items

Answer 21

* allows you to manage, configure and provision your AWS infrastructure as code * Resources are defined using a CloudFormation template * Supports YAML or JSON

Answer 22

* **Templates** = The JSON or YAML text file that contains the instructions for building out the AWS environment * **Stacks** = The entire environment described by the template and created, updated, and deleted as a single unit * **StackSets** = AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation * **Change Sets** = A summary of proposed changes to your stack that will allow you to see how those changes might impact your existing resources before implementing them * **Templates** = The JSON or YAML text file that contains the instructions for building out the AWS environment

Answer 23

* AWS Storage Gateway is a set of hybrid cloud storage services that provide on-premises access to virtually unlimited cloud storage. * Storage Gateway optimizes data transfer to AWS by sending only changed data and compressing data. * AWS with Storage Gateway, it is not suitable for transferring large sets of data to AWS. Storage Gateway is mainly used in providing low-latency access to data by caching frequently accessed data on-premises while storing archive data securely and durably in Amazon cloud storage services. Use AWS DataSync for large datasets.

Answer 24

AWS OpsWorks is a configuration management service that provides managed instances of these two open-source tools (Chef and Puppet).

Answer 25

* CloudTrail enables governance, compliance, and operational and risk auditing of your AWS account. * CloudTrail provides visibility into user activity by recording actions taken on your account.

Answer 26

CloudWatch * monitors your application (application/service actions) * central monitoring and logging service for AWS. Each AWS Service reports it metrics directly to CloudWatch CloudTrail * audit your AWS account (user actions) * monitors your **internal usage** of your AWS account. Every user or application changes resources in your account will be monitored.

Answer 27

* Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS. * CloudWatch is used to collect and track metrics, collect, and monitor log files, and set alarms. With CloudWatch you can: * Gain system-wide visibility into resource utilization. * Monitor application performance. * Monitor operational health.

Answer 28

**Amazon SNS** is a fully managed pub/sub messaging service. With Amazon SNS, you can use topics to simultaneously distribute messages to multiple subscribing endpoints such as Amazon SQS queues, AWS Lambda functions, HTTP endpoints, email addresses, and mobile devices (SMS, Push). **Amazon SQS** is a message queue service used by distributed applications to exchange messages through a polling model. It can be used to decouple sending and receiving components without requiring each component to be concurrently available. A fanout scenario occurs when a message published to an SNS topic is replicated and pushed to multiple endpoints, such as Amazon SQS queues, HTTP(S) endpoints, and Lambda functions. This allows for parallel asynchronous processing.

Answer 29

* Amazon EKS provisions and scales the Kubernetes control plane, including the API servers and backend persistence layer, across multiple AWS availability zones for high availability and fault tolerance. * To migrate the application to a container service, you can use Amazon ECS or Amazon EKS. But the key point in this scenario is a cloud-agnostic and open-source platforms. Take note that Amazon ECS is an AWS proprietary container service. This means that it is not an open-source platform. Amazon EKS is a portable, extensible, and open-source platform for managing containerized workloads and services. Kubernetes is considered cloud-agnostic because it allows you to move your containers to other cloud service providers.

Answer 30

AWS Organization is a service that allows you to manage multiple AWS accounts easily. With this service, you can effectively consolidate billing and manage your resources across multiple accounts.

Answer 31

* AWS IAM Identity Center helps you securely create or connect your workforce identities and manage their access centrally across AWS accounts and applications. * IAM Identity Center is the recommended approach for workforce authentication and authorization on AWS for organizations of any size and type.

Answer 32

* Application Load Balancer operates at the request level (layer 7) HTTP/HTTPS, routing traffic to targets (EC2 instances, containers, IP addresses, and Lambda functions) based on the content of the request * Application Load Balancer simplifies and improves the security of your application, by ensuring that the latest SSL/TLS ciphers and protocols are used at all times. * ALBs can also route and load balance gRPC traffic between microservices or between gRPC-enabled clients and services

Answer 33

Route 53 is a DNS. Below are some of the routing policies: **Latency Routing** lets Amazon Route 53 serve user requests from the AWS Region that provides the lowest latency. It does not, however, guarantee that users in the same geographic region will be served from the same location. **Geoproximity Routing** lets Amazon Route 53 route traffic to your resources based on the geographic location of your users and your resources. You can also optionally choose to route more traffic or less to a given resource by specifying a value, known as a bias. A bias expands or shrinks the size of the geographic region from which traffic is routed to a resource. **Geolocation Routing** lets you choose the resources that serve your traffic based on the geographic location of your users, meaning the location that DNS queries originate from. **Weighted Routing** lets you associate multiple resources with a single domain name (tutorialsdojo.com) or subdomain name (subdomain.tutorialsdojo.com) and choose how much traffic is routed to each resource.

