1. MAAREK Flashcards

Question

SSM Manager

Answer 1

By default, the SSM manager is already installed on Amazon Linux 2 The SSM manager can work on both vMs and on-premises instances

Answer 2

1. Permission issues 2. Corrupt reinstall the agent

Answer 3

To Automate patching and managing resources at group level

Answer 4

the configuration scrip for all planned operations

Answer 5

SSM does not need SSH or HTTP, the agent connects to ssm by itself

Answer 6

1. Executes the Document 2. Error and Rate control 3. Integrated with IAM and Cloudtrail 4. Runs command on multiple instances and groups 5. No need for SSH(Magical) 6. Command output printed on the screen or can be sent to S3 or cloud watch 7. Status can be viewd on console 8. Can be invoked using events Brige

Answer 7

aws ssm get-parameters --names

Answer 8

(SSM) Inventory is a feature that enables you to collect metadata from your managed instances. It provides a detailed view of your infrastructure, making it easier to understand its current state and track changes over time. Here's a brief overview of how SSM Inventory works: Data Collection: You can configure SSM Inventory to collect information such as installed applications, network configurations, OS updates, and more from your EC2 instances or on-premises servers. Resource Data Sync: Collected data can be stored in an Amazon S3 bucket or in an AWS Systems Manager Association. This allows you to centralize and aggregate inventory data from multiple AWS accounts and regions. Querying and Reporting: You can use AWS Config or the AWS Systems Manager Console to query and generate reports based on the collected inventory data. This helps you understand the state of your resources and their configurations. Automation: You can use inventory data to create automation workflows, such as triggering actions based on changes detected in the environment. To set up SSM Inventory, you typically need to: Configure Inventory Collection: Use SSM Documents to specify what inventory data you want to collect. These documents are associated with an inventory configuration. Define Inventory Configurations: Create an inventory configuration that references your SSM Documents. This configuration specifies the type of data you want to collect. Attach Inventory Configurations: Associate inventory configurations with your managed instances. View and Query Data: Use the AWS Management Console, AWS CLI, or APIs to view and query the collected inventory data.

Answer 9

manages the state of nodes in a group, ensuring that the inventory is always equal to the defined state

Answer 10

* data can be viewed on the console, * stored on s3, * Querried and analyzed using quicksight and Athena

Answer 11

Always redirect a specific client request to a particular server/instance by adding a cookie to the request Can cause load imbalance

Answer 12

If a target group contains only unhealthy targets, ELB routs requests across its unhealthy targets. This is usually the case during warmup/booting

Answer 13

ELB Access Logs are encrypted by default

Answer 14

Resource policy - another resource invoking lambda (Synchronous invocation) Execution Policy - Lambda polling another service for jobs(Asynchronous)

Answer 15

DLM does not work with instance store

Answer 16

- Uses Tags to identify resources - DLM Creates snapshots and AMIs - Cant be used to manage - Snapshots/AMIs created outsid DLM - can not be used to manage instance store backed AMIs

Answer 17

- Max 16 instances - File system that must be cluster-aware - can only happen within a single AZ

Answer 18

After EBS size is increased, partitioning must be carried out befor the new space is useable. You cannot redue the size of an ebs volume

Answer 19

certain operations can be performed on the go, while some cant. In Place - - LifeCycle Policy - Throughput mode and provisioned throughput number - EFS Access Point Requires Migration (using Datasync)- - encryption - Decryption - Performance mode(eg, max i/o)

Answer 20

replicates only newer objects, in order to replicate older files, use s3 BatchReplication

Answer 21

requires 24-48hrs after activation in order to start generating data analysis reports. Its recommendation does not work for Standard IA and Glacier

Answer 22

recommended for objects above 100MB mandatory for objects > 5G

Answer 23

Upload and download

Answer 24

retrieving only the data needed as against having to retrieve a bulk before filtering or ETL using sql. It’s only meant to use for a subset of data.

