AWS Solutions Architect Flashcards

Question

S3 Intelligent Tiering

Answer 1

Designed for customers who want to optimize storage costs automatically. First cloud object storage class that delivers automatic cost savings by moving data between two access tiers - Frequent access and infrequent access. Ideal for data with unknown or changing access patterns. Monitors access patterns and moves objects that have not been accessed for 30 consecutive days to the infrequent access tier. If accessed later, it is moved back to frequent. No retrieval fees in intelligent tiering.

Answer 2

Long-term archive Not available for real-time access Cannot be specified at the time an object is created. Visible through S3 only. Retrieval Options: Expedited - allows quick access for urgent requests for a subset of archives. Data access is typically within 1-5 minutes. Two types: On-demand - similar to EC2 and are available most of the time. Provisioned - are guaranteed to be available. Standard - Allows access to any archives within several hours. Typically 3-5 hours. Default. Bulk - Glaciers lowest-cost retrieval option, enabling retrieval of large amounts, even petabytes, of data inexpensively in a day. Usually takes 5-12 hours.

Answer 3

Failover is automatically handled by Amazon Aurora so that your applications can resume database operations as quickly as possible without manual administrative intervention. If you have an Amazon Aurora Replica in the same or a different Availability Zone, when failing over, Amazon Aurora flips the canonical name record (CNAME) for your DB Instance to point at the healthy replica, which in turn is promoted to become the new primary. Start-to-finish, failover typically completes within 30 seconds. If you are running Aurora Serverless and the DB instance or AZ become unavailable, Aurora will automatically recreate the DB instance in a different AZ. If you do not have an Amazon Aurora Replica (i.e. single instance) and are not running Aurora Serverless, Aurora will attempt to create a new DB Instance in the same Availability Zone as the original instance. This replacement of the original instance is done on a best-effort basis and may not succeed, for example, if there is an issue that is broadly affecting the Availability Zone.

Answer 4

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an Internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other services do not leave the Amazon network. Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic. There are two types of VPC endpoints: interface endpoints and gateway endpoints. You should create the type of VPC endpoint required by the supported service. As a rule of thumb, most AWS services use VPC Interface Endpoint except for S3 and DynamoDB, which use VPC Gateway Endpoint.

Answer 5

HTTP: 80 HTTPS: 443 Succeeds if instance returns 200 response code within HC interval

Answer 6

TCP, TLS, UDP, TCP_UDP 1-65535

Answer 7

Succeeds if TCP connection succeeds

Answer 8

``` Redshift DynamoDB S3 Amazon EMR Kinesis Firehose ```

Answer 9

By default, CloudTrail event log files are encrypted using Amazon S3 server-side encryption (SSE). You can also choose to encrypt your log files with an AWS Key Management Service (AWS KMS) key.

Answer 10

Actions taken by a user, role, or an AWS service in the AWS management console, CLI, and AWS SDKs and APIs are recorded as events. Enabled on account creation. Focuses on auditing API activity. Event history allows viewing, search, and download of the past 90 days of activity. Two Types: All regions - Records events in each region and delivers the CT log files to a specified S3 bucket. (default option) One region - records events in the region specified. (default option when creating trail in CLI or CT API). Cloudtrail events can be sent to Cloudwatch logs to trigger alarms according to metric filters. Cloudtrail log file integrity validation can verify if a log file was modified, deleted, or unchanged after Cloudtrail delivered.

Answer 11

A cloudtrail trail that will log all events for AWS accounts in an organization created by AWS Organizations. Org trails must be created by the master account.

Answer 12

Create a web ACL with a rule that explicitly allows an approved IP. Then create another rule with a condition like "geo match" that blocks requests that originate from a specific country. Allow first, then block what you desire.

Answer 13

AWS Database Migration Service helps you migrate databases to AWS quickly and securely. The source database remains fully operational during the migration, minimizing downtime to applications that rely on the database. It supports homogeneous migrations such as Oracle to Oracle, as well as heterogeneous migrations between different database platforms, such as Oracle to Amazon Aurora.

Answer 14

Used to convert the source schema and code to match that of the target database in a heterogeneous database migration.

Answer 15

fully managed, highly reliable, and scalable file storage accessible over the industry-standard Service Message Block (SMB) protocol. It is built on Windows Server, delivering a wide range of administrative features such as user quotas, end-user file restore, and Microsoft Active Directory (AD) integration. Amazon FSx supports the use of Microsoft’s Distributed File System (DFS) Namespaces to scale-out performance across multiple file systems in the same namespace up to tens of Gbps and millions of IOPS.

Answer 16

Add a lifecycle hook to your Auto Scaling group so that you can perform custom actions when instances launch or terminate.

Answer 17

``` Pending Pending:Wait Pending:Proceed InService Terminating:Wait Terminating:Proceed Terminated ``` If you added an autoscaling:EC2_INSTANCE_LAUNCHING lifecycle hook to your Auto Scaling group, the instances move from the Pending state to the Pending:Wait state. After you complete the lifecycle action, the instances enter the Pending:Proceed state. When the instances are fully configured, they are attached to the Auto Scaling group and they enter the InService state. When Amazon EC2 Auto Scaling responds to a scale in event, it terminates one or more instances. These instances are detached from the Auto Scaling group and enter the Terminating state. If you added an autoscaling:EC2_INSTANCE_TERMINATING lifecycle hook to your Auto Scaling group, the instances move from the Terminating state to the Terminating:Wait state. After you complete the lifecycle action, the instances enter the Terminating:Proceed state. When the instances are fully terminated, they enter the Terminated state.

