AWS Cloud Practitioner Flashcards

1
Q

What is public cloud?

A

Computing services offered by third-party providers over the public Internet

2
Q

What is hybrid cloud?

A

A cloud setup where you have some data on prem and some in the cloud

3
Q

What type of expense is cloud computing?

A

With cloud services we trade reduced capital expense (CAPEX) for higher operational expense (OPEX).

4
Q

What does IaaS stand for?

A

Infrastructure as a service.

5
Q

What is an example of IaaS in AWS?

A

EC2

6
Q

What does PaaS stand for?

A

Platform as a service. PaaS removes the need to manage underlying infrastructure.

7
Q

What is an example of PaaS in AWS?

A

Elastic Beanstalk

8
Q

What does SaaS stand for?

A

Software as a service. A completed product that will be run and managed by the provider.

9
Q

What is an example of SaaS in AWS?

A

Rekognition

10
Q

What are the 3 AWS pricing fundamentals?

A

You pay for compute time, you pay for data stored in the cloud and you pay for data transfer out of the cloud (data transfer into the cloud is free)

11
Q

What is a region in AWS?

A

A physical location containing a cluster of data centres which are divided into Availability Zones (AZs).

12
Q

What are four things you should take into account when choosing an AWS region?

A

Compliance with data governance, proximity to customers, available services within a region and pricing.

13
Q

What is an AZ in AWS?

A

Availability Zone. Each AZ within a region is one or more discrete data centres.

14
Q

How are AZs organised in a region?

A

They are separated from each other so they’re less likely to all be affected by a disaster.

15
Q

What standard defines what is AWS’s responsibility and what is the user’s responsibility?

A

The shared responsibility model.

16
Q

What does IAM stand for?

A

Identity and Access Management

17
Q

What should you use your AWS root account for?

A

You should only use the root account to perform a few account and service management tasks (for example, creating other accounts).

18
Q

What can IAM groups contain?

A

IAM groups contain users. They cannot contain other groups, although users can belong to multiple groups.

19
Q

What type of files are used to assign IAM permissions?

A

In IAM you assign permissions with JSON documents called policies.

20
Q

Which principle should you use when deciding on the permissions to grant an IAM user?

A

The least privilege principle. Don’t give any more permissions than a user needs.

21
Q

What are tags, and what are they used for?

A

Tags are used to organise and track AWS resources. They are key-value pairs.

22
Q

What is within the IAM Policy Structure?

A

An optional SID (id), an effect (this dictates whether the policy allows or denies access), a principal (the user/account/group to which this policy applies), an action (a list of actions which this policy applies to, e.g., a ‘get’), a resource (a list of resources which this action applies to, e.g., a bucket), and an optional condition (condition for execution).

23
Q

What is the name of the type of device you use for physical MFA?

A

Universal Second Factor

24
Q

What are the three ways in which you can access AWS?

A

The AWS Management Console, the AWS Command Line Interface (CLI) and AWS Software Developer Kit (SDK)

25
Q

How do you generate AWS Access Keys?

A

Use the AWS Console.

26
Q

What is the difference between the AWS CLI and SDK?

A

The CLI allows you to work with AWS over the command line; the SDK allows you to access AWS programmatically.

27
Q

What does AWS SDK stand for?

A

AWS Software Developer Kit

28
Q

What is AWS CloudShell?

A

A terminal in the AWS management console in which you are automatically logged in as your user in your current region.

29
Q

If you want AWS Services to perform actions on your behalf you need to assign them permissions using IAM Roles (T/F)

A

True

30
Q

What is the name of the document which lists all of your account’s users and the status of their credentials?

A

IAM Credentials Report

31
Q

What is the name of the document which shows the service permissions granted to a user and when those services were last accessed?

A

IAM Access Advisor

32
Q

What is the correct policy for creating new AWS Users?

A

One AWS user = one physical user.

33
Q

What is the correct policy for assigning permissions to a user?

A

Assign users to groups and permissions to groups.

34
Q

Where do you find information on your AWS spending?

A

AWS Billing Dashboard

35
Q

What does EC2 stand for?

A

Elastic Compute Cloud

36
Q

What is bootstrapping in EC2?

A

Bootstrapping means running commands when a machine starts. This script is only run once, and it is used to automate boot tasks.

37
Q

What is the name of the script which is run when we launch an EC2 instance?

A

The EC2 User Data Script

38
Q

What are examples of EC2 base images?

A

AWS Linux and Ubuntu

39
Q

What are EC2 instance types?

A

EC2 Instance types represent different amounts of memory, different CPUs &c.

40
Q

An EC2 instance is named m5.2xLarge. What information do we know about it?

A

‘m’ is the name of its instance class (‘general purpose’), ‘5’ is its instance generation, ‘2xLarge’ is its size within the instance class.

41
Q

You have a machine learning project. What is the best type of EC2 instance to use for it?

A

A compute optimised EC2 instance.

42
Q

You have a project which needs a high performance database. What is the best type of EC2 instance to use for it?

A

A memory optimised EC2 instance.

43
Q

You have a NoSQL database project. What is the best type of EC2 instance to use for it?

A

A storage optimised EC2 instance.

44
Q

What do you use to control traffic in and out of EC2 instances?

A

Security groups.

45
Q

You create an EC2 security group. What are the rules for reusing it?

A

Security groups can be attached to multiple instances but they are locked to a region. If you want to go into another region you have to create a new security group.

46
Q

What are the default EC2 security group rules?

A

All inbound traffic is blocked, all outbound traffic is allowed.

47
Q

What rules do EC2 security groups support?

A

EC2 security groups only support allow rules.

48
Q

What is AWS EC2 Instance Connect?

A

Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH)

49
Q

What are On-Demand EC2 Instances?

A

EC2 Instances that you pay for with no long-term commitments. They are good for short workloads. You pay by the second.

50
Q

What are Reserved EC2 Instances?

A

You can purchase a Reserved Instance for a one-year or three-year commitment. They are good for long term workloads (like databases) and are cheaper than On-Demand Instances.

51
Q

What are Convertible Reserved EC2 Instances?

A

Convertible Reserved Instances are a type of Reserved Instance that can be exchanged for new instance types, new tenancies, and new operating systems as circumstances change. They are good for long workloads with flexible instances.

52
Q

What are Spot EC2 Instances?

A

A Spot Instance is an instance that uses spare EC2 capacity that is available for less than the On-Demand price. These are good for short workloads and are cheap, but you may lose your instances.

53
Q

What are Dedicated Hosts EC2 Instances?

