AWS-SA-Pro Flashcards
What are the two most common features of AWS Systems Manager?
- Run Command
- Patch Manager
What is the name of the AWS Systems Manager command that is used for a patch?
AWS-RunPatchBaseline
Which AWS service can you use if you want to migrate Chef and/or Puppet configuration management tools into the cloud?
AWS OpsWorks
Are AMI’s global or region-specific?
Region-specific
AWS OpsWorks is more suited for _______ whereas Elastic Beanstalk is more suited for _______.
AWS OpsWorks is more suited for infrastructure engineers whereas Elastic Beanstalk is more suited for development teams.
How do the key concepts of AWS OpsWorks interrelate (Stacks, Layers, Apps, Recipes, Cookbooks) ?
Stacks = one or more Layers.
Layers = set of EC2 instances grouped by function.
Apps = deployed (from S3) onto the layers.
Recipes = scripts applied to layers.
Cookbooks = collection of recipes that can be stored on GitHub.
How are Amazon GuardDuty & Amazon Inspector different from AWS Shield & AWS WAF?
GuardDuty & Inspector = detection.
Shield & WAF = protection.
Which service creates serverless GraphQL and Pub/Sub APIs?
AWS AppSync
What 4 services can be used with AWS WAF?
(1) CloudFront
(2) ALB
(3) API Gateway
(4) AppSync
Which AWS service scans EC2 instances for vulnerabilities and provides a report of findings?
Amazon Inspector
Which AWS service provides a CVE (common vulnerabilities and exposures) report?
Amazon Inspector
Differences between Amazon Inspector and Amazon GuardDuty?
Inspector scans EC2 instances for vulnerabilities.
GuardDuty scans entire AWS account using ML-based threat detection.
Would you use SAML 2.0 Identity Federation with Google, Facebook, Twitter, etc?
No. Use SAML 2.0 Identity Federation with an Enterprise Identity Provider (used mainly for on-prem IDs to indirectly login to AWS)
What is the difference between Cognito and IAM Identity Center?
Cognito will be used for customer login scenarios and IAM Identity Center will be used for enterprise / workforce login scenarios.
What’s the difference between Cognito User Pools and Identity Pools?
User Pools offer a sign-up or sign-in experience and provide users with a JWT.
Identity Pools offer a way to swap an unauthenticated or authenticated identity for AWS credentials.
Can API Gateway accept JWT’s for authentication?
Yes
How can an AWS admin create predefined products (and IaC templates) that end users can provision without fully accessing the AWS service (e.g. EC2 instances) ?
AWS Service Catalog
VPC Flow Logs can capture metadata for what three items (levels)?
(1) VPC
(2) Subnet
(3) ENI
Do VPC Flow Logs provide real-time data?
No. There is a delay.
What two log destinations can be used with VPC Flow Logs?
(1) S3
(2) CloudWatch logs
Where is a Network Firewall deployed?
At the VPC level
What layer does AWS WAF use?
L7
What is used to configure your WAF rules?
A Web ACL
What is the default Web ACL Capacity Unit (WCU) maximum?
1500
What are the three types of WAF Rule Groups? (Rule Group = reusable set of rules that you can add to a web ACL)
(1) Managed groups
(2) Self-managed groups
(3) Service-owned groups (Shield, Firewall Manager)
AWS WAF can inspect a request body, header, and cookie (among other items). However, what is the limit for how much can be inspected?
8 KiB (or 8192 bytes)
How are you charged for using WAF?
(1) $5 / month / Web ACL
(2) $1 / month / Web ACL Rule
(3) $0.60 / 1 million requests
What layer does AWS Shield Standard protect?
L3 and L4
Does AWS Shield Advanced get automatically applied to your resources?
No, even after paying for it, you still need to explicitly choose how to configure it for your resources.
What are two benefits of AWS Shield Advanced?
(1) DDoS cost protection – service credits are provided if your resources auto-scale in response to a DDoS attack
(2) Health-based detection – Shield Advanced can monitor Route 53 health checks to detect changes in resources and more quickly identify threats / attacks
Which AWS service offers Desktop-As-A-Service (DaaS)?
Amazon Workspaces
Are Amazon Workspaces highly available?
No, they run on EC2 instances inside a single subnet (and therefore AZ).
Which AWS Directory Service is best when you have more than 5000 users, you want it to be highly available (2+ AZs), and you want a trust relationship between on-prem and cloud directory?
AWS Directory Service for Microsoft Active Directory
Which AWS service uses schema extensions (remote desktop, Sharepoint, SQL, DFS)?
AWS Directory Service for Microsoft Active Directory
What is the best AWS directory service to use when you don’t want any directory data hosted in AWS?
AD Connector
What is the best AWS directory service for continuous operations if the network link between AWS and on-prem environment fails?
AWS Directory Service for Microsoft Active Directory – because the directory is simultaneously running on AWS EC2 instances in addition to on-prem
What AWS service allows your on-premises active directory to use other directory-compatible AWS services – without any identity data being stored in AWS?
AD Connector
What are the three categories of internet networking zones?
(1) Public Internet
(2) AWS Public Zone
(3) AWS Private Zone (VPCs)
Can DHCP Option Sets be edited?
No, once created they are immutable
When you associate a DHCP Option Set to a VPC, do the changes occur immediately?
No, the changes require a DHCP Renew which takes some time
In every subnet, what is the “subnet+1” IP address reserved for?
The VPC router’s network interface – every VPC router needs an interface in every subnet
What AWS service would you use to provision infrastructure for a contact center?
Amazon Connect – also it is omnichannel (voice + chat)
What AWS service would you use to ingest the following types of data: security cameras, smartphones, cars, drones, audio, thermal, depth, radar.. ?
Kinesis Video Streams
What AWS service will likely be used when the exam mentions GStreamer or RTSP (real-time streaming protocol) ?
Kinesis Video Streams
What AWS service is used for serverless ETL ?
AWS Glue
How many AWS Glue Data Catalogs can you have?
One catalog per region per account
How can you avoid data silos and improve visibility into your data stores across all AWS services?
Use AWS Glue Data Catalog crawlers to discover data
What AWS service provides managed web and mobile application testing using a fleet of real browsers and devices?
AWS Device Farm
What AWS service uses NLP to analyze text?
Amazon Comprehend
What AWS service would you use for intelligent enterprise search capability?
Amazon Kendra
What AWS service uses “slots” as parameters to categorize talking points during a conversation?
Amazon Lex
What routes traffic between subnets and is controlled by the route tables?
VPC Router
Every VPC is created with a _____ that is the default for every subnet in the VPC.
Main route table
How many route tables can a subnet have associated to it?
Only 1
How does a route table prioritize traffic routing when there are multiple matching entries?
The most specific route is prioritized
For a stateless firewall to work smoothly, you often have to ______ all outbound traffic so your server can return the responses to the changing client ephemeral ports.
allow
What AWS component has both “allow” and “deny” rules?
NACL
How are the NACLs and Security Groups different in regards to their default configurations?
NACLs allow all traffic by default.
Security Groups deny all traffic by default.
When you create a Custom NACL, what is the default inbound rule and default outbound rule?
Both are “deny all” rules.
Can Security Groups have explicit deny rules?
No. Only allow rules.
Security Groups are not actually attached to EC2 Instances; they are attached to _____
ENIs (primary network interface of the EC2 instance)
What AWS service would you use when you need single digit millisecond latency and AWS infrastructure physically located closer to your end users?
AWS Local Zones
What AWS service is conceptually just a single AZ that is physically closer to your end users?
AWS Local Zones
What AWS service converts text into “life-like” speech (no translation service) ?
Amazon Polly
What AWS service performs deep learning image and video analysis?
Amazon Rekognition
What AWS service can detect and analyze text in documents such as JPEG, PNG, PDF, or TIFF ?
Amazon Textract
What AWS service can you use to generate predictions based on time-series data?
