AWS Solutions Architect Flashcards

1
Q

AWS Aurora

A

Amazon Aurora (Aurora) is a fully managed relational database engine that’s compatible with MySQL and PostgreSQL.

Handles highly transactional (OLTP, Online Transaction Processing) workloads.

The code, tools, and applications you use today with your existing MySQL and PostgreSQL databases can be used with Aurora.

Aurora can deliver up to five times the throughput of MySQL and up to three times the throughput of PostgreSQL without requiring changes to most of your existing applications.

The underlying storage grows automatically as needed, up to 64 tebibytes (TiB).

Aurora also automates and standardizes database clustering and replication, which are typically among the most challenging aspects of database configuration and administration.

2
Q

OLTP

A

OLTP (Online Transactional Processing) is a category of data processing that is focused on transaction-oriented tasks.

OLTP typically involves inserting, updating, and/or deleting small amounts of data in a database. OLTP mainly deals with large numbers of transactions by a large number of users.

Think RDS

3
Q

OLAP

A

OLAP (Online Analytical Processing) is the technology behind many Business Intelligence (BI) applications. OLAP is a powerful technology for data discovery, including capabilities for limitless report viewing, complex analytical calculations, and predictive “what if” scenario (budget, forecast) planning.

Think Redshift

4
Q

AWS ECS

A

Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service.

ECS supports Fargate to provide serverless compute for containers. Fargate removes the need to provision and manage servers, lets you specify and pay for resources per application, and improves security through application isolation by design.

There are two different charge models for Amazon Elastic Container Service (ECS): the Fargate Launch Type Model and the EC2 Launch Type Model. With Fargate, you pay for the amount of vCPU and memory resources that your containerized application requests, while for the EC2 launch type model there is no additional charge: you pay for the AWS resources (e.g. EC2 instances or EBS volumes) you create to store and run your application. You only pay for what you use, as you use it; there are no minimum fees and no upfront commitments.

5
Q

AWS Fargate

A

AWS Fargate is a serverless compute engine for containers that works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS).

Fargate removes the need to provision and manage servers, lets you specify and pay for resources per application, and improves security through application isolation by design.

6
Q

AWS Elastic Kubernetes Service

A

Amazon Elastic Kubernetes Service (Amazon EKS) is a fully managed Kubernetes service.

EKS is the best place to run Kubernetes for several reasons. First, you can choose to run your EKS clusters using AWS Fargate, which is serverless compute for containers. Fargate removes the need to provision and manage servers, lets you specify and pay for resources per application, and improves security through application isolation by design.

EKS integrates with AWS App Mesh.

7
Q

App Mesh

A

AWS App Mesh is a service mesh that provides application-level networking to make it easy for your services to communicate with each other across multiple types of compute infrastructure.

8
Q

Fanout Pattern

A

A “fanout” pattern is when an Amazon SNS message is sent to a topic and then replicated and pushed to multiple Amazon SQS queues, HTTP endpoints, or email addresses.

This allows for parallel asynchronous processing.

9
Q

Visibility Timeout

A

A period of time during which Amazon SQS prevents other consumers from receiving and processing the message.

The default visibility timeout for a message is 30 seconds. The maximum is 12 hours.

10
Q

Dead Letter Queue

A

Amazon SQS supports dead-letter queues, which other queues (source queues) can target for messages that can’t be processed (consumed) successfully.

Dead-letter queues are useful for debugging your application or messaging system because they let you isolate problematic messages to determine why their processing doesn’t succeed.

11
Q

AWS CloudHSM

A

AWS CloudHSM enables you to generate and use your encryption keys on FIPS 140-2 Level 3 validated hardware.

CloudHSM protects your keys with exclusive, single-tenant access to tamper-resistant HSM instances in your own Amazon Virtual Private Cloud (VPC).

Attempting to log in as the administrator more than twice with the wrong password zeroizes your HSM appliance. When an HSM is zeroized, all keys, certificates, and other data on the HSM are destroyed. You can use your cluster’s security group to prevent an unauthenticated user from zeroizing your HSM.

Amazon strongly recommends that you use two or more HSMs in separate Availability Zones in any production CloudHSM Cluster to avoid loss of cryptographic keys.

12
Q

ALB Health Checks

A

Your Application Load Balancer periodically sends requests to its registered targets to test their status. These tests are called health checks.

Each load balancer node routes requests only to the healthy targets in the enabled Availability Zones for the load balancer.

Each load balancer node checks the health of each target, using the health check settings for the target group with which the target is registered. After your target is registered, it must pass one health check to be considered healthy.

After each health check is completed, the load balancer node closes the connection that was established for the health check.

13
Q

AWS Trusted Advisor

A

AWS Trusted Advisor is an online tool that provides you real-time guidance to help you provision your resources following AWS best practices.

It inspects your AWS environment and makes recommendations for saving money, improving system performance and reliability, or closing security gaps.

Cost Optimization – recommendations that can potentially save you money by highlighting unused resources and opportunities to reduce your bill.

Security – identification of security settings that could make your AWS solution less secure.

Fault Tolerance – recommendations that help increase the resiliency of your AWS solution by highlighting redundancy shortfalls, current service limits, and over-utilized resources.

Performance – recommendations that can help to improve the speed and responsiveness of your applications.

Service Limits – recommendations that will tell you when service usage is more than 80% of the service limit.

14
Q

Cooldown Period

A

The cooldown period is a configurable setting for your Auto Scaling group that helps to ensure that it doesn’t launch or terminate additional instances before the previous scaling activity takes effect.

After the Auto Scaling group dynamically scales using a simple scaling policy, it waits for the cooldown period to complete before resuming scaling activities.

When you manually scale your Auto Scaling group, the default is not to wait for the cooldown period, but you can override the default and honor the cooldown period. If an instance becomes unhealthy, the Auto Scaling group does not wait for the cooldown period to complete before replacing the unhealthy instance.

15
Q

IAM Tagging

A

You can define the tags on UAT and production EC2 instances and add a condition to the IAM policy which allows access to specific tags.

Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. This is useful when you have many resources of the same type — you can quickly identify a specific resource based on the tags you’ve assigned to it.

16
Q

AWS Resource Access Manager (RAM)

A

The AWS Resource Access Manager (RAM) is primarily used to securely share your resources across AWS accounts or within your Organization, not within a single AWS account.

17
Q

Edge Location

A

An edge location helps deliver high availability, scalability, and performance of your application for all of your customers from anywhere in the world.

This is used by other services such as Lambda and Amazon CloudFront.

18
Q

CloudFront

A

Amazon CloudFront is a web service that gives businesses and web application developers an easy and cost-effective way to distribute content with low latency and high data transfer speeds.

CloudFront delivers your files to end-users using a global network of edge locations.

19
Q

ELB Access Logs

A

Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer.

Each log contains information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses.

You can use these access logs to analyze traffic patterns and troubleshoot issues.

Access logging is an optional feature of Elastic Load Balancing that is disabled by default.

After you enable access logging for your load balancer, Elastic Load Balancing captures the logs and stores them in the Amazon S3 bucket that you specify as compressed files.

You can disable access logging at any time.

20
Q

IAM Database Authentication

A

You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication.

IAM database authentication works with MySQL and PostgreSQL.

With this authentication method, you don’t need to use a password when you connect to a DB instance.

An authentication token is a string of characters that you use instead of a password.

