AWS Certification Flashcards

1
Q

Encrypting data before sending it to Amazon S3

A

The act of encrypting data before sending it to Amazon S3 is termed client-side encryption. The AWS Encryption SDK is a client-side encryption library that is separate from the language-specific SDKs.

2
Q

Encryption Amazon S3

A

Encryption is enabled by default for all the objects written to Amazon S3. Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3.

3
Q

Cloud Transformation Value Chain. Organizational Transformation

A

Organizing your teams around products and value streams while leveraging agile methods to rapidly iterate and evolve will help you become more responsive and customer-centric.

4
Q

Six advantages of cloud computing

A
  1. Trade fixed expense for variable expense
  2. Benefit from massive economies of scale
  3. Stop guessing capacity
  4. Increase speed and agility
  5. Stop spending money running and maintaining data centers
  6. Go global in minutes

5
Q

Encrypting CloudTrail

A

By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS keys (SSE-KMS) for your CloudTrail log files.

6
Q

Compared to the On-Demand Instance prices, what is the highest possible discount offered?

A
  • Savings Plans - up to 72%
  • Amazon EC2 Spot Instances - up to 90%

7
Q

own keys for encryption on AWS services

A

customer managed key (CMK)
The KMS keys that you create are customer managed keys. Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You cannot use AWS Secrets Manager for creating and using your own keys for encryption on AWS services.

8
Q

Which AWS services support VPC Endpoint Gateway for a private connection from a VPC?

A

Just remember that only Amazon S3 and Amazon DynamoDB support VPC gateway endpoint. All other services that support VPC Endpoints use a VPC interface endpoint (note that Amazon S3 supports the VPC interface endpoint as well).

9
Q

Which AWS services can be used to decouple components of a microservices-based application on AWS Cloud?

A
  • Amazon Simple Queue Service (SQS)
  • Amazon Simple Notification Service (SNS)

10
Q

removing an AWS account from AWS Organizations

A

The AWS account must be able to operate as a standalone account. Only then can it be removed from AWS Organizations. For each account that you want to make standalone, you must accept the AWS Customer Agreement, choose a support plan, provide and verify the required contact information, and provide a current payment method.

11
Q

The application needs high-performance hardware disks that provide fast I/O performance.

A

Instance Store

An instance store provides temporary block-level storage for your instance. This storage is located on disks that are physically attached to the host computer. This is a good option when you need storage with very low latency, but you don’t need the data to persist when the instance terminates or you can take advantage of fault-tolerant architectures. The Instance Store volumes are included as part of the instance’s usage cost.

12
Q

AWS Shield Advanced provides expanded DDoS attack protection for web applications running on the following resources

A

Amazon Elastic Compute Cloud, Elastic Load Balancing (ELB), Amazon CloudFront, Amazon Route 53, AWS Global Accelerator

13
Q

the MOST cost-effective option to purchase an EC2 Reserved Instance (RI)

A

All you need to remember is that a 3-year term would always be more cost-effective than a 1-year term. Then within a term, “all upfront” is better than “partial upfront” which in turn is better than “no upfront” from a cost savings perspective.

14
Q

Security Group Overview

A

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. Security groups act at the instance level, not at the subnet level. You can specify allow rules, but not deny rules. You can specify separate rules for inbound and outbound traffic.

15
Q

Compare NAT gateways and NAT instances

A

You can use a network address translation (NAT) gateway or a Network Address Translation instance (NAT instance) to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances. Network Address Translation gateway (NAT gateway) is managed by AWS but Network Address Translation instance (NAT instance) is managed by you.

16
Q

AWS Business Support

A

You should use AWS Business Support if you have production workloads on AWS and want 24x7 phone, email and chat access to technical support and architectural guidance in the context of your specific use-cases. You get full access to AWS Trusted Advisor Best Practice Checks. You also get access to Infrastructure Event Management for an additional fee.

17
Q

charges for this data transfer

A

There are three fundamental drivers of cost with AWS: compute, storage, and outbound data transfer. In most cases, there is no charge for inbound data transfer or data transfer between other AWS services within the same region. Outbound data transfer is aggregated across services and then charged at the outbound data transfer rate.

