AWSexam_1 Flashcards

Question

What characterises S3 Intelligent Tiering?

Answer 1

* designed for cost-efficiency by automatically moving data to the most cost-effective access tier, without performance impact or operational overhead

Answer 2

* Retrieval times from minutes to hours

Answer 3

* cheapest storage option but used for archival only * retrieval time of 12 hours is acceptable

Answer 4

* Storage * Requests * Storage Management Pricing (meta-data) * Data Transfer Pricing * Transfer Acceleration

Answer 5

Amazon S3 Transfer acceleration enables fast, easy, and secure transfer of files over long distances between your end users and an S3 bucket. =\> CloudFront CDN

Answer 6

* Client Side Encryption * Server Side Encryption * with Amazon S3 Managed Keys =\> SSE-S3 * with KMS =\> SSE-KMS * with Customer Provided Keys =\> SSE-C

Answer 7

Buckets are by default PRIVATE and All objects inside are PRIVATE by default

Answer 8

US East (N. Virginia) - where all new services come out first - however, goes out more often

Answer 9

Distinct geographical areas - and each region always consists of two or more availability zones A Region is a physical location in the world which consists of two or more Availability Zones (AZ)

Answer 10

An Availability Zone (AZ) is one or more discrete data centers, each with redundant power, networking and connectivity, housed in separate facilities.

Answer 11

Edge Locations are endpoints for AWS which are used for caching content. Typically this consists of CloudFront, Amazon’s Content Delivery Network (CDN) Example: someone from Sydney downloads something from New York - the content can be cached in Sydney so someone else from Sydney can download it directly from Sydney instead of NY.

Answer 12

Can be typical exam questions!

Answer 13

Networking Services A Virtual Private Cloud (VPC) is a virtual network dedicated to a single AWS account. It is logically isolated from other virtual networks in the AWS cloud, providing compute resources with security and robust networking functionality.

Answer 14

S3 and EFS both provide the ability to store files in the cloud. EC2 provides compute, and is often augmented with other storage services. VPC is a networking service. Further information: https://aws.amazon.com/efs/https://aws.amazon.com/s3/https://aws.amazon.com/ec2/https://aws.amazon.com/vpc/

Answer 15

of Edge Locations \> # of Availability Zones \> # of Regions The number of Edge Locations is greater than the number of Availability Zones, which is greater than the number of Regions. Further information: https://aws.amazon.com/about-aws/global-infrastructure/

Answer 16

Both Lambda and EC2 offer computing in the cloud. S3 is a storage offering while VPC is a network service. Further information: https://aws.amazon.com/ec2/https://aws.amazon.com/lambda/https://aws.amazon.com/s3/https://aws.amazon.com/vpc/

Answer 17

RDS is a service for relational databases provided by AWS. DynamoDB is AWS' fast, flexible, no-sql database service. S3 provides the ability to store files in the cloud and is not suitable for databases, while EC2 is part of the compute family of services. Further information: https://aws.amazon.com/dynamodb/https://aws.amazon.com/rds/https://aws.amazon.com/ec2/https://aws.amazon.com/s3/

Answer 18

Cloudfront + VPC VPC allows you to provision a logically isolated section of the AWS where you can launch AWS resources in a virtual network. Cloudfront is a fast, highly secure and programmable content delivery network (CDN). EC2 provides compute resources while RDS is Amazon's Relational Database System. Further information: https://aws.amazon.com/vpc/https://aws.amazon.com/cloudfront/https://aws.amazon.com/ec2/https://aws.amazon.com/rds/

Answer 19

CloudFront content is cached in Edge Locations.

Answer 20

Not having to deal with the collateral damage of failed experiments The ability to try out new ideas and experiment without an upfront commitment Public cloud allows organisations to try out new ideas, new approaches and experiment with little upfront commitment. If it doesn't work out, organisations have the ability to terminate the resources and stop paying for them. Further information: https://docs.aws.amazon.com/whitepapers/latest/aws-overview/six-advantages-of-cloud-computing.html

Answer 21

VPC stands for Virtual Private Cloud. Further information: https://aws.amazon.com/vpc/

Answer 22

Distinct locations from within an AWS region that are engineered to be isolated from failures. An Availability Zone (AZ) is a distinct location within an AWS Region. Each Region comprises at least two AZs. Further information: https://aws.amazon.com/about-aws/global-infrastructure/

Answer 23

A distinct location within a geographic area designed to provide high availability to a specific geography. Each region is a separate geographic area. Each region has multiple, isolated locations known as Availability Zones. Further information: https://aws.amazon.com/about-aws/global-infrastructure/

Answer 24

A region is a geographical area divided into Availability Zones. Each region contains at least two Availability Zones.

Answer 25

Identity Access Management = Allows you to manage users and their level of access to the AWS console.

Answer 26

* Centralised control of your AWS account * Shared access to your AWS account * Granular permissions * Identity Federation (including Active Directory, Facebook, LinkedIn, etc.) * Multi Factor Authentication * Temporary access for users/deviced and services * Set up own password rotation policy * Integrates with many AWS services * Support PCI DSS Compliance (e.g. when taking credit card details)

Answer 27

1. Users 1. end-users such as employees 2. Groups 1. A collection of users (with certain permissions) 2. Each user of inherit the permissions of the group 3. Policies 1. Permission documents 4. Roles 1. Some have more power than others

Answer 28

Security, Identity, and Compliance

Answer 29

The account you can do EVERYTHING with and has unlimited resources.

Answer 30

Virtual MFA device, U2F security key, Other hardware MFA device

Answer 31

Global - i.e. ALL regions

Answer 32

No access at all

Answer 33

An Access Key ID and Secret Access Key (these are not those you use to login to the AWS console, but can be used with APIs and command line access). They can only be viewed once.

Answer 34

Use multi factor authentication

Answer 35

Management & Governance

Answer 36

Simple Storage Service

Answer 37

Simply a file that consist of: Key (name of file), Value (data of the file), Version ID, Metadata (data about data)

Answer 38

Simply a folder - their name must be unique as this is what appears on the web-address

Answer 39

Read after Write for PUTS of new Objects Eventual Consistency for overwrite PUTS and DELETES

Answer 40

Built for 99.99% availability Guaranteed 99.9% availability Guaranteed 11x9s durability

Answer 41

S3 Standard (designed to sustain loss of 2 facilities concurrently) S3 - IA (Infrequently Accessed) but needs rapid access when needed (charged retrieval fee) S3 One Zone - IA (RRS) (Infrequently Accessed) same as above but just for one zone S3 Intelligent Tiering (uses AI to intelligently move your files to correct tier) S3 Glacier (used for archiving but retrieval takes from minutes to hours) S3 Glacier Deep Archive (cheapest option where retrieval takes 12 hours)

Answer 42

Storage, Requests, Storage Management Pricing, Data Transfer Pricing, Transfer Acceleration, Cross Region Replication Pricing

Answer 43

Turn on multi factor authentication delete

Answer 44

The FAQ: https://aws.amazon.com/s3/faqs/

Answer 45

* Encryption in transit = HTTPS * Achieved through SSL/TLS * Encryption at rest (server side) * Achieved by * S3 Managed Keys (SSE-S3) (Amazon manages for you) * AWS Key Management Service (SSE-KMS) - you manage with Amazon * Server Side Encryption with Customer provided keys (SSE-C) - you provide keys to amazon * Client Side encryption * You just upload an encrypted object

Answer 46

* Stores all versions of an object (including all writes and even if you delete an object) * =\> GREAT backup tool

Answer 47

No… Once enabled, versioning cannot be disabled, only suspended.

Answer 48

A feature in S3 versioning, which requires the use of multi-factor authentication to provide an additional layer of security for when you try to delete things.

Answer 49

Yes… you will return to not being accessible / all blocked and you have to allow access again.

Answer 50

it will still keep the earlier versions in the versioning backup - it just puts a delete marker as the most recent version.

Answer 51

Automates moving your objects (files) between different storage tiers E.g. if you want it in S3 standard and later want it in S3 infrequently accessed (IA) depending on time

Answer 52

The files will NOT be in the new bucket. The new bucket will have the same permissions as in the other region but the objects/files will not be present.

Answer 53

Versioning must be enabled on both the source and destination buckets

Answer 54

NEW files will be automatically replicated across the two region buckets but existing files at creation will not appear.

Answer 55

No - neither individual deletes nor delete markers

Answer 56

S3 transfer acceleration utilises the CloudFront Edge Network to accelerate your upload to S3 (CDN) ….so from edge location to S3 bucket in availability zone

Answer 57

You simply upload to an edge location that then uploads to the main bucket instead of you uploading directly to the main bucket, which can be slower.

Answer 58

* CloudFront * Amazon’s Content Delivery Network (CDN) * Edge Location * Location where content will be cached * Origin * Origin of all the files that the CDN will distribute. This can be an S3 Bucket, an EC2 instance, an Elastic Load Balancer or Route52 * Distribution * Name given to the CDN which consists of a collection of edge locations (Web Distributions and RTMP distributions)

Answer 59

websites (part of cloudfront)

Answer 60

Media Streaming (part of cloudfront)

Answer 61

Both - you can certainly read from them but you can also write = put an object in them (which should be more or less the same as transfer acceleration)

Answer 62

Time To Live = the time objects are cached for in the cdn distribution. up to the user to set TTL

Answer 63

they will be deleted BUT you will be charged.

Answer 64

E.g. if only paying customers can access the content they need to have a signed URL to access the content (e.g. Netflix)

Answer 65

A way to quickly remove/invalidate content from the CloudFront, e.g. if you uploaded the wrong media or there is an error (but you’ll be charged).

Answer 66

Petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data in and out of S3 AWS = a big desk. 50TB or 80TB

Answer 67

up to 100TB data WITH on-board storage and compute capabilities useful to support local workloads in remote or offline locations (such as on an airplane) = a portable version of AWS essentially

Answer 68

An EXABYTE-scale data transfer service. Up to 100 PB per snowmobile, which is a 45-foot long shipping container.

Answer 69

Service that connects on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization’s on-premises IT environment and AWS’s storage infrastructure.

Answer 70

* File Gateway (NFS & SMB) * files are stored in your S3 bucket * Volume Gateway (iSCSI) * Stored Volumes * store your ENTIRE primary data locally and backed up in AWS * Cached Volumes * only has the most frequently used data locally (NOT entire data) * Tape Gateway (VTL) * way to archive your data in the AWS cloud = good to move your backup to the cloud

Answer 71

Access to all AWS services except the management of groups and users within IAM.

Answer 72

https://s3-eu-west-1.amazonaws.com/acloudguru1234

Answer 73

Glacier: The recovery rate is a key decider. The record shortage must be; safe, durable, low cost, and the recovery can be slow.

Answer 74

No access to any AWS services.

Answer 75

Organizational Units

Answer 76

99.50% OneZone-IA is only stored in one Zone. While it has the same Durability, it may be less Available than normal S3 or S3-IA.

Answer 77

Grant her Administrator access by adding her to the Administrators' group.

Answer 78

IAM allows you to manage users, groups, roles, and their corresponding level of access to the AWS Platform.

Answer 79

CloudFront Signed Cookies CloudFront Signed URLs CloudFront Origin Access Identity

Answer 80

An AWS service designed for long term data archival.

Answer 81

Will be able to interact with AWS using their access key ID and secret access key using the API, CLI, or the AWS SDKs.

Answer 82

Remove the ability for images to be served publicly to the site and then use signed URLs with expiry dates.

Answer 83

Administrator Access

Answer 84

Design your application to use the Multipart Upload API for all objects.

Answer 85

You will need to configure Users and Policy Documents only once, as these are applied globally.

Answer 86

S3 - One Zone-Infrequent Access

Answer 87

Create individual user accounts with minimum necessary rights and tell the staff to log in to the console using the credentials provided. Create a customized sign-in link such as "yourcompany.signin.aws.amazon.com/console" for your new users to use to sign in with.

Answer 88

Simple Storage Service

Answer 89

overwrite PUTS and DELETES

Answer 90

Read After Write Consistency

Answer 91

You cannot log in to the AWS console using the Access Key ID / Secret Access Key pair. Instead, you must generate a password for the user, and supply the user with this password and your organization's unique AWS console login URL.

Answer 92

Implement Multi-Factor Authentication for all accounts.

Answer 93

Bucket names are global, not regional. This is a popular bucket name and is already taken. You should choose another bucket name.

Answer 94

It is a physical or virtual appliance that can be used to cache S3 locally at a customer's site.

Answer 95

No Permissions

Answer 96

IAM allows you to set up biometric authentication, so that no passwords are required.

Answer 97

Set up an account using their company email address.

Answer 98

S3 - OneZone-IA is the recommended storage for when you want cheaper storage for infrequently accessed objects.

Answer 99

S3 - IA Glacier has a long recovery time at a low cost or a shorter recovery time at a high cost, and 1Zone-IA has a lower Availability level which means that it may not be available when needed.

Answer 100

Enact a strong password policy: user passwords must be changed every 45 days, with each password containing a combination of capital letters, lower case letters, numbers, and special symbols.

Answer 101

Change the trigger level to around 3000 as S3 can now accommodate much higher PUT and GET levels.

Answer 102

a web service that provides resizable compute capacity in the cloud * reduces the time required to obtain and boot new server instances to minutes, allowing you to quickly scale capacity, both up and down, as your computing requirements change.

Answer 103

As you go, for what you use, less as you use more, and even less when you reserve capacity 4 overall options: 1. On Demand = fixed rate by the hour (or by the second) with no commitment 2. Reserved = capacity reservation (contracts of 1-3 years but significant discounts) 3. Spot = when Amazon has excess capacity, you can bid whatever price you want for instance capacity. Great if you have flexible start and end times for your needs 4. Dedicated Hosts = physical EC2 servers dedicated for your use

Answer 104

* Low cost and flexible with no up-front payment or long-term commitment * applications with short term, spiku, or unpredictable workloads that cannot be interrupted * New tests on EC2

Answer 105

* Steady state or predictable usage * Applications that require reserved capacity * when you can afford making up-front payments 1. Standard reserved instances (up to 75 % off) 2. Convertible Reserved instances (up to 54 % off) 3. Scheduled Reserved Instances (specific time windows)

Answer 106

Applications that have flexible start and end times as Amazon can buy them back Applications that are only feasible at very low compute prices Users with urgent computing needs for large amounts of additional capacity

Answer 107

* For regulatory requirements * Great for licensing which does not support multi-tenant or cloud deployments (like licenses with Oracle) * Can be purchased on-demand (hourly) * Can be purchased as a reservation for up to 70 % off standard price

Answer 108

If the Spot instance is terminated by Amazon EC2, you’ll not be charged for a partial hour of usage. However, if you terminate the instance yourself, you’ll be charged for any hour in which the instance ran.

Answer 109

low cost, general purpose instances (used for web servers and small databases)

Answer 110

If terminated by Amazon, you will not be charged for a partial hour of usage. However, if you terminate the instance yourself, you will be charged for any hour in which the instance ran.

Answer 111

Instance Output Per second = how fast your harddisk drive is

Answer 112

yes… Even from the beginning when you create it can also be encrypted using third party tools such as bit locker

Answer 113

It is turned OFF by default so you must turn it on

Answer 114

On an EBS-backed instance, the default action is for the root EBS volume to be deleted when the instance is terminated

Answer 115

IMMEDIATELY

Answer 116

it also creates an outbound rule at the same time

Answer 117

the security is set to block ALL inbound traffic by default (all outbound traffic is allowed)

Answer 118

any number

Answer 119

No… you can have multiple security groups attached to one EC2 instance

Answer 120

if you create an inbound rule allowing traffic in, that traffic is automatically allowed back out again

Answer 121

Using Network Access Control Lists (NOT using security groups)

Answer 122

NO! only allow rules (no deny rules) (deny rules can be made in Network Access Control Lists but that is different)

Answer 123

Elastic Block Store = virtual hard disk in the cloud that provides persistent block storage volumes for use with Amazon EC2 instances.

Answer 124

* General Purpose SSD * Most workloads * Provisioned IOPS SSD * Databases * Throughput Optimised HDD * Big data and data warehouses * Cold HDD (also magnetic) * File servers * EBS Magnetic * workloads where data is infrequently accessed

Answer 125

EBS volumes will always be in the same availability zone as your EC2 instance

Answer 126

By default, the ROOT volume is terminated together with the EC2 instance. However, additional volumes are not deleted unless specified.

Answer 127

photographs of the hard disk (point in time copies of volumes)

Answer 128

only the blocks that have changed since your last snapshot are moved/replicated to S3

Answer 129

you should stop the instance before taking the snapshot when trying to create a snapshot for Amazon EBS volumes that serve as root devices but… you can also take a snapshot while the instance is running.

Answer 130

on the fly both size and storage types can be changed any time.

Answer 131

take a snapshot of it, create an AMI from the snapshot and then use the AMI to launch the EC2 instance in a new availability zone.

Answer 132

take a snapshot of it, create an AMI from the snapshot and then COPY the AMI from one region to the other Next, use the copied AMI to launch the new EC2 instance in the new region

Answer 133

* EBS Volumes * root device for an instance launched from the AMI is an Amazon EBS Volume created from an Amazon EBS snapshot * Instance Store Volumes (Ephemeral Storage) * root device for an instance launched from the AMI is an instance store volume created from a template stored in Amazon S3.

