Digital Cloud Training Flashcards
You would like to share some documents with public users accessing an S3 bucket over the internet. What are two valid methods of granting public read permissions so you can share the documents?
Grant public read access to the objects when uploading.
Use the AWS Policy Generator to create a bucket policy for your Amazon S3 bucket granting read access to public anonymous users.
Why would using CloudFront and a static website not be ideal for sharing documents from an S3 bucket over the Internet?
It’s not necessary when you can grant public read access through the AWS Policy Generator or the object policy, and it imposes some constraints on the solution.
DynamoDB
A fully managed NoSQL database solution that can scale seamlessly and has very low read/write latency.
Push Button Scaling
Scale the Database without incurring downtime. A key feature of DynamoDB.
You are building an application that will collect information about user behavior. The application will rapidly ingest large amounts of dynamic data and requires very low latency. The database must be scalable without incurring downtime. Which database solution would you recommend for this scenario?
DynamoDB
A Solutions Architect is building a complex application with several back-end APIs. The architect is considering using Amazon API Gateway. With Amazon API Gateway what are features that assist with creating and managing APIs?
Metering - define plans that meter and restrict third-party developer access to APIs
Lifecycle Management - Operate multiple API versions and multiple stages for each version simultaneously so that existing applications can continue to call previous versions after new API versions are published.
Your company would like to restrict the ability of most users to change their own passwords whilst continuing to allow a select group of users within specific user groups. What is the best way to achieve this?
1) Under the IAM Password Policy, deselect the option to allow users to change their own passwords.
2) Create an IAM Policy that grants users the ability to change their own password and attach it to the groups that contain those users.
What are IAM Roles used for?
IAM roles are Identity and Access Management entities that define a set of permissions for making AWS service requests. They are NOT associated with a specific user or group.
What is the best way to restrict a port and protocol combination from a security group?
Update the security group by removing the rule. You can only assign permit rules in a security group, you cannot assign deny rules.
You need to design a solution for distributing load across a number of EC2 instances across multiple AZs within a region. Customers will connect to several different applications running on the client’s servers through their browser using multiple domain names and SSL certificates. The certificates are stored in AWS Certificate Manager (ACM).
What is the optimal architecture to ensure HA, Cost Effectiveness, and performance?
Launch a single ALB and bind multiple SSL certificates to the same secure listener. Clients will use the Server Name Indication (SNI) extension.
With Server Name Indication (SNI) a client indicates the hostname to connect to. SNI supports multiple secure websites using a single secure listener.
SNI
Server Name Indication - An extension to the TLS protocol that is supported by browsers and clients released after 2010. If you configure CloudFront to serve HTTPS requests using SNI, CloudFront associates your alternate domain name with an IP address for each edge location. This is the recommended method if you want viewers to use HTTPS and also use alternate domain names for your files.
What is the other option for allowing CloudFront to serve HTTPS requests?
Dedicated IP Addresses. This will incur an additional monthly charge.
What are the two ways you can encrypt data stored on an EBS volume without downtime?
Either create an encrypted volume and migrate the data, or take a snapshot, encrypt it, and create a new encrypted volume from the snapshot.
A customer has asked you to recommend the best solution for a highly available database. The database is relational OLTP type of database and the customer does not want to manage the operating system the database runs on. Failover between AZs must be automatic.
Use RDS in a Multi-AZ configuration. RDS is a managed service that will allow you to configure Multi-AZ, which creates a replica in another AZ and synchronously replicates to it (DR only).
What is the difference between OLTP and OLAP?
Online Transaction Processing is a class of software capable of supporting transaction-based software over the internet. Online Analytical Processing is a technology for report viewing and complex analytical calculations.
Name an AWS service that is used for OLAP
Redshift is used for data warehouse analytics.
Name an AWS service that is used for OLTP
RDS
Name all RDS database engines
Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle, MS SQL Server
What are the benefits of Amazon Aurora?
- Cost-effectiveness of open source databases (MySQL)
- 3x faster than PostgreSQL
- 5x faster than MySQL
- 1/10th the cost of commercial databases
- Fully managed by RDS
- 64TB fault-tolerant, self-healing, distributed storage per instance
- Up to 15 low-latency read replicas
- Replication across 3 AZs
- Continuous backup to S3
You are troubleshooting a connectivity issue where you cannot connect to an EC2 instance in a public subnet in your VPC from the Internet. Which configuration items would you check first?
The subnet has “Auto-assign public IPv4 address” set to “Yes”
The security group attached to the EC2 instance has an inbound rule allowing the traffic.
Public subnets are subnets that have:
“Auto-assign public IPv4 address” set to “Yes” which will assign a public IP
The subnet route table has an attached Internet Gateway
The instance will also need a security group with an inbound rule allowing the traffic.