A

An Amazon EC2 Dedicated Host is a physical server with EC2 instance capacity fully dedicated to your use. This is good if you have compliance requirements.

54
Q

What are Dedicated EC2 Instances?

A

Dedicated Instances are Amazon EC2 instances that run in a virtual private cloud (VPC) on hardware that’s dedicated to a single customer.

55
Q

What are EC2 Capacity Reservations?

A

On-Demand Capacity Reservations enable you to reserve compute capacity for your Amazon EC2 instances in a specific Availability Zone for any duration. Capacity Reservations mitigate against the risk of being unable to get On-Demand capacity in case there are capacity constraints.

56
Q

What does EBS stand for?

A

Elastic Block Store. Elastic Block Store is a high-performance block-storage service designed for EC2.

57
Q

What is an EBS Volume?

A

An Amazon EBS volume is a block-level storage device that you can attach to your instances. After you attach a volume to an instance, you can use it as you would use a physical hard drive.

58
Q

What are the rules for moving and reusing EBS Volumes?

A

A volume can only be mounted to one instance at a time (unless you are willing to do some complicated things). They can be moved between EC2 Instances easily, provided those instances are within the same AZ. To move volumes between AZs you need to snapshot them.

59
Q

Which attribute is used to control EBS volume behaviour when an EC2 Instance terminates?

A

The ‘delete on termination’ attribute.

60
Q

What are the default rules for EBS volume behaviour on EC2 Instance termination?

A

By default the EC2 instance’s root volume will be deleted, but no other EBS volumes will be.

61
Q

What is an EBS snapshot?

A

A ‘backup’ of the contents of a volume.

62
Q

What does it mean to archive a snapshot?

A

Moving a snapshot to ‘archive tier’ makes its storage 75% cheaper, but it takes 24 to 75 hours to retrieve it.

63
Q

What does AMI stand for?

A

Amazon Machine Image

64
Q

What does an AMI do?

A

An Amazon Machine Image is a master image for the creation of EC2 instances in AWS. You can create an AMI from an existing EC2 instance. They are built for a specific region.

65
Q

What are the three types of AMI that you can use to launch instances from?

A

Public AMI (AWS provided), your own AMI (made and maintained by you) and AWS Marketplace AMIs

66
Q

What do you use EC2 Image Builder for?

A

EC2 Image Builder is used to automate the creation of VMs or container images. AMIs are one of the types of images you can create with Image Builder, and Image Builder allows you to automate the creation, maintenance and validation of AMIs.

67
Q

What AWS EC2 tool would you use if you need a high-performance hardware disk?

A

EC2 instance store. Instance stores lose their storage if they’re stopped, so they’re good for buffer/cache/scratch storage. There is a risk of data loss if the hardware fails, and backups are your responsibility.

68
Q

What does EFS stand for?

A

Elastic File System

69
Q

What does NFS stand for?

A

Network File System

70
Q

What service does EFS provide?

A

It is a Network File System which is accessible across multiple AZs (via EFS mount targets). It is expensive, compared with EBS.

71
Q

What is EFS-IA?

A

Elastic File System Infrequent Access. If you enable EFS-IA within a lifecycle policy, EFS will automatically move your files to a cheaper infrequent access store if they go unused for a long time.

72
Q

What is Amazon FSx?

A

FSx is used to launch 3rd party high performance file systems on AWS. There is an FSx for Windows and Lustre (“Linux” + “cluster” = “Lustre”).

73
Q

What is vertical scalability?

A

Vertical scalability means that you can increase the size of an instance.

74
Q

What is horizontal scalability?

A

Horizontal scalability means that you can increase the number of instances for your application.

75
Q

What is high availability?

A

High availability indicates that you are running your application in at least two availability zones. High availability goes hand in hand with horizontal scaling.

76
Q

What is elasticity?

A

Once a system is scalable, elasticity means there will be some ‘auto-scaling’, so that a system can scale based on load. This allows you to optimise costs.

77
Q

What are load balancers?

A

A load balancer is a service which forwards internet traffic to multiple servers downstream. This allows you to spread load across multiple downstream instances. You can expose a single point of access (DNS) to your application and seamlessly handle failures downstream.

78
Q

What are the location rules for load balancers?

A

You can use a load balancer across multiple AZs.

79
Q

What does ELB stand for?

A

Elastic Load Balancer.

80
Q

What does an ELB do?

A

Elastic Load Balancer is a managed service which handles the maintenance of your load balancers. Elastic Load Balancing scales your load balancer as your incoming traffic changes over time.

81
Q

Which load balancer type handles HTTP/HTTPS routing?

A

Application load balancer

82
Q

Which load balancer type is used for ultra high performance and handles UDP and TCP routing?

A

Network load balancer

83
Q

Which load balancer type is best for security and intrusion detection?

A

Gateway load balancer

84
Q

What does ASG stand for?

A

Auto scaling group

85
Q

What is an ASG used for?

A

Auto scaling groups are designed to scale in and out (aka add and remove EC2 instances) to match your application’s load. You set a minimum and maximum number of machines and a desired capacity and your ASG will automatically register new instances to your load balancer when needed. It will also replace unhealthy instances.

86
Q

Which ASG strategy requires you to change the application scale yourself?

A

Manual scaling

87
Q

Which ASG strategy allows you to change the application scale according to demand?

A

Dynamic scaling

88
Q

Which ASG strategy allows you to change the application scale based on an event?

A

Simple/step scaling. An example of an event is a CloudWatch alarm being triggered.

89
Q

Which ASG strategy allows you to set an average scale for your application?

A

Target tracking scaling (e.g., ‘I want ASG CPU to stay around 40%’)

90
Q

Which ASG strategy allows you to scale based on a schedule?

A

Scheduled scaling

91
Q

Which ASG strategy allows you to scale based on a learned pattern?

A

Predictive scaling (use machine learning to predict traffic ahead of time, and automatically provision EC2 instances ahead of time)

92
Q

What does S3 stand for?

A

Amazon Simple Storage Service

93
Q

How are files and directories described in Amazon S3?

A

Files are objects, directories are buckets.

94
Q

What are the location rules for S3 buckets?

A

S3 Buckets are defined at the region level.

95
Q

What are the size constraints for S3 objects?

A

If you try to upload objects larger than 5TB, you will need to do this with a multipart upload.

96
Q

What user based policy can you use to secure your S3 bucket?

A

IAM policies can be used to dictate which API calls are allowed for a specific AWS User.

97
Q

Which common S3 policy can be used to create bucket-wide access rules?