Answer 34

You can use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes. Automating snapshot management helps you to: – Protect valuable data by enforcing a regular backup schedule. – Retain backups as required by auditors or internal compliance. – Reduce storage costs by deleting outdated backups. Combined with the monitoring features of Amazon CloudWatch Events and AWS CloudTrail, Amazon DLM provides a complete backup solution for EBS volumes at no additional cost.

Answer 35

Amazon Macie is designed to automatically discover, classify, and protect sensitive data, such as personal identifiable information (PII) and intellectual property. It uses machine learning algorithms to scan and identify sensitive data across AWS services like Amazon S3 buckets. Amazon GuardDuty is primarily focused on providing intelligent threat detection for AWS accounts and workloads. It helps detect potential security threats by analyzing event logs from various AWS services, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs Macie cannot detect usage patterns on S3 data. While Amazon Macie is capable of detecting policy changes in S3 buckets, this is not enough to detect unauthorized or suspicious access patterns which is what GuardDuty can do.

Answer 36

An Amazon EBS volume is a durable, block-level storage device that you can attach to a single EC2 instance. You can use EBS volumes as primary storage for data that requires frequent updates, such as the system drive for an instance or storage for a database application. You can also use them for throughput-intensive applications that perform continuous disk scans. EBS volumes persist independently from the running life of an EC2 instance. Here is a list of important information about EBS Volumes: * When you create an EBS volume in an Availability Zone, it is automatically replicated within that zone to prevent data loss due to a failure of any single hardware component. * After you create a volume, you can attach it to any EC2 instance in the same Availability Zone * Amazon EBS Multi-Attach enables you to attach a single Provisioned IOPS SSD (io1) volume to multiple Nitro-based instances that are in the same Availability Zone. However, other EBS types are not supported. * An EBS volume is off-instance storage that can persist independently from the life of an instance. You can specify not to terminate the EBS volume when you terminate the EC2 instance during instance creation. * EBS volumes support live configuration changes while in production which means that you can modify the volume type, volume size, and IOPS capacity without service interruptions. * Amazon EBS encryption uses 256-bit Advanced Encryption Standard algorithms (AES-256) * EBS Volumes offer 99.999% SLA.

Answer 37

Key points: * Kinesis Data Stream allows consumers to READ streaming data (consumers poll the data) * Kinesis Firehouse is used to LOAD streaming data to a target destination (consumers received data as they're subscribed) Kinesis Data Stream consumers: * Lambda * EC2 * Spark on Elastic MapReduce * Kenisis Data Analytics Kinesis Data Firehose consumers: * S3 * RedShift * ElasticSearch * Splunk

Answer 38

Kinesis Data Stream features: * ingests and stores data streams to be READ by the consumer * can hold data for up to 365 days * can replay * manual scailing Kinesis Data Firehose features: * prepares and LOADS the data continously to the destination you choose * can NOT store data * no replay * automatically scales

Answer 39

File Gateway presents a file-based interface to Amazon S3, which appears as a network file share. It enables you to store and retrieve Amazon S3 objects through standard file storage protocols. File Gateway allows your existing file-based applications or devices to use secure and durable cloud storage without needing to be modified. With File Gateway, your configured S3 buckets will be available as Network File System (NFS) mount points or Server Message Block (SMB) file shares.

