Adrian Cantrill Cards Flashcards

Question

AWS GraphDB service

Answer 1

- Used to create a stack - Parameters, resources, mappings, conditions, and outputs - Apply a template (YAML/JASON) to create one or more stacks

Answer 2

- If TCP is used for the front and back end, the LB makes a connection to your instance. The ELB’s IP will show as the source. Proxy Protocol includes an additional field with the original source IP address. (TCP only)

Answer 3

- Protocol policy - Path patterns - Http methods - Query String forwarding - Cookie forwarding - Lambda function association - Object caching - HTTP caching - Request header caching - Object compression - TTL - Viewer access restrictions

Answer 4

- Enable Management events (default) when configuring a Trail. Note: The CloudTrail Event history feature supports only management events. Not all management events are supported in event history.

Answer 5

- S3 is a global service with region specific presence. Buckets are globally available and unique. But objects live in a particular region. Each account has a limit of 100 buckets, but unlimited prefixes.

Answer 6

- Athena can access logs from CloudTrail, CloudFront, all Load Balancers, and Amazon VPC Flow Logs.

Answer 7

- To speed up queries on non-key attributes, you can create a global secondary index. A global secondary index contains a selection of attributes from the base table, but they are organised by a primary key that is different from that of the table. The index key does not need to have any of the key attributes from the table. It doesn’t even need to have the same key schema as a table.

Answer 8

- Database backups enable you to restore a database even after the Master is gone. However, they have a default retention period of 35 days, after which they will be deleted. (Sean - this is referring to AWS auto-backup).

Answer 9

- Use S3 ACLs.

Answer 10

- On-demand or - Reserved instances Note: spot instances is not available for RedShift compute nodes

Answer 11

- By installing Systems Manager Agent, applying appropriate IAM permissions (EC2 only) and activations for on-premise servers.

Answer 12

- Viewer request - Viewer response - Origin request - Origin response

Answer 13

- Configure Trails to deliver CloudTrail events to S3. And optionally enable file encryption and validation to prevent files from tampering. Note: by default, log files are stored indefinitely

Answer 14

- The Origin, origin protocol, and origin fetch are where the cached content originate. - The Viewer and Viewer Protocol are the client side or the edge.

Answer 15

Dynamo has had to create more partitions for each CatID. But since the partition key is CatID, Dynamo still limits the RCU/WCUs to 3000/1000 across *all* partitions for that CatID. You need to consider a partition key that has more values than 0001-0004.

Answer 16

- Check the default route table for the subnet in A where the pinging instance lives. It needs to have a route to the CIDR range of VPC B, configured as a Peering Connection with the ID of the peering connection. The same is true of VPC B, which needs a default route table entry for VPC A. - Check NACL for both VPCs to ensure there are no inbound or outbound restrictions. - Lastly, check the security groups for both sides of the communication to ensure sufficient allowances for inbound and outbound traffic between the two. (Me: such as ICMP protocol is allowed)

Answer 17

- AWS uses MQTT, which is an industry standard protocol that other devices and systems likely use. Me: What is MQTT stands for MQ Telemetry Transport. It is a publish/subscribe, extremely simple and lightweight messaging protocol, designed for constrained devices and low-bandwidth, high-latency or unreliable networks.

Answer 18

- KMS or CloudHSM comply with FIPS 140-2 Note: KMS provides only AWS API access. It does not provide industry standard API access. (CloudHSM provides exclusive control)

Answer 19

Administration of KMS, such as key management, may not have permissions to decrypt keys or data. Users of KMS may not have admin privileges, but can ask KMS to encrypt and decrypt data.

Answer 20

A customer resource is a resource either in AWS or 3rd party that a CloudFormation template asks for as part of the stack. It uses messaging: SNS or Lambda, to trigger that resource to create/update/delete Me: a custom resource is a resource that is not available as AWS CloudFormation resource types. Custom resource enable you to write custom provisioning logic in template logic in the template that AWS CF runs anytime you create, update or delete stacks.

Answer 21

- CloudFront local endpoint. Then the upload traverses the AWS backbone

Answer 22

Cross origin resource sharing. This is a security measure that a server can use to control what other servers can access resources on it.

Answer 23

- A CloudFront local endpoint. Then the upload traverses the AWS global network.

Answer 24

By creating an private access point, in this case a private access point gateway. This was my answer. Need to revisit. It is correct, but not complete

Answer 25

Use a Lambda function to manipulate records or change the format to Parquet or ORC with a checkbox Me: when you enable Kinesis Data Firehose data transformation, Kinesis Data Firehose buffers incoming data up to 3 MB by default (the size can be adjusted via API). Firehose then invokes the specifies Lambda function asynchronously with each buffered batch using the AWS Lambda to Kinesis Data Firehose. Apache ORC: the smallest, fastest columnar storage for Hadoop workloads Apache Parquet is a columnar storage format for Hadoop workloads

Answer 26

The master node has much lower CPU and memory requirements, so it can be smaller. The data nodes to do the work and should be bigger

Answer 27

Each of the slices on your compute nodes have the advertised amount of data available to them according to the Management Console. But Redshift also reserves the same amount for replication of slice from other nodes, similar to RAID 5 with a disk array.

Answer 28

The name the template uses to describe physical resources that CF creates. The physical resources acquire cryptic IDs only at the time of creation. The logical resource makes it easier to identify those resources.

Answer 29

Each connection has a bandwidth limit. Not encrypted, must have BGP support for routing

Answer 30

It’s in the VPC you specify when creating the cluster. Aurora Serverless allocates ACUs into your cloister from a warm pool it maintains for all customers. The proxy manages connection from your applications to the cluster and movement of the ACUs in and out of your VPC. The proxy also manages migrating cache data from one ACU to another when capacity changes. Keep in mind, Serverless uses the same Cluster Storage Volumetier that Aurora uses, so Serverless is only managing the compute tier since the storage tier is already Serverless and multi-tenant.

Answer 31

An EMR cluster can have only one Master node. It also can have Core Nodes that run HDFS and manage tasks. And optionally Task Nodes which executes tasks but have no storage system. You cannot change the Master node instance type after creating the cluster. You can change Core and Task node instances types.

Answer 32

Parameter groups and option groups provide the parameters admins need.

Answer 33

Declare resource objects as singletons outside of the lambda_handler() (me: it like a global variable in c to avoid instantiation for each Lambda function instance). They *may* be available to the next instance of the function, but declare them as NULL and do NULL checks in the handler or sub-functions. Me: state dehydration and cold start up library loading slows Lambda function down. So Lambda function will have a better performance when it is stateless and a programming language that loads fast.

Answer 34

Uniform instance Groups and Fleet instance Groups

Answer 35

Use stages (me: see Lambda function versioning as an example)

Answer 36

Configure three master nodes: the master and two eligible masters. Also have at least three data nodes across AZs. By having three of each, ES can use a quorum to determine the next election if one fails (me: assuming that only one AZ will fail in a given time).

Answer 37

Effect, Action, Resource. And additionally, Condition

Answer 38

Backtrack instead of restore from a backup.

Answer 39

ALBs terminate the client request then establish a new connection to the target group because encryption operates at layer 7. NLBs examining only the layer four header, simply pass on the layer 5+ portion of the packet which may or may not be encrypted. This enables an end-to-end pass-through of encrypted layer 7, improving performance (me: and allow for end-to-end encryption (better data protection)

Answer 40

Use an ALB and enumerate the various HTTP response codes for the health check. CLB doesn’t support Layer 7 where HTTP resides.

Answer 41

Design it to run in any account or location without modifications or user input.

Answer 42

On-demand capacity will always manage the RCU/WCU and storage requirements for the incoming load. Auto scaling sets and upper limits and can be slow. Provisioned capacity also sets a limit.

Answer 43

# Define the updates to the ticket availability and the purchase steps as a transaction. That way, DynamoDB commits all of the updates as a single atomic unit. me: each transaction can include up to 10 unique items or up to 4MB of data, including conditions. TransactWriteItems TransactReadItems Three read options: - eventual consistency - strong consistency - transactional Two for write: - standard - transactional. Transactions are enabled for all single-region DynamoDB tables and are disabled on global tables by default. Items are not locked during a transaction. DynamoDB transactions provide serialisable isolation. If an item is modified outside of a transaction while the transaction is in process, the transaction is canceled and an exception is thrown with details about which item or items cause the exception.

Answer 44

me: The question is not properly written Answer from LinuxAcademy: VPC peering is not transitive. VPC B need to have a VPC peering connection to VPC C.

Answer 45

- Event driven - Capable of scaling from very low capacity to very high capacity - Only pay for what the demand requires. me: it question implies Lambda Serverless, not e.g. DynamoDB on-demand. DynamoDB is a Serverless database service.

Answer 46

When the application positively needs the capacity and the demand is not steady, e.g. sparky.

Answer 47

Subnets don’t have security groups. Security groups are assigned to network interfaces.

Answer 48

Neptune is a graph DB that is highly scalable with 15 read replicas across three AZs in a region. It can hold up to 64 TB of data with encryption at rest.

Answer 49

Viewer request and viewer response | Origin request and origin response

Answer 50

Access to Parameter Store and access to master key (CMK) used to encrypt the credentials in Parameter Store.

Answer 51

Classic LB or ALB. NLB does not support UDP, only TCP.

Answer 52

PKCS#11, java cryptography extensions (JCE), Microsoft cryptoNG (CNG). These are APIs. It does not provide any AWS APIs, meaning that it cannot integrate with other AWS Services offering encryption. CloudHSM also supports FIPS 142-2 at level 3 which is higher than KMS. (Me: FIPS 142-2 at level 2)

Answer 53

Create, Update or Delete resources

Answer 54

Since customers pay for Athena by the amount of data it scans, reduce the amount of data scanned by partition data, organise it into columnar format to reduce the number of columns Athena sees during a query.

Answer 55

XML, JSON, CSV, TSV, Apache Avro, Apache ORC and Apache Parquet me: Avro is a row-oriented remote procedure call and data serialisation framework developed within Apache’s Hadoop project. It uses JASON for defining data types and protocols, and serialises data in a compact binary format.

Answer 56

- Metadata about network traffic into and out of the VPC, including address, port, protocol and more. Logs do not include information about DHCP, AWS DNS, or license activation requests. This is not a network monitor.

Answer 57

The cluster endpoint refers to the master for read and write. The reader endpoint refers to *all* replicas as a cluster. Readers get directed to any replica, improving scalability of Aurora for read-intensive workload. Instance endpoints refer to any specific instance. Custom endpoints allows you to configure groups of instances behind an endpoint. me: Amazon Aurora typically involves a cluster of DB Instances instead of a single instance. Each connection is handled by a specific DB instance. When you connect to an Aurora cluster, the host name and port that you specify point to an intermediary handler called an endpoint. Aurora uses endpoint mechanism to abstract these connections. Thus, you don’t have to hardcore all the host names or write your own logic for load balancing and rerouting connections when some DB Instances aren’t available. For certain Aurora tasks, different Instances or groups of Instances perform different roles. For example, the primary instance handles all the data definition language (DDL) and data manipulation language (DML)statements. Up to 15 Aurora Replicas handle read-only query traffic.

Answer 58

They are uni-directional request/response calling patterns that use HTTP semantics with query string arguments. Behind the API, a service performs a task and returns the result to the caller.

Answer 59

- Cluster — the collection of resources ECS can use to run your containers - Service — ECS or Fargate runtime responsible for managing container tasks - Task definition — a configuration file that tells ECS what containers it should create and how they interact with the outside world; - Container definition —

Answer 60

1. Identify significant points in the question. 2. Identify similar answers, but understand the differences. 3. Look for disqualifying facts in answers, based on point 1. 4. Eliminate any generally bad answers. 5. Pick between remaining answers using judgement.

Answer 61

Configure a Trail with ‘Apply to all regions’ selected and ‘Apply to my Organisation’.

Answer 62

OK, Alarm, Insufficient Data

Answer 63

Only if versioning is enabled, S3 creates new versions with the same name (me: same name but with unique IDs, each and every object stored in S3 have globally unique object ID regardless versioned or not). Objects have object IDs that are unique. Versions can live in different storage tiers in S3 using lifecycle policies. Delete actions mark objects for deletion. me: when versioning is enabled, a simple DELETE cannot permanently delete an object. Instead, Amazon S3 inserts a delete marker in the bucket, and that maker becomes the current version of the object with a new ID. When you try to GET an object whose current version is a delete marker, Amazon S3 behaves as though the object has been deleted ( event though it has not been erased) and return a 404 error. To permanently delete versioned objects, you must use DELETE ObjectVersionId.

Answer 64

Formerly, Public VIFs were limited to a region Formerly, Private VIFs are attached to a VPG which is associated with a VPC Now using BGP, the Public VIF advertises all public zone AWS service endpoints in all regions. *Public zone endpoints do not require or event allow a DX to a access the Internet Now, using DX gateway, customers can use a single Private VIF to a DXGW, then connect to any VPGW in any region; DX GW uses BGP to advertise the networks it can access back to the VIF, reducing admin overhead. *These Private VIFs are not transitive.

Answer 65

KMS or CloudHSM comply with FIPS 142-2. Note: KMS provides only AWS API access. It does not provide industry standard API access. On the contrary, CloudHSM provides only the industry standard API PKCS#11, JCE (Java cryptography extension) and CNG (Microsoft cryptoNG) and it is not integrated with AWS services to prove crypto services like KMS does.

Answer 66

DR Mc GIFT PX Dr. Mc Gift PX DR Mc FIGHT PX

Answer 67

SQS does not support multiple consumers of messages on a queue nor does it support replay. You should recommend kinesics data streams for this requirement.

Answer 68

Use a Lambda function pre-processor on the KDA application. The Lambda function can inspect each message and any missing field with default values.

Answer 69

me: AWS Public zone or in your VPC. By default, they live in a region but outside the customer’s VPC. It thus has access to the internet. Customers can also configure VPC Lambda functions where all the networking restrictions do the subnet and security group apply. The VPC Lambda function still runs in a sandbox outside of the VPC and exposes itself through an ENI in the VPC. For this reason, cold starts are even slower. New: RemoteNAT enables multiple VPC Lambda functions to share the same network interface in a VPC, thus speeding up the start time.

Answer 70

Reduce latency for database lookups, improved availability if the cache is HA, stateless micro service design support by offloading state to a cache, and reduced costs/impact on databases by offloading cache-able reads to the memory cache.

Answer 71

- Update with no interruption AWS CF updates the resource without disrupting operation of that resource and without changing the resource’s physical ID. for example, if you update any property on an AWS::CloudTrail::Trail resource, AWS CloudFormation updates the trail without disruption. - Update with some interruption AWS CF updates the resource with some interruption and retains the Physical ID. for example, if you update certain properties on an AWS::EC2::Instance resource, the instance might have some interruption while AWS CloudFormation and AWS CF and Amazon EC2 reconfigure the instance. - Replacement AWS CF recreates the resource during an update, which also generates a new physical ID. AWS CF creates the replacement resource first, changes references from other dependent resources to point to the replacement resource, and then deletes the old resource. For example, if you update Engine property of an AWS::RDS::DBInstance resource type, AWS CouldFormation creates a new resource and replaces the current DB instance resource with the new one. AutoScaling Group: no interruption you can use the AutoScalingRollingUpdate policy to control how AWS CF handles rolling updates or an Auto Scaling group. This common approach keeps the same Auto Scaling group, and then replaces the old instances based on the parameters that you set. EBS: change instance type - replacement Change size, interruption EC2: Resizing - interruption Change type - replacement Moving to a different AZ, replacement

Answer 72

There is no standby in Aurora. Replicas, up to 15 per region, serve as promotable to master instances.

Answer 73

KMS facilitates progressive encryption: a CMK encrypted a data encryption key (DEK) which encrypts data. The encrypted DEK then used to decrypt data (after it is decrypted by using the CMK).

Answer 74

A small function that does something narrow and well. Accept an input, and produce an output. me: just like an RESTful function in a micro-service architecture - do one thing, and do it well.

Answer 75

CloudTrail events log all API activities in your account. The user who deleted an IAM role will appear there as an event.

Answer 76

Lower cost option: One DX, one VPN over internet Better performance option: two DX — separate customer routers, separate links to DX location, separate DX location routers (me: have a physically separated redundant DX link)

Answer 77

DynamoDB enables Adaptive Capacity by default. This allocates RCU/WCU dynamically across partitions while still staying below the total hard limit of the table. Me: Instant Adaptive Capacity (new 2019) - Scalability and performance even for imbalanced workload: * Dynamic partitioning for storage and throughput * Automatic isolation of frequently accessed items * Automatic boosting if table is consuming less than provisioned. Note: max capacity (high water mark) will be automatically increased (on-demand model)

Answer 78

Task, pass, choice, fail, succeed, parallel, wait.

