AWSexam_1 Flashcards

Question 1

Q

Invention requires two things

Answer

A

The ability to try a lot of experiments, and
Not having to live with the collateral damage of failed experiments

Question 2

Q

What is a region?

Answer

A

A physical location in the world which consists of 2 or more availability zones.

Question 3

Q

What is an availability zone?

Answer

A

An availability zone is one or more discrete data centers, each with redundant power, networking and connectivity, housed in separate facilities.

Question 4

Q

What are edge locations?

Answer

A

Edge locations are endpoints for AWS which are used for catching content. Typically this consists of CloudFront which is Amazon’s CDN.

Question 5

Q

What is IAM and what is it for?

Answer

A

Identity Access Management = Allows you to manage users and their level of access to the AWS console.

Question 6

Q

What are the 4 key terms for IAM?

Answer

A

Users
1. end-users such as employees
Groups
1. A collection of users (with certain permissions)
Policies
1. Permission documents
Roles
1. Some have more power than others

Question 7

Q

Is IAM regional or global?

Answer

A

Everything you do in IAM is GLOBAL

This goes for both managing users and managing policies.

Question 8

Q

What is the root account (IAM)?

Answer

A

simply the account created when first setting up your AWS account

Important to have two-factor authentication activated for the root account.

Question 9

Q

What permissions do users have when first created?

Answer

A

NONE. No permission whatsoever. Needs to be added.

but.. new users are assigned Access Key ID & Secret Access Keys when first created (note you only get to see these once)

Question 10

Q

What does power users access allow?

Answer

A

access to all AWS services EXCEPT the management of groups and users within IAM

Question 11

Q

In what language are IAM policy documents written?

Question 12

Q

Using SAML (Security Assertion Markup Language 2.0), you can give your federated users single sign-on (SSO) access to the AWS Management Console (TRUE or FALSE)?

Question 13

Q

What is S3?

Answer

A

Simple Storage Service

S3 provides developer and IT teams a safe place to store files (across multiple devices)

object-based storage

Question 14

Q

How big files can you upload to S3?

Answer

A

0 bytes to 5 Terabytes

(unlimited storage but you pay by gigabytes)

Question 15

Q

What does “S3 is a universal namespace” mean?

Answer

A

that names must be unique GLOBALLY

Question 16

Q

How are files stored in S3?

Answer

A

in Buckets

Question 17

Q

What do you receive from S3 when your upload is successful?

Answer

A

a HTTP 200 code

Question 18

Q

How is the data consistency model in S3?

Answer

A

Read AFTER write consistency for PUTS of new objects
- can read immediately after write
Eventual consistency for overwrite PUTS and DELETES (can take some time to propagate)
- if updating or deleting updates, you might get different versions if reading it immediately after but eventually it will be consistent

Question 19

Q

What does S3 objects consist of?

Answer

A

Keys
- the name of the object
Value
- the data (made up of a sequence of bytes)
Version ID
- important for versioning
Metadata
- Data about data you are storing (tags etc.)
Sub-resources
- Access control lists (permissions to access files)

Question 20

Q

How high availability do you have with S3?

Answer

A

Built for 99.99 % availability (four 9s)
Amazon guarantees 99.9 % availability (three 9s)
- and Amazon guarantees 99.999999999 % DURABILITY for S3 information (eleven 9s = your files will not disappear)

BUT depending on the storage tier used.

Question 21

Q

What are the S3 storage tiers?

Answer

A

S3 Standard
- 99.99 % availability and 99.999999999 durability
- Stored redundantly across multiple devices in multiple facilities and is designed to sustain the loss of 2 facilities concurrently
S3 - Infrequently Accessed
- (cheaper than S3)
- For data that is accessed less frequently but requires rapid access when needed
S3 One Zone infrequently accessed
- low-cost option for infrequently accessed data (but relatively fast retrieval)
- do not require the multiple availability zone data resilience (only in 1 availability zone)
- Availability 99.50 %
S3 - Intelligent Tiering
- designed for cost-efficiency by automatically moving data to the most cost-effective access tier, without performance impact or operational overhead
S3 Glacier
- Retrieval times from minutes to hours
S3 Glacier Deep Archive
- cheapest storage option but used for archival only
- retrieval time of 12 hours is acceptable

Question 22

Q

What characterises S3 standard?

Answer

A

99.99 % availability and 99.999999999 durability
Stored redundantly across multiple devices in multiple facilities and is designed to sustain the loss of 2 facilities concurrently

Question 23

Q

What characterises S3 IA?

Answer

A

S3 - Infrequently Accessed
- (cheaper than S3)
- For data that is accessed less frequently but requires rapid access when needed

Question 24

Q

What characterises S3 One Zone?

Answer

A

S3 One Zone infrequently accessed
- low-cost option for infrequently accessed data (but relatively fast retrieval)
- do not require the multiple availability zone data resilience (only in 1 availability zone)
- Availability 99.50 %

Question 25

Q

What characterises S3 Intelligent Tiering?

Answer

A

designed for cost-efficiency by automatically moving data to the most cost-effective access tier, without performance impact or operational overhead

Question 26

Q

What characterises S3 Glacier?

Answer

A

Retrieval times from minutes to hours

Question 27

Q

What characterises S3 Glacier Deep Archive?

Answer

A

cheapest storage option but used for archival only
retrieval time of 12 hours is acceptable

Question 28

Q

What determines charges in S3?

Answer

A

Storage
Requests
Storage Management Pricing (meta-data)
Data Transfer Pricing
Transfer Acceleration

Question 29

Q

What is transfer acceleration?

Answer

A

Amazon S3 Transfer acceleration enables fast, easy, and secure transfer of files over long distances between your end users and an S3 bucket.

=> CloudFront CDN

Question 30

Q

What types of encryption can you make in S3?

Answer

A

Client Side Encryption
Server Side Encryption
- with Amazon S3 Managed Keys => SSE-S3
- with KMS => SSE-KMS
- with Customer Provided Keys => SSE-C

Question 31

Q

What are the default settings for Buckets in S3?

Answer

A

Buckets are by default PRIVATE and All objects inside are PRIVATE by default

Question 32

Q

What region does he recommend?

Answer

A

US East (N. Virginia) - where all new services come out first - however, goes out more often

Question 33

Q

What are Regions?

Answer

A

Distinct geographical areas - and each region always consists of two or more availability zones

A Region is a physical location in the world which consists of two or more Availability Zones (AZ)

Question 34

Q

What is an Availability Zone (AZ)?

Answer

A

An Availability Zone (AZ) is one or more discrete data centers, each with redundant power, networking and connectivity, housed in separate facilities.

Question 35

Q

What is an Edge Location?

Answer

A

Edge Locations are endpoints for AWS which are used for caching content. Typically this consists of CloudFront, Amazon’s Content Delivery Network (CDN)

Example: someone from Sydney downloads something from New York - the content can be cached in Sydney so someone else from Sydney can download it directly from Sydney instead of NY.

Question 36

Q

What are the differences between the four different AWS plans?

Answer

A

Can be typical exam questions!

Question 37

Q

Q1: An AWS VPC is a component of which group of AWS services?

Answer

A

Networking Services

A Virtual Private Cloud (VPC) is a virtual network dedicated to a single AWS account. It is logically isolated from other virtual networks in the AWS cloud, providing compute resources with security and robust networking functionality.

Question 38

Q

Q2: Which of the below are storage services in AWS? (Choose 2)

Answer

A

S3 and EFS both provide the ability to store files in the cloud. EC2 provides compute, and is often augmented with other storage services. VPC is a networking service. Further information:

https://aws.amazon.com/efs/https://aws.amazon.com/s3/https://aws.amazon.com/ec2/https://aws.amazon.com/vpc/

Question 39

Q

Q3: Which of the following is correct?

Answer

A

of Edge Locations > # of Availability Zones > # of Regions

The number of Edge Locations is greater than the number of Availability Zones, which is greater than the number of Regions. Further information: https://aws.amazon.com/about-aws/global-infrastructure/

Question 40

Q

Q4: Which of the below are compute service from AWS? (Choose 2)

Answer

A

Both Lambda and EC2 offer computing in the cloud. S3 is a storage offering while VPC is a network service. Further information: https://aws.amazon.com/ec2/https://aws.amazon.com/lambda/https://aws.amazon.com/s3/https://aws.amazon.com/vpc/

Question 41

Q

Q5: Which of the below are database services from AWS? (Choose 2)

Answer

A

RDS is a service for relational databases provided by AWS. DynamoDB is AWS’ fast, flexible, no-sql database service. S3 provides the ability to store files in the cloud and is not suitable for databases, while EC2 is part of the compute family of services. Further information: https://aws.amazon.com/dynamodb/https://aws.amazon.com/rds/https://aws.amazon.com/ec2/https://aws.amazon.com/s3/

Question 42

Q

Q6: Which of the following are a part of AWS’ Network and Content Delivery services? (Choose 2)

Answer

A

Cloudfront + VPC

VPC allows you to provision a logically isolated section of the AWS where you can launch AWS resources in a virtual network. Cloudfront is a fast, highly secure and programmable content delivery network (CDN). EC2 provides compute resources while RDS is Amazon’s Relational Database System. Further information: https://aws.amazon.com/vpc/https://aws.amazon.com/cloudfront/https://aws.amazon.com/ec2/https://aws.amazon.com/rds/

Question 43

Q

Q7: In which of the following is CloudFront content cached?

Answer

A

CloudFront content is cached in Edge Locations.

Question 44

Q

Q8: Which of the below are factors that have helped make public cloud so powerful? (Choose 2)

Answer

A

Not having to deal with the collateral damage of failed experiments

The ability to try out new ideas and experiment without an upfront commitment

Public cloud allows organisations to try out new ideas, new approaches and experiment with little upfront commitment. If it doesn’t work out, organisations have the ability to terminate the resources and stop paying for them. Further information: https://docs.aws.amazon.com/whitepapers/latest/aws-overview/six-advantages-of-cloud-computing.html

Question 45

Q

Q9: What is an Amazon VPC?

Answer

A

VPC stands for Virtual Private Cloud. Further information: https://aws.amazon.com/vpc/

Question 46

Q

Q10: Which statement best describes Availability Zones?

Answer

A

Distinct locations from within an AWS region that are engineered to be isolated from failures.

An Availability Zone (AZ) is a distinct location within an AWS Region. Each Region comprises at least two AZs. Further information: https://aws.amazon.com/about-aws/global-infrastructure/

Question 47

Q

Q11: What does an AWS Region consist of?

Answer

A

A distinct location within a geographic area designed to provide high availability to a specific geography.

Each region is a separate geographic area. Each region has multiple, isolated locations known as Availability Zones. Further information: https://aws.amazon.com/about-aws/global-infrastructure/

Question 48

Q

Q12: What is an AWS region?

Answer

A

A region is a geographical area divided into Availability Zones. Each region contains at least two Availability Zones.

Question 49

Q

What is IAM and what is it for?

Answer

A

Identity Access Management = Allows you to manage users and their level of access to the AWS console.

Question 50

Q

What features does IAM offer?

Answer

A

Centralised control of your AWS account
Shared access to your AWS account
Granular permissions
Identity Federation (including Active Directory, Facebook, LinkedIn, etc.)
Multi Factor Authentication
Temporary access for users/deviced and services
Set up own password rotation policy
Integrates with many AWS services
Support PCI DSS Compliance (e.g. when taking credit card details)

Question 51

Q

What are the 4 key terms for IAM?

Answer

A

Users
1. end-users such as employees
Groups
1. A collection of users (with certain permissions)
2. Each user of inherit the permissions of the group
Policies
1. Permission documents
Roles
1. Some have more power than others

Question 52

Q

What group does IAM belong to in AWS?

Answer

A

Security, Identity, and Compliance

Question 53

Q

What is the root account in IAM?

Answer

A

The account you can do EVERYTHING with and has unlimited resources.

Question 54

Q

What are the three multi factor authentication (MFA) for IAM?

Answer

A

Virtual MFA device, U2F security key, Other hardware MFA device

Question 55

Q

What region does IAM apply to?

Answer

A

Global - i.e. ALL regions

Question 56

Q

What access do users have when first created?

Answer

A

No access at all

Question 57

Q

What are users assigned when first created in IAM?

Answer

A

An Access Key ID and Secret Access Key (these are not those you use to login to the AWS console, but can be used with APIs and command line access). They can only be viewed once.

Question 58

Q

What should you always do with your root account?

Answer

A

Use multi factor authentication

Question 59

Q

What group does CloudWatch belong to in AWS?

Answer

A

Management & Governance

Question 60

Q

What does S3 stand for?

Answer

A

Simple Storage Service

Question 61

Q

What is an object in S3?

Answer

A

Simply a file that consist of:

Key (name of file), Value (data of the file), Version ID, Metadata (data about data)

Question 62

Q

What is a bucket in S3?

Answer

A

Simply a folder - their name must be unique as this is what appears on the web-address

Question 63

Q

How does data consistency work for S3?

Answer

A

Read after Write for PUTS of new Objects

Eventual Consistency for overwrite PUTS and DELETES

Question 64

Q

What are the AWS guarantee of S3?

Answer

A

Built for 99.99% availability

Guaranteed 99.9% availability

Guaranteed 11x9s durability

Answer 63

A

S3 Standard (designed to sustain loss of 2 facilities concurrently)

S3 - IA (Infrequently Accessed) but needs rapid access when needed (charged retrieval fee)

S3 One Zone - IA (RRS) (Infrequently Accessed) same as above but just for one zone

S3 Intelligent Tiering (uses AI to intelligently move your files to correct tier)

S3 Glacier (used for archiving but retrieval takes from minutes to hours)

S3 Glacier Deep Archive (cheapest option where retrieval takes 12 hours)

Answer 64

A

Storage, Requests, Storage Management Pricing, Data Transfer Pricing, Transfer Acceleration, Cross Region Replication Pricing

Answer 65

A

Turn on multi factor authentication delete

Answer 66

A

The FAQ: https://aws.amazon.com/s3/faqs/

Answer 67

A

Encryption in transit = HTTPS
- Achieved through SSL/TLS
Encryption at rest (server side)
- Achieved by
  - S3 Managed Keys (SSE-S3) (Amazon manages for you)
  - AWS Key Management Service (SSE-KMS) - you manage with Amazon
  - Server Side Encryption with Customer provided keys (SSE-C) - you provide keys to amazon
Client Side encryption
- You just upload an encrypted object

Answer 68

A

Stores all versions of an object (including all writes and even if you delete an object)
=> GREAT backup tool

Answer 69

A

No… Once enabled, versioning cannot be disabled, only suspended.

Answer 70

A

A feature in S3 versioning, which requires the use of multi-factor authentication to provide an additional layer of security for when you try to delete things.

Answer 71

A

Yes…

you will return to not being accessible / all blocked and you have to allow access again.

Answer 72

A

it will still keep the earlier versions in the versioning backup - it just puts a delete marker as the most recent version.

Answer 73

A

Automates moving your objects (files) between different storage tiers

E.g. if you want it in S3 standard and later want it in S3 infrequently accessed (IA) depending on time

Answer 74

A

The files will NOT be in the new bucket.

The new bucket will have the same permissions as in the other region but the objects/files will not be present.

Answer 75

A

Versioning must be enabled on both the source and destination buckets

Answer 76

A

NEW files will be automatically replicated across the two region buckets but existing files at creation will not appear.

Answer 77

A

No - neither individual deletes nor delete markers

Answer 78

A

S3 transfer acceleration utilises the CloudFront Edge Network to accelerate your upload to S3 (CDN)

….so from edge location to S3 bucket in availability zone

Answer 79

A

You simply upload to an edge location that then uploads to the main bucket instead of you uploading directly to the main bucket, which can be slower.

Answer 80

A

CloudFront
- Amazon’s Content Delivery Network (CDN)
Edge Location
- Location where content will be cached
Origin
- Origin of all the files that the CDN will distribute. This can be an S3 Bucket, an EC2 instance, an Elastic Load Balancer or Route52
Distribution
- Name given to the CDN which consists of a collection of edge locations (Web Distributions and RTMP distributions)

Answer 81

A

websites (part of cloudfront)

Answer 82

A

Media Streaming (part of cloudfront)

Answer 83

A

Both - you can certainly read from them but you can also write = put an object in them (which should be more or less the same as transfer acceleration)

Answer 84

A

Time To Live = the time objects are cached for in the cdn distribution. up to the user to set TTL

Answer 85

A

they will be deleted BUT you will be charged.

Answer 86

A

E.g. if only paying customers can access the content they need to have a signed URL to access the content (e.g. Netflix)

Answer 87

A

A way to quickly remove/invalidate content from the CloudFront, e.g. if you uploaded the wrong media or there is an error (but you’ll be charged).

Answer 88

A

Petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data in and out of S3 AWS = a big desk.

50TB or 80TB

Answer 89

A

up to 100TB data WITH on-board storage and compute capabilities

useful to support local workloads in remote or offline locations (such as on an airplane)

= a portable version of AWS essentially

Answer 90

A

An EXABYTE-scale data transfer service. Up to 100 PB per snowmobile, which is a 45-foot long shipping container.

Answer 91

A

Service that connects on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization’s on-premises IT environment and AWS’s storage infrastructure.

Answer 92

A

File Gateway (NFS & SMB)
- files are stored in your S3 bucket
Volume Gateway (iSCSI)
- Stored Volumes
  - store your ENTIRE primary data locally and backed up in AWS
- Cached Volumes
  - only has the most frequently used data locally (NOT entire data)
Tape Gateway (VTL)
- way to archive your data in the AWS cloud = good to move your backup to the cloud

Answer 93

A

Access to all AWS services except the management of groups and users within IAM.

Answer 94

A

https://s3-eu-west-1.amazonaws.com/acloudguru1234

Answer 95

A

Glacier: The recovery rate is a key decider. The record shortage must be; safe, durable, low cost, and the recovery can be slow.

Answer 96

A

No access to any AWS services.

Answer 97

A

Organizational Units

Answer 98

A

99.50% OneZone-IA is only stored in one Zone. While it has the same Durability, it may be less Available than normal S3 or S3-IA.

Answer 99

A

Grant her Administrator access by adding her to the Administrators’ group.

Answer 100

A

IAM allows you to manage users, groups, roles, and their corresponding level of access to the AWS Platform.

Answer 101

A

CloudFront Signed Cookies

CloudFront Signed URLs

CloudFront Origin Access Identity

Answer 102

A

An AWS service designed for long term data archival.

Answer 103

A

Will be able to interact with AWS using their access key ID and secret access key using the API, CLI, or the AWS SDKs.

Answer 104

A

Remove the ability for images to be served publicly to the site and then use signed URLs with expiry dates.

Answer 105

A

Administrator Access

Answer 106

A

Design your application to use the Multipart Upload API for all objects.

Answer 107

A

You will need to configure Users and Policy Documents only once, as these are applied globally.

Answer 108

A

S3 - One Zone-Infrequent Access

Answer 109

A

Create individual user accounts with minimum necessary rights and tell the staff to log in to the console using the credentials provided.

Create a customized sign-in link such as “yourcompany.signin.aws.amazon.com/console” for your new users to use to sign in with.

