gaspersic/devops-exercises
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add a couple of AWS exercises

Browse Source 
Questions as well were added.
This commit is contained in:
abregman
2021-11-12 14:05:05 +02:00
parent af7e1a9007
commit 43d714fa12
15 changed files with 971 additions and 545 deletions
Download Patch File Download Diff File Expand all files Collapse all files

222
exercises/aws/README.md
View File

@ -6,18 +6,34 @@
|Name|Topic|Objective & Instructions|Solution|Comments|
|--------|--------|------|----|----|
| Create a User | IAM | [Exercise](create_user.md) | [Solution](solutions/create_user.md) | |
| Password Policy | IAM | [Exercise](password_policy_and_mfa.md) | [Solution](solutions/password_policy_and_mfa.md) | |
| Create a role | IAM | [Exercise](create_role.md) | [Solution](solutions/create_role.md) | |
| Credential Report | IAM | [Exercise](credential_report.md) | [Solution](solutions/credential_report.md) | |
| Access Advisor | IAM | [Exercise](access_advisor.md) | [Solution](solutions/access_advisor.md) | |
| Create a User | IAM | [Exercise](create_user.md) | [Solution](solutions/create_user.md) | Easy |
| Password Policy | IAM | [Exercise](password_policy_and_mfa.md) | [Solution](solutions/password_policy_and_mfa.md) | Easy |
| Create a role | IAM | [Exercise](create_role.md) | [Solution](solutions/create_role.md) | Easy |
| Credential Report | IAM | [Exercise](credential_report.md) | [Solution](solutions/credential_report.md) | Easy |
| Access Advisor | IAM | [Exercise](access_advisor.md) | [Solution](solutions/access_advisor.md) | Easy |
#### AWS - EC2
|Name|Topic|Objective & Instructions|Solution|Comments|
|--------|--------|------|----|----|
| Launch EC2 web instance | EC2 | [Exercise](launch_ec2_web_instance.md) | [Solution](solutions/launch_ec2_web_instance.md) | Easy |
| Security Groups | EC2 | [Exercise](security_groups.md) | [Solution](solutions/security_groups.md) | Easy |
| IAM Roles | EC2 + IAM | [Exercise](ec2_iam_roles.md) | [Solution](solutions/ec2_iam_roles.md) | Easy |
#### AWS - Lambda
|Name|Topic|Objective & Instructions|Solution|Comments|
|--------|--------|------|----|----|
| Hello Function | Lambda | [Exercise](hello_function.md) | [Solution](solutions/hello_function.md) | |
| URL Function | Lambda | [Exercise](url_function.md) | [Solution](solutions/url_function.md) | |
| Hello Function | Lambda | [Exercise](hello_function.md) | [Solution](solutions/hello_function.md) | Easy |
| URL Function | Lambda | [Exercise](url_function.md) | [Solution](solutions/url_function.md) | Easy |
#### AWS - Misc
|Name|Topic|Objective & Instructions|Solution|Comments|
|--------|--------|------|----|----|
| Budget Setup | Budget | [Exercise](budget_setup.md) | [Solution](solutions/budget_setup.md) | Easy |
| No Application :'( | Troubleshooting | [Exercise](no_application.md) | [Solution](solutions/no_application.md) | Easy |
### AWS Self Assessment
@ -151,7 +167,7 @@ There can be several reasons for that. One of them is lack of policy. To solve t
</b></details>
<details>
<summary>What statements AWS IAM policies support?</summary><br><b>
<summary>What statements AWS IAM policies are consist of?</summary><br><b>
* Sid: identifier of the statement (optional)
* Effect: allow or deny access
@ -194,7 +210,7 @@ This policy permits to perform any action on any resource. It happens to be the
IAM Access Advisor
</b></details>
#### AWS - Compute
#### AWS - EC2
<details>
<summary>What is EC2?</summary><br><b>
@ -209,6 +225,17 @@ Read more [here](https://aws.amazon.com/ec2)
True. As opposed to IAM for example, which is a global service, EC2 is a regional service.
</b></details>
<details>
<summary>What are some of the properties/configuration options of EC2 instances that can be set or modified?</summary><br><b>
* OS (Linux, Windows)
* RAM and CPU
* Networking - IP, Card properties like speed
* Storage Space - (EBS, EFS, EC2 Instance Store)
* EC2 User Data
* Security groups
</b></details>
<details>
<summary>What is AMI?</summary><br><b>
@ -225,12 +252,22 @@ Read more [here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html)
</b></details>
<details>
<summary>What is instance type?</summary><br><b>
<summary>What is an instance type?</summary><br><b>