Amazon Forecast
What service can you conceptually think of as an IDE for ML model lifecycles?
Amazon SageMaker Studio
Which Disaster Recover strategy would be analogous to moving from your current house to building a new backup house from scratch?
Backup & Restore
Which Disaster Recover strategy only runs the bare minimum resources required for a recovery?
Pilot Light
Which Disaster Recover strategy keeps a fully functional copy of your resources running but in a smaller and scaled down capacity than your current infrastructure?
Warm Standby
What keyword is used to describe the main CloudWatch service?
CloudWatch Metrics
How would you capture richer and more detailed metrics for CloudWatch?
Install the CloudWatch agent
What term is used in CloudWatch to define a container for metrics?
Namespaces
What is the term that CloudWatch uses to differentiate metrics between distinct EC2 instances?
Dimensions (a name/value pair that is part of the identity of a metric)
What are the two CloudWatch resolutions, which is the default, and what are the time intervals?
- Standard (default): 60 second granularity
- High: 1 second granularity
What CloudWatch feature can be used to view data aggregation over a time period, such as Min, Max, Sum, Average ?
CloudWatch Statistics
How do the three main CloudWatch Logs items interrelate (Log Events, Log Streams, Log Groups) ?
Log Groups contain Log Streams, which contain Log Events, which consist of a timestamp and raw message.
If you use the S3 Export feature of CloudWatch Logs, is the data transferred in real time?
No, it can take up to 12 hours
What integration would you use if you want near-real-time handling of CloudWatch Logs data?
Kinesis Firehose
What integration would you use if you need real-time handling of CloudWatch Logs data?
Lambda functions and/or Kinesis Data Streams
How long are CloudTrail Events stored by default at no cost?
90 days
What are the three different types of CloudTrail Events?
(1) Management Events
(2) Data Events
(3) Insight Events
What type of CloudTrail Events are captured by default?
Management Events, but NOT Data Events
What are the two scopes that can be used when creating a CloudTrail Trail?
(1) One Region
(2) All Regions
How many CloudTrail Trails can you have per Region?
5
How would you capture global service events using CloudTrail for services like IAM, STS, CloudFront ?
This isn’t captured by default, so you would have to create a new CloudTrail Trail. The Trail would log these events into us-east-1 since they are global services.
Does CloudTrail capture events in real-time?
No, it takes approximately 15 minutes.
For CloudTrail, what is the cost to have one Trail for ongoing Management Events delivered to S3 ?
Free
Which AWS service is used to trace user requests through your application to identify bottlenecks and view latency data at each stage of the application?
AWS X-Ray
The following items are two common examples of AWS-generated ___________ ?
(1) aws:createdBy
(2) aws:cloudformation:stack-name
Cost Allocation Tags
After creating a Cost Allocation Tag, is it immediately available?
No, it can take up to 24 hours to be visible and active
After creating a Cost Allocation Tag, does it apply retroactively to your cost reporting?
No, it is not retroactive.
What are the 7 free AWS Trusted Advisor checks for the AWS Basic Support and AWS Developer Support plans?
(1) S3 Bucket Permissions
(2) Security Groups - Specific Ports Unrestricted
(3) IAM Use (i.e. does each account have IAM users and not using root user)
(4) MFA on Root Account
(5) Are EBS Snapshots public?
(6) Are RDS Snapshots public?
(7) 50 service limit checks (80%+ quota utilization)
Which AWS support plans give you access to the AWS Support API to integrate with your applications?
AWS Business Support
AWS Enterprise Support
What CloudWatch Logs feature allows you to stream logging data into different systems?
Subscription Filters
What protocol operates over TCP/179 ?
Border Gateway Protocol (BGP)
What can be conceptually thought of as a network in BGP?
An Autonomous System (AS)
What’s the difference between iBGP and eBGP?
iBGP (internal) deals with routing within an AS.
eBGP (external) deals with routing between AS’s.
In BGP, each AS broadcasts ______ to the other AS’s.
The shortest ASPATH (doesn’t take into account the path performance/latency).
How can you configure AS route tables in BGP to manipulate the routes that each AS broadcasts?
You can use Path Prepending to artificially lengthen certain paths. This will solve the problem of AS’s broadcasting the shortest path without taking into account latency.
What AWS service uses anycast IP addresses, so a customer’s request to the IP address will be routed the closest location?
AWS Global Accelerator
In regards to the OSI layers, how is Global Accelerator different from CloudFront?
CloudFront only uses L7, but Global Accelerator uses L4 (TCP/UDP) and L7.
How are Symmetric Encryption and Asymmetric Encryption different?
Symmetric Encryption is fast but less secure, because both parties use the same key to encrypt/decrypt the data.
Asymmetric Encryption is slower but more secure, because it uses a public key + private key.
IKE (Internet Key Exchange) Phase 1 and IKE Phase 2 are the two main phases of ________.
IPSEC VPNs
What are the two types of VPNs?
(1) Policy-based VPNs (different rules for different types of traffic)
(2) Route-based VPNs (target matching based on prefixes)
With a Site-to-Site VPN, is the Virtual Private Gateway (VGW) highly available?
Yes, behind the scenes there are separate endpoints distributed across AZs.
How would you configure a Site-to-Site VPN to be highly available?
Add a second Customer Gateway (CGW).
What is the AWS Site-to-Site VPN speed limit?
1.25 Gbps
What AWS service would you use to reduce complexity when connecting multiple VPCs and on-prem networks?
AWS Transit Gateway (TGW)
What is the benefit of peering TGW’s?
You can create connections to other AWS Regions either in the same account or also cross-account.
When Transit Gateways (TGWs) are peered, are the routes in each TGW route table automatically shared/propagated between TGWs?
No.
How many peering attachments per TGW?
Up to 50
A ________ is associated with VPCs, Subnets, Internet Gateways (IGW), Virtual Private Gateways (VGW), and Transit Gateways (TGW).
route table
What’s the difference between static routes and dynamic routes in a route table?
Static routes are added manually.
Dynamic routes are propagated into the route table, if this is enabled for a TGW or VGW association.
What could you do to enable better performance for your Site-to-Site VPN?
Use the Accelerated Site-to-Site VPN feature. This utilizes Global Accelerator edge locations.
What would you use for an AWS-managed implementation of OpenVPN, typically as a way for a remote workforce to securely access AWS resources?
Client VPN (different from Site-to-Site VPN)
Is the Split Tunnel feature of AWS Client VPN the default?
No, it must be enabled. Split Tunnel allows your client to retain it’s existing route tables when associating the Client VPN route table onto it.
How are you billed for DX ?
Hourly cost for the port allocation at the DX location.
Outbound data transfer (inbound is free).
Is a DX location owned by AWS ?
No, typically these are regional data centers where AWS has rented equipment.
What are the 3 speed options for a DX connection?
1, 10, or 100 Gbps
How could you secure your DX connection at the L2 level on a hop-by-hop basis?
Use MACsec
Regarding a DX connection (which is a L2 connection), what is used to allow multiple L3 networks to run over the DX ?
Virtual Interfaces (VIFs)
____ VIFs are used to connect to public IPs in AWS Public Zones.
____ VIFs are used to connect to private IPs within AWS VPCs.
____ VIFs are used to integrate DX with Transit Gateways (TGWs).
Public
Private
Transit
An Accelerated Site-to-Site VPN can be used for ____ but not _____.
Can be used for TGW, but not VGW.
When using a Private VIF to run over your DX connection, what is the max number of prefixes that you can advertise to the BGP network?
100
A ______ ____ is layered over a DX connection and runs from on-prem infrastructure to a Virtual Private Gateway (VGW). It must be attached to a VGW within the same region that the DX connection terminates into.
Private VIF
A _____ VIF can access all AWS Regions. There is no region specific limitation like for ______ VIFs.
Public….. Private
What AWS service could you use to connect on-prem infrastructure to multiple VPCs spread across AWS Regions using a single DX connection?
