AWS Solutions Architect Associate Flashcards
How is the replication handled for RDS Multi-AZ?
Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone.
How long will a failover of an RDS database typically complete
one to two minutes.
When failing over, Amazon RDS simply flips the canonical name record (CNAME) for your DB instance to point at the standby, which is in turn promoted to become the new primary.
You want to attempt a cold attach for an Amazon Elastic Network Interface.
What does this mean?
Attach ENI when the instance is being launched.
Best practices for configuring network interfaces You can attach a network interface to an instance when it’s running (hot attach), when it’s stopped (warm attach), or when the instance is being launched (cold attach).
Application Load Balancer is to front the Auto Scaling Group and distribute the load between the instances.
The VPC is running IPv4 and IPv6.
The last thing you need to do to complete the configuration is point the domain name to the Application Load Balancer.
Using Route 53, which record type at the zone apex will you use to point the DNS name of the Application Load Balancer?
“AAAA” Record
“A” Record
Alias with a type “AAAA” record set and Alias with a type “A” record set are correct. To route domain traffic to an ELB, use Amazon Route 53 to create an alias record that points to your load balancer.
Your dev team has created a new AMI which has been hardened to meet company security standards, and this AMI needs to be deployed on all EC2 instances in the organization. What step or steps do you need to take to deploy this AMI?
Replace the launch configuration by a launch template using the new AMI.
AWS recommends that you create Auto Scaling groups from launch templates to ensure that you’re accessing the latest features and improvements.
Using CloudFormation to migrate to the new region they’ve discovered a problem with the template.
Whenever the template is created in the new region, it’s still referencing the AMI in the old region.
What steps can you take to automatically select the correct AMI when the template is deployed?
Create a mapping in the template. Define the unique AMI value per region.
This is exactly what mappings are built for. By using mappings, you easily automate this issue away. Make sure to copy your AMI to the region before you try and run the template, though, as AMIs are region specific.
The server team has been using Puppet for deployment automations. The decision has been made to continue using Puppet in the AWS environment if possible. If possible, which AWS service provides integration with Puppet?
AWS OpsWorks for Puppet Enterprise
Fully-managed configuration management service that hosts Puppet Enterprise, a set of automation tools from Puppet for infrastructure and application management. OpsWorks also maintains your Puppet master server by automatically patching, updating, and backing up your server.
Which description best describes Amazon Redshift?
Near real-time complex querying on massive data sets.
Amazon Redshift is a fast, fully-managed cloud data warehouse that makes it simple and cost-effective to analyze all your data using standard SQL and your existing Business Intelligence (BI) tools.
The DynamoDB table has a preconfigured read and write capacity. Users have been reporting slowdown issues, and an analysis has revealed the DynamoDB table has begun throttling during peak traffic times. What step can you take to improve game performance?
Adjust your auto scaling thresholds to scale more aggressively.
Amazon DynamoDB auto scaling uses the AWS Application Auto Scaling service to dynamically adjust provisioned throughput capacity on your behalf in response to actual traffic patterns.
You have decided to use AWS Kinesis Data Firehose to stream the data to multiple backend storing services for analytics. Which service is not a viable solution to stream the real time data to?
Athena
Amazon Athena is correct because Amazon Kinesis Data Firehose cannot load streaming data to Athena.
What is the Limit of space on a Snowcone device?
8 TB
you have 25 TB of data that needs to be moved to an S3 bucket. Your company has just finished setting up a 1 GB Direct Connect drop, but you do not have a VPN currently up and running. This data needs to be encrypted during transit and at rest and must be uploaded to the S3 bucket within 21 days. How can you meet these requirements?
Use a Snowball device to transmit the data.
This would be the perfect choice to transmit your data. Snowball encrypts your data, so all the security and speed requirements would be met.
Configured a VPC as well as two subnets within the VPC.
Attach an internet gateway to the VPC.
In the first subnet, they create the EC2 instance which will host their web application.
