AWS Solutions Architect Associate Flashcards
How is the replication handled for RDS Multi-AZ?
Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone.
How long will a failover of an RDS database typically complete
one to two minutes.
When failing over, Amazon RDS simply flips the canonical name record (CNAME) for your DB instance to point at the standby, which is in turn promoted to become the new primary.
You want to attempt a cold attach for an Amazon Elastic Network Interface.
What does this mean?
Attach ENI when the instance is being launched.
Best practices for configuring network interfaces You can attach a network interface to an instance when it’s running (hot attach), when it’s stopped (warm attach), or when the instance is being launched (cold attach).
Application Load Balancer is to front the Auto Scaling Group and distribute the load between the instances.
The VPC is running IPv4 and IPv6.
The last thing you need to do to complete the configuration is point the domain name to the Application Load Balancer.
Using Route 53, which record type at the zone apex will you use to point the DNS name of the Application Load Balancer?
“AAAA” Record
“A” Record
Alias with a type “AAAA” record set and Alias with a type “A” record set are correct. To route domain traffic to an ELB, use Amazon Route 53 to create an alias record that points to your load balancer.
Your dev team has created a new AMI which has been hardened to meet company security standards, and this AMI needs to be deployed on all EC2 instances in the organization. What step or steps do you need to take to deploy this AMI?
Replace the launch configuration by a launch template using the new AMI.
AWS recommends that you create Auto Scaling groups from launch templates to ensure that you’re accessing the latest features and improvements.
Using CloudFormation to migrate to the new region they’ve discovered a problem with the template.
Whenever the template is created in the new region, it’s still referencing the AMI in the old region.
What steps can you take to automatically select the correct AMI when the template is deployed?
Create a mapping in the template. Define the unique AMI value per region.
This is exactly what mappings are built for. By using mappings, you easily automate this issue away. Make sure to copy your AMI to the region before you try and run the template, though, as AMIs are region specific.
The server team has been using Puppet for deployment automations. The decision has been made to continue using Puppet in the AWS environment if possible. If possible, which AWS service provides integration with Puppet?
AWS OpsWorks for Puppet Enterprise
Fully-managed configuration management service that hosts Puppet Enterprise, a set of automation tools from Puppet for infrastructure and application management. OpsWorks also maintains your Puppet master server by automatically patching, updating, and backing up your server.
Which description best describes Amazon Redshift?
Near real-time complex querying on massive data sets.
Amazon Redshift is a fast, fully-managed cloud data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and your existing Business Intelligence (BI) tools.
The DynamoDB table has a preconfigured read and write capacity. Users have been reporting slowdown issues, and an analysis has revealed the DynamoDB table has begun throttling during peak traffic times. What step can you take to improve game performance?
Adjust your auto scaling thresholds to scale more aggressively.
Amazon DynamoDB auto scaling uses the AWS Application Auto Scaling service to dynamically adjust provisioned throughput capacity on your behalf in response to actual traffic patterns.
You have decided to use AWS Kinesis Data Firehose to stream the data to multiple backend storing services for analytics. Which service is not a viable solution to stream the real time data to?
Athena
Amazon Athena is correct because Amazon Kinesis Data Firehose cannot load streaming data to Athena.
What is the Limit of space on a Snowcone device?
8 TB
you have 25 TB of data that needs to be moved to an S3 bucket. Your company has just finished setting up a 1 GB Direct Connect drop, but you do not have a VPN currently up and running. This data needs to be encrypted during transit and at rest and must be uploaded to the S3 bucket within 21 days. How can you meet these requirements?
Use a Snowball device to transmit the data.
This would be the perfect choice to transmit your data. Snowball encrypts your data, so all the security and speed requirements would be met.
Configured a VPC as well as two subnets within the VPC.
Attach an internet gateway to the VPC.
In the first subnet, they create the EC2 instance which will host their web application.
Finish the configuration by making the application accessible from the Internet.
The second subnet has an instance hosting a smaller, secondary application.
But this application is not currently accessible from the Internet. What could be potential problems?
The second subnet does not have a route in the route table to the internet gateway.
The EC2 instance does not have a public IP address.
A news media company is using an S3 bucket as a website to serve photos of television personalities within the company. The photos are intended to be served nationwide to local affiliates across the company. But you have found that these photos are being accessed and pirated for other websites not affiliated with the company. What can you do to stop this?
Remove public read access from your bucket, then provide your users with pre signed URLs to access the photos.
Security Groups act at what level?
The Instance Level
What is AWS STS?
AWS Security Token Service (AWS STS) is the service that you can use to create and provide trusted users with temporary security credentials that can control access to your AWS resources.
You have been evaluating the NACLs in your company. Most of the NACLs are configured the same:
100 All Traffic Allow
200 All Traffic Deny
* All Traffic Deny
How can the last rule * All Traffic Deny be edited?
You can’t modify or remove this rule.
The default network ACL is configured to allow all traffic to flow in and out of the subnets with which it is associated. Each network ACL also includes a rule whose rule number is an asterisk. This rule ensures that if a packet doesn’t match any of the other numbered rules, it’s denied. You can’t modify or remove this rule.
Route 53:
What does TTL Mean?
What does it control?
Time to live
Controls how long the DNS record will be Cached
Using Route 53, how would you direct example.com traffic to various IPs based on the country the user was sending traffic from?
Use Geolocation Routing policy
True or False? Route 53 only provides DNS for public IPs.
False
Route 53 allows you to host both public and private zones.
Using Route 53, how would you direct example.com traffic to 1 primary IP with a second one for backup?
Use Failover Routing Policy
If the visibility timeout on a message in an SQS queue expires, what happens to the message?
It’s now available in the queue to be retrieved.
If the timeout expires, the message will again be available in the queue for processing.
What is the maximum length of time a message may remain in an SQS queue?
14 Days
Which service is SNS commonly paired with to alert users that an alarm has gone off?
Cloudwatch
What type of subscription can SNS retry if a message fails to deliver?
HTTP(S)
SNS can only immediately retry sending a message to an HTTP(S) endpoint.
Which tool can be used to monitor the queue depth of a DLQ (Dead Letter Queue)?