A

Bucket policies.

98
Q

Which S3 policy can be used to create object specific access rules?

A

Object Access Control List

99
Q

If you know that none of your S3 buckets should ever be public, what is the easiest way to set this?

A

You can set this rule at the account level.

100
Q

At what level do you set versioning in S3?

A

S3 file versioning is set at the bucket level

101
Q

What does CRR stand for?

A

Cross region replication

102
Q

What does SRR stand for?

A

Same region replication

103
Q

What is CRR useful for?

A

Compliance, lower latency access, replication across accounts

104
Q

What is SRR useful for?

A

Log aggregation, live replication between prod and test accounts

105
Q

Which two methods can you use to move between S3 storage classes?

A

You can move manually, or by using S3 lifecycle configurations

106
Q

Which S3 storage class is best for general purpose use?

A

S3 Standard

107
Q

Which S3 storage class is best for data which is infrequently accessed but still needs rapid retrieval?

A

S3 Infrequent Access. Standard infrequent access is used for disaster recovery. One zone infrequent access is used for backups of on-prem data, or data you can recreate.

108
Q

Which S3 storage class is best for big data analytics?

A

S3 Standard

109
Q

Which S3 storage class is best for gaming apps?

A

S3 Standard

110
Q

Which S3 storage class is best for low cost storage (e.g., for archiving and backup)?

A

S3 Glacier Storage.

111
Q

What is the fastest S3 storage class for archiving?

A

S3 Glacier Instant Retrieval.

112
Q

What is the flexible S3 storage class for archiving?

A

S3 Glacier Flexible Retrieval (which includes expedited, standard and bulk tiers).

113
Q

What is the cheapest S3 storage class for archiving?

A

S3 Glacier Deep Archive

114
Q

Which S3 storage tool can you use to move between storage classes automatically?

A

S3 Intelligent Tiering

115
Q

What are the three S3 Encryption options?

A

No encryption, server-side encryption (the file is encrypted after it is received) and client-side encryption (the user encrypts objects before uploading them).

116
Q

What is the AWS Snow Family used for?

A

The AWS Snow Family are portable devices to collect and process data at the edge and to migrate data in and out of AWS.

117
Q

When should you make use of a snowball device for uploading data to AWS?

A

When it would take you more than a week to upload your data to the cloud directly.

118
Q

How much data can be stored on a snowball edge?

A

80TB

119
Q

How much data can be stored on a snowcone?

A

8TB

120
Q

How can you use your Amazon Snowcone to send data to AWS over the internet?

A

Connect it to the web and use AWS DataSync to send your data

121
Q

How much data can be stored on a snowmobile?

A

It has up to 100PB useable

122
Q

What do you install to your on prem servers to allow them to transfer data to your Snowball device?

A

Snowball client

123
Q

What service can you use to manage your snow family devices?

A

AWS OpsHub

124
Q

Which AWS service can you use to bridge between on-prem and cloud data?

A

AWS Storage Gateway

125
Q

What does RDS stand for?

A

Relational Database Service

126
Q

What is RDS used for?

A

Relational Database Service is a managed DB service for using SQL.

127
Q

What is the name of the relational database service which was built by AWS to be optimised for the cloud?

A

Amazon Aurora

128
Q

Which RDS DB replication pattern is used to create readable copies of your database?

A

Read replicas. With this pattern you create up to 5 read replicas of your DB. Writes are still done to the main DB.

129
Q

Which RDS DB replication pattern is used to create a failover copy of your DB?

A

Multi AZ. Reads and writes still go to the main DB; the DB copy is only used if there is a disaster which takes out the main DB.

130
Q

Which RDS DB replication pattern is used to create readable copies of your database between regions?

A

Multi Region. Similar to ‘read replicas’ pattern. Reads are done to the DB replica in your region, but writes are done to the main DB. There is a replication cost for copying the DB between regions.

131
Q

What is ElastiCache used for?

A

A managed DB for caching. This helps take the load off the DB for read intensive workloads.

132
Q

What is AWS’s NoSQL DB service?

A

DynamoDB

133
Q

What is DynamoDB Accelerator?

A

A fully managed in-memory cache for DynamoDB

134
Q

How can you make a DynamoDB table accessible with low latency across multiple regions?

A

You can set up global tables. This allows you to have two way DB replication: both reads and writes happen to the DB copy in your region. This is then replicated everywhere. This is active-active replication.

135
Q

Which AWS database specialises in analytics?

A

Redshift

136
Q

How is AWS’s analytics DB different to its other DBs?

A

With Redshift, data is loaded every hour, not continuously. It is high performance, and has an SQL interface for it to be queried.

137
Q

What does Amazon EMR stand for?

A

Elastic Map Reduce.

138
Q

What is Amazon EMR used for?

A

It is used to analyse and process big data. It’s good for data processing, machine learning &c.

139
Q

Which AWS service is used to perform analytics against S3 objects?

A

Amazon Athena

140
Q

Which AWS service is used to create interactive dashboards?

A

Amazon QuickSight

141
Q

What is AWS’s equivalent of MongoDB?

A

DocumentDB (this is very similar to DynamoDB, but it isn’t Serverless; it is compatible with MongoDB)

142
Q

What is AWS’s graph database?

A

Amazon Neptune. A social network is a good use case for a graph database.

143
Q

What does Amazon QLDB stand for?

A

Amazon Quantum Ledger Database. A ledger is a book for recording financial transactions. It’s immutable, and used to review the history of all the changes made to your application data over time.

144
Q

What is the difference between Amazon QLDB and Amazon Managed Blockchain?

A

With Amazon QLDB there’s no decentralisation, in accordance with financial regulation rules

145
Q

What is AWS’s blockchain service called?

A

Amazon Managed Blockchain. It is used to join public blockchain networks or to create your own scalable private network.

146
Q

What is AWS Glue used for?

A

Glue is used to prepare and transform data for analytics. You can prep data for, for example, Redshift.

147
Q

What does DMS stand for?

A

Database Migration Service. This allows you to migrate from one DB type to another.

148
Q

What does ECS stand for?

A

Elastic Container Service.

149
Q

What is ECS used for?

A

Elastic Container Service is used to launch Docker containers on AWS. You must provision and maintain the infrastructure for them.

150
Q

What is Fargate used for?

A

Fargate is a managed service for launching Docker containers. It is similar to ECS but it’s Serverless and you don’t need to provision instances yourself.

151
Q

What does ECR stand for?

A

Elastic Container Registry.