Direct Connect Gateway (DGW)
A Direct Connect Gateway (DGW) can be associated with VPCs & ______, or TGWs & a ______, but not both.
Private VIFs…. Transit VIF
Would you use a DX Link Aggregation Group (LAG) more for speed purposes or for resiliency purposes?
Speed
A DX _____ ____________ _______ is when you utilize multiple DX connections going into a single DX location for faster speeds (parallel data transit).
Link Aggregation Group (LAG)
A DX LAG is capable of using 2 ___ GB ports or 4 ports if they use less than ___ GB.
100
What AWS service is used to register domains and host zones (nameservers)?
Route 53
When you create a Route 53 Hosted Zone, how many nameservers does AWS allocate for your hosted zone?
4
In Route 53, a CNAME record can map a domain to another _______, but not to an ___ _________.
… domain…. IP address
What type of DNS record is used for a server to find the mail server of a specific domain?
MX records
What type of DNS record can be used to prove domain ownership?
TXT records
What DNS feature is used to cache DNS query results?
TTL - depending on how long the TTL is, sometimes a query may not use the most up-to-date IP address and the request will take longer to go through
What is a Route 53 Hosted Zone in simple terms?
It is a DNS database for a domain
What is the difference between CNAME and ALIAS records?
CNAME maps name–>name (does not support apex)
ALIAS maps name–>name (does support apex)
What is the main limitation of Route 53 Simple Routing?
doesn’t support health checks
Which Route 53 routing policy improves availability but is NOT a replacement for load balancing?
Route 53 Multi Value Routing
Which Route 53 routing policy would you use to optimize performance and user experience?
Route 53 Latency-Based Routing
Which Route 53 routing policy checks for records based on the state, country, and continent?
Route 53 Geolocation Routing
Which Route 53 routing policy routes based on physical distance and includes a bias value?
Route 53 Geoproximity Routing
When using a Route 53 Private Hosted Zone, what two attributes need to be set to “true” ?
- enableDnsHostnames
- enableDnsSupport
What AWS service can you use to track changes that are made to your resources?
AWS Config
Can you deploy an application to your on-prem servers using Elastic Beanstalk?
No
_________ multi-master DB instances are confined to the same region, whereas _________ multi-master DB instances allow read/write to any region.
Aurora… DynamoDB Global Tables…
_________ is a serverless Database-Table-as-a-Service (DBaaS), whereas _________ is NOT serverless and is a Database-Server-as-a-Service (DBSaaS).
DynamoDB…. Amazon RDS…
Each DynamoDB table item (conceptually, a row) can have a max size of _____ KB.
400
Does an ELB provide you with an IP address or a DNS name to use?
ELB only provides you with a DNS name
How does AWS incentivize customers to use ALIAS records for mapping from a DNS name to an AWS resource?
They do not charge for this. It is free.
For DNS resolution, you would use _____ records to map www.example.com to an IPv4 address.
A
Can the Management Account of an AWS Organization be restricted with a Service Control Policy (SCP) ?
No. SCPs do not affect the Management Account.
Do SCPs affect service-linked roles?
No. Service-linked roles will still work normally even with an SCP attached.
Would you use Amazon Macie to scan your CodeCommit repositories for secret keys?
No, Amazon Macie is generally used for scanning S3 buckets.
How many subnets can you have per VPC?
Default is 200
Can a Security Group block a specific IP address?
No, because Security Groups block all inbound traffic by default and only use allow rules.
How many IAM users can you have per account? Can this quota be changed?
5000…. No, this is a hard limit.
What could you set up to ensure your AWS Service Quotas don’t end up restricting your application as its demand grows?
You could create CloudWatch Alarms to notify you when you’re approaching your Service Quotas. Then you can request a quota increase before your application hits the quota ceiling.
Permissions Boundaries can be applied to ________ or ________.
IAM Users… IAM Roles
What are the 6 sequential items that are checked when determining allow/deny status for anything within the SAME AWS account?
- Check for any “Explicit Deny” rules
- SCPs
- Resource Policies
- Permissions Boundaries
- Session Policies (only applicable for “assumeRole” situations)
- Identity Policies
AWS Resource Access Manager allows AWS resources to be shared from one account to another AWS _________, _________, or _________.
Account… Organizational Unit (OU)… Organization
Is there a cost for using AWS Resource Access Manager?
No cost.
Are AZ’s always mapped to the same physical data centers, when comparing two accounts? For example, would “us-east-1a” for account A always match “us-east-1a” for account B?
No. AWS rotates how the AZ’s are mapped to the physical data centers.
Solution = AZ ID’s… These ARE consistent across accounts.
When sharing AWS resources using AWS Resource Access Manager between accounts WITHIN the same organization, does the recipient account need to manually accept the invite?
No, the recipient account automatically accepts the invitation.
When sharing AWS resources using AWS Resource Access Manager between accounts across DIFFERENT organizations, does the recipient account need to manually accept the invite?
Yes.
When using a Shared Services VPC with AWS Resource Access Manager, can the participant accounts provision services into the Shared Services VPC?
Yes
When using a Shared Services VPC with AWS Resource Access Manager, can the account that owns/shares the VPC delete or modify resources created by the participant accounts?
No. Ownership of a provisioned resource by a participant account remains with that participant account.
VPC Peering allows shared access to ______ VPC resources, whereas AWS PrivateLink only allows access (via interface endpoints) to a ________ VPC service/application.
all ….. specific
Does a VPC Gateway Endpoint go into a specific subnet or specific AZ?
Neither, a VPC Gateway Endpoint is used across all AZ’s in a region.
Then you can define which subnets will have the Gateway Endpoint prefix added into their route tables.
What type of endpoint provides private access to S3 and/or DynamoDB ?
VPC Gateway Endpoint
Can VPC Gateway Endpoints access services in other regions?
No, they are a regional service.
AWS Internet Gateways are conceptually attached to the perimeter of a _________.
VPC
Does your default VPC come with an Internet Gateway?
Yes. Also it comes with a public subnet in each AZ.
A VPC ______ Endpoint allows private access to the AWS Public Zone services (S3, DynamoDB) without using an Internet Gateway or NAT Gateway.
Gateway
In Amazon ECS, you cannot attach security groups to the ECS Tasks when using the _____ networking mode.
bridge or host
In Amazon ECS, which networking mode assigns an ENI and a private IPv4 address to each ECS Task?
awsvpc (this provides more control than the “bridge” networking mode)
Are certificates from AWS Certificate Manager regional or global?
Regional. If multiple regions are desired, you must request a certificate for each region.
st1 and sc1 are examples of _______ EBS volumes and they have a _______ (high/low) max IOPS count.
HDD… low…
To troubleshoot constantly failing EC2 instances in an ASG, are you able to suspend the “Terminate” process of the ASG?
Yes.
Even if you enable EC2 instance protection for an EC2 instance, the ______ still has the ability to terminate an EC2 instance that it has created.
ASG
For an Amazon SQS Queue, the _______ attribute specifies the number of times a message is delivered to the queue before being moved to a dead-letter queue.
maxReceiveCount
A VPC ________ Endpoint goes into a specific subnet whereas a VPC ________ Endpoint is used across all AZ’s in a region.
Inferface… Gateway…
Network access to a VPC ________ Endpoint can be controlled with a Security Group (b/c it is within a subnet within a VPC) whereas a VPC ________ Endpoint cannot.
Inferface… Gateway…
Which type of VPC endpoint uses DNS for its routing?
VPC Interface Endpoint
VPC ________ Endpoints use prefix lists and route tables, whereas VPC ________ Endpoints use DNS.
Gateway… Interface…
When deploying resources into a public subnet, does the resource need to have a public IP address?
No, you can choose to only assign a private IP address to your resources, even in public subnets.
Can a public (aka internet-facing) ALB communicate with instances inside a private subnet?
Yes, as long as the ALB is running from a public subnet.
Can the Fargate deployment type run on AWS Outposts?
No.
