AWS Flashcards
Which service gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount?
AWS Budgets
What service has an easy-to-use interface that lets you visualize, understand, and manage your AWS costs and usage over time?
AWS Cost Explorer
What service provides threat detection and continuous monitoring for malicious activity and unauthorized behavior to protect your AWS accounts and workloads?
AWS GuardDuty
What service is a fully-managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS? It also provides an inventory of S3 buckets that are public, unencrypted, or shared with AWS accounts outside the ones defined in your AWS organizations, which it can alert for sensitive data such as PII.
Amazon Macie
What is the default configuration of the default NACL?
Allow
What is the default configuration of a custom NACL?
Deny
What service can you use to create and provide trusted users with temporary short term security credentials that can control access to your AWS resources? This provides access to your AWS resources to your users, without having to define an AWS identity for them.
AWS Security Token Service (STS)
Is Redshift appropriate for handling session state of a web application?
No, it is a data warehouse
What is the easiest way to reliably load streaming data into data lakes, data stores, and analytics tools? It can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk, enabling near-real-time analytics with existing business intelligence tools and dashboards you’re already using today. It is a fully-managed service. It can also batch, compress, transform, and encrypt the data before loading it.
Amazon Kinesis Data Firehose
How is Kinesis Data Firehose different from Kinesis Data Streams?
It takes more work to set up Data Streams, but Firehose transfers into fewer places.
Where can Amazon Kinesis Data Firehose transfer information into?
S3<br></br>Redshift<br></br>Elasticsearch<br></br>Splunk
Ignoring cost, which Disaster Recovery plan has a better RTO and RPO? Warm standby, or Backup and Restore?
Warm Standby
What is RT in disaster recovery?
Recovery time - How fast the system is back up
What is RP in disaster recovery?
Recovery point - How much data is recovered
What can you do with an EBS volume while taking a snapshot of it?
Anything. It can be used normally.
What is a “warm attach” of an ENI?
Attaching it to an instance while it’s stopped.
What is a “hot attach” of an ENI?
Attaching it to an instance while it’s running.
What is a “cold attach” of an ENI?
Attaching it to an instance while it’s being launched.
Suppose you want a CFT to work in multiple regions, and therefore need to set the AMI based on the region. What’s a good way to do that?
Use a mapping, taking the region as a key and AMI as the value.
How could you implement synchronous data replication for an RDS database to meet a disaster recovery plan’s RTO?
RDS Multi-AZ deployments. When you provision an instance of one, RDS creates a primary DB instance and sychronously replicates the data to standby instances in different AZs. If the primary fails, it automatically falls over to a standby instance, while keeping the same endpoint.
Which DR plan optimizes RT with cost not being a major factor? Multi-site, Warm Standby, Pilot Light, or Backup and Restore?
Multi-Site. By having identical infrastructure in both places, you spend more money but have optimal RT.
Does RDS multi-region exist?
No
Does RDS multi-AZ exist?
Yes
What DNS records need to be made at the zone apex to point to the DNS name of an ALB?
Alias with A and AAAA type record sets
How long does multi-AZ RDS take to failover from one AZ to another?
One to two minutes
You have an ALB pointed at an autoscaling group of EC2 instance.<br></br><br></br>What action does an ALB take if an EC2 instance fails a health check?
The ALB stops sending traffic to the instance.
What is the Backup and Restore DR plan?
Taking snapshots of data, and restoring from them in an incident.
What are the benefits of the Backup and Restore DR plan?
It’s cheap.
What is the Pilot Light DR plan?
Keeping the critical elements of a system ready to scale up. This gets rid of the time spent creating initial infrastructure.
What are the drawbacks of the Backup and Restore DR plan?
It takes the longest time to recover.
What is the Warm Standby DR plan?
Keeping a scaled-down version of a fully functional environment always running.
What is the Multi-site DR plan?
Having a one-one copy of your infrastructure in another region or AZ.
What are the four different DR plan types?
Backup & Restore<br></br>Pilot Light<br></br>Warm Standby<br></br>Multi-Site
Your team has provisioned Auto Scaling Groups in a single Region. The Auto Scaling Group at max capacity would total 40 EC2 instances between them. However, you notice that the Auto Scaling Groups will only scale out to a portion of that number of instances at any one time. What could be the problem?
There is a vCPU-based on-demand instance limit per region.
What is an IAM group?
An IAM group is a collection of IAM users. They let you specify permissions for multiple users.
Where are point-in-time snapshots of EBS volumes stored?
S3
Which would be faster, a point-in-time EBS volume snapshot, or copying their data to s3 manually?
The snapshot.
Can SNS send emails?
Yes
Can you send cloudwatch alerts through SES?
No, SES is for sending communications via email, not for cloudwatch notification. Use SNS instead.
