AWS-SA-2020

Question 1

What AWS functionality is used to move S3 data from one storage class to another

Answer 1

Life cycle policies

Question 2

s3 durability

Answer 2

11 x 9

Question 3

For all s3 storage classed how my zones are data stored in?

Answer 3

3 except for single zone s3

Question 4

what should you use for hot or fast backup

Answer 4

IA standard (infrequent access, fast)

Question 5

srr vs crr

Answer 5

same region replication vs cross region

Question 6

when to use crr

Answer 6

compliance, latency (users in different locations), ops efficiency (compute clusters in different locations)

Question 7

before setting up cross region replication you must

Answer 7

enable versioning

Question 8

If object locking is enabled can you use regional replication?

Answer 8

yes

Question 9

What types of access control exists for s3?

Answer 9

ACLs, bucked policy, iam

Question 10

s3 standard replication to # of az?

Answer 10

3 availability zone replication

Question 11

s3 intelligent does what

Answer 11

moves data to the most cost-effective access tier

Question 12

s3 one zone ia

also s3 IA

Answer 12

one zone, used to be RRS, costs 20% less than standard IA vs
s3 IA is multi zone (3)

Question 13

Glacier AZ, cost, retrieval

Answer 13

Multiple AZ, retrieve in minutes or hours, low cost

Question 14

Glacier deep dive details

Answer 14

lowest cost, accessed 1,2x per year compliance types, 12 hours, 3 AZ

Question 15

for cross region replication to work + what happens to new/old/deleted files

Answer 15

1 versioning must be enabled on both
2 existing files not auto replicated, new will
3 deletes not replicated

Question 16

object vs block and which is s3

Answer 16

object = files, block = os, s3 is object

Question 17

bucket names are

Answer 17

are universal, unique

Question 18

4 types of at rest encryption

Answer 18

s3 managed keys (sse-s3 / aes-256
aws key mgt - sse-kms
server side w/client keys sse-c
or client side and upload

Question 19

transfer accelerator uses

Answer 19

edge locations to speed up transfer

Question 20

What is cloudfront

Answer 20

content delivery network - simple api that allows files to be delivered to end-users using a global network of edge locations

Question 21

What are the main logical components of AWS IAM?

Answer 21

Users, Groups, Roles, Permission Policies

Question 22

Can a user assume a role in another account?

Answer 22

Yes, a user can assume a role in another account by calling assume-role using the CLI or using the Web console switch role function. With the CLI asume-role requires an –role-arn and a –role-service-name.

Question 23

From an IAM perspective, what should I do with the root user first thing after setting up a new account?

Answer 23

• Remove the access key.
• Set an extremely secure password on the root user.
• Do not use the root password only;y in emergencies
• Enable MFA and lock away the security key.

Question 24

List the EC2 instance categories?

Answer 24

Spot Instance, On-Demand Instances, Reserved Instances.

Question 25

3 types of LB

Answer 25

app - intelligent
network - performance
basic - easy

Question 26

x-forwarded-for

Answer 26

if you need the ip of end user

Question 27

instances reported by ELB are reported as

Answer 27

inService, out of service

Question 28

LB have their own DNS name but never

Answer 28

never an IP

Question 29

sticky sessions can be set with these types of lb

Answer 29

classic, application (target group level)

Question 30

cross-zone lb

Answer 30

balancing across AZ

Question 31

path pattern

Answer 31

route based on path (images or content, different paths)

Question 32

multi-az vs read replicas

Answer 32

az is for DR, Read replicas for performance

Question 33

Cloudformation is

Answer 33

script cloud environment - Create Your AWS Stack From a Recipe

Question 34

Quickstart cloudformation

Answer 34

templates already built to create environments

Question 35

Elastic Beanstalk is for

Answer 35

developers can upload code and elatic beanstalk handles deployment, scaling,etc

Question 36

SQS is

Answer 36

decouple components, stores messages in que
acts as buffer
pull not pushed

Question 37

types of sqs queues

Answer 37

standard - unlimited transactions per second

fifo - exactly once, first in/out 300ps

Question 38

SQS retention period

Answer 38

default 4 days

can be 1min to 14 days

Question 39

sqs visibility timeout

Answer 39

re appears if ec2 doesn’t delete after pickup

Question 40

SWF is

Answer 40

SWF as a fully-managed state tracker and task coordinator that runs background jobs

Question 41

SNS

Answer 41

web notifications

push, delivers messages to subscribers

Question 42

elastic transcoder is

Answer 42

converts media files to other formats

Question 43

api gateway can access

Answer 43

can access ec2 or serverless

Question 44

api gw features

Answer 44

cache, auto scale, can throttle for attacks, cloudwatch logging

Question 45

What is CORS

Answer 45

allows webpages to talk to resources in another domain

Question 46

what if you get “Origin policy cannot be read at remote source”

