AWS Dev Associate Flashcards by Jenna Seto

You plan on running an open-source MongoDB database year-round on EC2. Which instance launch mode should you choose?

on-demand
reserved instances
spot instances

Reserved Instances

How well did you know this?

Not at all

Perfectly

You are launching an EC2 instance in us-east-1 using this Python script snippet:

> ec2.create_instances(ImageId=’ami-b23a5e7’, MinCount=1, MaxCount=1)

It works well, so you decide to deploy your script in us-west-1 as well. There, the script does not work and fails with “ami not found” error. What’s the problem?

AMI is region locked and the same ID cannot be used across regions
The AMI needs to first be shared to another region. The same ID can then be used

AMI is region locked and the same ID cannot be used across regions

How well did you know this?

Not at all

Perfectly

You would like to deploy a database technology and the vendor license bills you based on the physical cores and underlying network socket visibility. Which EC2 launch modes allow you to get visibility into them?

spot ins
dedicated hosts
on-demand

Dedicated Hosts

How well did you know this?

Not at all

Perfectly

You are running a critical workload of three hours per week, on Monday. As a solutions architect, which EC2 Instance Launch Type should you choose to maximize the cost savings while ensuring the application stability?

on-demand ins
reserved ins
spot ins
scheduled reserved ins

Scheduled Reserved Instances

How well did you know this?

Not at all

Perfectly

Scalability vs High Availability

S: app can handle greater load by adapting (v & h: elasticity)
HA: running app in 2+ data centers, can survive data center loss

How well did you know this?

Not at all

Perfectly

Load Balancers provide a

static IPv4 we can use in our application
static DNS name we can use in our app
static IPv6 we can use in our app

static DNS name we can use in our app - ELB chapter

How well did you know this?

Not at all

Perfectly

You are running a website with a load balancer and 10 EC2 instances. Your users are complaining about the fact that your website always asks them to re-authenticate when they switch pages. You are puzzled, because it’s working just fine on your machine and in the dev environment with 1 server. What could be the reason?

the app must have a bug
the load balancer does not have stickiness enabled
the EC2 Instances log out users b/c they don’t see their true IPs

the load balancer does not have stickiness enabled

How well did you know this?

Not at all

Perfectly

Your application is using an Application Load Balancer. It turns out your application only sees traffic coming from private IP which are in fact your load balancer’s. What should you do to find the true IP of the clients connected to your website?

Modify the frontend of the website so that users send their IP in the requests
Look into the X-Forwarded-For header in the backend
Look into the X-Forwarded-Proto header in the backend

Look into the X-Forwarded-For header in the backend

How well did you know this?

Not at all

Perfectly

You quickly created an ELB and it turns out your users are complaining about the fact that sometimes, the servers just don’t work. You realise that indeed, your servers do crash from time to time. How to protect your users from seeing these crashes?

enable Stickiness
enable Health Checks
enable SSL Termination

enable Health Checks - CLB hands on

How well did you know this?

Not at all

Perfectly

You are designing a high performance application that will require millions of connections to be handled, as well as low latency. The best Load Balancer for this is

network load balancer

How well did you know this?

Not at all

Perfectly

Application Load Balancers handle all these protocols except

HTTP
HTTPS
Websocket
TCP

TCP - ELB overview

How well did you know this?

Not at all

Perfectly

The application load balancer can redirect to different target groups based on all these except…

Hostname
Request Path
Client IP

Client IP

How well did you know this?

Not at all

Perfectly

You are running at desired capacity of 3 and the maximum capacity of 3. You have alarms set at 60% CPU to scale out your application. Your application is now running at 80% capacity. What will happen?

Nothing
The desired capacity will go up to 4 and max will stay at 3
The desired capacity will go up to 4 and max will stay at 4

nothing - auto scaling groups hands on

How well did you know this?

Not at all

Perfectly

I have an ASG and an ALB, and I setup my ASG to get health status of instances thanks to my ALB. One instance has just been reported unhealthy. What will happen?

the ASG will keep the instance running & restart the app
the ASG will detach the EC2 instance from the group
the ASG will terminate the EC2 instance

the ASG will terminate the EC2 instance

How well did you know this?

Not at all

Perfectly

Your boss wants to scale your ASG based on the number of requests per minute your application makes to your database.

it’s impossible
create a CloudWatch custom metric & build alarm on this to scale your ASG
enable detailed monitoring & use that to scale your ASG

create a CloudWatch custom metric & build alarm on this to scale your ASG

How well did you know this?

Not at all

Perfectly

Scaling an instance from an r4.large to an r4.4xlarge is called

horizontal
vertical

scalability?

vertical scalability

How well did you know this?

Not at all

Perfectly

Running an application on an auto scaling group that scales the number of instances in and out is called

horizontal
vertical

scalability?

horizontal scalability

How well did you know this?

Not at all

Perfectly

You would like to expose a fixed static IP to your end-users for compliance purposes, so they can write firewall rules that will be stable and approved by regulators. Which Load Balancer should you use?

ALB with Elastic IP attached to it
NLB
CLB

network load balancer

Network Load Balancers expose a public static IP, whereas an Application or Classic Load Balancer exposes a static DNS (URL)

How well did you know this?

Not at all

Perfectly

A web application hosted in EC2 is managed by an ASG. You are exposing this application through an Application Load Balancer. The ALB is deployed on the VPC with the following CIDR: 192.168.0.0/18. How do you configure the EC2 instance security group to ensure only the ALB can access the port 80?

open up the EC2 security group on port 80 to 0.0.0.0/0
open up the EC2 security group on port 80 to 192.168.0.0/18
open up the EC2 security group on port 80 to the ALB’s security group

open up the EC2 security group on port 80 to the ALB’s security group

This is the most secure way of ensuring only the ALB can access the EC2 instances. Referencing by security groups in rules is an extremely powerful rule and many questions at the exam rely on it.

How well did you know this?

Not at all

Perfectly

Your application load balancer is hosting 3 target groups with hostnames being users.example.com, api.external.example.com, and checkout.example.com. You would like to expose HTTPS traffic for each of these hostnames. How do you configure your ALB SSL certificates to make this work?

use SNI
use a wildcard SSL certificate
use an HTTP to HTTPS redirect rule
use a security group SSL certificate

use SNI

SNI (Server Name Indication) is a feature allowing you to expose multiple SSL certs if the client supports it. Read more here: https://aws.amazon.com/blogs/aws/new-application-load-balancer-sni/

How well did you know this?