"the instance type that you specify determines the hardware of the host computer used for your instance"
Read more about instance types [here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html)
</b></details>
<details>
<summary>Explain the instance type naming convention</summary><br><b>
Let's take for example the following instance type: m5.large
`m` is the instance class
`5` is the generation
`large` is the size of the instance (affects the spec properties like vCPUs and RAM)
</b></details>
<details>
<summary>True or False? The following are instance types available for a user in AWS:
@ -241,6 +278,30 @@ Read more about instance types [here](https://docs.aws.amazon.com/AWSEC2/latest/
False. From the above list only compute optimized is available.
</b></details>
<details>
<summary>Explain each of the following instance types:
* "Compute Optimized"
* "Memory Optimized"
* "Storage Optimized"</summary><br><b>
Compute Optimized:
* Used for compute-intensive tasks
* It has high performance processors
* Use cases vary: gaming serves, machine learning, batch processing, etc.
Memory Optimized:
* Used for processing large data sets in memory
* Other use cases: high performance, databases, distributed cache stores
Storage Optimized:
* Used for storage intensive tasks - high read and write access to large data sets
* Use cases: databases, OLTP system, distributing file systems
</b></details>
<details>
<summary>What is EBS?</summary><br><b>
@ -257,6 +318,73 @@ Spot - Enables you to bid whatever price you want for instances or pay the spot
Dedicated Hosts - physical EC2 server dedicated for your use.
</b></details>
<details>
<summary>True or False? Reserved instance has to be used for a minimum of 1 year</summary><br><b>
True.
</b></details>
<details>
<summary>Explain the following types of reserved instances:
* Convertible Reserved Instances
* Scheduled Reserved Instances</summary><br><b>
* Convertible Reserved Instances: used for long running workloads but used when instance type might change during the period of time it's resreved
* Scheduled Reserved Instances: when you need to reserve an instance for a long period but you don't need it continuously (so for example you need it only in the morning)
</b></details>
<details>
<summary>True or False? In EC2 On Demand, you pay per hour when using Linux or Windows and per second (after first minute) when using any other operating system</summary><br><b>
False. You pay per second (after the first minute) when using Windows or Linux and per hour for any other OS.
</b></details>
<details>
<summary>You need an instance for short-term and the workload running on instance must not be interrupted. Which pricing model would you use?</summary><br><b>
On Demand is good for short-term non-interrupted workloads (but it also has the highest cost).
</b></details>
<details>
<summary>You need an instance for running an application for a period of 2 years continuously, without changing instance type. Which pricing model would you use?</summary><br><b>
Reserved instances: they are cheaper than on-demand and the instance is yours for the chosen period of time.
</b></details>
<details>
<summary>You need an instance for two years, but only between 10:00-15:00 every day. Which pricing model would you use?</summary><br><b>
Reserved instances from the "Scheduled Reserved Instances" type which allows you to reserve for specific time window (like 10:00-15:00 every day).
</b></details>
<details>
<summary>You need an instance for running workloads. You don't care if they fail for a given moment as long as they run eventually. Which pricing model would you use?</summary><br><b>
Spot instances. The discount potential is the highest compared to all other pricing models. The disadvantage is that you can lose the instance at any point so, you must run only workloads that you are fine with them failing suddenly.
</b></details>
<details>
<summary>You need a physical server only for your use. Which pricing model are you going to use?</summary><br><b>
EC2 Dedicated Host
</b></details>
<details>
<summary>What are some of the differences between dedicated hosts and dedicated instances?</summary><br><b>
In dedicated hosts you have per host billing, you have more visibility (sockets, cores, ...) and you can control where instance will be placed.<br>