Answer 134

1. Region 2. Operating system 3. Architecture (32bit or 64bit) 4. Launch permissions 5. Storage for the root device 1. Instance Store Volumes 2. EBS Backed Volumes

Answer 135

* CANNOT be stopped. * If the underlying host fails, you will lose your data * can reboot

Answer 136

* CAN be stopped * will not lose your data if it is stopped * can reboot * can tell AWS to keep the root volume when terminating the EBS volume if you want

Answer 137

The hard disk that has the operating system on it. back in the days you could not encrypt this when you created it, but now you can encrypt it immediately at creation if you have not done it from the beginning * Create a snapshot of the unencrypted root device volume * Create a copy of the snapshot and select the encrypt option * Create an AMI from the encrypted snapshot * Use that AMI to launch new encrypted instances

Answer 138

back in the days you could not encrypt this when you created it, but now you can encrypt it immediately at creation if you have not done it from the beginning * Create a snapshot of the unencrypted root device volume * Create a copy of the snapshot and select the encrypt option * Create an AMI from the encrypted snapshot * Use that AMI to launch new encrypted instances

Answer 139

Amazon CloudWatch is a monitoring service to monitor your AWS resources as well as the applications you run within AWS = PERFORMANCE MONITORING Monitor * Computed * EC2 instances, autoscaling groups, elastic load balances, route53 health checks * Storage and content delivery * EBS Volumes * Storage Gateways * CloudFront

Answer 140

* CPU * Network * Disk * Status Check

Answer 141

think of CloudTrail as a CCTV (camera) that increases visibility into your user and resource activity by recording AWS Management Console actions and API calls. Using CloudTrail, you can identify which users and accounts that called AWS, the source IP Address from which the calls were made and when the calls occurred. (DO NOT confuse with CloudWatch which is for performance monitoring)

Answer 142

every 5 minutes by default but can be turned even longer down to 1 minute (detailed monitoring) intervals for example

Answer 143

* Dashboards * awesome dashboards to see what is happening with your AWS environment * Alarms * alarms to notify when you reach specified thresholds * Events * helps you respond to state changes in your AWS resources * Logs * helps you aggregate, monitor and store logs

Answer 144

Can be used through terminal after connecting with key pair and setting up the access through IAM. then AWS can be accessed from anywhere in the world

Answer 145

* Roles are more secure than storing your access key and secret access key on individual EC2 instances * Roles are also easier to manage * Roles can be assigned to an EC2 instance after it is created using the console & command line * Roles are universal - you can use them in any region

Answer 146

A way of automating your AWS EC2 deployment. running it at the command line =\> can run individual command line commands as scripts (updates, installations, httpd starts, opening of web page, make buckets, create files etc.) (set up when configuring instances from the AMI creation panel)

Answer 147

used to get information about an instance (fx public IP) get by something like.… curl http://169.254.169.254/latest/meta-data/ curl http://169.254.169.254/latest/user-data/

Answer 148

Elastic File System = a file storage service for Amazon Elastic Compute Cloud (EC2) instances. =\> With amazon EFS, storage capacity is ELASTIC, growing and shrinking automatically as you add and remove files, so your applications have the storage they need, when they need it

Answer 149

* Cluster Placement Group * Spread Placement Group * Partitioned Placement Group

Answer 150

A grouping of instances within a single availability zone. Recommended for applications that need low network latency, high network throughput, or both. putting instances as close as possible

Answer 151

* group of instances each placed on DISTINCT underlying hardware * Spread placement groups are recommended for applications that have a small number of critical EC2 instances that should be kept separate from each other * can only have 7 running instances per availability zone think of individual instances (opposite of clustered placement group)

Answer 152

* Similar to spread placement groups BUT you can have multiple EC2 instances within a partition. * each partition is on each own set of racks where each rack has its own network and power source * this allows you to isolate the impact of hardware failure within your application * for multiple EC2 instances: HDFS, HBase, Cassandra think of multiple instances

Answer 153

* Clustered * only within one availability zone * Spread and Partitioned * within MULTIPLE availability zones BUT still the same region

Answer 154

unique within your own AWS account

Answer 155

homogenous instances = same type of hardware and so on in the horizontal scaling

Answer 156

no… but…. you can create an AMI from your existing instance, then launch a new instance from the AMI into a placement group.

Answer 157

aws ec2 create-snapshot

Answer 158

availability zones

Answer 159

Nitro and Xen

Answer 160

block based storage

Answer 161

configure encryption when creating the EBS volume

Answer 162

cold (sc1) throughput optimised (st1)

Answer 163

Yes, though the AWS APIs, CLI, and AWS Console

Answer 164

incrementally

Answer 165

Incrementally

Answer 166

Solution 1: us-west-2a with six EC2 instances, us-west-2b with six EC2 instances, and us-west-2c with no EC2 instances. Solution 2: us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with three EC2 instances. You need to work through each case to find which will provide you with the required number of running instances even if one AZ is lost. Hint: always assume that the AZ you lose is the one with the most instances. Remember that the client has stipulated that they MUST have 100% fault tolerance.

Answer 167

Configure encryption when creating the EBS volume The use of encryption at rest is default requirement for many industry compliance certifications. Using AWS managed keys to provide EBS encryption at rest is a relatively painless and reliable way to protect assets and demonstrate your professionalism in any commercial situation.

Answer 168

False There are slight differences between a normal 'new' Security Group and a 'default' security group in the default VPC. For an 'new' security group nothing is allowed in by default.

Answer 169

Migrate documents to File Gateway presented as NFS and make use of life-cycle using Infrequent Access storage. Migrate documents to EFS storage and make use of life-cycle using Infrequent Access storage. Trying to use S3 without File Gateway in front would be a major impact to the user environment. Using File Gateway is the recommended way to use S3 with shared document pools. Life-cycle management and Infrequent Access storage is available for both S3 and EFS. A restriction however is that 'Using Amazon EFS with Microsoft Windows is not supported'. File Gateway does not support iSCSI in the client side.

Answer 170

Retrieve the instance Metadata from http://169.254.169.254/latest/meta-data/. Instance Metadata and User Data can be retrieved from within the instance via a special URL. Similar information can be extracted by using the API via the CLI or an SDK.

Answer 171

True Spread Placement Groups can be deployed across availability zones since they spread the instances further apart. Cluster Placement Groups can only exist in one Availabiity Zone since they are focused on keeping instances together, which you cannot do across Availability Zones

Answer 172

The placement group can only have 7 running instances per Availability Zone Spread placement groups have a specific limitation that you can only have a maximum of 7 running instances per Availability Zone and therefore this is the only correct option. Deploying instances in a single Availability Zone is unique to Cluster Placement Groups only and therefore is not correct. The last two remaining options are common to all placement group types and so are not specific to Spread Placement Groups.

Answer 173

Your fleet of EC2 instances requires high network throughput and low latency within a single availability zone. Cluster Placement Groups are primarily about keeping you compute resources within one network hop of each other on high speed rack switches. This is only helpful when you have compute loads with network loads that are either very high or very sensitive to latency.

Answer 174

False Standard Reserved Instances cannot be moved between regions. You can choose if a Reserved Instance applies to either a specific Availability Zone, or an Entire Region, but you cannot change the region.

Answer 175

Spread Placement Groups can be deployed across availability zones since they spread the instances further apart. Cluster Placement Groups can only exist in one Availability Zone since they are focused on keeping instances together, which you cannot do across Availability Zones.

Answer 176

http://169.254.169.254

Answer 177

Schedule snapshots of HDD based volumes for periods of low use Stripe volumes together in a RAID 0 configuration. Ensure that your EC2 instances are types that can be optimized for use with EBS There are a number of ways you can optimise performance above that of choosing the correct EBS type. One of the easiest options is to drive more I/O throughput than you can provision for a single EBS volume, by striping using RAID 0. You can join multiple gp2, io1, st1, or sc1 volumes together in a RAID 0 configuration to use the available bandwidth for these instances. You can also choose an EC2 instance type that supports EBS optimisation. This ensures that network traffic cannot contend with traffic between your instance and your EBS volumes. The final option is to manage your snapshot times, and this only applies to HDD based EBS volumes. When you create a snapshot of a Throughput Optimized HDD (st1) or Cold HDD (sc1) volume, performance may drop as far as the volume's baseline value while the snapshot is in progress. This behaviour is specific to these volume types. Therefore you should ensure that scheduled snapshots are carried at times of low usage. The one option on the list which is entirely incorrect is the option that states "Never use HDD volumes, always ensure that SSDs are used" as the question first states "In addition to choosing the correct EBS volume type for your specific task". HDDs may well be suitable to certain tasks and therefore they shouldn't be discounted because they may not have the highest specification on paper.

Answer 178

Block based storage EBS, EFS, and FSx are all storage services base on Block storage.

Answer 179

ESX Xen Until very recently AWS exclusively used Xen Hypervisors, Recently they started making use of Nitro Hypervisors.

Answer 180

Yes, although it may take some time.

Answer 181

Yes, through the AWS APIs, CLI, and AWS Console.

Answer 182

Tags Tagging is a key part of managing an environment. Even in a lab, it is easy to lose track of the purpose of a resources, and tricky determine why it was created and if it is still needed. This can rapidly translate into lost time and lost money.

Answer 183

Only if I specify (using either the AWS Console or the CLI) that it should do so. You can control whether an EBS root volume is deleted when its associated instance is terminated. The default delete-on-termination behaviour depends on whether the volume is a root volume, or an additional volume. By default, the DeleteOnTermination attribute for root volumes is set to 'true.' However, this attribute may be changed at launch by using either the AWS Console or the command line. For an instance that is already running, the DeleteOnTermination attribute must be changed using the CLI.

Answer 184

Cold (sc1) Throughput Optimized (st1) Of all the EBS types, both current and of the previous generation, HDD based volumes will always be less expensive than SSD types. Therefore, of the options available in the question, the Cold (sc1) and Throughout Optimized (st1) types are HDD based and will be the lowest cost options.

Answer 185

5/RAID 10/RAID 0 configurations using those volumes. True

Answer 186

aws ec2 create-snapshot

Answer 187

In Availability Zones

Answer 188

* Multi-Availability Zones = for disaster recovery * Read replicas = for performance * can send some of the traffic to the read replicas to your site does not crash

Answer 189

used to pull in very large and complex data sets… usually used by management to do queries on data

Answer 190

Online Transaction Processing (OLTP) = for relational databases and… Online Analytical Processing (OLAP) (a lot of queries, more complicated) = for non-relational databases these two differ widely

Answer 191

Redshift is for OLAP (online analytical processing) by Amazon. Data warehouse solution by Amazon. Redshift is used for business intelligence.

Answer 192

OLTP: Online Transaction Processing (OLTP) = for relational databases * SQL * MySQL * PostgreSQL * Oracle * Aurora * MariaDB

Answer 193

virtual machines and you have no access to those virtual assistance (you cannot log in to these operating systems) Patching of the RDS operating system and DB is Amazon’s responsibility

Answer 194

no… (with the exception of Aurora Serverless)

Answer 195

* Automatic backups * recover your database to any point in time within a “retention period”. * Automated backups take full daily snapshots * Automated backups are enabled by default * Backups are stored in S3 * You Get free storage space equal to the size of your database (10gb RDS Instance = 10gb worth of storage) * Database Snapshots * Are user-initiated / done manually * Stored even after you delete the original RDS instance (unlike automated backups

Answer 196

When you restore a backup, the restored version will be a new RDS instance with a new DNS endpoint.

Answer 197

As soon as your RDS instance is encrypted, the data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas and snapshots.

Answer 198

in the event of planned database maintenance, DB instance failure or an Availability Zone failure, Amazon RDS will automatically failover to the standby so that database operations can resume quickly without administrative intervention the backup/copy of your production database is automated when it has been enabled

Answer 199

* SQL Server * Oracle * MySQL Server * PostgreSQL * MariaDB (NOT Aurora as it has its own different architecture)

Answer 200

Read replicas allow you to have a read-only copy of your production database. You use read-replicas primarily for very read-heavy database workloads Used for scaling / to increase performance

Answer 201

* Oracle * MySQL Server * PostgreSQL * MariaDB * Aurora (NOT for SQL Server)

Answer 202

all 6 database systems. Set up using KMS (Key Management Service) * SQL Server * Oracle * MySQL Server * PostgreSQL * MariaDB * Aurora

Answer 203

5 and you can have read replicas of read replicas (which may give latency)

Answer 204

You can have read replicas that have multi-AZ and… you can create read replicas of multi-AZ source databases (you have even have a read replica in a second region)

Answer 205

each read replica will have its own DNS endpoint

Answer 206

it will break the other read replicas

Answer 207

Amazon’s noSQL database solutions (opposite of RDS) when need consistent, single-digit millisecond latency at any scale DynamoDB = SERVERLESS

Answer 208

* Stored on SSD Storage * Spread across 3 geographically distinct data centres * Eventual consistent read (default) (1 second) * Strongly consistent read (optional = less than 1 second)

Answer 209

* Eventual consistent read * Consistency across all copies of data is usually reached within a second * Strongly consistent read * a strongly consistent read returns a result that reflects all writes that received a successful response prior to the read = this is basically immediate (in less than 1 second)

Answer 210

* Single-node (160gb) * or… Multi Node * Leader node (client connections and receives queries) * Compute node (store data and perform queries and computations) can have up to 128 compute nodes behind the leqder node

Answer 211

as non-relational database system you can compress the data much more and thus uses much less space

Answer 212

Massively Parallel Processing a part of Amazon Redshift that automatically distributes data and query load across all nodes. for fast query performance as data warehouse grows

Answer 213

* Enabled by default with a 1 day retention period * Maximum retention period is 35 days * Always attempts to maintain at least 3 copies of your data (original, replica and backup in S3) * can also replicate snapshots to S3 in another region for disaster recovery

Answer 214

* Compute node Hours = total number of hours you run across all your compute nodes for the billing period * not charged for leader node hours * backups * Data transfer

Answer 215

Only available in 1 availability zone at a time

Answer 216

a MySQL compatible, relational database engine that combines the speed and availability of high-end commercial databases.

Answer 217

Starts at 10gb (scales in 10gb increments to 64 TB) computer resources can scale up to 32vCPUs and 244GB memory 2 copies of your data in contained in each availability zone, with minimum of 3 availability zones (6 copies of your data)

Answer 218

* Aurora replicas (up to 15 available) * automated failover only available with Aurora replicas * MySQL Read replicas (up to 5 available)

Answer 219

* Automated backups are enabled on Amazon Aurora DB instances * Snapshots are also possible * and these can be shared with other AWS accounts

Answer 220

used to improve the performance of web applications by allowing you to retrieve information from fast, managed, in-memory caches, instead of relying entirely on slower disk-based databases. used to speed up performance of existing databases (frequent identical queries)

Answer 221

* Memcached * for very simple things * Redis * multi-AZ and backup and restores possible

Answer 222

False Technically a destination port number is needed, however with a DB security group the RDS instance port number is automatically applied to the RDS DB Security Group.

Answer 223

There is no charge associated with this action.

Answer 224

Redshift would be the most suitable for online analytics processing.

Answer 225

Apache Parquet JSON Apache ORC Amazon Athena is an interactive query service that makes it easy to analyse data in Amazon S3, using standard SQL commands. It will work with a number of data formats including "JSON", "Apache Parquet", "Apache ORC" amongst others, but "XML" is not a format that is supported.

Answer 226

I/O may be briefly suspended while the backup process initializes (typically under a few seconds), and you may experience a brief period of elevated latency.

Answer 227

Oracle, SQL Server, MySQL, PostgreSQL

Answer 228

If you use online transaction processing in your production environment. Provisioned IOPS becomes important when you are running production environments requiring rapid responses, such as those which run e-commerce websites. Without high performant responses from an RDS instance page loads of the website could suffer resulting in loss of business. If your workloads are not latency sensitive or you are running a test environment the additional cost of provisioned IOPS will not be cost beneficial to your project.

Answer 229

Add 4 additional EBS SSD volumes and create a RAID 10 using these volumes.

Answer 230

Storage of Data Read and Write Capacity There will always be a charge for provisioning read and write capacity and the storage of data within DynamoDB, therefore these two answers are correct. There is no charge for the transfer of data into DynamoDB, providing you stay within a single region (if you cross regions, you will be charged at both ends of the transfer.) There is no charge for the actual number of tables you can create in DynamoDB, providing the RCU and WCU are set to 0, however in practice you cannot set this to anything less than 1 so there always be a nominal fee associated with each table.

Answer 231

Immediately

Answer 232

Redis & Memcached

Answer 233

Single availability zone by default DynamoDB is the AWS managed NoSQL database service. It has many features that are being added to constantly, making it a great service to use for many different requirements. The feature which was incorrect is DynamoDB only being single availability zone by default making this the correct answer. DynamoDB is distributed across three geographically distinct datacentres by default, all of the other options listed are valid features of DynamoDB.

Answer 234

because DNS is on port53

Answer 235

just think of a phone book. DNS is used to convert human friendly domain names into an IPv4 or IPv6. So from acloud.guru to 82.124.53.1

Answer 236

* IPv4 is a 32-bit field with +4 billion different addresses * IPv6 has 128-bits which gives 340 undecillion addresses * = invented because the 4.3 billion addresses of IPv4 were not enough Currently both IPv4 and IPv6 are used

Answer 237

.com .edu .gov(top-level) .co(second-level).uk(top-level) .com(second-level).au(top-level)

Answer 238

Internet Assigned Numbers Authority those that make the top-level domains

Answer 239

entities which serve the purpose of organising the distribution of domain names such that they are not duplicated. all registered domain names end up in WhoIS. (examples….GoDaddy.com, 123-reg.co.uk, Amazon, DanDomain.dk etc.)

Answer 240

Name Server Records used by Top Level Domain servers to direct traffic to the Content DNS server which contains the authoritative DNS records

Answer 241

An “A” record is the fundamental type of DNS record. A stands for Address. The A record is used by a computer to translate the name of the domain to an IP address so from www.acloud.guru to 123.10.10.80

Answer 242

Time to Live the length that a DNS record is cached on either the Resolving Server or the users own local PC is equal to the value of the the “time to live” TTL in seconds. so for example a user could cache your homepage for 48 hours.

