AWS Deck 1

Question 1

What does S3 stand for?

Answer 1

Simple Storage Service

Question 2

How much data can be stored without worry of underlying storage infrastructure with regards to S3?

Answer 2

Unlimited

Question 3

How many AZ’s can S3 replicate data across?

Answer 3

At least 3 to ensure 99.99% availability and 11’ 9s of durability

Question 4

What can objects contain? What are they like?

Answer 4

Data. They are like files.

Question 5

What size can objects be?

Answer 5

Anywhere from 0 Bytes to 5 Terabytes

Question 6

What do buckets tend to contain?

Answer 6

Objects

Question 7

What can buckets contain that can in turn contain objects?

Answer 7

Folders

Question 8

Bucket names are unique across all AWS accounts. True or False?

Answer 8

True

Question 9

What are bucket names similar to?

Answer 9

Domain names

Question 10

When you upload a file to S3 successfully, what will you receive?

Answer 10

An HTTP 200 code

Question 11

What can objects be moved between?

Answer 11

Storage Classes

Question 12

Objects cant be deleted automatically based on a schedule. True or False?

Answer 12

False

Question 13

What do objects give?

Answer 13

Version ID’s

Question 14

When new objects are uploaded the old objects are kept. True or False?

Answer 14

True

Question 15

Is is possible to access limited object versions or any object versions?

Answer 15

Any

Question 16

What happens when you delete an object?

Answer 16

The previous object is restored

Question 17

Can versioning ever truly be turned off once it is turned on? Explain

Answer 17

No, it can only be suspended

Question 18

Where can you only turn MFA Delete on from?

Answer 18

The AWS CLI

Question 19

What is the only thing a root account can delete?

Answer 19

Objects

Question 20

All new buckets are public by default. True or False? Explain

Answer 20

False, they are private by default

Question 21

What can be turned on to track operations performed on objects?

Answer 21

Logging

Question 22

How is access control configured? Explain how.

Answer 22

By using bucket policies and Access Control Lists

Question 23

What are bucket policies exactly?

Answer 23

JSON documents which let you write complex control access

Question 24

ACL’s are what method? What do you grant access to?

Answer 24

Legacy method (not deprecated). Grant access to objects and buckets with simple actions

Question 25

What two “snow” things are a rugged container? What do they contain?

Answer 25

Snowball and Snowball Edge. Contain a storage device

Question 26

What is a snowmobile?

Answer 26

A 45 foot long ruggedized shipping container, pulled by a semi-trailer truck

Question 27

What scale migration is snowball and snowball edge for?

Answer 27

Peta-scale migration

Question 28

What type of migration is snowmobile for?

Answer 28

Exabyte-scale migration

Question 29

Why would someone use snowball vs having to transfer 100TB of data over high speed internet?

Answer 29

Snowball is 1/5th the cost

Question 30

What is the speed comparison of transferring data when it comes to high speed internet vs. snowball?

Answer 30

It would take 100 days to transfer over 100TB of data vs. snowball where it would take less than a week.

Question 31

How many sizes does snowball come in? How much usable space per size?

Answer 31

50TB - 42TB of usable space. 80TB - 72TB of usable space.

Question 32

How many sizes does snowball edge come in? How much usable space per size?

Answer 32

100TB - 83TB of usable space. 100TB Clustered - 45TB per node

Question 33

What size does snowmobile come in?

Answer 33

100PB (petabytes)

Question 34

What two things can you do using snowball or snowmobile regarding data?

Answer 34

Import or export data

Question 35

What things can you import into with regards to “snow”?

Answer 35

S3 or Glacier

Question 36

What can snowball edge undertake?

Answer 36

Local processing and edge-computing workloads

Question 37

How can snowball edge be used regarding “clusters”?

Answer 37

Can be used in a cluster in groups of 5-10 devices

Question 38

What do VPC endpoints help keep traffic between?

Answer 38

AWS services within the AWS network

Question 39

How many kinds of VPC endpoints are there? What are their names?