After you generate an authentication token, it’s valid for 15 minutes before it expires. If you try to connect using an expired token, the connection request is denied.

Benefits:

Network traffic to and from the database is encrypted using Secure Sockets Layer (SSL).

You can use IAM to centrally manage access to your database resources, instead of managing access individually on each DB instance.

For applications running on Amazon EC2, you can use profile credentials specific to your EC2 instance to access your database instead of a password, for greater security.

21
Q

“AWSAuthenticationPlugin”

A

AWS-provided plugin that works seamlessly with IAM to authenticate your IAM users.

22
Q

S3 Standard

A

General-purpose storage of frequently accessed data

23
Q

S3 Standard_IA

A

Long-lived, but less frequently accessed data. Stored redundantly across multiple geographically separated AZs.

Suitable for objects larger than 128k.

24
Q

S3 Onezone_IA

A

Stores object data in only one AZ. Less expensive than Standard_IA, but not as resilient to the physical loss of an AZ.

Suitable for objects larger than 128k.

25
Q

S3 Intelligent Tiering

A

Designed for customers who want to optimize storage costs automatically.

First cloud object storage class that delivers automatic cost savings by moving data between two access tiers - Frequent access and infrequent access.

Ideal for data with unknown or changing access patterns.

Monitors access patterns and moves objects that have not been accessed for 30 consecutive days to the infrequent access tier. If accessed later, it is moved back to frequent.

No retrieval fees in intelligent tiering.

26
Q

Glacier

A

Long-term archive

Not available for real-time access

Cannot be specified at the time an object is created.

Visible through S3 only.

Retrieval Options:

  • Expedited - allows quick access for urgent requests for a subset of archives. Data access is typically within 1-5 minutes. Two types:
    • On-demand - similar to EC2 on-demand; available most of the time.
    • Provisioned - guaranteed to be available.
  • Standard - allows access to any archives within several hours. Typically 3-5 hours. Default.
  • Bulk - Glacier’s lowest-cost retrieval option, enabling retrieval of large amounts, even petabytes, of data inexpensively in a day. Usually takes 5-12 hours.

27
Q

Aurora Database Failure - Auto-healing

A

Failover is automatically handled by Amazon Aurora so that your applications can resume database operations as quickly as possible without manual administrative intervention.

If you have an Amazon Aurora Replica in the same or a different Availability Zone, when failing over, Amazon Aurora flips the canonical name record (CNAME) for your DB Instance to point at the healthy replica, which in turn is promoted to become the new primary. Start-to-finish, failover typically completes within 30 seconds.

If you are running Aurora Serverless and the DB instance or AZ becomes unavailable, Aurora will automatically recreate the DB instance in a different AZ.

If you do not have an Amazon Aurora Replica (i.e. single instance) and are not running Aurora Serverless, Aurora will attempt to create a new DB Instance in the same Availability Zone as the original instance. This replacement of the original instance is done on a best-effort basis and may not succeed, for example, if there is an issue that is broadly affecting the Availability Zone.

28
Q

VPC Endpoint

A

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an Internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other services does not leave the Amazon network.

Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.

There are two types of VPC endpoints: interface endpoints and gateway endpoints. You should create the type of VPC endpoint required by the supported service. As a rule of thumb, most AWS services use VPC Interface Endpoint except for S3 and DynamoDB, which use VPC Gateway Endpoint.

29
Q

ALB Health Check Protocols/Ports

A

HTTP: 80
HTTPS: 443

Succeeds if the instance returns a 200 response code within the health check interval.

30
Q

NLB Listener Protocols/Ports

A

TCP, TLS, UDP, TCP_UDP

1-65535

31
Q

NLB Healthcheck

A

Succeeds if TCP connection succeeds

32
Q

Kinesis Results Storage

A

  • Redshift
  • DynamoDB
  • S3
  • Amazon EMR
  • Kinesis Firehose

33
Q

CloudTrail Default Encryption Settings

A

By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE).

You can also choose to encrypt your log files with an AWS Key Management Service (AWS KMS) key.

34
Q

CloudTrail

A

Actions taken by a user, role, or an AWS service in the AWS Management Console, CLI, and AWS SDKs and APIs are recorded as events.

Enabled on account creation.

Focuses on auditing API activity.

Event history allows viewing, search, and download of the past 90 days of activity.

Two Types:

  • All regions - Records events in each region and delivers the CloudTrail log files to a specified S3 bucket. (default option)
  • One region - Records events in the region specified. (default option when creating a trail in the CLI or the CloudTrail API)

CloudTrail events can be sent to CloudWatch Logs to trigger alarms according to metric filters.

CloudTrail log file integrity validation can verify whether a log file was modified, deleted, or unchanged after CloudTrail delivered it.

35
Q

Organization Trail

A

A CloudTrail trail that will log all events for AWS accounts in an organization created by AWS Organizations. Org trails must be created by the master account.

36
Q

AWS WAF - Allow then block

A

Create a web ACL with a rule that explicitly allows an approved IP.

Then create another rule with a condition like “geo match” that blocks requests that originate from a specific country.

Allow first, then block what you desire.

37
Q

AWS Database Migration Service

A

AWS Database Migration Service helps you migrate databases to AWS quickly and securely. The source database remains fully operational during the migration, minimizing downtime to applications that rely on the database.

It supports homogeneous migrations such as Oracle to Oracle, as well as heterogeneous migrations between different database platforms, such as Oracle to Amazon Aurora.

38
Q

AWS Schema Conversion Tool

A

Used to convert the source schema and code to match that of the target database in a heterogeneous database migration.

39
Q

FSx for Windows File Server

A

Fully managed, highly reliable, and scalable file storage accessible over the industry-standard Server Message Block (SMB) protocol.

It is built on Windows Server, delivering a wide range of administrative features such as user quotas, end-user file restore, and Microsoft Active Directory (AD) integration.

Amazon FSx supports the use of Microsoft’s Distributed File System (DFS) Namespaces to scale-out performance across multiple file systems in the same namespace up to tens of Gbps and millions of IOPS.

40
Q

Lifecycle hook

A

Add a lifecycle hook to your Auto Scaling group so that you can perform custom actions when instances launch or terminate.

41
Q

Lifecycle hook stages and hook actions

A

  • Pending
  • Pending:Wait
  • Pending:Proceed
  • InService
  • Terminating:Wait
  • Terminating:Proceed
  • Terminated

If you added an autoscaling:EC2_INSTANCE_LAUNCHING lifecycle hook to your Auto Scaling group, the instances move from the Pending state to the Pending:Wait state. After you complete the lifecycle action, the instances enter the Pending:Proceed state. When the instances are fully configured, they are attached to the Auto Scaling group and they enter the InService state.

When Amazon EC2 Auto Scaling responds to a scale-in event, it terminates one or more instances. These instances are detached from the Auto Scaling group and enter the Terminating state. If you added an autoscaling:EC2_INSTANCE_TERMINATING lifecycle hook to your Auto Scaling group, the instances move from the Terminating state to the Terminating:Wait state. After you complete the lifecycle action, the instances enter the Terminating:Proceed state. When the instances are fully terminated, they enter the Terminated state.