Answer 25

to perform bulk operations on existing S3 objects with a single request eg, modify object metadata modify object properties copy objects between s3 buckets encrypt an unencrypted object modify acl tags restore objects from S3 glacier invoke lambda function to perform a custom operation on an object

Answer 26

comprehensive report on the objects in our bucket

Answer 27

you can place a file into S3 Glacier same minute you create it. Glacier operates two types of policy **Glacier Vault** - like a bucket in Glacier

Answer 28

**Expedited** (Minutes to seconds) - you will need to purchase capacity unit **Standard** 3-5hrs **Bulk** 5-12Hrs ** In between the restoration time, there has to be some sort of a Notification job to facilitate the asynchronous process; S3 Events Notification(restore initiated and complete) or Events bridge

Answer 29

Strong access Policies for strict regulatory or compliance on the files in glacier. Vault lock is immutable/irreversible Vault lock is completed by re-entering the lock iD back into the vault lock

Answer 30

This is not possible via the console, you would have to use the API, CLI or SDK

Answer 31

Divide and conquer algorithms Split and upload files in parallel, then concatenate them at the receiving end. - Multipart upload is done in part and in any order - recommended for uploading files >100MB and - mandatory for files >5GB Use life cycle policies to handle the failed upload(There's a lifecycle preset for Multipart) **Multipart is only available via CLI/SDK

Answer 32

Serverless machine Queries and analysis files in S3 without moving the data using SQL.

Answer 33

**use columnar data** for cost savings. They perform fewer and faster scan. eg, (ORC, Apache Parquet) **Compress data for smaller** retrievals Partition your files to ease queries. use folder/path structure to ease queries, directly querying a specific directory/prefix Performs better with larger files

Answer 34

Uses API calls to and from KMS for decryption, this may result into a situation whereby KMS may run into throttling.

Answer 35

All SSE-C must be encrypted in transit

Answer 36

condition "aws:securetransport": true

Answer 37

Can only be done over CLI and not allowed in the console

Answer 38

- Only Root user can enable - Can only be enabled via the AWS CLI, AWS SDK, or the Amazon S3 REST API

Answer 39

Compliance - Strict and immutable Government - privileged principals can change versions and retention mode retention period for both is fixed

Answer 40

- can protect the object indefinitely irrespective of the retention mode or period - the identity with the permission can deactivate this mode(internet or vpc)

Answer 41

is a scaled-down bucket policy to specific prefixes. this policy grants exclusive access to specific prefixes/directories and limits all access to that prefix a single access point policy can contain access to more than one prefix each access point will have its own DNS name

Answer 42

This is also known as an access point policy allowing access to a target prefix from the vpc

Answer 43

there's an implicit creation of CRR when a cross-region access point is created.

Answer 44

Fsx for windows can also be mounted on a Linux server

Answer 45

for HPC R/W with S3 is seamless accesible via Dx and VPN resides on single AZ Scratch file system - single copy of data Persistent file system - Duplicates data in same az, but can persist data to S3

Answer 46

gateway for windows

Answer 47

for migrating NET ON TAP servers to AWS. compatible with all popular OS

Answer 48

file gateway - Linux compliant - file system(SMB,NFS) backs up to S3 Volume gateway - For Block storage - Cached or Stored gateway applies to the nature of the Local Configuration

Answer 49

File Gateway(Linux file system) - Restart Volume gateway(Block Storage management) - Stop gateway, retart server, then start/ attach gateway

Answer 50

Fully automated OS patching, fully managed DB, no user access for underlying instance

Answer 51

RR - Asynchronous - On fail over promotion, application has to update read/writer endpoint Multi-AZ - Synchronous replication - Inter AZ-Transfer fee = free - Auto failover to Standby in case of AZ failure

Answer 52

On the go, Zero downtime operation. Just modify

Answer 53

the threshold sets a limit for the Autoscaling

Answer 54

allows users to login to the database using their IAM credentials.

Answer 55

**Multi-AZ DB Cluster** Creates a DB cluster with a primary DB instance and two readable standby DB instances, with each DB instance in a different Availability Zone (AZ). Provides high availability, data redundancy and increases capacity to serve read workloads. **Multi-AZ DB instance** Creates a primary DB instance and a standby DB instance in a different AZ. Provides high availability and data redundancy, but the standby DB instance doesn't support connections for read workloads. **Single DB instance** Creates a single DB instance with no standby DB instances.

