AWS Cloud Practitioner Flashcards

Question

How do you generate AWS Access Keys?

Answer 1

Use the AWS Console.

Answer 2

The CLI allows you do work with AWS over the command line, SDK allows you to access AWS programmatically.

Answer 3

AWS Software Developer Kit

Answer 4

A terminal in the AWS management console in which you are automatically logged in as your user in your current region.

Answer 5

IAM Credentials Report

Answer 6

IAM Access Advisor

Answer 7

One AWS user = one physical user.

Answer 8

Assign users to groups and permissions to groups.

Answer 9

AWS Billing Dashboard

Answer 10

Elastic Compute Cloud

Answer 11

Bootstrapping means running commands when a machine starts. This script is only run once, and it is used to automate boot tasks.

Answer 12

The EC2 User Data Script

Answer 13

AWS Linux and Ubuntu

Answer 14

EC2 Instance types represent different amounts of memory, different CPUs &c.

Answer 15

‘m’ is the name of its instance class (‘general purpose’), ‘5’ is its instance generation, ‘2xLarge’ is its size within the instance class.

Answer 16

A compute optimised EC2 instance.

Answer 17

A memory optimised EC2 instance.

Answer 18

A storage optimised EC2 instance.

Answer 19

Security groups.

Answer 20

Security groups can be attached to multiple instances but they are locked to a region. If you want to go into another region you have to create a new security group.

Answer 21

All inbound traffic is blocked, all outbound traffic is allowed.

Answer 22

EC2 security groups only support allow rules.

Answer 23

Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH)

Answer 24

EC2 Instances that you pay for with no long-term commitments. They are good for short workloads. You pay by the second.

Answer 25

You can purchase a Reserved Instance for a one-year or three-year commitment. They are good for long term workloads (like databases) and are cheaper than On-Demand Instances.

Answer 26

Convertible Reserved Instances are a type of Reserved Instance that can be exchanged for new instance types, new tenancies, and new operating systems as circumstances change. They are good for long workloads with flexible instances.

Answer 27

A Spot Instance is an instance that uses spare EC2 capacity that is available for less than the On-Demand price. These are good for short workloads and are cheap, but you may lose your instances.

Answer 28

An Amazon EC2 Dedicated Host is a physical server with EC2 instance capacity fully dedicated to your use. This is good if you have compliance requirements.

Answer 29

Dedicated Instances are Amazon EC2 instances that run in a virtual private cloud (VPC) on hardware that's dedicated to a single customer.

Answer 30

On-Demand Capacity Reservations enable you to reserve compute capacity for your Amazon EC2 instances in a specific Availability Zone for any duration. Capacity Reservations mitigate against the risk of being unable to get On-Demand capacity in case there are capacity constraints.

Answer 31

Elastic Block Store. Elastic Block Store is an high-performance block-storage service designed for EC2.

Answer 32

An Amazon EBS volume is a block-level storage device that you can attach to your instances. After you attach a volume to an instance, you can use it as you would use a physical hard drive.

Answer 33

A volume can only be mounted to one instance at a time (unless you are willing to do some complicated things). They can be moved between EC2 Instances easily, provided those instances are within the same AZ. To move volumes between AZs you need to snapshot them.

Answer 34

The ‘delete on termination’ attribrute.

Answer 35

By default the EC2 instance’s root volume will be deleted, but no other EBS volumes will be.

Answer 36

A ‘backup’ of the contents of a volume.

Answer 37

Moving a snapshot to ‘archive tier’ makes its storage 75% cheaper, but it takes 24 to 75 hours to retrieve it.

Answer 38

Amazon Machine Image

Answer 39

An Amazon Machine Image is a master image for the creation of EC2 instances in AWS. You can create an AMI from a existing EC2 instance. They are built for a specific region.

Answer 40

Public AMI (AWS provided), your own AMI (made and maintained by you) and AWS Marketplace AMIs

Answer 41

EC2 Image Builder is used to automate the creation of VMs or container images. AMIs are one of the types of images you can create with Image Builder, and Image Builder allows you to automate the creation, maintenance and validation of AMIs.

Answer 42

EC2 instance store. Instance stores lose their storage if they’re stopped- they’re good for buffer/cache/scratch storage. There is a risk of data loss if the hardware fails, and backups are your responsibility.

Answer 43

Elastic File System

Answer 44

Network File System

Answer 45

It is a Network File System which is accessible across multiple AZs (via EFS mount targets). It is expensive, compared with EBS.

Answer 46

Elastic File System Infrequent Access. If you enable EFS-IA within a lifecycle policy, EFS will automatically move your files to a cheaper infrequent access store if they go unused for a long time.

