Add Stuff Flashcards

1
Q

T/F: DataSync can only be used to transfer data between an on-premises source and a destination inside an AWS VPC.

What is the difference between the following 2 DataSync modes?

  • Transfer only data that has changed
  • Transfer all data
A

F. Example: DataSync also copies between AWS storage services, such as from an Amazon S3 bucket to an Amazon Elastic File System (Amazon EFS) file system and to another S3 bucket.

  • Transfer only data that has changed – DataSync copies only the data and metadata that differs between the source and destination location.
  • Transfer all data – DataSync copies everything in the source to the destination without comparing differences between the locations.

https://docs.aws.amazon.com/datasync/latest/userguide/configure-metadata.html

2
Q

___________ acts as a managed service to create, publish, and secure APIs at scale. It allows the creation of API endpoints that can be integrated with other web applications.

A

Amazon API Gateway: Acts as a managed service to create, publish, and secure APIs at scale. Allows the creation of API endpoints that can be integrated with other web applications.

3
Q

___________ is used to capture and upload streaming data to other AWS services. For example, you can store captured customer activity from different web applications in an Amazon S3 bucket to process analytics and make predictions.

A

Amazon Kinesis Data Firehose (renamed Amazon Data Firehose in 2024): used to capture, optionally transform, and deliver streaming data to other AWS services. In this case, the captured activity can be delivered to an Amazon S3 bucket.

4
Q

____________ provides a way to control access to your APIs using Lambda functions. It allows you to implement custom authorization logic and ensures that the authorization step is performed securely.

A

API Gateway Lambda authorizer: controls access to your APIs with a Lambda function that implements custom authorization logic (for example, validating a bearer token or request parameters) and returns an IAM policy that allows or denies execute-api:Invoke. Two types exist: TOKEN (reads a single header) and REQUEST (reads headers, query strings and other request parameters). Because the Lambda function scales on demand, the authorizer absorbs unpredictable surges in traffic and keeps the authorization step out of the backend code. Caveat: API Gateway caches the returned policy per token for authorizerResultTtlInSeconds (default 300 s, maximum 3600 s), so scope the policy's Resource with that cache in mind.
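
A TOKEN-type Lambda authorizer that shows the request and response shapes the card describes, as an added example (it is not code from the flashcard deck or from AWS). The token format is an assumption: "user.expiry.hmac-sha256" signed with a shared secret, standing in for a real JWT or opaque token, and SIGNING_SECRET is a placeholder that in practice would be fetched from Secrets Manager or SSM Parameter Store.

```python
"""Minimal API Gateway TOKEN Lambda authorizer in standard-library Python.

Assumed (not from the card): the client sends "Authorization: Bearer <token>", where
<token> is "<user_id>.<expiry_epoch>.<hex hmac-sha256>" signed with a shared secret.
"""
import hashlib
import hmac
import time
from typing import Optional

# Placeholder secret; fetch it at cold start in a real deployment, never hard-code it.
SIGNING_SECRET = b"example-shared-secret-do-not-use"


def mint_token(user_id: str, ttl_seconds: int, *, now: Optional[int] = None) -> str:
    """Issue a token of the assumed format; present only so the example is self-contained."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}.{now + ttl_seconds}"
    sig = hmac.new(SIGNING_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token: str, *, now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the token is well-formed, unexpired and correctly signed, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    user_id, expiry, sig = parts
    if not expiry.isdigit() or int(expiry) <= now:
        return None
    expected = hmac.new(SIGNING_SECRET, f"{user_id}.{expiry}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so response timing cannot leak the signature byte by byte.
    if not hmac.compare_digest(expected, sig):
        return None
    return user_id


def _policy(principal_id: str, effect: str, resource: str, context: Optional[dict] = None) -> dict:
    """Build the response document API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}],
        },
        "context": context or {},
    }


def scope_resource(method_arn: str) -> str:
    """Widen the Resource from the one invoked method to every method and path on this stage.

    API Gateway caches the returned policy per token (authorizerResultTtlInSeconds), so a
    policy scoped to a single methodArn would make the cached result deny every other route.
    """
    # methodArn: arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{METHOD}/{path...}
    api_prefix, _, _ = method_arn.partition("/")
    stage = method_arn.split("/")[1]
    return f"{api_prefix}/{stage}/*/*"


def lambda_handler(event: dict, _context=None, *, now: Optional[int] = None) -> dict:
    """Entry point for a TOKEN authorizer: event carries authorizationToken and methodArn."""
    header = event.get("authorizationToken", "")
    method_arn = event["methodArn"]
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        # Raising with exactly this message makes API Gateway answer 401 instead of 403.
        raise Exception("Unauthorized")
    user_id = verify_token(token, now=now)
    if user_id is None:
        # Explicit Deny: a present but invalid token yields a (cached) 403.
        return _policy("anonymous", "Deny", scope_resource(method_arn))
    return _policy(user_id, "Allow", scope_resource(method_arn), {"userId": user_id})
```

The three outcomes are deliberate: a missing or malformed header raises "Unauthorized" (401, not cached), a bad signature or expired token returns an explicit Deny (403, cached for the TTL), and a good token returns Allow with the user id passed to the backend through the context map.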

5
Q

______________ is an in-memory data store that can be used to store session data. It offers high availability and persistence options, making it suitable for maintaining session state.

A

Amazon ElastiCache for Redis: Redis is an in-memory data store that can be used to store session data. It offers high availability and persistence options, making it suitable for maintaining session state.

6
Q

What would you use to keep a user's session intact even if an EC2 instance becomes unavailable or is replaced by automatic scaling (for example, keeping sessions working behind an Auto Scaling group)?

A

Session state with an Auto Scaling group: store session state centrally in ElastiCache for Redis. Any instance can then serve the next request, so the session survives an instance becoming unavailable or being replaced by automatic scaling. Strictly, this removes the dependence on load balancer sticky sessions rather than preserving it.

7
Q

In what situation with microservices is it advantageous to use the API Gateway over an ALB to direct incoming requests to the appropriate microservices housed on an EKS backend?

A

Use Amazon API Gateway in front of Amazon EKS when cost efficiency matters and traffic is intermittent or low in volume.

You are charged for each hour or partial hour that an Application Load Balancer is running, plus the load balancer capacity units (LCUs) used per hour. With Amazon API Gateway you pay per request, so you only pay when your APIs are in use. Caveat: at sustained high request volumes the per-request pricing of API Gateway can exceed the cost of an ALB, so compare both against the expected traffic profile.

https://aws.amazon.com/blogs/containers/integrate-amazon-api-gateway-with-amazon-eks/

8
Q

When using ElastiCache for Redis, what configuration would be the most appropriate option to achieve high availability at both the node level and the AWS Region level?

A

Multi-AZ Redis replication groups whose shards contain multiple nodes: each shard has a primary node and one or more read replicas placed in different Availability Zones, with automatic failover enabled. This gives node-level redundancy and, within one Region, survives the loss of an AZ (the "Region-level" availability the question refers to). Replication across Regions is a separate feature (Global Datastore).

9
Q

What ElastiCache for Redis configuration provides high availability at the Region level?

A

Multi-AZ Redis replication groups: Amazon ElastiCache provides Multi-AZ support for Redis, allowing replication groups to span multiple Availability Zones (AZs) within a Region. With automatic failover enabled, a replica in another AZ is promoted if the primary fails, so the cache survives the loss of an AZ.

10
Q

What ElastiCache for Redis configuration provides scalability and redundancy at the node level, contributing to high availability and performance?

A

Shards with multiple nodes: each shard in the replication group can hold a primary plus up to five read replicas, giving redundancy at the node level and read scalability. Adding shards (cluster mode enabled) scales writes and data size across more nodes.

11
Q

What EC2 option allows EC2 instances to persist their in-memory state to Amazon EBS? When in use, it allows an instance to quickly resume with its previous memory state intact. This is particularly useful for reducing startup time when loading memory takes long.

A

EC2 instance hibernation (available for On-Demand and Spot Instances): hibernation writes the instance's RAM contents to the root EBS volume, so on resume the instance continues with its previous memory state intact. This reduces startup time for applications that take long to warm up. Requirements: hibernation must be enabled at launch, and the root volume must be an encrypted EBS volume large enough to hold the RAM contents (the memory image lands on disk, which is why encryption is mandatory).

12
Q

What Auto Scaling feature keeps a pool of pre-initialized instances available even when demand is low, reducing the time it takes for a new instance to become fully productive?

A

EC2 Auto Scaling warm pools: a warm pool holds pre-initialized instances (Stopped by default; Running or Hibernated are also options) outside the group's desired capacity. When the group scales out it pulls an instance from the pool instead of launching and configuring a fresh one, so the instance becomes productive quickly. Stopped pool instances cost only their EBS storage, which is why this is cheaper than keeping extra instances in service.

13
Q

As a serverless service, what does AWS Step Functions do?

A

AWS Step Functions lets you orchestrate and scale distributed processing with the Map state. A Map state processes the elements of a large dataset in parallel by spreading the work across multiple child executions and resources.

Step Functions is serverless, so there are no servers to manage. It will automatically scale based on demand.

AWS Step Functions is a fully managed service that makes it easier to coordinate the components of distributed applications and microservices using visual workflows. Building applications from individual components that each perform a discrete function helps you scale more easily and change applications more quickly.

Step Functions is a reliable way to coordinate components and step through the functions of your application. Step Functions provides a graphical console to arrange and visualize the components of your application as a series of steps. This makes it easier to build and run multi-step applications.

Step Functions triggers and tracks each step, retries failed steps when you configure Retry and Catch on them, and records the state of every step, so when things go wrong you can diagnose and debug problems quickly.

https://docs.aws.amazon.com/step-functions/latest/dg/use-dist-map-orchestrate-large-scale-parallel-workloads.html

14
Q

Describe the AWS Step Functions feature known as the Map state in Distributed mode (Distributed Map).

A

A Map state in Distributed mode handles the parallel processing and scaling for you: Step Functions starts child workflow executions as needed to work through the dataset.

To run a large-scale parallel workload, include a Map state with Mode set to DISTRIBUTED. The Distributed Map state processes the items of a dataset (for example, the objects under an S3 prefix or the rows of a CSV file) concurrently, each iteration as a child workflow execution with its own execution history, separate from the parent workflow. MaxConcurrency caps how many child executions run in parallel (up to 10,000), and a tolerated failure threshold lets the map complete even if some items fail.

15
Q

T/F

There is nothing preventing you from transitioning objects to S3 Standard-IA or S3 One Zone-IA immediately after upload. For example, you can create a Lifecycle rule to transition objects to the S3 Standard-IA storage class one day after you create them.

A

F

Before you transition objects to S3 Standard-IA or S3 One Zone-IA, you must store them for at least 30 days in Amazon S3. For example, you cannot create a Lifecycle rule to transition objects to the S3 Standard-IA storage class one day after you create them. Amazon S3 doesn’t support this transition within the first 30 days because newer objects are often accessed more frequently or deleted sooner than is suitable for S3 Standard-IA or S3 One Zone-IA storage. Similarly, if you are transitioning noncurrent objects (in versioned buckets), you can transition only objects that are at least 30 days noncurrent to S3 Standard-IA or S3 One Zone-IA storage.

https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-transition-general-considerations.html
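
A pre-flight lint for the rule above, added here as an example (not code from the flashcard deck or from AWS). It accepts the same dict shape that boto3's put_bucket_lifecycle_configuration(LifecycleConfiguration=...) takes, so it can be run over infrastructure-as-code output before an apply. SAMPLE_CONFIG and its rule IDs are constructed for illustration. It also goes one step beyond the card: S3 additionally rejects a rule whose Expiration.Days is not greater than every transition's Days, and the checker flags that too.

```python
"""Pre-flight lint for S3 Lifecycle configurations (added example).

Takes the dict shape boto3's put_bucket_lifecycle_configuration(LifecycleConfiguration=...)
accepts. SAMPLE_CONFIG is constructed for illustration; rule IDs and prefixes are made up.
"""
from typing import List

# Classes with a 30-day minimum object age; S3 rejects shorter transitions outright.
MIN_AGE_CLASSES = {"STANDARD_IA", "ONEZONE_IA"}
MIN_DAYS = 30

SAMPLE_CONFIG = {
    "Rules": [
        {   # Rejected by S3: Standard-IA needs the object to be at least 30 days old.
            "ID": "too-early-ia", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
            "Transitions": [{"Days": 1, "StorageClass": "STANDARD_IA"}],
        },
        {   # Same minimum for noncurrent versions in a versioned bucket.
            "ID": "noncurrent-too-early", "Status": "Enabled", "Filter": {"Prefix": "data/"},
            "NoncurrentVersionTransitions": [{"NoncurrentDays": 7, "StorageClass": "ONEZONE_IA"}],
        },
        {   # Also rejected: expiration must come after every transition in the rule.
            "ID": "expires-before-transition", "Status": "Enabled", "Filter": {"Prefix": "tmp/"},
            "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"}],
            "Expiration": {"Days": 20},
        },
        {   # Compliant: IA at 30 days, Glacier later, expiration last.
            "ID": "compliant", "Status": "Enabled", "Filter": {"Prefix": "archive/"},
            "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"},
                            {"Days": 90, "StorageClass": "GLACIER"}],
            "Expiration": {"Days": 365},
        },
    ]
}


def lifecycle_violations(config: dict) -> List[str]:
    """Return one message per transition or expiration S3 would reject (empty list = clean)."""
    problems = []
    for rule in config.get("Rules", []):
        rid = rule.get("ID", "<unnamed>")
        current = rule.get("Transitions", [])
        for t in current:
            # Date-based transitions carry no "Days" key and are skipped by this check.
            if t.get("StorageClass") in MIN_AGE_CLASSES and t.get("Days", MIN_DAYS) < MIN_DAYS:
                problems.append(f"{rid}: transition to {t['StorageClass']} after {t['Days']} days (< {MIN_DAYS})")
        for t in rule.get("NoncurrentVersionTransitions", []):
            if t.get("StorageClass") in MIN_AGE_CLASSES and t.get("NoncurrentDays", MIN_DAYS) < MIN_DAYS:
                problems.append(f"{rid}: noncurrent transition to {t['StorageClass']} after "
                                f"{t['NoncurrentDays']} days (< {MIN_DAYS})")
        # Beyond the card: Expiration.Days must exceed the Days of every transition in the rule.
        expiry = rule.get("Expiration", {}).get("Days")
        transition_days = [t["Days"] for t in current if "Days" in t]
        if expiry is not None and transition_days and expiry <= max(transition_days):
            problems.append(f"{rid}: expires at {expiry} days but a transition happens at "
                            f"{max(transition_days)} days")
    return problems


if __name__ == "__main__":
    for line in lifecycle_violations(SAMPLE_CONFIG):
        print(line)
```

Run against SAMPLE_CONFIG it reports three problems (the 1-day IA transition, the 7-day noncurrent transition and the expiration that precedes its transition) and nothing for the compliant rule.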

16
Q

What feature in AWS Lake Formation is designed to implement row-level and cell-level security?

A

Data filters in AWS Lake Formation are designed to implement row-level and cell-level security. It is used to control access at the data level and is an appropriate approach for a secure solution to prevent access to parts of the data that contain sensitive information.

17
Q

_____________ provides a comprehensive solution for monitoring and analyzing containerized applications, including those running on Amazon Elastic Kubernetes Service (Amazon EKS). Collects performance metrics, logs, and events from EKS clusters and containerized applications, allowing you to gain insight into their performance and health.

A

Amazon CloudWatch Container Insights provides a comprehensive solution for monitoring and analyzing containerized applications, including those running on Amazon Elastic Kubernetes Service (Amazon EKS). Collects performance metrics, logs, and events from EKS clusters and containerized applications, allowing you to gain insight into their performance and health. CloudWatch Container Insights integrates with CloudWatch Logs, allowing you to view logs and metrics in the CloudWatch console for analysis. Provides a centralized location to collect, aggregate, and summarize metrics and logs for your customer-facing application’s microservices architecture.

18
Q

____________ is a threat detection service that continuously monitors for malicious activity and unauthorized behavior in AWS accounts. It analyzes VPC Flow Logs, AWS CloudTrail event logs and DNS logs for potential threats.

A

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior in AWS accounts. It analyzes VPC Flow Logs, AWS CloudTrail management events, CloudTrail S3 data events and DNS query logs (plus optional sources such as EKS audit logs) for potential threats, without you having to enable or ship those logs yourself. GuardDuty findings can be sent to AWS Security Hub, which acts as a central place to monitor security alerts and compliance status across all AWS accounts.

19
Q

___________ consolidates and prioritizes findings from multiple AWS services, including GuardDuty, and provides a unified view of security alerts. It can integrate with third-party security tools and lets you define custom actions to remediate security findings.

A

AWS Security Hub consolidates and prioritizes findings from multiple AWS services, including GuardDuty, and provides a unified view of security alerts. Security Hub can integrate with third-party security tools and lets you define custom actions (for example, sending a selected finding to EventBridge for automated remediation). Combined with GuardDuty, it provides continuous monitoring, detection and reporting of malicious activity in your AWS account, including S3 bucket access patterns.

20
Q

What 2 products when combined provide continuous monitoring, detection, and reporting of malicious activities in your AWS account, including S3 bucket access patterns?

A

GuardDuty and Security Hub

Amazon GuardDuty detects: it continuously monitors for malicious activity and unauthorized behavior by analyzing VPC Flow Logs, AWS CloudTrail event logs and DNS logs. AWS Security Hub aggregates: it consolidates and prioritizes findings from GuardDuty and other services into a unified view across all accounts, integrates with third-party tools and supports custom actions for remediation. Together they provide continuous monitoring, detection and reporting of malicious activity in your AWS account, including S3 bucket access patterns. Caveat: the S3-specific findings (for example Discovery:S3/MaliciousIPCaller or Exfiltration:S3/AnomalousBehavior) depend on GuardDuty S3 Protection, which analyzes CloudTrail S3 data events; without it GuardDuty only sees S3 management-plane calls such as bucket policy changes.
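
The detection side of this pairing in code, as an added example (not from the flashcard deck or from AWS): a triage function for a GuardDuty finding delivered through EventBridge, the shape a Lambda behind a rule on source "aws.guardduty" receives. The event is constructed to follow the published finding format (the finding sits under "detail"); the account id, bucket name, finding id and IP address are made up, and the paging rule is a hypothetical policy.

```python
"""Triage a GuardDuty finding as delivered through EventBridge (added example).

SAMPLE_EVENT is constructed; it follows the GuardDuty finding format but all identifiers,
the bucket name and the IP address are invented.
"""
from typing import Optional

SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "schemaVersion": "2.0",
        "accountId": "111122223333",
        "region": "us-east-1",
        "id": "example-finding-id",
        "type": "Discovery:S3/MaliciousIPCaller",
        "severity": 5,
        "resource": {
            "resourceType": "S3Bucket",
            "s3BucketDetails": [{"name": "example-customer-exports", "type": "Destination"}],
        },
        "service": {
            "serviceName": "guardduty",
            "count": 3,
            "action": {
                "actionType": "AWS_API_CALL",
                "awsApiCallAction": {
                    "api": "ListObjects",
                    "serviceName": "s3.amazonaws.com",
                    "callerType": "Remote IP",
                    "remoteIpDetails": {"ipAddressV4": "198.51.100.23"},
                },
            },
        },
    },
}


def severity_label(score: float) -> str:
    """Map GuardDuty's numeric severity to its documented bands."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def triage(event: dict) -> Optional[dict]:
    """Return a compact ticket for S3-related findings, or None for anything else."""
    if event.get("source") != "aws.guardduty":
        return None
    finding = event["detail"]
    ftype = finding["type"]
    # S3 findings name S3 in the resource segment of the type, e.g. Exfiltration:S3/AnomalousBehavior.
    if not ftype.split(":", 1)[-1].startswith("S3/"):
        return None
    buckets = [b["name"] for b in finding.get("resource", {}).get("s3BucketDetails", [])]
    api_action = finding.get("service", {}).get("action", {}).get("awsApiCallAction", {})
    label = severity_label(float(finding["severity"]))
    return {
        "finding_id": finding["id"],
        "account": finding["accountId"],
        "type": ftype,
        "severity": label,
        "buckets": buckets,
        "api": api_action.get("api"),
        "remote_ip": api_action.get("remoteIpDetails", {}).get("ipAddressV4"),
        "count": finding.get("service", {}).get("count", 1),
        # Hypothetical policy: HIGH or worse on a bucket pages on-call; the rest stays in Security Hub.
        "page_oncall": label in ("HIGH", "CRITICAL"),
    }


def lambda_handler(event: dict, _context=None) -> Optional[dict]:
    """Lambda entry point: returns the ticket (or None) so the caller can route it."""
    return triage(event)
```

The filter on the finding type is what ties this to "S3 bucket access patterns": only findings whose type names S3 as the resource are turned into tickets, and the bucket names, calling API and remote IP are lifted out of the nested finding so an analyst sees them without opening the raw JSON.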

21
Q

___________ are organization policies attached to the root, organizational units or accounts of an AWS organization to define the maximum available permissions for all accounts they cover.

A

Service control policies (SCPs) are attached to the root, organizational units (OUs) or individual accounts of an AWS organization and define the maximum available permissions for every account they cover; they never grant permissions on their own. By creating an SCP with an explicit Deny on CloudTrail changes (for example cloudtrail:StopLogging, cloudtrail:DeleteTrail, cloudtrail:UpdateTrail and cloudtrail:PutEventSelectors) and attaching it at the root, you enforce this across all member accounts. SCPs bind every IAM user and role and the root user of each member account, so even developers with root access to their own accounts cannot modify CloudTrail. Caveat: SCPs do not affect the management account itself, so protect that account separately.

22
Q

_______________ is a fully managed analytics solution that provides organization-wide visibility into object storage usage, activity trends, and helps identify cost-saving opportunities. It is designed to minimize operational overhead and provides comprehensive information about your S3 usage.

A

S3 Storage Lens is a fully managed analytics solution that gives organization-wide visibility into object storage usage and activity trends and helps identify cost-saving opportunities, with minimal operational overhead.

Incomplete multipart uploads: Storage Lens exposes metrics for incomplete multipart upload bytes (including how long they have been sitting) without custom configuration, so stalled uploads that still incur storage charges can be found and then cleaned up, for example with a lifecycle rule that uses AbortIncompleteMultipartUpload. Because it summarizes usage across accounts and buckets, it suits both compliance and cost monitoring.

S3 Storage Lens is specifically designed to obtain information about S3 usage; the free tier covers usage metrics, and advanced metrics (activity, detailed status code and cost optimization metrics) are a paid option.

23
Q

_______ is a fully managed graph database, and ________ allows you to capture changes to the database. This option provides a fully managed solution for storing and monitoring database changes, minimizing operational overhead. Both storage and change monitoring are handled by it.

A

Amazon Neptune is a fully managed graph database, and Neptune Streams allows you to capture changes to the database. This option provides a fully managed solution for storing and monitoring database changes, minimizing operational overhead. Both storage and change monitoring are handled by Amazon Neptune.

24
Q

T/F
DataSync has no capability to verify data integrity, so to ensure that Amazon S3 data matches the source you need additional services or code.

A

F

DataSync verifies data integrity automatically: it checks integrity during transfer and can additionally verify the destination after the transfer (the task options are to verify only the data transferred or to verify all data in the destination), so no extra service or code is needed to confirm that the S3 data matches the source.

25
Q

___________ is designed for ledger-style applications, providing a transparent, immutable, and cryptographically verifiable record of transactions. It is suitable for use cases where an immutable and transparent record of all changes is needed.

A

Amazon Quantum Ledger Database (Amazon QLDB). Note: AWS has announced end of support for QLDB (effective July 31, 2025), naming Amazon Aurora PostgreSQL as the suggested migration target, so treat this as exam knowledge rather than a choice for new designs.

26
Q

__________ is specifically designed to discover detailed information about servers, applications, and dependencies, providing a complete view of the on-premises environment.

A

AWS Application Discovery Service (AWS ADS)

27
Q

_____________ is a fully managed graph database service that is optimized for storing and querying graph data. It is specifically designed to handle complex relationships such as many-to-many relationships and multi-level connections efficiently.

A

Amazon Neptune

● With Neptune, you can use graph traversal algorithms to find mutual connections up to five levels deep with high performance.
● This solution is well-suited for the requirements of efficiently querying complex relationship data.

28
Q

_________ is a service that helps discover, classify, and protect sensitive data stored in AWS. It uses machine learning algorithms and managed identifiers to detect various types of sensitive information, including personally identifiable information (PII) and financial information.

A

Amazon Macie

By configuring Amazon Macie to run a sensitive data discovery job with the appropriate managed data identifiers for the required data types (such as passport numbers and credit card numbers), the company can identify and classify any sensitive data present in the S3 bucket.

29
Q

___________ is a type of organization policy that you can use to manage permissions in your organization. These offer central control over the maximum available permissions for all accounts in your organization.

A

Service control policy (SCP)

SCPs help you to ensure your accounts stay within your organization's access control guidelines. SCPs are available only in an organization that has all features enabled.

30
Q

T/F

SCPs are available only in an organization that has all features enabled.

A

T
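
An SCP of the kind cards 21 and 29 describe, with a small evaluator that shows why it binds even a member account's root user, added as an example (it is not code from the flashcard deck or from AWS). The policy document uses real SCP syntax and real CloudTrail action names; the evaluator implements the documented rule that an explicit Deny always wins and that an action must otherwise be covered by an Allow, using IAM-style wildcard matching. It is deliberately partial: the only Condition it understands is the StringNotLike on aws:PrincipalARN used below, and the SecurityBreakGlass role ARN is a made-up exception.

```python
"""SCP that blocks CloudTrail changes, plus a minimal SCP evaluator (added example).

The evaluator covers Action wildcards and one Condition form (StringNotLike on
aws:PrincipalARN); everything else about real SCP evaluation is out of scope here.
"""
from fnmatch import fnmatchcase
from typing import Iterable

# Organizations attaches FullAWSAccess to roots and OUs by default. It allows everything,
# which is what makes the Deny statements below the only thing actually restricting accounts.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

PROTECT_CLOUDTRAIL = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyCloudTrailChanges",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
            # Hypothetical break-glass role; every other principal, root included, is denied.
            "Condition": {"StringNotLike": {"aws:PrincipalARN": "arn:aws:iam::*:role/SecurityBreakGlass"}},
        }
    ],
}


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _action_matches(patterns: Iterable[str], action: str) -> bool:
    # IAM action matching is case-insensitive and supports the * and ? wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _condition_holds(condition: dict, principal_arn: str) -> bool:
    """Evaluate only the StringNotLike / aws:PrincipalARN form used above (an assumption)."""
    if not condition:
        return True
    patterns = _as_list(condition.get("StringNotLike", {}).get("aws:PrincipalARN", []))
    return not any(fnmatchcase(principal_arn, p) for p in patterns)


def scp_allows(policies: Iterable[dict], action: str, principal_arn: str) -> bool:
    """True if the SCPs leave `action` available to the principal.

    SCPs only bound what is possible: an identity policy must still grant the action
    separately, and the management account is never subject to SCPs at all.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _action_matches(_as_list(stmt["Action"]), action):
                continue
            if not _condition_holds(stmt.get("Condition", {}), principal_arn):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny always wins
            allowed = True
    return allowed
```

The evaluator makes the card's claim concrete: the member account's root user is just another principal ARN that fails the StringNotLike exception, so cloudtrail:StopLogging is denied for it, while read-only calls such as cloudtrail:DescribeTrails stay available through FullAWSAccess. Dropping FullAWSAccess (the allowlist style) makes every action unavailable until an Allow is added, which the last assertion in the test shows.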

31
Q

______________ is designed for IPv6 traffic and provides outbound IPv6 internet access from a VPC while blocking connections initiated from the internet. It satisfies the requirement of preventing external services from initiating connections to the instances while allowing the instances to initiate outbound communications.

A

Egress-only internet gateway (EIGW). It is the IPv6 counterpart of a NAT gateway: IPv6 addresses are globally routable, so no address translation happens, but the gateway is stateful and only passes return traffic for sessions the instances opened. It works in IPv6-only and dual-stack VPCs; for IPv4 you need a NAT gateway to get the same effect.

32
Q

T/F

EBS Multi-Attach is supported exclusively on Provisioned IOPS SSD (io1 and io2) volumes.

A

T. Multi-Attach is supported only on Provisioned IOPS SSD (io1 and io2) volumes. The attached instances must be in the same Availability Zone as the volume, and a standard file system does not coordinate concurrent writers, so use a cluster-aware file system on a Multi-Attach volume.

33
Q

_______________ is a fully managed integration service that allows you to securely transfer data between different SaaS applications and AWS services. It provides built-in encryption options and supports encryption in transit using SSL/TLS protocols.

A

Amazon AppFlow

With AppFlow you can configure a flow from Salesforce, for example, to Amazon S3, with data encrypted in transit over TLS and at rest with an AWS KMS key (a customer managed key, formerly called a CMK).

34
Q

_______________ is a service that helps visualize and understand the architecture of your workloads across multiple AWS accounts and Regions. It automatically discovers and maps the relationships between resources, providing an accurate representation of the architecture.

A

Workload Discovery on AWS

35
Q

What feature in Lake Formation allows you to define tags and tag-based policies to grant selective access to the required data for another team's accounts in your organization?

A

Lake Formation’s tag-based access control

This approach allows you to control access at a granular level without the need to copy or move the data to a common account or manage permissions individually in each account. It provides a centralized and scalable solution for securely sharing data across accounts with minimal operational overhead.

36
Q

How many secondary CIDR blocks can be added after creation of the VPC?

A

By default you can add up to four secondary IPv4 CIDR blocks after creating the VPC (the quota is five IPv4 CIDR blocks per VPC, primary included, and it can be raised through a quota increase).

37
Q

_____________ is a fully managed batch processing service that can be used to easily run batch jobs on Amazon EC2 instances. It can scale the number of instances to match the workload, allowing the batch job to be completed in the desired time frame with minimal operational overhead.

A

AWS Batch