Adrian Cantrill Cards Flashcards

Question 1

Q

CLB VS ALB

Answer

A

ALB can route based on Layer 7
can handle multiple domains and can understand URL path
can handle multiple SSL Certs so permits consolidation onto a single ALB
CLB cannot understand Layer 7!
ALB Supports ECS, Lambda, etc.

Question 2

Q

When to use site-to-site VPN

Answer

A

Managed Service
HA by design
Connect non-AWS to AWS
Quick to set up and secure

Question 3

Q

Reserved instance billing

Answer

A

Used for constant steady-state usage
You exchange flexibility for discounts
Generally 1- or 3 year commitment, with options for 0 upfront or partial upfront, or full upfront.

Question 4

Q

Lambda key facts

Answer

A

Billed for execution time: max 15 mins.
Cold start (running environment created from new)
Warm start (environment reused)
Execution policy = IAM role providing permissions.

Question 5

Q

Service control policies

Answer

A

Account permissions boundaries. Limit what all users in an account can do, even the root user. Do not apply to the master account.

Question 6

Q

Relational databases

Answer

A

RDS Oracle
RDS MySQL
RDS MariaDB
RDS PostgreDB
RDS Aruora
RedShift (column)

Question 7

Q

VPC

Answer

A

Isolated network
network blast isolation
One or more IPv4 CIDRs (/28->/16)
Can have IPv6 allocated
Region resilient

Question 8

Q

CloudHSM

Answer

A

Uses industry standard API
Same architecture as KMS (CMK/DEK)
FIPS 140-2 level 3
Exclusive control

Question 9

Q

CLB end-to-end encryption

Answer

A

For an unbroken end-to-end encryption connection, pick a TCP listener so that the LB won’t decrypt the connection. The CLB doesn’t need any SSL cert installed on it.

Question 10

Q

7-Layer ISO model

Answer

A

Layer 7: Application
Layer 6: Presentation
Layer 5: Session
Layer 4: Transport
Layer 3: Network
Layer 2: Data Link
Later 1: Physical

Please Do Not Throw Salty Peanut Away

Question 11

Q

When not to use Site-to-Site VPN

Answer

A

Low latency
Consistent latency
High Speed
Non-internet transit

Question 12

Q

CloudFront geo restriction

Answer

A

White list/Black list
Location only (country code)
Cannot use any other field/aspect of customer sessions

Question 13

Q

What is an edge location?

Answer

A

A smaller infrastructure unit. Edge locations are capable of running limited edge computing and are generally used by CloudFront for content distribution. They are located as close to major population center as possible.

Question 14

Q

What is an AZ

Answer

A

An availability zone (an isolated unit of AWS infrastructure).
A region can have one or more AZs.
One failing AZ should be isolated from others.
AZs might be 1 building or more.
AZs can have many isolated units of compute, storage, and networking.

Question 15

Q

Internet gateway

Answer

A

Associated with one VPC and a VPC can have one IGW
Translate Private IP to and from Public/EIP
Needs an RT (Route Table) route
Highly available by design across all AZs used for public internet access IPv4/6