Not at all

Perfectly

The Application Load Balancers target groups can be all of these EXCEPT…

EC2 Instances
IP Addresses
Lambda functions
NLBs

network load balancer

How well did you know this?

Not at all

Perfectly

You are running an application in 3 AZ, with an Auto Scaling Group and a Classic Load Balancer. It seems that the traffic is not evenly distributed amongst all the backend EC2 instances, with some AZ being overloaded. Which feature should help distribute the traffic across all the available EC2 instances?

stickiness
cross zone load balancing
target group routing rules
HTTPS termination

cross zone load balancing - video #40

How well did you know this?

Not at all

Perfectly

Your Application Load Balancer (ALB) currently is routing to two target groups, each of them is routed to based on hostname rules. You have been tasked with enabling HTTPS traffic for each hostname and have loaded the certificates onto the ALB. Which ALB feature will help it choose the right certificate for your clients?

TLS Termination
Server Name Indication (SNI)
SSL Security Policies
Host Header

Server Name Indication (SNI)

How well did you know this?

Not at all

Perfectly

An application is deployed with an Application Load Balancer and an Auto Scaling Group. Currently, the scaling of the Auto Scaling Group is done manually and you would like to define a scaling policy that will ensure the average number of connections to your EC2 instances is averaging at around 1000. Which scaling policy should you use?

simple scaling policy
step scaling policy
target tracking
scheduled scaling

target tracking

How well did you know this?

Not at all

Perfectly

Your instance in us-east-1a just got terminated, and the attached EBS volume is now available. Your colleague tells you he can't seem to attach it to your instance in us-east-1b. - Missing IAM permissions - EBS volumes are region locked - EBS volumes are AZ locked

EBS volumes are AZ locked EBS Volumes are created for a specific AZ. It is possible to migrate them between different AZ through backup and restore

You would like to have the same data being accessible as an NFS drive cross AZ on all your EC2 instances. What do you recommend? Mount an... - EFS - EBS - Instance Store

EFS EFS is a network file system (NFS) and allows to mount the same file system on EC2 instances that are in different AZ

You would like to have a high-performance cache for your application that mustn't be shared. You don't mind losing the cache upon termination of your instance. Which storage mechanism do you recommend as a Solution Architect? - Instance Store - EBS - EFS

Instance Store Instance Store provide the best disk performance

You are running a high-performance database that requires an IOPS of 210,000 for its underlying filesystem. What do you recommend? - EBS gp2 drive - EBS io1 drive - EC2 Instance Store - EFS

EC2 Instance Store Is running a DB on EC2 instance store possible? It is possible to run a database on EC2. It is also possible to use instance store, but there are some considerations to have. The data will be lost if the instance is stopped, but it can be restarted without problems. One can also set up a replication mechanism on another EC2 instance with instance store to have a standby copy. One can also have back-up mechanisms. It's all up to how you want to set up your architecture to validate your requirements. In this case, it's around IOPS, and we build an architecture of replication and back up around it

My company would like to have a MySQL database that is going to be available even in case of a disaster in the AWS Cloud. I should setup - Read Replicas - Encryption - Multi AZ

Multi AZ

Our RDS database struggles to keep up with the demand of the users from our website. Our million users mostly read news, and we don't post news very often. Which solution will NOT help fix this problem? - ElastiCache cluster - RDS Read Replicas - RDS Multi AZ

RDS Multi AZ - video #54 RDS overview

We have setup read replicas on our RDS database, but our users are complaining that upon updating their social media posts, they do not see the update right away - must be a bug in our app - read replicas have async replication & therefore it's likely users will only observe eventual consistency - we should have setup multi-az instead

Read Replicas have async replication & therefore it's likely users will only observe eventual consistency

Which RDS Classic (not Aurora) feature does not require us to change our SQL connection string? - Read Replicas - Multi AZ

Multi AZ Multi AZ keeps the same connection string regardless of which database is up. Read Replicas imply we need to reference them individually in our application as each read replica will have its own DNS name --- NOT read replicas: Read Replicas add new endpoints for databases to read from and therefore we must change our application to have the list of these endpoints in order to balance the read load and connect to the databases

You want to ensure your Redis cluster will always be available, enable... - Read Replicas - Multi AZ

Multi AZ

Your application functions on an ASG behind an ALB. Users have to constantly log back in and you'd rather not enable stickiness on your ALB as you fear it will overload some servers. What should you do? - create your own load balancer & deploy that on EC2 instances - store session data in RDS - store session data in ElastiCache - store session data in a shared EBS volume

store session data in ElastiCache personal note: seems quickest :P

One analytics application is currently performing its queries against your main production database. These queries slow down the database which impacts the main user experience. What should you do to improve the situation? - set up a Read Replica - set up Multi AZ - run the analytics queries at night - increase the RDS instance size

Set up a Read Replica Read Replicas will help as our analytics application can now perform queries against it, and these queries won't impact the main production database.

* You have a requirement to use TDE (Transparent Data Encryption) on top of KMS. Which database technology does NOT support TDE on RDS? - PostgreSQL - Oracle - MS SQL Server

PostgreSQL

Which RDS database technology does NOT support IAM authentication? - Oracle - PostgreSQL - MySQL

PostgreSQL

You would like to ensure you have a database available in another region if a disaster happens to your main region. Which database do you recommend? - RDS w/ Read Replicas in another AZ - RDS w/ multi AZ - Aurora Read Replicas in another AZ - Aurora Global DB

Aurora Global Database Global Databases allow you to have cross region replication

You are managing a PostgreSQL database and for security reasons, you would like to ensure users are authenticated using short-lived credentials. What do you suggest doing? - Install PostgreSQL on EC2 and install the pg_iam module. Authenticate using IAM username and password - Use PostgreSQL for RDS and install the pg_iam module. Authenticate using IAM username and password - Use PostgreSQL for RDS and authenticate using a token obtained through the RDS service - Use PostgreSQL for RDS and force SSL connections. Authenticate using SSL certificates that you regularly rotate

Use PostgreSQL for RDS and authenticate using a token obtained through the RDS service In this case, IAM is leveraged to obtain the RDS service token, so this is the IAM authentication use case.