Answer 110

A

Simple Storage Service

Answer 111

A

overwrite PUTS and DELETES

Answer 112

A

Read After Write Consistency

Answer 113

A

You cannot log in to the AWS console using the Access Key ID / Secret Access Key pair. Instead, you must generate a password for the user, and supply the user with this password and your organization’s unique AWS console login URL.

Answer 114

A

Implement Multi-Factor Authentication for all accounts.

Answer 115

A

Bucket names are global, not regional. This is a popular bucket name and is already taken. You should choose another bucket name.

Answer 116

A

It is a physical or virtual appliance that can be used to cache S3 locally at a customer’s site.

Answer 117

A

No Permissions

Answer 118

A

IAM allows you to set up biometric authentication, so that no passwords are required.

Answer 119

A

Set up an account using their company email address.

Answer 120

A

S3 - OneZone-IA is the recommended storage for when you want cheaper storage for infrequently accessed objects.

Answer 121

A

S3 - IA Glacier has a long recovery time at a low cost or a shorter recovery time at a high cost, and 1Zone-IA has a lower Availability level which means that it may not be available when needed.

Answer 122

A

Enact a strong password policy: user passwords must be changed every 45 days, with each password containing a combination of capital letters, lower case letters, numbers, and special symbols.

Answer 123

A

Change the trigger level to around 3000 as S3 can now accommodate much higher PUT and GET levels.

Answer 124

A

a web service that provides resizable compute capacity in the cloud

reduces the time required to obtain and boot new server instances to minutes, allowing you to quickly scale capacity, both up and down, as your computing requirements change.

Answer 125

A

As you go, for what you use, less as you use more, and even less when you reserve capacity

4 overall options:

On Demand = fixed rate by the hour (or by the second) with no commitment
Reserved = capacity reservation (contracts of 1-3 years but significant discounts)
Spot = when Amazon has excess capacity, you can bid whatever price you want for instance capacity. Great if you have flexible start and end times for your needs
Dedicated Hosts = physical EC2 servers dedicated for your use

Answer 126

A

Low cost and flexible with no up-front payment or long-term commitment
applications with short term, spiku, or unpredictable workloads that cannot be interrupted
New tests on EC2

Answer 127

A

Steady state or predictable usage
Applications that require reserved capacity
when you can afford making up-front payments

Standard reserved instances (up to 75 % off)
Convertible Reserved instances (up to 54 % off)
Scheduled Reserved Instances (specific time windows)

Answer 128

A

Applications that have flexible start and end times as Amazon can buy them back

Applications that are only feasible at very low compute prices

Users with urgent computing needs for large amounts of additional capacity

Answer 129

A

For regulatory requirements
Great for licensing which does not support multi-tenant or cloud deployments (like licenses with Oracle)
Can be purchased on-demand (hourly)
Can be purchased as a reservation for up to 70 % off standard price

Answer 130

A

If the Spot instance is terminated by Amazon EC2, you’ll not be charged for a partial hour of usage. However, if you terminate the instance yourself, you’ll be charged for any hour in which the instance ran.

Answer 131

A

low cost, general purpose instances (used for web servers and small databases)

Answer 132

A

If terminated by Amazon, you will not be charged for a partial hour of usage.

However, if you terminate the instance yourself, you will be charged for any hour in which the instance ran.

Answer 133

A

Instance Output Per second = how fast your harddisk drive is

Answer 134

A

yes… Even from the beginning when you create it

can also be encrypted using third party tools such as bit locker

Answer 135

A

It is turned OFF by default so you must turn it on

Answer 136

A

On an EBS-backed instance, the default action is for the root EBS volume to be deleted when the instance is terminated

Answer 137

A

IMMEDIATELY

Answer 138

A

it also creates an outbound rule at the same time

Answer 139

A

the security is set to block ALL inbound traffic by default

(all outbound traffic is allowed)

Answer 140

A

any number

Answer 141

A

No… you can have multiple security groups attached to one EC2 instance

Answer 142

A

if you create an inbound rule allowing traffic in, that traffic is automatically allowed back out again

Answer 143

A

Using Network Access Control Lists

(NOT using security groups)

Answer 144

A

NO!

only allow rules (no deny rules)

(deny rules can be made in Network Access Control Lists but that is different)

Answer 145

A

Elastic Block Store

= virtual hard disk in the cloud that provides persistent block storage volumes for use with Amazon EC2 instances.

Answer 146

A

General Purpose SSD
- Most workloads
Provisioned IOPS SSD
- Databases
Throughput Optimised HDD
- Big data and data warehouses
Cold HDD (also magnetic)
- File servers
EBS Magnetic
- workloads where data is infrequently accessed

Answer 147

A

EBS volumes will always be in the same availability zone as your EC2 instance

Answer 148

A

By default, the ROOT volume is terminated together with the EC2 instance.

However, additional volumes are not deleted unless specified.

Answer 149

A

photographs of the hard disk

(point in time copies of volumes)

Answer 150

A

only the blocks that have changed since your last snapshot are moved/replicated to S3

Answer 151

A

you should stop the instance before taking the snapshot when trying to create a snapshot for Amazon EBS volumes that serve as root devices

but… you can also take a snapshot while the instance is running.

Answer 152

A

on the fly

both size and storage types can be changed any time.

Answer 153

A

take a snapshot of it, create an AMI from the snapshot and then use the AMI to launch the EC2 instance in a new availability zone.

Answer 154

A

take a snapshot of it, create an AMI from the snapshot and then COPY the AMI from one region to the other

Next, use the copied AMI to launch the new EC2 instance in the new region

Answer 155

A

EBS Volumes
- root device for an instance launched from the AMI is an Amazon EBS Volume created from an Amazon EBS snapshot
Instance Store Volumes (Ephemeral Storage)
- root device for an instance launched from the AMI is an instance store volume created from a template stored in Amazon S3.

Answer 156

A

Region
Operating system
Architecture (32bit or 64bit)
Launch permissions
Storage for the root device
1. Instance Store Volumes
2. EBS Backed Volumes

Answer 157

A

CANNOT be stopped.
- If the underlying host fails, you will lose your data
can reboot

Answer 158

A

CAN be stopped
- will not lose your data if it is stopped
can reboot
can tell AWS to keep the root volume when terminating the EBS volume if you want

Answer 159

A

The hard disk that has the operating system on it.

back in the days you could not encrypt this when you created it, but now you can encrypt it immediately at creation

if you have not done it from the beginning

Create a snapshot of the unencrypted root device volume
Create a copy of the snapshot and select the encrypt option
Create an AMI from the encrypted snapshot
Use that AMI to launch new encrypted instances

Answer 160

A

back in the days you could not encrypt this when you created it, but now you can encrypt it immediately at creation

if you have not done it from the beginning

Create a snapshot of the unencrypted root device volume
Create a copy of the snapshot and select the encrypt option
Create an AMI from the encrypted snapshot
Use that AMI to launch new encrypted instances

Answer 161

A

Amazon CloudWatch is a monitoring service to monitor your AWS resources as well as the applications you run within AWS

= PERFORMANCE MONITORING

Monitor

Computed
- EC2 instances, autoscaling groups, elastic load balances, route53 health checks
Storage and content delivery
- EBS Volumes
- Storage Gateways
- CloudFront

Answer 162

A

CPU
Network
Disk
Status Check

Answer 163

A

think of CloudTrail as a CCTV (camera) that increases visibility into your user and resource activity by recording AWS Management Console actions and API calls.

Using CloudTrail, you can identify which users and accounts that called AWS, the source IP Address from which the calls were made and when the calls occurred.

(DO NOT confuse with CloudWatch which is for performance monitoring)

Answer 164

A

every 5 minutes by default but can be turned even longer down to 1 minute (detailed monitoring) intervals for example

Answer 165

A

Dashboards
- awesome dashboards to see what is happening with your AWS environment
Alarms
- alarms to notify when you reach specified thresholds
Events
- helps you respond to state changes in your AWS resources
Logs
- helps you aggregate, monitor and store logs

Answer 166

A

Can be used through terminal after connecting with key pair and setting up the access through IAM.

then AWS can be accessed from anywhere in the world

Answer 167

A

Roles are more secure than storing your access key and secret access key on individual EC2 instances
Roles are also easier to manage
Roles can be assigned to an EC2 instance after it is created using the console & command line
Roles are universal - you can use them in any region

Answer 168

A

A way of automating your AWS EC2 deployment.

running it at the command line => can run individual command line commands as scripts (updates, installations, httpd starts, opening of web page, make buckets, create files etc.)

(set up when configuring instances from the AMI creation panel)

Answer 169

A

used to get information about an instance (fx public IP)

get by something like.…

curl http://169.254.169.254/latest/meta-data/

curl http://169.254.169.254/latest/user-data/

Answer 170

A

Elastic File System = a file storage service for Amazon Elastic Compute Cloud (EC2) instances.

=> With amazon EFS, storage capacity is ELASTIC, growing and shrinking automatically as you add and remove files, so your applications have the storage they need, when they need it

Answer 171

A

Cluster Placement Group
Spread Placement Group
Partitioned Placement Group

Answer 172

A

A grouping of instances within a single availability zone.

Recommended for applications that need

low network latency,

high network throughput,

or both.

putting instances as close as possible

Answer 173

A

group of instances each placed on DISTINCT underlying hardware
Spread placement groups are recommended for applications that have a small number of critical EC2 instances that should be kept separate from each other
can only have 7 running instances per availability zone

think of individual instances

(opposite of clustered placement group)

Answer 174

A

Similar to spread placement groups BUT you can have multiple EC2 instances within a partition.
- each partition is on each own set of racks where each rack has its own network and power source
  - this allows you to isolate the impact of hardware failure within your application
- for multiple EC2 instances: HDFS, HBase, Cassandra

think of multiple instances

Answer 175

A

Clustered
- only within one availability zone
Spread and Partitioned
- within MULTIPLE availability zones BUT still the same region

Answer 176

A

unique within your own AWS account

Answer 177

A

homogenous instances = same type of hardware and so on in the horizontal scaling

Answer 178

A

no…

but…. you can create an AMI from your existing instance, then launch a new instance from the AMI into a placement group.

Answer 179

A

aws ec2 create-snapshot

Answer 180

A

availability zones

Answer 181

A

Nitro and Xen

Answer 182

A

block based storage

Answer 183

A

configure encryption when creating the EBS volume

Answer 184

A

cold (sc1)

throughput optimised (st1)

Answer 185

A

Yes, though the AWS APIs, CLI, and AWS Console

Answer 186

A

incrementally

Answer 187

A

Incrementally

Answer 188

A

Solution 1: us-west-2a with six EC2 instances, us-west-2b with six EC2 instances, and us-west-2c with no EC2 instances. Solution 2: us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with three EC2 instances.

You need to work through each case to find which will provide you with the required number of running instances even if one AZ is lost. Hint: always assume that the AZ you lose is the one with the most instances. Remember that the client has stipulated that they MUST have 100% fault tolerance.

Answer 189

A

Configure encryption when creating the EBS volume

The use of encryption at rest is default requirement for many industry compliance certifications. Using AWS managed keys to provide EBS encryption at rest is a relatively painless and reliable way to protect assets and demonstrate your professionalism in any commercial situation.

Answer 190

A

False

There are slight differences between a normal ‘new’ Security Group and a ‘default’ security group in the default VPC. For an ‘new’ security group nothing is allowed in by default.

Answer 191

A

Migrate documents to File Gateway presented as NFS and make use of life-cycle using Infrequent Access storage.

Migrate documents to EFS storage and make use of life-cycle using Infrequent Access storage.

Trying to use S3 without File Gateway in front would be a major impact to the user environment. Using File Gateway is the recommended way to use S3 with shared document pools. Life-cycle management and Infrequent Access storage is available for both S3 and EFS. A restriction however is that ‘Using Amazon EFS with Microsoft Windows is not supported’. File Gateway does not support iSCSI in the client side.

Answer 192

A

Retrieve the instance Metadata from http://169.254.169.254/latest/meta-data/.

Instance Metadata and User Data can be retrieved from within the instance via a special URL. Similar information can be extracted by using the API via the CLI or an SDK.

Answer 193

A

True

Spread Placement Groups can be deployed across availability zones since they spread the instances further apart. Cluster Placement Groups can only exist in one Availabiity Zone since they are focused on keeping instances together, which you cannot do across Availability Zones

Answer 194

A

The placement group can only have 7 running instances per Availability Zone

Spread placement groups have a specific limitation that you can only have a maximum of 7 running instances per Availability Zone and therefore this is the only correct option. Deploying instances in a single Availability Zone is unique to Cluster Placement Groups only and therefore is not correct. The last two remaining options are common to all placement group types and so are not specific to Spread Placement Groups.

Answer 195

A

Your fleet of EC2 instances requires high network throughput and low latency within a single availability zone.

Cluster Placement Groups are primarily about keeping you compute resources within one network hop of each other on high speed rack switches. This is only helpful when you have compute loads with network loads that are either very high or very sensitive to latency.

Answer 196

A

False

Standard Reserved Instances cannot be moved between regions. You can choose if a Reserved Instance applies to either a specific Availability Zone, or an Entire Region, but you cannot change the region.

Answer 197

A

Spread Placement Groups can be deployed across availability zones since they spread the instances further apart. Cluster Placement Groups can only exist in one Availability Zone since they are focused on keeping instances together, which you cannot do across Availability Zones.

Answer 198

A

http://169.254.169.254

Answer 199

A

Schedule snapshots of HDD based volumes for periods of low use

Stripe volumes together in a RAID 0 configuration.

Ensure that your EC2 instances are types that can be optimized for use with EBS

There are a number of ways you can optimise performance above that of choosing the correct EBS type. One of the easiest options is to drive more I/O throughput than you can provision for a single EBS volume, by striping using RAID 0. You can join multiple gp2, io1, st1, or sc1 volumes together in a RAID 0 configuration to use the available bandwidth for these instances. You can also choose an EC2 instance type that supports EBS optimisation. This ensures that network traffic cannot contend with traffic between your instance and your EBS volumes. The final option is to manage your snapshot times, and this only applies to HDD based EBS volumes. When you create a snapshot of a Throughput Optimized HDD (st1) or Cold HDD (sc1) volume, performance may drop as far as the volume’s baseline value while the snapshot is in progress. This behaviour is specific to these volume types. Therefore you should ensure that scheduled snapshots are carried at times of low usage. The one option on the list which is entirely incorrect is the option that states “Never use HDD volumes, always ensure that SSDs are used” as the question first states “In addition to choosing the correct EBS volume type for your specific task”. HDDs may well be suitable to certain tasks and therefore they shouldn’t be discounted because they may not have the highest specification on paper.

Answer 200

A

Block based storage

EBS, EFS, and FSx are all storage services base on Block storage.

Answer 201

A

ESX

Xen

Until very recently AWS exclusively used Xen Hypervisors, Recently they started making use of Nitro Hypervisors.

Answer 202

A

Yes, although it may take some time.

Answer 203

A

Yes, through the AWS APIs, CLI, and AWS Console.

Answer 204

A

Tags

Tagging is a key part of managing an environment. Even in a lab, it is easy to lose track of the purpose of a resources, and tricky determine why it was created and if it is still needed. This can rapidly translate into lost time and lost money.

Answer 205

A

Only if I specify (using either the AWS Console or the CLI) that it should do so.

You can control whether an EBS root volume is deleted when its associated instance is terminated. The default delete-on-termination behaviour depends on whether the volume is a root volume, or an additional volume. By default, the DeleteOnTermination attribute for root volumes is set to ‘true.’ However, this attribute may be changed at launch by using either the AWS Console or the command line. For an instance that is already running, the DeleteOnTermination attribute must be changed using the CLI.

Answer 206

A

Cold (sc1)

Throughput Optimized (st1)

Of all the EBS types, both current and of the previous generation, HDD based volumes will always be less expensive than SSD types. Therefore, of the options available in the question, the Cold (sc1) and Throughout Optimized (st1) types are HDD based and will be the lowest cost options.

Answer 207

A

5/RAID 10/RAID 0 configurations using those volumes.

True

Answer 208

A

aws ec2 create-snapshot

Answer 209

A

In Availability Zones

Answer 210

A

Multi-Availability Zones = for disaster recovery
Read replicas = for performance
- can send some of the traffic to the read replicas to your site does not crash

Answer 211

A

used to pull in very large and complex data sets… usually used by management to do queries on data

Answer 212

A

Online Transaction Processing (OLTP) = for relational databases

and…

Online Analytical Processing (OLAP) (a lot of queries, more complicated) = for non-relational databases

these two differ widely

Answer 213

A

Redshift is for OLAP (online analytical processing) by Amazon. Data warehouse solution by Amazon.

Redshift is used for business intelligence.

Answer 214

A

OLTP: Online Transaction Processing (OLTP) = for relational databases

SQL
MySQL
PostgreSQL
Oracle
Aurora
MariaDB

Answer 215

A

virtual machines and you have no access to those virtual assistance (you cannot log in to these operating systems)

Patching of the RDS operating system and DB is Amazon’s responsibility

Answer 216

A

no…

(with the exception of Aurora Serverless)

Answer 217

A

Automatic backups
- recover your database to any point in time within a “retention period”.
- Automated backups take full daily snapshots
- Automated backups are enabled by default
- Backups are stored in S3
- You Get free storage space equal to the size of your database (10gb RDS Instance = 10gb worth of storage)
Database Snapshots
- Are user-initiated / done manually
- Stored even after you delete the original RDS instance (unlike automated backups

Answer 218

A

When you restore a backup, the restored version will be a new RDS instance with a new DNS endpoint.

Answer 219

A

As soon as your RDS instance is encrypted, the data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas and snapshots.

Answer 220

A

in the event of planned database maintenance, DB instance failure or an Availability Zone failure, Amazon RDS will automatically failover to the standby so that database operations can resume quickly without administrative intervention

the backup/copy of your production database is automated when it has been enabled

Answer 221

A

SQL Server
Oracle
MySQL Server
PostgreSQL
MariaDB

(NOT Aurora as it has its own different architecture)

Answer 222

A

Read replicas allow you to have a read-only copy of your production database.

You use read-replicas primarily for very read-heavy database workloads

Used for scaling / to increase performance

Answer 223

A

Oracle
MySQL Server
PostgreSQL
MariaDB
Aurora

(NOT for SQL Server)

Answer 224

A

all 6 database systems. Set up using KMS (Key Management Service)

SQL Server
Oracle
MySQL Server
PostgreSQL
MariaDB
Aurora

Answer 225

A

5

and you can have read replicas of read replicas (which may give latency)

Answer 226

A

You can have read replicas that have multi-AZ

and… you can create read replicas of multi-AZ source databases

(you have even have a read replica in a second region)

Answer 227

A

each read replica will have its own DNS endpoint

Answer 228

A

it will break the other read replicas

Answer 229

A

Amazon’s noSQL database solutions (opposite of RDS)

when need consistent, single-digit millisecond latency at any scale

DynamoDB = SERVERLESS

Answer 230

A

Stored on SSD Storage
Spread across 3 geographically distinct data centres
Eventual consistent read (default) (1 second)
Strongly consistent read (optional = less than 1 second)

Answer 231

A

Eventual consistent read
- Consistency across all copies of data is usually reached within a second
Strongly consistent read
- a strongly consistent read returns a result that reflects all writes that received a successful response prior to the read = this is basically immediate (in less than 1 second)

Answer 232

A

Single-node (160gb)
or… Multi Node
- Leader node (client connections and receives queries)
- Compute node (store data and perform queries and computations) can have up to 128 compute nodes behind the leqder node

Answer 233

A

as non-relational database system you can compress the data much more and thus uses much less space

Answer 234

A

Massively Parallel Processing

a part of Amazon Redshift that automatically distributes data and query load across all nodes.

for fast query performance as data warehouse grows

Answer 235

A

Enabled by default with a 1 day retention period
Maximum retention period is 35 days
Always attempts to maintain at least 3 copies of your data (original, replica and backup in S3)
can also replicate snapshots to S3 in another region for disaster recovery

Answer 236

A

Compute node Hours = total number of hours you run across all your compute nodes for the billing period
- not charged for leader node hours
backups
Data transfer

Answer 237

A

Only available in 1 availability zone at a time

Answer 238

A

a MySQL compatible, relational database engine that combines the speed and availability of high-end commercial databases.

