AWS Practitioner Notes

Question 1

Describe the basic AWS Infrastructure

Answer 1

AWS is split into Regions (based on geography)
Regions are split into Availability Zones (2-6 per region, average 3)
Availability Zones have multiple Data Centers
In addition there are Edge Locations, Local Zones, and Outposts

Question 2

What are some factors in choosing a Region

Answer 2

Compliance Requirements
Latency
Available Services
Pricing

Question 3

Shared Responsibility Matrix - AWS Responsibilities

Answer 3

Security OF the cloud
Hardware
Certain Software (offered as a service)
Certain OS (of serverless services)
Networking/Firewalls of serverless services

Question 4

Shared Responsibility Matrix - Customer Responsibilities

Answer 4

Security IN the cloud
Customer Data
Platforms, applications, IAM, network/firewall of EC2 instances
OS of EC2 instances
Networking traffic

Question 5

What is IAM

Answer 5

IAM = Identity and Access Management

Question 6

Describe IAM Users

Answer 6

An IAM User should be a single physical user
Users can be assigned to groups, but don’t have to be

Question 7

Describe IAM Groups

Answer 7

An IAM Group is a collection of IAM Users
An IAM User can belong to multiple groups

Question 8

Describe IAM Policies

Answer 8

An IAM Policy can be assigned to a user or a group
An IAM Policy is used to control access to AWS resources

Question 9

What is an Inline Policy

Answer 9

A policy that is assigned to a user directly

Question 10

What is the Least Privilege Principle

Answer 10

Only giving a user the bare minimum access they require

Question 11

How is an IAM Policy Structured

Answer 11

It has a version number, an ID, and a Statement
A statement consists of an ID, Effect (Allow/Deny), Principal (account/user/role to which the statement applies), Action (list of actions the policy allows/denies), and Resources (list of AWS resources that the policy applies to)

Question 12

IAM Password Policy

Answer 12

Allows you to define the password requirements for all accounts

Question 13

What is MFA

Answer 13

Multi-factor Authentication - Using both a password and a security device
Can be physical (key or or keyfob that generates MFA codes)
Can be virtual

Question 14

Name three ways to access AWS

Answer 14

The AWS Management Console (requires password/MFA)
Command Line Interface (requires access keys)
Software Development Kit - SDK (requires access keys)

Question 15

What is AWS Cloudshell

Answer 15

It is an alternate way to access AWS - private CLI using the browser - does not require access keys

Question 16

What are IAM Roles

Answer 16

IAM Roles are a way to assign permissions to AWS services

Question 17

Name two IAM security tools

Answer 17

IAM Credential Reports (account level)
IAM Access Advisor (user level)

Question 18

What are some IAM best practices

Answer 18

Don’t use the root account unless you absolutely have to - create accounts with administrative access instead
1 physical user = 1 AWS account
Assign Users to Groups, then assign permissions/policies to those groups
Use a strong password policy
Use/enforce MFA
Use roles when giving permissions to AWS services

Question 19

What is EC2 stand for

Answer 19

Elastic Cloud Compute

Question 20

Is EC2 IAAS, PAAS, SAAS?

Answer 20

It is IAAS - Infrastructure As A Service

Question 21

What can you customize in an EC2 instance

Answer 21

Operating System
Number of Cores
RAM
Storage Space
Network Card

Question 22

What is EC2 User Data

Answer 22

A Bootstrap Script - runs once when the instance starts

Question 23

What are the different EC2 types

Answer 23

General Purpose - Good for web servers or code repositories
Compute Optimized - Good for high performance processing
Memory Optimized - Good for processing large data sets in memory
Storage Optimized - Good for high sequential r/w access to local datasets

Question 24

EC2 naming convention - explain the different parts of: m5.2xlarge

Answer 24

m = instance class
5 = generation
2xlarge = size within the instance class

Question 25

What is a security group

Answer 25

A set of permissions that allows traffic in or out of an EC2 instance
It only has ALLOW rules
Acts as firewall to an EC2 instance
Regulates access to ports, authorized IP ranges (IPV4 and IPV6)
Can be attached to multiple instances
Instances can have multiple security groups assigned to them
Locked to a Region/VPC combination
Lives outside the EC2 instance - if it blocks something, that something never reaches the instance

Question 26

Describe Important Ports

Answer 26

21 = FTP
22 = SFTP and secure shell
80 = HTTP
443 = HTTPS
3389 = Remote Desktop Protocol

Question 27

What is SSH

Answer 27

Secure Shell - used to log into Linux, MAC, and Windows (v10+) servers

Question 28

What is Putty

Answer 28

Used to log into Windows (any version) servers

Question 29

Describe the EC2 purchasing option On Demand Instances

Answer 29

Good for short workloads
Pricing - Windows/Linux - Pay per second after the first minute
Pricing - Other - Pay per hour
Highest cost, no upfront payment

Question 30

Describe the EC2 purchasing option Reserved Instances

Answer 30

Good for long workloads
Can reserve for 1 or 3 years
Save up to 72%
Reserve specific instance attributes
Can pay upfront, partially upfront, no upfront

