AWS Certified Cloud Practitioner 2020 Flashcards

1
Q

What are the Six Advantages of Cloud Computing?

A
  1. Trade fixed expense for variable expense
  2. Benefit from massive economies of scale
  3. Stop guessing capacity
  4. Increase speed and agility
  5. Stop spending money running and maintaining data centers
  6. Go global in minutes
2
Q

What is Infrastructure as a Service (IaaS)?

A

Infrastructure as a Service (IaaS) contains the basic building blocks for cloud IT and typically provides access to networking features, computers (virtual or on dedicated hardware), and data storage space.

e.g. EC2

3
Q

What is Platform as a Service (PaaS)?

A

Platform as a Service (PaaS) removes the need for your organization to manage the underlying infrastructure (usually hardware and operating systems) and allows you to focus on the deployment and management of your applications.

e.g. Elastic Beanstalk, Amazon Lightsail

4
Q

What is Software as a Service (SaaS)?

A

Software as a Service (SaaS) provides you with a completed product that is run and managed by the service provider.

e.g. GMail

5
Q

What does Public Cloud mean?

A

A cloud-based application is fully deployed in the cloud and all parts of the application run in the cloud.

6
Q

What does Hybrid cloud mean?

A

A hybrid deployment is a way to connect infrastructure and applications between cloud-based resources and existing resources that are not located in the cloud.

7
Q

What does On-premises cloud mean?

A

The deployment of resources on-premises, using virtualization and resource management tools, is sometimes called the “private cloud.”

8
Q

What defines an AWS Region?

A
  1. An AWS Region is a physical location in the world where we have multiple Availability Zones. Each Availability Zone is isolated, but the Availability Zones in a Region are connected through low-latency links.
  2. Each Amazon Region is designed to be completely isolated from the other Amazon Regions.
9
Q

What is an Availability Zone?

A
  1. Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities. These Availability Zones offer you the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center.
  2. Each Availability Zone is designed as an independent failure zone.
10
Q

AWS Cloud Compliance supports what standards

A
  • SOC 1/ISAE 3402, SOC 2, SOC 3
  • FISMA, DIACAP, and FedRAMP
  • PCI DSS Level 1
  • ISO 9001, ISO 27001, ISO 27017, ISO 27018
11
Q

Why choose a particular AWS region?

A
  1. Data sovereignty laws - where can the data legally be kept?
  2. Latency to end users
  3. Availability of AWS services in the region
12
Q

What support plans exist?

A
  1. Basic - free
  2. Developer - 29/mo, scales
  3. Business - 100/mo, scales
  4. Enterprise - 15k/mo, scales - Get a TAM (Technical Account Manager)
13
Q

Which support plan gets you a TAM?

A

Enterprise - 15k/mo, scales

14
Q

What is CloudWatch?

A
  1. All about performance (analogy is personal trainer)
  2. Can monitor most of AWS
  3. Monitors your AWS resources and the applications they run
  4. Can create alarms which trigger notifications
15
Q

What CloudWatch monitoring periods exist for EC2?

A

Every 5 minutes by default

Every 1 minute for detailed monitoring

16
Q

Is IAM global or regional?

A

Global

17
Q

3 ways a user can access AWS

A
  1. AWS management console
  2. Command Line Interface (CLI) - requires access key ID and secret access key
  3. Amazon SDK
18
Q

IAM policies are which format?

A

JSON

19
Q

IAM policies are applied in what structure?

A

Groups

20
Q

IAM best practices

A
  1. Only use root account to create other accounts
  2. 1 user = 1 human, no phantom users
  3. Always place users in groups and apply policies at the group level
  4. Strong password policies
  5. Always use MFA
  6. Use roles to access other AWS services
  7. Use access keys for programmatic access to AWS
  8. Use IAM credential reports to audit
21
Q

What are AWS credential reports?

A

Audit the permissions of users/accounts

22
Q

S3 suited for what storage uses?

A

Object-based storage, for flat files (Not suitable for an OS)
Files can be 0-5TB in size
Unlimited storage

23
Q

Namespace of S3 buckets?

A

universal namespace!

24
Q

How to know if S3 upload successful?

A

HTTP 200

25
Q

S3 data consistency model

A

read after write consistency for puts of new objects

eventual consistency for overwrite puts and deletes

26
Q

Where are S3 buckets stored? Where can they be accessed?

A

Buckets do exist in regions, but can be accessed globally

Can replicate bucket in one region to bucket in another region using cross region replication

27
Q

How does S3 scale?