Your organisation wants to enforce SSL connections on your MySQL database - Change your security group rules to only allow SSL traffic - Download certificates and change your application to connect using SSL - Apply a 'REQUIRE SSL' statement to all your users in your SQL DB - Enable RDS encryption

Apply a 'REQUIRE SSL' statement to all your users in your SQL DB - video #54 RDS overview

You are implementing a caching strategy with ElastiCache and would like to ensure that only the data that is often requested will be loaded in ElastiCache, as your cache size is small. Which caching strategy should you implement? - lazy loading - write through - TTL

lazy loading Lazy Loading would only cache data that is actively requested from the database

You are serving web pages for a very dynamic website and you have a requirement to keep latency to a minimum for every single user when they do a read request. Writes can take longer to happen. Which caching strategy do you recommend? - cache aside - write-through - TTL

write-through this has longer writes, but the reads are quick and the data is always updated in the cache

Tell what each record (for Route53) does: - A - AAAA - CNAME - Alias

A: hostname to IPv4 AAAA: hostname to IPv6 CNAME: hostname to hostname Alias: hostname to AWS resource

You have purchased "mycoolcompany.com" on the AWS registrar and would like for it to point to [lb1-1234.us-east-2.elb.amazonaws.com]. What sort of Route 53 record is NOT POSSIBLE to set up for this? - CNAME - Alias

CNAME The DNS protocol does not allow you to create a CNAME record for the top node of a DNS namespace (mycoolcompany.com), also known as the zone apex

Route53 - Simple vs Weighted vs Latency vs Failover ?

(look up answer)

You have deployed a new Elastic Beanstalk environment and would like to direct 5% of your production traffic to this new environment, in order to monitor for CloudWatch metrics and ensuring no bugs exist. What type of Route 53 records allows you to do so? - Simple - Weighted - Latency - Failover

Weighted Weighted allows you to redirect a part of the traffic based on a weight (hence a percentage). It's common to use to send a part of a traffic to a new application you're deploying

After updating a Route 53 record to point "myapp.mydomain.com" from an old Load Balancer to a new load balancer, it looks like the users are still not redirected to your new load balancer. You are wondering why... - it's b/c of the alias record - it's b/c of the CNAME record - it's b/c of the TTL (time to live) - it's b/c of the health checks

TTL DNS records have a TTL (Time to Live) in order for clients to know for how long to caches these values and not overload the DNS with DNS requests. TTL should be set to strike a balance between how long the value should be cached vs how much pressure should go on the DNS.

You want your users to get the best possible user experience and that means minimizing the response time from your servers to your users. Which routing policy will help? - Multi Value - Weighted - Latency - Geo location

Latency Latency will evaluate the latency results and help your users get a DNS response that will minimize their latency (e.g. response time)

You have a legal requirement that people in any country but France should not be able to access your website. Which Route 53 record helps you in achieving this? - Latency - Simple - Geo location - Multi Value

Geo location

Direct Connect

Direct Connect: connection between on-prem data center to AWS (private)

VPC

VPC: virtual private cloud, used default when creating EC2 instances

Subnets

Subnets: tied to specific AZ, where we launch EC2 instances from

Internet Gateway

Internet Gateway: provides internet access to public subnets & instances

NAT Gateway / Instances

NAT Gateway / Instances: provides internet access to public subnets & instances

NACL

NACL: firewall for inbound/outbound, stateless, for subnet rules

Security Groups

Security Groups: stateful, operate on EC2 instance level or ENI, can reference other security groups

VPC Peering

VPC Peering: connects 2 VPC (non overlapping IP addresses)

VPC Endpoints

VPC Endpoints: private access to AWS Services within

VPC Flow Logs

VPC Flow Logs: network traffic logs

Site to Site VPN

Site to Site VPN: connection between on-prem data center to AWS (public)

You have set up an internet gateway in your VPC, but your EC2 instances still don't have access to the internet. Which of the following is **NOT** a possible issue? - Route Tables are missing entries - The security group does not allow network in - The NACL does not allow network traffic out

The security group does not allow network in security groups are stateful and if traffic can go out, then it can go back in

You would like to provide internet access to your instances in private subnets with IPv4, while making sure this solution requires the least amount of administration and scales seamlessly. What should you use? - NAT Instances with Source / Destination Check flag off - NAT Gateway

NAT Gateway

Your EC2 instance in a private subnet must access the AWS APIs privately. You must keep all traffic within the AWS network. What do you recommend? - NAT Gateway in public subnet & Internet Gateway - VPC Endpoints - Direct Connect

VPC Endpoints

I tried creating an S3 bucket named "dev" but it didn't work. This is a new AWS Account and I have no buckets at all. What is the cause? - I'm missing IAM permissions to create a bucket - Bucket names must be globally unique and "dev" is already taken

Bucket names must be globally unique and "dev" is already taken - video #83

You've added files in your bucket and then enabled versioning. The files you've already added will have which version? - 1 - 0 - -1 - null

null Any file that is not versioned prior to enabling versioning will have version "null"

Your client wants to make sure the encryption is happening in S3, but wants to fully manage the encryption keys and never store them in AWS. You recommend - SSE-S3 - SSE-KMS - SSE-C - Client Side Encryption

SSE-C - video #87

SSE-S3

encryption keys entirely handled & managed by AWS

SSE-KMS

encryption keys handled & managed by AWS's Key Management Service - gives user control (who has control) - provides audit trail (who did what)

SSE-C

encryption keys handled & managed by you outside of AWS - S3 does not store any keys - keys get used then discarded - must use HTTPS (encryption in transit) - keys are provided in HTTP headers - more management on your end since you created the keys

Client Side Encryption

when you (client) encrypt the object before uploading to S3 - S3 Encryption Client helps with encryption - You must encrypt/decrypt data yourself before sending/when retrieving to/from S3 - Customer fully manages keys & encryption cycle - Encryption all happens outside of S3

Encryption in transit (SSL/TLS)

- free to use endpoints you want, but HTTPS is recommended - use HTTPS endpoint by default - HTTPS is mandatory for SSE-C

Your company wants data to be encrypted in S3, and maintain control of the rotation policy for the encryption keys. You recommend - SSE-S3 - SSE-KMS - SSE-C - Client Side Encryption

SSE-KMS

Your company does not trust S3 for encryption and wants it to happen on the application. You recommend - SSE-S3 - SSE-KMS - SSE-C - Client Side Encryption

