Exam (elaborations)

AWS/Cloud Midterm MIST 4630 questions and answers, graded A+

Pages
14
Grade
A+
Uploaded on
02-04-2023
Written in
2022/2023

Cloud Computing: Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Three Primary Service Models: IaaS, PaaS, SaaS

IaaS: Infrastructure as a service (IaaS) is an instant computing infrastructure, provisioned and managed over the Internet. Quickly scale up and down with demand and pay only for what you use.

PaaS: Platform as a service (PaaS) is a complete development and deployment environment in the cloud, with resources that enable you to deliver everything from simple cloud-based apps to sophisticated, cloud-enabled enterprise applications. You purchase the resources you need from a cloud service provider on a pay-as-you-go basis and access them over a secure Internet connection.

SaaS: Software as a service (SaaS) allows users to connect to and use cloud-based apps over the Internet. Common examples are email, calendaring, and office tools (such as Microsoft Office 365).

Advantages of IaaS: Eliminate capital expense, improve recovery, innovate rapidly, respond quicker to shifts, focus on core business, increase stability, reliability, and supportability, better security, get new services out faster.

Advantages of PaaS: Cut coding time, app dev without adding staff, develop for all platforms more easily, use sophisticated tools affordably, support geo distributed dev teams, efficiently manage the app lifecycle.

Advantages of SaaS: Gain access to sophisticated apps, pay for what is used, mobilize workforce easily, access app data from anywhere.

Three main cloud deployment models: Cloud, hybrid, on-premises

Cloud: Fully deployed in the cloud.
Everything runs in the cloud.

Hybrid: A meld between cloud and existing on-premises infrastructure to extend the infrastructure into the cloud. Serves as a connection between onsite and cloud.

On-premises (sometimes called a private cloud): For most cases, this is the same as legacy IT infrastructure but uses application management and virtualization tech to try and increase resource utilization. Often sought out for its dedicated resources.

How is cloud LIKE traditional IT? The entire tech stack is still there; it is just in the cloud instead and can be separated up. Still has firewalls, ACLs, and admins, but in the form of security groups, network access control lists, and IAM in the cloud. Routers, network pipelines, and switches are now elastic load balancing and Amazon VPC. Storage is storage.

How is cloud UNLIKE traditional IT? Less expensive to not have to provision all your own resources. You can pay for what you need and use rather than having to constantly run at peak performance, wasting money and resources.

Advantages of cloud computing: Capital expense traded for variable expense (pay for what you use). Benefit from massive economies of scale (so many users in the cloud translates into lower prices for all). Stop guessing your capacity (flexibility). Increased speed and agility (everything is just a click away). Stop spending money on running and maintaining data centers (focus on money making endeavors). Go global in minutes (lower latency and better experience for all).

Web Service: Any piece of software that makes itself available over the internet or on private networks.

Three ways you can work with AWS services: Console, CLI, SDKs

Console: Graphical interface of the majority of the features offered by AWS.

CLI: Command Line Interface. A suite of utilities that can be launched from a command script in Linux, macOS, or Microsoft.

SDKs: Software Development Kits. Enables accessing AWS in a variety of popular programming languages.
Allows you to use AWS in your existing applications and also allows for creation of applications that deploy and monitor complex systems entirely through code.

6 perspectives of the Cloud Adoption Framework: Business, People, Governance, Platform, Security, Operations

Business: Ensures IT is aligned with business needs.

People: Ensures training, staffing, and organizational changes to build an agile organization.

Governance: Ensures that skills and processes align IT strategy and goals with business strategy and goals to maximize the business value.

Platform: Understands and communicates the nature of IT systems and their relationships. Must describe the architecture of the target state environment.

Security: Ensures that the organization meets its security objectives.

Operations: Ensures we align with and support the operations of the business and define how day to day, quarterly, and yearly business will be conducted.

Economic benefits of Cloud adoption: Pay as you go, no guessing of capacity (wasted resources), no maintenance of personal systems and data centers.

Three fundamental drivers of cost for AWS: Compute, storage, data transfer

Compute: Charge per hour/second. Varies by instance type.

Storage: Charges per GB.

Data Transfer: Outbound is aggregated and charged. Inbound has no charge (with some exceptions). Charged typically per GB.

Utility style pricing: You pay for exactly the amount of resources that you actually need. Pay for what you use, pay less when you reserve, pay less when you use more, pay less as AWS grows.