Answer 46

enable CORS API GW

Question 47

Kinesis is used for

Answer 47

streaming data

Question 48

3 types of Kinesis & define

Answer 48

Streams - endpoints stream and its stored in shards
Firehose - no storage, need to process asap
Analytics - analyzes streams/firehose and stores data

Question 49

Cognito is

Answer 49

AWS web ID federation

Question 50

cognito user vs identity pools

Answer 50

cognito aws user - registration, accounts

identity - grants IAM roles

Question 51

lambda is

Answer 51

compute service, upload code and go
very cheap, scales out auto (not up)
serverless

Question 52

aws x-ray

Answer 52

debug lambda

Question 53

lambda can do global activities like

Answer 53

backup s3 bucket

Question 54

What can’t trigger lambda

Answer 54

rds, ec2

Question 55

IAM is universal or regional

Answer 55

Universal

Question 56

root account

Answer 56

account created when you setup account that has admin access

Question 57

new users have _ permission

Answer 57

no permissions

Question 58

new users are assigned a

Answer 58

access key and secret access key to access system - cannot use this to access console

Question 59

2 types of aws access for user

Answer 59

console and programmatic

Question 60

s3 file size, and maximum

Answer 60

0 to 5TB, unlimited

Question 61

s3 namespace is _

Answer 61

universal, global, creates http://xxxname

Question 62

successful s3 upload

Answer 62

200 ok

Question 63

how to protect objects in s3

Answer 63

mfa

Question 64

s3 file fundamentals & components

Answer 64

key - name
value - data
version id
metadata
sub resources like acls and torrents

Question 65

s3 PUTS new ojbects =

Answer 65

read after write (instant)

Question 66

s3 overwrite PUTS or deletes

Answer 66

eventual consistency

Question 67

control access to buckets using

Answer 67

bucket ACL or policy

Question 68

Versioning can be use for backups and w/lifecycle rules

Answer 68

yes

Question 69

Can versioning use MFA for delete

Answer 69

yes, adds extra security

Question 70

Lifecycle management summary

Answer 70

moves object between tiers of storage
can be used with versioning
applies to current/past versions

Question 71

cross-region replication versioning

Answer 71

must be enabled on source and destination bucket

Question 72

cross-region replication regions must be

Answer 72

unique

Question 73

what is an edge location, is it read or write

Answer 73

where content is cached

can read and write

Question 74

CloudFront originates from what AWS services

Answer 74

s3 bucket, ec2 instance, elb, rt53

Question 75

Cloudfront distribution points are what

Answer 75

collection of edge locations given to CDN

Question 76

For streaming what does each stand for : WEB vs RTMP

Answer 76

websites vs media streaming

Question 77

what is snowball & where does it import/export

Answer 77

Petabyte scale transport system, big disk

import/export to s3

Question 78

termination protection is turned _ by default

Answer 78

off

Question 79

EBS backed instance default action is for root EBS volume to be _ on termination

Answer 79

deleted

Question 80

Can root volume of default ami be encrypted

Answer 80

yes

Question 81

Security group defaults

Answer 81

all inbound traffic blocked, outbound allowed

Question 82

security groups applied to EC2 max

Answer 82

no max, both directions (EC2 in sec groups)

Question 83

Can you block a IP using security groups

Answer 83

no

Question 84

can you set deny rules in a security group

Answer 84

no, they deny all by default

Question 85

can volumes exist on ebs

Answer 85

yes, its a virtual hard disk

Question 86

where do snapshots live

Answer 86

s3, like a photo of the disk

Question 87

what is a snapshot

Answer 87

point in time copy of volume

Question 88

are snapshots incremental

Answer 88

yes

Question 89

Should you stop an instance before taking snapshot of the root volume

Answer 89

yes

Question 90

can you take a snaphot while instance is running

Answer 90

yes, but should only of not root volumes

Question 91

what can you change for a used ebs volume

Answer 91

can change on the fly

can change type

Question 92

How to move ec2 volume from one AZ or region to another

Answer 92

take snapshot
create ami
launch ec2 instance in new az
for regions you have to copy the ami to new region first