Client Side Encryption

The bucket policy allows our users to read/write files in the bucket, yet we were not able to perform a PutObject API call. What is your assessment? - the bucket policy is wrong - the IAM user has an explicit DENY in the attached IAM policy - you need to contact AWS Support to life this limit

the IAM user has an explicit DENY in the attached IAM policy Explicit DENY in an IAM policy will take precedence over a bucket policy permission

Which encryption method requires HTTPS? - SSE-S3 - SSE-KMS - SSE-C - Client Side Encryption

SSE-C

You have a website that loads files from another S3 bucket. When you try the URL of the files directly in your Chrome browser it works, but when the website you're visiting tries to load these files it doesn't. What's the problem? - Bucket policy is wrong - IAM policy is wrong - CORS not enabled - Encryption is wrong

CORS is not enabled

I have an on-premise personal server that I'd like to use to perform AWS API calls - I should run `aws configure` and put my credentials there. Invalidate them when I'm done. - I should attach an EC2 IAM Role to my personal server.

I should run `aws configure` and put my credentials there. Invalidate them when I'm done

My EC2 Instance does not have the permissions to perform an API call PutObject on S3. What should I do? - I should run `aws configure` and insert my personal credentials, because I have access to PutObject on S3 - I should ask an administrator to attach a Policy to the IAM role on my EC2 Instance that authorizes it to do the API call - I should export the env variables with my credentials on the EC2 Instance - I should use the EC2 Metadata API call

I should ask an administrator to attach a Policy to the IAM role on my EC2 Instance that authorizes it to do the API call

I need my colleague's help to debug my code. When he runs the application on his machine, it's working fine, whereas I get API authorisation exceptions. What should I do? - Send him my AWS access key and secret key so he can replicate the issue on his machine - Ask him to send me his credentials so I can start working - Compare his IAM policy and my IAM policy in the policy simulator to understand the differences - Ask him to create an EC2 server and puts his credentials there so I can run the application from the EC2 Instance

Compare his IAM policy and my IAM policy in the policy simulator to understand the differences

To get the instance id of my EC2 machine from the EC2 machine, the best thing is to... - Create an IAM role and attach it to my EC2 instance so I can perform a 'describe' API call - Query the user data at http://169.254.169.254/latest/user-data - Query the meta data at http://169.254.169.254/latest/meta-data - Query the user data at http://254.169.254.169/latest/meta-data

Query the meta data at http://169.254.169.254/latest/meta-data

The AWS CLI depends on which language? - Java - Golang - Python - C#

Python - scripting language(?)

I'd like to deploy an application to an on-premise server. The server needs to perform API calls to Amazon S3. Amongst the following options, the best security I can achieve is... - run `aws configure` and insert my personal credentials - create an IAM user for the application and insert the credentials in the application's code - create an IAM user for the application and put the credentials into environment variables. Here, it's about creating a dedicated user for that application, as using your own personal credentials would blur the lines between actual users and applications. - attach an IAM Role to my on-premise server

create an IAM user for the application and put the credentials into environment variables. Here, it's about creating a dedicated user for that application, as using your own personal credentials would blur the lines between actual users and applications. or you could run `aws configure` on the machine

When I run the CLI on my EC2 Instances, the CLI uses the ______ service to get _____ credentials thanks to the IAM Role that's attached. - user data | temporary - user data | permanent - meta data | temporary - meta data | permanent

meta data | temporary

I want to test whether my EC2 machine is able to perform the termination of EC2 instances. There is an IAM role attached to my EC2 Instance. I should - Use the IAM Policy Simulator OR the dry run CLI option - Use the IAM Policy Simulator OR metadata service - Use the dry run CLI option OR the metadata service

Use the IAM Policy Simulator OR the dry run CLI option - video #105

Can EC2 Instances retrieve the IAM Role policy JSON document that's attached to them using the CLI without any role attached? - Yes - No

No you can retrieve the role name attached to your EC2 instance using the metadata service but not the policy itself

* I have received an authorisation exception from my EC2 instance while performing an EC2 API call. [vbguZQlpz4e1h4rtSaXnEfDAFZP...] I want the decode the cryptic error message. How do I do it? - Ask AWS Support because only them can decode these messages - Use the EC2 decode-authorization-message API - Use the IAM decode-authorization-message API - Use the STS decode-authorization-message API

Use the STS decode-authorization-message API - video #106 STS

My KMS API call just failed against AWS. It seems I've reached the rate limit of the KMS API. I should retry - every 10 mins - using an linear backoff strategy - using an exponential backoff strategy

using an exponential backoff strategy - video #110 SDK overview

Which API call should be used to get credentials before issuing API calls against an MFA-protected API? - STS GetFederationToken - STS GetSessionToken - IAM GetMFAToken

STS GetSessionToken

What is the priority in the CLI credentials chain? (most > least ???) - Environment Variables > Command Line Options > EC2 Instance Profile - Command Line Options > Environment Variables > EC2 Instance Profile - EC2 Instance Profile > Command-Line Options > Environment Variables - EC2 Instance Profile > Environment Variables > Command-Line Options

Command Line Options > Environment Variables > EC2 Instance Profile https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html#config-settings-and-precedence

You have enabled versioning and want to be extra careful when it comes to deleting files on S3. What should you enable to prevent accidental permanent deletions? - Use a bucket policy - Enable MFA Delete - Encrypt the files - Disable versioning

Enable MFA Delete MFA Delete forces users to use MFA tokens before deleting objects. It's an extra level of security to prevent accidental deletes

You would like all your files in S3 to be encrypted by default. What is the optimal way of achieving this? - Use a Bucket Policy that forces HTTPS connections - Enable "Default Encryption" on S3 - Enable versioning

Enable "Default Encryption" on S3

You suspect some of your employees to try to access files in S3 that they don't have access to. How can you verify this is indeed the case without them noticing? - Restrict their IAM policies and look at CloudTrail logs - Enable S3 Access Logs and analyze them using Athena - Use a bucket policy

Enable S3 Access Logs and analyze them using Athena S3 Access Logs log all the requests made to buckets, and Athena can then be used to run serverless analytics on top of the logs files

You are looking for your entire S3 bucket to be available fully in a different region so you can perform data analysis optimally at the lowest possible cost. Which feature should you use? - CloudFront distributions - S3 Cross-Region Replication - S3 versioning - S3 websites

S3 Cross-Region Replication S3 CRR is used to replicate data from an S3 bucket to another one in a different region

You are looking to provide temporary URLs to a growing list of federated users in order to allow them to perform a file upload on S3 to a specific location. What should you use? - S3 CORS - S3 Pre-Signed URL - S3 Bucket Policies - IAM Users

S3 Pre-Signed URL Pre-Signed URL are temporary and grant time-limited access to some actions in your S3 bucket.