Answer 40

Use Server-Side Encryption – You request Amazon S3 to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects. * Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) * Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) * Use Server-Side Encryption with Customer-Provided Keys (SSE-C) Use Client-Side Encryption – You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools. * Use Client-Side Encryption with AWS KMS–Managed Customer Master Key (CMK) * Use Client-Side Encryption Using a Client-Side Master Key

Answer 41

AWS Fargate is a serverless compute engine for containers that works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS). Fargate makes it easy for you to focus on building your applications. Fargate removes the need to provision and manage servers, lets you specify and pay for resources per application, and improves security through application isolation by design. For microservices architecture: use AWS Fargate on Amazon EKS with Service Auto Scaling to run the containerized app platform

Answer 42

AWS Backup is a centralized backup service that makes it easy and cost-effective for you to backup your application data across AWS services in the AWS Cloud, helping you meet your business and regulatory backup compliance requirements. AWS Backup makes protecting your AWS storage volumes, databases, and file systems simple by providing a central place where you can configure and audit the AWS resources you want to backup, automate backup scheduling, set retention policies, and monitor all recent backup and restore activity. Note: AWS Aurora has a maximum backup retention period for automated backup is only 35 day. Therefore anything longer than 35 days, use AWS Backup.

Answer 43

AWS Database Migration Service helps you migrate your databases to AWS with virtually no downtime. All data changes to the source database that occur during the migration are continuously replicated to the target, allowing the source database to be fully operational during the migration process.

Answer 44

**$ Spot Instances** * temporary, spare EC2 capacity available at deep discount * workloads that need a short-term compute boost **$$ Reseved Instances** * capacity reservation purchased on 1 or 3 year term at a discount * applications with a steady state usage **$$$$ On-Demand** * pay-as-you-go, scaleable * short-term, variable workloads that cannot be interuppted **$$$$$ Dedicated Host** * fully dedicated physical server * projects that must meet corporate compliance requirements

Answer 45

https://tutorialsdojo.com/comparison-of-aws-services/

Answer 46

[https://tutorialsdojo.com/amazon-kinesis-data-streams-vs-data-firehose-vs-data-analytics-vs-video-streams/](https://tutorialsdojo.com/amazon-kinesis-data-streams-vs-data-firehose-vs-data-analytics-vs-video-streams/)

Answer 47

[https://tutorialsdojo.com/s3-pre-signed-urls-vs-cloudfront-signed-urls-vs-origin-access-identity-oai-origin-access-control-oac/](https://tutorialsdojo.com/s3-pre-signed-urls-vs-cloudfront-signed-urls-vs-origin-access-identity-oai-origin-access-control-oac/)

Answer 48

AWS Transit Gateway provides a hub and spoke design for connecting VPCs and on-premises networks. You can attach all your hybrid connectivity (VPN and Direct Connect connections) to a single Transit Gateway consolidating and controlling your organization’s entire AWS routing configuration in one place. It also controls how traffic is routed among all the connected spoke networks using route tables. This hub and spoke model simplifies management and reduces operational costs because VPCs only connect to the Transit Gateway to gain access to the connected networks.

Answer 49

Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to a 10x performance improvement – from milliseconds to microseconds – even at millions of requests per second. DAX does all the heavy lifting required to add in-memory acceleration to your DynamoDB tables, without requiring developers to manage cache invalidation, data population, or cluster management.

Answer 50

AWS Lambda scales your functions automatically on your behalf. Every time an event notification is received for your function, AWS Lambda quickly locates free capacity within its compute fleet and runs your code. Since your code is stateless, AWS Lambda can start as many copies of your function as needed without lengthy deployment and configuration delays.

Answer 51

Amazon API Gateway lets you create an API that acts as a “front door” for applications to access data, business logic, or functionality from your back-end services, such as code running on AWS Lambda. Amazon API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization, and access control, monitoring, and API version management. Amazon API Gateway has no minimum fees or startup costs.

Answer 52

VPC endpoints for Amazon S3 simplify access to S3 from within a VPC by providing configurable and highly reliable secure connections to S3 that do not require an internet gateway or Network Address Translation (NAT) device. When you create an S3 VPC endpoint, you can attach an endpoint policy to it that controls access to Amazon S3. You can use two types of VPC endpoints to access Amazon S3: gateway endpoints and interface endpoints. * A gateway endpoint is a gateway that you specify in your route table to access Amazon S3 from your VPC over the AWS network. * Interface endpoints extend the functionality of gateway endpoints by using private IP addresses to route requests to Amazon S3 from within your VPC, on-premises, or from a different AWS Region. Interface endpoints are compatible with gateway endpoints. If you have an existing gateway endpoint in the VPC, you can use both types of endpoints in the same VPC.