152
Q

What is ECR used for?

A

Elastic Container Registry is a private Docker registry where you can store your Docker images.

153
Q

How is Lambda pricing done?

A

Pay per request and compute time.

154
Q

What is API Gateway used for?

A

API Gateway is used for building Serverless APIs. It provides the client with the REST API gateway used to connect to the API. It is used to create, publish, maintain, monitor and secure APIs.

155
Q

What is AWS Batch used for?

A

AWS Batch is used to do computing batch jobs. A batch job is a job with a start and end. Batch jobs are defined as Docker images and run on ECS. Pretty much anything that can be run on ECS can be run on Batch.

156
Q

What is Amazon Lightsail used for?

A

Amazon Lightsail is very useful for people with little AWS experience. It’s a simpler alternative to using many individual services and can be used to launch a simple web app. It has limited AWS integration.

157
Q

What is CloudFormation used for?

A

CloudFormation is used to instantiate multiple services at once (e.g., a security group, 2 EC2 instances etc). It’s done with infrastructure as code. It also makes it easy to replicate an architecture.

158
Q

What CloudFormation tool can you use to visualise your resources and relations?

A

CloudFormation Stack Designer

159
Q

What does CDK stand for?

A

Cloud Development Kit

160
Q

What is CDK used for?

A

Cloud Development Kit allows you to define your cloud infrastructure using a familiar coding language (e.g., Python rather than YAML). This is then compiled into a CloudFormation template. This makes it possible to deploy infrastructure and app runtime code together

161
Q

What is Elastic Beanstalk used for?

A

Elastic Beanstalk is a service for deploying and scaling web applications and services. Upload your code and Elastic Beanstalk automatically handles the deployment—from capacity provisioning, load balancing, and auto scaling to application health monitoring.

162
Q

How is Elastic Beanstalk pricing done?

A

Elastic Beanstalk is free but you pay for the underlying instance.

163
Q

What is CodeDeploy used for?

A

CodeDeploy automates software deployments. It works with EC2 and on-prem servers. Servers and instances have to be provisioned ahead of time with the CodeDeploy agent.

164
Q

What is AWS’s version of GitHub?

A

CodeCommit.

165
Q

What does AWS CodeBuild do?

A

CodeBuild allows you to build your code in the cloud. It compiles source code, runs tests, and produces packages that are ready to be deployed (by CodeDeploy, for example). It can retrieve code from CodeCommit.

166
Q

What does AWS CodePipeline do?

A

CodePipeline allows you to orchestrate the steps to have code pushed to prod. It is the basis for CI/CD.

167
Q

What does AWS CodeArtifact do?

A

CodeArtifact is a secure artefact (dependency) management tool for software development. It works with common dependency tools such as nvm, npm, Gradle etc.

168
Q

What does AWS CodeStar do?

A

CodeStar is a unified UI to easily manage software development activities in one place. It gives you a nice dashboard and handles all the other code services for you.

169
Q

What does AWS Cloud9 do?

A

Cloud9 is a cloud IDE. It allows for pair programming.

170
Q

What does AWS SSM stand for?

A

AWS Systems Manager.

171
Q

What does AWS SSM do?

A

AWS Systems Manager helps you manage EC2 and on-prem systems at scale. It gives you operation insights about the state of the infrastructure.

172
Q

What does AWS SSM Session Manager do?

A

AWS SSM Session Manager allows you to start a secure shell on your EC2 and on-prem servers. It’s another way to access these servers or instances securely.

173
Q

What does AWS OpsWorks do?

A

Non-AWS tools Chef and Puppet help you to perform server config automatically. In response, AWS OpsWorks was made to allow you to use Chef and Puppet in the cloud. It’s an alternative to AWS SSM, which you would only use if you were already using Chef and Puppet.

174
Q

What is a global application?

A

An app that is deployed in multiple regions

175
Q

What is an edge location?

A

Edge locations are data centres designed to deliver services with the lowest latency possible. They’re located in central locations (e.g. within cities), and you cannot actually deploy to them. They’re generally used for caching, and connecting more quickly to the AWS global network.

176
Q

What is a point of presence?

A

An edge location

177
Q

What is a DNS?

A

Domain Name System

178
Q

What does Route 53 do?

A

Route 53 is AWS’s managed DNS (Domain Name System) service.

179
Q

What does AWS’s simple routing policy do?

A

The simple routing policy has no health checks. The domain name is passed to Route 53 and an IP is returned.

180
Q

What does AWS’s weighted routing policy do?

A

With a weighted routing policy we assign ‘weights’ to our EC2 instances and Route 53 assigns a corresponding level of traffic to each one as a form of load balancing. With this policy we get health checks.

181
Q

What does AWS’s latency routing policy do?

A

With a latency routing policy we get routing based on which server is going to give us the lowest latency. With this policy we get health checks.

182
Q

What does AWS’s failover routing policy do?

A

With a failover routing policy we have a primary EC2 instance and a failover one. If the primary fails a health check, we are routed to the second.

183
Q

What does CDN stand for?

A

Content Delivery Network. Cloudfront is an example of a Content Delivery Network.

184
Q

What does Cloudfront do?

A

Cloudfront is a Content Delivery Network. Cloudfront improves read performance by caching content at edge locations. Because Cloudfront provides excellent read performance, it is particularly good for static content that must be available everywhere.

185
Q

How can Cloudfront be set up to handle DDoS attacks?

A

Cloudfront can also be integrated with Shield and AWS WAF (Web Application Firewall) to protect against DDoS attacks. Using Shield, attack traffic can be geographically isolated and absorbed using the capacity in edge locations close to the source. With WAF you can define custom security rules (also called web ACLs) that contain a set of conditions, rules, and actions to block attacking traffic.

186
Q

What is the best use case for S3 Cross Region Replication?

A

With S3 Cross Region Replication, each region must be set up individually. In comparison with Cloudfront, S3 Cross Region Replication doesn’t use caching or the Global Edge Network. It’s best for dynamic content that needs to be available at low latency in a few regions.

187
Q

What is S3 Transfer Acceleration?

A

S3 Transfer Acceleration is used to transfer files to an AWS edge location which will forward the data to an S3 bucket in the target region making use of an optimised network path. This increases transfer speeds.

188
Q

What does AWS Global Accelerator do?

A

AWS Global Accelerator allows you to leverage the AWS internal network to send data through edge locations and optimise the route to your application. Global Accelerator provides two global static public IPs that act as a fixed entry point to your application endpoints. There’s no caching.

189
Q

What are AWS Outposts?

