Deck 2

Question 1

How long does an object need to sit in S3 Standard storage classes before they can be moved down to the infrequent access tier?

Answer 1

30 days (even using a lifecycle policy)

Question 2

What is the name of AWS’ serverless user management tool, and what does it do in a few words?

Answer 2

Cognito User Pools, which provides a user directory you can use for your application

Question 3

When is using Route 53 weighted routing not a good idea for testing blue/green application deployments?

Answer 3

When DNS caching will have a significant effect on the rollout.

Question 4

Which applications would you use in your stack if you want to buffer or throttle the traffic coming into your system?

Why?

Answer 4

Amazon API Gateway, Amazon SQS and Amazon Kinesis

API Gateway has a “bucket” of authentication tokens it can give out, which naturally throttles it.

SQS is a queuing system so creates a buffer.

Kinesis is fully managed and scalable, so it will always able to handle the queries (why this means you can consider it throttled I don’t know).

Question 5

Of SNS and SQS, which applications is capable of queuing requests and which isn’t?

Answer 5

SQS can queue requests - SNS cannot.

Question 6

Which tools would you use to make sure only permitted EC2 instances can communicate with an EFS file system?

Answer 6

An IAM policy on the file system

EFS Access Points

VPC security groups

Question 7

What are GuardDuty’s data sources?

Answer 7

CloudTrail Logs
VPC Flow Logs
DNS Logs

Question 8

What is Amazon CloudFront?

Answer 8

AWS’ Global CDN (Content Distribution Network)

Question 9

What’s the best way to sync S3 data across regions?

Answer 9

Copy data from source to destination using the AWS S3 sync command

Question 10

Does S3 Cross-Region replication work to copy objects already in S3?

Answer 10

No - cross region replication only works on data that is added after the replication is enabled.

Question 11

Which services can use VPC Gateway Endpoints?

Answer 11

DynamoDB and Amazon S3

Question 12

Which services would you use to build a highly available solution to store and reliably process key-value pairs data that is collected once a minute?

Why?

Answer 12

Lambda - means you only pay when code is being executed

DynamoDB - key:value pair database with high performance and high availability

Question 13

How do you modify a launch configuration after you’ve created it?

Answer 13

You can’t - you need to create a new one.

Question 14

Can you copy items directly into AWS Glacier?

Answer 14

No - you need to put it into standard S3 first, and then move it across.

Question 15

What would you do to provide good protection against items in your S3 buckets being deleted?

Answer 15

Enable versioning and MFA delete

Question 16

What can S3 bucket policies do?

Answer 16

Allow public access to the bucket

Force objects to be encrypted at upload

Grant access to another account (cross account)

Question 17

Can S3 buckets replicate across accounts?

Answer 17

Yes they can.

Question 18

S3 Replications - What are the use cases for cross region replication?

Answer 18

Compliance, lower latency access, replication across accounts

Question 19

S3 Replications - What are the use cases for same region replication?

Answer 19

Log aggregation, live replication between production and test accounts

Question 20

What are the six tiers of S3 storage class?

Answer 20

S3 Standard
S3 Standard IA (Infrequent Access)
S3 One Zone IA
S3 Intelligent Tiering
Glacier
Glacier Deep Archive

Question 21

What are the retrieval options for AWS Glacier storage?

Answer 21

Expedited: 1-5 minutes
Standard: 3-5 hours
Bulk: 5-12 hours

Question 22

What are the retrieval options for AWS Glacier Deep Archive storage?

Answer 22

Standard: 12 hours
Bulk: 48 hours

Question 23

What is the minimum storage duration for AWS Glacier items?

Answer 23

90 days

Question 24

What is the minimum storage duration for AWS Glacier Deep Archive items?

Answer 24

180 days

Question 25

What is the minimum storage duration for any object that involves the Infrequent Access storage tiers?

Answer 25

30 days

Question 26

When using a Network Load Balancer (NLB), how is traffic routed to the target instances?

Answer 26

Traffic is routed to instances using the primary private IP address specified in the primary private network interface for the instance.

Question 27

What are the similarities between AWS Global Accelerator and AWS CloudFront?

Answer 27

Both services use the AWS global network and the edge locations around the world

Both services integrate with AWS Shield for DDoS protection

Question 28

What are the differences between AWS Global Accelerator and AWS CloudFront?

Answer 28

CloudFront is a caching solution, which is good for static content, APIs and some dynamic content.

Global Accelerator is much better for non-HTTP traffic like gaming or VoIP, or for HTTP traffic that absolutely needs a static IP address.

Question 29

What is AWS Global Accelerator?

Answer 29

Amazon’s Global Proxying solution.

Traffic comes into the nearest edge location to the end user, and is routed over Amazon’s core network to the required region.

You get two static (Anycast) IPs which you can use worldwide, which are then routed.

Question 30

What is AWS CloudFront?