Answer 79

A persistent session-oriented protocol/API best suited for data streaming, interactive applications, event management applications.

Answer 80

The VPC must have an IGW, and the subnet must have a default route to the IGW by associating with a VPC route table that has a route to the IGW.

Answer 81

Configure a Trail to stream to a CloudWatch Log Group

Answer 82

Configure a Trail to stream to a CloudWatch Log group

Answer 83

Subnets, Transit Gateways, resolver rules, license configurations. Accounts cannot share subnets inside of the default VPC, nor use subnets that are owned by the owner of the resource. Likewise, a share cannot share security groups not owned by the resource owner. The resource owner can remove sharing from resources in use by others and those shares will continue until released.

Answer 84

Long-Running Clusters and Data Warehouses On-Demand: On-Demand or instance-fleet mix Spot or instance-fleet mix Cost-Driven workloads: Spot Spot Spot Data-Critical workloads On-Demand: On-Demand Spot or instance fleet mix Application Testing: Spot Spot Spot

Answer 85

Use reserved instances in the necessary AZs

Answer 86

It’s specifying a value that needs to be globally unique. Thus, any use of the template after the first run will not be able to create the bucket since it will be a duplicate name.

Answer 87

Organisational boundaries->user/role boundaries->role policies->effective permissions

Answer 88

Cluster - the collection of resources ECS can use to run your containers Service - ECS or Fargate runtime responsible for managing container task Task definition - a configuration file that tells ECS what containers it should create and how they interact with the outside world; Container definition - a configuration file which is used in a task definition to describe the different containers that are launched as part of a task

Answer 89

Save all your configurations. Then, you can revert to a saved configuration.

Answer 90

By configuring a Trail to stream to a CloudWatch Log Group

Answer 91

Use a Behaviour that restricts viewer access based on signed URLs or signed cookies.

Answer 92

Use CF to delete the stack completely. It uses the Logical/Physical resource mapping to track all resources it created so that it can delete them using the template.

Answer 93

Publish message to $aws/rules/rule name which sends the message directly to an IoT Rule without the pub/sub features of IoT Topics.

Answer 94

Create an IAM policy that Allows all the actions on the Dynamo table that the Sales_Managers (and others who adopt this policy) need. Use a Condition that uses a variable that looks for the ID of the SalesRep_ID requested in the query. Only allows access to the records associated with this Sales_Manager. ``` { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query", "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:BatchWriteItem" ], "Resource": ["arn:aws:dynamodb:*:*:table/table-name"], "Condition": { "ForAllValues:StringEquals": { "dynamodb:Attributes": [ "column-name-1", "column-name-2", "column-name-3" ] }, "StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"} } } ] } ```

Answer 95

It uses Streams to capture all changes to one table to the other tables in other regions. You configure a Global Table by enabling Streams (Old and New), then adding Regions where you want to replicas. All tables are masters and stream their changes to the other replicas.

Answer 96

Web Identity Federation, SAML and cross account trust

Answer 97

Aurora provisioned with read replica instances will promote to Master within 1 minute. Aurora serverless needs to create ACU, Proxy and connections in the new AZ, which will take longer. ACU: Aurora Capacity Unit Aurora Serverless and Failover: If the DB instance for an Aurora Serverless DB cluster becomes unavailable or the Availability Zone (AZ) it is in fails, Aurora recreates the DB instance in a different AZ. We refer to this capability as automatic multi-AZ failover. This failover mechanism takes longer than for an Aurora Provisioned cluster. The Aurora Serverless failover time is currently undefined because it depends on demand and capacity availability in other AZs within the given AWS Region. Me: when you work with Aurora without Aurora Serverless (provisioned DB clusters), you can choose your DB instance class size and create Aurora Replicas.This model works well with when the database workload is predictable, because you can adjust capacity manually based on the expected workload. ``` With Aurora Serverless, you can create a database endpoint without specify the DB instance class size. You set the minimum and maximum capacity. With Aurora Serverless, the database endpoint connects to a proxy fleet that routes the workload to a fleet of resources that are automatically scaled. Because of the proxy fleet. Aurora Serverless manages the connections automatically. Scaling is rapid because it uses a pool of “warm” resources that are always ready to service requests. Storage and processing are seperate, so you can scale down to zero processing and pay only for storage. ``` Aurora Serverless introduces a new serverless DB engine mode for Aurora DB clusters. Non-Serverless DB cluster use the provisioned DB engine mode.

Answer 98

Reference a resource option. Elsewhere in the script, enumerate all the valid values for that option. Optionally, provide a default so that the user does not have to make a choice.

Answer 99

- Snowball >= 10TB - SnowEdge >= 10 TB with Edge comput - Snowmobile >= 100TB, arrange. File Gateway. Snowball becomes economical only from 10TB or higher and when time is short. In this case, the customer has time and the amount of data is less than 10TB. Me: this recommendation assumes that the link bandwidth is big enough and the file transfer does not impact all other activities on the link.

Answer 100

To speed up queries on non-key attributes, you can create a global secondary index. A global secondary index contains a selection of attributes from the base table, but they are organised by a primary key that is different from that of the table. The index key does not need to have any of the key attributes from the table. It doesn’t even need to have the same key schema as a table. (me: The global secondary index creates a new table that is hidden)

Answer 101

- When speed of setup is critical; VPN takes minutes, DX takes days - weeks - Cost can be lower for spiky or sporadic usage - When network QoS is not critical. VPN performance depends on customer router CPU due to encryption; the ISP network connection over the internet is not consistent.

Answer 102

It uses Stream to capture all changes to one table to the other tables in other regions. You configure a Global Table by enabling Streams (Old and New), then by adding Regions where you want replicas. All tables are masters and stream their changes to the other replicas.

Answer 103

(Me: launch configuration is immutable after saving) - AMI, - instance type, - purchase options: on-demand, RI, sport, - IP addressing, - user data, - CW detailed monitoring option, - amount and type of storage, - key pair. To make changes after saving, you must create a completely new launch config, then change the LC association in the AS group.

Answer 104

Configure a VPC Endpoint (Gateway type). Configure the endpoint to update the route table for the private subnet needing access. This avoid NAT gateways or egress-only IGWs, leaving the private subnet private.

Answer 105

Provisioned, parallel query, or Serverless

Answer 106

The table is a set of columns that have the name and data type of the fields in the data files you want to query. It also contains a pointer to the S3 location where these data files sit.

Answer 107

Amazon MQ offers support for a number of standard protocols and is an open source project, so the API is likely familiar to the customer. Unlike SQS and SNS, Amazon MQ is deployed with private endpoints in the customer’s VPC with no public access required for applications within the VPC. It’s also available in an active/standby configuration across multiple AZs in a region. (Me: MQ is not fully integrated with AWS eco-system such as monitoring using CloudWatch, CloudTrails, etc. control plane or the data plane).

Answer 108

- General Purpose gp2: SSD Default for most workloads. Burst to 3,000 IOPS with credits 1GB - 16TB. - Provisioned IOPS SSD io1: SSD Mission critical, sustained IOPS Suited for Large database 4GB - 16TB Provisioned IOPS to 64,000 ``` - Throughput Optimised st1: HDD Low cost Frequently accessed data, streams, media; not boot volume 500GB - 16TB 500 IOPS ``` ``` - Cold HDD sc1: HDD Low cost Infrequent access Not boot volume 500 GB - 16 TB 250 IOPS ```

Answer 109

Applications and the required library versions

Answer 110

With EC2, you define the instance type and are responsible for the cluster. With Fargate, you don’t. You define tasks and let ECS/Fargate obtain the container hosts to run those tasks.

Answer 111

You can’t. Any origin server must offer public access to CloudFront.

Answer 112

Shield is a DDoS protection layer in front of WAF. Standard is free and always on (me: network layer DDoS protection). Advanced provides WAF, DDoS mitigation’s, visibility and reporting, DDoS response team support, and cost protection due to attacks. Shield also protects EIPs.

Answer 113

In a VPC you specify. By default, it uses the default VPC, but you can specify a customer VPC in your account. To access S3 data, you need to configuration NAT or internet gateway for the public S3 endpoint, or create a VPC endpoint for S3.

Answer 114

- using default values in parameter lists (avoiding human input), - use ParameterStore for system and customer values, - Pseudo Parameters for CF-wide values such as region, partition, account ID, stack ID and more, - Intrinsic Functions (for AZs in a region, more), - Don’t specify the PhysicalID or a resource (and CF will create a unique one for you.

Answer 115

HVM uses newer generation of CPUs that allows guest OSs to interact with CPU, memory, network, local storage and the motherboard bypassing the hypervisor. Unlike paravirtualisation, HVM avoids emulation, speeding up performance of guest OSs. Next, AWS introduced Nitro in 2017, bringing hardware virtualisation to all aspects of the guest OS access to the hardware. This results in near bear metal performance.

Answer 116

Memory, file system, applications. For these, customers need to install the CloudWatch Agent.

Answer 117

Long running - create, continue to run jobs, queries , host databases Interactive - create, then log on using SSH and work from the console Transient - create, run a job, terminate.

Answer 118

Cross origin resource sharing. This is a security measure that a server can use to control what other servers can access resources on it (me: using http)

Answer 119

Very low latency connections and REST APIs for queries. Also it doesn’t involve cluster infrastructure running a customer’s environment.

Answer 120

All nodes are in a single AZ, subnet and security group for minimum latency (me: and data movement cost - cross AZ data traffic will be charged at a price)

Answer 121

At the Log Group level which is a group of related Log Streams

Answer 122

Install CloudWatch Agent on the EC2 instance. Configure it to tail the logs in /var/logs. It will pick up each entry in the log file and send them as Log events using a Log Stream.

Answer 123

It lives outside of OpsWorks in a repository you specify, such as Git. You provide the URL and the credentials to OpsWorks in the Apps recipe, you specify the deployment targets using a deployment recipe.

Answer 124

They are uni-directional request/response calling patterns that use HTTP semantics with query string arguments. Behind the API, a service performs a task and returns the result to the caller.

Answer 125

Enable the Data API to expose the REST APIs of the database through the Proxy layer.

Answer 126

SQS FIFO supports up to 300 messages per second with guaranteed ordering and no duplicates.

Answer 127

ElasticSearch cluster run in a dedicated network not part of the customer’s account. For private VPC access, ElasticSearch will expose itself to the customer VPC using interface endpoints. The customer can assign a security group to the cluster. For public access, the cluster is accessible directly from the internet.

Answer 128

AZs, regions, global edge services

Answer 129

Scale UP the instance type(s) of the cluster to a larger EC2 type. Since there is only one write instance, the only option is scaling UP.

Answer 130

There is not standby in Aurora DB. up to 15 read replicas in a region, all are promotable to master instances.

Answer 131

S3 is a global service with region-specific presence. Buckets are globally globally available and unique. But objects live in a particular region. Each account has a limit of 100 buckets, but unlimited prefixes.

Answer 132

Configure WAF in front of the CF distribution

Answer 133

The ALB Service is outside of the VPC across the regions. ALB will deploy an ALB node with the appropriate IP address in each AZ you’ve selected.

Answer 134

Make sure Requestor and Acceptor DNS resolution is configured for the peering connection. This will ensure that the requestor doesn’t need to go over the Internet for the ping. Me: (AWS 2016) You can now enable resolution of public DNS host name to private IP addresses when queried from the peering VPC. This functionality is also supported cross-account so the two VPCs can be in different accounts. You can enable DNS resolution support for VPC peering using AWS Management Console, AWS CLI, through SDKs.

Answer 135

Database (auto) backups enable you to restore a database even after the Master is gone. However, they have a default retention period of 35 days, after which they will be deleted.

Answer 136

Using logs it exports to CloudWatch Logs using a service-linked role.

Answer 137

You don’t configure capacity on Aurora Serverless. You configure Aurora Capacity Units (ACUs) which are 1 CPU and 2GB of RAM.

Answer 138

Administrators of KMS such as key management may not have permissions to decrypt Keys or data. Users of KMS may not have admin privileges, but can ask KMS to encrypt or decrypt data.

Answer 139

Spot fleet

Answer 140

Put reference data in S3 then define a reference table that enables the SQL query to treat the lookup data as a table.

Answer 141

(Me: the question is not clear) Guard Duty uses ML to monitor a number of AWS data sources, such as VPC flow logs, R53, CloudTrail, threat intel, CloudWatch events, account activity. It generates findings into the Guard Duty console. A trusted IP list excludes these IPs from Guard Duty scanning. Threat lists tell GD additionally what to watch across all accounts.

Answer 142

OpsWorks offers most of the control over deployments that CloudFormation offers, but still provides minimal config options. It offers Chef or Puppet as the deployment frameworks.

Answer 143

On demand capacity reservations. No up-front, but you get the capacity when you need it. (Me: no pricing discount which is apply to account billing in regions, On demand capacity reservations is applied to AZs. Can be cancelled at any time)

Answer 144

In a region, an AZ, a subnet, behind a security group.

Answer 145

Docker, multi-container Docker, java, node.js, tomcat, python, ruby, .NET, Go, PHP, Docker Go, Docker GlassFish, Docker Python.

Answer 146

If the instance is running as an IAM role, the IAM role info is available in the instance meta data for the application to use Instance profile - if you use console to create a role for EC2, the console automatically creates an instance profile and give the same name as the role; If you manage via CLI, you create roles and instance profiles as seperate actions - you must know the names of your instance profile Instance Metadata - data about your instance that you can use to configure or manage the running instance. Instance metadata is divided into categories, for example, host name, events, and security groups. Although you can only access instance metadata and user data from within the instance itself, the data is not protected by authentication or cryptographic methods. Anyone who has direct access to the instance, and potentially any software running on the instance, can view its metadata. Therefore, you should not store sensitive data, such as passwords or long-lived encryption keys, as user data.

Answer 147

Assign it an execution role appropriate for what it needs to access.

Answer 148

Query filters do not reduce the amount of items that DynamoDB searches for the query results. Only sort keys do that.

Answer 149

Have them all use the same security group. That security group should have a rule that ALLOWS traffic from that same security group ID. Protocol type, Protocol number, Ports, Source IP All Traffic, All, All, ‘The Security Group ID’

Answer 150

When the application can tolerate loss of an instance, such as big data systems, stateless web clusters, or dev test or experiments what time of finish is not critical.

Answer 151

1. Hardware platform or cluster and capacity scaling are fully managed, 2. pay only what you use (compute and resources), 3. suitable for unknown usage pattern or spiky workload (non-steady workloads). 4. Event driven.

Answer 152

Application Load Balancer - Feature rich, layer 7 load-balanced platform - Content-based routing allows requests to be routed to different applications behind a single load balancer: path based routing or host-based routing - support for micro-services (Lambda) and container based applications, including deep integration with Amazon Elastic Container Service (Amazon ECS) It is a best practice that you upload SSL Certificates to ACM. If you’re using certificate algorithms and key sizes that aren’t currently supported by ACM or the associated AWS resources, then you can also upload an SSL certificate to IAM using CLI. Application Load Balancer - (HA) Automatically scales capacity to handle the number of incoming requests - (Health checks) ALB allows the user specify a range of HTTP response codes that define instance health - (Sticky session) ALB only supports the cookies generated by the load balancer - (VPC support) Yes, but without EC2-classic - (Dynamic Port Mapping) Yes, ALB supports dynamic port mapping using the EC2 Container Service - (Supported protocol) HTTP, HTTPS, HTTP/2, WebSockets - (CloudWatch metrics) Per port and path monitoring, Range HTTP response codes, Connection per hour, Overall traffic volume - (Access Logs) ALB supports type of request (HTTP, HTTPS, HTTP/2, WebSockets), and the target Amazon Resource Name. - (Backend Server AuthN) Supported by ALB - (Deletion Protection) Supported by ALB - (Path-Based Routing) Supported by ALB Me: if you are building an API and wanted to leverage AuthN/Z, request validation, rate limiting, SDK generation, direct AWS service backend, use AWS API Gateway. If you want to add Lambda to an existing web app behind ALB you can now just add it to the needed route. API gateway integrates with IAM natively, it has done all the heavy lifting for you. ALB vs API Gateway: https://serverless-training.com/articles/api-gateway-vs-application-load-balancer-technical-details/

Answer 153

Two or sixteen for DC2 node type or four or sixteen for RA3 node type. The leader node distributes work to the slices. The Load or Copy commands get data from e.g. S3 and distribute it to the slices. Slices have dedicated storage and CPU capacity. When loading data, the leader node distributes it according to your distribution style configuration: all, even, key or auto.