Per AWS pricing, data transfer between S3 and EC2 instances within the same region is not charged, so there would be no data transfer charge for moving 500 GB of data from an EC2 instance to an S3 bucket in the same region.

18
Q

the Availability Zone (AZ) specific characteristics of Amazon Elastic Block Store (EBS) and Amazon Elastic File System (Amazon EFS) storage types

A

An EBS volume can be attached to a single instance in the same Availability Zone (AZ), whereas an EFS file system can be mounted on instances across multiple Availability Zones (AZ).

19
Q

The company wants to automate the traditional maintenance job of running timely assessments and checking for OS vulnerabilities.

A

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on your Amazon EC2 instances. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

20
Q

Dedicated host

A

Amazon EC2 Dedicated Hosts allow you to use your eligible software licenses from vendors such as Microsoft and Oracle on Amazon EC2. An Amazon EC2 Dedicated Host is a physical server fully dedicated for your use, so you can help address corporate compliance requirements.

21
Q

Dedicated instance

A

A Dedicated Instance is an Amazon EC2 instance that runs in a virtual private cloud (VPC) on hardware that’s dedicated to a single customer. Dedicated Instances that belong to different AWS accounts are physically isolated at the hardware level. However, Dedicated Instances may share hardware with other instances from the same AWS account that are not Dedicated Instances. You cannot use Dedicated Instances for using server-bound software licenses.

22
Q

assess its applications deployed on Amazon Elastic Compute Cloud (Amazon EC2) instances for vulnerabilities and deviations from AWS best practices

A

Amazon Inspector
Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.

23
Q

the most cost-effective and flexible with no requirement for a long term resource commitment or upfront payment but still guarantees that instance would not be interrupted?

A

On-Demand Instance - An On-Demand Instance is an instance that you use on-demand. You have full control over its lifecycle — you decide when to launch, stop, hibernate, start, reboot, or terminate it. There is no long-term commitment required when you purchase On-Demand Instances. There is no upfront payment and you pay only for the seconds that your On-Demand Instances are running. The price per second for running an On-Demand Instance is fixed. On-demand instances cannot be interrupted.

24
Q

Which AWS service can be used to store, manage, and deploy Docker container images?

A

Amazon Elastic Container Registry (Amazon ECR) - Amazon Elastic Container Registry (Amazon ECR) can be used to store, manage, and deploy Docker container images. Amazon Elastic Container Registry (Amazon ECR) eliminates the need to operate your container repositories. You can then pull your Docker images from Amazon Elastic Container Registry (Amazon ECR) and run those on Amazon Elastic Container Service (Amazon ECS).

25
Q

Shared Responsibility Model

A

AWS is responsible for security “of” the cloud. This covers their global infrastructure elements including Regions, Availability Zones (AZ), and Edge Locations.

The customer is responsible for security “in” the cloud. For example, Server-side Encryption (SSE).

26
Q

a VPC and a subnet within AWS Cloud

A

An Amazon Virtual Private Cloud (Amazon VPC) spans all of the Availability Zones (AZ) in the Region, whereas a subnet spans only one Availability Zone (AZ) in the Region.

27
Q

Security Group and a Network Access Control List (Network ACL)

A

Security Group acts as a firewall at the instance level whereas Network Access Control List (Network ACL) acts as a firewall at the subnet level.
A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. A network access control list (network ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets (i.e. it works at subnet level).

28
Q

Amazon Rekognition Cloud Computing Type

A

Software as a Service (SaaS)
SaaS provides you with a complete product that is run and managed by the service provider. With a SaaS offering, you don’t have to think about how the service is maintained or how the underlying infrastructure is managed. You only need to think about how you will use that particular software.

29
Q

Database encryption - Under the AWS Shared Responsibility Model

A

Customers are responsible for managing their data, including data encryption.

30
Q

AWS Developer Support plan

A

AWS Developer Support plan allows one primary contact to open unlimited cases.

31
Q

some of the global services

A

AWS Identity and Access Management (AWS IAM), Amazon CloudFront, Amazon Route 53 and AWS Web Application Firewall (AWS WAF) are some of the global services.