Answer 18

Cannot be used as boot volume in AWS Large, Sequential I/O operations Low Price Big data, data warehouses, log processing Throughput-oriented storage for a large volumes of data is infrequently accessed Cost: Low

Answer 19

Small, random I/O operations Best for Transactional workloads Critical business apps that require sustained IOPS performance Large database workloads such as MongoDB, Oracle, Microsoft SQL Cost: moderate/high

Answer 20

All of the APIs created with Amazon API Gateway expose HTTPS endpoints only. Amazon API Gateway does not support unencrypted (HTTP) endpoints. By default, Amazon API Gateway assigns an internal domain to the API that automatically uses the Amazon API Gateway certificate. When configuring your APIs to run under a custom domain name, you can provide your own certificate for the domain.

Answer 21

Amazon SQS automatically deletes messages that have been in a queue for more than the maximum message retention period. The default message retention period is 4 days. Max is 14 days.

Answer 22

Amazon WorkSpaces is a managed, secure Desktop-as-a-Service (DaaS) solution. You can use Amazon WorkSpaces to provision either Windows or Linux desktops in just a few minutes and quickly scale to provide thousands of desktops to workers across the globe. You can pay either monthly or hourly, just for the WorkSpaces you launch, which helps you save money when compared to traditional desktops and on-premises VDI solutions.

Answer 23

Allows mapping of zone apex (e.g. yourwebsite.com) DNS name to your load balancer (or other AWS resource) DNS name. Useful because IP addresses change all of the time, so using DNS is appropriate.

Answer 24

AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics. You can create and run an ETL job with a few clicks in the AWS Management Console. You simply point AWS Glue to your data stored on AWS, and AWS Glue discovers your data and stores the associated metadata (e.g. table definition and schema) in the AWS Glue Data Catalog. Once cataloged, your data is immediately searchable, queryable, and available for ETL. AWS Glue generates the code to execute your data transformations and data loading processes.

Answer 25

1. If there are instances in multiple Availability Zones, choose the Availability Zone with the most instances and at least one instance that is not protected from scale in. If there is more than one Availability Zone with this number of instances, choose the Availability Zone with the instances that use the oldest launch configuration. 2. Determine which unprotected instances in the selected Availability Zone use the oldest launch configuration. If there is one such instance, terminate it. 3. If there are multiple instances to terminate based on the above criteria, determine which unprotected instances are closest to the next billing hour. (This helps you maximize the use of your EC2 instances and manage your Amazon EC2 usage costs.) If there is one such instance, terminate it. 4. If there is more than one unprotected instance closest to the next billing hour, choose one of these instances at random.

Answer 26

A physical hardware appliance with the Storage Gateway software preinstalled on a validated server configuration. The hardware appliance is a high-performance 1U server that you can deploy in your data center, or on-premises inside your corporate firewall. When you buy and activate your hardware appliance, the activation process associates your hardware appliance with your AWS account. After activation, your hardware appliance appears in the console as a gateway on the Hardware page. You can configure your hardware appliance as a file gateway, tape gateway, or volume gateway type. The procedure that you use to deploy and activate these gateway types on a hardware appliance is the same as on a virtual platform. A file gateway can be configured to store and retrieve objects in Amazon S3 using the protocols NFS and SMB.

Answer 27

The describe-instances command shows the status of the EC2 instances including the recently terminated instances. It also returns a StateReason of why the instance was terminated.

Answer 28

When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted: - Data at rest inside the volume - All data moving between the volume and the instance - All snapshots created from the volume - All volumes created from those snapshots Encryption operations occur on the servers that host EC2 instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its attached EBS storage. You can encrypt both the boot and data volumes of an EC2 instance.

Answer 29

Direct Connect creates a direct, private connection from your on-premises data center to AWS, letting you establish a 1-gigabit or 10-gigabit dedicated network connection using Ethernet fiber-optic cable.

Answer 30

S3 now provides increased performance to support at least 3,500 requests per second to add data and 5,500 requests per second to retrieve data, which can save significant processing time for no additional charge. Each S3 prefix can support these request rates, making it simple to increase performance significantly. This S3 request rate performance increase removes any previous guidance to randomize object prefixes to achieve faster performance. That means you can now use logical or sequential naming patterns in S3 object naming without any performance implications. This improvement is now available in all AWS Regions.

Answer 31

The queue attribute that determines whether you are using Short or Long polling. By default, its value is zero which means it is using Short polling. If it is set to a value greater than zero, then it is Long polling.

Answer 32

- Long polling helps reduce your cost of using Amazon SQS by reducing the number of empty responses when there are no messages available to return in reply to a ReceiveMessage request sent to an Amazon SQS queue and eliminating false empty responses when messages are available in the queue but aren't included in the response. - Long polling reduces the number of empty responses by allowing Amazon SQS to wait until a message is available in the queue before sending a response. Unless the connection times out, the response to the ReceiveMessage request contains at least one of the available messages, up to the maximum number of messages specified in the ReceiveMessage action. - Long polling eliminates false empty responses by querying all (rather than a limited number) of the servers. Long polling returns messages as soon any message becomes available.