42
Q

HDD Volumes

A

Cannot be used as boot volume in AWS

Large, Sequential I/O operations

Low Price

Big data, data warehouses, log processing

Throughput-oriented storage for large volumes of data that is infrequently accessed

Cost: Low

43
Q

SSD Volumes

A

Small, random I/O operations

Best for Transactional workloads

Critical business apps that require sustained IOPS performance

Large database workloads such as MongoDB, Oracle, Microsoft SQL

Cost: moderate/high

44
Q

API Gateway supported protocol?

A

All of the APIs created with Amazon API Gateway expose HTTPS endpoints only.

Amazon API Gateway does not support unencrypted (HTTP) endpoints. By default, Amazon API Gateway assigns an internal domain to the API that automatically uses the Amazon API Gateway certificate. When configuring your APIs to run under a custom domain name, you can provide your own certificate for the domain.

45
Q

SQS Retention Period Default/Max

A

Amazon SQS automatically deletes messages that have been in a queue for more than the maximum message retention period. The default message retention period is 4 days.

Max is 14 days.

46
Q

Amazon Workspaces

A

Amazon WorkSpaces is a managed, secure Desktop-as-a-Service (DaaS) solution. You can use Amazon WorkSpaces to provision either Windows or Linux desktops in just a few minutes and quickly scale to provide thousands of desktops to workers across the globe.

You can pay either monthly or hourly, just for the WorkSpaces you launch, which helps you save money when compared to traditional desktops and on-premises VDI solutions.

47
Q

What do Route 53 Alias resource record sets allow you to do?

A

Allows mapping of zone apex (e.g. yourwebsite.com) DNS name to your load balancer (or other AWS resource) DNS name.

Useful because IP addresses change all of the time, so using DNS is appropriate.

48
Q

AWS Glue

A

AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics.

You can create and run an ETL job with a few clicks in the AWS Management Console. You simply point AWS Glue to your data stored on AWS, and AWS Glue discovers your data and stores the associated metadata (e.g. table definition and schema) in the AWS Glue Data Catalog.

Once cataloged, your data is immediately searchable, queryable, and available for ETL. AWS Glue generates the code to execute your data transformations and data loading processes.

49
Q

ASG Default Termination Policy

A
  1. If there are instances in multiple Availability Zones, choose the Availability Zone with the most instances and at least one instance that is not protected from scale in. If there is more than one Availability Zone with this number of instances, choose the Availability Zone with the instances that use the oldest launch configuration.
  2. Determine which unprotected instances in the selected Availability Zone use the oldest launch configuration. If there is one such instance, terminate it.
  3. If there are multiple instances to terminate based on the above criteria, determine which unprotected instances are closest to the next billing hour. (This helps you maximize the use of your EC2 instances and manage your Amazon EC2 usage costs.) If there is one such instance, terminate it.
  4. If there is more than one unprotected instance closest to the next billing hour, choose one of these instances at random.
50
Q

AWS Storage Gateway Hardware Appliance

A

A physical hardware appliance with the Storage Gateway software preinstalled on a validated server configuration.

The hardware appliance is a high-performance 1U server that you can deploy in your data center, or on-premises inside your corporate firewall.

When you buy and activate your hardware appliance, the activation process associates your hardware appliance with your AWS account. After activation, your hardware appliance appears in the console as a gateway on the Hardware page.

You can configure your hardware appliance as a file gateway, tape gateway, or volume gateway type. The procedure that you use to deploy and activate these gateway types on a hardware appliance is the same as on a virtual platform.

A file gateway can be configured to store and retrieve objects in Amazon S3 using the protocols NFS and SMB.

51
Q

“aws ec2 describe-instances”

A

The describe-instances command shows the status of the EC2 instances including the recently terminated instances. It also returns a StateReason of why the instance was terminated.

52
Q

What characteristics does an Encrypted EBS Volume have?

A

When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:

  • Data at rest inside the volume
  • All data moving between the volume and the instance
  • All snapshots created from the volume
  • All volumes created from those snapshots

Encryption operations occur on the servers that host EC2 instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage. You can encrypt both the boot and data volumes of an EC2 instance.

53
Q

Direct Connect

A

Direct Connect creates a direct, private connection from your on-premises data center to AWS, letting you establish a 1-gigabit or 10-gigabit dedicated network connection using Ethernet fiber-optic cable.

54
Q

S3 Scaling

A

S3 now provides increased performance to support at least 3,500 requests per second to add data and 5,500 requests per second to retrieve data, which can save significant processing time for no additional charge.

Each S3 prefix can support these request rates, making it simple to increase performance significantly.

This S3 request rate performance increase removes any previous guidance to randomize object prefixes to achieve faster performance. That means you can now use logical or sequential naming patterns in S3 object naming without any performance implications. This improvement is now available in all AWS Regions.

55
Q

What is SQS ReceiveMessageWaitTimeSeconds?

A

The queue attribute that determines whether you are using Short or Long polling.

By default, its value is zero which means it is using Short polling. If it is set to a value greater than zero, then it is Long polling.

56
Q

Long Polling

A
  • Long polling helps reduce your cost of using Amazon SQS by reducing the number of empty responses when there are no messages available to return in reply to a ReceiveMessage request sent to an Amazon SQS queue and eliminating false empty responses when messages are available in the queue but aren’t included in the response.
  • Long polling reduces the number of empty responses by allowing Amazon SQS to wait until a message is available in the queue before sending a response. Unless the connection times out, the response to the ReceiveMessage request contains at least one of the available messages, up to the maximum number of messages specified in the ReceiveMessage action.
  • Long polling eliminates false empty responses by querying all (rather than a limited number) of the servers. Long polling returns messages as soon as any message becomes available.
57
Q

What are the best AWS tools for Distributed Session Data Management?

A

Think ElastiCache

Redis and Memcached

58
Q

Redis

A

Redis is an open source, in-memory data structure store used as a database, cache, and message broker.

59
Q

Memcached

A

Memcached is an in-memory key-value store for small arbitrary data (strings, objects) from results of database calls, API calls, or page rendering.

60
Q

Elastic Network Adapter (ENA) w/ Enhanced Networking

A

Enhanced networking uses single root I/O virtualization (SR-IOV) to provide high-performance networking capabilities on supported instance types.

It supports network speeds of up to 100 Gbps for supported instance types. Elastic Network Adapters (ENAs) provide traditional IP networking features that are required to support VPC networking.

61
Q

Enhanced Networking

A

Enhanced networking provides higher bandwidth, higher packet-per-second (PPS) performance, and consistently lower inter-instance latencies.

62
Q

SR-IOV

A

A method of device virtualization that provides higher I/O performance and lower CPU utilization when compared to traditional virtualized network interfaces.

63
Q

Elastic Fabric Adapter (EFA)

A

An Elastic Fabric Adapter (EFA) is simply an Elastic Network Adapter (ENA) with added capabilities. It provides all of the functionality of an ENA, with additional OS-bypass functionality. OS-bypass is an access model that allows HPC and machine learning applications to communicate directly with the network interface hardware to provide low-latency, reliable transport functionality.

The OS-bypass capabilities of EFAs are not supported on Windows instances. If you attach an EFA to a Windows instance, the instance functions as an Elastic Network Adapter, without the added EFA capabilities.

64
Q

How do you encrypt an EBS volume?