Answer 239

A

Starts at 10gb (scales in 10gb increments to 64 TB)

computer resources can scale up to 32vCPUs and 244GB memory

2 copies of your data in contained in each availability zone, with minimum of 3 availability zones (6 copies of your data)

Answer 240

A

Aurora replicas (up to 15 available)
- automated failover only available with Aurora replicas
MySQL Read replicas (up to 5 available)

Answer 241

A

Automated backups are enabled on Amazon Aurora DB instances
Snapshots are also possible
- and these can be shared with other AWS accounts

Answer 242

A

used to improve the performance of web applications by allowing you to retrieve information from fast, managed, in-memory caches, instead of relying entirely on slower disk-based databases.

used to speed up performance of existing databases (frequent identical queries)

Answer 243

A

Memcached
- for very simple things
Redis
- multi-AZ and backup and restores possible

Answer 244

A

False

Technically a destination port number is needed, however with a DB security group the RDS instance port number is automatically applied to the RDS DB Security Group.

Answer 245

A

There is no charge associated with this action.

Answer 246

A

Redshift would be the most suitable for online analytics processing.

Answer 247

A

Apache Parquet

JSON

Apache ORC

Amazon Athena is an interactive query service that makes it easy to analyse data in Amazon S3, using standard SQL commands. It will work with a number of data formats including “JSON”, “Apache Parquet”, “Apache ORC” amongst others, but “XML” is not a format that is supported.

Answer 248

A

I/O may be briefly suspended while the backup process initializes (typically under a few seconds), and you may experience a brief period of elevated latency.

Answer 249

A

Oracle, SQL Server, MySQL, PostgreSQL

Answer 250

A

If you use online transaction processing in your production environment.

Provisioned IOPS becomes important when you are running production environments requiring rapid responses, such as those which run e-commerce websites. Without high performant responses from an RDS instance page loads of the website could suffer resulting in loss of business. If your workloads are not latency sensitive or you are running a test environment the additional cost of provisioned IOPS will not be cost beneficial to your project.

Answer 251

A

Add 4 additional EBS SSD volumes and create a RAID 10 using these volumes.

Answer 252

A

Storage of Data

Read and Write Capacity

There will always be a charge for provisioning read and write capacity and the storage of data within DynamoDB, therefore these two answers are correct. There is no charge for the transfer of data into DynamoDB, providing you stay within a single region (if you cross regions, you will be charged at both ends of the transfer.) There is no charge for the actual number of tables you can create in DynamoDB, providing the RCU and WCU are set to 0, however in practice you cannot set this to anything less than 1 so there always be a nominal fee associated with each table.

Answer 253

A

Immediately

Answer 254

A

Redis & Memcached

Answer 255

A

Single availability zone by default

DynamoDB is the AWS managed NoSQL database service. It has many features that are being added to constantly, making it a great service to use for many different requirements. The feature which was incorrect is DynamoDB only being single availability zone by default making this the correct answer. DynamoDB is distributed across three geographically distinct datacentres by default, all of the other options listed are valid features of DynamoDB.

Answer 256

A

because DNS is on port53

Answer 257

A

just think of a phone book.

DNS is used to convert human friendly domain names into an IPv4 or IPv6.

So from acloud.guru to 82.124.53.1

Answer 258

A

IPv4 is a 32-bit field with +4 billion different addresses
IPv6 has 128-bits which gives 340 undecillion addresses
- = invented because the 4.3 billion addresses of IPv4 were not enough

Currently both IPv4 and IPv6 are used

Answer 259

A

.com

.edu

.gov(top-level)

.co(second-level).uk(top-level)

.com(second-level).au(top-level)

Answer 260

A

Internet Assigned Numbers Authority

those that make the top-level domains

Answer 261

A

entities which serve the purpose of organising the distribution of domain names such that they are not duplicated.

all registered domain names end up in WhoIS.

(examples….GoDaddy.com, 123-reg.co.uk, Amazon, DanDomain.dk etc.)

Answer 262

A

Name Server Records

used by Top Level Domain servers to direct traffic to the Content DNS server which contains the authoritative DNS records

Answer 263

A

An “A” record is the fundamental type of DNS record.

A stands for Address.

The A record is used by a computer to translate the name of the domain to an IP address so from www.acloud.guru to 123.10.10.80

Answer 264

A

Time to Live

the length that a DNS record is cached on either the Resolving Server or the users own local PC is equal to the value of the the “time to live” TTL in seconds.

so for example a user could cache your homepage for 48 hours.

Answer 265

A

A Canonical Name … can be used resolve one domain name to another.

essentially just that you have both..

https: //m.acloud.guru and
https: //mobile.acloud.guru

Answer 266

A

used to map resource record sets in your hosted zone to Elastic Load Balancers, CloudFront distributions, or S3 buckets that are configured as websites.

Alias Records work like CNAME records BUT….. CNAME can’t be used for naked domain names (= without www in front of it)

Answer 267

A

No…

You must resolve to them using a DNS name.

Answer 268

A

Always Alias Record

Answer 269

A

SOA Records (state of authority)
NS Records (Name Server)
A Records (Address)
CNAMES (Canonical Name)
MX Records
PTR Records

Answer 270

A

Simple Routing
Weighted routing
Latency-based Routing
Failover Routing
Geolocation Routing
GeoProximity Routing
Multivalue Answer Routing

Answer 271

A

you can only have one record with multiple IP addresses.

if you specify multiple values (IP addresses) in a record, Route53 returns all values to the user in a random order

(it will pick a new place randomly when the TTL expires)

Answer 272

A

allows you to split your traffic based on different weight assigned

fx 10 % to US-EAST-1 and 90% to EU-WEST-1

(remember TTL still determines when you can update and get different results)

Answer 273

A

Allows you to route your traffic based on the lowest network latency for your end user (which gives them the fastest response time)

to do this you have to create a latency resource record set for the Amazon EC2 (or ELM) resource in each region that hosts your website.

Answer 274

A

used when you want to create an active/passive set up.

= you may want your primary site to be in EU-WEST-2 and your secondary DR site in AP-SOUTHEAST-2

Route 53 will monitor the health of your primary site using a health check => If a failure is detected in the Active region, users will be directed to the passive.

Answer 275

A

lets you choose where your traffic will be sent based on the geographic location of your users

= all queries from europe to routed to a fleet of EC2 instances that are specifically configured for European customers (language, prices etc.)

Can be done by country or by continent

(different from latency-based routing)

Answer 276

A

route traffic to your resources based on the geographic location of your users and your resources.

+you can also insert a bias to route more or less traffic to a resource

(only in Route53 traffic flow mode)

Answer 277

A

lets you configure route53 to return multiple values, such as IP addresses for your web servers, in response to DNS queries.

The same as simple routing HOWEVER multivalue answers allows you to put health checks on each record set.

Answer 278

A

50 is set by default BUT you can increase this limit by contacting AWS support.

Answer 279

A

Failover Routing and Latency-based Routing

Failover Routing and Latency-based Routing are the only two correct options, as they consider routing data based on whether the resource is healthy or whether one set of resources is more performant than another. Any answer containing location based routing (Geoproximity and Geolocation) cannot be correct in this case, as these types only consider where the client or resources are located before routing the data. They do not take into account whether a resource is online or slow. Simple Routing can also be discounted as it does not take into account the state of the resources.

Answer 280

A

True and False. With Route 53, there is a default limit of 50 domain names. However, this limit can be increased by contacting AWS support.

Answer 281

A

Multivalue answer routing lets you configure Amazon Route 53 to return multiple values, such as IP addresses for your web servers, in response to DNS queries. Route 53 responds to DNS queries with up to eight healthy records and gives different answers to different DNS resolvers. The choice of which to use is left to the requesting service effectively creating a form or randomisation.

Answer 282

A

Alias Records provide a Route 53–specific extension to DNS functionality

Alias Records have special functions that are not present in other DNS servers. Their main function is to provide special functionality and integration into AWS services. Unlike CNAME records, they can also be used at the Zone Apex, where CNAME records cannot. Alias Records can also point to AWS Resources that are hosted in other accounts by manually entering the ARN.

Answer 283

A

Route 53 - Geoproximity routing policy

Route 53 - Geolocation routing policy

The instruction from the CTO is clear that that the division is based on geography. Latency based routing will approximate geographic balance only when all routes and traffic evenly supported which is rarely the case due to infrastructure and day night variations. You cannot combine blacklisting and whitelisting in CloudFront. Weighted routing is randomized and will not respect Geo boundaries. Geolocation is based on national boundaries and will meet the needs well. Geoproximity is based on Latitude & Longitude and will also provide a good approximation with potentially less configuration.

Answer 284

A

Geolocation routing policy

Geolocation routing lets you choose the resources that serve your traffic based on the geographic location of your users, meaning the location that DNS queries originate from. For example, you might want all queries from Europe to be routed to an ELB load balancer in the Frankfurt region.

Answer 285

A

The DNS Port is on Port 53 and Route 53 is a DNS Service.

Answer 286

A

A virtual data center in the cloud (logical datacenter in AWS)

…so you create your own data center within AWS and then have a ton of opportunities for customisation and management.

Answer 287

A

Internet gateways or Virtual Private gateways
Route Tables
Network access control lists
Subnets
Security groups

Answer 288

A

Internet Gateway
Virtual Private Gateway

Answer 289

A

10.0.0.0
172.16.0.0
192.168.0.0 (192.168.255.255 for example)

Answer 290

A

Launch instances into a subnet of our choosing
- and Instance security groups
Assign custom IP address ranges
Configure route tables between subnets
Create internet gateway
Better security control’
Subnet network access control lists (ACLS)

Answer 291

A

Default VPC is
- super user friendly
- have a route out to the internet
- Each EC2 instance has both a public AND private IP address

Answer 292

A

connect one VPC with another via a direct network route using private IP addresses.

you can also peer VPCs with other AWS accounts

Peering is in a star configuration = 1 central VPC peers with 4 others.

BUT.. there is no transitive peering (cannot go through A to get to C = has to be direct peering between two)

Answer 293

A

The VPC
A route table
A Network ACL
A default Security group

(no subnets, no internet gateway)

Answer 294

A

Only 1 internet gateway

Answer 295

A

create new route table

then go and edit the routes and add

0.0.0.0/0 to internet gateway and choose your vpc

Answer 296

A

security groups cannot span across VPCs.

Answer 297

A

Network Address Translation instances and gateways

to ensure that the subnets are not public BUT that we can still download software from our private subnet. So NAT are to connect to the internet gateways

(NAT instances are on their way out while NAT gateways are what is used today)

Answer 298

A

NAT Gateways = single EC2 instance
Nat Instances = Highly available gateway that allows you to communicate with the internet from the private subnet without becoming public

Answer 299

A

Disable Source/Destination Check on the instance

Answer 300

A

that they become bottlenecks = too much traffic = you must increase the instance size

Answer 301

A

Autoscaling Groups
Multiple subnets in different availability zones
script to automate failover

Answer 302

A

They can survive the failure of the EC2 instances that power NAT gateways = redundant inside the AZ
NAT Gateways can not span different availability zones
- so have NAT gateway in each availability zone you use
No need to patch operating system (you must for NAT instances)
Automatically assigned a public IP address
Not associated with security groups

Answer 303

A

With new Access Control Lists, all traffic is DENIED / BLOCKED as default

(when you create custom network ACLs)

Answer 304

A

Ephemeral ports are short-lived transport protocol ports for IP communications.

on servers, Ephemeral ports may also be used as the port assignment on the server end of a communication. This is done to continue communications with a client that initially connected to one of the server’s well-known service listening ports

Answer 305

A

the ACL by default allows all outbound and inbound traffic

Answer 306

A

Yes… All need one.

Thus, if you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL

Answer 307

A

using Network ACLs (Access Control Lists)

(not possible with security groups)

Answer 308

A

in order with the lowest numbered rule first

Answer 309

A

That you must both add the same rules in both inbound traffic and outbound traffic

(for security groups it is different as they are stateful)

Answer 310

A

A feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

Flow log data is stored using Amazon CloudWatch Logs. After you have created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.

Answer 311

A

3 different

VPC
Subnet
Network Interface Level

Answer 312

A

for VPCs that are peered with your VPC unless the VPC is in your account

Answer 313

A

you cannot tag a flow log
After you have created a flow log, you cannot change its configuration
You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account

Answer 314

A

Traffic generated by instances when they contact the Amazon DNS server
traffic generated by a Windows instance for Amazon Windows license activation
Traffic to and from 169.254.169.254 for instance metadata
DHCP traffic
Traffic to the reserved IP address for the default VPC router

Answer 315

A

provide internet traffic to EC2 instances in a private subnet

Answer 316

A

special purpose computer on a network specifically designed and configured to withstand attacks.

A Bastion is used to securely administer EC2 instances (Using SSH or RDP).

The computer usually hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer.

(cannot use a NAT Gateway as a Bastion host)

Answer 317

A

A cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. = a direct connection from your data center to AWS

Useful for high throughput workloads (lots of network traffic) so if you want a stable and reliable and secure connection, use direct connect between your database and AWS

Answer 318

A

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink WITHOUT requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect Connection.

(no need to go outside the AWS network)

Answer 319

A

Interface Endpoints
- Elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service
Gateway Endpoints
- supported for Amazon S3 and DynamoDB

Answer 320

A

Stateful = Security Groups (creating an inbound rule also creates an outbound rule)
Stateless = Network Access Control Lists (must create rules in both inbound and outbound)

Answer 321

A

they are randomised so 1A is most often not the same place as 1A for another AWS account

Answer 322

A

the allow rules trump deny rules so….

Put DENY first if you want to deny something

Answer 323

A

Virtual Private Gateway AND Customer Gateway.

when connecting a VPN between AWS and a third party site, the customer gateway is created within AWS, but it contains information about the third party site, eg. the external IP address and type of routing.

The Virtual Private Gateway has the information regarding the AWS side of the VPN and connects a specified VPC to the VPN.

Answer 324

A

True

In a custom VPC with new subnets in each AZ, there is a Route that supports communication across all subnets/AZs.

Answer 325

A

Security Groups support “allow” rules only

Security Groups operate at the instance level

Security Groups evaluate all rules before deciding which to allow traffic

Answer 326

A

at least 2

Answer 327

A

Create an Elastic IP address and associate it with your instance

Answer 328

A

Network ACLs

Answer 329

A

True

In a custom VPC with new subnets in each AZ, there is a Route that supports communication across all subnets/AZs. Plus a Default SG with an allow rule ‘All traffic, All protocols, All ports, from anything using this Default SG’.

Answer 330

A

In Amazon VPC, an instance does not retain its private IP.

Answer 331

A

Allows VPC based IPv6 traffic to communicate to the Internet

Prevents IPv6 based Internet resources initiating a connection into a VPC

The purpose of an “Egress-Only Internet Gateway” is to allow IPv6 based traffic within a VPC to access the Internet, whilst denying any Internet based resources the possibility of initiating a connection back into the VPC.

Answer 332

A

Security Groups are stateful and Network Access Control Lists are stateless.

Answer 333

A

Subnet Level

VPC Level

Network Interface Level

Answer 334

A

As transitive peering is not allowed, VPC ‘B’ can communicate directly only with VPC ‘A’.

Answer 335

A

A Private IP Address & Public IP Address

Answer 336

A

No

0.0.0.0/0 would allow ANYONE from ANYWHERE to connect to your instances. This is generally a bad plan. The phrase ‘web-facing subnets’ does not mean just web servers. It would include any instances in that subnet some of which you may not strangers attacking. You would only allow 0.0.0.0/0 on port 80 or 443 to to connect to your public facing Web Servers, or preferably only to an ELB. Good security starts by limiting public access to only what the customer needs. Please see the AWS Security white paper for complete details.

Answer 337

A

False

You may peer a VPC to another VPC that’s in your same account, or to any VPC in any other account.

Answer 338

A

Network ACLs

Answer 339

A

Security Groups support “allow” rules only.

Security Groups operate at the instance level.

Security Groups evaluate all rules before deciding whether to allow traffic.

Answer 340

A

False

Each subnet must reside entirely within one Availability Zone and cannot span zones.

Answer 341

A

Create an Elastic IP address and associate it with your instance

Although creating a new NIC & associating an EIP also results in your instance being accessible from the internet, it leaves your instance with 2 NICs & 2 private IPs as well as the Public Address and is therefore not the simplest solution. By default, any user-created VPC subnet WILL NOT automatically assign Public IPv4 Addresses to instances – the only subnet that does this is the “Default” VPC subnets automatically created by AWS in your account.

Answer 342

A

Depends on the type of scan and the service being scanned. Some scans can be performed without alerting AWS, some require you to alert.

Until recently customers were not permitted to conduct Penetration Testing without AWS engagement. However that has changed. There are still conditions however.

Answer 343

A

A Bastion host allows you to securely administer (via SSH or RDP) an EC2 instance located in a private subnet. Don’t confuse Bastions and NATs, which allow outside traffic to reach an instance in a private subnet.

Answer 344

A

Access Control List

Route Table

Security Group

When you create a custom VPC, a default Security Group, Access control List, and Route Table are created automatically. You must create your own subnets, Internet Gateway, and NAT Gateway (if you need one.)

Answer 345

A

Virtual Private Cloud

Answer 346

A

VPC Gateway Endpoints ensure traffic between your VPC and the other service does not leave the Amazon network.

In contrast to a NAT Gateway, traffic between your VPC and the other service does not leave the Amazon network when using VPC Gateway Endpoints. There are also VPC Interface Endpoints, which are used by individual services.

Answer 347

A

Customer Gateway

Virtual Private Gateway

The correct answers are “Customer Gateway” and “Virtual Private Gateway”. When connecting a VPN between AWS and a third party site, the Customer Gateway is created within AWS, but it contains information about the third party site e.g. the external IP address and type of routing. The Virtual Private Gateway has the information regarding the AWS side of the VPN and connects a specified VPC to the VPN. “Direct Connect Gateway” and “Cross Connect” are both Direct Connect related terminology and have nothing to do with VPNs.

Answer 348

A

False

You may have only one Internet Gateway per VPC.

