AWS Certified SysOps Administrator Official Study Guide. Cole Stephen
Management Service (AWS KMS) and stored in Amazon S3. For the AWS Lambda function to retrieve the key from Amazon S3 and decrypt it with AWS KMS, you must update the IAM policy attached to the AWS Lambda function's execution role so that it allows s3:GetObject on that one object and kms:Decrypt with that one key, and nothing broader. More information on cryptography is provided in Chapter 3. (See Figure 1.2.)
FIGURE 1.2 AWS KMS operations with Lambda
Who is allowed to access the encrypted private key in Amazon S3? Who is allowed to decrypt it? Both are determined by IAM policies: the identities permitted to read the object from Amazon S3 and the identities permitted to call kms:Decrypt with the key that protects it. Keep both sets as small as possible, and remember that the KMS key policy must also allow the use; an IAM policy alone does not grant access to a KMS key.
Where and how do we apply network firewall type rules? The AWS Lambda function will be communicating with the production Amazon EC2 instances on the SSH port 22. Let's apply the least privilege principle here and ensure that only the AWS Lambda function is able to connect on port 22. We do this by creating security groups for both the production instances and the AWS Lambda function (which must be configured to run inside the VPC in order to carry one): the production group allows inbound TCP 22 only from the Lambda function's security group, referenced by group ID rather than by a CIDR range, so no other host in the VPC or on the Internet can reach that port.
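The two controls just described, the least-privilege IAM policy on the Lambda function's execution role (retrieve from Amazon S3, decrypt with AWS KMS) and the security-group pair that confines port 22, fit together as one AWS CloudFormation template. This is an added example and not a listing or figure from the study guide; the logical resource names, the bucket, object path and KMS key ARN parameters, and the inline handler code are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example: least-privilege wiring for the serverless SSH-key design.
  All names and identifiers below are illustrative assumptions.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  KeyBucketName:
    Type: String                      # bucket holding the KMS-encrypted key (assumed)
  KeyObjectPath:
    Type: String
    Default: keys/prod-ssh.pem.enc    # assumed object path
  KeyKmsKeyArn:
    Type: String                      # KMS key the object was encrypted with (assumed)

Resources:
  ProductionSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Production EC2 instances
      VpcId: !Ref VpcId
      # The single port-22 rule is declared below as its own resource so it can
      # reference the Lambda group without a circular dependency.

  LambdaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Lambda function that administers production over SSH
      VpcId: !Ref VpcId
      # No inbound rules: the function only initiates connections. Outbound is
      # left at the default because it must also reach S3 and KMS (through VPC
      # endpoints or a NAT gateway).

  ProductionSshFromLambdaOnly:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref ProductionSecurityGroup
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      # A security group as source, not a CIDR: only ENIs that carry
      # LambdaSecurityGroup can reach port 22 on production instances.
      SourceSecurityGroupId: !Ref LambdaSecurityGroup

  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        # ENI creation for VPC access plus CloudWatch Logs; nothing else.
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
      Policies:
        - PolicyName: ReadAndDecryptSshKey
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: ReadExactlyThisObject
                Effect: Allow
                Action: s3:GetObject
                Resource: !Sub arn:aws:s3:::${KeyBucketName}/${KeyObjectPath}
              - Sid: DecryptOnlyWithThisKey
                Effect: Allow
                Action: kms:Decrypt
                Resource: !Ref KeyKmsKeyArn
      # The key policy on KeyKmsKeyArn must also grant this role kms:Decrypt.

  SshAdminFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt LambdaExecutionRole.Arn
      VpcConfig:                            # running in the VPC is what lets the
        SubnetIds: !Ref PrivateSubnetIds    # function carry a security group
        SecurityGroupIds: [!Ref LambdaSecurityGroup]
      Environment:
        Variables:
          KEY_BUCKET: !Ref KeyBucketName
          KEY_OBJECT: !Ref KeyObjectPath
      Code:
        ZipFile: |
          import os, boto3
          def handler(event, context):
              # Fetch the KMS ciphertext from S3, then ask KMS for the plaintext PEM.
              blob = boto3.client("s3").get_object(
                  Bucket=os.environ["KEY_BUCKET"], Key=os.environ["KEY_OBJECT"]
              )["Body"].read()
              pem = boto3.client("kms").decrypt(CiphertextBlob=blob)["Plaintext"]
              # The SSH session to the production instance is opened with pem here.
              return {"key_bytes": len(pem)}
```

Two points to check after deploying a template like this: the production group must contain no other port-22 rule (a leftover 0.0.0.0/0 rule silently defeats the pairing), and the execution role's inline policy must name one object ARN and one key ARN, never a bucket-wide or key-wide wildcard. The Lambda group's outbound rules are deliberately not restricted in this example; tightening them means adding the S3 gateway endpoint prefix list and the KMS interface endpoint's security group as explicit egress targets.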
Many of the same services used in the three-tier architecture are used in the serverless design. Here are some of the unique services leveraged by this serverless architecture:
TABLE 1.2 Key Products: Serverless Design
Summary
Preparing for the certification exam requires comfort with a wide range of AWS services. One of the best ways to get comfortable is to use the AWS services themselves. Make sure that as part of your study, you take the time to create an account on AWS, log in to the AWS Management Console, launch the products, and get used to managing the various options. Practice builds the mental muscle memory that will give you confidence in your answers.
Now that you know what types of architectures you will be dealing with and which products deserve the majority of your focus, let’s start looking through the various service families covered throughout the AWS Certified SysOps Administrator – Associate exam.
Exam Essentials
Each chapter in this book ends with a list of important concepts to study. This list is not comprehensive, as the material is covered in the chapter itself, but the concepts are a good place to do a quick review of important testing areas. Every chapter ends with a useful tip from AWS trainers who specialize in helping people pass their certification exams. Look to these tips for good test-taking strategies that complement your core AWS knowledge.
Understand how AWS Regions and Availability Zones work to provide geographic distribution of services. Know how to deploy your environment across multiple Availability Zones and how to use Amazon CloudFront to take advantage of AWS edge locations.
Understand the shared responsibility model and that it is foundational to understanding how to secure your environment in AWS. Know which parts of any given service are managed by AWS and which parts you are responsible for securing.
Understand how the IAM engine separates the authentication layer from the authorization process. Be familiar with the way that credentials are presented to AWS when an API is called.
Test Taking Tips
Time management is key for this exam. You only have 80 minutes – don’t waste them all on a question that has you stumped. Mark it for later review and move on. You will often be surprised that, when you come back to it later, the answer will be clear.
There is no penalty for wrong guesses. Make sure that you enter an answer for every question, even if you have no idea what the right answer might be. You won’t pass the exam if you guess every question, but it never hurts to try on the few that you might not know.
The AWS Certified SysOps Administrator – Associate exam is not designed to give you trick questions. If one answer seems obviously right, but another answer might be correct under special circumstances, go with the obvious answer. Dr. Theodore Woodward’s aphorism for his University of Maryland medical interns applies here: “If you hear hoof beats, think of horses not zebras.”
Multiple-response questions (those marked "Choose two" or "Choose three") require every selected answer to be correct; there is no partial credit for getting a portion correct. Pay extra attention to those questions when doing your review.
Plan on leaving time at the end of the exam for review. Even if you think you know an answer, you can mark it and return to it when you are done with the exam. Go through each one of those marked questions to make sure that you are still confident with those answers. Just be careful not to overthink your answer (remember “horses not zebras”).
Many questions have answer sets that are combinations of two pairs of answers; decide which half of each pair is right and you eliminate two options at once.

In AWS, everything is an API. In the next chapter, you will learn how to work with APIs and SDKs. So let's start our engines and get on with the nitty-gritty of working with AWS services!
Review Questions
1. Which AWS Cloud service allows you to gain system-wide visibility into resource utilization, application performance, and operational health?
A. Amazon CloudWatch
B. AWS OpsWorks
C. AWS Identity and Access Management (IAM)
D. AWS CloudTrail
2. Which AWS Cloud service enables you to capture information about the IP traffic going to and from network interfaces in your VPC?
A. Amazon CloudWatch
B. AWS OpsWorks
C. AWS CloudFormation
D. Amazon VPC Flow Logs
3. Which AWS Cloud service enables governance, compliance, operational auditing, and risk auditing of your AWS account?
A. Amazon CloudWatch
B. AWS CloudTrail
C. Amazon Simple Storage Service (Amazon S3) Access Logs
D. Amazon Elastic Compute Cloud (Amazon EC2) Security Groups
4. What is the term used for an environment that extends an existing on-premises infrastructure into the cloud to connect cloud resources to internal systems?
A. Scatter architecture
B. Multi-location architecture
C. Hybrid cloud architecture
D. There isn’t a term for this type of architecture.
5. Which of the following services acts as a virtual firewall that controls the traffic for one or more instances?
A. Network Access Control Lists (network ACLs)
B. Security Groups
C. Availability Zones
D. Amazon Virtual Private Cloud (Amazon VPC)
6. A three-tier architecture is composed of which of the following layers? (Choose three.)
A. Database layer
B. Front-end web server layer
C. Security layer
D. Application layer
7. Each AWS Region is composed of two or more locations that provide you with the ability to introduce high availability, fault tolerance, and/or scale to your applications. What are these locations called?
A. Data centers
B. Edge locations
C. Compute centers
D. Availability Zones
8. What AWS Cloud service is designed to give you an easy way to establish a trusted relationship between your Active Directory and AWS?
A. Amazon Elastic Compute Cloud (Amazon EC2)
B.