List some free AWS services: Free Tier - Amazon VPC, Elastic Beanstalk, Auto scaling, AWS CloudFormation, and IAM. A free EC2 T2 micro instance for a year. S3, Elastic block store (EBS), elastic load balancing (ELB), AWS data transfers.

TCO: Total Cost of Ownership. The financial estimate to help identify direct and indirect costs of a system.

How does Cloud TCO compare to on-premise TCO? You can save immensely by moving to cloud. On premise is all predicted costs.
Cloud is all commissioned when needed and decommissioned when not, which results in vastly lower overall costs.

AWS Pricing Calculator: Tool you can use to estimate your total price for AWS services.

AWS Organization: A free account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. Can also do billing. Can create service control policies (SCPs) that control AWS services across multiple AWS accounts. Also uses IAM for security across accounts.

AWS billing: A service that you use to pay your AWS bill, monitor your usage, and budget your costs. Enables you to forecast and obtain a better idea of what your costs and usage might be in the future so that you can plan ahead.

AWS Cost Management Service: Used to optimize, allocate, and control your AWS costs and usage. Also uses AWS bills, AWS cost explorer, AWS budget, AWS cost and usage report tools.

Benefits of moving to the cloud: Delivers a flexible, reliable, scalable, and secure cloud computing environment with high quality global network performance.

Region: A region is a geographical area with one or more availability zones. Provides full redundancy and connectivity to the network. Typically consists of two or more availability zones. AWS has 22 regions worldwide.

What should you consider when selecting a region? Data governance and legal requirements, proximity to customers (latency), services available within the region, costs (vary by region).

Availability Zone: A fully isolated partition of the AWS infrastructure. There are currently 69 zones worldwide. They consist of discrete data centers (typically three) and are designed for fault isolation. They are interconnected with other availability zones by using high speed private networking.

What should you consider when selecting an Availability Zone? AWS recommends replicating data and resources across availability zones for resiliency.
Space apart from each other should be considered so disasters have less effect.

Edge Location: Where end users access services located at AWS. Caches content closer to users. They are data centers that deliver a better real-time user experience. Reduced latency because it is so close to users. Located in most of the major cities (69 in total).

Core AWS services: Compute (virtual, automatic scaling, and load balancing), Networking, and Storage (object, block, and archive).

Design principles for the Security Pillar of the Well-Architected Framework: Implement a strong identity foundation; enable traceability; apply security at all layers; automate security best practices; protect data in transit and at rest; keep people away from data; prepare for security events.

Implement a strong identity foundation: Implement the principle of least privilege and enforce separation of duties. Centralize identity management and aim to eliminate static credentials.

Enable traceability: Monitor, alert, and audit actions and changes to your environment in real time. Integrate logs and metrics to auto investigate and take action.

Apply security at all layers: Use multiple security controls on all layers.

Shared Responsibility Model: The customer and AWS are both responsible for certain things. Customer - responsible for security IN the cloud - encryption of data at rest and in transit. Ensure the network is configured for security and that credentials and logins are managed safely. Security groups and operating systems on compute instances. AWS - responsible for security OF the cloud - operates, manages, and controls the components from the bare metal host OS and hypervisor virtualization layer down to the physical security of the facilities where the services operate. AWS is essentially responsible for protecting the global infrastructure that runs all the services that are offered in the AWS cloud.
Physical security, hardware security, software infrastructure, and network infrastructure like routers, switches, and load balancers.

Automate security best practices: Automate software-based security to improve your ability to securely scale more rapidly and cost effectively.

Protect data in transit and at rest: Classify your data in sensitivity levels and use mechanisms to protect it, like encryption, tokenization, and access control.

Keep people away from data: Use tools to reduce or eliminate the need for direct access or manual processing of data. This reduces mishandling or modification and human error.

Prepare for security events: Have incident management and investigation policy and processes that align to the organizational requirements.

Responsibilities divided for IaaS: Services managed by the customer. Ex: Amazon EC2, EBS, and VPC.

Responsibilities divided for PaaS: Services managed by AWS. Ex: AWS Lambda, RDS, Elastic Beanstalk.

Responsibilities divided for SaaS: Services managed by AWS. Ex: AWS Trusted Advisor, Shield, and Chime.

IAM: Identity access management. Allows you to control access to compute, storage, database, and application services in the AWS cloud.

IAM policy: A doc that defines permissions to determine what users can do in the AWS account. Policies can also explicitly deny access.

IAM users: A person or application that is defined in an AWS account. Must have a unique name with no spaces and have a set of security credentials.

IAM groups: A collection of IAM users.