A

S3 scales automatically to meet demand

28
Q

What is S3 Transfer acceleration?

A

upload to edge location in your region, propagated to other regions using the AWS backbone

29
Q

What is an Edge location?

A

place where content is cached for fast access (think CloudFront)

Note: you can also write (put an object) to an edge location (i.e. Transfer Acceleration)

30
Q

What is the best practice for S3 access control?

A

S3 bucket policies or IAM policies are recommended for access control

31
Q

What are the S3 storage classes?

A

Amazon S3 Standard (S3 Standard)
Amazon S3 Intelligent-Tiering (S3 Intelligent-Tiering)
Amazon S3 Standard-Infrequent Access (S3 Standard-IA)
Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)
Amazon S3 Glacier Instant Retrieval
Amazon S3 Glacier Flexible Retrieval (Formerly S3 Glacier)
Amazon S3 Glacier Deep Archive

32
Q

Characteristics of S3 standard

A

Low latency and high throughput performance
Designed for durability of 99.999999999% of objects across multiple Availability Zones
Resilient against events that impact an entire Availability Zone
Designed for 99.99% availability over a given year
Backed with the Amazon S3 Service Level Agreement for availability
Supports SSL for data in transit and encryption of data at rest
S3 Lifecycle management for automatic migration of objects to other S3 Storage Classes

33
Q

Characteristics of Amazon S3 Intelligent-Tiering (S3 Intelligent-Tiering)

A
  • Automatically moves data to the most cost-effective tier
    Frequent, Infrequent, and Archive Instant Access tiers have the same low-latency and high-throughput performance of S3 Standard
  • The Infrequent Access tier saves up to 40% on storage costs
  • The Archive Instant Access tier saves up to 68% on storage costs
  • Opt-in asynchronous archive capabilities for objects that become rarely accessed
  • Deep Archive Access tier has the same performance as Glacier Deep Archive and saves up to 95% for rarely accessed objects
  • Designed for durability of 99.999999999% of objects across multiple Availability Zones and for 99.9% availability over a given year
  • Backed with the Amazon S3 Service Level Agreement for availability
  • Small monthly monitoring and auto tiering charge
  • No operational overhead, no lifecycle charges, no retrieval charges, and no minimum storage duration
  • Objects smaller than 128KB can be stored in S3 Intelligent-Tiering but will always be charged at the Frequent Access tier rates, and are not charged the monitoring and automation charge.
34
Q

Characteristics of Amazon S3 Standard-Infrequent Access (S3 Standard-IA)

A
  • Infrequent access, but requires rapid access - lower fee, but charged a retrieval fee
  • Same low latency and high throughput performance of S3 Standard
  • Designed for durability of 99.999999999% of objects across multiple Availability Zones
  • Resilient against events that impact an entire Availability Zone
  • Data is resilient in the event of one entire Availability Zone destruction
  • Designed for 99.9% availability over a given year
  • Backed with the Amazon S3 Service Level Agreement for availability
  • Supports SSL for data in transit and encryption of data at rest
  • S3 Lifecycle management for automatic migration of objects to other S3 Storage Classes
35
Q

Characteristics of Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)

A
  • Low cost, for data that does not require multiple Availability Zone resilience
  • Same low latency and high throughput performance of S3 Standard
  • Designed for durability of 99.999999999% of objects in a single Availability Zone
  • Designed for 99.5% availability over a given year
  • Backed with the Amazon S3 Service Level Agreement for availability
  • Supports SSL for data in transit and encryption of data at rest
  • S3 Lifecycle management for automatic migration of objects to other S3 Storage Classes
36
Q

Characteristics of Amazon S3 Glacier Deep Archive

A

Data retrieval in milliseconds with the same performance as S3 Standard

Designed for durability of 99.999999999% of objects across multiple Availability Zones

Data is resilient in the event of the destruction of one entire Availability Zone

Designed for 99.9% data availability in a given year

128 KB minimum object size

Backed with the Amazon S3 Service Level Agreement for availability

S3 PUT API for direct uploads to S3 Glacier Instant Retrieval, and S3 Lifecycle management for automatic migration of objects

37
Q

Characteristics of Amazon S3 Glacier Flexible Retrieval (Formerly S3 Glacier)

A

Competitive with costs of on-prem solutions

Designed for durability of 99.999999999% of objects across multiple Availability Zones