Question 16

Q

S3 transfer acceleration

Answer

A

Provides new endpoint (via CloudFront).

- ````````````````````````````````````````

Question 17

Q

S3 transfer acceleration

Answer

A

Provides new endpoint
Uses the AWS global network for transit
Entry point is a local CF (CloudFront) location, backhauled to bucket location
MUCH faster than using S3 directly

Question 18

Q

EMR types

Answer

A

Master Node (can only have one in a EMR cluster)
Core Nodes
Task Nodes

Question 19

Q

CLB vs ALB

Answer

A

ALB can route based on Layer 7
ALB can handle multiple domains and can understand URL paths
ALB can handle multiple SSL Certs, so permits consolidation onto a single ALB
CLB cannot understand Layer 7
ALB supports ECS, Lambda, etc.

Question 20

Q

Persistent Data

Answer

A

Data that exists beyond the lifetime of the thing it’s attached to. An EBS volume continues operating after a machine is shut down, restarted, or terminated (if that option is selected)

Question 21

Q

Cross-zone load balancing

Answer

A

A setting that is default on ALB and optional on CLB. Allows an ELB node to distribute connections to instances/targets outside its AZ for a more even distribution of connections across AZs.

Question 22

Q

X-Forwarded-For

Answer

A

The ‘X-Forwarded-For’ request header helps you identify the IP address of a client when you use an HTTP or HTTPs load balancer. It adds the source IP of the original front-end viewer (The originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer).

Question 23

Q

CloudFormation stack

Answer

A

Created from a template. Maps logical resources in a template to physical resources in AWS. The lifecycle of a stack is linked to resources. Creations, updates, and deletions to the stack do the same to physical resources.

Question 24

Q

IAM Group

Answer

A

Not a principle; cannot be referenced in policies
Has IAM users as members
Can have policies associated (inline or managed)
cannot be “logged in to” - has no credentials.

Question 25

Q

AWS GraphDB service

Question 26

Q

CloudFormation template

Answer

A

Used to create a stack
Parameters, resources, mappings, conditions, and outputs
Apply a template (YAML/JASON) to create one or more stacks

Question 27

Q

Proxy Protocol

Answer

A

If TCP is used for the front and back end, the LB makes a connection to your instance. The ELB’s IP will show as the source. Proxy Protocol includes an additional field with the original source IP address. (TCP only)

Question 28

Q

What can you control with CloudFront behaviour?

Answer

A

Protocol policy
Path patterns
Http methods
Query String forwarding
Cookie forwarding
Lambda function association
Object caching
HTTP caching
Request header caching
Object compression
TTL
Viewer access restrictions

Question 29

Q

You want to ensure that you capture authentication activities on your account in CloudTrail. These are not API calls. How can you do this?

Answer

A

Enable Management events (default) when configuring a Trail.

Note: The CloudTrail Event history feature supports only management events. Not all management events are supported in event history.

Question 30

Q

What are the global and regional characteristics of S3?

Answer

A

S3 is a global service with region specific presence. Buckets are globally available and unique. But objects live in a particular region. Each account has a limit of 100 buckets, but unlimited prefixes.

Question 31

Q

What AWS services provides data that can be useful through Athena?

Answer

A

Athena can access logs from CloudTrail, CloudFront, all Load Balancers, and Amazon VPC Flow Logs.

Question 32

Q

You want to query a cats table based on appointment type. The partition key is catID and the sort key is cat name. How can you efficiently query based on another column?

Answer

A

To speed up queries on non-key attributes, you can create a global secondary index. A global secondary index contains a selection of attributes from the base table, but they are organised by a primary key that is different from that of the table. The index key does not need to have any of the key attributes from the table. It doesn’t even need to have the same key schema as a table.

Question 33

Q

How can you restore a database after deleting the Master?

Answer

A

Database backups enable you to restore a database even after the Master is gone. However, they have a default retention period of 35 days, after which they will be deleted. (Sean - this is referring to AWS auto-backup).

Question 34

Q

How can you restrict access to S3 objects within a date range?

Answer

A

Use S3 ACLs.

Question 35

Q

What purchasing options can you use to pay for RedShift compute nodes?

Answer

A

On-demand or
Reserved instances

Note: spot instances is not available for RedShift compute nodes

Question 36

Q

How do EC2 instances, on-premise VMs and servers become manageable by SSM?

Answer

A

By installing Systems Manager Agent, applying appropriate IAM permissions (EC2 only) and activations for on-premise servers.

Question 37

Q

What are the four invocations for a Lambda@Edge function?

Answer

A

Viewer request
Viewer response
Origin request
Origin response

Question 38

Q

You want to keep CloudTrail events longer than 90-day retention period. What can you do?

Answer

A

Configure Trails to deliver CloudTrail events to S3. And optionally enable file encryption and validation to prevent files from tampering.

Note: by default, log files are stored indefinitely

Question 39

Q

What are the two sides of a CloudFront edge called?

Answer

A

The Origin, origin protocol, and origin fetch are where the cached content originate.
The Viewer and Viewer Protocol are the client side or the edge.

Question 40

Q

Yu create a DynamoDB table with a partition key of CatID. Your CatIDs range from 0001 to 0004. You end up with lots of records for each cat, exceeding 10GB per cat. You notice that performance for reading and writing starts to slow down. What could be the problem?

Answer

A

Dynamo has had to create more partitions for each CatID. But since the partition key is CatID, Dynamo still limits the RCU/WCUs to 3000/1000 across all partitions for that CatID. You need to consider a partition key that has more values than 0001-0004.

Question 41

Q

You’ve configured VPC peering between VPC A and VPC B. When you try to ping an EC2 instance in B from A, you don’t get a response. What would you check?

Answer

A

Check the default route table for the subnet in A where the pinging instance lives. It needs to have a route to the CIDR range of VPC B, configured as a Peering Connection with the ID of the peering connection. The same is true of VPC B, which needs a default route table entry for VPC A.
Check NACL for both VPCs to ensure there are no inbound or outbound restrictions.
Lastly, check the security groups for both sides of the communication to ensure sufficient allowances for inbound and outbound traffic between the two. (Me: such as ICMP protocol is allowed)

Question 42

Q

How does AWS IoT enable you to communicate with devices or systems from other manufacturers?

Answer

A

AWS uses MQTT, which is an industry standard protocol that other devices and systems likely use.

Me:
What is MQTT stands for MQ Telemetry Transport. It is a publish/subscribe, extremely simple and lightweight messaging protocol, designed for constrained devices and low-bandwidth, high-latency or unreliable networks.

Question 43

Q

What service can you use when your data security requirements need FIPS 140-2?

Answer

A

KMS or CloudHSM comply with FIPS 140-2
Note:
KMS provides only AWS API access. It does not provide industry standard API access.
(CloudHSM provides exclusive control)

Question 44

Q

What is separation of roles in KMS?

Answer

A

Administration of KMS, such as key management, may not have permissions to decrypt keys or data. Users of KMS may not have admin privileges, but can ask KMS to encrypt and decrypt data.

Question 45

Q

What is a CloudFormation Custom Resource?

Answer

A

A customer resource is a resource either in AWS or 3rd party that a CloudFormation template asks for as part of the stack. It uses messaging: SNS or Lambda, to trigger that resource to create/update/delete

Me: a custom resource is a resource that is not available as AWS CloudFormation resource types. Custom resource enable you to write custom provisioning logic in template logic in the template that AWS CF runs anytime you create, update or delete stacks.

Question 46

Q

When using S3 transfer acceleration, what is the endpoint that the client uses for a bucket?

Answer

A

CloudFront local endpoint. Then the upload traverses the AWS backbone

Question 47

Q

What is CORS?

Answer

A

Cross origin resource sharing. This is a security measure that a server can use to control what other servers can access resources on it.

Question 48

Q

When using S3 transfer acceleration, what is the end point that the client uses for a bucket?

Answer

A

A CloudFront local endpoint. Then the upload traverses the AWS global network.

Question 49

Q

How can a resource in a private subnet access Amazon S3?

Answer

A

By creating an private access point, in this case a private access point gateway. This was my answer. Need to revisit. It is correct, but not complete

Question 50

Q

What kind of transformation can you do to a Firehose stream?

Answer

A

Use a Lambda function to manipulate records or change the format to Parquet or ORC with a checkbox

Me: when you enable Kinesis Data Firehose data transformation, Kinesis Data Firehose buffers incoming data up to 3 MB by default (the size can be adjusted via API). Firehose then invokes the specifies Lambda function asynchronously with each buffered batch using the AWS Lambda to Kinesis Data Firehose.

Apache ORC: the smallest, fastest columnar storage for Hadoop workloads
Apache Parquet is a columnar storage format for Hadoop workloads

Question 51

Q

When configuring instance types for an ElasticSearch cluster, what choices should you consider?

Answer

A

The master node has much lower CPU and memory requirements, so it can be smaller. The data nodes to do the work and should be bigger

Question 52

Q

How does RedShift ensure durability of your data in the cluster

Answer

A

Each of the slices on your compute nodes have the advertised amount of data available to them according to the Management Console. But Redshift also reserves the same amount for replication of slice from other nodes, similar to RAID 5 with a disk array.

Question 53

Q

What’s a Logical Resource in CloudFormation?

Answer

A

The name the template uses to describe physical resources that CF creates. The physical resources acquire cryptic IDs only at the time of creation. The logical resource makes it easier to identify those resources.

Question 54

Q

What are some of the constraints of a DX connection?

Answer

A

Each connection has a bandwidth limit. Not encrypted, must have BGP support for routing

Question 55

Q

Where is the cluster in an Aurora Serverless dB?

Answer

A

It’s in the VPC you specify when creating the cluster. Aurora Serverless allocates ACUs into your cloister from a warm pool it maintains for all customers. The proxy manages connection from your applications to the cluster and movement of the ACUs in and out of your VPC. The proxy also manages migrating cache data from one ACU to another when capacity changes. Keep in mind, Serverless uses the same Cluster Storage Volumetier that Aurora uses, so Serverless is only managing the compute tier since the storage tier is already Serverless and multi-tenant.

Question 56

Q

What are the various node types of an EMR cluster?

Answer

A

An EMR cluster can have only one Master node. It also can have Core Nodes that run HDFS and manage tasks. And optionally Task Nodes which executes tasks but have no storage system. You cannot change the Master node instance type after creating the cluster. You can change Core and Task node instances types.

Question 57

Q

Since RDS doesn’t allow root access to the console, how can admins manage the configuration of the database?

Answer

A

Parameter groups and option groups provide the parameters admins need.

Question 58

Q

What can you do to improve the performance of a Lambda function?

Answer

A

Declare resource objects as singletons outside of the lambda_handler() (me: it like a global variable in c to avoid instantiation for each Lambda function instance). They may be available to the next instance of the function, but declare them as NULL and do NULL checks in the handler or sub-functions.

Me: state dehydration and cold start up library loading slows Lambda function down. So Lambda function will have a better performance when it is stateless and a programming language that loads fast.

Question 59

Q

What are the two types of groups EMR can use for managing instances?

Answer

A

Uniform instance Groups and Fleet instance Groups

Question 60

Q

How can you introduce new versions of an API without breaking applications that depend on the current version?

Answer

A

Use stages (me: see Lambda function versioning as an example)

Question 61

Q

How can you configure ElasticSearch for the best HA?

Answer

A

Configure three master nodes: the master and two eligible masters. Also have at least three data nodes across AZs. By having three of each, ES can use a quorum to determine the next election if one fails (me: assuming that only one AZ will fail in a given time).

Question 62

Q

What are the three minimum parts to an IAM policy statement?

Answer

A

Effect, Action, Resource. And additionally, Condition

Question 63

Q

What’s the fastest way to recover to a previous point of an Aurora DB?

Answer

A

Backtrack instead of restore from a backup.

Question 64

Q

What is the main network security difference between ALB and NLB

Answer

A

ALBs terminate the client request then establish a new connection to the target group because encryption operates at layer 7. NLBs examining only the layer four header, simply pass on the layer 5+ portion of the packet which may or may not be encrypted. This enables an end-to-end pass-through of encrypted layer 7, improving performance (me: and allow for end-to-end encryption (better data protection)

Answer 64

A

Use an ALB and enumerate the various HTTP response codes for the health check. CLB doesn’t support Layer 7 where HTTP resides.

Answer 65

A

Design it to run in any account or location without modifications or user input.

Answer 66

A

On-demand capacity will always manage the RCU/WCU and storage requirements for the incoming load. Auto scaling sets and upper limits and can be slow. Provisioned capacity also sets a limit.

Answer 67

A

Define the updates to the ticket availability and the purchase steps as a transaction. That way, DynamoDB commits all of the updates as a single atomic unit.

me: each transaction can include up to 10 unique items or up to 4MB of data, including conditions.

TransactWriteItems
TransactReadItems

Three read options:

eventual consistency
strong consistency
transactional

Two for write:

standard
transactional.

Transactions are enabled for all single-region DynamoDB tables and are disabled on global tables by default.

Items are not locked during a transaction. DynamoDB transactions provide serialisable isolation. If an item is modified outside of a transaction while the transaction is in process, the transaction is canceled and an exception is thrown with details about which item or items cause the exception.

Answer 68

A

me: The question is not properly written

Answer from LinuxAcademy:

VPC peering is not transitive. VPC B need to have a VPC peering connection to VPC C.

Answer 69

A

Event driven
Capable of scaling from very low capacity to very high capacity
Only pay for what the demand requires.

me: it question implies Lambda Serverless, not e.g. DynamoDB on-demand. DynamoDB is a Serverless database service.

Answer 70

A

When the application positively needs the capacity and the demand is not steady, e.g. sparky.

Answer 71

A

Subnets don’t have security groups. Security groups are assigned to network interfaces.

Answer 72

A

Neptune is a graph DB that is highly scalable with 15 read replicas across three AZs in a region. It can hold up to 64 TB of data with encryption at rest.

Answer 73

A

Viewer request and viewer response

Origin request and origin response

Answer 74

A

Access to Parameter Store and access to master key (CMK) used to encrypt the credentials in Parameter Store.

Answer 75

A

Classic LB or ALB. NLB does not support UDP, only TCP.

Answer 76

A

PKCS#11, java cryptography extensions (JCE), Microsoft cryptoNG (CNG). These are APIs. It does not provide any AWS APIs, meaning that it cannot integrate with other AWS Services offering encryption.
CloudHSM also supports FIPS 142-2 at level 3 which is higher than KMS. (Me: FIPS 142-2 at level 2)

Answer 77

A

Create, Update or Delete resources

Answer 78

A

Since customers pay for Athena by the amount of data it scans, reduce the amount of data scanned by partition data, organise it into columnar format to reduce the number of columns Athena sees during a query.

Answer 79

A

XML, JSON, CSV, TSV, Apache Avro, Apache ORC and Apache Parquet

me:
Avro is a row-oriented remote procedure call and data serialisation framework developed within Apache’s Hadoop project. It uses JASON for defining data types and protocols, and serialises data in a compact binary format.

Answer 80

A

Metadata about network traffic into and out of the VPC, including address, port, protocol and more. Logs do not include information about DHCP, AWS DNS, or license activation requests. This is not a network monitor.

Answer 81

A

The cluster endpoint refers to the master for read and write. The reader endpoint refers to all replicas as a cluster. Readers get directed to any replica, improving scalability of Aurora for read-intensive workload. Instance endpoints refer to any specific instance. Custom endpoints allows you to configure groups of instances behind an endpoint.

me: Amazon Aurora typically involves a cluster of DB Instances instead of a single instance. Each connection is handled by a specific DB instance. When you connect to an Aurora cluster, the host name and port that you specify point to an intermediary handler called an endpoint. Aurora uses endpoint mechanism to abstract these connections. Thus, you don’t have to hardcore all the host names or write your own logic for load balancing and rerouting connections when some DB Instances aren’t available.

For certain Aurora tasks, different Instances or groups of Instances perform different roles. For example, the primary instance handles all the data definition language (DDL) and data manipulation language (DML)statements. Up to 15 Aurora Replicas handle read-only query traffic.

Answer 82

A

They are uni-directional request/response calling patterns that use HTTP semantics with query string arguments. Behind the API, a service performs a task and returns the result to the caller.

Answer 83

A

Cluster — the collection of resources ECS can use to run your containers
Service — ECS or Fargate runtime responsible for managing container tasks
Task definition — a configuration file that tells ECS what containers it should create and how they interact with the outside world;
Container definition —

Answer 84

A

Identify significant points in the question.
Identify similar answers, but understand the differences.
Look for disqualifying facts in answers, based on point 1.
Eliminate any generally bad answers.
Pick between remaining answers using judgement.

Answer 85

A

Configure a Trail with ‘Apply to all regions’ selected and ‘Apply to my Organisation’.

Answer 86

A

OK, Alarm, Insufficient Data

Answer 87

A

Only if versioning is enabled, S3 creates new versions with the same name (me: same name but with unique IDs, each and every object stored in S3 have globally unique object ID regardless versioned or not). Objects have object IDs that are unique. Versions can live in different storage tiers in S3 using lifecycle policies. Delete actions mark objects for deletion.

me: when versioning is enabled, a simple DELETE cannot permanently delete an object. Instead, Amazon S3 inserts a delete marker in the bucket, and that maker becomes the current version of the object with a new ID. When you try to GET an object whose current version is a delete marker, Amazon S3 behaves as though the object has been deleted ( event though it has not been erased) and return a 404 error.
To permanently delete versioned objects, you must use DELETE ObjectVersionId.

Answer 88

A

Formerly, Public VIFs were limited to a region
Formerly, Private VIFs are attached to a VPG which is associated with a VPC
Now using BGP, the Public VIF advertises all public zone AWS service endpoints in all regions.
*Public zone endpoints do not require or event allow a DX to a access the Internet
Now, using DX gateway, customers can use a single Private VIF to a DXGW, then connect to any VPGW in any region; DX GW uses BGP to advertise the networks it can access back to the VIF, reducing admin overhead.
*These Private VIFs are not transitive.

Answer 89

A

KMS or CloudHSM comply with FIPS 142-2.

Note: KMS provides only AWS API access. It does not provide industry standard API access. On the contrary, CloudHSM provides only the industry standard API PKCS#11, JCE (Java cryptography extension) and CNG (Microsoft cryptoNG) and it is not integrated with AWS services to prove crypto services like KMS does.

Answer 90

A

DR Mc GIFT PX

Dr. Mc Gift PX

DR Mc FIGHT PX

Answer 91

A

SQS does not support multiple consumers of messages on a queue nor does it support replay. You should recommend kinesics data streams for this requirement.

Answer 92

A

Use a Lambda function pre-processor on the KDA application. The Lambda function can inspect each message and any missing field with default values.

Answer 93

A

me: AWS Public zone or in your VPC.

By default, they live in a region but outside the customer’s VPC. It thus has access to the internet. Customers can also configure VPC Lambda functions where all the networking restrictions do the subnet and security group apply. The VPC Lambda function still runs in a sandbox outside of the VPC and exposes itself through an ENI in the VPC. For this reason, cold starts are even slower.

New: RemoteNAT enables multiple VPC Lambda functions to share the same network interface in a VPC, thus speeding up the start time.

Answer 94

A

Reduce latency for database lookups, improved availability if the cache is HA, stateless micro service design support by offloading state to a cache, and reduced costs/impact on databases by offloading cache-able reads to the memory cache.

Answer 95

A

Update with no interruption
AWS CF updates the resource without disrupting operation of that resource and without changing the resource’s physical ID. for example, if you update any property on an AWS::CloudTrail::Trail resource, AWS CloudFormation updates the trail without disruption.
Update with some interruption
AWS CF updates the resource with some interruption and retains the Physical ID. for example, if you update certain properties on an AWS::EC2::Instance resource, the instance might have some interruption while AWS CloudFormation and AWS CF and Amazon EC2 reconfigure the instance.
Replacement