Finish the configuration by making the application accessible from the Internet.
The second subnet has an instance hosting a smaller, secondary application.
But this application is not currently accessible from the Internet. What could be potential problems?
The second subnet does not have a route in the route table to the internet gateway.
The EC2 instance does not have a public IP address.
A news media company is using an S3 bucket as a website to serve photos of television personalities within the company. The photos are intended to be served nationwide to local affiliates across the company. But you have found that these photos are being accessed and pirated for other websites not affiliated with the company. What can you do to stop this?
Remove public read access from your bucket, then provide your users with pre signed URLs to access the photos.
Security Groups act at what level?
The Instance Level
What is AWS STS?
AWS Security Token Service (AWS STS) is the service that you can use to create and provide trusted users with temporary security credentials that can control access to your AWS resources.
You have been evaluating the NACLs in your company. Most of the NACLs are configured the same:
100 All Traffic Allow
200 All Traffic Deny
* All Traffic Deny
How can the last rule * All Traffic Deny be edited?
You can’t modify or remove this rule.
The default network ACL is configured to allow all traffic to flow in and out of the subnets with which it is associated. Each network ACL also includes a rule whose rule number is an asterisk. This rule ensures that if a packet doesn’t match any of the other numbered rules, it’s denied. You can’t modify or remove this rule.
Route 53:
What does TTL Mean?
What does it control?
Time to live
Controls how long the DNS record will be Cached
Using Route 53, how would you direct example.com traffic to various IPs based on the country the user was sending traffic from?
Use Geolocation Routing policy
True or False? Route 53 only provides DNS for public IPs.
False
Route 53 allows you to host both public and private zones.
Using Route 53, how would you direct example.com traffic to 1 primary IP with a second one for backup?
Use Failover Routing Policy
If the visibility timeout on a message in an SQS queue expires, what happens to the message?
It’s now available in the queue to be retrieved.
If the timeout expires, the message will again be available in the queue for processing.
What is the maximum length of time a message may remain in an SQS queue?
14 Days
Which service is SNS commonly paired with to alert users that an alarm has gone off?
Cloudwatch
What type of subscription can SNS retry if a message fails to deliver?
HTTP(S)
SNS can only immediately retry sending a message to an HTTP(S) endpoint.
Which tool can be used to monitor the queue depth of a DLQ (Dead Letter Queue)?
CloudWatch
The go-to tool for any sort of monitoring in AWS
If your application needs to process 5,000 messages per second, which type of SQS queue would you use?
SQS Standard
This gives you a nearly unlimited number of transactions per second.
What type of service is SQS?
Messaging Queue
True or False? MFA tokens are required for all new users.
False
Describe the principle of least privilege?
Only assigning the user the minimum amount of permissions that they need to do their job.
Why are IAM users considered “permanent” users?
Because once their password, access key, or secret key is set, these credentials don’t automatically rotate or change without human interaction.
What is the single best thing you can do to secure the root account in AWS?
Enable MFA
Why is it dangerous to use the AWS root user account?
The root user account has full permissions to every service.
True or False? An allow statement in a policy document will override a explicit deny statement.
False
What does the “EAR” in a policy document stand for?
Effect, Action, Resource
How does availability and durability differ in S3?
Availability is the ability to access your data
Durability is the ability of AWS to ensure your data is properly stored in S3.
What is the largest object you can store in S3?
5 TB
True or False? Each Amazon S3 bucket name is globally unique.
True
Since S3 is an object-based storage solution, which type of file should never be stored in it?
Database
What kind of data should be stored in S3 Standard?
Data that is frequently used
If you have data that needs to be instantly retrievable, but it’s not likely to be needed anytime soon, which S3 storage class would you select?
S3 Standard-IA
Versioning on your bucket was recently suspended and, after this, your boss deleted an object whose version ID is null and wants to restore it. What do you do?
It’s not possible since versioning was suspended. The object is gone.