32
Q

some of the regional services

A

AWS Lambda, Amazon Rekognition, Amazon S3

33
Q

Access to Amazon Elastic File System (Amazon EFS)

A

Amazon EFS is a regional service storing data within and across multiple Availability Zones (AZs) for high availability and durability. Amazon EC2 instances can access your file system across AZs, regions, and VPCs, while on-premises servers can access using AWS Direct Connect or AWS VPN.

34
Q

use cases for Amazon EFS Standard-Infrequent Access (EFS Standard-IA)

A

AWS recommends Amazon EFS Standard-Infrequent Access (EFS Standard-IA) storage class if you need your full dataset to be readily accessible and want to automatically save on storage costs for files that are less frequently accessed. Examples include keeping files accessible to satisfy audit requirements, performing historical analysis, or performing backup and recovery.

35
Q

security groups and network access control lists (network ACL)

A

A security group is stateful, that is, it automatically allows the return traffic.

A network access control list (network ACL) contains a numbered list of rules and evaluates these rules in increasing order while deciding whether to allow the traffic.

36
Q

Elastic File System (Amazon EFS) - Infrequent Access

A

Amazon Elastic File System (Amazon EFS) - Infrequent Access storage class is cost-optimized for files accessed less frequently. Data stored on the Amazon Elastic File System (Amazon EFS) - Infrequent Access storage class costs less than Standard and you will pay a fee each time you read from or write to a file.

37
Q

Amazon Elastic Block Store (Amazon EBS) Snapshots

A

Amazon Elastic Block Store (Amazon EBS) Snapshots are stored incrementally, which means you are billed only for the changed blocks stored.

Amazon EBS Snapshots are a point in time copy of your block data. For the first snapshot of a volume, Amazon EBS saves a full copy of your data to Amazon S3. Amazon EBS Snapshots are stored incrementally, which means you are billed only for the changed blocks stored.

38
Q

improves the availability for a fleet of Amazon Elastic Compute Cloud (Amazon EC2)

A

Deploy the Amazon Elastic Compute Cloud (Amazon EC2) instances across different Availability Zones (AZ) in the same AWS Region

39
Q

AWS Shield Advanced pricing

A

AWS Shield Advanced offers some cost protection against spikes in your AWS bill that could result from a DDoS attack. This cost protection is provided for your Elastic Load Balancing load balancers, Amazon CloudFront distributions, Amazon Route 53 hosted zones, Amazon Elastic Compute Cloud instances, and your AWS Global Accelerator accelerators.

AWS Shield Advanced is a paid service for all customers, irrespective of the Support plan.

40
Q

AWS Migration Evaluator

A

AWS Migration Evaluator (Formerly TSO Logic) is a complimentary service to create data-driven business cases for AWS Cloud planning and migration.

AWS Migration Evaluator quickly provides a business case to make sound AWS planning and migration decisions. With AWS Migration Evaluator, your organization can build a data-driven business case for AWS, gets access to AWS expertise, visibility into the costs associated with multiple migration strategies, and insights on how reusing existing software licensing reduces costs further.

41
Q

Which budget types can be created under AWS Budgets (Select three)?

A

AWS Budgets enable you to plan your service usage, service costs, and instance reservations. AWS Budgets information is updated up to three times a day. Updates typically occur between 8 to 12 hours after the previous update. Budgets track your unblended costs, subscriptions, refunds, and RIs. There are four different budget types you can create under AWS Budgets - Cost budget, Usage budget, Reservation budget and Savings Plans budget.

42
Q

Cost Allocation Tags in AWS Billing

A

For each resource, each tag key must be unique, and each tag key can have only one value.

You must activate both AWS-generated tags and user-defined tags separately before they can appear in Cost Explorer or on a cost allocation report.

43
Q

Gmail

A

Software as a Service (SaaS)

Software as a Service (SaaS) provides you with a complete product that is run and managed by the service provider. With a Software as a Service (SaaS) offering, you don’t have to think about how the service is maintained or how the underlying infrastructure is managed. You only need to think about how you will use that particular software. Gmail is an example of Software as a Service (SaaS).

