Following are some frequently asked questions in AWS Basics
AWS, an acronym for Amazon Web Services, is a cloud services platform provided by Amazon. AWS consists of more than 175 services, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) offerings.
The 175-plus services cover many categories - compute, storage, databases, security, networking, content delivery, data warehousing, integration technologies, data lakes, analytics, blockchain, machine learning, artificial intelligence, etc.
AWS uses an elastic model, i.e. you can scale up or scale down the usage of the services as needed, and offers a pay-as-you-go approach for pricing.
This is a frequently asked AWS interview question. By asking it, the interviewer wants to assess your familiarity with the AWS platform. There are more than 175 services provided by AWS, and it is not possible to remember each of them.
Best way to prepare for this question is to list the core categories - compute, storage, databases, security and identity management, networking & content delivery, and application integration; and then list the key services within these categories.
Compute - Hosting of virtual servers, Container management, Serverless computing
Amazon Elastic Compute Cloud (EC2)
Amazon Elastic Container Service (ECS)
Amazon Elastic Container Registry (ECR)
Amazon Elastic Kubernetes Service (EKS)
Storage - Object storage, file storage, block storage
Amazon Simple Storage Service (S3)
Amazon Elastic File System (EFS)
Amazon Elastic Block Store (EBS)
Security And Identity Management
AWS Identity And Access Management (IAM)
Networking and Content Delivery
Elastic Load Balancing
Amazon API Gateway
Amazon Route 53
Application Integration
Amazon Simple Notification Service (SNS)
Amazon Simple Queue Service (SQS)
An AWS Region is a geographical area where clusters of Amazon data centers are located. Regions are designed to be isolated from each other, for stability and fault tolerance. Data and resources are not replicated across Regions unless you explicitly configure a service to do so (for example, S3 Cross-Region Replication).
Regions are identified by region codes. Some examples are us-west-1 (US West - N. California), us-west-2 (US West - Oregon), eu-west-1 (Europe - Ireland), and eu-west-2 (Europe - London).
To create most Amazon resources or services, such as an instance of EC2, you have to specify the Region that you want to create the resource in.
An AWS Region contains multiple isolated locations called Availability Zones, each of which consists of one or more discrete data centers with independent power, cooling, and networking.
Availability Zones within a region are connected with high bandwidth, low latency networking. You can distribute and replicate resources and data across Availability Zones, so that if a resource fails in one Availability Zone then it can be served from another Availability Zone within the region.
Availability Zones are identified by the region code suffixed with a letter, for example us-west-1a or eu-west-1b. Note that the letter mapping is randomized per AWS account: us-west-1a in one account may be a different physical location than us-west-1a in another account. To refer to the same physical zone across accounts, use the AZ ID (for example, usw2-az1) instead of the letter.
Some resources and services provided by AWS can be used across all AWS Regions, i.e. they are global rather than region-specific. In the AWS console, the Region selector shows "Global" for these services instead of a Region name.
Examples of global services are IAM (including IAM server certificates) and CloudFront. Amazon S3 is often listed with them because bucket names are globally unique and the S3 console is not tied to a Region, but each bucket is created in a specific Region and its data is stored there.
The AWS platform provides the AWS Identity and Access Management (IAM) component, which enables you to securely control who can access your AWS resources and services, and what they can do with them.
Following are the key features provided by IAM
IAM Users - Create new users in IAM, provide individual security credentials (access keys, passwords, multi-factor authentication), provide and manage individual access to AWS resources and services.
IAM Roles - Create roles in IAM, attach permissions to them, and define a trust policy that specifies which entities (IAM users, AWS services, or federated identities) may assume them. A role issues temporary credentials instead of long-term keys.
Federated Users - Provide and manage access and permissions to AWS resources and services to enterprise users, without the need to create IAM users, by using solutions that support SAML and other federation APIs.
AWS compute refers to resources such as hosting of virtual servers, container management and serverless computing.
Following are the key compute components provided by AWS
Virtual machines - AWS provides the Amazon Elastic Compute Cloud (EC2) component, which offers hosting of virtual machines; with a choice of operating systems - Linux, Windows; and a choice of processors - Intel, AMD, AWS Graviton (Arm), and NVIDIA GPUs for accelerated workloads.
Containers - AWS provides Amazon Elastic Container Service (ECS), a fully managed container orchestration service, and Amazon Elastic Kubernetes Service (EKS), a fully managed Kubernetes service. AWS also provides Amazon Elastic Container Registry (ECR), a fully managed Docker container registry that developers can use to store, manage, and deploy container images.
Serverless - AWS provides AWS Lambda component that lets developers run code without provisioning or running servers. AWS provides AWS Fargate, a serverless compute engine for containers that works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS).
AWS provides three types of storage components - object storage, file storage, and block storage. It provides a range of services on top of these three storage components; to store, access, manage, and analyze data.
Object Storage - AWS provides Amazon Simple Storage Service (S3), an object storage service designed for scalability, availability, security, and performance.
File Storage - AWS provides three options for file storage. 1. Amazon Elastic File System (EFS), a scalable, fully managed, elastic NFS file system. 2. Amazon FSx for Windows File Server, a scalable, fully managed SMB file server built on Windows Server. 3. Amazon FSx for Lustre, a scalable, fully managed, high-performance file system based on Lustre.
Block storage - AWS provides Amazon Elastic Block Store (EBS), a high-performance, highly scalable block storage service.
AWS supports the following Database types
Relational - Amazon Aurora, Amazon RDS, Amazon Redshift
Key-value - Amazon DynamoDB
In-memory - Amazon ElastiCache for Memcached, Amazon ElastiCache for Redis
Document - Amazon DocumentDB
Graph - Amazon Neptune
Time series - Amazon Timestream
Ledger - Amazon QLDB
AWS provides the following Networking and Content Delivery services
Amazon Virtual private Cloud (VPC)
Elastic Load Balancing
AWS Global Accelerator
AWS Transit Gateway
Amazon Route 53
AWS Direct Connect
AWS Virtual Private Network (VPN)
Amazon CloudFront
AWS App Mesh
AWS Cloud Map
Amazon API Gateway
Following are some frequently asked questions in AWS Identity And Access Management (IAM)
AWS Identity and Access Management (IAM) is a web service provided by the AWS platform that provides access control capabilities (authentication and authorization) for AWS resources.
AWS Identity And Access Management (IAM) provides the following key capabilities.
1. Access control to AWS resources - IAM enables fine-grained access control to AWS resources and APIs. Access can be restricted with policy conditions such as time of day (aws:CurrentTime), originating IP address (aws:SourceIp), whether the request was made over SSL/TLS (aws:SecureTransport), or whether the caller authenticated with MFA (aws:MultiFactorAuthPresent).
2. Multi-factor authentication (MFA) - IAM provides the capability for MFA, which augments the basic authentication with MFA token/device based authentication.
3. Federated access - IAM provides the capability to grant access to AWS resources to a company's existing employees, using the company's existing identity system.
4. Analytics - IAM provides reporting capabilities to analyze the access provided across AWS resources and services.
IAM provides three kinds of identities - Users, User Groups, and Roles - to manage access to AWS resources.
IAM Users - Users are individual entities (can be real people or applications) in IAM, who can be provided with individual security credentials (access keys, passwords, multi-factor authentication), and individual access to AWS resources and services.
User Groups - User groups are collection of users. Permissions can be set on groups so that all users within a group have the same permissions.
IAM Roles - IAM roles are identities that are created and assigned specific permissions but have no long-term credentials of their own. A role is not tied to a single person or group; it can be assumed by any principal that the role's trust policy allows (an IAM user, an AWS service such as EC2 or Lambda, or a federated identity), and the principal receives temporary credentials for the session.
The root user is the identity (email address and password) used to create the AWS account. The root user has complete access to all AWS services and resources in the account and cannot be restricted by IAM permission policies. After creating the account, it is recommended to enable MFA on the root user, not create access keys for it, and create a separate administrator user (or role) for everyday administrative tasks instead of using the root user.
Following are some best practices to manage access to AWS resources.
Do not use the root account - Your root account has access to all your AWS resources and services, so do not share it or use it for day-to-day work. Protect it with MFA and delete any root access keys.
Use Groups - Instead of giving access to AWS resources and services for individual users - create groups, give needed access to the groups, and add users to the groups - so that all users within a group has the same access.
Enable Multi-factor Authentication (MFA) - Enable MFA for all users who sign in to the console, and at a minimum for the root user and privileged users such as administrators. MFA adds an extra layer of protection on top of user-id and password authentication.
Grant least privileges - Grant only the minimum required permissions for the user or group.
Policies are objects in AWS that are attached to an identity (user, group, or role) or to an AWS resource to define permissions. Most policies are stored in AWS as JSON documents. AWS supports six types of policies: identity-based policies, resource-based policies, permissions boundaries, Organizations service control policies (SCPs), access control lists (ACLs, which are not JSON), and session policies.
Following are some key elements in a policy JSON schema.
Version - Specifies the version of the policy language.
Statement - Main policy element that contains the following elements. You can have more than one statement in a policy.
Sid - Statement ID that differentiates between statements.
Effect - Indicates if the policy allows or denies access. Possible values are 'Allow' or 'Deny'.
Principal - The account, user, role, or service for whom access is allowed or denied. This element is used only in resource-based policies (including a role's trust policy); in an identity-based policy the principal is implicitly the identity the policy is attached to.
Action - Specifies the list of actions that the policy allows or denies, such as s3:GetObject. Wildcards are permitted (for example, s3:Get*).
Resource - Specifies the list of resources (ARNs) to which the statement applies. It is required in identity-based policies; in resource-based policies it is optional because the attached resource is implied.
Condition - Specifies the circumstances under which the statement applies, expressed as condition operators and keys (for example, Bool with aws:SecureTransport). A statement applies only when all of its conditions are met.
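The elements above combine under a fixed evaluation order: any applicable explicit Deny wins, otherwise at least one applicable Allow is needed, otherwise the request is implicitly denied. The Python below is an added example, not AWS code and not the real IAM engine (which also handles SCPs, permissions boundaries, resource-based policies and NotAction); it models that order for identity-based policies together with the condition keys mentioned earlier. The policy, bucket name, account id and request contexts are constructed for the example. It also demonstrates a trap hidden in the Condition element: a condition on a key that is absent from the request evaluates to false, so a "deny unless MFA" statement written with Bool does not fire for requests signed with long-term access keys (which carry no aws:MultiFactorAuthPresent key at all); BoolIfExists is the operator that closes the gap.

```python
"""Minimal IAM-style policy evaluator (added example, not AWS's engine).
Models identity-based policies only: Action/Resource wildcards, explicit Deny
over Allow over implicit Deny, and the Bool, BoolIfExists, StringEquals and
IpAddress condition operators. Policy, ARNs, account id and contexts are constructed."""
import fnmatch
import ipaddress
import json


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _matches_any(patterns, value, case_insensitive=False):
    """IAM wildcards: '*' matches any run, '?' one character.
    Actions are case-insensitive, resource ARNs are case-sensitive."""
    if case_insensitive:
        value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower() if case_insensitive else p)
               for p in _as_list(patterns))


# Condition operators supported by this example (a small subset of IAM's).
_OPERATORS = {
    "Bool": lambda actual, exp: str(actual).lower() in {e.lower() for e in exp},
    "StringEquals": lambda actual, exp: str(actual) in exp,
    "IpAddress": lambda actual, exp: any(
        ipaddress.ip_address(actual) in ipaddress.ip_network(e, strict=False) for e in exp),
}


def _condition_true(operator, key, expected, context):
    """Evaluate one condition key against the request context.
    A key missing from the context makes the condition false, unless the ...IfExists
    form is used. That is why 'deny unless MFA' must use BoolIfExists: requests signed
    with long-term access keys carry no aws:MultiFactorAuthPresent key at all."""
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    if base not in _OPERATORS:
        raise ValueError(f"unsupported condition operator: {operator}")
    if key not in context:
        return if_exists
    return _OPERATORS[base](context[key], [str(v) for v in _as_list(expected)])


def _statement_matches(stmt, action, resource, context):
    """A statement applies when Action, Resource and every Condition match."""
    return (_matches_any(stmt.get("Action"), action, case_insensitive=True)
            and _matches_any(stmt.get("Resource"), resource)
            and all(_condition_true(op, key, exp, context)
                    for op, pairs in stmt.get("Condition", {}).items()
                    for key, exp in pairs.items()))


def evaluate(policies, action, resource, context):
    """Return 'Allow' or 'Deny': any matching explicit Deny wins, then any
    matching Allow, otherwise the request is implicitly denied."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_matches(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"


def request_context(source_ip, tls=True, mfa=None):
    """Request context as IAM derives it from a signed API call. mfa=None models
    long-term access keys, for which aws:MultiFactorAuthPresent is absent, not 'false'."""
    ctx = {"aws:SourceIp": source_ip, "aws:SecureTransport": "true" if tls else "false"}
    if mfa is not None:
        ctx["aws:MultiFactorAuthPresent"] = "true" if mfa else "false"
    return ctx


def with_plain_bool(policy):
    """Same policy with BoolIfExists downgraded to Bool, to show the missing-key gotcha."""
    return json.loads(json.dumps(policy).replace('"BoolIfExists"', '"Bool"'))


# Constructed identity-based policy for an operations user.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReportsFromCorpNetworkOverTls", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                       "Bool": {"aws:SecureTransport": "true"}}},
        {"Sid": "AllowIamAdministration", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Sid": "DenyIamChangesWithoutMfa", "Effect": "Deny", "Action": "iam:*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    user = "arn:aws:iam::123456789012:user/alice"
    print(evaluate([POLICY], "s3:GetObject", obj, request_context("203.0.113.10")))            # Allow
    print(evaluate([POLICY], "s3:GetObject", obj, request_context("203.0.113.10", tls=False)))  # Deny
    print(evaluate([POLICY], "iam:CreateUser", user, request_context("203.0.113.10")))          # Deny
    print(evaluate([with_plain_bool(POLICY)], "iam:CreateUser", user, request_context("203.0.113.10")))  # Allow
```

The last line is the point of the example: with Bool instead of BoolIfExists, an access-key request with no MFA key in its context sails past the Deny and the Allow for iam:* takes effect. To test a real policy rather than this toy, use IAM's own simulator (`aws iam simulate-custom-policy`), which evaluates the full policy language.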
Following are some frequently asked questions in Amazon Elastic Cloud Compute (EC2)
Amazon Elastic Compute Cloud (EC2) is a service provided in the AWS cloud platform that provides secure and resizable compute capacity.
Amazon EC2 provides options for processor, storage, networking, and operating system that you can choose based on your needs to create your own virtual computing environments (Amazon EC2 instances), which you can scale up or down as needed.
Amazon EC2 provides various APIs, interfaces, and management tools to create and manage EC2 instances.
An Amazon Machine Image (AMI) is a configuration template that provides the information required to launch an Amazon EC2 instance (root volume contents, launch permissions, and block device mapping). You can use an AMI provided by AWS, or customize an existing AMI and create your own.
There are three ways to access Amazon EC2
Amazon EC2 console - A web-based user interface.
AWS Command Line Interface (CLI) - A command line interface that provides commands to support AWS resources including Amazon EC2.
AWS Tools for Windows PowerShell - A Windows PowerShell interface that provides commands to support AWS resources including Amazon EC2.
There are four different pricing models for using the Amazon EC2 instances.
On-Demand Instances - No long term commitments, you pay for the instances you use by the second.
Savings Plans - You commit to consistent amount of usage, for a term of 1 or 3 years
Reserved Instances - You commit to a specific configuration, instance type and region - for a term of 1 or 3 years
Spot Instances - Use spare EC2 capacity at a steep discount compared to On-Demand prices; in return, AWS can reclaim the instance with a two-minute interruption notice, so Spot suits fault-tolerant workloads.
You can use Amazon EC2 Auto Scaling to auto scale your EC2 instances. Amazon EC2 Auto Scaling provides three features for auto scaling - Fleet management, Dynamic scaling, and Predictive scaling.
Following are some frequently asked questions in Elastic Load balancer
Elastic Load Balancing, provided as part of the AWS platform, automatically distributes incoming traffic across multiple targets - like Amazon EC2 instances, containers, IP addresses, and Lambda functions - either in a single Availability Zone or in multiple Availability Zones.
Elastic Load Balancing provides the following key features and benefits.
1. High Availability - Elastic Load Balancing improves availability by automatically distributing load across targets, and across Availability Zones when the load balancer is configured with subnets in more than one zone.
2. Health checks - Elastic Load Balancing detects unhealthy targets, stops sending traffic to them, and distributes the load among the remaining healthy targets.
3. Security - Load balancers can be associated with security groups created and managed in a Virtual Private Cloud (VPC). This lets you restrict which sources can reach the load balancer and, in turn, restrict the targets to accepting traffic only from the load balancer's security group rather than from the internet.
4. Layer 4 or Layer 7 load balancing - Elastic Load Balancing can load balance HTTP/HTTPS requests (Layer 7) as well as TCP/UDP connections (Layer 4).
5. Monitoring - Elastic Load Balancing integrates with Amazon CloudWatch to monitor the performance of applications and to gather operational metrics; access logs can also be delivered to S3.
6. TLS Termination - Elastic Load Balancing can decrypt SSL/TLS on the load balancer, so you can offload this CPU-intensive task from your applications. The certificate's private key is held in AWS Certificate Manager (ACM) or IAM, not on the instances.
There are four different kinds of Elastic Load Balancers.
1. Application Load Balancer (ALB) - Load balances HTTP/HTTPS traffic at the request level (Layer 7), across applications including microservices and containers, within an Amazon Virtual Private Cloud (VPC). It can route by host, path, and headers, and can be fronted by AWS WAF.
2. Network Load Balancer (NLB) - Load balances TCP/UDP/TLS traffic at the connection level (Layer 4), across targets within an Amazon VPC, and can preserve the client's source IP address.
3. Gateway Load Balancer (GWLB) - Operates at Layer 3 and passes traffic through fleets of third-party virtual appliances such as firewalls and intrusion detection systems, using the GENEVE protocol.
4. Classic Load Balancer (CLB) - The previous-generation load balancer, which handles both HTTP/HTTPS and TCP/SSL/TLS traffic at the request and connection level. It was the only option for applications built on the EC2-Classic network, which has since been retired.
If you have to load balance HTTP/HTTPS requests, use an Application Load Balancer. If you have to load balance TCP/UDP traffic for low-latency, extremely high-performance applications, use a Network Load Balancer. To insert inline security appliances, use a Gateway Load Balancer. The Classic Load Balancer is intended only for existing applications that still depend on it.
Following are some frequently asked questions in Amazon Simple Storage Service (S3)
Amazon Simple Storage Service (S3) is an object storage service provided by the AWS platform with built-in capabilities for scalability, availability, security, and performance.
Amazon S3 stores data as objects within buckets. An object consists of a file containing the data and optionally metadata regarding the file. The object can be any kind of file - text, photo, video, etc. You can have multiple buckets, and each bucket can have multiple objects.
You can provide access control to the bucket - specify who can create, view, and delete objects in the bucket; and view access logs for the bucket and its objects.
There are various ways to manage access to Amazon S3 buckets. By default a bucket and its objects are private; only the bucket owner can access them until a policy, access point, or ACL grants access.
IAM - Manage access to S3 resources via AWS Identity And Access Management (IAM) Users, Groups, and Roles.
ACL - Manage access to buckets and individual objects via Access Control Lists (ACLs). ACLs are a legacy mechanism; since April 2023 new buckets have ACLs disabled by default (Object Ownership set to bucket owner enforced), and AWS recommends using policies instead.
S3 Access Points - Manage access to S3 data sets via S3 Access Points specific to each application.
S3 Bucket Policies - Manage access to S3 resources by configuring access policies and permissions at the bucket level, which apply to all objects within that bucket.
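A reviewer looking at a bucket policy wants two quick answers: which statements grant access to everyone, and does the policy refuse plaintext HTTP. The Python below is an added example, not an AWS tool; the bucket name, Sids, role ARN and policy document are constructed. It checks both questions against the bucket-policy format described above and appends the standard TLS-only Deny when it is missing.

```python
"""Bucket-policy audit helper (added example, not an AWS tool). Finds statements
that grant access to everyone and checks for the standard 'deny non-TLS' guard.
Bucket name, Sids, role ARN and policy are constructed for the example."""
import copy
import json


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def is_everyone(principal):
    """True for the anonymous principal: "*" or {"AWS": "*"} (possibly among others)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def find_public_grants(policy):
    """Return (Sid, kind) for each Allow statement whose Principal is everyone.
    kind is "public" for an unconditional grant, or "public-with-condition" when a
    Condition narrows it (e.g. to a VPC endpoint); the latter still deserves review
    because a wrong condition key makes the bucket world-readable."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or not is_everyone(stmt.get("Principal")):
            continue
        kind = "public-with-condition" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", "<no Sid>"), kind))
    return findings


def tls_only_statement(bucket):
    """Deny every S3 action on the bucket and its objects unless the request used TLS."""
    return {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def enforces_tls(policy, bucket):
    """True if the policy contains a Deny equivalent to tls_only_statement(bucket).
    The check is deliberately strict: the Deny must apply to everyone, to s3:*, and
    to both the bucket ARN and the object ARN, otherwise a listing or a single
    object could still be fetched over plain HTTP."""
    required = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny" or not is_everyone(stmt.get("Principal")):
            continue
        if "s3:*" not in _as_list(stmt.get("Action")):
            continue
        if not required <= set(_as_list(stmt.get("Resource"))):
            continue
        secure = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if str(secure).lower() == "false":
            return True
    return False


def add_tls_guard(policy, bucket):
    """Return the policy unchanged if it already enforces TLS, else a copy with the guard appended."""
    if enforces_tls(policy, bucket):
        return policy
    hardened = copy.deepcopy(policy)
    hardened["Statement"] = _as_list(hardened["Statement"]) + [tls_only_statement(bucket)]
    return hardened


# Constructed example: a classic misconfiguration (world-readable objects) next to
# a legitimate cross-account role grant, with no transport guard.
BUCKET = "example-reports-bucket"
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "AnalyticsRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
    ],
}

if __name__ == "__main__":
    print("public grants:", find_public_grants(BUCKET_POLICY))
    print("enforces TLS before:", enforces_tls(BUCKET_POLICY, BUCKET))
    hardened = add_tls_guard(BUCKET_POLICY, BUCKET)
    print("enforces TLS after:", enforces_tls(hardened, BUCKET))
    print(json.dumps(hardened, indent=2))
```

A public grant found this way only takes effect if S3 Block Public Access is off for the bucket and the account; `aws s3api get-public-access-block --bucket <name>` shows those settings, and turning them on is usually the cheaper fix than editing the policy. Note that the Deny the helper appends guards transport only; it does not make the PublicRead statement any less public.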
Amazon S3 Replication enables the replication of S3 objects by automatic, asynchronous copying of objects across Amazon S3 buckets. Data can be copied across different AWS accounts, as well as across different AWS Regions.
Amazon S3 Glacier is Amazon's data backup and archival storage, offered as S3 storage classes (S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, and S3 Glacier Deep Archive) that cost far less than the standard S3 storage class in exchange for retrieval times ranging from milliseconds to hours.
You can store data directly in an S3 Glacier storage class on an ad-hoc basis depending on your application and functional rules. You can also use S3 Lifecycle rules to automatically transition objects from standard storage to a Glacier storage class based on the age of the objects.
Following are some frequently asked questions in Amazon Elastic Block Storage (EBS)
Amazon Elastic Block Store (EBS) provides block-level storage volumes for use with Amazon Elastic Compute Cloud (EC2) instances.
Once an Amazon EBS volume is attached to an EC2 instance and a file system is created on it, you can use it for a wide variety of purposes - file systems, relational databases, non-relational databases, containerized applications, big data analytics, etc. EBS volumes can be encrypted at rest with AWS KMS keys, and encryption can be enabled by default for all new volumes in a Region.
Amazon Elastic Block Store (EBS) provides multiple volume types that you can choose based on your storage, performance and cost needs.
The volume types fall into two broad categories
1. SSD-backed storage - suitable for transactional, latency-sensitive workloads with high IOPS requirements
2. HDD-backed storage - suitable for throughput-intensive workloads such as big-data analysis