______ allow us to run multiple L3 networks over the L2 Direct Connect.
VIFs
A VIF uses a ______ Peering Session + _______.
BGP… VLAN
When creating a site-to-site VPN connection, specify ________ routing if your customer gateway device supports BGP.
dynamic (as opposed to static)
Would you use AWS X-Ray to help plan a migration?
No, it is used to debug production applications.
A Network ACL can filter requests based on _______ but not ________.
IP addresses… URLs
A _______ server acts as an intermediary between the client and the server, effectively functioning like a firewall/filter.
proxy
What enables private connections to AWS services without using public IPs, and uses AWS PrivateLink under the hood?
Interface Endpoints
Metric Filters and Subscription Filters are components of which AWS service?
CloudWatch Logs
Management Events and Data Events are components of which AWS service?
CloudTrail
Which AWS services can be directly accessed through Gateway Endpoints?
S3 and DynamoDB
How does traffic routing work with Gateway Endpoints in a VPC?
Gateway Endpoints are added as a target for a specific route in your VPC route table
When generating an S3 Presigned URL, what permissions get embedded into the link?
The permissions will match those of the IAM user who created the link.
Is it a good practice to generate an S3 Presigned URL using an IAM role?
No, because the IAM role will generally expire faster than the URL and then the URL will not work.
What AWS service could you use to simplify access to S3 (for example, providing different departments with their own S3 URL each containing separate permissions policies)?
S3 Access Points
What CLI command would you use to set up an S3 Access Point?
create-access-point
Does S3 Object Lock require versioning to be enabled on the bucket?
Yes. Thus, it is actually the object versions, rather than the object, that are being locked.
What are the two types of S3 Object Lock?
(1) S3 Object Lock - Retention
— compliance mode: immutable
— governance mode: some changes allowed
(2) S3 Object Lock - Legal Hold
— on/off switch: prevents deletion
What service can be used to monitor and discover sensitive data in S3 (for example, PII) ?
Amazon Macie
What service runs discovery jobs based on (1) managed data identifiers and/or (2) custom data identifiers?
Amazon Macie
In the context of EBS, 1 IOPS is equal to __ KB per second.
16 KB
What is the standard and maximum IOPS for an EBS GP3 volume?
Standard: 3,000 IOPS
Maximum: 16,000 IOPS
What are the 3 types of EBS Provisioned IOPS SSD Volumes?
(1) io1
(2) io2
(3) Block Express
What are the two types of EBS HDD-Based Volumes?
(1) st1: throughput optimized
(2) sc1: cold, lowest cost
Can you attach an instance store volume to an already-launched EC2 instance?
No, instance store volumes must be attached at the time of launch.
Instance store volumes are often included in the price of _____
EC2 Instances
Can st1 or sc1 EBS volumes be used as EC2 boot volumes?
No.
You can aggregate multiple EBS volumes into a RAID0 set, and this can provide up to _____ IOPS of performance.
260,000 IOPS
The io1 and io2 EBS volumes can provide up to ____ IOPS and the io2 Block Express volume can provide up to _____ IOPS.
64,000 … 256,000
What is the max item size for an item in a DynamoDB table?
400 KB
What is the data transfer rate for DynamoDB Table RCU’s and WCU’s ?
RCU: 4KB/s
WCU: 1KB/s
What are the two modes of ECS?
(1) EC2 Mode
(2) Fargate Mode
Which ECS mode injects ENI’s into your VPC while the EC2 instances are run and hosted within AWS’s internal EC2 pool?
Fargate mode
Are SQS and SNS public zone services or private zone services?
Public zone
With SQS and SNS, which is one-to-many and which is one-to-one ?
SNS: one-to-many
SQS: one-to-one
Which AWS service is kind of a hybrid between SNS and SQS and provides both queues and topics?
AmazonMQ
What is the default Lambda function timeout, and the max timeout?
Default: 3 seconds
Max: 15 minutes
If you want to always reference the most recent Lambda version, what would you point to (a phrase)?
$LATEST
What database compatibility does AWS Aurora offer?
MySQL, PostgreSQL
What is a key difference between AWS Aurora and RDS?
Aurora: More scalable, RDS: Broader DB engine options
Which AWS service is used for orchestrating multiple AWS Lambda functions?
AWS Step Functions
What are the three types of API endpoints offered by AWS API Gateway?
Edge-Optimized, Regional, Private
What AWS service integrates with API Gateway for user authentication and authorization?
AWS Cognito
What file does AWS SAM use to define serverless resources?
sam-template.yaml
What AWS service does AWS SAM internally use to deploy applications?
AWS CloudFormation
Which service can be used with AWS CloudFront to protect against DDoS attacks?
AWS Shield
Key difference between Trusted Key Groups and Origin Access Identity (OAI) in CloudFront?
Trusted Key Groups: URL signing; OAI: S3 bucket access
What AWS service’s primary function is to manage SSL/TLS certificates?
AWS Certificate Manager (ACM)
When a SSL/TLS certificate is needed for a CloudFront distribution (or any global services), where must the certificate be generated?
us-east-1
Which AWS service is commonly used with ElastiCache for database caching?
Amazon RDS
Does ElastiCache for Redis or Memcached support complex data types?
Redis
Which supports multi-threading, ElastiCache for Redis or Memcached?
Memcached
Which ElastiCache option offers persistence and replication?
Redis
Key difference between AWS Internet Gateway and AWS NAT Gateway?
Internet Gateway: Two-way internet access; NAT Gateway: Outbound-only for private subnets
What format can AWS CloudFormation templates be written in?
JSON, YAML
What feature does AWS CloudFormation provide for grouping related resources?
CloudFormation Stacks
Can you update a running CloudFormation Stack?
Yes
A CloudFormation Stack is a collection of AWS resources that is created as a result of deploying a single _____________.
CloudFormation template
Which CloudFormation service can deploy and manage stacks across multiple accounts and regions?
CloudFormation StackSets
Key difference between CloudFormation Templates and Stacks?
Templates: JSON or YAML file blueprint of the infrastructure; Stacks: the collection of resources deployed from the template
What are the three types of AWS Storage Gateway?
File Gateway, Volume Gateway, Tape Gateway
Which type of Storage Gateway is used to store and retrieve objects in S3 using file protocols (NFS, SMB)?
AWS Storage Gateway File Gateway
Which AWS Storage Gateway type supports block-based storage?
AWS Storage Gateway Volume Gateway
What SSM capability provides a centralized store for configuration data?
SSM Parameter Store
What is the main difference between AWS Config and AWS SSM?
Config: resource configuration
SSM: resource operations / automation
For a hybrid environment storage solution where on-prem and cloud integration is desired, what AWS service is best?
AWS Storage Gateway File Gateway
Between AWS Transfer Family and AWS DataSync, which is best for continuous, regular file transfers and which is best for one-time or batch large-scale data transfer?
AWS Transfer Family: continuous, regular
AWS DataSync: fast high-volume transfer
_______ can transfer data quickly to and from Amazon S3, EFS, FSx for Windows File Server.
AWS DataSync
What is the maximum data storage capacity of a standard AWS Snowball device?
80 TB
What is a Homogeneous Migration in AWS DMS?
Migration between the same database engines
What is a Heterogeneous Migration in AWS DMS?
Migration between different database engines
What AWS service is often used alongside DMS for schema conversion? Is it used for homogeneous or heterogeneous migrations?
AWS Schema Conversion Tool (SCT)
Only used for heterogeneous migrations.
What policies define the maximum permissions for an account, organization, or organizational unit (OU) in AWS Organizations?
SCPs
Do SCPs grant permissions?
No, they only restrict permissions
Can SCPs override IAM policies?
No, they are used in conjunction with IAM policies
Key difference between SCPs and IAM Policies?
SCPs: Restrict permissions at the account/OU level; IAM Policies: Grant specific permissions to users, groups, and roles
How many IP addresses are reserved in each subnet in AWS VPC?