True or False? You can create an S3 lifecycle policy to migrate objects from Glacier to Standard-IA.
False:
Lifecycle policies can’t work backwards. You can use a lifecycle policy to migrate objects from the more frequently accessed storage classes to the longer-term options, but not the other way around.
Why is versioning not enabled by default on new S3 buckets?
It costs money, as you’ll be paying for every additional copy of your objects that you upload.
What is the minimum time that AWS requires you to keep an EC2 instance online after you’ve turned it on?
None.
There is no min run time.
True or False? If you restart your EC2 instance the user data will rerun automatically.
By default, user data runs one time and one time only.
When would you want to use a cluster placement group?
When you want to reduce network latency in your application
In EC2 instances, what is user data commonly used for?
For bootstrapping an EC2 instance as it comes online
You have a small number of critical instances that should be kept separate from each other. You want to ensure that each instance is placed on distinct underlying hardware. What kind of placement group would you pick?
A spread placement group would be the best fit.
Why would you want to spin up an EC2 Dedicated Host?
Because your application has hardware-specific licensing requirements
What is NOT a valid use case for IAM roles?
Assuming a role to allow a user to SSH into an EC2 instance and install updates.
What are IAM Roles used for?
IAM roles are designed to be used with AWS API calls
What type of storage does EFS offer?
File
Can only be used natively with Linux based OS
Elastic File System / Elastic File Storage
True or False? You can create an unencrypted EBS volume from an encrypted snapshot by unselecting the “encryption” check box when restoring it.
False. You cannot unencrypt with this method.
True or False? Amazon Machine Images are Region specific. To use one in another Region, it needs to be explicitly copied there.
True
You’re trying to mount an EBS volume in Availability Zone (AZ) A to an EC2 instance in AZ B. Why isn’t it working?
EC2 instances must be in the same AZ as the EBS volumes.
True or False? Only certain types of EC2 instances support hibernation.
True
You just took a snapshot of an EBS volume. Where is it stored?
S3
You’ve been tasked with creating a file system for a Linux workload that should handle massive datasets, up to hundreds of gigabytes per second. What AWS service would you use?
FSx for Lustre is built for just this kind of task.
True or False? EBS volumes are encrypted by default.
False
You’ve been tasked with creating a highly performant database on your EC2 instance. What type of EBS volume will support the high level of IOPS that you require?
Provisioned IOPS would be the best option in this instance.
True or False? Amazon FSx for Lustre can’t store data directly on Amazon S3.
False
Why would you consider hibernating an EC2 instance over stopping and starting it?
You have an application that takes a long time to load. Hibernating the instance prevents you from having to reload it.
What is the purpose of an Amazon Machine Image (AMI)?
It’s a template to create a new EC2 instance from.
What is a feature that does RDS Aurora NOT support?
Universal HA is not a feature of Aurora.
What should you do to scale out an RDS database that has a read-heavy workload?
Add additional read replicas.
True or False? RDS read replicas have their own endpoints.
True
What is NOT a supported RDS database engine?
IBM Db2 is not a supported database engine
True or False? RDS read replicas can be created in different Regions from the source DB instance.
True
You may use a read replica for disaster recovery of the source DB instance, either in the same AWS Region or in another Region.
True or False? DynamoDB lives in your VPC.
False
DynamoDB is not deployed into your VPC. Your VPC must have an internet gateway or a VPC endpoint configured to access resources such as Amazon DynamoDB
Fill in the blank: DynamoDB is a ____ database.
Non-Relational
What is the longest you can store an automatic RDS backup?
35 Days
Amazon Aurora is compatible with which database engines?
MySQL and Postrgres
What type of read would you use with DynamoDB if you can’t have stale data in your application?
Strongly Consistent Reads
True or False? Direct Connect provides you with an encrypted connection to your AWS account by default.
False.
Direct Connect is not encrypted by default.
How do you scale a NAT Gateway?