Which of the following is NOT a Glacier retrieval mode? - Instant (10 sec) - Expedited (1 to 5 mins) - Standard (3 to 5 hrs) - Bulk ( 5 to 12 hrs)

Instant (10 sec)

Which of the following is a Serverless data analysis service allowing you to query data in S3? - S3 Analytics - Athena - Redshift - RDS

Athena

You would like to retrieve a subset of your dataset stored in S3 with the CSV format. You would like to retrieve a month of data and only 3 columns out of the 10. You need to minimize compute and network costs for this, what should you use? - S3 Select - S3 Inventory - S3 Analytics - S3 Access Logs

S3 Select

You're trying to upload a 25 GB file on S3 and it's not working - the limit of file size on S3 is 5GB - the S3 service must be down - you should use Multi Part upload when your file is bigger than 5GB

you should use Multi Part upload when your file is bigger than 5GB

When uploading a file that is 1 GB to S3, which type of upload will give you the best throughput performance and resilience? - Upload as one part - Do a Multi Part upload - Use SSE-S3

Do a Multi Part upload

CloudFront vs CloudWatch vs CloudFormation

CloudFront: utilizes edge locations to distribute your static & dynamic web content faster > lower latency for users around the world CloudWatch: think logs and alarms, for monitoring on AWS in real time. You can also use this data to stop under-used instances to save money. CloudFormation: stacks, easy way to model a collection of related AWS & 3rd-party resrcs, Infrastructure as Code!

Which feature allows us to distribute paid content from S3 securely, globally, if the S3 bucket is secured to only exchange data with CloudFront? - Origin Access Identity - S3 Pre-Signed URL - CloudFront Signed URL - CloudFront Distribution Invalidations

CloudFront Signed URL CloudFront Signed URL are commonly used to distribute paid content through dynamic CloudFront Signed URL generation.

You are hosting highly dynamic content in Amazon S3 in us-east-1. Recently, there has been a need to make that data available with low latency in Singapore. What do you recommend using? - CloudFront - S3 Cross Region Replication - S3 Pre-Signed URLs

S3 Cross Region Replication S3 CRR allows you to replicate the data from one bucket in a region to another bucket in another region

How can you ensure that only users who access our website through Canada are authorized in CloudFront? - Set up a security group and attach it to CloudFront - Use a Route53 Latency record and attach it to CloudFront - Use CloudFront Geo Restriction

Use CloudFront Geo Restriction

CloudFront is deploying in front of an HTTP origin. After updating your HTTP app, the users still see the old website. What should you do? - Disable caching - Invalidate the distribution - Recreate a distribution

Invalidate the distribution forces CloudFront edge location to invalidate the cached data and use new data (fetched from S3)

You are looking to run Microservices with Docker containers. Which service can help you manage these containers? - ECR - ECS - Beanstalk - EC2

ECS - video #139 what is Docker

Which ECS config must you enable in /etc/ecs/ecs.config to allow your ECS tasks to endorse IAM roles? - ECS_CLUSTER - ECS_ENGINE_AUTH_DATA - ECS_AVAILABLE_LOGGING_DRIVERS - ECS_ENABLE_TASK_IAM_ROLE

ECS_ENABLE_TASK_IAM_ROLE - video #140 ECS Clusters Although this wasn't discussed during the hands on, you need to know about that important setting in the ecs.config file

You are looking to push Docker images into ECR with your AWS CodePipeline and CodeBuild. The last step fails with an authorization issue. What is the issue? - Open an AWS support ticket - Delete and re-create ECR repos - Double check your IAM permissions for CodeBuild service - You first need to run an ECS instance

Double check your IAM permissions for CodeBuild service - video #144 Any permissions issues against ECR is most likely due to IAM policies

You are looking to run multiple instances of the same application on the same EC2 instance and expose it with a load balancer. The application is available as a Docker container. You should use - CLB & Beanstalk - ALB & Beanstalk - CLB & ECS - ALB & ECS

ALB & ECS Uses the dynamic port feature

You are running a web application on ECS, the Docker image is stored on ECR, and trying to launch two containers of the same type on EC2. The first container starts, but the second one doesn't. You have checked and there's enough CPU and RAM available on the EC2 instance. What's the problem? - The EC2 instances has permissions issues with ECR and you must fix the IAM policy - The host port is defined in the task definition - The container port is defined in the task definition - EC2 instances can only run one container instance for each image

The host port is defined in the task definition To enable random host port, set host port = 0 (or empty), which allows multiple containers of the same type to launch on the same instance

You have started an EC2 instance and it's not registered with the ECS cluster. What's NOT a reason for this issue? - The ECS agent is not running - The AMI used isn't the AWS ECS AMI - The EC2 instance is missing IAM permissions - The security groups on the EC2 instance are misconfigured

The security groups on the EC2 instance are misconfigured security groups do not matter when an instance registers with the ECS service

Which commands must be used to pull an image from ECR? (CLI v1)

> $(aws ecr get-login --no-include-email) | > docker pull $ECR_IMAGE_URL

You would like to run 4 ECS services on your ECS cluster, which need access to various services. What is the best practice? - Create an EC2 instance role with 4 policies and attach it to the EC2 instances in the ECS cluster - Create 4 EC2 instance roles and attach them to the EC2 instances in the ECS cluster - Create 1 ECS task role with 4 policies and attach it to each ECS task definition - Create 4 ECS task roles and attach them to the relevant ECS task definition

Create 4 ECS task roles and attach them to the relevant ECS task definition

Which task cluster placement is the MOST cost-efficient? - binpack - spread - random

bindpack runs all tasks in one EC2 Instance so in the end, it saves money on having to pay for less instances

I am creating an application and would like for it to be running with minimal cost in a development environment. I should run it in - Single Instance Mode - High Availability Mode

