@tombasche
Last active March 29, 2021 14:54
AWS CSA Notes

AWS SA Exam Tips

General

What hypervisor does EC2 use?

  • Nitro (was 'Xen')

What are the different virtualization types?

  • HVM
  • PV

How do I view line items for each unique combination of AWS product, usage type and operation?

  • Cost and Usage Reports

What is the difference between IOPS (I/O operations per second) and Throughput?

  • IOPS are a measure of how fast we can read/write to a disk
  • Throughput is a measure of how much data we can move at a time

What are the two consistency models?

  • ACID
    • Atomic
    • Consistent
    • Isolated
    • Durable
  • BASE
    • Basically available
    • Soft-state, not instantly consistent
    • Eventual consistency

S3

What is the maximum number of buckets per account?

  • 100, but can be requested up to 1000

What is the default encryption method in S3?

  • SSE-S3
    • S3-managed keys, 256-bit AES

Which encryption scheme uses managed keys with auditing?

  • SSE-KMS
    • Uses a key stored in KMS (customer master keys - CMKs)
    • Can set up an audit trail to see who used the key, and the keys require permissions to be set

Which encryption allows for BYO encryption keys?

  • SSE-C
    • Customer-provided encryption key
    • Key is provided as part of the request and you manage the keys separately
    • HTTPS only

What is the virtual hosted URL style?

  • bucketname.s3.region.amazonaws.com
  • Bucket name first, then s3, then region, then amazonaws.com

What is the legacy URL style?

  • bucket-name.s3.amazonaws.com
  • Bucket name first, then s3, then amazonaws.com

What is the static website URL style?

  • S3 static hosting can be your own domain, or bucket name first, s3-website second, followed by the region

Why use multipart S3 upload?

  • Improved throughput
  • Quick recovery from network issues
  • Pause and resume object uploads
  • Begin an upload before you know the final object size

What is S3 Object Lock?

  • Can only be enabled on new buckets. Contact support to turn it on for existing buckets
  • Enables versioning on the entire bucket
  • Versioning can't be suspended once Object Lock is enabled, and Object Lock can't be disabled

Limits of S3 Cross-Region Replication

  • Can't replicate objects encrypted with SSE-C
  • Doesn't replicate retroactively
  • Doesn't chain replication

S3 Glacier

How to retrieve data?

  • Using the Glacier API, or through the AWS Console

Fastest way to retrieve data?

  • Expedited - lets you get data in < 5 minutes
  • Standard = 3-5 hours

How to get petabytes of data out of Glacier?

  • Bulk - retrieve petabytes of data within 5-12 hours. Lowest cost option

EC2

Different Instance Types

  • F - FPGA
  • I - IOPS
  • G - Graphics
  • H - High disk throughput
  • T - burstable and general purpose
  • D - Density
  • R - RAM (memory optimised)
  • M - Main choice for general purpose apps
  • C - Compute optimised
  • P - GPU optimised
  • X - Extreme memory
  • Z - Extreme memory + CPU
  • A - Arm-based workloads
  • U - Bare metal

What is the maximum number of instances per region?

  • 20

How to purchase instances for a predictable usage pattern?

  • Reserved instances

Time periods for reserved instances?

  • 1 or 3 years

What is the billing for on demand instances?

  • Per second, unless they are Windows instances in which case they are billed the full hour

What is the discount for using spot instances?

  • Up to 90%

What are spot instances used for?

  • Fault tolerant or containerised workloads

What are dedicated hosts good for?

  • Maintaining corporate licensing
  • If you need your own physical hardware

Summary of purchasing options

  • On Demand
    • Per second billing
  • Reserved (capacity reservation for contract terms)
    • Can purchase instances for steady, predictable usage over 1 or 3 year periods
  • Spot Instances
    • Up to 90% discount. Containerised workloads, fault tolerant processing etc.
  • Dedicated Hosts
    • Hella expensive - you get your own physical hardware
    • Use for corporate licensing e.g. SQL Server / Oracle etc.

What is a spot block?

  • Spot instances that run for the desired duration without interruption

How do I stop an instance being terminated?