The allowed block size in VPC is between a /?? netmask and /?? netmask
/16 (65536 IP addresses) and /28 (16 IP addresses)
When you create a subnet, is it automatically associated with the main route table for the VPC?
Yes
To enable the connection to a service running on an instance, the associated NACL must allow both inbound traffic on the service port as well as outbound traffic from ____
Ephemeral ports. When a client connects to a server, a random port from the ephemeral port range becomes the client’s source port.
What is DAX?
DynamoDB accelerator is a fully managed, highly available, in-memory cache for DynamoDB. It provides an in-memory cache that delivers up to 10x performance improvement from milliseconds to microseconds or even at millions of requests per second.
What is AWS Backup?
AWS Backup is a centralized backup service that makes it easy and cost-effective for you to backup your application data across AWS services in the AWS Cloud, helping you meet your business and regulatory backup compliance requirements.
What is the maximum retention period for an RDS automated backup?
35 days
Is it possible to create an active-active failover with one primary and one secondary resource in route53?
No, because active-active means sending traffic to both endpoints.
Will stopping an EC2 instance detach its ENI (elastic network interface)?
No
Will stopping an EC2 instance disassociate an Elastic IP address from it?
No
Why would you use AWS Storage gateway over Amazon FSx for Windows File Server, for a hybrid cloud’s SMB share with low-latency access to data in AWS for on-premises applications?
AWS Storage Gateway supports local caching without any development overhead.
Can you make a DynamoDB table globally accessible in all regions?
Yes, via global tables.
Is autoscaling enabled by default for dynamodb tables created using the aws CLI?
No
Do RDS read replicas provide synchronous or asynchronous replication?
Asynchronous
How big of a range does 10.0.0.0/32 refer to?
A single IP address
What is a VPC endpoint?
An endpoint that lets you connect between a VPC and an AWS service (like s3).
Which type of s3 VPC endpoint is billed, Gateway or Interface?
Interface endpoint
Which type of s3 VPC endpoint allows access from a VPC in another region, using VPC peering or AWS Transit Gateway? Interface, or Gateway
Interface endpoint
Which type of s3 VPC endpoint allows access from on premises? Interface, or Gateway?
Interface
Which type of s3 VPC endpoint uses Amazon S3 public IP addresses? Gateway, or Interface
Gateway
Which type of S3 VPC endpoint uses private IP addresses from your VPC to access Amazon S3? Gateway or Interface?
Interface
Will you be billed for a spot instance when it’s preparing to stop with a ‘stopping’ state?
No
Will you be billed when your on-demand instance is preparing to hibernate with a stopping state?
Yes
Is it a valid DDOS prevention measure, to add multiple Elastic Fabric Adapters (EFA,) to EC2 instances to increase network bandwidth.
You can only attach one EFA per EC2 instance, and they’re for performance improvement, not DDoS prevention.
How can you get data out of S3 Glacier quickly?
Purchase provisioned retrieval capacity, and use an Expedited retrieval.
In a CFT, use the ____ attribute when you want to wait on resource configuration actions before stack creation proceeds.
CreationPolicy
If an NACL has an allow rule that matches a piece of traffic, followed by a deny rule that also matches it, will the traffic be allowed?
Yes, once a rule is matched (from low to high number) the rest are not evaluated.
What endpoint should be used to load balance read requests between Aurora read replicas?
The built-in Reader endpoint.
Scenario: Set up asynchronous data replication to another RDS DB instance hosted in another AWS Region<br></br><br></br>Solution: ______
Create a Read Replica
Should you use an Aurora Provisioned DB cluster for intermittent, sporadic, and unpredictable transactional workloads?
No, it is more suited to predictable workloads, because you can adjust capacity manually. Use serverless instead.
Why would you prefer target tracking scaling to simple scaling?
You can have shorter cooldown periods, and you don’t have to create cloudwatch alarms.
What is target tracking scaling?
Scaling to keep a given metric within a specified range.
Can you directly set CloudWatch Alarms to update an ECS task count?
No, you should use CloudWatch Events instead.
Can an SQS queue subscribe to an SNS topic?
Yes
Are SQS messages automatically deleted after retrieval?
No
How can Cloudfront help fix users getting lots of 504 errors?
Origin failover. It can automatically fail over from a primary to a secondary origin group, if a 504 (gateway timeout) error occurs.
Should you use AWS Storage Gateway to migrate a file share to AWS, if you plan on migrating an entire application from on-premise to AWS?
No, it i used to integrate on-prem and AWS systems. If you’re migrating the entire applicaiton to AWS, you can use a purely-AWS storage solution.
What is AWS Resource Access Manager?
AWS Resource Access Manager (RAM) helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs) in AWS Organizations, and with IAM roles and IAM users for supported resource types
Can RDS events capture INSERT/DELETE/UPDATE calls?