AWS CF recreates the resource during an update, which also generates a new physical ID. AWS CF creates the replacement resource first, changes references from other dependent resources to point to the replacement resource, and then deletes the old resource. For example, if you update Engine property of an AWS::RDS::DBInstance resource type, AWS CouldFormation creates a new resource and replaces the current DB instance resource with the new one.

AutoScaling Group: no interruption
you can use the AutoScalingRollingUpdate policy to control how AWS CF handles rolling updates or an Auto Scaling group. This common approach keeps the same Auto Scaling group, and then replaces the old instances based on the parameters that you set.

EBS: change instance type - replacement
Change size, interruption

EC2:
Resizing - interruption
Change type - replacement
Moving to a different AZ, replacement

Answer 96

A

There is no standby in Aurora. Replicas, up to 15 per region, serve as promotable to master instances.

Answer 97

A

KMS facilitates progressive encryption: a CMK encrypted a data encryption key (DEK) which encrypts data. The encrypted DEK then used to decrypt data (after it is decrypted by using the CMK).

Answer 98

A

A small function that does something narrow and well. Accept an input, and produce an output.

me: just like an RESTful function in a micro-service architecture - do one thing, and do it well.

Answer 99

A

CloudTrail events log all API activities in your account. The user who deleted an IAM role will appear there as an event.

Answer 100

A

Lower cost option: One DX, one VPN over internet
Better performance option: two DX — separate customer routers, separate links to DX location, separate DX location routers (me: have a physically separated redundant DX link)

Answer 101

A

DynamoDB enables Adaptive Capacity by default. This allocates RCU/WCU dynamically across partitions while still staying below the total hard limit of the table.

Me: Instant Adaptive Capacity (new 2019)
- Scalability and performance even for imbalanced workload:
* Dynamic partitioning for storage and throughput
* Automatic isolation of frequently accessed items
* Automatic boosting if table is consuming less than provisioned.
Note: max capacity (high water mark) will be automatically increased (on-demand model)

Answer 102

A

Task, pass, choice, fail, succeed, parallel, wait.

Answer 103

A

A persistent session-oriented protocol/API best suited for data streaming, interactive applications, event management applications.

Answer 104

A

The VPC must have an IGW, and the subnet must have a default route to the IGW by associating with a VPC route table that has a route to the IGW.

Answer 105

A

Configure a Trail to stream to a CloudWatch Log Group

Answer 106

A

Configure a Trail to stream to a CloudWatch Log group

Answer 107

A

Subnets, Transit Gateways, resolver rules, license configurations.
Accounts cannot share subnets inside of the default VPC, nor use subnets that are owned by the owner of the resource. Likewise, a share cannot share security groups not owned by the resource owner. The resource owner can remove sharing from resources in use by others and those shares will continue until released.

Answer 108

A

Long-Running Clusters and Data Warehouses On-Demand: On-Demand or instance-fleet mix Spot or instance-fleet mix

Cost-Driven workloads: Spot Spot Spot

Data-Critical workloads On-Demand: On-Demand Spot or instance fleet mix

Application Testing: Spot Spot Spot

Answer 109

A

Use reserved instances in the necessary AZs

Answer 110

A

It’s specifying a value that needs to be globally unique. Thus, any use of the template after the first run will not be able to create the bucket since it will be a duplicate name.

Answer 111

A

Organisational boundaries->user/role boundaries->role policies->effective permissions

Answer 112

A

Cluster - the collection of resources ECS can use to run your containers
Service - ECS or Fargate runtime responsible for managing container task
Task definition - a configuration file that tells ECS what containers it should create and how they interact with the outside world;
Container definition - a configuration file which is used in a task definition to describe the different containers that are launched as part of a task

Answer 113

A

Save all your configurations. Then, you can revert to a saved configuration.

Answer 114

A

By configuring a Trail to stream to a CloudWatch Log Group

Answer 115

A

Use a Behaviour that restricts viewer access based on signed URLs or signed cookies.

Answer 116

A

Use CF to delete the stack completely. It uses the Logical/Physical resource mapping to track all resources it created so that it can delete them using the template.

Answer 117

A

Publish message to $aws/rules/rule name which sends the message directly to an IoT Rule without the pub/sub features of IoT Topics.

Answer 118

A

Create an IAM policy that Allows all the actions on the Dynamo table that the Sales_Managers (and others who adopt this policy) need. Use a Condition that uses a variable that looks for the ID of the SalesRep_ID requested in the query. Only allows access to the records associated with this Sales_Manager.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem",
                "dynamodb:BatchGetItem",
                "dynamodb:Query",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "dynamodb:DeleteItem",
                "dynamodb:BatchWriteItem"
            ],
            "Resource": ["arn:aws:dynamodb:*:*:table/table-name"],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:Attributes": [
                        "column-name-1",
                        "column-name-2",
                        "column-name-3"
                    ]
                },
                "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"}
            }
        }
    ]
}

Answer 119

A

It uses Streams to capture all changes to one table to the other tables in other regions. You configure a Global Table by enabling Streams (Old and New), then adding Regions where you want to replicas. All tables are masters and stream their changes to the other replicas.

Answer 120

A

Web Identity Federation, SAML and cross account trust

Answer 121

A

Aurora provisioned with read replica instances will promote to Master within 1 minute. Aurora serverless needs to create ACU, Proxy and connections in the new AZ, which will take longer.

ACU: Aurora Capacity Unit
Aurora Serverless and Failover:
If the DB instance for an Aurora Serverless DB cluster becomes unavailable or the Availability Zone (AZ) it is in fails, Aurora recreates the DB instance in a different AZ. We refer to this capability as automatic multi-AZ failover.

This failover mechanism takes longer than for an Aurora Provisioned cluster. The Aurora Serverless failover time is currently undefined because it depends on demand and capacity availability in other AZs within the given AWS Region.

Me: when you work with Aurora without Aurora Serverless (provisioned DB clusters), you can choose your DB instance class size and create Aurora Replicas.This model works well with when the database workload is predictable, because you can adjust capacity manually based on the expected workload.

With Aurora Serverless, you can create a database endpoint without specify the DB instance class size. You set the minimum and maximum capacity. With Aurora Serverless, the database endpoint connects to a proxy fleet that routes the workload to a fleet of resources that are automatically scaled.
Because of the proxy fleet. Aurora Serverless manages the connections automatically. Scaling is rapid because it uses a pool of “warm” resources that are always ready to service requests. Storage and processing are seperate, so you can scale down to zero processing and pay only for storage.

Aurora Serverless introduces a new serverless DB engine mode for Aurora DB clusters. Non-Serverless DB cluster use the provisioned DB engine mode.

Answer 122

A

Reference a resource option. Elsewhere in the script, enumerate all the valid values for that option. Optionally, provide a default so that the user does not have to make a choice.

Answer 123

A

Snowball >= 10TB
SnowEdge >= 10 TB with Edge comput
Snowmobile >= 100TB, arrange.

File Gateway. Snowball becomes economical only from 10TB or higher and when time is short. In this case, the customer has time and the amount of data is less than 10TB.
Me: this recommendation assumes that the link bandwidth is big enough and the file transfer does not impact all other activities on the link.

Answer 124

A

To speed up queries on non-key attributes, you can create a global secondary index. A global secondary index contains a selection of attributes from the base table, but they are organised by a primary key that is different from that of the table. The index key does not need to have any of the key attributes from the table. It doesn’t even need to have the same key schema as a table. (me: The global secondary index creates a new table that is hidden)

Answer 125

A

When speed of setup is critical; VPN takes minutes, DX takes days - weeks
Cost can be lower for spiky or sporadic usage
When network QoS is not critical. VPN performance depends on customer router CPU due to encryption; the ISP network connection over the internet is not consistent.

Answer 126

A

It uses Stream to capture all changes to one table to the other tables in other regions. You configure a Global Table by enabling Streams (Old and New), then by adding Regions where you want replicas. All tables are masters and stream their changes to the other replicas.

Answer 127

A

(Me: launch configuration is immutable after saving)
- AMI,
- instance type,
- purchase options: on-demand, RI, sport,
- IP addressing,
- user data,
- CW detailed monitoring option,
- amount and type of storage,
- key pair.
To make changes after saving, you must create a completely new launch config, then change the LC association in the AS group.

Answer 128

A

Configure a VPC Endpoint (Gateway type). Configure the endpoint to update the route table for the private subnet needing access. This avoid NAT gateways or egress-only IGWs, leaving the private subnet private.

Answer 129

A

Provisioned, parallel query, or Serverless

Answer 130

A

The table is a set of columns that have the name and data type of the fields in the data files you want to query. It also contains a pointer to the S3 location where these data files sit.

Answer 131

A

Amazon MQ offers support for a number of standard protocols and is an open source project, so the API is likely familiar to the customer. Unlike SQS and SNS, Amazon MQ is deployed with private endpoints in the customer’s VPC with no public access required for applications within the VPC. It’s also available in an active/standby configuration across multiple AZs in a region.
(Me: MQ is not fully integrated with AWS eco-system such as monitoring using CloudWatch, CloudTrails, etc. control plane or the data plane).

Answer 132

A

General Purpose gp2: SSD
Default for most workloads. Burst to 3,000 IOPS with credits 1GB - 16TB.
Provisioned IOPS SSD io1: SSD
Mission critical, sustained IOPS
Suited for Large database 4GB - 16TB
Provisioned IOPS to 64,000

- Throughput Optimised st1: HDD
Low cost
Frequently accessed data, streams, media; not boot volume
500GB - 16TB
500 IOPS

- Cold HDD sc1: HDD
Low cost
Infrequent access
Not boot volume
500 GB - 16 TB
250 IOPS

Answer 133

A

Applications and the required library versions

Answer 134

A

With EC2, you define the instance type and are responsible for the cluster. With Fargate, you don’t. You define tasks and let ECS/Fargate obtain the container hosts to run those tasks.

Answer 135

A

You can’t. Any origin server must offer public access to CloudFront.

Answer 136

A

Shield is a DDoS protection layer in front of WAF. Standard is free and always on (me: network layer DDoS protection). Advanced provides WAF, DDoS mitigation’s, visibility and reporting, DDoS response team support, and cost protection due to attacks. Shield also protects EIPs.

Answer 137

A

In a VPC you specify. By default, it uses the default VPC, but you can specify a customer VPC in your account. To access S3 data, you need to configuration NAT or internet gateway for the public S3 endpoint, or create a VPC endpoint for S3.

Answer 138

A

using default values in parameter lists (avoiding human input),
use ParameterStore for system and customer values,
Pseudo Parameters for CF-wide values such as region, partition, account ID, stack ID and more,
Intrinsic Functions (for AZs in a region, more),
Don’t specify the PhysicalID or a resource (and CF will create a unique one for you.

Answer 139

A

HVM uses newer generation of CPUs that allows guest OSs to interact with CPU, memory, network, local storage and the motherboard bypassing the hypervisor.

Unlike paravirtualisation, HVM avoids emulation, speeding up performance of guest OSs.

Next, AWS introduced Nitro in 2017, bringing hardware virtualisation to all aspects of the guest OS access to the hardware. This results in near bear metal performance.

Answer 140

A

Memory, file system, applications. For these, customers need to install the CloudWatch Agent.

Answer 141

A

Long running - create, continue to run jobs, queries , host databases
Interactive - create, then log on using SSH and work from the console
Transient - create, run a job, terminate.

Answer 142

A

Cross origin resource sharing. This is a security measure that a server can use to control what other servers can access resources on it (me: using http)

Answer 143

A

Very low latency connections and REST APIs for queries. Also it doesn’t involve cluster infrastructure running a customer’s environment.

Answer 144

A

All nodes are in a single AZ, subnet and security group for minimum latency (me: and data movement cost - cross AZ data traffic will be charged at a price)

Answer 145

A

At the Log Group level which is a group of related Log Streams

Answer 146

A

Install CloudWatch Agent on the EC2 instance. Configure it to tail the logs in /var/logs. It will pick up each entry in the log file and send them as Log events using a Log Stream.

Answer 147

A

It lives outside of OpsWorks in a repository you specify, such as Git.
You provide the URL and the credentials to OpsWorks in the Apps recipe, you specify the deployment targets using a deployment recipe.

Answer 148

A

They are uni-directional request/response calling patterns that use
HTTP semantics with query string arguments. Behind the API, a service performs a task and returns the result to the caller.

Answer 149

A

Enable the Data API to expose the REST APIs of the database through the Proxy layer.

Answer 150

A

SQS FIFO supports up to 300 messages per second with guaranteed ordering and no duplicates.

Answer 151

A

ElasticSearch cluster run in a dedicated network not part of the customer’s account. For private VPC access, ElasticSearch will expose itself to the customer VPC using interface endpoints. The customer can assign a security group to the cluster. For public access, the cluster is accessible directly from the internet.

Answer 152

A

AZs, regions, global edge services

Answer 153

A

Scale UP the instance type(s) of the cluster to a larger EC2 type. Since there is only one write instance, the only option is scaling UP.

Answer 154

A

There is not standby in Aurora DB. up to 15 read replicas in a region, all are promotable to master instances.

Answer 155

A

S3 is a global service with region-specific presence. Buckets are globally globally available and unique. But objects live in a particular region. Each account has a limit of 100 buckets, but unlimited prefixes.

Answer 156

A

Configure WAF in front of the CF distribution

Answer 157

A

The ALB Service is outside of the VPC across the regions. ALB will deploy an ALB node with the appropriate IP address in each AZ you’ve selected.

Answer 158

A

Make sure Requestor and Acceptor DNS resolution is configured for the peering connection. This will ensure that the requestor doesn’t need to go over the Internet for the ping.

Me: (AWS 2016)
You can now enable resolution of public DNS host name to private IP addresses when queried from the peering VPC. This functionality is also supported cross-account so the two VPCs can be in different accounts.
You can enable DNS resolution support for VPC peering using AWS Management Console, AWS CLI, through SDKs.

Answer 159

A

Database (auto) backups enable you to restore a database even after the Master is gone. However, they have a default retention period of 35 days, after which they will be deleted.

Answer 160

A

Using logs it exports to CloudWatch Logs using a service-linked role.

Answer 161

A

You don’t configure capacity on Aurora Serverless. You configure Aurora Capacity Units (ACUs) which are 1 CPU and 2GB of RAM.

Answer 162

A

Administrators of KMS such as key management may not have permissions to decrypt Keys or data. Users of KMS may not have admin privileges, but can ask KMS to encrypt or decrypt data.

Answer 163

A

Spot fleet

Answer 164

A

Put reference data in S3 then define a reference table that enables the SQL query to treat the lookup data as a table.

Answer 165

A

(Me: the question is not clear)
Guard Duty uses ML to monitor a number of AWS data sources, such as VPC flow logs, R53, CloudTrail, threat intel, CloudWatch events, account activity.
It generates findings into the Guard Duty console. A trusted IP list excludes these IPs from Guard Duty scanning. Threat lists tell GD additionally what to watch across all accounts.

Answer 166

A

OpsWorks offers most of the control over deployments that CloudFormation offers, but still provides minimal config options. It offers Chef or Puppet as the deployment frameworks.

Answer 167

A

On demand capacity reservations. No up-front, but you get the capacity when you need it.
(Me: no pricing discount which is apply to account billing in regions, On demand capacity reservations is applied to AZs. Can be cancelled at any time)

Answer 168

A

In a region, an AZ, a subnet, behind a security group.

Answer 169

A

Docker, multi-container Docker, java, node.js, tomcat, python, ruby, .NET, Go, PHP, Docker Go, Docker GlassFish, Docker Python.

Answer 170

A

If the instance is running as an IAM role, the IAM role info is available in the instance meta data for the application to use

Instance profile - if you use console to create a role for EC2, the console automatically creates an instance profile and give the same name as the role;
If you manage via CLI, you create roles and instance profiles as seperate actions - you must know the names of your instance profile

Instance Metadata - data about your instance that you can use to configure or manage the running instance. Instance metadata is divided into categories, for example, host name, events, and security groups.

Although you can only access instance metadata and user data from within the instance itself, the data is not protected by authentication or cryptographic methods. Anyone who has direct access to the instance, and potentially any software running on the instance, can view its metadata. Therefore, you should not store sensitive data, such as passwords or long-lived encryption keys, as user data.

Answer 171

A

Assign it an execution role appropriate for what it needs to access.

Answer 172

A

Query filters do not reduce the amount of items that DynamoDB searches for the query results. Only sort keys do that.

Answer 173

A

Have them all use the same security group. That security group should have a rule that ALLOWS traffic from that same security group ID.

Protocol type, Protocol number, Ports, Source IP
All Traffic, All, All, ‘The Security Group ID’

Answer 174

A

When the application can tolerate loss of an instance, such as big data systems, stateless web clusters, or dev test or experiments what time of finish is not critical.

Answer 175

A

Hardware platform or cluster and capacity scaling are fully managed,
pay only what you use (compute and resources),
suitable for unknown usage pattern or spiky workload (non-steady workloads).
Event driven.

Answer 176

A

Application Load Balancer

Feature rich, layer 7 load-balanced platform
Content-based routing allows requests to be routed to different applications behind a single load balancer: path based routing or host-based routing
support for micro-services (Lambda) and container based applications, including deep integration with Amazon Elastic Container Service (Amazon ECS)

It is a best practice that you upload SSL Certificates to ACM. If you’re using certificate algorithms and key sizes that aren’t currently supported by ACM or the associated AWS resources, then you can also upload an SSL certificate to IAM using CLI.

Application Load Balancer

(HA) Automatically scales capacity to handle the number of incoming requests
(Health checks) ALB allows the user specify a range of HTTP response codes that define instance health
(Sticky session) ALB only supports the cookies generated by the load balancer
(VPC support) Yes, but without EC2-classic
(Dynamic Port Mapping) Yes, ALB supports dynamic port mapping using the EC2 Container Service
(Supported protocol) HTTP, HTTPS, HTTP/2, WebSockets
(CloudWatch metrics) Per port and path monitoring, Range HTTP response codes, Connection per hour, Overall traffic volume
(Access Logs) ALB supports type of request (HTTP, HTTPS, HTTP/2, WebSockets), and the target Amazon Resource Name.
(Backend Server AuthN) Supported by ALB
(Deletion Protection) Supported by ALB
(Path-Based Routing) Supported by ALB

Me: if you are building an API and wanted to leverage AuthN/Z, request validation, rate limiting, SDK generation, direct AWS service backend, use AWS API Gateway. If you want to add Lambda to an existing web app behind ALB you can now just add it to the needed route.

API gateway integrates with IAM natively, it has done all the heavy lifting for you.

ALB vs API Gateway:
https://serverless-training.com/articles/api-gateway-vs-application-load-balancer-technical-details/

Answer 177

A

Two or sixteen for DC2 node type or four or sixteen for RA3 node type. The leader node distributes work to the slices. The Load or Copy commands get data from e.g. S3 and distribute it to the slices. Slices have dedicated storage and CPU capacity. When loading data, the leader node distributes it according to your distribution style configuration: all, even, key or auto.

Answer 178

A

RTMP (Real Time Media Protocol) is only option that supports Adobe Flash.

Answer 179

A

4 KB/sec. That can be five read operations of 4K or less, one or more operations of more than 4K. Also, Dynamo caches up to 300 CUs so that they’re available for spikes.

Answer 180

A

It’s a region-based cache of the origin server content. This is the first place a CDN server checks on an origin fetch. If this misses, then the fetch goes to the origin.

Answer 181

A

If only a single node, the leader and compute nodes are co-located on a single instance. Greater than one, Redshift creates a dedicated leader node free of charge. So the two-node example will include three instances.

Answer 182

A

Update with no interruption (e.g. updating a CloudTrail property)
Update with some interruption (e.g. change an instance type)