CloudWatch
The go-to tool for any sort of monitoring in AWS
If your application needs to process 5,000 messages per second, which type of SQS queue would you use?
SQS Standard
This gives you a nearly unlimited number of transactions per second.
What type of service is SQS?
Messaging Queue
True or False? MFA tokens are required for all new users.
False
Describe the principle of least privilege?
Only assigning the user the minimum amount of permissions that they need to do their job.
Why are IAM users considered “permanent” users?
Because once their password, access key, or secret key is set, these credentials don’t automatically rotate or change without human interaction.
What is the single best thing you can do to secure the root account in AWS?
Enable MFA
Why is it dangerous to use the AWS root user account?
The root user account has full permissions to every service.
True or False? An allow statement in a policy document will override a explicit deny statement.
False
What does the “EAR” in a policy document stand for?
Effect, Action, Resource
How does availability and durability differ in S3?
Availability is the ability to access your data
Durability is the ability of AWS to ensure your data is properly stored in S3.
What is the largest object you can store in S3?
5 TB
True or False? Each Amazon S3 bucket name is globally unique.
True
Since S3 is an object-based storage solution, which type of file should never be stored in it?
Database
What kind of data should be stored in S3 Standard?
Data that is frequently used
If you have data that needs to be instantly retrievable, but it’s not likely to be needed anytime soon, which S3 storage class would you select?
S3 Standard-IA
Versioning on your bucket was recently suspended and, after this, your boss deleted an object whose version ID is null and wants to restore it. What do you do?
It’s not possible since versioning was suspended. The object is gone.
True or False? You can create an S3 lifecycle policy to migrate objects from Glacier to Standard-IA.
False:
Lifecycle policies can’t work backwards. You can use a lifecycle policy to migrate objects from the more frequently accessed storage classes to the longer-term options, but not the other way around.
Why is versioning not enabled by default on new S3 buckets?
It costs money, as you’ll be paying for every additional copy of your objects that you upload.
What is the minimum time that AWS requires you to keep an EC2 instance online after you’ve turned it on?
None.
There is no min run time.
True or False? If you restart your EC2 instance the user data will rerun automatically.
By default, user data runs one time and one time only.
When would you want to use a cluster placement group?
When you want to reduce network latency in your application
In EC2 instances, what is user data commonly used for?
For bootstrapping an EC2 instance as it comes online
You have a small number of critical instances that should be kept separate from each other. You want to ensure that each instance is placed on distinct underlying hardware. What kind of placement group would you pick?
A spread placement group would be the best fit.
Why would you want to spin up an EC2 Dedicated Host?
Because your application has hardware-specific licensing requirements
What is NOT a valid use case for IAM roles?
Assuming a role to allow a user to SSH into an EC2 instance and install updates.
What are IAM Roles used for?
IAM roles are designed to be used with AWS API calls
What type of storage does EFS offer?
File
Can only be used natively with Linux based OS
Elastic File System / Elastic File Storage
True or False? You can create an unencrypted EBS volume from an encrypted snapshot by unselecting the “encryption” check box when restoring it.
False. You cannot unencrypt with this method.
True or False? Amazon Machine Images are Region specific. To use one in another Region, it needs to be explicitly copied there.
True
You’re trying to mount an EBS volume in Availability Zone (AZ) A to an EC2 instance in AZ B. Why isn’t it working?
EC2 instances must be in the same AZ as the EBS volumes.
True or False? Only certain types of EC2 instances support hibernation.
True
You just took a snapshot of an EBS volume. Where is it stored?
S3
You’ve been tasked with creating a file system for a Linux workload that should handle massive datasets, up to hundreds of gigabytes per second. What AWS service would you use?
FSx for Lustre is built for just this kind of task.
True or False? EBS volumes are encrypted by default.
False
You’ve been tasked with creating a highly performant database on your EC2 instance. What type of EBS volume will support the high level of IOPS that you require?
Provisioned IOPS would be the best option in this instance.
True or False? Amazon FSx for Lustre can’t store data directly on Amazon S3.
False
Why would you consider hibernating an EC2 instance over stopping and starting it?
You have an application that takes a long time to load. Hibernating the instance prevents you from having to reload it.
What is the purpose of an Amazon Machine Image (AMI)?
It’s a template to create a new EC2 instance from.
What is a feature that does RDS Aurora NOT support?
Universal HA is not a feature of Aurora.
What should you do to scale out an RDS database that has a read-heavy workload?
Add additional read replicas.
True or False? RDS read replicas have their own endpoints.
True
What is NOT a supported RDS database engine?
IBM Db2 is not a supported database engine
True or False? RDS read replicas can be created in different Regions from the source DB instance.
True
You may use a read replica for disaster recovery of the source DB instance, either in the same AWS Region or in another Region.
True or False? DynamoDB lives in your VPC.
False
DynamoDB is not deployed into your VPC. Your VPC must have an internet gateway or a VPC endpoint configured to access resources such as Amazon DynamoDB
Fill in the blank: DynamoDB is a ____ database.
Non-Relational
What is the longest you can store an automatic RDS backup?
35 Days
Amazon Aurora is compatible with which database engines?
MySQL and Postrgres
What type of read would you use with DynamoDB if you can’t have stale data in your application?
Strongly Consistent Reads
True or False? Direct Connect provides you with an encrypted connection to your AWS account by default.
False.
Direct Connect is not encrypted by default.
How do you scale a NAT Gateway?
You don’t. AWS does this automatically for you.
Your security team will only approve S3 usage if your EC2 instances don’t transmit data over the public internet. What service can you use to comply with this requirement?
VPC Endpoints are used to keep your traffic to AWS services out of public networking space.
Network Access Control Lists (NACLs) are Stateful or Stateless?
Stateless
By default, what range of IP addresses and ports do security groups leave open for inbound traffic?
None. They are closed by default.
Where are Network Access Control Lists (NACLs) located?
NACLs are located at the subnet level.
Why would you use Transit Gateway over VPC peering?
Transit Gateway is designed for when you have too many VPCs to peer together
What is the IPv4 CIDR block of the default VPC?
172.31.0.0/16 is the IPv4 CIDR block for the Default VPC provided by AWS out of the box.
When would you want to use Direct Connect?
