Deck 3 Flashcards
How many servers can you have per AZ in a spread placement group?
7
Which AWS service can you use to import data from supported databases into AWS Redshift?
DMS (Database Migration Service)
What subnet and VPC combinations are allowed when using the VPC Creation Wizard?
VPC with a single public subnet
VPC with public and private subnets (NAT)
VPC with public and private subnets and with hardware VPN access
VPC with a private subnet only and hardware VPN access
What is the best way to reuse code in multiple Lambda functions?
Create a Lambda layer
Which VPC does a Lambda function usually run in, and what do you need to do if you change this?
They run in an AWS owned VPC by default
If you run a Lambda function in your own VPC it will need a route through a NAT gateway to access public resources.
What type of access control gives user level control, but not AWS account level control for S3 buckets?
IAM Policies
What type of access control gives AWS account level control, but not user level control for S3 buckets?
ACLs
What type of access control gives both AWS account level control and user level control for S3 buckets?
Bucket Policies
What is the best way to improve S3 upload speed?
Use multipart uploads (allows for parallel uploads)
Use Amazon S3 Transfer Acceleration (transfers file to an edge location)
(do not accept Global Accelerator as an answer)
What is the most efficient way to send data from AWS S3 to Kinesis Data Streams?
AWS DMS service
Which storage classifications can S3 Storage Class Analysis offer recommendations for?
Standard IA only.
How could you prevent another website from using your assets in a public S3 bucket?
Remove the public read access and use pre-signed URLs with expiry dates.
What AWS services would you use to implement a “follow” feature in a DynamoDB social network?
DynamoDB Stream, with an AWS Lambda trigger to process the data and publish to an SNS topic.
What happens if there is an explicit deny in an IAM policy?
All other allows are overriden.
What is the correct tool to use for mitigating DDoS attacks?
AWS Shield Advanced
What is the best way to take data from an EC2 application with an RDS database, and push it through a distributed processing system?
On the EC2 instance, create a function or procedure to invoke a Lambda function. Configure the function to send event notifications to an SQS queue to be processed by the distributed system.
What two AWS services could you use to store web session data?
ElastiCache and DynamoDB
Does Amazon ECS support resource-based policies?
No - you need to use IAM (execution) roles instead.
What’s the best way to get detailed monitoring of your RDS instance, including percentage of CPU bandwidth and memory used by each process?
Enabling enhanced monitoring in RDS
How would you enable a lot of employees to use S3 to store their personal documents?
Set up a Federation Proxy or Identify provider and use AWS Security Token Service to generate temporary tokens and set up an IAM Policy and Role to allow access to S3.
List the standard EC2 Cloudwatch metrics
Broad statistics:
- CPU Utilisation
- Disk read and write
- Network in/out
How would you protect a serverless, API application in times of large traffic spikes?
Enable throttling limits and result caching in API Gateway
What is an HTTP 504 error?
A Gateway Timeout server error, caused but it not being able to communicate with an upstream server in time
Given a company that needs to have a minimum of two EC2 instances for its normal application workload, and that they want it to be highly available and fault tolerant, scaling up to a maximum of six EC2 instances for high loads, how would you size the auto-scaling groups across AZs to facilitate this?
Create an Auto Scaling group with two instances in each AZ, and a maximum capacity of six instances.
Which AWS service do you use to connect on premises Active Directory to AWS?
AWS Directory Service AD Connector
How would you ensure your RDS database can only be accessed using an access token or profile credentials?
Enable IAM DB Authentication
What is the most secure option to keep a Lambda function’s API keys and database credentials from being read by other members of the team?
Create a new KMS key and use it to enable encryption when creating the function.
What is AWS Rekognition?
Amazon’s AI image recognisation platform
What is AWS Inspector?
Amazon’s automated vulnerability scanner
What is Amazon Macie, and what does it do?
Machine learning powered data security and privacy service.
Tells you where your sensitive data is and where your risks/vulnerabilities are.
What are DynamoDB streams?
A stream of information about the data that has changed in a Dynamo database. Allows for event driven programming.
What feature must you enable to enable DynamoDB global tables?
DynamoDB Data Streams
How does object level versioning differ from Object Lock?
Versioning allows items to be overwritten at a later date. With object lock an object is immutable.
If you need to filter messages going from SNS into SQS, which application should the filtering be done in?
SNS
What types of attacks can AWS Web Application Firewall be used to block?
SQL injection and cross site scripting
What does VPC sharing allow you to do?
Allows you to share subnets with other AWS accounts in the same organisation
What does VPC peering allow?
Network communication between two VPCs to allow for privately routed traffic
