AWS Flashcards

1
Q

Check the ECR repository?

A

aws ecr describe-images --repository-name telematics/gmonstarparser

if image tags are needed:

aws ecr describe-images --repository-name telematics/gmonstarparser --image-ids imageTag="2021.06.14-RC-1.0.47"

2
Q

How to add tags to AWS ECR image?

A

MANIFEST=$(aws ecr batch-get-image --repository-name dockerhub/amd64/ubuntu --image-ids imageTag=16.04 --query 'images[].imageManifest' --output text)

aws ecr put-image --repository-name dockerhub/amd64/ubuntu --image-tag "test_$(date +%y%m%d.%H%M)" --image-manifest "$MANIFEST"

3
Q

How to log into kubernetes using AWS credentials?

A

export KUBECONFIG=/opt/kubeconfig/kube.config

aws eks update-kubeconfig --name fc-dev

4
Q

Check tags of an AWS ECR Image

A

aws ecr describe-images --repository-name fcpls/xyz --image-ids imageTag=dev.1234

5
Q

IAM Group
IAM Users
IAM Role

A

Role - assumed by trusted entities - used for delegation.

Root user - has complete administrative access.
Max 5000 users per account.

Groups can't be nested.

IAM users can assume a role.

All permissions are implicitly denied by default.

6
Q

Authentication methods

A

Signing certificate can be used for authentication for some services.

7
Q

AWS Security Token Service

A

Requests limited-privilege, temporary credentials for IAM or federated users.
Global service: sts.amazonaws.com
All regions are enabled.

8
Q

Billing Alarm

A

Only the root user can update anything related to billing.

Billing preferences > Receive Billing Alerts > CloudWatch > Specify conditions > SNS

9
Q

Locations

A
Region
    Availability Zone
Edge Location - cache
Regional Edge Location - sits between AWS regions and edge locations
Global network
10
Q

VPC

A

Logically isolated network assigned to the user within a region.
172.31.0.0/16
One default VPC is created in every account.
A default route table and internet gateway are added.
3 subnets are created in each AZ.

11
Q

Route 53

A

Domain Name Service

DNS management
Traffic check
Availability check
Domain name registration

12
Q

EC2

A

Elastic Compute Cloud
General purpose - T, M

Reserved instance - 1 - 12 or 12 - 36 months
Spot Instances
Savings Plan
Dedicated Hosts
Scheduled Instances
Capacity Reservations

Limits - increase with Support ticket

13
Q

EBS

A

Block storage used for EC2
io1
gp2

14
Q

AMIs

A
Amazon Machine Image = Launch Permissions + Snapshots + Block Device Mapping
15
Q

EC2 Instance Metadata

A

Information that can be used to configure the application on the instance.

http://169.254.169.254/latest/meta-data/

16
Q

EC2 User Data

A

Execute commands to configure the instance at the time of launch.

http://169.254.169.254/latest/user-data/

17
Q

EC2 Instance Status Check and System Status Check

A

Instance - customer responsibility
System - AWS responsibility

For a system check failure - stop and then start the instance - this moves it to a different host machine.

18
Q

EC2 detailed Monitoring

A

Metric frequency changes from 5 minutes to 1 minute.

19
Q

IP Addresses

A

Public IP - lost when the instance is stopped.
Private IP - lost when the instance is terminated.
Elastic IP - charged when not in use. Associated with the private IP. Can be transferred to other resources.

The EC2 instance doesn't know anything about its public IP.

20
Q

Internet Gateway

A

1:1 NAT gateway.

Translates the public IP to the private IP.

21
Q

Jumphost/Bastion - Agent Forwarding

A

ssh-add -K xyz.pem
ssh -A ec2-user@
ssh ec2-user@

Use Pageant on a Windows machine.

22
Q

NAT instances and Gateways

Network Address Translation

A
Instance is managed by the customer
Manual scaling
Not HA
Assign a Security Group
Needs an Elastic IP
Enable port forwarding; disable the Source/Destination Check
23
Q

Placement Groups

A
  1. Cluster - close together, tightly coupled.
  2. Partition - spread across logical partitions, groups of partitions, do not share resource. (Max 7 per AZ)
  3. Spread - Reduce correlated failure - distinct underlying hardware.
24
Q

Elastic Load Balancing

A
Application
layer 7 http https
path, host, query string, parameter, sourceIP based routing
Targets - IP, Lambda, Containers
Sticky sessions

Network
layer 4 tcp udp tls
High performance, low latency, TLS offloading
static IP
UDP, IP address as target.
Connection timeout can't be defined
Assign elastic IPs for each node in an AZ

Classic
Layer 4 or layer 7
Old/deprecated
Connection Timeout can be defined

25
Q

S3

A
Object storage service:
Key
Version ID
Value
Metadata
Subresources
Access Control Information

Name has to be unique
Region specific

26
Q

EC2 Access to S3

A

EC2 Assume Role

Instance setting - attach role - created in previous step.