A

Two ways:

  • By using your own keys in AWS KMS
  • By using Amazon-managed keys in AWS KMS

Amazon EBS encryption offers seamless encryption of EBS data volumes, boot volumes, and snapshots, eliminating the need to build and maintain a secure key management infrastructure. EBS encryption enables data at rest security by encrypting your data using Amazon-managed keys, or keys you create and manage using the AWS Key Management Service (KMS). The encryption occurs on the servers that host EC2 instances, providing encryption of data as it moves between EC2 instances and EBS storage.

65
Q

CloudFormation Outputs

A

Outputs is an optional section of the CloudFormation template that describes the values that are returned whenever you view your stack’s properties.

Can provide info like DNS name of ELB, hostname of EC2 instances, etc.

66
Q

EC2 “Server Refused our Key” error

A

You might be unable to log into an EC2 instance if:

  • You’re using an SSH private key but the corresponding public key is not in the authorized_keys file.
  • You don’t have permissions for your authorized_keys file.
  • You don’t have permissions for the .ssh folder.
  • Your authorized_keys file or .ssh folder isn’t named correctly.
  • Your authorized_keys file or .ssh folder was deleted.
  • Your instance was launched without a key, or it was launched with an incorrect key.

To connect to your EC2 instance after receiving the error “Server refused our key,” you can update the instance’s user data to append the specified SSH public key to the authorized_keys file, which sets the appropriate ownership and file permissions for the SSH directory and files contained in it.

67
Q

Throughput Optimized HDD (st1)

A

Throughput Optimized HDD (st1) volumes provide low-cost magnetic storage that defines performance in terms of throughput rather than IOPS.

This volume type is a good fit for large, sequential workloads such as Amazon EMR, ETL, data warehouses, and log processing. Bootable st1 volumes are not supported.

Throughput Optimized HDD (st1) volumes, though similar to Cold HDD (sc1) volumes, are designed to support frequently accessed data.

68
Q

EBS Provisioned IOPS SSD (io1) & io2

A

Highest performance SSD volume designed for latency-sensitive transactional workloads

I/O-intensive NoSQL and relational databases

4 GB - 16 TB

64,000 IOPS

io2 is same as io1, except it has higher durability:
99.999% vs. 99.8-99.9%

69
Q

EBS General Purpose SSD (gp2)

A

General Purpose SSD volume that balances price performance for a wide variety of transactional workloads.

Boot volumes, low-latency interactive apps, dev and test

99.8% - 99.9% durability

1 GB - 16 TB

16,000 IOPS

250 MB/s Throughput

70
Q

EBS Cold HDD (sc1)

A

Lowest cost HDD volume designed for less frequently accessed workloads

99.8% - 99.9% durability

Colder data requiring fewer scans per day

500 GB - 16 TB

250 IOPS per volume (maximum)

250 MB/s throughput

71
Q

What is the AWS Systems Manager Run Command?

A

AWS Systems Manager Run Command lets you remotely and securely manage the configuration of your managed instances.

A managed instance is any Amazon EC2 instance or on-premises machine in your hybrid environment that has been configured for Systems Manager.

Run Command enables you to automate common administrative tasks and perform ad hoc configuration changes at scale.

You can use Run Command from the AWS console, the AWS Command Line Interface, AWS Tools for Windows PowerShell, or the AWS SDKs. Run Command is offered at no additional cost.

72
Q

Storage Gateway - Volume Gateway

A

Volume Gateway presents cloud-backed iSCSI block storage volumes to your on-premises applications. Volume Gateway stores and manages on-premises data in Amazon S3 on your behalf and operates in either cache mode or stored mode.

In the cached Volume Gateway mode, your primary data is stored in Amazon S3, while retaining your frequently accessed data locally in the cache for low latency access.

In the stored Volume Gateway mode, your primary data is stored locally and your entire dataset is available for low latency access on premises while also asynchronously getting backed up to Amazon S3.

In either mode, you can take point-in-time copies of your volumes using AWS Backup, which are stored in AWS as Amazon EBS snapshots. Using Amazon EBS Snapshots enables you to make space-efficient versioned copies of your volumes for data protection, recovery, migration, and various other copy data needs.

73
Q

Can an EBS volume be used when a snapshot is in progress?

A

EBS volumes can be used while a snapshot is in progress.

Snapshots occur asynchronously; the point-in-time snapshot is created immediately, but the status of the snapshot is pending until the snapshot is complete (when all of the modified blocks have been transferred to Amazon S3), which can take several hours for large initial snapshots or subsequent snapshots where many blocks have changed.

While it is completing, an in-progress snapshot is not affected by ongoing reads and writes to the volume; hence you can still use the EBS volume normally.

A non-root EBS volume can be detached or attached to a new EC2 instance while the snapshot is in progress. The only exception here is if you are taking a snapshot of your root volume.

74
Q

ALB Weighted Target Groups Routing

A

Application Load Balancers support Weighted Target Groups routing. With this feature, you will be able to do weighted routing of the traffic forwarded by a rule to multiple target groups.

This enables various use cases like blue-green, canary and hybrid deployments without the need for multiple load balancers. It even enables zero-downtime migration between on-premises and cloud or between different compute types like EC2 and Lambda.

75
Q

Route 53 Weighted Routing

A

To divert 50% of the traffic to the new application in AWS and the other 50% to the on-premises application, you can also use Route 53 with a Weighted routing policy. This will split the traffic between the on-premises and AWS-hosted applications accordingly.

Weighted routing lets you associate multiple resources with a single domain name (yourwebsite.com) or subdomain name (portal.yourwebsite.com) and choose how much traffic is routed to each resource. This can be useful for a variety of purposes, including load balancing and testing new versions of software. You can set a specific percentage of how much traffic will be allocated to the resource by specifying the weights.

For example, if you want to send a tiny portion of your traffic to one resource and the rest to another resource, you might specify weights of 1 and 255. The resource with a weight of 1 gets 1/256th of the traffic (1/(1+255)), and the other resource gets 255/256ths (255/(1+255)).

You can gradually change the balance by changing the weights. If you want to stop sending traffic to a resource, you can change the weight for that record to 0.

76
Q

ALB Target Types

A

  1. instance - The targets are specified by instance ID.
  2. ip - The targets are IP addresses.
  3. Lambda - The target is a Lambda function.

77
Q

ALB IP CIDR block Target Supported Ranges

A

When the target type is ip, you can specify IP addresses from one of the following CIDR blocks:

  • 10.0.0.0/8 (RFC 1918)
  • 100.64.0.0/10 (RFC 6598)
  • 172.16.0.0/12 (RFC 1918)
  • 192.168.0.0/16 (RFC 1918)
  • The subnets of the VPC for the target group

These supported CIDR blocks enable you to register the following with a target group: ClassicLink instances, instances in a VPC that is peered to the load balancer VPC, AWS resources that are addressable by IP address and port (for example, databases), and on-premises resources linked to AWS through AWS Direct Connect or a VPN connection.

Take note that you cannot specify publicly routable IP addresses. If you specify targets using an instance ID, traffic is routed to instances using the primary private IP address specified in the primary network interface for the instance. If you specify targets using IP addresses, you can route traffic to an instance using any private IP address from one or more network interfaces. This enables multiple applications on an instance to use the same port. Each network interface can have its own security group.

78
Q

VPC Gateway Endpoint

A

Used for S3, DynamoDB

All others use interface endpoint

79
Q

After creating admins in IAM, what do you need to do to give them access to the AWS console?

A

Provide a password for each user created and give these passwords to the admins.