Answer 349

A

physical or virtual device that is designed to help you balance the network load across multiple web servers

Answer 350

A

Application Load Balancers (intelligent)
Network Load Balancers (for extreme performance)
Classic Load Balancers (very basic and cost-effective)

Answer 351

A

best suited for load balancing of HTTP and HTTPS traffic = websites basically

operate at layer 7 and are application-aware. Quite intelligent

Answer 352

A

best suited for load balancing of TCP traffic where extreme performance is required

= can handle millions of requests per second, while maintaining ultra-low latencies

operating at the connection level (layer 4).

Answer 353

A

legacy Elastic Load Balancers.

can load HTTP/HTTPS applications

only use if you don’t care about load balancing

use layer 7-specific features and can also use strict layer 4 load balancing. Not very intelligent

Answer 354

A

helps ensure that we actually also get the users public IP after going through the elastic load balancer. without getting the public IPs, we do not know where our users are coming from

Answer 355

A

that the gateway has timed out = that the application is not responding within the idle timeout period

Answer 356

A

trouble shoots the application and see if the error is coming from the Web Server OR Database server

Answer 357

A

Always only their own DNS name

(never IP address)

Answer 358

A

Sticky sessions allow you to bind a user’s session to a specific EC2 instance such that all requests from the user during the session are sent to the same instance.

(if not enabled, the classic LB will route each request independently to the registered EC2 instance with the smallest load)

Answer 359

A

with no cross zone load balancing, our traffic is split evenly across availability zones…

but we may not have the same amount of instances in the different availability zones.

WITH cross zone load balancing, this is taken care of such that all instances get the same load.

= > Cross zone = the instances can send traffic across availability zones

Answer 360

A

path-based routing = you can create a listener with rules to forward requests based on the URL path

example… enabling path patterns here such that we can send traffic regarding www.myurl.com/images to the second availability zone, US-EAST-1B

Answer 361

A

plan for failure = everything fails = that’s why Netflix created the Simian Army (including Chaos Monkey)

when you have the same setup in two different regions, you can tolerate issues and make failover

use multiple availability zones and multiple regions where you can

Answer 362

A

Scaling out = auto-scaling groups to add additional EC2 instances
Scaling up = increasing the power of the existing EC2 instances

Answer 363

A

CloudFormation is a way of completely scripting your cloud environment = automating the architecture setup

Answer 364

A

a bunch of CloudFormation templates already built by AWS solutions architects allowing you to create complex environments very quickly.

Answer 365

A

essentially just a way to deploy applications to the cloud (without knowing anything about AWS)

=>

You can deploy and manage applications in the AWS cloud without worrying about the infrastructure that runs those applications. You simply upload the code for your application, and Elastic Beanstalk automatically handles the details of capacity provisioning, load balancing, scaling and application health monitoring.

Answer 366

A

S3

the key point in the questions is that the data is non-replaceable, and is frequently updated. The 1st excludes anything the has reduced Durability, the 2nd excluded anything with long recall, reduced availability, or billing based on infrequent access.

Answer 367

A

Application Load Balancers (ALB)

The ALB has functionality to distinguish traffic for different targets (mysite.co/accounts vs. mysite.co/sales vs. mysite.co/support) and distribute traffic based on rules for; target group, condition, and priority.

Answer 368

A

Availability

Each word has a specific meaning and your ability to select the correct answer may depend on understanding the difference. Availability can be described as the % of a time period when the service will be able to respond to your request in some fashion.

Answer 369

A

Durability

Each word has a specific meaning and your ability to select a correct answer may depend on understanding the difference. Durability refers to the on-going existence of the object or resource. Note that it does not mean you can access it, only that it continues to exist.

Answer 370

A

99.999999999 percent

Answer 371

A

Scaling Up

Scaling out is where you have more of the same resource separately working in parallel (visualize services sitting side by side). Scaling Up is where you make it bigger and bigger like and ugly tower with more floors being added after the initial design was finished

Answer 372

A

S3 Standard-IA
The key drivers here are availability and cost, so an awareness of cost is necessary to answer this. Full S3 is quite expensive at around $0.023 per GB for the lowest band. S3 standard IA is $0.0125 per GB, S3 OneZone-IA is $0.01 per GB, and Legacy S3-RRS is around $0.024 per GB for the lowest band. Of the offered solutions S3 One Zone-IA is the cheapest suitable option. Glacier cannot be considered as it is not intended for direct access, however it comes in at around $0.004 per GB. S3 has an availability of 99.99%, S3-IA has an availability of 99.9% while S3-1Zone-IA only has 99.5%

Answer 373

A

Network Load Balancers (NLB)

The Network Load Balancer is specifically designed for high performance traffic that is not conventional Web traffic. The Classic LB might also do the job, but would not offer the same performance.

Answer 374

A

Use a Classic Load Balancer to spread the load over several availability zones.

Use Route 53 with health checks to distribute load across multiple ELBs.

Use multiple autoscaling groups and boundaries for a staged or ‘canary’ deployment process.

Use several Target groups or auto scaling groups under each Load Balancers.

Using Route 53 to distribute work direct to compute resources can work, but is hard to manage, and is not a recommended AWS pattern. ELB can spread load across AZs not regions. Deploying updates to all groups simultaneously will not reduce risk. Using Route 53 in combination with ELBs is a good pattern to distribute regionally as well as across AZs. Although the methods vary, you can place multiple autoscaling or target groups behind ELBs.

Answer 375

A

Consider replacing it with Aurora before go live.

Convert the RDS instance to a multi-AZ implementation.

There are two issues to be addressed in this question. Minimizing outages, whether due to required maintenance or unplanned failures. Plus the possibility of needing to scale up or down. Read-replicas can help you with high read loads, but are not intended to be a solution to system outages. Multi-AZ implementations will increase availability because in the event of an instance outage one of the instances in another AZs will pick up the load with minimal delay. Aurora provided the same capability with potentially higher availability and faster response.

Answer 376

A

Resiliency

Each word has a specific meaning and your ability to select the correct answer may depend on understanding the difference. Resiliency can be described as the ability to a system to self heal after damage or an event. Note that this does not mean that it will be available continuously during the event, only that it will self recover.

Answer 377

A

Copy the files from the NAS to an S3 bucket with the One Zone-IA class

S3 OneZone-IA provides on-line access to files, while offering the same 11 9’s of durability as all other storage classes. The trade-off is in the availability - 99.5% as opposed to 99.9%-99.99%. However in this brief as cost is more important than availability, S3 OneZone-IA is the logical choice . RRS is deprecated and new uses are strongly discouraged by AWS.

Answer 378

A

A spread placement group is a group of instances that are each placed on distinct underlying hardware

There is only one answer that is specific to Spread Placement Groups, and that is the final option. Whilst some of these answers are correct for either Cluster Placement Groups only, or for both Cluster and Spread Placement Groups, the question stated that only options specific to Spread Placement Groups should be chosen. This would rule out two options as they are true for both Spread & Cluster type placement groups. The Logical grouping of instances within a single Availability Zone is only true of Cluster Placement Groups and is also incorrect.

Answer 379

A

Reliability

Each word has a specific meaning and your ability to select a correct answer may depend on understanding the difference. Reliability is closely related to Availability, however a system can be ‘Available’ but not be working properly. Reliability is the probability that a system will work as designed. This term is not used much in AWS, but is still worth understanding.

Answer 380

A

Simple Queue Service… (used to decouple your infrastructure such that not all crash if one thing crashes)

web service that gives you access to a message queue that can be used to store messages while waiting for a computer to process them.

the queue acts as a buffer between the component producing and saving data, and the component receiving the data for processing

SQS is pull based

(btw also the 1st AWS service)

Answer 381

A

256 kb in size

Answer 382

A

SQS Standard (default)
- high throughput and nearly-unlimited number of transactions per second BUT be aware that one copy of a message might be delivered out of order and there may be duplicates (generally same order as they are sent but not always)
FIFO Queues (first-in-first-out)
- always the same order as sent (ordered) and surely NO duplicates
- 300 transactions per second

Answer 383

A

the amount of time that the message is invisible in the SQS queue after a reader picks up that message. If the job is processed/completed before the visibility time expires, the message will be deleted from the queue (Visibility Timeout Maximum is 12 hours)

However, if the job is not processed within the visibility time-out, it will become visible again and another reader will process it = hence, some messages can be delivered twice.

Answer 384

A

Simple Work Flow Service… = a web service that makes it easy to coordinate work across distributed application components

= a way of coordinating your applications and manual processors (human beings)

(Amazon uses this… you buy a book online. all is based on computers, including payment, but then human labor needs to help in the warehouse to get the package ready)

You use SWF if there is any manual processing involved

Answer 385

A

SQS (Simple Queue Service)
- Retention Period of up to 14 days
- Message-oriented API
- Tasks may be duplicated
- need to implement your own application-level tracking
SWF (Simple Work Flow Service)
- Retention period/Workflow execution period up to 1 year
- Task-oriented API
- NEVER duplicated. Each task only once
- Keeps track of all tasks and events in an application

Answer 386

A

WORKFLOW STARTERS
- application that can initiate (start) a workflow
- example: your e-commerce website following the placement of an order
DECIDERS
- control the flow of activity tasks in a workflow execution = if something has finished (or failed) in a workflow, a Decider decides what to do next
ACTIVITY WORKERS
- Carry out the activity tasks

Answer 387

A

Simple Notification Service…. a web service that makes it easy to set up, operate, and send notifications from the cloud

SNS is PUSH-based

Allows you to make push notifications to Apple, Google, Fire OS, Windows devices, Android Devices in China with Baidu Cloud Push + can also deliver notifcations by SMS and email

Answer 388

A

Topics in SNS allows you to group multiple recipients = you can group together iOS, Android and SMS recipients for example and all subscribers within this group will receive the same messages from SNS (Simple Notifications Service)

Answer 389

A

Instantaneous PUSH-based delivery
Simple APIs and easy integration with applications
Flexible message delivery over multiple transport protocols

Answer 390

A

SNS (Simple Notifications Service)
- PUSH-based
SQS (Simple Queue Service)
- Pull-based (poll)

(both are messaging services in AWS)

Answer 391

A

A media transcoder in the cloud = a way to convert media files from their original source format into different formats that will play on different devices (smartphones, tablets, pc)

Answer 392

A

a fully managed service that makes it easy for developers to publish, maintain, monitor and secure APIs at any scale = you can make a “front door” for applications to access stuff from your back-end services

API Gateway scales automatically

Answer 393

A

with caching, you can reduce the number of calls made to your endpoint and also improve the latency of the requests to your API (API caching can be enabled in Amazon API Gateway)

used to increase performance

Answer 394

A

that web page A can access data in web page B, IF both web pages have the same origin (= the same domain name)

(but when using AWS, we use different domain names all the time so we need to use CORS)

Answer 395

A

Cross-Origin Resource Sharing = a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the first resource was served

Answer 396

A

the problem here is that CORS is not enabled on the API Gateway

Answer 397

A

data that is generated continuously by thousands of data sources

Examples:

Stock prices
Gaming Data (as the gamer plays)
Social network data (twitter for example)
Geospatial data (fx uber)
iOT sensor data (say from AgTech sensors)
Purchases from online stores (amazon.com)

Answer 398

A

a platform on AWS to send your streaming data to

Kinesis makes it easy to load and analyze streaming data

Answer 399

A

Kinesis Streams
Kinesis Firehose
Kinesis Analytics

Answer 400

A

a place to store streaming data

within a Kinesis stream, you have SHARDS

Answer 401

A

with Kinesis Firehose, the streaming data is not stored, it must instead be analyzed as it comes in and then sent out again

Answer 402

A

Kinesis Analytics help analyze the streaming data inside Kinesis (inside both Kinesis Firehose and Kinesis Streams)

Answer 403

A

it lets you give your users access to AWS resources AFTER they have successfully authenticated with a web-based identity provider like Amazon, Facebook, Google etc.

= you get access after you have “login using Facebook”

Answer 404

A

a web identity federation service for sign-up and sign-ins to your apps.

Cognito brokers between the app and Facebook/Google to provide temporary credentials which map to an IAM role allowing access to the required resources

Answer 405

A

used to manage sign-in and sign-up for mobile and web applications

focused on users and thus handles things like user registration, authentication, and account recovery

Answer 406

A

provide temporary AWS credentials to access AWS services like S3 or DynamoDB

identity pools authorise access to your AWS resources

Answer 407

A

SNS is a push notification service, whereas SQS is message system that requires worker nodes to poll a queue.

SNS is a Notification service for sending text based communication of different types to different destinations. SQS is a Queue system for asynchronously manages tasks (called messages)

Answer 408

A

An Amazon Resource Name is created.

Answer 409

A

SQS

In IT the term ‘message’ can be used in the common sense, or to describe a piece of data of Task in an asynchronous queueing system such as MQseries, RabbitMQ or SQS.

Answer 410

A

Simple Email Service

Answer 411

A

Coordinate synchronous and asynchronous tasks

Similar to SQS SWF manages queues of work, however unlike SQS it can have out-of-band parallel and sequential task to be completed by humans and non AWS services.

Answer 412

A

False

While there are a limited range of SDKs available for SWF, AWS provides an HTTP based API which allows you to interact using any language as long as you phrase the interactions in HTTP requests.

Answer 413

A

True

One time only completion is a key feature of SWF. At one time this was a key distinction from SQS, however with SQS FiFo queues, this is no longer a distinguishing feature.

Answer 414

A

A collection of related workflows

Answer 415

A

Simple Work Flow

Answer 416

A

you don’t worry about your infrastructure as such. you only worry about your code and pay for the amount of time your code runs

Answer 417

A

a compute service where you can upload your code and create a Lambda function.

the ultimate abstraction layer = AWS Lambda is on top of data center, hardware, assembly code/protocols, operating systems, APIs/application layer etc.

Answer 418

A

An an event-driven computer service where AWS Lambda runs your code in response to events such as changes in an Amazon S3 bucket
As a compute service to run your code in response to HTTP requests using Amazon API Gateway or API calls made using AWS SDKs

Answer 419

A

Traditional = user - root53 to ELB - web server - RDS/Database

Serverless = user - API Gateway - Lambda - DynamoDB/AuroraServerless

With serverless you do not have to worry about auto-scaling

Answer 420

A

Number of requests and
Duration of time your code runs

Answer 421

A

continuously/automatically but remember that it scales OUT (not up)

Answer 422

A

1 event = 1 function

but… one Lambda function can trigger other Lambda functions so 1 event can = x functions if functions trigger other functions

Answer 423

A

a service that helps you see and debug what is happening inside your architecture (useful as architecture turns complicated)

Answer 424

A

Yes… Lambda can do things globally so you can fx use it to backup S3 buckets to other S3 buckets

Answer 425

A

Out

Lambda scales out automatically - each time your function is triggered, a new, separate instance of that function is started. There are limits, but these can be adjusted on request.

Answer 426

A

Multiple instances of the Lambda function will be triggered, one for each image

Each time a Lambda function is triggered, an isolated instance of that function is invoked. Multiple triggers result in multiple concurrent invocations, one for each time it is triggered.

Answer 427

A

Duration of execution billed in fractions of seconds.

The amount of memory assigned.

Lambda billing is based on both The MB of RAM reserved and the execution duration in 100ms units.

Answer 428

A

API Gateway

S3

DynamoDB

API-Gateway Events, S3 Events and DynamoDB Events are all valid triggers for Lambda functions

Answer 429

A

Create a duplicate sign up page that stores registration details in DynamoDB for asynchronous processing using SQS & Lambda.

Work with your web design team to create some web pages with embedded JavaScript to emulate your 5 most popular information web pages and sign up web pages.

A 500x increase is beyond the scope of a well designed single server system to absorb unless it is already hugely overspecialised to accommodate this sort of burst load. An AWS solution for this situation might include S3 static web pages with client side scripting to meet high demand of information pages. Plus use of a noSQL database to collect customer registration for asynchronous processing, and SQS backed by scalable compute to keep up with the requests. Lightsail does provide a scalable provisioned service solutions, but these still need to be designed an planned by you and so offer no significant advantage in this situation. A standby server is a good idea, but will not help with the anticipated 500x load increase.

Answer 430

A

EC2, ECS, & Lambda.

The exact ratio of cores to memory has varied over time for Lambda instances, however Lambda like EC2 and ECS supports hyper-threading on one or more virtual CPUs (if your code supports hyper-threading).

Answer 431

A

AWS X-Ray

AWS X-Ray helps developers analyze and debug production, distributed applications, such as those built using a microservices & serverless architectures

Answer 432

A

A native Cloud Architecture that allows customers to shift more operational responsibility to AWS.

The ability to run applications and services without thinking about servers or capacity provisioning.

‘Serverless’ computing is not about eliminating servers, but shifting most of the responsibility for infrastructure and operation of the infrastructure to a vendor so that you can focus more on the business services, not how to manage the infrastructure that they run on. Billing does tend to be based on simple units, but the choice of services, intended usage pattern (RIs), and amount of capacity needed also influences the pricing.

Answer 433

A

Your lambda function does not have sufficient Identity Access Management (IAM) permissions to write to DynamoDB.

Like any services in AWS, Lambda needs to have a Role associated with it that provide credentials with rights to other services. This is exactly the same as needing a Role on an EC2 instance to access S3 or DDB.

Answer 434

A

Number of requests and
Duration of time your code runs

it is dirt cheap!

Answer 435

A

continuously/automatically but remember that it scales OUT (not up)

Answer 436

A

1 event = 1 function

but… one Lambda function can trigger other Lambda functions so 1 event can = x functions if functions trigger other functions

Answer 437

A

a service that helps you see and debug what is happening inside your architecture (useful as architecture turns complicated)

Answer 438

A

Yes… Lambda can do things globally so you can fx use it to backup S3 buckets to other S3 buckets

Answer 439

A

Encryption in S3
- Client-side
  - uploading an encrypted object
- Server-side
  - S3 managed keys, SSE-S3
    - amazon manages encryption keys for you
  - AWS Key Management Service, SSE-KMS
    - you manage keys with amazon
  - Server side encryption with customer provided keys (SSE-C)
    - you provide keys to amazon
- Encryption in transit = HTTPS
  - achieved through SSL/TLS. when you browse using HTTPS

Answer 440

A

requires that versioning is enabled on both the source and destination buckets
only replicates NEW objects, NOT deletes nor existing files

Answer 441

A

= Amazon’s CDN… distributed servers that delivers web content based on the geographic locations of users

Answer 442

A

Web Distribution (part of cloudfront) = for websites
RTMP (part of cloudfront) = for media streaming

Answer 443

A

Can invalidate data/files on the distribution = taking it away from the edge locations. you will be charged for this.

Answer 444

A

a service that connects an on-premise software appliance with cloud-based storage to provide seamless and secure integration.