44
Q

Amazon GuardDuty

A

Amazon GuardDuty is a threat detection service that monitors malicious activity and unauthorized behavior to protect your AWS account. Amazon GuardDuty analyzes billions of events across your AWS accounts from AWS CloudTrail (AWS user and API activity in your accounts), Amazon VPC Flow Logs (network traffic data), and DNS Logs (name query patterns). Security findings are retained and made available through the Amazon GuardDuty console and APIs for 90 days. After 90 days, the findings are discarded. To retain findings for longer than 90 days, you can enable AWS CloudWatch Events to automatically push findings to an Amazon S3 bucket in your account or another data store for long-term retention.

45
Q

Amazon Kendra

A

Amazon Kendra is an intelligent search service powered by machine learning. Kendra reimagines enterprise search for your websites and applications so your employees and customers can easily find the content they are looking for, even when it’s scattered across multiple locations and content repositories within your organization.

46
Q

Under the AWS Shared Responsibility Model, which of the following is the responsibility of a customer regarding AWS Lambda?

A

Maintain versions of an AWS Lambda function

47
Q

Amazon Relational Database Service (Amazon RDS) service

A

Amazon Relational Database Service (Amazon RDS) makes it easy to set up, operate, and scale a relational database in the cloud. Read replicas allow you to create read-only copies that are synchronized with your master database. Read replicas are used for improved read performance. You can also place your read replica in a different AWS Region closer to your users for better performance. Using a cross-Region read replica can also help ensure that you get back up and running if you experience a regional availability issue in case of a disaster. Read replicas are an example of horizontal scaling of resources.

48
Q

consolidated billing in AWS Organizations

A

Bob receives the cost-benefit from Susan’s Reserved Instances (RI) only if he launches his instances in the same Availability Zone (AZ) where Susan purchased her Reserved Instances

Bob receives the cost-benefit from Susan’s Reserved Instances (RI) only if he launches his instances in the same Availability Zone (AZ) where Susan purchased her Reserved Instances. For example, if Susan specifies us-west-2a when she purchases her Reserved Instances, Bob must specify us-west-2a when he launches his instances to get the cost-benefit on the organization’s consolidated bill. However, the actual locations of Availability Zones (AZs) are independent of one account to another. For example, the us-west-2a Availability Zone (AZ) for Bob’s account might be in a different location than the location for Susan’s account.

AWS bills five instances as Reserved Instances, and the remaining four instances as regular instances.

Since Susan has five Reserved Instances (RIs), AWS bills five instances as Reserved Instances, and the remaining four instances as regular instances.

49
Q

Some of these instances host the CRM (Customer Relationship Management) applications that need to be accessible 24*7. These applications are not mission-critical. In case of a disaster, these applications can be managed on a lesser number of instances for some time.

A

The warm standby strategy deploys a functional stack, but at reduced capacity. The DR endpoint can handle requests, but cannot handle production levels of traffic. It may be more, but is always less than the full production deployment for cost savings. If the passive stack is deployed to the recovery Region at full capacity, however, then this strategy is known as “hot standby.” Because warm standby deploys a functional stack to the recovery Region, this makes it easier to test Region readiness using synthetic transactions.

50
Q

AWS Marketplace

A

Sell Software as a Service (SaaS) solutions to AWS customers

AWS customer can buy software that has been bundled into customized Amazon Machine Image (AMIs) by the AWS Marketplace sellers

AWS Marketplace offers two ways for sellers to deliver software to customers: Amazon Machine Image (AMI) and Software as a Service (SaaS).

51
Q

programmatic access to AWS Support Center features to create, manage and close your support cases

A

AWS Enterprise Support
AWS Business Support

52
Q

Which of the following types are free under the Amazon Simple Storage Service (Amazon S3) pricing model?

A

Data transferred in from the internet

Data transferred out to an Amazon Elastic Compute Cloud (Amazon EC2) instance, when the instance is in the same AWS Region as the S3 bucket

There are four cost components to consider for S3 pricing – storage pricing; request and data retrieval pricing; data transfer and transfer acceleration pricing; and data management features pricing. Under “Data Transfer”, you pay for all bandwidth into and out of Amazon S3, except for the following: (1) Data transferred in from the internet, (2) Data transferred out to an Amazon Elastic Compute Cloud (Amazon EC2) instance, when the instance is in the same AWS Region as the S3 bucket, (3) Data transferred out to Amazon CloudFront (CloudFront).