IAM roles: A tool for granting temporary access to specific AWS resources in an AWS account.

MFA: Multi factor authentication. Provides increased security. In addition to username and password, it also requires a unique authentication code to access. Must provide an MFA token in addition to regular sign in credentials.

Least privilege: By default, IAM users do not have permissions. Grant only the minimal user privileges needed to each user.
Why is monitoring important? To ensure everything stays running smoothly and proper processes are put into action to combat certain breaches.

CloudTrail: Helps monitor by tracking user activity on the account. Latest 90 days of activity. Logs all API requests to resources in your account.

Cognito: Lets you add user sign-up and authentication to your MOBILE and web apps.

Shield: A managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.

Network Firewall: Easy deploying of essential network protections for all of your VPCs.

CDN: Content Delivery Network. A globally distributed network of points of presence whose purpose is to provide faster content delivery. Essentially tons of copies of data that get closer and closer to a user to reduce latency and survive faults much easier. Also gets rid of the central server for all content delivery and replaces it with a web of content delivery. High content loading speeds because there is less distance between the two objects in communication.

VPC: Virtual Private Cloud. Your own private data center within the AWS infrastructure. Subnets help you segregate and operate individually with certain groups to maintain proper security and grouping. These subnets cannot traverse more than one availability zone (a physical data center in a specific region). A peering connection allows you to route traffic between two VPCs privately (can span across regions).

Public vs Private subnets: The difference between these two is the route the traffic takes out to the internet - the Internet Gateway (IGW) or the NAT Gateway (NGW). Route tables allow the traffic to be transmitted outside of the VPC because traffic that stays inside does not need to be routed.

DNS: Domain Name System. Domains (ex: ) were created to make it much easier to reach the exact location of a website without having to remember its numeric address (IP). When you register a domain, you get a web address but not a website.
You can have a domain and no website, but you can't have a website and no domain. DNS is overseen by the Internet Corporation for Assigned Names and Numbers (ICANN).

IP addresses: Internet protocol addresses unique to each client machine in a network. Each of the four sections can be any value from 0 to 255 and the combined total of the four numbers for an IP address is 32 bits in binary form for IPv4.

CIDR - Classless Inter-Domain Routing is a common method to describe networks. It adds a slash followed by a number that tells you how many of the bits are fixed for the network identifier. CIDR is a way to express a group of IP addresses that are consecutive to each other. Ex: 192.0.2.0/24 tells us that the first 24 bits are fixed in this 32 bit format. The last 8, however, are flexible, telling us that because it is in binary format 2^8 (256) is how many IP addresses are available for the network, which range from 192.0.2.0 to 192.0.2.255. Another example is 192.0.2.0/16, which means 2^16 (65,536) IP addresses are available from 192.0.2.0 to 192.0.255.255. A completely fixed IP, ex: 192.0.2.0/32, represents a single IP address. This type is helpful when you want to set up a firewall rule and give access to a specific host. The internet, in which every bit is flexible, is represented as 0.0.0.0/0.

ACL: Access Control Protocol. These act at the subnet level. It acts as another optional layer of security by acting as a firewall for controlling traffic in and out of one or more subnets. Every subnet must be associated with a network ACL, and if they are not explicitly assigned then the default ACL is assigned. You can associate a network ACL with multiple subnets, but each subnet can only have one ACL it is assigned to. Has inbound and outbound rules, and each rule can either allow or deny traffic. The default allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.
ACLs are stateless, so no information about a request is maintained after the request is processed.

Security groups: instance level; allow rules only; stateful; all rules are evaluated first.
ACL: subnet level; allow and deny rules; stateless; rules are evaluated in number order.

Route 53: Is a highly available and scalable Domain Name System web service. It is used to route end users to internet apps by translating domain names into numeric IP addresses. Connects users to infrastructure running both in AWS and outside of AWS as well. Is also used to health check resources. Enables you to register domain names.

CloudFront: A content delivery service. Establishes and maintains secure connections closer to the requester. It is different from traditional content delivery solutions because it enables you to quickly obtain the benefits of high performance content delivery without negotiated contracts, high prices, or minimum fees. Pay as you go pricing.

Compute service: Physical servers comprised of the processing, memory, and storage required to run an operating system. Can be in the forms of virtual machines, docker, container orchestration, hybrid cloud, Kubernetes, and many more. To host running applications or process data - actions that require compute resources, including processing power (CPU) and memory (RAM).

Container: Containers package applications, frameworks, and libraries together and can ship it out to testers or operation engineers. This is a standardized container so you can build, ship, and run anywhere.