Answer 47

Fsx is used to launch 3rd party high performance file systems on AWS. There is an Fsx for windows and lustre (“linux” + “cluster” = “lustre”).

Answer 48

Vertical scalability means that you can increase the size of an instance.

Answer 49

Horizontal scalability means that you can increase the number of instances for your application.

Answer 50

High availability indicates that you running you application in at least two availability zones. High availability goes hand in hand with horizontal scaling.

Answer 51

Once a system is scalable, elasticity means there will be some ‘auto-scaling’, so that a system can scale based on load. This allows you to optimise costs.

Answer 52

A load balancer is a service which forwards internet traffic to multiple servers downstream. This allows you to spread load across multiple downstream instances. You can expose a single point of access (DNS) to your application and seamlessly handle failures downstream.

Answer 53

You can use a load balancer across multiple AZs.

Answer 54

Elastic Load Balancer.

Answer 55

Elastic Load Balancer is a managed service which handles the maintenance of your load balancers. Elastic Load Balancing scales your load balancer as your incoming traffic changes over time.

Answer 56

Application load balancer

Answer 57

Network load balancer

Answer 58

Gateway load balancer

Answer 59

Auto scaling group

Answer 60

Auto scaling groups are designed to scale in and out (aka add and remove EC2 instances) to match your application’s load. You set a minimum and maximum number of machines and a desired capacity and your ASG will automatically register new instances to your load balancer when needed. It will also replace unhealthy instances.

Answer 61

Manual scaling

Answer 62

Dynamic scaling

Answer 63

Simple/ step scaling. An example of an event is a cloudwatch alarm being triggered.

Answer 64

Target tracking scaling (e.g., ‘I want ASG CPU to stay around 40%’)

Answer 65

Scheduled scaling

Answer 66

Predictive scaling (use machine learning to predict traffic ahead of time, and automatically provision EC2 instances ahead of time)

Answer 67

Amazon Simple Storage Service

Answer 68

Files are objects, directories are buckets.

Answer 69

S3 Buckets are defined at the region level.

Answer 70

If you try to upload objects larger than 5TB, you will need to do this with a multi part upload.

Answer 71

IAM policies can be used to dictate which API calls are allowed for a specific AWS User.

Answer 72

Bucket policies.

Answer 73

Object Access Control List

Answer 74

You can set this rule at the account level.

Answer 75

S3 file versioning is set at the bucket level

Answer 76

Cross region replication

Answer 77

Same region replication

Answer 78

Compliance, lower latency access, replication across accounts

Answer 79

Log aggregation, live replication between prod and test accounts

Answer 80

You can move manually, or by using S3 lifecycle configurations

Answer 81

S3 Standard

Answer 82

S3 Infrequent Access. Standard infrequent access is used for disaster recovery. One zone infrequent access is used for backups of on-prem data, or data you can recreate.

Answer 83

S3 Standard

Answer 84

S3 Standard

Answer 85

S3 Glacier Storage.

Answer 86

S3 Glacier Instant Retrieval.

Answer 87

S3 Glacier Flexible Retrieval (which includes expedited, standard and bulk tiers).

Answer 88

S3 Glacier Deep Archive

Answer 89

S3 Intelligent Tiering

Answer 90

No encryption, server-side encryption (file is encrypted after it is received) and client-side encryption (use encrypts objects before uploading it)

Answer 91

The AWS Snow Family are portable devices to collect and process data at the edge and to migrate data in and out of AWS.

Answer 92

When it would take you more than a week to upload your data to the cloud directly.

Answer 93

Connect it to the web and use AWS DataSync to send your data

Answer 94

It has up to 100PB useable

Answer 95

Snowball client

Answer 96

AWS OpsHub

Answer 97

AWS Storage Gateway

Answer 98

Relational Database Service

Answer 99

Relational Database Service is a managed DB service for using SQL.

Answer 100

Amazon Aurora

Answer 101

Read replicas. With this pattern you create up to 5 read replicas of your DB. Writes are still done to the main DB.

Answer 102

Multi AZ. Read and writes still go to the main DB- the DB copy is only used if there is a disaster which takes out the main DB.

Answer 103

Multi Region. Similar to ‘read replicas’ pattern. Reads are done to the DB replica in your region, but writes are done to the main DB. There is a replication cost for copying the DB between regions.

Answer 104

A managed DB for caching. This helps take the load of the DB for read intensive workloads.