Question 31

Describe the EC2 purchasing option Savings Plans

Answer 31

Good for long workloads
Can be for 1 or 3 year commitment
Save up to 72%
Commit to specific usage (ex $10/hour) for 100 hours
Usage beyond that is at on demand prices

Question 32

Describe the EC2 purchasing option Spot Instances

Answer 32

Good for short workloads that can be interrupted
Up to 90% discount
Can lose instance at any time
Use for workloads resistant to failure

Question 33

Describe the EC2 purchasing option Dedicated Host

Answer 33

Dedicated host - good for when have compliance requirements
Have all of a physical server reserved just for your use, control instance placement
Payment options are on demand or reserved - is very expensive

Question 34

Describe the EC2 purchasing option Dedicated Instances

Answer 34

No other customer will share your hardware
Multiple instances from the same account may share the hardware

Question 35

Describe the EC2 purchasing option Capacity Reservations

Answer 35

Reserve an amount of capacity for a specific AZ for any duration
Always have access to the capacity whenever you need it, no time commitment, no billing discounts, can combine with Regional Reserve instances and Savings Plans, charged On Demand prices whether you run instances or not

Question 36

What is EBS

Answer 36

Elastic Block Storage - network storage
Can be attached to a single instance
Multiple EBS can be attached to a single instance
Has provisioned capacity - can select size and speed when setting up
Billed for the provisioned capacity
Use limited to an AZ

Question 37

What is an EBS Snapshot

Answer 37

A backup image of an EBS volume

Question 38

What is the EBS Snapshot Archive

Answer 38

75% cheaper storage tier
24-72 hours to restore from

Question 39

What is AMI

Answer 39

Amazon Machine Image
A defined configuration for an EC2 instance
Public AMI - provided by Amazon
Private AMI - make and maintain yourself
AWS Marketplace AMI - purchased off the Marketplace

Question 40

Define the process for building/using an AMI

Answer 40

Create EC2 instance and configure it
Stop the instance
Create the AMI from the stopped instance
Launch new instances from the AMI

Question 41

What is an Instance Store

Answer 41

Physical storage attached to an EC2 instance
Data is lost if the EC2 instance is stopped
Backup and replication are customer’s responsibility

Question 42

What is EFS

Answer 42

Elastic File System - network storage that can be attached to multiple EC2 - can be used across AZ’s

Question 43

What is EFS Infrequent Access

Answer 43

Storage tier up to 92% cheaper than EFS Standard
Files automatically moved to this tier and back to Standard

Question 44

What is FSx for Windows

Answer 44

Fully managed file system built on Windows File Server

Question 45

What is FSx for Lustre

Answer 45

File system for high performance computing
Used for ML, analytics, video processing, and financial modeling

Question 46

What is ELB

Answer 46

Elastic Load Balancing

Question 47

Describe the two types of scalability

Answer 47

Vertical Scalability - increase/decrease the size of an instance - scale up/down
Horizontal Scalability - increase/decrease the number of instances - scale out/in

Question 48

What is High Availability

Answer 48

When you are running in multiple AZ’s or Regions

Question 49

What is Elasticity

Answer 49

The ability to scale in/out to match demand and optimize costs

Question 50

What is ASG

Answer 50

Auto-Scaling Groups - a service that adds/removes instances automatically
Replaces unhealthy instances automatically

Question 51

What are 2 types of Load Balancers

Answer 51

ALB - Application Load Balancers - for HTTP/HTTPS traffic (external)
NLB - Network Load Balancers - for TLS/TCP traffic (internal)

Question 52

What are 4 types of ASG Dynamic Scaling Strategies

Answer 52

Simple/Step Scaling - based on Cloudwatch alarms targeting capacity usage
Target Tracking Scaling - based on average CPU usage
Scheduled Scaling - based on known usage patterns over a period of time
Predictive Scaling - uses ML based on past traffic patterns

Question 53

What is S3

Answer 53

Simple Storage Service
Create buckets to store objects/files
Regional Service

Question 54

S3 Bucket Naming Conventions

Answer 54

Must be UNIQUE across all regions/accounts
No uppercase, no underscores
3-36 characters long
Not an IP
Must start with lowercase letter
Can’t start with “xn-“
Can’t end with “-s3alias”

Question 55

What are characteristics of S3 objects

Answer 55

Object key = is full path and file name of object
Max size is 5TB, if greater than 5GB must upload in pieces
Metadata - key and value pairs
Can tag objects

Question 56

What are S3 Bucket Policies

Answer 56

Allows access to objects in a S3 bucket
Object Access Control List - Security Policy that details users that can access the object
Bucket Access Control List - Security Policy that details users that can access the bucket

Question 57

What is the default Security Bucket Policy

Answer 57

As a default, an S3 bucket denies public access to its objects - overrides other specific policies

Question 58

What is Static Web Hosting

Answer 58

Where the code for a web site is stored in an S3 bucket
Must have public access turned on

Question 59

What is S3 Versioning

Answer 59

Where objects in S3 buckets are assigned file keys
Previous versions of objects are retained and can be restored
Deleted objects can be restored