Answer 154

RTMP (Real Time Media Protocol) is only option that supports Adobe Flash.

Answer 155

4 KB/sec. That can be five read operations of 4K or less, one or more operations of more than 4K. Also, Dynamo caches up to 300 CUs so that they’re available for spikes.

Answer 156

It’s a region-based cache of the origin server content. This is the first place a CDN server checks on an origin fetch. If this misses, then the fetch goes to the origin.

Answer 157

If only a single node, the leader and compute nodes are co-located on a single instance. Greater than one, Redshift creates a dedicated leader node free of charge. So the two-node example will include three instances.

Answer 158

Update with no interruption (e.g. updating a CloudTrail property) Update with some interruption (e.g. change an instance type) Replacement (e.g. change the engine type of an RDS database)

Answer 159

Create a bucket policy that allows principal:* (me: anonymous access)

Answer 160

With forward, the ALB forwards the HTTP request and arguments to the destination you’ve configured in the ALB forwarding rule. (Me: server side redirect) With redirect, the ALB returns a different URL to the client browser that the browser then needs to use to make the request again. This slightly slower than forwarding. (Me: client side redirect)

Answer 161

Simple AD, Microsoft Active Directory (AD), AD connector, Amazon Cloud Directory, and Amazon Cognito. Amazon Cloud Directory enables you to build flexible cloud-native directories for organising hierarchies of data along multiple dimensions. While traditional directory solutions, such as Active Directory and other LDAP-based directories, limit you to a single hierarchy, Cloud Directory offers you the flexibility to create directories with hierarchies that span multiple dimensions. For example, you can create an organisational chart that can be navigated through separate hierarchies for reporting structure, location, and cost centre.

Answer 162

VMs run on top of a hypervisor， abstracting the hardware。 VMs contain the OS and applications. The isolation boundary is the VM. Many VMs can run on the same hypervisor Containers run on top of the OS but further isolate applications. With a container engine, like Docker, applications and their dependencies can run isolated from each other on the same OS/VM. Containers don’t have dedicated memory like a VM does, so you can pack more applications on hardware by using containers rather than just using VMs. But, containers are not isolated from each other regarding security. Containers can start very quickly compared to VMs in seconds, sometimes MS. (Me: things are changing fast in AWS, e.g. Lambda is running inside a VM that is so light it can compete with container in resources they consumes and cold start time and at the same time have the security isolation at a VM level)

Answer 163

It provides a single IPV4 address for all devices behind it, saving on scarce IPV4 addresses. IPV6 doesn’t have this constraint, thus NAT isn’t as relevant in IPV6.

Answer 164

- Viewer Request - Viewer Response - Origin Request - Origin Response

Answer 165

Legal holds and retention polices. This prevents objects from deletion. Versioning must be enabled. Object locks must be set at time of creating the bucket me: To use Amazon D3 object lock, follow these basic steps: 1. Create a new bucket with Amazon S3 object lock enabled. 2. (Optional) Configure a default retention period for objects placed in the bucket. 3. Place the objects that you wanted to lock in the bucket. 4. Apply a retention period, a legal hold, or both, to the objects that you want to protect. (Me: With Amazon S3 object lock, you can store objects using a write-once-read-many (WORM) model. You can use it to prevent an object from being deleted or overwritten for a fixed amount of time or indefinitely. Amazon S3 object lock helps you meet regulatory requirements that required WORM storage, or simply add another layer of protection against object changes and deletion. -A retention period specifies a fixed period of time during which an object remains locked. - A legal hold provides the same protection as a retention period, but it has no expiration date. Instead, a legal hold remains in place until you explicitly remove it. Legal holds are independent from retention periods. An object version can have both a retention period and a legal hold, one but not the other, or neither. Amazon S3 object lock works only in versioned buckets, and retention periods and legal holds apply to individual object versions. When you lock an object version, Amazon S3 stores the lock information in the metadata for that object version. Placing a retention period or legal hold on an object protects only the version specified in the request. It doesn’t prevent new versions of the object from being created. If you. Put an object into a bucket that has the same key name as an existing, protected object, Amazon S3 creates a new version of that object, stores it in the bucket as requested, and reports the request as completed successfully. The existing, protected version of the object remains locked according to its retention configuration.)

Answer 166

Cross Origin Resource Sharing is a security measure that a server can use to control what other servers can access resources on it.

Answer 167

1. Docker, 2. multi-Container Docker, 3. Docker Python, 4. Docker GlassFish, 5. Docker Go, 6. tomcat, 7. python, 8. java, 9. node.js, 10. .NET, 11. Go, 12. PHP 13. Ruby

Answer 168

1. Simple 2. Failover 3. Weighted 4. Geo location 5. Geo-proximity 6. Latency 7. Multi-value answer. Me: geo-proximity - use when you want to route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another. multi-value - use when you want Route 53 to respond to DNS queries with up to eight healthy records selected at random.

Answer 169

Create a new instance and switch over then done.å

Answer 170

Configure the volume to a larger size. Me: You can resize an EBS volumes without downtime. 1. Login to your AWS console 2. Choose “EC2” from the services list 3. Click on “Volumes” under EBS menu 4. Choose the volume that you want to resize, right click on “Modify Volume” The above steps will increase the “physical’ size of the disk attached to the instance. You’ll then need to log on to the instance to resize the partition of the disk and resize the file system on that partition.

Answer 171

EMR cluster is deployed in a subnet of your chosen in your VPC to minimise the latency. Security Groups will be added and they are fully managed by Amazon EMR. When the cluster is launched, Amazon EMR adds security groups based on whether the cluster is launching into VPC private or public subjects. Security Groups are managed by Amazon EMR. To manage the cluster on a VPC, Amazon EMR attaches a network device to the master node and manages it through this device. If you modify this device in any way, the cluster will fail. Create a cluster using the Amazon EMR console 1. Open the console 2. Choose Create Cluster 3. Choose Go to advanced options 4. In the Hardware Configuration section, for Network， select the VPC ID 5. Select Subnet ID 6. Configure NAT instance and S3 endpoint if haven’t already done so.

Answer 172

Resource policies, identity polices, and Access Control List (ACL)

Answer 173

Network Mode valid values: 1. none 2. bridge 3. awsvpc 4. host Bridge — allow all containers to interact with internal networking to the host. Host — map containers to host networking; e.g. map container port 80 to host port 80; can only run one container on a host with the same host networking requirement. AWS VPC — map a VPC ENI to a container task. This is how Fargate works. If using EC2 mode, this can produce a lot of ENIs. Some EC2 instance types have ENI limits, so the ECS may only be able to launch a few containers. (The above maybe outdated. Check out reinvent 2019 on Fargate: there will only be one ENI in VPC for fargate). These networking types are for Linux. For Windows, the only networking type is NAT. awsvpc — network mode give Amazon ECS tasks the same networking properties as Amazon EC2 instances: when you create the awsvpc network mode in your task definitions, every task that is launched from that task definition gets its own elastic network interface (ENI) and a primary private IP address. The task networking feature simplifies container networking and gives you more control over how containerised applications communicate with each other and others services within your VPC.

Answer 174

1. Task 2. Wait 3. Succeed 4. Fail 5. Pass 6. Parallel 7. Choice

Answer 175

Assign it an execution role appropriate for what it needs to access.

Answer 176

Replace the classic load balancers with an ALB and configure 1. the forwarding rules to each of the different websites. 2. An SSL cert for each website you support.

Answer 177

Provisioning a spot fleet.

Answer 178

Documents can contains embedded objects like sub-documents, lists and arrays, similar to how an RDBMS schema would have these things as separate tables with reference keys to join them.

Answer 179

You may not have three partition keys that you’re rotating evenly while PUTting records. Thus, you’re maximising one shard, but under-using the others. Me: Advantage of Using the KPL KPL has two modes: sync and async, async provides high performance. KPL implements complex logics so that you don’t have to. KCL make it easy for consumer-side developers (Java) - Producer monitoring using CloudWatch. KPL emits throughput, error, and other metrics to CloudWatch and configurable to monitor at the stream, shard, or producer level. KPL is not the same as AWS SDK. AWS SDK directly work with Kinesis Data Stream APIs Each shard can support up to 1000 put records per second. Max size of a data blob (the payload before base64 encoding) within one record is 1 MB.

Answer 180

Use an ALB and enumerate the various HTTP response codes for the health check. CLB doesn’t support Layer 7 where HTTP resides. (Me: CLB supports HTTP, HTTPs and TCP) Before you start using Elastic Load Balancing, you must configure one or more listeners for your Classic Load Balancer. A listener is a process that checks for connection requests. It is configured with a protocol and a port for front-end (client to load balancer) connections, and a protocol and a port for back-end (load balancer to back-end instance) connections. CLB supports - HTTP - HTTPS (secure HTTP) - TCP - SSL (secure TCP)

Answer 181

Instances, IP addresses or a Lambda function. | Instance or IP addresses can include EC2 instances, ECS or EKS containers.

Answer 182

1. By installing Systems Manager Agent on these VMs. 2. Applying appropriate IAM permissions (EC2 only) 3. Activations for On-premise servers.

Answer 183

ElasticSearch clusters run in a dedicated network not part of the customer’s account. For private VPC access, ElasticSearch will expose itself to the customer VPC using interface endpoints. The customer can assign a security group to the cluster. For public access, the cluster is accessible directly for the internet. Me: - Cannot be hosted in your VPC (or AWS’ public zone, like S3) - interface endpoint for private access - customer can assign security group to the cluster - internet for public access -

Answer 184

1. Reliable ordered messaging 2. Message groups 3. Composite messaging (Me: queue and topic? Or SNS + SQS) And more ... Me:: 4. Easy to migrate existing messaging service 5. Support existing protocols ``` AWS MQ (Apache activeMQ) it has two main concepts: topic and queues With a queue, you can have multiple consumers of a queue and each message will be delivered once; if there are no consumers when the message arrives, it sits in the queue until a consumer arrives. With a topic you can have multiple consumers and each message will be delivered in December to each consumer, but if a consumer is offline when a message arrives they miss it. ``` SQS offers serverless queues - you don’t have to pay for the infrastructure, just the messages you send and receive. SNS is comparable to serverless topics. It will notify your services when a message arrives, but if you’re offline you can miss it. SNS can feed into SQS, so if you have some service that may be up and down, you can guarantee it gets SNS messages by queueing them in SQS for it to consume on its schedule.

Answer 185

1. ElasticSearch (Lucerne) 2. Logstash or Beats, and 3. Kibana for visualisation Me: Logstash: collect, Parse, Transform Logs Beats: are lightweight data shippers that you install as agents on your servers to send specific types of operational data to ElasticSearch. Logstash has a larger footprint, but provides a broad array of input.

Answer 186

Two 80TB snowballs daisy-chained together. Each Snowball can hold 50 or 80TB. Daisy-chaining avoids having to partition the source data and instead, treat the two snowballs as a single storage unit of 160TB. 50TB — US region only. Question: how many snowball devices can be daisy-chained together?

Answer 187

At the CloudWatch Log Group level, which is a group of related Log Streams.

Answer 188

You can have CloudTrail deliver log files from multiple AWS accounts into a single Amazon S3 bucket. For example, you have four AWS accounts IDs 1111111111, 222222222, 33333333333, and 44444444444444, and you want to configure CloudTrail to deliver log files from all four of these accounts to a bucket belonging to account 1111111111111. Steps are: 1. Turn on CloudTrail in the account where the destination bucket will belong (1111111111111 in this example). Do not turn on CloudTrail in any other accounts yet. 2. Update the bucket policy on your destination bucket to grant cross-account permissions to CloudTrail. 3. Turn on CloudTrail in the other accounts you want (222222222222, 333333333333, 444444444444 in this example). Configure CloudTrail in these accounts to use the same bucket belonging to the account that you specified in step 1 (1111111111111111 in this example). If you have created an organisation in AWS Organisations, you can create a trail that will log all events for all AWS accounts in that organisation. This is sometimes referred to as an organisation trail. You can ask choose to edit an existing trail in the master account and apply it to an organisation, making it an organisation trail. Origination trails log events for the master account and all member accounts in the organisation.

Answer 189

assigned it an execution role appropriate for what it needs to access

Answer 190

It’s one of the schema definitions that describes the columns and data types of the data. You create them using the Athena interface, API or CLI, or the Glue Data Crawler can create them.

Answer 191

1. AWS KMS service (only AWS API access) | 2. CloudHSM service (industry API/protocol such as #PKCS11

Answer 192

It allows you to exclude events from a stream based on a text pattern

Answer 193

Customer Master Key. this is the core of KMS. When crypt or decrypt a data key, the execution is inside KMS. Master key is kept in KMS, it cannot be exported. CMK is used by the envelop encryption method: master key is used to encrypt data keys, data keys are used to encrypt data. Note, RedShift employs more layered data protection, but the concept is the same. KMS is regional, it cannot be shared across region. E.g. data encrypted in one region, cannot be decrypted in another region. S3 bucket object cross region replication deployed complex key management to achieve the safe data transfer.

Answer 194

me: Based on the object storage type, size and outbound data transfer volume (no inbound data transfer fee) Based on the storage tier 1. Standard Storage (1 month/minimum, no min duration), requests (PUT/GET), and transfer out. 2. IA - same as Standard except 1 month min for 128 MB storage, fee for retrieval. 3. One Zone (Reduced durability): same as IA, but cheaper 4. Intelligent Tiering: for a fee, IT moves your object to the optimum price tier. You still pay the tier. Lifecycle rules can do this according to your explicit policies. Lifecycle rules can only go in one direction, not back and forth like intelligent Tiering.

Answer 195

The workflow for updating a stack is no different from creating a stack: the user defines the resource updates then executed the new/modified stack template. Change Sets allow a junior developer to create the template for change, but simply save and notify others of the proposed change, without having permissions to run the Change Set. Senior developer can review the Change Set then run it if approved. me: Updating a stack does not provide any release management process control, such as review and approve process before the changes going to be made.

Answer 196

Trust Policy, defining who can assume the role. | Permissions policy, defining what the role can do.

Answer 197

A sequence of Log Events from the same source. A log event is a line from CloudWatch containing the CloudWatch Log timestamp and the event message, also containing a timestamp of the actual event time.

Answer 198

ALB supports federated identity such as OAUTH, and if configured, it will forward the request to the IDP such as Facebook before letting the request through to the target group. Me: OpenID Connect compliant IdP. It works with Amazon Cognito.

Answer 199

Legal holds and retention policies. This prevents object from deletion. Versioning must be enabled. Object locks must be set (me: enabled) at time of creating the bucket. me: 1. S3 bucket must enable versioning and locking during creation. 2. Object locking applies to a particular object version. 3. It is Write Once Read Many times (WORM) - it is immutable once locked. 4. An object version can have all the locking permutations (none, retention, retention + Legal hold, Legal hold) 5. Locking can be removed manually.

Answer 200

1. Formerly, Public VIFs were limited to a region 2. Formerly, Private VIFs are attached to a VPG which is associated with a VPC 3. NOW using BGP, the Public VIF advertises all public zone AWS service endpoints in all regions * Public Zone endpoints do not require or even allow a DX to access the internet 4. NOW using DX Gateway, customers can use a single Private VIF to a DX GW, then connect to any VPGW in any region; DX GW uses BGP to advertise the networks it can access back to the VIF, reducing admin overhead * These Private VIFs are not transitive. Me: when to order a DX, a few things to know (or requirements) Takes time to establish, expensive to maintain, Must chose a speed: < 1GB, 1GB, 10GB Must establish a single mode finer connection between the data location and DX Partner location. must have a router at the data location that supports BGP, w/MD5 authentication, VLAN (802.11q), completes LOA/? Must have a router at DX location

Answer 201

1. Managed Cluster - 2. Managed container runtime - e.g. Fargate 3. Task definition 4. Container definition

Answer 202

1. Serverless 2. Provisioned 3. Parallel query

Answer 203

ACM only supports certain AWS services that explicitly intergrate with it, such as CloudFront, ELB, ElasticBeanstalk (EBS), and API Gateway. R53 also uses ACM for DNS checks during certificate issuing (to ensure that you own the domain). 1. CloudFront 2. ELB 3. EBS 4. API Gateway 5. Route 53 (for domain ownership validation) Me: ACM does not supply certificates to an EC2 instance

Answer 204

1. S3 2. Kinesis (Firehose) 3. Data Pipeline Me: AWS Data Pipeline is a web service that helps you reliably process and move data between different AWS compute and storage services, as well as on-premises data sources, at specified intervals. With AWS Data Pipeline, you can regularly access your data where it’s stored, transform and prop EDS it at scale, and efficiently transfer the results to AWS services such as Amazon S3, Amazon RDS, Amazon DynamoDB, and Amazon EMR. 1. S3 2. RDS 3. DynamoDB 4. EMR

Answer 205

Using logs that it exports to CloudWatch Logs using a server-linked role.

