Ch14 Best Practices Flashcards
When designing a loosely coupled system, which AWS services provide an intermediate
durable storage layer between components? (Choose 2 answers)
A. Amazon CloudFront
B. Amazon Kinesis
C. Amazon Route 53
D. AWS CloudFormation
E. Amazon Simple Queue Service (Amazon SQS)
B, E. Amazon Kinesis is a platform for streaming data on AWS, offering powerful services
to make it easy to load and analyze streaming data. Amazon SQS is a fast, reliable,
scalable, and fully managed message queuing service. Amazon SQS makes it simple and
cost-effective to decouple the components of a cloud application.
Which of the following options will help increase the availability of a web server farm?
(Choose 2 answers)
A. Use Amazon CloudFront to deliver content to the end users with low latency and
high data transfer speeds.
B. Launch the web server instances across multiple Availability Zones.
C. Leverage Auto Scaling to recover from failed instances.
D. Deploy the instances in an Amazon Virtual Private Cloud (Amazon VPC).
E. Add more CPU and RAM to each instance.
B, C. Launching instances across multiple Availability Zones helps ensure the application
is isolated from failures in a single Availability Zone, allowing the application to achieve
higher availability. Whether you are running one Amazon EC2 instance or thousands,
you can use Auto Scaling to detect impaired Amazon EC2 instances and unhealthy
applications and replace the instances without your intervention. This ensures that your
application is getting the compute capacity that you expect, thereby maintaining your
availability.
Which of the following AWS Cloud services are designed according to the Multi-AZ
principle? (Choose 2 answers)
A. Amazon DynamoDB
B. Amazon ElastiCache
C. Elastic Load Balancing
D. Amazon Virtual Private Cloud (Amazon VPC)
E. Amazon Simple Storage Service (Amazon S3)
A, E. Amazon DynamoDB runs across AWS proven, high-availability data centers. The
service replicates data across three facilities in an AWS region to provide fault tolerance
in the event of a server failure or Availability Zone outage. Amazon S3 provides durable
infrastructure to store important data and is designed for durability of 99.999999999% of
objects. Your data is redundantly stored across multiple facilities and multiple devices in
each facility. While Elastic Load Balancing and Amazon ElastiCache can be deployed
across multiple Availability Zones, you must explicitly take such steps when creating
them.
Your e-commerce site was designed to be stateless and currently runs on a fleet of
Amazon Elastic Compute Cloud (Amazon EC2) instances. In an effort to control cost and
increase availability, you have a requirement to scale the fleet based on CPU and network
utilization to match the demand curve for your site. What services do you need to meet
this requirement? (Choose 2 answers)
A. Amazon CloudWatch
B. Amazon DynamoDB
C. Elastic Load Balancing
D. Auto Scaling
E. Amazon Simple Storage Service (Amazon S3)
A, D. Auto Scaling enables you to follow the demand curve for your applications closely,
reducing the need to provision Amazon EC2 capacity manually in advance. For example,
you can set a condition to add new Amazon EC2 instances in increments to the Auto
Scaling group when the average CPU and network utilization of your Amazon EC2 fleet
monitored in Amazon CloudWatch is high; similarly, you can set a condition to remove
instances in the same increments when CPU and network utilization are low.
Your compliance department has mandated a new requirement that all data on Amazon Elastic Block Storage (Amazon EBS) volumes must be encrypted. Which of the following
steps would you follow for your existing Amazon EBS volumes to comply with the new
requirement? (Choose 3 answers)
A. Move the existing Amazon EBS volume into an Amazon Virtual Private Cloud
(Amazon VPC).
B. Create a new Amazon EBS volume with encryption enabled.
C. Modify the existing Amazon EBS volume properties to enable encryption.
D. Attach an Amazon EBS volume with encryption enabled to the instance that hosts
the data, then migrate the data to the encryption-enabled Amazon EBS volume.
E. Copy the data from the unencrypted Amazon EBS volume to the Amazon EBS
volume with encryption enabled.
B, D, E. There is no direct way to encrypt an existing unencrypted volume. However, you
can migrate data between encrypted and unencrypted volumes.
