Fatskills
Practice. Master. Repeat.
Study Guide: CompTIA Cloud+ CV0-003 Exam: 200+ Most Important Cloud Computing Facts (Domain-Wise)
Source: https://www.fatskills.com/cloud-computing/chapter/comptia-cloud-cv0-003-exam-200-most-important-cloud-computing-facts-domain-wise

CompTIA Cloud+ CV0-003 Exam: 200+ Most Important Cloud Computing Facts (Domain-Wise)

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~24 min read

These are the distilled, key facts about Cloud Computing for the CompTIA Cloud+ exam.

 

Domain 1.0: Cloud Architecture and Design

There are four cloud deployment models: public, private, community, and hybrid cloud.
Cloud computing is offered in three different service models: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).
There are three well-known public cloud platform providers: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).
A hybrid cloud is a construct when both public cloud and a private clouds are used concurrently.
A private cloud is a single-tenant environment where the organization using it (the tenant) does not share resources with other users.
Public clouds are offered by cloud providers over the Internet for consumption by several cloud customers and resources are leveraged in a shared model.
The term community cloud refers to a shared cloud computing environment that is targeted to a limited set of organizations with common set of goals.
Multitenancy implies that customers of a cloud vendor are using the shared computing resources.
Serverless is a cloud-native environment that lets developers to build and run applications without having to manage servers.
The shared security responsibility model defines the responsibilities that a cloud provider will bear versus the responsibilities that a cloud consumer would bear in terms of security for applications, data, containers, and workloads in the cloud.
Business and technical requirements should outline the need for software and hardware specifications in the cloud, including current and future capacity planning.
Cloud templates can be used to automate the creation of different types of cloud resources and typically use a well-defined data format, such as JavaScript Object Notation (JSON) or YAML Ain’t Markup Language (YAML).
Licensing can be of various types in cloud from pay as you go (PAYG) or subscription based to perpetual licensing that is a traditional software licensing model.
Trend analysis allow consumers to understand baselines, patterns, and anomalies.
A baseline is statistical information that demonstrates the system load of a resource when under “normal” usage.
An anomaly occurs when statistical information deviates from that standard or norm.
Performance capacity planning is determining the number of available resources based on performance.
A hypervisor is a process that separates a computer’s operating system and applications from the underlying physical hardware.
Type 1 hypervisors are also called bare metal or native hypervisors and are directly installed to a server’s hardware (e.g., ESXi).
Type 2 hypervisors run on the physical server’s existing operating system. These are also called hosted hypervisors.
An affinity rule establishes a relationship between a VM and a host by telling the hypervisor to keep specific entities together.
An anti-affinity rule establishes a relationship between a VM and a host by telling the hypervisor to keep specific entities separate to keep traffic and workloads balanced on available hosts.
Cloud providers usually oversubscribe their data centers to leverage the spare capacity and offer resources to more customers and, hence, try to maximize their profits.
Regions are geographic locations in which public cloud service provider’s data centers are located.
Availability zones (AZs) are isolated locations (or individual data centers) within the regions.
Containers are packages of essential software that contain all of the necessary elements to run an application or code without all operating system elements. They are much leaner and agile compared to the virtual machines.
Clustered servers provide fault-tolerant systems and high availability for crucial systems.
Load balancing is the process of distributing network traffic across multiple servers and leveraging all available compute capacity as equally as possible across server farms.
Scalability is the ability for a resource to adapt to growing demands.
A cloud resource can be configured for vertical scaling, i.e., by increasing size of the resource’s compute, storage and so on.
Horizontal scaling increases the number of resources by creating new copies of the resources to the pool of resources.
Auto-scaling is the scaling process that happens automatically without human intervention. It can include scaling out (expanding the number of resources in resource pool) and scaling in (reducing the number of resources in the resource pool).
Cloud bursting allows consumers to make use of the resources of a cloud provider by essentially augmenting the ability of the private cloud to scale by using the resources of a public cloud.
Organizations must follow regulations, compliance, and other regulatory specifics while using the cloud.
With a SaaS solution, the entire application is hosted and maintained by the cloud vendor–for example, Salesforce, Dropbox, Gmail, M365, and DocuSign.
With a PaaS solution, the cloud vendor provides a platform that developers can leverage to install or develop a software solution without maintaining the underlying infrastructure.
With an IaaS solution, the cloud vendor provides the infrastructure for consumers to install their operating system or software solution, and consumers are expected to maintain the underlying operating system updates and patches.
An SLA is designed to protect both the cloud vendor and the customer by clearly defining the levels of service that the cloud vendor will provide within the outlined constraints.
In a development environment an organization can develop new software or modify existing software.
Quality assurance is a process in which an organization can test the upgrade procedures against data, hardware, and software that closely simulate the production environment.
A staging environment is a near exact replica of a production environment for software testing.
Blue-green deployment is a methodology for releasing new code into the production environment by reducing risk and minimizing downtime. The old and the new instances of the application run in parallel at the same time in production, and a load balancer switches traffic from the older version to the newer version.
A disaster recovery environment is used specifically if the production environment is compromised to ensure business continuity.
Vulnerability testing, also known as vulnerability assessment, is a process that detects and classifies security loopholes in the infrastructure or applications.
Penetration testing, or pen testing, is a simulated cyberattack in which authorized professional ethical hackers try to break into corporate networks to find weaknesses.
Performance testing is a way to evaluate how responsive a solution is when a certain amount of workload is placed on the solution.
Regression testing aims at testing the existing software applications to make sure that an intended change or any new code addition does not affect any existing functionality.
Functional testing seeks to establish if each application feature works as per the software requirements.
Usability testing aims at evaluating an application or service by testing it with a representative set of pilot users.
Test environments should be isolated from development environments.
Staging environments reduce the risk of introducing issues before solutions are deployed in production.