Answer 206

1. IAM, 2. R53 3. CloudFront All are global services.

Answer 207

Use SQS fan out. Create several SQS queues. Get the ARN of each queue, then configure the SNS topic to publish to these ARNs. Each will get the message and be able to process it as they need.```

Answer 208

Create a bucket policy that allows principal:* me: Set S3 policy to allow anonymous access to the S3 bucket or the pages in question.

Answer 209

Aurora Global Database replicates cluster volume data from one region to a cluster volume in another in less than 1 second. Replicas in other regions attached to that region’s cluster volume for low-latency read replicas. They can promote to Master in less than one minute. This is lower latency and faster promotion time than MySQL cross-region read replication.

Answer 210

A Primary Key. A primary key can have just have a partition key (hash). It can also have a sort key, which is another column. The combination of the two columns must be unique. E.g., the columns could be SSID and appointment date. In this case, the appointment data must be unique for every unique SSID. Data types for the columns can be string, binary, or number.

Answer 211

(Me: this is a tricky question. It is test the following line (understanding)): S3 is not a custom origin and CF configuration will match the same protocol as the client connection. (Me: whatever client set, S3 will match it. If client use http, S3 will use http) If you need a different protocol to the origin, configure a custom origin. When specifying an origin such as www., the Origin configuration offers several TLS options and protocol policies Me: when your origin is an S3 bucket, you options for using HTTPS for communications with CloudFront depend on how you’re using the bucket. - If your S3 bucket is configured as a website endpoint, you cannot configure CloudFront to use HTTPS to communicate with your origin because S3 doesn’t support HTTPS connection in that configuration. - When your origin is an S3 bucket that supports HTTPS communication, CloudFront always forwards requests to S3 by using the protocol that viewers used to submit the requests. The default setting for the Origin Protocol Policy setting is Match Viewer and cannot be changed.

Answer 212

In a region, an AZ, a VPC, a subnet, behind a security group.

Answer 213

1. Simple AD 2. MS Active Directory (AD) 3. AWS AD connector 4. AWS Cloud Directory 5. Cognito

Answer 214

2, 4 and 16 depends on the node type. 2 or 16 4 or 16 - The leader node distributes work to the slices. - The Load or Copy commands get data from e.g. S3 and distribute it to the slices. - Slices have dedicated storage and CPU capacity. - When Lorain data, the leader node distributes it according to your distribution style configuration: all, even key or auto.

Answer 215

Linux: 1. none 2. bridge 3. host 4. aws vpc - map a VPC ENI to a container task. This is how Fargate works. If using EC2 mode, this can produce a lot of ENIs. Windows: 1. NAT

Answer 216

Enable DynamoDB Streams for New items. Then create a trigger (Lambda function) that captures the new items and updates a web page.

Answer 217

1. Name 2. LC template (Launch Template) 3. version 4. Min 5. Max 6. Desired instance count 7. VPC 8. Subnets 9. Health checks 10. Load balancing 11. Scaling policies 12. Change notifications 13. Tags

Answer 218

``` KDS (Kinesis Data Stream) Direct PUTs (using Kinesis API directly) ``` Me: you can configure Amazon Kinesis Data Streams to send information to a Kinesis Data Firehose delivery stream. Important: If you use the Kinesis Producer Library (KPL) to write data to a Kinesis data stream, you can use aggregation to combine the records that you write to that Kinesis data stream. If you then use that data stream as a source for your Kinesis Data Firehose delivery stream, Kinesis Data Firehose de-aggregates the records before it delivers them to the destination. If you configure your delivery stream to transform the data, Kinesis Data Firehose de-aggregates the records before it delivers them to AWS Lambda.

Answer 219

It’s a region-based cache of the origin server content. This is the first place a CDN server checks on an origin fetch. If this misses, then the fetch goes to the origin.

Answer 220

You don’t provision EFS volume size. EFS allocate what you consume.

Answer 221

1. Web Identity Federation (OID Connect/OAuth) 2. SAML 3. Cross-account trust

Answer 222

Local DB users, or | IAM

Answer 223

a CloudFront local endpoint. Then the upload traverses the AWS backbone. me: Edge location endpoint.

Answer 224

to get the additional capacity a workload needs during predictable spikes in demand, like an ecommerce site. me: When the traffic pattern is well known

Answer 225

it is FIPS 140-2 level 3 complaint 1. PKCS#11 API 2. JCE API 3. Microsoft CryptoNG (CNG) API It does not support AWS API, unlike KMS, only support AWS API. It is not integrated with other AWS services offering encryption.

Answer 226

Declare resource objects as a singletons outside of the lambda_handler(). They ‘may’ be available to the next instance of the function, but declare them as NULL and do NULL checks in the handler or sub-functions.

Answer 227

The AMI creator’s account plus any other accounts the configuration names. It can also be public.

Answer 228

1. The owner enters registration information into the ACM form including the domain name. 2. ACM validates the domain name using R53 or your other register 3. Once validated, ACM issues the certificate containing public and private keys. Private keys is encrypted using KMS. 4. The certificate is now available to any AWS integrated service. 5. When these services need to use the private key to decrypt content, they use KMS to decrypt the key, hold it in the memory, and use it to decrypt the publicly encrypted content.

Answer 229

Transit Gateway. Transit means that this service enables transitive connections from on-premise VPN connections to AWS VPCs. It support true hub and spoke topology. It’s available through VPN and DX. It can attach to multiple AZs, accounts, and regions via transit gateway attachments for VPN or VPC.

Answer 230

Cross-stack references allow you to isolate stacks according to role or frequency of change. Using an export statement, one stack can announce the ID of a resource. Then, anther stack can import that ID and use it as part of its resource creation, e.g., reference a VPC ID when creating a new subnet or security group. Cross-stack references re-use running stack resources, unlike nested stacks, which re-used templates but create *new* resources.

Answer 231

The AS group determines where and when to launch instances. The launch configuration determines how.

Answer 232

1. Complex data types: Redis 2. Vertical scaling: Memcached supports multi-threading 3. Horizontal scaling (read): Redis 4. Backup and restore: Redis 5. HA: Redis supports replication between nodes 6. Transaction: Redis 7. Geo-special data type: Redis 8. Simple, limited feature set: Memcached 9. Rich feature set: Redis

Answer 233

1. Path patterns 2. Protocol policy 3. HTTP methods, 4. HTTP caching 5. Request header caching 6. Object caching 7. TTL 8. Cookie forwarding 9. Query string forwarding 10. viewer access restrictions 11. Object compression 12. Lambda function associations

Answer 234

1. General Purpose gp2: SSD - Default for most workloads. Burst to 3,000 IOPS with credits, 1GB-16TB 2. Provisioned IOPS SSD io1: SSD - mission critical, sustained IOPS Large databases, 4GB - 16TB, provisioned IOPS to 64,000 3. Throughput Optimised st1: HDD - low cost, Frequently accessed data, streams, media; not boot volume, 500GB-16TB, 500 IOPS 4. Cold HDD sc1: HDD - low cost, infrequent access, not boot volume, 500GB - 16TB, 250 IOPS

Answer 235

DynamoDB enables Adaptive Capacity by default. This allocates RCU/WCU dynamically across partitions while staying below the total hard limit of the table. Me: this looks like an updated answer: you don’t need to do anything to managing hot spot any more. DynamoDB’s adaptive capacity will balance the load at the table level, not at the partition level so that unused RCU/WCU for a given partition can be used by the hot spot partition.

Answer 236

1. S3 2. RedShift 3. ElasticSearch (+Kibana), 4. Splint 5. Kinesis Analytics!

Answer 237

If you want to retain versions indefinitely, assign versions to cheaper storage classes, like one zone IA. If you can use a lifecycle policy to delete older versions.

Answer 238

1. Docker 2. Multi-Container Docker 3. Docker python 4. Docker go 5. Docker GlassFish 6. PHP 7. Go 8. .NET 9. Java 10. Ruby 11. Python 12. Node.js 13. tomcat

Answer 239

1. ALB - Layer 7, SSL termination, integration with ACM for cert management, request forwarding based on URL path, support more than one domain, support target groups based on path or IP addresses, able to load balancing across AZs. Does not support TCP or UDP. Embedded WAF, has authentication capability and support Lambda function, 2. ELB - high volume and low latency, support PrivateLink. TCP and UDP, support end to end SSL

Answer 240

A container for a collection of Log Streams that share the same retention, monitoring, access control, and metric filters.

Answer 241

SCP is at Organisational level, permission boundary is at Identity level.

Answer 242

Every VPC has exactly one. It consumes one RFC 1918 IP address. It’s +1 of the subnet’s IP address.

Answer 243

Identity policies (SCP, Permission Boundary Policy), resource policies and ACL

Answer 244

The first two fields are the path components. The final field is the parameter name.

Answer 245

Athena can access logs from 1. CloudTrail 2. CloudFront 3. Load Balancers 4. VPC Flow Logs

Answer 246

Configure Trails to deliver CloudTrail events to S3. Also enable file encryption and validation to protect the files from tampering. (Me, could also stream event to CloudWatch log group)

Answer 247

1. EC2: some interruption (me: e.g. you can dynamically change the instance type by stop and start the instance) 2. RDS: replacement 3. AutoScaling: no interruption 4. EBS: no interruption

Answer 248

1. The origin, origin protocol, and origin fetch are where the cached content originate. 2. The viewer, viewer protocol are the client side of the edge.

Answer 249

Partitions are based on 1. Provisioned storage capacity, and 2. provisioned RCU/WCU capacity. Since you provisioned 10,000 WCUs and a partition can support only 1000 WCUs, DynamoDB created 10 partitions. me: this time, the WCU limitation is a key decider, if WCU were not over the limit, then storage size limit would kick in and it would create four partitions because each partition can only support 10 GB.

Answer 250

EFS EFS: low, consistent latency, 10+ GB per second throughput. EBS (provisioned IOPS): lowest, consistent latency, up to 2GB per second Amazon EFS file systems are distributed across an I constrained number of storage servers. This distributed data storage design enables file systems to grow spastically to petabyte scale and enables massively parallel access from Amazon EC2 instances to your data. The distributed design of Amazon EFS avoids the bottlenecks and constraints inherent to traditional file servers. The distributed design of Amazon EFS avoids the bottlenecks and constraints inherent to traditional file servers. This distributed data storage design means that multithreaded applications and applications that concurrently access data from multiple Amazon EC2 instances can drive substantial levels of aggregate throughput and IOPS. Big data and analytics workloads, media processing workflows, content management, and web serving are examples of these applications.

Answer 251

1. Simple feature set: Memcached 2. Rich feature set: Redis 3. Vertical scaling: Memcached support multi-threading 4. Horizontal scaling (read): Redis 5. Transaction: Redis 6. Backup and restore: Redis 7. Complex data types: Redis 8. Geo-special data type: Redis 9. HA: Redis - supports replication between nodes

Answer 252

1. Provision the cluster in the same region as your S3 data 2. Choose the appropriate instance type for the workload: general purpose M, compute optimised, storage, memory optimised

Answer 253

X.509 v3 SSL or TLS me: an SSL/TLS X.509 certificate is a digital file that’s for Secure Socket Layer (SSL) or Transport Layer Security (TLS). The certificate fulfils tow functions. First the certificate can assist with authenticating and verifying the identity of a host or site. Second, it enables the encryption of information exchanged via a website. An SSL/TLS certificate is one of the most popular types of X.509 certificates, or a type of public key certificate which uses the X.509 standard. X.509 certificates contain a public key and the identity of a hostname, organisation, or individual. When a certificate authority (CA) signs them or another entity validates them, the owner of that certificate can leverage the public key to establish secure connections with another party or validate documents someone digitally signed using the corresponding private key.

Answer 254

Kinesis Data Stream (KDS) supports VPC Endpoints (Private Endpoints).

Answer 255

Backtrack instead of restore from backup.

Answer 256

You could choose Lambda functions, but they will invoke and process immediately. That may be a problem under heavy load depending on the resources the Lambda function needs for processing. For more flexible, de-coupled processing, SQS queues allow the consuming applications to work at their pace while the Queue holds the messages for processing.

Answer 257

No, it is not reusable - it’s specifying a value that needs to be globally unique. Thus, any use of the template after the first run will not be able to create the bucket since it will be a duplicate name. Me: What we could do to ensure the reusability: 1. Use default values for the Parameter List (avoiding human input) 2. Use Parameter Store for system and customer values 3. Pseudo Parameter for CF wide values, e.g. region, partition, account id, and more 4. Intrinsic function for AZs, VPCs, Subnet, and more 5. Don’t specify resource physical id, CloudFormation will produce unique physical ids at the time of resource creation.

Answer 258

Provisioned, Parallel Query or Serverless

Answer 259

When workload is not steady and peak time is irregular.

Answer 260

Restore from a backup. Be mindful that auto backup copy have a retention period of 35 days by default.

Answer 261

Because browers that support SNI only refer to the hostname they are trying to connect. Without SNI, the CloudFront configuration needs to specify a static IP address since that’s what older browsers will be using.

Answer 262

1. Subnets, 2. Transit gateways, 3. Resolver rules, 4. License configurations. Accounts cannot Share subnets inside of the default VPC, nor use subnets that are owned by the owner of the owner of the resource. Likewise, a share cannot share security groups not owned by the resource owner. Likewise, a share cannot share security groups not owned by the resource owner. The resource owner can remove sharing from resources in use by others and those shares will continue until released.

Answer 263

It bundles applications by version in application source bundles.

Answer 264

A custom resource is a resource either in AWS or 3rd party that a CF template asks for as part of the stack. It uses messaging: SNS or Lambda, to trigger that resource to Create/Update/Delete itself.

Answer 265

Use an OpsWorks stack and compose the web tier using the ECS cluster. Compose the other tiers natively in OpsWorks.

Answer 266

Enable the Data API to expose the REST APIs of the database through the Proxy Layer.

Answer 267

1. On-demand | 2. Reserved instances

Answer 268

Configure one per AZ, each in a public subnet. | Me: and instances in the private subnets connect to it

Answer 269

me: EMR or Redshift? Redshift can handle up to two petabytes. When properly designed and optimised, databases in Redshift can query multiple petabytes of data and return results in seconds. Me: two key points - up to two petabytes, query in seconds.

Answer 270

Subnets don’t have security groups. Security groups are assigned to network interfaces (ENI).

Answer 271

VPC peering allows this. Configure the security group of the trusting VPC with the accountID and subnetID of the trusted consumer. This only works within the same region. Across regions, use the VPC ID of the requesting VPC. 1. PrivateLink, 2. VPC peering 3. Transit Gateway

Answer 272

Use S3 ACL Me: ACLs are resource-based access policies that grant access permissions to buckets and objects. By default, the owner, which is the AWS account that created the bucket, has full permissions. Each permission you grant for a user or group adds an entry in the ACL that is associated with the bucket.

Answer 273

1. By default, they live in a region but outside the customer’s VPC. It thus has access to internet. 2. Customers can also configure VPC Lamba functions where all the network restrictions of the subnet and security group apply. The VPC Lambda function still runs in a sandbox outside of the VPC and exposes itself through an ENI in the VPC. For this reason, cold starts are even slower. NEW: remoteNAT enables multiple VPC Lambda functions to share the same the same network interface in a VPC, thus speeding up the start time.

Answer 274

1. Memory, 2. File system 3. Applications. For these, customers need to install the CloudWatch Agent.

Answer 275

1. General purpose SSD gp2: SSD Default EBS type, boot volume, 1GB-16TB, 3,000 IOPS burst with credits 2. Provisioned IOPS SSD io1: SSD Mission critical, sustained throughput larger databases, provisioned IOPS to 64,000 IOPS 4GB - 16TB 3. Optimised HDD st1: HDD frequently accessed data, streams, media, Not boot volume, low cost, 500 IOPS, 500GB - 16TB 4. Cold HDD: HDD infrequent accessed data, not boot volume, lowest cost, 250 IOPS, 500GB-16TB

Answer 276

1. Very low latency connections and REST APIs for queries. | 2. Also, it doesn’t involve cluster infrastructure running in a customer’s environment.

Answer 277

If the instance is running as an IAM role, the IAM role info is available in the instance meta data for the application to use. http://169.254.169.254/latest/meta-data ..../credential Me: instance profile?

Answer 278

Cross-stack references allow you to isolate stacks according to role or frequency of change. Using export statement, one stack can announce the ID of a resource. Then, another stack can import that ID and use it as part of its resource creation, e.g. , reference a VPC ID when creating a new subnet or security group. Cross-stack references re-use running stack resources, unlike nested stacks, which re-used stack templates but create *new* resources.

Answer 279

AWS WAF is a layer 7 firewall that can run in front of CloudFront, API Gateway or ELB. It combines conditions and rules then uses a web ACL to grant or deny traffic. Me: a web access control list (web ACL) gives you fine-grained control over the web requests that your Amazon CloudFront distribution, Amazon API Gateway API, or Application Load Balancer responds to. You can use criteria like the following to allow or block requests: 1. IP address origin of the request 2. Country of origin of the request 3. String match or regular expression (Reyes) match in a part of the request 4. Size of a particular part of the request 5. Detection of malicious SQL code or scripting etc. This criteria is provided inside the rules that you include in your web ACL and in rule groups that you use in the web ACL. It’s specified in the rule statement.

Answer 280

By installing the SM agent on the VM and servers to be managed and applying appropriate IAM permissions (EC2 only) and activation for on-premise servers.

Answer 281

KDA uses an in-application output stream that serves as the result set. The KDA SQL application can direct the result set to KDS, KDF. Also, a SQL application can send errors to an in-application error stream that goes to a different destination.

Answer 282

Similar to AuroraDB, it separates compute from storage. You decide what type and how many dB instances you want across AZs in a region. The Master is the read/write node. The other instances are Read instances (replicas) that can promote to Master. They all interact with the Cluster Storage Volume which manages six copies of all data across three AZs.

Answer 283

Use CF to delete the stack completely. It uses the Logical/Physical resource mapping to track all resources it created so that it can delete them using the template.

Answer 284

``` me: for both VPC 1. Routing 2. Security group 3. NACL ```

Answer 285

You’re assigning it to the primary network interface, not the instances.