Answer 243

A Canonical Name … can be used resolve one domain name to another. essentially just that you have both.. https: //m.acloud.guru and https: //mobile.acloud.guru

Answer 244

used to map resource record sets in your hosted zone to Elastic Load Balancers, CloudFront distributions, or S3 buckets that are configured as websites. Alias Records work like CNAME records BUT….. CNAME can’t be used for naked domain names (= without www in front of it)

Answer 245

No… You must resolve to them using a DNS name.

Answer 246

Always Alias Record

Answer 247

* SOA Records (state of authority) * NS Records (Name Server) * A Records (Address) * CNAMES (Canonical Name) * MX Records * PTR Records

Answer 248

* Simple Routing * Weighted routing * Latency-based Routing * Failover Routing * Geolocation Routing * GeoProximity Routing * Multivalue Answer Routing

Answer 249

you can only have one record with multiple IP addresses. if you specify multiple values (IP addresses) in a record, Route53 returns all values to the user in a random order (it will pick a new place randomly when the TTL expires)

Answer 250

allows you to split your traffic based on different weight assigned fx 10 % to US-EAST-1 and 90% to EU-WEST-1 (remember TTL still determines when you can update and get different results)

Answer 251

Allows you to route your traffic based on the lowest network latency for your end user (which gives them the fastest response time) to do this you have to create a latency resource record set for the Amazon EC2 (or ELM) resource in each region that hosts your website.

Answer 252

used when you want to create an active/passive set up. = you may want your primary site to be in EU-WEST-2 and your secondary DR site in AP-SOUTHEAST-2 Route 53 will monitor the health of your primary site using a health check =\> If a failure is detected in the Active region, users will be directed to the passive.

Answer 253

lets you choose where your traffic will be sent based on the geographic location of your users = all queries from europe to routed to a fleet of EC2 instances that are specifically configured for European customers (language, prices etc.) Can be done by country or by continent (different from latency-based routing)

Answer 254

route traffic to your resources based on the geographic location of your users and your resources. +you can also insert a bias to route more or less traffic to a resource (only in Route53 traffic flow mode)

Answer 255

lets you configure route53 to return multiple values, such as IP addresses for your web servers, in response to DNS queries. The same as simple routing HOWEVER multivalue answers allows you to put health checks on each record set.

Answer 256

50 is set by default BUT you can increase this limit by contacting AWS support.

Answer 257

Failover Routing and Latency-based Routing Failover Routing and Latency-based Routing are the only two correct options, as they consider routing data based on whether the resource is healthy or whether one set of resources is more performant than another. Any answer containing location based routing (Geoproximity and Geolocation) cannot be correct in this case, as these types only consider where the client or resources are located before routing the data. They do not take into account whether a resource is online or slow. Simple Routing can also be discounted as it does not take into account the state of the resources.

Answer 258

True and False. With Route 53, there is a default limit of 50 domain names. However, this limit can be increased by contacting AWS support.

Answer 259

Multivalue answer routing lets you configure Amazon Route 53 to return multiple values, such as IP addresses for your web servers, in response to DNS queries. Route 53 responds to DNS queries with up to eight healthy records and gives different answers to different DNS resolvers. The choice of which to use is left to the requesting service effectively creating a form or randomisation.

Answer 260

Alias Records provide a Route 53–specific extension to DNS functionality Alias Records have special functions that are not present in other DNS servers. Their main function is to provide special functionality and integration into AWS services. Unlike CNAME records, they can also be used at the Zone Apex, where CNAME records cannot. Alias Records can also point to AWS Resources that are hosted in other accounts by manually entering the ARN.

Answer 261

Route 53 - Geoproximity routing policy Route 53 - Geolocation routing policy The instruction from the CTO is clear that that the division is based on geography. Latency based routing will approximate geographic balance only when all routes and traffic evenly supported which is rarely the case due to infrastructure and day night variations. You cannot combine blacklisting and whitelisting in CloudFront. Weighted routing is randomized and will not respect Geo boundaries. Geolocation is based on national boundaries and will meet the needs well. Geoproximity is based on Latitude & Longitude and will also provide a good approximation with potentially less configuration.

Answer 262

Geolocation routing policy Geolocation routing lets you choose the resources that serve your traffic based on the geographic location of your users, meaning the location that DNS queries originate from. For example, you might want all queries from Europe to be routed to an ELB load balancer in the Frankfurt region.

Answer 263

The DNS Port is on Port 53 and Route 53 is a DNS Service.

Answer 264

A virtual data center in the cloud (logical datacenter in AWS) ...so you create your own data center within AWS and then have a ton of opportunities for customisation and management.

Answer 265

* Internet gateways or Virtual Private gateways * Route Tables * Network access control lists * Subnets * Security groups

Answer 266

* Internet Gateway * Virtual Private Gateway

Answer 267

* 10.0.0.0 * 172.16.0.0 * 192.168.0.0 (192.168.255.255 for example)

Answer 268

* Launch instances into a subnet of our choosing * and Instance security groups * Assign custom IP address ranges * Configure route tables between subnets * Create internet gateway * Better security control’ * Subnet network access control lists (ACLS)

Answer 269

* Default VPC is * super user friendly * have a route out to the internet * Each EC2 instance has both a public AND private IP address

Answer 270

connect one VPC with another via a direct network route using private IP addresses. you can also peer VPCs with other AWS accounts Peering is in a star configuration = 1 central VPC peers with 4 others. * BUT.. there is no transitive peering (cannot go through A to get to C = has to be direct peering between two)

Answer 271

* The VPC * A route table * A Network ACL * A default Security group * (no subnets, no internet gateway)

Answer 272

Only 1 internet gateway

Answer 273

create new route table then go and edit the routes and add 0.0.0.0/0 to internet gateway and choose your vpc

Answer 274

security groups cannot span across VPCs.

Answer 275

Network Address Translation instances and gateways to ensure that the subnets are not public BUT that we can still download software from our private subnet. So NAT are to connect to the internet gateways (NAT instances are on their way out while NAT gateways are what is used today)

Answer 276

* NAT Gateways = single EC2 instance * Nat Instances = Highly available gateway that allows you to communicate with the internet from the private subnet without becoming public

Answer 277

Disable Source/Destination Check on the instance

Answer 278

that they become bottlenecks = too much traffic = you must increase the instance size

Answer 279

* Autoscaling Groups * Multiple subnets in different availability zones * script to automate failover

Answer 280

* They can survive the failure of the EC2 instances that power NAT gateways = redundant inside the AZ * NAT Gateways can not span different availability zones * so have NAT gateway in each availability zone you use * No need to patch operating system (you must for NAT instances) * Automatically assigned a public IP address * Not associated with security groups

Answer 281

With new Access Control Lists, all traffic is DENIED / BLOCKED as default (when you create custom network ACLs)

Answer 282

Ephemeral ports are short-lived transport protocol ports for IP communications. on servers, Ephemeral ports may also be used as the port assignment on the server end of a communication. This is done to continue communications with a client that initially connected to one of the server’s well-known service listening ports

Answer 283

the ACL by default allows all outbound and inbound traffic

Answer 284

Yes… All need one. Thus, if you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL

Answer 285

using Network ACLs (Access Control Lists) (not possible with security groups)

Answer 286

in order with the lowest numbered rule first

Answer 287

That you must both add the same rules in both inbound traffic and outbound traffic (for security groups it is different as they are stateful)

Answer 288

A feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs. After you have created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.

Answer 289

3 different * VPC * Subnet * Network Interface Level

Answer 290

for VPCs that are peered with your VPC unless the VPC is in your account

Answer 291

* you cannot tag a flow log * After you have created a flow log, you cannot change its configuration * You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account

Answer 292

* Traffic generated by instances when they contact the Amazon DNS server * traffic generated by a Windows instance for Amazon Windows license activation * Traffic to and from 169.254.169.254 for instance metadata * DHCP traffic * Traffic to the reserved IP address for the default VPC router

Answer 293

provide internet traffic to EC2 instances in a private subnet

Answer 294

special purpose computer on a network specifically designed and configured to withstand attacks. A Bastion is used to securely administer EC2 instances (Using SSH or RDP). The computer usually hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. (cannot use a NAT Gateway as a Bastion host)

Answer 295

A cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. = a direct connection from your data center to AWS Useful for high throughput workloads (lots of network traffic) so if you want a stable and reliable and secure connection, use direct connect between your database and AWS

Answer 296

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink WITHOUT requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect Connection. (no need to go outside the AWS network)

Answer 297

* Interface Endpoints * Elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service * Gateway Endpoints * supported for Amazon S3 and DynamoDB

Answer 298

* Stateful = Security Groups (creating an inbound rule also creates an outbound rule) * Stateless = Network Access Control Lists (must create rules in both inbound and outbound)

Answer 299

they are randomised so 1A is most often not the same place as 1A for another AWS account

Answer 300

the allow rules trump deny rules so…. Put DENY first if you want to deny something

Answer 301

Virtual Private Gateway AND Customer Gateway. when connecting a VPN between AWS and a third party site, the customer gateway is created within AWS, but it contains information about the third party site, eg. the external IP address and type of routing. The Virtual Private Gateway has the information regarding the AWS side of the VPN and connects a specified VPC to the VPN.

Answer 302

True In a custom VPC with new subnets in each AZ, there is a Route that supports communication across all subnets/AZs.

Answer 303

Security Groups support “allow” rules only Security Groups operate at the instance level Security Groups evaluate all rules before deciding which to allow traffic

Answer 304

at least 2

Answer 305

Create an Elastic IP address and associate it with your instance

Answer 306

Network ACLs

Answer 307

True In a custom VPC with new subnets in each AZ, there is a Route that supports communication across all subnets/AZs. Plus a Default SG with an allow rule 'All traffic, All protocols, All ports, from anything using this Default SG'.

Answer 308

In Amazon VPC, an instance does not retain its private IP.

Answer 309

Allows VPC based IPv6 traffic to communicate to the Internet Prevents IPv6 based Internet resources initiating a connection into a VPC The purpose of an "Egress-Only Internet Gateway" is to allow IPv6 based traffic within a VPC to access the Internet, whilst denying any Internet based resources the possibility of initiating a connection back into the VPC.

Answer 310

Security Groups are stateful and Network Access Control Lists are stateless.

Answer 311

Subnet Level VPC Level Network Interface Level

Answer 312

As transitive peering is not allowed, VPC 'B' can communicate directly only with VPC 'A'.

Answer 313

A Private IP Address & Public IP Address

Answer 314

No 0.0.0.0/0 would allow ANYONE from ANYWHERE to connect to your instances. This is generally a bad plan. The phrase 'web-facing subnets' does not mean just web servers. It would include any instances in that subnet some of which you may not strangers attacking. You would only allow 0.0.0.0/0 on port 80 or 443 to to connect to your public facing Web Servers, or preferably only to an ELB. Good security starts by limiting public access to only what the customer needs. Please see the AWS Security white paper for complete details.

Answer 315

False You may peer a VPC to another VPC that's in your same account, or to any VPC in any other account.

Answer 316

Network ACLs

Answer 317

Security Groups support "allow" rules only. Security Groups operate at the instance level. Security Groups evaluate all rules before deciding whether to allow traffic.

Answer 318

False Each subnet must reside entirely within one Availability Zone and cannot span zones.

Answer 319

Create an Elastic IP address and associate it with your instance Although creating a new NIC & associating an EIP also results in your instance being accessible from the internet, it leaves your instance with 2 NICs & 2 private IPs as well as the Public Address and is therefore not the simplest solution. By default, any user-created VPC subnet WILL NOT automatically assign Public IPv4 Addresses to instances – the only subnet that does this is the “Default” VPC subnets automatically created by AWS in your account.

Answer 320

Depends on the type of scan and the service being scanned. Some scans can be performed without alerting AWS, some require you to alert. Until recently customers were not permitted to conduct Penetration Testing without AWS engagement. However that has changed. There are still conditions however.

Answer 321

A Bastion host allows you to securely administer (via SSH or RDP) an EC2 instance located in a private subnet. Don't confuse Bastions and NATs, which allow outside traffic to reach an instance in a private subnet.

Answer 322

Access Control List Route Table Security Group When you create a custom VPC, a default Security Group, Access control List, and Route Table are created automatically. You must create your own subnets, Internet Gateway, and NAT Gateway (if you need one.)

Answer 323

Virtual Private Cloud

Answer 324

VPC Gateway Endpoints ensure traffic between your VPC and the other service does not leave the Amazon network. In contrast to a NAT Gateway, traffic between your VPC and the other service does not leave the Amazon network when using VPC Gateway Endpoints. There are also VPC Interface Endpoints, which are used by individual services.

Answer 325

Customer Gateway Virtual Private Gateway The correct answers are "Customer Gateway" and "Virtual Private Gateway". When connecting a VPN between AWS and a third party site, the Customer Gateway is created within AWS, but it contains information about the third party site e.g. the external IP address and type of routing. The Virtual Private Gateway has the information regarding the AWS side of the VPN and connects a specified VPC to the VPN. "Direct Connect Gateway" and "Cross Connect" are both Direct Connect related terminology and have nothing to do with VPNs.

Answer 326

False You may have only one Internet Gateway per VPC.

Answer 327

physical or virtual device that is designed to help you balance the network load across multiple web servers

Answer 328

* Application Load Balancers (intelligent) * Network Load Balancers (for extreme performance) * Classic Load Balancers (very basic and cost-effective)

Answer 329

best suited for load balancing of HTTP and HTTPS traffic = websites basically operate at layer 7 and are application-aware. Quite intelligent

Answer 330

best suited for load balancing of TCP traffic where extreme performance is required = can handle millions of requests per second, while maintaining ultra-low latencies operating at the connection level (layer 4).

Answer 331

legacy Elastic Load Balancers. can load HTTP/HTTPS applications only use if you don’t care about load balancing use layer 7-specific features and can also use strict layer 4 load balancing. Not very intelligent

Answer 332

helps ensure that we actually also get the users public IP after going through the elastic load balancer. without getting the public IPs, we do not know where our users are coming from

Answer 333

that the gateway has timed out = that the application is not responding within the idle timeout period

Answer 334

trouble shoots the application and see if the error is coming from the Web Server OR Database server

Answer 335

Always only their own DNS name (never IP address)

Answer 336

Sticky sessions allow you to bind a user’s session to a specific EC2 instance such that all requests from the user during the session are sent to the same instance. (if not enabled, the classic LB will route each request independently to the registered EC2 instance with the smallest load)

Answer 337

with no cross zone load balancing, our traffic is split evenly across availability zones… but we may not have the same amount of instances in the different availability zones. WITH cross zone load balancing, this is taken care of such that all instances get the same load. = \> Cross zone = the instances can send traffic across availability zones

Answer 338

path-based routing = you can create a listener with rules to forward requests based on the URL path example… enabling path patterns here such that we can send traffic regarding www.myurl.com/images to the second availability zone, US-EAST-1B

Answer 339

plan for failure = everything fails = that’s why Netflix created the Simian Army (including Chaos Monkey) when you have the same setup in two different regions, you can tolerate issues and make failover use multiple availability zones and multiple regions where you can

Answer 340

* Scaling out = auto-scaling groups to add additional EC2 instances * Scaling up = increasing the power of the existing EC2 instances

Answer 341

CloudFormation is a way of completely scripting your cloud environment = automating the architecture setup

Answer 342

a bunch of CloudFormation templates already built by AWS solutions architects allowing you to create complex environments very quickly.

Answer 343

essentially just a way to deploy applications to the cloud (without knowing anything about AWS) =\> You can deploy and manage applications in the AWS cloud without worrying about the infrastructure that runs those applications. You simply upload the code for your application, and Elastic Beanstalk automatically handles the details of capacity provisioning, load balancing, scaling and application health monitoring.

Answer 344

S3 the key point in the questions is that the data is non-replaceable, and is frequently updated. The 1st excludes anything the has reduced Durability, the 2nd excluded anything with long recall, reduced availability, or billing based on infrequent access.

Answer 345

Application Load Balancers (ALB) The ALB has functionality to distinguish traffic for different targets (mysite.co/accounts vs. mysite.co/sales vs. mysite.co/support) and distribute traffic based on rules for; target group, condition, and priority.

Answer 346

Availability Each word has a specific meaning and your ability to select the correct answer may depend on understanding the difference. Availability can be described as the % of a time period when the service will be able to respond to your request in some fashion.

Answer 347

Durability Each word has a specific meaning and your ability to select a correct answer may depend on understanding the difference. Durability refers to the on-going existence of the object or resource. Note that it does not mean you can access it, only that it continues to exist.

Answer 348

99.999999999 percent

Answer 349

Scaling Up Scaling out is where you have more of the same resource separately working in parallel (visualize services sitting side by side). Scaling Up is where you make it bigger and bigger like and ugly tower with more floors being added after the initial design was finished

Answer 350

S3 Standard-IA The key drivers here are availability and cost, so an awareness of cost is necessary to answer this. Full S3 is quite expensive at around $0.023 per GB for the lowest band. S3 standard IA is $0.0125 per GB, S3 OneZone-IA is $0.01 per GB, and Legacy S3-RRS is around $0.024 per GB for the lowest band. Of the offered solutions S3 One Zone-IA is the cheapest suitable option. Glacier cannot be considered as it is not intended for direct access, however it comes in at around $0.004 per GB. S3 has an availability of 99.99%, S3-IA has an availability of 99.9% while S3-1Zone-IA only has 99.5%

Answer 351

Network Load Balancers (NLB) The Network Load Balancer is specifically designed for high performance traffic that is not conventional Web traffic. The Classic LB might also do the job, but would not offer the same performance.