Question 60

What is S3 Replication

Answer 60

Copying a S3 bucket
CRR - Cross Region Replication - copying to another Region
SRR - Same Region Replication - copying to the same Region
Copying is asynchronously

Question 61

What are the basic S3 Storage Classes

Answer 61

S3 - Standard - 99.99% Availability
S3 Infrequent Access - 99.9% Availability
S3 Zone Infrequent Access - 99.9% Availability - 1 AZ only
S3 Glacier Instant Retrieval - Millisecond retrieval
S3 Glacier Flexible Retrieval - Expedited 1-5 min, Standard 3-5 hr, Bulk 5-12 hr
S3 Glacier Deep Archive - Standard 12 hour, Bulk 48 hour

Question 62

What is S3 Intelligent Tiering

Answer 62

Storage method where files are automatically moved from one tier to another
Frequent Access Tier (default)
Infrequent Access Tier - objects not accessed for 30 days
Archive Instant Access Tier - objects not accessed for 90 days
Archive Access Tier (optional) - objects not accessed for 90-700 days
Deep Archive Access Tier (optional) - objects not accessed for 180-700 days

Question 63

What are the S3 encryption options

Answer 63

None
Server side - is encrypted after server receives file
Client side - file is encrypted before being uploaded

Question 64

Name the 3 Snow Family Devices

Answer 64

Snowcone
Snowball Edge
Snowmobile

Question 65

Describe Snowcone

Answer 65

Small box, up to 8 TB storage
Can use up to 15 at a time

Question 66

Describe Snowball Edge

Answer 66

Large server, comes in 2 flavors
Storage optimized - 80 TB storage
Compute optimized - 43 TB storage, has more compute power

Question 67

Describe Snowmobile

Answer 67

Semitruck, 100 PB storage
High security, 24/7 video surveillance
Temperature controlled

Question 68

What is AWS Opshub

Answer 68

Graphical interface that allows you to use Snow family devices

Question 69

What is Hybrid Cloud Storage

Answer 69

Using on premises and cloud storage at same time

Question 70

What is AWS Gateway

Answer 70

bridge between on premise storage and AWS S3

Question 71

Describe RDS

Answer 71

Relational Database Service
Fully Managed Relational Databases
Have to provision the EC2 instances
Postgres, MySQL, MariaDB, Oracle, Microsoft SQL Server, Aurora
Cannot SSH into database

Question 72

What is Aurora

Answer 72

Proprietary database software
Supports Postgres and MySQL
Cloud optimized - better than RDS but more expensive

Question 73

What are Read Replicas for RDS

Answer 73

Read only versions of your DBS - can have up to 5

Question 74

What is Multi-AZ for RDS

Answer 74

Where you backup your DB to a different AZ
If main DB fails, restore from backup

Question 75

What is Multi-Region for RDS

Answer 75

Where you have Read Only versions of your DB in different Regions

Question 76

What is Elasticache

Answer 76

In memory database with high performance, low latency
Helps reduce load off actual DB

Question 77

What is Dynamo DB

Answer 77

A noSQL DB managed by AWS
Is a key-value pair DB
Serverless service
Highly scalable - autoscaling

Question 78

What is Dynamo DB DAX

Answer 78

In memory cache for Dynamo DB

Question 79

What are Dynamo DB Global Tables

Answer 79

Tables in multiple Regions
Read/write in any Region

Question 80

What is Redshift

Answer 80

A Postgres DB that is used for Online Analytical Processing
Has SQL interface

Question 81

What is EMR

Answer 81

Elastic Map Reduce - creates Hadoop cluster

Question 82

What is Athena

Answer 82

Serverless query service for objects in S3 buckets

Question 83

What is Quicksight

Answer 83

Serverless machine learning-powered business intelligence service to create interactive dashboards

Question 84

What is DocumentDB

Answer 84

Serverless implementation of MongoDB (noSQL)

Question 85

What is Neptune

Answer 85

Fully managed graph DB

Question 86

What is QLDB

Answer 86

Quantum Ledger DB
Records financial transactions
Data is immutable once entered

Question 87

What is Managed Blockchain

Answer 87

Managed service to either join public blockchain networks or create your own blockchain network

Question 88

What is GLUE

Answer 88

Managed Extract/Transform/Load service

Question 89

What is DMS

Answer 89

Database Migration Service
Source DB remains available during migration
Can be to/from same type DB or different type DB

Question 90

What is ECS

Answer 90

Elastic Container Service - Docker containers
Customer must provision/maintain EC2 instances
ECS automatically starts/stops containers
Integrated with ELB

Question 91

What is EKS

Answer 91

Elastic Kubernetes Service

Question 92

What is Fargate

Answer 92

Serverless service that launches Docker containers

Question 93

What is the difference between ECS and Fargate

Answer 93

ECS requires customer to provision/maintain EC2 instances on which to run the containers, Fargate manages that for the client

Question 94

What is ECR

Answer 94

Elastic Container Registry
Where container images are stored and accessed by ECS and Fargate

Question 95

What is Lambda

Answer 95

Serverless compute service
Virtual functions
Usually execution triggered by event or scheduled
Cheap but powerful