Answer 445

A

= Elastic File System for EC2

very similar to EBS. Difference is that EBS can only be mounted to 1 EC2 instance.
EFS automatically grow and shrink based on the files you have in your EFS

Answer 446

A

File Gateway (NFS & SMB)
- files stored in your S3 bucket
Volume Gateway (iSCSI) - to store Hard disk drive in AWS
- Stored Volumes
  - store ENTIRE primary data locally and backed up in AWS
- Cached Volumes
  - stores the most frequently used data locally (NOT entire data) and the rest of the data in S3
Tape Gateway (VLT)
- way to archive your data in the AWS cloud = good to move your backup to the cloud

Answer 447

A

EBS, virtual hard disk in the cloud for use with EC2, Elastic Block Store, used with EC2,

Answer 448

A

General Purpose SSD = gp2
- most workloads
Provisioned IOPS SSD = io1
- databases
Throughput optimised HDD = st1
- big data & data warehouses
Cold HDD = sc1
- file servers
EBS Magnetic = standard
- where data is infrequently accessed

Answer 449

A

= backup of EBS volumes

Answer 450

A

= stop the ebs volume instance and then take snapshot

Answer 451

A

Automatic Backups
- enabled by default and take full daily snapshots
- stored in S3
Database Snapshots
- user-initiated
- stored even after you delete the original RDS instance

Answer 452

A

the restored version will be a new RDS instance with a new DNS endpoint

Answer 453

A

Aurora replicas (up to 15), automated failover
MySQL read replicas (up to 5)

Answer 454

A

Region ,operating system, architecture (32 vs 64 bit), launch permissions, storage for the root (EBS volumes vs. Instance store volumes)

Answer 455

A

EBS Volumes
- created from the snapshot of an EBS
Instance Store Volumes (Ephemeral Storage = if stops, you’ll lose your data)
- created from template stored in Amazon S3

Answer 456

A

CPU
Network
Disk
Status check

Answer 457

A

Internet Gateway or Virtual Private Gateway
Router
route table
access control lists
subnets
- NAT instances, network address translation
  - NAT instances, NAT gateways
- security groups
- instances
  - EC2
  - Bastion
VPC Endpoint
- interface endpoint
- gateway endpoint

Answer 458

A

A record = Address Record
- point a logical domain name, such as “google.com”, to the IP address of Google’s hosting server, “74.125. 224.147”.
CName = Canonical Name
- A Canonical Name or CNAME record is a type of DNS record that maps an alias name to a true or canonical domain name. … For example, a CNAME record can map the web address www.example.com to the actual web site for the domain example.com
- CName can’t be used for naked domain names = without www,. you will need an A-record or an Alias record then
SOA = state of authority
- the name of the server that supplied the data for the zone, the administrator of the zone, the current version of the data file and the default number of second for the TTL file on resource records
NS records = Name Server records
- used by Top Level Domain servers to direct traffic to the Content DNS server which contains the authoritative DNS records
- gives us access to the SOA which contains the other DNS records such as the A-Record,
MX Records
- used for mail
PTR records
- opposite of an A-record = you find the hyperlink from an IP-address
Alias record
- used to map resource record sets to elastic load balancers, very similar to CName. Same thing but cannot be used for naked domain names

Answer 459

A

A Canonical Name or CNAME record is a type of DNS record that maps an alias name to a true or canonical domain name. … For example, a CNAME record can map the web address www.example.com to the actual web site for the domain example.com
CName can’t be used for naked domain names = without www,. you will need an A-record or an Alias record then

Answer 460

A

Address Record
point a logical domain name, such as “google.com”, to the IP address of Google’s hosting server, “74.125. 224.147”.

Answer 461

A

used to map resource record sets to elastic load balancers, very similar to CName. Same thing but cannot be used for naked domain names

Answer 462

A

data that is generated continuously by thousands of data sources,kb-size data

Answer 463

A

a platform to send your streaming data to
- Kinesis Streams for storage, consist of SHARDS (24h-7days),
- Kinesis Firehose for analyzing on the go,
- Kinesis Analytics can analyze inside both Kinesis Firehose and Kinesis Streams

Answer 464

A

= access to AWS resources after “login with Facebook”

Answer 465

A

Amazon’s web identity federation service
- User pools: user directories to manage sign-up and sign-in functionality, users can sign in directly or with facebook, amazon, google etc, This is about USERS (emails, passwords, user registration, account recovery etc.)
- Identity pools: enable temporary AWS credentials to access AWS services like S3 or DynamoDB. This is about GRANTING/AUTHORISING access

Answer 466

A

User pools: user directories to manage sign-up and sign-in functionality, users can sign in directly or with facebook, amazon, google etc, This is about USERS (emails, passwords, user registration, account recovery etc.)
Identity pools: enable temporary AWS credentials to access AWS services like S3 or DynamoDB. This is about GRANTING/AUTHORISING access

Answer 467

A

CloudFormation = advanced AWS users

ElasticBeanstalk = people that have no clue about AWS and just want to get their website up

Answer 468

A

First checks if instances are in multi-AZ. If yes, an instance is shut down from the AZ with the most running instances
If even number of instances across AZs, the oldest configured EC2 is terminated first
if all equal, at random

Answer 469

A

CPU utilization
Network utilization
Disk Performance
Disk reads/writes

Answer 470

A

Memory utilization
Disk-swap
Disk-space
Page file utilization
Log collection

Answer 471

A

32 - 27 = 5

2^5 = 32

Answer 472

A

32 because…

32-32 = 0

2^0 = 1 ip address

Answer 473

A

SSD = small, random I/O operations
HDD = large, sequential I/O operations

Answer 474

A

the operating system of the instance

Answer 475

A

in the private subnet

Answer 476

A

Autoscaling Groups => EC2 Status Check => Replaces unhealthy instances
ELB Health checks => stops sending traffic to the unhealthy instance

If ELB on top of auto scaling, the ELB process is dominating

Answer 477

A

Amazon Message queue

Amazon MQ, Amazon SQS, and Amazon SNS are messaging services that are suitable for anyone from startups to enterprises. If you’re using messaging with existing applications and want to move your messaging service to the cloud quickly and easily, it is recommended that you consider Amazon MQ. It supports industry-standard APIs and protocols so you can switch from any standards-based message broker to Amazon MQ without rewriting the messaging code in your applications.

Answer 478

A

S3 Select is a new Amazon S3 capability designed to pull out only the data you need from an object, which can dramatically improve the performance and reduce the cost of applications that need to access data in S3

Answer 479

A

Redshift Spectrum is a feature of Amazon Redshift that allows you to query data stored on Amazon S3 directly and supports nested data types

Answer 480

A

Amazon Redshift is a relational, OLAP-style database. It’s a data warehouse built for the cloud, to run the most complex analytical workloads.
Amazon Redshift Spectrum is a feature of Amazon Redshift. Spectrum is a query processing engine that allows to join data that sits in Amazon S3 with data in Amazon Redshift.

Answer 481

A

Elasticsearch is a highly scalable open-source full-text search and analytics engine. It allows you to store, search, and analyze big volumes of data quickly and in near real time.

Answer 482

A

Amazon Elasticsearch Service (Amazon ES) is a managed service that makes it easy to deploy, operate, and scale Elasticsearch clusters in the AWS Cloud.

You can load streaming data into Elasticsearch Service

Answer 483

A

Amazon Athena is a service that enables a data analyst to perform interactive queries on data stored in S3.

Because Athena is a serverless query service, an analyst doesn’t need to manage any underlying compute infrastructure to use it.

Answer 484

A

You can speed up your queries dramatically by compressing your data, provided that files are splittable or of an optimal size (optimal S3 file size is between 200MB-1GB). Smaller data sizes mean less network traffic between Amazon S3 to Athena = and thus higher speed

Answer 485

A

Route Origin Authorization. A ROA tells the world who is allowed to advertise your IP address range.

= used to give AWS the authorization to advertise your IP address range.

Answer 486

A

DAX = Dynamo DB Accelerator

Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to a 10x performance improvement – from milliseconds to microseconds – even at millions of requests per second.

= used to speed up queries from your DynamoDB no-sql database

Answer 487

A

Device Farm is an app testing service that you can use to test and interact with your Android, iOS, and web apps on real, physical phones and tablets that are hosted by Amazon Web Services (AWS).

There are two main ways to use Device Farm:

Automated testing of apps using a variety of testing frameworks.
Remote access of devices onto which you can load, run, and interact with apps in real time.

Answer 488

A

Stripe set or striped volume.

RAID 0 helps stripe = split data evenly across two or more disks, without parity information, redundancy or fault tolerance.

USED for….. increasing read and write transfer rates = for high performance but with lower reliability (see below)

since there is no fault tolerance or redundancy, the failure of one drive will cause the entire array to fail and thus lose all data in such cases.

Answer 489

A

RAID 1 consist of an exact copy MIRROR of a set of data on two or more disks.

USED for… when READ performance or RELIABILITY is more important than write performance

Answer 490

A

RAID 0

= split data evenly across two or more disks => to increase read AND write transfer rates => for high performance but with lower reliability

RAID 1

= exact copy/MIRROR of a set of data on two or more disk = used when READ performance or RELIABILITY is more important than write performance

Answer 491

A

Redundant Array of Independent Disks

configurations to create large reliable data stores from multiple HDDs (in relation to RSD)

Answer 492

A

Security Assertion Markup Language…. is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP).

used… This feature enables federated single sign-on (SSO), so users can log into the AWS Management Console or call the AWS APIs without you having to create an IAM user for everyone in your organization. By using SAML, you can simplify the process of configuring federation with AWS, because you can use the IdP’s service instead of writing custom identity proxy code.

Used = for example with Active directory (by Microsoft)

Answer 493

A

Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate

NOTE…. Although STS is used to send temporary tokens for authentication, this is not a compatible use case for RDS

Answer 494

A

Active Directory. Active Directory (AD) is a Microsoft technology used to manage computers and other devices on a network. … As a network grows, Active Directory provides a way to organize a large number of users into logical groups and subgroups, while providing access control at each level.

Answer 495

A

An Amazon service to connect to Microsoft Active directory

Answer 496

A

RDS Enhanced Monitoring provides visibility into the health of your Amazon RDS instances

Answer 497

A

Elastic MapReduce

=> Amazon EMR is the industry leading cloud-native big data platform for processing vast amounts of data quickly and cost-effectively at scale. Using open source tools such as Apache Spark, Apache Hive, Apache HBase, Apache Flink, Apache Hudi (Incubating), and Presto, coupled with the dynamic scalability of Amazon EC2 and scalable storage of Amazon S3, EMR gives analytical teams the engines and elasticity to run Petabyte-scale analysis for a fraction of the cost of traditional on-premises clusters.

Used for = big data processing and analysis

Answer 498

A

in regards to IP addresses….

TCP
- connection-oriented protocol = establishes a connection between sender and receiver before data can be sent
- Reliable
- SSH Protocol + HTTPS
UDP
- connection-less protocol = does not establish a connection before data is sent
- FASTER but less reliable
- HTTP with UDP + HTTPS

Answer 499

A

Polling is a technique by which the client asking the server for new data regularly

Long Polling
- Long Polling basically involves making an HTTP request to a server and then holding the connection open to allow the server to respond at a later time (as determined by the server).
short polling
- Short polling is an AJAX-based timer that calls at fixed delays

Answer 500

A

DynamoDB
- database
- good for OLTP (online transaction processing)
Redshift
- data warehouse
- good for OLAP (online analytics processing)

Answer 501

A

Workload Management = (WLM) uses machine learning to dynamically manage memory and concurrency helping maximize query throughput. In addition, you can now easily set the priority of your most important queries, even when hundreds of queries are being submitted.

Part of REDSHIFT

Answer 502

A

Allows you to direct Redshift COPY and UNLOAD traffic through your VPC

When you use Amazon Redshift Enhanced VPC Routing, Amazon Redshift forces all COPY and UNLOAD traffic between your cluster and your data repositories through your Amazon VPC. By using Enhanced VPC Routing, you can use standard VPC features, such as VPC security groups, network access control lists (ACLs), VPC endpoints, VPC endpoint policies, internet gateways, and Domain Name System (DNS) servers, as described in the Amazon VPC User Guide. You use these features to tightly manage the flow of data between your Amazon Redshift cluster and other resources.

Answer 503

A

An Amazon Redshift data warehouse is a collection of computing resources called nodes, which are organized into a group called a cluster.

Each cluster runs an Amazon Redshift engine and contains one or more databases.

Each cluster consist of:

The Leader Node
- manages communication between the compute nodes and the client applications
- not billable btw
Compute node(s) - has CPU, Memory, Disk storage
- stores data and execute queries
- billed by total number of compute node hours

Answer 504

A

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, fast, container management service that makes it easy to run, stop, and manage Docker containers on a cluster. It is comparable to Kubernetes, Docker Swarm, and Azure Container Service.

For example, ECS allows your applications the flexibility to use a mix of Amazon EC2 and AWS Fargate with Spot and On-Demand pricing options.

Answer 505

A

a Cluster is a group of ECS Container Instances

clusters are REGION-specific
may contain a mix of tasks using EITHER the Fargate or EC2 Launch types
may contain a mix of both Auto Scaling group capacity providers and Fargate capacity providers
IAM policies may be created to allow or restrict user access to clusters

Answer 506

A

AWS Fargate is a serverless compute engine for containers that works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS)

Answer 507

A

Throttling is a process that is used to control the usage of APIs by consumers during a given period.

ou can define throttling at the application level and API level. Throttling limit is considered as cumulative at API level. …

For example, you can limit the number of total API requests as 10000/day

USED..

to protect your backend systems from traffic spikes by using throttling limits on the API gateway

Answer 508

A

Want to provide access to multiple restricted files (subscriber area of a platform)
You do not want to change your current URLs

(CloudFront signed URLs and signed cookies provide the same basic functionality: they allow you to control who can access your content.)

Answer 509

A

Signed URLs
- Restrict access to individual files, for example, an installation download for your application
- Users are using HTTP which does not support cookies
- RTMP distribution
Signed Cookies
- Want to provide access to multiple restricted files (subscriber area of a platform)
- You do not want to change your current URLs

Answer 510

A

Lambda@Edge is a feature of Amazon CloudFront that lets you run code closer to users of your application, which improves performance and reduces latency.

With Lambda@Edge, you don’t have to provision or manage infrastructure in multiple locations around the world.

Answer 511

A

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS

Answer 512

A

What is DDoS attacks?

Answer 513

A

The partition key portion of a table’s primary key determines the logical partitions in which a table’s data is stored. (part of DynamoDB)

More partition keys = more data divisions = more division of provisioned I/O capacity = better distribution of workload evenly and less risk of throttling

(DynamoDB stores data as groups of attributes, known as items. Items are similar to rows or records in other database systems. DynamoDB stores and retrieves each item based on the primary key value, which must be unique. Items are distributed across 10-GB storage units, called partitions (physical storage internal to DynamoDB)

Answer 514

A

AWS KMS is a managed service that enables you to easily create and control the keys used for cryptographic operations.

USED

You can use it in your applications to create, store and control encryption keys to encrypt your data
Want to encrypt data FIRST before writing it to the disk (EBS) for storage use AWS KMS API

Answer 515

A

Amazon Web Application Firewall..

AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources

Answer 516

A

Amazon Simple E-mail Service

designed to help digital marketers and application developers send marketing, notification, and transactional emails.

Answer 517

A

An Internet-routable IP address (statis) of the customer gateway’s external interface for the on-premises network.

Although the term VPN connection is a general term, in the Amazon VPC documentation, a VPN connection refers to the connection between your VPC and your own network. AWS supports Internet Protocol security (IPsec) VPN connections.

A customer gateway is a physical device or software application on your side of the VPN connection.

To create a VPN connection, you must create a customer gateway resource in AWS, which provides information to AWS about your customer gateway device. Next, you have to set up an Internet-routable IP address (static) of the customer gateway’s external interface.

Answer 518

A

In software testing, a canary is a push of programming code changes to a small group of end users who are unaware that they are receiving new code. Because the canary is only distributed to a small number of users, its impact is relatively small and changes can be reversed quickly should the new code prove to be buggy.

= to deploy test of new software fx

Answer 519

A

Blue-green deployment is a technique that reduces downtime and risk by running two identical production environments called Blue and Green. At any time, only one of the environments is live, with the live environment serving all production traffic. For this example, Blue is currently live and Green is idle

Answer 520

A

The canonical name record (CNAME) is switched form the primary to standby instance

In Amazon RDS, failover is automatically handled so that you can resume database operations as quickly as possible without administrative intervention in the event that your primary database instance went down. When failing over, Amazon RDS simply flips the canonical name record (CNAME) for your DB instance to point at the standby, which is in turn promoted to become the new primary.

Answer 521

A

you pay only for the API calls you receive and the amount of data transferred out
you can run your APIs without any servers

Answer 522

A

Alias with a type “AAAA” record set
Alias with a type “A” record set

Alias with a type “AAAA” record set and Alias with a type “A” record set are correct. To route domain traffic to an ELB load balancer, use Amazon Route 53 to create an alias record that points to your load balancer. An alias record is a Route 53 extension to DNS. It’s similar to a CNAME record, but you can create an alias record both for the root domain, such as tutorialsdojo.com, and for subdomains, such as portal.tutorialsdojo.com. (You can create CNAME records only for subdomains.) To enable IPv6 resolution, you would need to create a second resource record, tutorialsdojo.com ALIAS AAAA -> myelb.us-west-2.elb.amazonnaws.com, this is assuming your Elastic Load Balancer has IPv6 support.

Answer 523

A

FALSE

almost correct. But instead of storing the volume to Amazon RDS, the EBS Volume snapshots are actually sent to Amazon S3.

Answer 524

A

Network Load Balancer

Host-based routing is what enables virtual servers on web servers. It’s also used by application services like load balancing and ingress controllers to achieve the same thing. One IP address, many hosts

URL Path Based Routing allows you to route traffic to back-end server pools basedon URL Paths of the request

Answer 525

A

Cognito ID

You can use Amazon Cognito to deliver temporary, limited-privilege credentials to your application so that your users can access AWS resources. Amazon Cognito identity pools support both authenticated and unauthenticated identities. You can retrieve a unique Amazon Cognito identifier (identity ID) for your end user immediately if you’re allowing unauthenticated users or after you’ve set the login tokens in the credentials provider if you’re authenticating users.

That is why the correct answer for this question is Cognito ID.

Answer 526

A

Lambda Function
SQS
SNS

Answer 527

A

SNS
CloudWatch

, you can use Amazon CloudWatch to monitor the database and then Amazon SNS to send the emails to the Operations team. Take note that you should use SNS instead of SES (Simple Email Service) when you want to monitor your EC2 instances.

Answer 528

A

Deploy a Windows Bastion host with an elastic IP address in the public subnet and allow RDP access to bastion only from the corporate IP address

The correct answer is to deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow RDP access to bastion only from the corporate IP addresses.

A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. If you have a bastion host in AWS, it is basically just an EC2 instance. It should be in a public subnet with either a public or Elastic IP address with sufficient RDP or SSH access defined in the security group. Users log on to the bastion host via SSH or RDP and then use that session to manage other hosts in the private subnets.

Answer 529

A

Amazon Simple Queue Service (SQS) and Amazon Simple Workflow Service (SWF)are the services that you can use for creating a decoupled architecture in AWS. Decoupled architecture is a type of computing architecture that enables computing components or layers to execute independently while still interfacing with each other.

Amazon SQS offers reliable, highly-scalable hosted queues for storing messages while they travel between applications or microservices. Amazon SQS lets you move data between distributed application components and helps you decouple these components. Amazon SWF is a web service that makes it easy to coordinate work across distributed application components.

Answer 530

A

AWS Snowball Edge

Although an AWS Snowball device costs less than AWS Snowball Edge, it cannot store 80 TB of data in one device. Take note that the storage capacity is different from the usable capacity for Snowball and Snowball Edge. Remember that an 80 TB Snowball appliance and 100 TB Snowball Edge appliance only have 72 TB and 83 TB of usable capacity respectively. Hence, it would be costly if you use two Snowball devices compared to using just one AWS Snowball Edge device.