Replacement (e.g. change the engine type of an RDS database)

Answer 183

A

Create a bucket policy that allows principal:* (me: anonymous access)

Answer 184

A

With forward, the ALB forwards the HTTP request and arguments to the destination you’ve configured in the ALB forwarding rule. (Me: server side redirect)
With redirect, the ALB returns a different URL to the client browser that the browser then needs to use to make the request again. This slightly slower than forwarding. (Me: client side redirect)

Answer 185

A

Simple AD, Microsoft Active Directory (AD), AD connector, Amazon Cloud Directory, and Amazon Cognito.

Amazon Cloud Directory enables you to build flexible cloud-native directories for organising hierarchies of data along multiple dimensions. While traditional directory solutions, such as Active Directory and other LDAP-based directories, limit you to a single hierarchy, Cloud Directory offers you the flexibility to create directories with hierarchies that span multiple dimensions. For example, you can create an organisational chart that can be navigated through separate hierarchies for reporting structure, location, and cost centre.

Answer 186

A

VMs run on top of a hypervisor， abstracting the hardware。
VMs contain the OS and applications.
The isolation boundary is the VM.
Many VMs can run on the same hypervisor

Containers run on top of the OS but further isolate applications.
With a container engine, like Docker, applications and their dependencies can run isolated from each other on the same OS/VM.
Containers don’t have dedicated memory like a VM does, so you can pack more applications on hardware by using containers rather than just using VMs.
But, containers are not isolated from each other regarding security.
Containers can start very quickly compared to VMs in seconds, sometimes MS.

(Me: things are changing fast in AWS, e.g. Lambda is running inside a VM that is so light it can compete with container in resources they consumes and cold start time and at the same time have the security isolation at a VM level)

Answer 187

A

It provides a single IPV4 address for all devices behind it, saving on scarce IPV4 addresses. IPV6 doesn’t have this constraint, thus NAT isn’t as relevant in IPV6.

Answer 188

A

Viewer Request
Viewer Response
Origin Request
Origin Response

Answer 189

A

Legal holds and retention polices. This prevents objects from deletion.
Versioning must be enabled.
Object locks must be set at time of creating the bucket

me: To use Amazon D3 object lock, follow these basic steps:
1. Create a new bucket with Amazon S3 object lock enabled.
2. (Optional) Configure a default retention period for objects placed in the bucket.
3. Place the objects that you wanted to lock in the bucket.
4. Apply a retention period, a legal hold, or both, to the objects that you want to protect.

(Me: With Amazon S3 object lock, you can store objects using a write-once-read-many (WORM) model. You can use it to prevent an object from being deleted or overwritten for a fixed amount of time or indefinitely. Amazon S3 object lock helps you meet regulatory requirements that required WORM storage, or simply add another layer of protection against object changes and deletion.
-A retention period specifies a fixed period of time during which an object remains locked.
- A legal hold provides the same protection as a retention period, but it has no expiration date. Instead, a legal hold remains in place until you explicitly remove it. Legal holds are independent from retention periods.
An object version can have both a retention period and a legal hold, one but not the other, or neither.
Amazon S3 object lock works only in versioned buckets, and retention periods and legal holds apply to individual object versions. When you lock an object version, Amazon S3 stores the lock information in the metadata for that object version. Placing a retention period or legal hold on an object protects only the version specified in the request. It doesn’t prevent new versions of the object from being created. If you. Put an object into a bucket that has the same key name as an existing, protected object, Amazon S3 creates a new version of that object, stores it in the bucket as requested, and reports the request as completed successfully. The existing, protected version of the object remains locked according to its retention configuration.)

Answer 190

A

Cross Origin Resource Sharing is a security measure that a server can use to control what other servers can access resources on it.

Answer 191

A

Docker,
multi-Container Docker,
Docker Python,
Docker GlassFish,
Docker Go,
tomcat,
python,
java,
node.js,
.NET,
Go,
PHP
Ruby

Answer 192

A

Simple
Failover
Weighted
Geo location
Geo-proximity
Latency
Multi-value answer.

Me:
geo-proximity - use when you want to route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another.
multi-value - use when you want Route 53 to respond to DNS queries with up to eight healthy records selected at random.

Answer 193

A

Create a new instance and switch over then done.å

Answer 194

A

Configure the volume to a larger size.

Me:
You can resize an EBS volumes without downtime.
1. Login to your AWS console
2. Choose “EC2” from the services list
3. Click on “Volumes” under EBS menu
4. Choose the volume that you want to resize, right click on “Modify Volume”
The above steps will increase the “physical’ size of the disk attached to the instance.
You’ll then need to log on to the instance to resize the partition of the disk and resize the file system on that partition.

Answer 195

A

EMR cluster is deployed in a subnet of your chosen in your VPC to minimise the latency. Security Groups will be added and they are fully managed by Amazon EMR.

When the cluster is launched, Amazon EMR adds security groups based on whether the cluster is launching into VPC private or public subjects.
Security Groups are managed by Amazon EMR.
To manage the cluster on a VPC, Amazon EMR attaches a network device to the master node and manages it through this device. If you modify this device in any way, the cluster will fail.

Create a cluster using the Amazon EMR console

Open the console
Choose Create Cluster
Choose Go to advanced options
In the Hardware Configuration section, for Network， select the VPC ID
Select Subnet ID
Configure NAT instance and S3 endpoint if haven’t already done so.

Answer 196

A

Resource policies, identity polices, and Access Control List (ACL)

Answer 197

A

Network Mode valid values:

none
bridge
awsvpc
host

Bridge — allow all containers to interact with internal networking to the host.
Host — map containers to host networking; e.g. map container port 80 to host port 80; can only run one container on a host with the same host networking requirement.
AWS VPC — map a VPC ENI to a container task. This is how Fargate works. If using EC2 mode, this can produce a lot of ENIs. Some EC2 instance types have ENI limits, so the ECS may only be able to launch a few containers.
(The above maybe outdated. Check out reinvent 2019 on Fargate: there will only be one ENI in VPC for fargate).

These networking types are for Linux. For Windows, the only networking type is NAT.

awsvpc — network mode give Amazon ECS tasks the same networking properties as Amazon EC2 instances: when you create the awsvpc network mode in your task definitions, every task that is launched from that task definition gets its own elastic network interface (ENI) and a primary private IP address.
The task networking feature simplifies container networking and gives you more control over how containerised applications communicate with each other and others services within your VPC.

Answer 198

A

Task
Wait
Succeed
Fail
Pass
Parallel
Choice

Answer 199

A

Assign it an execution role appropriate for what it needs to access.

Answer 200

A

Replace the classic load balancers with an ALB and configure

the forwarding rules to each of the different websites.
An SSL cert for each website you support.

Answer 201

A

Provisioning a spot fleet.

Answer 202

A

Documents can contains embedded objects like sub-documents, lists and arrays, similar to how an RDBMS schema would have these things as separate tables with reference keys to join them.

Answer 203

A

You may not have three partition keys that you’re rotating evenly while PUTting records. Thus, you’re maximising one shard, but under-using the others.

Me:
Advantage of Using the KPL
KPL has two modes: sync and async, async provides high performance.

KPL implements complex logics so that you don’t have to.
KCL make it easy for consumer-side developers (Java)

Producer monitoring using CloudWatch. KPL emits throughput, error, and other metrics to CloudWatch and configurable to monitor at the stream, shard, or producer level.

KPL is not the same as AWS SDK. AWS SDK directly work with Kinesis Data Stream APIs

Each shard can support up to 1000 put records per second.
Max size of a data blob (the payload before base64 encoding) within one record is 1 MB.

Answer 204

A

Use an ALB and enumerate the various HTTP response codes for the health check. CLB doesn’t support Layer 7 where HTTP resides.

(Me: CLB supports HTTP, HTTPs and TCP)
Before you start using Elastic Load Balancing, you must configure one or more listeners for your Classic Load Balancer. A listener is a process that checks for connection requests. It is configured with a protocol and a port for front-end (client to load balancer) connections, and a protocol and a port for back-end (load balancer to back-end instance) connections.

CLB supports

HTTP
HTTPS (secure HTTP)
TCP
SSL (secure TCP)

Answer 205

A

Instances, IP addresses or a Lambda function.

Instance or IP addresses can include EC2 instances, ECS or EKS containers.

Answer 206

A

By installing Systems Manager Agent on these VMs.
Applying appropriate IAM permissions (EC2 only)
Activations for On-premise servers.

Answer 207

A

ElasticSearch clusters run in a dedicated network not part of the customer’s account. For private VPC access, ElasticSearch will expose itself to the customer VPC using interface endpoints. The customer can assign a security group to the cluster. For public access, the cluster is accessible directly for the internet.

Me:
- Cannot be hosted in your VPC (or AWS’ public zone, like S3)
- interface endpoint for private access
- customer can assign security group to the cluster
- internet for public access
-

Answer 208

A

Reliable ordered messaging
Message groups
Composite messaging (Me: queue and topic? Or SNS + SQS)
And more …
Me::
Easy to migrate existing messaging service
Support existing protocols

AWS MQ (Apache activeMQ) it has two main concepts: topic and queues
With a queue, you can have multiple consumers of a queue and each message will be delivered once; if there are no consumers when the message arrives, it sits in the queue until a consumer arrives.
With a topic you can have multiple consumers and each message will be delivered in December to each consumer, but if a consumer is offline when a message arrives they miss it.

SQS offers serverless queues - you don’t have to pay for the infrastructure, just the messages you send and receive.

SNS is comparable to serverless topics. It will notify your services when a message arrives, but if you’re offline you can miss it. SNS can feed into SQS, so if you have some service that may be up and down, you can guarantee it gets SNS messages by queueing them in SQS for it to consume on its schedule.

Answer 209

A

ElasticSearch (Lucerne)
Logstash or Beats, and
Kibana for visualisation

Me:
Logstash: collect, Parse, Transform Logs
Beats: are lightweight data shippers that you install as agents on your servers to send specific types of operational data to ElasticSearch. Logstash has a larger footprint, but provides a broad array of input.

Answer 210

A

Two 80TB snowballs daisy-chained together.
Each Snowball can hold 50 or 80TB. Daisy-chaining avoids having to partition the source data and instead, treat the two snowballs as a single storage unit of 160TB.

50TB — US region only.
Question: how many snowball devices can be daisy-chained together?

Answer 211

A

At the CloudWatch Log Group level, which is a group of related Log Streams.

Answer 212

A

You can have CloudTrail deliver log files from multiple AWS accounts into a single Amazon S3 bucket. For example, you have four AWS accounts IDs 1111111111, 222222222, 33333333333, and 44444444444444, and you want to configure CloudTrail to deliver log files from all four of these accounts to a bucket belonging to account 1111111111111. Steps are:

Turn on CloudTrail in the account where the destination bucket will belong (1111111111111 in this example). Do not turn on CloudTrail in any other accounts yet.
Update the bucket policy on your destination bucket to grant cross-account permissions to CloudTrail.
Turn on CloudTrail in the other accounts you want (222222222222, 333333333333, 444444444444 in this example). Configure CloudTrail in these accounts to use the same bucket belonging to the account that you specified in step 1 (1111111111111111 in this example).

If you have created an organisation in AWS Organisations, you can create a trail that will log all events for all AWS accounts in that organisation. This is sometimes referred to as an organisation trail. You can ask choose to edit an existing trail in the master account and apply it to an organisation, making it an organisation trail. Origination trails log events for the master account and all member accounts in the organisation.

Answer 213

A

assigned it an execution role appropriate for what it needs to access

Answer 214

A

It’s one of the schema definitions that describes the columns and data types of the data. You create them using the Athena interface, API or CLI, or the Glue Data Crawler can create them.

Answer 215

A

AWS KMS service (only AWS API access)

2. CloudHSM service (industry API/protocol such as #PKCS11

Answer 216

A

It allows you to exclude events from a stream based on a text pattern

Answer 217

A

Customer Master Key. this is the core of KMS.

When crypt or decrypt a data key, the execution is inside KMS. Master key is kept in KMS, it cannot be exported.

CMK is used by the envelop encryption method: master key is used to encrypt data keys, data keys are used to encrypt data.

Note, RedShift employs more layered data protection, but the concept is the same.

KMS is regional, it cannot be shared across region. E.g. data encrypted in one region, cannot be decrypted in another region.

S3 bucket object cross region replication deployed complex key management to achieve the safe data transfer.

Answer 218

A

me: Based on the object storage type, size and outbound data transfer volume (no inbound data transfer fee)

Based on the storage tier
1. Standard Storage (1 month/minimum, no min duration), requests (PUT/GET), and transfer out.
2. IA - same as Standard except 1 month min for 128 MB storage, fee for retrieval.
3. One Zone (Reduced durability): same as IA, but cheaper
4. Intelligent Tiering: for a fee, IT moves your object to the optimum price tier. You still pay the tier.
Lifecycle rules can do this according to your explicit policies. Lifecycle rules can only go in one direction, not back and forth like intelligent Tiering.

Answer 219

A

The workflow for updating a stack is no different from creating a stack: the user defines the resource updates then executed the new/modified stack template.
Change Sets allow a junior developer to create the template for change, but simply save and notify others of the proposed change, without having permissions to run the Change Set. Senior developer can review the Change Set then run it if approved.

me: Updating a stack does not provide any release management process control, such as review and approve process before the changes going to be made.

Answer 220

A

Trust Policy, defining who can assume the role.

Permissions policy, defining what the role can do.

Answer 221

A

A sequence of Log Events from the same source.
A log event is a line from CloudWatch containing the CloudWatch Log timestamp and the event message, also containing a timestamp of the actual event time.

Answer 222

A

ALB supports federated identity such as OAUTH, and if configured, it will forward the request to the IDP such as Facebook before letting the request through to the target group.

Me: OpenID Connect compliant IdP. It works with Amazon Cognito.

Answer 223

A

Legal holds and retention policies. This prevents object from deletion. Versioning must be enabled. Object locks must be set (me: enabled) at time of creating the bucket.

me:

S3 bucket must enable versioning and locking during creation.
Object locking applies to a particular object version.
It is Write Once Read Many times (WORM) - it is immutable once locked.
An object version can have all the locking permutations (none, retention, retention + Legal hold, Legal hold)
Locking can be removed manually.

Answer 224

A

Formerly, Public VIFs were limited to a region
Formerly, Private VIFs are attached to a VPG which is associated with a VPC
NOW using BGP, the Public VIF advertises all public zone AWS service endpoints in all regions
* Public Zone endpoints do not require or even allow a DX to access the internet
NOW using DX Gateway, customers can use a single Private VIF to a DX GW, then connect to any VPGW in any region; DX GW uses BGP to advertise the networks it can access back to the VIF, reducing admin overhead
* These Private VIFs are not transitive.

Me: when to order a DX, a few things to know (or requirements)
Takes time to establish,
expensive to maintain,
Must chose a speed: < 1GB, 1GB, 10GB
Must establish a single mode finer connection between the data location and DX Partner location.
must have a router at the data location that supports BGP, w/MD5 authentication, VLAN (802.11q), completes LOA/?
Must have a router at DX location

Answer 225

A

Managed Cluster -
Managed container runtime - e.g. Fargate
Task definition
Container definition

Answer 226

A

Serverless
Provisioned
Parallel query

Answer 227

A

ACM only supports certain AWS services that explicitly intergrate with it, such as CloudFront, ELB, ElasticBeanstalk (EBS), and API Gateway. R53 also uses ACM for DNS checks during certificate issuing (to ensure that you own the domain).

CloudFront
ELB
EBS
API Gateway
Route 53 (for domain ownership validation)

Me: ACM does not supply certificates to an EC2 instance

Answer 228

A

S3
Kinesis (Firehose)
Data Pipeline

Me:
AWS Data Pipeline is a web service that helps you reliably process and move data between different AWS compute and storage services, as well as on-premises data sources, at specified intervals.
With AWS Data Pipeline, you can regularly access your data where it’s stored, transform and prop EDS it at scale, and efficiently transfer the results to AWS services such as Amazon S3, Amazon RDS, Amazon DynamoDB, and Amazon EMR.
1. S3
2. RDS
3. DynamoDB
4. EMR

Answer 229

A

Using logs that it exports to CloudWatch Logs using a server-linked role.

Answer 230

A

IAM,
R53
CloudFront

All are global services.

Answer 231

A

Use SQS fan out.
Create several SQS queues. Get the ARN of each queue, then configure the SNS topic to publish to these ARNs. Each will get the message and be able to process it as they need.```

Answer 232

A

Create a bucket policy that allows principal:*

me: Set S3 policy to allow anonymous access to the S3 bucket or the pages in question.

Answer 233

A

Aurora Global Database replicates cluster volume data from one region to a cluster volume in another in less than 1 second. Replicas in other regions attached to that region’s cluster volume for low-latency read replicas. They can promote to Master in less than one minute. This is lower latency and faster promotion time than MySQL cross-region read replication.

Answer 234

A

A Primary Key.
A primary key can have just have a partition key (hash). It can also have a sort key, which is another column. The combination of the two columns must be unique. E.g., the columns could be SSID and appointment date. In this case, the appointment data must be unique for every unique SSID.
Data types for the columns can be string, binary, or number.

Answer 235

A

(Me: this is a tricky question. It is test the following line (understanding)):
S3 is not a custom origin and CF configuration will match the same protocol as the client connection. (Me: whatever client set, S3 will match it. If client use http, S3 will use http)

If you need a different protocol to the origin, configure a custom origin. When specifying an origin such as www., the Origin configuration offers several TLS options and protocol policies

Me: when your origin is an S3 bucket, you options for using HTTPS for communications with CloudFront depend on how you’re using the bucket.

If your S3 bucket is configured as a website endpoint, you cannot configure CloudFront to use HTTPS to communicate with your origin because S3 doesn’t support HTTPS connection in that configuration.
When your origin is an S3 bucket that supports HTTPS communication, CloudFront always forwards requests to S3 by using the protocol that viewers used to submit the requests.

The default setting for the Origin Protocol Policy setting is Match Viewer and cannot be changed.

Answer 236

A

In a region, an AZ, a VPC, a subnet, behind a security group.

Answer 237

A

Simple AD
MS Active Directory (AD)
AWS AD connector
AWS Cloud Directory
Cognito

Answer 238

A

2, 4 and 16 depends on the node type.
2 or 16
4 or 16

The leader node distributes work to the slices.
The Load or Copy commands get data from e.g. S3 and distribute it to the slices.
Slices have dedicated storage and CPU capacity.
When Lorain data, the leader node distributes it according to your distribution style configuration: all, even key or auto.

Answer 239

A

Linux:

none
bridge
host
aws vpc - map a VPC ENI to a container task. This is how Fargate works. If using EC2 mode, this can produce a lot of ENIs.

Windows:
1. NAT

Answer 240

A

Enable DynamoDB Streams for New items. Then create a trigger (Lambda function) that captures the new items and updates a web page.

Answer 241

A

Name
LC template (Launch Template)
version
Min
Max
Desired instance count
VPC
Subnets
Health checks
Load balancing
Scaling policies
Change notifications
Tags

Answer 242

A

KDS (Kinesis Data Stream)
Direct PUTs (using Kinesis API directly)

Me: you can configure Amazon Kinesis Data Streams to send information to a Kinesis Data Firehose delivery stream.
Important:
If you use the Kinesis Producer Library (KPL) to write data to a Kinesis data stream, you can use aggregation to combine the records that you write to that Kinesis data stream. If you then use that data stream as a source for your Kinesis Data Firehose delivery stream, Kinesis Data Firehose de-aggregates the records before it delivers them to the destination. If you configure your delivery stream to transform the data, Kinesis Data Firehose de-aggregates the records before it delivers them to AWS Lambda.

Answer 243

A

It’s a region-based cache of the origin server content. This is the first place a CDN server checks on an origin fetch. If this misses, then the fetch goes to the origin.

Answer 244

A

You don’t provision EFS volume size. EFS allocate what you consume.

Answer 245

A

Web Identity Federation (OID Connect/OAuth)
SAML
Cross-account trust