Question 96

What is an API Gateway

Answer 96

Serverless middleman between external clients and Lambda functions

Question 97

What is AWS Batch

Answer 97

Fully managed batch processing service
Can be triggered by event or scheduled
Will dynamically launch EC2 instances
Batch jobs are defined as Docker images and run on ECS

Question 98

What is the difference between Lambda and Batch

Answer 98

Lambda functions have limited run time and resources and is serverless
Batch has no time limit, can have greater resources, is not serverless but servers are managed by AWS

Question 99

What is Lightsail

Answer 99

Virtual servers, storage, databases, and networking
Simpler than other AWS services, but is very limited
Good for people with little cloud experience

Question 100

What is Cloud Formation

Answer 100

A declarative method of outlining your AWS Infrastructure, for any resources
Define the services/infrastructure you want, then Cloud Formation creates them
Infrastructure as Code
Gives ability to create and destroy infrastructure on the fly
Can create templates, get templates from Web
Supports most AWS services
Uses JSON/YAML files

Question 101

What is CDK

Answer 101

AWS Cloud Development Kit
Use other languages
Allows you to deploy runtime code and infrastructure tool

Question 102

What is Elastic Beanstalk

Answer 102

Developer centric view of deploying infrastructure on the internet
Uses AWS components
Platform as a Service
Beanstalk is free, but pay for resources created
Fully Managed Service

Question 103

What is CloudDeploy

Answer 103

Hybrid service that deploys code

Question 104

What is CloudCommit

Answer 104

Equivalent of Github for AWS
Fully managed service

Question 105

What is CloudBuild

Answer 105

A service that compiles source code, runs tests, and produces packages ready to be deployed
Hybrid Service
Servers/EC2’s must have CloudDeploy agent installed

Question 106

What is Code Pipeline

Answer 106

Orchestrates the steps to move Code to production
CICD
Works with CloudDeploy, CloudCommit, and CodeBuild

Question 107

What is CodeArtifact

Answer 107

System for managing software package dependencies for software development

Question 108

What is CodeStar

Answer 108

Unified UI to manage software development activities in one place
Uses the Code* services behind the scenes

Question 109

What is Cloud9

Answer 109

A Virtual IDE used for collaberation

Question 110

What is SSM

Answer 110

Systems Manager
Hybrid service that works on both EC2 or on-premise server
Suite of 10+ programs to manage servers
Servers require SSM Agent to be installed

Question 111

What is SSM Sessions Manager

Answer 111

Secure Shell for SSM
No SSH access, bastion hosts, or SSH keys needed
Doesn’t use port 22, so is better security

Question 112

What is OpsWork

Answer 112

Managed Chef and Puppet service

Question 113

What is Route 53

Answer 113

AWS DNS service used to route to AWS infrastructure

Question 114

What are the 4 Route 53 routing policies

Answer 114

Simple Routing Policy - No health checks
Weighted Routing Policy - Routing based on defined ratios for various servers
Latency Routing Policy - Routing based on the lowest latency
Failover Routing Policy - Route to main server unless down, then route to backup server

Question 115

What is Cloudfront

Answer 115

Content Delivery Network
Data is cached at Edge Locations
Helps against DDoS attacks

Question 116

What is Cloudfront Origins S3 Basket

Answer 116

Used to distribute files and cache them at the Edge

Question 117

What is Cloudfront Origins Custom Origin

Answer 117

Connects to: Application Load Balancer, EC2, S3 Website, any HTTP backend

Question 118

Difference Between Cloudfront and S3 Cross Region Replication

Answer 118

Cloudfront uses Edge Locations to make content available for a short time
S3 CRR is set up for specific Regions, works for content only needed in a few Regions

Question 119

What is S3 Transfer Acceleration

Answer 119

S3 using Edge Locations and high speed internal network to speed up data transfer to/from S3 buckets

Question 120

What is AWS Global Accelerator

Answer 120

AWS’s fast private network and Edge Locations used to improve global availability and performance

Question 121

Compare Global Accelerator and Cloudfront

Answer 121

Both use AWS network and Edge Locations
Both integrate with AWS Shield
Cloudfront is a CDN, caching files at the Edge
Global Accelerator uses Edge Locations, but does not cache files

Question 122

What are AWS Outposts

Answer 122

Hybrid Cloud system where AWS servers are emplaced at a client location in addition to client owned servers
AWS sets up and manages the AWS servers
Client responsible for physical security of AWS servers

Question 123

What is AWS Wavelength

Answer 123

AWS Servers emplaced in telecommunications providers datacenters at the edge of 5G networks
Data stays within providers’ networks, never reaches AWS
Ultra low latency

Question 124

What are AWS Local Zones

Answer 124

Special AWS datacenters that place certain services closer to end users to reduce latency

Question 125

Describe 4 Global Application Architectures

Answer 125

Single Region, Single AZ
Single Region, Multiple AZ
Multiple Region, Active Passive (only 1 is read & write)
Multiple Region, Active Active (all are read & write)