Answer 105

A fully managed in-memory cache for DynamoDB

Answer 106

You can set up global tables. This allows you to have two way DB replication- both reads and writes happen to the DB copy in your region. This is then replicated everywhere. This is active-active replication.

Answer 107

With redshift, data is loaded every hour, not continuously. It is high performance, and has an SQL interface for it to be queried.

Answer 108

Elastic Map Reduce.

Answer 109

It is used to analyse and process big data. It’s good for data processing, machine learning &c.

Answer 110

Amazon Athena

Answer 111

Amazon Quicksight

Answer 112

DocumentDB (this is very similar to DynamoDB, but it isn’t Serverless- it is compatible with MongoDB)

Answer 113

Amazon Neptune. A social network is a good use case for a graph database.

Answer 114

Amazon Quantum Ledger Database. A ledger is a book for recording financial transactions. It’s immutable, and used to review the history of all the changes made to your application data over time.

Answer 115

With Amazon QLDB there’s no decentralisation, in accordance with financial regulation rules

Answer 116

Amazon Managed Blockchain. It is used to join public blockchain networks or to create your own scalable private network.

Answer 117

Glue is used to prepare and transform data for analytics. You can prep data for, for example, Redshift.

Answer 118

Database Migration Service. This allows you to migrate from one DB type to another.

Answer 119

Elastic Container Service.

Answer 120

Elastic Container Service is used to launch docker containers on AWS. You must provision and maintain the infrastructure for then.

Answer 121

Fargate is a managed service for launching docket containers. It is similar to ECS but it’s Serverless and you don’t need to provision instances yourself.

Answer 122

Elastic Container Registry.

Answer 123

Elastic Container Registry is a private docker registry where you can store your docker images.

Answer 124

Pay per request and compute time.

Answer 125

API Gateway is used for building Serverless APIs. It provides the client with the rest API gateway used to connect to the API. Used to create, publish, maintain, monitor and secure APIs.

Answer 126

AWS Batch is used to do computing batch jobs. A batch job is a job with a start and end. Batch jobs are defined as docker images and run on ECS. Pretty much anything that can be run on ECS can be run on batch.

Answer 127

Amazon Lightsail is very useful for people with little AWS experience. It’s a simpler alternative to using many individual services and can be used to launch a simple web app. It has limited AWS integration.

Answer 128

CloudFormation is used to instantiate multiple services at once (e.g., a security group, 2 EC2 instances etc). It’s done with infrastructure as code. It also makes it easy to replicate an architecture.

Answer 129

CloudFormation Stack Designer

Answer 130

Cloud Development Kit

Answer 131

Cloud Development Kit allows you to define your cloud infrastructure using a familiar coding language (e.g., Python rather than YAML). This is then compiled into a CloudFormation template. This makes it possible to deploy infrastructure and app runtime code together

Answer 132

Elastic Beanstalk is a service for deploying and scaling web applications and services. Upload your code and Elastic Beanstalk automatically handles the deployment—from capacity provisioning, load balancing, and auto scaling to application health monitoring.

Answer 133

Elastic Beanstalk is free but you pay for the underlying instance.

Answer 134

CodeDeploy automates software deployments. It works with EC2 and on-prem servers. Servers and instances have to be provisioned ahead of time with the CodeDeploy agent.

Answer 135

CodeCommit.

Answer 136

CodeBuild allows you to build your code in the cloud. It compiles source code, runs tests, and produces packages that are ready to be deployed (by CodeDeploy, for example). It can retrieve code from CodeCommit.

Answer 137

CodePipeline allows you to orchestrate the steps to have code pushed to prod. It is the basis is for CI/CD.

Answer 138

CodeArtefact is a secure artefact (dependancy) management tool for software development. It works with common dependency tools such as nvm, npm, gradle etc.

Answer 139

CodeStar is a unified UI to easily manage software development activities in one place. It gives you a nice dashboard and handles all the other code services for you.

Answer 140

Cloud9 is a cloud IDE. It allows for pair programming.

Answer 141

AWS Systems Manager.

Answer 142

AWS Systems Manager helps you manage EC2 and on-prem systems at scale. It gives you operation insights about the state of the infrastructure.

Answer 143

AWS SSM Session Manager allows you to start a secure shell on your EC2 and on-prem servers. It’s another way to access these servers or instances securely.

Answer 144

Non-AWS tools Chef and Puppet help you to perform server config automatically. In response, AWS OpsWorks was made to allow you to use Chef and Puppet in the cloud. It’s an alternative to AWS SSM, which you would only use if you were already using Chef and Puppet.