In dedicated instances the billing is per instance but you can't control placement and you don't have visibility of sockets, cores, ...
</b></details>
<details>
<summary>For what use cases, EC2 dedicated hosts are useful for?</summary><br><b>
* Compliance needs
* When the software license is complex (Bring Your Own License) and doesn't support cloud or multi-tenants
* Regulatory requirements
</b></details>
<details>
<summary>What are Security Groups?</summary><br><b>
@ -264,6 +392,37 @@ Dedicated Hosts - physical EC2 server dedicated for your use.
More on this subject [here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html)
</b></details>
<details>
<summary>True or False? Security groups only contain deny rules</summary><br><b>
False. Security groups only contain allow rules.
</b></details>
<details>
<summary>True or False? One security group can be attached to multiple instances</summary><br><b>
True
</b></details>
<details>
<summary>True or False? Security groups are not locked down to a region and VPC (meaning you don't have to create a new one when switching regions)</summary><br><b>
False. They are locked down to regions and VPC.
</b></details>
<details>
<summary>True or False? By default, when using security groups, all inbound traffic to an EC2 instance is blocked and all outbound traffic is allowed</summary><br><b>
True
</b></details>
<details>
<summary>What is the advantage of referencing security groups from a given security group?</summary><br><b>
Imagine you have an instance referencing two security groups, allowing to get inbound traffic from them.<br>
Now imagine you have two instances, each using one of the security groups referenced in the instance we've just mentioned. This means you can get traffic from these two instances because they use security groups which referenced in the instance mentioned at the beginning. No need to use IPs.
</b></details>
<details>
<summary>How to migrate an instance to another availability zone?</summary><br><b>
</b></details>
@ -285,9 +444,42 @@ Learn more about EC2 RI [here](https://aws.amazon.com/ec2/pricing/reserved-insta
</b></details>
<details>
<summary>You would like to invoke a function every time you enter a URL in the browser. Which service would you use for that?</summary><br><b>
<summary>What bootstrapping means and how to use it in AWS EC2?</summary><br><b>
AWS Lambda
Bootstrapping is about launching commands when a machine starts for the first time.
In AWS EC2 this is done using the EC2 user data script.
</b></details>
<details>
<summary>You get time out when trying reach your application which runs on an EC2 instance. Specify one reason why it would possibly happen</summary><br><b>
Security group isn't configured properly.
</b></details>
<details>
<summary>What is the AWS Instance Connect?</summary><br><b>
[AWS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html): "Amazon EC2 Instance Connect provides a simple and secure way to connect to your Linux instances using Secure Shell (SSH)."
</b></details>
<details>
<summary>You try to run EC2 commands in an EC2 instance you've just created but it fails due to missing credentials. What would you do?</summary><br><b>
DO NOT configure AWS credentials on the instance (this means anyone else in your account would be able to use and see your credentials).<br>
The best practice is to attach an IAM role with sufficient permissions (like `IAMReadOnlyAccess`)
</b></details>
<details>
<summary>True or False? Cancelling a Spot instance request terminates the instance</summary><br><b>
False. When you cancel a Spot instance request, you are not terminating the instances created by it.<br>
To terminate such instances, you must cancel the Spot instance request first.
</b></details>
<details>
<summary>What are Spot Flees?</summary><br><b>
Set of Spot instance and if you want, also on-demand instances.
</b></details>
#### AWS - Lambda
@ -914,6 +1106,12 @@ Allows you to connect your corporate network to AWS network.
AWS CodeDeploy
</b></details>
<details>
<summary>You would like to invoke a function every time you enter a URL in the browser. Which service would you use for that?</summary><br><b>
AWS Lambda
</b></details>
<details>
<summary>What would you use for easily creating similar AWS environments/resources for different customers?</summary><br><b>