5
Which specific IP address in a subnet is reserved for the network address?
The first IP address (e.g., 10.0.0.0)
Which IP address in a subnet is reserved for the subnet’s default gateway (aka router)?
The second (VPC + 1) IP address (e.g., 10.0.0.1)
Which specific IP address in a subnet is reserved for DNS?
The third (VPC + 2) IP address (e.g., 10.0.0.2)
Which AWS service uses DHCP Option Sets?
Amazon VPC
What can be specified in a custom DHCP Option Set?
DNS servers, NTP servers, domain name, NetBIOS name servers, NetBIOS node type
What service can be used to capture information about IP traffic going to and from network interfaces in a VPC?
VPC Flow Logs
Where can VPC Flow Logs be published to?
CloudWatch Logs, Amazon S3
Can VPC Flow Logs be created for subnets and individual network interfaces, in addition to VPCs?
Yes
Key difference between VPC Flow Logs and AWS CloudTrail?
Flow Logs: Network traffic logs; CloudTrail: API activity logs
Are VPC Flow Logs in AWS real-time?
No, there’s a slight delay
In VPC Flow Logs, what are the protocol numbers that are used to identify ICMP, TCP, and UDP traffic?
ICMP: 1
TCP: 6
UDF: 17
What is the primary use of SAML 2.0 in cloud services?
Single Sign-On (SSO) for web applications
In SAML 2.0, what is the role of the “Identity Provider” (IdP)?
Authenticates user’s identity and sends SAML assertions
What format are SAML 2.0 assertions typically in?
XML
How does the Service Provider (SP) use SAML 2.0 in Identity Federation?
Consumes the assertion from IdP to grant user access
What are the two main components of AWS Cognito?
User Pools, Identity Pools
What does AWS Cognito User Pool provide?
User directory and handles sign-up/sign-in processes
What does AWS Cognito Identity Pool enable?
Granting access to AWS services for authenticated and unauthenticated users
What is the primary function of AWS Route 53?
Managed Domain Name System (DNS) service
Can AWS Route 53 be used for domain registration?
Yes
Are VPC Gateway Endpoints region-specific in AWS?
Yes, they are confined to the region in which your VPC is located
What happens when you create a VPC Interface Endpoint in a VPC with DNS resolution enabled?
Private DNS entries are automatically added for the service
What is the purpose of Route 53 Resolver Endpoints in AWS?
Enable DNS queries to flow between your VPC and your on-prem network
What are the two types of Route 53 Resolver Endpoints?
Inbound Endpoints, Outbound Endpoints
What AWS service can be used to compile and test code?
AWS CodeBuild
What is the build file called in AWS CodeBuild that is stored in the root of the source?
buildspec.yml
Can Read Replicas in RDS be promoted to primary instances?
Yes, useful for failover or scaling purposes
Are RDS Read Replicas replicated synchronously or asynchronously?
Asynchronously
Can RDS Read Replicas be located in different regions than the primary database?
Yes
What technology does Gateway Load Balancer utilize to efficiently distribute traffic?
GENEVE protocol
How do ALBs differ from Network Load Balancers (NLBs) in AWS?
ALBs operate at Layer 7 (application layer), NLBs at Layer 4 (transport layer)
What are the scaling options available in AWS Auto Scaling Groups?
(1) Manual
(2) Scheduled
(3) Dynamic (simple, step, target tracking)
Do autoscaling groups have a cost?
No, they are free.
Within an autoscaling group, what defines the instance types and instance configurations?
The launch template
What can you use to pause EC2 instances in an ASG during launch or termination so that custom actions can occur?
ASG Lifecycle Hooks
Do ASGs require a scaling policy?
No, not required.
What service is used to simplify the deployment of third-party virtual security appliances in a scalable and fault-tolerant manner?
AWS Gateway Load Balancer (GWLB)
What is the default granularity for CloudWatch metrics?
1 minute.
What is the difference between CloudWatch Logs and CloudWatch Metrics?
Logs collect text-based log files, Metrics collect quantitative data.
What feature does CloudWatch provide to react to metric thresholds being breached?
CloudWatch Alarms that trigger notifications or actions.
Which service provides request tracing to debug and analyze applications?
AWS X-Ray
What determines the level of access to Trusted Advisor checks and recommendations?
The AWS support plan (Basic, Developer, Business, or Enterprise)
What are the two main types of backups for AWS RDS?
Automated backups and manual snapshots.
How long does AWS RDS retain automated backups by default?
7 days (configurable up to 35 days).
What AWS service provides connection pooling to enhance database efficiency and scalability?
AWS RDS Proxy
What are the two main types of indexes in Amazon DynamoDB?
Global Secondary Index (GSI) and Local Secondary Index (LSI)
What is a limitation of a Local Secondary Index (LSI) in DynamoDB?
It must be defined at the time of table creation. LSI’s cannot be added or removed later.
In DynamoDB, a _____ supports queries over the entire table and a _____ only supports queries within the same partition.
Global Secondary Index (GSI) … Local Secondary Index (LSI)
What is the primary purpose of Amazon DynamoDB Accelerator (DAX)?
To provide in-memory caching for DynamoDB
What DynamoDB feature provides multi-region, fully managed, multi-master database replication?
DynamoDB Global Tables
How is Amazon Athena priced?
Based on the amount of data scanned by the queries.
How does Amazon Athena differ from Amazon Redshift?
Athena is serverless and queries data directly in S3, while Redshift is a managed, petabyte-scale data warehouse that requires data loading.
What is the default data retention period for Kinesis Data Streams?
24 hours (extendable up to 365 days).
Name four AWS services that Kinesis Data Firehose can deliver data to.
Amazon S3, Redshift, OpenSearch Service, and Splunk.
Name two AWS services that can be used as data sources for Kinesis Data Analytics.
Kinesis Data Streams and Kinesis Data Firehose.
What processing languages does Kinesis Data Analytics support?
SQL and Java (Apache Flink).
What are three open-source frameworks that can be run on Amazon EMR?
Hadoop, Spark, HBase.
What are the two types of nodes in Amazon EKS?
Worker nodes and control plane nodes.
Name two AWS services that can be integrated with Amazon EKS for logging and monitoring.
Amazon CloudWatch, AWS CloudTrail.
What are four AWS services that can be protected by AWS WAF?
(1) CloudFront
(2) API Gateway
(3) ALB
(4) AWS AppSync (GraphQL APIs)
How does AWS WAF allow you to control web traffic?
Through web ACLs (Access Control Lists).
How does AWS WAF differ from AWS Shield?
WAF provides customizable web traffic control, Shield offers DDoS protection.
How can you enable HTTPS for an application running on AWS Elastic Beanstalk?
By applying an SSL certificate to your Elastic Beanstalk environment’s load balancer.
What AWS Elastic Beanstalk feature could you use for testing changes, blue/green deployments, or quickly replicating environments for different purposes without manual configuration?
Environment cloning
What type of file is used to configure multi-container Docker applications?
Docker Compose file
What are the three categories of Elastic Beanstalk runtimes/platforms?
Built-in languages, Docker, and custom platforms
What is the hierarchical structure of Elastic Beanstalk?
Applications, which contain Environments, which contain Versions.
In Elastic Beanstalk, what are the two tier options when configuring an environment?
(1) web server tier (user interacts with)
(2) worker tier (processes application logic)
Elastic Beanstalk is great for _______ ___________ _______.
small development teams
When using Elastic Beanstalk, should you host the database part of the application within Elastic Beanstalk?
No, create the databases outside of Elastic Beanstalk so they are not accidentally deleted (or data is lost) during blue/green deployments.
The term “source bundle” refers to an application within what AWS service?
Elastic Beanstalk
To decouple an existing RDS instance from within an Elastic Beanstalk environment to be a standalone RDS instance, you should create an _____ _________, click on “________ _______ __________” for the RDS instance, create a new EB environment without RDS, swap environments, and then terminate the old environment.