Answer 246

A

Local DB users, or

IAM

Answer 247

A

a CloudFront local endpoint. Then the upload traverses the AWS backbone.
me: Edge location endpoint.

Answer 248

A

to get the additional capacity a workload needs during predictable spikes in demand, like an ecommerce site.

me: When the traffic pattern is well known

Answer 249

A

it is FIPS 140-2 level 3 complaint

PKCS#11 API
JCE API
Microsoft CryptoNG (CNG) API

It does not support AWS API, unlike KMS, only support AWS API.
It is not integrated with other AWS services offering encryption.

Answer 250

A

Declare resource objects as a singletons outside of the lambda_handler(). They ‘may’ be available to the next instance of the function, but declare them as NULL and do NULL checks in the handler or sub-functions.

Answer 251

A

The AMI creator’s account plus any other accounts the configuration names. It can also be public.

Answer 252

A

The owner enters registration information into the ACM form including the domain name.
ACM validates the domain name using R53 or your other register
Once validated, ACM issues the certificate containing public and private keys. Private keys is encrypted using KMS.
The certificate is now available to any AWS integrated service.
When these services need to use the private key to decrypt content, they use KMS to decrypt the key, hold it in the memory, and use it to decrypt the publicly encrypted content.

Answer 253

A

Transit Gateway.
Transit means that this service enables transitive connections from on-premise VPN connections to AWS VPCs. It support true hub and spoke topology.
It’s available through VPN and DX. It can attach to multiple AZs, accounts, and regions via transit gateway attachments for VPN or VPC.

Answer 254

A

Cross-stack references allow you to isolate stacks according to role or frequency of change.
Using an export statement, one stack can announce the ID of a resource. Then, anther stack can import that ID and use it as part of its resource creation, e.g., reference a VPC ID when creating a new subnet or security group.
Cross-stack references re-use running stack resources, unlike nested stacks, which re-used templates but create new resources.

Answer 255

A

The AS group determines where and when to launch instances. The launch configuration determines how.

Answer 256

A

Complex data types: Redis
Vertical scaling: Memcached supports multi-threading
Horizontal scaling (read): Redis
Backup and restore: Redis
HA: Redis supports replication between nodes
Transaction: Redis
Geo-special data type: Redis
Simple, limited feature set: Memcached
Rich feature set: Redis

Answer 257

A

Path patterns
Protocol policy
HTTP methods,
HTTP caching
Request header caching
Object caching
TTL
Cookie forwarding
Query string forwarding
viewer access restrictions
Object compression
Lambda function associations

Answer 258

A

General Purpose gp2: SSD
- Default for most workloads. Burst to 3,000 IOPS with credits, 1GB-16TB
Provisioned IOPS SSD io1: SSD
- mission critical, sustained IOPS Large databases, 4GB - 16TB, provisioned IOPS to 64,000
Throughput Optimised st1: HDD
- low cost, Frequently accessed data, streams, media; not boot volume, 500GB-16TB, 500 IOPS
Cold HDD sc1: HDD
- low cost, infrequent access, not boot volume, 500GB - 16TB, 250 IOPS

Answer 259

A

DynamoDB enables Adaptive Capacity by default. This allocates RCU/WCU dynamically across partitions while staying below the total hard limit of the table.

Me: this looks like an updated answer: you don’t need to do anything to managing hot spot any more. DynamoDB’s adaptive capacity will balance the load at the table level, not at the partition level so that unused RCU/WCU for a given partition can be used by the hot spot partition.

Answer 260

A

S3
RedShift
ElasticSearch (+Kibana),
Splint
Kinesis Analytics!

Answer 261

A

If you want to retain versions indefinitely, assign versions to cheaper storage classes, like one zone IA. If you can use a lifecycle policy to delete older versions.

Answer 262

A

Docker
Multi-Container Docker
Docker python
Docker go
Docker GlassFish
PHP
Go
.NET
Java
Ruby
Python
Node.js
tomcat

Answer 263

A

ALB - Layer 7, SSL termination, integration with ACM for cert management, request forwarding based on URL path, support more than one domain, support target groups based on path or IP addresses, able to load balancing across AZs. Does not support TCP or UDP. Embedded WAF, has authentication capability and support Lambda function,
ELB - high volume and low latency, support PrivateLink. TCP and UDP, support end to end SSL

Answer 264

A

A container for a collection of Log Streams that share the same retention, monitoring, access control, and metric filters.

Answer 265

A

SCP is at Organisational level, permission boundary is at Identity level.

Answer 266

A

Every VPC has exactly one. It consumes one RFC 1918 IP address. It’s +1 of the subnet’s IP address.

Answer 267

A

Identity policies (SCP, Permission Boundary Policy), resource policies and ACL

Answer 268

A

The first two fields are the path components. The final field is the parameter name.

Answer 269

A

Athena can access logs from

CloudTrail
CloudFront
Load Balancers
VPC Flow Logs

Answer 270

A

Configure Trails to deliver CloudTrail events to S3. Also enable file encryption and validation to protect the files from tampering.

(Me, could also stream event to CloudWatch log group)

Answer 271

A

EC2: some interruption (me: e.g. you can dynamically change the instance type by stop and start the instance)
RDS: replacement
AutoScaling: no interruption
EBS: no interruption

Answer 272

A

The origin, origin protocol, and origin fetch are where the cached content originate.
The viewer, viewer protocol are the client side of the edge.

Answer 273

A

Partitions are based on

Provisioned storage capacity, and
provisioned RCU/WCU capacity.

Since you provisioned 10,000 WCUs and a partition can support only 1000 WCUs, DynamoDB created 10 partitions.

me: this time, the WCU limitation is a key decider, if WCU were not over the limit, then storage size limit would kick in and it would create four partitions because each partition can only support 10 GB.

Answer 274

A

EFS

EFS: low, consistent latency, 10+ GB per second throughput.
EBS (provisioned IOPS): lowest, consistent latency, up to 2GB per second

Amazon EFS file systems are distributed across an I constrained number of storage servers. This distributed data storage design enables file systems to grow spastically to petabyte scale and enables massively parallel access from Amazon EC2 instances to your data. The distributed design of Amazon EFS avoids the bottlenecks and constraints inherent to traditional file servers. The distributed design of Amazon EFS avoids the bottlenecks and constraints inherent to traditional file servers.

This distributed data storage design means that multithreaded applications and applications that concurrently access data from multiple Amazon EC2 instances can drive substantial levels of aggregate throughput and IOPS. Big data and analytics workloads, media processing workflows, content management, and web serving are examples of these applications.

Answer 275

A

Simple feature set: Memcached
Rich feature set: Redis
Vertical scaling: Memcached support multi-threading
Horizontal scaling (read): Redis
Transaction: Redis
Backup and restore: Redis
Complex data types: Redis
Geo-special data type: Redis
HA: Redis - supports replication between nodes

Answer 276

A

Provision the cluster in the same region as your S3 data
Choose the appropriate instance type for the workload: general purpose M, compute optimised, storage, memory optimised

Answer 277

A

X.509 v3 SSL or TLS

me: an SSL/TLS X.509 certificate is a digital file that’s for Secure Socket Layer (SSL) or Transport Layer Security (TLS). The certificate fulfils tow functions. First the certificate can assist with authenticating and verifying the identity of a host or site. Second, it enables the encryption of information exchanged via a website.
An SSL/TLS certificate is one of the most popular types of X.509 certificates, or a type of public key certificate which uses the X.509 standard. X.509 certificates contain a public key and the identity of a hostname, organisation, or individual. When a certificate authority (CA) signs them or another entity validates them, the owner of that certificate can leverage the public key to establish secure connections with another party or validate documents someone digitally signed using the corresponding private key.

Answer 278

A

Kinesis Data Stream (KDS) supports VPC Endpoints (Private Endpoints).

Answer 279

A

Backtrack instead of restore from backup.

Answer 280

A

You could choose Lambda functions, but they will invoke and process immediately. That may be a problem under heavy load depending on the resources the Lambda function needs for processing. For more flexible, de-coupled processing, SQS queues allow the consuming applications to work at their pace while the Queue holds the messages for processing.

Answer 281

A

No, it is not reusable - it’s specifying a value that needs to be globally unique. Thus, any use of the template after the first run will not be able to create the bucket since it will be a duplicate name.

Me:
What we could do to ensure the reusability:
1. Use default values for the Parameter List (avoiding human input)
2. Use Parameter Store for system and customer values
3. Pseudo Parameter for CF wide values, e.g. region, partition, account id, and more
4. Intrinsic function for AZs, VPCs, Subnet, and more
5. Don’t specify resource physical id, CloudFormation will produce unique physical ids at the time of resource creation.

Answer 282

A

Provisioned, Parallel Query or Serverless

Answer 283

A

When workload is not steady and peak time is irregular.

Answer 284

A

Restore from a backup. Be mindful that auto backup copy have a retention period of 35 days by default.

Answer 285

A

Because browers that support SNI only refer to the hostname they are trying to connect. Without SNI, the CloudFront configuration needs to specify a static IP address since that’s what older browsers will be using.

Answer 286

A

Subnets,
Transit gateways,
Resolver rules,
License configurations.

Accounts cannot Share subnets inside of the default VPC, nor use subnets that are owned by the owner of the owner of the resource. Likewise, a share cannot share security groups not owned by the resource owner. Likewise, a share cannot share security groups not owned by the resource owner. The resource owner can remove sharing from resources in use by others and those shares will continue until released.

Answer 287

A

It bundles applications by version in application source bundles.

Answer 288

A

A custom resource is a resource either in AWS or 3rd party that a CF template asks for as part of the stack. It uses messaging: SNS or Lambda, to trigger that resource to Create/Update/Delete itself.

Answer 289

A

Use an OpsWorks stack and compose the web tier using the ECS cluster. Compose the other tiers natively in OpsWorks.

Answer 290

A

Enable the Data API to expose the REST APIs of the database through the Proxy Layer.

Answer 291

A

On-demand

2. Reserved instances

Answer 292

A

Configure one per AZ, each in a public subnet.

Me: and instances in the private subnets connect to it

Answer 293

A

me: EMR or Redshift?

Redshift can handle up to two petabytes. When properly designed and optimised, databases in Redshift can query multiple petabytes of data and return results in seconds.

Me: two key points - up to two petabytes, query in seconds.

Answer 294

A

Subnets don’t have security groups. Security groups are assigned to network interfaces (ENI).

Answer 295

A

VPC peering allows this. Configure the security group of the trusting VPC with the accountID and subnetID of the trusted consumer. This only works within the same region. Across regions, use the VPC ID of the requesting VPC.

PrivateLink,
VPC peering
Transit Gateway

Answer 296

A

Use S3 ACL

Me: ACLs are resource-based access policies that grant access permissions to buckets and objects.
By default, the owner, which is the AWS account that created the bucket, has full permissions.

Each permission you grant for a user or group adds an entry in the ACL that is associated with the bucket.

Answer 297

A

By default, they live in a region but outside the customer’s VPC. It thus has access to internet.
Customers can also configure VPC Lamba functions where all the network restrictions of the subnet and security group apply. The VPC Lambda function still runs in a sandbox outside of the VPC and exposes itself through an ENI in the VPC. For this reason, cold starts are even slower.
NEW: remoteNAT enables multiple VPC Lambda functions to share the same the same network interface in a VPC, thus speeding up the start time.

Answer 298

A

Memory,
File system
Applications.

For these, customers need to install the CloudWatch Agent.

Answer 299

A

General purpose SSD gp2: SSD
Default EBS type, boot volume, 1GB-16TB, 3,000 IOPS burst with credits
Provisioned IOPS SSD io1: SSD
Mission critical, sustained throughput larger databases, provisioned IOPS to 64,000 IOPS
4GB - 16TB
Optimised HDD st1: HDD
frequently accessed data, streams, media, Not boot volume, low cost, 500 IOPS, 500GB - 16TB
Cold HDD: HDD
infrequent accessed data, not boot volume, lowest cost, 250 IOPS, 500GB-16TB

Answer 300

A

Very low latency connections and REST APIs for queries.

2. Also, it doesn’t involve cluster infrastructure running in a customer’s environment.

Answer 301

A

If the instance is running as an IAM role, the IAM role info is available in the instance meta data for the application to use.

http://169.254.169.254/latest/meta-data …./credential

Me: instance profile?

Answer 302

A

Cross-stack references allow you to isolate stacks according to role or frequency of change.
Using export statement, one stack can announce the ID of a resource. Then, another stack can import that ID and use it as part of its resource creation, e.g. , reference a VPC ID when creating a new subnet or security group.
Cross-stack references re-use running stack resources, unlike nested stacks, which re-used stack templates but create new resources.

Answer 303

A

AWS WAF is a layer 7 firewall that can run in front of CloudFront, API Gateway or ELB. It combines conditions and rules then uses a web ACL to grant or deny traffic.

Me: a web access control list (web ACL) gives you fine-grained control over the web requests that your Amazon CloudFront distribution, Amazon API Gateway API, or Application Load Balancer responds to.
You can use criteria like the following to allow or block requests:
1. IP address origin of the request
2. Country of origin of the request
3. String match or regular expression (Reyes) match in a part of the request
4. Size of a particular part of the request
5. Detection of malicious SQL code or scripting
etc.
This criteria is provided inside the rules that you include in your web ACL and in rule groups that you use in the web ACL. It’s specified in the rule statement.

Answer 304

A

By installing the SM agent on the VM and servers to be managed and applying appropriate IAM permissions (EC2 only) and activation for on-premise servers.

Answer 305

A

KDA uses an in-application output stream that serves as the result set.
The KDA SQL application can direct the result set to KDS, KDF.
Also, a SQL application can send errors to an in-application error stream that goes to a different destination.

Answer 306

A

Similar to AuroraDB, it separates compute from storage.
You decide what type and how many dB instances you want across AZs in a region.
The Master is the read/write node.
The other instances are Read instances (replicas) that can promote to Master.
They all interact with the Cluster Storage Volume which manages six copies of all data across three AZs.

Answer 307

A

Use CF to delete the stack completely. It uses the Logical/Physical resource mapping to track all resources it created so that it can delete them using the template.

Answer 308

A

me:
for both VPC
1. Routing
2. Security group
3. NACL

Answer 309

A

You’re assigning it to the primary network interface, not the instances.

Answer 310

A

It lives outside of OpsWorks in a repository you specify, such as Git. You provide the URL and the credential to OpsWorks in the Apps recipe. Likewise, you specify the deployment targets using a deployment recipe.

Answer 311

A

Stack sets enable an account admin to run stack templates across multiple accounts and multiple regions.
The two sides of the transaction are the Admin account and Target account. It also requires two defined roles: AWSCloudFormationStackSetAdministrationRole and the AWSCloudFormationExecutionRole.

Answer 312

A

Documents can contain embedded objects like sub-documents, lists and arrays, similar to how an RDBMS schema would have these things AWS separate tables with reference keys to join them.

Me: joined during the record creation - need to know the relationship before hand, cannot support adhoc queries like RDBMS do.

Answer 313

A

Performance:
Per-operation latency
EFS - lowest, consist latency
EBS provisioned IOPS - low, consist latency

Throughput scale
EFS - 10+ GB per second
EBS Provisioned IOPS - up to 2 GB per second

Answer 314

A

Nested stacks are static template statement that include template references to other templates. They declare the order of resource creation and reference another template.
On execution, they create new resources in order of the dependency statements. Unlike cross-stack references that refer to running resources, nested stacks create new resources by reuse template code.

me:
Nested stack reuses existing stack templates as part of its stack for creating new resources
Cross-tack reuses running stack resources as part of its stack to create new resources

Answer 315

A

SCPs offer central control over the maximum available permissions for all accounts in your organisation, allowing you to ensure your accounts stay within your organisation’s access control guidelines.
A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity

Me: Permission Boundary is a new IAM feature that makes it easier for you to delegate permissions management to trusted employees. As your organisation grows, you might want to allow trusted employees to configure and manage IAM permissions to help your organisation scale permission management and move workloads to AWS faster. For example, you might want to grant a developer the ability to create and manage permissions for an IAM role required to run an application on EC2.

A permissions boundary is an advanced feature that allows you to limit the maximum permissions that a principle can have.

Answer 316

A

It configures SSM, defining what SSM does.
It can be in JSON or YAML
It controls all the functionality of SSM in your account.
They are similar to CloudFormation templates.

Answer 317

A

Access to Parameter Store and access to the customer master key (CMK) used to encrypt the credential in Parameter Store.

Answer 318

A

Instance storage type.
It’s IOPS up to 80,000 IOPS and 1,750MB/s throughput. Me: it does not sound correct.
EBS provisioned IOPS: up to 64,000 IOPS.

Answer 319

A

Multi security groups, additional network interfaces, additional storage volumes, advanced configurations: elastic graphics, elastic inference, T2/T3 unlimited
Also, you can modify and reused LTs; they can be the starting point for a new LT or version them with updates.

Answer 320

A

Organisational boundaries (SCP)—>user/role boundaries (permissions boundary policy)—>role policies (identity permissions policy) —> effective permissions

Me: resource access control list is not a policy?

Answer 321

A

If you want to retain versions indefinitely, assign versions to cheaper storage classes, like one zone IA, otherwise, you can use a lifecycle policy to delete older versions.

Answer 322

A

SQS does not support multiple consumers of messages on a queue or does it support replay. You should use Kinesis Data Streams for this requirement.

Answer 323

A

A persistent session-oriented protocol/API best suited for data streaming, interactive applications, event management applications.

Answer 324

A

By automating DR through CF, organisations can opt for lower-cost backup and restore or pilot-light techniques because CF will do the recovery faster than manual operations. This faster recovery may make the normally faster but more expensive Warm or active-active techniques less necessary for some organisations.

Answer 325

A

By default, they live in a region outside the customer’s VPC. It thus has access to the internet.
Customers can also configure VPC Lambda functions where all the networking restrictions of the subnet and security group apply.
The VPC Lambda function still runs in a sandbox outside of the VPC and exposes itself through an ENI in the VPC.
For this reason, cold starts are even slower. (May not true, see blow update)

NEW: RemoteNAT enables multiple VPC Lambda functions to share the same network interface in a VPC, thus speeding up the start time.

Answer 326

A

AWS WAF is a layer 7 firewall that can run in front of ELB, CloudFront or API Gateway. It combines conditions and rules then uses a web ACL to grant or deny traffic.

Answer 327

A

Explicit deny, explicit allow, implicit deny

Answer 328

A

The cluster endpoint refers to the Master for read and write.
The reader endpoint refers to all replicas as a cluster.
Readers get directed to any replica, improving scalability of Aurora for read-intensive workloads.
Instance endpoints allow you to configure groups of instances behind an endpoint.

Answer 329

A

xLBs deploy to an AZ with an ENI in any subnet that need to be exposed the LB (me: exposing the target groups to xLBs)

Answer 330

A

Step scaling (based on %CPU load increase),
target tracking (tracking overall CPU level on all instances),
simple (no steps)

Wth step scaling and simple scaling, you choose scaling metrics and threshold values for the CloudWatch alarms that trigger the scaling process.

AWS strongly recommend that you use a target tracking scaling policy to scale on a metric like average CPU utilisation or the RequestCountPerTarget metric from the Application Load Balancer.

The main issue with simple scaling is that after a scaling activity is started, the policy must wait for the scaling activity or health check replacement to complete and the cool down period to expire before responding to additional alarms. Cool down periods help to prevent the initiation of additional scaling activities before the effects of previous activities are visible.
In contrast, with step scaling the policy can continue to respond to additional alarms, even while a scaling activity or health check replacement is in progress.

Answer 331

A

You may not have three partition keys that you’re rotating evenly while PUTting records. Thus, you’re maximising one shard, but under-using the others.

Answer 332

A

An ephemeral port - one that specifies a range of port numbers to avoid having to have a matching outbound rule for all inbound rules.

A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
Ephemeral ports:
If an instance in your VPC is the client imitating a request, your network ACL must have an inbound rule to enable destined for the ephemeral ports specific to the type of instance (Amazon Linux, Windows Server 2008, and so on).