5
exercises/aws/budget_setup.md Normal file
View File

@ -0,0 +1,5 @@
## AWS - Budget Setup
### Objectives
Setup a cost budget in your AWS account based on your needs.

11
exercises/aws/ec2_iam_roles.md Normal file
View File

@ -0,0 +1,11 @@
## AWS EC2 - IAM Roles
### Requirements
1. Running EC2 instance without any IAM roles (so you if you connect the instance and try to run AWS commands, it fails)
2. IAM role with "IAMReadOnlyAccess" policy
### Objectives
1. Attach a role (and if such role doesn't exists, create it) with "IAMReadOnlyAccess" policy to the EC2 instance
2. Verify you can run AWS commands in the instance

15
exercises/aws/launch_ec2_web_instance.md Normal file
View File

@ -0,0 +1,15 @@
## AWS - Launch EC2 Web Instance
### Objectives
Launch one EC2 instance with the following requirements:
1. Amazon Linux 2 image
2. Instance type: pick up one that has 1 vCPUs and 1 GiB memory
3. Instance storage should be deleted upon the termination of the instance
4. When the instance starts, it should install:
1. Install the httpd package
2. Start the httpd service
3. Make sure the content of /var/www/html/index.html is `I made it! This is is awesome!`
5. It should have the tag: "Type: web" and the name of the instance should be "web-1"
6. HTTP traffic (port 80) should be accepted from anywhere

8
exercises/aws/no_application.md Normal file
View File

@ -0,0 +1,8 @@
## No Application :'(
### Objectives
Explain what might be possible reasons for the following issues:
1. Getting "time out" when trying to reach an application running on EC2 instance
2. Getting "connection refused" error

16
exercises/aws/security_groups.md Normal file
View File

@ -0,0 +1,16 @@
## AWS EC2 - Security Groups
### Requirements
For this exercise you'll need:
1. EC2 instance with web application
2. Security group inbound rules that allow HTTP traffic
### Objectives
1. List the security groups you have in your account, in the region you are using
2. Remove the HTTP inbound traffic rule
3. Can you still access the application? What do you see/get?
4. Add back the rule
5. Can you access the application now?

18
exercises/aws/solutions/budget_setup.md Normal file
View File

@ -0,0 +1,18 @@
## AWS - Budget Setup
### Objectives
Setup a cost budget in your AWS account based on your needs.
### Solution
1. Go to "Billing"
2. Click on "Budgets" in the menu
3. Click on "Create a budget"
4. Choose "Cost Budget" and click on "Next"
5. Choose the values that work for you. For example, recurring monthly budget with a specific amount
6. Insert a budget name and Click on "Next"
7. Set up an alert but clicking on "Add an alert threshold"
1. Set a threshold (e.g. 75% of budgeted amount)
2. Set an email where a notification will be sent
8. Click on "Next" until you can click on "Create a budget"

21
exercises/aws/solutions/ec2_iam_roles.md Normal file
View File

@ -0,0 +1,21 @@
## AWS EC2 - IAM Roles
### Requirements
1. Running EC2 instance without any IAM roles (so you if you connect the instance and try to run AWS commands, it fails)
2. IAM role with "IAMReadOnlyAccess" policy
### Objectives
1. Attach a role (and if such role doesn't exists, create it) with "IAMReadOnlyAccess" policy to the EC2 instance
2. Verify you can run AWS commands in the instance
### Solution
#### Console
1. Go to EC2 service
2. Click on the instance to which you would like to attach the IAM role
3. Click on "Actions" -> "Security" -> "Modify IAM Role"
4. Choose the IAM role with "IAMReadOnlyAccess" policy and click on "Save"
5. Running AWS commands now in the instance should work fine (e.g. `aws iam list-users`)