How do containers change how applications are deployed? This changes how applications are deployed drastically, from reducing update time to making operation engineers' lives a whole lot easier for setup of many different applications on the same server.

EC2: Provides resizable virtual machines. (IAAS) You choose the OS, size, and resource capabilities of the servers that you launch. Most popular service.
Lambda: A zero-administration serverless compute solution. (SAAS) You pay only for the compute time you use. Enables you to run code without provisioning or managing servers. Also enables massive scalability at a lower cost.

Elastic Beanstalk: Provides a simple way to run and manage web applications. (PAAS) Facilitates the quick deployment of applications that you create by providing all the application services that you need. AWS manages the OS, the application server, and the other infrastructure components so you can focus purely on developing your app code.

Options while setting up an EC2 Instance (9): AMI, instance type, network settings, IAM role, user data, storage options, tags, security group, and key pair.

EC2 console: To use a visual aid in managing instances, security groups, etc. Settings you specified will be visible in the description panel.

EC2 CLI: Command Line Interface - makes it easier to automate cloud infrastructure. Gives you the ability to automate the entire process of controlling and managing AWS services through scripts.

EC2 SDK: Software development kits - simplifies use of the AWS services by providing a set of libraries that are consistent and familiar for Java developers.

How does Elastic Beanstalk provide PaaS? It provides all the application services that you need. AWS manages the OS, the application, and the other infrastructure components so that you can focus on developing your application code.

'serverless' and which service is 'serverless': The cloud provider handles the complexity of managing individual servers and provides a paid service that will execute a piece of code on demand, triggered through requests and events, with the consumer only being charged for the duration of the execution. Lambda is serverless.

What AWS services help us to use containers? Elastic container service, Elastic Kubernetes service, Fargate, and Elastic container registry.
Basic benefits of Cloud Storage: More reliable, scalable, and more secure than traditional on-premises storage systems. Pay as you go, utility billing, global availability, ease of use, off-site security.

Disadvantages of Cloud Storage: Perhaps lowered security because it is no longer data under the jurisdiction of the company and they just have to trust the cloud provider is secure. Data access and optical link costs can run way up if volume heavily increases. Performance degradation happens if the in-house applications need to access the cloud information. Cost can be high if they are constantly moving information from cloud to on-site and vice versa.

Basic AWS storage options: EBS, S3, EFS, Glacier

EBS: Persistent storage - retains data even when the power is off. It is designed for high availability and durability. With the offering of block storage, the system is typically faster and uses less bandwidth, but they can cost more than object level storage. Data storage with a file system. EBS is directly attached to the instances and for this reason, they can be used to run a database with an Amazon EC2 instance. GREAT FOR USE when needing storage that requires frequent updates such as a system drive for an instance or storage for a database application. Uses snapshots. USES: boot volumes, data storage with a file system, database hosts, enterprise applications.

S3: Object storage that is built to store and retrieve any amount of data from anywhere. Uses BUCKETS to store the data. Virtually unlimited storage. Objects can be up to 5TB in size. Data is redundantly stored across multiple AWS facilities within your selected region. Designed for SEAMLESS scaling. Auto manages your storage behind your bucket while your data grows. Can be accessed from anywhere using the management console, command line, or SDK. GREAT FOR USE: storing application assets, static web hosting, backup and disaster recovery, staging area for big data, etc. VERY flexible object static storage.
Pay for GBs per month, transfer out of the region, and put, copy, post, list, and get requests. Do not pay for transfer in, transfer out to the same region.

EFS: Offers a simple interface that enables you to create and configure file systems quickly and easily. Built to dynamically scale on demand without disrupting applications. GREAT FOR USE - with big data and analytics, media processing workflows, content management, web serving, and home directories.

Glacier: Best for data archiving and long-term backup. Extremely low cost to store, but you cannot retrieve your data immediately when you want it. Common use cases are - media asset archiving, healthcare information archiving, regulatory and compliance archiving, scientific data archiving, digital preservation, magnetic tape replacement.

AWS Database Services: An organized collection of data stored and accessed electronically from a computer system.

Self Managed Database: Scaling, fault tolerance, and availability are managed by you. Benefits include: more fine-tuned control over how your solution handles changes in load, errors, and situations where resources become unavailable.

Benefits include: only having to configure the services.

Managed database: Scaling, fault tolerance, and availability are typically built in to the service

Institution
Mist
Course
Mist










Get to know the seller

julianah420 Phoenix University