You don’t. AWS does this automatically for you.
Your security team will only approve S3 usage if your EC2 instances don’t transmit data over the public internet. What service can you use to comply with this requirement?
VPC Endpoints are used to keep your traffic to AWS services out of public networking space.
Network Access Control Lists (NACLs) are Stateful or Stateless?
Stateless
By default, what range of IP addresses and ports do security groups leave open for inbound traffic?
None. They are closed by default.
Where are Network Access Control Lists (NACLs) located?
NACLs are located at the subnet level.
Why would you use Transit Gateway over VPC peering?
Transit Gateway is designed for when you have too many VPCs to peer together
What is the IPv4 CIDR block of the default VPC?
172.31.0.0/16 is the IPv4 CIDR block for the Default VPC provided by AWS out of the box.
When would you want to use Direct Connect?
When you need a high-speed private connection from your on-premises environment to AWS
Direct Connect is designed for on-premises to AWS communication.
What is a reason that VPC peering could fail?
VPCs have overlapping IP addresses
What instance will a NLB (network load balancer) load balancer send traffic to if no hosts are healthy?
It will try to send traffic to all the instances
What kind of ELB load balancer would you select if you need to route traffic based on the contents of the request?
Application Load Balancer (ALB)
Routing based on the type of request (GET, POST, etc)
If you’re building an application that needs to support an extreme level of networking traffic, which type of ELB load balancer would you pick?
Network Load Balancer (NLB)
Which layer of the OSI model does the ALB function on?
Layer 7
True or False? By default, ELB load balancers will use static IPs and these will not change.
False:
IPs will change unless you specifically configure static IPs
What benefit do you get from configuring health checks on an ELB load balancer?
Instances that fail the health check will not receive traffic.
Which layer of the OSI model does the NLB function on?
Layer 4
Which kind of ELB load balancer would you use if you need extreme levels of performance?
Network Load Balancer
NLB
Which type of ELB load balancer has AWS deprecated and should not be used?
Classic Load Balancer
Which tool would you use to monitor the CPU usage on an EC2 instance?
CloudWatch
Which web service and feature can be used to monitor, store, and access your log files from Amazon EC2 instances, AWS CloudTrail, Route 53, and other sources?
CloudWatch Logs
What is the default CloudWatch metric interval?
5 minutes
True or False? CloudWatch Logs allows you to create event patterns that look for certain things happening in your logs.
True
What are the W’s of scaling?
What
When
Where
What setting in your Amazon EC2 Auto Scaling group determines how many instances you need online right now?
Desired Capacity
You would select _____ capacity for a DynamoDB table with a predictable workload.
Provisioned is the best option for a predictable workload.
What type of capacity should be selected for a DynamoDB table with a sporadic workload?
On-Demand
What tool can be used to notify you of scaling events?
SNS
Simple Notification Service
What RDS database engine offers a serverless scaling option?
Aurora is the only engine that offers a serverless scaling option
What AWS resource defines the configuration of instances created by EC2 Auto Scaling?
Launch templates are the best way to define what your instances will look like.
If you need to change the AMI included in a launch template, what should you do?
Create a new version of the launch template with the updated AMI.
How can you automatically register EC2 instances with an ELB load balancer when they are launched?
Attach the Load Balancer to an Auto Scaling group
How can you create a highly available application using EC2 Auto Scaling?
Define multiple AZs in your Auto Scaling group.
What setting would prevent a launch template from being used with EC2 Auto Scaling?
Including networking information
You can include EC2 size, ELB, and user Data (start up scripting).
Amazon _____ is the most common service used to trigger a scaling event in an EC2 Auto Scaling group.
CloudWatch
Which layers of our applications need to be loosely coupled?
Internal and external
What is the largest message size you can store in SQS?
256KB
What kind of architecture does AWS recommend building?
Loosely Coupled
How can you ensure that your SQS messages arrive in the correct order?
