Exam Cram: AWS Cloud (IAM, EC2, VPC, S3, ELB/Auto Scaling, Organizations, VPC, DNS, Databases, Serverless, Migration, Monitoring, Security)

Description and Tags

A comprehensive set of Q/A flashcards covering IAM, EC2 basics, and other core AWS services as presented in the lecture notes.


34 Terms

1

What is AWS Identity and Access Management (IAM) used for?

To securely control individual and group access to AWS resources, and to manage users, groups, access policies, roles, credentials, MFA, and API keys.

2

By default, what access do new IAM users have to AWS services?

New IAM users have NO access to any AWS services until explicit permissions are granted.

3

Is IAM global or region-specific?

IAM is a global service: it is not tied to a specific region, so it is not configured per region.

4

What is an IAM user?

An entity that represents a person or service and is granted access to an AWS account; you can have up to 5000 users per AWS account.

5

What is a root user in AWS IAM terms, and what are its permissions?

The root user is the account owner’s identity (email) with full administrative permissions that cannot be restricted.

6

What is an IAM group used for?

A collection of IAM users; policies attached to the group grant permissions to all of its members collectively. Groups cannot be principals in policies.

7

What principle should guide IAM permissions?

Least privilege: assign the minimum permissions necessary; groups help implement this.

8

Can IAM groups be nested inside other groups?

No, you cannot nest groups (no groups within groups).

9

What is an IAM role?

A set of permissions that can be assumed by trusted entities to access resources; provides temporary security credentials via STS.

10

What are IAM policies and how do they work?

Documents that define permissions; written in JSON; by default permissions are denied; the most restrictive policy applies.

11

What are the main types of IAM policies?

Identity-based policies (attached to users, groups, or roles) and resource-based policies (attached to resources); also policy boundaries, AWS Organizations SCPs, and session policies.

12

What IAM policy evaluation principle is noted in the notes?

All permissions are implicitly denied by default; the most restrictive policy takes effect.

13

What are best practices for IAM you should follow?

Lock away root access keys; create individual IAM users; use groups; grant least privilege; start with AWS managed policies; prefer customer-managed policies; use policy conditions; enable MFA; use roles for applications.

14

What is the difference between an IAM user and a service account?

An IAM user represents a person or service; service accounts are IAM users created to represent applications.

15

What is AWS Organizations and what does it manage?

A service to consolidate multiple AWS accounts into an organization for centralized management, including consolidated billing and organizational units with policies.

16

What are Service Control Policies (SCPs) in AWS Organizations?

Policies that manage the maximum permissions available in accounts or OUs; affect IAM users and roles in member accounts but not resource policies.

17

What is AWS Nitro System in relation to EC2?

The Nitro System is the foundation of modern EC2 instances: it offloads functions onto specialized hardware, using the Nitro Hypervisor together with components such as Nitro Cards and Nitro Enclaves, for performance and security.

18

What are the EC2 placement group types and their purposes?

Cluster: packs instances in an AZ for low-latency networking; Partition: spreads instances across partitions to avoid sharing hardware; Spread: places a small group across distinct hardware to reduce correlated failures.

19

What is a NAT Instance vs NAT Gateway?

A NAT instance is managed by you (it requires a security group and ongoing maintenance); a NAT gateway is AWS-managed, highly available within an AZ, and scales automatically.

20

What happens to an EC2 instance when it is stopped versus when it is terminated?

Stopping (EBS-backed instances): no charge for the stopped instance, RAM contents are lost, Elastic IPs are retained. Terminating: the instance is deleted and, by default, its EBS root volume may be deleted as well.

21

What is the AWS Nitro Enclaves feature?

Isolated compute environments that run with cryptographic attestation to protect highly sensitive data, with no persistent storage or external networking.

22

What are EC2 pricing options mentioned in the notes?

On-Demand, Reserved Instances, Spot Instances, Dedicated Instances, Dedicated Hosts, and Savings Plans.

23

What is the difference between EBS and instance store in EC2?

EBS volumes are persistent and can be detached/attached; instance store is ephemeral and data is lost when the instance stops; root EBS volumes are deleted on termination by default.

24

What is AMI and what does it include?

An Amazon Machine Image provides the information needed to launch an instance, including a root volume template, launch permissions, and block device mappings; AMIs are regional and can be copied to other regions.

25

What is instance metadata and user data?

Instance metadata is data about the running instance; user data is a script or data supplied at launch to configure the instance. Both are accessible from the instance via special URLs.

26

What is an Elastic IP (EIP)?

A static public IP address that can be associated with an instance and moved between instances; it provides a stable address across reboots.

27

What are EC2 placement basics you should know?

Public/private IPs, Elastic IPs, instance metadata, user data, and region/AZ mapping for instances.

28

What is an EC2 key pair used for?

A cryptographic key pair used to securely connect to EC2 instances.

29

What is the difference between Public IP and Elastic IP in EC2 terms?

A public IP is assigned by default and released when the instance is stopped; an Elastic IP is a persistent public IP that can be reassigned to another instance.

30

What is the NAT Gateway and what is its benefit?

An AWS-managed NAT service that lets instances in private subnets reach the Internet; it is highly available and scales automatically.

31

What are EC2 instance metadata and user data URLs?

Metadata: http://169.254.169.254/latest/meta-data/; User data: http://169.254.169.254/latest/user-data.

32

What are the benefits of the Nitro System in the evolution of EC2?

Near bare-metal performance, higher network throughput, HPC optimizations, and improved security via hardware-assisted virtualization.

33

What is Amazon EBS and what is its key feature?

Elastic Block Store provides persistent block storage for EC2; volumes can be attached and detached, and they persist beyond the lifetime of an instance.

34

What is EFS and how does it differ from EBS?

Elastic File System: a fully managed, NFS-based file system that many instances across AZs can mount at the same time. EBS, by contrast, is a per-volume block device bound to a single AZ.