Answer 286

It lives outside of OpsWorks in a repository you specify, such as Git. You provide the URL and the credential to OpsWorks in the Apps recipe. Likewise, you specify the deployment targets using a deployment recipe.

Answer 287

Stack sets enable an account admin to run stack templates across multiple accounts and multiple regions. The two sides of the transaction are the Admin account and Target account. It also requires two defined roles: AWSCloudFormationStackSetAdministrationRole and the AWSCloudFormationExecutionRole.

Answer 288

Documents can contain embedded objects like sub-documents, lists and arrays, similar to how an RDBMS schema would have these things AWS separate tables with reference keys to join them. Me: joined during the record creation - need to know the relationship before hand, cannot support adhoc queries like RDBMS do.

Answer 289

Performance: Per-operation latency EFS - lowest, consist latency EBS provisioned IOPS - low, consist latency Throughput scale EFS - 10+ GB per second EBS Provisioned IOPS - up to 2 GB per second

Answer 290

Nested stacks are static template statement that include template references to other templates. They declare the order of resource creation and reference another template. On execution, they create new resources in order of the dependency statements. Unlike cross-stack references that refer to running resources, nested stacks create new resources by reuse template code. me: Nested stack reuses existing stack templates as part of its stack for creating *new* resources Cross-tack reuses running stack resources as part of its stack to create new resources

Answer 291

SCPs offer central control over the maximum available permissions for all accounts in your organisation, allowing you to ensure your accounts stay within your organisation’s access control guidelines. A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity Me: Permission Boundary is a new IAM feature that makes it easier for you to delegate permissions management to trusted employees. As your organisation grows, you might want to allow trusted employees to configure and manage IAM permissions to help your organisation scale permission management and move workloads to AWS faster. For example, you might want to grant a developer the ability to create and manage permissions for an IAM role required to run an application on EC2. A permissions boundary is an advanced feature that allows you to limit the maximum permissions that a principle can have.

Answer 292

It configures SSM, defining what SSM does. It can be in JSON or YAML It controls all the functionality of SSM in your account. They are similar to CloudFormation templates.

Answer 293

Access to Parameter Store and access to the customer master key (CMK) used to encrypt the credential in Parameter Store.

Answer 294

Instance storage type. It’s IOPS up to 80,000 IOPS and 1,750MB/s throughput. Me: it does not sound correct. EBS provisioned IOPS: up to 64,000 IOPS.

Answer 295

Multi security groups, additional network interfaces, additional storage volumes, advanced configurations: elastic graphics, elastic inference, T2/T3 unlimited Also, you can modify and reused LTs; they can be the starting point for a new LT or version them with updates.

Answer 296

Organisational boundaries (SCP)—>user/role boundaries (permissions boundary policy)—>role policies (identity permissions policy) —> effective permissions Me: resource access control list is not a policy?

Answer 297

If you want to retain versions indefinitely, assign versions to cheaper storage classes, like one zone IA, otherwise, you can use a lifecycle policy to delete older versions.

Answer 298

SQS does not support multiple consumers of messages on a queue or does it support replay. You should use Kinesis Data Streams for this requirement.

Answer 299

A persistent session-oriented protocol/API best suited for data streaming, interactive applications, event management applications.

Answer 300

By automating DR through CF, organisations can opt for lower-cost backup and restore or pilot-light techniques because CF will do the recovery faster than manual operations. This faster recovery may make the normally faster but more expensive Warm or active-active techniques less necessary for some organisations.

Answer 301

1. By default, they live in a region outside the customer’s VPC. It thus has access to the internet. 2. Customers can also configure VPC Lambda functions where all the networking restrictions of the subnet and security group apply. 3. The VPC Lambda function still runs in a sandbox outside of the VPC and exposes itself through an ENI in the VPC. 4. For this reason, cold starts are even slower. (May not true, see blow update) NEW: RemoteNAT enables multiple VPC Lambda functions to share the same network interface in a VPC, thus speeding up the start time.

Answer 302

AWS WAF is a layer 7 firewall that can run in front of ELB, CloudFront or API Gateway. It combines conditions and rules then uses a web ACL to grant or deny traffic.

Answer 303

Explicit deny, explicit allow, implicit deny

Answer 304

1. The cluster endpoint refers to the Master for read and write. 2. The reader endpoint refers to *all* replicas as a cluster. Readers get directed to any replica, improving scalability of Aurora for read-intensive workloads. 3. Instance endpoints allow you to configure groups of instances behind an endpoint.

Answer 305

xLBs deploy to an AZ with an ENI in any subnet that need to be exposed the LB (me: exposing the target groups to xLBs)

Answer 306

1. Step scaling (based on %CPU load increase), 2. target tracking (tracking overall CPU level on all instances), 3. simple (no steps) Wth step scaling and simple scaling, you choose scaling metrics and threshold values for the CloudWatch alarms that trigger the scaling process. AWS strongly recommend that you use a target tracking scaling policy to scale on a metric like average CPU utilisation or the RequestCountPerTarget metric from the Application Load Balancer. The main issue with simple scaling is that after a scaling activity is started, the policy must wait for the scaling activity or health check replacement to complete and the cool down period to expire before responding to additional alarms. Cool down periods help to prevent the initiation of additional scaling activities before the effects of previous activities are visible. In contrast, with step scaling the policy can continue to respond to additional alarms, even while a scaling activity or health check replacement is in progress.

Answer 307

You may not have three partition keys that you’re rotating evenly while PUTting records. Thus, you’re maximising one shard, but under-using the others.

Answer 308

An ephemeral port - one that specifies a range of port numbers to avoid having to have a matching outbound rule for all inbound rules. A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. Ephemeral ports: If an instance in your VPC is the client imitating a request, your network ACL must have an inbound rule to enable destined for the ephemeral ports specific to the type of instance (Amazon Linux, Windows Server 2008, and so on). In practice, to cover the different types of clients that might initiate traffic to public-facing instances in your VPC, you can open ephemeral ports 1024-65535. However, you can also add rules to the ACL to deny traffic on any malicious ports within that range. However, you can also add rules to the ACL to deny traffic on any malicious ports within that range. Ensure that you place the deny rules earlier in the table that the allow rules that open the wide range of ephemeral ports. Ephemeral: Lasting for a very short time. “fashions are ephemeral: new ones regularly drive out the old”.

Answer 309

Reserved Instance in the necessary AZs

Answer 310

1. It’s in the VPC you specify when creating the cluster. 2. Aurora Serverless allocates ACUs into your cluster from a warm pool it maintains for all customers. 3. The proxy manages connections from your applications to the cluster and movement of the ACUs in and out of your VPC. 4. The proxy also manages migrating cache data from one ACU to another when capacity changes. 5. Keep in mind, Serverless uses the same Cluster Storage Volume tier that Aurora uses, so Serverless is only managing the compute tier since the storage tier is already serverless and multi-tenant.

Answer 311

Some services don’t support security groups. Only NACLs will work.

Answer 312

1. Same AZ, another AZ in the region, or another region. 2. Replication is asynchronous. 3. Direct replicas from the Master are Tier 1. 4. You can specify Tier 2 replicas off the Tier 1 replicas as well. 5. You can promote a RR to Master. This is useful for rapid DR in another region.

Answer 313

A CloudWatch Log Group is a collection of log streams that have the same retention period, access permission, monitoring and metric filters.

Answer 314

me: an internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. An internet gateway serves two purposes: to provide a target in your VPC route table for internet-routable traffic, and to perform network network address translation (NAT) for instances that have been assigned public IP addresses. In internet gateway supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth constraints on your network traffic. IGW enable access to or from the internet for instances in a subnet in a VPC. IGW is for a region, not for a particular subnet.

Answer 315

1. The name the CF template uses to describe physical resources that CF creates. 2. The physical resources acquire cryptic IDs only at the time of creation. 3. The logical resource make it easier to identify those physical resources.

Answer 316

Parameter group and options groups provides the parameters admins need.

Answer 317

1. no HA: a single Customer Gateway device, single internet connection, and single tunnel endpoint; 2. Partial HA: a single Customer Gateway device, single Internet connection, and two tunnel endpoints in separate AZs; 3. HA: two Customer Gateway devices, two internet connections, and two tunnel endpoints in separate AZs for each network connection, this uses dynamic routing/BGP (Me: the on-premise side need to have a router support BGP).

Answer 318

1. Long-Running Clusters and Data Warehouses On-Demand On-Demand or instance-fleet mix Spot or instance-fleet mix. 2. Cost-Driven workloads Spot Spot Spot 3. Data-Critical workloads On-Demand Spot or instance-fleet mix 4. Application Testing Spot Spot Spot Me: When you set up a cluster, you choose a purchasing option for EC2 instances. You can choose to use On-Demand instances, Spot Instances, or both. your choice to use instance groups or instance fleets in your cluster determines how you can change instance purchasing options while a cluster is running. If you choose uniform instance groups, the instance type and purchasing option apply to all EC2 instances in each instance group, and you can only specify the purchasing option for an instance group when you create it. If you choose instance fleets, you can change purchasing options to fulfil a target capacity that you specify.

Answer 319

1. It’s one of the schema definitions that describes the columns and data types of the data. 2. It can be created manually using Athena Interface, API or CLI, or 3. It can be created automatically using Glue Data Crawler.

Answer 320

1. The DocumentDB Cluster Storage Volume takes daily snapshots and stores them in S3. 2. DocumentDB also records incremental transactions between snapshots to provide point-in-time recovery. 3. You also define a retention period for all data.

Answer 321

1. Stack sets enable an account admin to run stack templates across multiple accounts and multiple regions. 2. The two side of the transaction are the Admin account and Target account. 3. It also requires two defined roles: - AWSCloudFormationStackSetAdminstrationRole - AWSCloudFormationStackSetTargetRole?

Answer 322

They cannot reference other resources, only ports and IP address ranges. Security groups, however, can refer to the ID of another security group to allow traffic from it.

Answer 323

VM 1. VMs run on top of a hypervisor, abstracting the hardware. 2. VMs contain the OS and applications. 3. The isolation boundary is VM. 4. Many VMs can run on the same hypervisor. Container 1. Containers run on top of the OS but further isolate applications. 2. With Container engine, like Docker, applications and their dependencies can run isolated from each other on the same OS/VM. 3. Containers don’t have dedicated memory like a VM does, so you can pack more applications on hardware by using containers rather than just using VMs. 4. But, containers are not isolated from each other regarding security. 5. Containers can start very quickly compared to VMs — in seconds, sometimes MS.

Answer 324

Amazon MQ offers support for a number of standard protocols and is an open source project, so the API is likely familiar to the customer. Unlike SQS or SNS, Amazon MQ is deployed with private endpoints in the customer’s VPC with no public access required for applications within the VPC. It’s also available in an active/standby configuration across multiple AZs in a region.

Answer 325

1. Region 2. The owner 3. Launch permissions 4. Architecture (32-bit or 64-bit) 5. OS, 6. Storage for the root device. 7. Block device mapping of all storage volumes? Once created, the AMI creates snapshots of any EBS volumes described in the AMI and holds pointers to them. If the instances type uses instance volumes, the AMI creation bundles the instance definition and instance store into files and saves them to S3.

Answer 326

Use a Lambda function to manipulate records or change the format to Parquet or ORC with a checkbox.

Answer 327

1. CSV 2. TSV 3. XML 4. JSON 5. Parquet 6. ORC

Answer 328

OpsWorks offers most of the control over deployments that CloudFormation offers, but still provides minimal config options. It offers Chef or Puppet as the deployment framework. Me: OpsWorks is for development deployment vs SSM is for operational support. CloudFormation defines AWS Resources that needs to be created/updated/deleted while Elastic Beanstalk provides a versioned application hosting environments.

Answer 329

Redshift compliants with DSS, HIPPA and other security standards by supporting encryption in transit and at rest. It uses KMS (AWS Key Management Service) or CMK (Customer Master Key) for encryption keys.

Answer 330

The master node has much lower CPU and memory requirements, so it can be smaller. The data nodes do to work and should be bigger.

Answer 331

1. Name 2. LC template & version 3. Min, Max and desired instance count 4. VPC, 5. Subnet 6. Health check 7. Load balancing 8. scaling policies, 9. Change notifications 10. Tags Launch template defined where and what Scaling configuration defines when

Answer 332

Shield is a DDoS protection layer in front of WAF. Standard is free, Shield Advanced provides WAF, DDoS mitigation, visibility and reporting, DDoS response team support, and cost protection due to attacks. Shield also protects EIPs。 me： AWS Shield Advanced for EIP extends the coverage of DDoS cost protection， which safeguards against scaling charges as a result of a DDoS attack。

Answer 333

HVM uses newer generation of CPUs that allow guest OS to interact with CPU, memory, network, local storage and the motherboard bypassing the hypervisor. Unlike paravirtualisation, HVM avoids emulation, speeding up performance of guest OSs. Next, AWS introduced Nitro in 2017, bringing hardware virtualisation to all aspects of the guest OS access to the hardware. This results in near bare metal performance.

Answer 334

Inbound traffic and outbound traffic Subnet A —> Subnet B; Subnet B —> Subnet A 1. SA outbound rules 2. SB inbound rules 3. SB outbound rules 4. SA inbound rules

Answer 335

AMI baking isn’t flexible but faster launch. | User data is more flexible but possibly slower.

Answer 336

at the CloudWatch Log Group level, which is a group of related (collection of) Log Streams.

Answer 337

Athena can access logs from 1. CloudTrail 2. CloudFront 3. VPC Flows Logs 4. Load Balancers

Answer 338

A NAT gateway has a public IP address, but that’s used only for returning inbound traffic from an outgoing request by a private instance.

Answer 339

KDA has in-application input streams that are virtual tables for the SQL query. These tables take input from KDS or KF and place the message as records in the stream. Or, they place a number of records in the Virtual Tables according to the duration of a window defined in the SQL procedure.

Answer 340

1. The AMI creator’s account plus any other accounts the configuration names. 2. It can also be public.

Answer 341

Use the version stages capability provided.

Answer 342

VPC Peering allows this. Configure the security group of the trusting VPC with the accountID and subnetID of the trusted consumer. This only works within the same region. Across regions, use the VPC ID of the requesting VPC.

Answer 343

It’s a message broker based on Apache MQ. It support standard APIs such as AMQP, MQTT, OpenWire or STOMP. It can function as a queue or topic and supports cardinality of 1:1 or 1:n

Answer 344

In a multi-master cluster, all DB instances can perform write operations. There isn’t any failover when a writer DB instance becomes unavailable, because another writer DB instance is immediately available to take over the work of the failed instance. We refer to this type of availability as continuous availability, to distinguish it from the high availability (with brief downtime during failover) offered by a single-master cluster.

