Cloud Computing and AWS CloudTrail Quiz

Questions and Answers

What is the default retention period for events in CloudTrail's Event History?

  • 60 days
  • 120 days
  • 90 days (correct)
  • 30 days

Which type of events does CloudTrail log by default?

  • Management Events (correct)
  • Service Events
  • API Events
  • Data Events

Which of the following services logs events globally and directs them to us-east-1?

  • Lambda
  • EC2
  • S3
  • IAM (correct)

What must be enabled for a trail to log Data Events such as S3 object uploads?

  • Data Events (C) (correct)

How is a trail configured to log events for all regions?

  • All region trail (A) (correct)

What is the approximate delay in event logging for CloudTrail?

  • 15 minutes (D) (correct)

What format does CloudTrail use to store events in an S3 bucket?

  • Compressed JSON files (B) (correct)

Which statement accurately describes how CloudTrail operates with regards to AWS services?

  • Regional services log events in the region created. (A) (correct)

What is a characteristic of on-demand self-service in cloud computing?

  • Allows immediate access through a user interface or command line interface (D) (correct)

Which cloud model combines the features of both public and private clouds?

  • Hybrid Cloud (B) (correct)

Which cloud service model allows clients to manage everything from data to facilities?

  • On-Premises (C) (correct)

What distinguishes a public cloud from a private cloud?

  • Public cloud services can be accessed by anyone over the internet (C) (correct)

In the Infrastructure as a Service (IaaS) model, what aspects does the vendor manage?

  • Facilities, servers, and operating system up to the OS level (C) (correct)

What is the key benefit of resource pooling in cloud computing?

  • Economies of scale leading to cost reductions (A) (correct)

What defines a multi-cloud strategy in cloud computing?

  • Using multiple public cloud services simultaneously (B) (correct)

What is one of the primary features of rapid elasticity in cloud services?

  • Automatic scaling of resources based on current load (A) (correct)

What is the role of CloudFormation in the AWS infrastructure?

  • To synchronize logical resources with physical resources in your AWS account. (B) (correct)

Which option correctly describes a namespace in CloudWatch?

  • A unique container for monitoring data that can be named freely, excluding AWS service names. (C) (correct)

In CloudWatch, what is the significance of dimensions?

  • They separate data points for different perspectives within the same metric. (D) (correct)

What triggers an alarm in CloudWatch?

  • The transition of metric states, such as OK or ALARM. (A) (correct)

Which statement reflects the Shared Responsibility Model correctly?

  • AWS is responsible for the security of the cloud infrastructure itself, while customers manage the security of their applications. (C) (correct)

What type of data does CloudWatch collect as metrics?

  • Dynamic, time-ordered sets of data points, such as CPU usage. (A) (correct)

What is a characteristic of an alarm state in CloudWatch?

  • It can perform automated actions or send notifications based on performance thresholds. (B) (correct)

What happens to an object that is not accessed for 30 days?

  • It shifts to Standard-IA. (D) (correct)

How many stacks can a single template create in CloudFormation?

  • An unlimited number of stacks. (B) (correct)

Which action is NOT part of S3 Object Lifecycle Management?

  • Replicating objects to a different region. (A) (correct)

When implementing S3 replication between different accounts, what must be done?

  • A bucket policy must be added on the destination account. (D) (correct)

What is the default behavior regarding object ownership in S3 replication?

  • Ownership of objects stays with the source bucket account. (B) (correct)

What is the maximum time an object can remain in Standard-IA before transitioning to Glacier?

  • 180 days. (D) (correct)

Which statement about Intelligent-Tiering is correct?

  • It is beneficial for objects with unknown access patterns. (C) (correct)

In the context of S3 replication, what is the role of the IAM policy?

  • It allows the S3 service to read source bucket objects. (D) (correct)

What is the earliest an object can be purged after uploading?

  • 90 days. (C) (correct)

What is the primary purpose of a Trust Policy in an IAM Role?

  • To specify which identities can assume the role. (A) (correct)

Which of the following best describes Temporary Security Credentials?

  • They are time-limited and need to be renewed through role reassumption. (B) (correct)

In a Break Glass Situation, what is required to justify accessing restricted resources?

  • An established reason for the elevated access. (A) (correct)

How does Web Identity Federation primarily facilitate access for applications with numerous users?

  • By allowing broader access through IAM roles. (A) (correct)

What happens when the Permissions Policy of an IAM Role is updated?

  • The permissions of previously granted temporary security credentials are also affected. (A) (correct)

What is the main advantage of using an IAM Role over attaching a policy directly to an identity?

  • Roles allow for better security and flexibility in assigning permissions. (A) (correct)

What does the Secure Token Service (STS) facilitate in the context of IAM Roles?