Data is resilient in the event of one entire Availability Zone destruction

Supports SSL for data in transit and encryption of data at rest

Ideal for backup and disaster recovery use cases when large sets of data occasionally need to be retrieved in minutes, without concern for costs

Configurable retrieval times, from minutes to hours, with free bulk retrievals

S3 PUT API for direct uploads to S3 Glacier Flexible Retrieval, and S3 Lifecycle management for automatic migration of objects

38
Q

Characteristics of Amazon S3 Glacier Deep Archive

A

Designed for durability of 99.999999999% of objects across multiple Availability Zones

Lowest cost storage class designed for long-term retention of data that will be retained for 7-10 years

Ideal alternative to magnetic tape libraries

Retrieval time within 12 hours

S3 PUT API for direct uploads to S3 Glacier Deep Archive, and S3 Lifecycle management for automatic migration of objects

39
Q

What is S3 Outposts?

A

store your S3 data on premises

S3 Object compatibility and bucket management through the S3 SDK

Designed to durably and redundantly store data on your Outposts

Encryption using SSE-S3 and SSE-C

Authentication and authorization using IAM, and S3 Access Points

Transfer data to AWS Regions using AWS DataSync

S3 Lifecycle expiration actions

40
Q

Characteristics of Amazon S3 Glacier Instant Retrieval

A

Data retrieval in milliseconds with the same performance as S3 Standard

Designed for durability of 99.999999999% of objects across multiple Availability Zones

Data is resilient in the event of the destruction of one entire Availability Zone

Designed for 99.9% data availability in a given year

128 KB minimum object size

Backed with the Amazon S3 Service Level Agreement for availability

S3 PUT API for direct uploads to S3 Glacier Instant Retrieval, and S3 Lifecycle management for automatic migration of objects

41
Q

How does S3 versioning work?

A

Stores all versions of an object, even if you delete

Great for backup

Versioning can be suspended, but not disabled; existing versions remain

Integrates with lifecycle rules

Can require MFA in order to delete

42
Q

How can you restrict S3 bucket access?

A

Bucket policies

Object policies

IAM policies to users and groups

43
Q

Characteristics of CloudFront

A

Amazon’s CDN

Origin - The origin of the files

Distribution - collection of edge locations

First user forces a download of the file from origin to edge location - stays in cache until TTL (default is 24 hours in seconds)

2 types

  • web distribution
  • RTMP - used for media streaming (like Adobe Flash) - not used much anymore

You can clear cached objects, but you will be charged for it

44
Q

Name common compute services

A

EC2 - Secure and resizable compute capacity (virtual servers) in the cloud

Lightsail - Easy-to-use cloud platform that offers you everything you need to build an application or website

Lambda - Run code without thinking about servers. Pay only for the compute time you consume.

Batch - Fully managed batch processing at any scale

Elastic Beanstalk - Easy-to-use service for deploying and scaling web applications and services

Serverless Application Repository - quickly deploy code samples, components, and complete applications for common use cases such as web and mobile back-ends, event and data processing, logging, monitoring, IoT, and more.

AWS Outposts - Run AWS infrastructure and services on premises for a truly consistent hybrid experience

EC2 Image Builder - Build and maintain secure Linux or Windows Server images

45
Q

What are the EC2 types?

A

On Demand: Pay fixed rate by the hour or by the second

Reserved: Includes a capacity reservation, but with a significant discount on the hourly rate. 1 or 3 year contract terms. Max discount for longest time and paying immediately

Spot: Bid a price (per hour) for an instance capacity. Greater savings if you have flexible start and end times

Dedicated Hosts: Physical EC2 server dedicated for your use. Reduced costs when you use your existing server-bound software licenses

46
Q

What’s an EC2 AMI?

A

AMI (Amazon Machine Image) - e.g. VM snapshot

47
Q

How do we design for failure in EC2?

A

“Everything fails all of the time” - we need to design for failure as a natural occurrence

Have one EC2 instance in each availability zone - so failure in one AZ won’t drop your app.

Use ALB or ELB to route

Use auto scaling group

48
Q

How do you pay for partial hours for EC2 Spot instances?

A

If you terminate mid hour, you pay full hour

If AWS terminates mid hour, you don’t pay for the hour

49
Q

When to use EC2 Dedicated hosts?

A

Useful when regulatory requirements exist

Useful when licensing restrictions exist

50
Q

What are Security Groups?

A

Virtual firewalls in the cloud - need to open ports in order to use them

51
Q

What’s VPC?