Answer 33

Think Elasticache Redis, and Memchached

Answer 34

Redis is an open source, in-memory data structure store used as a database, cache, and message broker.1

Answer 35

Memcached is an in-memory key-value store for small arbitrary data (strings, objects) from results of database calls, API calls, or page rendering.

Answer 36

Enhanced networking uses single root I/O virtualization (SR-IOV) to provide high-performance networking capabilities on supported instance types. It supports network speeds of up to 100 Gbps for supported instance types. Elastic Network Adapters (ENAs) provide traditional IP networking features that are required to support VPC networking.

Answer 37

Enhanced networking provides higher bandwidth, higher packet-per-second (PPS) performance, and consistently lower inter-instance latencies.

Answer 38

a method of device virtualization that provides higher I/O performance and lower CPU utilization when compared to traditional virtualized network interfaces.

Answer 39

An Elastic Fabric Adapter (EFA) is simply an Elastic Network Adapter (ENA) with added capabilities. It provides all of the functionality of an ENA, with additional OS-bypass functionality. OS-bypass is an access model that allows HPC and machine learning applications to communicate directly with the network interface hardware to provide low-latency, reliable transport functionality. The OS-bypass capabilities of EFAs are not supported on Windows instances. If you attach an EFA to a Windows instance, the instance functions as an Elastic Network Adapter, without the added EFA capabilities.

Answer 40

Two ways: - By using your own keys in AWS KMS - By using Amazon-managed keys in AWS KMS Amazon EBS encryption offers seamless encryption of EBS data volumes, boot volumes, and snapshots, eliminating the need to build and maintain a secure key management infrastructure. EBS encryption enables data at rest security by encrypting your data using Amazon-managed keys, or keys you create and manage using the AWS Key Management Service (KMS). The encryption occurs on the servers that host EC2 instances, providing encryption of data as it moves between EC2 instances and EBS storage.

Answer 41

Outputs is an optional section of the CloudFormation template that describes the values that are returned whenever you view your stack's properties. Can provide info like DNS name of ELB, hostname of EC2 instances, etc.

Answer 42

You might be unable to log into an EC2 instance if: - You're using an SSH private key but the corresponding public key is not in the authorized_keys file. - You don't have permissions for your authorized_keys file. - You don't have permissions for the .ssh folder. - Your authorized_keys file or .ssh folder isn't named correctly. - Your authorized_keys file or .ssh folder was deleted. - Your instance was launched without a key, or it was launched with an incorrect key. To connect to your EC2 instance after receiving the error "Server refused our key," you can update the instance's user data to append the specified SSH public key to the authorized_keys file, which sets the appropriate ownership and file permissions for the SSH directory and files contained in it.

Answer 43

Throughput Optimized HDD (st1) volumes provide low-cost magnetic storage that defines performance in terms of throughput rather than IOPS. This volume type is a good fit for large, sequential workloads such as Amazon EMR, ETL, data warehouses, and log processing. Bootable st1 volumes are not supported. Throughput Optimized HDD (st1) volumes, though similar to Cold HDD (sc1) volumes, are designed to support frequently accessed data.

Answer 44

Highest performance SSD volume designed for latency-sensitive transactional workloads I/O-intensive NoSQL and relational databases 4 GB - 16 TB 64,000 IOPS io2 is same as io1, except it has higher durability: 99.999% vs. 99.8-99.9%

Answer 45

General Purpose SSD volume that balances price performance for a wide variety of transactional workloads. Boot volumes, low-latency interactive apps, dev and test 99.8% - 99.9% durability 1 GB - 16 TB 16,000 IOPS 250 MB/s Throughput

Answer 46

Lowest cost HDD volume designed for less frequently accessed workloads 99.8% - 99.9% durability Colder data requiring fewer scans per day 500 GB - 16 TB 250IOPS per Volume 250 MB/s Throughput 250 Max IPOS/volume

Answer 47

AWS Systems Manager Run Command lets you remotely and securely manage the configuration of your managed instances. A managed instance is any Amazon EC2 instance or on-premises machine in your hybrid environment that has been configured for Systems Manager. Run Command enables you to automate common administrative tasks and perform ad hoc configuration changes at scale. You can use Run Command from the AWS console, the AWS Command Line Interface, AWS Tools for Windows PowerShell, or the AWS SDKs. Run Command is offered at no additional cost.

Answer 48

Volume Gateway presents cloud-backed iSCSI block storage volumes to your on-premises applications. Volume Gateway stores and manages on-premises data in Amazon S3 on your behalf and operates in either cache mode or stored mode. In the cached Volume Gateway mode, your primary data is stored in Amazon S3, while retaining your frequently accessed data locally in the cache for low latency access. In the stored Volume Gateway mode, your primary data is stored locally and your entire dataset is available for low latency access on premises while also asynchronously getting backed up to Amazon S3. In either mode, you can take point-in-time copies of your volumes using AWS Backup, which are stored in AWS as Amazon EBS snapshots. Using Amazon EBS Snapshots enables you to make space-efficient versioned copies of your volumes for data protection, recovery, migration, and various other copy data needs.

