FIT5225
Jun 1, 2026
All files
- First, the one sentence to nail down: FIT5225 has no final exam. Your overall mark comes from two invigilated quizzes (15% + 15%) plus two heavy projects (CloudEco 30% + the multicloud group project 40%); the four pieces are independent and cannot rescue each other. So what you need to do now: get the project deployments running as early as possible, and win the quiz marks through distinctions, diagram reading and snippet recognition. [1] Source: asksia-bible-fit5225-bilingual.pdf

FIT5225 . MONASH UNIVERSITY . BILINGUAL EDITION (English lead, Chinese alongside; exam terms kept in English)

There is no final exam. Your mark is two invigilated quizzes (15% + 15%) plus two heavy build/deploy projects - the CloudEco individual app (30%) and a multicloud group deployment (40%). The quizzes are conceptual: concept distinctions, architecture-diagram reading and config-snippet recognition across all twelve weeks. This book drills the distinctions and doubles as your architecture / AWS reference for the builds. Independent study companion. Not affiliated with or endorsed by Monash University. Corrections: takedowns@asksia.ai

PREFACE - HOW TO USE THIS BOOK
Distinctions, not memory; diagrams, not dumps. The quizzes are conceptual - tell the models apart, read the diagram, recognise the snippet.

This is not a transcript of the lecture decks or a re-run of the labs. It is a self-contained course in the concepts FIT5225 examines - each idea stated plainly, each architecture shown as an original schematic, every classic confusion flagged. You learn the hands-on build in the CloudEco and multicloud projects; the quizzes test whether you can tell two things apart, read a labelled diagram and reason about a small config snippet. That is exactly what these pages drill.

A . LEARN the stack. You haven't done the topic yet. Read a chapter top to bottom. Every idea opens with a one-line TL;DR, then define - diagram - explain - worked example - trap. The figures are original schematics of standard cloud architecture - learn the picture cold, because the quizzes show you one.

B . COMPARE the trade-offs. You've seen the lecture. Cover the comparison tables and re-derive each row - VM vs container, Type-1 vs Type-2, IaaS/PaaS/SaaS, SG vs NACL, User Pool vs Identity Pool. The quiz pays for the distinction, not the definition you can half-remember.

C . BUILD the projects. It's project time. Use the AWS / architecture chapters as a reference: match the need to the service, justify the design, read your own diagram back. The blueprint overleaf shows the weights and exactly what each quiz tests.

FIT5225 . Cloud Computing and Security . AskSia Library

[2] Source: asksia-bible-fit5225-bilingual.pdf

The one spine that runs the whole unit. FIT5225 climbs a single ladder of abstraction: physical machine - virtual machine - container - orchestrated container - managed service - function. At each rung you give up control of more of the stack and focus more on your application - and a shared-responsibility line moves up with you, deciding who secures what. Internalise that one ladder and most of the course's distinctions fall out of it automatically.

THE LADDER OF ABSTRACTION: metal > VM > container > orchestration > managed service > serverless function. Less control of the stack, more focus on the app; the responsibility line rises with you.

The most important strategic fact about FIT5225. There is no exam to rescue a weak project, and no project to rescue a weak quiz - the four pieces are independent. The 70% of marks in the two projects are won by building and deploying real cloud applications, so start them early; the 30% in the two quizzes is won by crisp recall of distinctions under invigilated, closed conditions. Treat them as two different games: ship the builds, drill the comparisons.

How this book was built - and the two-layer rule. Standard cloud, CS and AWS knowledge is stated plainly (it is canonical - the NIST five characteristics are a published definition, the shared-responsibility split is a fact, a VPC topology is a fact). The unit's own assessment briefs - the CloudEco individual project and the multicloud group project - are paraphrased by system type only, never copied; their per-student model files, FAQ and rubric are course-proprietary. Quiz status: the two tests are invigilated - treat them as closed / no bring-in. Verify weights, dates and quiz instructions on your own Monash Canvas (learning.monash.edu).

THE ASSESSMENT BLUEPRINT - 70% BUILD . 30% QUIZ. No exam - two builds and two quizzes: CloudEco 30% . Multicloud group 40% . Quiz 1 15% . Quiz 2 15%. Your mark is four independent pieces and none of them is a final exam. Seventy per cent is won by building and deploying real cloud applications; thirty per cent is won by two invigilated, conceptual quizzes. Nothing backstops anything - every piece must stand on its own.

The four assessment pieces: 30% A1 CloudEco (solo) . 40% A2 Multicloud (group) . 30% two quizzes (15 + 15) . 0% final exam.

[11] Source: asksia-cheatsheet-fit5225.pdf

FIT5225 Cloud Computing and Security . MONASH UNIVERSITY . FACULTY OF IT . QUIZ REVISION . Sem 1 2026 . SIDE 1 OF 2 . Closed-book study aid . all topics. Quiz revision aid - check the official unit guide for assessment. (Side-panel table residue: SQS = pull / queue model, SNS = push / pub-sub model.)

0 . Quiz Blueprint - READ FIRST. FIT5225 has no final exam: two invigilated quizzes (15% + 15%) plus an individual cloud app project (30%) and a group multicloud build (40%). Treat the quizzes as closed-book - confirm rules in your unit guide. The quizzes love distinctions: pick the right model from a description, read an architecture diagram, recognise a config snippet. Side 1 = concepts & tools (cloud -> VM -> container -> K8s -> REST/SOA). Side 2 = IaC, AWS, serverless, security. Highest-yield comparisons (near-certain): SG vs NACL . containers vs VMs . IaaS/PaaS/SaaS . type-1 vs type-2 . REST vs SOAP . idempotent verbs . AZ vs Region . cold start. When a question describes a scenario, map it to a named model first (which service model? which deployment? stateful or stateless?) - the distractors are always the adjacent term.

1 . Cloud Foundations

[4] Source: asksia-bible-fit5225-bilingual.pdf

What the quizzes actually test - three layers, in order. These are not code-from-blank exams. In order of frequency: (1) concept distinctions - VM vs container, Type-1 vs Type-2, IaaS/PaaS/SaaS, SOAP vs REST, idempotent vs not, SG vs NACL, User Pool vs Identity Pool, cold vs live migration; (2) architecture-diagram reading - a VPC, a K8s cluster, a serverless flow, the shared-responsibility split: what does each box do, what is mismanaged?; (3) config-snippet recognition - a Dockerfile's instruction order, a docker/kubectl command, an IaC block, an IAM/S3 policy JSON, a NACL row. Read and reason, rarely author from scratch.

The strategy this dictates. Because the projects carry the most marks and take the most time, the dominant move is to scaffold the builds in the first weeks - pick services, sketch the architecture, get a deployment working - then iterate. For the quizzes, the cheapest marks are the comparison tables: every 'X vs Y' in this book is a likely question. Learn the row that distinguishes them, not just what each one is.

Quiz status - closed, no bring-in. The two quizzes are invigilated; treat them as closed, with no bring-in of study aids, and check your own quiz instructions. The optional Week-12 case study / Oracle mock interview rewards a different skill - a full architecture diagram and a plain-English benefit pitch to a non-technical 'CEO' - so practise explaining the why, not just the what.

CONTENTS - One ladder of abstraction, twelve weeks: foundations - virtualisation - containers - orchestration - services - AWS - serverless - security.

Part I . Foundations & virtualisation (Weeks 1-2)
1 Cloud foundations & virtualisation: NIST 5 characteristics . IaaS/PaaS/SaaS . shared responsibility . deployment models . economics . hypervisors . Type-1 vs Type-2 . migration
Part II . Containers & orchestration (Weeks 3-4)
2 Containers & Docker: containers vs VMs . Docker engine pipeline . images/layers/union FS . registries . Dockerfile . lifecycle CLI . Compose
3 Container orchestration: Swarm vs Kubernetes . Raft . control plane vs node . Pod/Deployment/Service . declarative desired-state
Part III . Services, IaC & AWS (Weeks 5-8)
4 Web services & SOA: REST vs SOAP . XML vs JSON . idempotent/safe verbs . monolith vs SOA vs microservices
5 IaC & the AWS catalogue
-
1) The spine of the unit: one ladder of abstraction (learn it and many distinction questions answer themselves)
- The single "ladder of abstraction" that runs through all of FIT5225 is:
- physical machine (metal) → VM → container → orchestration (K8s) → managed service → serverless function
- The higher you climb, the less of the underlying stack you control and the more you focus on the application; at the same time the shared-responsibility line moves up with you, so who is responsible for security and for configuration changes with the service model. [2] Source: asksia-bible-fit5225-bilingual.pdf (the "one spine" and "assessment blueprint" passages quoted in full above)

[9] Source: asksia-bible-fit5225-bilingual.pdf

5 IaC & the AWS catalogue: declarative vs imperative . Terraform/CloudFormation/Ansible . EC2/S3/VPC/RDS/DynamoDB/ELB
Part IV . Serverless & security (Weeks 9-11)
6 Serverless & FaaS: Lambda + API Gateway + DynamoDB . event flows . cold start . trade-offs vs EC2
7 Cloud security: CIA . 4 A's . VPC/SG/NACL . Cognito . encryption . defense-in-depth . compliance
Walk in ready
8 Glossary & distinction map: every term . every 'X vs Y', side by side
9 Quiz drill & answers: distinctions, diagram reads, snippet recognition

Why this order. FIT5225 climbs the abstraction ladder in order - the physical machine is virtualised into VMs (W2), VMs give way to lighter containers (W3), containers are orchestrated at scale (W4), exposed as web services (W5), provisioned as code on AWS (W6-8), reduced to functions (W9), and secured throughout (W10-11). We keep that order because the quizzes test the distinctions between adjacent rungs. This three-chapter sample covers the foundation (Weeks 1-3): get virtualisation and containers cold and everything above them is easier.

FIT5225 . Cloud Computing and Security . AskSia Library

CH 1 . CLOUD FOUNDATIONS & VIRTUALISATION (WEEKS 1-2) - What 'the cloud' actually is, and the engine under it. Part I - Weeks 1-2: the bottom two rungs of the abstraction ladder.

"The cloud" is not a marketing word here - it has a precise, published definition. FIT5225 starts by pinning that definition down (the NIST five essential characteristics, the three service models, the four deployment models), then drops one level to the technology that makes it possible: virtualisation. Almost every quiz in this unit opens here, because every distinction above - containers, orchestration, serverless - is defined against these foundations.

TL;DR - the five moves of this chapter. (1) State the NIST definition and its five essential characteristics. (2) Tell IaaS / PaaS / SaaS apart by who manages what. (3) Read the shared-responsibility line - security of vs in the cloud. (4) Name the deployment model (public / private / community / hybrid) and the CapEx-OpEx economics. (5) Drop a level to virtualisation - hypervisors, Type-1 vs Type-2, full vs para, and migration.

1.1 The NIST definition & five essential characteristics
- Your standard routine for every question (MCQ and short-answer alike):
- First map the scenario onto one rung of the ladder: is it a VM? a container? K8s? a managed service? a function?
- Then ask two questions: who manages what (IaaS/PaaS/SaaS)? who is responsible for security (shared responsibility)?
- That is exactly where the examiner's distractors come from: the wrong options are usually the adjacent rung or the adjacent concept. [4] Source: asksia-bible-fit5225-bilingual.pdf ("What the quizzes actually test", quoted in full above); [11] Source: asksia-cheatsheet-fit5225.pdf (Quiz Blueprint, quoted in full above)
-
2) How the quizzes actually examine you: three question shapes, from most to least frequent
- Your materials say it plainly: the two quizzes are not "write code from scratch" but "read and reason". In order of frequency:
- (1) Concept distinctions: the most frequent and the easiest marks
- (2) Architecture-diagram reading: you are given a VPC / K8s / serverless-flow / shared-responsibility diagram and asked to label it and find what is wrong
- (3) Config-snippet recognition: a Dockerfile, a docker/kubectl command, an IaC fragment, an IAM/S3 policy JSON, a NACL row, and so on
[4] Source: asksia-bible-fit5225-bilingual.pdf ("What the quizzes actually test - three layers, in order", quoted in full above)

[3] Source: asksia-bible-fit5225-bilingual.pdf

Glossary entries (two rows captured from the table):
3-2-1 rule - Keep 3 copies, on 2 media, with 1 off-site.
Disaster recovery (DR) - A full duplicate site ready to take over with no degradation; tested ≥ twice yearly.

How to use this glossary in revision. Terms are in teaching order - the same pillar spine the quizzes walk. Two passes: EN-meaning (cover the right column), then meaning-EN (cover the term). The handful to over-learn for the security quiz: SG vs NACL, Cognito User Pool vs Identity Pool, shared responsibility, idempotent HTTP verbs, and container vs VM - they are tested almost verbatim.

FIT5225 . Cloud Computing and Security . AskSia Library

CHAPTER . PRACTICE BANK & WORKED SOLUTIONS - MIRRORS THE 2 QUIZZES
Drill the quiz, FIT5225 style. Twenty fresh items across the three quiz shapes - concept distinctions, diagram reading, config-snippet recognition - each worked.

The one-line takeaway. The two FIT5225 quizzes are not code-writing exams. They test, in order of frequency: (1) concept distinctions, (2) architecture-diagram reading, and (3) config-snippet recognition. This bank gives fresh items in all three shapes, each fully worked. Cover the answer, decide, then check.

Fresh stems - the quiz STYLE, not the quiz. These are AskSia-authored items written in the FIT5225 style; they are not real quiz questions. The standard cloud/AWS facts are canonical. Treat quizzes as invigilated / closed-book - check your own exam instructions.

Q1-Q5 Concept-distinction MCQs
Q1 SG vs NACL concept MCQ
-
3) The high-frequency core comparisons you must over-learn (the near-certain pairs)
The bible and the cheatsheet repeatedly flag the following as high-frequency comparisons or as "tested almost verbatim":
-
3.1 SG vs NACL (one of the three near-certain security-quiz items)
- The "signature differences" to recite in one breath: [5] Source: asksia-bible-fit5225-bilingual.pdf

THE SECURITY CAPSTONE IN ONE BREATH (table; the first row's pillar and control cells were not captured)
Pillar         | Controls                                         | Goal
(not captured) | (not captured)                                   | Who, and what may they do?
Data           | Encryption at rest + in transit, KMS, TLS        | Confidentiality + integrity
Strategy       | Defence in depth, Well-Architected pillar        | No single point of failure
Resilience     | DR, Multi-AZ/regions, 3-2-1 backups, compliance  | Survive failure + meet the law

Goal (CIA) - control (4 A's / encryption / network) - owner (shared responsibility). If you can run that chain on any scenario, the security quiz is yours.

The three near-certain quiz items. (1) SG vs NACL - stateful/stateless, instance/subnet, allow-only vs allow+deny. (2) Cognito User Pool (authn) vs Identity Pool (authz). (3) Shared responsibility - who owns what across IaaS/PaaS/SaaS. Get these three crisp and you have the high-frequency marks.

FIT5225 . Cloud Computing and Security . AskSia Library
CHAPTER . GLOSSARY - EN + 中文
Bilingual glossary - every examinable cloud/security term. English term . Chinese . one-line meaning - grouped by the unit's pillars.

A fast reference for the vocabulary FIT5225 actually examines, ordered along the unit's pillar spine - foundations - virtualisation / containers - orchestration - web services / SOA - AWS - serverless - security. The Chinese column is filled in the bilingual build; for now cover the right-hand meaning and recite from the term, then flip and recall the term from the meaning.

Term (EN) | 中文 | One-line meaning
Cloud foundations

[6] Source: asksia-bible-fit5225-bilingual.pdf

Q20 DOCKER RUN COMMAND - snippet read. What does this command do, flag by flag?

    docker container run -d -p 80:8000 --name web myapp:latest

FIT5225 . Cloud Computing and Security . AskSia Library
Q18-Q20 Worked answers - snippets
Q18. The Allow lets the App role GetObject (read) any object in the reports bucket. The explicit Deny blocks everyone (Principal: *) from all S3 actions on reports/secret/*. Because an explicit Deny always overrides any Allow, even the App role cannot read the secret/ prefix - it can read everything else in the bucket.
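The decision rule Q18 rests on, as an added example (not code from the bible, the cheatsheet or the unit): a toy Python evaluator for a bucket policy in the Q18 shape. The role ARNs, account id, bucket name and object keys are constructed for illustration. The toy ignores condition keys, NotAction/NotResource, SCPs and the merging of identity and resource policies, so it demonstrates only the ordering that matters here: an explicit Deny wins wherever it sits, then any matching Allow grants, otherwise the request is implicitly denied.

```python
"""Toy IAM/S3 policy evaluator for the Q18 pattern (added example, not from the
bible or cheatsheet). ARNs, account id and keys are constructed for illustration."""
from fnmatch import fnmatchcase

APP_ROLE = "arn:aws:iam::123456789012:role/App"        # hypothetical principal
OTHER_ROLE = "arn:aws:iam::123456789012:role/Analyst"  # hypothetical principal
BUCKET = "arn:aws:s3:::reports"                        # hypothetical bucket ARN

# Constructed bucket policy with the Q18 shape: broad Allow, narrow explicit Deny.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": APP_ROLE},
         "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"},
        {"Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": f"{BUCKET}/secret/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller):
    """'*' means everyone; {"AWS": ...} lists one or more principal ARNs."""
    if principal == "*":
        return True
    arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
    return any(arn == "*" or arn == caller for arn in arns)


def _action_matches(patterns, action):
    # Action names are matched case-insensitively; '*' and '?' are wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # S3 object keys are case-sensitive, so resource ARNs are compared as written.
    return any(fnmatchcase(resource, p) for p in _as_list(patterns))


def evaluate(policy, caller, action, resource):
    """Return 'Allow' or 'Deny' for one request against one policy document."""
    allowed = False
    for st in policy["Statement"]:
        if not (_principal_matches(st.get("Principal", "*"), caller)
                and _action_matches(st["Action"], action)
                and _resource_matches(st["Resource"], resource)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"          # explicit Deny overrides any Allow, before or after it
        allowed = True             # remember the Allow but keep scanning for a Deny
    return "Allow" if allowed else "Deny"   # nothing matched: implicit deny


def q18_table(policy=POLICY):
    """The four cases a quiz stem would ask about, as {label: decision}."""
    cases = {
        "App reads reports/2026/q1.pdf":     (APP_ROLE, "s3:GetObject", f"{BUCKET}/2026/q1.pdf"),
        "App reads reports/secret/pay.csv":  (APP_ROLE, "s3:GetObject", f"{BUCKET}/secret/pay.csv"),
        "App writes reports/2026/q1.pdf":    (APP_ROLE, "s3:PutObject", f"{BUCKET}/2026/q1.pdf"),
        "Analyst reads reports/2026/q1.pdf": (OTHER_ROLE, "s3:GetObject", f"{BUCKET}/2026/q1.pdf"),
    }
    return {label: evaluate(policy, *args) for label, args in cases.items()}


if __name__ == "__main__":
    for label, decision in q18_table().items():
        print(f"{label:36} -> {decision}")
```

Reversing the statement order gives the same answers, which is the point a quiz distractor usually probes: position in the document never promotes an Allow above a Deny.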
Q19. The request reaches the DB: rule 100 allows inbound TCP 3306 from the web subnet 10.0.1.0/24. The return traffic is BLOCKED, however - a NACL is stateless, so the reply (going outbound to the web tier's ephemeral ports) needs its own outbound ALLOW rule, which isn't shown. Without an outbound rule for ports 1024-65535 back to 10.0.1.0/24, the connection silently fails. (A Security Group, being stateful, would have allowed the return automatically.)
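The Q19 failure mode, together with the Security Group contrast the worked answer draws, as an added example (not from the bible, the cheatsheet or the unit materials): a small Python simulator with a stateless NACL (numbered rules, lowest number first, first match wins, implicit deny at the end) and a stateful security group (allow-only rules plus connection tracking). The subnet, addresses, ports and rule numbers are constructed to mirror the Q19 stem; the simulator does not model ICMP, source-port matching or AWS's default allow-all SG outbound rule, because the point is what connection tracking does on its own.

```python
"""NACL (stateless) vs Security Group (stateful) simulator for the Q19 scenario.
Added example; subnet, IPs, ports and rule numbers are constructed, not the quiz's."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reply(self):
        """The response packet: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number (evaluation order); ignored for SG rules
    proto: str       # "tcp", "udp" or "all"
    port_from: int   # destination port range the rule covers
    port_to: int
    cidr: str        # remote side: source for inbound rules, destination for outbound
    action: str      # "ALLOW" or "DENY" (SG rules are ALLOW only)


def _matches(rule, pkt, direction):
    peer = pkt.src if direction == "inbound" else pkt.dst
    return (rule.proto in (pkt.proto, "all")
            and rule.port_from <= pkt.dport <= rule.port_to
            and ip_address(peer) in ip_network(rule.cidr))


def nacl_decision(rules, pkt, direction):
    """Stateless: lowest number first, first match wins, implicit '*' DENY at the end.
    Every packet in every direction, replies included, is judged on its own."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt, direction):
            return rule.action
    return "DENY"


class SecurityGroup:
    """Stateful: allow-only rules plus connection tracking, so the reply to an
    allowed request passes without any rule in the reverse direction."""

    def __init__(self, inbound, outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._tracked = set()

    def decide(self, pkt, direction):
        if pkt.reply() in self._tracked:        # reply to a connection already allowed
            return "ALLOW"
        rules = self.inbound if direction == "inbound" else self.outbound
        if any(_matches(r, pkt, direction) for r in rules):
            self._tracked.add(pkt)
            return "ALLOW"
        return "DENY"


# Constructed Q19 scenario: web tier 10.0.1.0/24 -> DB 10.0.2.10:3306. The reply heads
# back to an ephemeral port, so it must pass the DB subnet's OUTBOUND NACL rules.
WEB_SUBNET = "10.0.1.0/24"
REQUEST = Packet(src="10.0.1.25", sport=45000, dst="10.0.2.10", dport=3306)
DB_NACL_INBOUND = [Rule(100, "tcp", 3306, 3306, WEB_SUBNET, "ALLOW")]
DB_NACL_OUTBOUND_SHOWN = []                                       # as in the stem: nothing
DB_NACL_OUTBOUND_FIXED = [Rule(100, "tcp", 1024, 65535, WEB_SUBNET, "ALLOW")]


def q19(outbound_rules):
    """(request decision, reply decision) through the DB subnet's NACL."""
    req = nacl_decision(DB_NACL_INBOUND, REQUEST, "inbound")
    rep = nacl_decision(outbound_rules, REQUEST.reply(), "outbound")
    return req, rep


def q19_with_sg():
    """Same traffic through a Security Group holding only an inbound 3306 rule."""
    sg = SecurityGroup(inbound=[Rule(0, "tcp", 3306, 3306, WEB_SUBNET, "ALLOW")])
    return sg.decide(REQUEST, "inbound"), sg.decide(REQUEST.reply(), "outbound")


if __name__ == "__main__":
    print("NACL as shown            :", q19(DB_NACL_OUTBOUND_SHOWN))   # ('ALLOW', 'DENY')
    print("NACL + ephemeral outbound:", q19(DB_NACL_OUTBOUND_FIXED))   # ('ALLOW', 'ALLOW')
    print("Security group           :", q19_with_sg())                 # ('ALLOW', 'ALLOW')
```

The two things to take from the run: the NACL drops the reply not because any rule says DENY but because no outbound rule matches an ephemeral destination port, and an explicit DENY with a lower number than rule 100 would win on the request too, which the SG cannot express at all.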
3 Q20. docker container run creates + starts a container from myapp : latest. - d = detached (runs in the background as a daemon); - p 80 : 8000 = maps host port 80 to container port 8000 (host:container); - - name web = names the container web for easy reference. So the app, listening on 8000 inside, is reachable on port 80 of the Docker host.
Q20。docker container run 从 myapp:latest 创建并启动一个容器 。- d =detached(作为守护进程在后台运 行) ;- p 80:8000 =把主机端口 80 映射到容器端口 8000 (host:container); -- name web =把容器命名为 web 以 便引用。所以那个在内部监听8000 的应用,可在 Docker 主机的端口 80 上访问。
Across all 20: name the distinction, read the diagram for right-subnet / missing-NAT / illegal- transitive-peering, and read each snippet line by line. That is the whole quiz.
贯穿全部 20 题:说出区别,看图找 正确 subnet/缺失 NAT/非法传递 peering,并逐行读每个片段。这就是整场测 验。
FIT5225 . THE PATTERN BEHIND EVERY QUIZ ITEM
★ The highest-yield recognition facts
(1) Explicit Deny > Allow in IAM. (2) A stateless NACL needs a separate outbound rule for return traffic; a stateful SG does not. (3) Dockerfile layer order (deps before source) for caching. (4) -p host:container port mapping. (5) kubectl apply -f = declarative desired state.
FIT5225 . Cloud Computing and Security . AskSia Library
THE COMPLETE STUDY BIBLE - Cloud Computing & Security . AskSia Study Bible . Faculty of IT . Master of IT . Semester 1, 2026 . on-demand, over the network. Learn the stack, compare the trade-offs, build the projects - every distinction the quizzes love, on one spine.
[27] Source: asksia-cheatsheet-fit5225.pdf
Layered security so no single failure is fatal: a strong identity foundation, least privilege, traceability, security at all layers (VPC + SG + NACL), automate best practices, protect data in transit & at rest, keep people away from data, prepare for events.
IR lifecycle: Prevent -> Detect -> Respond -> Recover -> Learn. Threats: MitM, DoS/DDoS, phishing, VM escape/hopping. Detection = logging + centralised analysis + actionable events (playbooks) + automated response.
23. Backup & Compliance - 3-2-1 rule: 3 copies, 2 media, 1 offsite. DR site = full duplicate (no degradation), test at least twice a year; AES-256 offsite backups kept 30 days. Data remanence -> DoD 5220.22-M / NIST sanitisation. AZs separate faults; regions give compliance & reliability.
Regimes: HIPAA (health), PCI-DSS (card), GDPR (privacy). Standards: ISO 27001/27002, NIST SP 800-144/145, ITIL, Cloud Security Alliance. Data may reside cross-border - compliance is a top cloud risk alongside loss of governance and provider lock-in. KPMG data life cycle: Generate -> Use -> Transfer -> Transform -> Store -> Archive -> Destroy. Threats are ranked by impact/criticality, often via attack trees.
24. Quiz Traps - DON'T LOSE MARKS (trap -> answer)
- stateful firewall -> SG (not NACL)
- subnet-level + deny -> NACL
- no guest OS -> container
- safe to retry -> idempotent (GET/PUT/DELETE)
- POST called twice -> two resources
- geographic area -> Region (not AZ)
- SG (Security Group) is stateful: once inbound traffic is allowed, the return traffic is allowed automatically
- NACL is stateless: an inbound allow does not mean the reply can get out; the reply needs its own outbound ALLOW rule (usually the ephemeral range 1024-65535)
- Scope: an SG is applied at the instance/ENI level; a NACL at the subnet level (questions often signal NACL with "subnet-level + deny") [27]
- Rule capability: a NACL has both allow and deny rules, evaluated lowest number first; an SG is allow-only (anything not explicitly allowed is implicitly denied) [5]
- Typical "snippet reasoning" trap (you must be able to explain why): the Q19 NACL row above - rule 100 allows inbound 3306, but the reply is dropped because no outbound rule covers the web subnet's ephemeral ports.
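Q19 and the SG vs NACL bullets above describe the same failure from two sides. As an added example (not from the course materials), the simulation below judges the MySQL request and its reply first with a stateless NACL, once with only the inbound rule the diagram shows and once with the missing outbound ephemeral-port rule added, then with a stateful Security Group that has no outbound rules at all and still passes the reply because it tracked the connection. Addresses, ports, rule numbers and the packet records are constructed; the SG here is given no outbound rules on purpose so that connection tracking is the only thing letting the reply out (a real default SG allows all outbound).

```python
"""Stateless NACL vs stateful Security Group for the Q19 round trip.
Added example, not from the course materials; subnets, hosts, ports and
rule numbers are constructed to match the question's shape."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WEB_SUBNET = "10.0.1.0/24"
EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class Packet:
    src: str
    src_port: int
    dst: str
    dst_port: int
    direction: str  # "in" (towards the DB tier) or "out" (leaving it)


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; lowest matching number wins
    direction: str   # "in" or "out"
    cidr: str        # remote side: source for "in", destination for "out"
    ports: tuple     # inclusive destination-port range (low, high)
    action: str      # "allow" or "deny"

    def matches(self, pkt):
        remote = pkt.src if pkt.direction == "in" else pkt.dst
        return (self.direction == pkt.direction
                and ip_address(remote) in ip_network(self.cidr)
                and self.ports[0] <= pkt.dst_port <= self.ports[1])


def nacl_decision(rules, pkt):
    """Stateless: every packet is judged on its own, in rule-number order,
    falling through to the implicit final deny ('*')."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful and allow-only: an accepted inbound flow is remembered so
    its reply passes without any outbound rule."""

    def __init__(self, inbound_rules):
        self.inbound = inbound_rules
        self.flows = set()  # (client_ip, client_port, server_port)

    def decision(self, pkt):
        if pkt.direction == "in":
            if any(r.matches(pkt) for r in self.inbound):
                self.flows.add((pkt.src, pkt.src_port, pkt.dst_port))
                return "allow"
            return "deny"
        if (pkt.dst, pkt.dst_port, pkt.src_port) in self.flows:
            return "allow"  # reply to a tracked connection
        return "deny"       # this demo SG has no outbound rules


# Web tier 10.0.1.20 opens TCP 3306 to the DB 10.0.2.5 from ephemeral 51234.
REQUEST = Packet("10.0.1.20", 51234, "10.0.2.5", 3306, "in")
REPLY = Packet("10.0.2.5", 3306, "10.0.1.20", 51234, "out")

# Exactly what the Q19 diagram shows: rule 100 inbound only.
SHOWN_RULES = [Rule(100, "in", WEB_SUBNET, (3306, 3306), "allow")]
# The fix: an outbound rule back to the web subnet's ephemeral ports.
FIXED_RULES = SHOWN_RULES + [Rule(100, "out", WEB_SUBNET, EPHEMERAL, "allow")]


def nacl_round_trip(rules):
    """(request verdict, reply verdict) under a NACL rule set."""
    return nacl_decision(rules, REQUEST), nacl_decision(rules, REPLY)


def sg_round_trip():
    """(request verdict, reply verdict) under an inbound-only SG."""
    sg = SecurityGroup([Rule(0, "in", WEB_SUBNET, (3306, 3306), "allow")])
    return sg.decision(REQUEST), sg.decision(REPLY)
```

Because NACL rule numbers are evaluated lowest first, a Deny numbered below 100 for the same subnet and port silently beats the Allow the diagram shows, which is the other half of the "subnet-level + deny" cue.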
3.2 Cognito: User Pool vs Identity Pool (one of the three near-certain security quiz items)
- One-line comparison (in the source's own words):
[5] Source: asksia-bible-fit5225-bilingual.pdf
Security controls table (layer: controls -> goal):
- (row head missing in source) -> Who, and what may they do?
- Data: Encryption at rest + in transit, KMS, TLS -> Confidentiality + integrity
- Strategy: Defence in depth, Well-Architected pillar -> No single point of failure
- Resilience: DR, Multi-AZ/regions, 3-2-1 backups, compliance -> Survive failure + meet the law
Goal (CIA) -> control (4 A's / encryption / network) -> owner (shared responsibility). If you can run that chain on any scenario, the security quiz is yours.
FIT5225 . THE SECURITY CAPSTONE IN ONE BREATH
★ The three near-certain quiz items
(1) SG vs NACL - stateful/stateless, instance/subnet, allow-only vs allow+deny. (2) Cognito User Pool (authn) vs Identity Pool (authz). (3) Shared responsibility - who owns what across IaaS/PaaS/SaaS. Get these three crisp and you have the high-frequency marks.
GLOSSARY - CHAPTER: GLOSSARY 1 (EN + Chinese)
Bilingual glossary - every examinable cloud/security term. English term . Chinese . one-line meaning - grouped by the unit's pillars.
A fast reference for the vocabulary FIT5225 actually examines, ordered along the unit's pillar spine - foundations - virtualisation / containers - orchestration - web services / SOA - AWS - serverless - security. The Chinese column is filled in the bilingual build; for now cover the right-hand meaning and recite from the term, then flip and recall the term from the meaning.
Term (EN) . Chinese . One-line meaning
Cloud foundations
[26] Source: asksia-cheatsheet-fit5225.pdf
Quiz traps (cue -> answer):
- latency on first call -> cold start
- authn vs authz -> user pool vs identity pool
- desired state -> declarative IaC
- sync standby, failover -> Multi-AZ (not replica)
- authn before authz -> user pool first
Fact Belt SIDE 2: SG stateful . NACL stateless . 1 subnet = 1 AZ . Multi-AZ = HA . Read Replica = scale reads . Spot up to 90% off . Reserved up to 75% off . S3 11 nines . DynamoDB = NoSQL, ms . API GW + Lambda + DynamoDB . 3-2-1 backup
asksia.ai/cheatsheet/monash-fit5225 . side 2/2 . AskSia CHEATSHEET SERIES . Compiled by AskSia . mapped to the FIT5225 syllabus
SECURITY GROUP vs NACL
- State: SG stateful - return auto-allowed; NACL stateless - in/out separate
- Level: SG instance/ENI; NACL subnet
- User Pool = authn (authentication): who you are
- Identity Pool = authz (authorization): what you may do (issues temporary credentials, maps onto AWS permissions)
- Exam reflex: authn comes before authz; when a question draws the flow it often asks you to order the steps. [26]
3.3 Shared responsibility (one of the three near-certain security quiz items)
- You must be able to state, per service model, which layers you secure (cheatsheet version):
[29] Source: asksia-cheatsheet-fit5225.pdf
MODEL -> YOU SECURE
- On-prem: everything
- IaaS: OS, runtime, app, data
- PaaS: app + data
- SaaS: config + your data
The provider always owns hardware / virtualisation / networking; you always own your data & IAM config. STRIDE mitigations: Spoofing -> authn, Tampering -> hashing, Repudiation -> logging/audit, Disclosure -> encryption, DoS -> throttling, Elevation -> least privilege. The mantra collapses to: if you can configure it, you secure it. 3W2H frames it: who to protect from, what to secure, when controls run, how to measure and monitor, and how to comply with regulation.
17. VPC - VIRTUAL NETWORK: VPC = a logically isolated private network in AWS - own IP range, subnets, route tables, gateways. Public subnet (web/LB, route to internet) vs private subnet (DB/backend, no route to the IGW). 1 subnet = 1 AZ.
- IGW: VPC <-> internet
- Route tables: direct traffic between subnets
RFC1918 private ranges: 10/8, 172.16/12, 192.168/16. NAT instance (deprecated) = EC2 in public subnet, manual, single point of failure. VPC Peering = direct VPC link (no transitive). VPC Endpoints = reach AWS services privately, no IGW. Flow Logs capture IP traffic for monitoring.
Default VPC = ready to use (all subnets route to internet) vs custom VPC = you configure it. The W10 lab builds a VPC with a public + private subnet, an SG and a NACL - exactly the diagram a quiz will hand you to label. IGW = two-way internet; NAT GW = outbound only (private subnet keeps no inbound exposure). Same-AZ private-IP traffic is free; NAT (per-hour + per-GB) and inter-region transfer are charged, so cost-aware design keeps chatty traffic inside one AZ.
18. Security Groups vs NACLs - SIGNATURE TABLE
REST VS TRANSIT: In transit: SSL/TLS, IPsec, FTPS, SCP. At rest: Symmetric (AES - 256-bit keys today; Triple DES is legacy; fast, one shared key) vs Asymmetric (PKI/public-key, key exchange). Integrity via hash checksums, CRC, MAC, digital signatures.
AWS KMS = managed keys; CloudHSM; user-managed keys; audit key use. S3: SSE-S3 / SSE-KMS / SSE-C. WAF & Shield (DDoS), GuardDuty for detection. Homomorphic encryption = compute on ciphertext (costly). Privacy/compliance: data lineage, provenance, remanence (residual data -> DoD sanitisation), commingling in multi-tenant storage.
22. Defense in Depth - WELL-ARCHITECTED
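The "integrity via hash checksums, CRC, MAC, digital signatures" line above lumps together controls with very different threat models: a checksum or CRC catches accidental corruption, while only a keyed MAC (or a signature) catches an attacker who can rewrite the message and recompute whatever public function the receiver checks. As an added example (not from the course materials), the code below runs the same man-in-the-middle edit against an unkeyed SHA-256 tag and against an HMAC-SHA-256 tag; the key and the transfer message are constructed, and standard-library hmac/hashlib/zlib are used.

```python
"""Integrity controls under two threat models: random corruption vs an
active man-in-the-middle. Added example, not from the course materials;
the key and message are constructed."""
import hashlib
import hmac
import zlib

SECRET_KEY = b"constructed-demo-key-not-for-production"  # would live in KMS
ORIGINAL = b"transfer:to=alice;amount=100"


def checksum_tag(message: bytes) -> bytes:
    """Unkeyed SHA-256: anyone, including the attacker, can recompute it."""
    return hashlib.sha256(message).digest()


def crc_tag(message: bytes) -> int:
    """CRC-32: cheap error detection, zero resistance to an adversary."""
    return zlib.crc32(message)


def mac_tag(message: bytes, key: bytes = SECRET_KEY) -> bytes:
    """HMAC-SHA-256: only a key holder can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def receiver_accepts_checksum(message: bytes, tag: bytes) -> bool:
    return checksum_tag(message) == tag


def receiver_accepts_mac(message: bytes, tag: bytes, key: bytes = SECRET_KEY) -> bool:
    # compare_digest is constant-time, so the check leaks nothing about the tag
    return hmac.compare_digest(mac_tag(message, key), tag)


def tamper(message: bytes) -> bytes:
    """The man-in-the-middle edit."""
    return message.replace(b"amount=100", b"amount=9999")


def mitm_against_checksum() -> bool:
    """Attacker edits the payload and recomputes the public hash.
    Returns True when the receiver accepts the forgery (attack succeeds)."""
    forged = tamper(ORIGINAL)
    return receiver_accepts_checksum(forged, checksum_tag(forged))


def mitm_against_mac() -> bool:
    """Attacker lacks SECRET_KEY, so the best move is to replay the genuine
    tag with the edited payload. Returns True if accepted (attack succeeds)."""
    forged = tamper(ORIGINAL)
    return receiver_accepts_mac(forged, mac_tag(ORIGINAL))


def crc_catches_bit_flip() -> bool:
    """What a CRC is for: one flipped bit in transit changes the CRC."""
    damaged = bytearray(ORIGINAL)
    damaged[5] ^= 0x01
    return crc_tag(bytes(damaged)) != crc_tag(ORIGINAL)
```

A digital signature gives the same tamper detection as the MAC without sharing the secret with every verifier, which is what makes it the right tool once the parties do not trust each other equally.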
- On-prem: you secure everything
- IaaS: you secure OS / runtime / app / data
- PaaS: you secure app + data
- SaaS: you secure the configuration (config) + your data
- Key mantra (in the source's sense): "if you can configure it, you secure it"; the provider always owns hardware / virtualisation / networking, and you always own your data and your IAM configuration. [29]
3.4 Container vs VM (one of the most frequently tested distinction pairs)
- This table is the parent of the quiz questions:
[10] Source: asksia-bible-fit5225-bilingual.pdf
Container vs VM - the table the quiz draws on (Virtual Machines vs Containers)
- Weight: heavyweight vs lightweight
- Virtualises: the hardware vs the OS (OS-level)
- OS: each VM has its own guest OS vs containers share the host OS kernel
- Boot time: minutes vs seconds / milliseconds
- Overhead: CPU >10%, disk I/O >50% vs CPU <5%, near-native I/O
- Isolation: full - stronger, more secure vs process-level - weaker, possibly less secure
! Quiz trap - the security direction
Containers win on weight, boot time and density - but lose on isolation. They share a kernel, so a kernel exploit can cross containers; a VM's hardware-level boundary is stronger. If a question asks for the strongest isolation / most secure, the answer is the VM, not the container. (And you can combine them: run containers inside a VM.)
TL;DR - the five moves of this chapter
[4] Source: asksia-bible-fit5225-bilingual.pdf
★ What the quizzes actually test - three layers, in order
These are not code-from-blank exams. In order of frequency: (1) concept distinctions - VM vs container, Type-1 vs Type-2, IaaS/PaaS/SaaS, SOAP vs REST, idempotent vs not, SG vs NACL, User Pool vs Identity Pool, cold vs live migration; (2) architecture-diagram reading - a VPC, a K8s cluster, a serverless flow, the shared-responsibility split: what does each box do, what is mismanaged?; (3) config-snippet recognition - a Dockerfile's instruction order, a docker/kubectl command, an IaC block, an IAM/S3 policy JSON, a NACL row. Read and reason, rarely author from scratch.
✓ The strategy this dictates
Because the projects carry the most marks and take the most time, the dominant move is to scaffold the builds in the first weeks - pick services, sketch the architecture, get a deployment working - then iterate. For the quizzes, the cheapest marks are the comparison tables: every 'X vs Y' in this book is a likely question. Learn the row that distinguishes them, not just what each one is.
i Quiz status - closed, no bring-in
The two quizzes are invigilated; treat them as closed / no bring-in study aids and check your own quiz instructions. The optional Week-12 case study / Oracle mock interview rewards a different skill - a full architecture diagram and a plain-English benefit pitch to a non-technical 'CEO' - so practise explaining the why, not just the what.
CONTENTS - One ladder of abstraction, twelve weeks
Foundations -> virtualisation -> containers -> orchestration -> services -> AWS -> serverless -> security
Ch . Topic . Core ideas
Part I . Foundations & virtualisation (Weeks 1-2)
1 . Cloud foundations & virtualisation . NIST 5 characteristics . IaaS/PaaS/SaaS . shared responsibility . deployment models . virtualisation economics . hypervisors . Type-1 vs Type-2 . migration
Part II . Containers & orchestration (Weeks 3-4)
2 . Containers & Docker . containers vs VMs . Docker engine pipeline . images/layers/union FS . registries . Dockerfile . lifecycle CLI . Compose
3 . Container orchestration . Swarm vs Kubernetes . Raft . control plane vs node . Pod/Deployment/Service . declarative desired-state
Part III . Services, IaC & AWS (Weeks 5-8)
4 . Web services & SOA . REST vs SOAP . XML vs JSON . idempotent/safe verbs . monolith vs SOA vs microservices
5 . IaC & the AWS catalogue
- VM: heavyweight, virtualises the hardware, each VM has its own guest OS; boots in minutes; stronger isolation
- Container: lightweight, OS-level (shares the host kernel); boots in seconds / milliseconds; higher density but weaker isolation
- The "security direction" trap (memorise): strongest isolation / most secure = the VM, not the container, because containers share one kernel and a kernel exploit can cross them. [10]
3.5 REST vs SOAP + HTTP verbs (safe / idempotent)
- The source is explicit: REST vs SOAP is a high-frequency comparison, and it tests which verbs are safe, which are idempotent, and why POST is not. [4]
[12] Source: asksia-bible-fit5225-bilingual.pdf
kubectl in one table:
- kubectl apply -f f.yaml - declaratively create/update from a manifest
- kubectl get pods / svc / deploy - list objects (current state)
- kubectl describe pod <name> - detailed status / events for one object
- kubectl scale deploy web --replicas=5 - imperatively change replica count
- kubectl logs <pod> / kubectl delete -f f.yaml - read logs / remove objects
★ Exam reflex for any K8s prompt: plane or node? object or Service? desired vs current? (1) Name the component and whether it is control-plane (decides) or worker (runs). (2) Identify the object - Pod (unit), Deployment (scale/rollout), Service (stable LB by label). (3) Remember Kubernetes always drives current -> desired via a watch loop. "Declare the goal, not the steps - then trust the loop to keep reaching it." THE DECLARATIVE DESIRED-STATE REFLEX
WEB SERVICES . FORMATS - CH. WEB SERVICES & SOA - WEEK 5 - Talking between machines, over the web. Week 5: marshalling, REST/SOAP, SOA & microservices (ULO1, ULO2).
A web service lets a client program in one organisation talk to a server in another over HTTP - no human in the loop - to read and change remote resources. To do that, two machines that store data differently must agree on a wire format and a set of operations. Web services are the building block that enables SOA and, ultimately, microservices.
i TL;DR - the four moves of this chapter: (1) Marshalling + a shared format (XML / JSON) move data between unlike machines; URI ⊇ URL/URN name the endpoints. (2) SOAP vs REST - protocol vs architectural style (the big table). (3) HTTP verbs: which are safe, which are idempotent - and why POST is neither. (4) SOA principles -> microservices (API gateway, database-per-service, async queues) and the monolith/SOA/microservices trade-off.
- At minimum, memorise the cheatsheet's "Fact Belt":
[24] Source: asksia-cheatsheet-fit5225.pdf
- desired replica count -> ReplicaSet
Fact Belt SIDE 1: majority > n/2 of nodes to elect a Leader (Raft) . GET/PUT/DELETE idempotent, POST not . container = OS-level, VM = hardware-level . Pod = atomic unit . etcd = state store . IaaS -> PaaS -> SaaS = you manage less
asksia.ai/cheatsheet/monash-fit5225 . side 1/2 . QUIZ REVISION . CLOSED-BOOK
8. Web Services - SOA BUILDING BLOCK: An interface for a program to call a server across the Internet (HTTP) without human supervision; CRUD on resources. Data via XML or JSON (marshalling = flatten to bytes; unmarshalling = reassemble). Building block that enables SOA; language/platform independent.
XML VS JSON: XML - W3C markup, tags describe structure, namespaces (xmlns) + XSD typing, can display data, verbose (bigger/slower). JSON - lightweight, arrays, human-readable, native objects, scalar types, no built-in typing - the easier alternative.
URI ⊇ URL (locator) + URN (name). A web-service endpoint is a URL. Marshalling is needed because machines differ (int size, float format, ASCII vs Unicode) - both ends agree an external data representation. A web service is language- and platform-independent (Java, PHP, .NET, C), which is what lets services written in different stacks interoperate.
7b. K8s API Objects - DECLARATIVE
- Pod - smallest deployable unit (NOT the container); wraps 1+ containers sharing IP/network/volumes; mortal (dies -> new ID/IP); runs on a single node
- Service - stable DNS/IP/port for dynamic pods; load-balances via label selector (L4, no L7)
Declarative kubectl apply -f deploy.yaml vs imperative kubectl run ... You declare desired state; K8s reconciles.
7c. Raft Consensus - LEADER ELECTION: Consensus = machines agree on one source of truth surviving failures (replicated state machine). States: Follower -> Candidate -> Leader.
Followers get heartbeats (AppendEntries). On election timeout (100-500 ms) a follower becomes candidate, increments the term, votes for itself, sends RequestVote. Wins on a majority -> leader. Split vote -> new term, re-elect.
- GET / PUT / DELETE are idempotent
- POST is not idempotent (repeating the call produces additional effects: two resources)
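The safe / idempotent / neither distinction above is easiest to see on a concrete resource collection. As an added example (not from the course materials), the in-memory store below shows GET changing nothing, PUT and DELETE leaving the same state after a second call, POST minting a second resource on retry, and the Idempotency-Key pattern that makes a retried POST safe. The resource shape and the key header name are common practice rather than anything FIT5225 specifies; the ids and bodies are constructed.

```python
"""HTTP verb semantics on a toy REST resource store.
Added example, not from the course materials; resources and keys are
constructed. Idempotency-Key is a widely used client-supplied header,
not part of the unit."""
import copy
import itertools


class ResourceStore:
    """Minimal REST-style collection kept in memory."""

    def __init__(self):
        self.items = {}                   # resource id -> representation
        self._next_id = itertools.count(1)
        self._by_key = {}                 # Idempotency-Key -> resource id

    def get(self, rid):
        # SAFE: read-only, therefore also idempotent
        return copy.deepcopy(self.items.get(rid))

    def put(self, rid, body):
        # IDEMPOTENT but not safe: the client names the id, so N identical
        # PUTs leave exactly what one PUT leaves
        self.items[rid] = dict(body)
        return rid

    def delete(self, rid):
        # IDEMPOTENT: state after the 2nd call equals state after the 1st
        # (the status code may differ, 204 then 404; the resource state does not)
        return self.items.pop(rid, None) is not None

    def post(self, body, idempotency_key=None):
        # NOT idempotent: the server mints a fresh id on every call ...
        if idempotency_key is not None and idempotency_key in self._by_key:
            return self._by_key[idempotency_key]   # ... unless a key dedups the retry
        rid = next(self._next_id)
        self.items[rid] = dict(body)
        if idempotency_key is not None:
            self._by_key[idempotency_key] = rid
        return rid

    def snapshot(self):
        return copy.deepcopy(self.items)


def post_twice():
    """Client retries a POST after a lost response: (1, 2, 2) - two resources."""
    s = ResourceStore()
    first, second = s.post({"name": "report"}), s.post({"name": "report"})
    return first, second, len(s.items)


def post_twice_with_key():
    """Same retry carrying a constructed Idempotency-Key: (1, 1, 1)."""
    s = ResourceStore()
    key = "c0ffee-retry-1"
    first, second = s.post({"name": "report"}, key), s.post({"name": "report"}, key)
    return first, second, len(s.items)


def put_twice():
    """Two identical PUTs: identical state, still one resource -> (True, 1)."""
    s = ResourceStore()
    s.put(7, {"name": "report"})
    after_one = s.snapshot()
    s.put(7, {"name": "report"})
    after_two = s.snapshot()
    return after_one == after_two, len(s.items)


def delete_twice():
    """Second DELETE returns False but the end state is the same -> ((True, False), {})."""
    s = ResourceStore()
    s.put(7, {"name": "report"})
    return (s.delete(7), s.delete(7)), s.snapshot()


def get_is_safe():
    """A GET, even repeated, leaves the snapshot untouched."""
    s = ResourceStore()
    s.put(7, {"name": "report"})
    before = s.snapshot()
    s.get(7)
    s.get(99)
    return s.snapshot() == before
```

The retry-safety row in the quiz-trap table ("safe to retry -> idempotent") is exactly why clients and proxies may transparently repeat GET/PUT/DELETE but must never repeat a bare POST.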
3.6 IaC (Infrastructure as Code) and the whole set of "idempotent / declarative" distinctions
- Definition of IaC: provision data centres / infrastructure through machine-readable definition files rather than clicking through the console.
[20] Source: asksia-cheatsheet-fit5225.pdf
etcd uses Raft so the cluster store survives a manager failure - this is why you run an odd number (3/5) of control-plane nodes. Servers communicate via RPCs; a leader holds office for the duration of its term.
7d. Packaging an App - DESIRED STATE: 1. Package the app as a container image. 2. Wrap it in a Pod. 3. Declare it via a manifest to a higher controller (Deployment). 4. POST the desired state to the cluster via the API server. K8s watch loops then reconcile current -> desired, giving self-healing, scaling and zero-downtime rollouts for free. This declarative model is the unit's recurring theme: you describe the what, not the how. Other controllers: DaemonSet (one pod per node), StatefulSet (stable identity/storage), CronJob (scheduled). Multi-container pod patterns: sidecar, log scraper, service mesh. A Service routes by label selector - it never targets a pod IP directly, since pods are mortal. Containers in one pod talk over localhost ports, sharing the pod's single IP.
Cheatsheet side 2 of 2 - PLATFORM & SECURITY: IaC . AWS catalogue . Serverless/FaaS . CIA . Shared responsibility . VPC . SG vs NACL . IAM . Cognito. Quiz revision aid; check the official unit guide for assessment.
10. Infrastructure as Code - MACHINE-READABLE: IaC = provision data centres through machine-readable definition files, not manual config. Pros: less human error, fast/repeatable, shareable, easy replication. Cons: more upfront knowledge, harder to debug.
[22] Source: asksia-cheatsheet-fit5225.pdf
DECLARATIVE VS IMPERATIVE: Declarative - specify the desired state, the tool finds the actions (Terraform, CloudFormation). Imperative - specify the steps, the tool executes them (Ansible). Idempotency = applying the same config repeatedly converges to the same end state.
OTHER AXES: Mutable (update in place) vs immutable (recreate to change). Agent vs agentless. Push (server pushes via SSH) vs pull (agent fetches). Provisioning tools (Terraform/CFN) stand up infrastructure; config-management tools (Ansible/Chef/Puppet) configure what's inside.
10b. IaC Tools - RECOGNISE THE FILE (tool . style . language): Terraform . declarative . multi-cloud
- The four frequently tested axes (use them to classify tools):
[7] Source: asksia-bible-fit5225-bilingual.pdf
WEEKS 6-8 . RECAP & QUIZ TRAPS - Weeks 6-8 in one screen. The distinctions the class tests reward: memorise the pairs.
The IaC mental model
- IaC = machine-readable definition files, not console clicks.
- Four axes: declarative/imperative, mutable/immutable, agent/agentless, push/pull.
- Idempotency = apply N times -> same end state (safe to re-run).
- Declarative + provisioning = Terraform / CloudFormation; imperative + config = Ansible / Chef / Puppet.
- Multi-cloud -> Terraform/Pulumi; AWS-only -> CloudFormation.
The AWS skeleton
- Region = geography . AZ = isolated data centre . Edge = CDN cache.
- Multi-AZ = HA within a region; Multi-Region = compliance + region-failure.
! The four quiz traps to pre-load
SQS vs SNS: pull queue (one consumer) vs push pub/sub (many subscribers). EBS vs S3: block disk on one EC2 in one AZ vs object store via API, 11 nines. On-Demand vs Spot: unpredictable/safe vs cheap/reclaimable (no stateful work). AZ vs Region: isolated data centre vs whole geography (and Edge is neither).
★ The reference architecture in one line
- declarative / imperative
- mutable / immutable
- agent / agentless
- push / pull
- Definition of idempotency (must be able to say it in one breath):
- apply N times -> same end state (safe to re-run). [7][22]
- Tool comparison (high-frequency): [7][23]
[23] Source: asksia-cheatsheet-fit5225.pdf (excerpt):
10b . IaC Tools RECOGNISE THE FILE
TOOL | STYLE | LANG
Terraform | declar. · multi-cloud | HCL2
CloudFormation | declar. · AWS only | JSON/YAML
Ansible | imperative · cfg mgmt |
Pulumi | imperative · code | TS/Py/Go
Terraform builds an execution plan for approval before applying; multi-cloud (AWS/Azure/GCP). CloudFormation = AWS templates (Resources / Properties / Outputs, e.g. AWS::S3::Bucket); nested/modular. Ansible = SSH push, YAML playbooks (hosts -> roles -> tasks). Pulumi writes IaC in real languages (TS/Go/Python). Idempotency means re-running a plan is safe - it only changes drift.
11 . AWS Global Infra AZ VS REGION
Region = separate geographic area (≥2 AZs). Availability Zone = one+ discrete data centres with redundant power/network, isolated faults. Edge Locations = CDN cache points (CloudFront), 400+. Multi-AZ = high availability (survive a DC failure); multi-Region = compliance/latency/DR. A subnet lives in exactly one AZ; it can't stretch across regions. SIA - Trap: a Region contains AZs. "Redundant power, one+ data centre" = AZ; "geographic area" = Region; "CDN cache near users" = Edge.
11b . Version Control UNDERPINS IAC
IaC files live in a CVS (track changes, revert, branch/merge, redundancy). Types: local (RCS) · centralised (SVN) · distributed (Git, Torvalds 2005). Hosts: GitHub, Bitbucket, GitLab. Terms: trunk/baseline, branch/fork, commit/check-in, checkout, clone, pull/push/fetch, tag - the group project uses a private repo shared with the teaching team.
Why IaC: manual config is error-prone, slow and inconsistent; code is repeatable, reviewable and reduces vendor lock-in. Infrastructure automation more broadly = streamline provisioning, config, deployment and management via code to cut human error at scale.
12 . AWS Compute EC2 PRICING
EC2 = resizable VMs; launched from an AMI (OS+config template). Lifecycle Pending -> Running -> Stopping -> Terminated (cost while Running). Bootstrapping via User Data.
OPTION | SAVE | USE FOR
On-Demand
- Terraform / CloudFormation: declarative + provisioning (Terraform is multi-cloud; CloudFormation is AWS-only)
- Ansible / Chef / Puppet: imperative + config management (more about "what is inside the machine")

3.7 AWS diagram-reading basics: Region / AZ / Edge + "1 subnet = 1 AZ"
- One-line distinctions: [7][23]
- Region = a geographic area (normally made up of several AZs)
- AZ = an isolated data centre (or group of data centres), fault-isolated
- Edge = CDN cache point (CloudFront)
- Hard diagram-reading rules (often used for true/false questions):
- A subnet lives in exactly one AZ (1 subnet = 1 AZ). [21][26]

[21] Source: asksia-cheatsheet-fit5225.pdf (excerpt):
The provider always owns hardware / virtualisation / networking; you always own your data & IAM config. STRIDE mitigations: Spoofing -> authn, Tampering -> hashing, Disclosure -> encryption, DoS -> throttling, Elevation -> least privilege. The mantra collapses to: if you can configure it, you secure it. 3W2H frames it: who to protect from, what to secure, when controls run, how to measure and monitor, and how to comply with regulation.
17 . VPC VIRTUAL NETWORK
VPC = a logically isolated private network in AWS - own IP range, subnets, route tables, gateways. Public subnet (web/LB, route to internet) vs private subnet (DB/backend, no internet). 1 subnet = 1 AZ · IGW - VPC -> internet · Route tables - direct traffic between subnets. RFC1918 private ranges: 10/8, 172.16/12, 192.168/16. NAT instance (deprecated) = EC2 in public subnet, manual, single point of failure. VPC Peering = direct VPC link (no transitive). VPC Endpoints = reach AWS services privately, no IGW. Flow Logs capture IP traffic for monitoring. Default VPC = ready to use (all subnets route to internet) vs custom VPC = you configure it. The W10 lab builds a VPC with a public + private subnet, an SG and a NACL - exactly the diagram a quiz will hand you to label. IGW = two-way internet; NAT GW = outbound only (private subnet keeps no inbound exposure). Same-AZ private-IP traffic is free; NAT (per-hour + per-GB) and inter-region transfer are charged, so cost-aware design keeps chatty traffic inside one AZ.
18 . Security Groups vs NACLs SIGNATURE TABLE
REST VS TRANSIT
In transit: SSL/TLS, IPSec, FTPS, SCP. At rest: Symmetric (AES, Triple DES; ≥256-bit, fast, one shared key) vs Asymmetric (PKI/public-key, key exchange). Integrity via hash checksums, CRC, MAC, digital signatures. AWS KMS = managed keys; CloudHSM; user-managed keys; audit key use. S3: SSE-S3 / SSE-KMS / SSE-C. WAF & Shield (DDoS), GuardDuty for detection. Homomorphic encryption = compute on ciphertext (costly). Privacy/compliance: data lineage, provenance, remanence (residual data -> DoD sanitisation), commingling in multi-tenant storage.
22 . Defense in Depth WELL-ARCHITECTED
Layered security so no single failure is fatal: a strong identity foundation, least privilege, traceability, security at all layers (VPC + SG + NACL), automate best practices, protect data in transit & at rest, keep people away from data, prepare for events. IR lifecycle: Prevent > Detect > Respond > Recover > Learn. Threats: MitM, DoS/DDoS, phishing, VM escape/hopping. Detection = logging + centralised analysis + actionable events (playbooks) + automated response.
23 . Backup & Compliance 3-2-1
3-2-1 rule: 3 copies, 2 media, 1 offsite. DR site = full duplicate (no degradation), test ≥twice/yr; AES-256 offsite backups kept 30 days. Data remanence -> DoD 5220.22-M / NIST sanitisation. AZs separate faults; regions give compliance & reliability. Regimes: HIPAA (health), PCI-DSS (card), GDPR (privacy). Standards: ISO 27001/27002, NIST SP 800-144/145, ITIL, Cloud Security Alliance. Data may reside cross-border - compliance is a top cloud risk alongside loss of governance and provider lock-in. KPMG data life cycle: Generate -> Use -> Transfer -> Transform -> Store -> Archive -> Destroy. Threats are ranked by impact/criticality, often via attack trees.
24 . Quiz Traps DON'T LOSE MARKS
TRAP | ANSWER
stateful firewall

[26] Source: asksia-cheatsheet-fit5225.pdf (excerpt):
TRAP | ANSWER
latency on first call | cold start
authn vs authz | user pool vs identity pool
desired state | declarative IaC
sync standby, failover | Multi-AZ (not replica)
authn before authz | user pool first
Fact Belt SIDE 2
SG stateful · NACL stateless · 1 subnet = 1 AZ
Multi-AZ = HA · Read Replica = scale reads
Spot ≤90% · Reserved ≤75% off
S3 11-nines · DynamoDB = NoSQL, ms
API GW + Lambda + DynamoDB · 3-2-1 backup
asksia.ai/cheatsheet/monash-fit5225 . side 2/2 AskSia CHEATSHEET SERIES Compiled by AskSia . mapped to the FIT5225 syllabus . asksia.ai/cheatsheet/monash-fit5225
SG vs NACL signature table (fragment):
| SECURITY GROUP | NACL
State | stateful - return auto-allowed | stateless - in/out separate
Level |
4) How to practise "diagram-reading" questions: three fixed question patterns (the points the examiner wants you to state)

4.1 The VPC diagram (public vs private, IGW vs NAT, what goes where)
You should be able to read it off in one sentence: [21][29]

[29] Source: asksia-cheatsheet-fit5225.pdf (excerpt):
MODEL | YOU SECURE
On-prem | everything
IaaS | OS, runtime, app, data
PaaS | app + data
SaaS | config + your data
- VPC: a logically isolated private network inside AWS (your own IP range, subnets, route tables, gateways)
- Public subnet: web/LB, routed to the internet
- Private subnet: DB/backend, no direct inbound exposure to the internet
- IGW = two-way internet
- NAT Gateway = outbound first and foremost (the private subnet can reach out but accepts no inbound)
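As an added example (not from the AskSia materials or the unit), here is a Python model of the W10-style two-subnet VPC in which the route table and gateway type decide what can get in and out; the CIDRs, AZ name, instance names and addresses are all constructed for the example:

```python
"""Added example (not from the AskSia materials): a model of the W10-style VPC
diagram, public + private subnet, where the route table and gateway type decide
what gets in and out. CIDRs, AZ name and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Subnet:
    name: str
    cidr: str
    az: str                          # a subnet lives in exactly one AZ
    routes: Dict[str, str]           # destination CIDR -> "local" | "igw" | "nat"


@dataclass
class Instance:
    name: str
    subnet: Subnet
    private_ip: str
    public_ip: Optional[str] = None  # only public-subnet instances get one


def route_target(subnet: Subnet, dst: str) -> str:
    """Longest-prefix match over the subnet's route table, as the VPC router does."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in subnet.routes.items():
        net = ipaddress.ip_network(cidr)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    if best is None:
        raise ValueError(f"no route for {dst} in {subnet.name}")
    return best[1]


def can_initiate_outbound(inst: Instance, dst: str) -> bool:
    """Can the instance open a connection to dst?  'local' stays in the VPC;
    an IGW passes traffic only for an instance that has a public IP (it does
    no NAT for you); a NAT gateway translates on the instance's behalf."""
    target = route_target(inst.subnet, dst)
    if target == "local":
        return True
    if target == "igw":
        return inst.public_ip is not None
    return target == "nat"


def exposed_to_inbound_internet(inst: Instance) -> bool:
    """Can an unsolicited connection from the internet reach the instance?
    Only via an IGW and a public IP. A NAT gateway never forwards inbound,
    so a private subnet behind NAT keeps no inbound exposure."""
    target = route_target(inst.subnet, "203.0.113.10")   # any internet address
    return target == "igw" and inst.public_ip is not None


def build_lab_vpc() -> Dict[str, Instance]:
    """The public/private layout a quiz diagram shows, written out as data."""
    public = Subnet("public-a", "10.0.1.0/24", "ap-southeast-2a",
                    {"10.0.0.0/16": "local", "0.0.0.0/0": "igw"})
    private = Subnet("private-a", "10.0.2.0/24", "ap-southeast-2a",
                     {"10.0.0.0/16": "local", "0.0.0.0/0": "nat"})
    return {
        "web": Instance("web", public, "10.0.1.10", public_ip="198.51.100.7"),
        "db": Instance("db", private, "10.0.2.20"),
        "orphan": Instance("orphan", public, "10.0.1.11"),  # public subnet, no public IP
    }


if __name__ == "__main__":
    for name, inst in build_lab_vpc().items():
        print(f"{name:6} out->internet={can_initiate_outbound(inst, '203.0.113.10')} "
              f"in<-internet={exposed_to_inbound_internet(inst)} "
              f"out->db={can_initiate_outbound(inst, '10.0.2.20')}")
```

The "orphan" case is the classic diagram trap: being in the public subnet is not enough, an instance also needs a public IP before the IGW will carry its traffic either way.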
Typical traps:

4.2 The K8s diagram: control plane vs worker, Pod/Deployment/Service
- Plane or node? (the control plane decides / the worker runs)
- Object or Service? (identify Pod / Deployment / Service)
- desired vs current? (K8s uses a watch loop to drive current -> desired)
Must-memorise one-liners per object (cheatsheet version): [24][30]

[24] Source: asksia-cheatsheet-fit5225.pdf (excerpt):
desired replica count | ReplicaSet
Fact Belt SIDE 1
majority > n/2 of nodes to elect a Leader (Raft)
GET/PUT/DELETE idempotent · POST not
container = OS-level · VM = hardware-level
Pod = atomic unit · etcd = state store
IaaS -> PaaS -> SaaS = you manage less
asksia.ai/cheatsheet/monash-fit5225 . side 1/2 AskSia CHEATSHEET SERIES QUIZ REVISION . CLOSED-BOOK Compiled by AskSia . mapped to the FIT5225 syllabus . asksia.ai/cheatsheet/monash-fit5225
8 . Web Services SOA BUILDING BLOCK
An interface for a program to call a server across the Internet (HTTP) without human supervision; CRUD on resources. Data via XML or JSON (marshalling = flatten to bytes; unmarshalling = reassemble). Building block that enables SOA; language/platform independent.
XML VS JSON
XML - W3C markup, tags describe structure, namespaces (xmlns) + XSD typing, can display data, verbose (bigger/slower). JSON - lightweight, arrays, human-readable, native objects, scalar types, no built-in typing - the easier alternative. URI = URL (locator) + URN (name). A web-service endpoint is a URL. Marshalling is needed because machines differ (int size, float format, ASCII vs Unicode) - both ends agree an external data representation. A web service is language- and platform-independent (Java, PHP, .NET, C), which is what lets services written in different stacks interoperate.
7b . K8s API Objects DECLARATIVE
· Pod - smallest deployable unit (NOT the container); wraps 1+ containers sharing IP/network/volumes; mortal (dies -> new ID/IP); runs on a single node
· Service - stable DNS/IP/port for dynamic pods; load-balances via label selector (L4, no L7)
Declarative kubectl apply -f deploy.yaml vs imperative kubectl run .... You declare desired state; K8s reconciles.
7c . Raft Consensus LEADER ELECTION
Consensus = machines agree on one source of truth surviving failures (replicated state machine). States: Follower > Candidate > Leader. Followers get heartbeats (AppendEntries). On election timeout (100-500ms) a follower becomes candidate, increments the term, votes self, sends RequestVote. Wins on a majority > leader. Split vote -> new term, re-elect.

[30] Source: asksia-cheatsheet-fit5225.pdf (excerpt):
etcd uses Raft so the cluster store survives a manager failure - this is why you run an odd number (3/5) of control-plane nodes. Servers communicate via RPCs; a leader holds office for the duration of its term.
7d . Packaging an App DESIRED STATE
1. Package the app as a container image 2. Wrap it in a Pod 3. Declare it via a manifest to a higher controller (Deployment) 4. POST the desired state to the cluster via the API server. K8s watch loops then reconcile current -> desired - giving self-healing, scaling and zero-downtime rollouts for free. This declarative model is the unit's recurring theme: you describe the what, not the how. Other controllers: DaemonSet (one pod per node), StatefulSet (stable identity/storage), CronJob (scheduled). Multi-container pod patterns: sidecar, log scraper, service mesh. A Service routes by label selector - it never targets a pod IP directly, since pods are mortal. Containers in one pod talk over localhost ports, sharing the pod's single IP. Quiz revision aid . check the official unit guide for assessment . © 2026 flip + for side 2 . IaC, AWS, serverless & security GRANULARITY MOTTO
- Pod: the smallest deployable unit (not the container); can hold 1+ containers sharing network/volumes
- Deployment: scaling and rollouts (maintains the desired replica count)
- Service: a stable entry point for dynamic Pods (DNS/IP/port, load-balanced by label selector)
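An added example, not from the course materials: a toy Python reconciliation loop that plays the "desired vs current" pattern from the three questions above, showing a controller healing a dead Pod and a Service following labels rather than IPs; Pod names, label keys and IPs are constructed:

```python
"""Added example (not from the course materials): a toy reconciliation loop
showing how a controller drives current state toward desired state and why a
Service finds Pods by label selector rather than by IP. Names and IPs are
constructed; nothing here talks to a real cluster."""
import itertools
from typing import Dict, List

_pod_ids = itertools.count(1)
_ips = itertools.count(11)


def new_pod(app: str) -> dict:
    """Pods are mortal: every replacement gets a fresh name and a fresh IP."""
    return {"name": f"{app}-{next(_pod_ids):04d}", "labels": {"app": app},
            "ip": f"10.244.0.{next(_ips)}", "phase": "Running"}


def reconcile(desired: dict, pods: List[dict]) -> List[dict]:
    """One pass of the watch loop for desired = {"app": label, "replicas": n}:
    count Running Pods matching the label, then create or delete the difference.
    Returns the new Pod list (failed Pods are left for garbage collection)."""
    label = desired["app"]
    alive = [p for p in pods if p["labels"].get("app") == label and p["phase"] == "Running"]
    others = [p for p in pods if p not in alive]
    diff = desired["replicas"] - len(alive)
    if diff > 0:                                   # scale up or self-heal
        alive.extend(new_pod(label) for _ in range(diff))
    elif diff < 0:                                 # scale down
        alive = alive[:desired["replicas"]]
    return others + alive


def service_endpoints(selector: Dict[str, str], pods: List[dict]) -> List[str]:
    """A Service never targets a Pod IP directly; it re-resolves its selector."""
    return [p["ip"] for p in pods if p["phase"] == "Running"
            and all(p["labels"].get(k) == v for k, v in selector.items())]


def kill_pod(pods: List[dict], name: str) -> List[dict]:
    """Simulate a node failure taking one Pod down."""
    return [dict(p, phase="Failed") if p["name"] == name else p for p in pods]


def demo() -> dict:
    """apply -> one Pod dies -> the loop heals; the Service follows the labels."""
    desired = {"app": "web", "replicas": 3}         # the Deployment manifest's intent
    pods = reconcile(desired, [])                    # kubectl apply -f deploy.yaml
    before = service_endpoints({"app": "web"}, pods)
    pods = kill_pod(pods, pods[0]["name"])
    pods = reconcile(desired, pods)                  # current (2) != desired (3)
    after = service_endpoints({"app": "web"}, pods)
    return {"before": before, "after": after,
            "running": sum(p["phase"] == "Running" for p in pods)}


if __name__ == "__main__":
    print(demo())
```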
4.3 The serverless flow: Lambda + API Gateway + DynamoDB (plus cold start)
The cheatsheet's "Fact Belt" names the typical combination, API Gateway + Lambda + DynamoDB, and cold start is a high-frequency distinction point. [26][11]

[11] Source: asksia-cheatsheet-fit5225.pdf (excerpt):
| SQS | SNS
Model | pull queue | push pub/sub
QUIZ REVISION . CLOSED-BOOK Quiz revision aid . check the official unit guide for assessment . © 2026 good luck. revise smart.
YAML
FIT5225 Cloud Computing and Security MONASH UNIVERSITY . FACULTY OF IT QUIZ REVISION Sem 1 2026 . SIDE 1 OF 2 Closed-book study aid . all topics SIDE 1/2 Microservices
0 · Quiz Blueprint READ FIRST
FIT5225 has no final exam: two invigilated quizzes (15% + 15%) plus an individual cloud app project (30%) and a group multicloud build (40%). Treat the quizzes as closed-book - confirm rules in your unit guide. The quizzes love distinctions: pick the right model from a description, read an architecture diagram, recognise a config snippet. Side 1 = concepts & tools (cloud -> VM -> container -> K8s -> REST/SOA). Side 2 = IaC, AWS, serverless, security. Highest-yield comparisons (near-certain): SG vs NACL · containers vs VMs · IaaS/PaaS/SaaS · type-1 vs type-2 · REST vs SOAP · idempotent verbs · AZ vs Region · cold start. SIA - When a question describes a scenario, map it to a named model first (which service model? which deployment? stateful or stateless?) - the distractors are always the adjacent term.
1 . Cloud Foundations
5) The five highest-yield recognition facts to memorise for "recognise the snippet" questions (learn them and the marks are yours)
- (1) IAM: an Explicit Deny always overrides an Allow
- (2) NACL is stateless: return traffic needs its own outbound rule; SG is stateful and does not
- (3) Dockerfile layer order: dependencies before source code, to exploit the cache
- (4) docker run: -p host:container port mapping
- (5) kubectl apply -f: declarative desired state
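Added example (not from the source materials): Python evaluators for facts (1) and (2), run over a constructed policy set, a NACL that is deliberately missing its ephemeral-port outbound rule beside the corrected one, and a web security group; the bucket name and client address are constructed too:

```python
"""Added example (not from the course materials): evaluators for facts (1) and (2).
Constructed inputs: a sample policy set, a NACL missing its ephemeral-port
outbound rule beside the corrected one, and a web security group."""
import ipaddress
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple


def iam_evaluate(policies: List[dict], action: str, resource: str) -> str:
    """IAM decision order: an explicit Deny wins over any Allow; with no Allow
    the default is an implicit Deny. '*' wildcards are matched as IAM does."""
    matched_allow = False
    for policy in policies:
        for st in policy.get("Statement", []):
            actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
            hit = (any(fnmatchcase(action, a) for a in actions)
                   and any(fnmatchcase(resource, r) for r in resources))
            if not hit:
                continue
            if st["Effect"] == "Deny":
                return "Deny"          # final, no matter what else matched
            matched_allow = True
    return "Allow" if matched_allow else "Deny"


# NACL rule: (rule_no, direction, protocol, port_lo, port_hi, cidr, action)
NaclRule = Tuple[int, str, str, int, int, str, str]


def nacl_allows(rules: List[NaclRule], direction: str, port: int, peer: str) -> bool:
    """Lowest rule number that matches decides; no match means denied (the
    implicit '*' deny). A NACL keeps no connection state, so each direction is
    judged only on its own rules."""
    peer_ip = ipaddress.ip_address(peer)
    for _, d, _, lo, hi, cidr, act in sorted(rules):
        if d == direction and lo <= port <= hi and peer_ip in ipaddress.ip_network(cidr):
            return act == "allow"
    return False


def nacl_round_trip(rules: List[NaclRule], client_ip: str,
                    server_port: int, client_port: int) -> Dict[str, bool]:
    """The request arrives inbound on server_port; the reply leaves outbound to
    the client's ephemeral port and needs its own outbound rule."""
    return {"request": nacl_allows(rules, "inbound", server_port, client_ip),
            "reply": nacl_allows(rules, "outbound", client_port, client_ip)}


def sg_round_trip(inbound: List[Tuple[int, str]], client_ip: str,
                  server_port: int) -> Dict[str, bool]:
    """A security group holds allow rules only and tracks connections: if the
    request is allowed in, the reply is allowed back out automatically."""
    ip = ipaddress.ip_address(client_ip)
    ok = any(p == server_port and ip in ipaddress.ip_network(c) for p, c in inbound)
    return {"request": ok, "reply": ok}


# Constructed sample policy set: a broad Allow plus one explicit Deny.
SAMPLE_POLICIES = [
    {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    {"Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject",
                    "Resource": "arn:aws:s3:::example-logs/*"}]},
]
# Constructed NACLs: HTTP allowed in; only NACL_FIXED also lets the reply out.
NACL_BROKEN: List[NaclRule] = [(100, "inbound", "tcp", 80, 80, "0.0.0.0/0", "allow")]
NACL_FIXED: List[NaclRule] = NACL_BROKEN + [
    (100, "outbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
SG_WEB = [(80, "0.0.0.0/0")]   # constructed: inbound HTTP from anywhere

if __name__ == "__main__":
    print(iam_evaluate(SAMPLE_POLICIES, "s3:DeleteObject", "arn:aws:s3:::example-logs/x.log"))
    print(nacl_round_trip(NACL_BROKEN, "203.0.113.5", 80, 51515))
    print(nacl_round_trip(NACL_FIXED, "203.0.113.5", 80, 51515))
    print(sg_round_trip(SG_WEB, "203.0.113.5", 80))
```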
6) Docker / Dockerfile: the part most likely to be quizzed "line by line" (memorise the examples in your materials)

6.1 The Dockerfile ordering principle (the standard answer to cache questions)

The classic pattern (copy the dependency manifest first, then install the dependencies):
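As an added example (mine, not from the materials), a Python model of Docker's per-layer cache key run over a deps-first Dockerfile and a source-first one, so you can see which layers re-run after an ordinary edit to app.py; the Dockerfiles, file names and contents are constructed:

```python
"""Added example (not from the course materials): a model of Docker's build cache
that shows why 'copy the dependency manifest, install, then copy the source'
keeps the expensive install layer cached. Dockerfiles and files are constructed."""
import hashlib
from typing import Dict, List, Set, Tuple

GOOD_DOCKERFILE = [
    "FROM python:3.12-slim",
    "WORKDIR /app",
    "COPY requirements.txt .",
    "RUN pip install -r requirements.txt",     # expensive; we want this cached
    "COPY . .",
    'CMD ["python", "app.py"]',
]
BAD_DOCKERFILE = [
    "FROM python:3.12-slim",
    "WORKDIR /app",
    "COPY . .",                                # source first: every edit busts the cache
    "RUN pip install -r requirements.txt",
    'CMD ["python", "app.py"]',
]


def layer_key(instruction: str, parent: str, files: Dict[str, str]) -> str:
    """Cache key of a layer: parent key + instruction text + (for COPY/ADD) the
    checksum of the files it copies. That is the rule Docker applies per layer."""
    h = hashlib.sha256(parent.encode() + instruction.encode())
    verb, *args = instruction.split()
    if verb in ("COPY", "ADD"):
        src = args[0]
        # 'COPY . .' copies the whole context; 'COPY requirements.txt .' only that file
        copied = files if src == "." else {src: files[src]}
        for name in sorted(copied):
            h.update(name.encode() + copied[name].encode())
    return h.hexdigest()


def build(dockerfile: List[str], files: Dict[str, str], cache: Set[str]) -> Tuple[int, List[str]]:
    """Walk the Dockerfile; once one layer misses, every later layer rebuilds
    (its parent key changed). Returns (rebuilt count, rebuilt instructions)."""
    parent = ""
    rebuilt: List[str] = []
    missed = False
    for ins in dockerfile:
        key = layer_key(ins, parent, files)
        if missed or key not in cache:
            missed = True
            rebuilt.append(ins)
            cache.add(key)
        parent = key
    return len(rebuilt), rebuilt


def edit_cost(dockerfile: List[str]) -> Tuple[int, List[str]]:
    """First build, then change only app.py and rebuild; report what re-runs."""
    files = {"requirements.txt": "flask==3.0.0\n", "app.py": "print('v1')\n"}
    cache: Set[str] = set()
    build(dockerfile, files, cache)
    files["app.py"] = "print('v2')\n"          # the everyday edit: source, not deps
    return build(dockerfile, files, cache)


if __name__ == "__main__":
    print("deps-first  rebuilds:", edit_cost(GOOD_DOCKERFILE))
    print("source-first rebuilds:", edit_cost(BAD_DOCKERFILE))
```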
6.2 What the trailing "." in docker build means (an extremely common trap)

6.3 Explaining a docker run command flag by flag (you must be able to "translate it item by item", as the model answer does)

Example:
docker container run -d -p 80:8000 --name web myapp:latest
7) How you should revise now: treat the 30% quizzes and the 70% projects as two "different games"

7.1 Quizzes (30%): the "comparison tables + diagram reading + snippet recognition" approach
Suggested order of practice (by how often the materials say each question shape appears): [4][3]

[4] Source: asksia-bible-fit5225-bilingual.pdf (excerpt):
★ What the quizzes actually test - three layers, in order
These are not code-from-blank exams. In order of frequency: (1) concept distinctions - VM vs container, Type-1 vs Type-2, IaaS/PaaS/SaaS, SOAP vs REST, idempotent vs not, SG vs NACL, User Pool vs Identity Pool, cold vs live migration; (2) architecture-diagram reading - a VPC, a K8s cluster, a serverless flow, the shared-responsibility split: what does each box do, what is mismanaged?; (3) config-snippet recognition - a Dockerfile's instruction order, a docker/kubectl command, an IaC block, an IAM/S3 policy JSON, a NACL row. Read and reason, rarely author from scratch.
✓ The strategy this dictates
Because the projects carry the most marks and take the most time, the dominant move is to scaffold the builds in the first weeks - pick services, sketch the architecture, get a deployment working - then iterate. For the quizzes, the cheapest marks are the comparison tables: every 'X vs Y' in this book is a likely question. Learn the row that distinguishes them, not just what each one is.
i Quiz status - closed, no bring-in
The two quizzes are invigilated; treat them as closed / no bring-in study aids and check your own quiz instructions. The optional Week-12 case study / Oracle mock interview rewards a different skill - a full architecture diagram and a plain-English benefit pitch to a non-technical 'CEO' - so practise explaining the why, not just the what.
FIT5225 . Cloud Computing and Security . AskSia Library
CONTENTS - One ladder of abstraction, twelve weeks
Foundations -> virtualisation -> containers -> orchestration -> services -> AWS -> serverless -> security
Ch | Topic | Core ideas
Part I . Foundations & virtualisation (Weeks 1-2)
1 | Cloud foundations & | NIST 5 characteristics · IaaS/PaaS/SaaS · shared responsibility · deployment models · virtualisation economics · hypervisors · Type-1 vs Type-2 · migration
Part II . Containers & orchestration (Weeks 3-4)
2 | Containers & Docker | containers vs VMs · Docker engine pipeline · images/layers/union FS · registries · Dockerfile · lifecycle CLI · Compose
3 | Container orchestration | Swarm vs Kubernetes · Raft · control plane vs node · Pod/Deployment/Service · declarative desired-state
Part III . Services, IaC & AWS (Weeks 5-8)
4 | Web services & SOA | REST vs SOAP · XML vs JSON · idempotent/safe verbs · monolith vs SOA vs microservices
5 | IaC & the AWS catalogue |

[3] Source: asksia-bible-fit5225-bilingual.pdf (excerpt):
— Keep 3 copies, on 2 media, with 1 off-site. Disaster recovery (DR) — A full duplicate site ready to take over with no degradation; tested ≥ twice yearly.
i How to use this glossary in revision
Terms are in teaching order - the same pillar spine the quizzes walk. Two passes: EN -> meaning (cover the right column), then meaning -> EN (cover the term). The handful to over-learn for the security quiz: SG vs NACL, Cognito User Pool vs Identity Pool, shared responsibility, idempotent HTTP verbs, and container vs VM - they are tested almost verbatim.
FIT5225 . Cloud Computing and Security . AskSia Library
PRACTICE Q1-Q5 - CHAPTER . PRACTICE BANK & WORKED SOLUTIONS MIRRORS THE 2 QUIZZES
Drill the quiz, FIT5225 style
Twenty fresh items across the three quiz shapes - concept distinctions, diagram reading, config-snippet recognition, each worked
The one-line takeaway. The two FIT5225 quizzes are not code-writing exams. They test, in order of frequency: (1) concept distinctions, (2) architecture-diagram reading, and (3) config-snippet recognition. This bank gives fresh items in all three shapes, each fully worked. Cover the answer, decide, then check.
★ Fresh stems - the quiz STYLE, not the quiz
These are AskSia-authored items written in the FIT5225 style; they are not real quiz questions. The standard cloud/AWS facts are canonical. Treat quizzes as invigilated / closed-book - check your own exam instructions.
Q1-Q5 Concept-distinction MCQs
Q1 SG VS NACL concept MCQ
- Drill every X vs Y comparison pair first (these are the cheapest marks)
- Then practise labelled architecture diagrams: VPC, K8s, serverless flow, shared responsibility
- Finally practise line-by-line explanation of short snippets: Dockerfile, docker/kubectl, IaC block, IAM policy, NACL rows
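The SG vs NACL pair is the one the glossary says is tested almost verbatim, and the distinction is about how the rule list is evaluated, not what the rules say. The following Python is an added example, not code from the AskSia book or from the unit's materials. It simulates the two evaluation models as AWS documents them (a network ACL is stateless, tries rules in ascending number, stops at the first match, and may deny; a security group is stateful, allow-only, and evaluates every rule) on constructed packets. The IP addresses, ports, rule numbers and the Packet/Rule/SecurityGroup names are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving at the instance, "out" = leaving it
    proto: str       # "tcp" or "udp"
    remote_ip: str   # the other end of the conversation
    remote_port: int
    local_port: int  # port on the instance

    @property
    def dst_port(self) -> int:
        # A filter rule names the packet's destination port: the instance
        # port for inbound traffic, the remote port for outbound traffic.
        return self.local_port if self.direction == "in" else self.remote_port

    @property
    def flow(self) -> tuple:
        # Both halves of one conversation share this 4-tuple.
        return (self.proto, self.remote_ip, self.remote_port, self.local_port)


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"  # NACLs may also "deny"; security groups cannot
    number: int = 0        # NACL evaluation order; security groups ignore it

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto == pkt.proto
                and self.port_from <= pkt.dst_port <= self.port_to
                and ipaddress.ip_address(pkt.remote_ip)
                in ipaddress.ip_network(self.cidr, strict=False))


def nacl_allows(rules, pkt: Packet) -> bool:
    """Network ACL semantics: stateless, rules tried in ascending number,
    the first match decides, anything unmatched hits the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action == "allow"
    return False


class SecurityGroup:
    """Security-group semantics: stateful, allow-only, every rule evaluated,
    and the reply half of an admitted flow passes without any rule."""

    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups have no deny rules")
        self.rules = list(rules)
        self._flows = set()  # connection tracking, the source of 'stateful'

    def allows(self, pkt: Packet) -> bool:
        if pkt.flow in self._flows:  # reply to a flow already admitted
            return True
        if any(r.matches(pkt) for r in self.rules):
            self._flows.add(pkt.flow)
            return True
        return False


def web_server_scenario() -> dict:
    """Same intent on both filters ('HTTP from anywhere'); only the NACL
    needs an outbound ephemeral-port rule for the reply. Constructed data."""
    request = Packet("in", "tcp", "198.51.100.7", 50123, 80)
    reply = Packet("out", "tcp", "198.51.100.7", 50123, 80)
    nacl = [Rule("in", "tcp", 80, 80, "0.0.0.0/0", number=100)]
    ephemeral = Rule("out", "tcp", 1024, 65535, "0.0.0.0/0", number=100)
    sg = SecurityGroup([Rule("in", "tcp", 80, 80, "0.0.0.0/0")])
    return {
        "nacl_request": nacl_allows(nacl, request),
        "nacl_reply": nacl_allows(nacl, reply),
        "nacl_reply_with_ephemeral": nacl_allows(nacl + [ephemeral], reply),
        "sg_request": sg.allows(request),
        "sg_reply": sg.allows(reply),
    }


def nacl_ordering_scenario() -> tuple:
    """The classic NACL trap: a deny numbered after the matching allow never
    fires, because evaluation stops at the first match. Constructed data."""
    client = Packet("in", "tcp", "203.0.113.9", 40000, 80)
    deny_first = [Rule("in", "tcp", 80, 80, "203.0.113.0/24", "deny", 90),
                  Rule("in", "tcp", 80, 80, "0.0.0.0/0", "allow", 100)]
    deny_last = [Rule("in", "tcp", 80, 80, "0.0.0.0/0", "allow", 100),
                 Rule("in", "tcp", 80, 80, "203.0.113.0/24", "deny", 110)]
    return nacl_allows(deny_first, client), nacl_allows(deny_last, client)


if __name__ == "__main__":
    print(web_server_scenario())
    print("deny before allow / deny after allow:", nacl_ordering_scenario())
```

The two scenarios are the two rows of the comparison table the quiz pays for: the NACL drops the server's reply unless an outbound ephemeral-port rule exists (stateless), while the security group admits it because it remembers the inbound flow (stateful); and a NACL deny only works if its number sorts before the allow it is meant to override, whereas a security group cannot express a deny at all.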
7.2 Projects (70%): build the skeleton early, get the deployment working first, then iterate

The 'winning approach' the material explicitly recommends:

Key reality reminder (very important):
- There is no final to rescue project marks, and no project to rescue quiz marks, so every piece has to stand on its own. [2] Source: asksia-bible-fit5225-bilingual.pdf

The most important strategic fact about FIT5225. There is no exam to rescue a weak project, and no project to rescue a weak quiz; the four pieces are independent. The 70% of marks in the two projects are won by building and deploying real cloud applications, so start them early; the 30% in the two quizzes is won by crisp recall of distinctions under invigilated, closed conditions. Treat them as two different games: ship the builds, drill the comparisons.

How this book was built, and the two-layer rule. Standard cloud, CS and AWS knowledge is stated plainly (it is canonical: the NIST five characteristics are a published definition, the shared-responsibility split is a fact, a VPC topology is a fact). The unit's own assessment briefs, the CloudEco individual project and the multicloud group project, are paraphrased by system type only, never copied; their per-student model files, FAQ and rubric are course-proprietary. Quiz status: the two tests are invigilated; treat them as closed / no bring-in. Verify weights, dates and quiz instructions on your own Monash Canvas (learning.monash.edu).

THE ASSESSMENT BLUEPRINT. 70% build, 30% quiz. No exam: two builds and two quizzes. CloudEco 30% · Multicloud group 40% · Quiz 1 15% · Quiz 2 15%. Your mark is four independent pieces and none of them is a final exam. Seventy per cent is won by building and deploying real cloud applications; thirty per cent is won by two invigilated, conceptual quizzes. Nothing backstops anything; every piece must stand on its own.

Figure: the four assessment pieces. 30% A1 CloudEco (solo) · 40% A2 Multicloud (group) · 30% two quizzes (15+15) · 0% final exam.

The four assessment pieces [8] Source: asksia-bible-fit5225-bilingual.pdf

| Component | Weight | What it really tests |
|---|---|---|
| A1 - CloudEco (individual) | 30% | Build a scalable AWS app; justify the design; model file by student-ID |
| A2 - Multicloud app (group of 3-4) | 40% | Build/deploy across >1 cloud; IaC; repo hygiene; teamwork + individual report |
| Quiz 1 (invigilated) | 15% | Conceptual recall + applied reasoning, earlier weeks |
| Quiz 2 (invigilated) | 15% | Conceptual recall + applied reasoning, later weeks |

How to play the two games

| Game | Winning move |
|---|---|
| The builds (70%) | Start early. Architecture diagram + IaC + working deployment |
| The quizzes (30%) | Drill distinctions. Tables, labelled diagrams, snippet reading |
| No cross-rescue | Each piece stands alone: no exam, no progress-mark net |
| GenAI (A1) | Permitted if disclosed: cite + append prompts; it is policy, not a hint |
8) Give me two pieces of information and I can turn this 'revision focus' into your own sprint checklist
- Tell me two things first (a one-sentence answer to each is enough):
- Which part are you most nervous about?
- A: concept distinctions (all the X vs Y pairs)
- B: VPC / security (SG vs NACL, shared responsibility, Cognito)
- C: Docker / K8s snippet questions
- D: IaC / AWS service selection
- What is the date of your next invigilated quiz? (so I can schedule what to drill each day by the days remaining)
- (Optional) If you like, I can also help you memorise **the few distinction pairs this unit most often gets wrong (e.g. SG vs NACL, User Pool vs Identity Pool, container vs VM)**, and walk you through those three pairs first the next time you come.