Interview TIPS

1) Can an AMI be copied to a different region?

Yes, an AMI can be copied to a different region, but the copy will get a different AMI ID.


2) Is it possible to limit a user to region-wise resources? Eg: user name "martin" should have access only to an EC2 instance in Mumbai, not to any other resources.

Yes, it is possible. We need to use the "Condition" clause in the Policy Generator.


3) What are managed and inline policies in IAM?

Managed policy - a policy which is reusable, i.e. once created it can be assigned to multiple users.

Inline policy - a policy which is specific to only one user and can't be assigned to multiple users. It is created by selecting the particular user or group and then choosing the "Add inline policy" option.


4) What is an ARN and what is the format of an ARN?

Amazon Resource Names (ARNs) uniquely identify AWS resources.

Format : 

arn:partition:service:region:account-id:resource
arn:partition:service:region:account-id:resourcetype/resource
arn:partition:service:region:account-id:resourcetype:resource

Eg: arn:aws:s3:::my_corporate_bucket/exampleobject.png

5) Why are the fourth and fifth fields empty in the S3 ARN format?

Because those fields are the region and the 12-digit account ID. An S3 bucket name is unique irrespective of region and account, so the bucket name alone is enough to identify it.
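An added example (not from the original post) that parses the three ARN layouts above and shows why the S3 ARN works with empty region and account fields; the EC2 and IAM ARNs in the comments are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Arn:
    partition: str
    service: str
    region: str        # empty for global services such as IAM and S3
    account_id: str    # empty for S3, whose bucket names are globally unique
    resource_type: Optional[str]
    resource: str


def parse_arn(arn: str) -> Arn:
    """Parse arn:partition:service:region:account-id:resource[type[/|:]resource].

    The first five fields never contain ':', so we split at most five times and
    treat everything after the fifth colon as the resource part, which may use
    either '/' or ':' between a resource type and the resource itself.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account_id, rest = parts
    if not partition or not service or not rest:
        raise ValueError(f"ARN is missing a required field: {arn!r}")
    # When an account id is present it must be the 12-digit AWS account number.
    if account_id and not (account_id.isdigit() and len(account_id) == 12):
        raise ValueError(f"account id must be 12 digits: {account_id!r}")
    resource_type: Optional[str] = None
    resource = rest
    if service != "s3":
        # Use whichever separator comes first, e.g. instance/i-0123 or
        # log-group:name (constructed examples).
        idx = min((rest.find(s) for s in "/:" if s in rest), default=-1)
        if idx >= 0:
            resource_type, resource = rest[:idx], rest[idx + 1:]
    # For S3 the resource is bucket[/key]; there is no resource type field.
    return Arn(partition, service, region, account_id, resource_type, resource)


def s3_bucket(arn: Arn) -> str:
    """Bucket name from an S3 ARN: the part before the first '/' if any."""
    if arn.service != "s3":
        raise ValueError("not an S3 ARN")
    return arn.resource.split("/", 1)[0]
```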

6) Can an IAM policy name be changed after creation?

No, an IAM policy name can't be changed after creation.

7) If there is a conflict in IAM policies, where one policy allows access to an AWS resource and another policy denies permission to that resource, what will happen?

If there is a conflict between an allow and a deny policy, AWS will simply deny the access: an explicit deny always overrides an allow.
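An added example (not from the original post) covering questions 2 and 7 together: a region-restricted policy using a Condition on the real `aws:RequestedRegion` key, plus a deliberately simplified model of IAM evaluation (default deny, explicit deny wins, only `StringEquals` and action matching are modelled; this is not AWS's implementation). The policies and the user "martin" are constructed sample data.

```python
import fnmatch

# Allow EC2 actions only when the request targets the Mumbai region.
MUMBAI_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:*"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": "ap-south-1"}},
    }],
}

# A second policy that explicitly denies one action everywhere.
DENY_TERMINATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["ec2:TerminateInstances"],
        "Resource": "*",
    }],
}


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and may use '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_holds(condition: dict, context: dict) -> bool:
    # Simplified: only the StringEquals operator; a missing context key fails.
    return all(context.get(k) == v
               for k, v in condition.get("StringEquals", {}).items())


def evaluate(policies, action: str, context: dict) -> str:
    """Return 'Allow' or 'Deny' for one request (resource matching omitted)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
            if not any(_action_matches(p, action) for p in acts):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"      # an explicit deny ends evaluation at once
            allowed = True
    return "Allow" if allowed else "Deny"   # nothing matched: implicit deny
```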

8) Can a subnet be associated with multiple NACLs?

No. A subnet can be associated with only one network ACL at a time; however, you can associate a network ACL with multiple subnets. When you associate a network ACL with a subnet, the previous association is removed.

9) What is user data?

When you launch an instance in Amazon EC2, you have the option of passing user data to the instance that can be used to perform common automated configuration tasks and even run scripts after the instance starts. You can pass two types of user data to Amazon EC2: shell scripts and cloud-init directives.

User data is limited to 16 KB. User data is executed only at launch. If you stop an instance, modify the user data, and start the instance, the new user data is not executed automatically.
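An added example (not from the original post) that prepares user data for launch: it classifies the script as one of the two kinds mentioned above, enforces the 16 KB limit on the raw bytes, and base64-encodes it as the EC2 RunInstances API expects. The sample script is constructed.

```python
import base64

USER_DATA_LIMIT = 16 * 1024   # the 16 KB limit applies to the raw data, before base64

# Constructed sample: a shell-script user data that installs a web server at launch.
SAMPLE_USER_DATA = """#!/bin/bash
yum update -y
yum install -y httpd
systemctl enable --now httpd
"""


def user_data_kind(text: str) -> str:
    """Classify user data by its first line: shell script, cloud-init, or unknown."""
    first = text.lstrip().splitlines()[0] if text.strip() else ""
    if first.startswith("#!"):
        return "shell-script"
    if first.startswith("#cloud-config"):
        return "cloud-init"
    return "unknown"


def encode_user_data(text: str) -> str:
    """Return the base64 form of `text`, rejecting data over the 16 KB limit."""
    raw = text.encode("utf-8")
    if len(raw) > USER_DATA_LIMIT:
        raise ValueError(f"user data is {len(raw)} bytes; limit is {USER_DATA_LIMIT}")
    return base64.b64encode(raw).decode("ascii")
```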

10) What is horizontal and vertical scaling?

Horizontal scaling means that you scale by adding more machines to your pool of resources, whereas vertical scaling means that you scale by adding more power (CPU, RAM) to an existing machine.

11) Does AWS have an option for vertical auto scaling of EC2 instances?

No, this is not natively available within EC2 Auto Scaling groups.

12) Architectural practice - designing a three-tier structure

1) While designing the architecture, HA (high availability) is the main thing to be considered.
2) Route 53, ELB and S3 are managed by AWS and are HA in nature.
3) Three-tier architecture in the example: web tier, app tier and DB tier.
4) To design the above components for HA, below are the AWS services and practices to be used.
5) Always consider using multi-AZ.
6) Consider using Auto Scaling for EC2 instances.
7) If you want to replicate the complete region.
8) A NAT gateway is available only in one region.

13) What are the states of a CloudWatch alarm?

a) OK - The metric is within the defined threshold.
b) ALARM - The metric is outside of the defined threshold.
c) INSUFFICIENT_DATA - The alarm has just started, the metric is not available, or not enough data is available for the metric to determine the alarm state.
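An added example (not from the original post) that decides between the three states for a window of datapoints, in the way a GreaterThanThreshold alarm with a "datapoints to alarm" setting behaves. It is a simplified model, not CloudWatch's code: `None` stands for a period with no data, and the real service's missing-data treatment options are not modelled.

```python
from typing import Optional, Sequence

OK, ALARM, INSUFFICIENT_DATA = "OK", "ALARM", "INSUFFICIENT_DATA"


def alarm_state(datapoints: Sequence[Optional[float]], threshold: float,
                evaluation_periods: int,
                datapoints_to_alarm: Optional[int] = None) -> str:
    """State for the most recent `evaluation_periods` datapoints.

    Comparison is GreaterThanThreshold. `datapoints_to_alarm` (M) defaults to
    `evaluation_periods` (N), i.e. every period must breach; with M < N the
    alarm fires when any M of the last N periods breach.
    """
    if evaluation_periods < 1:
        raise ValueError("evaluation_periods must be at least 1")
    m = evaluation_periods if datapoints_to_alarm is None else datapoints_to_alarm
    if not 1 <= m <= evaluation_periods:
        raise ValueError("datapoints_to_alarm must be between 1 and evaluation_periods")
    # Take the last N periods, padding with "no data" if history is shorter.
    window = list(datapoints[-evaluation_periods:])
    window = [None] * (evaluation_periods - len(window)) + window
    present = [d for d in window if d is not None]
    if not present:
        # Alarm just created or metric not reporting at all.
        return INSUFFICIENT_DATA
    breaching = sum(1 for d in present if d > threshold)
    return ALARM if breaching >= m else OK
```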

14) What is the difference between a security group and iptables?

Security groups add no load to your server: they are processed externally and block traffic to and from your server, independent of the server itself. This provides an excellent first line of defense that is much more resilient than one residing on your server.

However, security groups are not state-sensitive; you cannot have them respond automatically to an attack, for instance. iptables is well suited to more dynamic rules, either adapting to certain scenarios or providing finer-grained conditional control.

Ideally you should use both to complement each other: block as many ports as possible with your security group, and use iptables to police the remaining ports and protect against attacks.

One thing is for sure: if you use security groups, the filtered traffic never reaches your server, so it reduces the load the server needs to take on to process firewall rules. This is important when talking about DDoS.

Security groups seem to have just simple filtering rules, while with iptables you can do really fancy things. But do you need them? Personally I would filter as much as possible with security groups and then add the next stage in iptables if you need something more sophisticated than security groups allow. Nothing prevents you from also setting the same filters on both; you would then be doubly protected ;-)

15) Can we subscribe an SQS queue to an SNS topic in a different region?

Yes, you can subscribe an SQS queue in one region to an SNS topic in another region.

16) How do you change a user's security access key?

IAM -> select the user name -> select the "Security credentials" tab. Here you can see the access keys and can modify them or add a new access key.

17) What type of scaling does Auto Scaling provide?

The AWS Auto Scaling service provides horizontal scaling.

18) Which service provides vertical scaling?

Amazon RDS alone provides vertical scaling.