Answer 56

1. endpoint 2. Security group ingress setting: protocol: MysQL/MariaDB port 3306

Answer 57

If one of these instances (secondary) is launched in a private subnet and the primary is launched in a public subnet, after a Multi-AZ failover the RDS instance becomes inaccessible to the public network because the promoted secondary (new primary) instance was launched in the private subnet. 2. In addition to disabling public access at the subnet level, Amazon RDS provides a feature to enable or disable public access to the respective instances. Even if an instance is launched in a public subnet for any reason, it’s still possible to disable internet access to the instance by disabling public access. **When you disable public access on the RDS instance, RDS end point resolve to private IP address only and accessible to the instances in the same VPC** (or VPC connected via other means like VPC peering). 3. If all your applications servers are in the same VPC as your RDS instance, consider disabling public access to the instance. Furthermore, to help developers or admins who need access to the RDS instance to perform required tasks, create bastion instances in the same VPC as the RDS instances. These bastion instances have public access (with proper security group rules), and users (developers and admins) can connect to the bastion instances via the internet and connect to the RDS instance from the respective bastion instances 3. In addition to having least privilege to AWS APIs, it’s very important to perform regular audits on the security rules to ensure that public access to any instance isn’t enabled due to human or automation errors. In these cases, it’s recommended to use AWS Config to create rules to check for any changes and perform remediation automatically. For example, we can create an AWS Config rule to identify any RDS instances with public access enabled and perform remediation using managed rules (rds-instance-public-access-check). In a similar way, we can utilize existing managed rules or create custom rules to perform required checks and remediation. 4. Restrict access to cloud users on Amazon RDS using IAM 5,6,7. Additional logging and monitoring You can use the following services and features for additional logging and monitoring: AWS CloudTrail – CloudTrail provides a record of actions taken by a user, role, or AWS service in Amazon RDS. CloudTrail captures all API calls for Amazon RDS as events, including calls from the Amazon RDS console and from code calls to Amazon RDS API operations. It’s important to monitor the API calls to understand the different operations performed by the users and applications in your AWS account. This can help you perform audits on different operations and manage permissions. It’s also helpful to provide an incident report when unintended operations are run on Amazon RDS resources. For more information, refer to Monitoring Amazon RDS API calls in AWS CloudTrail. Amazon RDS recommendations – This feature is enabled by default and provides recommendations on different details related to the DB instances, read replicas, and parameter groups. These recommendations provide best practice guidance by analyzing DB instance configuration, usage, and performance data. For example, any pending engine version upgrades or instance maintenance operations are included in the recommendations. You can consider taking action on the provided recommendations immediately or in the following maintenance window. Amazon RDS event notifications – Event notifications are the best way to track changes and get notifications when an Amazon RDS event occurs. For example, if you subscribe to a configuration change category for a DB security group, you’re notified when the DB security group is changed. This helps you address unintended changes immediately and take appropriate action to remediate them. AWS Trusted Advisor – Trusted Advisor draws upon best practices learned from serving hundreds of thousands of AWS customers and helps close any security gaps in your AWS account. With respect to Amazon RDS security, Trusted Advisor checks for any security group access risks. For more information, refer to AWS Trusted Advisor check reference. Automatic minor version upgrades

Answer 58

outside vpc(in aws owned vpc lambda can only talk to your public endpoints) Launch Lambda in a vpc so as you do not have to expose your rds to the public Once defined, lambda will create an ENI using the right permissions

Answer 59

lambda scales out and is overpowering the RDS, Solution? RDS PROXY

Answer 60

if the RDS Proxy is in a pubic subnet, then no need to deploy lambda in the vpc. RDS closes idle collections(handles lambda scale-in) RDS proxy supports IAM Auth Supports DB Password Auth is inherently Autoscaling

Answer 61

Parameter Group is a collection of database engine parameter values that can be applied to one or more database instances. These parameter groups allow you to configure various settings for your RDS instance, including security, performance, and behavior. A Parameter Group in Amazon RDS is a set of parameters that define the configuration settings for a particular database engine. These parameters can control various aspects of the database, such as memory allocation, logging, backup behavior, and security settings. Importance: Parameter groups are important because they allow you to customize the behavior of your database instances without modifying the instance itself. This helps in maintaining consistency across multiple instances and makes it easier to manage and update configurations. Use Cases: Security: You can use parameter groups to set security-related parameters, such as controlling access, enabling encryption, or configuring SSL. Performance: Parameters related to performance tuning, cache sizes, and query optimization can be adjusted using parameter groups. Behavior: Parameters that govern the behavior of the database engine, such as the handling of connections, transaction timeouts, and logging, can be configured. Dynamic Nature: Explanation: Parameter groups are dynamic, meaning you can modify the parameter values in a group at any time, and these changes will be applied to the associated database instances. Example: If you need to adjust the maximum number of allowed connections or change the log retention period, you can do so by modifying the parameter group without requiring a reboot of the RDS instance. In summary, Parameter Groups in Amazon RDS play a crucial role in configuring and customizing the behavior of your database instances, and their dynamic nature allows for flexibility in adapting to changing requirements.

