AWS Solutions Architect Certification Flashcards

Question

Block public access (Securing data)

Answer 1

Default configuration for S3 buckets

Answer 2

Use if granting cross-account access permissions to other AWS accounts. Also if user IAM polices reach their size limits or you prefer to keep access policies in S3 Will require a principal

Answer 3

Use if you prefer to keep access control policies in IAM Or if you have numerous S3 buckets with different permission requirements

Answer 4

S3 encrypts objects before saving to disk and decrypts the data when downloaded Can allow S3 to create/encrypt keys, can provide CMK and store in KMS, or can manage the key yourself

Answer 5

Encrypt data before storing in S3 and manage master encryption keys yourself

Answer 6

Centralized repository to store structured and unstructured data, and S3 is a good selection for its near limitless storage capacity Used to decouple compute from storage as well as ML and analytics workloads Can use Athena, Redshift, Rekognition, and Glue

Answer 7

Query-able interface all assets stored in S3 and provides single source of contents Can input data into S3, extract metadata with Lambda and store in DynamoDB and query with elastic search

Answer 8

Fully managed ETL pipelines

Answer 9

Analyze data directly in S3 using SQL. Serverless so only pay for volume of data you run queries on. Best used for light data discovery

Answer 10

Run queries against S3. Should be used for complex queries with many concurrent users.

Answer 11

Monitors data access patterns and transfers data into more appropriate storage class to save on costs. Works best when data has an unknown access pattern

Answer 12

Set of rules defining actions to apply to a group of objects. Can tell S3 to transition objects to less expensive storage classes. Can automate the move to archival tiers, but will need to manually move them back

Answer 13

Default storage option that provides high performance for frequently accessed data. High throughput and low latency. SSL encryption at rest, and no minimums or storage duration Price is the highest, but the more you store the cheaper per GB the fees become

Answer 14

Less frequent access, but rapid access when you need it. Idea for long-term storage, backups, datastore, DR files, etc. Less expensive than general purpose for storage, but more expensive for access

Answer 15

Less available, less resilient, only available in one AZ Less frequently accessed data and less resilient Good for backups of onprem data where it can be recovered if necessary. Cheaper

Answer 16

Instant (rarely accessed but need it instantly, ex. medical images) Flexible 1-5min, 3-5 hrs, 12 hours for bulk, rarely accessed and only need 1-2 times per year. Good for Offset storage needs. Data minimum duration of 90 days

Answer 17

Lowest storage cost option. Minimum of 180 days 12-48 hr retrieval times

Answer 18

Storage: Amount/size of objects, intelligent tiering, moving from tier class to the other Requests/data retrieval: Pay per requests made against objects in bucket Data transfer: Except to EC2, from the internet, or CF Storage management features: S3 inventory, analytics, object tagging

Answer 19

Free Provides details about requests made to a bucket, requester, bucket name, status, environment Can help to learn about customer base with certain access patterns, and understanding of bill Can use Athena to analyze logs Not guaranteed log delivery

Answer 20

Fee Captures subset of API calls for S3 events Determine which requests were made to S3 from which IP address, time and additional details Can use Athena to analyze logs Can use CloudWatch to monitor Cloudtrail events and invoke AWS lambdas and SNS notifications Guaranteed log delivery and more structured

Answer 21

New object created, object removed, restore object, reduced redundancy storage, replication Can publish events to SNS, SQS, Lambda

Answer 22

Can perform a single API action on a list of objects: Put object tagging Restore requests to Glacier Copies of objects Invoke lambdas Can use with S3 inventory, manage with labels and tags, monitor/troubleshoot the jobs with Cloudtrail

Answer 23

Monitoring service that collects logs, events and metrics Can create custom dashboards and set alarms for certain thresholds Metrics can have multiple dimensions (bucket name, filtered, storage type, etc). Dimensions are used to drill down on certain metrics

Answer 24

Check that you have recommended settings enabled in S3 account. Can receive notifications via SNS or remediate issues with Lambdas Can check if Logging is enabled for buckets, checks for publics access, checks if buckets require SSL

Answer 25

Receive alerts for questionable access to S3 buckets and can remediate issues by removing access Identify resources in your account/org that is shared with external identities Alerts you if buckets configured to allow access to internet Need to create an analyzer in each bucket region

Answer 26

Ensure account follows best practices for security, performance, fault tolerance, service limits, and cost optimizations Can asses bucket permissions, bucket logging, bucket versioning

Answer 27

App requirements: Understand data access patterns or archival needs. Data organization: Use prefixes or tags to organize all data to help manage it Understand, analyze, optimize: Setup monitors to help manage costs proactively and defensively Continuous right sizing: Know the correct storage classes

Answer 28

Storage class analysis, observes data access patterns over time

Answer 29

QS dashboards that can use ML insights CloudWatch that can provide actionable insights to monitor application performance changes AWS budgets to track costs and usage Cost and usage reports

Answer 30

Rule that moves objects between storage classes based on create dates Only supports transitions from one more frequently accessed tier to one less frequently accessed Works for versioned and unversioned buckets CT doesn't support lifecycle actions

Answer 31

For object greater than 100 MB, or transfer over a spotty network Can remove incomplete uploads

Answer 32

Connect to cloud to store app data files in S3, cloud backed storage volumes of onprem apps, and physical tape on prep to virtual tapes in AWS

Answer 33

Provides org wide visibility into object storage and activity trends Can drill down into account, region, storage class, bucket, and prefixes. Can create custom dashboards

Answer 34

Tracks and takes action on AWS costs and usage Can set custom budget alerts Set budgets on a recurring bases to continue to be notified

Answer 35

network throughput, CPU, DRAM, DNS lookup time, latency, data transfer speeds with HTTP analysis tools