  • It generates temporary security credentials when a role is assumed. (D) (correct)

Which of the following statements about IAM Users and IAM Roles is accurate?

  • IAM Roles are primarily intended for short-term use by other identities. (A) (correct)

What is a benefit of splitting subnets into different tiers within a VPC?

  • It facilitates easier management of resources by function. (B) (correct)

Which of the following statements regarding the Custom VPC is accurate?

  • Hybrid networking allows a Custom VPC to connect to external networks. (C) (correct)

What is the maximum size of an IPv4 CIDR block that can be allocated for a VPC?

  • /16 prefix (D) (correct)

What is the main function of the DNS provided by Route 53 in a VPC?

  • To provide DNS hostnames for instances with public IPs. (C) (correct)

Which statement correctly describes the purpose of dedicated tenancy in a Custom VPC?

  • It locks resources to dedicated hardware at a premium cost. (D) (correct)

How does splitting a /16 subnet into 16 parts affect the individual subnet sizes?

  • Each subnet becomes a /20. (C) (correct)

Which IPv6 CIDR block size can typically be assigned to a VPC?

  • /56 (A) (correct)

What is a consequence of not allowing explicit configuration for traffic in and out of a VPC?

  • Traffic is isolated, preventing external access unless configured. (C) (correct)

Flashcards

Public Cloud

A cloud computing model where you use one public cloud provider like AWS, Azure, or Google Cloud.

Private Cloud

A cloud computing model where you use on-premises infrastructure to create a private cloud environment. It must meet the five requirements of cloud computing.

Multi-Cloud

A cloud computing model where you use multiple public cloud providers in a single deployment.

Hybrid Cloud

A cloud computing model where you use a mix of public and private cloud resources.

On-Premises

A cloud computing model where you manage all components from data to facilities.

Data Center Hosting

A cloud computing model where you place your equipment in a vendor-managed building. You only pay for the facilities.

Infrastructure as a Service (IaaS)

A cloud computing model where the vendor manages everything up to the operating system. You pay for the resources you use.

Platform as a Service (PaaS)

A cloud computing model where the vendor manages the platform, allowing you to focus on your application.

IAM Role Permissions Policy

A policy that defines what permissions an IAM role is allowed to perform.

IAM Role Trust Policy

A policy that defines which identities are allowed to assume an IAM role.

Temporary Security Credentials (TSC)

Temporary security credentials that are granted to an identity when they assume an IAM role. These credentials have a limited time validity and need to be renewed.

Lambda Execution Role

An IAM role that provides a dedicated identity for Lambda functions, allowing them to access required AWS services.

Emergency Role

A specialized IAM role designed for emergency access to resources that are not normally accessible by a team. This allows for controlled access in critical situations.

ID Federation

A mechanism that allows external identity providers to manage access to AWS resources by allowing users from those providers to assume an IAM role in AWS.

Web Identity Federation

A feature used to allow web applications to issue temporary AWS credentials to users, enabling broader access based on IAM roles.

What is an AWS CloudFormation stack?

An active representation of a template. It's a living, dynamic version of the template in AWS. One template can create many stacks.

What is AWS CloudWatch?

A collection and management service for operational data from AWS services, applications, and on-premises solutions. It includes metrics, logs, and events.

What is a Namespace in AWS CloudWatch?

A container for monitoring data in AWS CloudWatch. It can be named anything, as long as it's not an AWS service name. All metric data for a specific service is stored in its own namespace.

What is a Metric in AWS CloudWatch?

A time-ordered set of data points that monitor a specific aspect of your AWS resources or services, such as CPU usage, network traffic, or disk I/O.

What are Alarms in AWS CloudWatch?

A feature in AWS CloudWatch that monitors the state of a metric. When a metric reaches a predefined threshold, an alarm is triggered, which can send notifications or perform actions.

What is the Shared Responsibility Model in AWS?

AWS is responsible for the security of the cloud infrastructure, including access control, physical security, and network security. The customer is responsible for security in the cloud, including data encryption, access control policies, and application security.

What is High Availability (HA) in AWS?

The ability of a system to continue operating despite failures or disruptions. It can be achieved through redundancy, fault tolerance, and disaster recovery mechanisms.

What is Fault Tolerance (FT) in AWS?

The ability of a system to withstand failures within its components without compromising its functionality. It's a critical aspect of high availability and often involves redundant components and failover mechanisms.

S3 Lifecycle Management

A process in Amazon S3 where objects automatically transition between storage classes based on access patterns, reducing storage costs.

Transition Action

A type of S3 lifecycle action that moves objects to a different storage class based on specified timeframes.

Expiration Action

A type of S3 lifecycle action that removes older versions of objects after a specified time, keeping costs down.