27
Q

Auto Scaling for Load Balancer

A

CloudWatch monitors the parameters
e.g. CPU > 80% > Scaling group

  1. Create Launch configuration group (Can’t be modified)
  2. Create Auto Scaling group
    i. keep group at initial size OR
    ii. Scaling policies:
    a. ALB request per count
    b. Average CPU
    c. Average network IN
    d. Average network OUT
  3. Scheduled action to increase instances.

The cooldown period is a configurable setting for your Auto Scaling group that helps to ensure that it doesn’t launch or terminate additional instances before the previous scaling activity takes effect so this would help. After the Auto Scaling group dynamically scales using a simple scaling policy, it waits for the cooldown period to complete before resuming scaling activities.

28
Q

Scaling policies for Load Balancer

A
  1. Target Tracking Scaling
  2. Simple scaling policy
  3. Step scaling policy
    i. create an alarm
    ii. specify action when alarm is triggered

Note: Step scaling the policy can continue to respond to additional alarms, even while a scaling activity or health check replacement is in progress.

29
Q

Launch Templates and Launch Configuration

A

LC can’t be modified once created.
To change, create a copy and modify it.

LT is versioned. To edit, a new version of template can be created.

30
Q

Auto Scaling health checks

A

Configure the ASG to use ELB health checks. Otherwise, if the ELB can't connect to an instance, the ASG won't create a new instance.

31
Q

Cross zone load balancing

A

When disabled, the load balancer doesn't consider whether one AZ has more instances; both AZs get equal traffic.

When enabled, all instances get the same amount of traffic, irrespective of AZ.

32
Q

ELB for private instances

A

Configure ELB on Public subnet, then create target group, for corresponding AZ private subnet.
Note, ELB in Public subnet in AZ A cannot serve traffic to Instance in private subnet in AZ B.

33
Q

Proxy Protocol Header

X-Forwarded-For Header

A

PPH - works on layer 4
XFF - works on layer 7

Used for passing the source IP address to the application.

34
Q

Security groups

A

Stateful in nature.
All rules are evaluated.
Attached to the ENI, so rules can use other security groups as source and destination.
Can only define allow rules, can’t define deny rules.
SG membership can be changed while instance is running.

35
Q

NACL

A

Network Access Control List

Attached to a subnet; mandatory to have at least 1 NACL on each subnet.
Rules are processed in order and the first match is used.
Can define allow or deny rules.
Stateless
Doesn't affect traffic if both instances are in the same subnet.
Default NACL has everything allowed. Custom NACL has all deny.

Used to block traffic, e.g. malicious IPs.

36
Q

VPC Peering Connections

A

Connects 2 VPCs so they can communicate over the private network.
Doesn't support transitive connections.

37
Q

Transit Gateway

A

Central gateway to route multiple CIDRs over multiple networks.

38
Q

VPC Endpoint Services

A

In destination VPC, we create an Endpoint service, and then on the source VPC we create an Endpoint.

Interface endpoint is an elastic network interface that allows a private IP address in a subnet to connect VPC resources to a number of AWS services, such as CloudFormation, Elastic Load Balancers (ELBs), SNS, and more.

Gateway endpoint is a target for a route in a route table to connect VPC resources to S3 or DynamoDB. Traffic is then routed from instances in a subnet to one of these two services.

39
Q

Virtual Private Gateway

Customer Gateway

A

VPC side of VPN connection - Virtual Private Gateway

Customer side of VPN connection - Customer Gateway

40
Q

Router

A

Connects all the networking components; traffic is governed by route table rules.

41
Q

Egress only Internet Gateway

A

Stateful gateway to provide egress-only access for IPv6 traffic.

42
Q

VPC

A

CIDR from /16 to /28
Can't be changed once created.
CIDRs can't overlap.

43
Q

Subnet

A
Should be within the VPC CIDR.
Can't be updated once created. Automatically associated with the default route table.
Can't span multiple AZs.
CIDR can't overlap with another subnet.
The first 4 IPs and the last IP are reserved:
172.31.10.0/24 - Network
172.31.10.1 - Gateway/Router
172.31.10.2 - DNS server
172.31.10.3 - Future use
172.31.10.255 - Network broadcast
44
Q

Connecting to VPC

A
AWS Managed VPN
AWS Direct Connect - not encrypted.
AWS Direct Connect + VPN - encrypted
AWS VPN Cloud Hub
Software VPN
Transit VPC
VPC Peering
AWS PrivateLink
VPC Endpoints
45
Q

VPC Sharing

A

Subnets can be shared with other AWS accounts within same AWS Org.