Answer 345

DR McGIFT PX (DR McGIFPIX?) 1. D for Density 2. R for RAM 3. M - main choice for general purpose apps 4. C for Compute 5. G for Graphics 6. I for IOPS 7. F for FPGA 8. T - cheap general purpose (think T2 micro) 9. P for Graphics (think Pics) 10. X - Extreme Memory 1. General purpose 2. Memory optimised 3. Storage optimised 4. Network optimised 5. Big data optimised 6. Floating point computation optimised 7. GPU 7. ARM based

Answer 346

Six in total: 1. Simple 2. Failover 3. Geolocation 3. Weighted 4. Latency 5. multi-value answer 6. Geo-proximity

Answer 347

1. Effect 2. Action 3. Resource Optional: 1. Condition 2. Principal (resource policy only)

Answer 348

The IoT Gateway maintains device status in device shadows. These are always available even though things may have sporadic access to the Gateway.

Answer 349

CloudWatch can report on metrics from CF, CloudTrail can report on API calls, and AWS config can report on configuration changes over time.

Answer 350

1. It’s a region-based cache of the origin server content. 2. This is the first place a CDN server checks on an Origin fetch. 3. If this misses, then the fetch goes to the origin.

Answer 351

You cannot. | Any custom origin server must offer public access to CloudFront.

Answer 352

#{parameter_name} You can use a parametrised template to customise a pipeline definition. This enable you to create a common pipeline definition but provide different parameters when you add the pipeline definition to a new pipeline. When you create the pipeline definition file, specify variables using the following syntax: #{myVariable}. It is required that the variable is prefixed by my. For example, the following pipeline definition file, pipeline-definition.json, including the following variable: myShellCmd, myS3InputLoc, and myS3outputLoc. A pipeline definition has an upper limit of 50 parameters.

Answer 353

Use two Snowmobiles. Each Snowmobile can hold up to 100PB of data. Connected together, the transfer operation will see a single 200PB storage area.

Answer 354

PKCS#11, Java Cryptograph Extensions (JCE), MS CryptoNG (CNG). CloudHSM does not support AWS APIs. CloudHSM compliant with FIPS 140-2 at level 3 KMS does not support CloudHSM.

Answer 355

Use SSM run commend to install CloudWatch agent on existing EC2 instances.

Answer 356

The Leader node can only distribute data by file. So a single file is all going to a single compute node. To take better advantage of the cluster, you should pre-process the large file into five, ten or any multiple of five files. Me: is this a EMR cluster?

Answer 357

1. Identify significant points in the question 2. identify similar answers, but understand the differences 3. Look for disqualifying facts in answers, based on #1 4. Eliminate any generally bad answers. 5. Pick between remaining answers using judgement.

Answer 358

CloudHSM or KMS, they both comply with FIPS 140-2. CloudHSM at Level 3, while AWS KMS at level 2. CloudHSM support KPCS#11, Java Cryptography Extensions (JCE), MS CryptoNG (CNG), it does not provide AWS API access KMS provides AWS API access only.

Answer 359

The ALB service is outside of the VPC across the regions. ALB will deploy an ALB node with the appropriate IP address in each AZ you’ve selected.

Answer 360

Install the CloudWatch agent on the EC2 instance. Configure it to tail the logs in /var/logs. It will pick up each entry in the log file and send it them as Log events using a Log Stream.

Answer 361

If the instance is running as an IAM role, the IAM role info is available in the instance meta data for the applications to use.

Answer 362

1. Topics, 2. Queues, 3. Virtual Topics Virtual Topics allows a single publisher to a topic deliver messages to any number of subscribes through a fan-out technique, similar to SNS fan out.

Answer 363

Permission to access the Parameter Store and permission to access the CMK used to encrypted the credentials stored in Parameter Store.

Answer 364

1. ElasticSearch (Lucene) 2. Logstash or Beats 3. Kibana for visualisation

Answer 365

Reduced latency for database lookups, improved availability if the cache is HA, stateful micro service design support by offloading state to a cache, and reduced costs/impact on databases by offloading cache-able reads to the memory cache.

Answer 366

It doesn’t. Only when traffic crosses a subnet do the NACL rules apply.

Answer 367

Using logs that it exports to CloudWatch Logs using a service-linked role.

Answer 368

It can reduce ACUs to Zero if there is no demand, reducing costs.

Answer 369

An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.

Answer 370

1. Owner 2. Launch permissions 3. Architecture 4. OS 5. Block device mapping Once created, the AMI creates snapshots of any EBS volumes described in the AMI and holds pointers to them. If the instance type uses instance volumes, the AMI creation bundles the instance definition and instance store into files and saves them to S3. All AMIs are categorised as either backed by Amazon EBS or backed by instance store. The former means that the root device for an instance launched from the AMI is an Amazon EBS volume created from an Amazon EBS snapshot. The latter means that the root device for an instance launched from the AMI is an instance store volume created from a template stored in Amazon S3. Boot time for an instance: Amazon EBS-backed AMI - usually less than 1 minute Amazon instance store-backed AMI - Usually less than 5 minutes

Answer 371

If you want to retain versions indefinitely, assign versions to cheaper storage classes, like one zone IA. Otherwise, you can use a lifecycle policy to delete older versions.

Answer 372

Two snowmobile daisy-chained together as one partition. Each snowmobile has 100PB capacity.

Answer 373

MQ supports global brokers where brokers are deployed in AZs in multiple regions while keeping the entire Queue in sync.

Answer 374

CloudHSM is only accessible to the customer. KPCS#11, JCE and MS CNG are the stanard APIs you could use to interact with CloudHSM.

Answer 375

1. default Route Tables associated with the subnets involved 2. NACLs that associated with subnet on both sides - inbound and outbound rules 3. Security Groups associated with the source EC2 instance or target EC2 instance.

Answer 376

1. Uniform Instance Groups and | 2. Fleet Instance Groups

Answer 377

3,500 puts 5,000 gets per object partition. Me: S3 must maintain a ‘map’ of each bucket’s object names, or ‘keys’. Traditionally, some form of partitioning would be used to scale out this type of map. Given that S3 supports a lexigraphically-sorted list API, it would stand to reason that the key names themselves are used in some way in both the map and the partitioning scheme ... and in fact that is precisely the case: each key in this ‘keymap’ is stored and retrieved based on the name provided when the object is first put into S3 - this means that the object names you choose actually dictate how AWS manage the keymap. Internally, the keys are all represented in S3 as strings like this: bucket/keyname Further, keys in S3 are partitioned by prefix.

Answer 378

You can place a WAF in front of an API Gateway. Web Application Firewall (WAF) can protect APIs against a range of threats including DDoS, known IP blacklists and much more. Me. AWS Shield or AWS Shield Advance can provide DDoS protection, not WAF. AWS Shield is placed in front of WAF.

Answer 379

Configure WAF in front of the CF distribution.

Answer 380

AZs, regions and global edge services

Answer 381

Because APIs need to run 24/7 on infrastructure someone needs to manage and pay for. Thus, it’s ideal for pay as you go serverless implementation. Me: in other words, autoscaling and pay per request without provisioning max capacity to cater for peak load is a big win/cost saving and support team costs (multi-tenant share cost model).

Answer 382

Create a R53 Resolver outbound endpoint. Create mapping for the on-premise DNS names that refer to the on-premise DNS IP address.

Answer 383

EBS or instance store.

Answer 384

Because browsers that support SNI only refer to the host by name that they are trying to connect. Without SNI, the CloudFront configuration needs to specify a static IP address since that’s what older browsers will be using.

Answer 385

a Docker file describes the OS and other software components of the container using layers. It’s similar to a file system. A container image is like the disk. Or like an AMI. It describe the running container. Container images live in Docker Registries. A container is a running container image. Containers map to resource like ports.

Answer 386

It creates an environment (based on web application or worker application) and deploys your application version into that environment. CF creates stacks, which provision AWS resources (create, update, delete), but NOT applications.

Answer 387

24/7, time-based, or load-based.

Answer 388

Configure three master nodes: the master and two eligible maters. Also have at least three data nodes across AZs. By having three of each, ES can use a quorum to determine the next election if one fails. (Me: this is minimum configuration for a HA ElasticSearch cluster)

Answer 389

1. It lives in a VPC you specify. 2. By default, it uses the default VPC, but you can specify a custom VPC in your account. 3. To access S3 data, you need to configure a NAT or internet gateway for the public S3 point, or create a VPC endpoint for S3.

Answer 390

Use Enable TTL and specify the epoch of the duration items should remain in the table. DynamoDB constantly checks the timestamp of items and marks them for deletion once they exceed their date + epic > today.

Answer 391

Save all your configurations (as a version control). Then, you can revert to a saved configuration (thinking version rollback).

Answer 392

It uses Streams to capture all changes to one table to the other tables in other regions. You configure a Global Table by enabling Streams (Old and New), then by adding Regions where you want to replicas. All tables are masters and stream their changes to the other replicas.

Answer 393

you can change the subnet to public and you can also enable encryption in transit and at rest.

Answer 394

1. When speed of setup is critical; VPN takes minutes, DX take days-weeks 2. Cost can be lower for spiky or sporadic usage. 3. When network QOS is not critical. 4. VPN performance depends on customer router CPU due to encryption; the ISP network connection over the Internet is not consistent.

Answer 395

Use the AWS VPC network mode. | Configure the security group that the container’s VPC uses to control what traffic gets in and out.

Answer 396

1. Cluster - the collection of resources ECS can use to run your containers 2. Service - ECS or Fargate runtime responsible for managing container tasks. 3. Task definition - a configuration file that tells ECS what containers it should create and how they interact with the outside world; 4. Container definition - Container definitions are used in task definitions to describe the different containers that are launched as part of a task.

Answer 397

Legal holds and retention policies - this prevents objects from deletion. prerequisite: Versioning must be enabled. Object locks must be set at time of creating the bucket.

Answer 398

It’s the code behind the API that the API invokes. This could be a mock or the real implementation. Implementations can include Lambda functions, other AWS service like DynamoDB queries, (know the others!), or custom services hosted on EC2 or containers.

Answer 399

Select dual stack.

Answer 400

If you don’t need to change the node type, elastic resize is the fastest option. If you really need to also change the node type, then you’ll have to use classic resize, but it is the longest (24hr.) read-only mode. Me: Redshift now supports elastic resize across node types. Customers can change node types sighing minutes and with one simple operation using elastic resize. Elastic resize across node type automates the steps of taking a snapshot, creating a new cluster, deleting the old cluster, and renaming the new cluster into a simple, quick, and familiar operation. Elastic resize operation can be run at any time or can be schedular to run at a future time. Customers can quickly upgrade their existing DS2 or DC2 node type-based cluster to the new RA3 node type with elastic resize.

Answer 401

1. ALBs terminate the client request then establish a new connection to the target group because encryption operates at layer 7. 2. NLB, examining only the layer 4 header, simply pass on the layer 5+ portion of the packet which may or may not be encrypted. This enables an end-to-end pass-through of encrypted layer 7 data, improving performance. me: ALB will terminate the initial http request, modify it (add the X-Forwarded Headers）and initate a new http request directly to the instance。 If you need to terminate 100% on the instance itself you need to use NLB, not an ALB. me: ALB has a embedded WAF, it terminates SSL connections, client IP address is lost by NLB supports SSL connection pass through, client IP address is preserved

Answer 402

Declare resource objects as singletons outside of the lambda_handler(). They ‘may’ be available to the next instance of the function, but declare them as NULL and do NULL checks in the handler of sub-functions.

Answer 403

Since customers pay for Athena by the amount of data it scans, reduce the amount of data scanned by partition data, organise it into columnar format to reduce the number of columns Athena sees during a query.

Answer 404

On-demand capacity will always manage the RCU/WCU and storage requirements for the incoming load. Auto scaling sets an upper limit and can be slow. Provisioned capacity also sets a limit.

Answer 405

Use S3 resource policy “condition” to define ACLs access limits

Answer 406

3,000 puts and 5,000 gets per object partition.

Answer 407

Do a restore of just the table. Restore it to a new table name, delete the old table, then rename the restored table to the old table name.

Answer 408

Parameter groups and option groups provide the parameters admins need.

Answer 409

1. R53 2. IAM 3. CloudFront

Answer 410

(Me: the order in the table doesn’t matter) 1. Local 2. Longest CIDR prefix (/32 is longest) 3. Me: The routing table is used in order of most specific to least specific, e.g. A destination of 0.0.0.0 with a netmask of 0.0.0.0, i.e. your default route, is the least specific possible and so will always be applied last. The ‘local’ table is the special routing table containing high priority control routes for local and broadcast addresses.

Answer 411

Legacy Lambda used a three-tier architecture: the hypervisor stack (shared tenancy) with a guest OS running on that (account isolation), then a Sandbox, Lambda runtime, and function code ran on that (function isolation). The sandbox runs only one function, but as many instances as needed concurrently. New Lambda is a two-tier architecture: the shared hypervisor stack, but now runs a micro VM dedicated to a Sandbox stack-shared tenancy->dedicate function tenancy. (Fire craker)

Answer 412

1. AMI 2. Instance type 3. Purchase option: on-demand, RI, spot 4. IP addressing 5. User data 6. CW detailed monitoring option 7. Amount and type of storage 8. key pair to make any changes after saving, you must create a completely new launch config., then change the LC association in the AS Group.

Answer 413

1. Local 2. Longest CIDR prefix (/32 is longest) 3. Static over dynamic/propagated 4. Routes learned from a DX connection 5. Static routes learned from VPN 6. Static routes learned from VPN BGP

Answer 414

Metadata about network traffic into and out of the VPC, including address, port, protocol and more. Logs do not include information about DHCP, AWS DNS, or license activation requests. This is not a network monitor.

Answer 415

In private and public VPCs, edge locations, and any region. Me: in the console, there are three options for the endpoint type: 1. Regional 2. Edge optimised 3. Private Private APIs are only accessible through VPC endpoints for API Gateway. Create a VPC endpoints and add Resource Policy for the API to allow access. when API requests predominantly originate from an EC2 instance or services within the same region as the API is deployed, a regional API endpoint, a regional API endpoint will typically lower the latency of connections and is recommended for such scenarios. To create a regional API, you follow the steps in creating an edge-optimised API, but must explicitly set REGIONAL type as the only option of the API’s endpointConfiguration

Answer 416

The template is designed so that it can be run any number of times without user input. (Me, this is just one of the Reuse goal for deployment automation)

Answer 417

GCMAS DR_McGIFT PIX Me: DR McGIFT PX ``` D - Density R - RAM (memory) M - Mainly general purpose C - Compute G - Graphics I - IOPS F - FPGA T - (think T2) Low cost burst-able general purpose P - (think Pics) Graphics X - Extreme memory ```

Answer 418

The table is a set of columns that have the name data type of the fields in the data files you want to query. It also contains a pointer to the S3 location where these data files sit.

Answer 419

Kinesis supports VPC Endpoints (Private Endpoints)

Answer 420

1. Time is critical to set up a link, VPN in minutes, DX takes days or weeks even months 2. Cost can be lower for spiky or sporadic usage 3. When network QOS is not critical 4. Consistent performance is not required - VPN performance depends on customer router CPU due to encryption; the ISP network connection over the internet is not consistent.

Answer 421

1. Multi security groups 2. Additional network interfaces 3. Additional storage volumes 4. Advanced configurations: * elastic graphics * elastic inference * T2/T3 unlimited 5. Also, you can modify and reused LTs; they can be the starting point for a new LT for a new LT or version them with updates. Me: you can now use launch templates with Amazon EC2 Auto Scaling and Amazon EC2 Spot Fleet in you AWS CloudFormation templates. Launch templates enable you to centrally make changes to launch parameters and control the roll out of these changes to Auto Scaling groups and Spot Fleet. With T2 unlimited instances, you have the ability to sustain high CPU performance over any desired timeframe while still keeping your costs as low as possible. You simply enable this feature when you launch your instance; you can also enable it for an instance that is already running.

Answer 422

A persistent session-oriented protocol/API best suited for data streaming, interactive applications, event management applications.

Answer 423

1. Trust policy - defining who can assume the role | 2. Permission policy - defining what the role can do

Answer 424

S3 logs all access requests on a bucket (source bucket) to a designated bucket (target bucket) for logging.

Answer 425

Only NACL can deny traffic. Security groups cannot. Security groups deny by default, but allow by rule. Me: The default network ACL is configured to allow all traffic to flow in and out of the subnets with which it is associated. Each network ACL also includes a rule whose rule number is an asterisk. This rule ensures that if a packet doesn’t match any of the other numbered rules, it’s denuded. You cannot modify or remove this rule.

Answer 426

The union of SCP (Service Control Policy :an Organisational boundary Policy), user/IAM Role permission boundary policy, IAM role permission policy determines a principal’s effective permissions.

Answer 427

The VPC must have an IGW, and the subnet must have a default route to the IGW by associating with a VPC route table that has a route to the IGW.