Question 93

instance store volumes are sometimes called

Answer 93

ephemeral

Question 94

instance vs ebs backed - will you lose data

Answer 94

if instance host fails data is gone, ebs will stay

Question 95

what happens to root volumes on instance termination

Answer 95

they are deleted unless you told aws to keep ebs

Question 96

are snapshots of encrypted volumes auto encrypted

Answer 96

yes

Question 97

volumes of restored encrypted snapsots are

Answer 97

encrypted automatically

Question 98

can you share snaphots

Answer 98

only if they are unencrypted

Question 99

can you encrypt root devices volumes

Answer 99

yes

Question 100

If you don’t select encrypt when building, how to encrypt root volume

Answer 100

snapshot
copy snapshot, select encryption
create ami
use ami to create instance

Question 101

what is cloudwatch

Answer 101

monitors performance
can monitor applications, events, billing, can create notifications
create dashboards, alarms, logs

Question 102

cloudtrail is all about

Answer 102

auditing

Question 103

CloudWatch standard vs detailed monitoring time

Answer 103

1 vs 5 min

Question 104

roles vs storing keys for IAM

Answer 104

roles are much more secure and easier to manage

Question 105

roles can be assigned to

Answer 105

ec2 instances

Question 106

are roles universal

Answer 106

yes

Question 107

how to get info about an instance

Answer 107

curl command, ec2 instance metadata

Question 108

EFS supports & pay

Answer 108

NFS v 4

pay for what you use, no pre provisioning, up to Petabytes

Question 109

EFS stored where and consistency is

Answer 109

stored - multiple AZs in region

read after write consistency

Question 110

3 types of placement groups

Answer 110

clustered - low network latency (ec2 same AZ)
spread - need individual ec2 on separate hardware
partitioned - multiple ec2 instances separate hw

Question 111

placement group names and regions

Answer 111

must be same region

must have unique name in account

Question 112

how to move instance into a placement group

Answer 112

instance must be stopped, using cli or sdk (no console)

Question 113

Elasticache does what and the names of memory types are

Answer 113

improves performances of web apps to speed up databases

memcached, redis

Question 114

RDS OLTP flavors

Answer 114

sql, mysql, postgresql, oracle, aurora, mariadb

Question 115

aws no sql

Answer 115

dynamo db

Question 116

redshift olap

Answer 116

data warehousing or bus intelligence

Question 117

RDS runs on

Answer 117

virtual machines that you have no access to

Question 118

can you patch your rds instance

Answer 118

no, amazon does it

Question 119

is RDS serverless

Answer 119

no, but there is serverless aurora

Question 120

read replicas allow

Answer 120

read only copy of database, to improve performance

Question 121

2 ways to improve DB performance

Answer 121

elasticache and read replicas

Question 122

read replicas available for following databases

Answer 122

mysql, postgresql, mariadb, oracle, aurora

Question 123

must have _ turned on to deploy read replicas

Answer 123

automatic backups

Question 124

you can have up to _ copies of any db

Answer 124

5

Question 125

Can you have read replicas of read replicas

Answer 125

yes - watch for latency

Question 126

each read replica will have its own

Answer 126

dns endpoint

Question 127

can you have read replicas in multi az or region

Answer 127

yes

Question 128

can you promote read replicas

Answer 128

yes, it breaks replication

Question 129

2 types of RDS backups

Answer 129

automated - scheduled

snapshots - manually

Question 130

how to force failover from one az to another for RDS

Answer 130

reboot RDS instance

Question 131

Encryption at rest supported for which rds

Answer 131

all server RDS options

Question 132

dynamo db used what kind of disk

Answer 132

ssd storage

Question 133

dynamo db spread across

Answer 133

3 AZ

Question 134

dynamo db read options

Answer 134

eventually consistent - over 1 second

strongly consistent - under 1 second

Question 135

redshift is available in _ azs

Answer 135

1

Question 136

redshift backups

Answer 136

1-35 days, 1 is default, maintains 3 copies of data in s3

Question 137

Aurora is

Answer 137

aws own sql compatible with mysql, postgrssql

2 copies stores in min 3 az

Question 138

can you share aurora snapshots with other accounts

Answer 138

yes

Question 139

2 types of aurora replicas & what can failover

Answer 139

aurora and mysql

automated failover only w/aurora

Question 140

aurora backups

Answer 140

on by default

Question 141

redis is highly available?