Answer 30

CloudFront is AWS’ CDN, which uses their global network to cache data at the Edge.

Question 31

How should you handle installing applications on an EC2 instance when it launches?

Answer 31

Use a lifecycle hook to put the instance in a wait state and run a script to install the software.

Question 32

What is the maximum storage you can have in an Aurora database?

Answer 32

128TB

Question 33

How many read replicas can an Aurora database have?

Answer 33

15

Question 34

How does AWS Aurora (non-serverless) support high availability and read scaling?

Answer 34

Data is stored in 6 copies across 3 AZs
One instance takes writes
Other instances can be read replicas

Also supports multi-master for instant failover

Question 35

How is Global Aurora set up?

Answer 35

Uses cross-region replicas
One primary region (read & write)
Up to 5x secondary (read-only) regions

Up to 16 read-replicas per secondary region
Promoting another region to master takes <1 minute

Question 36

What is an AWS dedicated instance?

Answer 36

An instance running on hardware dedicated to you.

Less access to underlying hardware than a dedicated host, so no licencing benefits, but requirement of “no shared hosts” is met.

Question 37

What is a dedicated host?

Answer 37

Your own EC2 host that only you can use. Allows you to use your own legacy licences and satisfy shared tenancy compliance requirements.

Question 38

What is AWS Transit Gateway?

Answer 38

Allows transitive peering between VPC and on-premises connections

Question 39

How can you improve the bandwidth of your site-to-site VPN?

Answer 39

Use multiple parallel VPNs and set up equal-cost multi-path routing (ECMP) to balance traffic

Question 40

Can you share Direct Connect between multiple AWS accounts?

Answer 40

Yes - use Transit Gateway

Question 41

How can you inspect traffic going to an interface without interfering with it?

Answer 41

Use Traffic Mirroring to copy the network traffic to a different set of EC2 instances for analysis

Question 42

What are Cognito Identity Pools?

Answer 42

A service that allows your users to authenticate into other AWS services.

Question 43

How do Cognito Identity Pools integrate with Cognito User Pools?

Answer 43

A user from the User Pool exchanges its tokens for another token from the Identity Pool.

Question 44

How much data can be in a Kinesis shard per second?

Answer 44

1MB (per second)

Question 44

How much data can be in a Kinesis share per second?

Answer 44

1MB (per second)

Question 45

How many messages can be in a Kinesis shard per second?

Answer 45

1000 (messages per second)

Question 46

What does the Enhanced Fan-Out mode of Kinesis offer over the standard mode?

Answer 46

You can pull 2MB/s of data per consumer, rather than across all of them.

Question 47

What do AWS’ DMS, Glue and Schema Conversion Tool services do?

Answer 47

DMS is designed for migrating databases from on-premises to the cloud, and vice versa. It can be set up to run the copy continuously.

Glue is a data transformation program, designed to work when data is being ingested.

Schema conversion allows you to move your schema between different database engines (like SQL Server to MySQL etc.)

Question 48

What management does a NAT Instance need?

Answer 48

Resilience
Patching
Security groups

Question 49

What are the advantages of a NAT Gateway over a NAT Instance?

Answer 49

No patching required
Higher bandwidth
No security groups to manage

Question 50

What are the drawbacks of a NAT Gateway over a NAT instance?

Answer 50

You can’t use it from an EC2 instance in the same subnet it’s in
You can’t use it as a Bastion host (unlike a NAT instance)
Doesn’t support port forwarding

Question 51

What is AWS X-Ray?

Answer 51

Amazon’s debugging and analytics application, which helps you to visualise your application and its requests.

Question 52

What levels of access restrictions are there for AWS S3 buckets?

Answer 52

User based:
IAM Policies

Resource based:
Bucket Policies
Object Access Control list
Bucket Access Control list

Question 53

What can be used as a final “hard stop” to prevent a user or resource accessing an S3 bucket?

Answer 53

An explicit deny in the bucket policy.

Question 54

Of Launch Templates and Launch Configurations, which is newer and what can it do above the older one?

Answer 54

Launch Templates are newer.

They support:

• multiple versions
• partial configuration to allow substitution with values upon use
• on-demand or spot instances (or both)

Question 55

What do you use to connect to most AWS services, without hitting the public internet, that aren’t S3 and DynamoDB?

Answer 55

Interface endpoints

Question 56

Which sites does a site-to-site VPN connect?

Answer 56

Your site to AWS

Question 57

What options do (non-Aurura) RDS databases have for availability?

Answer 57

Multi-AZ standby deployments

Question 58

What are some drawbacks of AWS’ read replicas?

Answer 58

The client connection string needs to be changed in the applications.

They are asynchronously linked to the main database, so they are “eventually consistent”.

Question 59

What does AWS’ Redshift Spectrum service allow you to do?

Answer 59

Query Redshift data in S3 without loading it