S3 Replication

A feature in S3 that replicates objects from a source bucket to a destination bucket, ensuring data availability and redundancy.

Same-Region Replication (SRR)

S3 replication that copies objects to a destination bucket within the same AWS region.

Cross-Region Replication (CRR)

S3 replication that copies objects to a destination bucket in a different AWS region.

Replication Configuration

A configuration that defines where, when, and how S3 objects will be replicated to a destination bucket.

Replication Role

An IAM role that grants permission to the S3 service to access the source bucket and replicate objects to the destination bucket.

What is AWS CloudTrail?

A service that records events (API calls, management actions) occurring in your AWS account, providing detailed logs for auditing, security analysis, and compliance.

What are Management Events in CloudTrail?

Events that record actions taken on AWS resources within your account, such as creating or terminating an EC2 instance.

What are Data Events in CloudTrail?

Events that record data interactions, such as uploading objects to S3 or invoking a Lambda function. They are not enabled by default and must be explicitly activated for a trail.

What is an 'All Region' CloudTrail?

A collection of trails that covers every AWS region within your account. As new regions are added, they are automatically included in the trail.

Where do global AWS services log their events in CloudTrail?

AWS services that operate globally, like Identity and Access Management (IAM), Security Token Service (STS), and CloudFront, log their events exclusively in the us-east-1 region.

What is an Organizational Trail in CloudTrail?

A feature that allows you to combine multiple trails into a single entity, serving as a centralized management point for all API calls and management events in an organization.

Is CloudTrail real-time?

CloudTrail is not real-time. There is a delay, typically around 15 minutes, between an event occurring and it being logged in CloudTrail.

What is a CloudTrail Trail?

CloudTrail logs events for the AWS region in which the trail is created. It's a regional service, meaning each region has its own set of trails.

Subnet Placement and Tiering

A subnet is situated within a single Availability Zone (AZ). It's beneficial to organize subnets into tiers, like 'web', 'application', 'database', and 'spare'. With at least 3 AZs per Region, aim for at least one subnet per AZ plus a spare subnet.

What is a Custom VPC?

A VPC is a secure, isolated network inside AWS. It acts like a private cloud, allowing you to control incoming and outgoing traffic. Any issues are confined to the VPC and its connections. It offers flexible configuration and allows connections to on-premises or other cloud networks.

IPv4 CIDR Blocks in a VPC

A VPC uses one mandatory private IPv4 CIDR block. The block can range from a /28 prefix (16 IPs) to a /16 prefix (65,536 IPs). You can add up to 5 secondary IPv4 blocks.

IPv6 in a VPC

VPCs have a single assigned IPv6 /56 CIDR block. The IPv6 range is either allocated by AWS, with no choice of addresses, or you can bring your own owned IPv6 addresses. Remember that IPv6 addresses are public by default, unlike private IPv4 addresses.

DNS in VPC

A VPC uses DNS provided by Route 53, accessible at the VPC's base IP address plus 2. For example, a VPC with 10.0.0.0 would have DNS at 10.0.0.2. There are options to control how DNS works: edit DNS hostnames to allow instances with public IPs in the VPC to receive public DNS hostnames.

VPC Tenancy Options

Default Tenancy allows you to choose dedicated hardware later for individual resources. Dedicated Tenancy locks all resources created in a VPC to dedicated hardware, which comes at a premium cost. It's a more secure option for sensitive workloads.

VPC Sizing: Range Breakdown

Consider the number of ranges, at 10 ranges per AWS account, and the regions (US with 3 regions, Europe and AUS with 1 region each) with 2 ranges per region. Understand the breakdown of ranges within each account.

VPC Sizing: AZs and Subnet Tiers

When sizing your VPC, aim to divide subnets into tiers based on their function (e.g., web, application, database, spare). Consider splitting your network into at least 4 Availability Zones to create a spare subnet and ensure you have at least one subnet in each AZ.

Study Notes

AWS Certified Solutions Architect - Associate Master Cheat Sheet Study Notes

  • Cloud Computing Fundamentals:

    • On-Demand Self-Service: Provision and terminate services via a UI/CLI without human interaction.
    • Broad Network Access: Access services over any network using standard protocols.
    • Resource Pooling: Economies of scale through shared resources.
    • Rapid Elasticity: Auto-scale resources to meet demand.
    • Measured Service: Pay for what you use.
  • AWS Fundamentals:

    • AWS Support Plans: Basic (free), Developer, Business, and Enterprise.
    • Public vs. Private Services:
      • Public Cloud: uses a public cloud provider like AWS, Azure, or Google Cloud.
      • Private Cloud: on-premises cloud infrastructure.
      • Multi-cloud: uses more than one public cloud in a single deployment.
      • Hybrid cloud: uses both private and public clouds in one environment.
  • AWS Global Infrastructure:

