Deck 2 Flashcards
How long does an object need to sit in the S3 Standard storage class before it can be moved down to the Infrequent Access tier?
30 days (even using a lifecycle policy)
What is the name of AWS’ serverless user management tool, and what does it do in a few words?
Cognito User Pools, which provides a user directory you can use for your application
When is using Route 53 weighted routing not a good idea for testing blue/green application deployments?
When DNS caching will have a significant effect on the rollout.
Which applications would you use in your stack if you want to buffer or throttle the traffic coming into your system?
Why?
Amazon API Gateway, Amazon SQS and Amazon Kinesis
API Gateway has a “bucket” of authentication tokens it can give out, which naturally throttles it.
SQS is a queuing system so creates a buffer.
Kinesis is fully managed and scalable, so it will always be able to handle the queries (why this means you can consider it throttled I don’t know).
Of SNS and SQS, which application is capable of queuing requests and which isn’t?
SQS can queue requests - SNS cannot.
Which tools would you use to make sure only permitted EC2 instances can communicate with an EFS file system?
An IAM policy on the file system
EFS Access Points
VPC security groups
What are GuardDuty’s data sources?
CloudTrail Logs
VPC Flow Logs
DNS Logs
What is Amazon CloudFront?
AWS’ Global CDN (Content Distribution Network)
What’s the best way to sync S3 data across regions?
Copy data from source to destination using the AWS S3 sync command
Does S3 Cross-Region replication work to copy objects already in S3?
No - cross region replication only works on data that is added after the replication is enabled.
Which services can use VPC Gateway Endpoints?
DynamoDB and Amazon S3
Which services would you use to build a highly available solution to store and reliably process key-value pair data that is collected once a minute?
Why?
Lambda - means you only pay when code is being executed
DynamoDB - key:value pair database with high performance and high availability
How do you modify a launch configuration after you’ve created it?
You can’t - you need to create a new one.
Can you copy items directly into AWS Glacier?
No - you need to put it into standard S3 first, and then move it across.
What would you do to provide good protection against items in your S3 buckets being deleted?
Enable versioning and MFA delete
What can S3 bucket policies do?
Allow public access to the bucket
Force objects to be encrypted at upload
Grant access to another account (cross account)
Can S3 buckets replicate across accounts?
Yes they can.
S3 Replications - What are the use cases for cross region replication?
Compliance, lower latency access, replication across accounts
S3 Replications - What are the use cases for same region replication?
Log aggregation, live replication between production and test accounts
What are the six tiers of S3 storage class?
S3 Standard
S3 Standard IA (Infrequent Access)
S3 One Zone IA
S3 Intelligent Tiering
Glacier
Glacier Deep Archive
What are the retrieval options for AWS Glacier storage?
Expedited: 1-5 minutes
Standard: 3-5 hours
Bulk: 5-12 hours
What are the retrieval options for AWS Glacier Deep Archive storage?
Standard: 12 hours
Bulk: 48 hours
What is the minimum storage duration for AWS Glacier items?
90 days
What is the minimum storage duration for AWS Glacier Deep Archive items?
180 days
What is the minimum storage duration for any object that involves the Infrequent Access storage tiers?
30 days
When using a Network Load Balancer (NLB), how is traffic routed to the target instances?
Traffic is routed to instances using the primary private IP address specified in the primary private network interface for the instance.
What are the similarities between AWS Global Accelerator and AWS CloudFront?
Both services use the AWS global network and the edge locations around the world
Both services integrate with AWS Shield for DDoS protection
What are the differences between AWS Global Accelerator and AWS CloudFront?
CloudFront is a caching solution, which is good for static content, APIs and some dynamic content.
Global Accelerator is much better for non-HTTP traffic like gaming or VoIP, or for HTTP traffic that absolutely needs a static IP address.
What is AWS Global Accelerator?
Amazon’s Global Proxying solution.
Traffic comes into the nearest edge location to the end user, and is routed over Amazon’s core network to the required region.
You get two static (Anycast) IPs which you can use worldwide, which are then routed.