Answer 352

Use a Classic Load Balancer to spread the load over several availability zones. Use Route 53 with health checks to distribute load across multiple ELBs. Use multiple autoscaling groups and boundaries for a staged or 'canary' deployment process. Use several Target groups or auto scaling groups under each Load Balancers. Using Route 53 to distribute work direct to compute resources can work, but is hard to manage, and is not a recommended AWS pattern. ELB can spread load across AZs not regions. Deploying updates to all groups simultaneously will not reduce risk. Using Route 53 in combination with ELBs is a good pattern to distribute regionally as well as across AZs. Although the methods vary, you can place multiple autoscaling or target groups behind ELBs.

Answer 353

Consider replacing it with Aurora before go live. Convert the RDS instance to a multi-AZ implementation. There are two issues to be addressed in this question. Minimizing outages, whether due to required maintenance or unplanned failures. Plus the possibility of needing to scale up or down. Read-replicas can help you with high read loads, but are not intended to be a solution to system outages. Multi-AZ implementations will increase availability because in the event of an instance outage one of the instances in another AZs will pick up the load with minimal delay. Aurora provided the same capability with potentially higher availability and faster response.

Answer 354

Resiliency Each word has a specific meaning and your ability to select the correct answer may depend on understanding the difference. Resiliency can be described as the ability to a system to self heal after damage or an event. Note that this does not mean that it will be available continuously during the event, only that it will self recover.

Answer 355

Copy the files from the NAS to an S3 bucket with the One Zone-IA class S3 OneZone-IA provides on-line access to files, while offering the same 11 9's of durability as all other storage classes. The trade-off is in the availability - 99.5% as opposed to 99.9%-99.99%. However in this brief as cost is more important than availability, S3 OneZone-IA is the logical choice . RRS is deprecated and new uses are strongly discouraged by AWS.

Answer 356

A spread placement group is a group of instances that are each placed on distinct underlying hardware There is only one answer that is specific to Spread Placement Groups, and that is the final option. Whilst some of these answers are correct for either Cluster Placement Groups only, or for both Cluster and Spread Placement Groups, the question stated that only options specific to Spread Placement Groups should be chosen. This would rule out two options as they are true for both Spread & Cluster type placement groups. The Logical grouping of instances within a single Availability Zone is only true of Cluster Placement Groups and is also incorrect.

Answer 357

Reliability Each word has a specific meaning and your ability to select a correct answer may depend on understanding the difference. Reliability is closely related to Availability, however a system can be 'Available' but not be working properly. Reliability is the probability that a system will work as designed. This term is not used much in AWS, but is still worth understanding.

Answer 358

Simple Queue Service… (used to decouple your infrastructure such that not all crash if one thing crashes) web service that gives you access to a message queue that can be used to store messages while waiting for a computer to process them. the queue acts as a buffer between the component producing and saving data, and the component receiving the data for processing SQS is pull based (btw also the 1st AWS service)

Answer 359

256 kb in size

Answer 360

* SQS Standard (default) * high throughput and nearly-unlimited number of transactions per second BUT be aware that one copy of a message might be delivered out of order and there may be duplicates (generally same order as they are sent but not always) * FIFO Queues (first-in-first-out) * always the same order as sent (ordered) and surely NO duplicates * 300 transactions per second

Answer 361

the amount of time that the message is invisible in the SQS queue after a reader picks up that message. If the job is processed/completed before the visibility time expires, the message will be deleted from the queue (Visibility Timeout Maximum is 12 hours) However, if the job is not processed within the visibility time-out, it will become visible again and another reader will process it = hence, some messages can be delivered twice.

Answer 362

Simple Work Flow Service… = a web service that makes it easy to coordinate work across distributed application components = a way of coordinating your applications and manual processors (human beings) (Amazon uses this… you buy a book online. all is based on computers, including payment, but then human labor needs to help in the warehouse to get the package ready) You use SWF if there is any manual processing involved

Answer 363

* SQS (Simple Queue Service) * Retention Period of up to 14 days * Message-oriented API * Tasks may be duplicated * need to implement your own application-level tracking * SWF (Simple Work Flow Service) * Retention period/Workflow execution period up to 1 year * Task-oriented API * NEVER duplicated. Each task only once * Keeps track of all tasks and events in an application

Answer 364

* WORKFLOW STARTERS * application that can initiate (start) a workflow * example: your e-commerce website following the placement of an order * DECIDERS * control the flow of activity tasks in a workflow execution = if something has finished (or failed) in a workflow, a Decider decides what to do next * ACTIVITY WORKERS * Carry out the activity tasks

Answer 365

Simple Notification Service…. a web service that makes it easy to set up, operate, and send notifications from the cloud SNS is PUSH-based Allows you to make push notifications to Apple, Google, Fire OS, Windows devices, Android Devices in China with Baidu Cloud Push + can also deliver notifcations by SMS and email

Answer 366

Topics in SNS allows you to group multiple recipients = you can group together iOS, Android and SMS recipients for example and all subscribers within this group will receive the same messages from SNS (Simple Notifications Service)

Answer 367

* Instantaneous PUSH-based delivery * Simple APIs and easy integration with applications * Flexible message delivery over multiple transport protocols

Answer 368

* SNS (Simple Notifications Service) * PUSH-based * SQS (Simple Queue Service) * Pull-based (poll) (both are messaging services in AWS)

Answer 369

A media transcoder in the cloud = a way to convert media files from their original source format into different formats that will play on different devices (smartphones, tablets, pc)

Answer 370

a fully managed service that makes it easy for developers to publish, maintain, monitor and secure APIs at any scale = you can make a “front door” for applications to access stuff from your back-end services API Gateway scales automatically

Answer 371

with caching, you can reduce the number of calls made to your endpoint and also improve the latency of the requests to your API (API caching can be enabled in Amazon API Gateway) used to increase performance

Answer 372

that web page A can access data in web page B, IF both web pages have the same origin (= the same domain name) (but when using AWS, we use different domain names all the time so we need to use CORS)

Answer 373

Cross-Origin Resource Sharing = a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the first resource was served

Answer 374

the problem here is that CORS is not enabled on the API Gateway

Answer 375

data that is generated continuously by thousands of data sources Examples: * Stock prices * Gaming Data (as the gamer plays) * Social network data (twitter for example) * Geospatial data (fx uber) * iOT sensor data (say from AgTech sensors) * Purchases from online stores (amazon.com)

Answer 376

a platform on AWS to send your streaming data to Kinesis makes it easy to load and analyze streaming data

Answer 377

* Kinesis Streams * Kinesis Firehose * Kinesis Analytics

Answer 378

a place to store streaming data within a Kinesis stream, you have SHARDS

Answer 379

with Kinesis Firehose, the streaming data is not stored, it must instead be analyzed as it comes in and then sent out again

Answer 380

Kinesis Analytics help analyze the streaming data inside Kinesis (inside both Kinesis Firehose and Kinesis Streams)

Answer 381

it lets you give your users access to AWS resources AFTER they have successfully authenticated with a web-based identity provider like Amazon, Facebook, Google etc. = you get access after you have “login using Facebook”

Answer 382

a web identity federation service for sign-up and sign-ins to your apps. Cognito brokers between the app and Facebook/Google to provide temporary credentials which map to an IAM role allowing access to the required resources

Answer 383

used to manage sign-in and sign-up for mobile and web applications focused on users and thus handles things like user registration, authentication, and account recovery

Answer 384

provide temporary AWS credentials to access AWS services like S3 or DynamoDB identity pools authorise access to your AWS resources

Answer 385

SNS is a push notification service, whereas SQS is message system that requires worker nodes to poll a queue. SNS is a Notification service for sending text based communication of different types to different destinations. SQS is a Queue system for asynchronously manages tasks (called messages)

Answer 386

An Amazon Resource Name is created.

Answer 387

SQS In IT the term 'message' can be used in the common sense, or to describe a piece of data of Task in an asynchronous queueing system such as MQseries, RabbitMQ or SQS.

Answer 388

Simple Email Service

Answer 389

Coordinate synchronous and asynchronous tasks Similar to SQS SWF manages queues of work, however unlike SQS it can have out-of-band parallel and sequential task to be completed by humans and non AWS services.

Answer 390

False While there are a limited range of SDKs available for SWF, AWS provides an HTTP based API which allows you to interact using any language as long as you phrase the interactions in HTTP requests.

Answer 391

True One time only completion is a key feature of SWF. At one time this was a key distinction from SQS, however with SQS FiFo queues, this is no longer a distinguishing feature.

Answer 392

A collection of related workflows

Answer 393

Simple Work Flow

Answer 394

you don’t worry about your infrastructure as such. you only worry about your code and pay for the amount of time your code runs

Answer 395

a compute service where you can upload your code and create a Lambda function. the ultimate abstraction layer = AWS Lambda is on top of data center, hardware, assembly code/protocols, operating systems, APIs/application layer etc.

Answer 396

* An an event-driven computer service where AWS Lambda runs your code in response to events such as changes in an Amazon S3 bucket * As a compute service to run your code in response to HTTP requests using Amazon API Gateway or API calls made using AWS SDKs

Answer 397

Traditional = user - root53 to ELB - web server - RDS/Database Serverless = user - API Gateway - Lambda - DynamoDB/AuroraServerless With serverless you do not have to worry about auto-scaling

Answer 398

1. Number of requests and 2. Duration of time your code runs

Answer 399

continuously/automatically but remember that it scales OUT (not up)

Answer 400

1 event = 1 function but… one Lambda function can trigger other Lambda functions so 1 event can = x functions if functions trigger other functions

Answer 401

a service that helps you see and debug what is happening inside your architecture (useful as architecture turns complicated)

Answer 402

Yes… Lambda can do things globally so you can fx use it to backup S3 buckets to other S3 buckets

Answer 403

Out Lambda scales out automatically - each time your function is triggered, a new, separate instance of that function is started. There are limits, but these can be adjusted on request.

Answer 404

Multiple instances of the Lambda function will be triggered, one for each image Each time a Lambda function is triggered, an isolated instance of that function is invoked. Multiple triggers result in multiple concurrent invocations, one for each time it is triggered.

Answer 405

Duration of execution billed in fractions of seconds. The amount of memory assigned. Lambda billing is based on both The MB of RAM reserved and the execution duration in 100ms units.

Answer 406

API Gateway S3 DynamoDB API-Gateway Events, S3 Events and DynamoDB Events are all valid triggers for Lambda functions

Answer 407

Create a duplicate sign up page that stores registration details in DynamoDB for asynchronous processing using SQS & Lambda. Work with your web design team to create some web pages with embedded JavaScript to emulate your 5 most popular information web pages and sign up web pages. A 500x increase is beyond the scope of a well designed single server system to absorb unless it is already hugely overspecialised to accommodate this sort of burst load. An AWS solution for this situation might include S3 static web pages with client side scripting to meet high demand of information pages. Plus use of a noSQL database to collect customer registration for asynchronous processing, and SQS backed by scalable compute to keep up with the requests. Lightsail does provide a scalable provisioned service solutions, but these still need to be designed an planned by you and so offer no significant advantage in this situation. A standby server is a good idea, but will not help with the anticipated 500x load increase.

Answer 408

EC2, ECS, & Lambda. The exact ratio of cores to memory has varied over time for Lambda instances, however Lambda like EC2 and ECS supports hyper-threading on one or more virtual CPUs (if your code supports hyper-threading).

Answer 409

AWS X-Ray AWS X-Ray helps developers analyze and debug production, distributed applications, such as those built using a microservices & serverless architectures

Answer 410

A native Cloud Architecture that allows customers to shift more operational responsibility to AWS. The ability to run applications and services without thinking about servers or capacity provisioning. 'Serverless' computing is not about eliminating servers, but shifting most of the responsibility for infrastructure and operation of the infrastructure to a vendor so that you can focus more on the business services, not how to manage the infrastructure that they run on. Billing does tend to be based on simple units, but the choice of services, intended usage pattern (RIs), and amount of capacity needed also influences the pricing.

Answer 411

Your lambda function does not have sufficient Identity Access Management (IAM) permissions to write to DynamoDB. Like any services in AWS, Lambda needs to have a Role associated with it that provide credentials with rights to other services. This is exactly the same as needing a Role on an EC2 instance to access S3 or DDB.

Answer 412

1. Number of requests and 2. Duration of time your code runs it is dirt cheap!

Answer 413

continuously/automatically but remember that it scales OUT (not up)

Answer 414

1 event = 1 function but… one Lambda function can trigger other Lambda functions so 1 event can = x functions if functions trigger other functions

Answer 415

a service that helps you see and debug what is happening inside your architecture (useful as architecture turns complicated)

Answer 416

Yes… Lambda can do things globally so you can fx use it to backup S3 buckets to other S3 buckets

Answer 417

* Encryption in S3 * Client-side * uploading an encrypted object * Server-side * S3 managed keys, SSE-S3 * amazon manages encryption keys for you * AWS Key Management Service, SSE-KMS * you manage keys with amazon * Server side encryption with customer provided keys (SSE-C) * you provide keys to amazon * Encryption in transit = HTTPS * achieved through SSL/TLS. when you browse using HTTPS

Answer 418

* requires that versioning is enabled on both the source and destination buckets * only replicates NEW objects, NOT deletes nor existing files

Answer 419

= Amazon’s CDN… distributed servers that delivers web content based on the geographic locations of users

Answer 420

* Web Distribution (part of cloudfront) = for websites * RTMP (part of cloudfront) = for media streaming

Answer 421

Can invalidate data/files on the distribution = taking it away from the edge locations. you will be charged for this.

Answer 422

a service that connects an on-premise software appliance with cloud-based storage to provide seamless and secure integration.

Answer 423

= Elastic File System for EC2 * very similar to EBS. Difference is that EBS can only be mounted to 1 EC2 instance. * EFS automatically grow and shrink based on the files you have in your EFS

Answer 424

* File Gateway (NFS & SMB) * files stored in your S3 bucket * Volume Gateway (iSCSI) - to store Hard disk drive in AWS * Stored Volumes * store ENTIRE primary data locally and backed up in AWS * Cached Volumes * stores the most frequently used data locally (NOT entire data) and the rest of the data in S3 * Tape Gateway (VLT) * way to archive your data in the AWS cloud = good to move your backup to the cloud

Answer 425

EBS, virtual hard disk in the cloud for use with EC2, Elastic Block Store, used with EC2,

Answer 426

* General Purpose SSD = gp2 * most workloads * Provisioned IOPS SSD = io1 * databases * Throughput optimised HDD = st1 * big data & data warehouses * Cold HDD = sc1 * file servers * EBS Magnetic = standard * where data is infrequently accessed

Answer 427

= backup of EBS volumes

Answer 428

= stop the ebs volume instance and then take snapshot

Answer 429

* Automatic Backups * enabled by default and take full daily snapshots * stored in S3 * Database Snapshots * user-initiated * stored even after you delete the original RDS instance

Answer 430

the restored version will be a new RDS instance with a new DNS endpoint

Answer 431

* Aurora replicas (up to 15), automated failover * MySQL read replicas (up to 5)

Answer 432

Region ,operating system, architecture (32 vs 64 bit), launch permissions, storage for the root (EBS volumes vs. Instance store volumes)

Answer 433

* EBS Volumes * created from the snapshot of an EBS * Instance Store Volumes (Ephemeral Storage = if stops, you’ll lose your data) * created from template stored in Amazon S3

Answer 434

* CPU * Network * Disk * Status check

Answer 435

* Internet Gateway or Virtual Private Gateway * Router * route table * access control lists * subnets * NAT instances, network address translation * NAT instances, NAT gateways * security groups * instances * EC2 * Bastion * VPC Endpoint * interface endpoint * gateway endpoint

Answer 436

* A record = Address Record * point a logical domain name, such as "google.com", to the IP address of Google's hosting server, "74.125. 224.147". * CName = Canonical Name * A Canonical Name or CNAME record is a type of DNS record that maps an alias name to a true or canonical domain name. ... For example, a CNAME record can map the web address www.example.com to the actual web site for the domain example.com * CName can’t be used for naked domain names = without www,. you will need an A-record or an Alias record then * SOA = state of authority * the name of the server that supplied the data for the zone, the administrator of the zone, the current version of the data file and the default number of second for the TTL file on resource records * NS records = Name Server records * used by Top Level Domain servers to direct traffic to the Content DNS server which contains the authoritative DNS records * gives us access to the SOA which contains the other DNS records such as the A-Record, * MX Records * used for mail * PTR records * opposite of an A-record = you find the hyperlink from an IP-address * Alias record * used to map resource record sets to elastic load balancers, very similar to CName. Same thing but cannot be used for naked domain names

Answer 437

* A Canonical Name or CNAME record is a type of DNS record that maps an alias name to a true or canonical domain name. ... For example, a CNAME record can map the web address www.example.com to the actual web site for the domain example.com * CName can’t be used for naked domain names = without www,. you will need an A-record or an Alias record then

Answer 438

* Address Record * point a logical domain name, such as "google.com", to the IP address of Google's hosting server, "74.125. 224.147".