Answer 36

Prefixes: Scale for high request rates Parallelization: Maximize bandwidth by scaling connections horizontally S3 select: Optimize data retrieval operations by querying subset of objects. Works with JSON, CSV, and Parquet Timeout/retries: Recover from continuous failures Use Cloudfront for frequently accessed content Transfer accelerator: transferring data across vast geographic locations Cloudwatch: monitor performance

Answer 37

Naming scheme: bucket-name/prefix/object The bucket prefix allows objects to be stored on separate partitions, so can increase the transactions per second

Answer 38

Horizontally scale parallel requests to S3 service endpoints for better performance Can break up object data into multiple parts Requires an upload id and part # Can pause between uploads and don't need to finish uploading the entire object

Answer 39

Use AWS SDK for connection timeouts, retries, backoffs (exponential or random increase in request wait times)

Answer 40

CDN to ensure low latency and higher transfer speeds Caches copies of content, for everything not cached it will maintain open connection with origin server DNS routes client requests to closest CDN Can restrict access to buckets to only be accessible by CF Can use HTTPS Implement georestrictions WAF to prevent certain traffic based on IPs

Answer 41

Account management service where you can programatically create accounts and consolidate accounts within the org Root --> OU --> Account Policies can impact all child nodes and leaves when assigned

Answer 42

Will apply to all AWS users, groups, and roles within the account including the root identity

Answer 43

Increase points of presence ``` Static asset caching Live, on demand video streaming Security and DDos protection Dynamic and customized content API acceleration Software distribution Can help with app availability since content can be cached and origin servers can go down ```

Answer 44

Can be applied to every object and object stored in S3 and grand additional permissions beyond those specified in IAM or bucket policies. Can be used to grant access to another AWS user or predefined groups like the public. If you have read permissions on the bucket, but not the actual objects, then you can only list contents of the bucket

Answer 45

Can be set separately, If you want smoke to be able to view list of files in a bucket and be able To view/download them, you must gran them permission on the bucket itself as well as each object

Answer 46

Great way to apply very limited permissions to an IAM role. Good if you want the user to have a policy that applies to multiple buckets For example, a role used for DB backups should only be able to create objects and not view/delete them

Answer 47

Creation and updates to individual objects in S3 are atomic, you'll never upload a new object or change an existing object and see only half of the change New objects are seen instantly (read-after-write consistency) Updates to objects only guarantee eventual consistency. Thus it's best to treat objects as immutable.

Answer 48

S3 sits outside the VPC and can be access from anywhere if bucket polices are not set to deny it. Incomplete multipart upload costs accrue storage costs event if it fails to fully upload. Create lifecycle policies to clean up these incomplete uploads

Answer 49

High performance block storage designed for use with EC2 Can handle relational/nonrelational DBs, containerized apps, fs, media workflows, and big data analytic workloads All volumes are replicated within an AZ and can easily scale to PB of data Can use snapshots with automated lifecycle policies to back up to S3

Answer 50

Raw storage where hardware is presented as disk or volume, and can be attached to compute system for use Storage is formatted in predefined continuous segments called blocks and are the basic fixed storage unites to store data Can be on HDD, SSDs, or NVMe Application shares data management with OS

Answer 51

Built on top of block storage, that serves as a file share or file server Created using an OS that formats and manages the reading and writing of data to the block storage. Data is stored in a directory tree hierarchy SMB and NFS are the most common storage protocols OS manages the storage protocol and the operation of the file system and differentiates based on types of data

Answer 52

Built on top of block and created using an OS that formats and manages the reading and writing of data to the block storage device, Object storage does not differentiate between types of data, and type becomes part of object metadata. One object storage system could use binary objects of size 128MB, so smaller files or data are stored at a binary level within the object, and data larger than that are stored by spreading the data across multiple objects

Answer 53

Instead of storing files locally and managing access on. a NFs server, you store files in cloud resources by a managed file service like EFS Customer manages access control for who has access to FS via network controls (SGs/NACLs), access points, and IAM policies Comm between clients are storage is handled by special NFS protocol The cloud service provides a common DNS namespace for clients to connect to the shared file system and those with appropriate permissions access the FS by connecting to their attached mount points and file systems appear as local volumes to the client.

Answer 54

EFS, FSx for Lustre, FSx for Windows FS, Fsx on NETApp ONTAP, FSx for OpenZFS

Answer 55

Scalable, elastic, fully managed and supports NFS. Capacity is dynamic without any intervention Can be shared with up to 10k+ concurrent clients. Only pay for the storage that you use

Answer 56

Parallel FS for high performing workloads. Need to select the specific performance and capacity parameters suited for you app needs

Answer 57

Latency: Amount of time between making requests to storage system and receiving a response. EFS standard offers 1 to 2.4 ms IOPS: General purpose FS offers 35k read and 7k write. Max I/O offers over 500k Throughput: Measuring the performance of reading and writing large sequential data files measured in MBs/second. EFS offers rates up to 10GB/sec Has higher latency but better durability and availability than EBS

Answer 58

3. A write isn't acknowledged until data is written to all 3.

Answer 59

POSIX permissions: user and group level permissions to control client access permissions to your fs SGs: Restrict access over network with VPC SFs. Determines which IPs have network visibility to EFS endpoint. IAM: Control both the creation and administration of the EFS FS KMS: Encrypt data at rest and turn on TLS when you mount the fs

Answer 60

Standard and Standard IA and OneZone IA Lifecycle management will move files based on access frequency Much more expensive than EBS

Answer 61

Yes, using Direct connect

Answer 62

Can set an EFS fs as the local mount path directly within the Lambda service console.