Single Instance Mode

Application versions can be deployed to - one env - many envs

many environments

I would like to customize the runtime of Elastic Beanstalk and include some of my company wide security software. I should - Provide an EC2 User Data script - Provide a custom platform - Provide a Docker img

Provide a custom platform - video #165

Environments in Elastic Beanstalk - can be named freely - have to be named dev, test, prod

can be named freely - video #155

I would like to update my Elastic Beanstalk application so that we are able to roll back very quickly in case of issues with the new application version. Which deployment mode is the best fit? - all at once - Rolling - Rolling with batches - Immutable

Immutable to roll back quickly, this deployment mode terminates the temporary ASG that has the new version, while the current one is untouched and already running at capacity

I want to update my Elastic Beanstalk application gradually without incurring new costs on update. My application has been over provisioned and can temporarily decrease in size for the number of serving instances, but I still want to serve my users without downtime. I do not want to incur extra costs over updates. Which deployment mode is the best fit? - all at once - Rolling - Rolling with batches - Immutable

Rolling - video #156

We would like to update our EB application with minimal added cost, while maintaining the full capacity to serve our current users in production. Which deployment is the best fit? - all at once - Rolling - Rolling with additional batches - Immutable

Rolling with additional batches - video #156

I would like to create an ElastiCache with my Elastic Beanstalk environment. I should - Create an ElastiCache instance manually outside of my EB and link to it through environment variables. Delete manually when done with the environment - Create an elasticache.ebextensions file at the root of the code zip file and provide appropriate configuration - Create a config.elasticache file in the .ebextensions folder which is at the root of the code zip file and provide appropriate configuration - Create an elasticache.config file in the .ebextensions folder which is at the root of the code zip file and provide appropriate configuration

Create an elasticache.config file in the .ebextensions folder which is at the root of the code zip file and provide appropriate configuration

My deployments on Elastic Beanstalk have been painfully slow, and after looking at the logs, I realize this is due to the fact that my dependencies are resolved on each EC2 machine at deployment time. How can I speed up my deployment with the minimal impact? - Remove some dependencies in your code - Place the dependencies in Amazon S3 - Resolve the dependencies beforehand and package them in the zip file uploaded to Elastic Beanstalk

Resolve the dependencies beforehand and package them in the zip file uploaded to Elastic Beanstalk - video #165

What service does Elastic Beanstalk use under the hood? - AWS OpsWork - AWS CloudFormation - AWS Lambda

AWS CloudFormation

You would like your Elastic Beanstalk environment to expose an HTTPS endpoint instead of an HTTP endpoint in order to get in-flight encryption between your clients and your web servers. What must be done to setup HTTPS on Beanstalk? - Use a separate CloudFormation template to load the SSL certificate onto the Load Balancer - Create an .ebextension/elb.config file to configure the Load Balancer - Open up the port 80 for the security group - Configure Health Checks

Create an .ebextension/elb.config file to configure the Load Balancer

How can you remove older versions that are not used by Elastic Beanstalk so that new versions can be created for your applications? - Setup .ebextensions files - Use a Lifecycle Policy - Define a Lambda function - Use Worker Environments

Use a Lifecycle Policy

You are looking to perform a set of repetitive and scheduled tasks asynchronously. Which Elastic Beanstalk environment should you setup? - Set up a Web Server env and a .ebextensions file - Set up a Web Server env and a cron.yaml file - Set up a Worker env and a .ebextensions file - Set up a Worker env and a cron.yaml file

Set up a Worker env and a cron.yaml file https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features-managing-env-tiers.html

You have created a test environment in Elastic Beanstalk and as part of that environment, you have created an RDS database. How can you make sure the database can be explored after the environment is destroyed? - Make a snapshot of the database before it gets deleted - Make a selective delete in Elastic Beanstalk - Change the Elastic Beanstalk environment variables

Make a snapshot of the database before it gets deleted

I would like to update my development environment as soon as a new version is available. Because my Elastic Beanstalk environment is internal and only used by me, I don't mind downtime. Which deployment options is the best fit? - all at once - Rolling - Rolling with batches - Immutable

all at once

CICD stands for... - Continuous Intervention and Continuous Delivery - Continuous Integration and Continuous Delivery - Continuous Integration and Continuous Development

Continuous Integration and Continuous Delivery

Which AWS Service helps you run automated test in your CICD? - CodeCommit - CodeBuild - CodePipeline - CodeDeploy

CodeBuild

You are looking to automatically trigger a code analysis at each commit in CodeCommit to ensure your developers haven't committed secret credentials. How can you achieve this? - Setup AWS CloudWatch Events in CodeCommit - Setup AWS SNS / Lambda integration in CodeCommit - Setup SES in CodeCommit

Setup AWS SNS / Lambda integration in CodeCommit

You want to send email alerts anytime pull requests are open or comments are added to commits in CodeCommit. You should use - AWS SES - AWS SNS - AWS CloudWatch Events

AWS CloudWatch Events

CodeCommit doesn't support the following authentication - IAM credentials helper with AWS CLI and git - SSH Keys in user profiles - HTTPS credentials in user profiles - HTTP public access

HTTP public access

You want to give a colleague that has an IAM User in another AWS Account access to your CodeCommit repository. How should you achieve that? - Share your SSH key with them - Generate HTTPS credentials and share that - Setup an IAM Role in your account and tell him to use STS cross-account access to assume that role

Setup an IAM Role in your account and tell him to use STS cross-account access to assume that role

Your CodePipeline hasn't deployed code to Elastic Beanstalk even though you've pushed code to your CodeCommit repository. It used to work 10 minutes ago. What reason is the most likely to explain that situation? - IAM permissions are wrong - CodePipeline is waiting for manual approval - Your CodeBuild stage probably failed some tests - Someone has deleted the Elastic Beanstalk environment

Your CodeBuild stage probably failed some tests

Your manager wants to receive emails when your CodePipeline fails in order to take action. How do you do it? - Setup an AWS CloudWatch Event Rule - Setup an SNS notification - Setup a SES email

Setup an AWS CloudWatch Event Rule

Which AWS Services allow you to track and audit API calls made to and from CodePipeline? - AWS CodeBuild - AWS CloudTrail - AWS IAM - AWS Elastic Beanstalk