 

Domain 2.0: Security

 

Identification is the process in which a user provides some sort of value, such as a username, to indicate who he or she is.
A role is a way to grant user accounts access to cloud resources.
Authentication factors are something you are, something you have, something you know, somewhere you are, and something you do.
Privileged access management (also referred to as PAM) is the process of administering the privileged access. The goal is to enforce a security principle called least privilege.
User account life-cycle management goes through three phases: creation of account, updating of account, and deletion of account.
Role-based access control (RBAC) is a method of restricting access to cloud resources based on the roles of individual users within an organization.
Mandatory access control (MAC) is a model of access control whereby access is granted on a need-to-know basis.
Discretionary access control (DAC) is an identity-based access control model that provides users a certain amount of control over their data, where data owners can define the access permissions for specific users or groups of users.
Directory services are designed to store information about an organization. Lightweight Directory Access Protocol (LDAP) is a protocol that is used by directory services.
Multifactor authentication (MFA) is a method of authenticating a user that requires more than one way of verifying the identity of that user–for example, using a password with biometrics (retina scan or palm scan) or pin off a secure token.
Username and password combinations are the most common form of authentication.
Token-based authentication is a strong form of requiring possession of the token item.
A federation system allows accessibility from each domain. Accounts in one area can be granted access rights to any other resource, whether local or remote within the domains.
Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications in an organization by using just one set of credentials.
Security Assertion Markup Language (SAML) offers single sign-on capabilities.
Public key infrastructure (PKI) is the framework of encryption and cybersecurity that protects communications between the server and the client.
PKI relies on asymmetric key cryptography using certificates, which are digitally signed blocks of data issued by a CA.
Cryptographic technology provides for confidentiality, integrity, nonrepudiation, and authentication.
Symmetric key algorithms depend on a shared single key for encryption and decryption. Examples include DES, 3DES, RC5, and AES.
Asymmetric key algorithms use a public key for encryption and a private key for decryption. Examples include the RSA, Diffie-Hellman, El Gamal, and elliptic curve cryptography standards.
Proven, well-known cryptographic technologies should be used in implementations.
Key Management Service (KMS) provides unified key management across multiple cloud providers.
Encryption is a process that scrambles a message such that it can be read only by the intended recipient of the message.
Symmetric encryption leverages the same key to encrypt and decrypt the data.
Asymmetric encryption leverages different keys to encrypt and decrypt the data. One key is referred to as the public key, and the other is called the private key.
Data integrity implies the completeness and consistency of data uninfluenced by external factors from sender to receiver.
Hashing is the process of transforming any given key or a string of characters into another value.
MD5, SHA-1, SHA-2, and SHA-3 are examples of hashing algorithms.
A digital signature verifies digital information such as email messages and confirms that the information originated from the signer and has not been altered. It is an electronic form of signature.
Data classification is the process of organizing data into well-defined categories that represent different types of data, mainly for security purposes. There are usually four classifications for data: public, internal-only, confidential, and restricted.
Legal hold indicates how long specific data must be stored and how it should be made available in the event it is needed.
Versioning is the process of keeping track of file content changes over time. A common example is Git.
Data loss prevention (DLP) is used to detect and prevent data exfiltration or data breaches.
A Cloud Access Security Broker (CASB) is a cloud-based (or on-premises) security software placed between users and cloud services.
Access controls includes MAC, DAC, ABAC, and RBAC.
Regarding logical controls, two models exist for the assignment of permissions and rights: user-based and role- or group-based.