  • Use termination protection, which is off by default

Why hibernate an instance instead of stopping?

  • Hibernating provides a 'warm-start' capability. RAM contents are saved to the EBS root volume and reloaded when the instance is restarted. Hibernation is also not charged

How do I move an EC2 instance from one AZ to another?

  • Take a snapshot, create an AMI from the snapshot and then launch from the AMI in the new AZ

What about across regions?

  • Same as above, but have to move the AMI to the new region

Can you change tenancy of an instance?

  • Tenancy can only be changed between variants of 'Dedicated' by stopping and starting the instance
  • A stopped instance's tenancy can be changed from dedicated to default using the CLI, API or SDK

EBS and EFS

How do I take an application-consistent snapshot of an EBS volume?

  • Application-consistent snapshots should be taken when the instance is stopped

True or False, EBS volumes can be changed on the fly?

  • True

How to encrypt an EBS volume?

  • Create a snapshot of the original volume
  • Create a copy and select encrypt
  • Create AMI from encrypted snapshot
  • Launch instance from encrypted AMI

True or False? Root device volumes can be encrypted?

  • True

What is EFS (Elastic File System) used for?

  • Attaching file system to multiple EC2 instances
  • Has read after write consistency
  • Scales up to petabytes
  • Distributed and highly resilient

EC2 Networking

Where does an Elastic IP (EIP) exist?

  • An elastic IP exists per region

What is an ENI for?

  • Basic networking

What is the throughput of an enhanced network adapter?

  • 10GBps up to 100GBps

What is the Elastic Fabric Adaptor suited for?

  • HPC, ML, OS bypass
  • Incredibly fast network throughput

Placement Groups

  • Names must be unique within your account

What is a clustered placement group and what is it suited for?

  • Instances placed in the same availability zone (AZ)
  • High performance computing, low latency, instances kept on physically close hardware

What is a spread placement group and what is it suited for?

  • Instances in a group spanning an AZ
  • Fault tolerance, withstanding loss of an AZ

What's the maximum number of instances in a spread placement group?

  • 7

What is a partitioned placement group and what is it suited for?

  • Multiple instances on separate hardware
  • Fault tolerance if a piece of hardware in the data center goes bye-bye

Security

What would you use to centrally manage and configure firewalls?

  • AWS Firewall Manager

What is AWS WAF used for?

  • Block IPs, countries, XSS, etc
  • Attached to load balancers or Cloudfront distribution
  • Can also block SQLI or XSS exploits

When would you need to purchase AWS Shield Advanced?

  • To protect EC2 instances from a DDoS attack
  • AWS Shield protects Cloudfront and Route53 and is at no extra cost

How to block IP addresses?

  • Use NACLs for a particular subnet to deny specific IP addresses

What happens when a security group is used with an Application Load Balancer (ALB)?

  • Traffic is terminated at the ALB security group, unlike with a Network Load Balancer which will pass through

How to set up AWS Firewall Manager?

  • Must be part of AWS Organisations
  • Have an associated administrator account
  • Enable AWS Config

KMS (Key Management Service)

What is KMS?

  • Regional secure key management service which supports encryption and decryption
  • Can manage customer master keys (CMKs)
  • Ideal for encrypting S3 objects, database passwords and API keys etc.
  • Pay per API call

DynamoDB

What are the two consistency options and what's the default?

  • Eventual consistency (default)
  • Strongly consistent (when you need reads to reflect writes less than 1 s old)

What makes a sort key well-designed?

  • Related information is gathered in one place for efficient querying. Range queries become efficient.

Is DynamoDB spread across regions by default?

  • Yes, it's spread across 3 geographic regions

How are you charged for using DynamoDB?

  • Depends on the usage mode specified
    • On-demand capacity mode charges you for reads and writes
    • Provisioned capacity mode charges you based on predictable reads/writes
  • Data storage priced as follows:
    • First 25GB per month is free
    • $0.25 per GB/month thereafter

What is the maximum size of a row in DynamoDB?

  • The combined size of attribute names and values must not exceed 400 KB

VPC

Can a subnet span multiple AZs?