Answer 62

DB instance always needs a restart in order to kickstart a parameer group into action

Answer 63

Both Backup and snapshots will create a new database. They do not do an in-place restore

Answer 64

Manual snapshots can be shared, while Automated snapshots cannot be shared.

Answer 65

Amazon RDS recommendations – This feature is enabled by default and provides recommendations on different details related to the DB instances, read replicas, and parameter groups. These recommendations provide best practice guidance by analyzing DB instance configuration, usage, and performance data. For example, any pending engine version upgrades or instance maintenance operations are included in the recommendations. You can consider taking action on the provided recommendations immediately or in the following maintenance window.

Answer 66

RDS event notifications – Event notifications are the best way to track changes and get notifications when an Amazon RDS event occurs. For example, if you subscribe to a configuration change category for a DB security group, you’re notified when the DB security group is changed. This helps you address unintended changes immediately and take appropriate action to remediate them.

Answer 67

- Multipart upload - SSE-C - CSE must be encrypted(securetransportenable-true) - upload files straight to glacier

Answer 68

to be able to access VM-level logs, Cloudwatch uses its native rds agent to gather system-level metrics

Answer 69

once enabled(right click, modify), **RDS performance Insight can filter metrics by** - By waits - which resource?(CPU,IO, etc) - By SQL statements - which sql querry ? - By Hosts - which Host - By users - who?

Answer 70

Distributed writes ( two copies of write per AZ

Answer 71

both acts as a single access point to all RR and write heads. Under the hood, aurora performs Autoscaling on RR to maintain the required number of RR while maintaining a single access point; Reader endpoint. Maintaining a Single Access Point (Reader Endpoint): Despite autoscaling on Read Replicas, Aurora maintains a single access point for read operations through the Reader endpoint. This simplifies the application's connection management, as the application can always connect to the same endpoint for read operations, and Aurora handles the distribution of those reads across available replicas.

Answer 72

There's a minimum instance requirement to enable a cross region cluster

Answer 73

PITR (Backup)- is a recovery process, and RDS/Aurora recovery involve restoring the db; spinning up a new db. Backtracking - in-place restore, simply rewind to an earlier time (<=72hrs)

Answer 74

Must be done at Launch time. Optionally, on a running DB, encryption can only be done via snapshot and restore process.

Answer 75

short-term logs. Retainable logs would include the use of cloudwatch.

Answer 76

Yes, RDS snapshot can be migrated to Aurora

Answer 77

Aurora follows the declared priority: 1. Highest priority is promoted first 2. Or the Replica with the largest size in a case of equal priority 3. else, a random Replica

Answer 78

Makes our db stateless by taking off all the read workload from the db Can be used to store session data to enhance statefulness

Answer 79

use of elasticache would neccesitate heavy application code changes

Answer 80

HA Backup and restore features Data durability Multi-AZ with Auto-failover Sets and sorted sets support

Answer 81

- Multinode for partitioning of data(Sharding), but all in a single AZ - No HA - No data persistence - No backup and restore - Multithreaded architecture

Answer 82

Each reddis cluster has one write node and max 5 RR All replicas are asynchronous Primary Node does R/W One shard = One cluster Cluster mode disabled: Data is replicated betweeen shards/Nodes Cluster mode enabled: Data is spread between shards

Answer 83

- Cache evictions(memory overload - swap usage - current Connection - CPU utilization - DatabaseMemoryUsagePercentage - NetworkBytesIn, NetworkBytesOut - ReplicationBytes - ReplicationLag

