Deck 3

Question 1

How many servers can you have per AZ in a spread placement group?

Answer 1

7

Question 2

Which AWS service can you use to import data from supported databases into AWS Redshift?

Answer 2

DMS (Database Migration Service)

Question 3

What subnet and VPC combinations are allowed when using the VPC Creation Wizard?

Answer 3

VPC with a single public subnet
VPC with public and private subnets (NAT)
VPC with public and private subnets and with hardware VPN access
VPC with a private subnet only and hardware VPN access

Question 4

What is the best way to reuse code in multiple Lambda functions?

Answer 4

Create a Lambda layer

Question 5

Which VPC does a Lambda function usually run in, and what do you need to do if you change this?

Answer 5

They run in an AWS owned VPC by default

If you run a Lambda function in your own VPC it will need a route through a NAT gateway to access public resources.

Question 6

What type of access control gives user level control, but not AWS account level control for S3 buckets?

Answer 6

IAM Policies

Question 7

What type of access control gives AWS account level control, but not user level control for S3 buckets?

Answer 7

ACLs

Question 8

What type of access control gives both AWS account level control and user level control for S3 buckets?

Answer 8

Bucket Policies

Question 9

What is the best way to improve S3 upload speed?

Answer 9

Use multipart uploads (allows for parallel uploads)

Use Amazon S3 Transfer Acceleration (transfers file to an edge location)

(do not accept Global Accelerator as an answer)

Question 10

What is the most efficient way to send data from AWS S3 to Kinesis Data Streams?

Answer 10

AWS DMS service

Question 11

Which storage classifications can S3 Storage Class Analysis offer recommendations for?

Answer 11

Standard IA only.

Question 12

How could you prevent another website from using your assets in a public S3 bucket?

Answer 12

Remove the public read access and use pre-signed URLs with expiry dates.

Question 13

What AWS services would you use to implement a “follow” feature in a DynamoDB social network?

Answer 13

DynamoDB Stream, with an AWS Lambda trigger to process the data and publish to an SNS topic.

Question 14

What happens if there is an explicit deny in an IAM policy?

Answer 14

All other allows are overriden.

Question 15

What is the correct tool to use for mitigating DDoS attacks?

Answer 15

AWS Shield Advanced

Question 16

What is the best way to take data from an EC2 application with an RDS database, and push it through a distributed processing system?

Answer 16

On the EC2 instance, create a function or procedure to invoke a Lambda function. Configure the function to send event notifications to an SQS queue to be processed by the distributed system.

Question 17

What two AWS services could you use to store web session data?

Answer 17

ElastiCache and DynamoDB

Question 18

Does Amazon ECS support resource-based policies?

Answer 18

No - you need to use IAM (execution) roles instead.

Question 19

What’s the best way to get detailed monitoring of your RDS instance, including percentage of CPU bandwidth and memory used by each process?

Answer 19

Enabling enhanced monitoring in RDS

Question 20

How would you enable a lot of employees to use S3 to store their personal documents?

Answer 20

Set up a Federation Proxy or Identify provider and use AWS Security Token Service to generate temporary tokens and set up an IAM Policy and Role to allow access to S3.

Question 21

List the standard EC2 Cloudwatch metrics

Answer 21

Broad statistics:

• CPU Utilisation
• Disk read and write
• Network in/out

Question 22

How would you protect a serverless, API application in times of large traffic spikes?

Answer 22

Enable throttling limits and result caching in API Gateway

Question 23

What is an HTTP 504 error?

Answer 23

A Gateway Timeout server error, caused but it not being able to communicate with an upstream server in time

Question 24

Given a company that needs to have a minimum of two EC2 instances for its normal application workload, and that they want it to be highly available and fault tolerant, scaling up to a maximum of six EC2 instances for high loads, how would you size the auto-scaling groups across AZs to facilitate this?

Answer 24

Create an Auto Scaling group with two instances in each AZ, and a maximum capacity of six instances.

Question 25

Which AWS service do you use to connect on premises Active Directory to AWS?

Answer 25

AWS Directory Service AD Connector

Question 26

How would you ensure your RDS database can only be accessed using an access token or profile credentials?

Answer 26

Enable IAM DB Authentication

Question 27

What is the most secure option to keep a Lambda function’s API keys and database credentials from being read by other members of the team?

Answer 27

Create a new KMS key and use it to enable encryption when creating the function.

Question 28

What is AWS Rekognition?

Answer 28

Amazon’s AI image recognisation platform

Question 29

What is AWS Inspector?

Answer 29

Amazon’s automated vulnerability scanner

Question 30

What is Amazon Macie, and what does it do?

Answer 30

Machine learning powered data security and privacy service.

Tells you where your sensitive data is and where your risks/vulnerabilities are.

Question 31

What are DynamoDB streams?

Answer 31

A stream of information about the data that has changed in a Dynamo database. Allows for event driven programming.

Question 32

What feature must you enable to enable DynamoDB global tables?

Answer 32

DynamoDB Data Streams

Question 33

How does object level versioning differ from Object Lock?

Answer 33

Versioning allows items to be overwritten at a later date. With object lock an object is immutable.

Question 34

If you need to filter messages going from SNS into SQS, which application should the filtering be done in?

Answer 34

SNS

Question 35

What types of attacks can AWS Web Application Firewall be used to block?

Answer 35

SQL injection and cross site scripting

Question 36

What does VPC sharing allow you to do?

Answer 36

Allows you to share subnets with other AWS accounts in the same organisation

Question 37

What does VPC peering allow?

Answer 37

Network communication between two VPCs to allow for privately routed traffic