Answer 49

EBS volumes can be used while a snapshot is in progress. Snapshots occur asynchronously; the point-in-time snapshot is created immediately, but the status of the snapshot is pending until the snapshot is complete (when all of the modified blocks have been transferred to Amazon S3), which can take several hours for large initial snapshots or subsequent snapshots where many blocks have changed. While it is completing, an in-progress snapshot is not affected by ongoing reads and writes to the volume hence, you can still use the EBS volume normally. A non-root EBS volume can be detached or attached to a new EC2 instance while the snapshot is in progress. The only exception here is if you are taking a snapshot of your root volume.

Answer 50

Application Load Balancers support Weighted Target Groups routing. With this feature, you will be able to do weighted routing of the traffic forwarded by a rule to multiple target groups. This enables various use cases like blue-green, canary and hybrid deployments without the need for multiple load balancers. It even enables zero-downtime migration between on-premises and cloud or between different compute types like EC2 and Lambda.

Answer 51

To divert 50% of the traffic to the new application in AWS and the other 50% to the application, you can also use Route 53 with Weighted routing policy. This will divert the traffic between the on-premises and AWS-hosted application accordingly. Weighted routing lets you associate multiple resources with a single domain name (yourwebsite.com) or subdomain name (portal.yourwebsite.com) and choose how much traffic is routed to each resource. This can be useful for a variety of purposes, including load balancing and testing new versions of software. You can set a specific percentage of how much traffic will be allocated to the resource by specifying the weights. For example, if you want to send a tiny portion of your traffic to one resource and the rest to another resource, you might specify weights of 1 and 255. The resource with a weight of 1 gets 1/256th of the traffic (1/1+255), and the other resource gets 255/256ths (255/1+255). You can gradually change the balance by changing the weights. If you want to stop sending traffic to a resource, you can change the weight for that record to 0.

Answer 52

1. instance - The targets are specified by instance ID. 2. ip - The targets are IP addresses. 3. Lambda - The target is a Lambda function.

Answer 53

When the target type is ip, you can specify IP addresses from one of the following CIDR blocks: - 10.0.0.0/8 (RFC 1918) - 100.64.0.0/10 (RFC 6598) - 172.16.0.0/12 (RFC 1918) - 192.168.0.0/16 (RFC 1918) - The subnets of the VPC for the target group These supported CIDR blocks enable you to register the following with a target group: ClassicLink instances, instances in a VPC that is peered to the load balancer VPC, AWS resources that are addressable by IP address and port (for example, databases), and on-premises resources linked to AWS through AWS Direct Connect or a VPN connection. Take note that you can not specify publicly routable IP addresses. If you specify targets using an instance ID, traffic is routed to instances using the primary private IP address specified in the primary network interface for the instance. If you specify targets using IP addresses, you can route traffic to an instance using any private IP address from one or more network interfaces. This enables multiple applications on an instance to use the same port. Each network interface can have its own security group.

Answer 54

Used for S3, DynamoDB All others use interface endpoint

Answer 55

Provide a password for each user created and give these passwords to the admins. The AWS Management Console is the web interface used to manage your AWS resources using your web browser. To access this, your users should have a password that they can use to login to the web console.

Answer 56

Increase or decrease the current capacity of the group based on a target value for a specific metric. This is similar to the way that your thermostat maintains the temperature of your home – you select a temperature and the thermostat does the rest. If you are scaling based on a utilization metric that increases or decreases proportionally to the number of instances in an Auto Scaling group, then it is recommended that you use target tracking scaling policies. Otherwise, it is better to use step scaling policies instead.

Answer 57

Step scaling policies and simple scaling policies are two of the dynamic scaling options available for you to use. Both require you to create CloudWatch alarms for the scaling policies. Both require you to specify the high and low thresholds for the alarms. Both require you to define whether to add or remove instances, and how many, or set the group to an exact size. The main difference between the policy types is the step adjustments that you get with step scaling policies. When step adjustments are applied, and they increase or decrease the current capacity of your Auto Scaling group, the adjustments vary based on the size of the alarm breach. In most cases, step scaling policies are a better choice than simple scaling policies, even if you have only a single scaling adjustment. The main issue with simple scaling is that after a scaling activity is started, the policy must wait for the scaling activity or health check replacement to complete and the cooldown period to expire before responding to additional alarms. Cooldown periods help to prevent the initiation of additional scaling activities before the effects of previous activities are visible.

Answer 58

Increase or decrease the current capacity of the group based on a single scaling adjustment.

Answer 59

Based on a schedule that allows you to set your own scaling schedule for predictable load changes.

Answer 60

Encrypting data before it is sent to S3. To enable: Use an AWS KMS managed customer master key OR Use client-side master key for client-side encryption that are never sent to AWS

Answer 61

Network & Transport layer protection DDOS Attacks, near real-time visibility Integration with WAF

Answer 62

Deliver near real-time stream of system events that describe changes in AWS resources Events respond to Operational Changes and take corrective action as necessary, by sending messages to respond to the environment, activating functions, making changes, and capturing state information. Concepts: - Events - indicates a change in your AWS environment - Targets - Processes events. - Rules - matches incoming events and routes them to targets for processing. EX: can increase or reduce ECS tasks based on PUT or DELETES

Answer 63

Must use "--transit-encryption-enabled," and "--authtoken" parameters Redis cannot use IAM for authorization. Must use the above parameters.