Answer 39

Two kinds. Interface endpoints and Gateway endpoints

Question 40

What is the difference between interface endpoints and gateway endpoints?

Answer 40

Interface costs money, gateway is free

Question 41

Elastic Network Interface (ENI) and Private IP (powered by AWS PrivateLink), are associated with what endpoint?

Answer 41

Interface

Question 42

Gateway endpoints is a target for what?

Answer 42

A specific route in your route table

Question 43

Interface Endpoints dont support a lot of AWS services. True or False?

Answer 43

False

Question 44

What two things does Gateway Endpoint only support?

Answer 44

DynamoDB and S3

Question 45

What do VPC Flow Logs monitor?

Answer 45

In-and-Out traffic of your network interfaces within your VPC

Question 46

What 3 levels can the Flow Logs be turned on?

Answer 46

VPC, Subnet and Network Interface Level

Question 47

VPC flow logs cannot be tagged like other AWS Resources? True or False?

Answer 47

True

Question 48

Is it possible to change the configuration of a flow log after its created?

Answer 48

No

Question 49

You cannot enable flow logs for VPC’s which are peered with your VPC unless it is in the same account. True or False?

Answer 49

True

Question 50

What can VPC Flow Logs be delivered to?

Answer 50

S3 or CloudWatch Logs

Question 51

VPC flows log contain the source and what addresses?

Answer 51

Destination IP addresses

Question 52

Is all instance traffic monitored?

Answer 52

Only some is not monitored

Question 53

Instance Traffic that is not monitored is as follows:

Answer 53

Instance traffic generated by contacting the AWS DNS server, Windows license activation traffic from instances, Traffic to and from the instance metadata address (169.254,169.254), DHCP traffic, Any traffic to the reserved IP address of the default VPC router.

Question 54

What does NACL stand for?

Answer 54

Network Access Control List

Question 55

VPC’s are automatically given a default NACL. True or False?

Answer 55

True

Question 56

Do VPC’s automatically given a default NACL allow all out and inbound traffic?

Answer 56

Yes

Question 57

What must each VPC within a subnet be associated with?

Answer 57

An NACL

Question 58

How many subnets can an NACL be associated with at a time?

Answer 58

1

Question 59

Will associating a subnet with a new NACL remove the previous association?

Answer 59

Yes

Question 60

If an NACL is not explicitly associated with a subnet, will the subnet automatically be associated with the default NACL?

Answer 60

Yes

Question 61

What rules does NACL have?

Answer 61

Inbound and outbound (just like Security Groups)

Question 62

What can rule do?

Answer 62

Either allow or deny traffic (unlike Security Groups which can only allow)

Question 63

Do NACL’s have a state? Explain

Answer 63

No, they are stateless (any allowed inbound traffic is also allowed outbound)

Question 64

When an NACL is created, it will allow all traffic by default. True or False?

Answer 64

False, it will deny all traffic.

Question 65

What do NACL’s contain? What type of “list”?

Answer 65

A numbered list of rules. They get evaluated in order from lowest to highest.

Question 66

If you needed to block a single IP address, could you via an NACL? (Security Groups cannot deny)

Answer 66

Yes

Question 67

At what level do security groups act as a firewall?

Answer 67

Instance Level

Question 68

Unless it is allowed specifically, what traffic is blocked by default?

Answer 68

Inbound Traffic

Question 69

All __ traffic from the instance is allowed by default

Answer 69

Outbound

Question 70

You can specify the source of the security group traffic to be 3 things, what are they?

Answer 70

IP range, Single IP address or another security group

Question 71

Are security groups stateful, or stateless?

Answer 71

StateFUL (if traffic is allowed inbound it is also allowed outbound)

Question 72

Do any changes made to a security group take effective eventually, or immediately?

Answer 72

Immediately

Question 73

Can EC 2 instances belong to multiple security groups?

Answer 73

Yes

Question 74

Security Groups can contain multiple EC2 instances. True or False?