Answer 531

A

Security and Compliance is a shared responsibility between AWS and the customer.

Answer 532

A

Order multiple AWS Snowball devices to upload the files to amazon S3

Answer 533

A

Attaching an ENI to an instance when it is stopped.

An elastic network interface (ENI) is a logical networking component in a VPC that represents a virtual network card. You can attach a network interface to an EC2 instance in the following ways:

When it’s running (hot attach)

When it’s stopped (warm attach)

When the instance is being launched (cold attach).

Therefore, attaching an ENI to an instance when it is stopped is the correct answer.

Answer 534

A

Establish another AWS Direct Connect connection and private virtual interface in the same AWS region as VPC-1

Establish a hardware VPN over the internet between VPC-1 and the common on-premises network

Answer 535

A

Create CloudWatch alarms that stop and start the instance based on status check alarms.

Answer 536

A

Before sending the data to amazon S3 over HTTPS, encrypt the data locally first using your own encryption keys
Enable server-side encryption on an S3 bucket to make use of AES-256 encryption

Server-side encryption is about data encryption at rest—that is, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. For example, if you share your objects using a pre-signed URL, that URL works the same way for both encrypted and unencrypted objects.

Answer 537

A

The correct answer is Pilot Light.

The term pilot light is often used to describe a DR scenario in which a minimal version of an environment is always running in the cloud. The idea of the pilot light is an analogy that comes from the gas heater. In a gas heater, a small flame that’s always on can quickly ignite the entire furnace to heat up a house. This scenario is similar to a backup-and-restore scenario.

For example, with AWS you can maintain a pilot light by configuring and running the most critical core elements of your system in AWS. When the time comes for recovery, you can rapidly provision a full-scale production environment around the critical core.

Answer 538

A

Warm standby is a method of redundancy in which the scaled-down secondary system runs in the background of the primary system. Doing so would not optimize your savings as much as running a pilot light recovery since some of your services are always running in the background.

Answer 539

A

it is best to create 2 separate SQS queues for each type of members. The SQS queues for the premium members can be polled first by the EC2 Instances and once completed, the messages from the free members can be processed next.

Answer 540

A

For this scenario, using Route 53 with the failover option to a static S3 website bucket or CloudFront distribution is correct. You can create a new Route 53 with the failover option to a static S3 website bucket or CloudFront distribution as an alternative.

Answer 541

A

Using an Elastic Load Balancer is an ideal solution for adding elasticity to your application. Alternatively, you can also create a policy in Route 53, such as a Weighted routing policy, to evenly distribute the traffic to 2 or more EC2 instances. Hence, setting up two EC2 instances and then put them behind an Elastic Load balancer (ELB) and setting up two EC2 instances and using Route 53 to route traffic based on a Weighted Routing Policy are the correct answers.

Answer 542

A

Instance Metadata

Instance metadata is the data about your instance that you can use to configure or manage the running instance. You can get the instance ID, public keys, public IP address and many other information from the instance metadata by firing a URL command in your instance to this URL:

http://169.254.169.254/latest/meta-data/

Answer 543

A

Amazon S3 Glacier
AWS Storage Gateway

All data transferred between any type of gateway appliance and AWS storage is encrypted using SSL. By default, all data stored by AWS Storage Gateway in S3 is encrypted server-side with Amazon S3-Managed Encryption Keys (SSE-S3). Also, when using the file gateway, you can optionally configure each file share to have your objects encrypted with AWS KMS-Managed Keys using SSE-KMS. This is the reason why AWS Storage Gateway is correct.

Data stored in Amazon Glacier is protected by default; only vault owners have access to the Amazon Glacier resources they create. Amazon Glacier encrypts your data at rest by default and supports secure data transit with SSL. This is the reason why Amazon S3 Glacier is correct.

Answer 544

A

using the principle of least privilege which means granting only the permissions required to perform a task

Answer 545

A

CloudFront and Elastic Load Balancing

Perfect Forward Secrecy is a feature that provides additional safeguards against the eavesdropping of encrypted data, through the use of a unique random session key. This prevents the decoding of captured data, even if the secret long-term key is compromised.

CloudFront and Elastic Load Balancing are the two AWS services that support Perfect Forward Secrecy. Hence, the correct answer is: CloudFront and Elastic Load Balancing.

Answer 546

A

AWS Trusted Advisor inspects your AWS environment and makes recommendations for saving money, improving system performance and reliability, or closing security gaps.

Answer 547

A

an isolated Amazon Web Service (AWS) designed to allow customers and the U.S government agencies to move their confidential data into the cloud to address their compliance and specific regulatory requirements. It runs under ITAR, the U.S. International Traffic in Arms Regulations

Answer 548

A

Create snapshots of the EBS volumes

Creating snapshots of the EBS Volumes is correct. You can back up the data on your Amazon EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved.

This minimizes the time required to create the snapshot and saves on storage costs by not duplicating data. When you delete a snapshot, only the data unique to that snapshot is removed. Each snapshot contains all of the information needed to restore your data (from the moment the snapshot was taken) to a new EBS volume.

Answer 549

A

In this scenario, it is stated that the SQS queue is configured with the maximum message retention period. The maximum message retention in SQS is 14 days that is why the option that says: Tell the users that the application will be operational shortly and all received requests will be processed after the web application is restarted is the correct answer i.e. there will be no missing messages.

Answer 550

A

300 seconds…

In Auto Scaling, the following statements are correct regarding the cooldown period:

It ensures that the Auto Scaling group does not launch or terminate additional EC2 instances before the previous scaling activity takes effect.

Its default value is 300 seconds.

It is a configurable setting for your Auto Scaling group.

Answer 551

A

DynamoDB

Amazon DynamoDB is a fast and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed cloud database and supports both document and key-value store models. Its flexible data model, reliable performance, and automatic scaling of throughput capacity makes it a great fit for mobile, web, gaming, ad tech, IoT, and many other applications.

The following diagram shows an example of data stored as key-value pairs in DynamoDB:

Answer 552

A

Create a Lambda function that will asynchronously process the requests.

AWS Lambda supports synchronous and asynchronous invocation of a Lambda function. You can control the invocation type only when you invoke a Lambda function. When you use an AWS service as a trigger, the invocation type is predetermined for each service. You have no control over the invocation type that these event sources use when they invoke your Lambda function. Since the processing only takes 5 minutes, Lambda is also a cost-effective choice.

Answer 553

A

Security Token Service (STS)

AWS Security Token Service (AWS STS) is the service that you can use to create and provide trusted users with temporary security credentials that can control access to your AWS resources. Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use.

Answer 554

A

AWS OpsWork

AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments. OpsWorks has three offerings - AWS Opsworks for Chef Automate, AWS OpsWorks for Puppet Enterprise, and AWS OpsWorks Stacks.

Answer 555

A

The best way to implement a bastion host is to create a small EC2 instance which should only have a security group from a particular IP address for maximum security. This will block any SSH Brute Force attacks on your bastion host. It is also recommended to use a small instance rather than a large one because this host will only act as a jump server to connect to other instances in your VPC and nothing else.

Answer 556

A

AWS IoT Core is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices.

Answer 557

A

Here are the prerequisites for routing traffic to a website that is hosted in an Amazon S3 Bucket:

An S3 bucket that is configured to host a static website. The bucket must have the same name as your domain or subdomain. For example, if you want to use the subdomain portal.tutorialsdojo.com, the name of the bucket must be portal.tutorialsdojo.com.
A registered domain name. You can use Route 53 as your domain registrar, or you can use a different registrar.
Route 53 as the DNS service for the domain. If you register your domain name by using Route 53, we automatically configure Route 53 as the DNS service for the domain.

Answer 558

A

Use Amazon Data Licecycle Manager (DLM) to automate the creation of EBS snapshots

You can use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes. Automating snapshot management helps you to:

Protect valuable data by enforcing a regular backup schedule.
Retain backups as required by auditors or internal compliance.
Reduce storage costs by deleting outdated backups.

Answer 559

A

Network ACL Rules are evaluated by rule number, from lowest to highest, and executed immediately when a matching allow/deny rule is found.

Answer 560

A

No, all EBS volumes are stored and replicated in a single AZ only

The option that says: No, all EBS volumes are stored and replicated in a single AZ only is correct because when you create an EBS volume in an Availability Zone, it is automatically replicated within that zone only to prevent data loss due to a failure of any single hardware component. After you create a volume, you can attach it to any EC2 instance in the same Availability Zone.

The option that says: Yes, EBS volume is fault-tolerant and has multiple copies across multiple AZ is incorrect because it is the EBS snapshots, not the EBS volume, that has a copy of the data which is stored redundantly in multiple Availability Zones.

Answer 561

A

FTP used TCP
and we need to allow only one IP address so

Create a new inbound rule in the security group of the EC2 instance with:

Protocol: TCP

Port Range: 20-21

Source: 175.45.116.100/32

The /32 denotes one IP address while /0 refers to the entire network.

Answer 562

A

AWS X-Ray

You can use AWS X-Ray to trace and analyze user requests as they travel through your Amazon API Gateway APIs to the underlying services. API Gateway supports AWS X-Ray tracing for all API Gateway endpoint types: regional, edge-optimized, and private. You can use AWS X-Ray with Amazon API Gateway in all regions where X-Ray is available.

(CloudTrail is incorrect because this is primarily used for API logging of all of your AWS resources.)

Answer 563

A

store the files in S3 then after amonth, change the storage class of the tutorialsdojo-finance prefix to One Zone-AI while the remaining go to Glacier using lifecycle policy.

Since the files are easily reproducible and some of them are needed to be retrieved quickly based on a specific prefix filter (tutorialsdojo-finance), S3-One Zone IA would be a good choice for storing them. The other files that do not contain such prefix would then be moved to Glacier for low cost archival. This setup would also be the most cost-effective for the client.

Answer 564

A

Enable Cross-Region Replication

In this scenario, you need to enable Cross-Region Replication to ensure that your S3 bucket would not be affected even if there is an outage in one of the Availability Zones or a regional service failure in us-east-1. When you upload your data in S3, your objects are redundantly stored on multiple devices across multiple facilities within the region only, where you created the bucket. Hence, if there is an outage on the entire region, your S3 bucket will be unavailable if you do not enable Cross-Region Replication, which should make your data available to another region.

Note that an Availability Zone (AZ) is more related with Amazon EC2 instances rather than Amazon S3 so if there is any outage in the AZ, the S3 bucket is usually not affected but only the EC2 instances deployed on that zone.

Answer 565

A

Create an Amazon Kinesis Stream to collect the messages

=>

Two important requirements that the chosen AWS service should fulfill is that data should not go missing, is durable, and streams data in the sequence of arrival. Kinesis can do the job just fine because of its architecture. A Kinesis data stream is a set of shards that has a sequence of data records, and each data record has a sequence number that is assigned by Kinesis Data Streams. Kinesis can also easily handle the high volume of messages being sent to the service.

Answer 566

A

using Amazon CloudFront with website as the custom origin and
using Amazon ElastiCache for the website’s in-memory data store or cache.

The global news website has a problem with latency considering that there are a lot of readers of the site from all parts of the globe. In this scenario, you can use a content delivery network (CDN) which is a geographically distributed group of servers which work together to provide fast delivery of Internet content. And since this is a news website, most of its data are read-only, which can be cached to improve the read throughput and avoid the repetitive requests from the server.

In AWS, Amazon CloudFront is the global content delivery network (CDN) service that you can use and for web caching, Amazon ElastiCache is the suitable service. Hence, the correct answers here are using Amazon CloudFront with website as the custom origin and using Amazon ElastiCache for the website’s in-memory data store or cache.

Answer 567

A

Configure the S3 bucket policy to set all objects to public read
In S3, set the permissions of the object to public read during upload

By default, all Amazon S3 resources such as buckets, objects, and related subresources are private which means that only the AWS account holder (resource owner) that created it has access to the resource. The resource owner can optionally grant access permissions to others by writing an access policy. In S3, you also set the permissions of the object during upload to make it public.

Amazon S3 offers access policy options broadly categorized as resource-based policies and user policies. Access policies you attach to your resources (buckets and objects) are referred to as resource-based policies.

For example, bucket policies and access control lists (ACLs) are resource-based policies. You can also attach access policies to users in your account. These are called user policies. You may choose to use resource-based policies, user policies, or some combination of these to manage permissions to your Amazon S3 resources.

Configuring the ACL of the S3 bucket to set all objects to be publicly readable and writeable is incorrect as ACLs are primarily used to grant basic read/write permissions to AWS accounts and not suitable for providing public access over the Internet.

Creating an IAM role to set the objects inside the S3 bucket to public read is incorrect. Although with IAM, you can create a user, group, or role that has certain permissions to the S3 bucket, it does not control the individual objects that are hosted in the bucket.

Answer 568

A

CloudWatch

Answer 569

A

Install CloudWatch monitoring scripts in the instances. Send custom metrics to CloudWatch which will trigger your Auto Scaling group to scale up.

The premise of the scenario is that the EC2 servers have high memory usage, but since this specific metric is not tracked by the Auto Scaling group by default, the scaling up activity is not being triggered. Remember that by default, CloudWatch doesn’t monitor memory usage but only the CPU utilization, Network utilization, Disk performance and Disk Reads/Writes.

This is the reason why you have to install CloudWatch Monitoring Scripts in your EC2 instances to collect and monitor the custom metric (memory usage), which will be used by your Auto Scaling Group as a trigger for scaling activities.

Answer 570

A

Add Multi-factor authentication MFA to a user pool in Cognito to protect the identity of your users.

You can add multi-factor authentication (MFA) to a user pool to protect the identity of your users. MFA adds a second authentication method that doesn’t rely solely on user name and password. You can choose to use SMS text messages, or time-based one-time (TOTP) passwords as second factors in signing in your users. You can also use adaptive authentication with its risk-based model to predict when you might need another authentication factor. It’s part of the user pool advanced security features, which also include protections against compromised credentials.

Answer 571

A

To be able to run SQL queries, use AWS Athena to analyze the export data file in S3

Amazon Athena is an interactive query service that makes it easy to analyze data directly in Amazon Simple Storage Service (Amazon S3) using standard SQL. With a few actions in the AWS Management Console, you can point Athena at your data stored in Amazon S3 and begin using standard SQL to run ad-hoc queries and get results in seconds.

Athena is serverless, so there is no infrastructure to set up or manage, and you pay only for the queries you run. Athena scales automatically—executing queries in parallel—so results are fast, even with large datasets and complex queries.

Athena helps you analyze unstructured, semi-structured, and structured data stored in Amazon S3. Examples include CSV, JSON, or columnar data formats such as Apache Parquet and Apache ORC. You can use Athena to run ad-hoc queries using ANSI SQL, without the need to aggregate or load the data into Athena.

. You can use a cost-effective option (AWS Athena), which is a serverless service that enables you to pay only for the queries you run.

Answer 572

A

EFS

In this question, you should take note of the two keywords/phrases: “file operation” and “allows concurrent connections from multiple EC2 instances”. There are various AWS storage options that you can choose but whenever these criteria show up, always consider using EFS instead of using EBS Volumes which is mainly used as a “block” storage and can only have one connection to one EC2 instance at a time. Amazon EFS provides the scale and performance required for big data applications that require high throughput to compute nodes coupled with read-after-write consistency and low-latency file operations.

EBS is incorrect because it does not allow concurrent connections from multiple EC2 instances hosted on multiple AZs and it does not store data redundantly across multiple AZs by default, unlike EFS.

S3 is incorrect because although it can handle concurrent connections from multiple EC2 instances, it does not have the ability to provide low-latency file operations, which is required in this scenario.

Answer 573

A

Set up a new Amazon RDS Read Replica of the production database. Direct the Data Analytics team to query the production data from the replica.

Amazon RDS Read Replicas provide enhanced performance and durability for database (DB) instances. This feature makes it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads.

You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas can also be promoted when needed to become standalone DB instances. Read replicas are available in Amazon RDS for MySQL, MariaDB, Oracle and PostgreSQL, as well as Amazon Aurora.

You can reduce the load on your source DB instance by routing read queries from your applications to the read replica. These replicas allow you to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads.

Because read replicas can be promoted to master status, they are useful as part of a sharding implementation. To shard your database, add a read replica and promote it to master status, then, from each of the resulting DB Instances, delete the data that belongs to the other shard.

Answer 574

A

S3 Select, Amazon Athena, Amazon Redshift Spectrum

Amazon S3 allows you to run sophisticated Big Data analytics on your data without moving the data into a separate analytics system. In AWS, there is a suite of tools that make analyzing and processing large amounts of data in the cloud faster, including ways to optimize and integrate existing workflows with Amazon S3:

S3 Select

Amazon S3 Select is designed to help analyze and process data within an object in Amazon S3 buckets, faster and cheaper. It works by providing the ability to retrieve a subset of data from an object in Amazon S3 using simple SQL expressions. Your applications no longer have to use compute resources to scan and filter the data from an object, potentially increasing query performance by up to 400%, and reducing query costs as much as 80%. You simply change your application to use SELECT instead of GET to take advantage of S3 Select.

Amazon Athena

Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL expressions. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries you run. Athena is easy to use. Simply point to your data in Amazon S3, define the schema, and start querying using standard SQL expressions. Most results are delivered within seconds. With Athena, there’s no need for complex ETL jobs to prepare your data for analysis. This makes it easy for anyone with SQL skills to quickly analyze large-scale datasets.

Amazon Redshift Spectrum

Amazon Redshift also includes Redshift Spectrum, allowing you to directly run SQL queries against exabytes of unstructured data in Amazon S3. No loading or transformation is required, and you can use open data formats, including Avro, CSV, Grok, ORC, Parquet, RCFile, RegexSerDe, SequenceFile, TextFile, and TSV. Redshift Spectrum automatically scales query compute capacity based on the data being retrieved, so queries against Amazon S3 run fast, regardless of data set size.

Answer 575

A

Amazon S3 Select is designed to help analyze and process data within an object in Amazon S3 buckets, faster and cheaper. It works by providing the ability to retrieve a subset of data from an object in Amazon S3 using simple SQL expressions. Your applications no longer have to use compute resources to scan and filter the data from an object, potentially increasing query performance by up to 400%, and reducing query costs as much as 80%. You simply change your application to use SELECT instead of GET to take advantage of S3 Select.

Answer 576

A

Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL expressions. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries you run. Athena is easy to use. Simply point to your data in Amazon S3, define the schema, and start querying using standard SQL expressions. Most results are delivered within seconds. With Athena, there’s no need for complex ETL jobs to prepare your data for analysis. This makes it easy for anyone with SQL skills to quickly analyze large-scale datasets.

Answer 577

A

Amazon Redshift also includes Redshift Spectrum, allowing you to directly run SQL queries against exabytes of unstructured data in Amazon S3. No loading or transformation is required, and you can use open data formats, including Avro, CSV, Grok, ORC, Parquet, RCFile, RegexSerDe, SequenceFile, TextFile, and TSV. Redshift Spectrum automatically scales query compute capacity based on the data being retrieved, so queries against Amazon S3 run fast, regardless of data set size.