Answer 84

you can only scale RDS storage once in 6Hours

Answer 85

Can not be disabled

Answer 86

for sending custom metrics to cloudwatch

Answer 87

put-metric-data --namespace ‹value› [--metric-name ] [--unit < value›] [--value < value>] [--dimensions ] L--storage-resolution ] [--cli-input-json | --cli-input-yam1] [--generate-cli-skeleton ]

Answer 88

unified cloudwatch just does a consistent put-metric-data API calls regularly

Answer 89

for sending Custom metrics eg, logged in users count, RAM, Disk space, etc Resolution Standard: 1min High res: 1 or 5 or 15 or 30s Accepts data point from upto -14days past to 2hrs retrospect. Has the ability to segment metrics into attributes

Answer 90

- can display metrics from different accounts in different regions - you can change the time zone of the dashboard - you can setup automatic refresh - you can share dashboard with a non aws identity

Answer 91

Data Query feature/engine within cloudwatch that presents its result in both log lines(text) and a visualizer results(logs) can either be exported(*CreateExportTask API*) or saved for future use Can querry multiple log groups simultaneously

Answer 92

Not near real time - log data can take upto 24hrs to become available for export.

Answer 93

- for realtime log eventsfrom cloudwatch logs for processing and analytics. - data can be streamed to kineses - to lambda - you can specify the subscription filter of the target logs

Answer 94

The following issues can prevent the unified CloudWatch agent from pushing log events: - Out-of-sync metadata caused by creating an Amazon Machine Image (AMI) after the CloudWatch agent is installed - Using an outdated version of the CloudWatch agent - Failure to connect to the CloudWatch Logs endpoint - Incorrect account, Region, or log group configurations - Insufficient AWS Identity and Access Management (IAM) permissions - CloudWatch agent run errors - Timestamp issue To push log events to the CloudWatch service, the CloudWatch agent requires credentials from either the IAM user or the IAM role policy.

Answer 95

VPC Flow Logs is a feature that enables you to capture information about the **IP traffic going to and from network interfaces in your VPC**. Flow log data can be published to Amazon CloudWatch Logs and Amazon S3. After you've created a flow log, you can retrieve and view its data in the chosen destination.

Answer 96

To create a NAT gateway, you must specify the public subnet in which the NAT gateway should reside. You must also specify an Elastic IP address to associate with the NAT gateway when you create it. After you've created a NAT gateway, you must update the route table associated with one or more of your private subnets to point Internet-bound traffic to the NAT gateway. This enables instances in your private subnets to communicate with the internet.

Answer 97

If you want CloudFront to cache different versions of your objects based on the device that a user is using to view your content, we recommend that you configure CloudFront to forward one or more of the following headers to your custom origin: - CloudFront-Is-Desktop-Viewer - CloudFront-Is-Mobile-Viewer - CloudFront-Is-SmartTV-Viewer - CloudFront-Is-Tablet-Viewer you can't set the cache behavior of a CloudFront distribution to forward the User-Agent header. This is configured in the Origin Custom Headers setting.

Answer 98

An IAM Administrator account can suspend Versioning on an S3 bucket, but only the bucket owner can enable/suspend the MFA-Delete on the objects.

Answer 99

if you install and configure software applications on an EC2 instance, you might want those applications to be running before proceeding. In such cases, you can add a CreationPolicy attribute to the instance and then send a success signal to the instance after the applications are installed and configured. CreationPolicy: AutoScalingCreationPolicy: MinSuccessfulInstancesPercent: Integer ResourceSignal: Count: Integer Timeout: String

Answer 100

You can configure the scale-out policy to check the number of messages in your SQS queue and then verify that your Auto Scaling group has launched an additional EC2 instance. Similarly, you can test your scale-in policy by decreasing the number of messages in your SQS queue and then verifying that the Auto Scaling group has terminated an EC2 instance.

Answer 101

Run Command - AWS System Manager Run Command to automate common administrative tasks and execute scripts remotely. Run Command enables you to automate common administrative tasks and perform adhoc configuration changes at scale. Automation -it is used to create custom workflows and not to remotely configure managed instances at scale. Session Manager - mainly used to quickly and securely access your Windows and Linux instances. It cannot automate administrative tasks and execute shell scripts remotely.