53
Q

Amazon S3 Standard

A

Amazon S3 Standard offers high durability, availability, and performance object storage for frequently accessed data. Amazon S3 Standard offers low latency and high throughput performance. It is designed for durability of 99.999999999% of objects across multiple Availability Zones (AZ). Amazon S3 Standard has no constraint of a minimum storage duration for objects.

54
Q

Which of the following Amazon Simple Storage Service (Amazon S3) storage classes do not charge any data retrieval fee?

A

Amazon S3 Standard does not charge any data retrieval fee.
Amazon S3 Intelligent-Tiering does not charge any data retrieval fee.

55
Q

Which services/utilities fall under the purview of AWS under the AWS Shared Responsibility Model?

A

As AWS Shield Standard is automatically activated for all AWS customers with no options for any customization, AWS needs to manage the maintenance and configuration of this service. Hence this service falls under the purview of AWS.

56
Q

AWS Trusted Advisor can provide alerts on which of the following common security misconfigurations?

A

It provides alerts on several of the most common security misconfigurations that can occur, including leaving certain ports open that make you vulnerable to hacking and unauthorized access, neglecting to create IAM accounts for your internal users, allowing public access to Amazon S3 buckets, not turning on user activity logging (AWS CloudTrail), or not using MFA on your root AWS Account.

57
Q

benefits of the AWS Web Application Firewall (AWS WAF)?

A

AWS Web Application Firewall (AWS WAF) can block all requests except the ones that you allow
AWS Web Application Firewall (AWS WAF) can check for the presence of SQL code that is likely to be malicious (known as SQL injection)

58
Q

AWS Global Accelerator

A

AWS Global Accelerator is a good fit for non-HTTP use cases
AWS Global Accelerator is a good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP, as well as for HTTP use cases that specifically require static IP addresses or deterministic, fast regional failover.

AWS Global Accelerator provides static IP addresses that act as a fixed entry point to your applications
It provides static IP addresses that provide a fixed entry point to your applications and eliminate the complexity of managing specific IP addresses for different AWS Regions and Availability Zones (AZs).

59
Q

The organization also wants to connect its on-premises data center with the different virtual private clouds (VPC) for better organization-wide collaboration. Which AWS services can be combined to build the MOST efficient solution for this use-case?

A

AWS Transit Gateway connects virtual private clouds (VPC) and on-premises networks through a central hub.
AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS.

60
Q

AWS Systems Manager

A

AWS Systems Manager allows you to centralize operational data from multiple AWS services and automate tasks across your AWS resources. You can create logical groups of resources such as applications, different layers of an application stack, or production versus development environments.

With AWS Systems Manager, you can select a resource group and view its recent API activity, resource configuration changes, related notifications, operational alerts, software inventory, and patch compliance status. You can also take action on each resource group depending on your operational needs. AWS Systems Manager provides a central place to view and manage your AWS resources, so you can have complete visibility and control over your operations.

61
Q

An engineering team is new to the AWS Cloud and it would like to launch a dev/test environment with low monthly pricing. Which AWS service can address this use case?

A

Amazon Lightsail

Amazon Lightsail is designed to be the easiest way to launch and manage a virtual private server (VPS) with AWS. Amazon Lightsail plans include everything you need to jumpstart your project – a virtual machine, SSD-based storage, data transfer, Domain Name System (DNS) management, and a static IP address – for a low, predictable price.

62
Q

A start-up would like to quickly deploy a popular technology on AWS. As a Cloud Practitioner, which AWS tool would you use for this task?

A

AWS Partner Solutions (formerly Quick Starts)

AWS Partner Solutions are automated reference deployments built by Amazon Web Services (AWS) solutions architects and AWS Partners. Partner Solutions help you deploy popular technologies to AWS according to AWS best practices. You can reduce hundreds of manual procedures to a few steps and start using your environment within minutes.

AWS Partner Solutions are automated reference deployments for key workloads on the AWS Cloud. Each Partner Solution launches, configures, and runs the AWS compute, network, storage, and other services required to deploy a specific workload on AWS, using AWS best practices for security and availability.

63
Q

A company would like to separate cost for AWS services by the department for cost allocation. Which of the following is the simplest way to achieve this task?