Answer 53

Amazon FSx lets you easily and securely backup, archive, or replicate your on-premises file storage to AWS in order to meet regulatory, data retention, or disaster recovery requirements. Amazon FSx for Windows File Server provides fully managed, highly reliable, and scalable file storage that is accessible over the industry-standard Service Message Block (SMB) protocol. It is built on Windows Server, delivering a wide range of administrative features such as user quotas, end-user file restore, and Microsoft Active Directory (AD) integration. Amazon FSx is accessible from Windows, Linux, and MacOS compute instances and devices. Thousands of compute instances and devices can access a file system concurrently.

Answer 54

AWS Database Migration Service (AWS DMS) is a cloud service that makes it easy to migrate relational databases, data warehouses, NoSQL databases, and other types of data stores. You can use AWS DMS to migrate your data into the AWS Cloud or between combinations of cloud and on-premises setups. With AWS DMS, you can perform one-time migrations, and you can replicate ongoing changes to keep sources and targets in sync. If you want to migrate to a different database engine, you can use the AWS Schema Conversion Tool (AWS SCT) to translate your database schema to the new platform. You then use AWS DMS to migrate the data. Because AWS DMS is a part of the AWS Cloud, you get the cost efficiency, speed to market, security, and flexibility that AWS services offer. You can use AWS DMS to migrate data to an Amazon DynamoDB table. Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. AWS DMS supports using a relational database or MongoDB as a source.

Answer 55

Amazon Elastic MapReduce (EMR) is a managed cluster platform that simplifies running big data frameworks, such as Apache Hadoop and Apache Spark, on AWS to process and analyze vast amounts of data. By using these frameworks and related open-source projects such as Apache Hive and Apache Pig, you can process data for analytics purposes and business intelligence workloads. Additionally, you can use Amazon EMR to transform and move large amounts of data into and out of other AWS data stores and databases such as Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB.

Answer 56

Amazon S3 Select is designed to help analyze and process data within an object in Amazon S3 buckets, faster and cheaper. It works by providing the ability to retrieve a subset of data from an object in Amazon S3 using simple SQL expressions. Your applications no longer have to use compute resources to scan and filter the data from an object, potentially increasing query performance by up to 400%, and reducing query costs as much as 80%. You simply change your application to use SELECT instead of GET to take advantage of S3 Select.

Answer 57

Amazon Redshift also includes Redshift Spectrum, allowing you to directly run SQL queries against exabytes of unstructured data in Amazon S3. No loading or transformation is required, and you can use open data formats, including Avro, CSV, Grok, ORC, Parquet, RCFile, RegexSerDe, SequenceFile, TextFile, and TSV. Redshift Spectrum automatically scales query compute capacity based on the data being retrieved, so queries against Amazon S3 run fast, regardless of data set size.

Answer 58

A reader endpoint for an Aurora DB cluster provides load-balancing support for read-only connections to the DB cluster. Use the reader endpoint for read operations, such as queries. By processing those statements on the read-only Aurora Replicas, this endpoint reduces the overhead on the primary instance. It also helps the cluster to scale the capacity to handle simultaneous SELECT queries, proportional to the number of Aurora Replicas in the cluster. Each Aurora DB cluster has one reader endpoint. If the cluster contains one or more Aurora Replicas, the reader endpoint load balances each connection request among the Aurora Replicas. In that case, you can only perform read-only statements such as SELECT in that session. If the cluster only contains a primary instance and no Aurora Replicas, the reader endpoint connects to the primary instance. In that case, you can perform write operations through the endpoint.

Answer 59

A transit gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks. As your cloud infrastructure expands globally, inter-Region peering connects transit gateways together using the AWS Global Infrastructure. Your data is automatically encrypted and never travels over the public internet. AWS Transit Gateway deploys an elastic network interface within VPC subnets, which is then used by the transit gateway to route traffic to and from the chosen subnets. You must have at least one subnet for each Availability Zone, which then enables traffic to reach resources in every subnet of that zone.

Answer 60

Amazon EventBridge is a service that provides real-time access to changes in data in AWS services, your own applications, and software as a service (SaaS) applications without writing code. It is a serverless event bus service that you can use to connect your applications with data from a variety of sources. You can use an Amazon EventBridge (Amazon CloudWatch Events) rule with a custom event pattern and an input transformer to match an AWS Config evaluation rule output as NON_COMPLIANT. Then, route the response to an Amazon Simple Notification Service (Amazon SNS) topic.