Answer 63

Big data and analytics: Shared files access to data scientists using genomics software running on EKS cluster Web serving content management: Serve files to web apps quickly and scalable way to meet demand App testing and development: Shared storage repository to share code and other files in a secure and organized way DB backups: NFS files system is the preferred backup repository for many common database backup apps, like Oracle, SAP Container storage: Providing persistent shared access across common file repository

Answer 64

The amount of data center capacity to provide all the computational resources to an AZ. Can be multiple data centers For high performance needs, with extremely low latencies, AWS offers the availability to provision compute not just within same availability zone, but same placement grouping, so basically the same data center (hardware).

Answer 65

Simplifies the setup, provisioning and maintenance of Windows workloads SSD and HDD storage. Provides up to 64TB per file system. Throughput up to 3GB Provides backups and replication across multiple AZs Migration of files from Windows servers to AWS, accelerating the adoption of migration through the use of a hybrid files system with low latency Identity-based auth through Microsoft Active Directory

Answer 66

Deployment type (Multi or single AZ) Storage type (HDD or SSD) Storage capacity (Priced per GB-month) Throughput capacity (priced per MBps-month)

Answer 67

Windows file server (with DNS address) and storage volumes

Answer 68

A resource that allows client compute instances, where in AWS or on prep, to connect to FS

Answer 69

Direct Connect: Service that enables you to access FS over a dedicated network connection from on-prem environment Client VPN: Access FS from on-prem using secure and private tunnel

Answer 70

Setup and run Active Directories in the cloud Deploy each directory across multiple AZ and AWS handles the integration of the two services Can also keep self-managed AD on prem and integrated with FSx in the cloud

Answer 71

Can control which resources in VPC can access FSx with SGs with inbound and outbound rules. Will need to allow outbound traffic to connect to AD

Answer 72

Web services that sets up, operates and scales relational dbs Handles updates and backups Supported drivers include Postgres, mysql, mariadb, oracle, and sql server

Answer 73

Managed db service only compatible with mysql and Postgres drivers

Answer 74

Managed key-value, non-relational db service that provides fast and predictable performance You can create db tables that store and retrieve data and serve any level of request traffic Can scale up or scale down your tables' throughput capacity without downtime or degradation Uses a partition key to allocate data to different nodes. Can have an optional sort key to store related attributes in a sorted order to be queried as a collection Also has a PK and can use global and local indexes to speed up performance

Answer 75

MongoDB workloads at scale with separate storage and compute that can be scaled independently ``` Table -> Collection Row -> Document Column -> Field PK -> Object ID Nested table -> Embedded document ```

Answer 76

Improves performance by retrieving data from high throughput and low latency in-memory data stores Provides access to data across replicated nodes Popular choice for gaming, FS, healthcare and IOT Memcached and Redis cache engines differ based on backup and replication, automatic failover Redis supports complex data types, data replication and data availability.

Answer 77

Fast, reliable managed graph db for apps with highly connected datasets. Good for applications that work with highly connected data sets used to discover potential fraudulent behavior before it happens. Used for recommendation engines, fraud detection, drug discovery, and network security

Answer 78

Enterprise-level, petabyte scale, fully managed warehousing service. Can achieve efficient storage and optimum query performance through a combination of massively parallel process, columnar data storage, and efficient data compression encoding schemes Offers 10x faster performance than other solutions. Serve different purposes than RDBMS. Warehouses are meant to store aggregate values (analytical data)

Answer 79

Organized to support transactional and analytical operations. Most commonly stored in relational databases but can also be in non-relational. Can run powerful data queries and analysis

Answer 80

More flexible than structured and without the requirement to change the schema for every single record in the table. Allows user to capture any data in any structure as data evolves and changes over time. Examples include XML, email, and JSON

Answer 81

Not organized in any distinguishable or predefined manner Full of irrelevant info which means data needs to first be processed to perform any kind of meaningful analysis Examples include text messages, word processing docs, videos, photos, and other images. Files are not organized

Answer 82

Built to store structured data in tables using defined schema

Answer 83

non-relational that store unstructured data in the form of key-value pairs + Store data in a single table as blob objects without predefined schema + Flexible and handles a wide variety of data types + No need for complex joins - Difficult to perform analytical queries due to lack of ions - Access patterns need to be known in advance for optimum performance

Answer 84

Type of non-relational db that store semistructured and unstructured data in the form of files + Flexible + No need to play for a specific type of data + Easy to scale - Sacrifice ACID compliance - Databases cannot query across files natively

Answer 85

Both structured and unstructured data sources and for apps that require real-time access to data. + Support demanding apps requiring ms response times + Great for caching + Ultrafast and inexpensive access to copies of data - Not great for rapidly changing data

Answer 86

Store any type of data, structured, semi, unstructured + Allow simple, fast retrieval of complex hierarchical structures + Great for RT big data mining, such as fraud detection + Great for making relevant recommendations and allowing for rapid querying of this relationships - Cannot adequately store transactional data - Not efficient for analytics

Answer 87

Focus on recording update, insertion and deletion transactions. Queries are simple and short which require less time and space to process.

Answer 88

Store historical data that has been input by OLTP. Can extract information from a large database and analyze if for decision-making. A good example is business intelligence Tool

Answer 89

Stored procedure in RDS is executed for every new row, triggering a lambda function that passes the event to Kinesis and is stored in S3. Then can use Athena queries in QS to visualize data

Answer 90

Aurora is more durable than RDS and more resilient, it is very fast recovery from failures. Aurora has better auto scaling capabilities and can provision up to 15 replicas

Answer 91

Migrate data from external database to AWS. Requires source and target DB connection strings, a deployed EC2 instance to run replication task Transfer data from S3 into relational db in Aurora

Answer 92

Relational: Normalized or dimensional data warehouse Non: Denormalized document, wide column, or key-value

Answer 93

Much east to scale horizontally, but has the issue of eventual consistency, which can be an issue for apps that require ACID compliance (Data may not be updated at the same time for all distributed systems)

Answer 94

Homogenous: Migrate between same DB engines, and require use of native database tools Heterogenous: Migrate between different database engines. Requires the use of AWS Schema conversion Tool to translate db schema to new platform.