The AWS Management Console is the web interface used to manage your AWS resources using your web browser. To access this, your users should have a password that they can use to login to the web console.

80
Q

Target tracking scaling - ASG

A

Increase or decrease the current capacity of the group based on a target value for a specific metric. This is similar to the way that your thermostat maintains the temperature of your home – you select a temperature and the thermostat does the rest.

If you are scaling based on a utilization metric that increases or decreases proportionally to the number of instances in an Auto Scaling group, then it is recommended that you use target tracking scaling policies. Otherwise, it is better to use step scaling policies instead.

81
Q

Difference between step scaling and simple scaling?

A

Step scaling policies and simple scaling policies are two of the dynamic scaling options available for you to use. Both require you to create CloudWatch alarms for the scaling policies. Both require you to specify the high and low thresholds for the alarms. Both require you to define whether to add or remove instances, and how many, or set the group to an exact size.

The main difference between the policy types is the step adjustments that you get with step scaling policies. When step adjustments are applied, and they increase or decrease the current capacity of your Auto Scaling group, the adjustments vary based on the size of the alarm breach.

In most cases, step scaling policies are a better choice than simple scaling policies, even if you have only a single scaling adjustment.

The main issue with simple scaling is that after a scaling activity is started, the policy must wait for the scaling activity or health check replacement to complete and the cooldown period to expire before responding to additional alarms. Cooldown periods help to prevent the initiation of additional scaling activities before the effects of previous activities are visible.

82
Q

Simple scaling - ASG

A

Increase or decrease the current capacity of the group based on a single scaling adjustment.

83
Q

Scheduled Scaling - ASG

A

Based on a schedule that allows you to set your own scaling schedule for predictable load changes.

84
Q

Client-side Encryption

A

Encrypting data before it is sent to S3.

To enable:
Use an AWS KMS managed customer master key
OR
Use a client-side master key for client-side encryption; client-side master keys are never sent to AWS

85
Q

AWS SHIELD

A

Network and transport layer protection
DDoS attacks, near real-time visibility
Integration with WAF

86
Q

Cloudwatch Events

A

Deliver near real-time stream of system events that describe changes in AWS resources

Events respond to operational changes and take corrective action as necessary, by sending messages to respond to the environment, activating functions, making changes, and capturing state information.

Concepts:

  • Events - indicates a change in your AWS environment
  • Targets - Processes events.
  • Rules - matches incoming events and routes them to targets for processing.

EX: can increase or reduce ECS tasks based on PUTs or DELETEs

87
Q

Redis Encryption & Authorization

A

Must use the “--transit-encryption-enabled” and “--auth-token” parameters

Redis cannot use IAM for authorization. Must use the above parameters.

88
Q

How does Lambda Encrypt Environment Variables? What about if encryption helpers are required?

A

Lambda encrypts env. variables using AWS KMS

  • When invoked, those values are decrypted and made available to the Lambda code
  • A default KMS key is created when environment variables are used

If encryption helpers are required, you must create your own key (default keys don’t work).
This gives you the flexibility to create, rotate, disable, and define access controls for the key.

89
Q

Cloudtrail trail region specifications?

A

A trail that applies to ALL REGIONS - CloudTrail records events in each region and delivers the CloudTrail event log files to an S3 bucket you specify. This is the default option when you create a trail in the CloudTrail console.

ONE REGION - CloudTrail records events only in the region that you specify. This is the default option when you create a trail using the AWS CLI or the CloudTrail API.

90
Q

What are the default Cloudwatch Available Metrics?

A

CPU utilization
Network utilization
Disk read metrics

91
Q

Cloudwatch Custom Monitoring Scripts

A

Written in Perl
Helps to install Cloudwatch Unified Agent

  • memory utilization
  • disk swap utilization
  • disk space utilization
  • page file utilization
  • log collection

92
Q

Lambda @Edge

A

Allows Lambda functions to customize the content CloudFront delivers, executing functions closer to the viewer.

  • viewer request - after CF receives from viewer
  • origin request - before CF forwards request to origin
  • origin response - after CF receives response from origin
  • viewer response - before CF forwards response to viewer

93
Q

CloudFront Origin Failover

A

Provides redundancy when the primary origin fails.

Create an origin group with two origins: a primary and a secondary. If the primary origin is unavailable, or returns specific HTTP response status codes that indicate a failure, CloudFront automatically switches to the secondary origin.

To set up origin failover, you must have a distribution with at least two origins. Next, you create an origin group for your distribution that includes two origins, setting one as the primary. Finally, you create or update a cache behavior to use the origin group.

94
Q

RDS Replication

A

RDS Multi AZ are replicated synchronously

RDS read replicas are replicated asynchronously

95
Q

Cloud Trail for Security Logs

A

Enables governance, compliance, operational auditing, risk auditing across ALL AWS RESOURCES

96
Q

IAM DB Authorization

A

Works with MySQL and PostgreSQL
No password required, only an auth token
Encrypted (SSL)

97
Q

What happens if an API Gateway gets a huge amount of requests?

A

Provides throttling limits - can handle huge traffic spikes

Allows requests to be cached

98
Q

Ephemeral

A

Short term or temporary

Think ephemeral storage (instance based) or ephemeral ports (1089-65535)

99
Q

Redshift Enhanced VPC Routing

A

Enables all VPC features

NACLs, SGs, DNS, gateways

100
Q

Amazon Macie

A

Auto discovery, classifying, protecting sensitive data stored in S3

101
Q

Cloudfront for Paying Subscribers

A

Use signed cookies to control access to private files

Members receive a “Set-Cookie” header, which unlocks the content

102
Q

Moving static IPs from on Prem. to AWS

A

ROA (Route Origin Authorization) - A document created through ARIN containing IP address range to be moved.

Then, for AWS, publish a self-signed X.509 certificate in the RDAP (Registration Data Access Protocol) remarks.

103
Q

AWS ECS Parameter store

A

Amazon ECS enables you to inject sensitive data into your containers by storing your sensitive data in AWS Systems Manager Parameter Store parameters and then referencing them in your container definition.

104
Q

RDS Enhanced Monitoring

A

Amazon RDS provides metrics in real time for the operating system (OS) that your DB instance runs on.

Enhanced Monitoring is available in all regions except AWS GovCloud (US).

Metrics include:

  • IOPS - number of I/O operations completed each second
  • Latency - time elapsed between submission of an I/O request and its completion
  • Throughput - number of bytes each second that are transferred to or from disk
  • Queue Depth - number of I/O requests in the queue waiting to be serviced

105
Q

DynamoDB Stream

A

When enabled, DynamoDB Streams captures a time-ordered sequence of item-level modifications in a DynamoDB table and durably stores the information for up to 24 hours.

Applications can access a series of stream records, which contain an item change, from a DynamoDB stream in near real time.

AWS maintains separate endpoints for DynamoDB and DynamoDB Streams.

To work with database tables and indexes, your application must access a DynamoDB endpoint. To read and process DynamoDB Streams records, your application must access a DynamoDB Streams endpoint in the same Region.

You can process DynamoDB streams in multiple ways. The most common approaches use AWS Lambda or a standalone application that uses the Kinesis Client Library (KCL) with the DynamoDB Streams Kinesis Adapter.