Answer 64

Lambda encrypts env. variables using AWS KMS - When invoked those values decrypted & made available to Lambda code - a default KMS Key is created when env. variables used If encryption helpers required, you must create your own key (default keys don't work) -this creates flexibility to create, rotate, disable, and define access controls.

Answer 65

A trail that applies to ALL REGIONS - CloudTrail records events in each region and delivers the CloudTrail event log files to an S3 bucket you specify. This is the default option when you create a trail in the CloudTrail console. ONE REGION - Cloudtrail records the events in the region that you specify only this is the default option when you create a trail using the AWS CLI or the Cloudtrail API

Answer 66

CPU utilization Network utilization Disk read metrics

Answer 67

Written in Perl Helps to install Cloudwatch Unified Agent - memory utilization - disk swap utilization - disk space utilization - page file utilization - log collection

Answer 68

Allows lambda functions to customize content cloudfront delivers, executing functions closer to the viewer - viewer request - after CF receives from viewer - origin request - before CF forwards request to origin - origin response - after CF receives response from origin - viewer response - before CF forwards response to viewer

Answer 69

Provide redundancy when primary orgin fails. create an origin group with two origins: a primary and a secondary. If the primary origin is unavailable, or returns specific HTTP response status codes that indicate a failure, CloudFront automatically switches to the secondary origin. To set up origin failover, you must have a distribution with at least two origins. Next, you create an origin group for your distribution that includes two origins, setting one as the primary. Finally, you create or update a cache behavior to use the origin group.

Answer 70

RDS Multi AZ are replicated synchronously RDS read replicas are replicated asynchronously

Answer 71

Enables governance, compliance, operational auditing, risk auditing across ALL AWS RESOURCES

Answer 72

works with mysql and postgresql -no password required, only auth token Encrypted (SSL)

Answer 73

Provides throttling limits - can handle huge traffic spikes | Allows requests to be cached

Answer 74

Short term or temporary | Think ephemeral storage (instance based) or ephemeral ports (1089-65535)

Answer 75

Enables all VPC features | -NACLS, SGs, DNS, Gateways

Answer 76

Auto discovery, classifying, protecting sensitive data stored in S3

Answer 77

Use signed cookies to control access to private files Members use "set-cookie" which will unlock content

Answer 78

ROA (Route Origin Authorization) - A document created through ARIN containing IP address range to be moved. Then in AWS, publish a self signed X.509 in RDAP (Registration Data Accesss Protocol) remarks.

Answer 79

Amazon ECS enables you to inject sensitive data into your containers by storing your sensitive data in AWS Systems Manager Parameter Store parameters and then referencing them in your container definition.

Answer 80

Amazon RDS provides metrics in real time for the operating system (OS) that your DB instance runs on. Ehanced monitoring is available in all regions ecept AWS GovCloud (US). Metrics include: IOPS - Number of I/O operations completed each second Latency - time elapsed between submission of I/O request and its completion Throughput - number of bytes each second that are transferred to or from disk Queue Depth - number of I/O requests in the queue waiting to be serviced

Answer 81

When enabled, DynamoDB Streams captures a time-ordered sequence of item-level modifications in a DynamoDB table and durably stores the information for up to 24 hours. Applications can access a series of stream records, which contain an item change, from a DynamoDB stream in near real time. AWS maintains separate endpoints for DynamoDB and DynamoDB Streams. To work with database tables and indexes, your application must access a DynamoDB endpoint. To read and process DynamoDB Streams records, your application must access a DynamoDB Streams endpoint in the same Region. You can process DynamoDB streams in multiple ways. The most common approaches use AWS Lambda or a standalone application that uses the Kinesis Client Library (KCL) with the DynamoDB Streams Kinesis Adapter. DynamoDB is integrated with Lambda to create triggers

Answer 82

Supports a file interface into S3, and combines a service and a virtual software appliance -software appliance, or gateway, is deployed into on-premises environment as a virtual machine running on VMware ESXi or Microsoft Hyper-V hypervisor File gateway supports - S3 standard - S3 standard - infrequent access - S3 One Zone - IA Store and retrieve files directly using NFS version 3 or 4.1 Store and retrieve files directly using SMB file system version 2 and 3 Access data in S3 from any AWS cloud app or service Manage S3 using lifecycle policies, cross-region replication, and versioning

Answer 83

File Gateway now supports S3 object lock, enabling write-once-read-many (WORM) file-based systems to store and access objects in S3

Answer 84

Fully managed, high availability, in-memory cache for DynamoDB -supports 10 times performance improvement - from milliseconds to microseconds - even at millions of requests per second

Answer 85

On-demand, autoscaling Database -for intermittent unpredictable workloads set min/max capacity This is cost effective and scales quickly because the servers are prewarmed

Answer 86

POSIX compliant. Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. It is built to scale on demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files, eliminating the need to provision and manage capacity to accommodate growth.

Answer 87

No, they must be copied to the region they will be used in.