In practice, to cover the different types of clients that might initiate traffic to public-facing instances in your VPC, you can open ephemeral ports 1024-65535. However, you can also add rules to the ACL to deny traffic on any malicious ports within that range. However, you can also add rules to the ACL to deny traffic on any malicious ports within that range. Ensure that you place the deny rules earlier in the table that the allow rules that open the wide range of ephemeral ports.

Ephemeral:
Lasting for a very short time.
“fashions are ephemeral: new ones regularly drive out the old”.

Answer 333

A

Reserved Instance in the necessary AZs

Answer 334

A

It’s in the VPC you specify when creating the cluster.
Aurora Serverless allocates ACUs into your cluster from a warm pool it maintains for all customers.
The proxy manages connections from your applications to the cluster and movement of the ACUs in and out of your VPC.
The proxy also manages migrating cache data from one ACU to another when capacity changes.
Keep in mind, Serverless uses the same Cluster Storage Volume tier that Aurora uses, so Serverless is only managing the compute tier since the storage tier is already serverless and multi-tenant.

Answer 335

A

Some services don’t support security groups. Only NACLs will work.

Answer 336

A

Same AZ, another AZ in the region, or another region.
Replication is asynchronous.
Direct replicas from the Master are Tier 1.
You can specify Tier 2 replicas off the Tier 1 replicas as well.
You can promote a RR to Master. This is useful for rapid DR in another region.

Answer 337

A

A CloudWatch Log Group is a collection of log streams that have the same retention period, access permission, monitoring and metric filters.

Answer 338

A

me: an internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
An internet gateway serves two purposes: to provide a target in your VPC route table for internet-routable traffic, and to perform network network address translation (NAT) for instances that have been assigned public IP addresses.
In internet gateway supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth constraints on your network traffic.
IGW enable access to or from the internet for instances in a subnet in a VPC. IGW is for a region, not for a particular subnet.

Answer 339

A

The name the CF template uses to describe physical resources that CF creates.
The physical resources acquire cryptic IDs only at the time of creation.
The logical resource make it easier to identify those physical resources.

Answer 340

A

Parameter group and options groups provides the parameters admins need.

Answer 341

A

no HA: a single Customer Gateway device, single internet connection, and single tunnel endpoint;
Partial HA: a single Customer Gateway device, single Internet connection, and two tunnel endpoints in separate AZs;
HA: two Customer Gateway devices, two internet connections, and two tunnel endpoints in separate AZs for each network connection, this uses dynamic routing/BGP
(Me: the on-premise side need to have a router support BGP).

Answer 342

A

Long-Running Clusters and Data Warehouses On-Demand On-Demand or instance-fleet mix Spot or instance-fleet mix.
Cost-Driven workloads Spot Spot Spot
Data-Critical workloads On-Demand Spot or instance-fleet mix
Application Testing Spot Spot Spot

Me:
When you set up a cluster, you choose a purchasing option for EC2 instances. You can choose to use On-Demand instances, Spot Instances, or both.
your choice to use instance groups or instance fleets in your cluster determines how you can change instance purchasing options while a cluster is running. If you choose uniform instance groups, the instance type and purchasing option apply to all EC2 instances in each instance group, and you can only specify the purchasing option for an instance group when you create it.
If you choose instance fleets, you can change purchasing options to fulfil a target capacity that you specify.

Answer 343

A

It’s one of the schema definitions that describes the columns and data types of the data.
It can be created manually using Athena Interface, API or CLI, or
It can be created automatically using Glue Data Crawler.

Answer 344

A

The DocumentDB Cluster Storage Volume takes daily snapshots and stores them in S3.
DocumentDB also records incremental transactions between snapshots to provide point-in-time recovery.
You also define a retention period for all data.

Answer 345

A

Stack sets enable an account admin to run stack templates across multiple accounts and multiple regions.
The two side of the transaction are the Admin account and Target account.
It also requires two defined roles:
- AWSCloudFormationStackSetAdminstrationRole
- AWSCloudFormationStackSetTargetRole?

Answer 346

A

They cannot reference other resources, only ports and IP address ranges. Security groups, however, can refer to the ID of another security group to allow traffic from it.

Answer 347

A

VM
1. VMs run on top of a hypervisor, abstracting the hardware.
2. VMs contain the OS and applications.
3. The isolation boundary is VM.
4. Many VMs can run on the same hypervisor.
Container
1. Containers run on top of the OS but further isolate applications.
2. With Container engine, like Docker, applications and their dependencies can run isolated from each other on the same OS/VM.
3. Containers don’t have dedicated memory like a VM does, so you can pack more applications on hardware by using containers rather than just using VMs.
4. But, containers are not isolated from each other regarding security.
5. Containers can start very quickly compared to VMs — in seconds, sometimes MS.

Answer 348

A

Amazon MQ offers support for a number of standard protocols and is an open source project, so the API is likely familiar to the customer. Unlike SQS or SNS, Amazon MQ is deployed with private endpoints in the customer’s VPC with no public access required for applications within the VPC. It’s also available in an active/standby configuration across multiple AZs in a region.

Answer 349

A

Region
The owner
Launch permissions
Architecture (32-bit or 64-bit)
OS,
Storage for the root device.
Block device mapping of all storage volumes?

Once created, the AMI creates snapshots of any EBS volumes described in the AMI and holds pointers to them.
If the instances type uses instance volumes, the AMI creation bundles the instance definition and instance store into files and saves them to S3.

Answer 350

A

Use a Lambda function to manipulate records or change the format to Parquet or ORC with a checkbox.

Answer 351

A

CSV
TSV
XML
JSON
Parquet
ORC

Answer 352

A

OpsWorks offers most of the control over deployments that CloudFormation offers, but still provides minimal config options. It offers Chef or Puppet as the deployment framework.

Me:
OpsWorks is for development deployment vs SSM is for operational support.
CloudFormation defines AWS Resources that needs to be created/updated/deleted while Elastic Beanstalk provides a versioned application hosting environments.

Answer 353

A

Redshift compliants with DSS, HIPPA and other security standards by supporting encryption in transit and at rest. It uses KMS (AWS Key Management Service) or CMK (Customer Master Key) for encryption keys.

Answer 354

A

The master node has much lower CPU and memory requirements, so it can be smaller. The data nodes do to work and should be bigger.

Answer 355

A

Name
LC template & version
Min, Max and desired instance count
VPC,
Subnet
Health check
Load balancing
scaling policies,
Change notifications
Tags

Launch template defined where and what
Scaling configuration defines when

Answer 356

A

Shield is a DDoS protection layer in front of WAF.
Standard is free, Shield Advanced provides WAF, DDoS mitigation, visibility and reporting, DDoS response team support, and cost protection due to attacks. Shield also protects EIPs。

me： AWS Shield Advanced for EIP extends the coverage of DDoS cost protection， which safeguards against scaling charges as a result of a DDoS attack。

Answer 357

A

HVM uses newer generation of CPUs that allow guest OS to interact with CPU, memory, network, local storage and the motherboard bypassing the hypervisor.
Unlike paravirtualisation, HVM avoids emulation, speeding up performance of guest OSs.
Next, AWS introduced Nitro in 2017, bringing hardware virtualisation to all aspects of the guest OS access to the hardware. This results in near bare metal performance.

Answer 358

A

Inbound traffic and outbound traffic

Subnet A —> Subnet B; Subnet B —> Subnet A

SA outbound rules
SB inbound rules
SB outbound rules
SA inbound rules

Answer 359

A

AMI baking isn’t flexible but faster launch.

User data is more flexible but possibly slower.

Answer 360

A

at the CloudWatch Log Group level, which is a group of related (collection of) Log Streams.

Answer 361

A

Athena can access logs from

CloudTrail
CloudFront
VPC Flows Logs
Load Balancers

Answer 362

A

A NAT gateway has a public IP address, but that’s used only for returning inbound traffic from an outgoing request by a private instance.

Answer 363

A

KDA has in-application input streams that are virtual tables for the SQL query.
These tables take input from KDS or KF and place the message as records in the stream. Or, they place a number of records in the Virtual Tables according to the duration of a window defined in the SQL procedure.

Answer 364

A

The AMI creator’s account plus any other accounts the configuration names.
It can also be public.

Answer 365

A

Use the version stages capability provided.

Answer 366

A

VPC Peering allows this.
Configure the security group of the trusting VPC with the accountID and subnetID of the trusted consumer. This only works within the same region.
Across regions, use the VPC ID of the requesting VPC.

Answer 367

A

It’s a message broker based on Apache MQ.
It support standard APIs such as AMQP, MQTT, OpenWire or STOMP.
It can function as a queue or topic and supports cardinality of 1:1 or 1:n

Answer 368

A

In a multi-master cluster, all DB instances can perform write operations.
There isn’t any failover when a writer DB instance becomes unavailable, because another writer DB instance is immediately available to take over the work of the failed instance.
We refer to this type of availability as continuous availability, to distinguish it from the high availability (with brief downtime during failover) offered by a single-master cluster.

Answer 369

A

DR McGIFT PX (DR McGIFPIX?)

D for Density
R for RAM
M - main choice for general purpose apps
C for Compute
G for Graphics
I for IOPS
F for FPGA
T - cheap general purpose (think T2 micro)
P for Graphics (think Pics)
X - Extreme Memory
General purpose
Memory optimised
Storage optimised
Network optimised
Big data optimised
Floating point computation optimised
GPU
ARM based

Answer 370

A

Six in total:

Simple
Failover
Geolocation
Weighted
Latency
multi-value answer
Geo-proximity

Answer 371

A

Effect
Action
Resource

Optional:

Condition
Principal (resource policy only)

Answer 372

A

The IoT Gateway maintains device status in device shadows. These are always available even though things may have sporadic access to the Gateway.

Answer 373

A

CloudWatch can report on metrics from CF, CloudTrail can report on API calls, and AWS config can report on configuration changes over time.

Answer 374

A

It’s a region-based cache of the origin server content.
This is the first place a CDN server checks on an Origin fetch.
If this misses, then the fetch goes to the origin.

Answer 375

A

You cannot.

Any custom origin server must offer public access to CloudFront.

Answer 376

A

{parameter_name}

You can use a parametrised template to customise a pipeline definition. This enable you to create a common pipeline definition but provide different parameters when you add the pipeline definition to a new pipeline.
When you create the pipeline definition file, specify variables using the following syntax: #{myVariable}.
It is required that the variable is prefixed by my. For example, the following pipeline definition file, pipeline-definition.json, including the following variable: myShellCmd, myS3InputLoc, and myS3outputLoc.
A pipeline definition has an upper limit of 50 parameters.

Answer 377

A

Use two Snowmobiles. Each Snowmobile can hold up to 100PB of data. Connected together, the transfer operation will see a single 200PB storage area.

Answer 378

A

PKCS#11, Java Cryptograph Extensions (JCE), MS CryptoNG (CNG). CloudHSM does not support AWS APIs.
CloudHSM compliant with FIPS 140-2 at level 3
KMS does not support CloudHSM.

Answer 379

A

Use SSM run commend to install CloudWatch agent on existing EC2 instances.

Answer 380

A

The Leader node can only distribute data by file. So a single file is all going to a single compute node. To take better advantage of the cluster, you should pre-process the large file into five, ten or any multiple of five files.

Me: is this a EMR cluster?

Answer 381

A

Identify significant points in the question
identify similar answers, but understand the differences
Look for disqualifying facts in answers, based on #1
Eliminate any generally bad answers.
Pick between remaining answers using judgement.

Answer 382

A

CloudHSM or KMS, they both comply with FIPS 140-2.
CloudHSM at Level 3, while AWS KMS at level 2.
CloudHSM support KPCS#11, Java Cryptography Extensions (JCE), MS CryptoNG (CNG), it does not provide AWS API access
KMS provides AWS API access only.

Answer 383

A

The ALB service is outside of the VPC across the regions. ALB will deploy an ALB node with the appropriate IP address in each AZ you’ve selected.

Answer 384

A

Install the CloudWatch agent on the EC2 instance.
Configure it to tail the logs in /var/logs. It will pick up each entry in the log file and send it them as Log events using a Log Stream.

Answer 385

A

If the instance is running as an IAM role, the IAM role info is available in the instance meta data for the applications to use.

Answer 386

A

Topics,
Queues,
Virtual Topics
Virtual Topics allows a single publisher to a topic deliver messages to any number of subscribes through a fan-out technique, similar to SNS fan out.

Answer 387

A

Permission to access the Parameter Store and permission to access the CMK used to encrypted the credentials stored in Parameter Store.

Answer 388

A

ElasticSearch (Lucene)
Logstash or Beats
Kibana for visualisation

Answer 389

A

Reduced latency for database lookups, improved availability if the cache is HA, stateful micro service design support by offloading state to a cache, and reduced costs/impact on databases by offloading cache-able reads to the memory cache.

Answer 390

A

It doesn’t. Only when traffic crosses a subnet do the NACL rules apply.

Answer 391

A

Using logs that it exports to CloudWatch Logs using a service-linked role.

Answer 392

A

It can reduce ACUs to Zero if there is no demand, reducing costs.

Answer 393

A

An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.

Answer 394

A

Owner
Launch permissions
Architecture
OS
Block device mapping
Once created, the AMI creates snapshots of any EBS volumes described in the AMI and holds pointers to them.
If the instance type uses instance volumes, the AMI creation bundles the instance definition and instance store into files and saves them to S3.

All AMIs are categorised as either backed by Amazon EBS or backed by instance store. The former means that the root device for an instance launched from the AMI is an Amazon EBS volume created from an Amazon EBS snapshot. The latter means that the root device for an instance launched from the AMI is an instance store volume created from a template stored in Amazon S3.
Boot time for an instance:
Amazon EBS-backed AMI - usually less than 1 minute
Amazon instance store-backed AMI - Usually less than 5 minutes

Answer 395

A

If you want to retain versions indefinitely, assign versions to cheaper storage classes, like one zone IA.
Otherwise, you can use a lifecycle policy to delete older versions.

Answer 396

A

Two snowmobile daisy-chained together as one partition. Each snowmobile has 100PB capacity.

Answer 397

A

MQ supports global brokers where brokers are deployed in AZs in multiple regions while keeping the entire Queue in sync.

Answer 398

A

CloudHSM is only accessible to the customer.

KPCS#11, JCE and MS CNG are the stanard APIs you could use to interact with CloudHSM.

Answer 399

A

default Route Tables associated with the subnets involved
NACLs that associated with subnet on both sides - inbound and outbound rules
Security Groups associated with the source EC2 instance or target EC2 instance.

Answer 400

A

Uniform Instance Groups and

2. Fleet Instance Groups

Answer 401

A

3,500 puts
5,000 gets per object partition.

Me:
S3 must maintain a ‘map’ of each bucket’s object names, or ‘keys’. Traditionally, some form of partitioning would be used to scale out this type of map. Given that S3 supports a lexigraphically-sorted list API, it would stand to reason that the key names themselves are used in some way in both the map and the partitioning scheme … and in fact that is precisely the case: each key in this ‘keymap’ is stored and retrieved based on the name provided when the object is first put into S3 - this means that the object names you choose actually dictate how AWS manage the keymap.
Internally, the keys are all represented in S3 as strings like this:
bucket/keyname
Further, keys in S3 are partitioned by prefix.

Answer 402

A

You can place a WAF in front of an API Gateway.
Web Application Firewall (WAF) can protect APIs against a range of threats including DDoS, known IP blacklists and much more.

Me. AWS Shield or AWS Shield Advance can provide DDoS protection, not WAF. AWS Shield is placed in front of WAF.

Answer 403

A

Configure WAF in front of the CF distribution.

Answer 404

A

AZs, regions and global edge services

Answer 405

A

Because APIs need to run 24/7 on infrastructure someone needs to manage and pay for. Thus, it’s ideal for pay as you go serverless implementation.

Me: in other words, autoscaling and pay per request without provisioning max capacity to cater for peak load is a big win/cost saving and support team costs (multi-tenant share cost model).

Answer 406

A

Create a R53 Resolver outbound endpoint. Create mapping for the on-premise DNS names that refer to the on-premise DNS IP address.

Answer 407

A

EBS or instance store.

Answer 408

A

Because browsers that support SNI only refer to the host by name that they are trying to connect. Without SNI, the CloudFront configuration needs to specify a static IP address since that’s what older browsers will be using.

Answer 409

A

a Docker file describes the OS and other software components of the container using layers. It’s similar to a file system.

A container image is like the disk. Or like an AMI. It describe the running container. Container images live in Docker Registries. A container is a running container image.

Containers map to resource like ports.

Answer 410

A

It creates an environment (based on web application or worker application) and deploys your application version into that environment.

CF creates stacks, which provision AWS resources (create, update, delete), but NOT applications.

Answer 411

A

24/7, time-based, or load-based.

Answer 412

A

Configure three master nodes: the master and two eligible maters.
Also have at least three data nodes across AZs. By having three of each, ES can use a quorum to determine the next election if one fails.

(Me: this is minimum configuration for a HA ElasticSearch cluster)

Answer 413

A

It lives in a VPC you specify.
By default, it uses the default VPC, but you can specify a custom VPC in your account.
To access S3 data, you need to configure a NAT or internet gateway for the public S3 point, or create a VPC endpoint for S3.

Answer 414

A

Use Enable TTL and specify the epoch of the duration items should remain in the table. DynamoDB constantly checks the timestamp of items and marks them for deletion once they exceed their date + epic > today.

Answer 415

A

Save all your configurations (as a version control). Then, you can revert to a saved configuration (thinking version rollback).

Answer 416

A

It uses Streams to capture all changes to one table to the other tables in other regions.
You configure a Global Table by enabling Streams (Old and New), then by adding Regions where you want to replicas. All tables are masters and stream their changes to the other replicas.

Answer 417

A

you can change the subnet to public and you can also enable encryption in transit and at rest.

Answer 418

A

When speed of setup is critical; VPN takes minutes, DX take days-weeks
Cost can be lower for spiky or sporadic usage.
When network QOS is not critical.
VPN performance depends on customer router CPU due to encryption; the ISP network connection over the Internet is not consistent.

Answer 419

A

Use the AWS VPC network mode.

Configure the security group that the container’s VPC uses to control what traffic gets in and out.

Answer 420

A

Cluster - the collection of resources ECS can use to run your containers
Service - ECS or Fargate runtime responsible for managing container tasks.
Task definition - a configuration file that tells ECS what containers it should create and how they interact with the outside world;
Container definition - Container definitions are used in task definitions to describe the different containers that are launched as part of a task.

Answer 421

A

Legal holds and retention policies - this prevents objects from deletion.

prerequisite:
Versioning must be enabled.
Object locks must be set at time of creating the bucket.

Answer 422

A

It’s the code behind the API that the API invokes. This could be a mock or the real implementation. Implementations can include Lambda functions, other AWS service like DynamoDB queries, (know the others!), or custom services hosted on EC2 or containers.

Answer 423

A

Select dual stack.

Answer 424

A

If you don’t need to change the node type, elastic resize is the fastest option. If you really need to also change the node type, then you’ll have to use classic resize, but it is the longest (24hr.) read-only mode.

Me:
Redshift now supports elastic resize across node types. Customers can change node types sighing minutes and with one simple operation using elastic resize.
Elastic resize across node type automates the steps of taking a snapshot, creating a new cluster, deleting the old cluster, and renaming the new cluster into a simple, quick, and familiar operation. Elastic resize operation can be run at any time or can be schedular to run at a future time. Customers can quickly upgrade their existing DS2 or DC2 node type-based cluster to the new RA3 node type with elastic resize.

Answer 425

A

ALBs terminate the client request then establish a new connection to the target group because encryption operates at layer 7.
NLB, examining only the layer 4 header, simply pass on the layer 5+ portion of the packet which may or may not be encrypted. This enables an end-to-end pass-through of encrypted layer 7 data, improving performance.
me: ALB will terminate the initial http request, modify it (add the X-Forwarded Headers）and initate a new http request directly to the instance。