Your e-commerce application provides daily and ad hoc reporting to various business
units on customer purchases. This is resulting in an extremely high level of read traffic
to your MySQL Amazon Relational Database Service (Amazon RDS) instance. What can
you do to scale up read traffic without impacting your database’s performance?
A. Increase the allocated storage for the Amazon RDS instance.
B. Modify the Amazon RDS instance to be a Multi-AZ deployment.
C. Create a read replica for an Amazon RDS instance.
D. Change the Amazon RDS instance DB engine version
A, C, D. The attack surface is composed of the different Internet entry points that allow
access to your application. The strategy to minimize the attack surface area is to (a)
reduce the number of necessary Internet entry points, (b) eliminate non-critical Internet
entry points, (c) separate end user traffic from management traffic, (d) obfuscate
necessary Internet entry points to the level that untrusted end users cannot access them,
and (e) decouple Internet entry points to minimize the effects of attacks. This strategy
can be accomplished with Amazon VPC.
Your website is hosted on a fleet of web servers that are load balanced across multiple
Availability Zones using an Elastic Load Balancer (ELB). What type of record set in
Amazon Route 53 can be used to point myawesomeapp.com to your website?
A. Type A Alias resource record set
B. MX record set
C. TXT record set
D. CNAME record set
C. Amazon RDS read replicas provide enhanced performance and durability for Amazon
RDS instances. This replication feature makes it easy to scale out elastically beyond the
capacity constraints of a single Amazon RDS instance for read-heavy database workloads.
You can create one or more replicas of a given source Amazon RDS instance and serve
high-volume application read traffic from multiple copies of your data, thereby
increasing aggregate read throughput.
Your website is hosted on a fleet of web servers that are load balanced across multiple
Availability Zones using an Elastic Load Balancer (ELB). What type of record set in
Amazon Route 53 can be used to point myawesomeapp.com to your website?
A. Type A Alias resource record set
B. MX record set
C. TXT record set
D. CNAME record set
A. An alias resource record set can point to an ELB. You cannot create a CNAME record at the top node of a Domain Name Service (DNS) namespace, also known as the zone
apex, as the case in this example. Alias resource record sets can save you time because
Amazon Route 53 automatically recognizes changes in the resource record sets to which
the alias resource record set refers.
You need a secure way to distribute your AWS credentials to an application running on
Amazon Elastic Compute Cloud (Amazon EC2) instances in order to accesssupplementary AWS Cloud services. What approach provides your application access to
use short-term credentials for signing requests while protecting those credentials from
other users?
A. Add your credentials to the UserData parameter of each Amazon EC2 instance.
B. Use a configuration file to store your access and secret keys on the Amazon EC2
instances.
C. Specify your access and secret keys directly in your application.
D. Provision the Amazon EC2 instances with an instance profile that has the
appropriate privileges.
D. An instance profile is a container for an AWS Identity and Access Management (IAM)
role that you can use to pass role information to an Amazon EC2 instance when the
instance starts. The IAM role should have a policy attached that only allows access to the
AWS Cloud services necessary to perform its function.
You are running a suite of microservices on AWS Lambda that provide the business logic
and access to data stored in Amazon DynamoDB for your task management system. You
need to create well-defined RESTful Application Program Interfaces (APIs) for these
microservices that will scale with traffic to support a new mobile application. What AWS
Cloud service can you use to create the necessary RESTful APIs?
A. Amazon Kinesis
B. Amazon API Gateway
C. Amazon Cognito
D. Amazon Elastic Compute Cloud (Amazon EC2) Container Registry
B. Amazon API Gateway is a fully managed service that makes it easy for developers to
publish, maintain, monitor, and secure APIs at any scale. You can create an API that acts
as a “front door” for applications to access data, business logic, or functionality from your
code running on AWS Lambda. Amazon API Gateway handles all of the tasks involved in
accepting and processing up to hundreds of thousands of concurrent API calls, including
traffic management, authorization and access control, monitoring, and API version
management.