Answer 88

Allows switching from a standards based message broker to AWS without rewriting message code. Connecting your current applications to Amazon MQ is easy because it uses industry-standard APIs and protocols for messaging, including JMS, NMS, AMQP, STOMP, MQTT, and WebSocket.

Answer 89

S3, Redshift, Elastisearch, generic HTTP endpoints, datadog, New Relic, MongoDB, Splunk

Answer 90

The Splunk platform makes machine data accessible and usable. Splunk Enterprise enables you to search, monitor, and analyze machine data from any source to gain valuable intelligence and insights across your entire organization.

Answer 91

Amazon Redshift Spectrum is a feature within Amazon Web Services' Redshift data warehousing service that lets a data analyst conduct fast, complex analysis on objects stored on the AWS cloud. With Redshift Spectrum, an analyst can perform SQL queries on data stored in Amazon S3 buckets.

Answer 92

composite primary key: This type of key is composed of two attributes. The first attribute is the partition key, and the second attribute is the sort key. Simple primary key: This type of key is composed of one attribute known as the partition key. Attributes in DynamoDB are similar in many ways to fields or columns in other database systems.

Answer 93

These are attributes that have distinct values for each item, like e-mailid, employee_no, customerid, sessionid, orderid, and so on.

Answer 94

Try to combine more than one attribute to form a unique key, if that meets your access pattern. For example, consider an orders table with customerid+productid+countrycode as the partition key and order_date as the sort key.

Answer 95

Use for a single resource that performs a given function for your domain, for example, a web server that serves content for the example.com website.

Answer 96

Use when you want to configure active-passive failover.

Answer 97

Use when you want to route traffic based on the location of your users.

Answer 98

Use when you want to route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another with routing bias.

Answer 99

Use when you have resources in multiple AWS Regions and you want to route traffic to the region that provides the best latency.

Answer 100

Use when you want Route 53 to respond to DNS queries with up to eight healthy records selected at random.

Answer 101

Use to route traffic to multiple resources in proportions that you specify.

Answer 102

Required for a VPN connection

Answer 103

Bucket name must be the same as the domain name The website must have a registered domain name Route 53 will auto register, but if you're using another registrar, CNAME or Alias must be configured

Answer 104

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks. AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.

Answer 105

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

Answer 106

Think of Migrations. This is not used for day to day on prem and AWS transfers like storage gateway. AWS DataSync makes it simple and fast to move large amounts of data online between on-premises storage and Amazon S3, Amazon Elastic File System (Amazon EFS), or Amazon FSx for Windows File Server. Handles NFS and SMB and self managed object store. Transfers hundreds of terabytes and millions of files at speeds up to 10 times faster than open-source tools, over the internet or AWS Direct Connect links. Best for AWS Direct Connection. Install data sync agent on premises.

Answer 107

Route edge to edge, or do transitive peering If you are using VPC peering, on-premises connectivity (VPN and/or Direct Connect) must be made to each VPC. Resources in a VPC cannot reach on-premises using the hybrid connectivity of a peered VPC

Answer 108

SQS and SWF (simple workflow service)

Answer 109

Path based and host based

Answer 110

SNS, SQS, Lambda

Answer 111

Uses virtual tapes to back up physical on-prem tapes using AWS Storage Gateway - to reduce costs, use glacier deep archive

Answer 112

For an app that has paid users and free users. Process paid queue users first, then process the free queue.

Answer 113

With S3 Object Lock, you can store objects using a write-once-read-many (WORM) model. You can use it to prevent an object from being deleted or overwritten for a fixed amount of time or indefinitely. Object Lock helps you meet regulatory requirements that require WORM storage, or simply add another layer of protection against object changes and deletion.

Answer 114

Code deployment service capable of deployments to EC2 instances, on-premises instances, lambda, aws fargate, etc.

Answer 115

The purpose of a canary deployment is to reduce the risk of deploying a new version that impacts the workload. The method will incrementally deploy the new version, making it visible to new users in a slow fashion. As you gain confidence in the deployment, you will deploy it to replace the current version in its entirety.

Answer 116

Traffic is shifted in equal increments w/ equal number of minutes between

Answer 117

Used to offer SSL/TLS cipher suites for CloudFront and ELB

Answer 118

Custom SSL uses TLS protocol to allow multiple domains to serve SSL traffic over the same IP address by including the hostname. Cloudfront delivers content from edge location using SNI custom SSL if an ACM cert is generated & associated with web distribution.

Answer 119

automates creation, retention, and deletion of snapshots taken to back up EBS volumes.

Answer 120

Encrypting Credentials, API keys, other secrets, and to enable auto rotation for all creds.

Answer 121

many, many items: instance ID, public keys, public ip address, network interfaces, placement groups, etc.

Answer 122

Stop, start, terminate, reboot, or recover EC2 instances

Answer 123

An AAAA record maps a domain name to the IP address (Version 6) of the computer hosting the domain. An AAAA record is used to find the IP address of a computer connected to the internet from a name.

Answer 124

Maps a domain name to the IP address (version 4) of the computer hosting the domain. An A record is used to find the IP address of a computer connected to the internet from a name.

Answer 125

Use Route53 to create an alias pointed to the load balancer.

Answer 126

Only can be created for use with subdomains.