Answer 145

An app that is deployed in multiple regions

Answer 146

Edge locations are data centres designed to deliver services with the lowest latency possible. They’re located in central locations (e.g. within cities), and you cannot actually deploy to them. They’re generally used for caching, and connecting more quickly to the AWS global network.

Answer 147

An edge location

Answer 148

Domain Name System

Answer 149

Route 53 is AWS’s managed DNS (Domain Name System) service.

Answer 150

The simple routing policy has no health checks. The domain name is passed to Route 53 and an IP is returned.

Answer 151

With a weighted routing policy we assign ‘weights’ to our EC2 instances and Route 53 assigns a corresponding level of traffic to each one as a form of load balancing. With this policy we get health checks.

Answer 152

With a latency routing policy we get routing based on which server is going to give us the lowest latency. With this policy we get health checks.

Answer 153

With a failover routing policy we have a primary EC2 instance and a failover one. If the primary fails a health check, we are routed to the second.

Answer 154

Content Delivery Network. Cloudfront is an example of a Content Delivery Network.

Answer 155

Cloudfront is a Content Delivery Network. Cloudfront improves read performance by caching content at edge locations. Because Cloudfront provides excellent read performance, it is particularly good for static content that must be available everywhere.

Answer 156

Cloudfront can also be integrated with Shield and AWS WAF (Web Application Firewall) to protect against DDoS attacks. Using Shield, attack traffic can be geographically isolated and absorbed using the capacity in edge locations close to the source. With WAF you can define custom security rules (also called web ACLs) that contain a set of conditions, rules, and actions to block attacking traffic.

Answer 157

With S3 Cross Region Replication, each region must be set up individually. In comparison with Cloudfront, S3 Cross Region Replication doesn’t use caching or the Global Edge Network. It’s best for dynamic content that needs to be available at low latency in a few regions.

Answer 158

S3 Transfer Acceleration is used to transfer files to an AWS edge location which will forward the data to an S3 bucket in the target region making use of an optimised network path. This increases transfer speeds.

Answer 159

AWS Global Accelerator allows you to leverage the AWS internal network to send data through edge locations and optimise the route to your application. Global Accelerator provides two global static public IPs that act as a fixed entry point to your application endpoints. There’s no caching.

Answer 160

AWS Outposts are on premises server racks which AWS will setup and manage for you within your other on-prem infrastructure. They will come with AWS Services pre loaded.

Answer 161

AWS Wavelength embeds AWS compute and storage services within 5G networks, providing mobile edge computing infrastructure for developing, deploying, and scaling ultra-low-latency applications.

Answer 162

AWS Local Zones allows you to add extra AZs to your region in order to improve your geographic proximity to your users.

Answer 163

With an active-passive architecture, users in one region can read and write locally (the active region) and users in another region can only read locally (the passive region). The users in the passive region therefore have a higher write latency.

Answer 164

Apps which communicate synchronously talk directly to one another. Apps which communicate asynchronously communicate via a queue of events. Synchronous applications can experience problems if there are sudden spikes in traffic. In an async setup, the two applications are decoupled.

Answer 165

Simple queue service.

Answer 166

Simple queue service is Serverless service designed to decouple applications. A producer application sends data into the Simple queue service. This data can be read by one or multiple consumer applications, which pull messages from the queue. Once our consumers are done processing the message they will delete the message from the queue. Consumer applications can share work.

Answer 167

Amazon Kinesis allows you to collect, process, and analyze real-time streaming data. It is useful for big data streaming.

Answer 168

Amazon Simple Notification Service

Answer 169

Amazon Simple Notification Service makes it possible to get an application to send a message to many receivers without writing multiple direct integrations. Your producer application communicates with an SNS topic. The consumer applications can then subscribe to your topic to receive all the published messages.

Answer 170

Amazon Simple Notification Service and Simple Queue Service are ‘cloud native’ services. If you are running on-prem you may not want to reengineer your app to use them- instead, you can use Amazon MQ. Amazon MQ is a managed message broker service for RabbitMQ and ActiveMQ. It doesn’t scale as well as SNS and SQS, and should only be used if you don’t want to reengineer something preexisting.

Answer 171

CloudWatch metrics provides metrics for every AWS service. You can use it to create a CloudWatch metrics dashboard. You are also able to create custom metrics.

Answer 172

CloudWatch alarms are used to trigger notifications for any metrics. You can choose a period in which to evaluate an alarm. Alarm states are OK, INSUFFICIENT_DATA, and ALARM.

Answer 173

CloudWatch Logs enables you to centralize the logs from all of your systems, applications, and AWS services that you use. You can choose log retention and monitor logs in real time.