Question 126

What is SQS

Answer 126

Simple Queue Service
Allows asynchronous communication
Producers send messages to SQS
Consumers read messages from SQS and then delete them
Fully managed, serverless
Messages retained 4-14 days, unlimited messages

Question 127

What is Kinesis

Answer 127

Real time big data streaming service
Managed service to collect, process, and analyze real time streaming data

Question 128

What is SNS

Answer 128

Simple Notification Service
Pubsub - Publishers send messages to SNS Topic, Subscribers are then sent those messages

Question 129

What is Amazon MQ

Answer 129

Amazon managed broker service for RabbitMQ and ActiveMQ (which are non-AWS software)

Question 130

What is CloudWatch Metrics

Answer 130

Service that provides metrics for every service in AWS
Can create custom metrics

Question 131

What is CloudWatch Alarms

Answer 131

Service that allows you to set up monitoring of CloudWatch Metrics which can trigger various responses: Autoscaling, EC2 actions (stop/restart/etc), SNS notifications

Question 132

What is CloudWatch Logs

Answer 132

Collects logs from various AWS services, enables real time monitoring

Question 133

What is CloudWatch Logs Agent

Answer 133

Software that can be installed on EC2’s or on-premise servers and feeds logs to CloudWatch Logs

Question 134

What is EventBridge

Answer 134

Service that allows you to schedule CRON jobs
Can respond to service event triggers

Question 135

What is CloudTrail

Answer 135

A history of events/API calls made within your AWS account
Source: CLI, console, CDK, AWS services
Good for compliance, governance, and audit
Logs can be sent to CloudWatch Logs

Question 136

What is X-Ray

Answer 136

Diagnostic tool that can be used to trace data flow
Good for troubleshooting and tracing

Question 137

What is CodeGuru

Answer 137

Machine learning enabled code reviewer
Also makes application performance and cost recommendations

Question 138

What is the Service Health Dashboard

Answer 138

Shows health of all services in all regions
Has a RSS feed you can subscribe to

Question 139

What is the Personal Health Dashboard

Answer 139

Dashboard that provides alerts and remediation advice for AWS services used by your account that are current having issues or have upcoming scheduled events

Question 140

Describe VPC

Answer 140

Virtual Private Cloud
Private network for deploying your AWS resources
VPC’s are contained within a Region

Question 141

What is a Subnet

Answer 141

A way of partitioning your network within a VPC
Associated within a single AZ
Public subnet - accessible to/from internet
Private subnet - not accessible to/from internet

Question 142

What is an Internet Gateway

Answer 142

Help VPC’s connect to the internet via a public subnet

Question 143

What is a NAT Gateway

Answer 143

NAT Gateway (AWS Managed) / NAT Instance (self managed) - allow private subnets to access the internet while remaining private

Question 144

What is NACL

Answer 144

Network Access Control List
Firewall that controls traffic to/from a subnet
Can have ALLOW and DENY rules
Rules only contain IP addresses
Operates at subnet level
Stateless: Return traffic must be explicitly allowed

Question 145

What is a Security Group

Answer 145

Firewall that controls traffic to/from an ENI (Elastic Network Interface) / an EC2 instance
Can only have ALLOW rules
Rules include IP addresses and other Security Groups
Operates at instance level
Stateful: Return traffic automatically allowed

Question 146

What are VPC Flow Logs

Answer 146

Logs of all IP traffic flowing your into your instances

Question 147

What is VPC Peering

Answer 147

Connect two VPC’s privately, using AWS’s network
Make them behave as if in the same network
Must not have overlapping CIDR (IP network range)
Is not Transitive - must be established between each pair individually

Question 148

What are VPC Endpoints

Answer 148

Allows you to connect to AWS Services using a private network instead of the public internet

Question 149

What is a VPC Endpoint Gateway

Answer 149

Allows you to connect to S3 or Dynamo DB (only)

Question 150

What is a VPC Endpoint Interface

Answer 150

Allows you to connect to any AWS service other than S3/Dynamo DB

Question 151

What is PrivateLink

Answer 151

Most secure and scalable way to expose a service to many VPC’s
Source VPC creates Network Load Balancer, target VPC creates Elastic Network Interface, then privately link the two

Question 152

What is Site to Site VPN

Answer 152

Connect on-premise servers to AWS
Uses public internet
Fast to set up
Customer end - uses Customer Gateway
AWS end - uses Virtual Private Gateway

Question 153

What is Direct Connect

Answer 153

Physical connection between on-premise servers and AWS
Expensive and takes long time to set up
Private, secure, fast

Question 154

What is AWS Client VPN

Answer 154

Connect on-premise servers to AWS using OpenVPN Client
Uses public internet

Question 155

What is a Transit Gateway

Answer 155

Transitive Peering between multiple AWS VPC’s and client VPC in a hub and spoke (star) pattern

Question 156

Security - Shared Responsibility Matrix - AWS

Answer 156

Security OF the Cloud
Protecting infrastructure that protects AWS services
Managed services like S3, Dynamo DB, etc

Question 157

Security - Shared Responsibility Matrix - Customer

Answer 157

Security IN the Cloud
EC2 OS patching and updates
Firewall and Network configurations
IAM
Encryption of application data