A

AWS Outposts are on-premises server racks which AWS will set up and manage for you within your other on-prem infrastructure. They will come with AWS Services preloaded.

190
Q

What does AWS Wavelength do?

A

AWS Wavelength embeds AWS compute and storage services within 5G networks, providing mobile edge computing infrastructure for developing, deploying, and scaling ultra-low-latency applications.

191
Q

What are AWS Local Zones?

A

AWS Local Zones allows you to add extra AZs to your region in order to improve your geographic proximity to your users.

192
Q

What does it mean to have an ‘active-passive’ regional architecture?

A

With an active-passive architecture, users in one region can read and write locally (the active region) and users in another region can only read locally (the passive region). The users in the passive region therefore have a higher write latency.

193
Q

What is the difference between ‘synchronous app communication’ and ‘asynchronous/event-based app communication’?

A

Apps which communicate synchronously talk directly to one another. Apps which communicate asynchronously communicate via a queue of events. Synchronous applications can experience problems if there are sudden spikes in traffic. In an async setup, the two applications are decoupled.

194
Q

What does Amazon SQS stand for?

A

Simple queue service.

195
Q

What does Amazon SQS do?

A

Simple queue service is a serverless service designed to decouple applications. A producer application sends data into the Simple queue service. This data can be read by one or multiple consumer applications, which pull messages from the queue. Once our consumers are done processing the message they will delete the message from the queue. Consumer applications can share work.

196
Q

What is Amazon Kinesis used for?

A

Amazon Kinesis allows you to collect, process, and analyze real-time streaming data. It is useful for big data streaming.

197
Q

What does Amazon SNS stand for?

A

Amazon Simple Notification Service

198
Q

What is Amazon SNS used for?

A

Amazon Simple Notification Service makes it possible to get an application to send a message to many receivers without writing multiple direct integrations. Your producer application communicates with an SNS topic. The consumer applications can then subscribe to your topic to receive all the published messages.

199
Q

What is Amazon MQ used for?

A

Amazon Simple Notification Service and Simple Queue Service are ‘cloud native’ services. If you are running on-prem you may not want to reengineer your app to use them- instead, you can use Amazon MQ. Amazon MQ is a managed message broker service for RabbitMQ and ActiveMQ. It doesn’t scale as well as SNS and SQS, and should only be used if you don’t want to reengineer something preexisting.

200
Q

What does CloudWatch metrics do?

A

CloudWatch metrics provides metrics for every AWS service. You can use it to create a CloudWatch metrics dashboard. You are also able to create custom metrics.

201
Q

What do CloudWatch alarms do?

A

CloudWatch alarms are used to trigger notifications for any metrics. You can choose a period in which to evaluate an alarm. Alarm states are OK, INSUFFICIENT_DATA, and ALARM.

202
Q

What does CloudWatch logs do?

A

CloudWatch Logs enables you to centralize the logs from all of your systems, applications, and AWS services that you use. You can choose log retention and monitor logs in real time.

203
Q

What does Amazon Eventbridge do?

A

With Eventbridge you can react to events in AWS. These include cron jobs and reacting to events on the different AWS event buses. You can, for example, trigger a lambda to run every hour.

204
Q

What type of events end up on AWS’s Default Event Bus?

A

Events which have happened within AWS Services

205
Q

What type of events end up on AWS’s Partner Event Bus?

A

Events which have happened within AWS partner services (like zendesk or datadog)

206
Q

What type of events end up on AWS’s Custom Event Bus?

A

Events which have happened within your custom AWS integrations

207
Q

What does CloudTrail do?

A

Cloudtrail is a service which provides governance, compliance and audit for your AWS account. It is enabled by default, and contains a history of all events/API calls made by your account. This includes activity in the console and your services. You can put these logs in Cloudwatch logs or S3.

208
Q

What does AWS X-Ray do?

A

X-Ray provides visual analysis of your application. Debugging is very difficult with a distributed system- X-Ray shows you visually where in the app things are going wrong. This allows us to troubleshoot bottlenecks, pinpoint service issues and to work out if we are meeting Service Level Agreements. We can also identify users who are impacted.

209
Q

What does AWS CodeGuru do?

A

CodeGuru is an ML-powered service that does automated code reviews and gives performance recommendations.

210
Q

What does AWS CodeGuru Reviewer do?

A

AWS CodeGuru Reviewer analyses your code when you commit it to find issues.

211
Q

What does AWS CodeGuru Profiler do?

A

AWS CodeGuru Profiler gives recommendations about app performance during runtime. It also gives recommendations pre-prod. It supports Java and Python. It can help decrease compute costs, identify objects using up memory and do anomaly detection.

212
Q

What does AWS Service Health Dashboard do?

A

Service Health Dashboard shows you information about the health of all AWS regions and services. You can subscribe to an RSS feed of the information and see historical data. This is not personalised information- it is a general resource.

213
Q

What does AWS Personal Health Dashboard do?

A

Personal Health Dashboard is like Service Health Dashboard except it provides alerts and guidance when AWS is experiencing events which impact you. It also helps you plan for future scheduled activities that might be disruptive.

214
Q

What does VPC stand for?

A

Virtual Private Cloud

215
Q

What is an Amazon VPC?

A

A Virtual Private Cloud is a private network for you to deploy resources in. It’s linked to a specific region.

216
Q

What is a subnet?

A

A subnet is a range of IP addresses in your Virtual Private Cloud. A subnet must reside in a single Availability Zone. After you add subnets, you can deploy AWS resources in your Virtual Private Cloud.

217
Q

What is the difference between a public subnet and a private subnet?

A

Public subnets are accessible from the internet and private ones are not. Services are more secure in private subnets.

218
Q

What do we use VPC route tables for?

A

We use VPC route tables to define which subnets are public and which are private.

219
Q

What do VPC Internet gateways do?

A

VPC Internet Gateways allow our VPC to connect to the internet. There will be a route between our public subnets and our Internet Gateway.

220
Q

What do VPC NAT Gateways and NAT Instances do?

A

NAT Gateways are managed by AWS and NAT Instances are managed by you. They allow instances in private subnets to access the web while remaining private. The NAT Gateway/Instance will be in the public subnet.

221
Q

What does a Network ACL do?

A

A network ACL is a firewall which controls traffic to and from a VPC subnet. The NACL has ALLOW and DENY rules which are attached at the subnet level.

222
Q

What are VPC Flow Logs?

A

VPC Flow Logs are a log of all IP traffic going through your interfaces. These logs help you to troubleshoot connectivity issues and can be exported to S3/Cloudwatch.