When you need a high-speed private connection from your on-premises environment to AWS
Direct Connect is designed for on-premises to AWS communication.
What is a reason that VPC peering could fail?
VPCs have overlapping IP addresses
What instance will a NLB (network load balancer) load balancer send traffic to if no hosts are healthy?
It will try to send traffic to all the instances
What kind of ELB load balancer would you select if you need to route traffic based on the contents of the request?
Application Load Balancer (ALB)
Routing based on the type of request (GET, POST, etc)
If you’re building an application that needs to support an extreme level of networking traffic, which type of ELB load balancer would you pick?
Network Load Balancer (NLB)
Which layer of the OSI model does the ALB function on?
Layer 7
True or False? By default, ELB load balancers will use static IPs and these will not change.
False:
IPs will change unless you specifically configure static IPs
What benefit do you get from configuring health checks on an ELB load balancer?
Instances that fail the health check will not receive traffic.
Which layer of the OSI model does the NLB function on?
Layer 4
Which kind of ELB load balancer would you use if you need extreme levels of performance?
Network Load Balancer
NLB
Which type of ELB load balancer has AWS deprecated and should not be used?
Classic Load Balancer
Which tool would you use to monitor the CPU usage on an EC2 instance?
CloudWatch
Which web service and feature can be used to monitor, store, and access your log files from Amazon EC2 instances, AWS CloudTrail, Route 53, and other sources?
CloudWatch Logs
What is the default CloudWatch metric interval?
5 minutes
True or False? CloudWatch Logs allows you to create event patterns that look for certain things happening in your logs.
True
What are the W’s of scaling?
What
When
Where
What setting in your Amazon EC2 Auto Scaling group determines how many instances you need online right now?
Desired Capacity
You would select _____ capacity for a DynamoDB table with a predictable workload.
Provisioned is the best option for a predictable workload.
What type of capacity should be selected for a DynamoDB table with a sporadic workload?
On-Demand
What tool can be used to notify you of scaling events?
SNS
Simple Notification Service
What RDS database engine offers a serverless scaling option?
Aurora is the only engine that offers a serverless scaling option
What AWS resource defines the configuration of instances created by EC2 Auto Scaling?
Launch templates are the best way to define what your instances will look like.
If you need to change the AMI included in a launch template, what should you do?
Create a new version of the launch template with the updated AMI.
How can you automatically register EC2 instances with an ELB load balancer when they are launched?
Attach the Load Balancer to an Auto Scaling group
How can you create a highly available application using EC2 Auto Scaling?
Define multiple AZs in your Auto Scaling group.
What setting would prevent a launch template from being used with EC2 Auto Scaling?
Including networking information
You can include EC2 size, ELB, and user Data (start up scripting).
Amazon _____ is the most common service used to trigger a scaling event in an EC2 Auto Scaling group.
CloudWatch
Which layers of our applications need to be loosely coupled?
Internal and external
What is the largest message size you can store in SQS?
256KB
What kind of architecture does AWS recommend building?
Loosely Coupled
How can you ensure that your SQS messages arrive in the correct order?
SQS FIFO guarantees that your messages will arrive in the correct order
API Gateway is commonly built __ your applications.
in front of
What type of firewall can be used in conjunction with API Gateway to help prevent DDoS attacks?
Web Application Firewall (WAF)
SNS is a _____-based messaging service.
Push
Which tool can be used to sideline malformed SQS messages?
Dead Letter Queue
DLQ
_____ allows you to transform data using SQL as it’s being passed through Kinesis.
Kinesis Data Analytics
You can use _ to build a schema for your data, and _ to query the data that’s stored in S3.
Glue - Build Schema or “glue data together”
Athena - Ability to query data with SQL in S3 buckets
What type of database is Redshift?
Relational
True or False? You are responsible for scaling Glue performance.
False
What service allows you to directly visualize your data in AWS?
QuickSight
How much data can a Redshift database hold per cluster?
16 PetaBytes
True or False? Redshift supports multi-AZ deployments.
False
What service would you use in combination with Kibana and Logstash to create an ELK stack?
Elasticsearch
What type of work does EMR perform?
Extract Transform, and Load
_____ provides real-time streaming of data.
Kinesis Data Streams
How long are automatic Redshift backups retained by default?
1 day.
This can be increased to 35 days.
Which service provides the easiest way to run ad-hoc queries across multiple objects in S3 without the need to setup or manage any servers?
Athena
Allows you to query info in S3
What AWS service can create EC2 instances and place containers in them based on your task definitions?
ECS
Elastic Container Service?
Which open-source container management engine powers EKS?
Kubernetes
What feature of ECS and EKS allows you to run containers without having to manage the underlying hosts?
Fargate allows you to run containers without using EC2 instances.
Which IAM entity is assigned to a Lambda function to provide it with permissions to access other AWS APIs?
Role
What is the maximum length of time Lambda can run?
15 minutes
Which of the following is a common trigger for Lambda?
Cloud Watch Events (EventBridge)
Which AWS service allows you to use Fargate without needing ECS or EKS?
None.
Fargate requires either ECS or EKS. Cannot run by itself
What is the maximum amount of RAM you can allocate to a single Lambda function?
10 GB
Where are container images stored?
In a container registry
What type of file is used to build a container image?
Dockerfile
What is one thing EC2 instances allow you to configure but a serverless application doesn’t?
Operating System
What is NOT a supported Lambda runtime?
COBOL
Can run:
Java
Node.js
Python
Your boss requires automatic key rotation for your encrypted data. Which AWS service supports this?
KMS
Key Management Service
What is the best way to deliver content from an S3 bucket that only allows users to view content for a set period of time?
Create a presigned URL using S3
What is the easiest way to log API calls in AWS?
Enable CloudTrail and pick an S3 bucket to store the logs in.
What is NOT a data source for GuardDuty?
RDS Event History
True or False? Amazon Inspector requires an agent for host assessment rules packages.
True
The agent is required for host assessment rules packages
What kind of findings can AWS Inspector discover?
Insufficient patching of applications on an EC2 instance
What service does Macie monitor once you’ve enabled it?
S3
Macie Inspects S3 buckets for PII with machine learning
What is the easiest way to ensure your CloudTrail logs haven’t been tampered with?