DynamoDB is integrated with Lambda to create triggers

106
Q

AWS File Gateway

A

Supports a file interface into S3, and combines a service and a virtual software appliance

The software appliance, or gateway, is deployed into your on-premises environment as a virtual machine running on a VMware ESXi or Microsoft Hyper-V hypervisor.

File gateway supports

  • S3 standard
  • S3 standard - infrequent access
  • S3 One Zone - IA

Store and retrieve files directly using NFS version 3 or 4.1

Store and retrieve files directly using SMB file system version 2 and 3

Access data in S3 from any AWS cloud app or service

Manage S3 using lifecycle policies, cross-region replication, and versioning

107
Q

File Gateway Object Lock

A

File Gateway now supports S3 object lock, enabling write-once-read-many (WORM) file-based systems to store and access objects in S3

108
Q

DAX

A

Fully managed, high availability, in-memory cache for DynamoDB
Supports a 10 times performance improvement (from milliseconds to microseconds), even at millions of requests per second.

109
Q

Aurora-Serverless

A

On-demand, autoscaling Database
For intermittent, unpredictable workloads; you set the minimum and maximum capacity.

This is cost effective and scales quickly because the servers are prewarmed

110
Q

AWS EFS

A

POSIX compliant.

Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. It is built to scale on demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files, eliminating the need to provision and manage capacity to accommodate growth.

111
Q

Can AMI’s be used in any region?

A

No, they must be copied to the region they will be used in.

112
Q

Amazon MQ

A

Allows switching from a standards based message broker to AWS without rewriting message code.

Connecting your current applications to Amazon MQ is easy because it uses industry-standard APIs and protocols for messaging, including JMS, NMS, AMQP, STOMP, MQTT, and WebSocket.

113
Q

Firehose stores data where?

A

S3, Redshift, Elasticsearch, generic HTTP endpoints, Datadog, New Relic, MongoDB, Splunk

114
Q

Splunk

A

The Splunk platform makes machine data accessible and usable. Splunk Enterprise enables you to search, monitor, and analyze machine data from any source to gain valuable intelligence and insights across your entire organization.

115
Q

Redshift Spectrum

A

Amazon Redshift Spectrum is a feature within Amazon Web Services’ Redshift data warehousing service that lets a data analyst conduct fast, complex analysis on objects stored on the AWS cloud.

With Redshift Spectrum, an analyst can perform SQL queries on data stored in Amazon S3 buckets.

116
Q

DynamoDB Partition Keys

A

Composite primary key: This type of key is composed of two attributes. The first attribute is the partition key, and the second attribute is the sort key.

Simple primary key: This type of key is composed of one attribute known as the partition key. Attributes in DynamoDB are similar in many ways to fields or columns in other database systems.

117
Q

high-cardinality attributes (dynamoDB)

A

These are attributes that have distinct values for each item, like e-mailid, employee_no, customerid, sessionid, orderid, and so on.

118
Q

composite attributes (dynamoDB)

A

Try to combine more than one attribute to form a unique key, if that meets your access pattern. For example, consider an orders table with customerid+productid+countrycode as the partition key and order_date as the sort key.

119
Q

Route53 simple routing policy

A

Use for a single resource that performs a given function for your domain, for example, a web server that serves content for the example.com website.

120
Q

Route53 Failover routing policy

A

Use when you want to configure active-passive failover.

121
Q

Route53 Geolocation routing policy

A

Use when you want to route traffic based on the location of your users.

122
Q

Route53 Geoproximity routing policy

A

Use when you want to route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another with routing bias.

123
Q

Route53 Latency Routing policy

A

Use when you have resources in multiple AWS Regions and you want to route traffic to the region that provides the best latency.

124
Q

Route53 Multivalue answer routing policy

A

Use when you want Route 53 to respond to DNS queries with up to eight healthy records selected at random.

125
Q

Route53 Weighted routing policy

A

Use to route traffic to multiple resources in proportions that you specify.

126
Q

Customer Gateway with Static IP

A

Required for a VPN connection

127
Q

S3 Website Requirements

A

Bucket name must be the same as the domain name
The website must have a registered domain name
Route 53 will auto register, but if you’re using another registrar, CNAME or Alias must be configured

128
Q

ACM (AWS Certificate Manager)

A

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.

SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks.

AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.

129
Q

AWS Config

A

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

130
Q

AWS Datasync

A

Think of migrations. This is not used for day-to-day transfers between on-premises and AWS, as Storage Gateway is.

AWS DataSync makes it simple and fast to move large amounts of data online between on-premises storage and Amazon S3, Amazon Elastic File System (Amazon EFS), or Amazon FSx for Windows File Server.

Handles NFS, SMB, and self-managed object stores.

Transfers hundreds of terabytes and millions of files at speeds up to 10 times faster than open-source tools, over the internet or AWS Direct Connect links.

Best used over AWS Direct Connect. Install the DataSync agent on premises.

131
Q

VPC Peering - You cannot:

A

Route edge to edge, or do transitive peering

If you are using VPC peering, on-premises connectivity (VPN and/or Direct Connect) must be made to each VPC. Resources in a VPC cannot reach on-premises using the hybrid connectivity of a peered VPC.

132
Q

What AWS resources are used for decoupling

A

SQS and SWF (simple workflow service)

133
Q

ALB supports what kind of routing?

A

Path based and host based

134
Q

S3 supports these notification services when an event occurs?

A

SNS, SQS, Lambda

135
Q

Tape Gateway

A

Uses virtual tapes to back up physical on-prem tapes using AWS Storage Gateway. To reduce costs, use Glacier Deep Archive.

136
Q

SQS when to use multiple Queues?

A

For an app that has paid users and free users.

Process paid queue users first, then process the free queue.

137
Q

S3 object lock

A

With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. You can use it to prevent an object from being deleted or overwritten for a fixed amount of time or indefinitely.

Object Lock helps you meet regulatory requirements that require WORM storage, or simply add another layer of protection against object changes and deletion.

138
Q

AWS Codedeploy

A

Code deployment service capable of deployments to EC2 instances, on-premises instances, Lambda, AWS Fargate, etc.

139
Q

AWS Canary

A

The purpose of a canary deployment is to reduce the risk of deploying a new version that impacts the workload.

The method will incrementally deploy the new version, making it visible to new users in a slow fashion. As you gain confidence in the deployment, you will deploy it to replace the current version in its entirety.

140
Q

AWS Linear deployment

A

Traffic is shifted in equal increments with an equal number of minutes between each increment.

141
Q

Perfect Forward Secrecy

A

Used to offer SSL/TLS cipher suites for CloudFront and ELB

142
Q

SNI (Server Name Indication)

A

SNI Custom SSL uses a TLS protocol extension to allow multiple domains to serve SSL traffic over the same IP address, by including the hostname in the handshake.

CloudFront delivers content from edge locations using SNI Custom SSL if an ACM certificate is generated and associated with the web distribution.

143
Q

Amazon DLM (Data Lifecycle Manager)

A

Automates the creation, retention, and deletion of snapshots taken to back up EBS volumes.

144
Q

AWS Secrets Manager is used for?

A

Encrypting Credentials, API keys, other secrets, and to enable auto rotation for all creds.

145
Q

Instance Metadata Contains

A

many, many items:

instance ID, public keys, public ip address, network interfaces, placement groups, etc.