Question 158

What is AWS Shield Standard

Answer 158

Protection against DDoS attacks: SNY/UPD Floods, Reflection attacks, other layer 3/layer 4 attacks
Free

Question 159

What is AWS Shield Advanced

Answer 159

Optional DDoS protection
$3000/month
Protects against more sophisticated attacks on EC2, ELB, CloudFront, Global Accelerator, and Route 53
24/7 access to AWS DDoS response team during the attack
Protection against higher fees during usages spikes from DDoS

Question 160

What is WAF

Answer 160

Web Application Firewall
Protects your web applications from common web exploits (Layer 7 = HTTP)
Deploy on Application Load Balancer, API Gateway, CloudFront
Define Web ACL (Access Control List) - can include IP Addresses, HTTP Headers, HTTP Body, or URI Strings
Web ACL protects against common attack - SQL Injection, Cross site scripting, block geographies (countries)
Can limit the number of requests per user per time period

Question 161

What services can you perform penetration testing on without notice

Answer 161

EC2 Instances/NAT Gateways/ELB, RDS, CloudFront, Aurora, API Gateways, Lambda/Lambda Edge functions, Lightsail, Elastic Beanstalk

Question 162

What security tests are prohibited by AWS

Answer 162

DNS Zone Walking, DDoS, simulated DDoS, Port Flooding, Protocol Flooding, Request Flooding

Question 163

What is KMS

Answer 163

Key Management Service
Manages encryption keys

Question 164

What is CloudHSM

Answer 164

Dedicated hardware security module attached to FIPS validated hardware
Manage your encryption keys

Question 165

What is Customer Managed CMK (Customer Master Keys)

Answer 165

Keys created, managed, used by the customer
Can bring your own keys

Question 166

What is AWS Managed CMK (Customer Master Keys)

Answer 166

Keys managed by AWS and used on customers behalf by AWS
Used by AWS services

Question 167

What is AWS Owned CMK (Customer Master Keys)

Answer 167

Collections of CMK’s that an AWS service owns and manages in mulitple accounts
Used to protect customer resources, but customer doesn’t have access to them

Question 168

What is ACM

Answer 168

AWS Certification Manager
Allows customer to provision, manage, and deploy SSL/TLS Certificates
Used to provide inflight encryption for websites (HTTPS)
Supports both public and private TLS certificates (public are free)
Automatic TLS certificate renewal

Question 169

What is Secrets Manager

Answer 169

Store secrets, force rotation of secrets
Integrated with RDS
Secrets encrypted using KMS

Question 170

What is AWS Artifact

Answer 170

Portal that gives you access to AWS Compliance documentation and AWS agreements
Used to support internal audit or compliance

Question 171

What is GuardDuty

Answer 171

Uses machine learning algorithms, anomaly detection, 3rd party data to protect your account
Input data used - CloudTrail Event Logs, VPC Flow Logs, DNS Logs, Kubernetes Audit Logs
Can protect against CryptoCurrency attacks

Question 172

What is Inspector

Answer 172

Run automated security assessments
For EC2 instances, container images, Lambda Functions
Reporting and integration is with AWS Security Hub
Send findings into Amazon EventBridge

Question 173

What is Macie

Answer 173

Fully managed data security and data privacy service
Uses machine learning and pattern matching to discover and protect your sensitive data in AWS

Question 174

What is Detective

Answer 174

Analyzes, investigates, and identifies the root cause of security issues or suspicious activity (using machine learning and graphs)
Automatically collects and processes events from VPC Flow Logs, CloudTrail, GuardDuty, and creates a unified view

Question 175

Define AWS Abuse

Answer 175

Spam, port scanning, DDoS, Intrusion Attempts, Hosting objectional/copyrighted content, distributing malware
Contact the AWS Abuse Team if discovered

Question 176

Name 4 actions only the Root User account can do

Answer 176

Change account settings
Close the account
Change or cancel support plans
Register as a seller on the AWS Marketplace

Question 177

What is Rekognition

Answer 177

Service that finds people, objects or scenes in video

Question 178

What is Transcribe

Answer 178

Converts speech to text
Uses deep learning process: Automatic Speech Recognition

Question 179

What is Polly

Answer 179

Converts text to speech

Question 180

What is Translate

Answer 180

Converts text in one language to text in another language

Question 181

What is Lex

Answer 181

Lex is Automatic Speech Recognition
Used for Alexa

Question 182

What is Connect

Answer 182

Virtual Call Center

Question 183

What is Comprehend

Answer 183

Natural Language Processing

Question 184

What is Sagemaker

Answer 184

Fully managed service for developers / data scientists to build ML models

Question 185

What is Forecast

Answer 185

Fully managed service that uses ML to delivery highly accurate forecasts

Question 186

What is Kendra

Answer 186

Fully managed document search service
Extract answers from within a document

Question 187

What is Personalize

Answer 187

Fully manage ML service to build apps with real time personalized recommendations

Question 188

What is TexTract

Answer 188

Automatically extracts text, handwriting, data from any scanned documents using AI and ML

