AWS Flashcards
What are the four disaster recovery strategies outlined by AWS in order of expense and RTO (low to high)?
Backup and Recover, Pilot Light, Warm Standby, Multi-size
What is RPO and what does it stand for?
Recovery Point Objective. The optimal point in time from which you’ll be recovering from.
What is RTO and what does it stand for?
Recovery Time Objective. The amount of time it will take for a backup system to be fully operational.
What is the least expensive DR solution recommended by AWS?
Backup and Restore
What durability does S3 have?
11 9s durability.
When would you use Pilot Light?
When you don’t want to pay the cost of having unused compute infrastructure but want to limit RTO to tens of minutes.
What happens when an EC2 instance that’s fronted by an ELB fails it’s health check?
The ELB stops sending it traffic.
When attached an ENI to an EC2, what’s the difference between a cold, warm, and hot attach?
Cold: attaching when the EC2 is being launched, Warm: attaching when EC2 is stopped, Hot: attaching when EC2 is running
When can you move an ENI from one instance to another?
When the ENI’s are in the same AZ and VPC but in different subnets
Would you choose RDS read replicas or RDS Multi-Region if you wanted to minimize RTO?
You would choose RDS Mutli-Region since read replicas are not updated synchronously.
Is DynomoDB an appropriate option for infrequently accessed data?
Yes
Are NACLs stateless? Are Security group stateless?
NACLS are stateless, Security groups are stateful.
What order are NACL rules evaluated in?
They are evaluated by rule number from lowest to highest.
You have been evaluating the NACLs in your company. Currently, you are looking at the default network ACL. Which statement is true about NACLs?
The default configuration of the default NACL is Allow, and the default configuration of a custom NACL is Deny.
What service can you use to ensure that resources you’ve deployed are within budget?
AWS Budgets
How many AZs can a subnet span?
Just one.
What addresses in the CIDR address block used by your Subnet are reserved and for what?
x. x.x.0 is the network address
x. x.x.1 is the VPC router
x. x.x.2 is for the DNS
x. x.x.3 is reserved for future use
x. x.x.255 is used for broadcast, which is in not supported by AWS
How many internet gateways can you have per VPC?
Just one.
Why wouldn’t you want to create a route out to the internet on your main route table in your VPC?
Any subnet created in your VPC will be associated with the main route table be default; if your main route table has a route table to the internet, all subnets will be public by default.
Why would you use a NAT gateway?
To enable an instance in a private subnet to have access to the internet.
How can you ensure an auto scaling group automatically scales out at a certain time every day?
Create a scheduled action
How can you block a specific IP address from accessing your subnet?
Using a Network ACL. You cannot use a security group to block a specific IP address.
How many network ACLs is your subnet associated with?
Exactly 1.
What is a VPC Endpoint?
A virtual device that allows communications between your VPC components and AWS services
What is the maximum bandwidth of a NAT Gateway?
They scale from 5 Gbps to 100 Gbps
When would you use an interface endpoint as opposed to a gateway endpoint?
Use gateway endpoints when you need to access DynomoDB or S3; otherwise use an interface endpoint. The interface endpoint uses an ENI while the gateway endpoint sits at the edge of your VPC.
Can you do transitive peering with VPCs?
No
Can you peer VPCs across regions?
Yup
Can you have overlapping CIDR address ranges when you peer two VPCs?
Nope
If you need to connect your VPC to tens, hundreds, or thousands of VPCs, which service could you use?
AWS PrivateLink
What does the service and customer need to create in their VPCs to use PrivateLink
The service needs to set up a Network Load balancer and the consumer needs to set up an ENI
When would you use VPN CloudHub?
When you have multiple sites with VPN connections that need to connect together.
If you want to avoid the complexity of peering together multiple VPCs, which service can you use?
Transit Gateway
Can you use Transit Gateway to connect VPCs in multiple regions?
Yes
How can you prevent VPCs from communicating with each other if they are connected through Transit Gateway?
Configure your route tables to prevent them from interacting.
What can you do to simplify your network architecture if you have less than 10 VPCs that are connected to your data center using direct connect?
Use a direct connect gateway.
Is a NAT gateway redundant in the AZ?