No, you should use native functions or stored procedures.
Which has better schema flexibility and scalability? Aurora or DynamoDB?
DynamoDB. Being nonrelational helps in these aspects.
How would you get metrics from RDS that aren’t normally available in CloudWatch (e.g. memory usage)?
Enable Enhanced Monitoring
With Amazon Aurora, how would you point production traffic to high-capacity instances and reporting traffic to low-capacity instances in a cluster?
Custom endpoints.
How do you prevent an RDS DB from losing access due to an AZ’s outage?
Mutli-AZ failover
Which is more appropriate for set permissions for Active Directory users from AWS Directory Service AD Connector? IAM Roles or IAM Groups?
IAM Roles
If you have an Auto Scaling Group of EC2 instances in two availability zones, what minimum number of instances do you need to insure there are never fewer than two instances running?
Four. This will have 2 instances running in each AZ, so if one AZ has an outage you will still have 2 running in the other.
How can you ensure that your RDS database can only be accessed using the profile credentials specific to your EC2 instances via an authentication token?
Enable IAM DB Authentication
Can you set up an IAM Policy and MFA which require other AWS users to enter their IAM credentials and token before accessing an ElastiCache cluster?
No. You have to use the Redis AUTH option instead.
How would you add environment variables to a Lambda function that could only be read by users with access to a KMS key (as opposed to users with access to the lambda)?
Use the KMS key to enable encryption helpers to store and encrypt the sensitive information.
Are third party tool necessary to use Corporate AD/LDAP to let users access their (and only their) folder in an S3 bucket?
No. Just set up a federation proxy or identity provider, use Security Token Service to generate temp tokens, and configure an IAM role and IAM Policy to access the bucket.
Should you store encryption keys in S3?
No, CloudHSM is a more appropriate place to store them
Is EBS On-Premises Data Encryption a thing?
No. EBS is purely in the cloud, not on your premises, so there cannot be on-premises encryption.
What are the features in AWS that can ensure data security for your confidential documents in s3?
S3 Client-Side and Server-Side encryption.
Are DynamoDB streams enabled by default?
No, you have to enable each one you want to create
What is Amazon MQ?
Amazon MQ is a managed message broker service for Apache ActiveMQ and RabbitMQ that makes it easy to set up and operate message brokers on AWS.
How can API Gateway protect backend systems and applications from traffic spikes?
Throttling limits
What is AWS Control Tower?
AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone. It creates your landing zone using AWS Organizations, bringing ongoing account management and governance as well as implementation best practices
Is it possible to upgrade the storage capacity of a DynamoDB Table?
No, it is fully managed and automatically scales its storage
How are geoproximity and geolocation routing different?
Geoproximity lets you configure the size of the geographic region from which traffic is routed, geolocation just lets you choose the instances based on location.
Are IPv4 CIDRs required in a VPC, or can you use purely IPv6?
Yes, they are required.
Which EBS volume type is most cost-effective for infrequent, large, sequential I/O operations?
Cold HDD (sc1)
Which is better for processing a 5 minute workload? On-demand EC2 instances, or Lambda?
Lambda
Can EBS volumes be attached to any EC2 instance in any Availability Zone?
No, they can only be attached to instances in the same AZ
Can you change the configuration of an EBS volume while it’s being used?
Yes
How would you create a static IP for an ALB and its targets?
Create elastic IP, point it at an NLB, put the ALB in the NLB’s target group.<br></br><br></br>EIP -> NLB -> ALB -> Targets
Can an NACL allow/disallow communication between two subnets?
Yes
Can you set filter policies in an SNS topic to choose which SQS queue to publish a message to?
Yes
Can you block SQL Injection and XSS attacks via AWS Web Application Firewall?
Yes
The maximum ratio of provisioned IOPS to requested volume size (in GiB) is __:1
50 : 1
How do you protect a Redshift cluster from a regional outage?
Enable Cross-Region Snapshots Copy in the Redshift Cluster
What are AWS Step Functions?
AWS Step Functions is a low-code, visual workflow service that developers use to build distributed applications, automate IT and business processes, and build data and machine learning pipelines using AWS services. Workflows manage failures, retries, parallelization, service integrations, and observability so developers can focus on higher-value business logic.
Can AWS SWF prevent duplicate tasks?
Yes
Can you specify a security group as the source for the rule in another security group?
Yes, although that doesn’t add a corresponding rule to the other security group.
Is “RDS Child Processes” included in the enhanced monitoring metrics that cloudwatch gathers from RDS DB instances?
Yes
Is “OS Processes” included in the enhanced monitoring metrics that cloudwatch gathers from RDS DB instances?
Yes
Is “Database Connections” included in the enhanced monitoring metrics that cloudwatch gathers from RDS DB instances?
No
Is “CPU Utilization” included in the enhanced monitoring metrics that cloudwatch gathers from RDS DB instances?