A

Create tags for each department

You can assign metadata to your AWS resources in the form of tags. Each tag is a label consisting of a user-defined key and value. Tags can help you manage, identify, organize, search for, and filter resources. You can create tags to categorize resources by purpose, owner, environment, or other criteria.

64
Q

the Operational Excellence pillar

A
  • Perform operations as code
  • Annotate documentation
  • Make frequent, small, reversible changes
  • Refine operations procedures frequently
  • Anticipate failure
  • Learn from all operational failures
65
Q

Amazon Elastic Compute Cloud (Amazon EC2) reserved instance (RI)

A
  • Reserved Instances – long workloads
  • Convertible Reserved Instances – long workloads with flexible instances

Convertible reserved instance (RI) provides you with a significant discount (up to 54%) compared to an on-demand instance and can be purchased for a 1-year or 3-year term.

Convertible reserved instance (RI) can be useful when workloads are likely to change. In this case, a convertible reserved instance (RI) enables you to adapt as needs evolve while still obtaining discounts and capacity reservation.

66
Q

Which of the following AWS services can be used to generate, use, and manage encryption keys on the AWS Cloud?

A

AWS CloudHSM allows you to securely generate, store, and manage cryptographic keys used for data encryption in a way that keys are accessible only to you.

67
Q

EC2 On Demand Price

A
  • Pay for what you use:
  • Linux or Windows - billing per second, after the first minute
  • All other operating systems - billing per hour
  • Has the highest cost but no upfront payment
  • No long-term commitment
  • Recommended for short-term and un-interrupted workloads, where you can’t predict how the application will behave
68
Q

AWS Glue

A

AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics. AWS Glue job is meant to be used for batch ETL data processing.

69
Q

review permissions granted to an IAM user

A

AWS Identity and Access Management (IAM) access advisor

IAM Access advisor shows the service permissions granted to a user and when those services were last accessed. You can use this information to revise your policies. To summarize, you can identify unnecessary permissions so that you can revise your IAM policies accordingly.

70
Q

Which AWS service can be used to send, store, and receive messages between software components at any volume to decouple application tiers?

A

Amazon Simple Queue Service (Amazon SQS)

Amazon Simple Queue Service (Amazon SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. Amazon SQS eliminates the complexity and overhead associated with managing and operating message-oriented middleware and empowers developers to focus on differentiating work.

Using Amazon Simple Queue Service (Amazon SQS), you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available.

71
Q

Amazon Simple Queue Service (SQS)

A

Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. SQS eliminates the complexity and overhead associated with managing and operating message-oriented middleware and empowers developers to focus on differentiating work. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available. Get started with SQS in minutes using the AWS console, Command Line Interface or SDK of your choice, and three simple commands.

Amazon SQS uses a pull mechanism, i.e. the messages in the queue remain available until a registered process pulls the messages to process them. This decouples the architecture, since the second application does not need to be available all the time to process messages coming from the first application.

72
Q

automated reference deployments

A

AWS Partner Solutions (formerly Quick Starts)

AWS Partner Solutions are automated reference deployments for key workloads on the AWS Cloud. Each Partner Solution launches, configures, and runs the AWS compute, network, storage, and other services required to deploy a specific workload on AWS, using AWS best practices for security and availability.

Partner Solutions are accelerators that condense hundreds of manual procedures into just a few steps. They are customizable and designed for production.

73
Q

ultra-low latency for end-users and devices that connect through mobile networks

A

AWS Wavelength

AWS Wavelength is an AWS infrastructure offering optimized for mobile edge computing applications. Wavelength Zones are AWS infrastructure deployments that embed AWS compute and storage services within cloud service provider (CSP) data centers at the edge of the 5G network, so application traffic from 5G devices can reach application servers running in Wavelength Zones without leaving the telecommunications network. This avoids the latency that would result from application traffic having to traverse multiple hops across the Internet to reach its destination, enabling customers to take full advantage of the latency and bandwidth benefits offered by modern 5G networks.

74
Q

the health monitoring and reporting capabilities supported by AWS Elastic Beanstalk

A

These checks confirm that:

  1. The environment’s Auto Scaling group is available and has a minimum of at least one instance.
  2. The environment’s security group is available and is configured to allow incoming traffic on port 80.
  3. The environment CNAME exists and is pointing to the right load balancer.
  4. In a worker environment, the Amazon Simple Queue Service (Amazon SQS) queue is being polled at least once every three minutes.