Yes
What should you do to create an availability zone-independent architecture when setting up NATs?
Create one in each AZ.
Is Direct Connect encrypted by default?
No
What is AWS Personal Health Dashboard
The AWS Health Dashboard is the single place to learn about the availability and operations of AWS services. You can view the overall status of AWS services, and you can sign in to view personalized communications about your particular AWS account or organization. Your account view provides deeper visibility into resource issues, upcoming changes, and important notifications.
What is the difference between a launch configuration and a launch template?
launch template is similar to a launch configuration, in that it specifies instance configuration information. Included are the ID of the Amazon Machine Image (AMI), the instance type, a key pair, security groups, and the other parameters that you use to launch EC2 instances. However, defining a launch template instead of a launch configuration allows you to have multiple versions of a template. With versioning, you can create a subset of the full set of parameters and then reuse it to create other templates or template versions. For example, you can create a default template that defines common configuration parameters and allow the other parameters to be specified as part of another version of the same template.
How long does it take to failover when using an RDS with Multi-AZ Deployment
1 to 2 minutes
When using an RDS with Multi-AZ deployment, what does AWS do to fail over if your primary database fails?
When failing over, Amazon RDS simply flips the canonical name record (CNAME) for your DB instance to point at the standby, which is in turn promoted to become the new primary.
Can you delete the default security group associated with your VPC?
You can’t delete this group, however, you can change the group’s rules.
Can you remove the * All Traffic Deny NACL rule?
No
How many security groups can be attached to an EC2 instance?
Up to 5
What is AWS Managed VPN?
AWS Managed VPN lets you reuse existing VPN equipment and processes, and reuse existing internet connections.
It is an AWS-managed high availability VPN service.
It supports static routes or dynamic Border Gateway Protocol (BGP) peering and routing policies.
What are the three most common properties found in an IAM statement?
Effect, Action, and Resource
Is IAM Universal?
Yes
What would you use IAM Federation for?
When you want to connect to AWS using AD credentials.
What’s the file size range for an object in S3?
0 to 5 TB
What’s the URL syntax for an S3 object?
http://[bucket-name].s3.[region].amazonaws.com/[key-name]
What status code will you get back when you upload a file to S3?
HTTP 200
How can you make an S3 object accessible publicly?
Enable the bucket to be public and then apply a policy to allow access to the object or the entire bucket
Can you disable versioning on a bucket?
No, but you can suspend it
What the retrieval times for Glacier Instant Retrieval, Glacier Flexible Retrieval, and Glacier Deep Archive?
Milliseconds
Minutes to hours
Default of 12 hours
When using an object lock, what’s the difference between governance mode and compliance mode?
With governance mode, users with a special permission can overwrite the file. With compliance mode, no user (including root) can delete the object until the end of the retention period.
What is the difference between SSE-S3, SSE-KMS, and SSE-C
SSE-S3: AWS automatically handles the encryption using a key that they manage
SSE-KMS: You use a key provided by KMS
SSE-C: You provide the key
How do you enforce encryption in S3?
Use a bucket policy to ensure that PUT requests include an encryption parameter in the HTTP header
How many PUT/COPY/POST/DELETE requests per second can you make in S3? How many GET/HEAD?
3,500 per prefix
5,500 per prefix
What must you enable to upload a file over 5GB?
Multipart Uploads
Why would you use a byte-range fetch?
Increase performance when downloading files
What is the minimum and maximum time frame for reserving an instance?
1 to 3 years
Can you attach and detach roles while an EC2 instance is running?
Yes
What inbound and outbound traffic and allowed by default when creating a security group?
All inbound is denied by default and all outbound is allowed by default.
What is the difference between users data and meta data?
User data is your bootstrap script, meta data is information about EC2
When would you use Enhance Networking?
You need reliable throughput between 10 Gbps and 100 Gbps
When would you use Elastic Fabric Adapter (EFA)
High Performance Computing
Machine Learning
OS-Bypass
When would you use Cluster, Spread, and Partition placement groups?
Use cluster for lower networking latency / high throughput
Use spread for critical EC2 instances that need to be on separate hardware
Partition placement groups can be used to deploy large distributed and replicated workloads, such as HDFS, HBase, and Cassandra, across distinct racks
