[AWS CCP] Dump Summary -2
Certifications/AWS CCP 2026. 3. 27. 00:19
This post was written with reference to the posts at https://hyunhp.tistory.com/.
21. A company plans to migrate to AWS and wants to create cost estimates for its AWS use cases.
Which AWS service or tool can the company use to meet these requirements?
=> AWS Pricing Calculator (a service for estimating costs before using AWS)
A web tool that calculates AWS usage costs in advance (it calculates the estimated monthly cost)
A web-based tool that allows users to estimate the cost of using AWS services. It helps in understanding and estimating the costs associated with various AWS resources based on usage patterns, regions, and other parameters. Users can input their specific requirements to get an estimated monthly cost.
+ CloudWatch
A service that monitors the state of AWS resources in real time (real-time monitoring)
A monitoring and observability service for AWS resources.
+ AWS Cost Explorer
A tool for analyzing costs that have already been incurred (historical data analysis)
Shows things such as how much was spent last month as graphs
Keywords: historical usage, visualize spending
A tool within the AWS Management Console that provides visualization and analysis of AWS costs and usage. It allows users to view, understand, and analyze their historical AWS costs and usage data. While it provides insights into existing costs, it is not primarily a tool for creating initial cost estimates.
+ AWS Budgets
A service that lets you set a budget and alerts you when it is exceeded (cost control) (set budget) (alert) (threshold)
A service that allows users to set custom cost and usage budgets that alert them when they exceed their thresholds. It helps in managing costs by providing notifications based on cost and usage performance against defined budget targets. While it helps in budgeting and monitoring, it may not be the primary tool for creating detailed initial cost estimates.
=> CloudWatch = monitoring / Cost Explorer = analysis / Budgets = control
22. Which tool should a developer use to integrate AWS service features directly into an application?
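=> AWS Software Development Kits (SDKs)
A tool that lets you use AWS services from program code
Uses code (needed for app development) (available in Python, Java, JavaScript, etc.)
Provides APIs for a variety of programming languages
Can upload to S3 and launch EC2 from code
+ Ways to provision EC2 resources
What are the ways to lease an AZ within a Region?
1) AWS Management Console
Web interface (accessed through a website)
2) AWS Command Line Interface (CLI)
Uses an access key
Accessed from the command line (the black window)
Uses automation and scripting to reduce manual steps and errors > more efficient than the console, with fewer manual errors
3) AWS Software Development Kit (SDK)
Uses code (needed for app development)
Provides APIs for a variety of programming languages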
23. Which of the following is a recommended design principle of the AWS Well-Architected Framework?
=> Learn to improve from operational failures.
A failure is not the end; analyze it and improve the system (response + improvement)
It emphasizes the importance of learning from failures and continuously improving the architecture based on operational experiences. This involves implementing mechanisms for monitoring, logging, and analyzing failures to enhance system resilience.
24. Using AWS Identity and Access Management (IAM) to grant access only to the resources needed to perform a task is a concept known as:
=> least privilege access (principle of least privilege)
Grant only what is needed and block everything else
Least privilege access means granting users or entities the minimum level of permissions required to perform their tasks, reducing the risk of unintended or malicious actions.
In IAM, grant users, groups, and roles exactly the permissions they need
25. Which AWS service or tool can be used to set up a firewall to control traffic going into and coming out of an Amazon VPC subnet?
=> AWS Firewall Manager
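Manages security for multiple accounts/resources in one place
+ Security group
Instance (EC2) firewall
Applied to EC2; return traffic for allowed inbound traffic is allowed automatically (stateful)
+ Network ACL
Subnet firewall
Gate at the network entrance
Applied to the entire subnet
Rules are needed in both directions
SG = server protection 🖥️
NACL = network protection 🌐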
26. A company wants to operate a data warehouse to analyze data without managing the data warehouse infrastructure. Which AWS service will meet this requirement?
=> Amazon Redshift Serverless
Data warehouse service
A service that analyzes big data all at once
A fully managed, petabyte-scale data warehouse service in the cloud. It is specifically designed for analytics and data warehousing, offering fast query performance using SQL queries and integration with various business intelligence tools.
+ Amazon Aurora
An AWS-only DB with better performance than RDS
+ AWS Lambda
A service that runs just your code without servers (serverless)
+ Amazon RDS
A relational DB managed by AWS
Supports MySQL, PostgreSQL, Oracle, etc.
Automatic patching, automatic backups
27. How does AWS Cloud computing help businesses reduce costs? (Choose two.)
- A. AWS charges the same prices for services in every AWS Region.
- B. AWS enables capacity to be adjusted on demand.
- C. AWS offers discounts for Amazon EC2 instances that remain idle for more than 1 week.
- D. AWS does not charge for data sent from the AWS Cloud to the internet.
- E. AWS eliminates many of the costs of building and maintaining on-premises data centers.
=> B, E
A. AWS charges the same prices for services in every AWS Region
-> AWS pricing can vary by region based on factors such as infrastructure costs in different regions.
C. AWS offers discounts for Amazon EC2 instances that remain idle for more than 1 week
-> Businesses are billed for the provisioned capacity, whether or not it is actively used.
D. AWS does not charge for data sent from the AWS Cloud to the internet
-> While AWS provides data transfer out allowances, additional data transfer beyond these allowances is subject to charges.
28. A company wants to grant users in one AWS account access to resources in another AWS account. The users do not currently have permission to access the resources. Which AWS service will meet this requirement?
=> IAM role
Are used to delegate permissions to users, applications, or services. In the context of cross-account access, you can create an IAM role in the target account and define policies that grant access to the necessary resources. Users in the source account can assume the role to access resources in the target account. IAM roles are commonly used for cross-account access scenarios.
+ IAM group
A group that bundles multiple users so their permissions can be managed at once
Containers for IAM users. They are used to simplify the management of IAM policies by allowing you to attach policies to a group and automatically apply those policies to all users in the group. However, IAM groups are not directly used for cross-account access.
+ IAM tag
Labels attached to IAM resources
Are metadata that you can assign to IAM users, groups, roles, and policies. While tags are useful for organizing and managing resources, they are not the primary mechanism for granting cross-account access.
+ IAM Access Analyzer
A security review tool that analyzes who can access your resources
A tool that helps identify resources that are shared with an external entity or are publicly accessible. It is used for analyzing access across accounts, but not specifically for setting up cross-account access.
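+ IAM USER / Role / Policy (the structure of IAM)
1) IAM USER
An actual person or account
Can log in, unique account, developers and administrators
2) IAM ROLE
Borrowing permissions temporarily (no login account)
temporary credentials (temporary permissions)
e.g.) When EC2 needs to access S3, attach a ROLE to EC2 -> the permissions can be used automatically
3) IAM POLICY
Rules that define which actions are allowed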
29. Which task is the responsibility of AWS when using AWS services?
=> Maintenance of physical and environmental controls
+ Customer responsibility
Management of IAM user permissions
Creation of security group rules for outbound access
Application of Amazon EC2 operating system patches
30. A company wants to automate infrastructure deployment by using infrastructure as code (IaC). The company wants to scale production stacks so the stacks can be deployed in multiple AWS Regions.
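Which AWS service will meet these requirements?
=> AWS CloudFormation
A service that stores infrastructure as code (IaC) > can ensure consistent deployments across environments such as development, test, and production
For when you want to create the same infrastructure repeatedly (fully repeatable automation)
Automation, creating infrastructure from code, identical deployment to multiple Regions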
+ Amazon CloudWatch
A service that monitors the state of AWS resources in real time (real-time monitoring)
A monitoring and observability service for AWS resources.
+ AWS Config
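A service that tracks the change history of AWS resource configurations
Lets you trace things such as who changed this security group and when it was opened to the public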
A service that provides a detailed inventory of your AWS resources and their configurations, as well as configuration history. It helps you assess, audit, and evaluate the configurations of your AWS resources.
+ AWS Trusted Advisor
A service that helps you use AWS better
- cost optimization
- performance
- security
- fault tolerance
- service limits
A service that provides recommendations to help optimize your AWS infrastructure for cost efficiency, performance, security, and fault tolerance. It offers best practices guidance.
31. Which option is an AWS Cloud Adoption Framework (AWS CAF) platform perspective capability?
=> Data architecture
Platform perspective: how to actually build and design the cloud technology (infrastructure design, data structure, network, architecture design)
If "platform" appears: architecture, infrastructure, network, data design
A. Data architecture == Platform (technical design)
B. Data protection == Security (security)
C. Data governance == Governance (compliance management)
D. Data science == Business (business value)
32. A company is running a workload in the AWS Cloud.
Which AWS best practice ensures the MOST cost-effective architecture for the workload?
=> Rightsizing
Minimizing cost by using only as many resources as needed
Involves selecting the appropriate size and type of AWS resources to match the workload's actual needs. The focus is on optimizing costs by avoiding overprovisioning and ensuring resources are efficiently utilized. Regular reviews and adjustments contribute to ongoing cost-effectiveness.
33. A company is using a third-party service to back up 10 TB of data to a tape library. The on-premises backup server is running out of space. The company wants to use AWS services for the backups without changing its existing backup workflows. Which AWS service should the company use to meet these requirements?
=> AWS Storage Gateway
This is a hybrid cloud storage service that seamlessly integrates on-premises applications with cloud storage. It supports various storage protocols, including Amazon S3 and Amazon Glacier, and allows on-premises data to be backed up to AWS without changing existing workflows.
+ Amazon Elastic Block Store (Amazon EBS): This service provides block-level storage volumes primarily used with Amazon EC2 instances. It may not be the best fit for backup scenarios involving tape libraries.
+ Amazon Elastic Container Service (Amazon ECS): This service is for container orchestration and managing containerized applications. It is not directly related to backup scenarios or large-scale data storage.
+ AWS Lambda: This is a serverless compute service for running code in response to events.
34. Which AWS tool gives users the ability to plan their service usage, service costs, and instance reservations, and also allows them to set custom alerts when their costs or usage exceed established thresholds?
=> AWS Budgets
Enables users to plan service usage, set custom cost and usage budgets, and receive alerts when costs or usage exceed predefined thresholds.
+ Cost Explorer: Provides insights into AWS costs and usage, allowing users to analyze spending trends and breakdown costs by services, regions, and tags.
+ AWS Cost and Usage Report: Provides detailed data on AWS costs and usage, offering hourly or daily usage, costs, and resource-level details for in-depth analysis and auditing.
+ Reserved Instance Reporting: Provides insights into the utilization and coverage of Reserved Instances, helping users understand how effectively Reserved Instances are utilized.
35. Which tasks are the customer’s responsibility, according to the AWS shared responsibility model? (Choose two.)
- A. Establish the global infrastructure.
- B. Perform client-side data encryption. (data encryption)
- C. Configure IAM credentials. (user permission settings)
- D. Secure edge locations.
- E. Patch Amazon RDS DB instances. => Amazon RDS patching is managed by AWS (★)
E. Patch Amazon RDS DB instances: This is typically a task managed by AWS. AWS is responsible for applying updates and security patches to Amazon RDS DB instances to keep them up to date and secure. Customers are responsible for their data and configurations within the RDS instances.
+ Customer responsibility = data, permissions, configuration
+ EC2: the customer patches
+ RDS: AWS patches
36. A developer has been hired by a large company and needs AWS credentials.
Which are security best practices that should be followed? (Choose two.)
- A. Grant the developer access to only the AWS resources needed to perform the job.
- B. Share the AWS account root user credentials with the developer.
- C. Add the developer to the administrator’s group in AWS IAM.
- D. Configure a password policy that ensures the developer’s password cannot be changed.
- E. Ensure the account password policy requires a minimum length
37. A company has multiple AWS accounts that include compute workloads that cannot be interrupted. The company wants to obtain billing discounts that are based on the company’s use of AWS services.
Which AWS feature or purchasing option will meet these requirements?
=> Consolidated billing
+ Spot Instances
These are spare EC2 instances available at a lower cost. However, they can be interrupted by AWS if the capacity is needed elsewhere. This option may not be suitable for workloads that cannot be interrupted.
38. A user wants to allow applications running on an Amazon EC2 instance to make calls to other AWS services. The access granted must be secure. Which AWS service or feature should be used?
=> IAM roles
Are used to grant secure and temporary access to AWS services. In this scenario, where a user wants to allow applications running on an Amazon EC2 instance to make calls to other AWS services, IAM roles should be used. IAM roles provide a secure way to delegate permissions to entities like EC2 instances without the need for long-term credentials.
+ Security groups
+ AWS Firewall Manager
+ IAM user SSH keys
39. A company wants a fully managed Windows file server for its Windows-based applications.
Which AWS service will meet this requirement?
=> Amazon FSx
+ Amazon Elastic Kubernetes Service (Amazon EKS)
+ Amazon Elastic Container Service (Amazon ECS)
+ Amazon EMR
40. A company wants to migrate its NFS on-premises workload to AWS.
Which AWS Storage Gateway type should the company use to meet this requirement?
=> Amazon S3 File Gateway
Supports a file interface into Amazon S3 and allows storing and retrieving objects in Amazon S3 using industry-standard file protocols such as NFS. It is designed for scenarios where you want to integrate on-premises file-based applications with Amazon S3, making it suitable for migrating NFS workloads to AWS.
+ Tape Gateway: Is used for archiving data to Amazon S3 and Glacier. It is not designed for NFS workloads or migrating on-premises file-based workloads.
+ Volume Gateway: Is used for block storage volumes and might not be the most suitable option for NFS file workloads. It's more focused on block storage solutions.
+ Amazon FSx File Gateway: Provides a file interface to Amazon FSx file systems, which is compatible with Windows file servers. However, it may not be the optimal solution for migrating NFS workloads to AWS.