46
Q

VPC Flow logs

A
Captures IP traffic to and from the network.
Stored in CloudWatch Logs.
1. VPC
2. Subnet
3. Network Interface
47
Q

CORPS

5 pillars

A
Cost Optimization
Operation Excellence
Reliability
Performance
Security
48
Q

Route 53

A

Possible to have Domain registered in 1 account and have hosted zone in another AWS account.
Domain can be migrated to other providers using support team.

Hosted zone is collection of records.

Public zone
Private hosted zone - needs enableDnsHostnames and enableDnsSupport

Alias records are Route 53 specific, free of charge, and can point at the domain apex as well, e.g. amazon.com

A record - 169.254.169.254
CNAME - my.amazon.com

Traffic Flow - create routing configurations - for complex scenarios where multiple policies are required.

Resolver - used in hybrid cloud

49
Q

Route 53 Health Checks

A
  1. check instance health by connecting to it.
  2. Pointing to Endpoints
  3. Status of other health checks.
  4. Status of Cloudwatch Alarms.

Endpoints can be IP or domain names.

50
Q

Route 53 Routing Policies

A
  1. Simple - multiple, round robin, no health check
  2. Failover - active-passive
  3. Geolocation
  4. Geoproximity
  5. Latency
  6. Multivalue - upto 8 responses.
  7. Weighted
51
Q

AWS Global Accelerator

A

Improves availability and performance of applications.

Provides static IP addresses that act as fixed entry points to the application.

Uses Edge locations - they are associated with regional AWS resources/endpoints

AWS Global Accelerator uses the vast, congestion-free AWS global network to route TCP and UDP traffic to a healthy application endpoint in the closest AWS Region to the user.

This means it will intelligently route traffic to the closest point of presence (reducing latency). Seamless failover is ensured as AWS Global Accelerator uses anycast IP address which means the IP does not change when failing over between regions so there are no issues with client caches having incorrect entries that need to expire.

52
Q

S3

A

Key-based object store
Object size 0 - 5TB
Single PUT max size 5GB
Objects >100MB can use multipart upload.
Read-after-write consistency for PUT of new objects.
Eventual consistency for overwrite PUT and DELETE

= Key, Value, VersionID, Metadata, ACL.

100 buckets per account
Unlimited objects per bucket
Region specific
Nested bucket is not possible

53
Q

S3 Features

A
Transfer Acceleration
Requester Pays
Tags
Events
Static Web Hosting
Bit Torrent
54
Q

S3 Sub-resources

A
  1. LifeCycle
  2. Website
  3. Versioning
  4. ACL
  5. Bucket Policies
  6. Cross Origin Resource Sharing (CORS)
  7. Logging
55
Q

S3 Storage Classes

A
1. Standard
2. Intelligent Tiering
3. Standard IA
4. One Zone IA
5. Glacier
6. Deep Archive
56
Q

CloudFront:

  • what components?
  • what are the origins?
  • types?
  • geo-restriction uses.
A

Distributes content with low latency and high data transfer speeds
Global service with ingress to upload objects and egress to distribute content
= Regional Edge Cache + Edge Locations

Origin - S3, EC2, ELB, R53

  1. Web Distribution - http/s; add, update, delete objects
  2. RTMP - streaming

CloudFront geo restriction feature to do one of the following:
• Allow your users to access your content only if they’re in one of the countries on a whitelist of approved countries.
• Prevent your users from accessing your content if they’re in one of the countries on a blacklist of banned countries.

57
Q

OAI Origin Access Identity

A

Used to restrict access to content on S3. - only CloudFront can connect to S3.

58
Q

Cloud Front costs are?

A
1. Data OUT to Internet
2. Data OUT to origin
3. Number of HTTP/S requests.
4. Invalidation requests
5. Dedicated IP
59
Q

EBS vs Instance Store

A

Elastic Block Store

Doesn't need to be attached to EC2.
Cannot attach to multiple instances.
Replicated across multiple locations within AZ.
EC2 and EBS have to be in same AZ

Note:
Instance Store - non-persistent block storage
Can be root or additional volume.
Located physically on the host running the instance.
Can be used for buffers and caches.
Instance-backed EC2 instances can’t be stopped. - Data will be lost.