Answer 127

managed cloud service that lets connected devices easily & securely interact with cloud apps and other devices. Example: data on road conditions, weather services

Answer 128

Increase write capacity assigned to shard table in Kinesis streams.

Answer 129

AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. Set up AWS WAF. Create a web access control list (web ACL) using the wizard in the AWS WAF console. Choose the AWS resources that you want AWS WAF to inspect web requests for.

Answer 130

Ensures ASG doesnt launch/terminate additional EC2 instances before the previous activity takes effect Default value is 300 seconds, but can be configured.

Answer 131

Associate the CreationPolicy attribute with a resource to prevent its status from reaching create complete until AWS CloudFormation receives a specified number of success signals or the timeout period is exceeded. To signal a resource, you can use the cfn-signal helper script or SignalResource API. AWS CloudFormation publishes valid signals to the stack events so that you track the number of signals sent. ``` "CreationPolicy" : { "AutoScalingCreationPolicy" : { "MinSuccessfulInstancesPercent" : Integer }, "ResourceSignal" : { "Count" : Integer, "Timeout" : String } } ```

Answer 132

Cluster: packs instances close together inside an AZ. Workloads achieve low-latency network performance necessary for tightly coupled node-to-node comms typical of HPC. Partition: spreads instances across logical partitions such that the groups of instances in one partition dont share underlying hardware with groups of instances in different partitions. Used for large, distributed workloads like Hadoop, cassandra, kafka. Spread: strictly places a small group of instances across distinct underlying hardware to reduce correlated failures.

Answer 133

While running, and while stopping to hibernate. Reserved instances are billed when terminated until the end of their term, or until they are sold on the marketplace.

Answer 134

Only FIFO queues preserve order of messages

Answer 135

AWS AppSync is a fully managed service that makes it easy to develop GraphQL APIs by handling the heavy lifting of securely connecting to data sources like AWS DynamoDB, Lambda, and more. Adding caches to improve performance, subscriptions to support real-time updates, and client-side data stores that keep off-line clients in sync are just as easy. Once deployed, AWS AppSync automatically scales your GraphQL API execution engine up and down to meet API request volumes.

Answer 136

A language for API's that enables you to query and manipulate data easily

Answer 137

If an app is using multiple PUT commands and multiple GET commands, and the same file is being accessed, the file with the most recent time stamp will be selected. This can cause inconsistencies when putting or getting files with S3. S3 doesn't support file locking in the way that EFS does. S3 file locking only prevents files from being changed or deleted after a set amount of time. EFS will lock files that are in use/being updated to prevent inconsistencies, but S3 will not.

Answer 138

AWS has limits for vCPUs, so if you create too many, the creation can fail. vCPU limits are set per region, not per AZ. If you require more instances, submit a limit increase to AWS for consideration.

Answer 139

To restrict access to content that you serve from Amazon S3 buckets, follow these steps: Create a special CloudFront user called an origin access identity (OAI) and associate it with your distribution. Configure your S3 bucket permissions so that CloudFront can use the OAI to access the files in your bucket and serve them to your users. Make sure that users can’t use a direct URL to the S3 bucket to access a file there.

Answer 140

Service mesh that provides app-level networking to make it easy for services to communicate with eachother across multiple types of compute infrastructure

Answer 141

Cloud resource discovery service that enables naming of application resources with custom names and auto updates locations of dynamically changing resources.

Answer 142

Custom S3 SELECT query specifically for S3

Answer 143

Bucket name and Object Key S3 bucket name - Globally unique ID S3 object name - key name, which uniquely identifies the object in the bucket S3 metadata - Provides info about the object "Date, type, etc." S3 Object Tag - Tagging to help categorize storage

Answer 144

Provides fast retrieval or archived data on urgent requests (1-5 minutes)

Answer 145

Ensures retrieval capacity up to 150MB/s, and needs to be purchased if urgent retrieval is required under all circumstances. It's possible an urgent request could be denied without provisioned capacity.

Answer 146

Used to perform filtering operations on data archives in Glacier

Answer 147

Bulk retrievals are S3 Glacier’s lowest-cost retrieval option, which you can use to retrieve large amounts, even petabytes, of data inexpensively in a day. Bulk retrievals typically complete within 5–12 hours.

Answer 148

Kinesis can be used in real-time analytics situations and Lambda can be a destination

Answer 149

NACL rules are evaluated from the lowest number first. If there is a match, the traffic passes immediately. Example: if rule 100 says "Allow" it will allow traffic even if 101 says explicitly deny the same rule.

Answer 150

Enable cross-account permissions in S3 by creating an IAM customer managed policy that allows an IAM user or role to copy objects from source bucket in one account to destination in the other account. Then attach the policy to the IAM user or role wanted to transfer objects between accounts.

Answer 151

EFS provides semantics | S3 does not

Answer 152

Enables, fast,easy, and secure transfer of files over long distances between client and S3. Uses CloudFront's globally distributed Edge locations. As data arrives at edge, it is routed to S3 bucket over an optimized network path.

Answer 153

Default is 24 hours, but it can be increased to a maximum of 168 hours.

Answer 154

One per Ec2 instance, network device to accelerate HPC and machine learning cluster. (not for windows)

Answer 155

A Launch Configuration can only be specified once for an ASG at a time, and cannot be modified after it's created. In order to launch a new AMI in an ASG, a new Launch Configuration must be created.