If you need to terminate 100% on the instance itself you need to use NLB, not an ALB.

me:
ALB has a embedded WAF, it terminates SSL connections, client IP address is lost by
NLB supports SSL connection pass through, client IP address is preserved

Answer 426

A

Declare resource objects as singletons outside of the lambda_handler(). They ‘may’ be available to the next instance of the function, but declare them as NULL and do NULL checks in the handler of sub-functions.

Answer 427

A

Since customers pay for Athena by the amount of data it scans, reduce the amount of data scanned by partition data, organise it into columnar format to reduce the number of columns Athena sees during a query.

Answer 428

A

On-demand capacity will always manage the RCU/WCU and storage requirements for the incoming load. Auto scaling sets an upper limit and can be slow. Provisioned capacity also sets a limit.

Answer 429

A

Use S3 resource policy “condition” to define ACLs access limits

Answer 430

A

3,000 puts and 5,000 gets per object partition.

Answer 431

A

Do a restore of just the table. Restore it to a new table name, delete the old table, then rename the restored table to the old table name.

Answer 432

A

Parameter groups and option groups provide the parameters admins need.

Answer 433

A

R53
IAM
CloudFront

Answer 434

A

(Me: the order in the table doesn’t matter)

Local
Longest CIDR prefix (/32 is longest)

Me:
The routing table is used in order of most specific to least specific, e.g. A destination of 0.0.0.0 with a netmask of 0.0.0.0, i.e. your default route, is the least specific possible and so will always be applied last.
The ‘local’ table is the special routing table containing high priority control routes for local and broadcast addresses.

Answer 435

A

Legacy Lambda used a three-tier architecture: the hypervisor stack (shared tenancy) with a guest OS running on that (account isolation), then a Sandbox, Lambda runtime, and function code ran on that (function isolation). The sandbox runs only one function, but as many instances as needed concurrently.
New Lambda is a two-tier architecture: the shared hypervisor stack, but now runs a micro VM dedicated to a Sandbox stack-shared tenancy->dedicate function tenancy. (Fire craker)

Answer 436

A

AMI
Instance type
Purchase option: on-demand, RI, spot
IP addressing
User data
CW detailed monitoring option
Amount and type of storage
key pair
to make any changes after saving, you must create a completely new launch config., then change the LC association in the AS Group.

Answer 437

A

Local
Longest CIDR prefix (/32 is longest)
Static over dynamic/propagated
Routes learned from a DX connection
Static routes learned from VPN
Static routes learned from VPN BGP

Answer 438

A

Metadata about network traffic into and out of the VPC, including address, port, protocol and more.
Logs do not include information about DHCP, AWS DNS, or license activation requests. This is not a network monitor.

Answer 439

A

In private and public VPCs, edge locations, and any region.

Me: in the console, there are three options for the endpoint type:

Regional
Edge optimised
Private

Private APIs are only accessible through VPC endpoints for API Gateway. Create a VPC endpoints and add Resource Policy for the API to allow access.

when API requests predominantly originate from an EC2 instance or services within the same region as the API is deployed, a regional API endpoint, a regional API endpoint will typically lower the latency of connections and is recommended for such scenarios.
To create a regional API, you follow the steps in creating an edge-optimised API, but must explicitly set REGIONAL type as the only option of the API’s endpointConfiguration

Answer 440

A

The template is designed so that it can be run any number of times without user input.

(Me, this is just one of the Reuse goal for deployment automation)

Answer 441

A

GCMAS
DR_McGIFT PIX

Me:
DR McGIFT PX

D - Density
R - RAM (memory)
M - Mainly general purpose
C - Compute
G - Graphics
I - IOPS
F - FPGA
T - (think T2) Low cost burst-able general purpose 
P - (think Pics) Graphics
X - Extreme memory

Answer 442

A

The table is a set of columns that have the name data type of the fields in the data files you want to query. It also contains a pointer to the S3 location where these data files sit.

Answer 443

A

Kinesis supports VPC Endpoints (Private Endpoints)

Answer 444

A

Time is critical to set up a link, VPN in minutes, DX takes days or weeks even months
Cost can be lower for spiky or sporadic usage
When network QOS is not critical
Consistent performance is not required - VPN performance depends on customer router CPU due to encryption; the ISP network connection over the internet is not consistent.

Answer 445

A

Multi security groups
Additional network interfaces
Additional storage volumes
Advanced configurations:
- elastic graphics
- elastic inference
- T2/T3 unlimited
Also, you can modify and reused LTs; they can be the starting point for a new LT for a new LT or version them with updates.

Me: you can now use launch templates with Amazon EC2 Auto Scaling and Amazon EC2 Spot Fleet in you AWS CloudFormation templates.
Launch templates enable you to centrally make changes to launch parameters and control the roll out of these changes to Auto Scaling groups and Spot Fleet.
With T2 unlimited instances, you have the ability to sustain high CPU performance over any desired timeframe while still keeping your costs as low as possible. You simply enable this feature when you launch your instance; you can also enable it for an instance that is already running.

Answer 446

A

A persistent session-oriented protocol/API best suited for data streaming, interactive applications, event management applications.

Answer 447

A

Trust policy - defining who can assume the role

2. Permission policy - defining what the role can do

Answer 448

A

S3 logs all access requests on a bucket (source bucket) to a designated bucket (target bucket) for logging.

Answer 449

A

Only NACL can deny traffic. Security groups cannot.
Security groups deny by default, but allow by rule.

Me: The default network ACL is configured to allow all traffic to flow in and out of the subnets with which it is associated. Each network ACL also includes a rule whose rule number is an asterisk. This rule ensures that if a packet doesn’t match any of the other numbered rules, it’s denuded. You cannot modify or remove this rule.

Answer 450

A

The union of SCP (Service Control Policy :an Organisational boundary Policy), user/IAM Role permission boundary policy, IAM role permission policy determines a principal’s effective permissions.

Answer 451

A

The VPC must have an IGW, and the subnet must have a default route to the IGW by associating with a VPC route table that has a route to the IGW.

Answer 452

A

S3
Redshift
Splunk
Kinesis Analytics

Answer 453

A

Each of he slices on your compute nodes have the advertised amount of data available to them according to the Management Console. But Redshift also reserves the same amount for replication of slice data from other nodes, similar to RAID 5 with a disk array.

Answer 454

A

Use spot fleet

Answer 455

A

When the application can tolerate loss of an instance, such as 
production:
1. big data systems, 
2. Stateless web clusters
Non-production:
3. Dev environment
4. Experiments.

Answer 456

A

ALB supports HTTP2 for up to 128 simultaneous connections. It will split them up to separate HTTP 1.1 connections to target groups.

Me:
Listener Configuration
Listeners support the following protocols and ports:

Protocols: HTTP, HTTPS

Ports: 1-65535

You can use an HTTPS listener to offload the work of encryption and decryption to your load balancer so that your applications can focus on their business logic. If the listener protocol is HTTPS, you must deploy at least one SSL server certificate on the listener. For more information, see Create an HTTPS Listener for Your Application Load Balancer.

Application Load Balancers provide native support for WebSockets. You can use WebSockets with both HTTP and HTTPS listeners.

Application Load Balancers provide native support for HTTP/2 with HTTPS listeners. You can send up to 128 requests in parallel using one HTTP/2 connection. The load balancer converts these to individual HTTP/1.1 requests and distributes them across the healthy targets in the target group. Because HTTP/2 uses front-end connections more efficiently, you might notice fewer connections between clients and the load balancer. You can’t use the server-push feature of HTTP/2.

Answer 457

A

Spot fleet

Answer 458

A

Publish message to $aws/rules/rulename and which sends the message directly to an IoT Rule without the pub-sub features of IoT Topics.

Answer 459

A

Be careful and understand the context of the question.

Databases and data movement is best for DP.

Answer 460

A

CLB or ALB. NLB does not support UDP, only TCP.

Me: ALB does not support UDP. It supports HTTP, HTTPS, HTTP/2 and WebSockets

UDP Load Balancing
Today (24 June 2019) we are adding support for another frequent customer request, the ability to load balance UDP traffic. You can now use Network Load Balancers to deploy connectionless services for online gaming, IoT, streaming, media transfer, and native UDP applications. If you are hosting DNS, SIP, SNMP, Syslog, RADIUS, and other UDP services in your own data center, you can now move the services to AWS. You can also deploy services to handle Authentication, Authorization, and Accounting, often known as AAA.

You no longer need to maintain a fleet of proxy servers to ingest UDP traffic, and you can now use the same load balancer for both TCP and UDP traffic. You can simplify your architecture, reduce your costs, and increase your scalability.

Answer 461

A

By default, CF runs under the identity of the user running. Some users, like junior DevOps members, may have restricted permissions in the AWS account. But if you grant the stack greater permissions, the junior developers can edit and run it while still having their restrictive permissions.

Answer 462

A

AWS IoT use MQTT, which is a industry standard protocol that other devices and systems likely use.

Answer 463

A

It provides a single IPv4 address for all devices behind it, saving on scarce IPv4 addresses. IPv6 doesn’t have this constraint, thus NAT isn’t as relevant in IPv6.

Answer 464

A

Use an OpsWorks stack and compose the web tier using the ECS cluster. Compose the other tiers natively in OpsWorks.

Me:
AWS OpsWorks Stacks simplified the process of launching and maintaining container instances for existing Amazon ECS cluster. To create or launch other Amazon ECS entities, such as clusters and tasks, use the Amazon ECS console, CLI or API. You can then associate a cluster with a stack by creating an ECS Cluster layer, which you can use to manage the cluster in AWS OpsWorks Stacks.
* OpsWorks and ECS Cluster is 1:1 mapping.
OpsWorks needs permission to interact with ECS on your behalf (aws-opsworks-service-role).

Answer 465

A

When the application positively needs the capacity and the demand is not steady.

Answer 466

A

KDA uses an in-application output stream that serves as the result set. The KDA SQL Application can direct the result set to KDS, KDF.
Also, SQL application can send errors to an in-application error stream that goes to a different destination.

Answer 467

A

Local db users or IAM.

Answer 468

A

The AMI Creator’s account plus any other accounts the configuration names. It can also be public.

Answer 469

A

You need to run an HSM in your data centre. AWS does not provide access to CloudHSM. CloudHSM is a dedicated tenancy solution running on shared infrastructure, similar to EC2.

Answer 470

A

OpsWorks offers most of the control over deployments that CloudFormation offers, but still provides minimal config options. It offers Chef or puppet as the deployment frameworks.

I don’t think the above answer is correct. See blow alternative.

CloudFormation is at infrastructure level, create/update/delete AWS resources described in a CloudFormation template. Elastic Beanstalk hides infrastructure details, provides an layer of abstraction so the user can focus on the application needs. OpsWorks manages the configurations for resources and applications that CloudFormation or EBS provisioned.

AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment. Cloud formation allows you to use a simple test file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts. This file serves as the single source of truth for your cloud environment.

EBS: Abstraction from CloudFormation, Spin app from blueprints, no need to worry about every small detail of infrastructure.

OpsWorks: Configuration management inside those servers, change port, install newer software version, etc.

Answer 471

A

Subnets
R53 resolver rules
Transit gateway
License configurations
Accounts cannot share subnets inside of the default VPC, nor use subnets that are owned by the owner of the resource. Likewise, a share cannot share security groups not owned by the resource owner. The resource owner can remove sharing from resources in use by others and those shares will continue until released.

Answer 472

A

You’re assigning it to the primary network interface, not the instance.

Answer 473

A

Memory, file system, Applications. For these, customers need to install the CloudWatch Agent.

Answer 474

A

Metrics and alarms

Answer 475

A

Use default values in parameter lists (avoiding human input),
Use ParameterStore for system and custom values
Pseudo Parameters for CF-wide values such as region, partition, accountID, stackID and more
Intrinsic Functions for AZs in a region, AMI and more,
Don’t specify the physical ID of a resource and CF will create a unique one for you.

Answer 476

A

Create a bucket policy that allows principal: *

me: Make the S3 publicly accessible.

Answer 477

A

Scale UP the instance type(s) of the cluster to a larger EC2 type. Since there is only one write instance, the only option is scaling UP.

me: Scaling the write node vertically

Answer 478

A

NLB. NLB recently added support for UDP load balancing. Otherwise, CLB would be the only option.

Answer 479

A

Customer Master Key.
This is the core of KMS. They encrypt the data that’s in KMS. Usually, the data is other encryption keys. They never leaving KMS, and because KMS is regional, they never leave the region.

Answer 480

A

The workflow for updating a stack is no different from creating a stack: the user defines the resource updates then executes the new/modified stack template. Change Sets allow a junior developer to create the template for change, but simply save and notify others of the proposed change, without having permissions to run the Change Set. Senior developer can review the Change Set and run it if approved.

Answer 481

A

Create an IAM policy that Allows all the actions on the DynamoDB table that the Sales_Managers (and others who adopt this policy) need. Use a Condition that uses a variable that looks for the ID of the SalesRep_ID requested in the query. Only allow access to the records associated with this Sales_Manager.

Answer 482

A

Master node,
Core nodes
Task nodes

An EMR cluster can have only one node, the Master node. It also can have Core nodes that run HDFS and manage tasks. And Task Nodes execute tasks but have no storage system. You cannot change the Master node instance type after creating the cluster. You can change Core and Task node instance types.

Me:
With Amazon EMR 5.23.0 and later, you can launch a cluster with three master nodes to support high availability of applications like YARN Resource Manager, HDFS Name Node, Spark, Hive, and Ganglia. The master node is no longer a potential single point of failure with this feature. If one of the master nodes fails, Amazon EMR automatically fails over to a standby master node and replaces the failed master node with new one with the same configuration and bootstrap actions.

However, unlike the master node, there can be multiple core nodes—and therefore multiple EC2 instances—in the instance group or instance fleet. There is only one core instance group or instance fleet. With instance groups, you can add and remove EC2 instances while the cluster is running or set up automatic scaling. For more information about adding and removing EC2 instances with the instance groups configuration, see Scaling Cluster Resources. With instance fleets, you can effectively add and remove instances by modifying the instance fleet’s target capacities for On-Demand and Spot accordingly. For more information about target capacities, see Instance Fleet Options.

Task Nodes

Task nodes are optional. You can use them to add power to perform parallel computation tasks on data, such as Hadoop MapReduce tasks and Spark executors. Task nodes don’t run the Data Node daemon, nor do they store data in HDFS. As with core nodes, you can add task nodes to a cluster by adding EC2 instances to an existing uniform instance group, or modifying target capacities for a task instance fleet. Clusters with the uniform instance group configuration can have up to a total of 48 task instance groups. The ability to add uniform instance groups in this way allows you to mix EC2 instance types and pricing options, such as On-Demand Instances and Spot Instances. This gives you flexibility to respond to workload requirements in a cost-effective way. When you use the instance fleet configuration for your cluster, the ability to mix instance types and purchasing options is built in, so there is only one task instance fleet.

Answer 483

A

It’s in the VPC you specify when creating the cluster. Aurora Serverless allocates ACUs into your cluster from a warm pool it maintains for all customers. The proxy manages connections from your applications to the cluster and movement of the ACUs in and out of your VPC. The proxy also manages migrating cache data from one ACU to another when capacity changes. Keep in mind, Serverless uses the same Cluster Storage Volume tier that Aurora uses, so Serverless is only managing the compute tier since the storage tier is already serverless and multi-tenant.

Answer 484

A

With EC2, you define the instance type and are responsible for the cluster. With Fargate, you don’t. You define tasks and let ECS/Fargate obtain the container hosts to run those tasks.

me: The difference is in the container hosting layer - a hosting cluster needed to run the containers and the management of the cluster.

Answer 485

A

Web Application Firewall (WAF) can protect APIs against a range of threats including DDoS, Known IP blacklists and much more.

Me: WAF does not provide DDoS protection, AWS Shield and AWS Shield Advanced provides DDoS protection.

Answer 486

A

Use a Lambda function with event source mapping set to the arrival of messages in an SQS queue. This is an event-driven alternative to the usual polling approach of EC2-based applications.

Answer 487

A

Shield is a DDoS protection layer in front of WAF.
Shield Standard is free and always on.
Shield Advanced provides WAF, DDoS mitigation’s, visibility and reporting, DDoS response team support, and cost protection due to attacks.
Shield Advanced also protects EIPs.

Answer 488

A

Stack sets enable an account admin to run stack templates across multiple accounts and multiple regions.
The two sides of the transaction are the Admin account and Target account. It also requires two defined roles: AWSCloudFormationStackSetAdmininstrationRole and the AWSCloudFormationExecutionRole.

Answer 489

A

Design it to run in any account or location without any modifications or user input.

Answer 490

A

S3 is not a custom origin and CF configuration will match the same protocol as the client connection.
If you need a different protocol to the origin, configure a custom origin. When specifying an origin such as www., the Origin configuration offer serval TLS options and protocol policies.

Answer 491

A

Snowball Edge can hold up to 100/80TB of data and including edge computing services such as IoT Greengrass, Lambda functions and GPU processors. This is ideal for remote locations with poor networking infrastructure and real time capabilities are not required.

Answer 492

A

DynamoDB has had to create more partitions for each CatID. But since the partition key is CatID, DynamoDB still limits the RCU/WCUs to 3000/1000 across all partitions for that CatID. You need to consider a partition key that has more values than 0001-0004.

Me:

DynamoDB will split partition based on a) RCU/WCU 3000/1000 and b) storage size of 10GB
This is no longer a limitation since the DynamoDB will balance the RCU/WCUs at the table level, not the partition level.
On-demand capacity pricing option will autoscale RCU/WCUs according to the demand at the time. The other one is the provisioned throughput option.

There are a few downsides to DynamoDB that you should consider before choosing to use it in your production applications.

Strong vendor lock-in. DynamoDB is a proprietary solution and doesn’t have an open-source version, so if you ever decide to move away from using DynamoDB, you’ll be looking at a significant amount of work migrating to a different database solution. Some functionality, such as DynamoDB Streams, might be particularly hard to rebuild in a different database.

The cost structure can backfire with large datasets. There are two pricing options for DynamoDB: the on-demand option and the provisioned throughput option. While the on-demand pricing is a good fit for applications with “spiky” usage and relatively low average traffic, as average usage increases the on-demand pricing structure can become quite expensive.

No built-in caching. DynamoDB requires the access to your data to be mostly uniform. If you access a certain segment of your data (like the most recent entries) much more than others, you won’t have an out-of-the-box way to cache these recent items—excepting of course the DynamoDB Accelerator, which is proprietary and adds to your costs.

No support for JOIN operations. DynamoDB’s design doesn’t allow you to join data from across multiple tables. So if you need the data from multiple tables for a single operation, you’ll find DynamoDB to be more expensive, slower and more complicated for implementing JOINs than with a relational datastore.

Answer 493

A

MQ supports global brokers where brokers are deployed in AZs in multiple regions while keeping the entire Queue in sync.

Answer 494

A

NACLs cannot reference other resources, only ports and IP ranges. Security Groups, however, can refer to the ID of another security group to allow traffic from it.

Me:
NACLs does not provide traffic control inside a subnet. It only controls in/out bound traffic between subnets.

Answer 495

A

Simple, limited feature set - Memcached
Vertical Scaling - Memcached: supports multi-threading
Horizontal Scaling (read) - Redis
HA - Redis: replicate to other nodes
Backup/Restore - Redis
Rich feature set - Redis
Transaction - Redis
Geo-special data type - Redis

Answer 496

A

SQS FIFO supports up to 300 messages per second with guaranteed ordering and no duplicates.

Me:

Identify significant points.
a) messages need to be in order of delivery
b) no message duplication
c) 6,000 message per minute ==> 100 per second

Answer 497

A