Answer 95

Burstable performance (short-lived bursts of high activity) and memory-optimized (suitable for most DBs)

Answer 96

Oracle, postgres, aurora, mysql, mariadb, oracle, and sql server

Answer 97

On-demand and reserved

Answer 98

Require both authentication and permissions to access tables IAM polices and be used to assign permissions Security groups are used to control access to the DB instance

Answer 99

Serverless, on-demand, reserved

Answer 100

IAM, fully managed encryption at rest

Answer 101

Attribute, items, table

Answer 102

Provisioned and On-demand

Answer 103

Server-based: Traditional architecture, server hosts, delivers, and manages the resources the application users need. Need to pay for maintenance and you're responsible for maintaining them. Requires you to pay for additional server as scale grows + Better for predictable workloads, in-depth analysis, or long running computations + Full visibility since you own all the infra + Good for legacy apps that can't be decoupled Serverless: Apps are hosted by 3rd party service so no need to manage server. Provide automatic scaling and higher availability + Good for rapid scaling and applications with short running tasks that have a single purpose + Liability is reduced + Smaller deployable units result in faster delivery

Answer 104

Automates config, management, and maintenance Configures read replicas or setup synchronous replication Automatic backups and encryption at rest and in transit Can easily scale compute resources

Answer 105

Full control over database deployment Supervise number of instances per database Encrypt EBS volumes to protect your data at rest and in transit as data travels between the volume and the instance

Answer 106

High available, fault tolerant, and scales as damn grows DynamoDB supports ACID No hardware provisioning, patching, or upgrading Encrypts data by default Aurora serverless provides relational dbs, with on demand and automatically scaling. Shuts down when not in use

Answer 107

Variable workloads (Peaks throughout the day) Unpredictable workloads (Peaks of unpredictable traffic) New apps with unknown instance size Multitenant apps where each customer has their own db

Answer 108

Session caching, full page caching, message queue applications, leaderboards

Answer 109

Small and static data, static HTML page or JS pages

Answer 110

On-demand (pay by the hour) and reserved (1 or 3 year term) but high savings

Answer 111

Clients work with database via SQL endpoint at the leader node (leader and compute nodes are grouped into a cluster). This node spins up jobs and distributes to compute nodes that contain the actual data. Leader node aggregates data from compute nodes Compute nodes have their own CPU, memory and disk storage. Jobs are partitioned into slices and allocated compute node resources

Answer 112

On-demand: Pay an hourly rate based on type and number of nodes Concurrency scaling: Per second on demand rate that exceeds free daily credits Reserved Instance: Lots of savings by committing to 1 or 3 yr term Spectrum pricing: Applied when you use this feature. Bytes scanned on S3

Answer 113

6 copies across 3 zones

Answer 114

Instance hosting the database: - On-demand, reserved, serverless (based on capacity) Storage: - per GB per month - I/O Data transferred out to the internet and other AWS regions. Never between services in the same region.

Answer 115

Only a feature for MySQL but allows for single db to span multiple regions for shorter latencies throughout each region

Answer 116

On demand: Pay for compute capacity by the second with no long-term commitments Spot Instances: Unused EC2 capacity. Can save a lot, but not always available Reserved: Discounted but need to pay for 1 or 3yr contract

Answer 117

General Purpose: M4, M5, T2/T3 Burstable Compute Optimized: C4, C5, C5d Memory Optimized: R4, R5

Answer 118

Clusters: Logical grouping of instances within single AZ. Good for low network latency, high network throughput Spread: Placed on distinct racks within data center. Good for small number of critical instances that should be kept separate from each other Partition: Reduce the likelihood of correlated hardware failures of your application. Can be used to deploy large distributed and replicated workloads like HDFS and Cassandra across distinct racks +

Answer 119

General purpose SSD gp2 Provisioned IOPS SSD io1 Throughput HDD st1 Cold HDD sc1 EBS Magnetic standard

Answer 120

1GB to 16TB | 16k IOPS

Answer 121

64k -256k IOPS | This would be for big database workloads

Answer 122

125GB to 16TB Throughput is 500 MiB/s Used for data lakes and data warehouses

Answer 123

Lowest cost block store for infrequently accessed data workloads. Some use cases include file servers and throughput oriented storage for data that is infrequently accessed

Answer 124

1GB to 1TB. Workloads for infrequently used data

Answer 125

Advanced data structures Multi AZ capable Replication Backup and restore

Answer 126

Simple data structures No replication No backups Multiple nodes Multi-threaded No backups

Answer 127

5x for MySQL; 3x for Postgres; Can scale out to 15 replicas

Answer 128

High available cache for DynamoDB. Microsecond latency. Millions of requests per second. API compatible

Answer 129

This is compute optimized instances Anywhere from 3 to 36 vCPUS

Answer 130

Basically better/new get processors that may be more cost-effective/higher performing

Answer 131

Yes, if you enable encryption at the time of launching an RDS instance

Answer 132

Yes, in you enable encryption at the time of launching an RDS instance

Answer 133

Yes once you enable encryption it is done automatically

Answer 134

Aurora Serverless. Not a long running instance.

Answer 135

DynamoDb is a regional service and can exist outside the VPC, whereas Aurora must reside within it.

Answer 136

Dynamo sales much better, and is faster at both reading and writing.

Answer 137

Provide a balance of compute, memory, and network resources Range from M classes: Can provide large amounts of memory, network bandwidth, and many vCPUs. T classes: Burstable performance instances

Answer 138

Sudden, temporary spikes in usage. Instances accumulate CPU credit when workload is operating below baseline threshold. They can trust at any time for as long as needed.

