Monday, March 23, 2020

AWS Study Notes (6): Preparing for the AWS Certified Cloud Practitioner Exam

After finishing the three required online courses (Business Professional, Technical Professional, and Cloud Economics), you can start preparing for the foundational AWS certification, the Cloud Practitioner Exam.

The exam covers four domains:
  1. Cloud Concepts: 28%
  2. Security and Compliance: 24%
  3. Technology (core concepts): 36%
  4. Billing and Pricing: 12% (the trickiest questions)
Candidates should have six months or more of AWS experience (not mandatory; sufficient AWS knowledge and familiarity is enough to register). The Billing and Pricing questions are detail-oriented: you need to memorize the support plans and the different ways services are billed, together with their pros and cons.

There are 9 AWS certifications; see http://aws.amazom.com/certification

AWS Certified Cloud Practitioner Exam: the foundational AWS certification (CCP):
  • Exam fee USD 100 (per attempt)
  • All multiple-choice questions (single and multiple answer); available in English, Japanese, Korean and Simplified Chinese, English is recommended
  • 65 questions, 90 minutes
  • Can be taken online or at a testing center
  • Passing mark is 70% (at most 19 wrong answers)


I. Cloud Concepts:

Benefits of moving to the cloud:
  • No physical servers or cabling
  • No server room to build and maintain
  • No hardware procurement or replacement
What is cloud computing:

Cloud computing provides customers with compute, storage, database, application and other IT resources that can be selected online (on-demand delivery of compute, database storage, application, and other IT resources).

Cloud pricing follows the pay-as-you-go model: pay for what you use and when you use it, which is more flexible (pay when and what you consume).

Hypervisor (virtual machine monitor): the software, hardware or firmware used to create and run virtual machines.

Advantages of the cloud:
  • trade capital expense for variable expense
  • benefit from massive economies of scale
  • stop guessing capacity
  • increase speed and agility
  • go global in minutes
Characteristics of the cloud: flexibility, scalability, and affordability (good fit)

The three cloud computing models (will be on the exam):
  • IaaS: Infrastructure as a Service (most flexibility and the most control)
  • PaaS: Platform as a Service (second most flexible)
  • SaaS: Software as a Service (least flexible; users consume the application directly)
IaaS is the model closest to operating on-premises infrastructure. Google Drive (SaaS) gives free-tier users 15 GB of storage.

Well-Architected Framework: build the most secure, durable, and high-performing IT infrastructure. Its five pillars (will be on the exam) are:
  • avoids unnecessary cost (granular cost)
  • reliability
  • efficiency
  • security
  • operational excellence
What is AWS:
  • 2002: Amazon Web Services launched
  • Currently more than one million active customers
  • More than 10% of Amazon's revenue comes from AWS
AWS provides IT infrastructure services to businesses and organizations over the Internet on a pay-as-you-go pricing model, saving them time, money and manpower.

AWS services are divided into 23 service groups; the three most commonly used, almost unavoidable ones are Compute, Storage and Database:
  • Compute: provides virtual server hosting, container management, and serverless computing (e.g. EC2, the backbone service of AWS)
  • Storage: provides storage for both in-use files (e.g. EFS or S3) and archival files (e.g. Glacier)
  • Database: provides relational databases, NoSQL databases, and a petabyte-scale data warehouse service (e.g. Amazon Redshift)
AWS free account: http://aws.amazom.com/free. There are three main kinds of free offers:
  • Always free: remains valid after the free period expires, available to all customers
  • 12-month free: each service has its own quota (capacity, hours, etc.); usage beyond it is billed
  • Trial: some services offer a free trial
Note that a free account does not give unlimited use of all AWS resources; each offer has its own limits.

Hosting a WordPress blog on AWS with a free account: the architecture is EC2 + Route 53, with the WordPress AMI (WordPress Certified by Bitnami, a server template that includes WordPress) obtained from the AWS Marketplace.

AMI (Amazon Machine Image): pre-configured servers in the AWS Marketplace

Route 53: domain name registrar (used to map the internal AWS address to a logical address on the Internet; the domain can be purchased in Route 53 for about USD 12 per year)


II. Cloud Security:

Security is a vital part of AWS, and this domain is 24% of the CCP exam. The key topic is the AWS shared responsibility model. Patching is a responsibility shared between the customer and AWS: AWS is responsible for the underlying equipment (OF the cloud), while the customer is responsible for OS updates inside EC2 (IN the cloud).

Shared responsibility model: the security of cloud computing infrastructures and data is a shared responsibility between the customer and AWS.

AWS is responsible for the security OF the cloud (the protection of the physical components of the infrastructure, including hardware, software, networking, etc.), while the customer is responsible for the security IN the cloud (the protection of the varying levels of security functions, such as customer data, data encryption, IAM, firewall configuration, OS patching of VMs, etc.).




AWS security services include the following:
  • Identity and Access Management (IAM)
  • Web Application Firewall (WAF)
  • AWS Shield
  • Amazon Inspector
  • AWS Trusted Advisor
  • Amazon GuardDuty
Well-Architected Framework: helps customers secure against external and internal threats. This security framework has five pillars:
  • operational excellence
  • security
  • reliability
  • performance efficiency
  • cost optimization
In AWS, these five pillars are realized through the following concrete security protections:
  • IAM (Identity and Access Management)
  • Detective controls: traceability (who did what, when?)
  • Infrastructure protection
  • Incident response:
  • Data protection: keep people away from the data
About IAM:
  • Free service
  • Manages access permissions to AWS resources and services
  • Applies to all user access, globally across all regions
  • Follows the principle of least privilege
  • Used to manage users, federated users, and IAM roles
  • An IAM role can be created for a specific set of permissions
Principle of least privilege: who can access what? Every role has the set of access permissions necessary to complete its job (no more and no less), starting from a minimal set of permissions.
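As an added illustration of least privilege in IAM terms (my example, not code from the original post or from AWS), the following Python evaluates a constructed read-only bucket policy the way IAM does: an explicit Deny wins, an Allow must match, and everything else is implicitly denied. The bucket name and the policy are hypothetical.

```python
import fnmatch

# Constructed least-privilege policy for a job that only needs to read one
# bucket: nothing outside that bucket is allowed, and a sensitive prefix is
# explicitly denied even though the broader Allow would cover it.
READ_ONLY_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/secrets/*"},
    ],
}


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match ('*' and '?'); action names are
    case-insensitive, resource ARNs are not."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: implicit deny by default, an explicit Deny
    overrides any Allow, otherwise allowed only if some Allow matches."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action, fold_case=True)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-bucket/public/a.txt"),
                     ("s3:GetObject", "arn:aws:s3:::example-bucket/secrets/key"),
                     ("s3:PutObject", "arn:aws:s3:::example-bucket/a.txt"),
                     ("ec2:RunInstances", "*")]:
        print(act, res, "->", is_allowed(READ_ONLY_BUCKET_POLICY, act, res))
```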

Recommended security practices:
  • Shared Responsibility Model
  • 5 security pillars of the Well-Architected Framework
  • Principle of least privilege
AWS compliance: https://aws.amazon.com/compliance
AWS compliance programs: https://aws.amazon.com/compliance/programs

WAF (Web Application Firewall):
  • Protects the security and availability of the application: blocks web attacks
  • Protects the application from consuming excessive resources: cost efficiency
  • Makes the application easier to deploy and maintain
  • Improves traffic visibility
AWS Shield: detects DDoS attacks and automatically mitigates their impact on the application, reducing downtime and latency. AWS offers two tiers of Shield:
  • Standard: enabled automatically and free; blocks most common DDoS attacks
  • Advanced: 24/7 access to the AWS DDoS response team, integration with WAF, higher-level protection (network and transport layers) with automatic traffic monitoring, and financial protection against cost spikes caused by DDoS attacks
DDoS (Distributed Denial of Service): an attack that takes a website down by flooding its IP address with a large volume of repeated requests.

Amazon Inspector: automatically assesses applications for exposed vulnerabilities and produces security assessment reports, reducing the risk faced during development and deployment and improving security and compliance.

AWS Trusted Advisor: guides customers to follow AWS best practices when configuring AWS resources, scans the customer's AWS infrastructure in five categories (proactive monitoring), and can work with CloudWatch to take automatic action based on alarms:
  • Cost optimization
  • Security
  • Performance
  • Fault tolerance
  • Service limits
Trusted Advisor has seven core checks:
  • S3 bucket permissions
  • Security groups with unrestricted ports
  • IAM use
  • MFA on the root account
  • EBS public snapshots
  • RDS public snapshots
  • Service limits
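To make the "unrestricted ports" and "root MFA" checks concrete, here is an added Python example (mine, not code from the post or from AWS) that runs equivalent checks over constructed records shaped like the EC2 DescribeSecurityGroups and IAM GetAccountSummary responses; the group IDs, rules and the set of acceptable public ports are made up.

```python
# Constructed sample shaped like EC2 DescribeSecurityGroups output (made up).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",  # -1 means every protocol and port
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

# Ports a public web listener legitimately exposes (assumed); anything else
# reachable from the whole Internet is reported, like the Trusted Advisor check.
PUBLIC_OK_PORTS = {80, 443}


def unrestricted_rules(groups):
    """Return (group id, port range, detail) for every inbound rule open to
    0.0.0.0/0 or ::/0 on a port that is not in PUBLIC_OK_PORTS."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            world = [r["CidrIp"] for r in perm.get("IpRanges", [])
                     if r["CidrIp"] == "0.0.0.0/0"]
            world += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])
                      if r["CidrIpv6"] == "::/0"]
            if not world:
                continue
            if perm["IpProtocol"] == "-1":
                findings.append((g["GroupId"], "all", "all traffic open to " + ",".join(world)))
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            if lo == hi and lo in PUBLIC_OK_PORTS:
                continue
            findings.append((g["GroupId"], f"{lo}-{hi}", "open to " + ",".join(world)))
    return findings


def root_mfa_missing(account_summary):
    """True when the root account has no MFA device; IAM GetAccountSummary
    reports AccountMFAEnabled == 1 once one is configured."""
    return account_summary.get("AccountMFAEnabled", 0) != 1


if __name__ == "__main__":
    for f in unrestricted_rules(SAMPLE_GROUPS):
        print("FINDING", *f)
    print("root MFA missing:", root_mfa_missing({"AccountMFAEnabled": 0}))
```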
Amazon GuardDuty: uses artificial intelligence to detect potential security threats around the clock, monitors for malicious and unauthorized behaviour, and analyzes events and sends alerts through CloudWatch.

Security exam highlights:
  • Shared responsibility model :
    Customer : responsible for the security in the cloud.
    AWS : responsible for the security of the cloud.
  • The 5 pillars of well-architected framework :
    IAM, Detective Controls, Infrastructure Protection, Data Protection, Incident Response.
  • Principle of least privilege :
    Provide the least amount of access necessary to any entity; no more and no less.
  • security services :
    IAM, WAF, AWS Shield, Amazon Inspector, AWS Trusted Advisor, Amazon GuardDuty

III. Billing and Pricing:

The AWS Billing and Cost Management Dashboard lets you manage what you pay for AWS (pay for what you use):
  • Estimate and plan AWS costs
  • Consolidated billing for multiple accounts
  • Alerts when costs approach a threshold
  • Cost Explorer to visualize costs
  • Search bills by tag
Main sources of AWS charges:
  • Compute (EC2 is billed hourly from launch)
  • Storage (S3 is billed per GB of space used)
  • Outbound data transfer (inbound is free, outbound is charged; traffic between services within the same region is not charged)
Storage pricing: S3 $0.023/GB, Glacier $0.004/GB, Glacier Archive $0.00099/GB. The Aurora database is charged for both inbound and outbound: $0.2 per million requests.

Two calculators for managing costs:
  • TCO Calculator: because moving to the cloud requires no upfront infrastructure and AWS bills pay-as-you-go, TCO goes down.
  • Pricing Calculator: used to estimate the cost of a cloud architecture solution.
AWS Free Tier: based on hours, storage, number of requests, etc.
  • always free: e.g. Lambda (1 million requests/month)
  • 12-month free: e.g. EC2 (750 hours/month)
  • Trials: e.g. SageMaker (250 hours/month)
AWS support plans:
  • Basic support plan (free): account and billing questions only, no technical support
  • Developer support plan: unlimited technical questions, US$29/month, one contact
  • Business support plan: $100/month or 3~10% of the bill, unlimited cases and multiple contacts
  • Enterprise support plan: 24/7 unlimited cases and multiple contacts (15-minute response)
The Basic plan is for free-tier customers, the Developer plan suits those testing new features or prototypes, and the Business plan suits production workloads and includes the full set of AWS Trusted Advisor checks.

References:

Top 5 Amazon Web Services or AWS Courses to Learn Online — FREE and Best of Lot

Added 2020-03-26:

Practice questions PART 1:

1. A company is migrating an application that is running non-interruptible workloads for a three-year time frame.
Which pricing construct would provide the MOST cost-effective solution?
A. Amazon EC2 Spot Instances
B. Amazon EC2 Dedicated Instances
C. Amazon EC2 On-Demand Instances
D. Amazon EC2 Reserved Instances
ANS : D

2. What can AWS edge locations be used for? (Select TWO.)
A. Hosting applications
B. Delivering content closer to users
C. Running NoSQL database caching services
D. Reducing traffic on the server by caching responses
E. Sending notification messages to end users
ANS : B, D

3. Which is the MINIMUM AWS Support plan that provides technical support through phone calls?
A. Enterprise
B. Business
C. Developer
D. Basic
ANS : B

4. Under the AWS shared responsibility model, which of the following activities are the customer's responsibility? (Select TWO.)
A. Patching operating system components for Amazon Relational Database Server (Amazon RDS)
B. Encrypting data on the client-side
C. Training the data center staff
D. Configuring Network Access Control Lists (ACL)
E. Maintaining environmental controls within a data center
ANS : B, D

5. A customer would like to design and build a new workload on AWS Cloud but does not have the AWS related software technical expertise in-house.
Which of the following AWS programs can a customer take advantage of to achieve that outcome?
A. AWS Partner Network Technology Partners
B. AWS Marketplace
C. AWS Partner Network Consulting Partners
D. AWS Service Catalog
ANS : C

6. Which of the following services falls under the responsibility of the customer to maintain operating system configuration, security patching, and networking?
A. Amazon RDS
B. Amazon EC2
C. Amazon ElastiCache
D. AWS Fargate
ANS : B

7. Under the shared responsibility model, which of the following is the customer responsible for?
A. Ensuring that disk drives are wiped after use.
B. Ensuring that firmware is updated on hardware devices.
C. Ensuring that data is encrypted at rest.
D. Ensuring that network cables are category six or higher.
ANS : C

8. Which AWS service can be used to manually launch instances based on resource requirements?
A. Amazon EBS
B. Amazon S3
C. Amazon EC2
D. Amazon ECS
ANS : C

9. Which of the following is a correct relationship between regions, Availability Zones, and edge locations?
A. Data centers contain regions.
B. Regions contain Availability Zones.
C. Availability Zones contain edge locations.
D. Edge locations contain regions.
ANS : B

10. Which AWS services are defined as global instead of regional? (Select TWO.)
A. Amazon Route 53
B. Amazon EC2
C. Amazon S3
D. Amazon CloudFront
E. Amazon DynamoDB
ANS : A, D

11. The use of what AWS feature or service allows companies to track and categorize spending on a detailed level?
A. Cost allocation tags
B. Consolidated billing
C. AWS Budgets
D. AWS Marketplace
ANS : A

12. How should a customer forecast the future costs for running a new web application?
A. Amazon Aurora Backtrack
B. Amazon CloudWatch Billing Alarms
C. AWS Simple Monthly Calculator
D. AWS Cost and Usage report
ANS : D

13. Which AWS tools assist with estimating costs? (Select three.)
A. Detailed billing report
B. Cost allocation tags
C. AWS Simple Monthly Calculator
D. AWS Total Cost of Ownership (TCO) Calculator
E. Cost Eliminator
ANS : B, C, D

14. Which of the following is an advantage of consolidated billing on AWS?
A. Volume pricing qualification
B. Shared access permissions
C. Multiple bills per account
D. Eliminates the need for tagging
ANS : A

15. How should a customer forecast the future costs for running a new web application?
A. Amazon Aurora Backtrack
B. Amazon CloudWatch Billing Alarms
C. AWS Simple Monthly Calculator
D. AWS Cost and Usage report
ANS : D

16. Web servers running on Amazon EC2 access a legacy application running in a corporate data center.
What term would describe this model?
A. Cloud-native
B. Partner network
C. Hybrid architecture
D. Infrastructure as a service
ANS : C

Added 2020-03-27:

Today I found the forum below, where you can find solutions and discussion of AWS exam questions:

https://www.examtopics.com/discussions/amazon/
# Exam4traning

5 comments:

YaMaHa said...

I'm also thinking about looking into this certification.
May I ask how much time you ended up spending to get the AWS Certified Cloud Practitioner Exam certification?
Looking at your blog index from November 8, 2019 to March 23, 2020, there seem to be no follow-up posts.
Can it be done in less than 6 months?

小狐狸事務所 said...

Hi, I passed the certification at the end of March last year (after writing this post); I've been busy with other things since then and haven't continued. This year I may be assigned to take the AWS SAA certification.

YaMaHa said...

Thanks for the reply, keep it up and good luck!

小狐狸事務所 said...

Thank you!

Anonymous said...

look and like