A web application firewall (WAF) protects the application layer and is specifically designed to analyze HTTP(S) requests and responses.
VLAN, VxLAN, and GENEVE are three commonly used network segmentation techniques.
Transport Layer Security (TLS) is a cryptographic protocol used to secure data transfer and authenticate systems.
Layer 2 tunneling protocol (L2TP) performs the tunneling at Layer 2 of the OSI model.
System hardening includes disabling unnecessary ports and services.
Blacklisting is the process of creating a list of servers, sites, or resources that should be blocked from being accessed.
IPsec (IP Security) is a protocol that is designed to allow the transport of data between network nodes in a secure manner via a virtual private network (VPN).
Whitelisting allows the creation of a list of servers, sites, or resources that you want to permit access to.
Tunneling is the process of transporting data securely over a network via an encrypted connection.
Microsegmentation is used mostly with virtual networks and is a security feature that allows administrators to logically divide network resources into groups and apply a different set of security rules to each group.
Vulnerability scanners are tools that can automatically scan resources within your cloud infrastructure looking for vulnerabilities.
A port scanner is a tool that probes network ports on a system to determine which logical ports are open or accepting incoming connections.
Credentialed scans leverage a local user account for credentials on the computer being scanned, which allows the scanner to do a more thorough scanning than without credentials.
Network scanning is targeted to gather information regarding networked and connected computing systems.
An agent-based scan is executed from an application that is installed locally on a system or PC.
A security patch is a specific type of software update that is designed to address a vulnerability.
A rollup is a collection of hot fixes.
A risk register is a document that security professionals and project managers use as part of risk management.
A call tree is used to clearly define who to contact, when to make the contact, and how to contact each person in the event of an incident.
A tabletop is an exercise in which individuals of an incident response team are gathered and presented with a scenario. The goal is to walk through the steps that would be taken to handle the incident.

The SANS Institute has described the following six phases of Incident Response:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned

Containment is the process of ensuring that the systems that have been affected by the incident no longer pose a threat or an issue.
Isolation is the process of separating systems that have been affected by an incident.
The chain of custody is a document that describes how evidence is handled during the lifecycle of evidence gathering.
Root cause analysis is part of the postincident process that helps determine the primary cause of the incident.
A proxy server is a system that facilitates the communications between a client and a server.
SNMP utilizes two primary components: SNMP agents and the SNMP manager.
The Syslog protocol allows devices to send log messages to a Syslog server.
Log automation is the process of automatically performing an action based on a specific log entry.
A baseline is an established norm that can be used to determine any deviations from normal.
Tagging is a feature in which metadata is applied to cloud resources for better cost and resource management.
An intrusion protection system (IPS) both monitors for intrusions and can take action if an intrusion is detected.
An intrusion detection system (IDS) is designed to determine whether an intrusion has occurred on a network or a host. It can only generate alerts.
A host-based IDS (HIDS) is installed on systems and monitors the state of the system itself.
A hardened baseline is a set of requirements for each system you deploy.
When software is released, either internally or externally, the release is referred to as a build.
In a canary release, new features are released to a specific set of Beta testers.
An application programming interface (API) is a mechanism used to provide integration between client/server or different software.
File-system encryption refers to encrypting the data at rest.
Endpoint detection and response (EDR) software offers protection from malware for endpoints.
In Linux every file and directory has standard permissions, also called read, write, and execute permissions.
Cloud and operating system user accounts can be merged together into a group.
An account lockout policy defines the situations in which, an account is locked.
 