A

Virtual Private Cloud

your own “data center in the cloud”

Can create a hardware VPN connection between corporate network and VPC - to extend your corporate data center

52
Q

What is AWS Direct Connect?

A

Private hardware connection between AWS and your data center

Can be more reliable and have better bandwidth than the Internet

VPN over Direct Connect: better security - encrypted

53
Q

What is EBS?

A

“virtual disk in the cloud”

virtual storage volumes (block devices) that can be attached to EC2 instances

Attach, then create a filesystem, database, etc.

Placed in specific availability zones

Automatically replicated within AZ to protect from failure

Perfect for OSes, databases

Can be resized, but not as easily/automatically as EFS

54
Q

What EBS Types?

A

SSD

  • GP2: General purpose SSD - balance price and performance
  • IO1: Provisioned IOPS SSD - high performance

Magnetic

  • ST1: Throughput optimized HDD - low cost, frequent access, throughput intensive
  • SC1: Cold HDD - lowest cost HDD for less frequent access
  • Magnetic: previous generation
55
Q

What Load Balancer Types?

A

Application Load Balancers

Network Load Balancers

Gateway Load Balancer

Classic Load Balancers

56
Q

What is EC2 auto scaling?

A

Automatically add EC2 instances to scale an application

Based on an AMI (e.g. VM snapshot)

57
Q

When to choose Application Load Balancer?

A

Not free

Layer 7

Choose an Application Load Balancer when you need a flexible feature set for your applications with HTTP and HTTPS traffic. Operating at the request level, Application Load Balancers provide advanced routing and visibility features targeted at application architectures, including microservices and containers.

58
Q

When to choose Network Load Balancer?

A

Extreme performance, Static IP addresses

Choose a Network Load Balancer when you need ultra-high performance, TLS offloading at scale, centralized certificate deployment, support for UDP, and static IP addresses for your applications. Operating at the connection level, Network Load Balancers are capable of handling millions of requests per second securely while maintaining ultra-low latencies.

59
Q

When to choose Gateway Load Balancer?

A

Choose a Gateway Load Balancer when you need to deploy and manage a fleet of third-party virtual appliances that support GENEVE.

60
Q

When to choose Classic Load Balancers?

A

Test & dev

Low cost

61
Q

What is Lambda pricing?

A

Number of requests - 1M free, then $0.20 per 1M after
Execution time, memory
- time code executes to nearest 100ms.
- price depends on amount of memory you allocate to your function

62
Q

Lambda characteristics

A

Event driven compute service

Triggered by several options - e.g. S3 drops, etc.

Run your code in response to HTTP requests using Amazon API Gateway or API calls made using AWS SDKs

Can use version control

Scales automatically - Lambda scales out, not up

Lambda functions are independent (stateless)

63
Q

What is shared responsibility in Lambda?

A

I’m responsible for my code and the language version I’m using

AWS responsible for hardware

64
Q

Lambda supported languages

A

Node.js

Java

Python

C#

Go

PowerShell

65
Q

Supported RDS engines

A

MS SQL Server

MySQL

PostgreSQL

Oracle

Aurora

  • Amazon’s DB - compatible with MySQL and PostgreSQL
  • 6 copies of data spread across 3+ AZs

MariaDB

66
Q

RDS characteristics

A

Not free

SQL/OLTP (Online transaction processing)
- A single transaction

Not for OLAP (Online analytics processing) - see Redshift

Multi-AZ for disaster recovery, failover
Read-replicas for performance

Write to primary database

Read from up to 5 read replicas

67
Q

What is DynamoDB?

A

Amazon’s NoSQL

68
Q

What is Redshift?

A

Business intelligence or Data warehousing
OLAP: Online analytics processing

Analytics on a whole database

Examples: Cognos, SQL Server Reporting Services, Oracle Hyperion, SAP NetWeaver, etc.

NOT for OLTP (Online transaction processing)

69
Q

What is ElastiCache

A

“Application caching”

Web service fronting an in-memory cache

Web applications access this instead of disk-based databases

Supported engines

  • Redis
  • Memcached
70
Q

What is Amazon Neptune

A

Amazon’s graph database

Scalable, high availability

71
Q

What is Route 53?

A

Amazon’s DNS solution

Register a domain name

Global in scope, similar to IAM and S3

Policies

  • Failover routing
  • Latency-based routing
72
Q

What is Elastic Beanstalk?