Answer 439

used to map resource record sets to elastic load balancers, very similar to CName. Same thing but cannot be used for naked domain names

Answer 440

data that is generated continuously by thousands of data sources,kb-size data

Answer 441

* a platform to send your streaming data to * Kinesis Streams for storage, consist of SHARDS (24h-7days), * Kinesis Firehose for analyzing on the go, * Kinesis Analytics can analyze inside both Kinesis Firehose and Kinesis Streams

Answer 442

= access to AWS resources after “login with Facebook”

Answer 443

* Amazon’s web identity federation service * User pools: user directories to manage sign-up and sign-in functionality, users can sign in directly or with facebook, amazon, google etc, This is about USERS (emails, passwords, user registration, account recovery etc.) * Identity pools: enable temporary AWS credentials to access AWS services like S3 or DynamoDB. This is about GRANTING/AUTHORISING access

Answer 444

* User pools: user directories to manage sign-up and sign-in functionality, users can sign in directly or with facebook, amazon, google etc, This is about USERS (emails, passwords, user registration, account recovery etc.) * Identity pools: enable temporary AWS credentials to access AWS services like S3 or DynamoDB. This is about GRANTING/AUTHORISING access

Answer 445

CloudFormation = advanced AWS users ElasticBeanstalk = people that have no clue about AWS and just want to get their website up

Answer 446

1. First checks if instances are in multi-AZ. If yes, an instance is shut down from the AZ with the most running instances 2. If even number of instances across AZs, the oldest configured EC2 is terminated first 3. if all equal, at random

Answer 447

* CPU utilization * Network utilization * Disk Performance * Disk reads/writes

Answer 448

* Memory utilization * Disk-swap * Disk-space * Page file utilization * Log collection

Answer 449

32 - 27 = 5 2^5 = 32

Answer 450

32 because… 32-32 = 0 2^0 = 1 ip address

Answer 451

* SSD = small, random I/O operations * HDD = large, sequential I/O operations

Answer 452

the operating system of the instance

Answer 453

in the private subnet

Answer 454

* Autoscaling Groups =\> EC2 Status Check =\> Replaces unhealthy instances * ELB Health checks =\> stops sending traffic to the unhealthy instance If ELB on top of auto scaling, the ELB process is dominating

Answer 455

Amazon Message queue Amazon MQ, Amazon SQS, and Amazon SNS are messaging services that are suitable for anyone from startups to enterprises. If you're using messaging with existing applications and want to move your messaging service to the cloud quickly and easily, it is recommended that you consider Amazon MQ. It supports industry-standard APIs and protocols so you can switch from any standards-based message broker to Amazon MQ without rewriting the messaging code in your applications.

Answer 456

S3 Select is a new Amazon S3 capability designed to pull out only the data you need from an object, which can dramatically improve the performance and reduce the cost of applications that need to access data in S3

Answer 457

Redshift Spectrum is a feature of Amazon Redshift that allows you to query data stored on Amazon S3 directly and supports nested data types

Answer 458

* Amazon Redshift is a relational, OLAP-style database. It’s a data warehouse built for the cloud, to run the most complex analytical workloads. * Amazon Redshift Spectrum is a feature of Amazon Redshift. Spectrum is a query processing engine that allows to join data that sits in Amazon S3 with data in Amazon Redshift.

Answer 459

Elasticsearch is a highly scalable open-source full-text search and analytics engine. It allows you to store, search, and analyze big volumes of data quickly and in near real time.

Answer 460

Amazon Elasticsearch Service (Amazon ES) is a managed service that makes it easy to deploy, operate, and scale Elasticsearch clusters in the AWS Cloud. You can load streaming data into Elasticsearch Service

Answer 461

Amazon Athena is a service that enables a data analyst to perform interactive queries on data stored in S3. Because Athena is a serverless query service, an analyst doesn't need to manage any underlying compute infrastructure to use it.

Answer 462

You can speed up your queries dramatically by compressing your data, provided that files are splittable or of an optimal size (optimal S3 file size is between 200MB-1GB). Smaller data sizes mean less network traffic between Amazon S3 to Athena = and thus higher speed

Answer 463

Route Origin Authorization. A ROA tells the world who is allowed to advertise your IP address range. = used to give AWS the authorization to advertise your IP address range.

Answer 464

DAX = Dynamo DB Accelerator Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to a 10x performance improvement – from milliseconds to microseconds – even at millions of requests per second. = used to speed up queries from your DynamoDB no-sql database

Answer 465

Device Farm is an app testing service that you can use to test and interact with your Android, iOS, and web apps on real, physical phones and tablets that are hosted by Amazon Web Services (AWS). There are two main ways to use Device Farm: * Automated testing of apps using a variety of testing frameworks. * Remote access of devices onto which you can load, run, and interact with apps in real time.

Answer 466

Stripe set or striped volume. RAID 0 helps stripe = split data evenly across two or more disks, without parity information, redundancy or fault tolerance. USED for….. increasing read and write transfer rates = for high performance but with lower reliability (see below) since there is no fault tolerance or redundancy, the failure of one drive will cause the entire array to fail and thus lose all data in such cases.

Answer 467

RAID 1 consist of an exact copy MIRROR of a set of data on two or more disks. USED for… when READ performance or RELIABILITY is more important than write performance

Answer 468

RAID 0 = split data evenly across two or more disks =\> to increase read AND write transfer rates =\> for high performance but with lower reliability RAID 1 = exact copy/MIRROR of a set of data on two or more disk = used when READ performance or RELIABILITY is more important than write performance

Answer 469

Redundant Array of Independent Disks configurations to create large reliable data stores from multiple HDDs (in relation to RSD)

Answer 470

Security Assertion Markup Language…. is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). used… This feature enables federated single sign-on (SSO), so users can log into the AWS Management Console or call the AWS APIs without you having to create an IAM user for everyone in your organization. By using SAML, you can simplify the process of configuring federation with AWS, because you can use the IdP's service instead of writing custom identity proxy code. Used = for example with Active directory (by Microsoft)

Answer 471

Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate NOTE…. Although STS is used to send temporary tokens for authentication, this is not a compatible use case for RDS

Answer 472

Active Directory. Active Directory (AD) is a Microsoft technology used to manage computers and other devices on a network. ... As a network grows, Active Directory provides a way to organize a large number of users into logical groups and subgroups, while providing access control at each level.

Answer 473

An Amazon service to connect to Microsoft Active directory

Answer 474

RDS Enhanced Monitoring provides visibility into the health of your Amazon RDS instances

Answer 475

Elastic MapReduce =\> Amazon EMR is the industry leading cloud-native big data platform for processing vast amounts of data quickly and cost-effectively at scale. Using open source tools such as Apache Spark, Apache Hive, Apache HBase, Apache Flink, Apache Hudi (Incubating), and Presto, coupled with the dynamic scalability of Amazon EC2 and scalable storage of Amazon S3, EMR gives analytical teams the engines and elasticity to run Petabyte-scale analysis for a fraction of the cost of traditional on-premises clusters. Used for = big data processing and analysis

Answer 476

in regards to IP addresses…. * TCP * connection-oriented protocol = establishes a connection between sender and receiver before data can be sent * Reliable * SSH Protocol + HTTPS * UDP * connection-less protocol = does not establish a connection before data is sent * FASTER but less reliable * HTTP with UDP + HTTPS

Answer 477

Polling is a technique by which the client asking the server for new data regularly * Long Polling * Long Polling basically involves making an HTTP request to a server and then holding the connection open to allow the server to respond at a later time (as determined by the server). * short polling * Short polling is an AJAX-based timer that calls at fixed delays

Answer 478

* DynamoDB * database * good for OLTP (online transaction processing) * Redshift * data warehouse * good for OLAP (online analytics processing)

Answer 479

Workload Management = (WLM) uses machine learning to dynamically manage memory and concurrency helping maximize query throughput. In addition, you can now easily set the priority of your most important queries, even when hundreds of queries are being submitted. Part of REDSHIFT

Answer 480

Allows you to direct Redshift COPY and UNLOAD traffic through your VPC When you use Amazon Redshift Enhanced VPC Routing, Amazon Redshift forces all COPY and UNLOAD traffic between your cluster and your data repositories through your Amazon VPC. By using Enhanced VPC Routing, you can use standard VPC features, such as VPC security groups, network access control lists (ACLs), VPC endpoints, VPC endpoint policies, internet gateways, and Domain Name System (DNS) servers, as described in the Amazon VPC User Guide. You use these features to tightly manage the flow of data between your Amazon Redshift cluster and other resources.

Answer 481

An Amazon Redshift data warehouse is a collection of computing resources called nodes, which are organized into a group called a cluster. Each cluster runs an Amazon Redshift engine and contains one or more databases. Each cluster consist of: * The Leader Node * manages communication between the compute nodes and the client applications * not billable btw * Compute node(s) - has CPU, Memory, Disk storage * stores data and execute queries * billed by total number of compute node hours

Answer 482

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, fast, container management service that makes it easy to run, stop, and manage Docker containers on a cluster. It is comparable to Kubernetes, Docker Swarm, and Azure Container Service. For example, ECS allows your applications the flexibility to use a mix of Amazon EC2 and AWS Fargate with Spot and On-Demand pricing options.

Answer 483

a Cluster is a group of ECS Container Instances * clusters are REGION-specific * may contain a mix of tasks using EITHER the Fargate or EC2 Launch types * may contain a mix of both Auto Scaling group capacity providers and Fargate capacity providers * IAM policies may be created to allow or restrict user access to clusters

Answer 484

AWS Fargate is a serverless compute engine for containers that works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS)

Answer 485

Throttling is a process that is used to control the usage of APIs by consumers during a given period. ou can define throttling at the application level and API level. Throttling limit is considered as cumulative at API level. ... For example, you can limit the number of total API requests as 10000/day USED.. * to protect your backend systems from traffic spikes by using throttling limits on the API gateway

Answer 486

* Want to provide access to multiple restricted files (subscriber area of a platform) * You do not want to change your current URLs (CloudFront signed URLs and signed cookies provide the same basic functionality: they allow you to control who can access your content.)

Answer 487

* Signed URLs * Restrict access to individual files, for example, an installation download for your application * Users are using HTTP which does not support cookies * RTMP distribution * Signed Cookies * Want to provide access to multiple restricted files (subscriber area of a platform) * You do not want to change your current URLs

Answer 488

Lambda@Edge is a _feature of Amazon CloudFront that lets you run code closer to users of your application, which improves performance and reduces latency._ With Lambda@Edge, you don't have to provision or manage infrastructure in multiple locations around the world.

Answer 489

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS

Answer 490

What is DDoS attacks?

Answer 491

The partition key portion of a table's primary key determines the logical partitions in which a table's data is stored. (part of DynamoDB) More partition keys = more data divisions = more division of provisioned I/O capacity = better distribution of workload evenly and less risk of throttling (DynamoDB stores data as groups of attributes, known as items. Items are similar to rows or records in other database systems. DynamoDB stores and retrieves each item based on the primary key value, which must be unique. Items are distributed across 10-GB storage units, called partitions (physical storage internal to DynamoDB)

Answer 492

AWS KMS is a managed service that enables you to easily create and control the keys used for cryptographic operations. USED * You can use it in your applications to create, store and control encryption keys to encrypt your data * Want to encrypt data FIRST before writing it to the disk (EBS) for storage use AWS KMS API

Answer 493

Amazon Web Application Firewall.. AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources

Answer 494

Amazon Simple E-mail Service designed to help digital marketers and application developers send marketing, notification, and transactional emails.

Answer 495

An Internet-routable IP address (statis) of the customer gateway’s external interface for the on-premises network. Although the term VPN connection is a general term, in the Amazon VPC documentation, a VPN connection refers to the connection between your VPC and your own network. AWS supports Internet Protocol security (IPsec) VPN connections. A customer gateway is a physical device or software application on your side of the VPN connection. To create a VPN connection, you must create a customer gateway resource in AWS, which provides information to AWS about your customer gateway device. Next, you have to set up an Internet-routable IP address (static) of the customer gateway's external interface.

Answer 496

In software testing, a canary is a push of programming code changes to a small group of end users who are unaware that they are receiving new code. Because the canary is only distributed to a small number of users, its impact is relatively small and changes can be reversed quickly should the new code prove to be buggy. = to deploy test of new software fx

Answer 497

Blue-green deployment is a technique that reduces downtime and risk by running two identical production environments called Blue and Green. At any time, only one of the environments is live, with the live environment serving all production traffic. For this example, Blue is currently live and Green is idle

Answer 498

The canonical name record (CNAME) is switched form the primary to standby instance In Amazon RDS, failover is automatically handled so that you can resume database operations as quickly as possible without administrative intervention in the event that your primary database instance went down. When failing over, Amazon RDS simply flips the canonical name record (CNAME) for your DB instance to point at the standby, which is in turn promoted to become the new primary.

Answer 499

* you pay only for the API calls you receive and the amount of data transferred out * you can run your APIs without any servers

Answer 500

* Alias with a type “AAAA” record set * Alias with a type “A” record set Alias with a type "AAAA" record set and Alias with a type "A" record set are correct. To route domain traffic to an ELB load balancer, use Amazon Route 53 to create an alias record that points to your load balancer. An alias record is a Route 53 extension to DNS. It's similar to a CNAME record, but you can create an alias record both for the root domain, such as tutorialsdojo.com, and for subdomains, such as portal.tutorialsdojo.com. (You can create CNAME records only for subdomains.) To enable IPv6 resolution, you would need to create a second resource record, tutorialsdojo.com ALIAS AAAA -\> myelb.us-west-2.elb.amazonnaws.com, this is assuming your Elastic Load Balancer has IPv6 support.

Answer 501

FALSE almost correct. But instead of storing the volume to Amazon RDS, the EBS Volume snapshots are actually sent to Amazon S3.

Answer 502

Network Load Balancer Host-based routing is what enables virtual servers on web servers. It's also used by application services like load balancing and ingress controllers to achieve the same thing. One IP address, many hosts URL Path Based Routing allows you to route traffic to back-end server pools basedon URL Paths of the request

Answer 503

Cognito ID You can use Amazon Cognito to deliver temporary, limited-privilege credentials to your application so that your users can access AWS resources. Amazon Cognito identity pools support both authenticated and unauthenticated identities. You can retrieve a unique Amazon Cognito identifier (identity ID) for your end user immediately if you're allowing unauthenticated users or after you've set the login tokens in the credentials provider if you're authenticating users. That is why the correct answer for this question is Cognito ID.

Answer 504

* Lambda Function * SQS * SNS

Answer 505

* SNS * CloudWatch , you can use Amazon CloudWatch to monitor the database and then Amazon SNS to send the emails to the Operations team. Take note that you should use SNS instead of SES (Simple Email Service) when you want to monitor your EC2 instances.

Answer 506

Deploy a Windows Bastion host with an elastic IP address in the public subnet and allow RDP access to bastion only from the corporate IP address The correct answer is to deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow RDP access to bastion only from the corporate IP addresses. A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. If you have a bastion host in AWS, it is basically just an EC2 instance. It should be in a public subnet with either a public or Elastic IP address with sufficient RDP or SSH access defined in the security group. Users log on to the bastion host via SSH or RDP and then use that session to manage other hosts in the private subnets.

Answer 507

Amazon Simple Queue Service (SQS) and Amazon Simple Workflow Service (SWF)are the services that you can use for creating a decoupled architecture in AWS. Decoupled architecture is a type of computing architecture that enables computing components or layers to execute independently while still interfacing with each other. Amazon SQS offers reliable, highly-scalable hosted queues for storing messages while they travel between applications or microservices. Amazon SQS lets you move data between distributed application components and helps you decouple these components. Amazon SWF is a web service that makes it easy to coordinate work across distributed application components.

Answer 508

AWS Snowball Edge Although an AWS Snowball device costs less than AWS Snowball Edge, it cannot store 80 TB of data in one device. Take note that the storage capacity is different from the usable capacity for Snowball and Snowball Edge. Remember that an 80 TB Snowball appliance and 100 TB Snowball Edge appliance only have 72 TB and 83 TB of usable capacity respectively. Hence, it would be costly if you use two Snowball devices compared to using just one AWS Snowball Edge device.

Answer 509

Security and Compliance is a shared responsibility between AWS and the customer.

Answer 510

Order multiple AWS Snowball devices to upload the files to amazon S3

Answer 511

Attaching an ENI to an instance when it is stopped. An elastic network interface (ENI) is a logical networking component in a VPC that represents a virtual network card. You can attach a network interface to an EC2 instance in the following ways: When it's running (hot attach) When it's stopped (warm attach) When the instance is being launched (cold attach). Therefore, attaching an ENI to an instance when it is stopped is the correct answer.

Answer 512

Establish another AWS Direct Connect connection and private virtual interface in the same AWS region as VPC-1 Establish a hardware VPN over the internet between VPC-1 and the common on-premises network

Answer 513

Create CloudWatch alarms that stop and start the instance based on status check alarms.

Answer 514

* Before sending the data to amazon S3 over HTTPS, encrypt the data locally first using your own encryption keys * Enable server-side encryption on an S3 bucket to make use of AES-256 encryption Server-side encryption is about data encryption at rest—that is, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. For example, if you share your objects using a pre-signed URL, that URL works the same way for both encrypted and unencrypted objects.

Answer 515

The correct answer is Pilot Light. The term pilot light is often used to describe a DR scenario in which a minimal version of an environment is always running in the cloud. The idea of the pilot light is an analogy that comes from the gas heater. In a gas heater, a small flame that’s always on can quickly ignite the entire furnace to heat up a house. This scenario is similar to a backup-and-restore scenario. For example, with AWS you can maintain a pilot light by configuring and running the most critical core elements of your system in AWS. When the time comes for recovery, you can rapidly provision a full-scale production environment around the critical core.

Answer 516

Warm standby is a method of redundancy in which the scaled-down secondary system runs in the background of the primary system. Doing so would not optimize your savings as much as running a pilot light recovery since some of your services are always running in the background.

Answer 517

it is best to create 2 separate SQS queues for each type of members. The SQS queues for the premium members can be polled first by the EC2 Instances and once completed, the messages from the free members can be processed next.

Answer 518

For this scenario, using Route 53 with the failover option to a static S3 website bucket or CloudFront distribution is correct. You can create a new Route 53 with the failover option to a static S3 website bucket or CloudFront distribution as an alternative.

Answer 519

Using an Elastic Load Balancer is an ideal solution for adding elasticity to your application. Alternatively, you can also create a policy in Route 53, such as a Weighted routing policy, to evenly distribute the traffic to 2 or more EC2 instances. Hence, setting up two EC2 instances and then put them behind an Elastic Load balancer (ELB) and setting up two EC2 instances and using Route 53 to route traffic based on a Weighted Routing Policy are the correct answers.