Your WordPress website is hosted on a fleet of Amazon Elastic Compute Cloud (Amazon
EC2) instances that leverage Auto Scaling to provide high availability. To ensure that the
content of the WordPress site is sustained through scale up and scale down events, you
need a common file system that is shared between more than one Amazon EC2 instance.
Which AWS Cloud service can meet this requirement?
A. Amazon CloudFront
B. Amazon ElastiCache
C. Amazon Elastic File System (Amazon EFS)
D. Amazon Elastic Beanstalk
C. Amazon EFS is a file storage service for Amazon EC2 instances. Multiple Amazon EC2
instances can access an Amazon EFS file system at the same time, providing a common
data source for the content of the WordPress site running on more than one instance.
You are changing your application to move session state information off the individual
Amazon Elastic Compute Cloud (Amazon EC2) instances to take advantage of the
elasticity and cost benefits provided by Auto Scaling. Which of the following AWS Cloud
services is best suited as an alternative for storing session state information?
A. Amazon DynamoDB
B. Amazon Redshift
C. Amazon Storage Gateway
D. Amazon Kinesis
A. Amazon DynamoDB is a NoSQL database store that is a great choice as an alternative
due to its scalability, high-availability, and durability characteristics. Many platforms
provide open-source, drop-in replacement libraries that allow you to store native
sessions in Amazon DynamoDB. Amazon DynamoDB is a great candidate for a session
storage solution in a share-nothing, distributed architecture.
A media sharing application is producing a very high volume of data in a very short
period of time. Your back-end services are unable to manage the large volume of
transactions. What option provides a way to manage the flow of transactions to your back-end services?
A. Store the inbound transactions in an Amazon Relational Database Service (Amazon
RDS) instance so that your back-end services can retrieve them as time permits.
B. Use an Amazon Simple Queue Service (Amazon SQS) queue to buffer the inbound
transactions.
C. Use an Amazon Simple Notification Service (Amazon SNS) topic to buffer the
inbound transactions.
D. Store the inbound transactions in an Amazon Elastic MapReduce (Amazon EMR)
cluster so that your back-end services can retrieve them as time permits.
B. Amazon SQS is a fast, reliable, scalable, and fully managed message queuing service.
Amazon SQS should be used to decouple the large volume of inbound transactions,
allowing the back-end services to manage the level of throughput without losing
messages.
Which of the following are best practices for managing AWS Identity and Access
Management (IAM) user access keys? (Choose 3 answers)
A. Embed access keys directly into application code.
B. Use different access keys for different applications.
C. Rotate access keys periodically.
D. Keep unused access keys for an indefinite period of time.
E. Configure Multi-Factor Authentication (MFA) for your most sensitive operations.
B, C, E. You should protect AWS user access keys like you would your credit card
numbers or any other sensitive secret. Use different access keys for different applications
so that you can isolate the permissions and revoke the access keys for individual
applications if an access key is exposed. Remember to change access keys on a regular
basis. For increased security, it is recommended to configure MFA for any sensitive
operations. Remember to remove any IAM users that are no longer needed so that the
user’s access to your resources is removed. Always avoid having to embed access keys in
an application.
You need to implement a service to scan Application Program Interface (API) calls and
related events’ history to your AWS account. This service will detect things like unused
permissions, overuse of privileged accounts, and anomalous logins. Which of the
following AWS Cloud services can be leveraged to implement this service? (Choose 3
answers)
A. AWS CloudTrail
B. Amazon Simple Storage Service (Amazon S3)
C. Amazon Route 53
D. Auto Scaling
E. AWS Lambda
A, B, E. You can enable AWS CloudTrail in your AWS account to get logs of API calls and
related events’ history in your account. AWS CloudTrail records all of the API access
events as objects in an Amazon S3 bucket that you specify at the time you enable AWS
CloudTrail. You can take advantage of Amazon S3’s bucket notification feature by
directing Amazon S3 to publish object-created events to AWS Lambda. Whenever AWS
CloudTrail writes logs to your Amazon S3 bucket, Amazon S3 can then invoke your AWS
Lambda function by passing the Amazon S3 object-created event as a parameter. The
AWS Lambda function code can read the log object and process the access records logged
by AWS CloudTrail.