Domain 3.0: Deployment
 

Google Drive, Microsoft OneDrive, and Dropbox are examples of file subscription services.
Cloud vendors like RingCentral, Vonage, and Microsoft 365 Business Voice provide VoIP service. This service is considered as Communication as a Service (CaaS).
Cloud-based SaaS email providers include Microsoft Outlook, Zoho Mail, Yahoo! Mail, and Gmail.
A virtual desktop infrastructure (VDI) leverages the power of a virtual machine to provide virtual desktops to users.
A solution template may be designed to deploy a non-OS resource in the cloud.
NAT acts as a liaison between an internal network and the Internet across a routing device. It allows multiple computers to connect to the Internet using one IP address.
Network segregation, isolation, and segmentation are effective controls an organization can implement to mitigate the effect of a network intrusion.

Commonly used services and associated ports include the following:
- 15: Netstat
- 20 and 21: FTP
- 22: SSH/SFTP/SCP
- 23: Telnet
- 25: SMTP
- 53: DNS
- 80: HTTP
- 389: LDAP
- 443: HTTPS
- 636: LDAPS
- 989 and 990: FTPS
- 3389: RDP

In a cloud environment there are three types of storage resources: block, file, and object.
A storage-area network (SAN) is a network-accessible storage device designed for highspeed access to block storage.
Network-attached storage (NAS) is a file-based storage device.
A bucket is the container that is used to “hold” your object data.
Flash storage is any storage that is placed on a solid-state drive (SSD).
Spinning disks, also called magnetic drives, are traditional hard drives in which data is stored on rapidly spinning platters that are coated with a magnetic material.
Long-term storage typically refers to tape storage or cold storage.
NFS works by sharing a local file system (or part of a file system) using a collection of NFS server daemons.
Common Internet File System (CIFS) is a distributed file system protocol created by Microsoft. This protocol allows a user or administrator to share part of a file system.
Internet Small Computer System Interface (iSCSI) is a protocol that allows communication to block devices across the network.
Fibre Channel (FC) is a protocol that is designed to provide high-speed data transfer of storage devices. It can be used to connect systems to SANs, iSCSI, and local data storage.
Redundant Array of Independent Disks (RAID) is a way of storing the same data on multiple hard disks or solid-state drives to protect data in the case of a drive failure. RAID levels 0, 1, 5, 6, and 10 are available.

RAID organizes multiple disks into a large, high-performance logical disk:
- RAID 0: Striped disk array without fault tolerance
- RAID 1: Mirroring and duplexing
- RAID 5: Independent data disks with distributed parity blocks
- RAID 10: RAID 1 and RAID-0; requires a minimum of four disks