The owner enters registration information into the ACM form including the domain name.
ACM validates the domain name using R53 or your other registrar.
Once validated, ACM issues the certificate containing public and private keys. Private key is encrypted using KMS.
The certificate is now available to any AWS integrated service.
When these services need to use the private key to decrypt content, they use KMS to decrypt the key, hold it in memory, and use it to decrypt the public key encrypted content.

Answer 498

A

it’s a message broker based on Apache MQ. It supports the JMS API or protocol such as AMQP, MQTT, OpenWire or STOMP. It can function as a queue or topic and supports cardinality of 1:1 or 1:n.

Me:

Supports many industry standard protocol
Supports message topic and message queue
Supports multiple regions and keeping messages in sync using global brokers
Supports HA (Active/Standby in multiple AZs)

Answer 499

A

You’re assigning it to the primary network interface, not the instance.

Answer 500

A

This is the reserved VPC address for the R53 resolver in the VPC.

Answer 501

A

Only NACLs can deny traffic. Security groups cannot. Security groups deny by default, but allow by rule.

Answer 502

A

Install the CloudWatch agent on the EC2 instance.
Configure it to tail the logs in /var/logs.
It will pick up each entry in the log file and send them as Log events using a Log Stream.

Answer 503

A

4 KB/Sec. That can be five read operations of 4K or less, one or more operations of more than 4K. Also, Dynamo caches up to 300 CUs so that they’re available for spikes.

Answer 504

A

Metadata about network traffic into or out of the VPC, including address, port, protocol and more.
Logs do not include information about license activation, DNS and DHCP requests.
This is not a network monitor.

Answer 505

A

Every 6-8 hours or every 5GB of data change, whichever comes first.

Amazon Redshift now provides more control over snapshots
Posted On: Apr 4, 2019

Amazon Redshift automatically takes incremental snapshots (backups) of your data every 8 hours or 5 GB per node of data change. You now get more information and control over a snapshot including the ability to control the automatic snapshot’s schedule.

Amazon Redshift now provides the ability to:

View snapshots that are not associated to any cluster so you can remove unnecessary snapshots
Bulk-delete snapshots to allow you to quickly delete unnecessary snapshots and reduce your S3 storage needs
Control your cluster’s automatic snapshot schedule using the snapshot scheduler. The snapshot schedule can be configured with a cron style granularity via an API or with the AWS Management Console. You can create a schedule and attach the schedule to your cluster to have full control of when automated snapshots are taken.

Answer 506

A

it can reduce ACUs to zero if there is not demand, reducing costs.

Me:
Aurora Serverless maintains a warm pool of ACUs, and it moves the ACUs in or out of the warm pool into your cluster to match the demand changes.

Answer 507

A

You can create a new version of an application and environment. You can then choose to swap URLs so that the new version gets the production URL.

Answer 508

A

Define the updates to the ticket availability and the purchase steps as a transaction. That way DynamoDB commits all the updates as a single atomic unit.

Answer 509

A

Metrics and Alarms

Answer 510

A

Use on-demand capacity reservations. No up-front, but you get the capacity when you need it.

Answer 511

A

This is the reserved IP address for the R53 Resolver in a subnet of a VPC.

Answer 512

A

DynamoDB enables Adaptive Capacity by default. This allocates RCU/WCUs dynamically across partitions while still staying below the total hard limit of the table.

Me: DynamoDB accommodates your workload, not vice versa
Partitions don‘t matter； individule keys do
Swith capacity modes in order to optimise cost and performance。

Use provisioned mode

Steady workloads
Gradual ramps
Events with known traffic
Ongoing monitoring

Use on-demand mode

Unpredictable workloads
Frequently idle workloads
Events with unknown traffic
“Set it and forget it”

Answer 513

A

local db users or IAM

Answer 514

A

VPC Peering is not transitive. VPC B needs to have a VPC Peering connection to VPC C.

Answer 515

A

Create a private endpoint in each of the VPC that need to exchange data via KDS.

Answer 516

A

Put reference data in S3 then define a reference table that enables the SQL query to treat the lookup data as a table.

Answer 517

A

Better performance since the traffic is over the AWS network. Also, more secure since the request never leaves the AWS network.

Answer 518

A

Single node cluster, leader node and core node share the same instance.
Two-node cluster, leader is on a node on an instance by itself - the third instance added for free.

Answer 519

A

A graph database.
Neptune is a graph DB that’s highly scalable with 15 read replicas across three AZs in a region. It can hold up to 64 TB of data with encryption at rest.

Answer 520

A

Enable Management events (default) when configuring a Trail.

Me:
Create a Trail and enable it to capture global IAM events during the creation.

Answer 521

A

A small function that does something narrow and well. Accept an input, and produce an output.

Me: thinking micro-service architecture.

Answer 522

A

Guard Duty uses ML to monitor a number of AWS data sources, such as VPC flow logs, R53, CloudTrail, threat intel, CloudWatch events, account activity.
It generates findings into the Guard Duty console. A trusted IP list excludes these IPs from Guard Duty scanning. Threat lists tell GD additionally what to watch across all accounts.

Answer 523

A

ElasticSearch (Lucene)
Logstash or Beats
Kibana for visualisation.

Answer 524

A

ElasticSearch clusters run in a dedicated network not part of the customer’s account. For private VPC access, ElasticSearch will expose itself to the customer VPC using interface endpoints. The customer can assign a security group to the cluster. For public access, the cluster is accessible via internet.

Answer 525

A

One DX, one VPN over internet

2. Two DX-separate customer routers, separate links to DX location, Separate DX location routers.

Answer 526

A

Parameter groups and option groups provide the parameters admins need.

Answer 527

A

Instances,
IP addresses
A Lambda function.
Instance or IP addresses can include EC2 instances, ECS or EKS containers.

Answer 528

A

Ok
Alarm
Insufficient data

Answer 529

A

you don’t configure capacity on Aurora Serverless. You configure Aurora Capacity Units (ACUs) which are 1 CPU and 2 GB of RAM.

Me: the above seems no longer correct.

Capacity Settings - Minimum Aurora capacity unit:
You set the minimum capacity unit for the DB cluster. Each capacity unit is equivalent to a specific compute and memory configuration. Based on the minimum capacity unit setting, Aurora Serverless automatically creates scaling rules for thresholds for CPU utilization, connections, and available memory. Aurora Serverless reduces the resources for the DB cluster when its workload is below these thresholds. Aurora Serverless can reduce capacity down to the minimum capacity unit

Capacity Settings - Maximum Aurora capacity unit:

You set the maximum capacity unit for the DB cluster. Each capacity unit is equivalent to a specific compute and memory configuration. Based on the maximum capacity unit setting, Aurora Serverless automatically creates scaling rules for thresholds for CPU utilization, connections, and available memory. Aurora Serverless provides more capacity for the DB cluster from warm pool of resources when its workload is above these thresholds. Aurora Serverless can increase capacity to the maximum capacity unit.

Me - the above referring to compute capacity only.

me:
The minimum storage is 10GB. Based on your database usage, your Amazon Aurora storage will automatically grow, up to 64 TB, in 10GB increments with no impact to database performance.

Answer 530

A

The customer has a hardware gateway, usually a router, with IPSEC VPN capability and static or dynamic routing.
The AWS side needs a Virtual Private Gateway, which is the endpoint of the VPN tunnel, attached to a VPC. Many Customer Gateways can attach to a VPGW.

Answer 531

A

Provisioned Aurora, Parallel Query or Serverless

Answer 532

A

Use a Lambda function pre-processor on the KDA application. The Lambda function can inspect each message and add any missing fields fields with default values.

Answer 533

A

None (Linux)
Bridge (Linux)
Host (Linux)
AWS VPC
NAT - windows only

Bridge - allow all containers to interact with internal networking to the host.
Host - map containers to host networking; e.g. map container port 80 to host port 80; can only run one container on a host with the same host networking requirement.
AWS VPC - map a VPC ENI to a container task. This is how Farget works. If using EC2 mode, this can produce a lot of ENIs. Some EC2 instance types have ENI limits, so the ECS may only be able to launch a few containers.
These networking types are for Linux. For Windows, the only networking type is NAT.

Answer 534

A

Enable the Data API to expose the REST APIs of the database through the Proxy layer.

Answer 535

A

Very low latency connections and REST APIs for queries. Also, it doesn’t involve cluster infrastructure running in a customer’s environment.

me:
Aurora Serverless can only be connected via PrivateLink inside a VPC. It does not accept public IP address.

It supports REST APIs through the proxy layer without needing connection strings for db query. Enable the Data API to expose the REST APIs of the database.

Limitations of Aurora Serverless

The following limitations apply to Aurora Serverless :

Aurora Serverless is available for the following:
Aurora MySQL version 1, compatible with MySQL version 5.6.
Aurora MySQL version 2, compatible with MySQL version 5.7. Select Aurora MySQL version 2.07.1 to be able to use Aurora Serverless with MySQL 5.7 compatibility.
Aurora with PostgreSQL version 10.7 compatibility.
The port number for connections must be:
3306 for Aurora MySQL
5432 for Aurora PostgreSQL
You can’t give an Aurora Serverless DB cluster a public IP address. You can access an Aurora Serverless DB cluster only from within a virtual private cloud (VPC) based on the Amazon VPC service.
Each Aurora Serverless DB cluster requires two AWS PrivateLink endpoints. If you reach the limit for AWS PrivateLink endpoints within your VPC, you can’t create any more Aurora Serverless clusters in that VPC. For information about checking and changing the limits on endpoints within a VPC, see Amazon VPC Limits.
A DB subnet group used by Aurora Serverless can’t have more than one subnet in the same Availability Zone.
Changes to a subnet group used by an Aurora Serverless DB cluster are not applied to the cluster.
A connection to an Aurora Serverless DB cluster is closed automatically if it stays open for longer than one day.
Binlog-based replication isn’t supported for Aurora Serverless DB clusters.
Aurora Serverless doesn’t support the following features:
Loading data from an Amazon S3 bucket
Saving data to an Amazon S3 bucket
Invoking an AWS Lambda function with an Aurora MySQL native function
Aurora Replicas
Backtrack
Multi-master clusters
Database cloning
IAM database authentication
Restoring a snapshot from a MySQL DB instance
Amazon RDS Performance Insights

Amazon Aurora Serverless is an on-demand, autoscaling configuration for Amazon Aurora. An Aurora Serverless DB cluster is a DB cluster that automatically starts up, shuts down, and scales up or down its compute capacity based on your application’s needs. Aurora Serverless provides a relatively simple, cost-effective option for infrequent, intermittent, or unpredictable workloads. It can provide this because it automatically starts up, scales compute capacity to match your application’s usage, and shuts down when it’s not in use.

Answer 536

A

Event driven
Capable of scaling from very low capacity
Pay only for the usage.

Answer 537

A

Effect
Action
Resource
Optionally 4. Condition

Answer 538

A

It uses Streams to capture all changes to one table to the other tables in other regions.
You configure a Global Table by enabling Streams (Old and New), then by adding Regions where you want to replicas. All tables are masters and stream their changes to the other replicas.

All the tables in different regions need to be added in the same replication group.

Answer 539

A

Configure Trails to deliver events to S3. Also enable file encryption and validation to protect the files from tampering.

Answer 540

A

Only if versioning is enabled, S3 creates new versions with the same name. Objects have object IDs that are unique. Versions can live in different storage tiers in S3 using lifecycle policies. Delete action mark object for deletion.

Me: the short version
When versioning is enabled, a simple DELETE cannot permanently delete an object.
Instead, Amazon S3 inserts a delete marker in the bucket, and that marker becomes the current version of the object with a new ID.

(Each object version deletion can be achieved by version expiration)
The NoncurrentVersionExpiration action applies to noncurrent object versions, and Amazon S3 permanently removes these object versions. You cannot recover permanently removed objects.
For more information, see Object lifecycle management.

The longer version:
You can delete object versions whenever you want. In addition, you can also define lifecycle configuration rules for objects that have a well-defined lifecycle to request Amazon S3 to expire current object versions or permanently remove noncurrent object versions. When your bucket is version-enabled or versioning is suspended, the lifecycle configuration actions work as follows:

The Expiration action applies to the current object version and instead of deleting the current object version, Amazon S3 retains the current version as a noncurrent version by adding a delete marker, which then becomes the current version.
The NoncurrentVersionExpiration action applies to noncurrent object versions, and Amazon S3 permanently removes these object versions. You cannot recover permanently removed objects.
For more information, see Object lifecycle management.

A DELETE request has the following use cases:

When versioning is enabled, a simple DELETE cannot permanently delete an object.
Instead, Amazon S3 inserts a delete marker in the bucket, and that marker becomes the current version of the object with a new ID. When you try to GET an object whose current version is a delete marker, Amazon S3 behaves as though the object has been deleted (even though it has not been erased) and returns a 404 error.

Answer 541

A

AWS WAF is a layer 7 firewall that can run in front of CloudFront, API Gateway or ELB. It combines conditions and rules then use a web ACL to grant or deny traffic.

Answer 542

A

Reliable, ordered messaging, message groups, composite messaging and more.

Me.

Amazon MQ can be deployed into customer’s VPC
With global message broker, messages can be synchronised across regions around world.
It supports industry protocols for pub/sub best suited for compatibility for cloud migrating
supports message topics and message queue.

Answer 543

A

You restored from a backup that had the old RCU provisioning. Backup contain the data and the database settings.

What are the signanificant points?

Database is a previous version
Performance dropped

Question:

does the number of RCUs configuration is stored with the database? When a database is restored, the old configuration is restored at the same time?
more table partitions with the old database than the new one, and the adaptive capacity is not enabled?

Based on the offical answer, the RCU configuration is not part of the database. It is the backup process that backs up the database and its associated settings.

Answer 544

A

Configure a Trail to stream to a CloudWatch Log Group.

Answer 545

A

CF generates an event stream. Users can view the events in the CF console. Also, CF can send the events to SNS where applications and dashboards can subscribe to the events.

Answer 546

A

Query filter does not inference the amount of data the query results returned.

Answer 547

A

In private and public VPCs, edge locations, and any region.

Me: in the API Gateway console, there are three chooses:

Regional (can be behind CloudFront or facing the public internet directly)
Edge Optimised (internet —> CloudFront Distribution —> Edge Location —> [API Gateway] (region))
Private （caller is from a VPC)

Answer 548

A

Only if versioning is enabled. S3 creates new versions with the same name. Objects have object IDs that are unique. Versions can live in different storage tiers in S3 using lifecycle policies. Delete actions mark objects for deletion.

Answer 549

A

CF generates an event stream. Users can view the events in the console. Also, CF can send events to SNS where applications and dashboards can subscribe to the events.

Answer 550

A

4KB/sec. that can be five read operations of 4KB or less, one or more operations of more than 4KB, Dynamo caches up to 300 CUs so that they are available for spikes.

Each RCU read 4KB data per second, as such 5 RCUs can at max read 20KB data per second in five read operations.

Answer 551

A

Applications and required library versions

Answer 552

A

Put reference data in S3 then define a reference table that enables the SQL query to treat the lookup data as a table.

Answer 553

A

Stack Sets enables an account administrator to run the Stack templates across multiple accounts and regions.

The two sides of the transaction are the Admin account and Target account. It also requires two defined roles: AWSCloudFormationStackSetAdministrationRole and AWSCloudFormationExecutionRole.

Answer 554

A

Use an OpsWorks stack and compose the web tier using the ECS cluster. Compose the other tiers natively in OpsWorks.

Answer 555

A

It creates an environment (based on web application or worker application) and deploys your application version into that environment.
CF creates stacks, which precision AWS resources (create, update, delete), but NOT applications.

Answer 556

A

Cross Origin Resource Sharing. It is a security control that enables the resource owner to allow or deny resources sharing with request coming from a different origin.

Answer 557

A

Every VPC has exactly one. It consumes one RFC 1918 IP address. It’s +1 of the subnet’s IP address.

Answer 558

A

Set a TTL against each record, DynamoDB will delete the items after the TTL is past.

Answer 559

A

Aurora Global Database replicates cluster volume data from on region to a cluster volume in another in less than 1 second. Replicas in other region attach to that region’s cluster volume for low-latency read replicas. They can promote to Master in less than one minute. This is lower latency and faster promotion time than MySQL cross-region read replication.

Answer 560

A

Long-running Clusters and Data warehouses on-demand on-demand or instance-fleet mix Spot or instance fleet mix
Cost-Driven workloads Spot Spot Spot
Data-Critical workloads on-demand on-demand Spot or instance-fleet mix
Application testing Spot Spot Spot.

Answer 561

A

In a multi-master cluster, all DB instances can perform write operations. There isn’t any failover when a write operations. There isn’t any failover when a writer DB instance becomes unavailable, because another writer DB instance is immediately available to take over the work of the failed instance. We refer to this type of availability as continuous availability, to distinguish it from the high availability (with brief downtime during failover) offered by a single-master cluster.

Answer 562

A

It’s in the VPC you specify when creating the cluster. Aurora Serverless allocates ACUs into your cluster from a warm pool it maintains for all customners. The proxy manages connections from your applications to the cluster and movement of the ACUs in and out of your VPC. The proxy also manages migrating cache data from one ACU to another when capacity changes. Keep in mind, Serverless uses the same Cluster Storage Volume tier that Aurora uses., so Serverless is only managing the compute tier Shinae the storage tier is already serverless and multi-tenant.

Answer 563

A

Legal holds
Retention polices

This prevents objects from deletion. Versioning must be enabled. Object locks must set at the item of creating the bucket.

Answer 564

A

You need to provision a HSM device in your own data centre. CloudHSM is not physically accessible.
CloudHSM is a dedicated tenancy solution running on shared infrastructure, similar to EC2.

Answer 565

A

Reference a resource option. Elsewhere in the script, enumerate all the valid values for that option. Optionally, provide a default so that the user doesn’t have to make a choice.

Answer 566

A

Owner
Launch Permissions
OS
Architecture
Block device mapping of all volumes

Once created, the AMI creates snapshots of any EBS volumes described in the AMI and holds pointers to them.
If the instance type uses instance volumes, the AMI creation bundles the instance definition and instance store into files and saves them to S3.

Answer 567

A

Use the AWS VPC network mode. Configure the security group that the container’s VPC uses to control what traffic gets in and out.

Answer 568

A

CloudFormation provision (create, update, delete) AWS resources but it not applications.
EBS creates an environment (based on web application or worker application) and deploys your application version into that environment.

EBS is a layer on top of CloudFormation and abstracts the underlying infrastructure details.

Answer 569

A

Amount of RCU/WCU capacity units consumed by applications
total size of data in the database.

an RCU is 4KB in charges. A WCU is 1 kB in charges. A read or write operation consumes RCUs/WCUs no mater how small the amount of data. And queries always consume an entire item, even if the statement only wants one column.
The only way to restrict the amount of data returned by a read query is to specify a PK and optionally a sort key, filtering the amount of data Dynamo returns.
Serverless: number of requests.

Answer 570

A

It doesn’t. It’s single AZ. You need to create multiple FSx in two or more AZ and do replication, such as DFS. Even multi-region.

Answer 571

A

Applications and memory and file systems. Need to install CloudWatch agent on the EC2 instance to provide the metrics data.

Answer 572

A

Public message to $aws/rules/rulename which sends the message directly to an IoT Rule without the pub/sub features of IoT topics.

Answer 573

A

Use the Permissions of the stack to grant, deny, show, manage, or delegate to the user’s IAM privileges over resources.

Answer 574

A

HVM uses newer generation of CPUs that allow guest OSs to interact with memory, CPU, network, local storage, and motherboard bypassing hypervisor.

Unlike paravirtualisation, HVM avoids emulatio, speeding up performance of guest OSs.

Nitro, introduced in 2017, bring in hardware virtualisation to all expects of the guest OS access to the hardware, resulting a near bare metal performance.

Answer 575

A

They are uni-directional request/response calling patterns that use HTTP semantics with query string arguments. Behind the API, a service performs a task and returns to the caller.