RDS snapshot… Enable Delete Protection
Behind the scenes, Elastic Beanstalk uses _______________ to provision resources for your application.
CloudFormation
You can customize your Elastic Beanstalk environment by creating a ____________ folder within the application source bundle and adding YAML or JSON CloudFormation files ending in ________.
.ebextensions
.config
What AWS service automates server setup, configuration, deployment, and management with Chef and Puppet?
AWS OpsWorks
What AWS Systems Manager feature allows you to define the desired state of your AWS resources?
State Manager.
What AWS service is best suited for automated patch management, executing remote commands, and inventory management?
AWS Systems Manager
Does Systems Manager Run Command require SSH/RDP access?
No, it connects via the Systems Manager agent that is installed on the EC2 instance and/or on-prem instances.
In AWS Systems Manager, a ________ _________ is a set of rules for auto-approving patches.
Patch Baseline
In AWS Systems Manager, what is used to logically separate instances, allowing for different patch baselines to be applied to different sets of instances?
Patch Groups
In AWS Systems Manager, what is used to schedule tasks such as patching, automation, or software updates to run on instances at specific times?
Maintenance Windows
In AWS Systems Manager, ______ __________ specify the patches to apply, ______ __________ categorize instances for patching, and __________ ________ determine when patching occurs.
Patch Baselines… Patch Groups… Maintenance Windows
In Systems Manager Patch Manager, there are some predefined Patch Baselines that contain security patches and updates. What do each of these refer to?
(1) AWS-AmazonLinux2DefaultPatchBaseline
(2) AWS-UbuntuDefaultPatchBaseline
(3) AWS-DefaultPatchBaseline
(4) AWS-WindowsPredefinedDefaultPatchBaseline-OS
(5) AWS-WindowsPredefinedDefaultPatchBaseline-OS-Applications
(1) default for Linux
(2) default for Ubuntu
(3) default for Windows (2 possible names)
(4) default for Windows (2 possible names)
(5) defaults for Windows + MS App updates
What is the name of the AWS Systems Manager command that patches the instances?
AWS-RunPatchbaseline
What is the default behavior of a newly created custom NACL in AWS?
It denies all inbound and outbound traffic until rules are added to allow traffic.
How are rules in a NACL evaluated by AWS?
Sequentially, based on the rule number, from lowest to highest.
What is the default behavior of a newly created Security Group in AWS?
Allows all outbound traffic; denies all inbound traffic
The rules in a ____________ allow traffic based on protocol, port, and source/destination.
Security Group
Often an AWS Site-to-Site VPN can be configured in less than …
1 hour
What are the three key components of an AWS Site-to-Site VPN connection?
(1) Virtual Private Gateway (VGW)
(2) Customer Gateway (CGW)
(3) the IPsec tunnel
What are the two types of AWS Site-to-Site VPNs?
(1) Static VPN
(2) Dynamic VPN
How is an AWS Static VPN different from a Dynamic VPN?
Static = route table routes are added manually
Dynamic = “route propagation” (if enabled) allows routes to be automatically added to the route tables using BGP
What is the speed limit for AWS Site-to-Site VPNs?
1.25 Gbps
What are four supported attachments for the Transit Gateway?
(1) VPCs
(2) Site-to-Site VPNs (i.e. VGW)
(3) Direct Connect Gateways
(4) Other TGWs
Can a Transit Gateway peer with another Transit Gateway in a different AWS account?
Yes. Transit Gateway supports cross-account, and cross-region, peering.
Is there a cost for using the AWS RAM?
No
In AWS RAM, what are the three “principals” with whom a resource can be shared?
(1) Account
(2) OU
(3) Organization
When subnets are shared across AWS accounts using RAM, if a participant account provisions resources into the shared subnet, who owns the resource?
The account that provisions the resource owns the resource (in this example, the RAM participant account).
When subnets are shared across AWS accounts using RAM, can the VPC (subnet) owner delete or modify resource created by participant accounts?
No.
To attach a Direct Connect Gateway to a Transit Gateway, you would need a ________ ______ running over the DX connection.
transit VIF
What AWS service allows you to use on-premises Active Directory with AWS services without any directory data stored in AWS?
AD Connector - this redirects requests to on-prem servers
What service provides a fully managed Active Directory in AWS?
AWS Managed Microsoft AD
The AWS AD Connector injects ENIs into _____ subnets within your VPC and these go into (different/same) AZs.
two… different
The AWS AD Connector requires a _______ or ________ for connecting to your on-premises Active Directory.
Site-to-Site VPN or Direct Connect
The AWS-Managed _____________ service is highly available by default and it deploys the domain controller into 2 AZ’s by default.
Microsoft AD
What AWS service supports RADIUS-based MFA?
AWS-Managed Microsoft AD
To enhance the speed of Direct Connect connections, you can combine multiple DX connections (up to 4), assuming they are all terminating into the same endpoint, using ____________.
Link Aggregation Groups
What key feature does Managed Microsoft AD support that Simple AD does not?
Trust relationships with on-premises Active Directory.
What is the maximum speed for an AWS DX LAG?
200Gbps
In DNS, an A record maps a _______ to a ________.
host… IPv4 address
In DNS, an AAAA record maps a _______ to a ________.
host… IPv6 address
In DNS, a CNAME record maps a _______ to a ________.
host… host
In DNS, if the resolver has to walk the tree in order to find the destination IP address, this result is known as an _____________ answer.
authoritative
In DNS, if the resolver does NOT have to walk the tree in order to find the destination IP address (i.e. the result is already cached on the DNS resolver server) this result is known as a _____________ answer.
non-authoritative
What is meant by Resource Records within a Route 53 Public Hosted Zone?
Resource Records are simply the collection of A, AAAA, CNAME, MX, TXT, etc records
What R53 feature is ideal if you want to use the same domain name for public access and private access, but you want the records to be different for each?
Route 53 Split View Hosted Zone
Let’s say within DNS, you want to map the following:
catagram.io -> ALB
Could you use a CNAME record for this?
No, because CNAME records don’t support the apex (e.g. catagram.io).
You would use an ALIAS record for this.
Does R53 Simple Routing support health checks?
No
Route 53 health checks are conducted every ____ seconds by default, or up to ____ seconds for an extra cost.
30… 10
What three protocols can be used for Route 53 health checks?
(1) HTTP
(2) HTTPS
(3) TCP
Route 53 health checks can monitor what three things?
(1) endpoints
(2) status of other health checks
(3) state of CloudWatch alarms
Is KMS a regional or global service?
regional
AWS KMS has been validated by the United States National Institute of Standards and Technology (NIST) under what level of security?
Federal Information Processing Standards (FIPS) 140-2 (Level 3)
The term CMKs (Customer Master Keys) in KMS has been superseded by simply __________.
KMS Keys
KMS Keys can be used for up to ___ KB of data.
4KB
For encrypting data > 4KB, you can’t use KMS directly, but you can use KMS to generate ___________ which then encrypts and decrypts the data.
Data Encryption Keys (DEKs)
Can an EBS volume be encrypted after its creation?
No, you would have to a take an EBS snapshot, encrypt the snapshot, and create a new EBS volume from the encrypted snapshot.
Can an EBS volume be attached to multiple EC2 instances simultaneously?
No, except for EBS Multi-Attach enabled volumes.
What are the three throughput modes of EFS?
(1) elastic (default)
(2) provisioned (predictable)
(3) bursting (unpredictable)
____________ is specific for managing secrets, whereas _________ is used for a wider range of configuration data and secrets.
Secrets Manager… Parameter Store
Which AWS service supports automatic rotation of credentials without application changes?
AWS Secrets Manager
If the exam mentions needing to store passwords or API keys, and Parameter Store and Secrets Manager are both options, you should default to choosing _____________.
Secrets Manager
What service directly integrates with other AWS services (such as RDS) for automatic key rotation?