Question 189

What is AWS Organizations

Answer 189

Global service that allows you to create and manage all your accounts from a master account
Allows consolidated billing
Allows sharing Reserved Instances
Gives pricing benefits from aggregated usage

Question 190

What are Service Control Policies

Answer 190

Service that whitelists or blacklists IAM actions for accounts

Question 191

What is AWS Control Tower

Answer 191

Service that runs on top of AWS Organizations
It applies preventive and detective controls (guardrails) to help keep your organizations and accounts from divergence from best practices

Question 192

What are the 4 pricing models of the Cloud

Answer 192

Pay As You Go
Save When You Reserve
Save When You Use More
Pay Less as AWS Grows (economies of scale)

Question 193

Name some free services

Answer 193

IAM, VPC, Consolidated Billing, Elastic Beanstalk, CloudFormation, Auto Scaling Groups

Question 194

Describe pricing data traffic

Answer 194

Data transferred into AWS is free
Data transferred out of AWS is not free
Data transferred within AWS Region is free if using private IP
Data transferred between Regions is not free

Question 195

What is Compute Optimizer

Answer 195

Service that uses ML and CloudWatch Metrics to recommend optimal AWS resources for your workload to reduce costs and improve performance

Question 196

What is Pricing Calculator

Answer 196

Tool that estimates costs for your solution architecture

Question 197

What is the Billing Dashboard

Answer 197

Tool that shows you costs to date, forecasts for rest of month
Breaks down the costs

Question 198

What are Cost Allocation Tags

Answer 198

Tags attached to services and resources that allow you to track costs at a detailed level

Question 199

What are Cost and Usage Reports

Answer 199

Tool that contains most the comprehensive set of AWS cost and usage data available, including additional metadata about AWS services, pricing, reservations

Question 200

What is Cost Explorer

Answer 200

Tool to visualize, understand, and manage your AWS costs
Forecast up to 12 months based on previous usage

Question 201

What are Billing Alarms

Answer 201

Triggers that track your AWS spending and sends notifications
Billing data is stored in CloudWatch in us-east-1 only, aggregated for all Regions

Question 202

What are AWS Budgets

Answer 202

Tool that allows you to set up a budget for AWS services
Can trigger Billing Alarms
Types: Usage, Cost, Reservations

Question 203

What is Trusted Advisor

Answer 203

An assessment tool that analyzes resources in your account based on these categories: Cost Optimization, Performance, Security, Fault Tolerance, Service Limits

Question 204

What are the 7 core checks for Trusted Advisor

Answer 204

S3 Bucket Permissions
Security Groups - Ports check
IAM Use
MFA on root account
Presence of EBS public snapshots
Presence of RDS public snapshots
Service Limits

Question 205

Describe the Basic Support plan

Answer 205

It is free
Access to 24/7 customer service
Access to documentation, whitepapers, and support forums
Access to 7 core checks for Trusted Advisor
Access to Personal Health Dashboard

Question 206

Describe the Developer Support plan

Answer 206

Costs greater of $29 or 3% of monthly charges
Same as Basic Support plan
Business hours email access to Cloud Support Associates
Unlimited cases, 1 primary contact
General Guidance < 24 hours
System Impaired < 12 hours

Question 207

Describe the Business Support plan

Answer 207

Costs greater of $100 or sliding % of monthly costs
Same as Developer Support plan
Full Trusted Advisor checks
24/7 phone/email/chat access to Cloud Support Engineers
Unlimited Cases, Unlimited Contacts
Access to Infrastructure Event Management for additional fee
Production system impaired < 4 hours
Production System Down < 1 hour

Question 208

Describe the Enterprise Onramp Support plan

Answer 208

Costs greater of $5,500 or 10% of monthly charges
Same as Business Support plan
Access to a pool of Technical Account Managers (TAM)
Concierge Support Team (for account and billing best practices)
Infrastructure Event Management, Well Architected and Operations Review
Business-critical system down < 30 minutes

Question 209

Describe the Enterprise Support plan

Answer 209

Costs greater of $15,000 or sliding % of monthly costs
Same as Enterprise Onramp Support plan
Access to a designated TAM
Business-critical system down < 15 minutes

Question 210

What is STS

Answer 210

Security Token Service
Enables you to create temporary limited-privileges credentials to access your AWS resources

Question 211

What is Cognito

Answer 211

Identity for Web/Mobile application users
Don’t create individual IAM users, create users in Cognito instead

Question 212

What is AWS Directory Services

Answer 212

AWS’s version of Microsoft Active Directory

Question 213

What is Workspaces

Answer 213

Virtual Desktop as a Service (DaaS)
Windows or Linux desktops

Question 214

What is AppStream 2.0

Answer 214

Desktop Application Streaming Service delivered via web browser

Question 215

What is Sumerian

Answer 215

Service that allows you to create and run VR, AR, and 3D applications

Question 216

What is IoT

Answer 216

Internet of Things
Allows you to easily connect IoT devices to the AWS Cloud

Question 217

What is Elastic Transcorder

Answer 217

Convert media files stored in S3 into media file formats required by consumer playback devices

Question 218

What is AppSync

Answer 218

Store and sync data across mobile and web applications in real time
Uses GraphQL (Facebook mobile technology)