Enable log file validation in your trail.
What three components are required in all IAM policy documents?
Effect, Action, Resource
Which Layers does Shield provide protection on?
Layers 3 and 4
What is the minimum length of time before you can schedule a KMS key to be deleted?
7 Days
Where is the most cost effective place to store your database passwords in a secure manner?
Parameter Store
Which AWS service supports automatic rotation of RDS security credentials?
Secrets Manager
In general, what does a DDoS attack entail?
A large number of connections overwhelms your architecture. Your application is unable to answer the legitimate requests that are sent to it.
Which Layers does WAF provide protection on?
Layer 7
True or False? You must explicitly deny all API calls that a user shouldn’t be able to make.
False
All API calls are set to Deny, you must explicitly enable
What part of a CloudFormation template allows you to pass values into the template?
Parameters
Your brand new CloudFormation stack just encountered an error. What happens to the resources that it had created?
They are terminated
What does it mean to have “immutable pattern”?
It can be destroyed and rebuilt with relative ease using automated processes.
What is a common use case for the AWS Systems Manager Parameter Store “SecureString” parameter?
For storing values that need to be encrypted and referenced in a secure manner.
Whenever possible, we should focus on __ processes over doing things ____.
automating
manually
ElasticBeanstalk is an example of ___.
Platform as a Service (PaaS)
What is NOT a benefit of using ElasticBeanstalk to deploy your application?
It will not rewrite your applications from any language into python.
It can:
Deploy and update your application for you
Maintain full control over all your architecture
Automatically replace instances that fail
Systems Manager can be used to patch and update _ and __.
EC2 instances, on-premise instances
How do caches help improve performance?
They reduce the amount of trips that are required to the source of the data.
CloudFront is commonly used to front ____.
S3 Buckets
DAX is designed to sit in front of what AWS data service?
DynamoDB
What 2 types of caches are supported by ElastiCache?
Redis and Memcached
What AWS service allows you to easily deal with public IP caching issues?
Global Accelerator
What’s the place where caches can be best used?
Anywhere possible!
True or False? Global Accelerator is the only AWS service that allows you to create weights for your application endpoints.
False
Route 53 can do this as well.
What type of physical AWS architecture does CloudFront use to improve performance?
Edge Locations
Where should AWS SSO NOT be used?
For external users authenticating to a mobile application
Where is the account ID placed when setting up cross-account role access?
In the role trust policy.
True or False? Config offers real-time evaluation of rule violations.
False
Config doesn’t evaluate in real time
How can you stop a root user from terminating EC2 instancesHow can you stop a root user from terminating EC2 instances?
Apply a service control policy (SCP) to the account to deny this action
True or False? Other accounts can automatically assume your roles.
False
Roles access needs to be given out. Not there by default.
True or False? An Allow permission in a IAM Policy Document will override a Deny in a service control policy (SCP).
False
What are the versions of Directory Service?
AD Connector
Managed Microsoft AD
Simple AD
What AWS service should be used to assist with managing Active Directory?
Directory Service
Cognito is designed to be used with ____.
Mobile applications
True or False? By default, Trusted Advisor will send you alerts when it finds an issue.
False
This doesn’t happen by default. You would have to set up the alerts.
Config can be used to _ and __.
Config can be used to track AWS resources and enforce best practices.
How can you consolidate the AWS bill for your organization?
Enable Consolidated Billing
True or False: DataSync is an agentless data migration solution.
False.
DataSync requires an agent
Which tool would you use for a one-time migration of data into AWS if cost is a factor?
AWS DataSync
Which tool would you use to organize and track your cloud migration?
Migration Hub
What would be the best way to migrate 80TB of data into S3 if you have limited bandwidth at your datacenter?
Snowball
What tool would you use to migrate from an Oracle database to Aurora?
Schema Conversion Tool
What is the easiest way to start sending your tape backups into AWS rather than keeping them on prem?
Tape Gateway
Which tool would you use to migrate a database from on-premises to RDS?
Database Migration Service
What is the easiest way to keep a copy of your data cached locally as well as backed up in S3, where you can store and retrieve objects using industry-standard file protocols such as Network File System (NFS) and Server Message Block (SMB)?
File Gateway
Which AWS tool would you use to integrate S3 and an application that only supports FTPS transfers?
Transfer Family
What can an EBS volume do when snapshotting the volume is in progress?
The volume can be used normally while the snapshot is in progress.
Read and write is possible while snapshotting is occurring.
You have many Auto Scaling Groups that utilize launch configurations.
Many of these launch configurations are similar yet have subtle differences.
You’d like to use multiple versions of these launch configurations.
An ideal approach would be to have a default launch configuration and then have additional versions that add additional features.
Which option best meets these requirements?
Use Launch Templates Instead
Contain AMI, Instance type, key pair, sec group, and other parameters. Automatically supports versioning.
You have many Auto Scaling Groups that you need to create.
One requirement is that you need to reuse some software licenses and therefore need to use dedicated hosts on EC2 instances in your Auto Scaling Groups.
What step must you take to meet this requirement?
Use Launch Templates to use more advanced AWS EC2 configurations.
This allows you to specify Dedicated Hosts
You have configured an Auto Scaling Group of EC2 instances fronted by an Application Load Balancer and backed by an RDS database.
You want to begin monitoring the EC2 instances using CloudWatch metrics.
Which metric is not readily available out of the box?
Memory utilization
Memory utilization is not available as an out of the box metric in CloudWatch. You can, however, collect memory metrics when you configure a custom metric for CloudWatch.
What are Custom Metrics that you can set up for CloudWatch?
Memory utilization
Disk swap utilization
Disk space utilization
Page file utilization
Log collection
What is DynamoDB?
DynamoDB is a NoSQL database that supports key-value and document data structures.
Good for Web Session Data
Good For storing Metadata for S3 Objects
A key component in the Disaster Recovery plan will be the database instances and their data.
An aggressive Recovery Time Objective (RTO) dictates that the database needs to be synchronously replicated. Which configuration can meet this requirement?
RDS Multi AZ
Provide enhanced availability and durability for RDS DB.
The company wants to establish Recovery Time and Recovery Point Objectives.