Answer 174

With Eventbridge you can react to events in AWS. These include cron jobs and reacting to events on the different AWS event buses. You can, for example, trigger a lambda to run every hour.

Answer 175

Events which have happened within AWS Services

Answer 176

Events which have happened within AWS partner services (like zendesk or datadog)

Answer 177

Events which have happened within your custom AWS integrations

Answer 178

Cloudtrail is a service which provides governance, compliance and audit for your AWS account. It is enabled by default, and contains a history of all events/API calls made by your account. This includes activity in the console and your services. You can put these logs in Cloudwatch logs or S3.

Answer 179

X-Ray provides visual analysis of your application. Debugging is very difficult with a distributed system- X-Ray shows you visually where in the app things are going wrong. This allows us to troubleshoot bottlenecks, pinpoint service issues and to work out if we are meeting Service Level Agreements. We can also identify users who are impacted.

Answer 180

CodeGuru is ML powered service that does automated code reviews and gives performance recommendations

Answer 181

AWS CodeGuru Reviewer analyses your code when you commit it to find issues.

Answer 182

AWS CodeGuru Profiler gives recommendations about app performance during runtime. It also gives recommendations pre-prod. It supports java and python, It can help decrease compute costs, identify objects using up memory and do anomaly detection.

Answer 183

Service Health Dashboard shows you information about the health of all AWS regions and services. You can subscribe to an RSS feed of the information and see historical data. This is not personalised information- it is a general resource.

Answer 184

Personal Health Dashboard is like Service Health Dashboard except it provides alerts and guidance when AWS is experiencing events which impact you. It also helps you plan for future scheduled activities that might be disruptive.

Answer 185

Virtual Private Cloud

Answer 186

A Virtual Private Cloud is a private network for you to deploy resources in. It’s linked to a specific region.

Answer 187

A subnet is a range of IP addresses in your Virtual Private Cloud. A subnet must reside in a single Availability Zone. After you add subnets, you can deploy AWS resources in your Virtual Private Cloud.

Answer 188

Public subnets are accessible from the internet and private ones are not. Services are more secure in private subnets.

Answer 189

We use VPC route tables to define which subnets are public and which are private.

Answer 190

VPC Internet Gateways allow our VPC to connect to the internet. There will be a route between our public subnets and our Internet Gateway.

Answer 191

NAT Gateways are managed by AWS and NAT Instances are managed by you. They allow instances in private subnets to access the web while remaining private. The NAT Gateway/Instance will be in the public subnet.

Answer 192

A network ACL is a firewall which controls traffic to and from a VPC subnet. The NACL has ALLOW and DENY rules which are attached at the subnet level.

Answer 193

VPC Flow Logs are a log of all IP traffic going through your interfaces. These logs help you to troubleshoot connectivity issues and can be exported to S3/Cloudwatch.

Answer 194

VPC Peering allows you to connect 2 VPCs privately using AWS’s network. This makes them behave as if they were the same VPC network. For this to work, the VPCs must not have overlapping IP ranges.

Answer 195

VPC endpoint enables creation of a private connection between VPC and supported AWS services without requiring an internet gateway, a NAT device or a public network. This gives better security and lower latency.

Answer 196

Gateway endpoints provide reliable connectivity to Amazon S3 and DynamoDB without requiring an internet gateway or a NAT device for your VPC.

Answer 197

AWS PrivateLink is a secure way to expose a VPC to 1000s of other VPCs. Peering is another way to connect VPCs but it doesn’t scale and isn’t very secure.

Answer 198

To connect two VPCs with PrivateLink, you need to set up a Network Load Balancer on the producer VPC and an Elastic Network Interface on the consumer VPC. For every new consumer you need a new PrivateLink.

Answer 199

Option one is a site-to-site VPN- the connection is auto encrypted but it goes over the public internet. Option two is a Direct Contact (DX)- you can use a Direct Contact to establish a physical connection between your on-prem server and AWS. This is more expensive and takes time to set up but is private.

Answer 200

AWS Client VPN is a managed VPN service that allows you to securely access your AWS resources and resources in your on-premises network (e.g. on your computer). With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client. This will allow you to connect to your EC2 instance over a private IP, just as if you were in the private VPC network- this goes over the public web.

Answer 201

Managing many VPC connections can be difficult. Transit Gateway exists to solve this- all connections go through transit gateway, making it possible to connect hundreds of VPCs.

Answer 202

Amazon Rekognition is used to recognise objects, people and text in images and videos using ML. It can do facial analysis and facial search to do user verification and people counting.