39
exercises/aws/solutions/launch_ec2_web_instance.md Normal file
View File

@ -0,0 +1,39 @@
## AWS - Launch EC2 Web Instance
### Objectives
Launch one EC2 instance with the following requirements:
1. Amazon Linux 2 image
2. Instance type: pick up one that has 1 vCPUs and 1 GiB memory
3. Instance storage should be deleted upon the termination of the instance
4. When the instance starts, it should install:
1. Install the httpd package
2. Start the httpd service
3. Make sure the content of /var/www/html/index.html is `I made it! This is is awesome!`
5. It should have the tag: "Type: web" and the name of the instance should be "web-1"
6. HTTP traffic (port 80) should be accepted from anywhere
### Solution
1. Choose a region close to you
2. Go to EC2 service
3. Click on "Instances" in the menu and click on "Launch instances"
4. Choose image: Amazon Linux 2
5. Choose instance type: t2.micro
6. Make sure "Delete on Termination" is checked in the storage section
7. Under the "User data" field the following:
```
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo "<h1>I made it! This is is awesome!</h1>" > /var/www/html/index.html
```
8. Add tags with the following keys and values:
* key "Type" and the value "web"
* key "Name" and the value "web-1"
9. In the security group section, add a rule to accept HTTP traffic (TCP) on port 80 from anywhere
10. Click on "Review" and then click on "Launch" after reviewing.
11. If you don't have a key pair, create one and download it.

21
exercises/aws/solutions/no_application.md Normal file
View File

@ -0,0 +1,21 @@
## No Application :'(
### Objectives
Explain what might be possible reasons for the following issues:
1. Getting "time out" when trying to reach an application running on EC2 instance
2. Getting "connection refused" error
### Solution
1. 'Time out' Can be due to one of the following:
* Security group doesn't allow access
* No host (yes, I know. Not the first thing to check and yet...)
* Operating system firewall blocking traffic
2. 'Connection refused' can happen due to one of the following:
* Application didn't launch properly or has some issue (doesn't listens on the designated port)
* Firewall replied with a reject instead of dropping the packets

55
exercises/aws/solutions/security_groups.md Normal file
View File

@ -0,0 +1,55 @@
## AWS EC2 - Security Groups
### Requirements
For this exercise you'll need:
1. EC2 instance with web application
2. Security group inbound rules that allow HTTP traffic
### Objectives
1. List the security groups you have in your account, in the region you are using
2. Remove the HTTP inbound traffic rule
3. Can you still access the application? What do you see/get?
4. Add back the rule
5. Can you access the application now?
### Solution
#### Console
1. Go to EC2 service - > Click on "Security Groups" under "Network & Security"
You should see at least one security group. One of them is called "default"
2. Click on the security group with HTTP rules and click on "Edit inbound rules".
Remove the HTTP related rules and click on "Save rules"
3. No. There is a time out because we removed the rule allowing HTTP traffic.
4. Click on the security group -> edit inbound rules and add the following rule:
* Type: HTTP
* Port range: 80
* Source: Anywhere -> 0.0.0.0/0
5. yes
#### CLI
1. `aws ec2 describe-security-groups` -> by default, there is one security group called "default", in a new account
2. Remove the rule:
```
aws ec2 revoke-security-group-ingress \
--group-name someHTTPSecurityGroup
--protocol tcp \
--port 80 \
--cidr 0.0.0.0/0
```
3. No. There is a time out because we removed the rule allowing HTTP traffic.
4. Add the rule we remove:
```
aws ec2 authorize-security-group-ingress \
--group-name someHTTPSecurityGroup
--protocol tcp \
--port 80 \
--cidr 0.0.0.0/0
```
5. yes