Answer 139

Enterprise-class databases and in-memory applications X and R series, which have varying high performing CPUs

Answer 140

Workloads requiring high sequential read/write access to very large data sets on local storage. High IOPS, low latency

Answer 141

Framework consisting of standards, guidelines, and best practices to manage cybersecurity risks Country agnostic

Answer 142

Permit approved country IP addresses. Prevent banned countries

Answer 143

Deny traffic based on IP Sql injection prevention Cross-site scripting prevention User-agent block Bad bot block Content scraper block

Answer 144

Cloudfront, ALBs, EC2 instances, API Gateways Only pay based on how many rules you deploy and how many web requests your application receives

Answer 145

Isolate tiers of your application within a single VPC. Network segmentation limits the spread and damage of potential attacks. It also reduces the scope when auditing for specific requirements

Answer 146

Deploy a bastion server or use SSM

Answer 147

Specify a destination IP and a target which is the connection by which to send the destination traffic

Answer 148

Uses VPC flow logs, DNS logs, and AWS CT events to use threat intelligence/ML for anomaly detection. Categorizes risk levels and notifies operations team

Answer 149

A way to protect DNS traffic and is a way to protect your domain registered with Router53. DNS spoofing can direct users to malicious websites.

Answer 150

NACLS Generally uses info from headers (IP source or destination) for filtering Fast and no issue with heavy traffic Explicit Deny implicit allow

Answer 151

SGs and Firewalls Can identify TCP connection stages, packet statue, and other key statuses

Answer 152

Denies all inbound and outbound traffic unless you add rules

Answer 153

Allows all inbound and outbound traffic If no NACL are specifically added to subnet, default is provided

Answer 154

In order based on their rule number 10, 20, 30, etc. Will ignore any higher level rule that contradicts lower level rule

Answer 155

Permits all inbound and outbound traffic

Answer 156

Permits no inbound traffic, but allows all outbound traffic

Answer 157

Ensure they don't have a large range of ports open Limit modifications to only certain IAM roles Use ELBs with SGs to restrict access to internet Don't ignore outbound rules

Answer 158

Protection from DDoS attacks Can also pay for additional protection and features, including layer 7 DDoS and AWS Firewall Manager

Answer 159

Centrally configure and manage firewall rules across accounts and app. Can make sure new applications and resources follow common set of security rules.

Answer 160

Yes, and they combine of form a single, combined policy

Answer 161

No, you can only specify allow

Answer 162

Limit connection to instances Manage instances at scale using Run command Patch and update with defined maintenance windows Secure, monitor, and rotate secrets

Answer 163

Provide full key rotation integration with RDS Randomly generates passwords in CloudFormation and stores the password in Secrets Manager Share secrets across different AWS accounts

Answer 164

Session manager, run command, state manager, patch manager, and parameter store

Answer 165

Continuously scans resources to help prioritize patch remediation, meet compliance requirements, identify vulnerabilities sooner. Can indicate overly permissive paths over TCP or UDP at VPC edges

Answer 166

Discover resources Record current state of resources and track historical changes Evaluate config changes against compliance polices Automate remediation

Answer 167

Capture packet metadata like source/destination IP address, ports, protocol, packet size, etc. Cannot monitor payloads Not real-time Should be enabled for packet rejects

Answer 168

Use dedicated bucket for CT logs Implement least-privilege access to buckets where you store log files Enable MFA to delete log storage bucket

Answer 169

Console sign-in requests without MFA IAM policy changes Unauthorized API calls w/in AWS account KMS key configuration changes ACLs, SGs, Route table changes

Answer 170

Existing app that must run on prem but want to use cloud resources and scalability Fast, local access to data Many physical locations to manage with data and want reliable connectivity and simplified maintenance

Answer 171

Facilitates private cloud storage Can bring data into AWS for processing in the cloud. Can also backup, archive and tier your storage Deploys in-cloud and on-prem Will integrate with S3, KMS, EBS etc.

Answer 172

Gateway first writes application data to on-prem disk used for cache storage. Then it uploads the data to AWS Cache acts as durable store for data

Answer 173

S3 FIle gateway, FSx FG, Tape gateway and volume gateway

Answer 174

100GB to 5Tb

Answer 175

Amount of data transferred out of the gateway The type and amount of storage (ex S3) Requests made to the gateway

Answer 176

On prem via VM appliance On AWS via EC2

Answer 177

Public endpoint over internet VPC endpoint via AWS VPN or direct connect FIPS

Answer 178

Initially data is stored on-disk in a cache storage where it is later encrypted and compressed as it moves to upload buffer where it will then traverse the wire to the S3 tape library

Answer 179

No, must go through Storage Gateway for I/O ops. Storage gateway uses an S3 service bucket rather than customer bucket, so content is not accessible

Answer 180

Archive tapes into Glacier Flexible Retrieval or Deep Archive

Answer 181

Number of tapes, capacity, and barcode prefix

Answer 182

Assume role with an associated IAM policy that grants access

Answer 183

EBS volume requests CMK (KMS stores master key) EC2 mounts EBS volume and volume passes encrypted volume key to instance. The instance decrypts the data key with KMS (with master key). Instance now has access to decrypted data key and can encrypt data to EBS

Answer 184

Backing up data to the cloud Archiving long-term, retention based data Building data lakes

Answer 185

Each file that is uploaded to S3 on-prem appliance is paired with a single S3 bucket and uses the appliance's local cache

Answer 186

Yes, unlike tape storage gateway, you can access data directly in S3

Answer 187

Local caching and optimized data transfers to storage in AWS

Answer 188

Storage, requests, and data transfer

Answer 189

S3 does not utilize an upload buffer. Both will allocate a certain amount of space for a cache to prevent frequent lookups in S3/AWS

Answer 190

Yes. Objects are immutable in S3

Answer 191

Yes, they would be connected to separate buckets. However, you can adjust the prefix from each share if it needs to write to the same bucket