No
When the instance is terminated, what happens to the data on the root volume?
It is automatically deleted
Suppose I want to keep an automatically created backup of RDS for more than 35 days. How should I do that?
Use AWS Backup to create a backup plan
What can you use to encrypt all the data on an EBS Volume?
Encrypt it using AWS KMS
Is VPC Peering supported on a DirectConnect connection?
No
Which DB solution is more fully managed? DynamoDB or RDS?
DynamoDB. RDS still has backups, and choosing when automated OS patching occurs
What happens to data in an Instance Store when you stop an instance?
It does not persist.
Can you encrypt an Instance Store?
No
Can simple scaling scaled based on a set of adjustments?
No
If AWS Storage Gateway is used to integrate AWS cloud storage with on-premise systems, what is used to migrate from on-premise systems?
AWS DataSync
Are IAM roles specific to a region?
No, IAM is a global service
How long must objects be stored in S3 before they can be moved to Infrequent Access tiers?
30 days
Does Redshift autoscale?
No
Is Amazon Aurora appropriate for OLTP, or OLAP?
OLTP Online Transactional Processing
Is Redshift appropriate for OLTP or OLAP?
OLAP, Online analytical processing
Are CloudTrail event log files encrypted by S3 server side encryption by default?
Yes
Does Aurora have warm standbys, ready for instant failover, running by default?
No, you have to use Aurora Replica
How does Aurora replica quickly fail over to a new AZ?
Flipping the CNAME record for the instance to point at the healthy replica
Is data moving from an encrypted EBS volume to an instance encrypted?
Yes
Are Elastic Fabric Adapters supported on windows instances?
No, the OS-bypass capabilities are not supported
Elastic Fabric Adapters are ___ with added capabilities
Elastic Network Adapters
Can IAM allow/deny access to resources with specific tags?
Yes
___ is an interactive query service that makes it easy to analyze data directly in Amazon Simple Storage Service (Amazon S3) using standard SQL.
Amazon Athena
Is IAM DB authentication in RDS supported for Microsoft SQL Server instances?
No
A mobile application stores pictures in Amazon Simple Storage Service (S3) and allows application sign-in using an OpenID Connect-compatible identity provider.<br></br><br></br>Which AWS Security Token Service approach to temporary access should you use for this scenario?
Web Identity Federation
What benefit do launch templates have over launch configurations?
You can have multiple versions of a launch template
What service can you use to import/export data from DynamoDB?
Elastic Map Reduce
Do Launch Configurations support dedicated hosts?
No, you must use Launch Templates
When can data persist in an instance store?
In a reboot
By default, is Autoscaling enabled in DynamoDB tables created in the console?
Yes
How many security groups can you assign to an instance?
Five
Can you directly attach a policy to a group, or do you need to use a role?
You can directly attach it
What does EBS Encryption by Default do in a region?
Configures your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create
How many instances should you launch when you create a cluster placement group?
All that you plan on using. Adding later runs into the chance that you get an insufficient capacity error
Does RDS for MySQL have cross region read replicas with sub-second replication?
No, they are async and have a replication latency measured in seconds
What is an Egress-only Internet Gateway?
A gateway that allows an EC2 instance to communicate to the internet but prevents inbound traffic.
What kind of load balancing allows the load balancer to distribute incoming requests evenly to all EC2 instances across multiple availability zones?
Cross-zone load balancing
Should you use an NLB to route traffic to ALBs across multiple regions?
No. Use AWS Global Accelerator instead
Does Inter-Region VPC Peering exist?
Yes
Can inter-AZ data transfers accrue cost?
Yes, deploy to one AZ to reduce transfer costs
Is ALB Target Group CPU utilization a usable metric for auto scaling?
No
Can you use Lambda@Edge functions as part of an origin group in cloudfront?
No
Can you configure AWS Lambda with Elastic BeanStalk?
No
A serverless application consists of multiple Lambda Functions and a DynamoDB table. The application must be deployed by calling the CloudFormation APIs using AWS CLI. The CloudFormation template and the files containing the code for all the Lambda functions are located on a local computer.
What should the Developer do to deploy the application?
Use the aws cloudformation package
command and deploy using aws cloudformation deploy
.
A transcoding media service is being developed on Amazon Cloud. Photos uploaded to Amazon S3 will trigger a Lambda function. The Lambda function will cause the Step Functions to coordinate a series of processes that will do the image analysis tasks. The input of each function should be preserved on the result to conform to the application’s logic flow.
What should the developer do?
Declare a ResultPath
field filter on the Amazon States Language specification.
Can you set reserved concurrency in AWS Lambda?
Yes, you can set the reserved concurrency to limit the amount of scaling a Lambda function can do, and ensure your other functions don’t prevent a specific one from scaling.