Answer 141

yes - multi az

Question 142

ELBs have IP or DNS name

Answer 142

DNS name only assigned

Question 143

alias vs cname

Answer 143

alias - naked (always choose alias in exam)

cname - other than naked

Question 144

can you buy domain names through aws

Answer 144

yes- can take 3 days to register

Question 145

rt53 simple routing

Answer 145

1 dns record, multiple IP, random order to user

Question 146

rt53 weighted routing

Answer 146

send to region based on weights we supply

Question 147

rt53 health checks

Answer 147

removed a record entry until its online and you can send sns notification if one fails

Question 148

rt53 latency based routing

Answer 148

rt53 chooses lowest latency path

Question 149

rt53 failover routing

Answer 149

active/passive site - rt53 healthcheck will failover

Question 150

rt53 geolocation routing

Answer 150

send based on user location

Question 151

rt53 Geoproximity routing

Answer 151

send users based on location of users and resources, must use rt53 traffic flow

Question 152

rt53 multi value answers

Answer 152

multiple record sets, same as simple w/health checks

Question 153

VPC consists of

Answer 153

Internet gateways
route tables
NACLs
Subnets
Security groups

Question 154

1 subnet =

Answer 154

1 availability zone

Question 155

which can have deny rules - nacls or security groups

Answer 155

nacls

Question 156

can VPCs have transitive pairing

Answer 156

no

Question 157

When you creaet a VPC what is created by default

Answer 157

route table, nacl, security group ( no subnets)

Question 158

how many IPs does AWS reserve in your subnet

Answer 158

5

Question 159

how many internet gateways per vpc

Answer 159

1

Question 160

can security groups span vpcs

Answer 160

no

Question 161

are nat gateways redundant in the AZ

Answer 161

yes

Question 162

how many nat gateways per AZ

Answer 162

1

Question 163

NAT GW throughput scales automatically

Answer 163

true

Question 164

are nat gateways associated with security groups

Answer 164

no

Question 165

do nat gateways have a public IP

Answer 165

yes

Question 166

what do you need to do if you add a nat gateway so your ec2’s can talk out

Answer 166

add a route to the nat gw in the route table

Question 167

if you have resources in multiple AZ that share a nat GW what happens if that AZ goes down

Answer 167

resources in the other AZ will not have a GW, configure a nat gw in all AZ where you have resources

Question 168

default network ACL default allow

Answer 168

all outbound/inbound

Question 169

customer network ACLs allow

Answer 169

nothing, denies all

Question 170

each subnet in your vpc must be associated with a _

Answer 170

ACL, else its assigned to default

Question 171

can you block IP

Answer 171

yes with NACL

Question 172

how many NACLs can a subnet be associated with, and vice versa

Answer 172

network ACL to many subnets

subnet to just 1 ACL

Question 173

NACL rules applied how

Answer 173

in order, lowest number first (so last wins)

Question 174

How many public subnets to create a LB

Answer 174

2+

Question 175

can you enable flow logs for peered VPCs

Answer 175

only if the VPC is in your account

Question 176

can you tag a flow log

Answer 176

no

Question 177

can you change a flow log

Answer 177

no

Question 178

what is direct connect

Answer 178

connects your datacenter to aws for high throughput workloads or stable/secure connection

Question 179

If you have a VPN connection that keeps dropping out due to throughput erros what should you use

Answer 179

direct connect

Question 180

what is a VPC endpoint

Answer 180

connect VPC to aws services

Question 181

2 types of VPC endpoints

Answer 181

interface

gateway - s3, dynamo db

Question 182

If you upload an object using AWS Identity and Access Management (IAM) user or role credentials who owns the object?

Answer 182

the AWS account that the user or role belongs to owns the object.

Question 183

File gateway types

Answer 183

Volume gateway
Tape Library (backups only)
File gateway

Question 184

volume gateway has what 2 modes

Answer 184

cached and stored

stored uses EBS snapshots

Question 185

which storage gateway for object based files

Answer 185

file gateway

Question 186

are security groups stateful or stateless & meaning

Answer 186

security groups are stateful - incoming rule auto allows outgoing

Question 187

are NACLs stateful or stateless + meaning

Answer 187

stateless - if you add a rule it doesn’t auto allow the other directions

Question 188

Maximum dynamodb string size

Answer 188

400kb

Question 189

List the rt53 routing policies (names only)

Answer 189

simple
failover
geolocation
geoproximity
latency
multivalue
weighted

Question 190

max instances for spread placement group per AZ

Answer 190

7

Question 191

can you use 3rd party encryption tools

Answer 191

no

Question 192

Are security groups global

Answer 192

no, regional only

Question 193

If you copy a ami to a new region do the tags and iam permissions follow it

Answer 193

no

Question 194

What is the maximum VisibilityTimeout of an SQS message in a FIFO queue?