Answer 102

Rules types 1. Managed Rules (Over 150) 2. Custom Rules (using Lambda) Config can either be triggered or Scheduled

Answer 103

Using config to trigger SSM Automation to reverse a Non-compiant Service State back to compliant. The SSM Automation Can invoke a lambda function, but not config to Lambda directly Aggregator - Centralize config findings from various accounts. Stacksets will be a better option

Answer 104

You must update your route tables to route your IPv6 traffic. For a public subnet, create a route that routes all IPv6 traffic from the subnet to the Internet gateway. For a private subnet, create a route that routes all Internet-bound IPv6 traffic from the subnet to an egress-only Internet gateway.

Answer 105

You can create three types of Amazon Route 53 health checks: 1. Health checks that monitor an endpoint - You can configure a health check that monitors an endpoint that you specify either by IP address or by domain name. At regular intervals that you specify, Route 53 submits automated requests over the internet to your application, server, or other resources to verify that it's reachable, available, and functional. Optionally, you can configure the health check to make requests similar to those that your users make, such as requesting a web page from a specific URL. 2. Health checks that monitor other health checks (calculated health checks) - You can create a health check that monitors whether Route 53 considers other health checks healthy or unhealthy. One situation where this might be useful is when you have multiple resources that perform the same function, such as multiple web servers, and your chief concern is whether some minimum number of your resources are healthy. You can create a health check for each resource without configuring notifications for those health checks. Then you can create a health check that monitors the status of the other health checks, and that notifies you only when the number of available web resources drops below a specified threshold. 3. Health checks that monitor CloudWatch alarms - You can create CloudWatch alarms that monitor the status of CloudWatch metrics, such as the number of throttled read events for an Amazon DynamoDB database or the number of Elastic Load Balancing hosts that are considered healthy. After you create an alarm, you can create a health check that monitors the same data stream that CloudWatch monitors for the alarm.

Answer 106

Unlike the Weighted, This routing policy does not let you control how much traffic is routed accross your resources. It's 50-50

Answer 107

You can associate the CreationPolicy attribute with a resource to prevent its status from reaching create complete until AWS CloudFormation receives a specified number of success signals or the timeout period is exceeded. To signal a resource, you can use the **cfn-signal helper script or SignalResource API**. AWS CloudFormation publishes valid signals to the stack events so that you track the number of signals sent. The creation policy is invoked only when AWS CloudFormation creates the associated resource. Currently, the only AWS CloudFormation resources that support creation policies are AWS::AutoScaling::AutoScalingGroup, AWS::EC2::Instance, and AWS::CloudFormation::WaitCondition.

Answer 108

It is possible to create an Alias record that points to a resource in another account. In this case the fully qualified domain name of the ALB must be obtained and then entered when creating the record set. This is the most cost-effective option as you do not pay for Alias records and there is minimal configuration required.

Answer 109

STOP/START (Amazon EBS-backed instances only): We move the instance to a new host computer (though in some cases, it remains on the current host). Public IPV4 is changed HIBERNATE (Amazon EBS-backed instances only): We move the instance to a new host computer (though in some cases, it remains on the current host). Public IPV4 is changed. The RAM is saved to a file on the root volume REBOOT/RESTART: The instance stays on the same host computer. Rebooting an instance is equivalent to rebooting an operating system. Public IPV4 is changed But Elastic IP is constant

Answer 110

dynamic content are not cacheable on CloudFront edge locations

Answer 111

You would have to install some default agents that should have natively come with the EC2 instance, such as SSM AGENT, etc

Answer 112

Signed URL - One User Per file Signed Cookies - Several Users to several files

Answer 113

S3 - Encrypts objects by default EFS and RDS - Encryption status cannot be changed after deployment

Answer 114

403 - Bucket policy issues 503 - High request rates for new buckets

Answer 115

AWS Shield Standard is automatically enabled to all AWS customers at no additional cost. AWS Shield Advanced is an optional paid service.

Answer 116

Note that most AWS outages a limited to a single az. Therefore, in a Multi-Az app behind an ASG, service health info might not be useful

Answer 117

Once you have an SSL Cert through ACM, you need to add it to your cloudfront distribution, then update cache behavoir to reroute traffic to HTTPS

Answer 118

AWS Systems Manager requires an IAM role for EC2 instances that it manages, to perform actions on your behalf. This IAM role is referred to as an instance profile. If an instance is not managed by Systems Manager, one likely reason is that the instance does not have an instance profile, or the instance profile does not have the necessary permissions to allow Systems Manager to manage the instance.