Answer 61

AWS Config provides a detailed view of the configuration of AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past so that you can see how the configurations and relationships change over time. You can use AWS Config rules to evaluate the configuration settings of your AWS resources. When AWS Config detects that a resource violates the conditions in one of your rules, AWS Config flags the resource as non-compliant and sends a notification. AWS Config continuously evaluates your resources as they are created, changed, or deleted. To analyze potential security weaknesses, you need detailed historical information about your AWS resource configurations, such as the AWS Identity and Access Management (IAM) permissions that are granted to your users or the Amazon EC2 security group rules that control access to your resources.

Answer 62

AWS Control Tower offers the easiest way to set up and govern a secure, multi-account AWS environment. It establishes a landing zone that is based on best-practices blueprints, and it enables governance using controls you can choose from a pre-packaged list.

Answer 63

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC

Answer 64

AWS Health provides ongoing visibility into your resource performance and the availability of your AWS services and accounts. You can use AWS Health events to learn how service and resource changes might affect your applications running on AWS. AWS Health provides relevant and timely information to help you manage events in progress. AWS Health also helps you be aware of and to prepare for planned activities. You can use Amazon EventBridge to detect and react to AWS Health events. Then, based on the rules that you create, EventBridge invokes one or more target actions when an event matches the values that you specify in a rule. For example, you can use AWS Health to receive email notifications if you have AWS resources in your AWS account that are scheduled for updates, such as Amazon Elastic Compute Cloud (Amazon EC2) instances.

Answer 65

An Elastic Fabric Adapter (EFA) is a network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications. EFA provides lower and more consistent latency and higher throughput than the TCP transport traditionally used in cloud-based HPC systems.

Answer 66

Amazon CloudWatch agent enables you to collect both system metrics and log files from Amazon EC2 instances and on-premises servers. CloudWatch monitors: * CPU utilization * Network utilization * Disk performance * Disk Reads/Writes Does NOT monitor memory usage. You have to install a CloudWatch agent on EC2 instance to collect and monitor the custom metric (memory usage).

Answer 67

AWS EC2 Monitoring — 5 min metrics intervals AWS EC2 Detailed Monitoring — 1 min metrics intervals CloudWatch Agent running on an EC2 Instance— Detailed metric

Answer 68

AWS License Manager is a service that makes it easier for you to manage your software licenses from software vendors (for example, Microsoft, SAP, Oracle, and IBM) centrally across AWS and your on-premises environments. You can prevent license usage when the available licenses are exhausted by selecting the “**Enforce license limit**” option in license configuration. When this limit exceeds, the instance launch is blocked to control overages.

Answer 69

* $ Magnetic volume = infrequently accessed data, low cost * $$ General Purpose (SSD) = reccomended default choice, suitable for small to mid sized databases * $$$ Provisioned IOPS (SSD) = consistency, low latency, designed for performance I/O intensive applications such as large relational or NoSQL databases

Answer 70

**Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)** – Each object is encrypted with a unique key. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data. **Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS)** – Similar to SSE-S3, but with some additional benefits and charges for using this service. There are separate permissions for the use of a CMK that provides added protection against unauthorized access of your objects in Amazon S3. SSE-KMS also provides you with an **audit trail** that shows when your CMK was used and by whom. Additionally, you can create and manage customer-managed CMKs or use AWS managed CMKs that are unique to you, your service, and your Region. KMS = Key Management Service CMK = Customer Managed Key **Server-Side Encryption with Customer-Provided Keys (SSE-C)** – You manage the encryption keys and Amazon S3 manages the encryption, as it writes to disks, and decryption when you access your objects.

Answer 71

AWS Application Migration Service (AWS MGN) is the primary migration service recommended for lift-and-shift migrations to AWS. AWS MGN enables organizations to move applications to AWS without having to make any changes to the applications, their architecture, or the migrated servers. AWS Application Migration Service minimizes time-intensive, error-prone manual processes by automatically converting your source servers from physical, virtual machines, and cloud infrastructure to run natively on AWS.