The RTO and RPO can be pretty relaxed.
The main point is to have a plan in place, with as much cost savings as possible.
Which AWS disaster recovery pattern will best meet these requirements?
Backup and Restore.
Least expensive option available to have back up and recovery options with loose RTO and RPO.
Which Type of Load Balancer can support Path based and Host based Routing?
Application Load Balancer (ALB)
What Amazon Database option can support 24,000 read units per second and 3,300 write units per second, and scale for spikes and off-peak?
DynamoDB
An Application Load Balancer is fronting an Auto Scaling Group of EC2 instances, and the instances are backed by an RDS database.
The Auto Scaling Group has been configured to use the Default Termination Policy.
You are testing the Auto Scaling Group and have triggered a scale-in. Which instance will be terminated first?
The instance launched from the oldest launch configuration.
In Auto Scaling Groups, what is the difference between a Launch Configuration and a Launch Template?
Launch Configurations are an older model used for Auto Scaling Groups. These do not support Versioning.
Launch Templates are newer, and are able to work with more AWS resources and services and are recommended. Launch Templates support Versioning.
Your boss has tasked you with decoupling your existing web frontend from the backend.
Both applications run on EC2 instances.
After you investigate the existing architecture, you find that (on average) the backend resources are processing about 5,000 requests per second and will need something that supports their extreme level of message processing.
It’s also important that each request is processed only 1 time. What can you do to decouple these resources?
Use SQS Standard.
Include a unique ordering ID in each message, and have the backend application use this to deduplicate messages.
What is the SQS FIFO (First in First Out) Messaging limit?
3000 messages per second
What are two key concepts regarding subnets?
Every subnet you create is associated with the main route table for the VPC.
Each subnet maps to a single Availability Zone.
You have configured a VPC with both a public and a private subnet.
You need to deploy a web server and a database. You want the web server to be accessed from the Internet by customers.
Which is the proper configuration for this architecture?
Web server in public subnet.
Database in private subnet.
An organization of about 100 employees has performed the initial setup of users in IAM.
All users except administrators have the same basic privileges. But now it has been determined that 50 employees will have extra restrictions on EC2.
They will be unable to launch new instances or alter the state of existing instances. What will be the quickest way to implement these restrictions?
Create the appropriate policy.
Create a new group for the restricted users.
Place the restricted users in the new group and attach the policy to the group.
You are managing S3 buckets in your organization.
This management of S3 extends to Amazon Glacier.
For auditing purposes you would like to be informed if an object is restored to S3 from Glacier.
What is the most efficient way you can do this?
Configure S3 notifications for restore operations from Glacier.
A consultant is hired by a small company to configure an AWS environment.
The consultant begins working with the VPC and launching EC2 instances within the VPC.
The initial instances will be placed in a public subnet.
The consultant begins to create security groups. How many security groups can be attached to an EC2 instance?
You can assign up to five security groups to the instance.
What is an AWS Security Group
A security group acts as a virtual firewall for your instance to control inbound and outbound traffic.
What is true of security group rules for allow and deny?
You can specify Allow rules but not Deny Rules
Describe AWS Direct Connect.
A private, dedicated network connection between your facilities and AWS
You have been put in charge of configuring a hybrid environment for the company’s compute resources.
The main requirements to drive this selection are overall cost considerations and the ability to reuse existing internet connections. Which technology best meets these requirements?
AWS VPN
Lets you reuse existing VPN equipment and processes, and reuse existing internet connections.
It is an AWS-managed high availability VPN service.
It supports static routes or dynamic Border Gateway Protocol (BGP) peering and routing policies.
You are working in a large healthcare facility which uses EBS volumes on most of the EC2 instances.
The CFO has approached you about some cost savings and it has been decided that some of the EC2 instances and EBS volumes would be deleted.
What step can be taken to preserve the data on the EBS volumes and keep the data available on short notice?
Take point-in-time snapshots of your Amazon EBS volumes.
You can back up the data on your Amazon EBS volumes to Amazon S3 by taking point-in-time snapshots.
What is an AWS Region?
A Region is a physical location in the world
that consists of 2 or more Availability Zones.
What is an AWS Availability Zone?
1 or more discrete data centers,
each with redundant power, networking, and connectivity,
which is housed in separate facilities.
What is the minimum number of AZs in a Region?
2 Availability Zones
in a Region.
In the Shared Responsibility model, is Encryption -
AWS responsibility
Client responsibility
Shared Responsibility
Shared.
AWS encrypts specific things, it’s up to you to create settings that encrypt data that is uploaded and in transit depending on service.
What format are IAM Policy Documents in?
Java Script Object Notation
JSON
is IAM Universal or Regional?
Universal
When you create a user, what permissions do they start with?
None.
You must add them to a group where they will then inherit permissions from that group.
Can you apply an IAM Policy Document to a User?
Yes you can, but this is not best practice
What do users need for programmatic access to AWS resources?
You will need an Access Key and a Secret Access Key.
These are not the same as Usernames and Passwords
How many times can you see your Secret Access Key and Access Key?
Only once. If you do not have these for some reason you’ll need to recreate them, and this can only be viewed once as well.
What is IAM Federation?
The ability to combine your existing user accounts with AWS. Using something like MS Active Directory.
This allows your users to have the same credentials across both enviros
What protocol does IAM Federation use for Authentication?
SAML
Security Authentication Markup Language
What Kind of Storage is S3?
Object Based Storage
It’s not suitable for operating systems or database storage
What is the Max Individual File size for S3?
5TB
Overall storage is unlimited
When you upload files to S3, what code do you receive?
HTTP 200 status code
What is the Key for the objects in S3?
The Key is the file name
The Value is the data itself
When you create an S3 bucket, is it private or public by default?
Private by default. You must enable public access
What is something you can use with your S3 buckets and objects in them to restrict access?
Access Control List (ACL)
This is a way of giving permissions or preventing deletion of the ojbect
What are S3 Bucket Policies?
You can use bucket policy to enforce entire bucket wide rules like anti deletion, or to make the bucket public.
In S3, can you turn versioning off?
No.
You can suspend versioning, but you cannot turn it off once enabled.
What is S3 Standard Storage good for?
Most workloads–
websites
content distribution
mobile and gaming applications.
