AWS-SA-Pro Flashcards

1
Q

What are the two most common features of AWS Systems Manager?

A
  1. Run Command
  2. Patch Manager
2
Q

What is the name of the AWS Systems Manager command that is used for a patch?

A

AWS-RunPatchBaseline

3
Q

Which AWS service can you use if you want to migrate Chef and/or Puppet configuration management tools into the cloud?

A

AWS OpsWorks

4
Q

Are AMIs global or region-specific?

A

Region-specific

5
Q

AWS OpsWorks is more suited for _______ whereas Elastic Beanstalk is more suited for _______.

A

AWS OpsWorks is more suited for infrastructure engineers whereas Elastic Beanstalk is more suited for development teams.

6
Q

How do the key concepts of AWS OpsWorks interrelate (Stacks, Layers, Apps, Recipes, Cookbooks)?

A

Stacks = one or more Layers.
Layers = set of EC2 instances grouped by function.
Apps = deployed (from S3) onto the layers.
Recipes = scripts applied to layers.
Cookbooks = collection of recipes that can be stored on GitHub.

7
Q

How are Amazon GuardDuty & Amazon Inspector different from AWS Shield & AWS WAF?

A

GuardDuty & Inspector = detection.
Shield & WAF = protection.

8
Q

Which service creates serverless GraphQL and Pub/Sub APIs?

A

AWS AppSync

9
Q

What 4 services can be used with AWS WAF?

A

(1) CloudFront
(2) ALB
(3) API Gateway
(4) AppSync

10
Q

Which AWS service scans EC2 instances for vulnerabilities and provides a report of findings?

A

Amazon Inspector

11
Q

Which AWS service provides a CVE (common vulnerabilities and exposures) report?

A

Amazon Inspector

12
Q

Differences between Amazon Inspector and Amazon GuardDuty?

A

Inspector scans EC2 instances for vulnerabilities.
GuardDuty scans entire AWS account using ML-based threat detection.

13
Q

Would you use SAML 2.0 Identity Federation with Google, Facebook, Twitter, etc?

A

No. Use SAML 2.0 Identity Federation with an Enterprise Identity Provider (used mainly for on-prem identities to indirectly log in to AWS).

14
Q

What is the difference between Cognito and IAM Identity Center?

A

Cognito will be used for customer login scenarios and IAM Identity Center will be used for enterprise / workforce login scenarios.

15
Q

What’s the difference between Cognito User Pools and Identity Pools?

A

User Pools offer a sign-up or sign-in experience and provide users with a JWT.
Identity Pools offer a way to swap an unauthenticated or authenticated identity for AWS credentials.

16
Q

Can API Gateway accept JWTs for authentication?

A

Yes

17
Q

How can an AWS admin create predefined products (and IaC templates) that end users can provision without fully accessing the underlying AWS service (e.g. EC2 instances)?

A

AWS Service Catalog

18
Q

VPC Flow Logs can capture metadata for what three items (levels)?

A

(1) VPC
(2) Subnet
(3) ENI

19
Q

Do VPC Flow Logs provide real-time data?

A

No. There is a delay.

20
Q

What two log destinations can be used with VPC Flow Logs?

A

(1) S3
(2) CloudWatch Logs

21
Q

Where is a Network Firewall deployed?

A

At the VPC level

22
Q

What layer does AWS WAF use?

A

L7

23
Q

What is used to configure your WAF rules?

A

A Web ACL

24
Q

What is the default Web ACL Capacity Unit (WCU) maximum?

A

1500

25
Q

What are the three types of WAF Rule Groups? (Rule Group = reusable set of rules that you can add to a web ACL)

A

(1) Managed groups
(2) Self-managed groups
(3) Service-owned groups (Shield, Firewall Manager)

26
Q

AWS WAF can inspect a request body, header, and cookie (among other items). However, what is the limit for how much can be inspected?

A

8 KiB (or 8192 bytes)

27
Q

How are you charged for using WAF?

A

(1) $5 / month / Web ACL
(2) $1 / month / Web ACL Rule
(3) $0.60 / 1 million requests

28
Q

What layer does AWS Shield Standard protect?

A

L3 and L4

29
Q

Does AWS Shield Advanced get automatically applied to your resources?

A

No, even after paying for it, you still need to explicitly choose how to configure it for your resources.

30
Q

What are two benefits of AWS Shield Advanced?

A

(1) DDoS cost protection – service credits are provided if your resources auto-scale in response to a DDoS attack
(2) Health-based detection – Shield Advanced can monitor Route 53 health checks to detect changes in resources and more quickly identify threats / attacks

31
Q

Which AWS service offers Desktop-As-A-Service (DaaS)?

A

Amazon WorkSpaces

32
Q

Are Amazon WorkSpaces highly available?

A

No, they run on EC2 instances inside a single subnet (and therefore AZ).

33
Q

Which AWS Directory Service is best when you have more than 5000 users, you want it to be highly available (2+ AZs), and you want a trust relationship between on-prem and cloud directory?

A

AWS Directory Service for Microsoft Active Directory

34
Q

Which AWS Directory Service option supports schema extensions (Remote Desktop, SharePoint, SQL Server, DFS)?

A

AWS Directory Service for Microsoft Active Directory

35
Q

What is the best AWS directory service to use when you don’t want any directory data hosted in AWS?

A

AD Connector

36
Q

What is the best AWS directory service for continuous operations if the network link between AWS and on-prem environment fails?

A

AWS Directory Service for Microsoft Active Directory – because the directory is simultaneously running on AWS EC2 instances in addition to on-prem

37
Q

What AWS service allows your on-premises Active Directory to be used by directory-aware AWS services, without any identity data being stored in AWS?

A

AD Connector

38
Q

What are the three categories of internet networking zones?

A

(1) Public Internet
(2) AWS Public Zone
(3) AWS Private Zone (VPCs)

39
Q

Can DHCP Option Sets be edited?

A

No, once created they are immutable

40
Q

When you associate a DHCP Option Set to a VPC, do the changes occur immediately?

A

No, the changes require a DHCP Renew which takes some time

41
Q

In every subnet, what is the “subnet+1” IP address reserved for?

A

The VPC router’s network interface – every VPC router needs an interface in every subnet

42
Q

What AWS service would you use to provision infrastructure for a contact center?

A

Amazon Connect (it is also omnichannel: voice + chat)

43
Q

What AWS service would you use to ingest the following types of data: security cameras, smartphones, cars, drones, audio, thermal, depth, radar, etc.?

A

Kinesis Video Streams

44
Q

What AWS service will likely be the answer when the exam mentions GStreamer or RTSP (Real Time Streaming Protocol)?

A

Kinesis Video Streams

45
Q

What AWS service is used for serverless ETL?

A

AWS Glue

46
Q

How many AWS Glue Data Catalogs can you have?

A

One catalog per region per account

47
Q

How can you avoid data silos and improve visibility into your data stores across all AWS services?

A

Use AWS Glue Data Catalog crawlers to discover data

48
Q

What AWS service provides managed web and mobile application testing using a fleet of real browsers and devices?

A

AWS Device Farm

49
Q

What AWS service uses NLP to analyze text?

A

Amazon Comprehend

50
Q

What AWS service would you use for intelligent enterprise search capability?

A

Amazon Kendra

51
Q

What AWS service uses “slots” as parameters to categorize talking points during a conversation?

A

Amazon Lex

52
Q

What routes traffic between subnets and is controlled by the route tables?

A

VPC Router

53
Q

Every VPC is created with a _____ that is the default for every subnet in the VPC.

A

Main route table

54
Q

How many route tables can a subnet have associated to it?

A

Only 1

55
Q

How does a route table prioritize traffic routing when there are multiple matching entries?

A

The most specific route is prioritized

56
Q

For a stateless firewall to work smoothly, you often have to ______ all outbound traffic so your server can return the responses to the changing client ephemeral ports.

A

allow

57
Q

What AWS component has both “allow” and “deny” rules?

A

NACL

58
Q

How are the NACLs and Security Groups different in regards to their default configurations?

A

NACLs allow all traffic by default.
Security Groups deny all traffic by default.

59
Q

When you create a Custom NACL, what is the default inbound rule and default outbound rule?

A

Both are “deny all” rules.

60
Q

Can Security Groups have explicit deny rules?

A

No. Only allow rules.

61
Q

Security Groups are not actually attached to EC2 instances; they are attached to _____.

A

ENIs (primary network interface of the EC2 instance)

62
Q

What AWS service would you use when you need single-digit millisecond latency and AWS infrastructure physically located closer to your end users?

A

AWS Local Zones

63
Q

What AWS service is conceptually just a single AZ that is physically closer to your end users?

A

AWS Local Zones

64
Q

What AWS service converts text into “life-like” speech (not a translation service)?

A

Amazon Polly

65
Q

What AWS service performs deep learning image and video analysis?

A

Amazon Rekognition

66
Q

What AWS service can detect and analyze text in documents such as JPEG, PNG, PDF, or TIFF files?

A

Amazon Textract

67
Q

What AWS service can you use to generate predictions based on time-series data?

A

Amazon Forecast

68
Q

What service can you conceptually think of as an IDE for ML model lifecycles?

A

Amazon SageMaker Studio

69
Q

Which Disaster Recovery strategy would be analogous to moving from your current house to building a new backup house from scratch?

A

Backup & Restore

70
Q

Which Disaster Recovery strategy only runs the bare minimum resources required for a recovery?

A

Pilot Light

71
Q

Which Disaster Recovery strategy keeps a fully functional copy of your resources running, but at a smaller, scaled-down capacity than your production infrastructure?

A

Warm Standby

72
Q

What keyword is used to describe the main CloudWatch service?

A

CloudWatch Metrics

73
Q

How would you capture richer and more detailed metrics for CloudWatch?

A

Install the CloudWatch agent

74
Q

What term is used in CloudWatch to define a container for metrics?

A

Namespaces

75
Q

What is the term that CloudWatch uses to differentiate metrics between distinct EC2 instances?

A

Dimensions (a name/value pair that is part of the identity of a metric)

76
Q

What are the two CloudWatch resolutions, which is the default, and what are the time intervals?

A
  1. Standard (default): 60 second granularity
  2. High: 1 second granularity
77
Q

What CloudWatch feature can be used to view data aggregated over a time period, such as Min, Max, Sum, or Average?

A

CloudWatch Statistics

78
Q

How do the three main CloudWatch Logs items interrelate (Log Events, Log Streams, Log Groups)?

A

Log Groups contain Log Streams, which contain Log Events, which consist of a timestamp and raw message.

79
Q

If you use the S3 Export feature of CloudWatch Logs, is the data transferred in real time?

A

No, it can take up to 12 hours

80
Q

What integration would you use if you want near-real-time handling of CloudWatch Logs data?

A

Kinesis Firehose

81
Q

What integration would you use if you need real-time handling of CloudWatch Logs data?

A

Lambda functions and/or Kinesis Data Streams

82
Q

How long are CloudTrail Events stored by default at no cost?

A

90 days

83
Q

What are the three different types of CloudTrail Events?

A

(1) Management Events
(2) Data Events
(3) Insight Events

84
Q

What type of CloudTrail Events are captured by default?

A

Management Events, but NOT Data Events

85
Q

What are the two scopes that can be used when creating a CloudTrail Trail?

A

(1) One Region
(2) All Regions

86
Q

How many CloudTrail Trails can you have per Region?

A

5

87
Q

How would you capture global service events using CloudTrail for services like IAM, STS, and CloudFront?

A

This isn’t captured by default, so you would have to create a new CloudTrail Trail. The Trail would log these events into us-east-1 since they are global services.

88
Q

Does CloudTrail capture events in real-time?

A

No, it takes approximately 15 minutes.

89
Q

For CloudTrail, what is the cost to have one Trail for ongoing Management Events delivered to S3?

A

Free

90
Q

Which AWS service is used to trace user requests through your application to identify bottlenecks and view latency data at each stage of the application?

A

AWS X-Ray

91
Q

The following items are two common examples of AWS-generated ___________?
(1) aws:createdBy
(2) aws:cloudformation:stack-name

A

Cost Allocation Tags

92
Q

After creating a Cost Allocation Tag, is it immediately available?

A

No, it can take up to 24 hours to be visible and active

93
Q

After creating a Cost Allocation Tag, does it apply retroactively to your cost reporting?

A

No, it is not retroactive.

94
Q

What are the 7 free AWS Trusted Advisor checks for the AWS Basic Support and AWS Developer Support plans?

A

(1) S3 Bucket Permissions
(2) Security Groups - Specific Ports Unrestricted
(3) IAM Use (i.e. does the account have IAM users rather than relying on the root user)
(4) MFA on Root Account
(5) Are EBS Snapshots public?
(6) Are RDS Snapshots public?
(7) 50 service limit checks (80%+ quota utilization)

95
Q

Which AWS support plans give you access to the AWS Support API to integrate with your applications?

A

AWS Business Support
AWS Enterprise Support

96
Q

What CloudWatch Logs feature allows you to stream logging data into different systems?

A

Subscription Filters

97
Q

What protocol operates over TCP/179?

A

Border Gateway Protocol (BGP)

98
Q

What can be conceptually thought of as a network in BGP?

A

An Autonomous System (AS)

99
Q

What’s the difference between iBGP and eBGP?

A

iBGP (internal) deals with routing within an AS.
eBGP (external) deals with routing between ASes.

100
Q

In BGP, each AS advertises ______ to the other ASes.

A

The shortest AS_PATH (this does not take path performance/latency into account).

101
Q

How can you configure AS route tables in BGP to manipulate the routes that each AS broadcasts?

A

You can use AS Path Prepending to artificially lengthen certain paths. This addresses the problem of ASes advertising the shortest path without taking latency into account.

102
Q

What AWS service uses anycast IP addresses, so that a customer’s request to the IP address is routed to the closest location?

A

AWS Global Accelerator

103
Q

In terms of OSI layers, how is Global Accelerator different from CloudFront?

A

CloudFront only uses L7, but Global Accelerator uses L4 (TCP/UDP) and L7.

104
Q

How are Symmetric Encryption and Asymmetric Encryption different?

A

Symmetric Encryption is fast but less secure, because both parties use the same key to encrypt/decrypt the data.
Asymmetric Encryption is slower but more secure, because it uses a public key + private key.

105
Q

IKE (Internet Key Exchange) Phase 1 and IKE Phase 2 are the two main phases of ________.

A

IPsec VPNs

106
Q

What are the two types of VPNs?

A

(1) Policy-based VPNs (different rules for different types of traffic)
(2) Route-based VPNs (target matching based on prefixes)

107
Q

With a Site-to-Site VPN, is the Virtual Private Gateway (VGW) highly available?

A

Yes, behind the scenes there are separate endpoints distributed across AZs.

108
Q

How would you configure a Site-to-Site VPN to be highly available?

A

Add a second Customer Gateway (CGW).

109
Q

What is the AWS Site-to-Site VPN speed limit?

A

1.25 Gbps

110
Q

What AWS service would you use to reduce complexity when connecting multiple VPCs and on-prem networks?

A

AWS Transit Gateway (TGW)

111
Q

What is the benefit of peering TGWs?

A

You can create connections to TGWs in other AWS Regions, either in the same account or cross-account.

112
Q

When Transit Gateways (TGWs) are peered, are the routes in each TGW route table automatically shared/propagated between TGWs?

A

No.

113
Q

How many peering attachments can a TGW have?

A

Up to 50

114
Q

A ________ is associated with VPCs, Subnets, Internet Gateways (IGW), Virtual Private Gateways (VGW), and Transit Gateways (TGW).

A

route table

115
Q

What’s the difference between static routes and dynamic routes in a route table?

A

Static routes are added manually.
Dynamic routes are propagated into the route table automatically, if propagation is enabled for a TGW or VGW association.

116
Q

What could you do to enable better performance for your Site-to-Site VPN?

A

Use the Accelerated Site-to-Site VPN feature. This utilizes Global Accelerator edge locations.

117
Q

What would you use for an AWS-managed implementation of OpenVPN, typically as a way for a remote workforce to securely access AWS resources?

A

Client VPN (different from Site-to-Site VPN)

118
Q

Is the Split Tunnel feature of AWS Client VPN the default?

A

No, it must be enabled. Split Tunnel allows your client to retain its existing route table when the Client VPN routes are associated onto it.

119
Q

How are you billed for DX?

A

Hourly cost for the port allocation at the DX location.
Outbound data transfer (inbound is free).

120
Q

Is a DX location owned by AWS?

A

No, typically these are regional data centers where AWS has rented equipment.

121
Q

What are the 3 speed options for a DX connection?

A

1, 10, or 100 Gbps

122
Q

How could you secure your DX connection at the L2 level on a hop-by-hop basis?

A

Use MACsec

123
Q

Regarding a DX connection (which is an L2 connection), what is used to allow multiple L3 networks to run over the DX?

A

Virtual Interfaces (VIFs)

124
Q

____ VIFs are used to connect to public IPs in AWS Public Zones.
____ VIFs are used to connect to private IPs within AWS VPCs.
____ VIFs are used to integrate DX with Transit Gateways (TGWs).

A

Public
Private
Transit

125
Q

An Accelerated Site-to-Site VPN can be used for ____ but not _____.

A

Can be used for TGW, but not VGW.

126
Q

When using a Private VIF to run over your DX connection, what is the max number of prefixes that you can advertise to the BGP network?

A

100

127
Q

A ______ ____ is layered over a DX connection and runs from on-prem infrastructure to a Virtual Private Gateway (VGW). It must be attached to a VGW within the same region that the DX connection terminates into.

A

Private VIF

128
Q

A _____ VIF can access all AWS Regions. There is no region-specific limitation like there is for ______ VIFs.

A

Public… Private

129
Q

What AWS service could you use to connect on-prem infrastructure to multiple VPCs spread across AWS Regions using a single DX connection?

A

Direct Connect Gateway (DGW)

130
Q

A Direct Connect Gateway (DGW) can be associated with VPCs & ______, or TGWs & a ______, but not both.

A

Private VIFs…. Transit VIF

131
Q

Would you use a DX Link Aggregation Group (LAG) more for speed purposes or for resiliency purposes?

A

Speed

132
Q

A DX _____ ____________ _______ is when you utilize multiple DX connections going into a single DX location for faster speeds (parallel data transit).

A

Link Aggregation Group (LAG)

133
Q

A DX LAG is capable of using 2 ___ GB ports or 4 ports if they use less than ___ GB.

A

100

134
Q

What AWS service is used to register domains and host zones (nameservers)?

A

Route 53

135
Q

When you create a Route 53 Hosted Zone, how many nameservers does AWS allocate for your hosted zone?

A

4

136
Q

In Route 53, a CNAME record can map a domain to another _______, but not to an ___ _________.

A

… domain… IP address

137
Q

What type of DNS record is used for a server to find the mail server of a specific domain?

A

MX records

138
Q

What type of DNS record can be used to prove domain ownership?

A

TXT records

139
Q

What DNS feature is used to cache DNS query results?

A

TTL. Depending on how long the TTL is, a query may sometimes return a stale IP address that is not the most up-to-date one, and the request will take longer to go through.

140
Q

What is a Route 53 Hosted Zone in simple terms?

A

It is a DNS database for a domain

141
Q

What is the difference between CNAME and ALIAS records?

A

CNAME maps name -> name (does not support the zone apex).
ALIAS maps name -> name (does support the zone apex).

142
Q

What is the main limitation of Route 53 Simple Routing?

A

It doesn’t support health checks.

143
Q

Which Route 53 routing policy improves availability but is NOT a replacement for load balancing?

A

Route 53 Multi Value Routing

144
Q

Which Route 53 routing policy would you use to optimize performance and user experience?

A

Route 53 Latency-Based Routing

145
Q

Which Route 53 routing policy checks for records based on the state, country, and continent?

A

Route 53 Geolocation Routing

146
Q

Which Route 53 routing policy routes based on physical distance and includes a bias value?

A

Route 53 Geoproximity Routing

147
Q

When using a Route 53 Private Hosted Zone, what two VPC attributes need to be set to “true”?

A
  1. enableDnsHostnames
  2. enableDnsSupport
148
Q

What AWS service can you use to track changes that are made to your resources?

A

AWS Config

149
Q

Can you deploy an application to your on-prem servers using Elastic Beanstalk?

A

No

150
Q

_________ multi-master DB instances are confined to the same region, whereas _________ multi-master DB instances allow read/write to any region.

A

Aurora… DynamoDB Global Tables

151
Q

_________ is a serverless Database-Table-as-a-Service (DBaaS), whereas _________ is NOT serverless and is a Database-Server-as-a-Service (DBSaaS).

A

DynamoDB… Amazon RDS

152
Q

Each DynamoDB table item (conceptually, a row) can have a max size of _____ KB.

A

400

153
Q

Does an ELB provide you with an IP address or a DNS name to use?

A

An ELB only provides you with a DNS name.

154
Q

How does AWS incentivize customers to use ALIAS records for mapping from a DNS name to an AWS resource?

A

They do not charge for this. It is free.

155
Q

For DNS resolution, you would use _____ records to map www.example.com to an IPv4 address.

A

A

156
Q

Can the Management Account of an AWS Organization be restricted with a Service Control Policy (SCP)?

A

No. SCPs do not affect the Management Account.

157
Q

Do SCPs affect service-linked roles?

A

No. Service-linked roles will still work normally even with an SCP attached.

158
Q

Would you use Amazon Macie to scan your CodeCommit repositories for secret keys?

A

No, Amazon Macie is generally used for scanning S3 buckets.

159
Q

How many subnets can you have per VPC?

A

The default quota is 200.

160
Q

Can a Security Group block a specific IP address?

A

No, because Security Groups block all inbound traffic by default and only use allow rules.

161
Q

How many IAM users can you have per account? Can this quota be changed?

A

5000… No, this is a hard limit.

162
Q

What could you set up to ensure your AWS Service Quotas don’t end up restricting your application as its demand grows?

A

You could create CloudWatch Alarms to notify you when you’re approaching your Service Quotas. Then you can request a quota increase before your application hits the quota ceiling.

163
Q

Permissions Boundaries can be applied to ________ or ________.

A

IAM Users… IAM Roles

164
Q

What are the 6 sequential items that are checked when determining allow/deny status for anything within the SAME AWS account?

A
  1. Check for any “Explicit Deny” rules
  2. SCPs
  3. Resource Policies
  4. Permissions Boundaries
  5. Session Policies (only applicable for “assumeRole” situations)
  6. Identity Policies
165
Q

AWS Resource Access Manager allows AWS resources to be shared from one account to another AWS _________, _________, or _________.

A

Account… Organizational Unit (OU)… Organization

166
Q

Is there a cost for using AWS Resource Access Manager?

A

No cost.

167
Q

Are AZs always mapped to the same physical data centers when comparing two accounts? For example, would “us-east-1a” for account A always match “us-east-1a” for account B?

A

No. AWS rotates how the AZs are mapped to the physical data centers.

Solution = AZ IDs… These ARE consistent across accounts.

168
Q

When sharing AWS resources using AWS Resource Access Manager between accounts WITHIN the same organization, does the recipient account need to manually accept the invite?

A

No, the recipient account automatically accepts the invitation.

169
Q

When sharing AWS resources using AWS Resource Access Manager between accounts across DIFFERENT organizations, does the recipient account need to manually accept the invite?

A

Yes.

170
Q

When using a Shared Services VPC with AWS Resource Access Manager, can the participant accounts provision services into the Shared Services VPC?

A

Yes

171
Q

When using a Shared Services VPC with AWS Resource Access Manager, can the account that owns/shares the VPC delete or modify resources created by the participant accounts?

A

No. Ownership of a provisioned resource by a participant account remains with that participant account.

172
Q

VPC Peering allows shared access to ______ VPC resources, whereas AWS PrivateLink only allows access (via interface endpoints) to a ________ VPC service/application.

A

all… specific

173
Q

Does a VPC Gateway Endpoint go into a specific subnet or specific AZ?

A

Neither, a VPC Gateway Endpoint is used across all AZs in a region.

Then you can define which subnets will have the Gateway Endpoint prefix added into their route tables.

174
Q

What type of endpoint provides private access to S3 and/or DynamoDB?

A

VPC Gateway Endpoint

175
Q

Can VPC Gateway Endpoints access services in other regions?

A

No, they are a regional service.

176
Q

AWS Internet Gateways are conceptually attached to the perimeter of a _________.

A

VPC

177
Q

Does your default VPC come with an Internet Gateway?

A

Yes. Also it comes with a public subnet in each AZ.

178
Q

A VPC ______ Endpoint allows private access to the AWS Public Zone services (S3, DynamoDB) without using an Internet Gateway or NAT Gateway.

A

Gateway

179
Q

In Amazon ECS, you cannot attach security groups to the ECS Tasks when using the _____ networking mode.

A

bridge or host

180
Q

In Amazon ECS, which networking mode assigns an ENI and a private IPv4 address to each ECS Task?

A

awsvpc (this provides more control than the “bridge” networking mode)

181
Q

Are certificates from AWS Certificate Manager regional or global?

A

Regional. If multiple regions are desired, you must request a certificate for each region.

182
Q

st1 and sc1 are examples of _______ EBS volumes and they have a _______ (high/low) max IOPS count.

A

HDD… low…

183
Q

To troubleshoot constantly failing EC2 instances in an ASG, are you able to suspend the “Terminate” process of the ASG?

A

Yes.

184
Q

Even if you enable EC2 instance protection for an EC2 instance, the ______ still has the ability to terminate an EC2 instance that it has created.

A

ASG

185
Q

For an Amazon SQS Queue, the _______ attribute specifies the number of times a message is delivered to the queue before being moved to a dead-letter queue.

A

maxReceiveCount

186
Q

A VPC ________ Endpoint goes into a specific subnet whereas a VPC ________ Endpoint is used across all AZs in a region.

A

Interface… Gateway…

187
Q

Network access to a VPC ________ Endpoint can be controlled with a Security Group (b/c it is within a subnet within a VPC) whereas a VPC ________ Endpoint cannot.

A

Interface… Gateway…

188
Q

Which type of VPC endpoint uses DNS for its routing?

A

VPC Interface Endpoint

189
Q

VPC ________ Endpoints use prefix lists and route tables, whereas VPC ________ Endpoints use DNS.

A

Gateway… Interface…

190
Q

When deploying resources into a public subnet, does the resource need to have a public IP address?

A

No, you can choose to only assign a private IP address to your resources, even in public subnets.

191
Q

Can a public (aka internet-facing) ALB communicate with instances inside a private subnet?

A

Yes, as long as the ALB is running from a public subnet.

192
Q

Can the Fargate deployment type run on AWS Outposts?

A

No.

193
Q

______ allow us to run multiple L3 networks over the L2 Direct Connect.

A

VIFs

194
Q

A VIF uses a ______ Peering Session + _______.

A

BGP… VLAN

195
Q

When creating a site-to-site VPN connection, specify ________ routing if your customer gateway device supports BGP.

A

dynamic (as opposed to static)

196
Q

Would you use AWS X-Ray to help plan a migration?

A

No, it is used to debug production applications.

197
Q

A Network ACL can filter requests based on _______ but not ________.

A

IP addresses… URLs

198
Q

A _______ server acts as an intermediary between the client and the server, effectively functioning like a firewall/filter.

A

proxy

199
Q

What enables private connections to AWS services without using public IPs, and uses AWS PrivateLink under the hood?

A

Interface Endpoints

200
Q

Metric Filters and Subscription Filters are components of which AWS service?

A

CloudWatch Logs

201
Q

Management Events and Data Events are components of which AWS service?

A

CloudTrail

202
Q

Which AWS services can be directly accessed through Gateway Endpoints?

A

S3 and DynamoDB

203
Q

How does traffic routing work with Gateway Endpoints in a VPC?

A

Gateway Endpoints are added as a target for a specific route in your VPC route table

204
Q

When generating an S3 Presigned URL, what permissions get embedded into the link?

A

The permissions will match those of the IAM user who created the link.

205
Q

Is it a good practice to generate an S3 Presigned URL using an IAM role?

A

No, because the IAM role will generally expire faster than the URL and then the URL will not work.

206
Q

What AWS service could you use to simplify access to S3 (for example, providing different departments with their own S3 URL each containing separate permissions policies)?

A

S3 Access Points

207
Q

What CLI command would you use to set up an S3 Access Point?

A

create-access-point

208
Q

Does S3 Object Lock require versioning to be enabled on the bucket?

A

Yes. Thus, it is actually the object versions, rather than the object, that are being locked.

209
Q

What are the two types of S3 Object Lock?

A

(1) S3 Object Lock - Retention
— compliance mode: immutable
— governance mode: some changes allowed
(2) S3 Object Lock - Legal Hold
— on/off switch: prevents deletion

210
Q

What service can be used to monitor and discover sensitive data in S3 (for example, PII)?

A

Amazon Macie

211
Q

What service runs discovery jobs based on (1) managed data identifiers and/or (2) custom data identifiers?

A

Amazon Macie

212
Q

In the context of EBS, 1 IOPS is equal to __ KB per second.

A

16 KB

213
Q

What is the standard and maximum IOPS for an EBS GP3 volume?

A

Standard: 3,000 IOPS
Maximum: 16,000 IOPS

214
Q

What are the 3 types of EBS Provisioned IOPS SSD Volumes?

A

(1) io1
(2) io2
(3) Block Express

215
Q

What are the two types of EBS HDD-Based Volumes?

A

(1) st1: throughput optimized
(2) sc1: cold, lowest cost

216
Q

Can you attach an instance store volume to an already-launched EC2 instance?

A

No, instance store volumes must be attached at the time of launch.

217
Q

Instance store volumes are often included in the price of _____

A

EC2 Instances

218
Q

Can st1 or sc1 EBS volumes be used as EC2 boot volumes?

A

No.

219
Q

You can aggregate multiple EBS volumes into a RAID0 set, and this can provide up to _____ IOPS of performance.

A

260,000 IOPS

220
Q

The io1 and io2 EBS volumes can provide up to ____ IOPS and the io2 Block Express volume can provide up to _____ IOPS.

A

64,000 … 256,000

221
Q

What is the max item size for an item in a DynamoDB table?

A

400 KB

222
Q

What is the data transfer rate for DynamoDB Table RCUs and WCUs?

A

RCU: 4KB/s
WCU: 1KB/s

223
Q

What are the two modes of ECS?

A

(1) EC2 Mode
(2) Fargate Mode

224
Q

Which ECS mode injects ENIs into your VPC while the EC2 instances are run and hosted within AWS’s internal EC2 pool?

A

Fargate mode

225
Q

Are SQS and SNS public zone services or private zone services?

A

Public zone

226
Q

With SQS and SNS, which is one-to-many and which is one-to-one?

A

SNS: one-to-many
SQS: one-to-one

227
Q

Which AWS service is kind of a hybrid between SNS and SQS and provides both queues and topics?

A

Amazon MQ

228
Q

What is the default Lambda function timeout, and the max timeout?

A

Default: 3 seconds
Max: 15 minutes

229
Q

If you want to always reference the most recent Lambda version, what would you point to (a phrase)?

A

$LATEST

230
Q

What database compatibility does AWS Aurora offer?

A

MySQL, PostgreSQL

231
Q

What is a key difference between AWS Aurora and RDS?

A

Aurora: More scalable, RDS: Broader DB engine options

232
Q

Which AWS service is used for orchestrating multiple AWS Lambda functions?

A

AWS Step Functions

233
Q

What are the three types of API endpoints offered by AWS API Gateway?

A

Edge-Optimized, Regional, Private

234
Q

What AWS service integrates with API Gateway for user authentication and authorization?

A

AWS Cognito

235
Q

What file does AWS SAM use to define serverless resources?

A

sam-template.yaml

236
Q

What AWS service does AWS SAM internally use to deploy applications?

A

AWS CloudFormation

237
Q

Which service can be used with AWS CloudFront to protect against DDoS attacks?

A

AWS Shield

238
Q

Key difference between Trusted Key Groups and Origin Access Identity (OAI) in CloudFront?

A

Trusted Key Groups: URL signing; OAI: S3 bucket access

239
Q

What AWS service’s primary function is to manage SSL/TLS certificates?

A

AWS Certificate Manager (ACM)

240
Q

When a SSL/TLS certificate is needed for a CloudFront distribution (or any global services), where must the certificate be generated?

A

us-east-1

241
Q

Which AWS service is commonly used with ElastiCache for database caching?

A

Amazon RDS

242
Q

Does ElastiCache for Redis or Memcached support complex data types?

A

Redis

243
Q

Which supports multi-threading, ElastiCache for Redis or Memcached?

A

Memcached

244
Q

Which ElastiCache option offers persistence and replication?

A

Redis

245
Q

Key difference between AWS Internet Gateway and AWS NAT Gateway?

A

Internet Gateway: Two-way internet access; NAT Gateway: Outbound-only for private subnets

246
Q

What format can AWS CloudFormation templates be written in?

A

JSON, YAML

247
Q

What feature does AWS CloudFormation provide for grouping related resources?

A

CloudFormation Stacks

248
Q

Can you update a running CloudFormation Stack?

A

Yes

249
Q

A CloudFormation Stack is a collection of AWS resources that is created as a result of deploying a single _____________.

A

CloudFormation template

250
Q

Which CloudFormation service can deploy and manage stacks across multiple accounts and regions?

A

CloudFormation StackSets

251
Q

Key difference between CloudFormation Templates and Stacks?

A

Templates: JSON or YAML file blueprint of the infrastructure; Stacks: the collection of resources deployed from the template

252
Q

What are the three types of AWS Storage Gateway?

A

File Gateway, Volume Gateway, Tape Gateway

253
Q

Which type of Storage Gateway is used to store and retrieve objects in S3 using file protocols (NFS, SMB)?

A

AWS Storage Gateway File Gateway

254
Q

Which AWS Storage Gateway type supports block-based storage?

A

AWS Storage Gateway Volume Gateway

255
Q

What SSM capability provides a centralized store for configuration data?

A

SSM Parameter Store

256
Q

What is the main difference between AWS Config and AWS SSM?

A

Config: resource configuration
SSM: resource operations / automation

257
Q

For a hybrid environment storage solution where on-prem and cloud integration is desired, what AWS service is best?

A

AWS Storage Gateway File Gateway

258
Q

Between AWS Transfer Family and AWS DataSync, which is best for continuous, regular file transfers and which is best for one-time or batch large-scale data transfer?

A

AWS Transfer Family: continuous, regular
AWS DataSync: fast high-volume transfer

259
Q

_______ can transfer data quickly to and from Amazon S3, EFS, FSx for Windows File Server.

A

AWS DataSync

260
Q

What is the maximum data storage capacity of a standard AWS Snowball device?

A

80 TB

261
Q

What is a Homogeneous Migration in AWS DMS?

A

Migration between the same database engines

262
Q

What is a Heterogeneous Migration in AWS DMS?

A

Migration between different database engines

263
Q

What AWS service is often used alongside DMS for schema conversion? Is it used for homogeneous or heterogeneous migrations?

A

AWS Schema Conversion Tool (SCT)
Only used for heterogeneous migrations.

264
Q

What policies define the maximum permissions for an account, organization, or organizational unit (OU) in AWS Organizations?

A

SCPs

265
Q

Do SCPs grant permissions?

A

No, they only restrict permissions

266
Q

Can SCPs override IAM policies?

A

No, they are used in conjunction with IAM policies

267
Q

Key difference between SCPs and IAM Policies?

A

SCPs: Restrict permissions at the account/OU level; IAM Policies: Grant specific permissions to users, groups, and roles

268
Q

How many IP addresses are reserved in each subnet in AWS VPC?

A

5

269
Q

Which specific IP address in a subnet is reserved for the network address?

A

The first IP address (e.g., 10.0.0.0)

270
Q

Which IP address in a subnet is reserved for the subnet’s default gateway (aka router)?

A

The second (VPC + 1) IP address (e.g., 10.0.0.1)

271
Q

Which specific IP address in a subnet is reserved for DNS?

A

The third (VPC + 2) IP address (e.g., 10.0.0.2)

272
Q

Which AWS service uses DHCP Option Sets?

A

Amazon VPC

273
Q

What can be specified in a custom DHCP Option Set?

A

DNS servers, NTP servers, domain name, NetBIOS name servers, NetBIOS node type

274
Q

What service can be used to capture information about IP traffic going to and from network interfaces in a VPC?

A

VPC Flow Logs

275
Q

Where can VPC Flow Logs be published to?

A

CloudWatch Logs, Amazon S3

276
Q

Can VPC Flow Logs be created for subnets and individual network interfaces, in addition to VPCs?

A

Yes

277
Q

Key difference between VPC Flow Logs and AWS CloudTrail?

A

Flow Logs: Network traffic logs; CloudTrail: API activity logs

278
Q

Are VPC Flow Logs in AWS real-time?

A

No, there’s a slight delay

279
Q

In VPC Flow Logs, what are the protocol numbers that are used to identify ICMP, TCP, and UDP traffic?

A

ICMP: 1
TCP: 6
UDP: 17

280
Q

What is the primary use of SAML 2.0 in cloud services?

A

Single Sign-On (SSO) for web applications

281
Q

In SAML 2.0, what is the role of the “Identity Provider” (IdP)?

A

Authenticates user’s identity and sends SAML assertions

282
Q

What format are SAML 2.0 assertions typically in?

A

XML

283
Q

How does the Service Provider (SP) use SAML 2.0 in Identity Federation?

A

Consumes the assertion from IdP to grant user access

284
Q

What are the two main components of AWS Cognito?

A

User Pools, Identity Pools

285
Q

What does AWS Cognito User Pool provide?

A

User directory and handles sign-up/sign-in processes

286
Q

What does AWS Cognito Identity Pool enable?

A

Granting access to AWS services for authenticated and unauthenticated users

287
Q

What is the primary function of AWS Route 53?

A

Managed Domain Name System (DNS) service

288
Q

Can AWS Route 53 be used for domain registration?

A

Yes

289
Q

Are VPC Gateway Endpoints region-specific in AWS?

A

Yes, they are confined to the region in which your VPC is located

290
Q

What happens when you create a VPC Interface Endpoint in a VPC with DNS resolution enabled?

A

Private DNS entries are automatically added for the service

291
Q

What is the purpose of Route 53 Resolver Endpoints in AWS?

A

Enable DNS queries to flow between your VPC and your on-prem network

292
Q

What are the two types of Route 53 Resolver Endpoints?

A

Inbound Endpoints, Outbound Endpoints

293
Q

What AWS service can be used to compile and test code?

A

AWS CodeBuild

294
Q

What is the build file called in AWS CodeBuild that is stored in the root of the source?

A

buildspec.yml

295
Q

Can Read Replicas in RDS be promoted to primary instances?

A

Yes, useful for failover or scaling purposes

296
Q

Are RDS Read Replicas replicated synchronously or asynchronously?

A

Asynchronously

297
Q

Can RDS Read Replicas be located in different regions than the primary database?

A

Yes

298
Q

What technology does Gateway Load Balancer utilize to efficiently distribute traffic?

A

GENEVE protocol

299
Q

How do ALBs differ from Network Load Balancers (NLBs) in AWS?

A

ALBs operate at Layer 7 (application layer), NLBs at Layer 4 (transport layer)

300
Q

What are the scaling options available in AWS Auto Scaling Groups?

A

(1) Manual
(2) Scheduled
(3) Dynamic (simple, step, target tracking)

301
Q

Do autoscaling groups have a cost?

A

No, they are free.

302
Q

Within an autoscaling group, what defines the instance types and instance configurations?

A

The launch template

303
Q

What can you use to pause EC2 instances in an ASG during launch or termination so that custom actions can occur?

A

ASG Lifecycle Hooks

304
Q

Do ASGs require a scaling policy?

A

No, not required.

305
Q

What service is used to simplify the deployment of third-party virtual security appliances in a scalable and fault-tolerant manner?

A

AWS Gateway Load Balancer (GWLB)

306
Q

What is the default granularity for CloudWatch metrics?

A

1 minute.

307
Q

What is the difference between CloudWatch Logs and CloudWatch Metrics?

A

Logs collect text-based log files, Metrics collect quantitative data.

308
Q

What feature does CloudWatch provide to react to metric thresholds being breached?

A

CloudWatch Alarms that trigger notifications or actions.

309
Q

Which service provides request tracing to debug and analyze applications?

A

AWS X-Ray

310
Q

What determines the level of access to Trusted Advisor checks and recommendations?

A

The AWS support plan (Basic, Developer, Business, or Enterprise)

311
Q

What are the two main types of backups for AWS RDS?

A

Automated backups and manual snapshots.

312
Q

How long does AWS RDS retain automated backups by default?

A

7 days (configurable up to 35 days).

313
Q

What AWS service provides connection pooling to enhance database efficiency and scalability?

A

AWS RDS Proxy

314
Q

What are the two main types of indexes in Amazon DynamoDB?

A

Global Secondary Index (GSI) and Local Secondary Index (LSI)

315
Q

What is a limitation of a Local Secondary Index (LSI) in DynamoDB?

A

It must be defined at the time of table creation. LSIs cannot be added or removed later.

316
Q

In DynamoDB, a _____ supports queries over the entire table and a _____ only supports queries within the same partition.

A

Global Secondary Index (GSI) … Local Secondary Index (LSI)

317
Q

What is the primary purpose of Amazon DynamoDB Accelerator (DAX)?

A

To provide in-memory caching for DynamoDB

318
Q

What DynamoDB feature provides multi-region, fully managed, multi-master database replication?

A

DynamoDB Global Tables

319
Q

How is Amazon Athena priced?

A

Based on the amount of data scanned by the queries.

320
Q

How does Amazon Athena differ from Amazon Redshift?

A

Athena is serverless and queries data directly in S3, while Redshift is a managed, petabyte-scale data warehouse that requires data loading.

321
Q

What is the default data retention period for Kinesis Data Streams?

A

24 hours (extendable up to 365 days).

322
Q

Name four AWS services that Kinesis Data Firehose can deliver data to.

A

Amazon S3, Redshift, OpenSearch Service, and Splunk.

323
Q

Name two AWS services that can be used as data sources for Kinesis Data Analytics.

A

Kinesis Data Streams and Kinesis Data Firehose.

324
Q

What processing languages does Kinesis Data Analytics support?

A

SQL and Java (Apache Flink).

325
Q

What are three open-source frameworks that can be run on Amazon EMR?

A

Hadoop, Spark, HBase.

326
Q

What are the two types of nodes in Amazon EKS?

A

Worker nodes and control plane nodes.

327
Q

Name two AWS services that can be integrated with Amazon EKS for logging and monitoring.

A

Amazon CloudWatch, AWS CloudTrail.

328
Q

What are four AWS services that can be protected by AWS WAF?

A

(1) CloudFront
(2) API Gateway
(3) ALB
(4) AWS AppSync (GraphQL APIs)

329
Q

How does AWS WAF allow you to control web traffic?

A

Through web ACLs (Access Control Lists).

330
Q

How does AWS WAF differ from AWS Shield?

A

WAF provides customizable web traffic control, Shield offers DDoS protection.

331
Q

How can you enable HTTPS for an application running on AWS Elastic Beanstalk?

A

By applying an SSL certificate to your Elastic Beanstalk environment’s load balancer.

332
Q

What AWS Elastic Beanstalk feature could you use for testing changes, blue/green deployments, or quickly replicating environments for different purposes without manual configuration?

A

Environment cloning

333
Q

What type of file is used to configure multi-container Docker applications?

A

Docker Compose file

334
Q

What are the three categories of Elastic Beanstalk runtimes/platforms?

A

Built-in languages, Docker, and custom platforms

335
Q

What is the hierarchical structure of Elastic Beanstalk?

A

Applications, which contain Environments, which contain Versions.

336
Q

In Elastic Beanstalk, what are the two tier options when configuring an environment?

A

(1) web server tier (user interacts with)
(2) worker tier (processes application logic)

337
Q

Elastic Beanstalk is great for _______ ___________ _______.

A

small development teams

338
Q

When using Elastic Beanstalk, should you host the database part of the application within Elastic Beanstalk?

A

No, create the databases outside of Elastic Beanstalk so they are not accidentally deleted (or data is lost) during blue/green deployments.

339
Q

The term “source bundle” refers to an application within what AWS service?

A

Elastic Beanstalk

340
Q

To decouple an existing RDS instance from within an Elastic Beanstalk environment to be a standalone RDS instance, you should create an _____ _________, click on “________ _______ __________” for the RDS instance, create a new EB environment without RDS, swap environments, and then terminate the old environment.

A

RDS snapshot… Enable Delete Protection

341
Q

Behind the scenes, Elastic Beanstalk uses _______________ to provision resources for your application.

A

CloudFormation

342
Q

You can customize your Elastic Beanstalk environment by creating a ____________ folder within the application source bundle and adding YAML or JSON CloudFormation files ending in ________.

A

.ebextensions
.config

343
Q

What AWS service automates server setup, configuration, deployment, and management with Chef and Puppet?

A

AWS OpsWorks

344
Q

What AWS Systems Manager feature allows you to define the desired state of your AWS resources?

A

State Manager.

345
Q

What AWS service is best suited for automated patch management, executing remote commands, and inventory management?

A

AWS Systems Manager

346
Q

Does Systems Manager Run Command require SSH/RDP access?

A

No, it connects via the Systems Manager agent that is installed on the EC2 instance and/or on-prem instances.

347
Q

In AWS Systems Manager, a ________ _________ is a set of rules for auto-approving patches.

A

Patch Baseline

348
Q

In AWS Systems Manager, what is used to logically separate instances, allowing for different patch baselines to be applied to different sets of instances?

A

Patch Groups

349
Q

In AWS Systems Manager, what is used to schedule tasks such as patching, automation, or software updates to run on instances at specific times?

A

Maintenance Windows

350
Q

In AWS Systems Manager, ______ __________ specify the patches to apply, ______ __________ categorize instances for patching, and __________ ________ determine when patching occurs.

A

Patch Baselines… Patch Groups… Maintenance Windows

351
Q

In Systems Manager Patch Manager, there are some predefined Patch Baselines that contain security patches and updates. What do each of these refer to?
(1) AWS-AmazonLinux2DefaultPatchBaseline
(2) AWS-UbuntuDefaultPatchBaseline
(3) AWS-DefaultPatchBaseline
(4) AWS-WindowsPredefinedDefaultPatchBaseline-OS
(5) AWS-WindowsPredefinedDefaultPatchBaseline-OS-Applications

A

(1) default for Linux
(2) default for Ubuntu
(3) default for Windows (2 possible names)
(4) default for Windows (2 possible names)
(5) defaults for Windows + MS App updates

352
Q

What is the name of the AWS Systems Manager command that patches the instances?

A

AWS-RunPatchBaseline

353
Q

What is the default behavior of a newly created custom NACL in AWS?

A

It denies all inbound and outbound traffic until rules are added to allow traffic.

354
Q

How are rules in a NACL evaluated by AWS?

A

Sequentially, based on the rule number, from lowest to highest.

355
Q

What is the default behavior of a newly created Security Group in AWS?

A

Allows all outbound traffic; denies all inbound traffic

356
Q

The rules in a ____________ allow traffic based on protocol, port, and source/destination.

A

Security Group

357
Q

Often an AWS Site-to-Site VPN can be configured in less than …

A

1 hour

358
Q

What are the three key components of an AWS Site-to-Site VPN connection?

A

(1) Virtual Private Gateway (VGW)
(2) Customer Gateway (CGW)
(3) the IPsec tunnel

359
Q

What are the two types of AWS Site-to-Site VPNs?

A

(1) Static VPN
(2) Dynamic VPN

360
Q

How is an AWS Static VPN different from a Dynamic VPN?

A

Static = route table routes are added manually
Dynamic = “route propagation” (if enabled) allows routes to be automatically added to the route tables using BGP

361
Q

What is the speed limit for AWS Site-to-Site VPNs?

A

1.25 Gbps

362
Q

What are four supported attachments for the Transit Gateway?

A

(1) VPCs
(2) Site-to-Site VPNs (i.e. VGW)
(3) Direct Connect Gateways
(4) Other TGWs

363
Q

Can a Transit Gateway peer with another Transit Gateway in a different AWS account?

A

Yes. Transit Gateway supports cross-account, and cross-region, peering.

364
Q

Is there a cost for using the AWS RAM?

A

No

365
Q

In AWS RAM, what are the three “principals” with whom a resource can be shared?

A

(1) Account
(2) OU
(3) Organization

366
Q

When subnets are shared across AWS accounts using RAM, if a participant account provisions resources into the shared subnet, who owns the resource?

A

The account that provisions the resource owns the resource (in this example, the RAM participant account).

367
Q

When subnets are shared across AWS accounts using RAM, can the VPC (subnet) owner delete or modify resources created by participant accounts?

A

No.

368
Q

To attach a Direct Connect Gateway to a Transit Gateway, you would need a ________ ______ running over the DX connection.

A

transit VIF

369
Q

What AWS service allows you to use on-premises Active Directory with AWS services without any directory data stored in AWS?

A

AD Connector - this redirects requests to on-prem servers

370
Q

What service provides a fully managed Active Directory in AWS?

A

AWS Managed Microsoft AD

371
Q

The AWS AD Connector injects ENIs into _____ subnets within your VPC and these go into (different/same) AZs.

A

two… different

372
Q

The AWS AD Connector requires a _______ or ________ for connecting to your on-premises Active Directory.

A

Site-to-Site VPN or Direct Connect

373
Q

The AWS-Managed _____________ service is highly available by default and it deploys the domain controller into 2 AZ’s by default.

A

Microsoft AD

374
Q

What AWS service supports RADIUS-based MFA?

A

AWS Managed Microsoft AD and AD Connector both support RADIUS-based MFA; Simple AD does not.

375
Q

To enhance the speed of Direct Connect connections, you can combine multiple DX connections (up to 4), assuming they are all terminating into the same endpoint, using ____________.

A

Link Aggregation Groups (LAGs): up to four 1 Gbps or 10 Gbps dedicated connections, or two 100 Gbps connections, all of the same bandwidth and terminating at the same Direct Connect endpoint.

376
Q

What key feature does Managed Microsoft AD support that Simple AD does not?

A

Trust relationships with on-premises Active Directory.

377
Q

What is the maximum speed for an AWS DX LAG?

A

200 Gbps (two 100 Gbps dedicated connections)

378
Q

In DNS, an A record maps a _______ to a ________.

A

host… IPv4 address

379
Q

In DNS, an AAAA record maps a _______ to a ________.

A

host… IPv6 address

380
Q

In DNS, a CNAME record maps a _______ to a ________.

A

host… host

381
Q

In DNS, if the resolver has to walk the tree in order to find the destination IP address, this result is known as an _____________ answer.

A

authoritative

382
Q

In DNS, if the resolver does NOT have to walk the tree in order to find the destination IP address (i.e. the result is already cached on the DNS resolver server) this result is known as a _____________ answer.

A

non-authoritative

383
Q

What is meant by Resource Records within a Route 53 Public Hosted Zone?

A

Resource Records are simply the collection of A, AAAA, CNAME, MX, TXT, etc records

384
Q

What R53 feature is ideal if you want to use the same domain name for public access and private access, but you want the records to be different for each?

A

Route 53 Split View Hosted Zone

385
Q

Let’s say within DNS, you want to map the following:

catagram.io -> ALB

Could you use a CNAME record for this?

A

No, because CNAME records don’t support the apex (e.g. catagram.io).

You would use an ALIAS record for this.

386
Q

Does R53 Simple Routing support health checks?

A

No

387
Q

Route 53 health checks are conducted every ____ seconds by default, or up to ____ seconds for an extra cost.

A

30… 10

388
Q

What three protocols can be used for Route 53 health checks?

A

(1) HTTP
(2) HTTPS
(3) TCP

389
Q

Route 53 health checks can monitor what three things?

A

(1) endpoints
(2) status of other health checks
(3) state of CloudWatch alarms

390
Q

Is KMS a regional or global service?

A

regional (multi-Region keys exist, but each replica is still a separate regional resource with its own ARN)

391
Q

AWS KMS has been validated by the United States National Institute of Standards and Technology (NIST) under what level of security?

A

Federal Information Processing Standards (FIPS) 140-2 (Level 3)

392
Q

The term CMKs (Customer Master Keys) in KMS has been superseded by simply __________.

A

KMS Keys

393
Q

KMS Keys can be used for up to ___ KB of data.

A

4KB

394
Q

For encrypting data > 4KB, you can’t use KMS directly, but you can use KMS to generate ___________ which then encrypts and decrypts the data.

A

Data Encryption Keys (DEKs)
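The envelope pattern the two cards above describe, as an added example (not code from this deck or from AWS): a mock KMS that refuses direct Encrypt calls over 4 KB, a GenerateDataKey that returns a plaintext DEK together with the same DEK wrapped under the master key, and the encrypt/decrypt round trip of a 10 KB payload that only ever sends the 32-byte DEK to "KMS". The mock, its AES-GCM wrapping and the 10 KB sample are stand-ins; only the 4096-byte limit and the call shapes mirror the real API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// mockKMS stands in for a KMS key (not the AWS SDK); as with a real KMS key, the master key never leaves it.
type mockKMS struct{ masterKey []byte }

func newMockKMS() (*mockKMS, error) {
	key := make([]byte, 32) // AES-256 master key
	_, err := rand.Read(key)
	return &mockKMS{masterKey: key}, err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce||ciphertext||tag under AES-GCM with a fresh random nonce.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; any tampering fails the GCM tag check.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Encrypt models kms:Encrypt, including its 4096-byte plaintext ceiling.
func (k *mockKMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > 4096 {
		return nil, fmt.Errorf("plaintext is %d bytes; direct KMS Encrypt accepts at most 4096", len(plaintext))
	}
	return sealGCM(k.masterKey, plaintext)
}

func (k *mockKMS) Decrypt(blob []byte) ([]byte, error) { return openGCM(k.masterKey, blob) } // kms:Decrypt

// GenerateDataKey models kms:GenerateDataKey: a fresh 256-bit DEK, returned in plaintext (use once, then discard) and wrapped under the KMS key.
func (k *mockKMS) GenerateDataKey() (plaintextKey, wrappedKey []byte, err error) {
	plaintextKey = make([]byte, 32)
	if _, err = rand.Read(plaintextKey); err != nil {
		return nil, nil, err
	}
	wrappedKey, err = k.Encrypt(plaintextKey) // 32 bytes: far below the 4 KB limit
	return plaintextKey, wrappedKey, err
}

// Envelope is what gets persisted: data under the DEK, DEK under the KMS key.
type Envelope struct{ WrappedDEK, Ciphertext []byte }

// EnvelopeEncrypt protects a payload of any size with a single small KMS call.
func EnvelopeEncrypt(k *mockKMS, data []byte) (*Envelope, error) {
	dek, wrapped, err := k.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, data)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// EnvelopeDecrypt has KMS unwrap the DEK (another small call), then decrypts locally.
func EnvelopeDecrypt(k *mockKMS, env *Envelope) ([]byte, error) {
	dek, err := k.Decrypt(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, env.Ciphertext)
}

func main() {
	k, _ := newMockKMS()
	payload := make([]byte, 10*1024) // constructed 10 KB sample: over the direct-Encrypt limit
	_, directErr := k.Encrypt(payload)
	env, _ := EnvelopeEncrypt(k, payload)
	pt, err := EnvelopeDecrypt(k, env)
	fmt.Println("direct:", directErr, "| envelope round trip ok:", err == nil && len(pt) == len(payload))
}
```

In production the plaintext DEK should be zeroed as soon as the data has been sealed, and the wrapped DEK is stored next to the ciphertext; decrypting then costs exactly one KMS Decrypt call of 60 bytes regardless of how large the object is.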

395
Q

Can an EBS volume be encrypted after its creation?

A

Not in place. Take a snapshot of the unencrypted volume, copy the snapshot with encryption enabled (choosing the KMS key), create a new volume from the encrypted copy, and swap it in for the original.

396
Q

Can an EBS volume be attached to multiple EC2 instances simultaneously?

A

No, except for io1/io2 volumes with Multi-Attach enabled, and then only to instances in the same Availability Zone.

397
Q

What are the three throughput modes of EFS?

A

(1) elastic (default)
(2) provisioned (predictable)
(3) bursting (unpredictable)

398
Q

____________ is specific for managing secrets, whereas _________ is used for a wider range of configuration data and secrets.

A

Secrets Manager… Parameter Store

399
Q

Which AWS service supports automatic rotation of credentials without application changes?

A

AWS Secrets Manager

400
Q

If the exam mentions needing to store passwords or API keys, and Parameter Store and Secrets Manager are both options, you should default to choosing _____________.

A

Secrets Manager

401
Q

What service directly integrates with other AWS services (such as RDS) for automatic credential (secret) rotation?

A

AWS Secrets Manager

402
Q

When choosing between Secrets Manager and Systems Manager Parameter Store, and you need to store either of the following:

(1) hierarchical configuration information
(2) CloudWatch agent configuration

then you should lean towards ____________ as the correct answer.

A

Systems Manager Parameter Store

403
Q

__________ is a continuous security monitoring service for threat detection. It identifies unexpected and unauthorized activity.

A

Amazon GuardDuty

404
Q

_____________ can support multiple AWS accounts via an administrator account that manages threat detection on behalf of the member accounts.

A

Amazon GuardDuty

405
Q

Which AWS logs does Amazon Guard Duty analyze to identify threats and malicious activity?

A

(1) VPC Flow Logs
(2) CloudTrail (management events, plus S3 data events with S3 Protection)
(3) DNS logs

These are the foundational sources. Optional protection plans add EKS audit logs, RDS login activity, Lambda network activity and EBS malware scanning.

406
Q

What is required to enable AWS Config across multiple accounts in an organization?

A

Enable AWS Config in each account and designate an aggregator account to collect the configuration and compliance data.

407
Q

Can AWS Config track changes to IAM roles and policies?

A

Yes

408
Q

Which AWS service records configuration changes over time on resources?

A

AWS Config

409
Q

Can AWS Config prevent changes from happening?

A

No. Config records and evaluates changes; it does not block them. A Config rule can, however, trigger a remediation action (an SSM Automation document) after a resource is found non-compliant. Preventive controls belong to SCPs and IAM policies.

410
Q

AWS Config is a ________ (regional/global) service by default.

A

regional

411
Q

Where is AWS Config data stored?

A

In an S3 bucket that you specify during AWS Config setup.

412
Q

Using _____________, your AWS resources can be evaluated with predefined or custom rules (using Lambda) and labeled as ‘compliant’ or ‘non-compliant’. These compliant / non-compliant states can then trigger remediation via EventBridge.

A

Config Rules (a feature of AWS Config)

413
Q

One distinction between GuardDuty and Inspector is that _________ focuses more narrowly on EC2 instances.

A

Inspector (its original scope was EC2 hosts; the current service also scans ECR container images and Lambda functions)

414
Q

__________ focuses on vulnerability and deviations from best practices within EC2 instances, while __________ focuses on broader threat detection across the AWS environment.

A

Inspector… GuardDuty

415
Q

Which AWS service provides a “security report” of findings as its output?

A

Amazon Inspector

416
Q

Which AWS service might have an output containing a data attribute called “UnrecognizedPortWithListener”?

A

Amazon Inspector

417
Q

When you see keywords on the exam like host assessments, common vulnerabilities and exposures (CVEs), and Center for Internet Security (CIS) benchmarks, the answer is likely ____________.

A

Amazon Inspector

418
Q

Which AWS service gives you a centralized view of your security alerts and security posture across your AWS accounts?

A

AWS Security Hub

419
Q

What are two main functions of AWS Security Hub?

A

(1) Aggregating security findings
(2) Performing automated security checks against AWS best practices

420
Q

What does PCI DSS stand for, and what is the primary purpose?

A

Payment Card Industry Data Security Standard

To protect cardholder data and secure payment card transactions.

421
Q

What intrinsic function in CloudFormation returns the value of a specified parameter or resource?

A

‘Ref’

422
Q

How can you concatenate values in a CloudFormation template?

A

‘Fn::Join’ (or ‘Fn::Sub’, which substitutes ${…} placeholders inside a string template)

423
Q

What section of a CloudFormation template holds predefined lookup values (for example, a per-Region AMI ID) so that resources can reference them instead of hard-coding them?

A

Mappings (read with Fn::FindInMap)

424
Q

What CloudFormation attribute would you use to ensure resources are created and configured in a specific order?

A

DependsOn

425
Q

What CloudFormation feature can you use to pause resource creation until a custom condition is met?

A

WaitCondition (paired with a WaitConditionHandle that the instance signals, typically via cfn-signal). For EC2 and Auto Scaling resources, a CreationPolicy is the preferred way to wait for such a signal.

426
Q

When sharing a Route 53 Hosted Zone across accounts, the account with the hosted zone must __________ the association, and the account receiving the access must then accept the _____________.

A

authorize… authorization (this applies to a private hosted zone: the zone owner runs create-vpc-association-authorization for the other account’s VPC, and the VPC owner then runs associate-vpc-with-hosted-zone)

427
Q

What is a fully qualified domain name (FQDN)?

A

It is the complete address of a host (for example, www.example.com)

428
Q

When using ACM to create certificates for a multi-region deployment of ELBs, can you create all of the certificates in us-east-1?

A

No, that only works for global services (such as CloudFront). For a multi-region deployment of ELBs, you need to create ACM certificates within each desired region.

429
Q

What feature allows AWS S3 to automatically replicate data across multiple AWS regions?

A

S3 Cross-Region Replication.

430
Q

How do you ensure that AWS resources can only be accessed within your organization?

A

Not with DNS alone. A Route 53 private hosted zone only controls how names resolve inside the VPCs associated with it; it is not an access control. Restrict access with resource-based and VPC endpoint policies that use the aws:PrincipalOrgID condition key, plus SCPs on the organization. A private hosted zone complements this by keeping internal names unresolvable from the internet.

431
Q

Which AWS service is used to manage containerized workloads across AWS and on-premises environments?

A

Amazon ECS Anywhere.

432
Q

How can AWS Lambda be triggered by changes in an AWS CodeCommit repository?

A

Based on CodeCommit push events.

433
Q

For a static website hosted on S3 to be publicly accessible, how would you do this in the console?

A

Turn off the bucket’s Block Public Access settings, then add a bucket policy that grants s3:GetObject on the bucket’s objects to everyone (Principal "*"). Disabling Block Public Access grants nothing by itself; the policy does.

434
Q

To avoid simultaneous EC2 instance reboots during patching, what feature should you configure?

A

Non-overlapping maintenance windows.

435
Q

What feature allows you to transfer S3 data transfer costs to the requester?

A

Requester Pays.

436
Q

Which DynamoDB feature allows automatic deletion of items after a specified time?

A

Time to Live (TTL).

437
Q

What is the recommended way to collect logs from EC2 instances for analysis?

A

Configure a unified CloudWatch Logs agent.

438
Q

What are the three ECS networking modes?

A

(1) bridge (default for Linux)
(2) host
(3) awsvpc

(A fourth mode, none, disables external networking for the task. awsvpc is mandatory on Fargate.)

439
Q

Which ECS networking mode creates an ENI for each task?

A

awsvpc

440
Q

Which network mode should be used in ECS to allow task-level security groups?

A

awsvpc

441
Q

____________ is a free and open-source implementation of the Java Platform, Standard Edition (Java SE). It is an alternative to the commercially-licensed OracleJDK.

A

OpenJDK, or Open Java Development Kit

442
Q

To save on Oracle Java SE licensing costs when migrating to AWS, what could you use as an alternative?

A

OpenJDK (for example Amazon Corretto, AWS’s no-cost, long-term-supported OpenJDK distribution)

443
Q

_____________ is a unique type of IAM role in AWS that is predefined by the service, and only the linked service can assume the role.

A

service-linked role

444
Q

What adjustment to SQS redrive policy can help prevent premature dead-letter queue transfers?

A

Increase maxReceiveCount.

445
Q

Is multi-region deployment for read and write operations supported by RDS?

A

No, although it does support the creation of cross-Region read replicas for some database engines.

446
Q

For a global application needing fault tolerance across regions with relational database features, what AWS database service fits best?

A

Amazon Aurora Global Database.

447
Q

To comply with strict IT security policies at the container level, which AWS service and feature should be used?

A

Amazon ECS with awsvpc network mode and security groups.

448
Q

What are two ways to ensure security for logs stored in S3?

A

(1) Enable MFA Delete
(2) configure bucket policies

Also worth pairing with these: versioning plus S3 Object Lock for a write-once retention period, and server-side encryption with a KMS key.

449
Q

Which AWS service is used to migrate VMs from on-premises to AWS with minimal downtime?

A

AWS Application Migration Service (MGN)

450
Q

By default, CloudTrail trails created via the AWS Management Console have _______ ________ events enabled.

A

global service

451
Q

Which AWS service allows automated OS patching and management of EC2 instances?

A

AWS Systems Manager

452
Q

To securely pass database credentials to an Amazon ECS container, you can use AWS Secrets Manager or AWS Systems Manager Parameter Store to store the sensitive data, and you also need to ensure that _____________.

A

the ECS task execution role (the role the ECS agent uses to pull the image and inject the secrets) is allowed to read them: secretsmanager:GetSecretValue or ssm:GetParameters, plus kms:Decrypt if a customer managed key encrypts them. This is distinct from the task role, which the application code itself assumes.

453
Q

The AWS Application Migration Service uses ___________ _________, that are installed on each source server, to facilitate the migration of on-premises servers to AWS.

A

replication agents

454
Q

CloudTrail ______________ is a feature that allows you to check the integrity of your CloudTrail log files to determine if they have been changed after delivery.

A

log file validation
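An added example, not from this deck and not the real CloudTrail digest schema: a simplified model of what log file validation checks. Each digest lists the SHA-256 of every log file delivered in its window, carries the previous digest’s signature so the digests form a chain, and is itself signed by the service; the verifier recomputes the hashes and checks signature and chain. The RSA key pair is generated in-process as a stand-in for the CloudTrail public key an auditor would fetch with `aws cloudtrail list-public-keys`, and the log objects are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// LogFile is one delivered CloudTrail log object as read back from S3.
type LogFile struct {
	Key     string
	Content []byte
}

// Digest is a simplified model of a CloudTrail digest file (not the real schema):
// one SHA-256 per log file, the previous digest's signature, and an RSA signature.
type Digest struct {
	LogHashes         map[string]string // S3 key -> hex SHA-256 of the log file
	PreviousSignature []byte            // nil for the first digest in the chain
	Signature         []byte
}

// newSigningKey stands in for the service key whose public half `aws cloudtrail list-public-keys` returns.
func newSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// signedBytes is what the signature covers: every entry in key order plus the
// previous signature, so neither a hash nor the chain can be edited unnoticed.
func signedBytes(d *Digest) []byte {
	keys := make([]string, 0, len(d.LogHashes))
	for k := range d.LogHashes {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	for _, k := range keys {
		fmt.Fprintf(h, "%s=%s\n", k, d.LogHashes[k])
	}
	h.Write(d.PreviousSignature)
	return h.Sum(nil)
}

// SignDigest plays the service: hash the delivered files, link to the previous digest, sign.
func SignDigest(priv *rsa.PrivateKey, files []LogFile, prev *Digest) (*Digest, error) {
	d := &Digest{LogHashes: make(map[string]string, len(files))}
	for _, f := range files {
		d.LogHashes[f.Key] = sha256Hex(f.Content)
	}
	if prev != nil {
		d.PreviousSignature = prev.Signature
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, signedBytes(d))
	d.Signature = sig
	return d, err
}

// VerifyDigest plays the auditor: signature first (was the digest itself altered?),
// then the chain link, then every log file in the bucket against its recorded hash.
func VerifyDigest(pub *rsa.PublicKey, d, prev *Digest, files []LogFile) error {
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, signedBytes(d), d.Signature); err != nil {
		return fmt.Errorf("digest signature invalid: digest modified or forged")
	}
	if prev != nil && !bytes.Equal(d.PreviousSignature, prev.Signature) {
		return fmt.Errorf("chain broken: previous digest signature does not match")
	}
	seen := make(map[string]bool, len(files))
	for _, f := range files {
		seen[f.Key] = true
		want, ok := d.LogHashes[f.Key]
		if !ok {
			return fmt.Errorf("%s is not listed in the digest", f.Key)
		}
		if sha256Hex(f.Content) != want {
			return fmt.Errorf("%s was changed after delivery", f.Key)
		}
	}
	for k := range d.LogHashes {
		if !seen[k] {
			return fmt.Errorf("%s is in the digest but missing from the bucket", k)
		}
	}
	return nil
}

func main() {
	priv, _ := newSigningKey()
	files := []LogFile{ // constructed sample log object
		{Key: "2024/01/01/b.json.gz", Content: []byte(`{"Records":[{"eventName":"StopLogging"}]}`)},
	}
	d, _ := SignDigest(priv, files, nil)
	fmt.Println("pristine:", VerifyDigest(&priv.PublicKey, d, nil, files))
	files[0].Content = []byte(`{"Records":[]}`) // attacker scrubs the StopLogging event
	fmt.Println("tampered:", VerifyDigest(&priv.PublicKey, d, nil, files))
}
```

The order of checks matters: an attacker with write access to the bucket can rewrite both a log file and the digest that lists it, which is why the digest must be signed by a key the attacker does not hold and why the digests chain to each other, so that removing a whole hour of files and its digest also shows up as a break in the chain.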

455
Q

________________ with CloudFront is a feature that allows you to set up CloudFront with two origins: a primary and a secondary.

A

Origin failover

456
Q

A ____________ is a globally available network device that allows you to connect your AWS Direct Connect connection to VPCs in remote Regions. It can be created in any AWS Region and accessed from all other Regions.

A

Direct Connect Gateway

457
Q

How could you enable inter-region VPC access from your corporate environment?

A

Use a Direct Connect connection with a Direct Connect Gateway

458
Q

___________Gateway focuses on private connectivity from on-premises, whereas ___________Gateway focuses on interconnectivity between VPCs, VPNs, and Direct Connect Gateways.

A

Direct Connect Gateway… Transit Gateway

459
Q

What service enables the creation of a cloud-based contact center?

A

Amazon Connect

460
Q

Which service allows you to build conversational interfaces with automatic speech recognition?

A

Amazon Lex

461
Q

What AWS feature can trigger a Lambda function upon data file upload to S3?

A

Amazon S3 event notifications

462
Q

In the context of the AWS Schema Conversion Tool (SCT), a ___________ can be installed on a separate on-premises server from the one running AWS SCT, allowing for the parallel extraction of data.

A

extraction agent

463
Q

Large-scale data migrations of tens of TB of data often use the AWS SCT (Schema Conversion Tool) along with a ______________ for the migration.

A

Snowball Edge device

464
Q

When a user attempts to access AWS resources, a ______________ is generated by the organization’s identity provider (IdP) after the user’s identity is verified (the “authentication” portion of authentication and authorization)

A

SAML assertion

465
Q

______________ is a service that monitors and provides alerts on containerized applications at scale.

A

Amazon Managed Service for Prometheus

466
Q

An example architecture for processing data from IoT devices to Amazon RDS might use ________ to trigger ________.

A

Amazon S3 event notifications… a Lambda function

467
Q

The _______ record is specific to AWS Route 53 and provides a Route 53–specific extension to DNS functionality.

A

ALIAS

468
Q

In Route 53, __________ records are nearly always preferred over __________ records, except when pointing to non-AWS resources.

A

Alias… CNAME (Alias records work at the zone apex, and Route 53 does not charge for queries to Alias records that point at AWS resources)

469
Q

If another AWS account needs to copy information to or from a resource in your own AWS account, you can set up cross-account access with a __________ Policy

A

resource-based

470
Q

Which AWS service allows you to create data-driven workflows to automate and orchestrate the movement and transformation of data?

A

AWS Data Pipeline (now in maintenance mode and closed to new customers; AWS points new workloads to AWS Glue, Step Functions or Amazon MWAA)

471
Q

Which AWS service utilizes a standby instance for automatic failovers?

A

Amazon RDS

472
Q

When you choose a ____________ deployment, Amazon RDS automatically creates a primary DB instance and synchronously replicates the data to a standby instance in a different Availability Zone.

A

Multi-AZ

473
Q

_____________ is a scalable marketing communications AWS service that helps businesses connect with their customers through personalized multichannel communications.

A

Amazon Pinpoint

474
Q

The “rehost” migration strategy is also known as ____________ and does not re-configure anything.

A

lift and shift

475
Q

Between Amplify and Elastic Beanstalk, ________ is optimized for serverless and frontend-driven applications, whereas ________ is for traditional app deployments with more backend control.

A

Amplify… Elastic Beanstalk

476
Q

The “Replatform” migration strategy could also be described as _______________.

A

lift and shift with optimization

477
Q

When a company’s migration encompasses a transition from a self-managed database to an AWS managed database (such as RDS), this would be an example of a __________ migration strategy.

A

Replatform

478
Q

How can you restrict access to files in Amazon S3 to ensure they can only be accessed via CloudFront URLs?

A

Use the CloudFront feature called Origin Access Control (OAC).

479
Q

______________ defines a way for client web applications (typically the JavaScript) that are loaded in one domain to interact with resources in a different domain.

A

Cross-origin resource sharing (CORS)

480
Q

___________ is used for simplified (fully managed, aka serverless) deployment and management of containerized web applications, whereas ___________ is used for more flexible, larger, and configurable containerized workloads.

A

AWS App Runner… ECS

481
Q

_________ APIs are often used in real-time applications such as chat applications, collaboration platforms, multiplayer games, and financial trading platforms.

A

WebSocket APIs

482
Q

_________ provide full-duplex communication over a single TCP connection. Unlike ______, the connection is persistent and not closed after each request/response.

A

WebSocket APIs… REST APIs

483
Q

_________ use HTTP only briefly during the initial handshake phase when establishing the connection to upgrade from HTTP to _________ protocol. Once upgraded, all further messaging happens directly over TCP.

A

WebSocket APIs… WebSocket

484
Q

_________ is a fully managed serverless GraphQL service.

A

AWS AppSync

485
Q

What are three common types of APIs?

A

(1) REST API
(2) GraphQL API
(3) WebSocket API

486
Q

An EC2 instance _______ is a container for an IAM role that is used to pass role information to an Amazon EC2 instance when the instance starts.

A

profile

487
Q

What is the default configuration (enabled/disabled) of cross-zone load balancing for ALBs, NLBs, and Gateway Load Balancers (GWLBs)?

A

(1) ALB: enabled
(2) NLB: disabled
(3) GWLB: disabled

488
Q

A load balancer ________ checks for connection requests from clients, using the protocol and port that you configure, and forwards requests to a target group.

A

listener

489
Q

A ________ Load Balancer offers support for static IP addresses (because it operates at _____ of the OSI model).

A

Network Load Balancer… L4

490
Q

A ________ Load Balancer can route requests to multiple applications on a single EC2 instance, using different ports for each application

A

Network Load Balancer

491
Q

A ________ Load Balancer is capable of managing sudden and unpredictable workloads, scaling to millions of requests per second

A

Network Load Balancer

492
Q

Which AWS service integrates data flows between SaaS and AWS services?

A

Amazon AppFlow

493
Q

What are the two primary methods to allow external users to access AWS resources?

A

(1) granting federated access via the IAM Identity Center
(2) Cognito Identity Pools

494
Q

__________ is used for managing access to AWS resources for human users within your organization, while __________ is used for providing temporary, limited access to AWS resources for users of mobile and web applications.

A

IAM Identity Center… Cognito Identity Pools

495
Q

Are RDS automated backups enabled by default?

A

Yes

496
Q

___________ occur once per day during a user-configurable period known as the backup window.

A

Amazon RDS automated backups

497
Q

The S3 Glacier standard retrieval time is approximately ___________.

A

3 to 5 hours (S3 Glacier Flexible Retrieval; Expedited retrievals take 1 to 5 minutes and Bulk retrievals 5 to 12 hours)

498
Q

Which CloudFormation intrinsic function allows you to retrieve attribute properties of other resources created within the CloudFormation template.

A

Fn::GetAtt

499
Q

In the context of the AWS Storage Gateway, the term “iSCSI” indicates that _______ storage is being used, and thus the Storage Gateway _______ Gateway may be the answer.

A

block… Volume

500
Q

__________ is an open-source platform developed by Red Hat for implementing Java applications, it provides a full range of Java EE (Enterprise Edition) features, and it is used as a framework by many software companies.

A

JBoss Application Server

501
Q

_________ is a utility built into Oracle databases that automates the process of backup and recovery.

A

Oracle RMAN (Recovery Manager)

502
Q

__________ is a search service purpose-built for simplicity, whereas __________ is a managed distribution of open-source Elasticsearch supporting advanced analytics features.

A

CloudSearch… Amazon OpenSearch Service (the managed service for OpenSearch, the open-source fork of Elasticsearch)

503
Q

The ______________ is an identity authentication protocol that can help prevent replay attacks (where an adversary intercepts traffic and redirects or delays it).

A

Challenge-Handshake Authentication Protocol (CHAP), used to authenticate iSCSI initiators to Storage Gateway volumes

504
Q

Similar to how a NAT Gateway is used for outbound IPv4 traffic from a private subnet, a _______ is used for outbound IPv6 traffic.

A

egress-only Internet Gateway

505
Q

What are the two Storage Gateway - Volume Gateway options?

A

(1) Cached Volumes
(2) Stored Volumes

506
Q

What is the term for a workflow within AWS Step Functions?

A

a state machine

507
Q

Can AWS Step Functions read and write from DynamoDB?

A

Yes

508
Q

____________ manages compute environments and job queues, allowing users to easily run thousands of jobs of any scale using Amazon ECS, Amazon EKS, and AWS Fargate with an option between Spot or on-demand resources.

A

AWS Batch

509
Q

_________ is designed for running batch computing workloads of any scale, while _________ is tailored for processing vast amounts of data using open source big data tools.

A

AWS Batch… Amazon EMR

510
Q

Is the Oracle feature called Real Application Clusters (RAC) supported in Amazon RDS?

A

No

511
Q

The ___________ (error type) in AWS Lambda typically occurs when the function reaches the account’s concurrency limit or when the request throughput limit is exceeded.

A

TooManyRequestsException

512
Q

In DynamoDB, the ___________ error means that your request rate is too high for a table or global secondary index. To solve this, you can increase the ___________ of your DynamoDB table.

A

ProvisionedThroughputExceededException … provisioned read or write capacity (RCUs or WCUs, whichever is being exhausted). Alternatives: switch the table to on-demand capacity mode, or have the client retry with exponential backoff, which the AWS SDKs do by default.

513
Q

When an EC2 instance assumes an IAM role, does it retrieve its security credentials from the instance metadata or user data?

A

metadata: the instance metadata service (IMDS) at 169.254.169.254 serves them under /latest/meta-data/iam/security-credentials/. Prefer IMDSv2 (a session token obtained with a PUT, then presented on each GET) and set HttpTokens=required on the instance, so that a GET-only SSRF in an application cannot read the role credentials.
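The IMDSv2 exchange described above, as an added example that is not part of this deck: a client that performs the PUT-for-token, GET-role-name, GET-credentials sequence against an in-process mock of the metadata endpoint configured for tokens-required, and a tokenless IMDSv1-style probe that the mock rejects. The header names and paths are the real IMDS ones; the mock server, the token, the role name and the credential values are constructed for the example and are not real keys.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Header names and paths are the real IMDS ones; the token, role and key values are constructed.
const (
	tokenHeader    = "X-aws-ec2-metadata-token"
	tokenTTLHeader = "X-aws-ec2-metadata-token-ttl-seconds"
	tokenPath      = "/latest/api/token"
	credsPath      = "/latest/meta-data/iam/security-credentials/"
	fakeToken      = "AQAAAEXAMPLE-imds-session-token"
	fakeRole       = "example-instance-role"
)

// RoleCredentials is the document IMDS returns for the attached instance profile role.
type RoleCredentials struct {
	AccessKeyId     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
	Token           string `json:"Token"`
	Expiration      string `json:"Expiration"`
}

// newMockIMDS emulates 169.254.169.254 with HttpTokens=required (IMDSv2 only):
// a token is issued only to a PUT, and every metadata GET must present one.
func newMockIMDS() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc(tokenPath, func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPut || r.Header.Get(tokenTTLHeader) == "" {
			http.Error(w, "token requires PUT with a TTL header", http.StatusBadRequest)
			return
		}
		fmt.Fprint(w, fakeToken)
	})
	mux.HandleFunc(credsPath, func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(tokenHeader) != fakeToken {
			http.Error(w, "IMDSv1 is disabled on this instance", http.StatusUnauthorized)
			return
		}
		switch r.URL.Path[len(credsPath):] {
		case "": // the listing returns the attached role's name
			fmt.Fprint(w, fakeRole)
		case fakeRole:
			json.NewEncoder(w).Encode(RoleCredentials{ // constructed values, not real credentials
				AccessKeyId: "ASIAEXAMPLEEXAMPLE12", SecretAccessKey: "example-secret-access-key",
				Token: "example-session-token", Expiration: "2030-01-01T00:00:00Z",
			})
		default:
			http.NotFound(w, r)
		}
	})
	return httptest.NewServer(mux)
}

// imdsRequest issues one IMDS call: a PUT asks for a 6-hour token; a GET with token == "" models a legacy IMDSv1 client.
func imdsRequest(method, url, token string) ([]byte, error) {
	req, _ := http.NewRequest(method, url, nil)
	if method == http.MethodPut {
		req.Header.Set(tokenTTLHeader, "21600")
	}
	if token != "" {
		req.Header.Set(tokenHeader, token)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s %s: %s", method, url, resp.Status)
	}
	return io.ReadAll(resp.Body)
}

// FetchRoleCredentials runs the IMDSv2 flow: PUT for a session token, GET the role name,
// GET its credentials. The PUT is what defeats SSRF bugs that can only issue GETs.
func FetchRoleCredentials(base string) (*RoleCredentials, error) {
	token, err := imdsRequest(http.MethodPut, base+tokenPath, "")
	if err != nil {
		return nil, err
	}
	role, err := imdsRequest(http.MethodGet, base+credsPath, string(token))
	if err != nil {
		return nil, err
	}
	raw, err := imdsRequest(http.MethodGet, base+credsPath+string(role), string(token))
	if err != nil {
		return nil, err
	}
	creds := &RoleCredentials{}
	return creds, json.Unmarshal(raw, creds)
}

func main() {
	srv := newMockIMDS()
	defer srv.Close()
	if creds, err := FetchRoleCredentials(srv.URL); err == nil {
		fmt.Println("IMDSv2: got", creds.AccessKeyId, "valid until", creds.Expiration)
	}
	_, err := imdsRequest(http.MethodGet, srv.URL+credsPath, "") // IMDSv1-style probe
	fmt.Println("tokenless GET:", err)
}
```

On a real instance the base URL is http://169.254.169.254 and the client should set a short timeout; the hop limit (HttpPutResponseHopLimit) of 1 is what additionally stops containers on a bridge network from obtaining a token through the host.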

514
Q

To keep your SSL/TLS keys secure, you can use ____________ to offload SSL/TLS processing for your web servers.

A

AWS CloudHSM

515
Q

Which disaster recover strategies would you use for the following:
(1) RTO of 24 hours or less
(2) RTO of hours
(3) RTO of minutes
(4) RTO essentially zero

A

(1) backup and restore
(2) pilot light
(3) warm standby
(4) active-active

516
Q

CloudFront _____________ allow you to control access to your content without changing your current URLs. It is also used when you want to provide access to multiple restricted files rather than a single file.

A

signed cookies

517
Q

In Amazon Kinesis, a _______ is a high-level class within the Kinesis Client Library (KCL) that Kinesis applications use to start processing data.

A

worker

518
Q

In AWS Lambda, what are the two types of concurrency?

A

(1) Reserved concurrency
(2) Provisioned concurrency

519
Q

In AWS Lambda, ________ concurrency represents the maximum number of concurrent instances allocated to your function, whereas ________ concurrency is the number of pre-initialized execution environments allocated to your function.

A

reserved… provisioned

520
Q

The _________ metric in AWS Lambda represents the number of function execution attempts that were throttled due to invocation rates exceeding the current limits.

A

Throttles metric

521
Q

Each separate source of logs in CloudWatch Logs makes up a separate _____ __________.

A

Log Stream

522
Q

Would you use SNS or SQS as part of an architecture to help with scaling?

A

SQS

523
Q

Is S3 or EBS the better storage choice when an application must scale out across many instances?

A

S3

524
Q

The _________ ___________ is a built-in SSL/TLS certificate that is associated with the CloudFront default domain name (*.cloudfront.net)

A

default certificate

525
Q

A CloudFront ________ origin refers to any web server or AWS resource that is not an Amazon S3 bucket

A

custom

526
Q
A