Answer 520

Instance Metadata Instance metadata is the data about your instance that you can use to configure or manage the running instance. You can get the instance ID, public keys, public IP address and many other information from the instance metadata by firing a URL command in your instance to this URL: http://169.254.169.254/latest/meta-data/

Answer 521

* Amazon S3 Glacier * AWS Storage Gateway All data transferred between any type of gateway appliance and AWS storage is encrypted using SSL. By default, all data stored by AWS Storage Gateway in S3 is encrypted server-side with Amazon S3-Managed Encryption Keys (SSE-S3). Also, when using the file gateway, you can optionally configure each file share to have your objects encrypted with AWS KMS-Managed Keys using SSE-KMS. This is the reason why AWS Storage Gateway is correct. Data stored in Amazon Glacier is protected by default; only vault owners have access to the Amazon Glacier resources they create. Amazon Glacier encrypts your data at rest by default and supports secure data transit with SSL. This is the reason why Amazon S3 Glacier is correct.

Answer 522

using the principle of least privilege which means granting only the permissions required to perform a task

Answer 523

* CloudFront and Elastic Load Balancing Perfect Forward Secrecy is a feature that provides additional safeguards against the eavesdropping of encrypted data, through the use of a unique random session key. This prevents the decoding of captured data, even if the secret long-term key is compromised. CloudFront and Elastic Load Balancing are the two AWS services that support Perfect Forward Secrecy. Hence, the correct answer is: CloudFront and Elastic Load Balancing.

Answer 524

AWS Trusted Advisor inspects your AWS environment and makes recommendations for saving money, improving system performance and reliability, or closing security gaps.

Answer 525

an isolated Amazon Web Service (AWS) designed to allow customers and the U.S government agencies to move their confidential data into the cloud to address their compliance and specific regulatory requirements. It runs under ITAR, the U.S. International Traffic in Arms Regulations

Answer 526

Create snapshots of the EBS volumes Creating snapshots of the EBS Volumes is correct. You can back up the data on your Amazon EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved. This minimizes the time required to create the snapshot and saves on storage costs by not duplicating data. When you delete a snapshot, only the data unique to that snapshot is removed. Each snapshot contains all of the information needed to restore your data (from the moment the snapshot was taken) to a new EBS volume.

Answer 527

In this scenario, it is stated that the SQS queue is configured with the maximum message retention period. The maximum message retention in SQS is 14 days that is why the option that says: Tell the users that the application will be operational shortly and all received requests will be processed after the web application is restarted is the correct answer i.e. there will be no missing messages.

Answer 528

300 seconds… In Auto Scaling, the following statements are correct regarding the cooldown period: It ensures that the Auto Scaling group does not launch or terminate additional EC2 instances before the previous scaling activity takes effect. Its default value is 300 seconds. It is a configurable setting for your Auto Scaling group.

Answer 529

DynamoDB Amazon DynamoDB is a fast and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed cloud database and supports both document and key-value store models. Its flexible data model, reliable performance, and automatic scaling of throughput capacity makes it a great fit for mobile, web, gaming, ad tech, IoT, and many other applications. The following diagram shows an example of data stored as key-value pairs in DynamoDB:

Answer 530

Create a Lambda function that will asynchronously process the requests. AWS Lambda supports synchronous and asynchronous invocation of a Lambda function. You can control the invocation type only when you invoke a Lambda function. When you use an AWS service as a trigger, the invocation type is predetermined for each service. You have no control over the invocation type that these event sources use when they invoke your Lambda function. Since the processing only takes 5 minutes, Lambda is also a cost-effective choice.

Answer 531

Security Token Service (STS) AWS Security Token Service (AWS STS) is the service that you can use to create and provide trusted users with temporary security credentials that can control access to your AWS resources. Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use.

Answer 532

AWS OpsWork AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments. OpsWorks has three offerings - AWS Opsworks for Chef Automate, AWS OpsWorks for Puppet Enterprise, and AWS OpsWorks Stacks.

Answer 533

The best way to implement a bastion host is to create a small EC2 instance which should only have a security group from a particular IP address for maximum security. This will block any SSH Brute Force attacks on your bastion host. It is also recommended to use a small instance rather than a large one because this host will only act as a jump server to connect to other instances in your VPC and nothing else.

Answer 534

AWS IoT Core is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices.

Answer 535

Here are the prerequisites for routing traffic to a website that is hosted in an Amazon S3 Bucket: - An S3 bucket that is configured to host a static website. The bucket must have the same name as your domain or subdomain. For example, if you want to use the subdomain portal.tutorialsdojo.com, the name of the bucket must be portal.tutorialsdojo.com. - A registered domain name. You can use Route 53 as your domain registrar, or you can use a different registrar. - Route 53 as the DNS service for the domain. If you register your domain name by using Route 53, we automatically configure Route 53 as the DNS service for the domain.

Answer 536

Use Amazon Data Licecycle Manager (DLM) to automate the creation of EBS snapshots You can use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes. Automating snapshot management helps you to: - Protect valuable data by enforcing a regular backup schedule. - Retain backups as required by auditors or internal compliance. - Reduce storage costs by deleting outdated backups.

Answer 537

Network ACL Rules are evaluated by rule number, from lowest to highest, and executed immediately when a matching allow/deny rule is found.

Answer 538

No, all EBS volumes are stored and replicated in a single AZ only The option that says: No, all EBS volumes are stored and replicated in a single AZ only is correct because when you create an EBS volume in an Availability Zone, it is automatically replicated within that zone only to prevent data loss due to a failure of any single hardware component. After you create a volume, you can attach it to any EC2 instance in the same Availability Zone. The option that says: Yes, EBS volume is fault-tolerant and has multiple copies across multiple AZ is incorrect because it is the EBS snapshots, not the EBS volume, that has a copy of the data which is stored redundantly in multiple Availability Zones.

Answer 539

* FTP used TCP * and we need to allow only one IP address so Create a new inbound rule in the security group of the EC2 instance with: Protocol: TCP Port Range: 20-21 Source: 175.45.116.100/32 The /32 denotes one IP address while /0 refers to the entire network.

Answer 540

AWS X-Ray You can use AWS X-Ray to trace and analyze user requests as they travel through your Amazon API Gateway APIs to the underlying services. API Gateway supports AWS X-Ray tracing for all API Gateway endpoint types: regional, edge-optimized, and private. You can use AWS X-Ray with Amazon API Gateway in all regions where X-Ray is available. (CloudTrail is incorrect because this is primarily used for API logging of all of your AWS resources.)

Answer 541

store the files in S3 then after amonth, change the storage class of the tutorialsdojo-finance prefix to One Zone-AI while the remaining go to Glacier using lifecycle policy. Since the files are easily reproducible and some of them are needed to be retrieved quickly based on a specific prefix filter (tutorialsdojo-finance), S3-One Zone IA would be a good choice for storing them. The other files that do not contain such prefix would then be moved to Glacier for low cost archival. This setup would also be the most cost-effective for the client.

Answer 542

Enable Cross-Region Replication In this scenario, you need to enable Cross-Region Replication to ensure that your S3 bucket would not be affected even if there is an outage in one of the Availability Zones or a regional service failure in us-east-1. When you upload your data in S3, your objects are redundantly stored on multiple devices across multiple facilities within the region only, where you created the bucket. Hence, if there is an outage on the entire region, your S3 bucket will be unavailable if you do not enable Cross-Region Replication, which should make your data available to another region. Note that an Availability Zone (AZ) is more related with Amazon EC2 instances rather than Amazon S3 so if there is any outage in the AZ, the S3 bucket is usually not affected but only the EC2 instances deployed on that zone.

Answer 543

Create an Amazon Kinesis Stream to collect the messages =\> Two important requirements that the chosen AWS service should fulfill is that data should not go missing, is durable, and streams data in the sequence of arrival. Kinesis can do the job just fine because of its architecture. A Kinesis data stream is a set of shards that has a sequence of data records, and each data record has a sequence number that is assigned by Kinesis Data Streams. Kinesis can also easily handle the high volume of messages being sent to the service.

Answer 544

* using Amazon CloudFront with website as the custom origin and * using Amazon ElastiCache for the website's in-memory data store or cache. The global news website has a problem with latency considering that there are a lot of readers of the site from all parts of the globe. In this scenario, you can use a content delivery network (CDN) which is a geographically distributed group of servers which work together to provide fast delivery of Internet content. And since this is a news website, most of its data are read-only, which can be cached to improve the read throughput and avoid the repetitive requests from the server. In AWS, Amazon CloudFront is the global content delivery network (CDN) service that you can use and for web caching, Amazon ElastiCache is the suitable service. Hence, the correct answers here are using Amazon CloudFront with website as the custom origin and using Amazon ElastiCache for the website's in-memory data store or cache.

Answer 545

* Configure the S3 bucket policy to set all objects to public read * In S3, set the permissions of the object to public read during upload By default, all Amazon S3 resources such as buckets, objects, and related subresources are private which means that only the AWS account holder (resource owner) that created it has access to the resource. The resource owner can optionally grant access permissions to others by writing an access policy. In S3, you also set the permissions of the object during upload to make it public. Amazon S3 offers access policy options broadly categorized as resource-based policies and user policies. Access policies you attach to your resources (buckets and objects) are referred to as resource-based policies. For example, bucket policies and access control lists (ACLs) are resource-based policies. You can also attach access policies to users in your account. These are called user policies. You may choose to use resource-based policies, user policies, or some combination of these to manage permissions to your Amazon S3 resources. Configuring the ACL of the S3 bucket to set all objects to be publicly readable and writeable is incorrect as ACLs are primarily used to grant basic read/write permissions to AWS accounts and not suitable for providing public access over the Internet. Creating an IAM role to set the objects inside the S3 bucket to public read is incorrect. Although with IAM, you can create a user, group, or role that has certain permissions to the S3 bucket, it does not control the individual objects that are hosted in the bucket.

Answer 546

CloudWatch

Answer 547

Install CloudWatch monitoring scripts in the instances. Send custom metrics to CloudWatch which will trigger your Auto Scaling group to scale up. The premise of the scenario is that the EC2 servers have **high memory** usage, but since this specific metric is not tracked by the Auto Scaling group by default, the scaling up activity is not being triggered. Remember that by default, CloudWatch doesn't monitor memory usage but only the CPU utilization, Network utilization, Disk performance and Disk Reads/Writes. This is the reason why you have to install CloudWatch Monitoring Scripts in your EC2 instances to collect and monitor the custom metric (memory usage), which will be used by your Auto Scaling Group as a trigger for scaling activities.

Answer 548

Add Multi-factor authentication MFA to a user pool in Cognito to protect the identity of your users. You can add multi-factor authentication (MFA) to a user pool to protect the identity of your users. MFA adds a second authentication method that doesn't rely solely on user name and password. You can choose to use SMS text messages, or time-based one-time (TOTP) passwords as second factors in signing in your users. You can also use adaptive authentication with its risk-based model to predict when you might need another authentication factor. It's part of the user pool advanced security features, which also include protections against compromised credentials.

Answer 549

To be able to run SQL queries, use AWS Athena to analyze the export data file in S3 Amazon Athena is an interactive query service that makes it easy to analyze data directly in Amazon Simple Storage Service (Amazon S3) using standard SQL. With a few actions in the AWS Management Console, you can point Athena at your data stored in Amazon S3 and begin using standard SQL to run ad-hoc queries and get results in seconds. Athena is serverless, so there is no infrastructure to set up or manage, and you pay only for the queries you run. Athena scales automatically—executing queries in parallel—so results are fast, even with large datasets and complex queries. Athena helps you analyze unstructured, semi-structured, and structured data stored in Amazon S3. Examples include CSV, JSON, or columnar data formats such as Apache Parquet and Apache ORC. You can use Athena to run ad-hoc queries using ANSI SQL, without the need to aggregate or load the data into Athena. . You can use a cost-effective option (AWS Athena), which is a serverless service that enables you to pay only for the queries you run.

Answer 550

EFS In this question, you should take note of the two keywords/phrases: "file operation" and "allows concurrent connections from multiple EC2 instances". There are various AWS storage options that you can choose but whenever these criteria show up, always consider using EFS instead of using EBS Volumes which is mainly used as a "block" storage and can only have one connection to one EC2 instance at a time. Amazon EFS provides the scale and performance required for big data applications that require high throughput to compute nodes coupled with read-after-write consistency and low-latency file operations. EBS is incorrect because it does not allow concurrent connections from multiple EC2 instances hosted on multiple AZs and it does not store data redundantly across multiple AZs by default, unlike EFS. S3 is incorrect because although it can handle concurrent connections from multiple EC2 instances, it does not have the ability to provide low-latency file operations, which is required in this scenario.

Answer 551

Set up a new Amazon RDS Read Replica of the production database. Direct the Data Analytics team to query the production data from the replica. Amazon RDS Read Replicas provide enhanced performance and durability for database (DB) instances. This feature makes it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas can also be promoted when needed to become standalone DB instances. Read replicas are available in Amazon RDS for MySQL, MariaDB, Oracle and PostgreSQL, as well as Amazon Aurora. You can reduce the load on your source DB instance by routing read queries from your applications to the read replica. These replicas allow you to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. Because read replicas can be promoted to master status, they are useful as part of a sharding implementation. To shard your database, add a read replica and promote it to master status, then, from each of the resulting DB Instances, delete the data that belongs to the other shard.

Answer 552

S3 Select, Amazon Athena, Amazon Redshift Spectrum Amazon S3 allows you to run sophisticated Big Data analytics on your data without moving the data into a separate analytics system. In AWS, there is a suite of tools that make analyzing and processing large amounts of data in the cloud faster, including ways to optimize and integrate existing workflows with Amazon S3: 1. S3 Select Amazon S3 Select is designed to help analyze and process data within an object in Amazon S3 buckets, faster and cheaper. It works by providing the ability to retrieve a subset of data from an object in Amazon S3 using simple SQL expressions. Your applications no longer have to use compute resources to scan and filter the data from an object, potentially increasing query performance by up to 400%, and reducing query costs as much as 80%. You simply change your application to use SELECT instead of GET to take advantage of S3 Select. 2. Amazon Athena Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL expressions. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries you run. Athena is easy to use. Simply point to your data in Amazon S3, define the schema, and start querying using standard SQL expressions. Most results are delivered within seconds. With Athena, there’s no need for complex ETL jobs to prepare your data for analysis. This makes it easy for anyone with SQL skills to quickly analyze large-scale datasets. 3. Amazon Redshift Spectrum Amazon Redshift also includes Redshift Spectrum, allowing you to directly run SQL queries against exabytes of unstructured data in Amazon S3. No loading or transformation is required, and you can use open data formats, including Avro, CSV, Grok, ORC, Parquet, RCFile, RegexSerDe, SequenceFile, TextFile, and TSV. Redshift Spectrum automatically scales query compute capacity based on the data being retrieved, so queries against Amazon S3 run fast, regardless of data set size.

Answer 553

Amazon S3 Select is designed to help analyze and process data within an object in Amazon S3 buckets, faster and cheaper. It works by providing the ability to retrieve a subset of data from an object in Amazon S3 using simple SQL expressions. Your applications no longer have to use compute resources to scan and filter the data from an object, potentially increasing query performance by up to 400%, and reducing query costs as much as 80%. You simply change your application to use SELECT instead of GET to take advantage of S3 Select.

Answer 554

Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL expressions. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries you run. Athena is easy to use. Simply point to your data in Amazon S3, define the schema, and start querying using standard SQL expressions. Most results are delivered within seconds. With Athena, there’s no need for complex ETL jobs to prepare your data for analysis. This makes it easy for anyone with SQL skills to quickly analyze large-scale datasets.

Answer 555

Amazon Redshift also includes Redshift Spectrum, allowing you to directly run SQL queries against exabytes of unstructured data in Amazon S3. No loading or transformation is required, and you can use open data formats, including Avro, CSV, Grok, ORC, Parquet, RCFile, RegexSerDe, SequenceFile, TextFile, and TSV. Redshift Spectrum automatically scales query compute capacity based on the data being retrieved, so queries against Amazon S3 run fast, regardless of data set size.

Answer 556

data is automatically deleted = ephemeral storage

Answer 557

S3 Select With Amazon S3 Select, you can use simple structured query language (SQL) statements to filter the contents of Amazon S3 objects and retrieve just the subset of data that you need. By using Amazon S3 Select to filter this data, you can reduce the amount of data that Amazon S3 transfers, which reduces the cost and latency to retrieve this data. Redshift Spectrum is incorrect because although Amazon Redshift Spectrum provides a similar in-query functionality like S3 Select, this service is more suitable for querying your data from the Redshift external tables hosted in S3. The Redshift queries are run on your cluster resources against local disk. Redshift Spectrum queries run using per-query scale-out resources against data in S3 which can entail additional costs compared with S3 Select.

Answer 558

MQ Amazon MQ, Amazon SQS, and Amazon SNS are messaging services that are suitable for anyone from startups to enterprises. If you're using messaging with existing applications and want to move your messaging service to the cloud quickly and easily, it is recommended that you consider Amazon MQ. It supports industry-standard APIs and protocols so you can switch from any standards-based message broker to Amazon MQ without rewriting the messaging code in your applications.

Answer 559

EBS Amazon Web Services (AWS) offers cloud storage services to support a wide range of storage workloads such as Amazon S3, EFS and EBS. Amazon EFS is a file storage service for use with Amazon EC2. Amazon EFS provides a file system interface, file system access semantics (such as strong consistency and file locking), and concurrently-accessible storage for up to thousands of Amazon EC2 instances. Amazon S3 is an object storage service. Amazon S3 makes data available through an Internet API that can be accessed anywhere. Amazon EBS is a block-level storage service for use with Amazon EC2. Amazon EBS can deliver performance for workloads that require the lowest-latency access to data from a single EC2 instance. You can also increase EBS storage for up to 16TB or add new volumes for additional storage. In this scenario, the company is looking for a storage service which can provide the lowest-latency access to their data which will be fetched by a single m5ad.24xlarge Reserved EC2 instance. This type of workloads can be supported better by using either EFS or EBS but in this case, the latter is the most suitable storage service. As mentioned above, EBS provides the lowest-latency access to the data for your EC2 instance since the volume is directly attached to the instance. In addition, the scenario does not require concurrently-accessible storage since they only have one instance.