With basic health reporting, the AWS Elastic Beanstalk service does not publish any metrics to Amazon CloudWatch.

75
Q

the development workflow

A

Each AWS CodeStar project includes development tools, including AWS CodePipeline, AWS CodeCommit, AWS CodeBuild, and AWS CodeDeploy, that can be used on their own and with existing AWS applications.

AWS CodePipeline uses Amazon CloudWatch Events to detect changes in CodeCommit repositories used as a source for a pipeline.

You can use AWS CodeStar and AWS Cloud9 to develop, build, and deploy a serverless web application.

76
Q

the core Trusted Advisor checks only

A

Both the Basic and AWS Developer Support plans have access to the core Trusted Advisor checks only.

77
Q

CloudEndure Disaster Recovery

A

CloudEndure Disaster Recovery, available from the AWS Marketplace, continuously replicates server-hosted applications and server-hosted databases from any source into AWS using block-level replication of the underlying server. CloudEndure Disaster Recovery enables you to use AWS Cloud as a disaster recovery Region for an on-premises workload and its environment. It can also be used for disaster recovery of AWS hosted workloads if they consist only of applications and databases hosted on EC2 (i.e. not RDS).

78
Q

AWS Basic Support Plan

A

One-on-one responses to account and billing questions

Service health checks

79
Q

By default, which of the following events are logged by AWS CloudTrail?

A

Management events

An event in AWS CloudTrail is the record of activity in an AWS account. This activity can be an action taken by a user, role, or service that is monitorable by CloudTrail. CloudTrail events provide a history of both API and non-API account activity made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

There are three types of events that can be logged in CloudTrail: management events, data events, and AWS CloudTrail Insights events.

By default, AWS CloudTrail logs all management events and does not include data events or Insights events. Additional charges apply for data and Insights events. All event types use the same CloudTrail JSON log format.

80
Q

AWS Web Application Firewall (AWS WAF) can be deployed on which of the following services?

A

Amazon CloudFront, Application Load Balancer, Amazon API Gateway, AWS AppSync

81
Q

traffic between Availability Zones (AZ)

A

All traffic between Availability Zones (AZ) is encrypted.

All Availability Zones (AZ) in an AWS Region are interconnected with high-bandwidth, low-latency networking over fully redundant, dedicated metro fiber, providing high-throughput, low-latency networking between Availability Zones (AZ). All traffic between Availability Zones (AZ) is encrypted.

82
Q

Which of the following is a repository service that helps in maintaining application dependencies via integration with commonly used package managers and build tools like Maven, Gradle, npm, etc?

A

AWS CodeArtifact

AWS CodeArtifact is a fully managed artifact repository service that makes it easy for organizations of any size to securely store, publish, and share software packages used in their software development process. CodeArtifact can be configured to automatically fetch software packages and dependencies from public artifact repositories so developers have access to the latest versions. CodeArtifact works with commonly used package managers and build tools like Maven, Gradle, npm, yarn, twine, pip, and NuGet making it easy to integrate into existing development workflows.

83
Q

A company is moving its on-premises application to AWS Cloud. The application uses in-memory caches for running custom workloads. Which Amazon Elastic Compute Cloud (Amazon EC2) instance type is the right choice for the given requirement?

A

Memory Optimized instance types

Memory optimized instances are designed to deliver fast performance for workloads that process large data sets in memory. Memory optimized instances offer large memory sizes for memory-intensive applications, including in-memory applications, in-memory databases, in-memory analytics solutions, High Performance Computing (HPC), scientific computing, and other memory-intensive applications.

84
Q

AWS CloudTrail Insights

A

AWS CloudTrail Insights helps AWS users identify and respond to unusual activity associated with write API calls by continuously analyzing CloudTrail management events.

Insights events are logged when AWS CloudTrail detects unusual write management API activity in your account. If you have CloudTrail Insights enabled, and CloudTrail detects unusual activity, Insights events are delivered to the destination S3 bucket for your trail. You can also see the type of insight and the incident time period when you view Insights events on the CloudTrail console. Unlike other types of events captured in a CloudTrail trail, Insights events are logged only when CloudTrail detects changes in your account’s API usage that differ significantly from the account’s typical usage patterns.