Answer 578

A

data is automatically deleted = ephemeral storage

Answer 579

A

S3 Select

With Amazon S3 Select, you can use simple structured query language (SQL) statements to filter the contents of Amazon S3 objects and retrieve just the subset of data that you need. By using Amazon S3 Select to filter this data, you can reduce the amount of data that Amazon S3 transfers, which reduces the cost and latency to retrieve this data.

Redshift Spectrum is incorrect because although Amazon Redshift Spectrum provides a similar in-query functionality like S3 Select, this service is more suitable for querying your data from the Redshift external tables hosted in S3. The Redshift queries are run on your cluster resources against local disk. Redshift Spectrum queries run using per-query scale-out resources against data in S3 which can entail additional costs compared with S3 Select.

Answer 580

A

MQ

Amazon MQ, Amazon SQS, and Amazon SNS are messaging services that are suitable for anyone from startups to enterprises. If you’re using messaging with existing applications and want to move your messaging service to the cloud quickly and easily, it is recommended that you consider Amazon MQ. It supports industry-standard APIs and protocols so you can switch from any standards-based message broker to Amazon MQ without rewriting the messaging code in your applications.

Answer 581

A

EBS

Amazon Web Services (AWS) offers cloud storage services to support a wide range of storage workloads such as Amazon S3, EFS and EBS. Amazon EFS is a file storage service for use with Amazon EC2. Amazon EFS provides a file system interface, file system access semantics (such as strong consistency and file locking), and concurrently-accessible storage for up to thousands of Amazon EC2 instances. Amazon S3 is an object storage service. Amazon S3 makes data available through an Internet API that can be accessed anywhere. Amazon EBS is a block-level storage service for use with Amazon EC2. Amazon EBS can deliver performance for workloads that require the lowest-latency access to data from a single EC2 instance. You can also increase EBS storage for up to 16TB or add new volumes for additional storage.

In this scenario, the company is looking for a storage service which can provide the lowest-latency access to their data which will be fetched by a single m5ad.24xlarge Reserved EC2 instance. This type of workloads can be supported better by using either EFS or EBS but in this case, the latter is the most suitable storage service. As mentioned above, EBS provides the lowest-latency access to the data for your EC2 instance since the volume is directly attached to the instance. In addition, the scenario does not require concurrently-accessible storage since they only have one instance.

Answer 582

A

Amazon Storage Gateway

AWS Storage Gateway connects an on-premises software appliance with cloud-based storage to provide seamless integration with data security features between your on-premises IT environment and the AWS storage infrastructure. You can use the service to store data in the AWS Cloud for scalable and cost-effective storage that helps maintain data security.

Answer 583

A

AWS Shield

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.

AWS WAF is incorrect because this is a web application firewall service that helps protect your web apps from common exploits that could affect app availability, compromise security, or consume excessive resources. Although this can help you against DDoS attacks, AWS WAF alone is not enough to fully protect your VPC. You still need to use AWS Shield in this scenario.

AWS Firewall Manager is incorrect because this just simplifies your AWS WAF administration and maintenance tasks across multiple accounts and resources.

Amazon GuardDuty is incorrect because this is just an intelligent threat detection service to protect your AWS accounts and workloads. Using this alone will not fully protect your AWS resources against DDoS attacks.

Answer 584

A

AWS Firewall Manager is a security management service which allows you to centrally configure and manage firewall rules across your accounts and applications

Answer 585

A

Web Application Firewall

this is a web application firewall service that helps protect your web apps from common exploits that could affect app availability, compromise security, or consume excessive resources. Although this can help you against DDoS attacks, AWS WAF alone is not enough to fully protect your VPC. You still need to use AWS Shield in this scenario.

A WAF or Web Application Firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection, among others.

Answer 586

A

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. … GuardDuty analyzes tens of billions of events across multiple AWSdata sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs.

= this is just an intelligent threat detection service to protect your AWS accounts and workloads.

Answer 587

A

Use DynamoDB Auto Scaling

DynamoDB auto scaling uses the AWS Application Auto Scaling service to dynamically adjust provisioned throughput capacity on your behalf, in response to actual traffic patterns. This enables a table or a global secondary index to increase its provisioned read and write capacity to handle sudden increases in traffic, without throttling. When the workload decreases, Application Auto Scaling decreases the throughput so that you don’t pay for unused provisioned capacity.

“Adding the DynamoDB table to an Auto Scaling Group” is incorrect because you usually put EC2 instances on an Auto Scaling Group, and not a DynamoDB table.

Answer 588

A

S3…

CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. A trail is a configuration that enables delivery of events to an Amazon S3 bucket that you specify.

Answer 589

A

Spot Instances

You require an EC2 instance that is the most cost-effective among other types. In addition, the application it will host is designed to gracefully recover in case of instance failures.

In terms of cost-effectiveness, Spot and Reserved instances are the top options. And since the application can gracefully recover from instance failures, the Spot instance is the best option for this case as it is the cheapest type of EC2 instance. Remember that when you use Spot Instances, there will be interruptions. Amazon EC2 can interrupt your Spot Instance when the Spot price exceeds your maximum price, when the demand for Spot Instances rise, or when the supply of Spot Instances decreases

Answer 590

A

Enable Amazon RDS Read Replicas

Amazon RDS Read Replicas provide enhanced performance and durability for database (DB) instances. This feature makes it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas can also be promoted when needed to become standalone DB instances. Read replicas are available in Amazon RDS for MySQL, MariaDB, Oracle and PostgreSQL as well as Amazon Aurora.

Answer 591

A

Create an Origin Access Identity OAI for CloudFront and grant access to the objects in your S3 buckets to that OAI

When you create or update a distribution in CloudFront, you can add an origin access identity (OAI) and automatically update the bucket policy to give the origin access identity permission to access your bucket. Alternatively, you can choose to manually change the bucket policy or change ACLs, which control permissions on individual objects in your bucket.

Answer 592

A

Amazon S3 for storing the application log files and Amazon Elastic MapReduce for processing the log files

Amazon EMR is a managed cluster platform that simplifies running big data frameworks, such as Apache Hadoop and Apache Spark, on AWS to process and analyze vast amounts of data. By using these frameworks and related open-source projects such as Apache Hive and Apache Pig, you can process data for analytics purposes and business intelligence workloads. Additionally, you can use Amazon EMR to transform and move large amounts of data into and out of other AWS data stores and databases such as Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB.

Answer 593

A

CNAME

Failover is automatically handled by Amazon RDS so that you can resume database operations as quickly as possible without administrative intervention. When failing over, Amazon RDS simply flips the canonical name record (CNAME) in Route53 for your DB instance to point at the standby, which in turn is promoted to become the new primary.

Answer 594

A

3 instances in each of the 3 availability zones = 9 instances in total

The option that says: 6 instances in eu-west-1a, 6 instances in eu-west-1b, and no instances in eu-west-1c is incorrect because although it provides fault-tolerance, it is not the most cost-effective solution as compared with the options above. This solution has 12 running instances, unlike the correct answer which only has 9 instances.

Answer 595

A

Kinesis

Amazon Kinesis makes it easy to collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information

Answer 596

A

First, look at the existing CloudWatch logs for keywords related to the application error to create a custom metric. Then, create a CloudWatch alarm for that custom metric which invokes an action to restart the EC2 instance.

In this scenario, you can look at the existing CloudWatch logs for keywords related to the application error to create a custom metric. Then, create a CloudWatch alarm for that custom metric which invokes an action to restart the EC2 instance.

You can create alarms that automatically stop, terminate, reboot, or recover your EC2 instances using Amazon CloudWatch alarm actions. You can use the stop or terminate actions to help you save money when you no longer need an instance to be running. You can use the reboot and recover actions to automatically reboot those instances or recover them onto new hardware if a system impairment occurs.

Answer 597

A

Use Lifecycle Policies

Answer 598

A

Store the audit logs in a Glacier vault and use the Vault Lock feature

An Amazon S3 Glacier (Glacier) vault can have one resource-based vault access policy and one Vault Lock policy attached to it. A Vault Lock policy is a vault access policy that you can lock. Using a Vault Lock policy can help you enforce regulatory and compliance requirements. Amazon S3 Glacier provides a set of API operations for you to manage the Vault Lock policies.

Answer 599

A

Amazon Glacier Vault Lock allows you to easily deploy and enforce compliance controls on individual Glacier vaults via a lockable policy. You can specify controls such as “Write Once Read Many” (WORM) in a Vault Lock policy and lock the policy from future edits

A Vault Lock policy is a vault access policy that you can lock. Using a Vault Lock policy can help you enforce regulatory and compliance requirements.

Answer 600

A

By using Lambda@Edge and Kinesis together, you can process real-time streaming data so that you can track and analyze globally-distributed user activity on your website and mobile applications, including clickstream analysis. Hence, the correct answer in this scenario is the option that says: Integrate CloudFront with Lambda@Edge in order to process the data in close geographical proximity to users and respond to user requests at low latencies. Process real-time streaming data using Kinesis and durably store the results to an Amazon S3 bucket.

Answer 601

A

The check on the EBS volume is still in progress

Volume status checks are automated tests that run every 5 minutes and return a pass or fail status. You can view the results of volume status checks to identify any impaired volumes and take any necessary actions.

If all checks pass, the status of the volume is ok. The option that says: All EBS Volume checks have been completed is therefore incorrect.

If a check fails, the status of the volume is impaired. The option that says: All EBS Volume checks have failed is therefore incorrect.

If the volume is severely degraded or the volume performance is well below expectations, then the status is warning. The option that says: The EBS Volume is severely degraded or the volume performance is well below expectations is therefore incorrect.

If the status is insufficient-data, the checks may still be in progress on the volume. The option that says: The check on the EBS volume is still in progress is therefore correct.

Answer 602

A

AWS Global Accelerator

AWS Global Accelerator and Amazon CloudFront are separate services that use the AWS global network and its edge locations around the world. CloudFront improves performance for both cacheable content (such as images and videos) and dynamic content (such as API acceleration and dynamic site delivery). Global Accelerator improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions. Global Accelerator is a good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP, as well as for HTTP use cases that specifically require static IP addresses or deterministic, fast regional failover. Both services integrate with AWS Shield for DDoS protection.

Answer 603

A

AWS Global Accelerator is a service that improves the availability and performance of your applications with local or global users. … AWS Global Accelerator continually monitors the health of your application endpoints and will detect an unhealthy endpoint and redirect traffic to healthy endpoints in less than 1 minute.

Answer 604

A

Amazon SWF provides useful guarantees around task assignment. It ensures that a task is never duplicated and is assigned only once. Thus, even though you may have multiple workers for a particular activity type (or a number of instances of a decider), Amazon SWF will give a specific task to only one worker (or one decider instance). Additionally, Amazon SWF keeps at most one decision task outstanding at a time for a workflow execution. Thus, you can run multiple decider instances without worrying about two instances operating on the same execution simultaneously. These facilities enable you to coordinate your workflow without worrying about duplicate, lost, or conflicting tasks.

Answer 605

A

The DNS resolution and DNS hostname of the VPC configuration has not been enabled yet.

When you launch an EC2 instance into a default VPC, AWS provides it with public and private DNS hostnames that correspond to the public IPv4 and private IPv4 addresses for the instance.

However, when you launch an instance into a non-default VPC, AWS provides the instance with a private DNS hostname only. New instances will only be provided with public DNS hostname depending on these two DNS attributes: the DNS resolutionand DNS hostnames, that you have specified for your VPC, and if your instance has a public IPv4 address.

In this case, the new EC2 instance does not automatically get a DNS hostname because the DNS resolution and DNS hostnames attributes are disabled in the newly created VPC.

Answer 606

A

create a new launch configuration with the new instance type and update the Auto Scaling Group.

You can only specify one launch configuration for an Auto Scaling group at a time, and you can’t modify a launch configuration after you’ve created it. Therefore, if you want to change the launch configuration for an Auto Scaling group, you must create a launch configuration and then update your Auto Scaling group with the new launch configuration.

Answer 607

A

Lightweight Directory Access Protocol (LDAP)….

Lightweight Directory Access Protocol (LDAP) is a directory service that is based on Directory Access Protocol (DAP). … … LDAP directory servers are often used as an authentication repository, and are often used to store sensitive information like passwords and other account details. As such, security is an important aspect of most directory servers.

Answer 608

A

Enable DynamoDB Streams to capture table activity and automatically trigger the Lambda function..

Amazon DynamoDB is integrated with AWS Lambda so that you can create triggers—pieces of code that automatically respond to events in DynamoDB Streams. With triggers, you can build applications that react to data modifications in DynamoDB tables.

If you enable DynamoDB Streams on a table, you can associate the stream ARN with a Lambda function that you write. Immediately after an item in the table is modified, a new record appears in the table’s stream. AWS Lambda polls the stream and invokes your Lambda function synchronously when it detects new stream records.

Answer 609

A

It is because Simple WorkFlow (SWF) is waiting human input from an activity task

By default, each workflow execution can run for a maximum of 1 year in Amazon SWF. This means that it is possible that in your workflow, there are some tasks which require manual action that renders it idle. As a result, some orders get stuck for almost 4 weeks.

Amazon SWF does not take any special action if a workflow execution is idle for an extended period of time. Idle executions are subject to the timeouts that you configure. For example, if you have set the maximum duration for an execution to be 1 day, then an idle execution will be timed out if it exceeds the 1 day limit. Idle executions are also subject to the Amazon SWF limit on how long an execution can run (1 year).

Answer 610

A

Enable Cross-Region Snapshots in your Amazon Redshift Cluster

You can configure Amazon Redshift to copy snapshots for a cluster to another region. To configure cross-region snapshot copy, you need to enable this copy feature for each cluster and configure where to copy snapshots and how long to keep copied automated snapshots in the destination region. When cross-region copy is enabled for a cluster, all new manual and automatic snapshots are copied to the specified region

Answer 611

A

AWS CloudFormation

Answer 612

A

Configure Connection Draining

To ensure that a Classic Load Balancer stops sending requests to instances that are de-registering or unhealthy while keeping the existing connections open, use connection draining. This enables the load balancer to complete in-flight requests made to instances that are de-registering or unhealthy. Hence, configuring Connection Draining is the correct answer.

Answer 613

A

Using sticky sessions (session affinity) configures a load balancer to bind user sessions to a specific instance, so all requests from a user during a session are sent to the same instance

Answer 614

A

When Connection Draining is enabled, Auto Scaling will wait for outstanding requests to complete before terminating instances.

related to load balancers

Answer 615

A

AWS Step Functions..

AWS Step Functions provides serverless orchestration for modern applications. Orchestration centrally manages a workflow by breaking it into multiple steps, adding flow logic, and tracking the inputs and outputs between the steps. As your applications execute, Step Functions maintains application state, tracking exactly which workflow step your application is in, and stores an event log of data that is passed between application components. That means that if networks fail or components hang, your application can pick up right where it left off.

(AWS Lambda is incorrect because although Lambda is used for serverless computing, it does not provide a direct way to coordinate multiple AWS services into serverless workflows.)

Answer 616

A

AWS Step Functions lets you coordinate multiple AWS services into serverless workflows so you can build and update apps quickly. Using Step Functions, you can design and run workflows that stitch together services such as AWS Lambda and Amazon ECS into feature-rich applications

You can use Step Functions to coordinate all of the steps of a checkout process on an ecommerce site, for example.

Answer 617

A

OS Processes
RDS child processes

OS processes – Shows a summary of the kernel and system processes, which generally have minimal impact on performance. Amazon RDS provides metrics in real time for the operating system (OS) that your DB instance runs on. You can view the metrics for your DB instance using the console, or consume the Enhanced Monitoring JSON output from CloudWatch Logs in a monitoring system of your choice.

RDS child processes – Shows a summary of the RDS processes that support the DB instance, for example aurora for Amazon Aurora DB clusters and mysqld for MySQL DB instances. Process threads appear nested beneath the parent process. Process threads show CPU utilization only as other metrics are the same for all threads for the process. The console displays a maximum of 100 processes and threads. The results are a combination of the top CPU consuming and memory consuming processes and threads. If there are more than 50 processes and more than 50 threads, the console displays the top 50 consumers in each category. This display helps you identify which processes are having the greatest impact on performance.

RDS processes – Shows a summary of the resources used by the RDS management agent, diagnostics monitoring processes, and other AWS processes that are required to support RDS DB instances.

Answer 618

A

Attach an Elastic Fabric Adapter EFA on each Amazon EC23 instance to accelerate High Performance Computing HPC

An Elastic Fabric Adapter (EFA) is a network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications. EFA enables you to achieve the application performance of an on-premises HPC cluster, with the scalability, flexibility, and elasticity provided by the AWS Cloud.

EFA provides lower and more consistent latency and higher throughput than the TCP transport traditionally used in cloud-based HPC systems. It enhances the performance of inter-instance communication that is critical for scaling HPC and machine learning applications. It is optimized to work on the existing AWS network infrastructure and it can scale depending on application requirements.

Answer 619

A

Deploy a NAT gateway in the public subnet and add a route to it from the private subnet where the web and application tiers are hosted.

Answer 620

A

the instance will be terminated

You can choose to have your Spot instances terminated, stopped, or hibernated upon interruption. Stop and hibernate options are available for persistent Spot requests and Spot Fleets with the maintain option enabled. By default, your instances are terminated hence, the correct answer is the option that says: The instance will be terminated.

Answer 621

A

AWS Certificate Manager
IAM Certificate Store

If you got your certificate from a third-party CA, import the certificate into ACM or upload it to the IAM certificate store. Hence, AWS Certificate Manager and IAM certificate store are the correct answers.

Answer 622

A

Amazon Certificate Manager

ACM lets you import third-party certificates from the ACM console, as well as programmatically. If ACM is not available in your region, use AWS CLI to upload your third-party certificate to the IAM certificate store.

Answer 623

A

= Access Control List

Answer 624

A

= Application Load Balancer

Answer 625

A

Amazon Machine Image

An AMI is really just a template document that contains information telling EC2 what OS and application software to include on the root data volume of the instance it’s about to launch.