60
Q

EBS types

A

Max IOPS per instance is 80,000

io1
  high performance SSD
  4GB to 16TB
  64,000 Max IOPS
  1000 MB/s Max t/p
gp2
  general purpose SSD
  1GB to 16TB
  16,000 Max IOPS
  250 MB/s Max t/p
st1
  throughput optimized HDD
  500GB to 16TB
  500 Max IOPS
  500 MB/s Max t/p
sc1
  cold HDD
  500GB to 16TB
  250 Max IOPS
  250 MB/s Max t/p
61
Q

EBS vs snapshots

A

EBS stored on multiple disks in an AZ while snapshots are stored in S3.
Snapshots are easier to store.
Snapshots do not provide granular backup solution.
EBS are AZ specific, while snapshots are region specific.

62
Q

How to copy AMI to another account

A

On AMI configuration enter the Account number that is allowed.
Then on the KMS key policy, permit the account number to grant/read permissions.
Then on the destination account, we will see the AMI.

63
Q

EFS - Elastic File System

A

File storage - this is not block storage.
It's a fully managed service.
NFS v4.1 protocol
Pay for what is used.
Multi-AZ, and the mount points can be in 1 or many AZs
Using Direct Connect or VPN, it can be mounted from on-premises systems.
EFS File Sync Agent - existing file systems can be synced with EFS
EFS is elastic - grows and shrinks as data is added/removed.
Multiple EC2 instances can connect to 1 EFS
Option - general purpose or Max I/O
Provides strong consistency and file locking
Data stored across multiple AZs
Data at rest and in transit - TLS 1.2

64
Q

EFS Access control

A

IAM is used for administration of EFS itself.
For files and directories - POSIX compliant user and groups are used.
EFS security groups act as firewall.

65
Q

Amazon FSx

A

Fully managed 3rd party file systems.
Native compatibility of third-party file systems = Windows-based storage, high performance computing, machine learning, electronic design automation.
Types:
- Windows File Server
- Lustre for compute intensive workloads.

66
Q

Amazon FSX Windows File Server

A

Built on Windows Server, with native features used by Microsoft - SMB, NTFS, AD integration
Uses SSD
Applications: home directories, media workflows
Supports ACLs, shadow copies, user quotas
NTFS can be accessed from multiple instances using the SMB protocol.
Support access via AWS Direct Connect/AWS VPN
Encryption at Rest and in-transit
ISO, PCI-DSS, SOC, HIPAA
Data is replicated within an AZ.
Optional multi AZ - active standby setup.
Supports Distributed File System Replication (DFSR) in both Single-AZ.

67
Q

Amazon FSX for Lustre

A

Data is stored on s3 long term
Data is presented via fast scalable file system interface.
Accessible over Direct Connect and VPN

68
Q

Storage Gateway - File Gateway

A

Virtual on-premises file server - store and retrieve files as objects in S3
OnPremises and EC2 can use this file storage.
Flat files directly stored in S3
SMB (v2-v3, Windows) or NFS (v3-v4, Linux) based.
Max file size 5 TB

Note: The file gateway should be used to replace the NFS file systems as it uses NFS.

69
Q

Storage Gateway - Volume Gateway

A
Block based volumes.
iSCSI based
Cached Volume - data stored in S3, cache is on-site
- 32TB  per volume max
- 1PB per gateway max
Stored Volume - data is stored on-site - backup async s3
- 16TB per volume max
- 512TB per gateway max
Tape Gateway

Note: The AWS Storage Gateway volume gateway should be used to replace the block-based storage systems as it is mounted over iSCSI

70
Q

Elastic Container Service

A

Scalable, high performance - container management service - supports only Docker Container.
No additional charge for ECS.
AWS specific platform - different from EKS
Types
- Fargate - serverless
- EC2 - responsibility of customer

ECS Tasks:

  • task definition is reqd to run containers on ECS
  • task definition - text file in JSON format - max 10 containers.

ECS Cluster:

  • logical grouping of containers.
  • service provide auto scaling.
  • region specific

ECS Container Agent

  • required on EC2 instance
  • ECS optimized AMIs are present.

ECS Auto Scaling
- target tracking and step scaling policies

Cluster Auto Scaling

  • Capacity Provider
  • Managed Scaling
  • Managed instance termination protection
71
Q

Lambda

A

Serverless code execution
Triggered by events
Need to define the memory
CPU power is proportional to memory
Can access other services.
64MB to 3008 MB in 128 MB increment.
Functions larger than 1536MB get multiple CPU threads
Max timeout of Lambda 15mins-900secs.
Default timeout 3secs.
Event sources maintain mapping configuration - source defines which lambda to call.
While DynamoDB and Kinesis - need lambda to poll them.
Manage and deploy serverless applications using AWS Serverless Application Model. SAM