A

A way to deploy and manage AWS resources in an orchestrated manner if you don’t know a lot about AWS - like a wizard

Free

Limited in what it can provision and not programmable

“easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.”

Handles capacity provisioning, load balancing, scaling, application health monitoring

73
Q

What is CloudFormation

A

Same concept as Elastic Beanstalk, but for people who know what they’re doing in AWS.

Free

Can provision almost any AWS service and is completely programmable

Turns your infrastructure into code

74
Q

Good alternative to saving your credentials using aws configure to access AWS services

A

Create an IAM role with specific permissions policies

Attach that role to the EC2 instance that you want to perform the authorized operation from. The permissions change immediately - no need to reboot.

Perform the authorized operation. It will work by virtue of the attached role.

In this way, you don’t need to keep your access key and secret access key on the EC2 instance

75
Q

What AWS services are global?

A

IAM

Route 53

CloudFront

SNS

SES

76
Q

Is S3 regional or global?

A

Regional, but viewed globally

77
Q

What is Snowball?

A

Snowball - a huge disk (50 or 80 TB)
- How you can make massive uploads to S3 by borrowing disks from Amazon and returning them with the data

Snowball Edge
- Same as Snowball, but with a computer as well that can run Lambda

78
Q

What is Storage Gateway?

A

Similar to Snowball, but stays on prem

A way to cache files on-prem so you don’t lose files if you lose connectivity to AWS

79
Q

What AWS services are on-prem?

A

Snowball - a huge disk (50 or 80 TB)

Snowball Edge

Storage Gateway

CodeDeploy

OpsWorks

IoT Greengrass

80
Q

What is AWS CodeDeploy?

A

AWS CodeDeploy is a fully managed deployment service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Fargate, AWS Lambda, and your on-premises servers.

81
Q

What is AWS Systems Manager?

A

Manage an EC2 “fleet” (e.g. yum install .... to each machine in fleet)

Piece of software installed on each VM to connect to Systems Manager

Can manage inside AWS and on prem

Run Command used to install, patch, and uninstall software

Integrates with CloudWatch to give dashboard of entire estate

Create Resource Groups

  • Can create based on “Tag query”
  • Can apply automation to all resources in a Resource Group at the same time (e.g. stop all EC2 instances in Resource Group at once)
82
Q

What is Service Health Dashboard?

A

Access the status for all AWS services

83
Q

What is Personal Health Dashboard?

A

Access the status for my AW.

AWS Personal Health Dashboard provides alerts and guidance for AWS events that might affect your environment.

84
Q

What is Global Accelerator?

A

create accelerators to improve availability and performance of applications for local and global users

direct traffic to optimal endpoints over the AWS global network

uses Amazon’s dedicated network rather than the Internet to overcome Internet congestion, etc.

improves internet user performance by up to 60%

85
Q

What is EFS?

A

Elastic File System

file storage service for EC2

automatically resizes with need

multiple EC2 instances can access at the same time

think centralized file server or content management system

86
Q

What is the difference between AWS Budgets and AWS Cost Explorer?

A

Budgets: Plan for costs before they occur

Cost Explorer: Explore costs after they’ve occurred

87
Q

What is consolidated billing?

A

Combines resources billed to activate economies of scale (volume discounts)!

Consolidated Billing enables you to see a combined view of AWS costs incurred by all accounts in your department or company, as well as obtain a detailed cost report for each individual AWS account associated with your paying account.

Only 20 linked accounts allowed (soft limit - can increase)

Best practice: Paying account should be used for billing purposes only.

88
Q

What is CloudTrail?

A

Think “audit”

Monitors API calls in the AWS platform

Per AWS account and is enabled per region

Every time we do something, CloudTrail logs it.

Best practice - use a separate account for logging

  • Turn on CloudTrail in the paying account
  • Create an S3 bucket with a bucket policy that allows cross-account access
  • Turn on CloudTrail in the other accounts and use the bucket in the paying account
89
Q

What is AWS Landing Zone (now AWS Control Tower)?

A

Sets up a multi-account AWS environment at the click of a button

Typically used by large enterprises with multiple AWS accounts

Creates accounts that conform to company policies

90
Q

What is Security Hub?

A

Gives a comprehensive view of your security alerts across multiple AWS accounts - thousands!

Inputs from GuardDuty, Inspector, Macie, IAM Access Analyzer, Firewall Manager, etc.

91
Q

What do I do when I have compromised AWS creds?