Answer 560

Amazon Storage Gateway AWS Storage Gateway connects an on-premises software appliance with cloud-based storage to provide seamless integration with data security features between your on-premises IT environment and the AWS storage infrastructure. You can use the service to store data in the AWS Cloud for scalable and cost-effective storage that helps maintain data security.

Answer 561

AWS Shield AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. _AWS WAF_ is incorrect because this is a web application firewall service that helps protect your web apps from common exploits that could affect app availability, compromise security, or consume excessive resources. Although this can help you against DDoS attacks, AWS WAF alone is not enough to fully protect your VPC. You still need to use AWS Shield in this scenario. _AWS Firewall Manager_ is incorrect because this just simplifies your AWS WAF administration and maintenance tasks across multiple accounts and resources. _Amazon GuardDuty_ is incorrect because this is just an intelligent threat detection service to protect your AWS accounts and workloads. Using this alone will not fully protect your AWS resources against DDoS attacks.

Answer 562

AWS Firewall Manager is a security management service which allows you to centrally configure and manage firewall rules across your accounts and applications

Answer 563

Web Application Firewall this is a web application firewall service that helps protect your web apps from common exploits that could affect app availability, compromise security, or consume excessive resources. Although this can help you against DDoS attacks, AWS WAF alone is not enough to fully protect your VPC. You still need to use AWS Shield in this scenario. A WAF or Web Application Firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection, among others.

Answer 564

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. ... GuardDuty analyzes tens of billions of events across multiple AWSdata sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs. = this is just an intelligent threat detection service to protect your AWS accounts and workloads.

Answer 565

Use DynamoDB Auto Scaling DynamoDB auto scaling uses the AWS Application Auto Scaling service to dynamically adjust provisioned throughput capacity on your behalf, in response to actual traffic patterns. This enables a table or a global secondary index to increase its provisioned read and write capacity to handle sudden increases in traffic, without throttling. When the workload decreases, Application Auto Scaling decreases the throughput so that you don't pay for unused provisioned capacity. “Adding the DynamoDB table to an Auto Scaling Group” is incorrect because you usually put EC2 instances on an Auto Scaling Group, and not a DynamoDB table.

Answer 566

S3… CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. A trail is a configuration that enables delivery of events to an Amazon S3 bucket that you specify.

Answer 567

Spot Instances You require an EC2 instance that is the most cost-effective among other types. In addition, the application it will host is designed to gracefully recover in case of instance failures. In terms of cost-effectiveness, Spot and Reserved instances are the top options. And since the application can gracefully recover from instance failures, the Spot instance is the best option for this case as it is the cheapest type of EC2 instance. Remember that when you use Spot Instances, there will be interruptions. Amazon EC2 can interrupt your Spot Instance when the Spot price exceeds your maximum price, when the demand for Spot Instances rise, or when the supply of Spot Instances decreases

Answer 568

Enable Amazon RDS Read Replicas Amazon RDS Read Replicas provide enhanced performance and durability for database (DB) instances. This feature makes it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas can also be promoted when needed to become standalone DB instances. Read replicas are available in Amazon RDS for MySQL, MariaDB, Oracle and PostgreSQL as well as Amazon Aurora.

Answer 569

Create an Origin Access Identity OAI for CloudFront and grant access to the objects in your S3 buckets to that OAI When you create or update a distribution in CloudFront, you can add an origin access identity (OAI) and automatically update the bucket policy to give the origin access identity permission to access your bucket. Alternatively, you can choose to manually change the bucket policy or change ACLs, which control permissions on individual objects in your bucket.

Answer 570

Amazon S3 for storing the application log files and Amazon Elastic MapReduce for processing the log files Amazon EMR is a managed cluster platform that simplifies running big data frameworks, such as Apache Hadoop and Apache Spark, on AWS to process and analyze vast amounts of data. By using these frameworks and related open-source projects such as Apache Hive and Apache Pig, you can process data for analytics purposes and business intelligence workloads. Additionally, you can use Amazon EMR to transform and move large amounts of data into and out of other AWS data stores and databases such as Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB.

Answer 571

CNAME Failover is automatically handled by Amazon RDS so that you can resume database operations as quickly as possible without administrative intervention. When failing over, Amazon RDS simply flips the canonical name record (CNAME) in Route53 for your DB instance to point at the standby, which in turn is promoted to become the new primary.

Answer 572

3 instances in each of the 3 availability zones = 9 instances in total The option that says: 6 instances in eu-west-1a, 6 instances in eu-west-1b, and no instances in eu-west-1c is incorrect because although it provides fault-tolerance, it is not the most cost-effective solution as compared with the options above. This solution has 12 running instances, unlike the correct answer which only has 9 instances.

Answer 573

Kinesis Amazon Kinesis makes it easy to collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information

Answer 574

First, look at the existing CloudWatch logs for keywords related to the application error to create a custom metric. Then, create a CloudWatch alarm for that custom metric which invokes an action to restart the EC2 instance. In this scenario, you can look at the existing CloudWatch logs for keywords related to the application error to create a custom metric. Then, create a CloudWatch alarm for that custom metric which invokes an action to restart the EC2 instance. You can create alarms that automatically stop, terminate, reboot, or recover your EC2 instances using Amazon CloudWatch alarm actions. You can use the stop or terminate actions to help you save money when you no longer need an instance to be running. You can use the reboot and recover actions to automatically reboot those instances or recover them onto new hardware if a system impairment occurs.

Answer 575

Use Lifecycle Policies

Answer 576

Store the audit logs in a Glacier vault and use the Vault Lock feature An Amazon S3 Glacier (Glacier) vault can have one resource-based vault access policy and one Vault Lock policy attached to it. A Vault Lock policy is a vault access policy that you can lock. Using a Vault Lock policy can help you enforce regulatory and compliance requirements. Amazon S3 Glacier provides a set of API operations for you to manage the Vault Lock policies.

Answer 577

Amazon Glacier Vault Lock allows you to easily deploy and enforce compliance controls on individual Glacier vaults via a lockable policy. You can specify controls such as “Write Once Read Many” (WORM) in a Vault Lock policy and lock the policy from future edits A Vault Lock policy is a vault access policy that you can lock. Using a Vault Lock policy can help you enforce regulatory and compliance requirements.

Answer 578

By using Lambda@Edge and Kinesis together, you can process real-time streaming data so that you can track and analyze globally-distributed user activity on your website and mobile applications, including clickstream analysis. Hence, the correct answer in this scenario is the option that says: Integrate CloudFront with Lambda@Edge in order to process the data in close geographical proximity to users and respond to user requests at low latencies. Process real-time streaming data using Kinesis and durably store the results to an Amazon S3 bucket.

Answer 579

The check on the EBS volume is still in progress Volume status checks are automated tests that run every 5 minutes and return a pass or fail status. You can view the results of volume status checks to identify any impaired volumes and take any necessary actions. If all checks pass, the status of the volume is **ok**. The option that says: All EBS Volume checks have been completed is therefore incorrect. If a check fails, the status of the volume is **impaired**. The option that says: All EBS Volume checks have failed is therefore incorrect. If the volume is severely degraded or the volume performance is well below expectations, then the status is **warning**. The option that says: The EBS Volume is severely degraded or the volume performance is well below expectations is therefore incorrect. If the status is **insufficient-data**, the checks may still be in progress on the volume. The option that says: The check on the EBS volume is still in progress is therefore correct.

Answer 580

AWS Global Accelerator AWS Global Accelerator and Amazon CloudFront are separate services that use the AWS global network and its edge locations around the world. CloudFront improves performance for both cacheable content (such as images and videos) and dynamic content (such as API acceleration and dynamic site delivery). Global Accelerator improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions. Global Accelerator is a good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP, as well as for HTTP use cases that specifically require static IP addresses or deterministic, fast regional failover. Both services integrate with AWS Shield for DDoS protection.

Answer 581

AWS Global Accelerator is a service that improves the availability and performance of your applications with local or global users. ... AWS Global Accelerator continually monitors the health of your application endpoints and will detect an unhealthy endpoint and redirect traffic to healthy endpoints in less than 1 minute.

Answer 582

Amazon SWF provides useful guarantees around task assignment. It ensures that a task is never duplicated and is assigned only once. Thus, even though you may have multiple workers for a particular activity type (or a number of instances of a decider), Amazon SWF will give a specific task to only one worker (or one decider instance). Additionally, Amazon SWF keeps at most one decision task outstanding at a time for a workflow execution. Thus, you can run multiple decider instances without worrying about two instances operating on the same execution simultaneously. These facilities enable you to coordinate your workflow without worrying about duplicate, lost, or conflicting tasks.

Answer 583

The DNS resolution and DNS hostname of the VPC configuration has not been enabled yet. When you launch an EC2 instance into a default VPC, AWS provides it with public and private DNS hostnames that correspond to the public IPv4 and private IPv4 addresses for the instance. However, when you launch an instance into a non-default VPC, AWS provides the instance with a private DNS hostname only. New instances will only be provided with public DNS hostname depending on these two DNS attributes: the DNS resolutionand DNS hostnames, that you have specified for your VPC, and if your instance has a public IPv4 address. In this case, the new EC2 instance does not automatically get a DNS hostname because the DNS resolution and DNS hostnames attributes are disabled in the newly created VPC.

Answer 584

create a new launch configuration with the new instance type and update the Auto Scaling Group. You can only specify one launch configuration for an Auto Scaling group at a time, and you can't modify a launch configuration after you've created it. Therefore, if you want to change the launch configuration for an Auto Scaling group, you must create a launch configuration and then update your Auto Scaling group with the new launch configuration.

Answer 585

Lightweight Directory Access Protocol (LDAP).... Lightweight Directory Access Protocol (LDAP) is a directory service that is based on Directory Access Protocol (DAP). ... … LDAP directory servers are often used as an authentication repository, and are often used to store sensitive information like passwords and other account details. As such, security is an important aspect of most directory servers.

Answer 586

Enable DynamoDB Streams to capture table activity and automatically trigger the Lambda function.. Amazon DynamoDB is integrated with AWS Lambda so that you can create triggers—pieces of code that automatically respond to events in DynamoDB Streams. With triggers, you can build applications that react to data modifications in DynamoDB tables. If you enable DynamoDB Streams on a table, you can associate the stream ARN with a Lambda function that you write. Immediately after an item in the table is modified, a new record appears in the table's stream. AWS Lambda polls the stream and invokes your Lambda function synchronously when it detects new stream records.

Answer 587

It is because Simple WorkFlow (SWF) is waiting human input from an activity task By default, each workflow execution can run for a maximum of 1 year in Amazon SWF. This means that it is possible that in your workflow, there are some tasks which require manual action that renders it idle. As a result, some orders get stuck for almost 4 weeks. Amazon SWF does not take any special action if a workflow execution is idle for an extended period of time. Idle executions are subject to the timeouts that you configure. For example, if you have set the maximum duration for an execution to be 1 day, then an idle execution will be timed out if it exceeds the 1 day limit. Idle executions are also subject to the Amazon SWF limit on how long an execution can run (1 year).

Answer 588

Enable Cross-Region Snapshots in your Amazon Redshift Cluster You can configure Amazon Redshift to copy snapshots for a cluster to another region. To configure cross-region snapshot copy, you need to enable this copy feature for each cluster and configure where to copy snapshots and how long to keep copied automated snapshots in the destination region. When cross-region copy is enabled for a cluster, all new manual and automatic snapshots are copied to the specified region

Answer 589

AWS CloudFormation

Answer 590

Configure Connection Draining To ensure that a Classic Load Balancer stops sending requests to instances that are de-registering or unhealthy while keeping the existing connections open, use connection draining. This enables the load balancer to complete in-flight requests made to instances that are de-registering or unhealthy. Hence, configuring Connection Draining is the correct answer.

Answer 591

Using sticky sessions (session affinity) configures a load balancer to bind user sessions to a specific instance, so all requests from a user during a session are sent to the same instance

Answer 592

When Connection Draining is enabled, Auto Scaling will wait for outstanding requests to complete before terminating instances. related to load balancers

Answer 593

AWS Step Functions.. AWS Step Functions provides serverless orchestration for modern applications. Orchestration centrally manages a workflow by breaking it into multiple steps, adding flow logic, and tracking the inputs and outputs between the steps. As your applications execute, Step Functions maintains application state, tracking exactly which workflow step your application is in, and stores an event log of data that is passed between application components. That means that if networks fail or components hang, your application can pick up right where it left off. (AWS Lambda is incorrect because although Lambda is used for serverless computing, it does not provide a direct way to coordinate multiple AWS services into serverless workflows.)

Answer 594

AWS Step Functions lets you coordinate multiple AWS services into serverless workflows so you can build and update apps quickly. Using Step Functions, you can design and run workflows that stitch together services such as AWS Lambda and Amazon ECS into feature-rich applications You can use Step Functions to coordinate all of the steps of a checkout process on an ecommerce site, for example.

Answer 595

* OS Processes * RDS child processes OS processes – Shows a summary of the kernel and system processes, which generally have minimal impact on performance. Amazon RDS provides metrics in real time for the operating system (OS) that your DB instance runs on. You can view the metrics for your DB instance using the console, or consume the Enhanced Monitoring JSON output from CloudWatch Logs in a monitoring system of your choice. RDS child processes – Shows a summary of the RDS processes that support the DB instance, for example aurora for Amazon Aurora DB clusters and mysqld for MySQL DB instances. Process threads appear nested beneath the parent process. Process threads show CPU utilization only as other metrics are the same for all threads for the process. The console displays a maximum of 100 processes and threads. The results are a combination of the top CPU consuming and memory consuming processes and threads. If there are more than 50 processes and more than 50 threads, the console displays the top 50 consumers in each category. This display helps you identify which processes are having the greatest impact on performance. RDS processes – Shows a summary of the resources used by the RDS management agent, diagnostics monitoring processes, and other AWS processes that are required to support RDS DB instances.

Answer 596

Attach an Elastic Fabric Adapter EFA on each Amazon EC23 instance to accelerate High Performance Computing HPC An Elastic Fabric Adapter (EFA) is a network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications. EFA enables you to achieve the application performance of an on-premises HPC cluster, with the scalability, flexibility, and elasticity provided by the AWS Cloud. EFA provides lower and more consistent latency and higher throughput than the TCP transport traditionally used in cloud-based HPC systems. It enhances the performance of inter-instance communication that is critical for scaling HPC and machine learning applications. It is optimized to work on the existing AWS network infrastructure and it can scale depending on application requirements.

Answer 597

Deploy a NAT gateway in the public subnet and add a route to it from the private subnet where the web and application tiers are hosted.

Answer 598

the instance will be terminated You can choose to have your Spot instances terminated, stopped, or hibernated upon interruption. Stop and hibernate options are available for persistent Spot requests and Spot Fleets with the maintain option enabled. By default, your instances are terminated hence, the correct answer is the option that says: The instance will be terminated.

Answer 599

* AWS Certificate Manager * IAM Certificate Store If you got your certificate from a third-party CA, import the certificate into ACM or upload it to the IAM certificate store. Hence, **AWS Certificate Manager** and **IAM certificate store** are the correct answers.

Answer 600

Amazon Certificate Manager ACM lets you import third-party certificates from the ACM console, as well as programmatically. If ACM is not available in your region, use AWS CLI to upload your third-party certificate to the IAM certificate store.

Answer 601

= Access Control List

Answer 602

= Application Load Balancer

Answer 603

Amazon Machine Image An AMI is really just a template document that contains information telling EC2 what OS and application software to include on the root data volume of the instance it’s about to launch.

Answer 604

Availability Zone

Answer 605

= Classless Interdomain Routing

Answer 606

= Command Line Interface

Answer 607

= Cross Region Replication

Answer 608

= DynamoDB Accelerator

Answer 609

= Data Lifecycle Manager

Answer 610

= Domain Name System

Answer 611

Elastic Block Storage

Answer 612

= Elastic Compute Cloud

Answer 613

= Elastic Container Service

Answer 614

= Elastic File System

Answer 615

= Elastic Internet Protocol (IP)

Answer 616

Elastic MapReduce

Answer 617

= Elastic Network Interface

Answer 618

File Transfer Protocol

Answer 619

= High Availability

Answer 620

= Hardware Virtual Machine

Answer 621

= Infrequently Accessed

Answer 622

= Identity Access Management

Answer 623

= Input/Output Operations Per Second

Answer 624

= Key Management Service

Answer 625

= Lightweight Directory Access Protocol

Answer 626

= Massively Parallel Processing

Answer 627

= Network Access Control List

Answer 628

= Network Address Translation

Answer 629

= Network File System

Answer 630

= Network Load Balancer

Answer 631

= Online Analytical Processing

Answer 632

= Online Transaction Processing

Answer 633

= Port Address Translation

Answer 634

= Provisioned Capacity Unit

Answer 635

= Remote Desktop Protocol

Answer 636

= Relational Database Service

Answer 637

= Representational State Transfer

Answer 638

= Route Origin Authorization

Answer 639

= Real Time Messaging Protocol

Answer 640

= Simple Storage Service

Answer 641

= Security Assertion Markup Language

Answer 642

= Software Development Kit

Answer 643

= Simple Email Service

Answer 644

= Service Level Agreement

Answer 645

= Server Message Block

Answer 646

= Simple Notification Service

Answer 647

= Start of Authority

Answer 648

= Simple Queue Service

Answer 649

= Same Region Replication

Answer 650

= Server Side Encryption

Answer 651

= Secure Shell

Answer 652

= Single Sign On

Answer 653

= Simple Workflow Service

Answer 654

= Transmission Control Protocol

Answer 655

= Time To Live

Answer 656

= Virtual Private Cloud

Answer 657

= Virtual Tape Library

Answer 658

= Virtual Tape Shelf

Answer 659

= Workload Management

Answer 660

You are limited to running up to a total of 20 On-Demand instances across the instance family, purchasing 20 Reserved Instances, and requesting Spot Instances per your dynamic Spot limit per region. If the maximum size of your Auto Scaling group has already been reached, then it would not create any new EC2 instance. Hence, the correct answers are: - You already have 20 on-demand instances running in your entire VPC. - The maximum size of your Auto Scaling group is set to twenty.