146
Q

Cloudwatch Alarms have the ability to:

A

Stop, start, terminate, reboot, or recover EC2 instances

147
Q

Route53 AAAA record (IPv6)

A

An AAAA record maps a domain name to the IP address (Version 6) of the computer hosting the domain. An AAAA record is used to find the IP address of a computer connected to the internet from a name.

148
Q

Route53 A record (IPv4)

A

Maps a domain name to the IP address (version 4) of the computer hosting the domain. An A record is used to find the IP address of a computer connected to the internet from a name.

149
Q

How to route domain traffic to an ELB?

A

Use Route53 to create an alias pointed to the load balancer.

150
Q

Route 53 - when are CNAME’s used?

A

CNAME records can only be created for use with subdomains.

151
Q

IoT (Internet of Things)

A

Managed cloud service that lets connected devices easily and securely interact with cloud apps and other devices.

Example: data on road conditions, weather services

152
Q

In Kinesis you have a large number of shards, and some of them start to expire. What do you do?

A

Increase write capacity assigned to shard table in Kinesis streams.

153
Q

AWS WAF (web application firewall)

A

AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources.

Set up AWS WAF.

Create a web access control list (web ACL) using the wizard in the AWS WAF console.

Choose the AWS resources that you want AWS WAF to inspect web requests for.

154
Q

Autoscaling cool down

A

Ensures the ASG doesn’t launch or terminate additional EC2 instances before the previous scaling activity takes effect.

The default value is 300 seconds, but it can be configured.

155
Q

What is a Cloudformation Creation Policy?

A

Associate the CreationPolicy attribute with a resource to prevent its status from reaching CREATE_COMPLETE until AWS CloudFormation receives a specified number of success signals or the timeout period is exceeded.

To signal a resource, you can use the cfn-signal helper script or the SignalResource API. AWS CloudFormation publishes valid signals to the stack events so that you can track the number of signals sent.

"CreationPolicy" : {
  "AutoScalingCreationPolicy" : {
    "MinSuccessfulInstancesPercent" : Integer
  },
  "ResourceSignal" : {
    "Count" : Integer,
    "Timeout" : String
  }
}

156
Q

EC2 Placement groups

A

Cluster: packs instances close together inside an AZ. Workloads achieve the low-latency network performance necessary for the tightly coupled node-to-node communication typical of HPC.

Partition: spreads instances across logical partitions such that the groups of instances in one partition don’t share underlying hardware with groups of instances in different partitions. Used for large, distributed workloads like Hadoop, Cassandra, and Kafka.

Spread: strictly places a small group of instances across distinct underlying hardware to reduce correlated failures.

157
Q

When are instances billed?

A

While running, and while stopping to hibernate.

Reserved instances are billed when terminated until the end of their term, or until they are sold on the marketplace.

158
Q

What kind of SQS Queues preserve order of messages?

A

Only FIFO queues preserve order of messages

159
Q

AWS Appsync

A

AWS AppSync is a fully managed service that makes it easy to develop GraphQL APIs by handling the heavy lifting of securely connecting to data sources like AWS DynamoDB, Lambda, and more.

Adding caches to improve performance, subscriptions to support real-time updates, and client-side data stores that keep off-line clients in sync are just as easy.

Once deployed, AWS AppSync automatically scales your GraphQL API execution engine up and down to meet API request volumes.

160
Q

When asked about durable storage what service should be the first to come to mind on the test?

A

S3

161
Q

What is GraphQL?

A

A language for API’s that enables you to query and manipulate data easily

162
Q

Which database service is automatically scaled? RDS or DynamoDB?

A

DynamoDB

163
Q

When using parallel requests to store and retrieve data at the same time, what can happen with S3?

A

If an app is using multiple PUT commands and multiple GET commands, and the same file is being accessed, the file with the most recent time stamp will be selected. This can cause inconsistencies when putting or getting files with S3.

S3 doesn’t support file locking in the way that EFS does. S3 file locking only prevents files from being changed or deleted after a set amount of time. EFS will lock files that are in use/being updated to prevent inconsistencies, but S3 will not.

164
Q

While trying to create 30 EC2 instances, it fails. What happened?

A

AWS has limits for vCPUs, so if you create too many, the creation can fail.

vCPU limits are set per region, not per AZ.

If you require more instances, submit a limit increase to AWS for consideration.

165
Q

Restricting access to S3 using Origin Access Identity (OAI)

A

To restrict access to content that you serve from Amazon S3 buckets, follow these steps:

Create a special CloudFront user called an origin access identity (OAI) and associate it with your distribution.

Configure your S3 bucket permissions so that CloudFront can use the OAI to access the files in your bucket and serve them to your users. Make sure that users can’t use a direct URL to the S3 bucket to access a file there.

166
Q

AWS APP Mesh

A

Service mesh that provides app-level networking to make it easy for services to communicate with each other across multiple types of compute infrastructure.

167
Q

AWS Cloud Map

A

Cloud resource discovery service that enables naming of application resources with custom names and auto updates locations of dynamically changing resources.

168
Q

S3 SELECT

A

Custom S3 SELECT query specifically for S3

169
Q

What S3 object attributes are required to make a select query against an S3 object?

A

Bucket name and Object Key

S3 bucket name - Globally unique ID
S3 object name - key name, which uniquely identifies the object in the bucket
S3 metadata - Provides info about the object “Date, type, etc.”
S3 Object Tag - Tagging to help categorize storage

170
Q

Glacier Expedited Retrieval

A

Provides fast retrieval of archived data for urgent requests (typically 1-5 minutes)

171
Q

Glacier Provisioned Capacity (retrieval)

A

Ensures retrieval capacity of up to 150 MB/s, and needs to be purchased if urgent retrieval is required under all circumstances.

It’s possible an urgent request could be denied without provisioned capacity.

172
Q

Glacier SELECT

A

Used to perform filtering operations on data archives in Glacier

173
Q

BULK Retrieval

A

Bulk retrievals are S3 Glacier’s lowest-cost retrieval option, which you can use to retrieve large amounts, even petabytes, of data inexpensively in a day. Bulk retrievals typically complete within 5–12 hours.

174
Q

What is a destination for Kinesis real time analytics?

A

Kinesis can be used in real-time analytics situations and Lambda can be a destination

175
Q

How are NACL rules evaluated?

A

NACL rules are evaluated from the lowest number first.

If there is a match, the traffic passes immediately.

Example: if rule 100 says “Allow”, matching traffic is allowed even if rule 101 explicitly denies the same traffic.

176
Q

How do you transfer objects from a bucket in one account to a bucket in another account, changing their ownership?

A

Enable cross-account permissions in S3 by creating an IAM customer managed policy that allows an IAM user or role to copy objects from the source bucket in one account to the destination bucket in the other account.

Then attach the policy to the IAM user or role that will transfer the objects between accounts.

177
Q

What is the largest PUT you can do in S3?

A

5GB

178
Q

Which AWS file storage provides semantics? S3 or EFS?

A

EFS provides semantics

S3 does not

179
Q

S3 Transfer Acceleration

A

Enables fast, easy, and secure transfer of files over long distances between a client and S3.

Uses CloudFront’s globally distributed Edge locations.

As data arrives at an edge location, it is routed to the S3 bucket over an optimized network path.

180
Q

How long does Kinesis data streams retain data by default?

A

Default is 24 hours, but it can be increased to a maximum of 168 hours.

181
Q

EFA - Elastic Fabric Adapter

A

One per EC2 instance; a network device that accelerates HPC and machine learning clusters (not supported on Windows).