Answer 74

True

Question 75

What would you need that would allow you to block specific IP addresses with Security Groups?

Answer 75

Network Access Control List (NACL)

Question 76

How many security groups can you have per region?

Answer 76

10,000 (default 25,000)

Question 77

How many inbound and how many outbound rules per security group can you have?

Answer 77

60 inbound, 60 outbound

Question 78

How many security groups can you have associated to an ENI?

Answer 78

16 (default is 5)

Question 79

When creating a NAT instance you must __ on the instance?

Answer 79

Must disable source and destination checks

Question 80

NAT instances must exist in private subnets. True or False? Explain

Answer 80

False, public subnets

Question 81

Should you have a route out or in to a private subnet NAT instance?

Answer 81

Route Out

Question 82

The size of a NAT instance determines what?

Answer 82

How much traffic can be handled

Question 83

High availability (with regards to NAT), can be achieved using what?

Answer 83

Autoscaling Groups, Multiple subnets in different AZ’s, and automate failover between them using a script

Question 84

NAT gateways are _______ zone.

Answer 84

Redundant inside an availability…(can survive failure of EC2 instance)

Question 85

How many gateways can you have inside 1 availability zone?

Answer 85

1 NAT gateway (cannot span AZ’s)

Question 86

What amount do gateways start at (with regards to NAT topic)?

Answer 86

5GBPS and scales all the way up to 45 GBPS

Question 87

Whats the preferred setup for enterprise systems?

Answer 87

NAT gateways

Question 88

Is there a requirement to patch NAT gateways?

Answer 88

No

Question 89

Is there a need to disable Source/Destination checks for the NAT gateway (unlike NAT instances)?

Answer 89

No

Question 90

NAT gateways are automatically what?

Answer 90

Assigned a public IP address

Question 91

Route Tables for the NAT gateway MUST what?

Answer 91

Be updated

Question 92

If you have resources in multiple AZ’s sharing a gateway, what risk do you run? Unless you do what?

Answer 92

You will lose internet access if the Gateway goes down. Unless you create a gateway in each AZ and configure route tables accordingly

Question 93

Identity Access Management is used to manage what?

Answer 93

Access to users and resources

Question 94

What system is IAM?

Answer 94

Universal (*applied to all Regions at the same time)

Question 95

Is IAM a free or paid service?

Answer 95

Free

Question 96

What kind of account is initially created when AWS is set up?

Answer 96

Root Account (full admin.)

Question 97

Do IAM accounts have any permissions by default?

Answer 97

No, they have to be granted

Question 98

What keys do new users get assigned?

Answer 98

Access Key ID and Secret Key (first created when you give them programmatic access.

Question 99

Access Keys are only used for what?

Answer 99

CLI and SDK (cannot access console)

Question 100

Access keys only shown once when created. True or False?

Answer 100

True (if lost, they must be deleted/recreated again)

Question 101

What should always be setup for Root Accounts?

Answer 101

MFA

Question 102

What must individual users do regarding MFA that admins cannot do?

Answer 102

Individual users have to enable it themselves

Question 103

IAM allows what in terms of a password policies?

Answer 103

To set minimum password requirements or rotate passwords

Question 104

IAM identities are what 3 things?

Answer 104

Users, Groups and Roles

Question 105

IAM users are end users who do what?

Answer 105

Log into the console or interact with AWS resources programatically

Question 106

IAM groups are groups that group up your what?

Answer 106

Group up your users so they all share permission levels of the group (ie; Admins, Devs and Auditors)

Question 107

IAM roles Associate what?

Answer 107

Permissions to a Role and then assign this to a User or Groups

Question 108

IAM policies are JSON what?

Answer 108

Documents which grant permission for a specific user, group, or role to access services. Policies are attached to IAM identities

Question 109

Can managed policies be edited?

Answer 109

No (they are provided by AWS)

Question 110

Customer managed policies are created by who? Can they be edited?

Answer 110

The customer and CAN be edited

Question 111

Inline policies are directly attached to who?

Answer 111

The user