AWS Cloud Practitioner Certification Exam Questions & Answers

Cloud benefits over on-premises - Answer 1. Trade capital expense for variable expense 2. Massive economies of scale 3. Stop guessing capacity 4. Increase speed and agility 5. Stop spending money on running and maintaining data centers 6. Go global in minutes Basic benefits of the cloud - Answer 1. Scalability - ability to resize your resources as necessary. 2. Agility - increasing speed (via global reach), ease of experimentation (via access to new resources) 3. Innovation - experiment quickly 4. Efficiencies of Scale - deploy system in multiple regions around the world providing lower latency, and a better experience for your customers at a minimal cost. 5. Reliability - ability to recover from infrastructure service failures AWS Shared Responsibility Model - Answer 1. User Data 2. Applications 3. Guest Operating System ------------------------------ 4. Hypervisor (virtual machine monitor) 5. Network 6. Physical AWS Cloud - Answer Access to servers, database, storage, higher-level application components in seconds. Treat them as temporary and disposable resources, free from the constraints of fixed and finite IT infrastructure. Reduce risks, auto scale, ensure reliable coverage even in the face of a natural disaster, and secure data. Security Compliance - Responsibility of Customer - Answer Customers are responsible for configuring in secure and controlled way 1. Must review info/resources available to meet compliance requirements 2. Designs/Implements controls owned by outside parties 3. Verifies all control objectives are met Security Compliance - Responsibility of AWS - Answer AWS's approach to compliance: works with 3rd party auditors/agents to provide customers compliant security. 1. Risk management = reevaluate 2x/year (at least) to identify the risk and address them 2. Control environment = internal and external assessments 3. Information security = establish framework and policies, formal progress to protect confidential data Security Best Practices - Answer a. Test often, patch quickly, and respond to incidents at a lightning speed b. Data Security: resilient infrastructure, highly secure, strong safeguards c. Continual Improvement: constant evolving on IAM, logging, DDOS protection d. Advanced Security Services: address real-time emerging risk, ops management e. Network Security: built-in firewalls, encryption in transit, private/dedicated connection, DDOS mitigation f. Inventory and Configuration Tools: deployment, template management, definitive tools g. Data Encryption: encryption capabilities, key management options, hardware based key h. Access Control: IAM, multi-factor authentication, integration and federation w/corporate discretion, Amazon Cognito, SSO i. Monitoring & Logging: visibility into API calls, log aggregation, alert notification IAM - Answer Identity and Access Management Groups - Answer collection of users, users can be in multiple groups Users - Answer permanent named operator. Credentialed or temporary. Human or machine. Automated method. Role - Answer authentication method, operator, human or machine. Credentialed or temporary. Role ≠ permissions. Policy Documents - Answer Permissions. Json. Attached to either a role, group, or user. Looked at from a single view. i. Deny Statements: Override any Allow statements ii. Implicit allow if there is not a deny statement iii. Every API action (successful or denied) is recorded in Cloudtrail If there are no policy documents attached to IAM, nothing happens but it gets tracked in CloudTrail Amazon Inspector - Answer Automated security assessment service. Eliminates security risks - runs security benchmarks against specific EC2 instances. i. Looks for deviations from best practices or vulnerabilities ii. Findings are dependent on choices of rule packages iii. Vulnerabilities found before and after deployment iv. API driven - can be integrated in devops process v. Visibility in security testing during app development vi. Can define standards and best practices for organizational enforcement AWS Shield - Answer provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. Two tiers - Standard and Advanced. Benefits: Minimizes downtime & latency. Cost efficient, seamless integration, customizable protection, proactively and automatically blocks bad traffic. Helps overcome challenges of mitigating DDOS attacks; overcome costs and challenges Denial of Service Attacks (DOS) - Answer website or app is unavailable bc of large bandwidth consumption or tied up other system resources. Disrupts access for the legit users. Distribution of Denial of Service Attacks (DDOS) - Answer Attacker uses multiple sources - compromised computer. Objective is to knock the webapp offline for a period of time. Amazon Web Application Firewalls (WAF) - Answer Protects web apps from common web exploits. Write your own rules to allow or deny traffic based on its HTTPS requests. Block requests of app layers before reaching the AWS web infrastructure. Can be attached to cloudfront or application load balancer. Protects against DDoS attacks. Cloud Deployement: Cloud - Answer fully deployed in cloud; all part of apps run in cloud; either been created in cloud or have been migrated from existing infrastructure; built on low-level infra pieces. Startups use this. Cloud Deployement: Hybrid - Answer most common method is between cloud and existing on-premises infrastructure to extend, grow, an org's infra into cloudwhile connecting cloud resources to internal system. Banks use this. Cloud Deployement: On Premises - Answer no benefits of cloud, but people use it bc it provides dedicated resources; same as legacy IT infrastructure. sometmes called 'private cloud'. For super sensitive stuff, like Government uses it. AWS Regions - Answer A geographically distinct physical location w/ multiple availability zones (at least 2). Isolated from other regions - greatest possible fault tolerance and stability. Largest is US-EAST, and new services come there first. It has all the billing info. Availability Zones - Answer Have 1 or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities. i. Allow operating production applications and databases that are more highly available, fault tolerant, and scalable than a single data center. ii. Fault Tolerance: system can remain operational even if some of the components of system have failed. Built in redundancy of application's components. iii. Isolated but are connected via low-latency links with other zones in same region. iv. Designed as an independent failure zone - physically separated within a typical metropolitan region and are located in lower risk flood plains Represented by a region code: us-east-1a <10Min latency between AZs Data Centers - Answer One more more discrete data center per availability zone. Each with redundant power, networking, and connectivity, housed in separate facilities. Data security is top priority; AWS customer has complete control and ownership of data, including which region, how to encrypt, who has encryption keys Edge Locations - Answer Data center owned by trusted AWS partner which has direct connection to the AWS network. Allows for low latency no matter where the end user is geographically located. Serve requests for Cloudfront and Route 53. Requests going through these services will be routed to the nearest edge location. AWS Global Infrastructure - Answer 69 availability zones 22 geographic regions Way more edge locations than AZ's More than 190 countries steadily expanding global infrastructure to help customers achieve lower latency and higher throughput Trusted Advisor - Answer tool w/best practices and checks all resources in account to check if accordance w/ best practices. i. Five Categories: Service limits, Security, Fault Tolerance, Performance, and Cost Optimization ii. Compares your account resources w/established best practices. iii. Has an API - you can get notification on specific checks when they fail so you can take immediate action iv. Can be automated bc of integration with CloudWatch v. For users that want to follow best practices to increase performance and fault tolerance Free account - has 7 checks. Enterprise or Business has all trusted advisor checks. Technical Account Manager: - Answer Proactive guidance. Advocate and dedicated voice within AWS. User's primary point of contact, can provide guidance, architectural review, and continuous ongoing communication to keep that user informed/prepared as they plan, optimize, and deploy. Enterprise Support Plan - Answer 1. 24x7 phone, chat, email. Unlimited cases/contacts 2. General and system impaired is the same 24 and 12 hrs 3. Business critical system down is 15 min 4. Architectural guidance is consultative review 5. Proactive programs - technical account manager 6. GREATER THAN $15k, or 10% of monthly usage for the first $150k, 7% until $500k, then 5% up to $1M