SQS FIFO guarantees that your messages will arrive in the correct order
API Gateway is commonly built __ your applications.
in front of
What type of firewall can be used in conjunction with API Gateway to help prevent DDoS attacks?
Web Application Firewall (WAF)
SNS is a _____-based messaging service.
Push
Which tool can be used to sideline malformed SQS messages?
Dead Letter Queue
DLQ
_____ allows you to transform data using SQL as it’s being passed through Kinesis.
Kinesis Data Analytics
You can use _ to build a schema for your data, and _ to query the data that’s stored in S3.
Glue - Build Schema or “glue data together”
Athena - Ability to query data with SQL in S3 buckets
What type of database is Redshift?
Relational
True or False? You are responsible for scaling Glue performance.
False
What service allows you to directly visualize your data in AWS?
QuickSight
How much data can a Redshift database hold per cluster?
16 PetaBytes
True or False? Redshift supports multi-AZ deployments.
False
What service would you use in combination with Kibana and Logstash to create an ELK stack?
Elasticsearch
What type of work does EMR perform?
Extract Transform, and Load
_____ provides real-time streaming of data.
Kinesis Data Streams
How long are automatic Redshift backups retained by default?
1 day.
This can be increased to 35 days.
Which service provides the easiest way to run ad-hoc queries across multiple objects in S3 without the need to setup or manage any servers?
Athena
Allows you to query info in S3
What AWS service can create EC2 instances and place containers in them based on your task definitions?
ECS
Elastic Container Service?
Which open-source container management engine powers EKS?
Kubernetes
What feature of ECS and EKS allows you to run containers without having to manage the underlying hosts?
Fargate allows you to run containers without using EC2 instances.
Which IAM entity is assigned to a Lambda function to provide it with permissions to access other AWS APIs?
Role
What is the maximum length of time Lambda can run?
15 minutes
Which of the following is a common trigger for Lambda?
Cloud Watch Events (EventBridge)
Which AWS service allows you to use Fargate without needing ECS or EKS?
None.
Fargate requires either ECS or EKS. Cannot run by itself
What is the maximum amount of RAM you can allocate to a single Lambda function?
10 GB
Where are container images stored?
In a container registry
What type of file is used to build a container image?
Dockerfile
What is one thing EC2 instances allow you to configure but a serverless application doesn’t?
Operating System
What is NOT a supported Lambda runtime?
COBOL
Can run:
Java
Node.js
Python
Your boss requires automatic key rotation for your encrypted data. Which AWS service supports this?
KMS
Key Management Service
What is the best way to deliver content from an S3 bucket that only allows users to view content for a set period of time?
Create a presigned URL using S3
What is the easiest way to log API calls in AWS?
Enable CloudTrail and pick an S3 bucket to store the logs in.
What is NOT a data source for GuardDuty?
RDS Event History
True or False? Amazon Inspector requires an agent for host assessment rules packages.
True
The agent is required for host assessment rules packages
What kind of findings can AWS Inspector discover?
Insufficient patching of applications on an EC2 instance
What service does Macie monitor once you’ve enabled it?
S3
Macie Inspects S3 buckets for PII with machine learning
What is the easiest way to ensure your CloudTrail logs haven’t been tampered with?
Enable log file validation in your trail.
What three components are required in all IAM policy documents?
Effect, Action, Resource
Which Layers does Shield provide protection on?
Layers 3 and 4
What is the minimum length of time before you can schedule a KMS key to be deleted?
7 Days
Where is the most cost effective place to store your database passwords in a secure manner?
Parameter Store
Which AWS service supports automatic rotation of RDS security credentials?
Secrets Manager
In general, what does a DDoS attack entail?
A large number of connections overwhelms your architecture. Your application is unable to answer the legitimate requests that are sent to it.
Which Layers does WAF provide protection on?
Layer 7
True or False? You must explicitly deny all API calls that a user shouldn’t be able to make.
False
All API calls are set to Deny, you must explicitly enable