Answer 192

POSIX permissions

Answer 193

Cached: low latency to most recent data Stored: Entire dataset is on prem with scheduled backups to S3 Only available with on-prem host platform. Asynchronous point-in-time snapshots to S3. Data is stored durably in S3 service buckets as EBS snapshots. Backups capture only changed blocks. Both use the iSCSI protocol

Answer 194

Centralized backup services that backs up your application data across AWS services

Answer 195

Custom file shares and migrating app data into S3 to transition to using EC2 You want all your data stored locally and require AWS for backup snapshots

Answer 196

Block storage backups, cloud-based DR

Answer 197

Read requests are served locally form the cache and there is no latency. If there's a cache miss, it must retrieve data from the backend data store then returned to the calling application

Answer 198

No, you'll need a snapshot of the prior volume and use it to create a new one of a larger size. You can also used a cached volume

Answer 199

Remove old snapshots

Answer 200

A point in time when volume is consistent from which you can create a snapshot or clone a volume

Answer 201

Add/edit the snapshot schedule. Configure CHAP authentication

Answer 202

IPv4: http://instance-ip/latest/meta-data IPv6: http://[fd00:ec2::hostid-in-ip-address]/latest/meta-data *USES HTTP

Answer 203

No, it is better to use customer generated

Answer 204

Data at rest inside the volume All data moving between the volume and instance All snapshots created from the volume All volumes created from these snapshots

Answer 205

Serverless event bus service that you can connect applications with data to Will receive events and applies rules to route the event to a target

Answer 206

How traffic reaches your application and can control bot traffic and block common attack patterns such as SQL injection and CSS This protects against layer 7 attacks (HTTP) Can only deploy on ALBs, API Gateway, CloudFront

Answer 207

Amazon shield -- free for every AWS customer Can use Shield advanced as a paid service to protect against more sophisticated attacks

Answer 208

Will detect PII stored within S3 across multiple accounts

Answer 209

GuardDuty Can set up CloudWatch events rules and be notified of any findings

Answer 210

Predominantly scanning EC2 for software vulnerabilities , but also for containers pushed to ECR This needs to be applied after a starting up an EC2 instance

Answer 211

Secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2 to protect keys

Answer 212

Single encryption key that is used to encrypt and decrypt data

Answer 213

Public key to encrypt private key to decrypt. Basics of SSL. Also used to sign/verify operations

Answer 214

AWS managed, user keys created in KMS, user keys created outside of KMS

Answer 215

No. If you wanted to copy an EBS encrypted volume to a new region then you'd have to create a new encrypted snapshot and create new volume in new region with new encrypted key

Answer 216

1 year. Previous backing key will be kept active to encrypt old data. CMK ID will remain the same, but backing key will change

Answer 217

You can select a custom date, like 90 days or 180. However, manual key rotation will generate a new CMK ID, so you should make use of key aliases to know which version of the key you want to use

Answer 218

Storing secrets like db-urls and passwords and configuration management. Integrates with KMS for encrypted parameters or can store as plain text Can enforce parameter polices like a custom TTL where a forced update will happen for sensitive data

Answer 219

Secrets manager can enforce rotation every X days and can automatically generate secrets on rotation It is mostly made for RDS

Answer 220

Expand NFS file storage system

Answer 221

Storage gateway

Answer 222

File storage gateway. Users can authenticate with Active Directory

Answer 223

Global, highly-available DNS service where a user's ISP will route url requests to Route53, which will provide the IP You can register domain with Route53 and even purchase the domain name. Can do public or private Uses multiple routing algorithms

Answer 224

"." is the root ".com" is the top level domain ".amazon" is the second level domain "aws." is the subdomain

Answer 225

Root is the label (domain name of node) Zone (holds resources records for node's domain (com.) Resource records: Composed of separate resource records (amazon.com.) Authoritative name server: At least one ANS (aws.amazon.com.)

Answer 226

Extract info from name servers in response to client requests Traverse DNS hierarchy to provide full resolution Cache results based on record's TTL

Answer 227

Builds upon high availability of Regions and AZs Subnets divide VPC Route tables to control traffic going out of subnets Internet Gateway allows access from internet to VPC because otherwise not internet traffic should be allowed NAT gateway allows private subnet resources access to the internet NACLs control access to subnets; stateless

Answer 228

Classless inter-domain routing, which is a method for allocating IP addresses defining a range of addresses Example: 192.168.0.0/26 = 192.168.0.0 - 192.168.0.63 Composed of a base IP and subnet mask (which is how many bits can change in the IP) 192.168.0.0, /0 or /24 or /32

Answer 229

Basically allows part of the underlying IP to get additional next values from the base IP /32 allows for 1 IP 2^0 /31 allows for 2 IP 2^1 /30 allows for 4 IP 2^2 /24 allows for 256 IP 2^8 Allows for 1 of the octets in the IP address to change so 256 * 256 amount of options

Answer 230

10. 0.0.0/8 in big networks 172. 16.0.0/12 AWS default VPC in that range 192. 168.0.0/16 for home networks

Answer 231

around 65,000 per CIDR. CIDR blocks will contain a subnet mask of 16 Can add multiple CIDRs within a VPC though. Can have up to 5

Answer 232

Yes, and each subnet has its own CIDR block

Answer 233

Provides a network route for packets to leave VPC to IGW and to the internet. Will require an additional entry within the route table to specify that Then need to associate public route tables with public subnets

Answer 234

To allow an admin to have access to a public facing instance to log into other resources within private subnets that they have permissions to It will have its own SGs and NACLs Make sure it only has port 22 traffic from the IP address you need

Answer 235

Allow outbound traffic from resources within a private subnet. Will allow outbound traffic (0.0.0.0/0) to be added to private route table with the NAT gateway as the target NAT gateways will have access to public route tables

Answer 236

Traffic that exists an instance is still able to return to that instance as inbound traffic even if no rule exists. It's able to remember a request.