72
Q

Amazon API Gateway

A
Collection of resources and methods integrated with backend HTTP endpoints/Lambda functions.
Uses CloudFront Network
Manages
- traffic management
- authorisation
- access control
- monitoring
- api version management.
Features
- Metering
- Security
- Resiliency
- Operations monitoring
- Lifecycle Management
73
Q

RDS

A
relational DB
Online Transactional Processing OLTP
For structured, relational data store.
Automated backup
Push button scaling, replication and redundancy
Types:
1. Aurora
2. MySQL
3. Oracle
4. SQL Server.
5. Postgres

MultiAZ for synchronous replication - automatic failover.
Read replicas used for heavy read workload - async replication
Encryption at rest. - results in snapshot, backups, instance storage, read replicas being encrypted.
Existing DB can’t be encrypted. But using a snapshot a DB can be created which can be encrypted during creation process.
Read Replica on a different region will have to be encrypted using the key in that region.
Upto EBS volume size backup is free.
RDS can only be scaled up for compute and storage.
Scaling compute can cause downtime.
Read Replicas in a different region can be promoted to the primary DB in case of disaster.
Automated backups need to be enabled for Read Replicas to be enabled.
RR available for MySQL, Postgres, MariaDB, Oracle, Aurora
In case of failover in MultiAZ, RR also take the new connection and connect to new primary.
Max 5 RR.

74
Q

AWS Database Migration Service

A

Migrate databases to AWS quickly and securely.
Schema Conversion Tool SCT
- homogenous (mysql to mysql)
- heterogenous (mysql to oracle)

75
Q

Amazon Aurora

A

Fully managed.
Scales in 10GB increments - 32 CPU 244GB
2 copies of data maintained in 3 AZs
Can handle loss of 2 copies of data w/o affecting write
Can handle loss of 3 copies w/o affecting read

76
Q

Amazon Aurora Replicas and Replication

A
  • Aurora Replica (15) in-region
  • MySQL Replica (5) cross-region
    • this replica can again be replicated to local aurora replicas.
      Global Database - provides best replication performance.
      Traditional binlog replication is also available.

Secondary region can be promoted to full read/write quickly.

77
Q

Amazon Aurora Multi-Master

A

only MySQL-compatible.
Used for scaling out write performance with multiple AZ.
Have read after write consistency.

78
Q

Amazon Aurora Serverless

A

On-demand, auto-scaling
MySQL and PostgreSQL compatible editions.
Automatically starts up, shuts down, and scales up or down.
Only for DB storage and DB capacity, IO while its active

79
Q

Amazon DynamoDB

A

NoSQL DB service
MultiAZ and cross region replication
Push button scaling without incurring downtime.
Eventually consistent; can be configured to be strongly consistent.
Can use DynamoDB Transactions for ACID.
Synchronous Replication to 3 AZs
Is Schema-less

Read model:

  • Eventually consistent (Max read throughput)
  • Strongly consistent (reflects all writes that received a successful response.)

Auto-Scaling - Dynamically adjust provisioned throughput capacity in response to actual traffic patterns.

Pricing:

  • On-demand - data reads and writes
  • Provisioned - Specify reads and writes and configure AutoScaling separately.
80
Q

Amazon DynamoDB Streams and DAX

A

Keeps a list of item level changes in 24 hours.
Can trigger Lambda based on events.

DAX - fully managed HA, in-memory cache for DynamoDB - 10x performance.
Millions of requests per second.
Code changes not required to use DAX - cache invalidation, data population, cluster management.

81
Q

Amazon DynamoDB Global Tables

A

Multi-master DB and replication.
DDB takes care of all task of creating identical tables in different regions and propagate data.
Best for massively scaled applications and globally dispersed users.

82
Q

Amazon ElastiCache

A
Redis and Memcache.
For OLAP (Online Analytics Processing)
Memcache for simple cache.
- large node multiple core and threads
- scales by adding removing nodes.
- ideal front-end for DBs
- doesn't support multiAZ no snapshots
- no persistence
Redis for advanced features
- no multithreading
- scaling through shards
- multi AZ using read replicas in same region.
- encryption
- HIPAA compliance
- clustering
- complex data types
- HA
- Pub/Sub capability
- Geospatial indexing
- Backup and restore.
- persistence

Usage:

  1. Web session store
  2. Database caching
  3. Leaderboard
  4. Streaming data dashboards.
83
Q

Amazon Redshift

A
Analyzing data using SQL and BI tools.
Fully managed data warehouse.
Clustered Peta byte scale data warehouse
Online Analytics Processing (OLAP) type of DB
Parallel processing and columnar data stored.
Three copies of data:
- the original
- replica on compute nodes
- backup on s3 (continuous backup to s3)

Runs on single AZ, but snapshot can be restored to another AZ,

84
Q

Amazon Kinesis

A

Collect, process, analyze real-time, streaming data.
Has shards, each shard can process 1000 records/sec
Default limit 500 shards.
Record = partition key, sequence number, data blob
Transient data store default retention 24 hours, max 7 days

85
Q

Amazon Kinesis Data Streams

A

Enables build custom app to process streaming data
Real-time processing of streaming big data
For rapidly moving data off data producers
Stores data for later processing by applications.
Scaled using shards.