223
Q

What is VPC Peering?

A

VPC Peering allows you to connect 2 VPCs privately using AWS’s network. This makes them behave as if they were the same VPC network. For this to work, the VPCs must not have overlapping IP ranges.

224
Q

What does VPC Endpoint do?

A

VPC endpoint enables creation of a private connection between VPC and supported AWS services without requiring an internet gateway, a NAT device or a public network. This gives better security and lower latency.

225
Q

What does VPC Endpoint Gateway do?

A

Gateway endpoints provide reliable connectivity to Amazon S3 and DynamoDB without requiring an internet gateway or a NAT device for your VPC.

226
Q

What does AWS PrivateLink do?

A

AWS PrivateLink is a secure way to expose a VPC to 1000s of other VPCs. Peering is another way to connect VPCs but it doesn’t scale and isn’t very secure.

227
Q

How do you set up AWS PrivateLink?

A

To connect two VPCs with PrivateLink, you need to set up a Network Load Balancer on the producer VPC and an Elastic Network Interface on the consumer VPC. For every new consumer you need a new PrivateLink.

228
Q

What are the two options you have to connect an on-prem data centre VPN (virtual private network) to an AWS Cloud VPC?

A

Option one is a site-to-site VPN- the connection is auto encrypted but it goes over the public internet. Option two is a Direct Contact (DX)- you can use a Direct Contact to establish a physical connection between your on-prem server and AWS. This is more expensive and takes time to set up but is private.

229
Q

What does AWS Client VPN do?

A

AWS Client VPN is a managed VPN service that allows you to securely access your AWS resources and resources in your on-premises network (e.g. on your computer). With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client. This will allow you to connect to your EC2 instance over a private IP, just as if you were in the private VPC network- this goes over the public web.

230
Q

What does AWS Transit Gateway do?

A

Managing many VPC connections can be difficult. Transit Gateway exists to solve this- all connections go through transit gateway, making it possible to connect hundreds of VPCs.

231
Q

What does Amazon Rekognition do?

A

Amazon Rekognition is used to recognise objects, people and text in images and videos using ML. It can do facial analysis and facial search to do user verification and people counting.

232
Q

What does Amazon Transcribe do?

A

Amazon Transcribe converts speech to text. You can automatically remove personally identifiable information (PII) using redaction. It also supports automatic language identification for multi language audio.

233
Q

What does Amazon Polly do?

A

Amazon Polly turns text to speech using deep learning.

234
Q

What does Amazon Translate do?

A

Amazon Translate is a language translation tool.

235
Q

What does Amazon Lex do?

A

Amazon Lex allows you to convert speech to text. It also uses Natural Language Understanding to recognise the intent of text and callers. It can help to build chat bots and call centre bots.

236
Q

What does Amazon Connect do?

A

Amazon Connect receives calls- it is a cloud based virtual contact centre. It can integrate with other customer relationship systems.

237
Q

What does Amazon Comprehend do?

A

Amazon Comprehend is used for Natural Language Processing (NLP). It uses ML to find insights and relationships in text. It can understand the content and tone of text, and can organise text files by content.

238
Q

What does Amazon Sagemaker do?

A

Amazon Sagemaker allows dev to build ML models. To do this you need to build ML models, train and tune them, and apply them.

239
Q

What does Amazon Forecast do?

A

Amazon Forecast uses ML to do accurate forecasts. It takes in data in an Amazon S3 bucket and forecasts from it.

240
Q

What does Amazon Kendra do?

A

Amazon Kendra is a document search service powered by ML. Kendra creates a knowledge index, allowing you to query the document using natural language. You can also fine tune your search with filters.

241
Q

What does Amazon Personalize do?

A

Amazon Personalize is an ML service to build apps with real-time personalised recommendations. With S3 and Personalize you can create a personalised API for your applications.

242
Q

What does Amazon Textract do?

A

Amazon Textract extracts text, handwriting and data from any scanned document using AI and ML. It can read and process any kind of document.

243
Q

How do Cloudfront and Route 53 provide DDoS protection?

A

If you are ready to scale, that will provide you with DDoS protection. They can also be integrated with WAF and Shield.

244
Q

Are you allowed to test your Amazon infrastructure by launching a DDoS attack against it? (True/false)

A

False

245
Q

What are the two points at which data encryption happens?

A

Encryption happens at rest (i.e. in storage &c), and in transit (i.e., while being transferred).

246
Q

What does Amazon KMS stand for?

A

Key Management Service

247
Q

What does Amazon KMS do?

A

The Key Management Service manages encryption keys for us. Some encryption is opt-in and some is automatic.

248
Q

What does CloudHSM do?

A

CloudHSM provisions encryption hardware for us and you manage your encryption keys yourself. It is called CloudHSM after the hardware we’re using, which is called an HSM (Hardware Security Module).

249
Q

What are the four types of KMS keys?

A

Customer Managed keys (created, managed and used by the customer), AWS Managed keys (managed on the customer’s behalf by AWS- used by AWS Services), AWS Owned keys (you can’t view these keys- they are keys that protect resources in your account) and Cloud HSM keys (keys generated from your CloudHSM hardware)

250
Q

What does ACM stand for?

A

AWS Certificate manager

251
Q

What is ACM used for?

A

AWS Certificate manager lets you easily provision and deploy SSL/TLS Certificates. It is used to provide in flight encryption for HTTPS sites.

252
Q

What is AWS Secrets Manager used for?

A

AWS Secrets Manager is used for storing secrets. It has the capacity to force the rotation of certificates every x days. It is primarily meant for RDS (Relational Database Service) integration.

253
Q

What does AWS Artefact do?

A

AWS Artefact is a portal which gives you access to AWS compliance docs and AWS agreements. These can be used for internal audit and compliance.

254
Q

What does AWS GuardDuty do?

A

AWS GuardDuty allows you to do intelligent threat discovery to protect your AWS account. It uses ML and anomaly detection, and looks at your AWS logs. Eventbridge rules can be set up so that you are notified of findings.

255
Q

What does AWS Inspector do?

A

Amazon Inspector automatically discovers workloads, such as Amazon EC2 instances, containers, and Lambda functions, and scans them for software vulnerabilities and unintended network exposure. It reports findings to AWS Security hub and provides a vulnerability risk score.

256
Q

What does AWS Config do?

A

AWS Config helps with auditing and recording compliance on your AWS resources. It helps record configurations and changes over time.

257
Q

What does AWS Macie do?

