EC2 (ACG) Flashcards

1
Q

How would you connect to a newly created EC2 instance from the terminal?

A
  1. After creating the new EC2 instance, change to the directory where the new key pair (.pem file) was downloaded
  2. Make the private key readable by its owner only (ssh refuses to use a key that is readable by anyone else):
    chmod 400 mynewkp.pem
  3. ssh ec2-user@[instance public IP goes here] -i mynewkp.pem
  4. sudo su
  5. yum update -y
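Added example (not part of the original flashcards): the permission rule behind step 2, reproduced in Python so a deployment script can fail early instead of at the ssh prompt. OpenSSH rejects a private key that is readable by group or others ("UNPROTECTED PRIVATE KEY FILE!"), which is what chmod 400 prevents. The key file in demo() is a constructed placeholder, not a real key, and the check assumes a POSIX filesystem.

```python
"""Check that an SSH private key has the permissions OpenSSH requires.

Added example, not from the flashcards. Mirrors OpenSSH's rule: the key must
be owned by the current user and have no group/other permission bits.
"""
import os
import stat
import tempfile
from typing import Tuple


def mode_is_private(mode: int) -> bool:
    """True if no group/other bits are set (0o400 and 0o600 pass, 0o644 fails)."""
    return (mode & 0o077) == 0


def key_file_is_private(path: str) -> bool:
    """Apply the rule to a file on disk: owned by us, and private mode bits."""
    st = os.stat(path)
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        return False  # key owned by someone else: OpenSSH refuses it too
    return mode_is_private(stat.S_IMODE(st.st_mode))


def harden_key_file(path: str) -> None:
    """Equivalent of `chmod 400 mynewkp.pem`: owner read-only."""
    os.chmod(path, stat.S_IRUSR)


def demo() -> Tuple[bool, bool]:
    """Create a throwaway placeholder 'key' (constructed, not a real key),
    show the check failing at 0o644 and passing after hardening.
    Returns (before, after)."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        os.write(fd, b"-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder)\n")
        os.close(fd)
        os.chmod(path, 0o644)  # typical state of a freshly downloaded file
        before = key_file_is_private(path)
        harden_key_file(path)
        after = key_file_is_private(path)
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    print(demo())
```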
2
Q

How would you list and create S3 buckets from the terminal?

A

aws s3 ls

aws s3 mb s3://mybucket-john-1234

(CLI service names and subcommands are lowercase.) Bucket names must be unique across all AWS accounts in all the AWS Regions within a partition. A partition is a group of Regions.

3
Q

What are the AWS partitions?

A

A partition is a group of Regions. AWS currently has three partitions:

  1. Standard Regions (aws)
  2. China Regions (aws-cn)
  3. AWS GovCloud US (aws-us-gov)
4
Q

What is Amazon’s fully managed RDS engine?

A

Amazon Aurora, which is compatible with MySQL and PostgreSQL. Aurora can deliver up to five times the throughput of MySQL and up to three times the throughput of PostgreSQL without requiring changes to most of your existing applications.

5
Q

What is the difference between OLTP and OLAP?

A

Online Transaction Processing (OLTP) is about completing large numbers of small transactions in real time, for example customer orders, banking transactions, payments and booking systems.

Online Analytical Processing (OLAP) runs complex queries to analyze historical data, for example analyzing net profit figures from the past 3 years, or sales forecasting.

6
Q

What are RDS database types?

A

SQL Server, Oracle, MySQL, PostgreSQL, MariaDB, and Amazon Aurora.

7
Q

RDS is designed for which type of workloads?

A

OLTP workloads. Great for processing lots of small transactions like customer orders, banking transactions, payments, and booking systems.

8
Q

RDS is suitable for OLAP workloads. True or false?

A

False, RDS is not suitable for OLAP. Use Redshift for data warehousing and OLAP tasks, like analyzing large amounts of data, reporting, and sales forecasting.

9
Q

What is Multi-AZ?

A

It is an exact copy of your production database in another Availability Zone. AWS handles the replication for you. When you write to your production database, the write is automatically replicated synchronously to the standby database.

10
Q

Which RDS types can be configured as Multi-AZ?

A

All of them. SQL Server, Oracle, MySQL, PostgreSQL and MariaDB can be deployed Multi-AZ; Aurora is Multi-AZ by design, since its storage is replicated across three Availability Zones.

11
Q

What happens in the event of unplanned failure in RDS Multi-AZ?

A

RDS will automatically fail over to the standby during a failure so that database operations can resume quickly without administrative intervention. Multi-AZ is for disaster recovery, not for improving performance, so you cannot connect to the standby when the primary DB is active.

12
Q

What can you do to improve performance of your RDS database?

A

Add read replicas. A read replica is a read-only copy of your primary database. Great for read heavy workloads and takes the load off your primary database. Each read replica has its own DNS endpoint which is different and independent from the primary database.

13
Q

Read Replicas are primarily used for disaster recovery. True or false?

A

FALSE

Read replicas are primarily used for scaling, not for disaster recovery.

14
Q

Read replicas require automatic backups. True or false?

A

TRUE

Automatic backups must be enabled in order to deploy a read replica.

15
Q

Multiple read replicas are supported. True or false?

A

TRUE

MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server allow you to add up to five read replicas to each DB instance.

16
Q

Multi-AZ is used for disaster recovery. True or false?

A

TRUE

17
Q

Read replicas provide a read-only copy of your primary database in the same AZ, cross-AZ or cross-region. True or false?

A

TRUE

18
Q

What are three key characteristics of Multi-AZ?

A
  1. An exact copy of your production database in another AZ.
  2. Used for DR (disaster recovery).
  3. In the event of a failure, RDS will automatically fail over to the standby instance.
19
Q

What are three key characteristics of read replica?

A
  1. A read-only copy of your primary database in the same AZ, cross-AZ, or cross-region.
  2. Used to increase or scale read performance.
  3. Great for read-heavy workloads and takes the load off your primary database for read only workloads, e.g., business intelligence reporting jobs.
20
Q

What are the two ways to backup RDS?

A
  1. Database snapshot
  2. Automated Backup (enabled by default)

21
Q

You can enable encryption at any time on an RDS DB instance. True or false?

A

FALSE

You can’t enable encryption on an unencrypted RDS DB instance. Encryption must be enabled when first creating your database.

22
Q

How would you encrypt an existing unencrypted RDS DB instance?

A

Create a snapshot, copy the snapshot with encryption enabled (an existing snapshot cannot be encrypted in place), and then restore a new DB instance from the encrypted copy. Repoint your application at the new instance's endpoint.

23
Q

What are four key characteristics of automated backups?

A
  1. Automated, enabled by default, you define the backup window
  2. Point-in-time snapshot plus transaction logs
  3. Retention period of 1 to 35 days
  4. Can be used to recover your database to any point in time within the retention period
24
Q

What are four key characteristics of a DB snapshot?

A
  1. User initiated, ad hoc
  2. Point-in-time snapshot only
  3. No retention period; stored indefinitely until you delete
  4. Used to back up your DB instance to a known state and restore to that specific state at any time, e.g., before major changes to a database
25
Q

What are three things to keep in mind regarding RDS encryption?

A
  1. Must be enabled at creation. Includes all underlying storage, automated backups, snapshots, logs, and read replicas.
  2. Uses AWS Key Management Service (KMS) keys for AES-256 encryption.
  3. Existing unencrypted RDS instances can be encrypted by copying a snapshot with encryption enabled and creating a new RDS instance from the encrypted copy.
26
Q

What is ElastiCache?

A

ElastiCache stores frequently accessed data in an in-memory cache. Memory is faster than disk.

27
Q

What are the two types of ElastiCache?

A
  1. Memcached - great for simple object caching and scales horizontally, but has no persistence, Multi-AZ, or automatic failover.
  2. Redis - more sophisticated solution with enterprise features like persistence, replication, Multi-AZ, and automatic failover. Supports sorting and ranking data, and complex data types like lists and hashes.
28
Q

When should you use ElastiCache?

A

When your database is read heavy and the data does not change frequently.

29
Q

ElastiCache is great for write heavy loads. True or false?

A

FALSE

ElastiCache is an in-memory cache designed to improve read performance for read-heavy databases.

30
Q

When should you use memcached?

A
  1. Fast in-memory, key-value data store
  2. Object caching is your primary goal
  3. You want to keep things as simple as possible
  4. You don’t need persistence or Multi-AZ
  5. You don’t need to support advanced data types or sorting
31
Q

When should you use redis?

A
  1. Fast in memory, key-value data store
  2. You are performing data sorting and ranking, such as gaming leaderboards
  3. You have advanced data types, such as lists and hashes
  4. You need data persistence
  5. You need Multi-AZ
32
Q

What is Parameter Store?

A

Parameter Store (part of AWS Systems Manager) is a way to store configuration and confidential information such as passwords, database connection strings, and license codes.

You can store values as plain text (String) or encrypted with a KMS key (SecureString).

You can reference your parameters by parameter name, e.g., in a bootstrap script, and control who may read them with IAM.

You can use Parameter Store with AWS services such as EC2, CloudFormation, Lambda, CodeBuild, CodePipeline and CodeDeploy.

33
Q

What is EC2?

A

EC2 is like a virtual machine that is hosted in AWS instead of your data center. EC2 stands for Elastic Compute Cloud, which allows you to:

  • select the capacity that you need right now
  • grow and shrink when you need
  • pay for what you use
  • wait minutes, not months
34
Q

What are the four EC2 instance pricing options?

A
  1. On-Demand - pay by the hour or by the second, depending on the type of instance you run. Great for flexibility.
  2. Reserved - reserve capacity for one or three years. Up to 72% discount on the hourly charge. Great if you have known, fixed requirements.
  3. Spot - purchase unused capacity at a discount of up to 90%. Prices fluctuate with supply and demand, and instances can be reclaimed with two minutes' notice, so it suits applications with flexible start and end times that tolerate interruption.
  4. Dedicated - a physical EC2 host dedicated for your use. Great if you have server-bound licenses to reuse or compliance requirements.
35
Q

What is an instance type?

A

An instance type determines the hardware of the host computer. Each instance type offers different compute, memory, and storage capabilities. These types are grouped in instance families.

36
Q

Name instance types you would select based on application requirements.

A

General purpose (web servers/code repos)

Compute optimized (batch processing, media transcoding, high performance web servers, machine learning)

Memory optimized (large data sets in memory, open-source DBs, real-time big data analytics)

Accelerated computing (machine learning, computational fluid dynamics, autonomous vehicles, speech recognition)

Storage optimized (search engines, data analytics workloads)

37
Q

What are EBS volumes?

A

Elastic Block Store (EBS). Highly available and scalable storage volumes you can attach to an EC2 instance.

38
Q

What are the different types of EBS volumes?

A

For general apps, up to 16,000 IOPS:
gp2 - general purpose SSD
gp3 - latest gen general purpose SSD, and cheaper

For online transaction processing (OLTP), up to 64,000 IOPS:
io1 - provisioned IOPS SSD, 50 IOPS/GiB
io2 - latest gen provisioned IOPS SSD, 500 IOPS/GiB

For up to 256,000 IOPS:
io2 Block Express - for the largest, most critical, high performance apps: SAP HANA, Oracle, Microsoft SQL Server

For big data and data warehousing:
st1 - throughput optimized HDD, 500 MB/s, cannot be a boot volume
sc1 - cold storage HDD, 250 MB/s, cannot be a boot volume

39
Q

What are EBS snapshots?

A

A point-in-time copy of an EBS volume. Great for backing up EBS volumes. You can use a snapshot to create a new EBS volume.

40
Q

If you create a new EBS volume from an encrypted snapshot, then you will get an encrypted volume. True or false?

A

TRUE

41
Q

Describe Application Load Balancers

A

Intelligent load balancing for HTTP/HTTPS at layer 7. Routes requests to a specific target group based on the content of the request, such as the URL path or Host header. For example, a car dealership website that routes requests by department, e.g., sales, service, finance.

42
Q

Describe Network Load Balancers

A

Provides high-performance, layer 4 load balancing for TCP, UDP and TLS traffic, capable of millions of requests per second with very low latency. Most expensive of the options.

43
Q

Describe Classic Load Balancers

A

The legacy option that supports both HTTP/HTTPS (layer 7) and TCP (layer 4).

44
Q

Describe Gateway Load Balancers

A

Provides load balancing for third-party virtual appliances.

45
Q

X-Forwarded-For

A

If you need the IPv4 address of your end user, look for the X-Forwarded-For HTTP header; the load balancer appends the client's address to it. Only trust the value the load balancer added (the rightmost entry): anything already in the header was supplied by the client and can be forged.

46
Q

504 Error

A

Gateway timeout. The application is not responding within the time out. Troubleshoot your application or database server.

47
Q

What is Route 53?

A

Amazon’s DNS service. Allows you to map a domain name to either an EC2 instance, Elastic Load Balancer, or S3 bucket.

48
Q

What is a Hosted Zone in Route 53?

A

A container for DNS records for your domain.

49
Q

What is an Alias in Route 53?

A

Allows you to route traffic addressed to the zone apex, or the top of the DNS namespace e.g. ilovecloud.com, and send it to a resource within AWS, such as an elastic load balancer.

50
Q

What is an A Record in Route 53?

A

Allows you to route traffic to a resource, such as a web server, using an IPv4 address.

51
Q

What is the principle of least privilege?

A

Always give your users the minimum amount of access required to do their job.

52
Q

It is best practice to use groups. True or false?

A

TRUE

It is best practice to create IAM groups and assign your users to groups.

Group permissions are assigned using IAM policy documents.

Your users will automatically inherit the permissions of the group.

53
Q

You can retrieve your secret access key from the AWS console. True or false?

A

FALSE

You will only see your secret access key once, at creation. If you lose it, deactivate or delete that access key and create a new one, then run ‘aws configure’ again.

54
Q

You can temporarily share your access keys to give another developer access. True or false?

A

FALSE

Each developer should have their own access key ID and secret access key. Just like passwords, they should not be shared.

55
Q

Where can you install the AWS CLI?

A

You can install the CLI on your Mac, Linux, or Windows PC. You can also use it on EC2 instances.

56
Q

What is the preferred option from a security perspective to give EC2 instances access to AWS resources like S3?

A

IAM roles. Attach a role to the instance (via an instance profile); the instance obtains short-lived credentials from the instance metadata service, which AWS rotates automatically, so no long-term access keys are stored on the instance.

57
Q

Briefly describe how to provide an EC2 instance access to S3.

A

Create an IAM Role with S3 access, attach the role to the EC2 instance, and now you should be able to access S3 from the EC2 instance.

58
Q

What are the benefits of using roles with EC2 instances?

A
  1. Avoid hard coding your credentials. Roles allow you to provide access without having to manage access key IDs and secret access keys.
  2. Policies control your role’s permissions.
  3. You can update a policy attached to a role, and it will take immediate effect.
  4. You can attach and detach roles to running EC2 instances without having to stop or terminate these instances.
59
Q

You have a WordPress site hosted on EC2 with a MySQL database hosted on RDS. The majority of your traffic is read traffic. There is only write traffic when you create a new blog. One of your blogs has gone viral and your WordPress site is struggling to cope. You check your CloudWatch metrics and notice your RDS instance is at 100% CPU utilization. What two steps should you take to reduce the CPU utilization?

A
  1. Create an ElastiCache cluster and use this to cache your most frequently read blog posts.
  2. Create multiple RDS read replicas and point multiple EC2 instances to these read replicas, thereby spreading the load.
60
Q

What can be used to securely store confidential information like credentials and license codes so that they can be accessed by EC2 instances?

A

Systems Manager Parameter Store

61
Q

A new CIO joins your company and implements a new company policy that all EC2 EBS backed instances must have encryption at rest. What is the quickest and easiest way to apply this policy to your existing EC2 EBS backed instances?

A

Create a snapshot of the instance’s EBS volume. Copy the snapshot with encryption enabled (an existing snapshot cannot be encrypted in place). Create an AMI from the encrypted copy, redeploy the EC2 instance from that AMI, and delete the old instance. To stop new unencrypted volumes from appearing, also turn on EBS encryption by default for the account in each Region.
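Added example (not part of the original flashcards): the check a practitioner would run to find what this policy applies to, covering both the EBS case here and the RDS encryption cards above. It consumes the response shapes of EC2 DescribeVolumes and RDS DescribeDBInstances (what boto3’s ec2.describe_volumes() and rds.describe_db_instances() return), so it can be pointed at live output; the sample data below is constructed.

```python
"""Audit encryption at rest across EBS volumes and RDS instances.

Added example, not from the flashcards. Field names match the real EC2 and
RDS APIs; the sample responses are constructed for the demonstration.
"""
from typing import Dict, List

# Constructed sample responses mimicking describe_volumes() / describe_db_instances().
SAMPLE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-0aaa", "Encrypted": True,
         "Attachments": [{"InstanceId": "i-0web1", "Device": "/dev/xvda"}]},
        {"VolumeId": "vol-0bbb", "Encrypted": False,
         "Attachments": [{"InstanceId": "i-0web1", "Device": "/dev/sdf"}]},
        {"VolumeId": "vol-0ccc", "Encrypted": False,
         "Attachments": [{"InstanceId": "i-0web2", "Device": "/dev/xvda"}]},
        {"VolumeId": "vol-0ddd", "Encrypted": False, "Attachments": []},
    ]
}
SAMPLE_DB_INSTANCES = {
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-prod", "Engine": "mysql", "StorageEncrypted": True},
        {"DBInstanceIdentifier": "reports-legacy", "Engine": "postgres", "StorageEncrypted": False},
    ]
}

UNATTACHED = "(unattached)"


def unencrypted_volumes_by_instance(resp: Dict) -> Dict[str, List[str]]:
    """Map instance ID -> its unencrypted volume IDs (UNATTACHED for loose volumes).

    Grouped by instance because the remediation is per instance (snapshot,
    encrypted copy, AMI, relaunch): every offending volume on an instance
    should be handled in the same rebuild.
    """
    findings: Dict[str, List[str]] = {}
    for vol in resp.get("Volumes", []):
        if vol.get("Encrypted", False):
            continue
        owners = [a["InstanceId"] for a in vol.get("Attachments", [])] or [UNATTACHED]
        for owner in owners:
            findings.setdefault(owner, []).append(vol["VolumeId"])
    return findings


def unencrypted_db_instances(resp: Dict) -> List[str]:
    """RDS instances created without encryption. These cannot be fixed in
    place: snapshot, copy with encryption, restore (see the RDS cards)."""
    return [db["DBInstanceIdentifier"]
            for db in resp.get("DBInstances", [])
            if not db.get("StorageEncrypted", False)]


def audit(volumes_resp: Dict, db_resp: Dict) -> Dict[str, object]:
    """One report for both services; 'compliant' is the pass/fail signal."""
    vols = unencrypted_volumes_by_instance(volumes_resp)
    dbs = unencrypted_db_instances(db_resp)
    return {"ebs": vols, "rds": dbs, "compliant": not vols and not dbs}


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_VOLUMES, SAMPLE_DB_INSTANCES), indent=2))
```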

62
Q

You work for a web analytics firm who have recently migrated their application to AWS. The application sits behind an Elastic Load Balancer and it monitors user traffic to their website. You have noticed that in the application logs you are no longer seeing your users public IP addresses, instead you are seeing the private IP address of the elastic load balancer. This data is critical for your business and you need to rectify the issue immediately. What should you do?

A

Update the application to log the X-Forwarded-For header, which the load balancer populates with the user’s public IPv4 address. Use the address the load balancer appended (the last entry), not whatever the client may have sent in the header itself.
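Added example (not part of the original flashcards), for this card and the X-Forwarded-For card above: how to extract the client address correctly. The load balancer appends the address of the connection it accepted to the end of the header, so anything already present was chosen by the client. The hardened version walks the chain from the right, skips the hops it trusts, and takes the first untrusted one; the naive version beside it is the common mistake. The trusted CIDR and the log lines are constructed placeholders.

```python
"""Recover the real client IP from X-Forwarded-For behind an AWS load balancer.

Added example, not from the flashcards. TRUSTED_PROXY_CIDRS is an assumption
standing in for your own load balancer subnets.
"""
import ipaddress
from typing import List, Optional

# Assumption (illustrative): addresses in these ranges are our own load
# balancer nodes and may be trusted to append honestly. Replace with your VPC CIDRs.
TRUSTED_PROXY_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]


def naive_client_ip(xff_header: str) -> Optional[str]:
    """Vulnerable: trusts the leftmost value, which the client controls."""
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    return hops[0] if hops else None


def client_ip(xff_header: str, peer_ip: str) -> Optional[str]:
    """Hardened: rightmost-untrusted-hop selection.

    xff_header: X-Forwarded-For as received by the application server
    peer_ip:    the TCP peer that connected to the application server
                (the load balancer node), i.e. the implicit last hop
    """
    hops: List[str] = [h.strip() for h in xff_header.split(",") if h.strip()]
    hops.append(peer_ip)
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed hop from an untrusted source: do not guess
        if any(ip in net for net in TRUSTED_PROXY_CIDRS):
            continue  # our own proxy, keep walking left
        return str(ip)
    return None  # chain consisted only of our own proxies


# Constructed sample access-log lines in the form "<peer_ip> <xff header>".
SAMPLE_LOG = [
    "10.0.1.5 203.0.113.9",             # honest client, nothing forged
    "10.0.1.5 1.2.3.4, 203.0.113.9",    # client forged a leading value
    "10.0.1.5 203.0.113.9, 10.0.1.7",   # an extra internal hop (e.g. a proxy tier)
]


def client_ips_from_log(lines: List[str]) -> List[Optional[str]]:
    """Run the hardened extraction over log lines shaped like SAMPLE_LOG."""
    out: List[Optional[str]] = []
    for line in lines:
        peer, _, xff = line.partition(" ")
        out.append(client_ip(xff, peer))
    return out


if __name__ == "__main__":
    for line, ip in zip(SAMPLE_LOG, client_ips_from_log(SAMPLE_LOG)):
        print(f"{line!r:40} -> {ip}   (naive: {naive_client_ip(line.partition(' ')[2])})")
```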

63
Q

You see a “timed out” error when using the AWS CLI to list all the files in an S3 bucket containing thousands of files. What could be the reason for this?

A

Too many results are being returned in a single listing, causing the command to time out. Page through the listing in smaller chunks (the s3 ls command accepts a page-size option) or list a narrower prefix.
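Added example (not part of the original flashcards): what is going on underneath. ListObjectsV2 returns at most 1,000 keys per call and signals more with IsTruncated and a NextContinuationToken, so a large listing is really a chain of requests. FakeS3Client is constructed to stand in for boto3.client("s3") and reproduce that protocol offline; iter_keys() works unchanged against the real client. The bucket name and keys are placeholders.

```python
"""Paginated S3 listing, with a constructed client so it runs offline.

Added example, not from the flashcards. FakeS3Client imitates only the
list_objects_v2 behaviour relevant here.
"""
from typing import Dict, Iterator, List, Optional, Tuple


class FakeS3Client:
    """Stand-in for boto3's S3 client: only list_objects_v2 is implemented."""
    SERVICE_MAX_KEYS = 1000  # S3 never returns more than this per page

    def __init__(self, keys: List[str]) -> None:
        self._keys = sorted(keys)  # S3 lists keys in binary order

    def list_objects_v2(self, Bucket: str, Prefix: str = "", MaxKeys: int = 1000,
                        ContinuationToken: Optional[str] = None) -> Dict:
        matching = [k for k in self._keys if k.startswith(Prefix)]
        start = int(ContinuationToken) if ContinuationToken else 0
        page = matching[start:start + min(MaxKeys, self.SERVICE_MAX_KEYS)]
        end = start + len(page)
        resp: Dict = {"KeyCount": len(page), "IsTruncated": end < len(matching)}
        if page:  # real S3 omits Contents entirely on an empty page
            resp["Contents"] = [{"Key": k, "Size": 0} for k in page]
        if resp["IsTruncated"]:
            resp["NextContinuationToken"] = str(end)
        return resp


def iter_pages(client, bucket: str, prefix: str = "", page_size: int = 1000) -> Iterator[Dict]:
    """Yield each ListObjectsV2 response, following continuation tokens to the end.
    A smaller page_size (the CLI's --page-size) means more, shorter requests,
    which is what keeps any single request from timing out."""
    token: Optional[str] = None
    while True:
        kwargs: Dict = {"Bucket": bucket, "Prefix": prefix, "MaxKeys": page_size}
        if token:
            kwargs["ContinuationToken"] = token
        resp = client.list_objects_v2(**kwargs)
        yield resp
        if not resp.get("IsTruncated"):
            return
        token = resp["NextContinuationToken"]


def iter_keys(client, bucket: str, prefix: str = "", page_size: int = 1000) -> Iterator[str]:
    """Yield every key under prefix, across all pages."""
    for page in iter_pages(client, bucket, prefix, page_size):
        for obj in page.get("Contents", []):  # .get: empty pages carry no Contents
            yield obj["Key"]


def count_keys_and_pages(client, bucket: str, prefix: str = "",
                         page_size: int = 1000) -> Tuple[int, int]:
    """Return (number of keys, number of API calls) for a listing."""
    keys = pages = 0
    for page in iter_pages(client, bucket, prefix, page_size):
        pages += 1
        keys += page.get("KeyCount", len(page.get("Contents", [])))
    return keys, pages


# Constructed sample bucket contents: 2,500 log objects plus one config file.
SAMPLE_KEYS = [f"logs/2024/{i:05d}.gz" for i in range(2500)] + ["config/app.json"]

if __name__ == "__main__":
    client = FakeS3Client(SAMPLE_KEYS)
    for size in (1000, 100):
        print(f"page_size={size}: keys, calls =", count_keys_and_pages(client, "mybucket", "logs/", size))
```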

64
Q

You work for a government contractor who supply services that are critical to national security. Because of this your corporate IT policy states that no multi-tenant virtualization is authorized within the company. Despite this, they are interested in moving to AWS, but they cannot violate corporate IT policy. Which EC2 billing model would you recommend that they use to achieve this?

A

Dedicated Instances.

65
Q

You are the IT manager at a furniture retailer and they are considering moving their web application to AWS. They currently colocate their servers in a co-location facility and the contract for this facility is now coming to an end. Management are comfortable signing a 3 year contract and want to get the cheapest web servers as possible while still maintaining availability. Their traffic is very steady and predictable. What EC2 pricing model would you recommend to maintain availability and to get the lowest cost price available?

A

Reserved Instances.

66
Q

You work for a media production company that streams popular TV shows to millions of users. They are migrating their web application from an in house solution to AWS. They will have a fleet of over 10,000 web servers to meet the demand and will need a reliable layer 4 load balancing solution capable of handling millions of requests per second. What AWS load balancing solution would best suit their needs?

A

Network Load Balancer.

67
Q

In order to enable encryption at rest using EC2 and Elastic Block Store, you must ____.

A

Configure encryption when creating the EBS volume

68
Q

Which of the following EBS volume types gives you SAN performance in the cloud and is suitable for the largest, most critical, high-performance applications?

A

Provisioned IOPS SSD io2 Block Express

69
Q

You work for an online gaming store which has a global worldwide leader board for players of the game. You need to implement a caching system for your leader board that has multiple availability zones in order to prevent an outage. Which ElastiCache solution should you use?

A

Redis

Amazon ElastiCache for Redis supports both Redis cluster and non-cluster modes and provides high availability via support for automatic failover by detecting primary node failures and promoting a replica to be primary with minimal impact. It allows for read availability for your application by supporting read replicas (across availability zones), to enable the reads to be served when the primary is busy with the increased workload.

70
Q

Which of the following is a suitable use case for Provisioned IOPS SSD io2 Block Express EBS volumes?

A

Large mission-critical applications that need SAN-level performance

71
Q

Your company has a web application on AWS. The application computes thousands of algorithms per second and is very CPU and disk intensive. The application runs on a c4.8xlarge, the largest C class instance available. The application stores its data locally on a General Purpose SSD (gp2) disk. Your application starts to perform slow. You check the logs and notice that your disk I/O is routinely reaching 16,000 IOPS. What should you do to remediate the issue?

A

Migrate the EBS volume from General Purpose SSD (gp2) to a Provisioned IOPS SSD (io1/io2) volume, which supports far more IOPS than gp2’s 16,000 ceiling.

72
Q

You have a three-tier web application with a web server tier, application tier, and database tier. The application is spread across multiple availability zones for redundancy and is in an Auto Scaling group with a minimum size of two and a maximum size of ten. The application relies on connecting to an RDS Multi-AZ database. When new instances are launched, they download a connection string file that is saved in an encrypted S3 bucket using a bootstrap script. During a routine scaling event, you notice that your new web servers are failing their health checks and are not coming into service. You investigate and discover that the web server’s S3 read-only role has no policies attached to it. What combination of steps should you take to remediate this problem while maintaining the principle of least privilege?

A
  1. Attach a read-only S3 policy scoped to the configuration bucket to the role (read-only access to that bucket is all the bootstrap script needs).
  2. Leave the healthy instances as they are and allow new instances to come into service after fixing the policy issue.
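Added example (not part of the original flashcards), for this card and the EC2-role cards above: what "least privilege" looks like as policy JSON. It builds the trust policy that lets EC2 assume the role, a permissions policy scoped to one bucket and prefix instead of the AWS-managed AmazonS3ReadOnlyAccess (which grants s3:Get* and s3:List* on every bucket in the account), and a small linter that flags wildcard actions or resources before a policy is attached. Bucket and prefix names are placeholders.

```python
"""Least-privilege IAM policy for an EC2 role that reads one S3 bucket.

Added example, not from the flashcards. Policy grammar follows the IAM
JSON policy language; bucket/prefix values are placeholders.
"""
from typing import Dict, List, Union


def ec2_trust_policy() -> Dict:
    """Who may assume the role: the EC2 service, for instances carrying the profile."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def s3_read_only_policy(bucket: str, prefix: str = "") -> Dict:
    """List + get on exactly one bucket (optionally one prefix, ending in '/')."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    list_stmt: Dict = {
        "Sid": "ListConfigPrefix",
        "Effect": "Allow",
        "Action": ["s3:ListBucket"],
        "Resource": bucket_arn,  # ListBucket is a bucket-level action
    }
    if prefix:
        # Without this condition the role could enumerate every key in the bucket.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
    get_stmt = {
        "Sid": "GetConfigObjects",
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": f"{bucket_arn}/{prefix}*",  # object-level action: bucket/key ARN
    }
    return {"Version": "2012-10-17", "Statement": [list_stmt, get_stmt]}


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _statements(policy: Dict) -> List[Dict]:
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def overbroad_statements(policy: Dict) -> List[str]:
    """One finding per Allow statement that grants more than it names:
    wildcard action ('*' or 'service:*'), resource '*', or NotAction/NotResource."""
    findings: List[str] = []
    for i, st in enumerate(_statements(policy)):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        if any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action"))):
            findings.append(f"{sid}: wildcard action")
        if "*" in _as_list(st.get("Resource")):
            findings.append(f"{sid}: resource '*'")
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"{sid}: NotAction/NotResource grants everything not listed")
    return findings


if __name__ == "__main__":
    import json
    policy = s3_read_only_policy("config-bucket-example", "web/")
    print(json.dumps(policy, indent=2))
    print("findings:", overbroad_statements(policy))
```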

73
Q

Name three types of Elastic Load Balancers.

A

Application Load Balancer
Classic Load Balancer
Network Load Balancer

74
Q

You have an EC2 instance in a single availability zone connected to an RDS instance. The EC2 instance needs to communicate to S3 to download some important configuration files from it. You try the command aws s3 cp s3://yourbucket /var/www/html however you receive an error message. You log in to Identity Access Management (IAM) and discover there is no role created to allow EC2 to communicate to S3. You create the role and attach it to the existing EC2 instance. How fast will the changes take to propagate?

A

Almost immediately.

You can change the permissions on the IAM role associated with a running instance, and the updated permissions take effect almost immediately.

75
Q

You are a developer for a genomics firm that is moving its infrastructure to AWS. Their environment consists of a three-tier web application, a web tier, an application tier and a relational database tier. They have a separate fleet of virtual machines that are used to access large HPC clusters on the fly. Their lab researchers run multiple projects simultaneously and they will need to launch and decommission 1,000’s of nodes on-demand while reducing the time required to complete genomic sequencing from weeks to days. In order to stay competitive they need to do this at as low cost as possible, with no long-term contracts. These HPC clusters can run any time day or night and their workloads store information in S3, so the instances can be terminated at any time without any effect on the data. What is the most COST EFFECTIVE EC2 pricing model for their requirements?

A

Spot Instances

Amazon EC2 Spot Instances let you take advantage of unused EC2 capacity in the AWS cloud and are the lowest cost option for on-demand and short term capacity requirements. As the HPC cluster nodes store the data in S3 the termination of Spot instances will not impact the data processing. Both on-demand and dedicated instances are more expensive than Spot instances, and reserved instances are for long running applications (1 to 3 years) so are not suitable for this HPC cluster scenario.