AWS Flashcards
What's the most efficient way to set up a DB that is repeatedly cloned?
Set up an Aurora cluster with multi-AZ replicas. Then use Aurora cloning.
How do you encrypt in-flight data coming from/to a DB?
Import the RDS root CA cert. Install the cert on your servers. Then set up your app to use SSL to encrypt connections to the DB. Then force all connections to use SSL.
What's the most efficient way to implement disaster recovery for an on-premises DB?
Use AWS Elastic Disaster Recovery (DRS) to replicate the changes of the on-premises app to AWS.
What service would you use to create an SMS service that is interactive?
Amazon Pinpoint journeys.
How do you reduce the number of IP addresses a client needs to whitelist?
Global Accelerator lets you create 2 endpoint groups as an entry point into your applications. Then you can use load balancers to distribute traffic.
Which is multithreaded, Memcached or Redis?
Memcached.
What is Memcached auto discovery?
It allows your app to connect to one node, which then retrieves the rest of the nodes, so the application can connect to the most appropriate node.
What is Redis Global Datastore?
Allows writing to 1 cluster and reading from two cross-region replica clusters.
How would you allow company divisions to run separately but allow 1 entity to enforce IT governance and cost oversight of those divisions?
Use consolidated billing by creating an AWS Organization and linking the accounts to a parent account. Then enable IAM cross-account access for all corporate IT admins in each child account.
How do you allow an IAM user to make API calls?
Create a set of access keys for the user and attach the necessary permissions.
Why would you get an insufficient capacity error when attempting to add instances to an already running cluster placement group? How could you still add instances?
There is no more room on the hardware to fit more instances. Stop and start the cluster placement group.
How would you create a conversational bot?
Amazon Lex
What's the easiest way to allow a Lambda function to be called by a third party?
Generate a Lambda function URL and use it as a webhook for third parties.
How can you be notified when your certificates are about to expire?
Create an EventBridge rule to check if certificates are set to expire, then send a notification through SNS.
When does AWS Certificate Manager (ACM) start sending expiration events?
45 days prior to expiration.
How can you know if a certificate is about to expire?
ACM sends events that can be listened for. You can also check the DaysToExpiry metric on the cert.
How would you migrate a 3-tier containerized application into AWS so that it has high availability?
Move static assets and web pages to S3. Host the app on ECS with auto scaling. Then migrate the DB to RDS with a multi-AZ deployment.
How do you allow cross region replication of an S3 bucket?
- Enable versioning on the source and destination buckets.
- The source bucket must have permission to create objects in the destination bucket.
How do you allow an instance to establish connections to the internet over IPv4 but disallow inbound connections to the instance?
NAT gateway / NAT instance.
If you suspect servers are slow due to not being able to handle traffic how would you verify?
Use Compute Optimizer to see recommendations for the optimal size of compute resources.
What's cheaper: storing images alongside keys in a DB, or storing image locations in a DB and the images themselves in S3?
Storing images in S3.
How do you manage and monitor your containers in AWS?
Create a workspace in Amazon Managed Service for Prometheus to collect container metrics. Set this workspace as the data source in Amazon Managed Grafana for monitoring and data visualization.
What's the most cost-efficient way to run a critical workload along with non-critical work on an EMR cluster?
Implement a transient EMR cluster with the primary and core nodes on On-Demand Instances and task nodes on Spot Instances.
In what order are instances terminated during auto scaling?
First in the Availability Zone with the most instances. Then instances with the oldest launch template. Then instances that are closest to the next billing hour.
How do you share Lake Formation data with the least amount of effort?
Use Lake Formation tag-based access control to enable authorization and cross-account permissions. Integrate with Security Hub to enhance monitoring and compliance oversight.
How can you monitor the logs in an EKS cluster with the least effort?
Use CloudWatch Container Insights and the CloudWatch dashboard to view the application's logs and metrics.
How do you automatically start and stop (not terminate) instances on a schedule?
Create a Lambda function to start and stop instances. Then set up an EventBridge event rule to trigger the Lambda function.
Which file systems are multi-protocol? Which are single-protocol, and what are those protocols?
NetApp ONTAP supports NFS, SMB, and iSCSI. OpenZFS supports NFS. Windows File Server supports SMB. Lustre is its own file system.
If you already have CloudTrail enabled, what would be the easiest way to monitor IAM-related errors along with unauthorized errors?
Query CloudTrail Lake to find specific errors in the CloudTrail logs.
How can you host an application and DB cheaply given that it has spiky traffic? It still needs to be available during idle periods.
Containerize the app and use Fargate with Aurora Serverless.
Can an NLB do HTTP health checks?
Yes.
If you need an auto-scaling DB, what's the best choice?
Aurora serverless
In Route 53, how do you point your domain name to an Application Load Balancer?
An alias record of type "AAAA" (IPv6) or "A" (IPv4).
How would you implement DR for a file system with the least amount of effort?
Create FSx file systems in a source and destination region, then establish VPC peering. Then configure replication between the file systems.
How do you monitor traffic into and out of a VPC, and potentially block traffic?
Use custom rules in AWS Network Firewall to detect and filter traffic passing to and from the VPC.
How do you monitor every request to an S3 bucket?
Enable server access logging for the S3 bucket.
How do you monitor the API calls into a Redshift instance?
CloudTrail.
What is Redshift Spectrum?
A feature that allows one to query and analyze data in Redshift.
How long must objects be in their current storage class before moving to Infrequent Access?
30 days.
How do you geographically restrict users from accessing content?
Apply geographic restrictions using an allow list, then return custom error responses.
How do you centrally manage allowed and disallowed CIDR ranges for multiple accounts?
Create a VPC customer-managed prefix list, then add the CIDR blocks. Share the prefix list ID with the other AWS accounts using Resource Access Manager (RAM). Then add the prefix list to the security groups.
How do you ensure only certain services can access a database or S3 bucket?
Create a VPC endpoint (gateway endpoint) for the DB. Then add a rule to the DB security group granting access to the service that will use it. For the S3 bucket, deny access through the bucket policy where the source is anything other than what is allowed.
If you are constantly over-provisioning resources, what scaling policy should you use?
Target tracking.
How do you ensure that a dynamoDB table is distributing its work efficiently?
Use partition keys with high-cardinality attributes (a large number of distinct values).
What's the easiest way to transform data entering an S3 bucket?
Create S3 events for PUT calls -> integrate with SNS -> invoke a Glue job to transform the data.
How would you send out emails in response to changes to a DynamoDB table?
Enable DynamoDB Streams along with a Lambda trigger, and give the Lambda function the appropriate role to send emails.
what is a 504 error and what should you do if users receive them?
504 is a gateway timeout. If this occurs, set up origin failover in CloudFront.
How do you connect to DynamoDB and S3 without passing through the public internet?
Use a VPC endpoint to route traffic through private endpoints.
How do you prevent accidental deletion of objects in an S3 bucket?
Enable versioning and MFA delete (multi-factor authentication for deletion).