Answer 156

An intermediate handler so that no hostnames have to be hardcoded, and no logic needs to be written for load balancing/rerouting when some instances aren't available. Each Aurora cluster has a reader endpoint.

Answer 157

They are terminated by default. You can choose to have them terminated, stopped, or hibernated upon interrupt. Stop and hibernate are available for persistent spot requests and spot fleets with the "maintain" option enabled.

Answer 158

"File operation" indicates EFS. EFS allows concurrent connections from multiple EC2 instances. Achieves throughput and low-latency for big data types. Provides read after write consistency.

Answer 159

the DynamoDB stream ARN can be used to associate it with a lambda function.

Answer 160

A fully managed ETL service

Answer 161

When S3 is replicated across regions for redundancy

Answer 162

EBS for up to 16 TB of storage.

Answer 163

Used to collect EC2 instance and on premises logs. - collects logs and advanced metrics with installation and configuration of one agent - Unified agent allows collection of logs from Windows server - Collects additional metrics for "in-guest" visibility - provides better performance

Answer 164

Enables interactive search and analysis of log data of Cloudwatch logs - perform queries against logs - purpose-built query language with simple, powerful commands

Answer 165

Centralizes operations data from multiple AWS services and automates tasks across AWS resources - create logical groups, such as apps, different layers of app stack, or prod/dev - select groups and view API activity, resource config changes, notifications, operations alerts, software inventory, patch compliance.

Answer 166

A security assessment service which only helps in checking for unintended network accessibility of EC2 and EC2 vulnerabilities

Answer 167

Allows resources to be managed in a single view

Answer 168

Yes it is, but you may be asked about auto scaling DynamoDB, so say that it is. It can be disabled or enabled on DynamoDB tables.

Answer 169

Use: curl http://yourec2instance/latest/meta-data/ public ipv4 private ipv4 all other metadata

Answer 170

Improves availability and performance for local and global users. Provides static IPs as a fixed entry point to app endpoints in single or multiple regions, such as app load balancers, network load balancers, or EC2. - optimizes TCP and UDP traffic - continually monitors health of application endpoints - detects unhealthy endpoints in less than a minute - routes traffic to closest location using Anycast

Answer 171

Global accelerator improves performance for a wide range of apps over TCP and UDP by proxying packets to edge locations. It is a good fit for non-HTTP, such as gaming (UDP), IoT(MQTT), or VOIP, as well as for HTTP that requires static IP addresses or deterministic fast-regional failover. Cloudfront improves performance for cacheable content (images and videos), dynamic content (API accelerated, dynamic site delivery), does not route traffic to closest edge location via Anycast Static IP. Both have DDOS and AWS SHIELD integration.

Answer 172

Upload them to ACM (preferred) or IAM certificate store.

Answer 173

Enable cross-region snapshot copy to backup redshift cluster to another region to prevent loss of data in a region outage. - Enable copy feature for each cluster - Configure where to copy snapshots and how long to keep automated snapshots in destination region - when cross-region copy is enabled for a cluster, all new manual and auto snapshots are copied to specified regions

Answer 174

Yes, but a custom ID broker application has to be created to leverage AWS STS for temp credentials.

Answer 175

Use FIFO (first in first out) when duplicates can't be tolerated.

Answer 176

Can be used when tasks cannot be duplicated. Amazon SWF helps developers build, run, and scale background jobs that have parallel or sequential steps. You can think of Amazon SWF as a fully-managed state tracker and task coordinator in the Cloud. If your app's steps take more than 500 milliseconds to complete, you need to track the state of processing, and you need to recover or retry if a task fails, Amazon SWF can help you.

Answer 177

Intelligent threat detection service to proect AWS accounts and workloads

Answer 178

Used for long-term storage for auditing, and can be used to create a vault-lock policy, which is an access policy that can be locked to deny user permissions, to delete archive until it has existed for X amount of time. After locking, policy is immutable. -used for regulatory and compliance archival.

Answer 179

Provide a higher frequency (every minute) of default monitoring data

Answer 180

No. In order to give a new EC2 instance in a new VPC public DNS hostnames, DNS hostnames and resolution need to be enabled in the new VPC.

Answer 181

IAM_PASSWORD_POLICY

Answer 182

Allows view, search, and download of past 90 days of supported activity on an AWS afccount. After that, a cloud trail "trail" can be created to archive trails to S3. It can also be analyzed in CW Logs and CW Events.

Answer 183

Allows serverless "orchestrations" for modern apps by breaking workflows into steps. Used for app dev. to separate from business logic.

Answer 184

Used to connect VPCs to on premise-networks with a single gateway. - hub and spoke model which can scale with many VPCs - allows connections through network transit center - connects on premises data centers through site-to-site VPNs

Answer 185

Logical interface that uses LACP (Link aggregation control protocol) to aggregate multiple connections at a single Direct Connect endpoint, allowing them to be treated like a single, managed connection.

Answer 186

Used to trace API gateway calls to underlying services provides end-to-end view of entire API request

Answer 187

Allows MFA through SMS messaging or time based one time paswords

Answer 188

Use Cloudtrail

Answer 189

Use Server Access Logs