AWS CloudTrail

Where should the buildspec.yml file be placed in your code for CodeBuild to work properly? - in the codebuild / directory - in the codecommit / directory - at the root of your code

at the root of your code

Your CodeBuild has failed. What isn't a solution to troubleshoot what happened? - Look through Logs in AWS CloudWatch logs - Look through Logs in AWS S3 - SSH into the CodeBuild container to debug from there - Run CodeBuild locally to reproduce the build

SSH into the CodeBuild container to debug from there CodeBuild containers are deleted at the end of their execution (success or failed). You can't SSH into them, even while they're running

You would like to improve the performance of your CodeBuild build. You realize that 15 minutes at each build is spent on pulling dependencies from remote repositories and that takes a while. What should you do to drastically speed up the build time? - Commit dependencies in the code - Change buildspec.yml to enable dependencies caching in Amazon S3 - Remove all the dependencies

Change buildspec.yml to enable dependencies caching in Amazon S3

You would like to deploy static web files to Amazon S3 automatically, after generating the static websites from markdown files. Which services should you use for this? - CodeCommit + CodePipeline - CodePipeline + CodeBuild - CodePipeline + CodeDeploy - CodeDeploy

CodePipeline + CodeBuild CodeBuild can run any commands, so you can use it to run commands including generating a static website and copy your static web files to Amazon S3. CodeCommit + CodePipeline won't work as the static website needs to be generated CodeDeploy only supports deployment to EC2 Instances

What's the proper order of events in CodeDeploy? - Install, Stop Application, Start Application, AfterInstall - Install, Stop Application, AfterInstall, Start Application - Stop Application, Before Install, Start Application, After Install - Stop Application, Before Install, After Install, Start Application

Stop Application, Before Install, After Install, Start Application

Which hook step should be used in appspec.yml file to ensure the application is properly running after being deployed? - AfterInstall - ValidateService - ApplicationStart - AllowTraffic

ValidateService

You've created a fleet of EC2 & on-premise instances and you're trying to run your first CodeDeploy. It doesn't work, why? - You've probably forgotten to install and start the CodeDeploy agent - CodeDeploy doesn't work with On Premise instances - You've forgotten to open ports on the CodeDeploy service security group

You've probably forgotten to install and start the CodeDeploy agent

You would like to have a one-stop dashboard for all the CICD needs of one of your projects. You don't need heavy control of the individual configuration of each components in your CICD, but need to be able to get a holistic view of your projects. Which service do you recommend? - CodeBuild - CodePipeline - CodeStar - CodeDeploy

CodeStar

To make your infrastructure created with CloudFormation evolve over time, you should do which of the following? - Change the resources manually in the AWS Console and your CloudFormation template will get automatically updated - Upload a new version of a CloudFormation template with the modified code and apply it in the CloudFormation Console - Create a new CloudFormation stack with the updated template

Upload a new version of a CloudFormation template with the modified code and apply it in the

Before being used by CloudFormation, your templates are uploaded - directly in CloudFormation - in Amazon S3 - in AWS CodeCommit

in Amazon S3 CloudFormation references a template from Amazon S3, no matter what. If you upload the template from the AWS console, it gets uploaded in Amazon S3 behind the scenes, and CloudFormation references that template from there.

You need to specify the order in which your CloudFormation template should create resources - true - false

false - video #184

Which of the following is mandatory for a CloudFormation template? - Parameters - Resources - Mappings - Outputs

Resources

Which intrinsic function should you use to retrieve the DNS name of a Load Balancer created with CloudFormation? - Fn::Ref - Fn::Sub - Fn::Join - Fn::GetAtt

Fn::GetAtt - video #193

The !Ref function can be used to reference the following except... - parameters - resources - conditions

conditions

The following block: Fn::Join: - '' - [IPAddress=, !Ref 'IPAddress'] With the parameter IPAddress being 10.0.0.1. Will generate... - IPAddress,10.0.0.1 - IPAddress=10.0.0.1 - IPAddress10.0.0.1 - 10.0.0.1

IPAddress=10.0.0.1

I'm trying to delete a stack but it seems I can't because other stacks reference its exported outputs. What should you do? - You're stuck - Delete the other stacks referencing the exported outputs first - Open a ticket with AWS Support

Delete the other stacks referencing the exported outputs first - video #191

I tried to create an exported output: Outputs: StackSSHSecurityGroup: Description: The SSH Security Group for our Company Value: !Ref MyCompanyWideSSHSecurityGroup Export: Name: SSHSecurityGroup But it seems I get an error. It says "SSHSecurityGroup" output already exists. What should you do? - Exported output names must be unique within your region - The syntax is wrong

Exported output names must be unique within your region

We'd like to have CloudWatch Metrics for EC2 at a 1 minute rate. What should we do? - Enable Custom Metrics - Enable High Resolution - Enable Basic Monitoring - Enable Detailed Monitoring

Enable Detailed Monitoring - video #198

High Resolution Custom Metrics can have a minimum resolution of - 1 sec - 10 sec - 30 sec - 1 min

1 second - video #198

To send a custom metric to CloudWatch, which API should we use? - SendMetricData - PutCustomMetric - SendCustomMetric - PutMetricData

PutMetricData - video #198

Your CloudWatch alarm is triggered and controls an ASG. The alarm should trigger 1 instance being deleted from your ASG, but your ASG has already 2 instances running and the minimum capacity is 2. What will happen? - One instance will be deleted and the ASG capacity and minimum will go to 1 - The alarm will remain in "ALARM" state but never decrease the number of instances in my ASG - The alarm will be detached from my ASG - The alarm will go in OK state

The alarm will remain in "ALARM" state but never decrease the number of instances in my ASG - video #199

An Alarm on a High Resolution Metric can be triggered as often as - 1 sec - 10 sec - 30 sec - 1 min

10 seconds - video #199

CloudWatch logs automatically expire after 7 days by default - true - false

false They never expire by default

CloudWatch Logs expiration policy should be defined at which level? - Log Groups - Log Streams

Log Groups - video #200

My application traces appear in X-Ray when I run the application on my local laptop. When I deploy my application to my Elastic Beanstalk, the traces do not appear in X-Ray. Why? - A config file is missing in . ebextensions/ folder of your code - You need to authorize your application from the X-Ray console - Your code is wrong