  • No, a subnet lives in exactly one AZ

What is the limit on VPCs per account?

  • 5

True or False, the default VPC is public facing?

  • True
  • The default NACL created allows any inbound and outbound connection

What is an Egress-only gateway used for?

  • Allow IPv6 out but not allow communication in

What is created alongside a custom VPC?

  • Route table
  • Network Access Control List (NACL)
  • Security Group

Can you peer VPCs with overlapping CIDR blocks?

  • No

Can you peer VPCs across accounts?

  • Yes

Security Groups

What are the rules for the default security group?

  • Inbound denied
  • Outbound open

What are the possible targets for a security group?

  • Another security group
  • A prefix list ID for an AWS service
  • A range of IPv4 addresses

Network ACLs

What are network ACLs?

  • A form of access control applied to a subnet within a VPC
  • It applies to all instances within a subnet

How is access control evaluated once a request comes into or out of a subnet?

  • Rules are applied NACL in -> SG in -> SG out -> NACL out

VPC Flow logs

What can you monitor with a VPC flow log?

  • Subnet
  • VPC
  • Elastic Network Interface (ENI)

Where do the logs go?

  • Cloudwatch
  • Any third-party logging application can also consume the logs

Why use a NAT Gateway instead of a NAT instance?

  • NAT gateway is the newer, managed, fault-tolerant option
  • NAT instance is a single point of failure
  • Have to disable source/destination check on NAT instance

AWS Global Accelerator

  • A service used to reduce latency from customers to ELB and EC2 instances.
  • Utilises edge locations to reduce latency and improve throughput.
  • Uses static IP

Can I provide my own IP address to global accelerator?

  • Yes

Applications and Messaging

Kinesis

What are Kinesis Streams used for?

  • Storing streaming data and streaming it out to consumers

What is a shard?

  • A partition of data stored within streams

What is Kinesis Firehose used for?

  • Streaming data into data stores and analytics tools such as S3, Redshift, ElasticSearch and Splunk
  • Concepts include source and destination for delivery streams.
  • No storage: data must be delivered to a destination or transformed as it arrives

What is Kinesis Analytics?

  • For analysing data on the fly and can be used in Streams or Firehose

What is Amazon MQ used for?

  • Messaging from on-premises -> Cloud

SQS

What is Amazon SQS?

  • Simple, reliable, pull-based message queue
  • Order not guaranteed and message can be delivered more than once
  • A way to decouple infrastructure

What is the default retention period for an SQS message?

  • 4 days

How long can a message stay in a queue?

  • 14 days

How do I maintain strict ordering and once-only delivery of SQS messages?

  • Use SQS FIFO

What is the visibility time-out?

  • The amount of time that the message is invisible in the SQS queue after a reader picks up the message. If the job fails, then the message will become visible and may be delivered twice. Otherwise it will be deleted from the queue. Maximum is 12 hours

Difference between long-polling and short-polling?

  • Short polling means polling the queue in short intervals, whereas long polling is a way to save money by not polling as frequently

SWF (Simple Workflow)

How long can an SWF workflow execution last?

  • Up to 1 year

What's the difference between SWF and SQS?

  • SWF has a task-oriented API whereas SQS is message-oriented.
  • SWF tasks are assigned only-once and never duplicated
  • SWF keeps track of state

SNS (Simple Notification Service)

What is SNS?

  • Instantaneous push-based messaging (no polling)
  • Pay as you go

What is Amazon App Sync?

  • Managed GraphQL

SES (Simple Email Service)

What is SES?

  • A managed email platform where you can provide your own email domain.
  • Suitable for marketing emails e.g. Mailchimp
  • Pay per volume

Why might you see timeouts?

  • SES throttles port 25 (the default JavaMail API port)

RDS

Which RDBMS can't do read replicas or Multi-AZ in RDS?

  • Microsoft SQL Server
  • MariaDB also can't support Multi-AZ AND read replicas

Over what time period do automated backups take a snapshot?

  • Daily

True / False, backups can be stored in any region

  • False - stored in same region as the database

What does the backup cost?

