AWS - Amazon · 2018年5月15日

AWS – 错题本(2)

需要补习VPC章节。

这个就比较难记了,唯一的方法是记住所有CloudWatch支持的默认Metric,其余的都应该是Customized。参考文章《List the Available CloudWatch Metrics for Your Instances

  1. CPU
  2. Disk (read/write)
  3. Network
  4. StatusCheck
  5. EBS (read/write)
  6. AutoScaling

不知道这样够不够。还一个,默认Metric是5分钟一记录,如果enable detailed monitoring的话是1分钟一记录。

Best practices are usually to implement proxy solutions to provide URL and web content filtering, IDS/IPS, DLP, monitoring, and advanced threat protection.

这个解释有点牵强,但是好吧。

我当时认为这里面没有正确的选项,因为应该用ACL,掩码应该是32位的,选项里没有。

好吧我理解错了。在我的笔记中清楚地记录着如下文字:

Security Groups cannot block the specific IP address, but ACL can.

两者都可以添加基于IP地址为规则,但是不同的是,Security Group只能加Allow的规则,不能加Block的规则。

而在此题中,是Allow规则。出题者特意不让我们选ACL的选项,所以故意把掩码写成了0。

 

When you launch an instance, you must select an AMI that’s in the same region. If the AMI is in another region, you can copy the AMI to the region you’re using. For more information, see Copying an AMI.

IAM does not have single-use password policy and simply creating IAM users for privileged accounts is not sufficient to enforce frequent rotation of passwords.

我擦所以我选择的其实是对的么?!

Monitoring the Status of Your Volumes

Volume status checks are automated tests that run every 5 minutes and return a pass or fail status. If all checks pass, the status of the volume is ok. If a check fails, the status of the volume is impaired. If the status is insufficient-data, the checks may still be in progress on the volume. 

不懂单词的痛啊,insufficient是“不足的,缺乏的“的意思……

The following is taken from the PDF version of the ec2 documentation, page 661

=============================================================

Note To move data from an unencrypted volume to an encrypted volume, you can also create a snapshot of the unencrypted volume, create an encrypted copy of that snapshot, and then restore the encrypted snapshot to a new volume, which will also be encrypted.

To migrate data between encrypted and unencrypted volumes

1. Create your destination volume (encrypted or unencrypted, depending on your use case) by following the procedures in Creating an Amazon EBS Volume (p. 616). 2. Attach the destination volume to the instance that hosts the data you would like to migrate. For more information, see Attaching an Amazon EBS Volume to an Instance (p. 620). 3. Make the destination volume available by following the procedures in Making an Amazon EBS Volume Available for Use (p.621). For Linux instances, you can create a mount point at /mnt/destination and mount the destination volume there. 4. Copy the data from your source directory to the destination volume. 

好吧我又没有好好看题,第四个选项缺一步将现有的snapshot加密,然后再恢复。

The server side encryption can either have either have the S3 supplied AES-256 encryption key or the user can send the key along with each API call to supply his own encryption key.

Amazon S3 never stores the user’s encryption key. The user has to supply it for each encryption or decryption call.

不懂这个问题。

http://jayendrapatil.com/tag/cloudwatch/ 里有这道题,解释为排除法:

第一个选项,CloudWatch metrics are regional.

第三个选项,Can’t add SNMP traps to DynamoDB as it is a managed service.

第四个选项,Can’t add agents to DynamoDB as it is a managed service.

什么叫managed service?

在http://jayendrapatil.com/category/aws/risk-and-compliance/ 里有讲:

Key Risk and Compliance Questions

  • Auditing IT
    • Auditing for most layers and controls above the physical controls remains the responsibility of the customer
    • AWS ISO 27001 and other certifications are available for auditors review
    • AWS-defined logical and physical controls is documented in the SOC 1 Type II report and available for review by audit and compliance teams
  • Data center tours
    • As AWS host multiple customers, AWS does not allow data center tours by customers, as this exposes a wide range of customers to physical access of a third party.
    • An independent and competent auditor validates the presence and operation of controls as part of our SOC 1 Type II report.
    • This third-party validation provides customers with the independent perspective of the effectiveness of controls in place.
    • AWS customers that have signed a non-disclosure agreement with AWS may request a copy of the SOC 1 Type II report.
  • Third-party access
    • AWS strictly controls access to data centers, even for internal employees.
    • Third parties are not provided access to AWS data centers except when explicitly approved by the appropriate AWS data center manager per the AWS access policy

pessimistic = 悲观的,保守的

Amazon DynamoDB的文档里写着其支持Conditional Writes:

Conditional Writes

By default, the DynamoDB write operations (PutItemUpdateItemDeleteItem) are unconditional: each of these operations will overwrite an existing item that has the specified primary key.

DynamoDB optionally supports conditional writes for these operations. A conditional write will succeed only if the item attributes meet one or more expected conditions. Otherwise, it returns an error.

在Amazon S3的文档里说:Amazon S3 achieves high availability by replicating data across multiple servers within Amazon’s data centers.

这里的Amazon‘s data centers就是AZ吧。

但是S3也有一个Cross-Region Replication(CRR)的feature啊。

好吧,和11题一起看的话,S3支持在同一个Region里的自动跨AZ备份。

 

 

 

 

 

Access key is nowhere in the picture while connecting to the instance. it is used for AWS CLI.

又看错题目了!!!这里是Instance store,不是EBS!!!只要一停就会丢失!

如果是AD integration的问题的话:

  1. User <-> AD Authenticated
  2. AD -> SAML Assertion
  3. User -> AWS sign-in Endpoint (https://signin.aws.amason.com/saml)
  4. AWS management Console

From difference_in_admin_and_power :

First – a best practice, you generally want to use the root account for as few functions as possible – maybe to create an Admin user, lock down the root account using MFA and such but that’s it. The main difference between a IAM roles with Administrator Access and Power User access is that Power User’s can do everything that an Admin user can do EXCEPT that Power Users cannot manage IAM users or groups.

 

首先读好题,是使用VPC Wizard。

VPC CIDR -> VPC name -> Public subnet -> DNS hostname -> Create

Internet Gateway被创建了,并且attach到刚创建的VPC。

默认路由被创建了,指向的是IGW。

Wizard里没有private subnets的选项啊。。。

在Amazon S3的文档Server Access Logging中有说:

To track requests for access to your bucket, you can enable access logging. Each access log record provides details about a single access request, such as the requester, bucket name, request time, request action, response status, and error code, if any. Access log information can be useful in security and access audits. It can also help you learn about your customer base and understand your Amazon S3 bill.

和CloudWatch无关。