What is S3 Standard-Infrequent Access good for?
Long-term, infrequently accessed but critical data.
Backups, your data store
for your disaster recovery, etc.
What is S3 One Zone-Infrequent Access is great
for?
long-term, infrequently accessed but non-critical data
because it is only going to be in 1 Availability Zone
What is the retrieval time for S3 Glacier?
Under 12 hours
What is the retrieval time for S3 Glacier Deep Archive?
12 Hours or more
What is S3 Intelligent-Tiering?
Uses machine learning
to move your objects between the different tiers
to save you the most amount of money.
What is S3 Object Lock?
Uses the WORM Model
(Write Once Read Many)
Can be used on objects or as a bucket policy.
How many modes does S3 Object Lock have, and what are they?
2 modes:
Compliance Mode - Bans all users
from being able to access or to be able to write
and delete those object including the root account.
Governance Mode - users can’t overwrite
or delete an object version after its lock settings
unless they have special permission
What is S3 Glacier Vault Lock?
Similar to S3 Object lock.
Easily deploy and enforce compliance controls
for individual S3 Glacier vaults with a vault lock policy.
After specifying a control, such as a WORM model,
in a vault lock policy, you cannot edit after locking the policy
What are the two methods for Encryption with S3?
Encryption in Transit - Sending data to S3
Encryption at Rest - Server Side Encryption (SSE)
How many types of Server Side Encryption for S3 are there?
3 types -
AES 256 handled by AWS
KMS - Key Management Service (AWS External Service Service)
Client side encryption - SSE-C - Encrypt the files yourself before uploading.
What are S3 Prefixes?
Prefix is simply the folder
and then subfolder within a S3 bucket.
3,500 put, copy, post, deletes
and then 5,500 get and head requests
per second, per prefix.
In S3 using SSE (server-side
encryption) KMS to encrypt your objects in S3,
what are the request limits generally?
The built-in limits are region specific,
but it’s either going to be 5,500,
10,000, or 30,000 requests per second. Upload or download.
How can you increase S3 Upload Performance?
Use Multi Part upload. Required for files over 5 GB
How can you increase S3 Download Performance?
Use S3 byte-range fetches to increase performance
to download our files from S3.
S3 replication can be where?
Cross Region or in the Same Region
EC2, what is On-Demand Pricing?
Pay by the second or the hour
depending on the type of instance that you run.
And it’s great for flexibility.
No long-term contracts
EC2, what are Spot Instances?
Purchase unused capacity
at a discount of up to 90%.
And the prices fluctuate with supply and demand.
And it’s great for applications
with flexible start and end times.
EC2, what are Reserved instances?
Reserve your capacity
for 1 to 3 years.
The more you pay up front
the greater savings that you have.
You can save up to 72% discount on the hourly charge.
Great if you’ve got known or fixed requirements.
EC2, What are Dedicated Instances?
Physical EC2 server
that’s dedicated for your use.
And it’s great if you have server-bound licenses to reuse or compliance requirements
IAM Policies can control what permissions?
Roles
Users
Groups
When you update an IAM Policy, when does this take effect?
Immediately
When you change a Security Group, when do those changes take effect?
Immediately
How many EC2 Instances can you have in a security group?
Any Number of Instances
When you create a Security Group, what traffic is configured by default?
All Inbound traffic is blocked
All Outbound traffic is allowed
With EC2 instances, what is metadata?
Metadata is data about your EC2 instances.
This is IP Addresses and other useful information about your instance
What is ENI
Elastic Network Interface.
This is for basic networking.
What is Enhanced Networking
When you need speeds between 10 gigabits per second and 100 gigabits per second.
Reliable and high throughput
with Networking, What are EFAs?
Elastic Fabric Adapters
Where you need to have
high-performance computing and machine-learning applications bypass OS level to have more throughput and better performance
With EC2, what is a placement group?
logical grouping of EC2 instances.
With EC2, what is a spread placement group?
EC2 instances on separate hardware
With EC2, where would you want to use a Partition Placement Group?
Multiple EC2 instance with something like HDFS, HBase, and Cassandra
True or False:
With EC2, Cluster Placement groups can span multiple AZs?
False
With EC2, can any type of instances be launched into placement groups?
No, only specific types of instances can be placed into Placement Groups:
Compute Optimized
GPU Optimized
Memory Optimized
Storage Optimized
True or False:
With EC2 Placement groups, you cannot merge groups?
True
What is EC2 Spot Block?
This stops spot instances from being terminated at the specific threshold.
In EBS, what are GP2 and GP3 devices?
General purpose SSDs, GP3 is the improved next generation storage
In EBS, what is io1 and io2?
Provisioned IOPS SSD. More throughput and performance
io2 is the new version of this drive
In EBS, what is sc1
Less frequently accessed drive ability. Cannot be a boot volume.
One of the lowest costs.
Where do EBS snapshots live?
S3
True or False:
You can share EBS snapshots between Accounts and Regions?
True.
You need to be able to move those to the target region.
What else are Instance Store Volumes called?
Ephemeral Storage
What is an AMI?
An EC2 Blueprint containing information about architecture, OS, and other details to spin up exact EC2 instance configurations you need.
How do you encrypt a root volume that IS NOT already encrypted?
Create a snapshot of the unencrypted root device volume.
Create a copy of that snapshot selecting the encrypt option.
Create an AMI from the encrypted snapshot,
Use that AMI to launch a new encrypted instance.
What does EC2 Hibernation mean?
Preserves the in-memory RAM
on the EBS Disk
Faster boot up with no need to reload the operating system.
What Class of EC2 instances support Hibernation?
C, M, and R class instances
What is EFS?
Elastic File Service.
Auto adjust Network File System.
Read after write consistency
What is AWS FSx ?
Centralized storage for windows based applications.
What is Amazon FSx for Lustre?
High capacity, high speed, distributed storage for high performance computing.
Can store data directly on S3
What are the RDS Database flavors?
SQL Server
Oracle
MySQL
PostgresSQL
MariaDB
Aurora
What is RDS primarily designed for?
online transaction processing workloads.
So, this is where you are basically processing lots
of small transactions like customer orders,
banking transactions, payments, and booking systems.