What is AWS CloudFront?
CloudFront is AWS’ CDN, which uses their global network to cache data at the Edge.
How should you handle installing applications on an EC2 instance when it launches?
Use a lifecycle hook to put the instance in a wait state and run a script to install the software.
What is the maximum storage you can have in an Aurora database?
128TB
How many read replicas can an Aurora database have?
15
How does AWS Aurora (non-serverless) support high availability and read scaling?
Data is stored in 6 copies across 3 AZs
One instance takes writes
Other instances can be read replicas
Also supports multi-master for instant failover
How is Global Aurora set up?
Uses cross-region replicas
One primary region (read & write)
Up to 5x secondary (read-only) regions
Up to 16 read-replicas per secondary region
Promoting another region to master takes <1 minute
What is an AWS dedicated instance?
An instance running on hardware dedicated to you.
Less access to underlying hardware than a dedicated host, so no licencing benefits, but requirement of “no shared hosts” is met.
What is a dedicated host?
Your own EC2 host that only you can use. Allows you to use your own legacy licences and satisfy shared tenancy compliance requirements.
What is AWS Transit Gateway?
Allows transitive peering between VPC and on-premises connections
How can you improve the bandwidth of your site-to-site VPN?
Use multiple parallel VPNs and set up equal-cost multi-path routing (ECMP) to balance traffic
Can you share Direct Connect between multiple AWS accounts?
Yes - use Transit Gateway
How can you inspect traffic going to an interface without interfering with it?
Use Traffic Mirroring to copy the network traffic to a different set of EC2 instances for analysis
What are Cognito Identity Pools?
A service that allows your users to authenticate into other AWS services.
How do Cognito Identity Pools integrate with Cognito User Pools?
A user from the User Pool exchanges its tokens for another token from the Identity Pool.
How much data can be in a Kinesis shard per second?
1MB (per second)
How many messages can be in a Kinesis shard per second?
1000 (messages per second)
What does the Enhanced Fan-Out mode of Kinesis offer over the standard mode?
You can pull 2MB/s of data per consumer, rather than across all of them.
What do AWS’ DMS, Glue and Schema Conversion Tool services do?
DMS is designed for migrating databases from on-premises to the cloud, and vice versa. It can be set up to run the copy continuously.
Glue is a data transformation program, designed to work when data is being ingested.
Schema conversion allows you to move your schema between different database engines (like SQL Server to MySQL etc.)
What management does a NAT Instance need?
Resilience
Patching
Security groups
What are the advantages of a NAT Gateway over a NAT Instance?
No patching required
Higher bandwidth
No security groups to manage
What are the drawbacks of a NAT Gateway over a NAT instance?
You can’t use it from an EC2 instance in the same subnet it’s in
You can’t use it as a Bastion host (unlike a NAT instance)
Doesn’t support port forwarding
What is AWS X-Ray?
Amazon’s debugging and analytics application, which helps you to visualise your application and its requests.
What levels of access restrictions are there for AWS S3 buckets?
User based:
IAM Policies
Resource based:
Bucket Policies
Object Access Control list
Bucket Access Control list
What can be used as a final “hard stop” to prevent a user or resource accessing an S3 bucket?
An explicit deny in the bucket policy.
Of Launch Templates and Launch Configurations, which is newer, and what can it do that the older one can’t?
Launch Templates are newer.
They support:
- multiple versions
- partial configuration to allow substitution with values upon use
- on-demand or spot instances (or both)
What do you use to connect to AWS services other than S3 and DynamoDB without hitting the public internet?
Interface endpoints
Which sites does a site-to-site VPN connect?
Your site to AWS
What options do (non-Aurora) RDS databases have for availability?
Multi-AZ standby deployments
What are some drawbacks of AWS’ read replicas?
The client connection string needs to be changed in the applications.
They are asynchronously linked to the main database, so they are “eventually consistent”.
What does AWS’ Redshift Spectrum service allow you to do?
Query Redshift data in S3 without loading it