Compression is the process of reducing the size of a piece of data using a mathematical algorithm.
Data deduplication is the process of ensuring there is no redundant data within a storage resource.
Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically provides a client with its IP address as well as other related configuration information such as the subnet mask, default gateway, and (optionally) DNS server address.
IP Address Management (IPAM) is a suite of tools to enable end-to-end planning, deploying, managing, and monitoring of the IP address infrastructure.
Network Time Protocol (NTP) synchronizes the time of a computer client or server to another server or within a few milliseconds of stratum.
The Domain Name System (DNS) translates human-readable domain names (for example, www.hotmail.com) to machine-readable IP addresses.
Fully qualified domain name (FQDN) is the domain name of a host starting from the top of the DNS structure.
A top-level domain (TLD) is the last segment of a domain name–the part that comes after the final dot (e.g., in hotmail.com, .com is the TLD).
A subdomain is any domain that is a component of a larger domain; e.g., sales.onecoursesource.com is a subdomain across the domain onecoursesource.com.
An authoritative name server is one that returns results based on information stored locally on the system.
A Content Delivery Network (CDN) is a geographically distributed network of servers that help in content distribution to users with minimal latency.
A virtual private network (VPN) is a service that allows for a virtual network over a public network by creating an encrypted tunnel between source and destination. There are site-to-site, point-to-site, and client VPN options.
By using subnetting, a single class’s (A, B, C, D) IP address can be used to have smaller subnetworks that provide better network management capabilities.
Classless interdomain routing (CIDR) provides the flexibility of borrowing bits from the host part of the IP address and using them as Network in the network part of the subnet.
A cloud firewall is a resource that performs the same function as a regular firewall would on-premises. Cloud firewalls are commonly deployed in a VPC or a VNet.
A virtual private cloud (VPC) is a feature provided by cloud vendors like Google Cloud and AWS; it allows you to create a virtual network within your cloud account. Microsoft Azure’s equivalent to VPC is called Azure Virtual Network (VNet).
Virtualization allows you to place multiple operating systems on a single hardware platform or server.
Multithreading refers to the capability of a CPU core to execute multiple threads simultaneously.
A graphics processing unit (GPU) is a processor designed to handle graphics rendering data.
A hyperconverged infrastructure (HCI) combines servers and storage into a distributed infrastructure platform with software to create flexible building blocks for modern data centers.
Memory ballooning is a memory management feature used in virtualization platforms; it allows a host system to enlarge its pool of memory by leveraging unused memory by virtual machines.
Physical-to-virtual (P2V) migration refers to the migration of operating systems that reside on physical systems on-premises to the virtual environment in the cloud.
Virtual-to-virtual (V2V) migration refers to the lift and shift of virtual machines that reside on-premises to the virtual environment in cloud.
In vendor lock-in (also called proprietary lock-in) a customer deploys a resource in the cloud that is dependent on software or features that are only provided by a specific cloud vendor.
An access control list (ACL) is used to determine who is able to access a specific resource within your cloud environment. For example, a network access control list (NACL) can include a list of IP addresses or IP networks that are permitted to access resources in a VPC or VNet.
Cloud migrations can include migration of operating systems, databases, applications, virtual machines, containers, and much more.
 

Domain 4.0: Operations and Support

 

The performance of network is a critical component to ensure smooth operations in a cloud setup.
A jumbo frame is an Ethernet frame with a payload greater than the standard maximum transmission unit (MTU) of 1500 bytes.
Network latency is a measurement of how long it takes for a network packet to travel from the sender source to the receiver.
Multiprotocol Label Switching (MPLS) offers faster packet switching using labels instead of IP addresses over provider networks.
A software-defined network (SDN) decouples the network management operations (control plane) from the network forwarding (data plane) operation, which provides several advantages: centralized management, service insertion, agility, elasticity, and more.
Edge computing is a distributed architecture in which client data is processed at the periphery of the network, as close to the source of data as possible.
In context to software releases, in N-1, N refers to the most recent stable release of software, and N-1 refers to the previous most recent stable release of the software.
Colocation is a data center type in which a vendor provides equipment and space to an organization and the data center is often shared with other organizations.
Original equipment manufacturer (OEM) device drivers and firmware are software programs written by the vendor that manufactures the hardware device.
Roadmaps provide a timeline for the implementation of the product from start to finish.
Asset management ensures that all assets of an organization are managed in a structured manner.
With an active-passive upgrade, the upgrade is deployed to the active environment, and the passive environment is not changed.
In context of the cloud, capacity refers to the amount of availability of a specific resource, like network bandwidth, storage space, or compute power.
Upgrading a system is the process of enhancing an existing system to provide more features or better performance.
Migrating a system is the process of moving a resource from one physical location to another.
Rolling upgrades is the process of frequently providing updates to software.
A dashboard is a web-based graphic that provides you insight into your cloud environment.
Infrastructure as Code (IaC) is a process in which configuration files or scripts can be leveraged to deploy and manage resources, including virtual machines and containers. Terraform is a popular IaC tool.
Continuous integration (CI) and continuous deployment (CD) are two processes that, when combined, result in rapid and continuous release of software.
Version control software can handle the complicated task of maintaining different versions of source code; the most popular example is Git.
Configuration management (CM) is a systems engineering process for establishing and maintaining consistency of a product’s performance, based on a computer-readable configuration file in conjunction with a configuration management tool such as Ansible.
A playbook is a configuration file that is used to configure an instance or pipelines.
The process of deploying instances that relate to one another in a specific order is called orchestration sequencing.
An incremental backup includes all files that have changed since the last incremental or full backup.
A differential backup includes any files since the last full backup.
A full backup includes everything from the source that is backed up.
A snapshot provides a frozen image of the file system at the moment that the snapshot was created.
Data about data is metadata.
Retention defines how long backups should be stored before they are deleted.
A backup schedule defines how often you back up your data and what type of backup is performed.
A recovery point objective (RPO) designates the amount of data that will be lost or will have to be reentered due to network downtime.
A recovery time objective (RTO) designates the amount of actual time that can pass before the disruption begins to seriously impede normal business operations.
Mean time between failure (MTBF) is the average time before a product requires repair.
Mean time to recovery (MTTR) is the average time it takes to recover from a failure.
After a failover has occurred, it is important to recover restore the original system and revert the service back to the original system. This process is called failback.
To have a valid redundant resource, you need to replicate the active resource often enough to support your RPO.
A hot standby site is always available for immediate failover and this type of standby site provides the quickest availability.
A cold standby site needs to be provisioned before it is available because the backups must be used to restore services.
A disaster recovery (DR) kit includes all of the resources and tools needed to perform all of the operations of your disaster recovery plan.