Answer 428

1. S3 2. Redshift 3. Splunk 4. Kinesis Analytics

Answer 429

Each of he slices on your compute nodes have the advertised amount of data available to them according to the Management Console. But Redshift also reserves the same amount for replication of slice data from other nodes, similar to RAID 5 with a disk array.

Answer 430

Use spot fleet

Answer 431

``` When the application can tolerate loss of an instance, such as production: 1. big data systems, 2. Stateless web clusters Non-production: 3. Dev environment 4. Experiments. ```

Answer 432

ALB supports HTTP2 for up to 128 simultaneous connections. It will split them up to separate HTTP 1.1 connections to target groups. Me: Listener Configuration Listeners support the following protocols and ports: Protocols: HTTP, HTTPS Ports: 1-65535 You can use an HTTPS listener to offload the work of encryption and decryption to your load balancer so that your applications can focus on their business logic. If the listener protocol is HTTPS, you must deploy at least one SSL server certificate on the listener. For more information, see Create an HTTPS Listener for Your Application Load Balancer. Application Load Balancers provide native support for WebSockets. You can use WebSockets with both HTTP and HTTPS listeners. Application Load Balancers provide native support for HTTP/2 with HTTPS listeners. You can send up to 128 requests in parallel using one HTTP/2 connection. The load balancer converts these to individual HTTP/1.1 requests and distributes them across the healthy targets in the target group. Because HTTP/2 uses front-end connections more efficiently, you might notice fewer connections between clients and the load balancer. You can't use the server-push feature of HTTP/2.

Answer 433

Spot fleet

Answer 434

Publish message to $aws/rules/rulename and which sends the message directly to an IoT Rule without the pub-sub features of IoT Topics.

Answer 435

Be careful and understand the context of the question. | Databases and data movement is best for DP.

Answer 436

CLB or ALB. NLB does not support UDP, only TCP. Me: ALB does not support UDP. It supports HTTP, HTTPS, HTTP/2 and WebSockets UDP Load Balancing Today (24 June 2019) we are adding support for another frequent customer request, the ability to load balance UDP traffic. You can now use Network Load Balancers to deploy connectionless services for online gaming, IoT, streaming, media transfer, and native UDP applications. If you are hosting DNS, SIP, SNMP, Syslog, RADIUS, and other UDP services in your own data center, you can now move the services to AWS. You can also deploy services to handle Authentication, Authorization, and Accounting, often known as AAA. You no longer need to maintain a fleet of proxy servers to ingest UDP traffic, and you can now use the same load balancer for both TCP and UDP traffic. You can simplify your architecture, reduce your costs, and increase your scalability.

Answer 437

By default, CF runs under the identity of the user running. Some users, like junior DevOps members, may have restricted permissions in the AWS account. But if you grant the stack greater permissions, the junior developers can edit and run it while still having their restrictive permissions.

Answer 438

AWS IoT use MQTT, which is a industry standard protocol that other devices and systems likely use.

Answer 439

It provides a single IPv4 address for all devices behind it, saving on scarce IPv4 addresses. IPv6 doesn’t have this constraint, thus NAT isn’t as relevant in IPv6.

Answer 440

Use an OpsWorks stack and compose the web tier using the ECS cluster. Compose the other tiers natively in OpsWorks. Me: AWS OpsWorks Stacks simplified the process of launching and maintaining container instances for existing Amazon ECS cluster. To create or launch other Amazon ECS entities, such as clusters and tasks, use the Amazon ECS console, CLI or API. You can then associate a cluster with a stack by creating an ECS Cluster layer, which you can use to manage the cluster in AWS OpsWorks Stacks. * OpsWorks and ECS Cluster is 1:1 mapping. OpsWorks needs permission to interact with ECS on your behalf (aws-opsworks-service-role).

Answer 441

When the application positively needs the capacity and the demand is not steady.

Answer 442

KDA uses an in-application output stream that serves as the result set. The KDA SQL Application can direct the result set to KDS, KDF. Also, SQL application can send errors to an in-application error stream that goes to a different destination.

Answer 443

Local db users or IAM.

Answer 444

The AMI Creator’s account plus any other accounts the configuration names. It can also be public.

Answer 445

You need to run an HSM in your data centre. AWS does not provide access to CloudHSM. CloudHSM is a dedicated tenancy solution running on shared infrastructure, similar to EC2.

Answer 446

OpsWorks offers most of the control over deployments that CloudFormation offers, but still provides minimal config options. It offers Chef or puppet as the deployment frameworks. I don’t think the above answer is correct. See blow alternative. CloudFormation is at infrastructure level, create/update/delete AWS resources described in a CloudFormation template. Elastic Beanstalk hides infrastructure details, provides an layer of abstraction so the user can focus on the application needs. OpsWorks manages the configurations for resources and applications that CloudFormation or EBS provisioned. AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment. Cloud formation allows you to use a simple test file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts. This file serves as the single source of truth for your cloud environment. EBS: Abstraction from CloudFormation, Spin app from blueprints, no need to worry about every small detail of infrastructure. OpsWorks: Configuration management inside those servers, change port, install newer software version, etc.

Answer 447

1. Subnets 2. R53 resolver rules 3. Transit gateway 4. License configurations Accounts cannot share subnets inside of the default VPC, nor use subnets that are owned by the owner of the resource. Likewise, a share cannot share security groups not owned by the resource owner. The resource owner can remove sharing from resources in use by others and those shares will continue until released.

Answer 448

You’re assigning it to the primary network interface, not the instance.

Answer 449

Memory, file system, Applications. For these, customers need to install the CloudWatch Agent.

Answer 450

Metrics and alarms

Answer 451

1. Use default values in parameter lists (avoiding human input), 2. Use ParameterStore for system and custom values 3. Pseudo Parameters for CF-wide values such as region, partition, accountID, stackID and more 4. Intrinsic Functions for AZs in a region, AMI and more, Don’t specify the physical ID of a resource and CF will create a unique one for you.

Answer 452

Create a bucket policy that allows principal: * me: Make the S3 publicly accessible.

Answer 453

Scale UP the instance type(s) of the cluster to a larger EC2 type. Since there is only one write instance, the only option is scaling UP. me: Scaling the write node vertically

Answer 454

NLB. NLB recently added support for UDP load balancing. Otherwise, CLB would be the only option.

Answer 455

Customer Master Key. This is the core of KMS. They encrypt the data that’s in KMS. Usually, the data is other encryption keys. They never leaving KMS, and because KMS is regional, they never leave the region.

Answer 456

The workflow for updating a stack is no different from creating a stack: the user defines the resource updates then executes the new/modified stack template. Change Sets allow a junior developer to create the template for change, but simply save and notify others of the proposed change, without having permissions to run the Change Set. Senior developer can review the Change Set and run it if approved.

Answer 457

Create an IAM policy that Allows all the actions on the DynamoDB table that the Sales_Managers (and others who adopt this policy) need. Use a Condition that uses a variable that looks for the ID of the SalesRep_ID requested in the query. Only allow access to the records associated with this Sales_Manager.

Answer 458

Master node, Core nodes Task nodes An EMR cluster can have only one node, the Master node. It also can have Core nodes that run HDFS and manage tasks. And Task Nodes execute tasks but have no storage system. You cannot change the Master node instance type after creating the cluster. You can change Core and Task node instance types. Me: With Amazon EMR 5.23.0 and later, you can launch a cluster with three master nodes to support high availability of applications like YARN Resource Manager, HDFS Name Node, Spark, Hive, and Ganglia. The master node is no longer a potential single point of failure with this feature. If one of the master nodes fails, Amazon EMR automatically fails over to a standby master node and replaces the failed master node with new one with the same configuration and bootstrap actions. However, unlike the master node, there can be multiple core nodes—and therefore multiple EC2 instances—in the instance group or instance fleet. There is only one core instance group or instance fleet. With instance groups, you can add and remove EC2 instances while the cluster is running or set up automatic scaling. For more information about adding and removing EC2 instances with the instance groups configuration, see Scaling Cluster Resources. With instance fleets, you can effectively add and remove instances by modifying the instance fleet's target capacities for On-Demand and Spot accordingly. For more information about target capacities, see Instance Fleet Options. Task Nodes Task nodes are optional. You can use them to add power to perform parallel computation tasks on data, such as Hadoop MapReduce tasks and Spark executors. Task nodes don't run the Data Node daemon, nor do they store data in HDFS. As with core nodes, you can add task nodes to a cluster by adding EC2 instances to an existing uniform instance group, or modifying target capacities for a task instance fleet. Clusters with the uniform instance group configuration can have up to a total of 48 task instance groups. The ability to add uniform instance groups in this way allows you to mix EC2 instance types and pricing options, such as On-Demand Instances and Spot Instances. This gives you flexibility to respond to workload requirements in a cost-effective way. When you use the instance fleet configuration for your cluster, the ability to mix instance types and purchasing options is built in, so there is only one task instance fleet.

Answer 459

It’s in the VPC you specify when creating the cluster. Aurora Serverless allocates ACUs into your cluster from a warm pool it maintains for all customers. The proxy manages connections from your applications to the cluster and movement of the ACUs in and out of your VPC. The proxy also manages migrating cache data from one ACU to another when capacity changes. Keep in mind, Serverless uses the same Cluster Storage Volume tier that Aurora uses, so Serverless is only managing the compute tier since the storage tier is already serverless and multi-tenant.

Answer 460

With EC2, you define the instance type and are responsible for the cluster. With Fargate, you don’t. You define tasks and let ECS/Fargate obtain the container hosts to run those tasks. me: The difference is in the container hosting layer - a hosting cluster needed to run the containers and the management of the cluster.

Answer 461

Web Application Firewall (WAF) can protect APIs against a range of threats including DDoS, Known IP blacklists and much more. Me: WAF does not provide DDoS protection, AWS Shield and AWS Shield Advanced provides DDoS protection.

Answer 462

Use a Lambda function with event source mapping set to the arrival of messages in an SQS queue. This is an event-driven alternative to the usual polling approach of EC2-based applications.

Answer 463

Shield is a DDoS protection layer in front of WAF. Shield Standard is free and always on. Shield Advanced provides WAF, DDoS mitigation’s, visibility and reporting, DDoS response team support, and cost protection due to attacks. Shield Advanced also protects EIPs.

Answer 464

Stack sets enable an account admin to run stack templates across multiple accounts and multiple regions. The two sides of the transaction are the Admin account and Target account. It also requires two defined roles: AWSCloudFormationStackSetAdmininstrationRole and the AWSCloudFormationExecutionRole.

Answer 465

Design it to run in any account or location without any modifications or user input.

Answer 466

S3 is not a custom origin and CF configuration will match the same protocol as the client connection. If you need a different protocol to the origin, configure a custom origin. When specifying an origin such as www., the Origin configuration offer serval TLS options and protocol policies.

Answer 467

Snowball Edge can hold up to 100/80TB of data and including edge computing services such as IoT Greengrass, Lambda functions and GPU processors. This is ideal for remote locations with poor networking infrastructure and real time capabilities are not required.

Answer 468

DynamoDB has had to create more partitions for each CatID. But since the partition key is CatID, DynamoDB still limits the RCU/WCUs to 3000/1000 across *all* partitions for that CatID. You need to consider a partition key that has more values than 0001-0004. Me: 1. DynamoDB will split partition based on a) RCU/WCU 3000/1000 and b) storage size of 10GB 2. This is no longer a limitation since the DynamoDB will balance the RCU/WCUs at the table level, not the partition level. 3. On-demand capacity pricing option will autoscale RCU/WCUs according to the demand at the time. The other one is the provisioned throughput option. There are a few downsides to DynamoDB that you should consider before choosing to use it in your production applications. Strong vendor lock-in. DynamoDB is a proprietary solution and doesn’t have an open-source version, so if you ever decide to move away from using DynamoDB, you’ll be looking at a significant amount of work migrating to a different database solution. Some functionality, such as DynamoDB Streams, might be particularly hard to rebuild in a different database. The cost structure can backfire with large datasets. There are two pricing options for DynamoDB: the on-demand option and the provisioned throughput option. While the on-demand pricing is a good fit for applications with “spiky” usage and relatively low average traffic, as average usage increases the on-demand pricing structure can become quite expensive. No built-in caching. DynamoDB requires the access to your data to be mostly uniform. If you access a certain segment of your data (like the most recent entries) much more than others, you won’t have an out-of-the-box way to cache these recent items—excepting of course the DynamoDB Accelerator, which is proprietary and adds to your costs. No support for JOIN operations. DynamoDB’s design doesn’t allow you to join data from across multiple tables. So if you need the data from multiple tables for a single operation, you’ll find DynamoDB to be more expensive, slower and more complicated for implementing JOINs than with a relational datastore.

Answer 469

MQ supports global brokers where brokers are deployed in AZs in multiple regions while keeping the entire Queue in sync.

Answer 470

NACLs cannot reference other resources, only ports and IP ranges. Security Groups, however, can refer to the ID of another security group to allow traffic from it. Me: NACLs does not provide traffic control inside a subnet. It only controls in/out bound traffic between subnets.

Answer 471

1. Simple, limited feature set - Memcached 2. Vertical Scaling - Memcached: supports multi-threading 3. Horizontal Scaling (read) - Redis 4. HA - Redis: replicate to other nodes 5. Backup/Restore - Redis 6. Rich feature set - Redis 7. Transaction - Redis 8. Geo-special data type - Redis

Answer 472

SQS FIFO supports up to 300 messages per second with guaranteed ordering and no duplicates. Me: 1. Identify significant points. a) messages need to be in order of delivery b) no message duplication c) 6,000 message per minute ==> 100 per second

Answer 473

1. The owner enters registration information into the ACM form including the domain name. 2. ACM validates the domain name using R53 or your other registrar. 3. Once validated, ACM issues the certificate containing public and private keys. Private key is encrypted using KMS. 4. The certificate is now available to any AWS integrated service. 5. When these services need to use the private key to decrypt content, they use KMS to decrypt the key, hold it in memory, and use it to decrypt the public key encrypted content.

Answer 474

it’s a message broker based on Apache MQ. It supports the JMS API or protocol such as AMQP, MQTT, OpenWire or STOMP. It can function as a queue or topic and supports cardinality of 1:1 or 1:n. Me: 1. Supports many industry standard protocol 2. Supports message topic and message queue 3. Supports multiple regions and keeping messages in sync using global brokers 4. Supports HA (Active/Standby in multiple AZs)

Answer 475

You’re assigning it to the primary network interface, not the instance.

Answer 476

This is the reserved VPC address for the R53 resolver in the VPC.

Answer 477

Only NACLs can deny traffic. Security groups cannot. Security groups deny by default, but allow by rule.

Answer 478

1. Install the CloudWatch agent on the EC2 instance. 2. Configure it to tail the logs in /var/logs. It will pick up each entry in the log file and send them as Log events using a Log Stream.

Answer 479

4 KB/Sec. That can be five read operations of 4K or less, one or more operations of more than 4K. Also, Dynamo caches up to 300 CUs so that they’re available for spikes.

Answer 480

1. Metadata about network traffic into or out of the VPC, including address, port, protocol and more. 2. Logs do not include information about license activation, DNS and DHCP requests. 3. This is not a network monitor.

Answer 481

Every 6-8 hours or every 5GB of data change, whichever comes first. Amazon Redshift now provides more control over snapshots Posted On: Apr 4, 2019 Amazon Redshift automatically takes incremental snapshots (backups) of your data every 8 hours or 5 GB per node of data change. You now get more information and control over a snapshot including the ability to control the automatic snapshot's schedule. Amazon Redshift now provides the ability to: View snapshots that are not associated to any cluster so you can remove unnecessary snapshots Bulk-delete snapshots to allow you to quickly delete unnecessary snapshots and reduce your S3 storage needs Control your cluster's automatic snapshot schedule using the snapshot scheduler. The snapshot schedule can be configured with a cron style granularity via an API or with the AWS Management Console. You can create a schedule and attach the schedule to your cluster to have full control of when automated snapshots are taken.

Answer 482

it can reduce ACUs to zero if there is not demand, reducing costs. Me: Aurora Serverless maintains a warm pool of ACUs, and it moves the ACUs in or out of the warm pool into your cluster to match the demand changes.

Answer 483

You can create a new version of an application and environment. You can then choose to swap URLs so that the new version gets the production URL.

Answer 484

Define the updates to the ticket availability and the purchase steps as a transaction. That way DynamoDB commits all the updates as a single atomic unit.

Answer 485

Metrics and Alarms

Answer 486

Use on-demand capacity reservations. No up-front, but you get the capacity when you need it.

Answer 487

This is the reserved IP address for the R53 Resolver in a subnet of a VPC.

Answer 488

DynamoDB enables Adaptive Capacity by default. This allocates RCU/WCUs dynamically across partitions while still staying below the total hard limit of the table. Me: DynamoDB accommodates your workload, not vice versa Partitions don‘t matter； individule keys do Swith capacity modes in order to optimise cost and performance。 Use provisioned mode 1. Steady workloads 2. Gradual ramps 3. Events with known traffic 4. Ongoing monitoring Use on-demand mode 1. Unpredictable workloads 2. Frequently idle workloads 3. Events with unknown traffic 4. “Set it and forget it”

Answer 489

local db users or IAM

Answer 490

VPC Peering is not transitive. VPC B needs to have a VPC Peering connection to VPC C.

Answer 491

Create a private endpoint in each of the VPC that need to exchange data via KDS.

Answer 492

Put reference data in S3 then define a reference table that enables the SQL query to treat the lookup data as a table.

Answer 493

Better performance since the traffic is over the AWS network. Also, more secure since the request never leaves the AWS network.

Answer 494

Single node cluster, leader node and core node share the same instance. Two-node cluster, leader is on a node on an instance by itself - the third instance added for free.

Answer 495

A graph database. Neptune is a graph DB that’s highly scalable with 15 read replicas across three AZs in a region. It can hold up to 64 TB of data with encryption at rest.

Answer 496

Enable Management events (default) when configuring a Trail. Me: Create a Trail and enable it to capture global IAM events during the creation.

Answer 497

A small function that does something narrow and well. Accept an input, and produce an output. Me: thinking micro-service architecture.

Answer 498

Guard Duty uses ML to monitor a number of AWS data sources, such as VPC flow logs, R53, CloudTrail, threat intel, CloudWatch events, account activity. It generates findings into the Guard Duty console. A trusted IP list excludes these IPs from Guard Duty scanning. Threat lists tell GD additionally what to watch across all accounts.

Answer 499

1. ElasticSearch (Lucene) 2. Logstash or Beats 3. Kibana for visualisation.

Answer 500

ElasticSearch clusters run in a dedicated network not part of the customer’s account. For private VPC access, ElasticSearch will expose itself to the customer VPC using interface endpoints. The customer can assign a security group to the cluster. For public access, the cluster is accessible via internet.

Answer 501

1. One DX, one VPN over internet | 2. Two DX-separate customer routers, separate links to DX location, Separate DX location routers.

Answer 502

Parameter groups and option groups provide the parameters admins need.

Answer 503

1. Instances, 2. IP addresses 3. A Lambda function. Instance or IP addresses can include EC2 instances, ECS or EKS containers.

Answer 504

Ok Alarm Insufficient data

Answer 505

you don’t configure capacity on Aurora Serverless. You configure Aurora Capacity Units (ACUs) which are 1 CPU and 2 GB of RAM. Me: the above seems no longer correct. Capacity Settings - Minimum Aurora capacity unit: You set the minimum capacity unit for the DB cluster. Each capacity unit is equivalent to a specific compute and memory configuration. Based on the minimum capacity unit setting, Aurora Serverless automatically creates scaling rules for thresholds for CPU utilization, connections, and available memory. Aurora Serverless reduces the resources for the DB cluster when its workload is below these thresholds. Aurora Serverless can reduce capacity down to the minimum capacity unit Capacity Settings - Maximum Aurora capacity unit: You set the maximum capacity unit for the DB cluster. Each capacity unit is equivalent to a specific compute and memory configuration. Based on the maximum capacity unit setting, Aurora Serverless automatically creates scaling rules for thresholds for CPU utilization, connections, and available memory. Aurora Serverless provides more capacity for the DB cluster from warm pool of resources when its workload is above these thresholds. Aurora Serverless can increase capacity to the maximum capacity unit. Me - the above referring to compute capacity only. me: The minimum storage is 10GB. Based on your database usage, your Amazon Aurora storage will automatically grow, up to 64 TB, in 10GB increments with no impact to database performance.

Answer 506

The customer has a hardware gateway, usually a router, with IPSEC VPN capability and static or dynamic routing. The AWS side needs a Virtual Private Gateway, which is the endpoint of the VPN tunnel, attached to a VPC. Many Customer Gateways can attach to a VPGW.

Answer 507

Provisioned Aurora, Parallel Query or Serverless

Answer 508

Use a Lambda function pre-processor on the KDA application. The Lambda function can inspect each message and add any missing fields fields with default values.

Answer 509

1. None (Linux) 2. Bridge (Linux) 3. Host (Linux) 4. AWS VPC 5. NAT - windows only Bridge - allow all containers to interact with internal networking to the host. Host - map containers to host networking; e.g. map container port 80 to host port 80; can only run one container on a host with the same host networking requirement. AWS VPC - map a VPC ENI to a container task. This is how Farget works. If using EC2 mode, this can produce a lot of ENIs. Some EC2 instance types have ENI limits, so the ECS may only be able to launch a few containers. These networking types are for Linux. For Windows, the only networking type is NAT.

Answer 510

Enable the Data API to expose the REST APIs of the database through the Proxy layer.

Answer 511

Very low latency connections and REST APIs for queries. Also, it doesn’t involve cluster infrastructure running in a customer’s environment. me: Aurora Serverless can only be connected via PrivateLink inside a VPC. It does not accept public IP address. It supports REST APIs through the proxy layer without needing connection strings for db query. Enable the Data API to expose the REST APIs of the database. Limitations of Aurora Serverless The following limitations apply to Aurora Serverless : Aurora Serverless is available for the following: Aurora MySQL version 1, compatible with MySQL version 5.6. Aurora MySQL version 2, compatible with MySQL version 5.7. Select Aurora MySQL version 2.07.1 to be able to use Aurora Serverless with MySQL 5.7 compatibility. Aurora with PostgreSQL version 10.7 compatibility. The port number for connections must be: 3306 for Aurora MySQL 5432 for Aurora PostgreSQL You can't give an Aurora Serverless DB cluster a public IP address. You can access an Aurora Serverless DB cluster only from within a virtual private cloud (VPC) based on the Amazon VPC service. Each Aurora Serverless DB cluster requires two AWS PrivateLink endpoints. If you reach the limit for AWS PrivateLink endpoints within your VPC, you can't create any more Aurora Serverless clusters in that VPC. For information about checking and changing the limits on endpoints within a VPC, see Amazon VPC Limits. A DB subnet group used by Aurora Serverless can’t have more than one subnet in the same Availability Zone. Changes to a subnet group used by an Aurora Serverless DB cluster are not applied to the cluster. A connection to an Aurora Serverless DB cluster is closed automatically if it stays open for longer than one day. Binlog-based replication isn't supported for Aurora Serverless DB clusters. Aurora Serverless doesn't support the following features: Loading data from an Amazon S3 bucket Saving data to an Amazon S3 bucket Invoking an AWS Lambda function with an Aurora MySQL native function Aurora Replicas Backtrack Multi-master clusters Database cloning IAM database authentication Restoring a snapshot from a MySQL DB instance Amazon RDS Performance Insights Amazon Aurora Serverless is an on-demand, autoscaling configuration for Amazon Aurora. An Aurora Serverless DB cluster is a DB cluster that automatically starts up, shuts down, and scales up or down its compute capacity based on your application's needs. Aurora Serverless provides a relatively simple, cost-effective option for infrequent, intermittent, or unpredictable workloads. It can provide this because it automatically starts up, scales compute capacity to match your application's usage, and shuts down when it's not in use.

Answer 512

1. Event driven 2. Capable of scaling from very low capacity 3. Pay only for the usage.

Answer 513

1. Effect 2. Action 3. Resource Optionally 4. Condition

Answer 514

It uses Streams to capture all changes to one table to the other tables in other regions. You configure a Global Table by enabling Streams (Old and New), then by adding Regions where you want to replicas. All tables are masters and stream their changes to the other replicas. All the tables in different regions need to be added in the same replication group.

Answer 515

Configure Trails to deliver events to S3. Also enable file encryption and validation to protect the files from tampering.

Answer 516

Only if versioning is enabled, S3 creates new versions with the same name. Objects have object IDs that are unique. Versions can live in different storage tiers in S3 using lifecycle policies. Delete action mark object for deletion. Me: the short version When versioning is enabled, a simple DELETE cannot permanently delete an object. Instead, Amazon S3 inserts a delete marker in the bucket, and that marker becomes the current version of the object with a new ID. (Each object version deletion can be achieved by version expiration) The NoncurrentVersionExpiration action applies to noncurrent object versions, and Amazon S3 permanently removes these object versions. You cannot recover permanently removed objects. For more information, see Object lifecycle management. The longer version: You can delete object versions whenever you want. In addition, you can also define lifecycle configuration rules for objects that have a well-defined lifecycle to request Amazon S3 to expire current object versions or permanently remove noncurrent object versions. When your bucket is version-enabled or versioning is suspended, the lifecycle configuration actions work as follows: The Expiration action applies to the current object version and instead of deleting the current object version, Amazon S3 retains the current version as a noncurrent version by adding a delete marker, which then becomes the current version. The NoncurrentVersionExpiration action applies to noncurrent object versions, and Amazon S3 permanently removes these object versions. You cannot recover permanently removed objects. For more information, see Object lifecycle management. A DELETE request has the following use cases: When versioning is enabled, a simple DELETE cannot permanently delete an object. Instead, Amazon S3 inserts a delete marker in the bucket, and that marker becomes the current version of the object with a new ID. When you try to GET an object whose current version is a delete marker, Amazon S3 behaves as though the object has been deleted (even though it has not been erased) and returns a 404 error.

Answer 517

AWS WAF is a layer 7 firewall that can run in front of CloudFront, API Gateway or ELB. It combines conditions and rules then use a web ACL to grant or deny traffic.

Answer 518

Reliable, ordered messaging, message groups, composite messaging and more. Me. 1. Amazon MQ can be deployed into customer’s VPC 2. With global message broker, messages can be synchronised across regions around world. 3. It supports industry protocols for pub/sub best suited for compatibility for cloud migrating 4. supports message topics and message queue.

Answer 519

You restored from a backup that had the old RCU provisioning. Backup contain the data and the database settings. What are the signanificant points? 1. Database is a previous version 2. Performance dropped Question: 1. does the number of RCUs configuration is stored with the database? When a database is restored, the old configuration is restored at the same time? 2. more table partitions with the old database than the new one, and the adaptive capacity is not enabled? Based on the offical answer, the RCU configuration is not part of the database. It is the backup process that backs up the database and its associated settings.

Answer 520

Configure a Trail to stream to a CloudWatch Log Group.

Answer 521

CF generates an event stream. Users can view the events in the CF console. Also, CF can send the events to SNS where applications and dashboards can subscribe to the events.

Answer 522

Query filter does not inference the amount of data the query results returned.

Answer 523

In private and public VPCs, edge locations, and any region. Me: in the API Gateway console, there are three chooses: 1. Regional (can be behind CloudFront or facing the public internet directly) 2. Edge Optimised (internet —> [CloudFront Distribution —> Edge Location](API Gateway Managed) —> [API Gateway] (region)) 3. Private （caller is from a VPC)

Answer 524

Only if versioning is enabled. S3 creates new versions with the same name. Objects have object IDs that are unique. Versions can live in different storage tiers in S3 using lifecycle policies. Delete actions mark objects for deletion.

Answer 525

CF generates an event stream. Users can view the events in the console. Also, CF can send events to SNS where applications and dashboards can subscribe to the events.

Answer 526

4KB/sec. that can be five read operations of 4KB or less, one or more operations of more than 4KB, Dynamo caches up to 300 CUs so that they are available for spikes. Each RCU read 4KB data per second, as such 5 RCUs can at max read 20KB data per second in five read operations.

Answer 527

Applications and required library versions

Answer 528

Put reference data in S3 then define a reference table that enables the SQL query to treat the lookup data as a table.

Answer 529

Stack Sets enables an account administrator to run the Stack templates across multiple accounts and regions. The two sides of the transaction are the Admin account and Target account. It also requires two defined roles: AWSCloudFormationStackSetAdministrationRole and AWSCloudFormationExecutionRole.

Answer 530

Use an OpsWorks stack and compose the web tier using the ECS cluster. Compose the other tiers natively in OpsWorks.

Answer 531

It creates an environment (based on web application or worker application) and deploys your application version into that environment. CF creates stacks, which precision AWS resources (create, update, delete), but NOT applications.

Answer 532

Cross Origin Resource Sharing. It is a security control that enables the resource owner to allow or deny resources sharing with request coming from a different origin.

Answer 533

Every VPC has exactly one. It consumes one RFC 1918 IP address. It’s +1 of the subnet’s IP address.

Answer 534

Set a TTL against each record, DynamoDB will delete the items after the TTL is past.

Answer 535

Aurora Global Database replicates cluster volume data from on region to a cluster volume in another in less than 1 second. Replicas in other region attach to that region’s cluster volume for low-latency read replicas. They can promote to Master in less than one minute. This is lower latency and faster promotion time than MySQL cross-region read replication.

Answer 536

Long-running Clusters and Data warehouses on-demand on-demand or instance-fleet mix Spot or instance fleet mix Cost-Driven workloads Spot Spot Spot Data-Critical workloads on-demand on-demand Spot or instance-fleet mix Application testing Spot Spot Spot.

Answer 537

In a multi-master cluster, all DB instances can perform write operations. There isn’t any failover when a write operations. There isn’t any failover when a writer DB instance becomes unavailable, because another writer DB instance is immediately available to take over the work of the failed instance. We refer to this type of availability as continuous availability, to distinguish it from the high availability (with brief downtime during failover) offered by a single-master cluster.

Answer 538

It’s in the VPC you specify when creating the cluster. Aurora Serverless allocates ACUs into your cluster from a warm pool it maintains for all customners. The proxy manages connections from your applications to the cluster and movement of the ACUs in and out of your VPC. The proxy also manages migrating cache data from one ACU to another when capacity changes. Keep in mind, Serverless uses the same Cluster Storage Volume tier that Aurora uses., so Serverless is only managing the compute tier Shinae the storage tier is already serverless and multi-tenant.

Answer 539

1. Legal holds 2. Retention polices This prevents objects from deletion. Versioning must be enabled. Object locks must set at the item of creating the bucket.

Answer 540

You need to provision a HSM device in your own data centre. CloudHSM is not physically accessible. CloudHSM is a dedicated tenancy solution running on shared infrastructure, similar to EC2.

Answer 541

Reference a resource option. Elsewhere in the script, enumerate all the valid values for that option. Optionally, provide a default so that the user doesn’t have to make a choice.

Answer 542

1. Owner 2. Launch Permissions 3. OS 4. Architecture 5. Block device mapping of all volumes Once created, the AMI creates snapshots of any EBS volumes described in the AMI and holds pointers to them. If the instance type uses instance volumes, the AMI creation bundles the instance definition and instance store into files and saves them to S3.

Answer 543

Use the AWS VPC network mode. Configure the security group that the container’s VPC uses to control what traffic gets in and out.

Answer 544