Answer 661

Configure the lifecycle configuration rules on the Amazon S3 bucket to purge/delete the transaction logs after a month

Answer 662

Create a new VPC peering connection between PROD and DEV with the appropriate routes. A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately. AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection and does not rely on a separate piece of physical hardware. There is no single point of failure for communication or a bandwidth bottleneck.

Answer 663

* you will be billed when your Reserved Instance is in terminated state * you will be billed when your on demand instance is preparing to hibernate with a stopping state

Answer 664

Amazon S3 Transfer Acceleration Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and your Amazon S3 bucket. Transfer Acceleration leverages Amazon CloudFront’s globally distributed AWS Edge Locations. As data arrives at an AWS Edge Location, data is routed to your Amazon S3 bucket over an optimized network path.

Answer 665

* Invocations * DeadLetterErrors AWS Lambda automatically monitors functions on your behalf, reporting metrics through Amazon CloudWatch. These metrics include total invocation requests, latency, and error rates. The throttles, Dead Letter Queues errors and Iterator age for stream-based invocations are also monitored. ReservedConcurrentExecutions is incorrect because CloudWatch does not monitor Lambda's reserved concurrent executions. You can view it through the Lambda console or via CLI manually. IteratorSize and ApproximateAgeOfOldestMessage are incorrect because these two are not Lambda metrics.

Answer 666

the action of invoking someone or something...An example of invocation is when you turn to an authority for help in proving your point, invoking or relying on the authority.

Answer 667

ReservedConcurrentExecutions. The number of concurrent executions that are reserved for this function.

Answer 668

Limits to how often you can submit requests. Throttling is the process of limiting the number of requests you (or your authorized developer) can submit to a given operation in a given amount of time.

Answer 669

Amazon S3 for storing ELB log files and Amazon EMR for analyzing the log files… ----Access logging is an optional feature of Elastic Load Balancing that is disabled by default. After you enable access logging for your load balancer, Elastic Load Balancing captures the logs and stores them in the Amazon S3 bucket that you specify as compressed files. You can disable access logging at any time. Amazon EMR provides a managed Hadoop framework that makes it easy, fast, and cost-effective to process vast amounts of data across dynamically scalable Amazon EC2 instances. It securely and reliably handles a broad set of big data use cases, including log analysis, web indexing, data transformations (ETL), machine learning, financial analysis, scientific simulation, and bioinformatics. You can also run other popular distributed frameworks such as Apache Spark, HBase, Presto, and Flink in Amazon EMR, and interact with data in other AWS data stores such as Amazon S3 and Amazon DynamoDB.

Answer 670

Create a new launch configuration For this scenario, you have to create a new launch configuration. Remember that you can't modify a launch configuration after you've created it. A launch configuration is a template that an Auto Scaling group uses to launch EC2 instances. When you create a launch configuration, you specify information for the instances such as the ID of the Amazon Machine Image (AMI), the instance type, a key pair, one or more security groups, and a block device mapping. You can specify your launch configuration with multiple Auto Scaling groups. However, you can only specify one launch configuration for an Auto Scaling group at a time, and you can't modify a launch configuration after you've created it. Therefore, if you want to change the launch configuration for an Auto Scaling group, you must create a launch configuration and then update your Auto Scaling group with the new launch configuration.

Answer 671

Amazon S3 Objects… Remember that the scenario requires a durable storage for static content. These two keywords are actually referring to S3, since it is highly durable and suitable for storing static content.

Answer 672

The best option to take is to deploy four EC2 instances in one Availability Zone and four in another availability zone in the same region behind an Amazon Elastic Load Balancer. In this way, if one availability zone goes down, there is still another available zone that can accommodate traffic. Take note that Auto Scaling will launch additional EC2 instances to the remaining Availability Zone/s in the event of an Availability Zone outage in the region.

Answer 673

* enable Amazon S3 Server-side or use Client-side encryption * enable EBS encryption Enabling EBS Encryption and enabling Amazon S3 Server-Side or use Client-Side Encryption are correct. Amazon EBS encryption offers a simple encryption solution for your EBS volumes without the need to build, maintain, and secure your own key management infrastructure.

Answer 674

Cross-Zone Load Balancing is disabled

Answer 675

5 GB Remember that the upload limit depends on whether you upload an object using a single PUT operation or via Multipart Upload. The largest object that can be uploaded in a single PUT is 5 GB. Please take note the phrase "... in a single PUT". If you are using the multipart upload API, then the limit is 5 TB.

Answer 676

5 TB… Remember that the upload limit depends on whether you upload an object using a single PUT operation or via Multipart Upload. The largest object that can be uploaded in a single PUT is 5 GB. Please take note the phrase "... in a single PUT". If you are using the multipart upload API, then the limit is 5 TB.

Answer 677

Use LifeCycle Policies in S3 to move obsolete data to Glacier

Answer 678

Associate an Elastic IP address to the fifth EC2 instance. Associating an Elastic IP address to the fifth EC2 instance is correct because the fifth instance does not have a public IP address since it was deployed on a nondefault subnet. The other 4 instances are accessible over the Internet because they each have an Elastic IP address attached, unlike the last instance which only has a private IP address. An Elastic IP address is a public IPv4 address, which is reachable from the Internet. If your instance does not have a public IPv4 address, you can associate an Elastic IP address with your instance to enable communication with the Internet.

Answer 679

Placement Groups You can launch EC2 instances in a placement group, which determines how instances are placed on underlying hardware. When you create a placement group, you specify one of the following strategies for the group: Cluster - clusters instances into a low-latency group in a single Availability Zone Spread - spreads instances across underlying hardware

Answer 680

Placement Groups are logical groupings or clusters of instances in the selected AWS region. Placement groups are specifically used for launching cluster compute instance types. ( e.g. cc2.8xlarge) Cluster Compute Instances provide a large amount of CPU.

Answer 681

A Spread Placement group is a group of instances that are each placed on distinct underlying hardware. Reduces the risk of simultaneous failures that might occur when instances share the same underlying hardware.

Answer 682

Cluster Placement Group is a logical grouping of instances within a single Availability Zone. don't span across Availability Zones. recommended for applications that benefits from low network latency, high network throughput, or both

Answer 683

it will be allowed Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it's applied immediately regardless of any higher-numbered rule that may contradict it. We have 3 rules here: 1. Rule 100 permits all traffic from any source. 2. Rule 101 denies all traffic coming from 110.238.109.37 3. The Default Rule (\*) denies all traffic from any source. The Rule 100 will first be evaluated. If there is a match, then it will allow the request. Otherwise, it will then go to Rule 101 to repeat the same process until it goes to the default rule. In this case, when there is a request from 110.238.109.37, it will go through Rule 100 first. As Rule 100 says it will permit all traffic from any source, it will allow this request and will not further evaluate Rule 101 (which denies 110.238.109.37) nor the default rule.

Answer 684

Use the built-in Reader endpoint of the Amazon Aurora database A reader endpoint for an Aurora DB cluster provides load-balancing support for read-only connections to the DB cluster. Use the reader endpoint for read operations, such as queries. By processing those statements on the read-only Aurora Replicas, this endpoint reduces the overhead on the primary instance. It also helps the cluster to scale the capacity to handle simultaneous SELECT queries, proportional to the number of Aurora Replicas in the cluster. Each Aurora DB cluster has one reader endpoint.

Answer 685

* Each subnet maps to a single AZ A VPC spans all the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone. Each subnet must reside entirely within one Availability Zone and cannot span zones * Every subnet that you create is automatically associated with the main route table for the VPC

Answer 686

allowed vlock size in VPC is between a/16 netmask (65,536 IP addresses) and /28 netmask (16 IP addresses)...

Answer 687

Removes one of more ingress rules from a security group...

Answer 688

Create a new IAM group and then add the users that require access to the S3 bucket. Afterwards, apply the policy to IAM group. = . This will enable you to easily add, remove, and manage the users instead of manually adding a policy to each and every 100 IAM users.

Answer 689

_Use S3 pre-signed URLs to ensure that only their client can access the files. Remove permission to use Amazon S3 URLs to read the files for anyone else is correct_ because using a presigned URL to your S3 bucket will prevent other users from accessing your private data which is intended only for a certain client. The option that says: Use CloudFront Signed Cookies to ensure that only their client can access the files is incorrect because the signed cookies feature is primarily used if you want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers' area of website. In addition, this solution is not complete since the users can bypass the restrictions by simply using the direct S3 URLs. The option that says: Use CloudFront signed URLs to ensure that only their client can access the files is incorrect because although this solution is valid, the users can still bypass the restrictions in CloudFront by simply connecting to the direct S3 URLs.

Answer 690

Store a snapshot of the volume.. You can back up the data on your Amazon EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved. When you no longer need an Amazon EBS volume, you can delete it. After deletion, its data is gone and the volume can't be attached to any instance. However, before deletion, you can store a snapshot of the volume, which you can use to re-create the volume later.

Answer 691

Configure the Security Group of the EC2 instance to permit ingress traffic over port 22 from your IP.. =\> When connecting to your EC2 instance via SSH, you need to ensure that port 22 is allowed on the security group of your EC2 instance. A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group.

Answer 692

* It provides elasticity to your Amazon RDS database * Improves performance of the primary database by taking workload from it Amazon RDS Read Replicas provide enhanced performance and durability for database (DB) instances. This feature makes it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas can also be promoted when needed to become standalone DB instances. Read replicas are available in Amazon RDS for MySQL, MariaDB, Oracle and PostgreSQL, as well as Amazon Aurora.

Answer 693

AWS Elastic Beanstalk = With Elastic Beanstalk, you can quickly deploy and manage applications in the AWS Cloud without worrying about the infrastructure that runs those applications. AWS Elastic Beanstalk reduces management complexity without restricting choice or control. You simply upload your application, and Elastic Beanstalk automatically handles the details of capacity provisioning, load balancing, scaling, and application health monitoring.

Answer 694

CloudFormation templates are free but you are charged for the underlying resources it builds

Answer 695

DynamoDB Basically, a database service in which you no longer need to worry about database management tasks such as hardware or software provisioning, setup and configuration is called a fully managed database. This means that AWS fully manages all of the database management tasks and the underlying host server. The main differentiator here is the keyword "scaling" in the question. In RDS, you still have to manually scale up your resources and create Read Replicas to improve scalability while in DynamoDB, this is automatically done. DynamoDB is the best option to use in this scenario. It is a fully managed non-relational database service – you simply create a database table, set your target utilization for Auto Scaling, and let the service handle the rest. (Redshift is incorrect because although this is fully managed, it is not a database service but a Data Warehouse.)

Answer 696

EBS Provisioned IOPS SSD (io1) The scenario requires a storage type for a relational database with a high IOPS performance. For these scenarios, SSD volumes are more suitable to use instead of HDD volumes. Remember that the dominant performance attribute of SSD is IOPS while HDD is Throughput.

Answer 697

* Purchase provisioned retrieval capacity * Use Expedited Retrieval to access the financial data Expedited retrievals allow you to quickly access your data when occasional urgent requests for a subset of archives are required. For all but the largest archives (250 MB+), data accessed using Expedited retrievals are typically made available within 1–5 minutes. Provisioned Capacity ensures that retrieval capacity for Expedited retrievals is available when you need it. Provisioned capacity ensures that your retrieval capacity for expedited retrievals is available when you need it. Each unit of capacity provides that at least three expedited retrievals can be performed every five minutes and provides up to 150 MB/s of retrieval throughput. You should purchase provisioned retrieval capacity if your workload requires highly reliable and predictable access to a subset of your data in minutes.

Answer 698

Expedited retrievals allow you to quickly access your data when occasional urgent requests for a subset of archives are required. For all but the largest archives (250 MB+), data accessed using Expedited retrievals are typically made available within 1–5 minutes. Provisioned Capacity ensures that retrieval capacity for Expedited retrievals is available when you need it.

Answer 699

Use Multipart upload

Answer 700

If your VPC does not have sufficient ENIs or subnet IPs, your Lambda function will not scale as requests increase, and you will see an increase in invocation errors with EC2 error types like EC2ThrottledException. Hence, the correct answers for this scenario are: You only specified one subnet in your Lambda function configuration. That single subnet runs out of available IP addresses and there is no other subnet or Availability Zone which can handle the peak load. Your VPC does not have sufficient subnet ENIs or subnet IPs.

Answer 701

* Managing a multi-step and multi-decision checkout process of an e-commerce mobile app. * Orchestrating the execution of distributed business processes

Answer 702

Amazon Kinesis Data Firehose Amazon Kinesis Data Firehose is the easiest way to load streaming data into data stores and analytics tools. It can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk, enabling near real-time analytics with existing business intelligence tools and dashboards you are already using today.

Answer 703

the relation is that there is no relations as they are incompatible. they cannot work together.

Answer 704

* Enable DynamoDB Accelerator (DAX) and ensure that the Auto Scaling is enabled and increase the maximum provisioned read and write capacity * Use API Gateway in conjunction with Lambda and turn on the cachin on frequently accessed data and enable DynamoDB global replication

Answer 705

Amazon DynamoDB and AWS AppSync DynamoDB is durable, scalable, and highly available data store which can be used for real-time tabulation. You can also use AppSync with DynamoDB to make it easy for you to build collaborative apps that keep shared data updated in real time. You just specify the data for your app with simple code statements and AWS AppSync manages everything needed to keep the app data updated in real time. This will allow your app to access data in Amazon DynamoDB, trigger AWS Lambda functions, or run Amazon Elasticsearch queries and combine data from these services to provide the exact data you need for your app.

Answer 706

24 The time period from when a record is added to when it is no longer accessible is called the retention period. A Kinesis data stream stores records from 24 hours by default to a maximum of 168 hours.

Answer 707

The answer is No. The standby instance will not perform any read and write operations while the primary instance is running.

Answer 708

Security Group Inbound Rule; Protocol - TCP, Port Range - 22, Source 175.45.116.100/32 * SSH = with TCP * Security group as security groups act on INSTANCE level * When setting up a bastion host in AWS, you should only allow the individual IP of the client and not the entire network. Therefore, in the Source, the proper CIDR notation should be used. The /32 denotes one IP address and the /0 refers to the entire network.

Answer 709

There is a soft limit of 20 instances per region which is why subsequent requests failed. Just submit the limit increase form to AWS and retry the failed requests once approved.

Answer 710

It tells the decider the state of the workflow execution Amazon SWF issues decision tasks whenever a workflow execution has transitions such as an activity task completing or timing out. A decision task contains information on the inputs, outputs, and current state of previously initiated activity tasks. Your decider uses this data to decide the next steps, including any new activity tasks, and returns those to Amazon SWF. Amazon SWF in turn enacts these decisions, initiating new activity tasks where appropriate and monitoring them.

Answer 711

it tells the worker to perform a function

Answer 712

Use this failover configuration when you want all of your resources to be available the majority of the time. When a resource becomes unavailable, Route 53 can detect that it's unhealthy and stop including it when responding to queries. In active-active failover, all the records that have the same name, the same type (such as A or AAAA), and the same routing policy (such as weighted or latency) are active unless Route 53 considers them unhealthy. Route 53 can respond to a DNS query using any healthy record.

Answer 713

Use an active-passive failover configuration when you want a primary resource or group of resources to be available the majority of the time and you want a secondary resource or group of resources to be on standby in case all the primary resources become unavailable. When responding to queries, Route 53 includes only the healthy primary resources. If all the primary resources are unhealthy, Route 53 begins to include only the healthy secondary resources in response to DNS queries.

Answer 714

AWS Fargate AWS Fargate is a serverless compute engine for containers that works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS). Fargate makes it easy for you to focus on building your applications. Fargate removes the need to provision and manage servers, lets you specify and pay for resources per application, and improves security through application isolation by design.

Answer 715

AWS CloudTrail AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure

Answer 716

Set up a small EC2 instance and a security group which only allows access on port 22 via your IP address

Answer 717

Redshift In this scenario, there is a requirement to have a storage service which will be used by a business intelligence application and where the data must be stored in a columnar fashion. Business Intelligence reporting systems is a type of Online Analytical Processing (OLAP) which Redshift is known to support. In addition, Redshift also provides columnar storage unlike the other options. Hence, the correct answer in this scenario is Amazon Redshift.

Answer 718

* All data on the attached instance-store devices will be lost * the underlying host for the instance is possibly changed This question did not mention the specific type of EC2 instance however, it says that it will be stopped and started. Since only EBS-backed instances can be stopped and restarted, it is implied that the instance is EBS-backed. Remember that an instance store-backed instance can only be rebooted or terminated and its data will be erased if the EC2 instance is terminated. If you stopped an EBS-backed EC2 instance, the volume is preserved but the data in any attached Instance store volumes will be erased. Keep in mind that an EC2 instance has an underlying physical host computer. If the instance is stopped, AWS usually moves the instance to a new host computer. Your instance may stay on the same host computer if there are no problems with the host computer. In addition, its Elastic IP address is disassociated from the instance if it is an EC2-Classic instance. Otherwise, if it is an EC2-VPC instance, the Elastic IP address remains associated.

Answer 719

Use an SQS queue to decouple the application components