Answer 72

A Gateway endpoint is a type of VPC endpoint that provides reliable connectivity to Amazon S3 and DynamoDB without requiring an internet gateway or a NAT device for your VPC. Instances in your VPC do not require public IP addresses to communicate with resources in the service. When you create a Gateway endpoint, you can attach an endpoint policy that controls access to the service to which you are connecting. You can modify the endpoint policy attached to your endpoint and add or remove the route tables used by the endpoint. An endpoint policy does not override or replace IAM user policies or service-specific policies (such as S3 bucket policies). It is a separate policy for controlling access from the endpoint to the specified service.

Answer 73

In Amazon Pinpoint, an event is an action that occurs when a user interacts with one of your applications, when you send a message from a campaign or journey, or when you send a transactional SMS or email message. For example, if you send an email message, several events occur: – When you send the message, a send event occurs. – When the message reaches the recipient’s inbox, a delivered event occurs. – When the recipient opens the message, an open event occurs. You can configure Amazon Pinpoint to send information about events to Amazon Kinesis. The Kinesis platform offers services that you can use to collect, process, and analyze data from AWS services in real time.

Answer 74

A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.

Answer 75

By default, all Amazon S3 resources such as buckets, objects, and related subresources are private, which means that only the AWS account holder (resource owner) that created it has access to the resource. The resource owner can optionally grant access permissions to others by writing an access policy. In S3, you also set the permissions of the object during upload to make it public. - Configure the S3 bucket policy to set all objects to public read. - Grant public read access to the object when uploading it using the S3 Console.

Answer 76

- Snapshots are automatically encrypted. - All data moving between the volume and the instance are encrypted. Amazon Elastic Block Store (Amazon EBS) provides block-level storage volumes for use with EC2 instances. EBS volumes are highly available and reliable storage volumes that can be attached to any running instance that is in the same Availability Zone. EBS volumes that are attached to an EC2 instance are exposed as storage volumes that persist independently from the life of the instance.

Answer 77

Amazon EC2 Auto Scaling supports the following types of scaling policies: **Target tracking scaling** – Increase or decrease the current capacity of the group based on a target value for a specific metric. This is similar to the way that your thermostat maintains the temperature of your home – you select a temperature and the thermostat does the rest. **Step scaling** – Increase or decrease the current capacity of the group based on a set of scaling adjustments, known as step adjustments, that vary based on the size of the alarm breach. **Simple scaling** – Increase or decrease the current capacity of the group based on a single scaling adjustment.

Answer 78

Amazon Pinpoint is an AWS service that you can use to engage with your customers across multiple messaging channels. You can use Amazon Pinpoint to send push notifications, in-app notifications, emails, text messages, voice messages, and messages over custom channels. In Amazon Pinpoint, an event is an action that occurs when a user interacts with one of your applications, when you send a message from a campaign or journey, or when you send a transactional SMS or email message

Answer 79

AWS Trusted Advisor is an online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment. AWS Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices.

Answer 80

Amazon Polly converts text inputs to speech. Amazon Lex is a service for building conversational interfaces using voice and text (chatbot).

Answer 81

Amazon Elastic File System (EFS) is designed to provide serverless, fully elastic file storage that lets you share file data without provisioning or managing storage capacity and performance. Choose this when questions ask about best storage solution that "allows concurrent connections from multiple EC2 instances".

Answer 82

* When you need a higher packet per second (PPS) performance * When you need a consistently lower inter-instance latencies

Answer 83

Port 22 = SSH Port 3389 = TCP and UDP (remote desktop) Port 3306 = MySQL

Answer 84

Network Load Balancer and Application Load Balancer can only distrubte traffic within their respective regions and not other regions. Route53 is best used instead to balance the incoming load to two or more AWS regions more effectively.

Answer 85

AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).

Answer 86

Use Amazon Elastic File System (EFS)

Answer 87

**Internet Gateway** is used for instances in the public subnet to have accessibility to the Internet **NAT Gateway** allows instances in the private subnet to gain access to the Internet, but not vice versa **VPC endpoint** enables you to privately connect your VPC to supported AWS services and VPC endpoint services **Transit Gateway** is used for interconnecting VPCs and on-premises networks through a central hub

AWS services Flashcards

Key points of each service (111 cards)