182
Q

Launch Configurations

A

A Launch Configuration can only be specified once for an ASG at a time, and cannot be modified after it’s created.

In order to launch a new AMI in an ASG, a new Launch Configuration must be created.

183
Q

Aurora DB Endpoint

A

An intermediate handler so that no hostnames have to be hardcoded, and no logic needs to be written for load balancing/rerouting when some instances aren’t available.

Each Aurora cluster has a reader endpoint.

184
Q

What happens when spot instances are interrupted?

A

They are terminated by default.

You can choose to have them terminated, stopped, or hibernated upon interrupt.

Stop and hibernate are available for persistent spot requests and spot fleets with the “maintain” option enabled.

185
Q

EFS Keywords and attributes

A

“File operation” indicates EFS. EFS allows concurrent connections from multiple EC2 instances.

Achieves throughput and low-latency for big data types.

Provides read after write consistency.

186
Q

How do you associate a DynamoDB stream with Lambda?

A

The DynamoDB stream ARN can be used to associate the stream with a Lambda function.

187
Q

What is AWS Glue

A

A fully managed ETL service

188
Q

What is S3 cross region replication?

A

When S3 is replicated across regions for redundancy

189
Q

In a single EC2 instance, what is the lowest latency storage?

A

EBS for up to 16 TB of storage.

190
Q

For multiple EC2 instances running concurrently, what is the lowest latency storage?

A

EFS

191
Q

Unified Cloudwatch Logs Agent

A

Used to collect EC2 instance and on-premises logs.

  • Collects logs and advanced metrics with installation and configuration of one agent
  • Unified agent allows collection of logs from Windows Server
  • Collects additional metrics for “in-guest” visibility
  • Provides better performance

192
Q

Cloudwatch Logs Insights

A

Enables interactive search and analysis of log data in CloudWatch Logs

  • Perform queries against logs
  • Purpose-built query language with simple, powerful commands

193
Q

SSM Agent (systems manager agent)

A

Centralizes operations data from multiple AWS services and automates tasks across AWS resources

  • Create logical groups, such as apps, different layers of an app stack, or prod/dev
  • Select groups and view API activity, resource config changes, notifications, operations alerts, software inventory, and patch compliance

194
Q

AWS inspector agent

A

A security assessment service which only helps in checking for unintended network accessibility of EC2 and EC2 vulnerabilities

195
Q

CloudWatch Dashboard

A

Allows resources to be managed in a single view

196
Q

Is DynamoDB auto scaling default?

A

Yes, it is. You may still be asked whether DynamoDB auto scaling applies; the answer is that it does.

It can be disabled or enabled on DynamoDB tables.

197
Q

EC2 instance metadata retrieval

A

Use the following command from inside the instance (the instance metadata service is reached at the link-local address, not over the instance’s public hostname; with IMDSv2 enforced, a session token header is also required):

curl http://169.254.169.254/latest/meta-data/

This returns metadata categories including:

  • public IPv4 address
  • private IPv4 address
  • all other metadata

198
Q

AWS Global Accelerator

A

Improves availability and performance for local and global users.

Provides static IPs as a fixed entry point to app endpoints in single or multiple regions, such as app load balancers, network load balancers, or EC2.

  • Optimizes TCP and UDP traffic
  • Continually monitors health of application endpoints
  • Detects unhealthy endpoints in less than a minute
  • Routes traffic to the closest location using Anycast

199
Q

When to use Global Accelerator over CloudFront?

A

Global Accelerator improves performance for a wide range of apps over TCP and UDP by proxying packets to edge locations.

It is a good fit for non-HTTP workloads, such as gaming (UDP), IoT (MQTT), or VoIP, as well as for HTTP workloads that require static IP addresses or deterministic, fast regional failover.

CloudFront improves performance for cacheable content (images and videos) and dynamic content (API acceleration, dynamic site delivery), but it does not route traffic to the closest edge location via Anycast static IPs.

Both have DDoS protection through AWS Shield integration.

200
Q

Where should I upload 3rd party SSL Certificates?

A

Upload them to ACM (preferred) or IAM certificate store.

201
Q

How to backup a Redshift cluster to another region?

A

Enable cross-region snapshot copy to back up a Redshift cluster to another region, preventing loss of data in a region outage.

  • Enable the copy feature for each cluster
  • Configure where to copy snapshots and how long to keep automated snapshots in the destination region
  • When cross-region copy is enabled for a cluster, all new manual and automated snapshots are copied to the specified region

202
Q

If customer’s identity store isn’t compatible with SAML 2.0, can you use STS for temporary credentials?

A

Yes, but a custom ID broker application has to be created to leverage AWS STS for temp credentials.

203
Q

In SQS what do I do if I cannot have any duplicates in my queue?

A

Use FIFO (first in first out) when duplicates can’t be tolerated.

204
Q

SWF (simple workflow service)

A

Can be used when tasks cannot be duplicated.

Amazon SWF helps developers build, run, and scale background jobs that have parallel or sequential steps. You can think of Amazon SWF as a fully-managed state tracker and task coordinator in the Cloud.

If your app’s steps take more than 500 milliseconds to complete, you need to track the state of processing, and you need to recover or retry if a task fails, Amazon SWF can help you.

205
Q

AWS Guard Duty

A

Intelligent threat detection service to protect AWS accounts and workloads

206
Q

S3 Glacier Vault

A

Used for long-term storage for auditing. A vault lock policy can be created: an access policy that can be locked to deny users permission to delete an archive until it has existed for a set amount of time. After locking, the policy is immutable.

  • Used for regulatory and compliance archival

207
Q

Cloudwatch Detailed Metrics

A

Provide a higher frequency (every minute) of default monitoring data

208
Q

Are DNS resolution and DNS hostnames enabled by default when a new VPC is created?

A

No.

In order to give a new EC2 instance in a new VPC public DNS hostnames, DNS hostnames and resolution need to be enabled in the new VPC.

209
Q

What AWS Config policy monitors passwords?

A

IAM_PASSWORD_POLICY

210
Q

CloudTrail event history

A

Allows viewing, searching, and downloading of the past 90 days of supported activity on an AWS account.

To retain events beyond that, a CloudTrail trail can be created to archive events to S3.
They can also be analyzed in CloudWatch Logs and CloudWatch Events.

211
Q

AWS Step Functions

A

Allows serverless “orchestration” of modern apps by breaking workflows into steps. Used in application development to keep workflow orchestration separate from business logic.

212
Q

AWS Transit Gateway

A

Used to connect VPCs to on-premises networks with a single gateway.

  • Hub-and-spoke model which can scale to many VPCs
  • Allows connections through a network transit center
  • Connects on-premises data centers through site-to-site VPNs

213
Q

Link Aggregation Group (LAG)

A

Logical interface that uses LACP (Link Aggregation Control Protocol) to aggregate multiple connections at a single Direct Connect endpoint, allowing them to be treated as a single, managed connection.

214
Q

X-RAY

A

Used to trace API Gateway calls to underlying services.

Provides an end-to-end view of the entire API request.

215
Q

Cognito

A

Allows MFA through SMS messaging or time-based one-time passwords (TOTP)

216
Q

How do you track S3 bucket level operations?

A

Use CloudTrail

217
Q

How do you track S3 object level operations?

A

Use Server Access Logs