A config file is missing in . ebextensions/ folder of your code

My application traces appear in X-Ray when I run the application on my local laptop. When I deploy my application to my EC2 instances with CodeDeploy, the traces do not appear in X-Ray. Why? - The CodeDeploy script breaks the X-Ray integration. It is a known bug - The X-Ray daemon is not running on the EC2 instance - X-Ray integration needs to be enabled with CodeDeploy

The X-Ray daemon is not running on the EC2 instance - video #206

The X-Ray daemon is running on my EC2, and my application manages to send X-Ray traces from my computer, but it still doesn't work from my EC2 instance. What's wrong? - You need to enable input ports on your EC2 instance to allow UDP traffic in - Your IAM role for your EC2 instance doesn't have the required permissions to send data to X-Ray - Your EC2 instance needs to be running in an auto scaling group

Your IAM role for your EC2 instance doesn't have the required permissions to send data to X-Ray

All of a sudden, your CodePipeline breaks because it says it cannot find the target Elastic Beanstalk environment to deploy your application to. What should you do to find the root cause of this problem? - Look in CloudFormation for deletions - Look in CodePipeline for changes - Look in CloudTrail for a "delete" event in Elastic Beanstalk

Look in CloudTrail for a "delete" event in Elastic Beanstalk

How should you configure the XRay daemon to send traces across accounts? - Create a user on another account, and export the access and secret keys to load them onto the agent - Create a role on another account, and allow a role in your account to assume that role.

Create a role on another account, and allow a role in your account to assume that role. This is best practice

You would like to index your XRay traces in order to search and filter through them efficiently. What should you use? - Segments - Sampling - Annotations - Metadata

Annotations

You would like to use a service that would enable you to get cross-account tracing and visualization. Which service do you recommend? - VPC Flow Logs - AWS X-Ray - CloudWatch Logs - CloudTrail

AWS X-Ray

Which API is NOT used for writing to X-Ray? - BatchGetTraces - GetSamplingRules - PutTraceSegments - PutTelemetryRecords

BatchGetTraces

You are preparing for the biggest day of sale of the year, where your traffic will increase by 100x. You have already setup SQS standard queue. What should you do? - Open a support ticket to pre-warm the SQS queue - Enable auto scaling in the SQS queue - Increase the capacity of the SQS queue - Do nothing, SQS scales automatically

Do nothing, SQS scales automatically

You would like messages to be processed by SQS consumers only after 5 minutes. What should you do? - Increase the DelaySeconds parameters - Change the Visibility Timeout - Enable Long Polling - Use the extended SQS client

Increase the DelaySeconds parameters

Your consumers poll 10 messages at a time and finish processing them in 1 minute. You notice that your messages are processed twice, as other consumers also receive the messages. What should you do? - Enable Long Polling - Add delay to the msgs when being produced - Increase the Visibility Timout - Decrease the Visibility Timout

Increase the Visibility Timout (?) make it visible for a longer time so people don't need to process it twice

One message keeps on being processed and makes your consumers crash one by one. That message has a bad format and you'd like to get rid of it automatically if that happens. How can you implement this? - Add a SQS filter to verify the message format - Implement a DLQ with a redrive policy - Increase the VisibilityTimeout

Implement a DLQ with a redrive policy

Your SQS costs are extremely high. Upon closer look, you notice that your consumers are polling SQS too often and getting empty data as a result. What should you do? - Decrease the # of consumers - Enable Long Polling - Increase the Visibility Timeout

Enable Long Polling

You'd like your messages to be processed exactly once and in order. Which do you need? - SQS Standard Queue - SQS Dead Letter Queue - SQS Delay Queue - SQS FIFO Queue

SQS FIFO Queue

You want to send messages of 1 MB to SQS. You need to - open a support ticket with AWS to increase the limit - change the SQS queue config and set the max msg size to 2 MB - use the SQS Extended Client library

use the SQS Extended Client library

You'd like to send a message to 3 different applications all using SQS. You should - use SQS Replication Feature - use SNS & SQS Fan Out pattern - send messages individually to 3 SQS queues

use SNS & SQS Fan Out pattern

You have a Kinesis stream usually receiving 5MB/s of data and sending out 8 MB/s of data. You have provisioned 6 shards. Some days, your traffic spikes up to 2 times and you get a throughput exception. You should - enable Kinesis replication - add more shards - use SQS as a buffer to Kinesis

add more shards Kinesis replication does not exist

You are sending a clickstream for your users navigating your website, all the way to Kinesis. It seems that the users data is not ordered in Kinesis, and the data for one individual user is spread across many shards. How to fix that problem? - There are too many shards, you should only use 1 shard - You should a partition key that represents the identity of the users - You shouldn't use multiple consumers, only one and it should re-order data

You should a partition key that represents the identity of the users

You intermittently get a ProvisionedThroughputExceeded Exception in your producing applications. You should - use linear backoff on retries - use exponential backoff on retries - retry as fast as possible

use exponential backoff on retries

We'd like to perform real time analytics on streams of data. The most appropriate product will be - SQS - SNS - Kinesis

Kinesis

We'd like for our big data to be loaded near real time to S3 or Redshift. We'd like to convert the data along the way. What should we use? - SQS & Lambda - SNS & HTTP Endpoint - Kinesis Streams & Kinesis Firehose

Kinesis Streams & Kinesis Firehose

You want to send email notifications to your users. You should use - SQS with Lambda - SNS - Kinesis

SNS

Which SQS FIFO message attribute allows two messages to be processed in order? - MessageDeduplicationId - MessageGroupId - MessageHash - MessageOrderId

MessageGroupId

Which SQS FIFO message attribute allows two messages to be de-duplicated? - MessageDeduplicationId - MessageGroupId - MessageHash - MessageOrderId

MessageDeduplicationId

One of your Kinesis Stream is experiencing increased traffic due to a sale day. Therefore your Kinesis Administrator has split shards and thus you went from having 6 shards to having 10 shards in your Kinesis Stream. Your consuming application is running a KCL-based application on EC2 instances. What is the maximum number of EC2 instances that can be deployed to process the shards? - 1 - 6 - 10 - 20

10 In KCL, you can have a maximum of EC2 instances running in parallel equal to the number of shards in your Kinesis Stream.

If you currently have 10 active group messages (defined by GroupID) in your SQS FIFO queues, how many consumers can consume simultaneously? - 1 - 10 - 20 - infinite

10 you can have as many consumers as GroupID for your FIFO queues

AWS Dev Associate Flashcards

Pass aws cert exam!