Answer 237

Contains an outbound and inbound rule, and both must be considered for a round trip process Doesn't mattered if traffic was allowed in, it will be checked again

Answer 238

There are no subnet boundaries between instances, so still need SGs

Answer 239

Uses dedicated private connections between on-prem infrastructure and cloud account with consistent network performance and lower bandwidth costs This is accomplished with private VLANS

Answer 240

10Gbps and 1 Gbps

Answer 241

Big data, latency, DR, and hybrid cloud

Answer 242

Fully managed global network traffic manager Route53 can send a more permanent and resilient IP address for ALBs in the case that the client caches the IP but it changes for some reason Can provide great network/application reliability

Answer 243

5. So keep this in mind when choosing the correct subnet size

Answer 244

Will need to create multiple NAT gateways in multiple AZs

Answer 245

Accepts everything inbound/outbound with the subnets its associated with

Answer 246

Client that make requests to servers will open up an ephemeral port to accept response, so outbound NACL policies need to specify a port range provided by host OS. And the client will need to allow inbound TCP connections on the same port range.

Answer 247

SGs will evaluate all rules before deciding to allow traffic NACLs will evaluate rules from lowest to highest and first match wins

Answer 248

Can test connection between two endpoints within VPC to see if NACLs and SGs are configured as expected

Answer 249

Initially need to create a VPC Peering connection Then will need to modify route tables. One for the subnet route table for the resources that need to be peered and for the VPC route table with the peering connection as the target

Answer 250

Allows resources within VPC to access AWS resources without traversing the public internet with a private connection More efficient than relying on NAT and Internet gateways

Answer 251

Interface: Provision an ENI (private IP address) as an entry point with SG Gateway endpoints: Provision gateway that must be used as a target in the route table Only works for S3 and DynamoDB

Answer 252

Disable the DeleteOnTermination attribute for the EBS volumes

Answer 253

No, they can only allow certain traffic. So will need the help of NACLs

Answer 254

Works at layer 7 so can take action based on things in that protocol such as paths, headers, and hosts

Answer 255

Doesn't worry about upper layer protocol so it's much faster Easier to integrate with security and firewall products

Answer 256

Load balances third-party virtual appliances (like firewalls and intrusion detection systems)

Answer 257

Yes, and when they do the more specific one takes precedence

Answer 258

No, just subnets and AZs

Answer 259

Yes. Generally you'll want to replicate each of your subnets in each AZ within the region

Answer 260

Yes. It cannot go across regions

Answer 261

Clients have ephemeral ports, so unable to determine which ones would be allowed

Answer 262

No, they have no inbound rules by default

Answer 263

1 IG per VPC, but multiple NATs since they cannot span AZs, so would need one for each AZ

Answer 264

Much better network performance, decreasing latency and maximizing bandwidth However, not most resilient since it'll be in the same AZ and event the same rack Restricts the availability to deploy EC2 instances since need to find space for multiple instances

Answer 265

Add an additional CIDR block.

Answer 266

Use a weighted policy to distribute traffic between two ELBs

Answer 267

WAF in front of an ALB

Answer 268

NLB. CLB and ALB will only show the IP address of those LBs to target EC2 instance

Answer 269

Geographical restrictions - white/black list at country level Caching custom error pages

Answer 270

Create a Web Access Control List (WAF)

Answer 271

Health check settings are defined on a per target group basis

Answer 272

Customer gateway deployed to on prem data center and site-to-site VPN connection with Virtual private gateway enabled on VPC Can connect to Customer Gateway over public IP or a private IP using a NAT device (NAT device would have a public IP) Need to enable route propagation for VPG in the route table associated with subnets

Answer 273

It is a dedicated private connection from a remote network to your VPC You'll need to setup a Virtual Private Gateway on your VPC Can access private sources (EC2) and need VPG and public (S3) don't need a VPG

Answer 274

Increased bandwidth throughput when working with large data sets More consistent network experience Supports hybrid environemtns

Answer 275

Direct Connect Gateway

Answer 276

Dedicated Connections - 1GB - 10GB. Physical port dedicated to a customer Hosted Connections: 50Mbps, 500Mbps, 10 Gbps and capacity can be added or removed on demand * Both take over a month to establish

Answer 277

Can setup multiple Direct Connect locations in the case that one fails. Both will point to the same VPG in a region

Answer 278

Deploy multiple direct connect locations each with multiple connections

Answer 279

Over the public Internet VPC Peering - although this opens the entire network and you may only want to expose one service AWS PrivateLink (VPC Endpoint Services)

Answer 280

Will have to connect service application (within separate VPC) to a NLB and then create an ENI and attach to consuming service. Then can establish a private link

Answer 281

Transitgateway

Answer 282

Route tables: Specify which VPC and talk to another

Answer 283

Use VPN to transit gateway with ECMP which increases the amount of tunnels as opposed to the traditional VPN connection through Virtual private gateway. Can then add more site-to-site VPN connections to get more throughput

Answer 284

Yes, can allow transit gateway to connect with direct connect gateway and connect to direct connect location to a customer router.