Answer 626

A

Availability Zone

Answer 627

A

= Classless Interdomain Routing

Answer 628

A

= Command Line Interface

Answer 629

A

= Cross Region Replication

Answer 630

A

= DynamoDB Accelerator

Answer 631

A

= Data Lifecycle Manager

Answer 632

A

= Domain Name System

Answer 633

A

Elastic Block Storage

Answer 634

A

= Elastic Compute Cloud

Answer 635

A

= Elastic Container Service

Answer 636

A

= Elastic File System

Answer 637

A

= Elastic Internet Protocol (IP)

Answer 638

A

Elastic MapReduce

Answer 639

A

= Elastic Network Interface

Answer 640

A

File Transfer Protocol

Answer 641

A

= High Availability

Answer 642

A

= Hardware Virtual Machine

Answer 643

A

= Infrequently Accessed

Answer 644

A

= Identity Access Management

Answer 645

A

= Input/Output Operations Per Second

Answer 646

A

= Key Management Service

Answer 647

A

= Lightweight Directory Access Protocol

Answer 648

A

= Massively Parallel Processing

Answer 649

A

= Network Access Control List

Answer 650

A

= Network Address Translation

Answer 651

A

= Network File System

Answer 652

A

= Network Load Balancer

Answer 653

A

= Online Analytical Processing

Answer 654

A

= Online Transaction Processing

Answer 655

A

= Port Address Translation

Answer 656

A

= Provisioned Capacity Unit

Answer 657

A

= Remote Desktop Protocol

Answer 658

A

= Relational Database Service

Answer 659

A

= Representational State Transfer

Answer 660

A

= Route Origin Authorization

Answer 661

A

= Real Time Messaging Protocol

Answer 662

A

= Simple Storage Service

Answer 663

A

= Security Assertion Markup Language

Answer 664

A

= Software Development Kit

Answer 665

A

= Simple Email Service

Answer 666

A

= Service Level Agreement

Answer 667

A

= Server Message Block

Answer 668

A

= Simple Notification Service

Answer 669

A

= Start of Authority

Answer 670

A

= Simple Queue Service

Answer 671

A

= Same Region Replication

Answer 672

A

= Server Side Encryption

Answer 673

A

= Secure Shell

Answer 674

A

= Single Sign On

Answer 675

A

= Simple Workflow Service

Answer 676

A

= Transmission Control Protocol

Answer 677

A

= Time To Live

Answer 678

A

= Virtual Private Cloud

Answer 679

A

= Virtual Tape Library

Answer 680

A

= Virtual Tape Shelf

Answer 681

A

= Workload Management

Answer 682

A

You are limited to running up to a total of 20 On-Demand instances across the instance family, purchasing 20 Reserved Instances, and requesting Spot Instances per your dynamic Spot limit per region.

If the maximum size of your Auto Scaling group has already been reached, then it would not create any new EC2 instance.

Hence, the correct answers are:

You already have 20 on-demand instances running in your entire VPC.
The maximum size of your Auto Scaling group is set to twenty.

Answer 683

A

Configure the lifecycle configuration rules on the Amazon S3 bucket to purge/delete the transaction logs after a month

Answer 684

A

Create a new VPC peering connection between PROD and DEV with the appropriate routes.

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately. AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection and does not rely on a separate piece of physical hardware. There is no single point of failure for communication or a bandwidth bottleneck.

Answer 685

A

you will be billed when your Reserved Instance is in terminated state
you will be billed when your on demand instance is preparing to hibernate with a stopping state

Answer 686

A

Amazon S3 Transfer Acceleration

Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and your Amazon S3 bucket. Transfer Acceleration leverages Amazon CloudFront’s globally distributed AWS Edge Locations. As data arrives at an AWS Edge Location, data is routed to your Amazon S3 bucket over an optimized network path.

Answer 687

A

Invocations
DeadLetterErrors

AWS Lambda automatically monitors functions on your behalf, reporting metrics through Amazon CloudWatch. These metrics include total invocation requests, latency, and error rates. The throttles, Dead Letter Queues errors and Iterator age for stream-based invocations are also monitored.

ReservedConcurrentExecutions is incorrect because CloudWatch does not monitor Lambda’s reserved concurrent executions. You can view it through the Lambda console or via CLI manually.

IteratorSize and ApproximateAgeOfOldestMessage are incorrect because these two are not Lambda metrics.

Answer 688

A

the action of invoking someone or something…An example of invocation is when you turn to an authority for help in proving your point, invoking or relying on the authority.

Answer 689

A

ReservedConcurrentExecutions. The number of concurrent executions that are reserved for this function.

Answer 690

A

Limits to how often you can submit requests.

Throttling is the process of limiting the number of requests you (or your authorized developer) can submit to a given operation in a given amount of time.

Answer 691

A

Amazon S3 for storing ELB log files and Amazon EMR for analyzing the log files…

—-Access logging is an optional feature of Elastic Load Balancing that is disabled by default. After you enable access logging for your load balancer, Elastic Load Balancing captures the logs and stores them in the Amazon S3 bucket that you specify as compressed files. You can disable access logging at any time.

Amazon EMR provides a managed Hadoop framework that makes it easy, fast, and cost-effective to process vast amounts of data across dynamically scalable Amazon EC2 instances. It securely and reliably handles a broad set of big data use cases, including log analysis, web indexing, data transformations (ETL), machine learning, financial analysis, scientific simulation, and bioinformatics. You can also run other popular distributed frameworks such as Apache Spark, HBase, Presto, and Flink in Amazon EMR, and interact with data in other AWS data stores such as Amazon S3 and Amazon DynamoDB.

Answer 692

A

Create a new launch configuration

For this scenario, you have to create a new launch configuration. Remember that you can’t modify a launch configuration after you’ve created it.

A launch configuration is a template that an Auto Scaling group uses to launch EC2 instances. When you create a launch configuration, you specify information for the instances such as the ID of the Amazon Machine Image (AMI), the instance type, a key pair, one or more security groups, and a block device mapping. You can specify your launch configuration with multiple Auto Scaling groups. However, you can only specify one launch configuration for an Auto Scaling group at a time, and you can’t modify a launch configuration after you’ve created it. Therefore, if you want to change the launch configuration for an Auto Scaling group, you must create a launch configuration and then update your Auto Scaling group with the new launch configuration.

Answer 693

A

Amazon S3

Objects… Remember that the scenario requires a durable storage for static content. These two keywords are actually referring to S3, since it is highly durable and suitable for storing static content.

Answer 694

A

The best option to take is to deploy four EC2 instances in one Availability Zone and four in another availability zone in the same region behind an Amazon Elastic Load Balancer. In this way, if one availability zone goes down, there is still another available zone that can accommodate traffic.

Take note that Auto Scaling will launch additional EC2 instances to the remaining Availability Zone/s in the event of an Availability Zone outage in the region.

Answer 695

A

enable Amazon S3 Server-side or use Client-side encryption
enable EBS encryption

Enabling EBS Encryption and enabling Amazon S3 Server-Side or use Client-Side Encryption are correct. Amazon EBS encryption offers a simple encryption solution for your EBS volumes without the need to build, maintain, and secure your own key management infrastructure.

Answer 696

A

Cross-Zone Load Balancing is disabled

Answer 697

A

5 GB

Remember that the upload limit depends on whether you upload an object using a single PUT operation or via Multipart Upload. The largest object that can be uploaded in a single PUT is 5 GB. Please take note the phrase “… in a single PUT”. If you are using the multipart upload API, then the limit is 5 TB.

Answer 698

A

5 TB…

Remember that the upload limit depends on whether you upload an object using a single PUT operation or via Multipart Upload. The largest object that can be uploaded in a single PUT is 5 GB. Please take note the phrase “… in a single PUT”. If you are using the multipart upload API, then the limit is 5 TB.

Answer 699

A

Use LifeCycle Policies in S3 to move obsolete data to Glacier

Answer 700

A

Associate an Elastic IP address to the fifth EC2 instance.

Associating an Elastic IP address to the fifth EC2 instance is correct because the fifth instance does not have a public IP address since it was deployed on a nondefault subnet. The other 4 instances are accessible over the Internet because they each have an Elastic IP address attached, unlike the last instance which only has a private IP address. An Elastic IP address is a public IPv4 address, which is reachable from the Internet. If your instance does not have a public IPv4 address, you can associate an Elastic IP address with your instance to enable communication with the Internet.

Answer 701

A

Placement Groups

You can launch EC2 instances in a placement group, which determines how instances are placed on underlying hardware. When you create a placement group, you specify one of the following strategies for the group:

Cluster - clusters instances into a low-latency group in a single Availability Zone

Spread - spreads instances across underlying hardware

Answer 702

A

Placement Groups are logical groupings or clusters of instances in the selected AWS region. Placement groups are specifically used for launching cluster compute instance types. ( e.g. cc2.8xlarge) Cluster Compute Instances provide a large amount of CPU.

Answer 703

A

A Spread Placement group is a group of instances that are each placed on distinct underlying hardware. Reduces the risk of simultaneous failures that might occur when instances share the same underlying hardware.

Answer 704

A

Cluster Placement Group is a logical grouping of instances within a single Availability Zone. don’t span across Availability Zones. recommended for applications that benefits from low network latency, high network throughput, or both

Answer 705

A

it will be allowed

Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it’s applied immediately regardless of any higher-numbered rule that may contradict it.

We have 3 rules here:

Rule 100 permits all traffic from any source.
Rule 101 denies all traffic coming from 110.238.109.37
The Default Rule (*) denies all traffic from any source.

The Rule 100 will first be evaluated. If there is a match, then it will allow the request. Otherwise, it will then go to Rule 101 to repeat the same process until it goes to the default rule. In this case, when there is a request from 110.238.109.37, it will go through Rule 100 first. As Rule 100 says it will permit all traffic from any source, it will allow this request and will not further evaluate Rule 101 (which denies 110.238.109.37) nor the default rule.

Answer 706

A

Use the built-in Reader endpoint of the Amazon Aurora database

A reader endpoint for an Aurora DB cluster provides load-balancing support for read-only connections to the DB cluster. Use the reader endpoint for read operations, such as queries. By processing those statements on the read-only Aurora Replicas, this endpoint reduces the overhead on the primary instance. It also helps the cluster to scale the capacity to handle simultaneous SELECT queries, proportional to the number of Aurora Replicas in the cluster. Each Aurora DB cluster has one reader endpoint.

Answer 707

A

Each subnet maps to a single AZ

A VPC spans all the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone. Each subnet must reside entirely within one Availability Zone and cannot span zones

Every subnet that you create is automatically associated with the main route table for the VPC

Answer 708

A

allowed vlock size in VPC is between a/16 netmask (65,536 IP addresses) and /28 netmask (16 IP addresses)…

Answer 709

A

Removes one of more ingress rules from a security group…

Answer 710

A

Create a new IAM group and then add the users that require access to the S3 bucket. Afterwards, apply the policy to IAM group.

= . This will enable you to easily add, remove, and manage the users instead of manually adding a policy to each and every 100 IAM users.

Answer 711

A

Use S3 pre-signed URLs to ensure that only their client can access the files. Remove permission to use Amazon S3 URLs to read the files for anyone else is correct because using a presigned URL to your S3 bucket will prevent other users from accessing your private data which is intended only for a certain client.

The option that says: Use CloudFront Signed Cookies to ensure that only their client can access the files is incorrect because the signed cookies feature is primarily used if you want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers’ area of website. In addition, this solution is not complete since the users can bypass the restrictions by simply using the direct S3 URLs.

The option that says: Use CloudFront signed URLs to ensure that only their client can access the files is incorrect because although this solution is valid, the users can still bypass the restrictions in CloudFront by simply connecting to the direct S3 URLs.

Answer 712

A

Store a snapshot of the volume..

You can back up the data on your Amazon EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved.

When you no longer need an Amazon EBS volume, you can delete it. After deletion, its data is gone and the volume can’t be attached to any instance. However, before deletion, you can store a snapshot of the volume, which you can use to re-create the volume later.

Answer 713

A

Configure the Security Group of the EC2 instance to permit ingress traffic over port 22 from your IP..

=> When connecting to your EC2 instance via SSH, you need to ensure that port 22 is allowed on the security group of your EC2 instance.

A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group.

Answer 714

A

It provides elasticity to your Amazon RDS database
Improves performance of the primary database by taking workload from it

Amazon RDS Read Replicas provide enhanced performance and durability for database (DB) instances. This feature makes it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads.

You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas can also be promoted when needed to become standalone DB instances. Read replicas are available in Amazon RDS for MySQL, MariaDB, Oracle and PostgreSQL, as well as Amazon Aurora.

Answer 715

A

AWS Elastic Beanstalk

= With Elastic Beanstalk, you can quickly deploy and manage applications in the AWS Cloud without worrying about the infrastructure that runs those applications. AWS Elastic Beanstalk reduces management complexity without restricting choice or control. You simply upload your application, and Elastic Beanstalk automatically handles the details of capacity provisioning, load balancing, scaling, and application health monitoring.

Answer 716

A

CloudFormation templates are free but you are charged for the underlying resources it builds

Answer 717

A

DynamoDB

Basically, a database service in which you no longer need to worry about database management tasks such as hardware or software provisioning, setup and configuration is called a fully managed database. This means that AWS fully manages all of the database management tasks and the underlying host server. The main differentiator here is the keyword “scaling” in the question. In RDS, you still have to manually scale up your resources and create Read Replicas to improve scalability while in DynamoDB, this is automatically done.

DynamoDB is the best option to use in this scenario. It is a fully managed non-relational database service – you simply create a database table, set your target utilization for Auto Scaling, and let the service handle the rest.

(Redshift is incorrect because although this is fully managed, it is not a database service but a Data Warehouse.)

Answer 718

A

EBS Provisioned IOPS SSD (io1)

The scenario requires a storage type for a relational database with a high IOPS performance. For these scenarios, SSD volumes are more suitable to use instead of HDD volumes. Remember that the dominant performance attribute of SSD is IOPS while HDD is Throughput.

Answer 719

A

Purchase provisioned retrieval capacity
Use Expedited Retrieval to access the financial data

Expedited retrievals allow you to quickly access your data when occasional urgent requests for a subset of archives are required. For all but the largest archives (250 MB+), data accessed using Expedited retrievals are typically made available within 1–5 minutes. Provisioned Capacity ensures that retrieval capacity for Expedited retrievals is available when you need it.

Provisioned capacity ensures that your retrieval capacity for expedited retrievals is available when you need it. Each unit of capacity provides that at least three expedited retrievals can be performed every five minutes and provides up to 150 MB/s of retrieval throughput. You should purchase provisioned retrieval capacity if your workload requires highly reliable and predictable access to a subset of your data in minutes.

Answer 720

A

Expedited retrievals allow you to quickly access your data when occasional urgent requests for a subset of archives are required. For all but the largest archives (250 MB+), data accessed using Expedited retrievals are typically made available within 1–5 minutes. Provisioned Capacity ensures that retrieval capacity for Expedited retrievals is available when you need it.

Answer 721

A

Use Multipart upload

Answer 722

A

If your VPC does not have sufficient ENIs or subnet IPs, your Lambda function will not scale as requests increase, and you will see an increase in invocation errors with EC2 error types like EC2ThrottledException.

Hence, the correct answers for this scenario are:

You only specified one subnet in your Lambda function configuration. That single subnet runs out of available IP addresses and there is no other subnet or Availability Zone which can handle the peak load.

Your VPC does not have sufficient subnet ENIs or subnet IPs.

Answer 723

A

Managing a multi-step and multi-decision checkout process of an e-commerce mobile app.
Orchestrating the execution of distributed business processes

Answer 724

A

Amazon Kinesis Data Firehose

Amazon Kinesis Data Firehose is the easiest way to load streaming data into data stores and analytics tools. It can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk, enabling near real-time analytics with existing business intelligence tools and dashboards you are already using today.

Answer 725

A

the relation is that there is no relations as they are incompatible. they cannot work together.

Answer 726

A

Enable DynamoDB Accelerator (DAX) and ensure that the Auto Scaling is enabled and increase the maximum provisioned read and write capacity
Use API Gateway in conjunction with Lambda and turn on the cachin on frequently accessed data and enable DynamoDB global replication

Answer 727

A

Amazon DynamoDB and AWS AppSync

DynamoDB is durable, scalable, and highly available data store which can be used for real-time tabulation. You can also use AppSync with DynamoDB to make it easy for you to build collaborative apps that keep shared data updated in real time. You just specify the data for your app with simple code statements and AWS AppSync manages everything needed to keep the app data updated in real time. This will allow your app to access data in Amazon DynamoDB, trigger AWS Lambda functions, or run Amazon Elasticsearch queries and combine data from these services to provide the exact data you need for your app.

Answer 728

A

24

The time period from when a record is added to when it is no longer accessible is called the retention period. A Kinesis data stream stores records from 24 hours by default to a maximum of 168 hours.

Answer 729

A

The answer is No. The standby instance will not perform any read and write operations while the primary instance is running.

Answer 730

A

Security Group Inbound Rule; Protocol - TCP, Port Range - 22, Source 175.45.116.100/32

SSH = with TCP
Security group as security groups act on INSTANCE level
When setting up a bastion host in AWS, you should only allow the individual IP of the client and not the entire network. Therefore, in the Source, the proper CIDR notation should be used. The /32 denotes one IP address and the /0 refers to the entire network.

Answer 731

A

There is a soft limit of 20 instances per region which is why subsequent requests failed. Just submit the limit increase form to AWS and retry the failed requests once approved.

Answer 732

A

It tells the decider the state of the workflow execution

Amazon SWF issues decision tasks whenever a workflow execution has transitions such as an activity task completing or timing out. A decision task contains information on the inputs, outputs, and current state of previously initiated activity tasks. Your decider uses this data to decide the next steps, including any new activity tasks, and returns those to Amazon SWF. Amazon SWF in turn enacts these decisions, initiating new activity tasks where appropriate and monitoring them.

Answer 733

A

it tells the worker to perform a function

Answer 734

A

Use this failover configuration when you want all of your resources to be available the majority of the time. When a resource becomes unavailable, Route 53 can detect that it’s unhealthy and stop including it when responding to queries.

In active-active failover, all the records that have the same name, the same type (such as A or AAAA), and the same routing policy (such as weighted or latency) are active unless Route 53 considers them unhealthy. Route 53 can respond to a DNS query using any healthy record.

Answer 735

A

Use an active-passive failover configuration when you want a primary resource or group of resources to be available the majority of the time and you want a secondary resource or group of resources to be on standby in case all the primary resources become unavailable. When responding to queries, Route 53 includes only the healthy primary resources. If all the primary resources are unhealthy, Route 53 begins to include only the healthy secondary resources in response to DNS queries.

Answer 736

A

AWS Fargate

AWS Fargate is a serverless compute engine for containers that works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS). Fargate makes it easy for you to focus on building your applications. Fargate removes the need to provision and manage servers, lets you specify and pay for resources per application, and improves security through application isolation by design.

Answer 737

A

AWS CloudTrail

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure

Answer 738

A

Set up a small EC2 instance and a security group which only allows access on port 22 via your IP address

Answer 739

A

Redshift

In this scenario, there is a requirement to have a storage service which will be used by a business intelligence application and where the data must be stored in a columnar fashion. Business Intelligence reporting systems is a type of Online Analytical Processing (OLAP) which Redshift is known to support. In addition, Redshift also provides columnar storage unlike the other options. Hence, the correct answer in this scenario is Amazon Redshift.

Answer 740

A

All data on the attached instance-store devices will be lost
the underlying host for the instance is possibly changed

This question did not mention the specific type of EC2 instance however, it says that it will be stopped and started. Since only EBS-backed instances can be stopped and restarted, it is implied that the instance is EBS-backed. Remember that an instance store-backed instance can only be rebooted or terminated and its data will be erased if the EC2 instance is terminated.

If you stopped an EBS-backed EC2 instance, the volume is preserved but the data in any attached Instance store volumes will be erased. Keep in mind that an EC2 instance has an underlying physical host computer. If the instance is stopped, AWS usually moves the instance to a new host computer. Your instance may stay on the same host computer if there are no problems with the host computer. In addition, its Elastic IP address is disassociated from the instance if it is an EC2-Classic instance. Otherwise, if it is an EC2-VPC instance, the Elastic IP address remains associated.

Answer 741

A

Use an SQS queue to decouple the application components

Brainscape's Knowledge GenomeTM

AWSexam_1 Flashcards

Brainscape's Knowledge Genome^TM