Answer 119

Tags are used for organizing resources, not for controlling access. While they can be used in conjunction with IAM policies to allow or deny access, tags alone do not grant or deny access to Systems Manager. They are metadata to categorize your AWS resources and do not affect the operational aspects of AWS Systems Manager. Special note on Usage: User-defined tags are tags that you define, create, and apply to resources. After you have created and applied the user-defined tags, you can activate by using the Billing and Cost Management console for cost allocation tracking. Cost Allocation Tags appear on the console after you've enabled Cost Explorer, Budgets, AWS Cost and Usage reports, or legacy reports. When using AWS Organizations, you must use the Billing and Cost Management console in the payer account to mark the tags as cost allocation tags. You can use the Cost Allocation Tags manager to do this.

Answer 120

Interface Endpoint(Paid): Is a private connection via ENI, therefore it requires security group settings to connect the instance's private ip to the AWS service. Accessible via VPN, VPC peering Gateway Endpoint(free and scales more): Is more like an AWS Public service. It only requires a Route table configuration to the endpoint. Once targeted from the route table, this configuration directly exposes the instance to DynamoDb and S3 bucket

Answer 121

Amazon Inspector is an automated vulnerability management service that continually scans Amazon Elastic Compute Cloud (EC2), AWS Lambda functions, and container images in Amazon ECR and within continuous integration and continuous delivery (CI/CD) tools, in near-real time for software vulnerabilities and unintended ... Amazon Inspector helps you discover potential security issues by using security rules to analyze your AWS resources. Amazon Inspector monitors and collects behavioral data (telemetry) about your resources. To get started, you create an assessment target (a collection of the AWS resources that you want Amazon Inspector to analyze). Next, you create an assessment template (a blueprint that you use to configure your assessment). You use the template to start an assessment run, which is the monitoring and analysis process that results in a set of findings.

Answer 122

Enabling log file integrity validation in AWS CloudTrail allows for the detection of whether a log file was modified, deleted, or unchanged after CloudTrail delivered it. You can use AWS CLI commands to manually validate the integrity of the log files. This provides a cryptographically verifiable method of ensuring log files have not been altered.

Answer 123

Evictions occur when memory is over filled or greater than the maxmemory setting in the cache, resulting in the engine selecting keys to evict in order to manage its memory. The keys that are chosen are based on the eviction policy that is selected. You cannot add read replicas to a Memcached cluster.

Answer 124

1. All Healthchecks failed = Misconfigured sg, no Route table route ,target not in service, etc 2. HealthyHostCount dropping(eg, from 5 to 2) = health checks have failed, and the ALB has taken EC2 instances out of service

Answer 125

Amazon EC2 sends an EC2 Instance State-change Notification event to Amazon EventBridge when the state of an instance changes. eg: - pending - running - stopping - stopped - shutting-down - terminated

Answer 126

Run Command= To run live commands from managed or manual documents Automation: More of like a complete pipeline of commands and events State Manager: Maintain configuration consistency by reapplying configuration state,and view detailed configuration history and output. Quickly identify and remediate compliant and non-compliant machines across multiple accounts.

Answer 127

Route propagation allows a virtual private gateway to automatically propagate routes to the route tables. This means that you don't need to manually enter VPN routes to your route tables. You can enable or disable route propagation. Edge association use to route inbound VPC traffic to an appliance Route propagation enables the automatic propagation of routes from a gateway (like a transit gateway) to a route table.

Answer 128

Managing the health of the Linux operating systems" is incorrect. The operating systems of EC2 instances are managed by customers, not AWS

Answer 129

Over VPN, using their on-premises Active Directory user accounts to login to AWS IAM. They would then be able to access the AWS Management Console.