  • Stored in S3 for free, up to the same size as the DB
  • Snapshots are created automatically
  • Stored even after the DB is deleted
  • Final snapshot taken before you delete

How do you encrypt an existing RDS instance?

  • Create an encrypted RDS instance and migrate data manually into it.

What happens when you restore from a snapshot?

  • Restores create a new RDS instance from the snapshot with a new endpoint

What is Multi-AZ used for?

  • Synchronous replication in an active/passive setup for high resiliency
  • Automatic failover if the primary fails

What is the replication for a read replica?

  • Asynchronous

What is the cheapest storage available for RDS?

  • Magnetic Storage (HDD)

Storage Gateway

What is Storage gateway?

  • On-premises storage replicated to AWS

What is a file gateway?

  • NFS & SMB file system
  • Stored as objects in S3 through an NFS mount point

What is a volume gateway?

  • iSCSI volume
  • Data written to these volumes can be backed up as snapshots to EBS
  • Stored Volumes (keeps all data locally and backs up incrementals to EBS)
  • Cached Volumes only store frequently accessed data on site

What is tape gateway?

  • Backing up tape to the cloud
  • Cheap as chips
  • VTL interface lets you abstract away actual tape

Route 53

  • An alias record points a domain name at AWS services such as an Elastic Load Balancer, S3 bucket or CloudFront distribution
  • Can create an alias record at the zone apex

Elastic Load Balancer

How to have a static IP address with an Elastic Load Balancer?

  • Use a Network Load Balancer

What is an Application Load Balancer (ALB) best suited for?

  • Load balancing between EC2, RDS etc.
  • ALB supports intelligent-routing based on request path, HTTP headers etc.
  • Can support healthchecks
  • Can use Server Name Indication (SNI) to enable SSL

What is a Classic Load Balancer used for?

  • Load balancing EC2 instances at the lowest possible cost

What is cross-zone load balancing?

  • A setting which, when enabled, allows a load balancer to direct traffic across availability zones

What are path patterns useful for?

  • Path patterns are for when you want traffic of a specific path in the URL to go to a specific instance

Autoscaling

  • Groups
  • Configuration Templates
  • Scaling options

What are the different scaling options?

  • Maintain current instance levels
  • Scale manually
  • Scale based on a schedule
  • Scale based on demand
  • Use predictive scaling

API Gateway

What is it?

  • Like a 'front door' for applications in your AWS environment
  • Low cost and scales automatically

How would I prevent an attack?

  • Requests can be throttled / rate-limited

Can requests be cached?

  • Yes, requests which are identical will return an identical cached response

Cognito

What is Cognito?

  • Identity broker

What is federated authentication?

  • This is where a user can authenticate with a Web Identity Provider such as Google, Facebook or Amazon

What is the flow when authenticating with Web Identity Federation?

  • Authenticate with the provider, receive an authentication token, which is exchanged for AWS credentials

Difference between user pool and identity pool?

  • User pool handles user registration, authentication and account recovery (user-based)
  • Identity pools authorise access to AWS resources

Cloudwatch

What are the two types of monitoring plans?

  • Basic
  • Detailed

What are the default metric sending settings?

  • 5 minutes by default
  • 1 minute for detailed

Is it possible to view memory usage in Cloudwatch for an EC2 instance?

  • Only via a custom metric: AWS can see the instance from the outside, but not inside it

Elasticache

Which cache option allows encryption at rest?

  • Redis

Lambda

Does Lambda scale up or out?

  • Each concurrent invocation of a Lambda function runs in its own execution environment, independent of any existing ones, so it scales out.

How would I debug Lambda?

  • Use AWS X-Ray

What are the two types of Lambda triggers?

  • Synchronous and Asynchronous

ECS (Elastic Container Service)

What is ECS?

  • ECS is a managed container orchestration service.
  • Clusters can be created to manage fleets of deployments
  • EC2 instances can be used or serverless (Fargate)

Cloudfront

Can you use Cloudfront to 'speed up' EC2 instances?

  • Yes, a Cloudfront distribution can cache various things such as .html, .css files at edge locations