Answer 194

12 hours

Question 195

AWS premium support levels

Answer 195

basic, developer, business, enterprise

Question 196

What can aws see for cloudwatch in the ec2 instance

Answer 196

For the most part think it can't see inside but...
CPU = how much
Network in
disk read
Can't see Memory

Question 197

what is an elastic IP

Answer 197

static, public ip associated with your AWS account which allows you to rapidly remap to a new instance in case of failure

Question 198

You create flow logs for these network items

Answer 198

You can create a flow log for a VPC, a subnet, or a network interface

Question 199

You can create flow logs for network interfaces on these network services

Answer 199

ELB, RDS, Elasiticach, etc

Question 200

VPC Flow Logs is a feature that enables you to…

Answer 200

capture information about the IP traffic going to and from network interfaces in your VPC.

Question 201

What are dedicated instances

Answer 201

HW dedicated to single customer

Question 202

management service that provides managed instances of Chef and Puppet

Answer 202

AWS OpsWorks

Question 203

Access Keys are used for

Answer 203

API Calls

Question 204

What do you use to logon to an ec2 instance

Answer 204

key pairs

Question 205

EBS volume types

Answer 205

General purpose - SSD
Provisioned IOPS - SSD
Throughput optomized - hDD
Cold - HDD

Question 206

how traffic is shifted from the original AWS Lambda function version to the new AWS Lambda function

Answer 206

Canary, linear, all at once

Question 207

What is AWS IoT Core

Answer 207

service for Internet of Things

Question 208

Is all data between gateway appliance and s3 encrypted

Answer 208

yes, SSL

Question 209

Perfect Forward Secrecy is used to offer SSL/TLS cipher suites for which two AWS services?

Answer 209

CloudFront and ELB

Question 210

what is Server Name Indication (SNI)

Answer 210

host multiple TLS secured applications, each with its own TLS certificate, behind a single load balancer

Question 211

What is an ENI

Answer 211

Elastic Network Interface - VPC network card, can attached to ec2

Question 212

snowball vs snowball edge capacity

Answer 212

80 vs 100TB

Question 213

What is AWS Security Token Service (AWS STS)

Answer 213

the service that you can use to create and provide trusted users with temporary security credentials

Question 214

Can you use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes

Answer 214

yes

Question 215

Auto scaling cooldown does what

Answer 215

ensures new ec2 is not launched too soon

default 300 seconds

Question 216

How are EBS volumes stored and replicated

Answer 216

Single AZ only

Question 217

Is Redshift fast or slow

Answer 217

fast, scalable, cost effective

Question 218

what is Pilot light DR

Answer 218

minimal standby architecture

Question 219

Authenticate to your RDS instance using what IAM ___

Answer 219

IAM DB authentication

Question 220

set custom budgets that alert you when your costs or usage exceed

Answer 220

AWS budgets

Question 221

Lambda encrypts using

Answer 221

AWS Key Management Service

Question 222

S3 Select is an Amazon S3 feature that makes it easy to

Answer 222

retrieve specific data from the contents of an object using simple SQL expressions

Question 223

Amazon DynamoDB Accelerator (DAX) cab

Answer 223

reduce Amazon DynamoDB response times`

Question 224

What allows you to establish a trusted relationship between your Active Directory and AWS

Answer 224

AWS connector

Question 225

To monitor advanced metrics on DB use

Answer 225

Enhanced monitoring

Question 226

What provides you a managed Hadoop framework to process data across dynamically scalable Amazon EC2 instances

Answer 226

EMR

Question 227

For Redshift, OLap, to define the number of query queues that are available and how queries are routed

Answer 227

Use WLM work load management

Question 228

A DynamoDB stream is an _ _ _

Answer 228

Ordered flow of information about changes to items in an Amazon DynamoDB table

Question 229

CloudFront signed URLs and signed cookies provide the same basic functionality which is what ?

Answer 229

They allow you to control who can access your content

Question 230

Which ec2 instance will be removed first from a scale in on auto scale groups

Answer 230

wherever there are the most in AZ ECs, then oldest

Question 231

Use Amazon MQ instead of SQS when you are

Answer 231

moving messaging with existing apps to cloud quickly

Question 232

If you will get bursts of traffic on your API gateway use _

Answer 232

Throttling

Question 233

What protects against DDOS attached

Answer 233

AWS Shield

Question 234

Instances that you launch into a default subnet receive what IP(s)

Answer 234

public and private

Question 235

What to use when data must be stored in a columnar fashion

Answer 235

Redshift

Question 236

Max IOPS SSD

Answer 236

32000

Question 237

Retrieval types to use/purchase to speed things up

Answer 237

provisioned and expedited

Question 238

Do SQS standard queues preserve the order of message?

Answer 238

yes

Question 239

What is a scheduled reserved instance

Answer 239

It allows you to reserve instances for a specific time period at a cheaper rate than on demand when using a 1 year term