AWS Secrets Manager
When choosing between Secrets Manager and Systems Manager Parameter Store, and you need to store either of the following:
(1) hierarchical configuration information
(2) CloudWatch agent configuration
then you should lean towards ____________ as the correct answer.
Systems Manager Parameter Store
__________ is a continuous security monitoring service for threat detection. It identifies unexpected and unauthorized activity.
Amazon Guard Duty
_____________ can support multiple AWS accounts via an administrator account that manages threat detection on behalf of the member accounts.
Amazon Guard Duty
Which AWS logs does Amazon Guard Duty analyze to identify threats and malicious activity?
(1) VPC Flow Logs
(2) CloudTrail
(3) DNS Logs
What is required to enable AWS Config across multiple accounts in an organization?
Enable AWS Config in each account and designate an aggregator account to collect the configuration and compliance data.
Can AWS Config track changes to IAM roles and policies?
Yes
Which AWS service records configuration changes over time on resources?
AWS Config
Can AWS Config prevent changes from happening?
No, it simply records changes.
AWS Config is a ________ (regional/global) service by default.
regional
Where is AWS Config data stored?
In an S3 bucket that you specify during AWS Config setup.
Using _____________, your AWS resources can be evaluated with predefined or custom rules (using Lambda) and labeled as ‘compliant’ or ‘non-compliant’. These compliant / non-compliant states can then trigger remediation via EventBridge.
Config Rules (a feature of AWS Config)
One distinction between Guard Duty and Inspector is that _________ focuses more narrowly on EC2 instances.
Inspector
__________ focuses on vulnerability and deviations from best practices within EC2 instances, while __________ focuses on broader threat detection across the AWS environment.
Inspector… Guard Duty
Which AWS service provides a “security report” of findings as its output?
Amazon Inspector
Which AWS service might have an output containing a data attribute called “UnrecognizedPortWithListener”?
Amazon Inspector
When you see keywords on the exam like host assessments, common vulnerabilities and exposures (CVEs), and Center for Internet Security (CIS) benchmarks, the answer is likely ____________.
Amazon Inspector
Which AWS service gives you a centralized view of your security alerts and security posture across your AWS accounts?
AWS Security Hub
What are two main functions of AWS Security Hub?
(1) Aggregating security findings
(2) Performing automated security checks against AWS best practices
What does PCI DSS stand for, and what is the primary purpose?
Payment Card Industry Data Security Standard
To protect cardholder data and secure payment card transactions.
What intrinsic function in CloudFormation returns the value of a specified parameter or resource?
‘Ref’
How can you concatenate values in a CloudFormation template?
‘Fn::Join’
What feature of CloudFormation can be used to store and reference predefined values outside of the CloudFormation template?
CloudFormation Mappings
What CloudFormation attribute would you use to ensure resources are created and configured in a specific order?
DependsOn
What CloudFormation feature can you use to pause resource creation until a custom condition is met?
Wait Conditions
When sharing a Route 53 Hosted Zone across accounts, the account with the hosted zone must __________ the association, and the account receiving the access must then accept the _____________.
authorize… authorization
What is a fully qualified domain name (FQDN)?
It is the complete address of a host (for example, www.example.com)
When using ACM to create certificates for a multi-region deployment of ELBs, can you create all of the certificates in us-east-1?
No, that only works for global services (such as CloudFront). For a multi-region deployment of ELBs, you need to create ACM certificates within each desired region.
What feature allows AWS S3 to automatically replicate data across multiple AWS regions?
S3 Cross-Region Replication.
How do you ensure that AWS resources can only be accessed within your organization?
Implement a private hosted zone in Amazon Route 53.
Which AWS service is used to manage containerized workloads across AWS and on-premises environments?
Amazon ECS Anywhere.
How can AWS Lambda be triggered by changes in an AWS CodeCommit repository?
Based on CodeCommit push events.
For a static website hosted on S3 to be publicly accessible, how would you do this in the console?
Uncheck (i.e. disable) the “Block Public Access” checkboxes
To avoid simultaneous EC2 instance reboots during patching, what feature should you configure?
Non-overlapping maintenance windows.
What feature allows you to transfer S3 data transfer costs to the requester?
Requester Pays.
Which DynamoDB feature allows automatic deletion of items after a specified time?
Time to Live (TTL).
What is the recommended way to collect logs from EC2 instances for analysis?
Configure a unified CloudWatch Logs agent.
What are the three ECS networking modes?
(1) bridge (default for Linux)
(2) host
(3) awsvpc
Which ECS networking mode creates an ENI for each task?
awsvpc
Which network mode should be used in ECS to allow task-level security groups?
awsvpc
____________ is a free and open-source implementation of the Java Platform, Standard Edition (Java SE). It is an alternative to the commercially-licensed OracleJDK.
OpenJDK, or Open Java Development Kit
To save on Oracle Java SE licensing costs when migrating to AWS, what could you use as an alternative?
OpenJDK
_____________ is a unique type of IAM role in AWS that is predefined by the service, and only the linked service can assume the role.
service-linked role
What adjustment to SQS redrive policy can help prevent premature dead-letter queue transfers?
Increase maxReceiveCount.
Is multi-region deployment for read and write operations supported by RDS?
No, although it does support the creation of cross-Region read replicas for some database engines.
For a global application needing fault tolerance across regions with relational database features, what AWS database service fits best?
Amazon Aurora Global Database.
To comply with strict IT security policies at the container level, which AWS service and feature should be used?
Amazon ECS with awsvpc network mode and security groups.
What are two ways to ensure security for logs stored in S3?
(1) Enable MFA Delete
(2) configure bucket policies
Which AWS service is used to migrate VMs from on-premises to AWS with minimal downtime?
AWS Application Migration Service (MGN)
By default, CloudTrail trails created via the AWS Management Console have _______ ________ events enabled.
global service
Which AWS service allows automated OS patching and management of EC2 instances?
AWS Systems Manager
To securely pass database credentials to an Amazon ECS container, you can use AWS Secrets Manager or AWS Systems Manager Parameter Store to store the sensitive data, and you also need to ensure that _____________.
the IAM execution role for the ECS task has the necessary permissions to retrieve the credentials.
The AWS Application Migration Service uses ___________ _________, that are installed on each source server, to facilitate the migration of on-premises servers to AWS.
replication agents
CloudTrail ______________ is a feature that allows you to check the integrity of your CloudTrail log files to determine if they have been changed after delivery.
log file validation
________________ with CloudFront is a feature that allows you to set up CloudFront with two origins: a primary and a secondary.
Origin failover
A ____________ is a globally available network device that allows you to connect your AWS Direct Connect connection to VPCs in remote Regions. It can be created in any AWS Region and accessed from all other Regions.
Direct Connect Gateway
How could you enable inter-region VPC access from your corporate environment?
Use a Direct Connect connection with a Direct Connect Gateway
___________Gateway focuses on private connectivity from on-premises, whereas ___________Gateway focuses on interconnectivity between VPCs, VPNs, and Direct Connect Gateways.
Direct Connect Gateway… Transit Gateway
What service enables the creation of a cloud-based contact center?
Amazon Connect
Which service allows you to build conversational interfaces with automatic speech recognition?
Amazon Lex
What AWS feature can trigger a Lambda function upon data file upload to S3?
Amazon S3 event notifications
In the context of the AWS Schema Conversion Tool (SCT), a ___________ can be installed on a separate on-premises server from the one running AWS SCT, allowing for the parallel extraction of data.
extraction agent
Large-scale data migrations of tens of TB of data often use the AWS SCT (Schema Conversion Tool) along with a ______________ for the migration.
Snowball Edge device
When a user attempts to access AWS resources, a ______________ is generated by the organization’s identity provider (IdP) after the user’s identity is verified (the “authentication” portion of authentication and authorization)
SAML assertion
______________ is a service that monitors and provides alerts on containerized applications at scale.
Amazon Managed Service for Prometheus
An example architecture for processing data from IoT devices to Amazon RDS might use ________ to trigger ________.