What are Read Replicas?
Where you need to increase read performance from your DB solution.
This is an exact copy of all your data, but specifically used as a read point.
How many Read Replicas can you have for your RDS?
5 Read Replicas are supported per DB
What is Multi AZ vs. Read Replica with RDS?
Read Replicas increase performance for read operations.
Multi AZ is in place as a disaster recovery option and an exact copy. RDS will automatically fail over to the copy when needed
What is AWS Aurora?
Aurora is Amazon’s proprietary database
that’s something that they have created themselves
it’s compatible with MySQL, as well as PostgreSQL.
With AWS Aurora, how many copies are kept of your database?
2 Copies in each availability zone with minimum of 3 zones. Essentially 6 copies of your data
When would you use Aurora Serverless DB?
Host effective option
for infrequent intermittent or unpredictable workloads
What is the difference between eventually consistent and strongly consistent reads?
Eventually consistent means that consistency
across all copies of data is usually reached
within about a second and repeating a read
after a short time should return the updated data.
Strongly consistent reads return a result that reflects all rights that have received a successful response prior to the read.
What is DynamoDB “Transactions” ?
Multiple all-or-nothing operations.
Good for things like financial transactions
or fulfilling orders.
This writes to all tables before any reads. If a write fails, it fails across all tables to keep the tables consistent.
What are ACID Requirements?
Requiring:
Atomicity,
Consistency,
Isolation,
Durability across one or more tables.
Think DynamoDB Transactions.
What are DynamoDB On-Demand backups and restore?
Where you can backup your DynamoDB database
with full backups at any time.
It has zero impact on your table performance
What is DynamoDB Point-in-Time Recovery?
Protects against accidental writes or deletes
Can restore your DynamoDB database to any point
in the last 35 days. As recent as 5 minutes ago.
What is DynamoDB streams?
Where you can maintain First in First Out Records of your data.
What is DynamoDB Global Tables?
managed Multi-Master, Multi-Region Replication for globally distributed usage
True or False:
A Subnet can span multiple AZs?
False
If you have resources in multiple AZs, tied to one NAT gateway, what happens if the AZ where the NAT gateway resides goes down?
All the resources tied to that gateway, even in other AZs that are not down, go out.
Are security groups stateful or stateless?
Stateful
What does it mean to be stateful?
If you send a request from your instance,
the response traffic to that request is allowed to flow in
regardless of the inbound security group rules.
And responses to allowed inbound traffic are allowed
to flow out regardless of the outbound rules.
True or False:
Default Network ACLs allow all traffic in and out?
True
True or False:
Custom Network ACLs allow all traffic in and out?
False
True or False:
Each subnet in VPC must be associated with a network ACL.
True
In networking, if you need to block a hacker or malicious traffic, at what level do you do that?
Network ACL
A subnet can be associated with how many Network ACLs?
One at a time.
Network ACL’s contain a numbered list of rules
that are evaluated in what order?
Starting with Lowest Number first
Are Network ACLs stateful or stateless?
Stateless
So responses to allowed inbound traffic subject to the rules for outbound traffic and vice versa.
What is AWS Direct Connect?
This is a way of directly connecting
your data center to AWS.
high-throughput workloads, lots of network traffic.
For when you need a stable and reliable,
secure connection.
What is a VPC Endpoint?
When you want to connect AWS services
without leaving the Amazon’s internal network.
What is VPC Peering?
this allows you to connect one VPC with another
via a direct network route using private IP addresses,
instances behave as if they were on the same
private network,
and you can peer VPCs with other AWS accounts
as well as other VPCs in the same account.
What is AWS PrivateLink?
Peering VPCs to tens, hundreds, and thousands of customer VPCs,
Requires Network Load Balancer on the service VPC and ENI on the customer VPC
What are AWS Transit Gateways?
Where you can connect all your VPCs without needing to peer them individually
Works with Direct Connect and VPN connections.
Supports IP multicast.
What is VPN Hub?
Simplifies VPN network topology connecting to AWS and using their service
What are the common DNS record types?
Start of Authority
CNAME
Name Server Record or NS Record
A Records
What is a DNS A Record?
Essentially turns a web address into an IP address
What are the 6 routing policies?
simple routing
weighted routing
latency based routing,
failover routing,
geolocation routing,
geoproximity routing.
What is Simple Routing Policy?
one record with multiple IP addresses.
Route 53 will grab one of the addresses and return it at random witthis.
What is Weighted routing policy?
You can determine the percentage of traffic sent to different IP addresses.
What is latency based routing policy?
Route 53 selects the lowest latency response destination and sends the traffic there.
What is Failover routing policy?
Health Checks on each end point and if you lose a region it will fail over to another region
What is Geolocation routing policy?
Where the location of the user determines where the traffic is sent.
What is an Application Load Balancer “Listener” ?
A listener checks for connection requests
from clients using the protocol
and the port that you configure.
So, it’s either going to be port 80 or port 443.
What are Load Balancer Rules?
These determine how the load balancer
routes your request to its registered target.
Consist of:
Priority
Action (one or more)
Conditions (One or more)
With Load Balancers, what is a Target Group?
Target group routes requests
to one or more registered targets,
such as our EC2 instances,
using the protocol and port numbers that you specify.
Application Load Balancers only support what type of requests?
HTTP and HTTPS
Must deploy one SSL cert on your LB
What are Network Load Balancers?
You’re going to use them when you need extreme performance.
Other use cases are where you need protocols
that are not supported by Application Load Balancers.
What does a 504 Error mean on Classic Load Balancers?
Gateway Time out.
If you need the IPv4 address of your end user, what will you need to look for?
You need the X-Forwarded-For header.
What are Sticky Sessions?
They enable your users to stick to the same EC2 instance.
What is deregistration delay or connection draining?
These keep existing connections open if the EC2 instance becomes unhealthy.
What can you use for monitoring in regards to AWS Standards and Best Practice adherence?
AWS Config
What is the CloudWatch default metric delivery interval?
5 minutes
Additional Charge to reduce that to 1 minute
What do you use CloudWatch Logs Insights for?
SQL Logs
What service can be in an Auto Scaling Group?
EC2 Only
How can you improve your Auto Scaling Group provisioning time?