Question 219

What is Amplify

Answer 219

Set of tools and services that allow you to develop and deploy scalable full stack web and mobile applications
Like Elastic Beanstalk for mobile and web applications

Question 220

What is Device Farm

Answer 220

Fully managed service that tests your web and mobile apps against desktop browsers, real mobile devices, and tablets
Real devices, not emulators

Question 221

What is AWS Backup

Answer 221

Fully managed service to centrally manage and automate backups across AWS services

Question 222

Describe 4 Disaster Recovery Strategies

Answer 222

Backup and Restore (Cheapest)
Pilot Light (Core Functions of the App, ready to scale)
Warm Standby (Full version of the app, but at minimum size)
Multi-site/Hot Site (Full version of the app, full size)

Question 223

What is AWS Datasync

Answer 223

Move large amount of data from on-premise to AWS
Replication tasks can be scheduled
Incremental backup after initial backup

Question 224

What is Application Discovery Service

Answer 224

Scan on-premise servers to get information for migration
Agentless Discovery (AWS Agentless Discovery Connector)
Agent Based Discovery (AWS Application Discovery Agent)

Question 225

What is Application Migration Service (MGM)

Answer 225

Lift and shift (rehost) data/applications
Then at some point cut over

Question 226

What is FIS

Answer 226

Fault Injector Service
Fully managed service to run fault injection experiments on AWS workloads
Based on Chaos Engineering

Question 227

What are Step Functions

Answer 227

Build a serverless visual workflow to orchestrate your Lambda functions
Can integrate with EC2, ECS, on-premise servers, API Gateway, SQS Queues
Features: sequence, parallel, conditions, timeouts, error handling

Question 228

What is Ground Station

Answer 228

Fully managed service that allows you to control satellite communications, process data, and scale your satellite operations

Question 229

What is AWS Pinpoint

Answer 229

Scalable 2-way outbound/inbound marketing communications service
Supports email, SMS, push, voice, and in-app messaging
Is the next evolution of SNS or SES

Question 230

What are the good architecture guiding principles

Answer 230

Stop guessing your capacity needs
Test systems at production scale
Automate to make architectural experimentation easier
Allow for evolutionary architectures
Drive architectures using data
Improve through game days (peak usage)

Question 231

Name the Well Architected Frameworks 6 pillars

Answer 231

Operational Excellence
Security
Reliability
Performance Efficiency
Cost Optimization
Sustainability

Question 232

Describe Operational Excellence (pillar 1)

Answer 232

Ability to run and monitor systems to deliver business value and to continually improve supporting processes and procedures

Question 233

Describe Security (pillar 2)

Answer 233

Ability to protect information, systems, and assets, while delivering business value, through risk assessments and mitigation strategies

Question 234

Describe Reliability (pillar 3)

Answer 234

Ability of a system to recover from infrastructure or service disruptions, dynamically acquiring computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues

Question 235

Describe Performance Efficiency (pillar 4)

Answer 235

Ability to use computing resources efficiently to meet system requirements, and to maintain that efficiency as demand changes and technologies evolve

Question 236

Describe Cost Optimization (pillar 5)

Answer 236

Ability to run systems to deliver business value at the lowest price point

Question 237

Describe Sustainability (pillar 6)

Answer 237

Focuses on minimizing environmental impact of running cloud workloads

Question 238

What is AWS Well Architected Tool

Answer 238

Free tool to review your architectures against the 6 pillars
You select your workload and answer questions, then get advice

Question 239

What is Right Sizing

Answer 239

Right sizing is process of matching instance types/sizes to your workload performance and capacity requirements at the lowest possible price

Question 240

Describe the AWS Marketplace

Answer 240

Independent software vendors - buy/sell custom AMI, CloudFormation templates, Software as a Service, Containers

Question 241

What is AWS Training

Answer 241

Digital or classroom training, private training, training/certification for US government, training/certification for enterprises, AWS Academy for universities

Question 242

What is AWS Professional Services and Partner Network

Answer 242

Global team of networks - APN (AWS Partner Network)

Question 243

Describe APN Technology Partners

Answer 243

Third parties that provide hardware, connectivity, and software

Question 244

Describe APN Consulting Partners

Answer 244

Third parties that provide consulting services to help you build in AWS

Question 245

Describe APN Training Partners

Answer 245

Third parties that provide AWS training

Question 246

What is AWS Competency Program

Answer 246

Certification for APN Partners who have demonstrated technical proficiency and proven customer success in specialized solution areas

Question 247

What is AWS Navigate Program

Answer 247

Service that helps AWS Partners become better partners

Question 248

What is AWS Knowledge Center

Answer 248

Knowledge base of more frequent and common questions and requests

Question 249

What is AWS IQ

Answer 249

Tool to find AWS Certified professional help (contractors) for AWS projects

Question 250

What is AWS re:Post

Answer 250

AWS Managed Q&A service - offers cloud sourced, expert reviewed answers to your technical questions about AWS
Free unless purchase Premium Support (customers that don’t get a response from the community are passed on to AWS Support Engineers)