A

Determine what resources those creds have access to

Invalidate creds that have been compromised

Consider invalidating any temporary security creds that might have been issued using the compromised creds

Restore appropriate access

Review access to your AWS account

92
Q

What is AWS Simple Monthly Calculator?

A

easy-to-use online tool that enables you to estimate the monthly cost of AWS services for your use case based on your expected usage.

93
Q

What is AWS Total Cost of Ownership Calculator?

A

Compare costs for AWS vs. owned on-premise

94
Q

What is AWS Artifact?

A

place to find compliance documents

AWS has some responsibilities, developer has some responsibilities - See AWS Shared Responsibility Model

95
Q

What is the AWS Shared Responsibility model?

A

AWS manages security “of the cloud”

Security “in the cloud” is customer’s responsibility

96
Q

How does AWS feel about me doing pen testing?

A

AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for 8 services:

  • EC2, NAT gateways, ELB
  • RDS
  • CloudFront
  • Aurora
  • API Gateway
  • Lambda
  • Lightsail
  • Elastic Beanstalk

Unsupported

  • DDoS-ing yourself
  • DNS zone walking
  • Port flooding
  • Protocol flooding
  • Request flooding
97
Q

What is Amazon GuardDuty?

A

Uses ML algs to monitor and protect AWS account

Notifies of weird/anomalous behavior

30 day trial

Input data includes

  • CloudTrail logs
  • VPC Flow logs
  • DNS logs

Operates on single AWS account

98
Q

What is WAF?

A

Web application firewall

Layer 7 firewall

Put firewall in front of load balancer

99
Q

What is AWS Shield?

A

DDoS protection service

“Standard” turned on automatically

“Advanced” - optional - $3k/month

100
Q

What is AWS Inspector?

A

automated service that helps improve security and compliance of apps deployed on AWS

looks for vulnerabilities or deviations from best practices

install on EC2 instances

101
Q

What is AWS Trusted Advisor?

A

online resource to help reduce cost, increase performance, and improve security by optimizing your AWS environment

real time guidance

advise on cost optimization, performance, security, fault tolerance

looks at all AWS account

Categories of checks

  • Cost optimization
  • Performance
  • Security
  • Fault tolerance
  • Service limits
102
Q

What is AWS Config?

A

Monitors configuration of AWS resources in AWS account

103
Q

What is AWS Key Management Service (KMS)?

A

Manages master keys

For S3, database password

On shared hardware

Integrated with most AWS services

Regional

104
Q

What is AWS CloudHSM?

A

Dedicated hardware security module (HSM)

Does all AWS KMS does and more

FIPS 140-2 Level 3

Single tenant

Can be clustered across multi-AZ

105
Q

What is AWS Parameter Store?

A

serverless storage for configuration and secrets

can be stored using KMS or plaintext

TTL to expire supported

free

10K parameters per account

106
Q

What is AWS Secrets Manager?

A

Does all Parameter Store does and more

Not free; charged per secret stored and per 10K API calls

Can automatically rotate secrets

Apply the new key/password in RDS for you

Generate random secrets

107
Q

What is Athena?

A

interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL

Pay per query / per TB scanned

No need for ETL

Use cases

  • Query log files in S3 (e.g. ELB logs, S3 access logs, etc.)
  • Generate business reports
  • Analyse AWS cost and Usage reports
  • Run queries on click-stream data
108
Q

What is Macie?

A

Uses AI (ML and NLP) to discover, classify, and protect sensitive data in S3 (like PII)

Dashboards, reporting, alerts

Works with data stores in S3

Can analyze CloudTrail logs

Great for PCI-DSS and preventing ID theft

109
Q

What is Lex?

A

powers Amazon Alexa

Used to build conversational chatbots powered via voice or text

110
Q

What is Polly?

A

Text to life-like voice

Can use an accent - lots of different voices

111
Q

What is Transcribe?

A

Speech to text

112
Q

What is Rekognition?

A

Images to tags/text

Upload an image and Rekognition will tell you what it thinks the image is - with a certain degree of confidence

113
Q

What is a Subnet?

A

A range of IP addresses in your VPC

114
Q

What is an ACL?

A

Access control list (ACL) – use a network ACL to provide additional security in a subnet. The default subnet ACL allows all inbound and outbound traffic.

115
Q

What is a Route Table?

A

Contains a set of routes that AWS uses to direct the network traffic for your VPC. You can explicitly associate a subnet with a particular route table. By default, the subnet is associated with the main route table.