Bake in as much as possible into your AMI to reduce provisioning time.
In Auto Scaling Groups, what is a Steady State Group?
This is where you set the Minimum, Maximum, and Desired Capacity to 1.
If this instances fails, the ASG will automatically recover that architecture.
Usually Legacy Systems that cannot have more than one online.
How do you Horizontally Scale a relational DB?
Read Replicas
In DynamoDB, what are the 2 types of scaling?
Auto Scaling
On Demand Scaling (for unpredictable workloads)
If SQS is seeing consistent message duplication, what is likely wrong?
Misconfigured visibility timing
True or False:
SQS Queues are Bi Directional?
False.
What do you use for SQS if message order is important?
SQS FIFO
First in First out
If SQS message order is important, and you can’t use FIFO, what is an option?
You can tag numerical order with the message and have it read in the tagged order. This takes configuration.
What is the recommended push notification service?
SNS
Simple Notification Service
What is AWS API Gateway?
It acts as a secure front door to handle
that external communication coming into your environment.
True or False
Redshift is a single availability zone service?
True.
Can be duplicated elsewhere, but not an HA solution
What is AWS EMR
A managed cluster platform that simplifies running big data frameworks, such as Apache Hadoop and Apache Spark
Made up of EC2 instances
What is Kinesis Data Firehose
Amazon Kinesis Data Firehose is a automatic scaling managed service for delivering real-time streaming data to destinations.
How can you create a schema for your data in S3 storage?
AWS Glue
Creates the schema, and you can query with Athena
What does AWS Fargate need to work with containers?
It requires ECS and EKS.
True or False
Elastic Container Service is cross platform (on prem and in cloud)?
False.
ECS is AWS only
What is AWS Certificate Manager and what does it provide?
Creates SSL Certificates.
Automatically renew your SSL certificates
and rotate the old certificates with new certificates
so long as it’s with the supported AWS services
ELB, CloudFront, and API Gateway
True or False:
IAM Policy Documents only work when they’re attached to groups.
True
What is AWS Secrets Manager?
Secrets Manager can be used to securely
store and rotate your application secrets, your database credentials,
your API keys, SSH keys, passwords, et cetera.
Paid Service
What is AWS CloudHSM?
Cloud Hardware Security Module.
This creates the core customer key as well as generates other secrets
What is AWS KMS?
Key Manager Service.
Using shared Tenancy of a Hardware Security Module, you can automatically Rotation and Key Generation.
What are the 3 ways to control permissions within KMS?
Key Policy Controlling access.
IAM Policy
Grants with Key Policy.
What is AWS Inspector?
It’s used to perform a vulnerability scans
on both EC2 instances and your VPCs.
Can be run once or weekly
What is AWS GuardDuty?
It uses AI to learn what normal behavior looks
like in your account to alert you
of any abnormal or malicious behavior.
What is AWS Shield?
Shield protects against Layer 3 and Layer 4 attacks only. Used to protect against DDoS attacks.
What is AWS Systems Manager?
They are automation documents can be used
to configure the insides of EC2 instances,
as well as parts of the AWS environment.
Jack of all trades automation
What is the difference between Elastic Beanstalk and Cloudformation?
CloudFormation is for slightly more complex architecture. SQS queues, Lambda functions, LBs, Api Gateway, ETC
Elastic BeanStalk is for quick set up of simple architecture. Web Servers with DBs and such.
What is AWS Parameter Store?
Universal Key Value storage.
Referenceable by CloudFormation for key values and parameters needed instead of hard coding. Requires mapping the values for reference
True or False:
Memcached and DAX support backups?
False
What are the two versions of Elasticache?
Memcached and Redis
What is the primary difference between Memcached and Redis?
Memcached is purely memory cache
Redis has the ability to be a database and has more features. Supports backups
What are 2 in memory Databases?
Redis
DynamoDB
What does AWS Global Accelerator fix?
Fixes IP caching for your clients by giving you 2 static IP addresses that the architecture behind can rotate without issues.
What is AWS Trusted Advisor?
Checks:
Cost Optimization
Performance
Fault Tolerance
Security
Service Limits
How do you get additional checks in Trusted Advisor?
You have to upgrade to a paid support plan.
What is a limit of Trusted Advisor?
It only TELLS you something is wrong, you’ll need to go actually fix it or automate a Lambda response to fix this.
In Automation, what would you use to notify users of thresholds?
SNS can notify users based on limitations and set thresholds.
with IAM, how do you give someone cross account access for something like an audit?
You use a cross role account. Always assign roles instead of duplicate log in.
What are the Active Directory Options?
AD Connector - On prem AD but used with AWS
AWS Microsoft AD - Fully managed AWS MS AD
What Sign on service do you use for External Mobile users?
AWS Cognito
What AWS service helps you enforce standards in your AWS Account?
AWS Config.
Can create a rule, and check if it’s set up. And if the rule is broken, can enforce with Lambda
How can you centralize all your logging?
Using CloudTrail with AWS Organizations.
What are Service Control Policies?
This is the way to restrict the root account.
The policies are the ultimate and final say, and override all other permission sets.
What is File Gateway?
Hybrid Storage Solution for files
What is one of the requirements for Storage Gateway when creating a hybrid environment?
You have to have a VM on prem that runs the software for the gateway transfers.
What is AWS DataSync?
Agent based, one time transfer of data to AWS. Primarily for File Shares. Can transfer to EFS and FSx
What is AWS Transfer Family?
FTPS and SFTP for legacy application transfer protocols
What is Migration Hub?
Organization tool where you can track the migration progress.
What is Database Migration Service?
Migrates your Database to AWS
Has tools to convert Oracle or MySQL Servers to any database engine, primarily Aurora.
What is Server Migration Service?
Moving servers from VMware to AWS.
Can create AMIs from the VMware information.
True or False:
A User can belong to more than one group?
True
What defines AWS Direct Connect?
Private Dedicated network connection from your facilities to AWS
In Databases, promoting a Read Replica to Primary during failure is automatic or manual?
Manual process.
Which Item can an identity-based policy not be attached to?
Roles
Users
Groups
Resources
Resources.
Only Resource based bolicies are attached to resources.