``` CloudFormation provision (create, update, delete) AWS resources but it not applications. EBS creates an environment (based on web application or worker application) and deploys your application version into that environment. ``` EBS is a layer on top of CloudFormation and abstracts the underlying infrastructure details.

Answer 545

1. Amount of RCU/WCU capacity units consumed by applications 2. total size of data in the database. an RCU is 4KB in charges. A WCU is 1 kB in charges. A read or write operation consumes RCUs/WCUs no mater how small the amount of data. And queries always consume an entire item, even if the statement only wants one column. The only way to restrict the amount of data returned by a read query is to specify a PK and optionally a sort key, filtering the amount of data Dynamo returns. Serverless: number of requests.

Answer 546

It doesn’t. It’s single AZ. You need to create multiple FSx in two or more AZ and do replication, such as DFS. Even multi-region.

Answer 547

Applications and memory and file systems. Need to install CloudWatch agent on the EC2 instance to provide the metrics data.

Answer 548

Public message to $aws/rules/rulename which sends the message directly to an IoT Rule without the pub/sub features of IoT topics.

Answer 549

Use the Permissions of the stack to grant, deny, show, manage, or delegate to the user’s IAM privileges over resources.

Answer 550

HVM uses newer generation of CPUs that allow guest OSs to interact with memory, CPU, network, local storage, and motherboard bypassing hypervisor. Unlike paravirtualisation, HVM avoids emulatio, speeding up performance of guest OSs. Nitro, introduced in 2017, bring in hardware virtualisation to all expects of the guest OS access to the hardware, resulting a near bare metal performance.

Answer 551

They are uni-directional request/response calling patterns that use HTTP semantics with query string arguments. Behind the API, a service performs a task and returns to the caller.