Answer 203

Amazon Transcribe converts speech to text. You can automatically remove personally identifiable information (PII) using redaction. It also supports automatic language identification for multi language audio.

Answer 204

Amazon Polly turns text to speech using deep learning.

Answer 205

Amazon Translate is a language translation tool.

Answer 206

Amazon Lex allows you to convert speech to text. It also uses Natural Language Understanding to recognise the intent of text and callers. It can help to build chat bots and call centre bots.

Answer 207

Amazon Connect receives calls- it is a cloud based virtual contact centre. It can integrate with other customer relationship systems.

Answer 208

Amazon Comprehend is used for Natural Language Processing (NLP). It uses ML to find insights and relationships in text. It can understand the content and tone of text, and can organise text files by content.

Answer 209

Amazon Sagemaker allows dev to build ML models. To do this you need to build ML models, train and tune them, and apply them.

Answer 210

Amazon Forecast uses ML to do accurate forecasts. It takes in data in an Amazon S3 bucket and forecasts from it.

Answer 211

Amazon Kendra is a document search service powered by ML. Kendra creates a knowledge index, allowing you to query the document using natural language. You can also fine tune your search with filters.

Answer 212

Amazon Personalize is a ML service to build apps with real time personalised recommendations. With S3 and Personalize you can create a personalised API for your applications.

Answer 213

Amazon Textract extracts text, handwriting and data from any scanned document using AI and ML. It can read and process any kind of document.

Answer 214

If you are ready to scale, that will provide you with DDoS protection. They can also be integrated with WAF and Shield.

Answer 215

Encryption happens at rest (i.e. in storage &c), and in transit (i.e., while being transferred).

Answer 216

Key Management Service

Answer 217

The Key Management Service manages encryption keys for us. Some encryption is opt-in and some is automatic.

Answer 218

CloudHSM provisions encryption hardware for us and you manage your encryption keys yourself. It is called CloudHSM after the hardware we’re using, which is called an HSM (Hardware Security Module).

Answer 219

Customer Managed keys (created, managed and used by the customer), AWS Managed keys (managed on the customer’s behalf by AWS- used by AWS Services), AWS Owned keys (you can’t view these keys- they are keys that protect resources in your account) and Cloud HSM keys (keys generated from your CloudHSM hardware)

Answer 220

AWS Certificate manager

Answer 221

AWS Certificate manager lets you easily provision and deploy SSL/TLS Certificates. It is used to provide in flight encryption for HTTPS sites.

Answer 222

AWS Secrets Manager is used for storing secrets. It has the capacity to force the rotation of certificates every x days. It is primarily meant for RDS (Relational Database Service) integration.

Answer 223

AWS Artefact is a portal which gives you access to AWS compliance docs and AWS agreements. These can be used for internal audit and compliance.

Answer 224

AWS GuardDuty allows you to do intelligent threat discovery to protect your AWS account. It uses ML and anomaly detection, and looks at your AWS logs. Eventbridge rules can be set up so that you are notified of findings.

Answer 225

Amazon Inspector automatically discovers workloads, such as Amazon EC2 instances, containers, and Lambda functions, and scans them for software vulnerabilities and unintended network exposure. It reports findings to AWS Security hub and provides a vulnerability risk score.

Answer 226

AWS Config helps with auditing and recording compliance on your AWS resources. It helps record configurations and changes over time.

Answer 227

Amazon Macie is a data security and data privacy service which uses ML and pattern matching to discover and protect sensitive data in AWS. It helps alert you to personally identifiable information (PII).

Answer 228

AWS Security Hub is the centralised security tool for AWS accounts to manage security and automate security checks. It aggregates alerts and summarises findings.

Answer 229

Amazon Detective analyses security issues and suspicious activities and attempts to discover the root cause. It makes use of ML and graphs.

Answer 230

Spam, port scanning, DDoS, hosting questionable or copyrighted content. This is for anything with an AWS-owned IP.

Answer 231

Amazon Organisations allows you to centrally manage multiple AWS accounts. The main account is the master account. This service allows consolidated billing, meaning you can make savings. You can also automate AWS account creation. You should enable CloudTrail on all accounts and send logs to central S3 account.

Answer 232

Service Control Policies.

Answer 233

Service Control Policies allow you to white or blacklist IAM actions. This is applied at the OU (Organisational Unit) or account level.

Answer 234

AWS Control Tower is an easy way to set up and govern a secure compliant multi-account AWS environment based on best practices. It runs on top of AWS Organisations.

Answer 235

Using a Private IP. Public and Elastic IPs are more expensive and slower. Communicating between EC2 instances in the same AZ is free.

