AWS SAP-C02 Study Guide Flashcards

1
Q

What is an OU in AWS?

A

An Organizational Unit (OU) is a way to group AWS accounts within an AWS Organization to help manage and organize accounts more effectively.

2
Q

What steps are involved in migrating a member account from one AWS Organization to another?

A

Remove the member account from its current organization (it must be a standalone account before it can join another one).
Send an invitation to the account from the destination organization.
Accept the invitation while signed in to the member account.
Ensure the OrganizationAccountAccessRole exists in the member account. It is created automatically only for accounts created from within an organization; for an invited account you must create it manually (trusting the new management account) if you want cross-account administrative access.

3
Q

What is AWS Control Tower, and what does it automate?

A

AWS Control Tower is a service that simplifies the setup and governance of a secure, compliant multi-account AWS environment. It automates the creation of a landing zone (built on AWS Organizations, IAM Identity Center, CloudTrail and AWS Config) and ongoing governance through controls, also called guardrails: preventive controls implemented as SCPs, detective controls implemented as AWS Config rules, and proactive controls implemented as CloudFormation hooks.

4
Q

What are Service Control Policies (SCPs) used for?

A

SCPs are organization policies attached to the organization root, to OUs, or to individual accounts to set the maximum permissions available to IAM principals in member accounts. They act as guardrails (for example, deny-listing Regions or services) to enforce compliance and control; they never grant permissions on their own.

5
Q

Do SCPs grant permissions directly to AWS accounts?

A

No. SCPs never grant permissions; they only filter what identity-based policies can grant, so permissions are still managed through IAM. The effective permissions of a principal in a member account are the intersection of its identity-based policies, the SCPs that apply to the account, and any IAM permissions boundary (and session policy) on the principal. An explicit deny in any of these layers wins.

6
Q

What happens if an organization does not have all features enabled?

A

An organization must have all features enabled (rather than consolidated billing only) to use SCPs and the other policy types. In consolidated-billing-only mode the SCP policy type is unavailable, so no SCP-based guardrails are enforced on member accounts.

7
Q

Whom do SCPs affect within member accounts?

A

SCPs apply to every IAM user and role in a member account and to the account's root user, because they cap what the account itself can do. They do not affect principals in the management account, even though it belongs to the organization.

8
Q

How do SCPs impact resource-based policies?

A

SCPs do not modify resource-based policies. They restrict what principals in the member account can do, so a member-account principal remains bound by SCPs when acting on a resource. A principal from outside the organization that is granted access by a resource-based policy (for example, a bucket policy) is not limited by your organization's SCPs, because SCPs only apply to principals in member accounts.

9
Q

What are service-linked roles, and how do SCPs interact with them?

A

Service-linked roles are IAM roles linked to a specific AWS service that let the service act on your behalf; in AWS Organizations they allow integrated services (such as CloudTrail or AWS Config) to work across the organization. SCPs do not restrict service-linked roles; they continue to function as designed regardless of SCP restrictions.

10
Q

What happens if the SCP policy type is disabled at the organization root?

A

If you disable the SCP policy type on the organization root, all SCPs are automatically detached from every OU and account under that root. Re-enabling SCPs later does not restore the previous attachments: every OU and account starts again with only the default FullAWSAccess SCP, so your guardrails must be reattached.

11
Q

What is the similarity between SCPs and IAM permissions boundaries?

A

Neither SCPs nor IAM permissions boundaries grant permissions. Both define the maximum permissions a principal can have, so an action must be explicitly allowed in the SCP and in the boundary (as well as in the identity-based policy) to succeed; anything not allowed is implicitly denied.

12
Q

What is the key principle of “Allow vs. Deny” in IAM policies?

A

Evaluation starts from an implicit deny: nothing is permitted unless an Allow statement grants it. If an explicit Deny statement matches the request in any applicable policy (identity-based, resource-based, SCP, or permissions boundary), it overrides every Allow.

13
Q

What does LDAP stand for, and what is its purpose?

A

LDAP stands for Lightweight Directory Access Protocol. It is an application protocol for querying and modifying directory services that hold information about organizations, individuals, and resources in a network; Active Directory, for example, exposes an LDAP interface.

14
Q

What is Identity Federation?

A

Identity Federation is a system of trust between two parties for authenticating users and conveying information needed to authorize their access to resources.

15
Q

What types of entities can be included in AWS user groups?

A

IAM user groups can contain only IAM users. Groups cannot be nested and cannot contain roles, and a user can belong to at most 10 groups.

16
Q

What is the difference between S3 Bucket Policies and IAM access permissions?

A

S3 bucket policies are resource-based policies attached to a bucket that allow or deny actions on some or all objects in it; they are managed centrally on the bucket and can grant cross-account access. IAM (identity-based) permissions are attached to users, groups, or roles and grant those identities access to S3 resources. Bucket policies can also restrict access with condition keys such as the time of the request (aws:CurrentTime), whether TLS was used (aws:SecureTransport), and the requester's IP address (aws:SourceIp).

17
Q

What type of access control is provided by IAM Policies, ACLs, and Bucket Policies?

A

IAM Policies: identity-level control (attached to users, groups, or roles).
ACLs (Access Control Lists): account-level control (grantees are AWS accounts or predefined groups). ACLs are legacy and are disabled by default on new buckets through the Object Ownership setting "Bucket owner enforced".
Bucket Policies: both account-level and user-level control (principals can be whole accounts or specific IAM users and roles).
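
The following is an added worked example, not code from the original study guide or from AWS. It models how the layers described in the SCP, permissions-boundary, "Allow vs. Deny" and bucket-policy cards above combine: an explicit Deny in any applicable policy wins, otherwise every applicable layer must contain a matching Allow, otherwise the request is implicitly denied. The policies, bucket name (`data-bucket`) and request context are constructed for illustration; the evaluator is a simplification (it supports only the condition operators used, treats each SCP in the list as one level of the OU hierarchy, and consults the bucket policy only for its Deny statement, not for the same-account "resource policy alone can allow" path).

```python
"""Toy model of how IAM identity policies, SCPs, a permissions boundary and an S3
bucket policy combine (added example, not AWS code): an explicit Deny in any
applicable policy wins; otherwise every applicable layer needs a matching Allow;
otherwise the request is implicitly denied."""
import ipaddress
import re


def _glob(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """Evaluate a Condition block; a missing context key means no match (IAM default)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            expected = [str(e) for e in _as_list(expected)]
            if operator == "StringEquals":
                ok = str(actual) in expected
            elif operator == "StringNotEquals":
                ok = str(actual) not in expected
            elif operator == "Bool":
                ok = str(actual).lower() == expected[0].lower()
            elif operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(e) for e in expected)
            else:
                raise ValueError(f"operator {operator} not modelled here")
            if not ok:
                return False
    return True


def _statement_applies(stmt, ctx):
    return (any(_glob(a, ctx["action"], True) for a in _as_list(stmt.get("Action", [])))
            and any(_glob(r, ctx["resource"]) for r in _as_list(stmt.get("Resource", "*")))
            and _condition_holds(stmt.get("Condition", {}), ctx))


def evaluate(policy, ctx):
    """Single-policy decision: 'Deny', 'Allow' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if _statement_applies(stmt, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_authorized(ctx, identity_policies, scps=(), boundary=None, resource_policies=()):
    """Combine layers; returns (allowed, reason). scps = one effective SCP per level
    of the OU hierarchy (each must allow); identity policies are a union (one Allow
    suffices); resource policies are consulted here only for explicit Deny."""
    layers = {"scp": list(scps), "boundary": [boundary] if boundary else [],
              "identity": list(identity_policies), "resource": list(resource_policies)}
    results = {name: [evaluate(p, ctx) for p in pols] for name, pols in layers.items()}
    for name, res in results.items():
        if "Deny" in res:
            return False, f"explicit deny in {name} policy"
    for name in ("scp", "boundary", "identity"):
        res = results[name]
        if res and not (all(r == "Allow" for r in res) if name == "scp" else "Allow" in res):
            return False, f"no allow in {name} layer (implicit deny)"
    return True, "allowed by every layer"


# Constructed sample policies for an IAM principal in a member account.
IDENTITY = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::data-bucket/*"},
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"}]}]
BOUNDARY = {"Version": "2012-10-17", "Statement": [  # caps the principal to S3 only
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCPS = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},  # FullAWSAccess-style default
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*",  # region guardrail
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}]}]
BUCKET_POLICY = [{"Version": "2012-10-17", "Statement": [  # require TLS
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::data-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}]


def check(action, resource, **context_keys):
    """Evaluate one request, e.g. check("s3:GetObject", arn, **{"aws:SecureTransport": "true"})."""
    ctx = {"action": action, "resource": resource, **context_keys}
    return is_authorized(ctx, IDENTITY, SCPS, BOUNDARY, BUCKET_POLICY)
```

Walking the four interesting requests through `check` shows each layer doing its job: a TLS `s3:GetObject` on the bucket passes every layer; the same request without TLS is stopped by the bucket policy's explicit deny even though identity, boundary and SCP all allow it; `ec2:RunInstances` in us-east-1 is stopped by the SCP's region deny; and `ec2:RunInstances` in eu-west-1 survives the SCP but fails because the permissions boundary contains no matching Allow, which is the "implicit deny in a boundary" case from the cards above.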

18
Q

What is the IAM Credentials Report used for?

A

The IAM credentials report is a CSV report for a single account (generated on demand, at most once every four hours) that lists every IAM user in the account and the status of their credentials: password enabled, last used and last changed, access keys and when each was last used, MFA status, and signing certificates. It is used to audit credential hygiene at the account level, for example to find stale access keys or users without MFA.

19
Q

What is the purpose of IAM Access Advisor?

A

IAM Access Advisor (service last accessed information) shows, for a user, group, role, or policy, which services its permissions allow and when each service was last accessed. It helps identify unused permissions so policies can be tightened toward least privilege.

20
Q

What is the AWS Policy Simulator used for?

A

The IAM Policy Simulator is used to test and troubleshoot identity-based policies attached to users, user groups, or roles, together with resource-based policies, permissions boundaries and SCPs that apply to the request. It evaluates the policies without making real API calls, so you can confirm that a policy change has the intended effect before deploying it.

21
Q

What is IAM Access Analyzer used for?

A

IAM Access Analyzer analyzes resource-based policies across an account or organization to identify resources, such as Amazon S3 buckets, IAM roles, KMS keys, SQS queues, or Secrets Manager secrets, that are shared with an external entity, so unintended access can be removed. It also validates policies against IAM grammar and best practices and can generate least-privilege policies from CloudTrail access activity.

22
Q

What is Amazon Cognito, and what is its role?

A

Amazon Cognito provides authentication, authorization, and user management for web and mobile applications. It acts as an identity broker between your application and identity providers (its own user directory, social IdPs such as Google or Apple, and enterprise SAML or OIDC IdPs), handling sign-in and issuing tokens or temporary AWS credentials.

23
Q

What is a User Pool in Amazon Cognito?

A

A user pool is a user directory that handles sign-up, sign-in, MFA, and account recovery. After authentication it issues JSON Web Tokens (ID, access, and refresh tokens) to the application, and it can federate sign-in through external identity providers (social, SAML, or OIDC).

24
Q

What is an Identity Pool in Amazon Cognito?

A

An identity pool (federated identities) exchanges an identity token, from a user pool or an external IdP, for temporary AWS credentials via STS, so the application can call AWS services directly or sign requests to an IAM-authorized API Gateway endpoint. It maps identities to IAM roles and has default roles for authenticated and unauthenticated (guest) users.

25
Q

What is AWS Resource Access Manager (RAM) used for?

A

AWS Resource Access Manager shares resources you own with other AWS accounts: specific accounts, OUs, or your entire organization (sharing with OUs or the organization requires sharing to be enabled in AWS Organizations), or any external account for resource types that allow it. It avoids duplicating resources such as subnets or Transit Gateways in every account.

26
Q

What can be shared using AWS RAM?

A

AWS RAM can share resources such as VPC subnets, AWS Transit Gateways, Route 53 Resolver rules, and License Manager configurations across accounts. With shared subnets, participant accounts launch their resources into the owner's VPC and communicate over private IP addresses.

27
Q

What is the purpose of AWS API Gateway?

A

Amazon API Gateway is the front door to backend resources, exposing Lambda functions, EC2 instances, DynamoDB, and other HTTP or AWS service integrations as APIs. It offers response caching, throttling and usage plans, pay-per-request pricing, scalability, CORS support, and access control through IAM authorization, Cognito user pool authorizers, and Lambda authorizers.

28
Q

What types of certificates are used for HTTPS security integration with AWS API Gateway?

A

For edge-optimized endpoints the ACM certificate must be in us-east-1, because the CloudFront distribution in front of the API is served from there; for regional endpoints the certificate must be in the same Region as the API. Custom domain names are mapped to an API with a public or imported certificate from AWS Certificate Manager (ACM).

29
Q

What are the differences between Application Load Balancer (ALB) and Elastic Load Balancer (ELB/CLB)?

A

ALB operates at Layer 7 for HTTP(S) and WebSocket traffic, supports host- and path-based routing, and is addressed by a fixed DNS name (no static IP unless fronted by an NLB or Global Accelerator). The Classic Load Balancer (CLB, the original "ELB") is the legacy option: it handles HTTP(S) at Layer 7 and TCP/SSL at Layer 4 with fewer features, also has a fixed DNS name, and supports sticky sessions via cookies.

30
Q

What is the purpose of Route 53 Health Checks?

A

Route 53 Health Checks are used to monitor the health of endpoints, such as applications, servers, or other AWS resources. They work with routing policies like weighted routing, latency-based routing, geolocation, and multivalue routing, helping to detect and respond to endpoint health issues.

31
Q

What does AWS Global Accelerator offer?

A

AWS Global Accelerator provides Anycast/static IP addresses for global users, optimizing application availability and performance. It routes user traffic to the nearest endpoint based on performance, location, and policies. It’s suitable for non-HTTP use cases like gaming (UDP), IoT (MQTT), and VOIP.

32
Q

What is the primary function of CloudFront in AWS?

A

CloudFront is AWS's content delivery network (CDN). It caches and delivers entire websites, including dynamic, static, streaming, and interactive content, from a global network of edge locations, reducing origin load and bandwidth and improving performance by serving users from the nearest edge.

33
Q

What is the difference between Unicast IP and Anycast IP?

A

Unicast IP is where each server has a unique IP address, while Anycast IP is where multiple servers share the same IP address, and the client is routed to the nearest server using that IP.

34
Q

What is the purpose of AWS PrivateLink?

A

AWS PrivateLink exposes a service running in a VPC (behind a Network or Gateway Load Balancer) to consumer VPCs through interface endpoints, without VPC peering. Traffic stays on the AWS network with no public internet exposure, and because only the endpoint is shared rather than the whole network, overlapping CIDR ranges are not a problem.

35
Q

What is the primary use case for AWS Direct Connect?

A

AWS Direct Connect establishes a dedicated network connection between an on-premises data center and AWS, over which private virtual interfaces reach your VPCs. It is ideal for high-throughput workloads that need consistent latency. Note that Direct Connect traffic is private but not encrypted by default: use MACsec on supported connections or an IPsec VPN over the connection when encryption in transit is required.

36
Q

How are IP addresses divided using CIDR notation?

A

CIDR (Classless Inter-Domain Routing) notation divides IP addresses into subnets by specifying the number of bits used for the network and host portions of the address. For example, /24 means the first 24 bits are for the network, and the remaining 8 bits are for hosts.

37
Q

What is the main purpose of AWS Global Accelerator?

A

AWS Global Accelerator is a network service that improves the availability and performance of applications for global users. It provides Anycast/static IP addresses to create a fixed entry point, routes traffic to the optimal endpoint based on performance, and offers fast failover for disaster recovery.

38
Q

What is the key difference between AWS Global Accelerator and Amazon CloudFront?

A

AWS Global Accelerator is designed to improve the performance of applications using TCP/UDP, making it suitable for non-HTTP use cases like gaming and IoT. Amazon CloudFront, on the other hand, is a content delivery service that caches and delivers website content, including dynamic and static content, at edge locations.

39
Q

How does Route 53 handle DNS routing and domain registration?

A

Route 53 is an AWS service for DNS routing and domain registration. It manages DNS records, including A, AAAA, CNAME, MX, and PTR records, and allows you to route traffic based on routing policies such as simple, weighted, latency, geolocation, and more.

40
Q

What is the primary purpose of Route 53 Health Checks (HC)?

A

Route 53 health checks enable DNS failover, for example a failover routing policy between a primary and a secondary Application Load Balancer, by monitoring the health of endpoints such as applications and servers. If an endpoint fails its health check, Route 53 stops returning that record and traffic is directed to healthy endpoints.

41
Q

What is the difference between Unicast IP and Anycast IP?

A

Unicast IP assigns a unique IP address to each server, whereas Anycast IP assigns the same IP address to multiple servers, routing traffic to the nearest one. Anycast IP is used to create a fixed entry point, as in AWS Global Accelerator.

42
Q

What does the Route 53 Resolver service do?

A

Route 53 Resolver is the DNS resolver built into every VPC (reachable at the VPC CIDR base plus two). It automatically answers queries for VPC-local domain names and public names, and with inbound and outbound Resolver endpoints plus forwarding rules it integrates with on-premises DNS resolvers over Direct Connect or VPN.

43
Q

How can AWS Direct Connect benefit organizations?

A

AWS Direct Connect provides a dedicated network connection between on-premises data centers and AWS, reducing data transfer costs compared with internet egress, increasing bandwidth, and giving a more consistent network experience than an internet-based VPN. Because the link is private but not encrypted by default, pair it with MACsec or an IPsec VPN when the data requires encryption in transit.

44
Q

What are some common DNS types used in Route 53?

A

Common DNS record types in Route 53 include SOA, NS, A, AAAA, CNAME, MX, TXT, and PTR records, plus Route 53 alias records that point at AWS resources, each serving a specific purpose in DNS management.

45
Q

What is the purpose of CIDR notation in networking?

A

CIDR (Classless Inter-Domain Routing) notation is used to specify IP address ranges and subnet masks. It allows for more flexible allocation of IP addresses and efficient use of address space.

46
Q

How many VPCs are allowed per AWS region by default?

A

By default, AWS allows up to 5 Virtual Private Clouds (VPCs) per region.

47
Q

How many subnets are allowed per VPC in AWS?

A

AWS allows up to 200 subnets per VPC. Subnets are used to segment a VPC into smaller network segments.

48
Q

What does the notation “/32” represent in CIDR?

A

The notation "/32" fixes all 32 bits of the address (subnet mask 255.255.255.255), so the block contains exactly one IP address. It is used to allow a single host, for example in a security group rule.

49
Q

In CIDR notation, what does “/0” represent?

A

In CIDR notation, "/0" fixes none of the bits (subnet mask 0.0.0.0), so 0.0.0.0/0 matches every IPv4 address. It appears in default routes and in wide-open security group rules that allow traffic from anywhere.

50
Q

How many IP addresses are available in a subnet with a CIDR notation of “/29”?

A

A "/29" leaves 3 host bits, so the block contains 2^3 = 8 IP addresses. In classic networking two are reserved (network and broadcast address), leaving 6 usable. Inside an AWS VPC, 5 addresses are reserved in every subnet and the smallest allowed subnet is /28, so a /28 yields 16 - 5 = 11 usable addresses and a /29 cannot be created at all.

51
Q

Why does AWS reserve certain IP addresses within a VPC’s CIDR block for each subnet?

A

AWS reserves five addresses in every subnet: the first four (the network address, the VPC router, the Amazon-provided DNS server, and one reserved for future use) and the last (the network broadcast address, reserved even though VPCs do not support broadcast). For 10.0.0.0/24 these are 10.0.0.0 through 10.0.0.3 and 10.0.0.255, and they are not available for user allocation.
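
As an added example (not from the original study guide or from AWS tooling), the following uses only Python's standard `ipaddress` module to work the CIDR cards above: the /32 and /0 cases, the classic versus AWS usable-address count for a /29, the five AWS-reserved addresses, and the /16 to /28 subnet size limits. The sample CIDR blocks and the `rule_matches` / `is_wide_open` helper names are constructed for illustration.

```python
"""CIDR arithmetic for the /0, /29, /32 and AWS-reserved-address cards
(added example, not AWS tooling). Standard library only."""
import ipaddress

# Offsets AWS reserves at the start of every VPC subnet; the last address is reserved too.
AWS_RESERVED = {0: "network address", 1: "VPC router", 2: "Amazon-provided DNS",
                3: "reserved for future use"}
AWS_MIN_PREFIX, AWS_MAX_PREFIX = 16, 28   # IPv4 VPC subnets must be between /16 and /28


def summarize(cidr):
    """Describe an IPv4 CIDR block in classic-networking and AWS-VPC terms."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    total = net.num_addresses
    # Classic: network + broadcast reserved, except /31 (RFC 3021) and /32 (one host).
    classic_usable = total if net.prefixlen >= 31 else total - 2
    reserved = {str(net[off]): what for off, what in AWS_RESERVED.items() if off < total}
    if total > 4:
        reserved[str(net[-1])] = "broadcast address (unused by VPC, still reserved)"
    return {
        "prefix": net.prefixlen,
        "netmask": str(net.netmask),
        "total": total,
        "classic_usable": classic_usable,
        "aws_valid_subnet": AWS_MIN_PREFIX <= net.prefixlen <= AWS_MAX_PREFIX,
        "aws_reserved": reserved,
        "aws_usable": max(total - 5, 0),
    }


def rule_matches(cidr, ip):
    """Would a security-group rule or route entry for `cidr` match `ip`?"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def is_wide_open(cidr):
    """True for 0.0.0.0/0 or ::/0, the 'anywhere' source in a security-group rule."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
```

`summarize("10.0.0.0/29")` reports 8 addresses, 6 usable in classic terms but only 3 in a VPC (and flags the block as too small for a VPC subnet), while `summarize("10.0.1.0/24")` shows the five reserved addresses 10.0.1.0 to 10.0.1.3 and 10.0.1.255 and 251 usable. `is_wide_open` is the check a security-group audit script would run on each rule's source CIDR.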

52
Q

What is the purpose of CIDR notation in AWS security group (SG) rules?

A

CIDR notation in security group rules defines the source (inbound rules) or destination (outbound rules) IP range that a rule permits. Security groups are allow-lists only: there are no deny rules, and traffic not matched by any allow rule is dropped, so a rule with source 0.0.0.0/0 opens that port to the entire internet.

53
Q

What is an EC2 On-Demand Instance, and how is it billed?

A

An EC2 On-Demand Instance is a pay-as-you-go instance with no long-term commitment. Amazon Linux, Ubuntu, and Windows instances are billed per second with a 60-second minimum per instance launch; some other operating systems (for example RHEL and SUSE) are billed per hour.

54
Q

What is an EC2 Savings Plan Instance, and what are the available commitment terms?

A

A Savings Plan is a commitment to a fixed amount of compute spend per hour for a 1- or 3-year term. EC2 Instance Savings Plans apply to an instance family in a Region; Compute Savings Plans apply to any instance family or Region and also to Fargate and Lambda. Usage beyond the commitment is billed at the On-Demand rate.

55
Q

What is an EC2 Reserved Instance, and how does it differ from a Savings Plan?

A

An EC2 Reserved Instance is a 1- or 3-year commitment to a consistent instance configuration (instance type, Region or AZ, tenancy, platform). It is a billing discount applied to matching usage, not a capacity placement, and the discount can be shared across accounts in an AWS Organization through consolidated billing. Because it does not pin you to specific physical servers, it does not by itself satisfy server-bound (per-socket or per-core) software licences; that is a Dedicated Host use case.

56
Q

What is an EC2 Convertible Reserved Instance, and when is it a good choice?

A

An EC2 Convertible Reserved Instance is one of the reserved instance purchasing options that offers flexibility. It is suitable for long workloads with the ability to change instance type, family, OS, scope, and tenancy during the reservation term.

57
Q

What are EC2 Dedicated Instances, and how do they differ from Dedicated Host Instances?

A

EC2 Dedicated Instances run on single-tenant hardware inside a VPC but may share that hardware with other instances from the same AWS account, and you have no visibility into the physical server. Dedicated Hosts give you an entire physical server with visibility into sockets and physical cores, which is what allows existing server-bound software licences (BYOL) to be used.

58
Q

What is an EC2 Spot Instance, and when is it most cost-effective?

A

An EC2 Spot Instance is the most cost-efficient EC2 instance type, offering up to 90% off the On-Demand rate. It is suitable for workloads with flexible start/end times, such as batch jobs and data analysis.

59
Q

What are EC2 Spot Fleets, and what strategies can be used to allocate Spot Instances?

A

EC2 Spot Fleets are sets of Spot Instances and, optionally, On-Demand Instances launched to meet a target capacity. Allocation strategies for the Spot portion include lowest-price (cost optimization), diversified (spread across pools for availability), capacity-optimized (pools with the most spare capacity, fewest interruptions), and price-capacity-optimized (the recommended balance of the two).

60
Q

What are EC2 Spot Blocks (Spot Duration), and how do they differ from regular Spot Instances?

A

EC2 Spot Blocks allow you to “block” spot instances for a specified time frame (1 to 6 hours) without interruptions. In rare situations, Spot Blocks may be reclaimed. They are not available to new customers.

61
Q

How are EC2 Security Group (SG) configurations defined?

A

EC2 Security Group (SG) configurations specify source (inbound rules) or destination (outbound rules) for network traffic. They can be defined using single IPv4/IPv6 addresses, CIDR blocks, Prefix List IDs for AWS services, or references to other SGs.

62
Q

What is a Cluster Placement Group in EC2, and what are its characteristics?

A

A Cluster Placement Group in EC2 clusters instances into a low-latency group within a single Availability Zone (AZ). It offers high network speeds and low latency. If the underlying rack fails, all instances within the group can fail simultaneously. Use cases include big data jobs and applications requiring low latency and high network throughput.

63
Q

What is a Partition Placement Group in EC2, and what are its characteristics?

A

A Partition Placement Group in EC2 spreads instances across different partitions within an AZ. Each partition relies on different sets of racks, and instances within one partition do not share racks with instances in other partitions. It can scale to hundreds of instances per group and supports up to 7 partitions per AZ, spanning multiple AZs. Use cases include distributed and replicated workloads such as HDFS, HBase, Cassandra, Kafka, and Hadoop.

64
Q

What is a Spread Placement Group in EC2, and what are its characteristics?

A

A Spread Placement Group in EC2 spreads instances across underlying hardware to reduce the risk of simultaneous failures. It can have a maximum of 7 instances per group per AZ and can span multiple AZs. Instances in a Spread Placement Group are isolated from each other, making it suitable for critical applications requiring isolation from each other.

65
Q

What happens to EC2 instances in terms of recovery after a failure?

A

With EC2 Auto Recovery (triggered by a CloudWatch alarm action or by simplified automatic recovery, which is enabled by default on supported instance types), a failed instance is recovered onto new hardware and keeps the same instance ID, private IP, public IPv4 address, Elastic IP, instance metadata, and placement group.

66
Q

What is EC2 User Data, and how is it used?

A

EC2 user data performs automated, dynamic configuration tasks and runs scripts when an instance boots. It is passed as a shell script or cloud-init directives at launch and, by default, runs only on the first boot; cloud-init can be configured to run it on every boot. User data is stored unencrypted and is readable from the instance metadata service by any process on the instance (and via ec2:DescribeInstanceAttribute), so never embed secrets in it; fetch them from Secrets Manager or Parameter Store at boot instead.

67
Q

What is EC2 Hibernate, and what are its benefits?

A

EC2 Hibernate preserves an instance's in-memory state: on hibernation the RAM contents are written to the root EBS volume, which must be encrypted, and on start they are restored, so the OS resumes instead of cold-booting and applications come back faster. It is available for On-Demand, Reserved, and Spot Instances with up to 150 GB of RAM and suits long-running processes and services with long initialization times. An instance cannot remain hibernated for more than 60 days.

68
Q

What is the Elastic Fabric Adapter (EFA), and what is it used for?

A

The Elastic Fabric Adapter (EFA) is a network interface that improves inter-node communication for high-performance computing (HPC) and machine-learning workloads on AWS. It is designed for Linux instances running tightly coupled workloads that use the MPI standard: its OS-bypass capability lets applications talk to the adapter directly rather than through the Linux kernel network stack, giving lower latency and more consistent throughput.

69
Q

What are the benefits of EC2 Enhanced Networking?

A

EC2 Enhanced Networking offers higher bandwidth, higher packets per second (PPS), and lower latency compared to standard networking options. It provides two options: ENA (Elastic Network Adapter) with up to 100 Gbps bandwidth and Intel 82599VF with up to 10 Gbps bandwidth (legacy).

70
Q

What are the different AWS Scaling Policies, and how do they work?

A

Auto Scaling policies include:

Dynamic scaling, which reacts to CloudWatch metrics and comes in three forms: target tracking, which keeps a metric at a target value (e.g., 50% average CPU) and computes the adjustments for you; step scaling, which applies adjustments of different sizes depending on how far a CloudWatch alarm breaches its threshold; and simple scaling, which applies one fixed adjustment per alarm and then waits for the cooldown.
Scheduled actions: scaling at known times based on predictable usage patterns (e.g., increasing capacity before business hours).
Predictive scaling: machine-learning forecasts of load that schedule capacity ahead of the expected demand.

71
Q

What is scaling cooldown in AWS Auto Scaling?

A

Scaling cooldown is a period following a scaling action during which AWS Auto Scaling does not initiate any further scaling actions. The default cooldown period is 300 seconds. It helps prevent rapid and potentially unnecessary scaling actions that could occur if further changes in load occur immediately after a scaling action.

72
Q

What is the difference between Amazon EC2 Auto Scaling and AWS Auto Scaling?

A

Amazon EC2 Auto Scaling manages only EC2 instances in Auto Scaling groups, launching or terminating them based on dynamic scaling policies, schedules, predictive scaling, and health checks.
AWS Auto Scaling is a centralized service that builds scaling plans across several resource types, including EC2 Auto Scaling groups, Spot Fleets, ECS services, DynamoDB tables and indexes, and Aurora replicas, based on utilization targets or metrics.

73
Q

How does EC2 Auto Scaling handle the termination of instances?

A

EC2 Auto Scaling follows a specific termination precedence:

Determine which Availability Zone (AZ) has the most instances and at least one unprotected instance.
Determine which instances to terminate to align the remaining instances with the allocation strategy for the on-demand or spot instances being terminated.
Determine if the instance uses the oldest launch template or launch configuration, and choose instances using the old version.
If multiple unprotected instances are to terminate, determine which instances are closest to the next billing hour.
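
The following is an added example, not code from the original study guide or from AWS, that simulates the default termination precedence listed above on a constructed fleet. Steps 1, 3 and 4 follow the documented order; step 2 (align with the On-Demand/Spot allocation strategy) is approximated here as "prefer terminating whichever purchase option is above its target share", which is a simplification of the real algorithm. Instance IDs, Availability Zones and timestamps are constructed.

```python
"""Simulation of the default EC2 Auto Scaling termination policy (added example,
not AWS code). Step 2 is an approximation of the allocation-strategy step."""
from collections import Counter
from dataclasses import dataclass, replace
import random


@dataclass
class Instance:
    instance_id: str
    az: str
    purchase: str            # "on-demand" or "spot"
    template_version: int    # launch template version; lower = older
    launch_time: int         # epoch seconds
    protected: bool = False  # scale-in protection


def seconds_into_billing_hour(inst, now):
    """Seconds elapsed in the instance's current billing hour (higher = closer to the next)."""
    return (now - inst.launch_time) % 3600


def select_for_termination(instances, now, on_demand_target_pct=100, seed=0):
    """Return the instance the default policy would terminate, or None if all are protected."""
    candidates = [i for i in instances if not i.protected]
    if not candidates:
        return None

    # Step 1: the AZ with the most instances that still has at least one unprotected one.
    az_counts = Counter(i.az for i in instances)
    busiest = max(az_counts[i.az] for i in candidates)
    candidates = [i for i in candidates if az_counts[i.az] == busiest]

    # Step 2 (approximation): terminate from the purchase option above its target share.
    if len(candidates) > 1:
        od_share = 100 * sum(i.purchase == "on-demand" for i in instances) / len(instances)
        over = "on-demand" if od_share > on_demand_target_pct else "spot"
        aligned = [i for i in candidates if i.purchase == over]
        if aligned:
            candidates = aligned

    # Step 3: prefer instances launched from the oldest launch template version.
    oldest = min(i.template_version for i in candidates)
    candidates = [i for i in candidates if i.template_version == oldest]

    # Step 4: prefer the instance closest to its next billing hour.
    closest = max(seconds_into_billing_hour(i, now) for i in candidates)
    candidates = [i for i in candidates if seconds_into_billing_hour(i, now) == closest]

    # Remaining ties are broken at random.
    return random.Random(seed).choice(candidates)


# Constructed fleet: three instances in eu-west-1a, two in eu-west-1b.
NOW = 1_700_000_000
FLEET = [
    Instance("i-a1", "eu-west-1a", "on-demand", 1, NOW - 100),
    Instance("i-a2", "eu-west-1a", "spot",      2, NOW - 3500),
    Instance("i-a3", "eu-west-1a", "on-demand", 2, NOW - 1800),
    Instance("i-b1", "eu-west-1b", "on-demand", 1, NOW - 3599),
    Instance("i-b2", "eu-west-1b", "spot",      2, NOW - 50),
]
PROTECTED_FLEET = [replace(FLEET[0], protected=True)] + FLEET[1:]
TIE_FLEET = [  # identical except launch time, so only step 4 decides
    Instance("i-c1", "eu-west-1c", "on-demand", 3, NOW - 100),
    Instance("i-c2", "eu-west-1c", "on-demand", 3, NOW - 3500),
]
```

With a 50% On-Demand target, `select_for_termination(FLEET, NOW, 50)` narrows to eu-west-1a (step 1), then to the over-represented On-Demand instances (step 2), then picks `i-a1` for its older launch template (step 3). Protecting `i-a1` shifts the choice to `i-a3`, and in `TIE_FLEET` only the billing-hour rule separates the two, selecting `i-c2`.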

74
Q

What is Amazon Elastic Container Registry (ECR) and what are its key features?

A

Amazon Elastic Container Registry (ECR) is a private and public container image registry service provided by AWS. Key features include:

Storage for container images.
Backed by Amazon S3.
Access control using IAM.
Integration with ECS, EKS, and Fargate.
Support for vulnerability scans, versioning, image tags, and image lifecycle management.

75
Q

What are the two launch types available in Amazon ECS, and how do they differ?

A

Amazon ECS offers two launch types:

Amazon EC2: tasks run on EC2 container instances that you provision and patch. Storage options include Docker volumes backed by the instance's EBS storage, bind mounts, Amazon EFS, and FSx for Windows File Server.
AWS Fargate: tasks run without managing EC2 instances; you pay per task for the vCPU and memory requested. Storage options are ephemeral task storage, bind mounts, and Amazon EFS; Docker volumes and FSx for Windows are not supported, and EBS volumes could not be used until task-level EBS attachment was added to ECS in 2024.

76
Q

What is the purpose of Amazon ECS Autoscaling target tracking metrics, and can they be triggered by EventBridge rules or schedules?

A

Amazon ECS Service Auto Scaling uses target tracking on predefined metrics such as ECSServiceAverageCPUUtilization, ECSServiceAverageMemoryUtilization, and ALBRequestCountPerTarget to adjust the number of running tasks in a service toward a target value. Step scaling and scheduled scaling are also available, and an EventBridge rule or schedule can invoke a Lambda function that calls UpdateService to change the desired count.

77
Q

What roles are involved in IAM for Amazon ECS, and how are they used?

A

In Amazon ECS, three IAM roles are involved:

EC2 instance profile (EC2 launch type only): used by the ECS agent on the container instance to register with ECS, pull container images from ECR, and send logs to CloudWatch.
Task execution role: used by the ECS agent on behalf of a task (both launch types) to pull its image from ECR and to retrieve secrets referenced in the task definition from Secrets Manager or SSM Parameter Store.
ECS task role: the role the application inside the task assumes to call AWS services; it is set per task definition, so each service gets only the permissions it needs.

78
Q

What are the different ways to manage nodes in Amazon EKS, and what are the options for node types?

A

In Amazon EKS, worker capacity can be provided in three ways:

Managed node groups: EKS creates, updates, and manages the EC2 nodes for you; supports On-Demand or Spot Instances.
Self-managed nodes: EC2 instances you create and manage (for example with the Amazon EKS-optimized AMI) and register with the cluster; supports On-Demand and Spot Instances.
AWS Fargate: serverless pods run without any nodes to manage, selected through Fargate profiles.

79
Q

What are the characteristics and use cases of AWS Lambda (λ)?

A

AWS Lambda is a serverless compute service with the following characteristics:

Runs code in response to events without provisioning servers.
Free tier includes 1 million requests and 400,000 GB-seconds of compute per month.
Billed per million requests and per GB-second of duration, metered in 1 ms increments.
Memory from 128 MB up to 10,240 MB (10 GB), with CPU allocated in proportion; ephemeral /tmp storage from 512 MB up to 10 GB.
Environment variables for configuration (encrypt sensitive values with KMS or fetch them from Secrets Manager).
No built-in caching across invocations beyond what survives in a warm execution environment.
Regional service with a maximum execution time of 15 minutes per invocation (unlike Fargate, which has no time limit).
Concurrent execution limit per Region (default 1,000, adjustable).

80
Q

What is AWS Fargate, and how does it work?

A

AWS Fargate is a serverless compute engine for containers that runs ECS tasks and EKS pods without you managing the underlying instances: AWS places each task on its own isolated compute based on the vCPU and memory you specify. Tasks run inside your VPC, have ephemeral storage and EFS support, and have no execution time limit, unlike Lambda. Fargate tasks historically could not mount EBS volumes; EBS attachment at task launch was added to ECS in 2024.

81
Q

What is AWS CloudTrail, and what does it monitor and record?

A

AWS CloudTrail is a service that monitors and records account activity across AWS infrastructure. It provides governance, compliance, and audit capabilities for AWS accounts. It records a history of events and API calls within your AWS account.

82
Q

What are the two types of CloudTrail events, and what is the difference between them?

A

CloudTrail events can be separated into two types:

Management Events: enabled by default; they record control-plane actions such as creating, modifying, or deleting AWS resources, IAM changes, and console sign-ins.
Data Events: disabled by default because of the volume they generate and billed separately; they record data-plane, resource-level activity such as S3 object-level operations (GetObject, PutObject), Lambda function invocations, and DynamoDB item-level actions. Enable them selectively when you need object-level audit trails or want to drive EventBridge rules from that activity.

83
Q

What is CloudTrail Insights, and how does it help detect unusual activity?

A

CloudTrail Insights detects unusual API activity by building a baseline of normal write management-event volume and error rates, then continuously comparing new activity against it to flag deviations such as a burst of IAM actions or an unexpected spike in resource-provisioning calls. Insights events are delivered to the trail's S3 bucket and shown in the CloudTrail console, and they can be routed through EventBridge for alerting.

84
Q

How long are CloudTrail events stored by default, and what is the alternative for longer retention?

A

CloudTrail events are stored for 90 days by default. If you need longer retention, you can configure CloudTrail to send events to Amazon S3, where you can store and analyze them using services like Amazon Athena.

85
Q

What is Amazon EventBridge (formerly known as CloudWatch Events), and how does it work?

A

Amazon EventBridge is a service that provides connectivity between events and services. It allows you to react to events from various AWS services and external sources by defining event patterns in AWS JSON rule configurations. When an event matches a rule, it can trigger actions like invoking AWS Lambda functions, sending SNS or SQS messages, or initiating other services.

86
Q

What are Event Buses in Amazon EventBridge, and what are the types of Event Buses?

A

Event Buses in Amazon EventBridge are logical containers for events. There are three types of Event Buses:

Default Event Bus: Receives events from AWS services.
Partner Event Bus: Receives events from third-party SaaS partners.
Custom Event Bus: Receives events from custom applications or AWS services not integrated with the default bus.

87
Q

What are some characteristics of Amazon SQS (Simple Queue Service)?

A

Amazon SQS is a distributed message queue service with the following characteristics:

Messages are retained for a configurable period (default 4 days, from 1 minute up to 14 days).
Supports standard queues (best-effort ordering, at-least-once delivery, nearly unlimited throughput) and FIFO queues (strict ordering, exactly-once processing, limited throughput).
Maximum message size is 256 KB; larger payloads are stored in S3 via the Extended Client Library.
A queue can have multiple consumers, which compete for messages.
Supports short polling and long polling (WaitTimeSeconds up to 20 seconds) for message retrieval.
A dead-letter queue captures messages that exceed maxReceiveCount, so poison messages stop blocking consumers.
The visibility timeout (default 30 seconds) hides a received message from other consumers until it is deleted or the timeout expires, preventing concurrent duplicate processing.

88
Q

What are some characteristics of Amazon SNS (Simple Notification Service)?

A

Amazon SNS is a publish/subscribe messaging service with the following characteristics:

Supports pub/sub model with topics and subscriptions.
Allows filtering of messages for subscribers using filter policies.
Supports push-based data delivery to subscribers via various transport protocols.
Integrates with various AWS services and external endpoints.
Offers encryption in transit (HTTPS endpoints) and at rest with server-side encryption under a KMS key; the key policy must then let SNS and the subscribing services use the key.
Supports up to 100,000 standard topics per account and 12,500,000 subscriptions per topic (FIFO topics have much lower limits).

89
Q

What is AWS Certificate Manager (ACM), and what is its primary purpose?

A

AWS Certificate Manager (ACM) provisions, manages, imports, and deploys public and private SSL/TLS certificates for integrated AWS services such as ELB, CloudFront, API Gateway, and App Runner; private certificates for internal resources come from AWS Private CA. Its primary purpose is to remove manual certificate handling: ACM validates domain ownership (DNS or email validation), renews ACM-issued certificates automatically while they remain in use by an integrated service, and keeps the private key under its own control so it never has to be copied onto hosts.

90
Q

What is the role of Systems Manager (SSM) Parameter Store, and how does it manage secrets?

A

SSM Parameter Store stores configuration data and secrets as String, StringList, or SecureString parameters organized in a path hierarchy (for example /prod/db/password). SecureString values are encrypted with a KMS key, so reading one requires both IAM permission on the parameter and kms:Decrypt on the key. It keeps a version history of each parameter, emits EventBridge notifications on changes, and for advanced-tier parameters supports parameter policies such as Expiration, ExpirationNotification, and NoChangeNotification. It does not rotate secrets itself; for automatic rotation use Secrets Manager.

91
Q

What are the key features of AWS Secrets Manager?

A

AWS Secrets Manager stores, retrieves, and rotates database credentials, API keys, and other secrets. Key features: automatic rotation on a schedule through a Lambda function (built in for RDS, Redshift, and DocumentDB credentials, generating a new random secret each rotation), encryption at rest with a KMS key, fine-grained IAM and resource policies including cross-account access, multi-Region replication, and auditing of every retrieval through CloudTrail. Unlike Parameter Store it charges per secret and per API call, which is the trade-off for managed rotation.

92
Q

What is the purpose of Amazon GuardDuty, and what types of threats can it protect against?

A

Amazon GuardDuty is a threat detection service that continuously monitors AWS accounts and workloads for malicious or unauthorized activity. It analyzes CloudTrail management and S3 data events, VPC Flow Logs, and DNS logs (plus optional sources such as EKS audit logs, RDS login activity, Lambda network activity, and on-demand or triggered malware scans of EBS volumes) using threat-intelligence feeds and machine-learning anomaly detection. Typical findings include compromised credentials used from an unusual location, cryptocurrency mining, port scanning or command-and-control traffic from an EC2 instance, and unusual S3 access patterns. GuardDuty only detects; remediation is done by routing its findings through EventBridge to Lambda or Security Hub.

93
Q

What does Amazon Macie do, and what types of data does it protect?

A

Amazon Macie is a data security service that uses machine learning and pattern matching to discover and classify sensitive data stored in Amazon S3, such as personally identifiable information (PII), financial data, and credentials. It also evaluates bucket-level posture (public access, encryption, sharing with other accounts) and reports findings through dashboards and EventBridge so they can be alerted on or forwarded to Security Hub.

94
Q

What are the services that AWS WAF can protect, and what is its primary use case?

A

AWS Web Application Firewall (WAF) is a layer 7 firewall that can be attached to CloudFront distributions, API Gateway REST APIs, Application Load Balancers, AppSync GraphQL APIs, Cognito user pools, App Runner services, and Verified Access instances. Its primary use case is to inspect HTTP/HTTPS requests against a Web ACL of rules (IP sets, geo match, header/body/URI matching, rate-based rules, and AWS or vendor managed rule groups for SQL injection, XSS, and known bad inputs) and allow, block, count, or CAPTCHA them.

95
Q

What is the purpose of AWS Shield, and how does it provide DDoS protection?

A

AWS Shield is a managed DDoS protection service. Shield Standard is enabled at no cost for every customer and mitigates the common layer 3 and 4 attacks (SYN floods, UDP reflection) against CloudFront, Route 53, and other edge services. Shield Advanced is a paid tier that adds layer 7 detection and mitigation, near-real-time attack visibility, protection for EC2 (via Elastic IPs), ELB, CloudFront, Global Accelerator, and Route 53, access to the Shield Response Team during an attack, and cost protection against the scaling charges an attack causes.

96
Q

What is AWS Firewall Manager, and how does it help manage security rules?

A

AWS Firewall Manager centrally manages security rules across all accounts of an AWS Organization from a designated administrator account. It deploys and enforces policies for AWS WAF Web ACLs, Shield Advanced protections, VPC security groups, AWS Network Firewall, and Route 53 Resolver DNS Firewall, automatically applying them to new accounts and resources as they appear and flagging or remediating non-compliant ones.

97
Q

What is AWS Network Firewall, and what types of traffic can it inspect and protect against?

A

AWS Network Firewall is a managed, stateful network firewall and intrusion prevention service for a VPC, covering layers 3 to 7. It is deployed as firewall endpoints in dedicated subnets and inserted into the path by route tables, so it can inspect inbound and outbound internet traffic, traffic between VPCs, and traffic arriving over Direct Connect or Site-to-Site VPN when those flows are routed through it (typically via a Transit Gateway). Rules are stateless 5-tuple rules and stateful rules in Suricata-compatible syntax, including domain allow/deny lists and TLS SNI filtering, and alert and flow logs can be sent to S3, CloudWatch Logs, or Kinesis Data Firehose.

98
Q

What is the role of Amazon Inspector, and how does it assess security?

A

Amazon Inspector is an automated vulnerability management service that continuously scans EC2 instances (via the SSM agent), container images in Amazon ECR, and Lambda functions. It checks operating-system and application packages for known CVEs, flags unintended network exposure of EC2 instances based on reachability analysis, and assigns each finding a risk score; findings flow to Security Hub and EventBridge.

99
Q

What are Security Groups (SGs), and how do they differ from Network Access Control Lists (NACLs)?

A

Security Groups (SGs) are stateful firewalls attached to network interfaces (EC2 instances, load balancers, RDS, Lambda in a VPC, and so on). They contain only allow rules, all rules are evaluated together with no ordering, anything not matched is implicitly denied, and the return half of an allowed connection is admitted automatically; a rule can reference another security group, which is how tiers are wired together. Network ACLs (NACLs) are stateless and apply at the subnet boundary: they hold numbered allow and deny rules evaluated from the lowest number upward with the first match winning and an implicit deny at the end, and because they are stateless, return traffic must be allowed explicitly, typically with an outbound rule for the ephemeral port range 1024-65535. The default NACL allows everything; a new custom NACL denies everything until rules are added. SGs carry the per-resource, least-privilege rules; NACLs add a coarse subnet-level layer and are the only place to write an explicit deny, for example blocking a known-bad IP range.
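
The stateless/stateful difference is easiest to see by pushing one request and its reply through both controls. The block below is an added example, not from the study guide: a small model that follows AWS semantics for the subset shown (NACL rules evaluated in ascending rule-number order, first match wins, implicit deny at the end; security groups allow-only, with the return traffic of an allowed flow admitted automatically). The addresses, ports and rules are constructed.

```python
"""How a stateless NACL and a stateful security group judge one HTTPS connection."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "inbound" or "outbound", as seen from the ENI / subnet
    proto: str          # "tcp" or "udp"
    remote: str         # address on the far side of the connection
    remote_port: int
    local_port: int

    @property
    def dst_port(self):
        return self.local_port if self.direction == "inbound" else self.remote_port

    @property
    def flow(self):     # identical key for both halves of a connection
        return (self.proto, self.remote, self.remote_port, self.local_port)


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str          # "tcp", "udp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # NACLs may also "deny"; security groups cannot
    number: int = 0         # NACL rule number; ignored for security groups

    def covers(self, pkt):
        return (self.direction == pkt.direction
                and self.proto in (pkt.proto, "-1")
                and self.port_from <= pkt.dst_port <= self.port_to
                and ipaddress.ip_address(pkt.remote) in ipaddress.ip_network(self.cidr))


class NetworkAcl:
    """Stateless: every packet is judged on its own, lowest rule number first."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def permits(self, pkt):
        for rule in self.rules:
            if rule.covers(pkt):
                return rule.action == "allow"
        return False        # the implicit '*' deny rule


class SecurityGroup:
    """Stateful: an allowed packet opens a flow; its reply passes without a rule."""
    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups only have allow rules")
        self.rules = rules
        self._flows = set()

    def permits(self, pkt):
        if pkt.flow in self._flows:
            return True
        if any(r.covers(pkt) for r in self.rules):
            self._flows.add(pkt.flow)
            return True
        return False


def web_server_scenario():
    """An HTTPS request from a client and the server's reply, through each control."""
    client = "203.0.113.7"
    request = Packet("inbound", "tcp", client, 51000, 443)
    response = Packet("outbound", "tcp", client, 51000, 443)

    # Common mistake: outbound only allows 443, so replies to the client's
    # ephemeral port are dropped by the stateless NACL.
    nacl_broken = NetworkAcl([
        Rule("inbound", "tcp", 443, 443, "0.0.0.0/0", number=100),
        Rule("outbound", "tcp", 443, 443, "0.0.0.0/0", number=100),
    ])
    nacl_fixed = NetworkAcl(nacl_broken.rules + [
        Rule("outbound", "tcp", 1024, 65535, "0.0.0.0/0", number=110),
        # An explicit deny with a lower number wins over the later allow.
        Rule("inbound", "tcp", 22, 22, "198.51.100.0/24", action="deny", number=50),
        Rule("inbound", "tcp", 22, 22, "0.0.0.0/0", number=60),
    ])
    sg = SecurityGroup([Rule("inbound", "tcp", 443, 443, "0.0.0.0/0")])

    return {
        "nacl_request": nacl_broken.permits(request),
        "nacl_response_broken": nacl_broken.permits(response),
        "nacl_response_fixed": nacl_fixed.permits(response),
        "nacl_ssh_from_denied_range": nacl_fixed.permits(Packet("inbound", "tcp", "198.51.100.9", 40000, 22)),
        "nacl_ssh_from_elsewhere": nacl_fixed.permits(Packet("inbound", "tcp", client, 40000, 22)),
        "sg_request": sg.permits(request),
        "sg_response": sg.permits(response),          # stateful: no outbound rule needed
        "sg_unsolicited_outbound": sg.permits(Packet("outbound", "tcp", client, 51001, 443)),
    }


if __name__ == "__main__":
    for check, verdict in web_server_scenario().items():
        print(f"{check:30s} {'ALLOW' if verdict else 'DENY'}")
```

The broken NACL admits the request and silently drops the reply, which is the classic "security group looks right but nothing connects" symptom; the security group admits the reply with no outbound rule at all, and blocks an outbound packet for a flow it never saw. The SSH case shows what only a NACL can express: a deny for one range ahead of a broader allow.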

100
Q

What is the purpose of an Internet Gateway (IGW) in a VPC?

A

An Internet Gateway (IGW) is a horizontally scaled, redundant VPC component that lets resources with public IPv4 or IPv6 addresses reach the internet and be reached from it. For IPv4 it performs one-to-one NAT between an instance's private address and its public or Elastic IP; a subnet is "public" only when its route table sends 0.0.0.0/0 (or ::/0) to the IGW. Traffic through the IGW is still filtered by security groups and NACLs.

101
Q

What is Launch Configuration Tenancy, and how does it interact with VPC tenancy?

A

Tenancy can be set in two places. A VPC has an instance tenancy attribute of `default` (shared hardware) or `dedicated`. A launch configuration or launch template (and any RunInstances call) also carries a tenancy of `default`, `dedicated`, or `host`. The rule is: if the VPC's tenancy is `dedicated`, every instance launched into it runs as a Dedicated Instance regardless of what the launch configuration says; if the VPC's tenancy is `default`, the launch configuration decides, so `dedicated` yields a Dedicated Instance and `host` places the instance on a Dedicated Host. A VPC's tenancy can be changed from `dedicated` to `default` with the ModifyVpcTenancy API, but not the other way.

102
Q

What types of VPC configurations can be created using the Amazon VPC console wizard?

A

The Amazon VPC console wizard allows you to create various VPC configurations, including:

VPC with public and private subnets.
VPC with public and private subnets and AWS Site-to-Site VPN access.
VPC with a single public subnet.
VPC with a private subnet only and AWS Site-to-Site VPN access.

103
Q

What is the purpose of VPC Traffic Mirroring, and what can be done with captured network traffic?

A

VPC Traffic Mirroring allows you to capture and inspect network traffic within a VPC. Captured traffic can be routed to security appliances for analysis. You can capture traffic from source ENIs and route it to target ENIs or Network Load Balancers (NLBs). It can be used for monitoring and security analysis.

104
Q

What is the role of Virtual Private Gateway in a VPC, and when is it necessary?

A

A Virtual Private Gateway (VGW) is the VPN connector on the AWS side of a VPN connection. It is created and attached to the VPC when setting up a site-to-site VPN connection to an on-premises data center. It enables encrypted network connectivity between the VPC and the on-premises network.

105
Q

What does AWS VPN (AWS Site-to-Site VPN) provide, and how is it configured?

A

AWS Site-to-Site VPN is a persistent IPsec connection between an on-premises network and AWS. On the customer side a Customer Gateway resource describes the on-premises device (its public IP and, for dynamic routing, its BGP ASN); on the AWS side the tunnels terminate on a Virtual Private Gateway attached to a single VPC or on a Transit Gateway serving many. Each connection has two tunnels to separate AWS endpoints for redundancy, routing is static or dynamic via BGP, and throughput is limited to roughly 1.25 Gbps per tunnel. The encrypted tunnels cross the public internet unless Accelerated Site-to-Site VPN (Global Accelerator) or a private IP VPN over Direct Connect is used.

106
Q

What is a Transit VPC, and how does it function?

A

A Transit VPC uses customer-managed EC2 VPN instances in a dedicated transit VPC to facilitate network traffic routing. It allows data transfer between VPCs but incurs data transfer costs. AWS Transit Gateway is often considered a more cost-effective and less maintenance-intensive alternative.

107
Q

How does VPC Peering work, and what are its limitations?

A

VPC Peering establishes a private connection between two VPCs so that resources in each can talk to the other over private IP addresses without traversing the internet, a gateway, or a VPN. It works across accounts and Regions, but each side must add routes to the peering connection in its route tables and open security groups (cross-Region peering cannot reference the peer's security group IDs). Peering is not transitive, so a full mesh of N VPCs needs N(N-1)/2 connections, and VPCs with overlapping CIDR blocks cannot be peered.

108
Q

What is AWS Transit Gateway, and what advantages does it offer?

A

AWS Transit Gateway enables transitive peering between thousands of VPCs and on-premises data centers. It uses a hub-and-spoke model, supports multiple AWS accounts through AWS Resource Access Manager (RAM), and allows route table control to limit communication between VPCs. It works with Direct Connect and VPN connections.

109
Q

What is AWS VPN CloudHub, and in what scenarios is it used?

A

AWS VPN CloudHub lets multiple remote sites, each with its own Site-to-Site VPN connection to the same Virtual Private Gateway, communicate with one another as well as with the VPC, using BGP with a unique ASN per customer gateway so routes are exchanged between sites. Traffic still crosses the public internet inside IPsec tunnels. It is a low-cost hub-and-spoke option for primary or backup connectivity between branch offices, with the VPC acting as the hub.

110
Q

What is the purpose of a NAT Gateway in a VPC, and how does it differ from a NAT Instance?

A

A NAT Gateway sits in a public subnet and lets instances in private subnets initiate outbound IPv4 connections to the internet or to AWS services while remaining unreachable from the internet: it only forwards the return traffic of connections the instances started. It is fully managed, lives in a single Availability Zone, and uses an Elastic IP as its source address (a "private" NAT Gateway without an Elastic IP exists for reaching other VPCs or on-premises networks with overlapping address space). A NAT Instance is an EC2 instance in a public subnet doing the same job with its source/destination check disabled; it needs its own patching, sizing, and failover.

111
Q

What are the key differences between a NAT Gateway and a NAT Instance?

A

Availability: a NAT Gateway is redundant within its Availability Zone; for zonal fault tolerance deploy one per AZ and route each private subnet to the gateway in its own AZ. A NAT Instance is a single EC2 instance and needs user-managed failover scripts.
Bandwidth: a NAT Gateway starts at 5 Gbps and scales automatically to 100 Gbps; a NAT Instance's bandwidth depends on its instance type.
Maintenance: a NAT Gateway is fully managed by AWS; a NAT Instance requires patching, monitoring, and disabling the source/destination check.
Cost: a NAT Gateway is billed per hour plus per GB processed; a NAT Instance costs the EC2 instance hours plus data transfer.
Security Groups: a NAT Gateway cannot have a security group, so filtering is done with the source instances' security groups and the subnet NACL; a NAT Instance needs its own security group.
Bastion Host: a NAT Gateway cannot be used as a bastion host; a NAT Instance can be configured for port forwarding and doubled as a bastion host.

112
Q

What is the purpose of a VPC Endpoint, and how does it differ from a public endpoint?

A

A VPC Endpoint lets resources in a VPC reach AWS services over the AWS network without an Internet Gateway, NAT Gateway, or public IP. Endpoints are redundant and scale horizontally within the Region. Two types exist: Interface Endpoints (AWS PrivateLink), which place an ENI with a private IP in your subnets, support most AWS services and third-party PrivateLink services, can enable private DNS so the service's normal hostname resolves to the endpoint, and are billed per hour and per GB; and Gateway Endpoints, which are a route-table target for S3 and DynamoDB only and are free. Both accept an endpoint policy (an IAM resource policy) that restricts which principals and resources can be reached through the endpoint, for example limiting S3 access to buckets owned by your organization, a common data-exfiltration control. Endpoints are preferred over public endpoints because traffic never leaves the AWS network and NAT Gateway data-processing charges are avoided.

113
Q

What are VPC Flow Logs, and what information do they capture?

A

VPC Flow Logs capture metadata about IP traffic to and from network interfaces. They can be enabled at the VPC, subnet, or individual ENI level and record, per flow and capture window, the source and destination address and port, protocol, packet and byte counts, start and end time, and whether the traffic was ACCEPTed or REJECTed by security groups and NACLs. They help troubleshoot connectivity and feed detection (GuardDuty consumes them). Logs are delivered to CloudWatch Logs, S3, or Kinesis Data Firehose and also cover AWS-managed interfaces such as ELB, RDS, ElastiCache, Redshift, WorkSpaces, NAT Gateways, and Transit Gateways. They are not packet captures: no payload is recorded, records are aggregated per capture window (one or ten minutes), and some traffic is excluded, such as queries to the Amazon DNS resolver, instance metadata (169.254.169.254) traffic, DHCP, and Windows license activation.
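
Because the records are plain space-separated lines, the detections a practitioner runs over them are short. The block below is an added example, not from the study guide: a parser for the default flow-log format (field order as documented: version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status) with two detections, a port-scan heuristic on REJECTed flows and a check for accepted SSH/RDP from outside trusted ranges. The log lines, account ID, ENI ID and addresses are constructed.

```python
"""Parse default-format VPC Flow Log records and run two simple detections."""
import ipaddress
from collections import defaultdict

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
TCP = 6

# Constructed sample: one legitimate HTTPS client, one host probing several
# ports (rejected) and then landing an accepted SSH session, one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.15 51000 443 6 20 4249 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 40001 21 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 40002 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 40003 25 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 40004 80 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 40005 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.15 40006 22 6 12 1960 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records; NODATA/SKIPDATA records carry '-' fields and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for name in INT_FIELDS:
            rec[name] = int(rec[name])
        records.append(rec)
    return records


def detect_port_scans(records, min_ports=5):
    """Sources that were REJECTed on at least `min_ports` distinct TCP ports of one ENI."""
    rejected = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == TCP:
            rejected[(r["srcaddr"], r["interface_id"])].add(r["dstport"])
    return {src: len(ports) for (src, _eni), ports in rejected.items() if len(ports) >= min_ports}


def detect_admin_access(records, trusted_cidrs=("10.0.0.0/8",), admin_ports=(22, 3389)):
    """ACCEPTed SSH/RDP flows whose source lies outside the trusted ranges."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for r in records:
        if r["action"] == "ACCEPT" and r["protocol"] == TCP and r["dstport"] in admin_ports:
            src = ipaddress.ip_address(r["srcaddr"])
            if not any(src in n for n in nets):
                hits.append((r["srcaddr"], r["dstaddr"], r["dstport"]))
    return hits


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("possible scanners:", detect_port_scans(recs))
    print("admin access from untrusted source:", detect_admin_access(recs))
```

The NODATA record is dropped rather than failing the parse, which matters on real logs where such records are common. The scan heuristic keys on distinct destination ports per source and ENI so a single noisy client retrying one closed port is not flagged; tune `min_ports` and add a time window for production use.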

114
Q

What is the role of a Bastion Host/Server in a VPC, and how should its security groups be configured?

A

A Bastion Host is a hardened EC2 instance in a public subnet that administrators SSH (or RDP) to first and then hop from into private instances. Its security group should allow inbound port 22 only from trusted sources such as a corporate CIDR or VPN egress address, never 0.0.0.0/0, and it should use key-based authentication only, with session logging. The private instances' security groups should allow port 22 only from the bastion's security group ID, which is preferred over its IP because the reference survives instance replacement. Where possible, replace the bastion altogether with AWS Systems Manager Session Manager or an EC2 Instance Connect Endpoint, which need no open inbound port and record every session.

115
Q

What is an Egress-only Internet Gateway, and in what scenario is it used?

A

An Egress-only Internet Gateway is used in a VPC to enable instances to make outbound connections over IPv6 while preventing incoming IPv6 connections from the internet to those instances. It is used when you want to allow outbound IPv6 traffic but don’t want to receive incoming IPv6 connections. It requires configuration of the VPC’s route tables.

116
Q

What is AWS CloudHSM, and what is its primary use case?

A

AWS CloudHSM provides single-tenant, FIPS 140 Level 3 validated hardware security modules running inside your VPC. It is used to meet corporate, contractual, and regulatory requirements that keys be generated, stored, and used only within tamper-resistant hardware under the customer's exclusive control: AWS manages the hardware and firmware but has no access to the keys or HSM user accounts. Typical uses are database and data-warehouse encryption (Oracle TDE, SQL Server TDE, Redshift), TLS offload, and PKI or code-signing roots; a CloudHSM cluster can also back a KMS custom key store. Unlike KMS, you are responsible for HSM users, the client software, and cluster backups.

117
Q

What is EBS (Elastic Block Store), and what are its key features?

A

EBS is a block storage service in AWS that provides persistent storage volumes for EC2 instances. Key features include the ability to create and attach volumes to instances, take snapshots for backup, provisioned IOPS for high-performance workloads, and the ability to change volume size and storage type on the fly.

118
Q

What are the differences between EBS-backed instances and instance-store-backed instances (AMIs)?

A

EBS-backed instances use Amazon Elastic Block Store (EBS) volumes for root storage and can be stopped without losing data. In contrast, instance-store-backed instances use ephemeral storage and cannot be stopped without losing data. EBS-backed instances are more flexible and durable, making them suitable for most use cases.

119
Q

How can you encrypt EBS volumes and snapshots, and what are the benefits of using encryption?

A

EBS volumes and snapshots are encrypted with a KMS key, either the AWS managed aws/ebs key or a customer managed key; the data key is handled in the Nitro hardware, so encryption has no measurable performance cost. Encryption covers data at rest on the volume, data in transit between the instance and the volume, snapshots, and volumes created from those snapshots, and "encryption by default" can be turned on per Region so every new volume is encrypted. Caveats: an unencrypted volume cannot be encrypted in place (snapshot it and copy the snapshot with encryption enabled); KMS keys are regional, so copying a snapshot to another Region re-encrypts it under a key in the destination Region; and snapshots encrypted with the AWS managed key cannot be shared with other accounts, so use a customer managed key whose key policy grants the other account access.

120
Q

What is Amazon EFS (Elastic File System), and what are its key features?

A

Amazon EFS is a managed file storage service that can be mounted on multiple EC2 instances. Key features include support for Linux-based instances, security group control, throughput scaling, and different performance and throughput modes.

121
Q

What is the difference between Standard and Infrequent Access storage classes in Amazon EFS?

A

Standard storage class is for frequently accessed files, while Infrequent Access (EFS-IA) is for files with lower access frequency. EFS-IA offers lower storage costs but may have retrieval fees.

122
Q

What is AWS FSx, and what types of file systems does it offer?

A

Amazon FSx is a family of managed file systems for workloads that need a specific file-system feature set or performance profile. It includes FSx for Windows File Server, FSx for Lustre, FSx for NetApp ONTAP, and FSx for OpenZFS.

123
Q

What is the purpose of Amazon FSx for Windows File Server, and what features does it provide?

A

Amazon FSx for Windows File Server is a fully managed Windows file system that supports SMB and Windows NTFS. It integrates with Microsoft Active Directory, offers ACLs, user quotas, and can be mounted on Linux EC2 instances.

124
Q

What is Amazon FSx for Lustre, and for what types of workloads is it designed?

A

Amazon FSx for Lustre is a high-performance, parallel, and distributed file system designed for workloads that require fast storage to keep up with compute, such as machine learning, high-performance computing, video processing, and more.

125
Q

What is AWS Storage Gateway, and how does it enable hybrid cloud storage?

A

AWS Storage Gateway is a hybrid storage service: an appliance on premises (a VM, a hardware appliance, or an EC2 instance) presents standard protocols (NFS, SMB, iSCSI) to local systems while storing the data in AWS as S3 objects, EBS snapshots, or virtual tapes. A volume gateway runs in one of two modes: cached volumes keep the full data set in S3 with a local cache of recently used blocks, while stored volumes keep the full data set on local disks and asynchronously back it up to S3 as EBS snapshots. File and tape gateways likewise cache locally and persist to S3 or to a virtual tape library.

126
Q

What are the different types of gateways provided by AWS Storage Gateway, and what protocols do they support?

A

AWS Storage Gateway offers three types of gateways: File Gateway (supports NFS and SMB), Volume Gateway (supports iSCSI), and Tape Gateway (supports iSCSI for virtual tapes). Each type serves different use cases for integrating on-premises environments with AWS cloud storage.

127
Q

What is the AWS Snow Family, and what are its key components?

A

The AWS Snow Family is a set of physical devices designed for data migration, edge computing, and offline data transfer. Key components include Snowball, Snowball Edge, Snowcone, and Snowmobile.

128
Q

What is the purpose of AWS Snowball devices, and what are the available types?

A

AWS Snowball devices are used for offline data transfers, especially when moving large amounts of data in or out of AWS. The available types include Snowball Edge Storage Optimized, Snowball Edge Compute Optimized, and Snowcone.

129
Q

How does AWS Snowmobile compare to other AWS Snow Family devices in terms of data transfer capacity?

A

AWS Snowmobile is designed for transferring exabytes of data and has a capacity of 100 PB. It is suitable for massive data transfer needs.

130
Q

What is the role of AWS OpsHub in managing AWS Snow Family devices?

A

AWS OpsHub is software that allows users to manage AWS Snow Family devices, unlock and configure single or clustered devices, transfer files, launch and monitor instances, and perform various management tasks.

131
Q

What is Amazon S3, and what is the purpose of S3 buckets?

A

Amazon S3 (Simple Storage Service) is a scalable object storage service offered by AWS. S3 buckets are containers for storing objects or files. They provide a way to organize and manage data within S3.

132
Q

What are some naming conventions and restrictions for S3 buckets?

A

General-purpose bucket names must be globally unique across all AWS accounts and Regions, 3 to 63 characters long, consist only of lowercase letters, numbers, dots, and hyphens, and begin and end with a letter or number. They must not contain two adjacent periods, must not be formatted as an IP address (such as 192.168.5.4), must not start with the prefixes xn-- or sthree-, and must not end with the suffixes -s3alias, --ol-s3, or .mrap. Avoid dots in names used over virtual-hosted-style HTTPS, because a dotted name does not match S3's wildcard certificate.
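
Since the rules are a small grammar, checking them before calling CreateBucket (or in a policy-as-code linter) is straightforward. The block below is an added example, not from the study guide: a validator that applies the rules listed on the card plus the remaining documented format rules for general-purpose buckets, returning hard errors separately from advisory warnings. The sample names are constructed.

```python
"""Validator for general-purpose S3 bucket names (added example)."""
import ipaddress
import re

NAME_CHARS = re.compile(r"^[a-z0-9.-]+$")
FORBIDDEN_PREFIXES = ("xn--", "sthree-")
FORBIDDEN_SUFFIXES = ("-s3alias", "--ol-s3", ".mrap")


def _looks_like_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def validate_bucket_name(name):
    """Return (errors, warnings); an empty error list means the name is acceptable."""
    errors, warnings = [], []
    if not 3 <= len(name) <= 63:
        errors.append("length must be between 3 and 63 characters")
    if not NAME_CHARS.match(name):
        errors.append("only lowercase letters, digits, dots and hyphens are allowed")
    if name and not (name[0].isalnum() and name[-1].isalnum()):
        errors.append("must begin and end with a letter or digit")
    if ".." in name:
        errors.append("must not contain two adjacent periods")
    if _looks_like_ip(name):
        errors.append("must not be formatted as an IP address")
    for prefix in FORBIDDEN_PREFIXES:
        if name.startswith(prefix):
            errors.append(f"must not start with {prefix!r}")
    for suffix in FORBIDDEN_SUFFIXES:
        if name.endswith(suffix):
            errors.append(f"must not end with {suffix!r}")
    # Not an error, but a dotted name breaks the wildcard TLS certificate used
    # for virtual-hosted-style HTTPS and is not eligible for Transfer Acceleration.
    if "." in name and not errors:
        warnings.append("dots in the name break virtual-hosted-style HTTPS and Transfer Acceleration")
    return errors, warnings


if __name__ == "__main__":
    for candidate in ("my-bucket", "My_Bucket", "192.168.5.4", "xn--example",
                      "data-s3alias", "a..b", "ab", "logs.example.com"):
        print(f"{candidate:20s} {validate_bucket_name(candidate)}")
```

Uniqueness is deliberately not checked here: it can only be established by the CreateBucket call itself, and a name that fails these format rules never gets that far.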

133
Q

How does versioning work in Amazon S3, and why is it useful?

A

Versioning, once enabled on a bucket, keeps every version of every object: an overwrite creates a new version ID rather than replacing data, and a DELETE without a version ID inserts a delete marker instead of removing anything. Earlier versions can be listed and restored, which protects against accidental overwrites and deletions and against ransomware-style destruction of objects. Versioning cannot be disabled once enabled, only suspended. Pair it with MFA Delete or a bucket policy that denies s3:DeleteObjectVersion so an attacker cannot permanently remove versions, and with lifecycle rules that expire old versions so storage costs stay bounded.

134
Q

What are signed URLs in Amazon S3, and what are they used for?

A

Presigned (signed) URLs are URLs that carry a Signature Version 4 signature computed with an IAM principal's credentials. They grant anyone holding the URL temporary access to perform one operation (typically GET to download or PUT to upload) on one object, until the embedded expiry time. The request runs with the permissions of the principal who signed it, so that principal needs the matching s3:GetObject or s3:PutObject permission, and the URL is only as secret as the channel it travels over. Expiry is at most seven days when signed with long-term IAM user credentials and is additionally capped by the session lifetime when signed with temporary credentials from a role. A URL cannot be revoked individually; it stops working when it expires, when the signing credentials are deactivated, or when the signer's permissions are removed.
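
What the signature actually binds is clearest when the URL is built by hand. The block below is an added example, not from the study guide: it produces a presigned GET URL with SigV4 query-string signing using only the standard library (the same thing boto3's generate_presigned_url does), and pairs it with a verifier that recomputes the signature the way S3 does, so that tampering with the object key or the expiry is shown to fail. The access key and secret are the placeholder values from AWS documentation, the bucket and key are hypothetical, and the X-Amz-Security-Token that temporary credentials would also need is omitted.

```python
"""S3 presigned GET URL: SigV4 query-string signing and server-side verification."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_EXPIRES = 7 * 24 * 3600          # S3 rejects X-Amz-Expires above seven days
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation placeholders, not real keys
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret, date, region, service="s3"):
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key


def _signature(secret, host, canonical_uri, params):
    """Canonical request -> string to sign -> signature, for a GET with these query params."""
    canonical_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                               for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET", canonical_uri, canonical_query,
        f"host:{host}", "",           # canonical headers, then a blank line
        "host", "UNSIGNED-PAYLOAD",   # signed headers; presigned URLs never hash the body
    ])
    _, date, region, _, _ = params["X-Amz-Credential"].split("/")
    scope = f"{date}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, params["X-Amz-Date"], scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    sig = hmac.new(_signing_key(secret, date, region), string_to_sign.encode(),
                   hashlib.sha256).hexdigest()
    return canonical_query, sig


def presign_get(bucket, key, region, access_key, secret, now, expires=900):
    """Virtual-hosted-style presigned GET URL valid for `expires` seconds from `now` (UTC)."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    canonical_uri = quote("/" + key, safe="/-_.~")
    date, amz_date = now.strftime("%Y%m%d"), now.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{date}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query, sig = _signature(secret, host, canonical_uri, params)
    return f"https://{host}{canonical_uri}?{query}&X-Amz-Signature={sig}"


def verify_presigned_get(url, secret, now):
    """Model of S3's check on an incoming presigned GET: returns (accepted, reason)."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    claimed = params.pop("X-Amz-Signature", "")
    try:
        expires = int(params["X-Amz-Expires"])
        issued = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        issued = issued.replace(tzinfo=dt.timezone.utc)
        _, _, _, service, term = params["X-Amz-Credential"].split("/")
    except (KeyError, ValueError):
        return False, "malformed"
    if service != "s3" or term != "aws4_request" or not 1 <= expires <= MAX_EXPIRES:
        return False, "malformed"
    if now > issued + dt.timedelta(seconds=expires):
        return False, "expired"
    _, expected = _signature(secret, parts.hostname, parts.path, params)
    if not hmac.compare_digest(expected, claimed):   # constant-time comparison
        return False, "bad signature"
    return True, "ok"


def demo():
    """Issue one URL and exercise the verifier against the ways it can be misused."""
    now = dt.datetime(2024, 1, 15, 12, 0, tzinfo=dt.timezone.utc)
    url = presign_get("example-bucket", "reports/q1 results.pdf", "us-east-1",
                      ACCESS_KEY, SECRET_KEY, now, expires=900)
    return {
        "url": url,
        "valid": verify_presigned_get(url, SECRET_KEY, now + dt.timedelta(seconds=600)),
        "expired": verify_presigned_get(url, SECRET_KEY, now + dt.timedelta(seconds=901)),
        "other_object": verify_presigned_get(url.replace("q1", "q2"), SECRET_KEY, now),
        "extended_expiry": verify_presigned_get(
            url.replace("X-Amz-Expires=900", "X-Amz-Expires=86400"), SECRET_KEY, now),
        "wrong_secret": verify_presigned_get(url, "not-the-secret", now),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16s} {value}")
```

Every query parameter and the path are part of the canonical request, so changing the object key or stretching X-Amz-Expires invalidates the signature, and S3 never consults anything but the secret behind the access key and the current time. That is also why revocation is coarse: the only levers are the expiry, the credential, and the signer's IAM permissions.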

135
Q

What are the encryption options available for Amazon S3, and how do they differ?

A

Amazon S3 offers three server-side encryption options: SSE-S3 (the default for new objects), where S3 manages the AES-256 keys; SSE-KMS, where objects are encrypted under a KMS key, giving you key policies, separate IAM permissions on the key, CloudTrail logs of every key use, and S3 Bucket Keys to reduce KMS calls (DSSE-KMS adds a second layer of encryption); and SSE-C, where the client supplies its own key in the request headers over HTTPS and S3 uses it without storing it, so a lost key means lost data. Client-side encryption, where data is encrypted before it is sent to S3 (for example with the AWS Encryption SDK), keeps the plaintext and the keys outside AWS entirely. To enforce a chosen option, add a bucket policy that denies PutObject requests whose x-amz-server-side-encryption header does not match it.

136
Q

What is CORS (Cross-Origin Resource Sharing) in Amazon S3, and how does it allow requests from different origins?

A

CORS is a browser mechanism that controls whether script running on one origin may read responses from a different origin. A bucket's CORS configuration lists the allowed origins, methods, and headers; S3 then answers the browser's preflight (OPTIONS) request and adds Access-Control-Allow-Origin and related headers to matching responses, so a web application served from one domain can fetch objects from a bucket on another. CORS is not an access control: it only tells browsers what to permit, and the request itself is still authorized by the bucket policy, ACLs, or a presigned URL. Avoid a wildcard origin on buckets that serve private content.