A

Amazon Macie is a data security and data privacy service which uses ML and pattern matching to discover and protect sensitive data in AWS. It helps alert you to personally identifiable information (PII).

258
Q

What does AWS Security Hub do?

A

AWS Security Hub is the centralised security tool for AWS accounts to manage security and automate security checks. It aggregates alerts and summarises findings.

259
Q

What does Amazon Detective do?

A

Amazon Detective analyses security issues and suspicious activities and attempts to discover the root cause. It makes use of ML and graphs.

260
Q

What are some examples of abusive or prohibited behaviour which should be reported to AWS?

A

Spam, port scanning, DDoS, hosting questionable or copyrighted content. This is for anything with an AWS-owned IP.

261
Q

What does Amazon Organisations do?

A

Amazon Organisations allows you to centrally manage multiple AWS accounts. The main account is the master account. This service allows consolidated billing, meaning you can make savings. You can also automate AWS account creation. You should enable CloudTrail on all accounts and send logs to a central S3 account.

262
Q

What does SCP stand for?

A

Service Control Policies.

263
Q

What does SCP do?

A

Service Control Policies allow you to white or blacklist IAM actions. This is applied at the OU (Organisational Unit) or account level.

264
Q

What does AWS Control Tower do?

A

AWS Control Tower is an easy way to set up and govern a secure compliant multi-account AWS environment based on best practices. It runs on top of AWS Organisations.

265
Q

What is the cheapest way for EC2s in the same region but not the same AZ to communicate?

A

Using a Private IP. Public and Elastic IPs are more expensive and slower. Communicating between EC2 instances in the same AZ is free.

266
Q

What is AWS Compute Optimiser used for?

A

AWS Compute Optimiser allows you to reduce costs and improve performance by recommending optimal AWS resources for your workloads. It uses ML. Recommendations can be exported to S3.

267
Q

What is AWS Billing Dashboard used for?

A

AWS Billing Dashboard gives you a high level understanding of your bills.

268
Q

What are cost allocation tags used for?

A

Cost allocation tags allow us to explore costs on a deeper level, and to group costs. Tags are also used for organising resources and to create resource groups.

269
Q

What is the Cost and Usage Report used for?

A

The AWS Cost and Usage report contains the most comprehensive set of AWS cost and usage data available. It can be broken into hourly and daily line items and can be integrated with Athena.

270
Q

What is Cost Explorer used for?

A

The cost explorer allows you to visualise and manage AWS costs and usage time. You can create custom reports and choose an optimal savings plan. You can also forecast costs 12 months ahead.

271
Q

What is Billing Metric data used for and what service is it associated with?

A

When you enable the monitoring of estimated charges for your AWS account, the estimated charges are calculated and sent several times daily to CloudWatch as metric data. Billing metric data is stored in the US East (N. Virginia) Region and represents worldwide charges. An alarm triggers when your account billing exceeds the threshold you specify.

272
Q

What is AWS Budgets used for?

A

With AWS Budgets you can create a budget and send an alert when your cost (actual or projected) exceeds the budget. You can also set budgets for other metrics like usage.

273
Q

What does AWS Trusted Advisor do?

A

AWS Trusted Advisor provides recommendations that help you follow AWS best practices by evaluating your account. It runs checks and tells you if you are passing the checks or not.

274
Q

What are the 5 categories which Trusted Advisor provides recommendations on?

A

Cost optimization, Performance, Security, Fault tolerance and Service quotas

275
Q

What do you get with the AWS Basic Support plan?

A

24x7 access to customer service, forums etc; 7 core Trusted Advisor checks; AWS Personal Health Dashboard.

276
Q

What do you get with the AWS Developer Support plan?

A

On top of basic support you get business hours emails to Cloud Support Associates, Unlimited technical support cases with 1 primary contact and response times that depend on the problem’s severity.

277
Q

What do you get with the AWS Business Support plan?

A

The Business support plan is intended for Production workloads. On top of developer support you get 24x7 access to cloud engineers, full Trusted Advisor checks, unlimited technical support cases with unlimited contacts and response times that take into account prod problems.

278
Q

What do you get with the AWS Enterprise On-Ramp Support plan?

A

The Enterprise On-Ramp support plan is intended for Production or Business Critical workloads. On top of business support you get Infrastructure Event Management, Technical Account Managers, Concierge Support Team and response times that take into account business critical problems.

279
Q

What do you get with the AWS Enterprise Support plan?

A

The Enterprise support plan is intended for Business Critical workloads. On top of enterprise on-ramp support you get access to pro-active reviews, workshops, deep dives and a designated Technical Account Manager.

280
Q

What does AWS STS stand for?

A

AWS Security Token Service.

281
Q

What does AWS STS do?

A

AWS Security Token Service is a behind the scenes service. It enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users you authenticate. You configure the expiration period.

282
Q

What does Amazon Cognito do?

A

Amazon Cognito provides identity for potentially millions of web and mobile app users. Individuals using your product should not be IAM users. Cognito integrates with Facebook and Google to provide auth.

283
Q

What does AWS Directory Service do?

A

AWS Directory Service extends Microsoft’s Active Directory, allowing you to establish trust with your on-prem active directory. Microsoft Active Directory is found on any Windows server with Active Directory Domain Services, and it stores information about objects on the network.

284
Q

What does AWS IAM Identity Centre do?

A

IAM Identity Centre provides one login for all your AWS Accounts in AWS Organisations.

285
Q

What does Amazon Workspaces do?

A

Amazon Workspaces is a DaaS (Desktop as a Service) solution to easily provision windows or linux desktops. It is a virtual desktop.

286
Q

What does Amazon AppStream 2.0 do?

A

Amazon Appstream 2.0 is similar to Amazon Workspaces except it just gives you a single application rather than a full desktop. It allows you to stream an application to any computer via the browser without provisioning infrastructure

287
Q

What is the name of Amazon’s service for creating and running VR and 3D applications?

A

Amazon Sumerian

288
Q

What does AWS IoT core do?

A

AWS IoT (internet of things) core allows you to create a network of internet-connected devices that are able to collect and transfer data. It also makes it easy to connect IoT devices to the cloud.

289
Q

What does Amazon Elastic Transcoder do?

A

Amazon Elastic Transcoder is used to convert files stored in S3 into media files which are in the format required by consumer playback devices (e.g. the format required by a phone).

290
Q

What does AWS AppSync do?

A

AWS AppSync allows you to store and sync data across mobile and web apps in real time. It creates serverless GraphQL and Pub/Sub APIs that simplify application development through a single endpoint to securely query, update, or publish data.