85
Q

AWS Shared Responsibility Model

A

AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest operating system and applications.

AWS trains AWS employees, but a customer must train their own employees.

86
Q

the AWS Control Tower and Service Control Policies

A

AWS Control Tower is an AWS native service providing a pre-defined set of blueprints and guardrails to help customers implement a landing zone for new AWS accounts.

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization.

87
Q

random access patterns

A

Amazon S3 Intelligent-Tiering (S3 Intelligent-Tiering) is the only cloud storage class that delivers automatic cost savings by moving objects between four access tiers when access patterns change. The S3 Intelligent-Tiering storage class is designed to optimize costs by automatically moving data to the most cost-effective access tier, without operational overhead. It works by storing objects in four access tiers: two low latency access tiers optimized for frequent and infrequent access, and two optional archive access tiers designed for asynchronous access that are optimized for rare access.

There are no retrieval fees when using the S3 Intelligent-Tiering storage class, and no additional tiering fees when objects are moved between access tiers within S3 Intelligent-Tiering. It is the ideal storage class for data sets with unknown storage access patterns, like new applications, or unpredictable access patterns, like data lakes.

88
Q

NFS file system

A

Amazon Elastic File System (Amazon EFS)

Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. It is built to scale on-demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files, eliminating the need to provision and manage capacity to accommodate growth.

Amazon EFS is designed to provide massively parallel shared access to thousands of Amazon EC2 instances, enabling your applications to achieve high levels of aggregate throughput and input/output operations per second (IOPS) with consistently low latencies.

89
Q

Which feature/functionality will help you organize your AWS resources, manage and automate tasks on large numbers of resources at a time?

A

AWS Resource Groups

You can use AWS Resource Groups to organize your AWS resources. Resource groups make it easier to manage and automate tasks on large numbers of resources at a time. Resource Groups feature permissions are at the account level. As long as users who are sharing your account have the correct IAM permissions, they can work with the resource groups that you create.

90
Q

A company is looking at a service/tool to automate and minimize the time spent on keeping the server images up-to-date. These server images are used by Amazon Elastic Compute Cloud (Amazon EC2) instances as well as the on-premises systems.

A

Amazon EC2 Image Builder

Amazon EC2 Image Builder simplifies the building, testing, and deployment of Virtual Machine and container images for use on AWS or on-premises.

Keeping Virtual Machine (VM) and container images up-to-date can be time-consuming, resource-intensive, and error-prone. Currently, customers either manually update and snapshot VMs or have teams that build automation scripts to maintain images.

Amazon EC2 Image Builder significantly reduces the effort of keeping images up-to-date and secure by providing a simple graphical interface, built-in automation, and AWS-provided security settings. With Image Builder, there are no manual steps for updating an image nor do you have to build your own automation pipeline.

91
Q

Amazon API Gateway

A

Amazon API Gateway can call an AWS Lambda function to create the front door of a serverless application.

Amazon API Gateway can be configured to send data directly to Amazon Kinesis Data Streams.

92
Q

AWS offers two types of Savings Plans

A

Compute Savings Plans, EC2 Instance Savings Plans

AWS offers two types of Savings Plans:

Compute Savings Plans provide the most flexibility and help to reduce your costs by up to 66%. These plans automatically apply to EC2 instance usage regardless of instance family, size, AZ, region, OS or tenancy, and also apply to Fargate and Lambda usage. For example, with Compute Savings Plans, you can change from C4 to M5 instances, shift a workload from EU (Ireland) to EU (London), or move a workload from EC2 to Fargate or Lambda at any time and automatically continue to pay the Savings Plans price.

EC2 Instance Savings Plans provide the lowest prices, offering savings up to 72% in exchange for a commitment to the usage of individual instance families in a region (e.g. M5 usage in N. Virginia). This automatically reduces your cost on the selected instance family in that region regardless of AZ, size, OS or tenancy. EC2 Instance Savings Plans give you the flexibility to change your usage between instances within a family in that region. For example, you can move from c5.xlarge running Windows to c5.2xlarge running Linux and automatically benefit from the Savings Plans prices.