Answer 236

AWS Compute Optimiser allows you to reduce costs and improve performance by recommending optimal AWS resources for your workloads. It uses ML. Recommendations can be exported to S3.

Answer 237

AWS Billing Dashboard gives you a high level understanding of your bills.

Answer 238

Cost allocation tags allow us to explore costs on a deeper level, and to group costs. Tags are also used for organising resources and to create resource groups.

Answer 239

The AWS Cost and Usage report contains the most comprehensive set of AWS cost and usage data available. It can be broken into hourly and daily line items and can be integrated with Athena.

Answer 240

The cost explorer allows you to visualise and manage AWS costs and usage time. You can create custom reports and choose an optimal savings plan. You can also forecast costs 12 months ahead.

Answer 241

When you enable the monitoring of estimated charges for your AWS account, the estimated charges are calculated and sent several times daily to CloudWatch as metric data. Billing metric data is stored in the US East (N. Virginia) Region and represents worldwide charges. An alarm triggers when your account billing exceeds the threshold you specify.

Answer 242

With AWS Budgets you can create a budget and send an alert when your cost (actual or projected) exceeds the budget. You can also set budgets for other metrics like usage.

Answer 243

AWS Trusted Advisor provides recommendations that help you follow AWS best practices by evaluating your account. It runs checks and tells you if you are passing the checks or not.

Answer 244

Cost optimization, Performance, Security, Fault tolerance and Service quotas

Answer 245

24x7 access to customer service, forums etc; 7 core Trusted Advisor checks; AWS Personal Health Dashboard.

Answer 246

On top of basic support you get business hours emails to Cloud Support Associates, Unlimited technical support cases with 1 primary contact and response times that depend on the problem’s severity.

Answer 247

The Business support plan is intended for Production workloads. On top of developer support you get 24x7 access to cloud engineers, full Trusted Advisor checks, unlimited technical support cases with unlimited contacts and response times that take into account prod problems.

Answer 248

The Enterprise On-Ramp support plan is intended for Production or Business Critical workloads. On top of business support you get Infrastructure Event Management, Technical Account Managers, Concierge Support Team and response times that take into account business critical problems.

Answer 249

The Enterprise support plan is intended for Business Critical workloads. On top of enterprise on-ramp support you get access to pro-active reviews, workshops, deep dives and a designated Technical Account Manager.

Answer 250

AWS Security Token Service.

Answer 251

AWS Security Token Service is a behind the scenes service. It enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users you authenticate. You configure the expiration period.

Answer 252

Amazon Cognito provides identity for potentially millions of web and mobile app users. Individuals using your product should not be IAM users. Cognito integrates with Facebook and Google to provide auth.

Answer 253

AWS Directory Service extends Microsoft’s Active Directory, allowing you to establish trust with your on-prem active directory. Microsoft Active Directory is found on any Windows server with Active Directory Domain Services, and it stores information about objects on the network

Answer 254

IAM Identity Centre provides one login for all your AWS Accounts in AWS Organisations.

Answer 255

Amazon Workspaces is a DaaS (Desktop as a Service) solution to easily provision windows or linux desktops. It is a virtual desktop.

Answer 256

Amazon Appstream 2.0 is similar to Amazon Workspaces except it just gives you a single application rather than a full desktop. It allows you to stream an application to any computer via the browser without provisioning infrastructure

Answer 257

Amazon Sumerian

Answer 258

AWS IoT (internet of things) core allows you to create a network of internet-connected devices that are able to collect and transfer data. It also makes it easy to connect IoT devices to the cloud.

Answer 259

Amazon Elastic Transcoder is used to convert files stored in S3 into media files which are in the format required by consumer playback devices (e.g. the format required by a phone).

Answer 260

AWS AppSync allows you to store and sync data across mobile and web apps in real time. It creates serverless GraphQL and Pub/Sub APIs that simplify application development through a single endpoint to securely query, update, or publish data.

Answer 261

AWS Amplify provides a set of tools and services which help you to develop and deploy web and mobile apps. You can manage auth, storage and APIs from one place making use of existing AWS Services, making it similar to Elastic Beanstalk, but for web and mobile applications. Set up in Amplify Studio.

Answer 262

AWS Device Farm is a service that tests your web and mobile apps against browsers, mobile devices and tablets to fix issues. It runs these tests concurrently.

Answer 263

AWS Backup is a service to manage and automate backups across AWS Services. It supports on-demand and schedules backups, and point-in-time recovery.