(FireHose delivers data directly to AWS services.)

Producers

  • Streams API
  • Producer Library (KPL)
  • Kinesis Agent

Consumers - Amazon Kinesis Stream Applications

86
Q

Amazon Kinesis Data Firehose

A

Captures, transforms, and loads streaming data
Enables real-time analytics with existing business intelligence tools.
Data streams can be source to Firehose.
Synchronously replicates data across 3 AZs as it is transported to destinations.
Destination:
- S3
- Redshift
- Elasticsearch
- Splunk

No Shards here - fully managed

87
Q

Amazon Kinesis Data Analytics

A
Process, Analyze real-time, streaming data.
Use SQL to process Kinesis Data streams.
Use cases 
- Generate time series analytics
-  Feed real time dashboards
- Real time alerts and notifications

Can ingest from Kinesis Stream/Firehose

88
Q

Amazon EMR

A
Uses Hadoop Framework running on EC2 and S3
Processes huge amounts of data
Supports Apache Spark, HBase, Presto, Flink
Uses:
- log analysis
- financial analysis
- extract
- translate

Cluster is a collection of EC2 instances provisioned by EMR to run Steps
Steps - programmatic task for processing data.

89
Q

Amazon Athena

A

Interactive query service to analyze data on S3
Serverless
Uses managed Data Catalog(AWS Glue) to store information and schemas about databases.
Uses Presto for SQL support
Works with CSV, JSON, ORC, Apache Parquet, Avro
Removes the need to have ETL(Extract Transform Load) jobs to prepare data for analysis.

90
Q

Amazon Glue

A

ETL service that automates time consuming steps
Automatically discovers and profiles data via Glue Data Catalog
Works with data lakes(S3), data warehouses (Redshift), data stores (RDS)

91
Q

Amazon SNS:

  • what are subscribers?
  • what are the transport protocols?
  • what are the targets?
A
Simple Notification Service
Setup Operate and send notification
Instantaneous push based delivery
Multiple transport protocols
Event Notification, monitoring, workflow systems, time sensitive information updates, 

Subscribers:

  • HTTP
  • HTTPS
  • Email
  • JSON
  • Email-JSON
  • SQS
  • Application
  • Lambda

Transport Protocols:

  • HTTP/HTTPS
  • Email/EMail-JSON
  • SQS
  • SMS
  • Lambda
  • Platform application endpoint
  • Kinesis Data Firehose
92
Q

Amazon Step Functions

A

Coordinates components of distributed applications as a series of steps in a visual workflow
Create tasks, sequential steps, parallel steps, and branching paths or timers.
Build and run state machines to execute steps of the application.

93
Q

Amazon SWF

A

Simple Workflow Service for easy coordination of work across distributed application components.
Distributed async systems as workflows.
Sequential and parallel processing.
Best for human-enabled workflows like an order fulfilment system

94
Q

Amazon SQS

A

Message queues that store messages waiting to be processed.
Reliable, highly scalable, hosted queue
distributed and decoupled.
Is Pull based, and not Push based
Messages can be up to 256 KB in size.
Kept in the queue for 1 minute to 14 days; default 4 days
Visibility timeout - if the processing confirmation doesn't arrive within this time, the message becomes visible again. Max is 12 hours

Polling

  • Short (default)
    • doesn't wait for messages to appear in the queue
    • ReceiveMessageWaitTime = 0
    • higher cost as more polls are done.
  • Long
    • fewer requests - less cost
    • SQS waits until message is available in queue before sending a response.
    • ReceiveMessageWaitTime = 20sec. (20 secs = MAX)

Queue type:

  • Standard
    • attempts to preserve order
    • scalable
    • at least once delivery
    • 120,000 in-flight messages per queue
  • FIFO
    • preserves exact order
    • exactly-once processing.
    • 20,000 in-flight messages per queue
    • 3000 messages/sec when batching
    • 300 messages/sec when not batching

Queue name can be 80 characters.
Messages can be retained for 4 days to 14 days
Max message size is 256 KB

PCI DSS level 1 and HIPAA
IAM policies for controling access.