291
Q

What does AWS Amplify do?

A

AWS Amplify provides a set of tools and services which help you to develop and deploy web and mobile apps. You can manage auth, storage and APIs from one place making use of existing AWS Services, making it similar to Elastic Beanstalk, but for web and mobile applications. Set up in Amplify Studio.

292
Q

What does AWS Device Farm do?

A

AWS Device Farm is a service that tests your web and mobile apps against browsers, mobile devices and tablets to fix issues. It runs these tests concurrently.

293
Q

What does AWS Backup do?

A

AWS Backup is a service to manage and automate backups across AWS Services. It supports on-demand and scheduled backups, and point-in-time recovery.

294
Q

What is a ‘backup and restore’ recovery strategy?

A

The ‘backup and restore’ disaster recovery strategy is the cheapest one. Your ‘backup and restore’ backups do not run- you store your application’s data, and the application will not be back up and running until you restore your data to the right location.

295
Q

What is a ‘pilot light’ recovery strategy?

A

The ‘pilot light’ disaster recovery strategy involves running the core/critical functions of your application in your backup with minimal setup. To recover your application you need to upgrade your database type and start your application servers- however core functionality is always ready to go.

296
Q

What is a ‘warm standby’ recovery strategy?

A

The ‘warm standby’ disaster recovery strategy involves having a full version of the application ready to go, but at minimum size. You can increase the size to recover your application.

297
Q

What is a ‘multi site’ or ‘hot site’ recovery strategy?

A

Having a ‘hot site’ disaster recovery strategy means having a full version of the site at full size ready to go. This is the most expensive choice.

298
Q

What is AWS Elastic Disaster Recovery used for?

A

AWS Elastic Disaster Recovery (DRS) is a service which allows you to quickly recover your on prem and cloud based servers into AWS. It facilitates continuous block-level replication of your servers to allow better recovery.

299
Q

What does AWS DataSync do?

A

AWS DataSync allows you to move large amounts of data from on-prem to AWS. After the first full load, replication tasks are incremental and can be scheduled hourly, daily or weekly.

300
Q

What does the AWS Application Discovery Service do?

A

If you are moving from on-prem to the cloud you need a migration plan. For this you need to understand your on-prem data centre. The AWS Application Discovery Service helps with that. With it you can do ‘agentless discovery’, which is for config and performance history, and ‘agent-based discovery’, which is for system config and system performance.

301
Q

What does AWS Application Migration Service do?

A

AWS Application Migration Service makes it easier to move from on-prem servers to AWS. With this you can do a ‘lift and shift’ rehosting solution, simplifying the process of migrating.

302
Q

What does AWS Fault Injection Simulator do?

A

AWS Fault Injection Simulator is a service for running fault injection experiments on AWS workloads. We stress the app by creating disruptive events (e.g. a sudden increase in CPU or memory), and observing how the system responds so we can make improvements.

303
Q

What do AWS Step functions do?

A

AWS Step Functions allow you to build a Serverless visual workflow. You can create workflows with parallelisation, sequences, conditions, time outs and error handling. You can also implement a human approval feature for your workflows.

304
Q

What is AWS Ground Station used for?

A

AWS Ground Station allows you to control satellite communications, and process and scale satellite operations.

305
Q

What is AWS Pinpoint used for?

A

AWS Pinpoint is a two way marketing communications service. Amazon SNS (Amazon Simple Notification Service) and SES (Simple Email Service) require you to manage each message’s audience, content and delivery schedule. Much more of Pinpoint is automated and it makes use of templates. Pinpoint supports email, SMS, voice &c and communications can be personalised.

306
Q

What are the 6 pillars of the AWS Well Architected Framework?

A

Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization and Sustainability.

307
Q

What are the core concepts of Operational Excellence in AWS?

A

The operational excellence pillar focuses on running and monitoring systems, and continually improving processes and procedures. Key topics include automating changes, responding to events, and defining standards to manage daily operations. Use CloudFormation to perform operations as code. Anticipate failures.

308
Q

What are the core concepts of Security in AWS?

A

The security pillar focuses on protecting information and systems. Key topics include confidentiality and integrity of data, managing user permissions, and establishing controls to detect security events. Enable traceability. Automate best security practices. Run simulations. Reduce or eliminate the need for direct access to data.

309
Q

What are the core concepts of Reliability in AWS?

A

The reliability pillar focuses on workloads performing their intended functions and how to recover quickly from failure to meet demands. Key topics include distributed system design, recovery planning, and adapting to changing requirements. Automatically recover from failures. Scale horizontally. Stop guessing capacity and use autoscaling.

310
Q

What are the core concepts of Performance Efficiency in AWS?

A

The performance efficiency pillar focuses on structured and streamlined allocation of IT and computing resources. Key topics include selecting resource types and sizes optimized for workload requirements, monitoring performance, and maintaining efficiency as business needs evolve. Experiment more often and be aware of all AWS Services.

311
Q

What are the core concepts of Cost Optimisation in AWS?

A

The cost optimization pillar focuses on avoiding unnecessary costs. Key topics include understanding spending over time and controlling fund allocation, selecting resources of the right type and quantity, and scaling to meet business needs without overspending. Use CloudWatch to measure overall efficiency.

312
Q

What are the core concepts of Sustainability in AWS?

A

The sustainability pillar focuses on minimizing the environmental impacts of running cloud workloads. Key topics include a shared responsibility model for sustainability, understanding impact, and maximizing utilization to minimize required resources and reduce downstream impacts. Establish goals. Maximise utilisation. Use managed services as they automate best practices.

313
Q

What does the AWS Well-Architected Tool do?

A

The AWS Well-Architected Tool allows you to look up questions about Well-Architected practices based on your workload.

314
Q

What is ‘right sizing’?

A

Right sizing means choosing the best instance type for your needs. Choose something smaller and scale upwards rather than choosing something large by default.

315
Q

What are AWS Partner Solutions?

A

AWS Partner Solutions are automated, vetted deployments which help you deploy popular technologies to AWS according to AWS best practices.

316
Q

What is AWS Knowledge Centre?

A

AWS Knowledge Centre is an AWS web portal of questions and answers covering common questions.

317
Q

What is AWS IQ?

A

AWS IQ helps you quickly find a professional to help with your AWS project. The tool includes video conferencing, contract management and billing.

318
Q

What is AWS re:Post?

A

AWS re:Post is AWS’s own AWS-specialist equivalent of Stack Overflow.