    • Regions: Specific geographic areas for AWS infrastructure (e.g., Ohio, California, Singapore).
    • Edge Locations: Local distribution points for faster data access for customers.
    • Management: Regions are connected, and some services are global (e.g., IAM).
  • Regions and AZs:

    • AWS regions are geographical areas.
    • Availability zones (AZs) are isolated within a region, offering fault tolerance.
  • Cloud Service Models:

    • On-Premises: The user manages all components.
    • Hosting: Vendor managed facilities, user provides the equipment.
    • IaaS (Infrastructure as a Service): Vendor provides servers up to the operating system, user manages the application on top.
    • PaaS (Platform as a Service): Vendor manages facilities, application, and OS, user manages the configurations of the application.
    • SaaS (Software as a Service): Vendor manages everything, including software and data.
  • AWS Support Plans:

    • Basic (free): One user; basic support.
    • Developer: One user, basic support, general guidance provided.
    • Business: Multiple users, support, personal guidance.
    • Enterprise: Technical account manager.
  • CloudWatch Basics:

    • Metrics, logs, and event hub.
    • Used to collect and manage operational data.
  • High Availability (HA), Fault-Tolerance (FT), and Disaster Recovery (DR):

    • Aims for high uptime, rapid recovery from failures, and disaster preparedness.
    • Fault tolerance ensures continued proper working despite some components failing.
    • Disaster Recovery addresses recovery from potentially catastrophic events.
  • Domain Name System (DNS):

    • DNS translates human-readable domain names to IP addresses.
    • Includes parts such as DNS clients, resolvers, zones, zone files, and nameservers.
  • RDS (Relational Database Service):

    • Systems for storing and managing data.
    • Structure is defined via schemas comprised of tables.
    • SQL (Structured Query Language) is a feature used.
  • Security Groups:

    • Boundaries that filter network traffic.
    • Attached to a resource.
    • Stateful rules.
    • Implicit deny.
    • Must be configured.
  • Network Address Translation (NAT):

    • Changes source and destination of data packets to allow external access.
    • Requires an external public IP.
  • EC2 (Elastic Compute Cloud):

    • Provides virtual machines (VMs) for compute.
    • Infrastructure as a service.
    • Different instance types.
    • Bootstrapping via user data.
  • IAM (Identity and Access Management):

    • Identity Policies: Statements allow or deny access to AWS resources.
    • Statement Components:
      • Statement ID (SID): Descriptive name for the statement.
      • Effect: Allow or Deny.
      • Actions: Specific operations.
      • Resources: Target resources.
    • Priority Level: Explicit Deny, Explicit Allow, and Default Deny (Implicit).
    • Policies: Inline Policies (individual) or Managed Policies (shared).
    • Users: For humans and applications accessing AWS services.
    • Groups: Logical groupings to manage permissions for multiple users.
    • Roles: Assumed roles grant permissions to other identities.
  • S3 (Simple Storage Service):

    • Object storage.
    • Private by default.
    • Uses Object Keys for identification within the bucket.
    • Uses Bucket Policies to control access.
    • Versioning is used to keep multiple versions of any object.
  • Static Hosting:

    • Enables hosting static websites stored in S3.
  • Encryption at Rest:

    • Data in storage is encrypted.
  • Encryption in Transit: Secure transmission of data over the Internet.

  • Object Versioning and MFA Delete:

    • Retain historical versions of objects. Adds extra security.
  • Cross-Account Access:

    • Allows access to resources in other AWS accounts through roles.
  • VPC (Virtual Private Cloud):

    • Isolated network.
    • Has route tables and subnets.
    • Enables using private or public IP addresses.
  • Security Groups (and Network Access Control Lists (NACLs)):

    • Manage traffic in/out.
  • Internet Gateway:

    • To connect to the internet.
  • Gateway Endpoints:

    • Simplified access to public services within a VPC.
  • Interface Endpoints:

    • Private access to public services.
  • VPC Peering:

    • Networking connection between VPCs.
  • Hybrid and Migration:

    • Site-to-Site VPN: Connects on-premises network to VPC.
  • AWS Direct Connect: Direct connection to AWS network.

  • Storage Gateway: Hybrid storage capabilities.

  • Snowball/Snow Mobile: Physical devices to transfer large amounts of data.

  • AWS Directory Service:

    • Manages on-premises directories in AWS.
  • Advanced-VPC:

    • Detailed information about VPCs, including advanced features and concepts.
  • CloudWatch Logs:

    • Logs data, configured per region.
  • CloudWatch Events/EventBridge:

    • Orchestrates actions on other services in response to events.
  • Route 53: DNS service.

    • Hosted Zones: Data structures for controlling DNS records.