Answer 264

The ‘backup and restore’ disaster recovery strategy is the cheapest one. Your ‘backup and restore’ backups do not run- you store your application’s data, and the application will not be back up and running until you restore you data to the right location.

Answer 265

The ‘pilot light’ disaster recovery strategy involves running the core/critical functions of your application in your backup with minimal setup. To recover your application you need to upgrade your database type and start your application servers- however core functionality is always read to go.

Answer 266

The ‘warm standby’ disaster recovery strategy involves having a full version of the application ready to go, but at minimum size. You can increase the size to recover your application.

Answer 267

Having a ‘hot site’ disaster recovery strategy means having a full version of the site at full size ready to go. This is the most expensive choice.

Answer 268

AWS Elastic Disaster Recovery (DRS) is a service which allows you to quickly recover your on prem and cloud based servers into AWS. It facilitates continuous block-level replication of your servers to allow better recovery.

Answer 269

AWS DataSync allows you to move large amounts of data from on-prem to AWS. After the first full load replication tasks are incremental and can be scheduled hourly, daily or weekly.

Answer 270

If you are moving from on-prem to the cloud you need a migration plan. For this you need to understand your on-prem data centre. The AWS Application Discovery Service helps with that. With it you can do ‘agentless discovery’, which is for config and performance history, and ‘agent-base discovery’ which is for system config and system performance.

Answer 271

AWS Application Migration Service makes it easier to move from on-prem servers to AWS. With this you can do a ‘lift and shift’ rehosting solution, simplifying the process of migrating.

Answer 272

AWS Fault Injection Simulator is a service for running fault injection experiments on AWS workloads. We stress the app by creating disruptive events (e.g. a sudden increase in CPU or memory), and observing how the system responds so we can make improvements.

Answer 273

AWS Step Functions allow you to build a Serverless visual workflow. You can create workflows with parallelisation, sequences, conditions, time outs and error handling. You can also implement a human approval feature for your workflows.

Answer 274

AWS Ground Station allows you to control satellite communications, and process and scale satellite operations.

Answer 275

AWS Pinpoint is a two way marketing communications service. Amazon SNS (Amazon Simple Notification Service) and SES (Simple Email Service) require you to manage each message’s audience, content and delivery schedule. Much more of Pinpoint is automated and it makes use of templates. Pinpoint supports email, SMS, voice &c and communications can be personalised.

Answer 276

Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization and Sustainability.

Answer 277

The operational excellence pillar focuses on running and monitoring systems, and continually improving processes and procedures. Key topics include automating changes, responding to events, and defining standards to manage daily operations. Use CloudFormation to perform operations as code. Anticipate failures.

Answer 278

The security pillar focuses on protecting information and systems. Key topics include confidentiality and integrity of data, managing user permissions, and establishing controls to detect security events. Enable traceability. Automate best security practices. Run simulations. Reduce or eliminate the need for direct access to data.

Answer 279

The reliability pillar focuses on workloads performing their intended functions and how to recover quickly from failure to meet demands. Key topics include distributed system design, recovery planning, and adapting to changing requirements. Automatically recover from failures. Scale horizontally. Stop guessing capacity and use autoscaling.

Answer 280

The performance efficiency pillar focuses on structured and streamlined allocation of IT and computing resources. Key topics include selecting resource types and sizes optimized for workload requirements, monitoring performance, and maintaining efficiency as business needs evolve. Experiment more often and be aware of all AWS Services.

Answer 281

The cost optimization pillar focuses on avoiding unnecessary costs. Key topics include understanding spending over time and controlling fund allocation, selecting resources of the right type and quantity, and scaling to meet business needs without overspending. Use CloudWatch to measure overall efficiency.

Answer 282

The sustainability pillar focuses on minimizing the environmental impacts of running cloud workloads. Key topics include a shared responsibility model for sustainability, understanding impact, and maximizing utilization to minimize required resources and reduce downstream impacts. Establish goals. Maximise utilisation. Use managed services as they automate best practices.

Answer 283

The AWS Well Architected Tool allow you to look up questions about Well Architected practices based on your workload.

Answer 284

Right sizing means choosing the best instance type for your needs. Choose something smaller and scale upwards rather than choosing something large as default.

Answer 285

AWS Partner Solutions are automated vetted deployments which help you deploy popular technologies to AWS according to AWS best practices

Answer 286

AWS Knowledge Centre is an AWS Q&A common questions web portal.

Answer 287

AWS IQ helps you quickly find a professional to help with your AWS project. The tool includes video conferencing, contract management and billing.

Answer 288

AWS re:post is AWS’s AWS specialist stack overflow.