95
Q

Amazon MQ

A

Managed message broker service for Apache Active MQ

96
Q

CloudFormation

A

Provision infrastructure
Infrastructure as Code
Logical IDs - reference resources within a template
Physical IDs - reference to resources created

  • Templates - JSON/YAML instructions
  • Stacks - entire environment described by template
  • Change Sets - summary of proposed changes.
97
Q

Beanstalk

A

Deploy applications on EC2
PaaS
Devs wanting to just upload the code, and Beanstalk takes care of all the other tasks.

98
Q

AWS CloudWatch

A

Monitoring service for AWS Cloud resources
Collect and track metrics, collect and monitor log files and set alarms
Access Control through IAM

CloudWatch logs -
monitor, store and access logs.
Source - Ec2, CloudTrail, Route 53, etc.
Used for real-time monitoring or long term log retentions.
By default, logs retained indefinitely.
Cloudwatch logs metric filters can evaluate Cloudtrail logs for specific terms/values

CloudWatch metrics retention:

  • <60secs - 3 hours
  • =60secs - 15 days
  • =300secs - 63 days
  • =3600secs - 455 days
99
Q

AWS CloudTrail

A
Creating trail - can be stored on S3
By default trail is stored for 90 days
Info:
- identity
- time of API
- source IP
- request parameters
- response elements
100
Q

AWS Config

A

Resource inventory, configuration history and configuration change to enable security and governance

101
Q

AWS Cognito

A

Lets users sign up, sign in and control access
Provides authentication, authorization and user management
Users can sign in directly with username/password, or through a third party such as Facebook, Amazon, Google.
Components:
- User Pools - directories for sign-up and sign-in
- Identity Pools - let us grant users access to other AWS resources.

Cognito works with external identity providers that support SAML and OpenID connect, social Identity providers.

102
Q

AWS KMS

A

Highly available key storage.
CMK/Customer Master Key can be generated locally or on AWS CloudHSM cluster.
These keys are protected by hardware security modules.

Multi-tenant AWS service
Highly available and durable
FIPS 140-2 Level 2

103
Q

AWS CloudHSM

A

Regulatory compliance for Data Security by using a Hardware Security Module instance within AWS.
Tamper-resistant hardware device.

Single Tenant
Customer managed Durability
FIPS 140-2 Level 3

104
Q

AWS WAF

Web Application Firewall

A

Web application firewall service - protects against common exploits.
Tightly integrated to CloudFront - rules run on all AWS edge locations.

A new version of the AWS Web Application Firewall was released in November 2019. With AWS WAF classic you create “IP match conditions”, whereas with AWS WAF (new version) you create “IP set match statements”. Look out for wording on the exam.

The IP match condition / IP set match statement inspects the IP address of a web request’s origin against a set of IP addresses and address ranges. Use this to allow or block web requests based on the IP addresses that the requests originate from.

AWS WAF supports all IPv4 and IPv6 address ranges. An IP set can hold up to 10,000 IP addresses or IP address ranges to check.

105
Q

AWS Shield

A
Expanded DDoS attack protection
24/7 support from DDoS response team.
Always-on detection
- Standard - for all AWS users
- Advanced - higher levels of protection.
106
Q

AWS Single Sign-On SSO

A

Centrally manage access to multiple AWS accounts
Built-in integrations with business applications such as Salesforce, Box, Office 365
Manage user identities in SSO Identity Store or connect to MS AD
Integrated with AWS Organizations, so users can be granted access to the accounts from AD

107
Q

AWS Managed Microsoft AD

A

Fully Managed AWS service
Best choice when there are more than 5000 users
Runs on Windows Server
Works with SharePoint, Microsoft SQL server and .NET apps

108
Q

AWS Simple AD

A
Cheap AD-compatible service with common directory features
Standalone, fully managed.
If there are fewer than 500 users.
Powered by a Samba 4 AD-compatible server
Features:
- Manage user accounts
- apply group policies
- Kerberos-based SSO
- Supports joining Linux or Windows.

Note: MFA and trust relationships are not supported.

109
Q

AWS AD Connector

A

Directory gateway for redirecting directory requests to on-premises AD
Eliminates the need for directory synchronization
Connects existing on-premises AD to AWS
Sizes:
- Small for 500 users
- Large for 5000 users.

VPC should be connected to the on-premises network via VPN/Direct Connect

Note: Must have an existing AD; supports MFA through existing RADIUS-based MFA infrastructure.