When using a public subnet with an Internet Gateway, the instance needs ______ to be addressable from the Internet?
a Public IP address
NAT Gateways
Used to enable outbound Internet access for instances in private subnets. A managed service that provides availability and higher bandwidth, and requires less effort than a NAT Instance.
NAT Instances
A non-managed NAT option to enable instances in the private subnet to initiate outbound IPv4 traffic to the internet or other AWS services, but prevent the instances from receiving inbound traffic from the Internet.
You would like to provide some on-demand and live streaming video to your customers. The plan is to provide the users with both the media player and the media files from the AWS cloud. One of the features you need is for the content of the media files to begin playing while the file is still being downloaded.
What AWS services can deliver these requirements?
Use CloudFront with a Web and RTMP distribution:
- A web distribution for the media player
- An RTMP distribution for the media files
Store the Media files in an S3 bucket.
RTMP
Adobe Real-Time Messaging Protocol
Distribute streaming media files using Adobe Flash Media Server’s RTMP protocol
Allows an end user to begin playing a media file before the file has finished downloading from a CloudFront edge location
Files must be stored in an S3 bucket (NOT an EBS volume or EC2 instance)
There is a requirement to implement in-memory caching for an application due to increasing read-heavy load. The data must be stored persistently. Automatic failover across AZs is also required. What two items deliver these requirements?
ElastiCache with the Redis engine - Stores data persistently.
Multi-AZ with Cluster mode and Automatic Failover enabled.
Redis vs Memcached
Redis: Stores data persistently, supports Multi-AZ using read replicas in other AZs in the same Region, fully fault tolerant and automated if both cluster mode and Multi-AZ failover are enabled.
Memcached: Does NOT store data persistently, does NOT support Multi-AZ failover or replication.
ECS
Elastic Container Service - A highly scalable, high performance service that supports Docker containers and allows you to run applications across a managed cluster of EC2 instances.
ECS Task
Instances of containers that are run on underlying compute, but are more or less isolated.
ECR
Elastic Container Registry - An AWS managed registry of Container images that is secure, scalable, and reliable.
You have launched a Spot instance on EC2 for working on an application development project. What are the possible behaviors that can be configured in the event of an interruption?
Hibernate
Stop
Terminate (Default)
You create a new ASG with 6 instances distributed evenly between two AZs, AZ1 and AZ2. After creating these, you find that all 6 EC2 instances are being hosted on AZ1 since AZ2 does not currently have the capacity for your instance type. What will happen once AZ2 does have the capacity?
The ASG will try to redistribute the EC2 instances evenly between the two availability zones. It will only delete the instances in AZ1 once the instances in AZ2 have been created and verified.
You would like to create a highly available web application that serves static content hosted on multiple On-Demand EC2 instances. What three features can help you do that?
Multiple Availability Zones
Elastic Load Balancer
Auto Scaling Group
An EBS-backed EC2 instance has been configured with some proprietary software that uses an embedded license. You need to move the EC2 instance to another AZ in the region. What is the best way to accomplish this?
Create an image (AMI) from the instance and launch a new instance from that AMI in the destination AZ.
Spread Placement Group
A group of EC2 instances that are each placed on distinct underlying hardware.
An application that you will be deploying in your VPC requires 14 EC2 instances that must be placed on distinct underlying hardware to reduce the impact of the failure of a hardware node. The instances will use varying instance types. What configuration will cater to these requirements taking cost-effectiveness into account?
Use Spread Placement Group across two AZs.
How many IAM roles can you apply to a Task Definition?
One
How can you apply granular permissions to distinct containers hosted on the same EC2 instance?
Create separate Task Definitions for any Task/Container you’d like to alter permissions on.
PFS
Perfect Forward Secrecy - provides additional safeguards against eavesdropping of encrypted data through the use of a unique random session key.
Can you use Instance IDs with On-Premises targets?
No. Be sure to utilize IP address targets, which are supported by either Network or Application Load Balancers. A VPN or Direct Connect connection is required for On-Premises communication.
You would like to start recording source IP addresses of traffic that hits your Web Applications that are behind an Elastic Load Balancer. What ELB features will you enable with which protocols?
Proxy Protocol for TCP
X-Forwarded-For response header for HTTP
You would like to record source IP addresses of traffic that hit your Elastic Load Balancers before they get to the EC2 instances hosted behind it. What feature would you enable to start that?
Access Logs
According to EC2 IO optimized SLAs, what would be the average IOPS an io1 EBS volume configured to provide 1000 IOPS give most of the time throughout the year?
900 - SLAs for Provisioned Optimized IOPS guarantees to be within 10 percent of the provisioned IOPS 99.9 percent of the time.