 

Domain 5.0: Troubleshooting
 

Troubleshooting is based on very specific steps that you should follow:
- Identify the problem.
- Establish a theory.
- Test the theory.
- Establish a plan of action.
- Verify full system functionality.
- Document the findings.
Usually, organizations follow a Least Privilege policy in which user accounts are given only the access a user needs.

The following table identifies common REST API status codes:

Category and Code

Description

200

OK

201

Created

202

Accepted

204

No Content

400

Band Request

401

Unauthorized

403

Forbidden

404

Not Found

500

Internal Server Error

 

A network security group is designed to provide protection to a cloud network.
Some ciphers are no longer considered to be secure because the algorithm used to perform the encryption is vulnerable to hacking attempts–for example, DES, 3DES, RC4, and AES with CBC encryption cipher.
A cloud service provider (CSP) is the vendor that provides cloud services. A managed service provider (MSP) and CSP can be same for some customers because they manage the resources and offer cloud services.
In terms of networking, performance degradation refers to a decrease in response speed on the network.
Network latency refers to delays in communication across a network.
Jitter is the difference in the delay between packets.
Automation scripts provide a powerful means of automating the process of implementing resources in the cloud.
Tags in the cloud are used to classify resources based on their type or to group them for pricing purposes.
Integrating applications is an ongoing process as more applications move to the cloud and need integration with existing systems on-premises or in the cloud.

Automation (supporting) tools include
- Git: A software version control tool
- Gradle: A software build tool
- Jenkins: A build management tool
- Docker: A tool for managing containers
- Chef: A configuration management tool
- Ansible: Another configuration management tool

A deprecated feature implies that a cloud vendor may decide to leave it enabled but doesn’t recommend using it anymore and reserves the right to remove it in a future release.
With VPC peering or virtual network peering, a network connection is established between two or more VPCs/VNets.
An incorrectly configured route can result in not being able to send network packets outside the local network.
Static routing doesn’t change after it is has been set, unless the administrator manually changes the configuration.
In dynamic routing, routing paths can change automatically based on algorithms that indicate the best routing path to take.
A firewall is used to either permit or block network traffic based on rules or conditions–for example, the source IP of the network packet or the destination IP of the network packet, or the source/destination port.
Quality of service (QoS) is a feature that prioritizes traffic based on source, destination, type of packets/frames, and so on.
The pingcommand is used to check connectivity between two endpoints.
The traceroutecommand can be used to trace the path from one network to another, over the hops or networks in between leveraging the Internet Control Message Protocol (ICMP) echo packets.
The ipconfig/ifconfig/ipcommands display basic IP network settings for devices.
Packet capture (performed by a packet sniffer application) is a function that can intercept packets crossing over a specific computer network segment.
Cloud providers offer tools to monitor memory usage for an application, which can help you troubleshoot problems as well as view the metrics for memory utilization.
All cloud providers have a public website that shows the state of their services.



ADVERTISEMENT