Chapter 11: Additional Key Services
- B, C, E. Amazon CloudFront can use an Amazon S3 bucket or any HTTP server, whether or not it is running in Amazon EC2. A Route 53 Hosted Zone is a set of DNS resource records, while an Auto Scaling Group launches or terminates Amazon EC2 instances automatically. Neither can be specified as an origin server for a distribution.
- Content that can be configured as a CloudFront origin:
  - S3 bucket: myawsbucket.s3.amazonaws.com
  - S3 bucket configured as a website: http://bucket-name.s3-website-us-west-2.amazonaws.com
  - AWS Elemental MediaStore container: mymediastore.data.mediastore.us-west-1.amazonaws.com
  - AWS Elemental MediaPackage endpoint: mymediapackage.mediapackage.us-west-1.amazon.com
  - AWS EC2 instance: ec2-203-0-113.25.compute-1.amazonaws.com
  - Load balancer: my-load-balancer-12345679.us-west-1.elb.amazonaws.com
  - Your own web server: http://example.com
- A, C. The site in A is “popular” and supports “users around the world,” key indicators that CloudFront is appropriate. Similarly, the site in C is “heavily used,” and requires private content, which is supported by Amazon CloudFront. Both B and D are corporate use cases where the requests come from a single geographic location or appear to come from one (because of the VPN). These use cases will generally not see benefit from Amazon CloudFront.
- CloudFront use case 1: low-latency edge access for dynamic websites
- CloudFront use case 2: caching content so that users fetch it from the nearest edge location
- Where CloudFront does not fit: users concentrated in only some regions, or users arriving through a VPN
- C, E. Using multiple origins and setting multiple cache behaviors allow you to serve static and dynamic content from the same distribution. Origin Access Identifiers and signed URLs support serving private content from Amazon CloudFront, while multiple edge locations are simply how Amazon CloudFront serves any content.
- Multiple origins let different static content be served from different origin servers
- Multiple cache behaviors let you apply different cache policies
- B. Amazon CloudFront OAI is a special identity that can be used to restrict access to an Amazon S3 bucket only to an Amazon CloudFront distribution. Signed URLs, signed cookies, and IAM bucket policies can help to protect content served through Amazon CloudFront, but OAIs are the simplest way to ensure that only Amazon CloudFront has access to a bucket.
- CloudFront's OAI feature restricts the S3 content so that only CloudFront can access it
- C. AWS Storage Gateway allows you to access data in Amazon S3 locally, with the Gateway-Cached volume configuration allowing you to expand a relatively small amount of local storage into Amazon S3.
- AWS Storage Gateway connects an on-premises software appliance with cloud-based storage, providing seamless integration with data security features between the on-premises IT environment and the AWS storage infrastructure. You can use the service to store data in the AWS cloud on cost-effective, scalable storage that helps keep the data secure. It offers three capabilities: file gateway, volume gateway (stored volumes and cached volumes), and tape gateway.
- Volume gateway, cached volumes: data is stored in Amazon Simple Storage Service (Amazon S3) and a copy of the frequently accessed subset is retained locally. Cached volumes save substantially on primary storage cost and minimise the need to scale local storage, while keeping low-latency access to frequently used data.
- Volume gateway, stored volumes: if you need low-latency access to the whole data set, first configure the on-premises gateway to store all data locally, then back up point-in-time snapshots of that data asynchronously to Amazon S3. This configuration gives durable, inexpensive off-site backups that can be recovered to the local data centre or to Amazon EC2, for example when you need replacement capacity for disaster recovery.
- B. Simple AD is a Microsoft Active Directory-compatible directory that is powered by Samba 4. Simple AD supports commonly used Active Directory features such as user accounts, group memberships, domain-joining Amazon Elastic Compute Cloud (Amazon EC2) instances running Linux and Microsoft Windows, Kerberos-based Single Sign-On (SSO), and group policies.
- The AWS directory services are: Amazon Cloud Directory, Amazon Cognito, Microsoft AD, AD Connector, Simple AD
- Simple AD is a Microsoft Active Directory–compatible directory that is powered by Samba 4 and hosted on the AWS cloud.
- Microsoft AD:Microsoft AD is a Microsoft Active Directory hosted on the AWS Cloud. It integrates most Active Directory features with AWS applications.
- Amazon Cognito:Amazon Cognito is a user directory that adds sign-up and sign-in to your mobile app or web application using Amazon Cognito User Pools.
- AD connector:AD Connector uses your existing on-premises Microsoft Active Directory to access AWS applications and services.
- Amazon Cloud Directory:With Cloud Directory, you can organize application data into multiple hierarchies to support many organizational pivots and relationships across directory information.
- C. AWS KMS CMKs are the fundamental resources that AWS KMS manages. CMKs can never leave AWS KMS unencrypted, but data keys can.
- The primary resource in AWS KMS is the customer master key (CMK). A CMK can directly encrypt and decrypt up to 4 KB (4096 bytes) of data. Typically, you use the CMK to generate, encrypt and decrypt data keys, which you then use outside AWS KMS to encrypt your data. This strategy is called envelope encryption.
- AWS KMS stores, tracks and protects your CMKs. To use a CMK you go through AWS KMS; a CMK never leaves AWS KMS unencrypted. This differs from the data keys that AWS KMS returns to you, which can be in plaintext. AWS KMS does not store, manage or track your data keys.
- D. AWS KMS uses envelope encryption to protect data. AWS KMS creates a data key, encrypts it under a Customer Master Key (CMK), and returns plaintext and encrypted versions of the data key to you. You use the plaintext key to encrypt data and store the encrypted key alongside the encrypted data. You can retrieve a plaintext data key only if you have the encrypted data key and you have permission to use the corresponding master key.
- AWS KMS uses envelope encryption to protect data: KMS creates a data key, encrypts it under the CMK, and returns both the plaintext and the encrypted version. You encrypt your data with the plaintext data key, then store the encrypted data key together with the encrypted data. This pattern is envelope encryption.
- A. AWS CloudTrail records important information about each API call, including the name of the API, the identity of the caller, the time of the API call, the request parameters, and the response elements returned by the AWS Cloud service.
- With AWS CloudTrail you get a history of the API calls for your account, including calls made through the AWS Management Console, AWS SDKs, command-line tools and higher-level AWS services, so you can monitor your AWS deployments in the cloud. You can also determine which users and accounts called AWS APIs for CloudTrail-supported services, the source IP address of the calls, and when the calls occurred.
- You can integrate CloudTrail into applications that use the API, automatically create trails for your organisation, check the status of trails, and control how administrators turn CloudTrail logging on and off.
- B, C. Encryption context is a set of key/value pairs that you can pass to AWS KMS when you call the Encrypt, Decrypt, ReEncrypt, GenerateDataKey, and GenerateDataKeyWithoutPlaintext APIs. Although the encryption context is not included in the ciphertext, it is cryptographically bound to the ciphertext during encryption and must be passed again when you call the Decrypt (or ReEncrypt) API. Invalid ciphertext for decryption is plaintext that has been encrypted in a different AWS account or ciphertext that has been altered since it was originally encrypted.
- B. Because the Internet connection is full, the best solution will be based on using AWS Import/Export to ship the data. The most appropriate storage location for data that must be stored, but is very rarely accessed, is Amazon Glacier.
- A 15 TB data set that is never accessed is a good fit for Glacier; for the migration to the cloud, Import/Export is recommended
- Snowball is the implementation of Import/Export: migration by shipping a storage appliance
- C. Because the job is run monthly, a persistent cluster will incur unnecessary compute costs during the rest of the month. Amazon Kinesis is not appropriate because the company is running analytics as a batch job and not on a stream. A single large instance does not scale out to accommodate the large compute needs.
- EMR reads data from S3 at no charge; for an analytics job that runs for 24 hours once a month, a transient EMR cluster is the cost-effective choice
- D. The Amazon Kinesis services enable you to work with large data streams. Within the Amazon Kinesis family of services, Amazon Kinesis Firehose saves streams to AWS storage services, while Amazon Kinesis Streams provide the ability to process the data in the stream.
- The Amazon Kinesis services let you process unbounded streams of data online.
- Kinesis Video Streams captures, processes and stores video streams for analytics and machine learning.
- Kinesis Data Streams lets you build custom applications that analyse data streams with common stream-processing frameworks.
- Kinesis Data Firehose loads data streams into AWS data stores.
- Kinesis Data Analytics analyses data streams with SQL.
- C. Amazon Data Pipeline allows you to run regular Extract, Transform, Load (ETL) jobs on Amazon and on-premises data sources. The best storage for large data is Amazon S3, and Amazon Redshift is a large-scale data warehouse service.
- AWS Data Pipeline is a web service that automates data movement and transformation. With AWS Data Pipeline you define data-driven workflows, so that tasks can depend on the successful completion of previous tasks.
- S3 is generally the best storage for big-data computation
- Redshift serves as the data warehouse
- EMR is the component used for data analysis
- B. Amazon Kinesis Firehose allows you to ingest massive streams of data and store the data on Amazon S3 (as well as Amazon Redshift and Amazon Elasticsearch).
- Kinesis Data Firehose loads data streams into AWS data stores
- C. AWS OpsWorks uses Chef recipes to start new app server instances, configure application server software, and deploy applications. Organizations can leverage Chef recipes to automate operations like software configurations, package installations, database setups, server scaling, and code deployment.
- AWS OpsWorks: AWS OpsWorks provides a simple, flexible way to create and manage stacks and applications. With AWS OpsWorks you can provision AWS resources, manage their configuration, deploy applications to them, and monitor their health.
- A. With AWS CloudFormation, you can reuse your template to set up your resources consistently and repeatedly. Just describe your resources once and then provision the same resources over and over in multiple stacks.
- AWS CloudFormation: with AWS CloudFormation you can create and provision AWS infrastructure deployments predictably and repeatedly. It helps you build highly reliable, highly scalable and cost-effective applications in the cloud using AWS products (such as Amazon EC2, Amazon Elastic Block Store, Amazon SNS, Elastic Load Balancing and Auto Scaling), without the burden of creating and configuring the underlying AWS infrastructure. With AWS CloudFormation, a template file lets you create and delete a collection of resources as a single unit (a stack).
- B. AWS Trusted Advisor inspects your AWS environment and makes recommendations when opportunities exist to save money, improve system availability and performance, or help close security gaps. AWS Trusted Advisor draws upon best practices learned from the aggregated operational history of serving hundreds of thousands of AWS customers.
- AWS Trusted Advisor analyses your AWS environment and provides optimisation recommendations, helping enterprise customers save money
- A. AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config, you can discover existing and deleted AWS resources, determine your overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing.
- AWS Config provides detailed information about the resources associated with your AWS account, including how they are configured, how they relate to one another, and how their configurations and relationships change over time.
- D. AWS Elastic Beanstalk is the fastest and simplest way to get an application up and running on AWS. Developers can simply upload their application code, and the service automatically handles all the details such as resource provisioning, load balancing, Auto Scaling, and monitoring.
- AWS Elastic Beanstalk: you can quickly deploy and manage applications in the AWS cloud without worrying about the infrastructure that runs them. AWS Elastic Beanstalk reduces management complexity without restricting choice or control. You simply upload the application, and AWS Elastic Beanstalk automatically handles the deployment details of capacity provisioning, load balancing, scaling and application health monitoring.
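As an added illustration of the envelope-encryption and encryption-context answers above (example code written for these notes, not from the study guide or the AWS SDK): a stand-alone Go model in which a local AES-256-GCM key plays the role of the CMK, the data key is wrapped with the encryption context as additional authenticated data, and what gets stored is the wrapped key beside the ciphertext. The function names, the map-to-AAD canonicalisation and the keys used are assumptions of this demo, not the KMS API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"sort"
	"strings"
)

// ctxAAD canonicalises an encryption context (sorted k=v pairs) into AAD, so
// the context is bound to the ciphertext without being stored inside it.
func ctxAAD(ctx map[string]string) []byte {
	pairs := make([]string, 0, len(ctx))
	for k, v := range ctx {
		pairs = append(pairs, k+"="+v)
	}
	sort.Strings(pairs)
	return []byte(strings.Join(pairs, "\x00"))
}

// gcm builds AES-256-GCM; every key in this demo is 32 bytes, so it cannot fail.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal prefixes a random 12-byte nonce to the GCM output; open reverses it
// and fails if either the ciphertext or the AAD has been altered.
func seal(key, pt, aad []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // Go 1.24+ guarantees crypto/rand.Read cannot fail
	return gcm(key).Seal(nonce, nonce, pt, aad)
}

func open(key, ct, aad []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return gcm(key).Open(nil, ct[:12], ct[12:], aad)
}

// EnvelopeEncrypt mirrors KMS GenerateDataKey: a fresh data key, wrapped under
// the CMK with the context as AAD, encrypts the data; only the wrapped key is kept.
func EnvelopeEncrypt(cmk, data []byte, ctx map[string]string) (wrappedKey, ct []byte) {
	dataKey := make([]byte, 32)
	rand.Read(dataKey)
	return seal(cmk, dataKey, ctxAAD(ctx)), seal(dataKey, data, nil)
}

// EnvelopeDecrypt mirrors KMS Decrypt: unwrap the key (same context required), then decrypt.
func EnvelopeDecrypt(cmk, wrappedKey, ct []byte, ctx map[string]string) ([]byte, error) {
	dataKey, err := open(cmk, wrappedKey, ctxAAD(ctx))
	if err != nil {
		return nil, err
	}
	return open(dataKey, ct, nil)
}
```

A caller who holds the wrapped key and ciphertext but supplies a different context, or a different CMK, gets an authentication error rather than garbage, which is exactly the property the "invalid ciphertext" answer relies on.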
Key Points Summary
- Know the basic use cases for Amazon CloudFront. Know when to use Amazon CloudFront (for popular static and dynamic content with geographically distributed users) and when not to (all users at a single location or connecting through a corporate VPN).
- Understand CloudFront's use cases
  - Suitable: static content acceleration, and dynamic content reaching the nearest edge location based on geography;
  - Not suitable: a single geographic location, or access through a VPN;
- Know how Amazon CloudFront works. Amazon CloudFront optimizes downloads by using geolocation to identify the geographical location of users, then serving and caching content at the edge location closest to each user to maximize performance.
- Understand how CloudFront works: it optimises downloads based on the user's location, mainly by caching content at edge locations to improve access performance;
- Know how to create an Amazon CloudFront distribution and what types of origins are supported. To create a distribution, you specify an origin and the type of distribution, and Amazon CloudFront creates a new domain name for the distribution. Origins supported include Amazon S3 buckets or static Amazon S3 websites and HTTP servers located in Amazon EC2 or in your own data center.
- Understand how to create a CloudFront distribution.
  - Supported origins: S3 bucket, bucket-based website, MediaStore container, MediaPackage endpoint, EC2 instance, load balancer, your own web server;
  - CloudFront creates a domain name for the distribution
- Know how to use Amazon CloudFront for dynamic content and multiple origins.
  - Dynamic content in CloudFront: mainly designed around URL query parameters;
  - Multiple origins in CloudFront: different origins for different static content;
- Understand how to specify multiple origins for different types of content and how to use cache behaviors and path strings to control what content is served by which origin.
- Different origins can be configured for different content types, and the origin can be selected by path;
- Know what mechanisms are available to serve private content through Amazon CloudFront. Amazon CloudFront can serve private content using Amazon S3 Origin Access Identifiers, signed URLs, and signed cookies.
- Understand how private content is served through CloudFront: it is configured with the S3 OAI feature, signed URLs and signed cookies;
- Know the three configurations of AWS Storage Gateway and their use cases. Gateway-Cached volumes expand your on-premises storage into Amazon S3 and cache frequently used files locally. Gateway-Stored volumes keep all your data available locally at all times and also replicate it asynchronously to Amazon S3. Gateway-VTL enables you to keep your current backup tape software and processes while eliminating physical tapes by storing your data in the cloud.
- Understand the three AWS Storage Gateway configurations and their use cases.
  - File gateway: combines a service and a virtual software appliance to provide a file interface to Amazon Simple Storage Service (Amazon S3). With this combination you can store and retrieve objects in Amazon S3 using industry-standard file protocols such as Network File System (NFS) and Server Message Block (SMB).
  - Volume gateway, Gateway-Cached volumes: cached volumes; data is stored in the cloud with a local cache;
  - Volume gateway, Gateway-Stored volumes: stored volumes; data is stored locally and synchronised to S3 in the cloud
  - Tape gateway, Gateway-VTL: a virtual tape library lets you archive backup data in Amazon Glacier in a cost-effective and durable way. It provides virtual tape infrastructure that scales seamlessly with your business needs and removes the operational burden of provisioning, scaling and maintaining physical tape infrastructure.
- Understand the value of AWS Directory Service. AWS Directory Service is designed to reduce identity management tasks, thereby allowing you to focus more of your time and resources on your business.
- Understand the value of AWS Directory Service: it is used to reduce identity management tasks;
- Know the AWS Directory Service directory types. AWS Directory Service offers three directory types: AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also referred to as Microsoft AD; Simple AD; and AD Connector.
- Know the three AWS Directory Service types: Microsoft AD, Simple AD, AD Connector
- Know when you should use AWS Directory Service for Microsoft Active Directory. You should use Microsoft Active Directory if you have more than 5,000 users or need a trust relationship set up between an AWS hosted directory and your on-premises directories.
- Understand when to use AWS Directory Service for Microsoft AD: when you have more than 5,000 users, or when you need a trust relationship between an AWS-hosted directory and your on-premises directories;
- Understand key management. Key management is the management of cryptographic keys within a cryptosystem. This includes dealing with the generation, exchange, storage, use, and replacement of keys.
- Understand the full key lifecycle: generation, exchange, storage, use and replacement of keys.
- Understand when you should use AWS KMS. AWS KMS is a managed service that makes it easy for you to create and control the symmetric encryption keys used to encrypt your data. AWS KMS lets you create keys that can never be exported from the service and which can be used to encrypt and decrypt data based on policies you define.
- Understand the use cases for AWS KMS: KMS is a managed service that helps you create and control the keys that encrypt your data. AWS KMS lets you create keys that cannot be exported from the service and that encrypt and decrypt data according to the policies you define;
- Understand when you should use AWS CloudHSM. AWS CloudHSM helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated hardware security module appliances within the AWS cloud.
- Understand when to use AWS CloudHSM: the service helps an organisation protect its data in the cloud with dedicated hardware security modules;
- Understand the value of AWS CloudTrail. AWS CloudTrail provides visibility into user activity by recording API calls made on your account. This helps you to track changes made to your AWS resources and to troubleshoot operational issues. AWS CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.
- Understand the role of AWS CloudTrail: it gives visibility into activity by recording the API calls made on your account. It helps you track changes to AWS resources, troubleshoot operational issues, and meet internal and external compliance requirements;
- Know the three services of Amazon Kinesis and their use cases. Amazon Kinesis Firehose allows you to load massive volumes of streaming data into AWS. Amazon Kinesis Analytics enables you to easily analyze streaming data real time with standard SQL. Amazon Kinesis Streams enables you to build custom applications that process or analyze streaming data real time for specialized needs.
  - Kinesis Firehose: loads large volumes of data into AWS;
  - Kinesis Analytics: lets you query streaming data with ordinary SQL;
  - Kinesis Streams: helps you build custom applications that process streaming data for specialised real-time needs;
- Know what service Amazon EMR provides. Amazon EMR provides a managed Hadoop service on AWS that allows you to spin up large Hadoop clusters in minutes.
- Understand what EMR provides: a managed Hadoop service that can create a Hadoop cluster in minutes;
- Know the difference between persistent and transient clusters. Persistent clusters run continuously, so they do not lose data stored on instance-based HDFS. Transient clusters are launched for a specific task, then terminated, so they access data on Amazon S3 via EMRFS.
  - Hadoop persistent clusters: data stored on HDFS is not lost because of restarts and the like;
  - Hadoop transient clusters: data stored on HDFS is lost when the cluster restarts;
- Know the use cases for Amazon EMR. Amazon EMR is useful for big data analytics in virtually any industry, including, but not limited to, log processing, clickstream analysis, and genomics and life sciences.
- EMR is used for offline big-data analytics; the main scenarios include, but are not limited to, log processing, clickstream analysis and life-sciences analysis
- Know the use cases for AWS Data Pipeline. AWS Data Pipeline can manage batch ETL processes at scale on the cloud, accessing data both in AWS and on-premises. It can take advantage of AWS cloud services by spinning up resources required for the process, such as Amazon EC2 instances or Amazon EMR clusters.
- AWS Data Pipeline is a scalable cloud service for managing batch ETL. It can access data in the AWS cloud and on-premises, and it makes good use of AWS cloud resources such as EC2 and EMR to augment data processing.
- Know the types of AWS Import/Export services and the possible sources/destinations of each. AWS Snowball is an Amazon-supplied appliance that arrives ready to ship. It can transfer data to and from your on-premises storage and to and from Amazon S3. AWS Import/Export Disk uses your storage devices and, in addition to transferring data in and out of your on-premises storage, can import data to Amazon S3 and Amazon EBS; it can only export data from Amazon S3.
- Understand the AWS Import/Export services:
  - AWS Snowball is a data shipping service; it transfers data between an on-premises data centre and AWS S3.
  - AWS Import/Export Disk uses your own storage devices and can import data into S3 or EBS, but can only export data from S3;
- Understand the basics of AWS OpsWorks. AWS OpsWorks is a configuration management service that helps you configure and operate applications of all shapes and sizes using Chef. You can define an application’s architecture and the specification of each component including package installation, software configuration, and resources such as storage.
- AWS OpsWorks is a configuration management service that manages application software through Chef. You can define an application architecture and specify each component, including package installation, software configuration, and resources such as storage
- Understand the value of AWS CloudFormation. AWS CloudFormation is a service that helps you model and set up your AWS resources. AWS CloudFormation allows organizations to deploy, modify, and update resources in a controlled and predictable way, in effect applying version control to AWS infrastructure the same way you would do with software.
- AWS CloudFormation is a service that helps you build AWS resources. It helps your organisation deploy, modify and upgrade resources in a controlled, predictable way, with support for managing multiple versions;
- Understand the value of AWS Elastic Beanstalk. AWS Elastic Beanstalk is the fastest and simplest way to get an application up and running on AWS. Developers can simply upload their application code, and the service automatically handles all the details such as resource provisioning, load balancing, Auto Scaling, and monitoring.
- AWS Elastic Beanstalk is a fast, simple way to deploy an application to AWS. Developers simply upload their application code, and the service automatically handles all the details, such as resource provisioning, load balancing, auto scaling and monitoring;
- Understand the components of AWS Elastic Beanstalk. An AWS Elastic Beanstalk application is the logical collection of environments, versions, and environment configurations. In AWS Elastic Beanstalk, an application is conceptually similar to a folder.
- An AWS Elastic Beanstalk application is a logical collection of environments, versions and environment configurations; to Elastic Beanstalk, an application is conceptually a folder;
- Understand the value of AWS Config. AWS Config is a fully managed service that provides organizations with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config, organizations can discover existing and deleted AWS resources, determine their overall compliance against rules and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
- AWS Config is a managed service that provides a resource inventory, configuration management and configuration change notifications. With AWS Config, an organisation can discover existing and deleted AWS resources, determine whether they comply with its overall rules, and retrieve the configuration details of a resource at any point in time. These capabilities support compliance auditing, security analysis, resource change analysis and troubleshooting;