Amazon S3 event notifications… a Lambda function
The _______ record is specific to AWS Route 53 and provides a Route 53–specific extension to DNS functionality.
ALIAS
In Route 53, __________ records are nearly always preferred over __________ records, except when pointing to non-AWS resources.
Alias… CNAME
If another AWS account needs to copy information to or from a resource in your own AWS account, you can set up cross-account access with a __________ Policy
resource-based
Which AWS service allows you to create data-driven workflows to automate and orchestrate the movement and transformation of data?
AWS Data Pipeline
Which AWS service utilizes a standby instance for automatic failovers?
Amazon RDS
When you choose a ____________ deployment, Amazon RDS automatically creates a primary DB instance and synchronously replicates the data to a standby instance in a different Availability Zone.
Multi-AZ
_____________ is a scalable marketing communications AWS service that helps businesses connect with their customers through personalized multichannel communications.
Amazon Pinpoint
The “rehost” migration strategy is also known as ____________ and does not re-configure anything.
lift and shift
Between Amplify and Elastic Beanstalk, ________ is optimized for serverless and frontend-driven applications, whereas ________ is for traditional app deployments with more backend control.
Amplify… Elastic Beanstalk
The “Replatform” migration strategy could also be described as _______________.
lift and shift with optimization
When a company’s migration encompasses a transition from a self-managed database to an AWS managed database (such as RDS), this would be an example of a __________ migration strategy.
Replatform
How can you restrict access to files in Amazon S3 to ensure they can only be accessed via CloudFront URLs?
Use the CloudFront feature called Origin Access Control (OAC).
______________ defines a way for client web applications (typically the JavaScript) that are loaded in one domain to interact with resources in a different domain.
Cross-origin resource sharing (CORS)
___________ is used for simplified (fully managed, aka serverless) deployment and management of containerized web applications, whereas ___________ is used for more flexible, larger, and configurable containerized workloads.
AWS App Runner… ECS
_________ APIs are often used in real-time applications such as chat applications, collaboration platforms, multiplayer games, and financial trading platforms.
WebSocket APIs
_________ provide full-duplex communication over a single TCP connection. Unlike ______, the connection is persistent and not closed after each request/response.
WebSocket APIs… Rest APIs
_________ use HTTP only briefly during the initial handshake phase when establishing the connection to upgrade from HTTP to _________ protocol. Once upgraded, all further messaging happens directly over TCP.
WebSocket APIs… WebSocket
_________ is a fully managed serverless GraphQL service.
AWS AppSync
What are three common types of APIs?
(1) REST API
(2) GraphQL API
(3) WebSocket API
An EC2 instance _______ is a container for an IAM role that is used to pass role information to an Amazon EC2 instance when the instance starts.
profile
What is the default configuration (enabled/disabled) of cross-zone load balancing ALBs, NLBs, and GLBs?
(1) ALB: enabled
(2) NLB: disabled
(3) GLB: disabled
A load balancer ________ checks for connection requests from clients, using the protocol and port that you configure, and forwards requests to a target group.
listener
A ________ Load Balancer offers support for static IP addresses (because it operates at _____ of the OSI model).
Network Load Balancer… L4
A ________ Load Balancer can route requests to multiple applications on a single EC2 instance, using different ports for each application
Network Load Balancer
A ________ Load Balancer is capable of managing sudden and unpredictable workloads, scaling to millions of requests per second
Network Load Balancer
Which AWS service integrates data flows between SaaS and AWS services?
Amazon AppFlow
What are the two primary methods to allow external users to access AWS resources?
(1) granting federated access via the IAM Identity Center
(2) Cognito Identity Pools
__________ is used for managing access to AWS resources for human users within your organization, while __________ is used for providing temporary, limited access to AWS resources for users of mobile and web applications.
IAM Identity Center… Cognito Identity Pools
Are RDS automated backups enabled by default?
Yes
___________ occur once per day during a user-configurable period known as the backup window.
Amazon RDS automated backups
The S3 Glacier standard retrieval time is approximately ___________.
3 to 5 hours
Which CloudFormation intrinsic function allows you to retrieve attribute properties of other resources created within the CloudFormation template.
Fn::GetAtt
In the context of the AWS Storage Gateway, the term “iSCSI” indicates that _______ storage is being used, and thus the Storage Gateway _______ Gateway may be the answer.
block… Volume
__________ is an open-source platform developed by Red Hat for implementing Java applications, it provides a full range of Java EE (Enterprise Edition) features, and it is used as a framework by many software companies.
JBoss Application Server
_________ is a utility built into Oracle databases that automates the process of backup and recovery.
Oracle RMAN (Recovery Manager)
__________ is a search service purpose-built for simplicity, whereas __________ is a managed distribution of open-source Elasticsearch supporting advanced analytics features.
CloudSearch… OpenSearch Service
The ______________ is an identity authentication protocol that can help prevent replay attacks (where an adversary intercepts traffic and redirects or delays it).
Challenge-Handshake Authentication Protocol (CHAP)
Similar to how a NAT Gateway is used for outbound IPv4 traffic from a private subnet, a _______ is used for outbound IPv6 traffic.
egress-only Internet Gateway
What are the two Storage Gateway - Volume Gateway options?
(1) Cached Volumes
(2) Stored Volumes
What is the term for a workflow within AWS Step Functions?
a state machine
Can AWS Step Functions read and write from DynamoDB?
Yes
____________ manages compute environments and job queues, allowing users to easily run thousands of jobs of any scale using Amazon ECS, Amazon EKS, and AWS Fargate with an option between Spot or on-demand resources.
AWS Batch
_________ is designed for running batch computing workloads of any scale, while _________ is tailored for processing vast amounts of data using open source big data tools.
AWS Batch… Amazon EMR
Is the Oracle feature called Real Application Clusters (RAC) supported in Amazon RDS?
No
The ___________ (error type) in AWS Lambda typically occurs when the function reaches the account’s concurrency limit or when the request throughput limit is exceeded.
TooManyRequestsException
In DynamoDB, the ___________ error means that your request rate is too high for a table or global secondary index. To solve this, you can increase the ___________ of your DynamoDB table.
ProvisionedThroughputExceededException … Write Capacity Units (WCUs)
When an EC2 instance assumes an IAM role, does it retrieve its security credentials from the instance metadata or user data?
metadata (from the instance metadata service (IMDS) within the instance itself)
To keep your SSL/TLS keys secure, you can use ____________ to offload SSL/TLS processing for your web servers.
AWS CloudHSM
Which disaster recover strategies would you use for the following:
(1) RTO of 24 hours or less
(2) RTO of hours
(3) RTO of minutes
(4) RTO essentially zero
(1) backup and restore
(2) pilot light
(3) warm standby
(4) active-active
CloudFront _____________ allow you to control access to your content without changing your current URLs. It is also used when you want to provide access to multiple restricted files rather than a single file.
signed cookies
In Amazon Kinesis, a _______ is a high-level class within the Kinesis Client Library (KCL) that Kinesis applications use to start processing data.
worker
In AWS Lambda, what are the two types of concurrency?
(1) Reserved concurrency
(2) Provisioned concurrency
In AWS Lambda, ________ concurrency represents the maximum number of concurrent instances allocated to your function, whereas ________ concurrency is the number of pre-initialized execution environments allocated to your function.
reserved… provisioned
The _________ metric in AWS Lambda represents the number of function execution attempts that were throttled due to invocation rates exceeding the current limits.
Throttles metric
Each separate source of logs in CloudWatch Logs makes up a separate _____ __________.
Log Stream
Would you use SNS or SQS as part of an architecture to help with scaling?
SQS
Is S3 or EBS the ideal storage solution you need to scaling an application?
S3
The _________ ___________ is a built-in SSL/TLS certificate that is associated with the CloudFront default domain name (*.cloudfront.net)
default certificate
A CloudFront ________ origin refers to any web server or AWS resource that is not an Amazon S3 bucket
custom