Answer 130

Metrics are containers for certain indexes about an instance or a service. Logs are text report on anticipated or unanticipTED events Note Metrics: Metrics are quantitative measures or data points that provide information about the performance or status of a system, service, or application. They are typically numerical values that can be collected over time, allowing for the analysis of trends, patterns, and anomalies. Metrics are used to monitor and evaluate the health and efficiency of a system, helping to identify issues or optimize performance. Examples of metrics include response time, error rate, CPU usage, memory usage, and throughput. Logs: Logs are records or entries generated by a system, application, or service to capture information about events, activities, or transactions. They are typically text-based and can include details about errors, warnings, user actions, and system events. Logs serve as a chronological record of what has happened within a system, and they are crucial for troubleshooting, debugging, and auditing. While logs can contain metrics, they also provide context and narrative information about the events that occurred. In summary, metrics are quantitative measurements that help monitor the performance of a system, while logs are textual records that provide a detailed account of events. While metrics are often used for trend analysis and alerting, logs are essential for diagnosing and understanding the context of issues. Both metrics and logs are crucial components of effective monitoring and troubleshooting in various IT and software contexts.

Answer 131

- You cannot copy an automated DB snapshot. - Snapshots exist on S3 but you cannot directly work with them. - You cannot create multi-AZ standby instances in another account

Answer 132

Amazon RDS handles failovers automatically so you can resume database operations as quickly as possible without administrative intervention. The primary DB instance switches over automatically to the standby replica if any of the following conditions occur: * An Availability Zone outage. * The primary DB instance fails. * The DB instance's server type is changed. * The operating system of the DB instance is undergoing software patching. * A manual failover of the DB instance was initiated using Reboot with failover. - Failure on the primary database and the DB instance type being changed are both conditions that would cause a failover event to occur.

Answer 133

AWS GuardDuty operates at the application layer, which corresponds to the OSI model's Layer 7 (Application Layer). GuardDuty is a managed threat detection service that continuously monitors for malicious activity and unauthorized behavior within your AWS accounts and workloads. GuardDuty analyzes events and logs generated by various AWS services, such as CloudTrail logs, VPC Flow Logs, and DNS logs, to identify potential security threats. It uses machine learning, anomaly detection, and threat intelligence to detect activities such as reconnaissance, privilege escalation, and communication with known malicious IP addresses. While GuardDuty operates at the application layer for analysis, it leverages data from multiple layers of the OSI model to provide a comprehensive view of potential security issues in your AWS environment. It's important to note that GuardDuty focuses on detecting threats and suspicious activities within the application layer, which includes services and protocols operating at higher levels of the OSI model.

Answer 134

When you share a portfolio using account-to-account sharing or Organizations, you are sharing a reference of that portfolio. The products and constraints in the imported portfolio stay in sync with changes that you make to the shared portfolio, the original portfolio that you shared. The recipient cannot change the products or constraints, but can add AWS Identity and Access Management (IAM) access for end users.

Answer 135

AWS Personal Health Dashboard provides alerts and remediation guidance when AWS is experiencing events that may impact you. While the Service Health Dashboard displays the general status of AWS services, Personal Health Dashboard gives you a personalized view into the performance and availability of the AWS services underlying your AWS resources. The dashboard displays relevant and timely information to help you manage events in progress and provides proactive notification to help you plan for scheduled activities. With Personal Health Dashboard, alerts are triggered by changes in the health of AWS resources, giving you event visibility, and guidance to help quickly diagnose and resolve issues.

Answer 136

You can only enable encryption for an Amazon RDS DB instance when you create it, not after the DB instance is created. However, because you can encrypt a copy of an unencrypted DB snapshot, you can effectively add encryption to an unencrypted DB instance. To do this you create a snapshot of your DB instance, and then create an encrypted copy of that snapshot. You can then restore a DB instance from the encrypted snapshot, and thus you have an encrypted copy of your original DB instance.

Answer 137

Transfer Acceleration: S3 Global accelerator; EC2, ELB, ECS Accelrator uses Edge location to transfer files into AWS. More of like a reverse f CDN, etc

Answer 138

Using Amazon CloudWatch alarm actions, you can create alarms that automatically **stop, terminate, reboot, or recover your EC2 instances.

Answer 139

click and apply with no downtime choose apply Immediately

Answer 140

There can be ELB connected to ec2 instances without Autoscaling group

Answer 141

EC2Rescue for EC2 Windows is a convenient, straightforward, GUI-based troubleshooting tool that can be run on your Amazon EC2 Windows Server instances to troubleshoot operating system-level issues and collect advanced logs and configuration files for further analysis. EC2Rescue simplifies and expedites the troubleshooting of EC2 Windows instances.