110
Q

AWS IAM Policy Evaluation Logic

A
  • Identity-based policies - attached to identities
  • Resource-based policies - attached to resources
  • IAM permissions boundaries - Max permissions that an identity-based policy can grant to an IAM entity or role.
  • AWS Organizations service control policies (SCPs) - Maximum permissions for an organization or organizational unit
  • Session policies - advanced policies that are passed as parameters when a temporary session is created programmatically.
111
Q

IAM Instance Profile

A

Container for an IAM role that is used to pass role information to an EC2 instance when it starts.
Can only have 1 role.

Note, a role can be in multiple instance profiles.

112
Q

AWS IAM Cross-Account Access

A
  1. Log into the AWS account A.
  2. User should have access to assume the role in account B
  3. Assume role for the destination
  4. Role in account B should have the trust defined
  5. Role in account B should have the permissions defined.
113
Q

VM Import / Export

A

Migrate virtual machines from on-premises to EC2.
Supports Windows and Linux VMs from VMware ESX, Microsoft Hyper-V, and Citrix Xen
Steps:
- Export VM to OVA/VMDK/VHD/RAW
- Upload to S3
- Import image to EBS-Backed AMI
- Create Instance from AMI

114
Q

AWS DMS Database Migration Service

A

Supports homogeneous and heterogeneous migration.
Data is continuously replicated to reduce downtime
Fully managed migration process
Can be used together with the Schema Conversion Tool for converting schemas during heterogeneous migrations.

Supported sources: Oracle, SQL Server, MySQL, MariaDB, PostgreSQL, Db2 LUW, SAP, MongoDB, Amazon Aurora

115
Q

AWS Server Migration Service SMS

A

Agentless service for migrating on-premises and cloud-based VMs to AWS.
Source platform can be VMware, Hyper-V or Azure.
SMS connector is installed on the source
Server volumes are replicated and saved as AMIs, which can be launched as EC2 instances.

116
Q

AWS Snowball and Snowmobile

A

Used when large amounts of data need to be sent to AWS.
Uses secure storage for physical transportation
Snowball client is installed on a local computer and is used to identify, compress, encrypt and transfer data.
256-bit encryption and tamper-resistant enclosures.
Snowball - 80TB/50TB, petabyte scale
Snowball Edge - 100TB - onboard storage and compute

Snowmobile - exabyte scale - 100 PB per snowmobile

117
Q

AWS Datasync

A

DataSync software agent connects to on-premises NAS storage systems.
Uses NFS or SMB protocols.
Synchronizes data to AWS with scheduled transfers (TLS encrypted)
Destination can be S3, EFS, FSx for Windows File Server
Improves performance of data transfers by 10x
Permissions and metadata are preserved.
Pay per GB transferred.

118
Q

What are Spot Block Instances?

A

Max duration 6 hours.

Once started, they will run uninterrupted for selected duration.

119
Q

What is S3 pre-signed URL?

A

All S3 objects by default are private. Only the object owner has permission to access these objects. However, the object owner can optionally share objects with others by creating a presigned URL, using their own security credentials, to grant time-limited permission to download the objects.

When you create a presigned URL for your object, you must provide your security credentials, specify a bucket name, an object key, specify the HTTP method (GET to download the object) and expiration date and time. The presigned URLs are valid only for the specified duration.

Anyone who receives the presigned URL can then access the object. For example, if you have a video in your bucket and both the bucket and the object are private, you can share the video with others by generating a presigned URL.

120
Q

Explain Envelope Encryption.

A

Envelope encryption offers several benefits:

• Protecting data keys

When you encrypt a data key, you don’t have to worry about storing the encrypted data key, because the data key is inherently protected by encryption. You can safely store the encrypted data key alongside the encrypted data.

• Encrypting the same data under multiple master keys

Encryption operations can be time consuming, particularly when the data being encrypted are large objects. Instead of re-encrypting raw data multiple times with different keys, you can re-encrypt only the data keys that protect the raw data.

• Combining the strengths of multiple algorithms

In general, symmetric key algorithms are faster and produce smaller ciphertexts than public key algorithms. But public key algorithms provide inherent separation of roles and easier key management. Envelope encryption lets you combine the strengths of each strategy.

121
Q

How to provide permissions to ECS task to DynamoDB?

A

To specify permissions for a specific task on Amazon ECS you should use IAM Roles for Tasks. The permissions policy can be applied to tasks when creating the task definition, or by using an IAM task role override using the AWS CLI or SDKs. The taskRoleArn parameter is used to specify the policy.

122
Q

What is EFA?

Elastic Fabric Adapter

A

An Elastic Fabric Adapter is an AWS Elastic Network Adapter (ENA) with added capabilities. The EFA lets you apply the scale, flexibility, and elasticity of the AWS Cloud to tightly-coupled HPC apps. It is ideal for tightly coupled apps as it uses the Message Passing Interface (MPI).