Answer 285

Allows you to capture and inspect network traffic in your VPC by routing inbound and outbound traffic to its original destination as well as a NLB with EC2 instances running security appliances

Answer 286

Yes, and both can communicate to the internet through an internet gateway

Answer 287

Create a new CIDR within your subnet

Answer 288

Add IPv6 CIDR address to subnet and enable auto-assign Go to instance and assign an IPv6 address Will need to modify SG to allow for IPv6 traffic Typically IPv6 CIDR group within subnet will be added to route table and then can communicate with one another over IPv6

Answer 289

Keeping inbound IPv6 connections to VPC, but allowing outbound IPv6 connections Will need to update route tables to reflect connecting outbound traffic with a target of the egress-only IG

Answer 290

IPv4: 0.0.0.0/0 IPv6: ::/0

Answer 291

Yes. Requires a customer gateway on datacenter and a Virtual private gateway on VPC and site-to-stie VPN over public internet

Answer 292

Direct Connect. Setup a VPG on the VPC and establish a direct private connection to a Direct Connect location

Answer 293

Enable DNS resolution and DNS hostnames in VPC

Answer 294

VPC Endpoint Services ( AWS PrivateLink)

Answer 295

Allows for secure communication across multiple network sites and does not require a VPC

Answer 296

Private Link is used for secure communication from services within a VPC to AWS services outside VPC (VPC Endpoint) not on the public internet Direct Connect is secure communication between VPC and on-prem networks that don't traverse the public internet

Answer 297

Shuts down the instance but stores the current RAM contents to a volume and when rebooted loads back that volume

Answer 298

Static IPv4 addresses associated with AWS account Can associate them with any other instance or ENI and can remap them to another instance in your account in the case of an instance failure Not used when Load Balancers are being used

Answer 299

UDP, TCP, ICMP

Answer 300

Create and edit components within VPC

Answer 301

Launch resources within their assigned subnets

Answer 302

Private VIFS allows access to VPC IP address Public VIFS allow access to AWS Public IP address space

Answer 303

Customer gateways deployed on-prem and AWS DX devices which will connect to a DX Gateway and can then connect to a transit gateway to spread traffic over multiple VPCs

Answer 304

Route clients to closest health endpoint Client ingress traffic is routed through closest available edge location

Answer 305

No, they're chose for you

Answer 306

Geolocation routing policy, geoproximity routing policy, latency routing policy, weighted routing, IP-based policy

Answer 307

Route users based on their location to closest resources

Answer 308

Route traffic based on the location of your resources

Answer 309

When you have resources in multiple regions and you want to route based on which provides the best latency

Answer 310

Route traffic to multiple resources in proportions that you specify

Answer 311

A process that checks for connection requests using the protocol and port you configure; Rules that you define for a listener is how the load balancer routes the requests

Answer 312

Destination for traffic based on the established listener rules

Answer 313

Each target groups routes requests to one ore more registered targets. A target can be registered with multiple groups

Answer 314

Path: Rules that forward requests to different target groups based on URL Host: Forward requests to different target groups based on host name

Answer 315

EC2, ECS, DynamoDB, Aurora

Answer 316

Optimize for availability, availability and cost, optimize for cost

Answer 317

Set a metrics like CPU utilization and target value

Answer 318

Text based descriptions of CloudFormation stacks that you can use to define all your resources and is stored as a text file in JSON or YAML

Answer 319

Collection of resources that you can manage as a single unit

Answer 320

They can enforce specific standards your organization sets for your resources Can also help to ensure consistency They help custom resources manage the lifecycle of resources outside of what is defined in the Cloudformation template

Answer 321

Orchestrator for distributed applications, sequential processing of tasks. Consists of workflow with multiple tasks and deciders and maintains a history of all the activities. Have multiple, separate workflows within a domain Essentially an Airflow competitor as a fully managed state tracker

Answer 322

Video encoding: Video upload triggers a workflow execution E-Commerce App:

Answer 323

Fully managed pub/sub messaging and mobile communications service

Answer 324

Yes, 14 days

Answer 325

Reduce the number of API requests to SQS

Answer 326

SQS Temporary Queue client

Answer 327

Can use both to create the fan out pattern where some app/service will submit a message to SNS and there will be multiple SQS queues subscribing to that topic and will fan out to other downstream services subscribed to the SQS topic

Answer 328

Message filtering

Answer 329

Data Streams Video Streams Analytics Streams Firehose

Answer 330

S3, Redshift, and ElasticSearch Can also write to a number of 3rd party services

Answer 331

Yes, at the shard level

Answer 332

ETL, Data and Analytics/Big data

Answer 333

Synchronous: Invoker expects response (API Gateway) Async: Events are queued and requestor doesn't wait Polling: Lambda will poll services like Kineses, SQS, and DynamoDB streams Async and Polling have built in retry mechanisms, but synch does not have retries

Answer 334

Controls what the function can do

Answer 335

Memory, Timeout, Concurrency

Answer 336

Based on the amount of invocations and the duration. The price will also depend on the memory allocated to the function

Answer 337

15 minutes, 1000, and 10 GB of RAM

Answer 338

Provisioned is used for planning read/write capacity ahead of time On-demand should scale dynamically based on workload, thus is more expensive

Answer 339

Table replication across regions with two-way replication, which helps reduce latency across regions. So any write in an region will be replicated on the other

Answer 340

Allows you to optimize queries on attributes other than the primary key (partition key + sort key)

Answer 341

Private: Only exposed on your using an VPC Endpoint Regional: For clients within same region Edge optimized: Requests are routed through edge locations

Answer 342

IAM permissions for API Gateway

Answer 343

Lambda authorizer (IAM based) and Cognito

Answer 344

Uses a federated identity provider to submit token to federated identity server, then gets credentials from STS and provides temporary AWS creds to client

Answer 345

Provides a mechanism/API to interact with ECS cluster tasks and can define ALBs/NLBs and ASGs for tasks. Groups tasks together

Answer 346

Serverless platform where you don't have to manage the EC2 instances in an ECS cluster. Just need to create task definitions

Answer 347

Assign each task a role with a policy to connect to whichever AWS service is needed

Answer 348

Yes. Cannot use S3 as a task file system

Answer 349

Can define memory and CPU utilization at the service level, adding additional tasks ECS capacity providers and scale EC2 instances if more tasks need to be added greater than the original capacity