End of Lecture Questions Flashcards

1
Q

You have attached an Internet Gateway to your VPC, but your EC2 instances still don’t have access to the internet. What is NOT a possible issue?

A

The Security Group does not allow traffic in
Note:
Security groups are stateful and if traffic can go out, then it can go back in.

2
Q

You would like to provide Internet access to your EC2 instances in private subnets with IPv4 while making sure this solution requires the least amount of administration and scales seamlessly. What should you use?

A

NAT Gateway

3
Q

When using VPC Endpoints, what are the only two AWS services that have a Gateway Endpoint available?

A

Amazon S3 & DynamoDB
Note:
These two services have a VPC Gateway Endpoint (remember it); all the other services have an Interface Endpoint (powered by AWS PrivateLink, which means a private IP in your VPC).

4
Q

You have 3 VPCs A, B, and C. You want to establish a VPC Peering connection between all the 3 VPCs. What should you do?

A

Establish 3 VPC Peering connections (A-B, A-C, B-C)

5
Q

How can you capture information about IP traffic inside your VPCs?

A

Enable VPC Flow Logs
Note:
VPC Flow Logs is a VPC feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

6
Q

You need to set up a dedicated connection between your on-premises corporate datacenter and AWS Cloud. This connection must be private, consistent, and traffic must not travel through the Internet. Which AWS service should you use?

A

AWS Direct Connect

7
Q

A web application is hosted on a fleet of EC2 instances managed by an Auto Scaling Group. You are exposing this application through an Application Load Balancer. Both the EC2 instances and the ALB are deployed in a VPC with the CIDR 192.168.0.0/18. How do you configure the EC2 instances’ security group to ensure only the ALB can access them on port 80?

A

Add an Inbound Rule for port 80 with the ALB’s Security Group as the source
Note:
This is the most secure way of ensuring only the ALB can access the EC2 instances. Referencing another security group as the source in a rule is an extremely powerful feature, and many questions at the exam rely on it. Make sure you fully master the concepts behind it!

8
Q

You have a 25 GB file that you’re trying to upload to S3 but you’re getting errors. What is a possible solution for this?

A

Use Multi-Part Upload when uploading files larger than 5 GB
Note:
Multi-Part Upload is recommended as soon as the file is over 100 MB.

9
Q

You’re getting errors while trying to create a new S3 bucket named dev. You’re using a new AWS Account with no S3 buckets created before. What is a possible cause for this?

A

S3 bucket names must be globally unique and dev is already taken

10
Q

You have enabled versioning in your S3 bucket which already contains a lot of files. Which version will the existing files have?

A

null

11
Q

You have updated an S3 bucket policy to allow IAM users to read/write files in the S3 bucket, but one of the users complains that he can’t perform a PutObject API call. What is a possible cause for this?

A

The IAM user must have an explicit DENY in the attached IAM Policy
Note:
Explicit DENY in an IAM Policy will take precedence over an S3 bucket policy.

12
Q

You want the content of an S3 bucket to be fully available in different AWS Regions. That will help your team perform data analysis at the lowest latency and cost possible. What S3 feature should you use?

A

S3 Replication
Note:
S3 Replication allows you to replicate data from one S3 bucket to another in the same or a different AWS Region.

13
Q

You have 3 S3 buckets. One source bucket A, and two destination buckets B and C in different AWS Regions. You want to replicate objects from bucket A to both bucket B and C. How would you achieve this?

A

Configure replication from bucket A to bucket B, then from bucket A to bucket C
Note:
Replications cannot be chained (A to B, then B to C), so each destination must be configured directly from the source bucket.

14
Q

An application hosted on an EC2 instance wants to upload objects to an S3 bucket using the PutObject API call, but it lacks the required permissions. What should you do?

A

Ask an administrator to attach an IAM Policy to the IAM Role on your EC2 instance that authorizes it to do the required API call
Note:
IAM Roles are the right way to provide credentials and permissions to an EC2 instance.

15
Q

You and your colleague are working on an application that’s interacting with some AWS services through making API calls. Your colleague can run the application on his machine without issues, while you get API Authorization Exceptions. What should you do?

A

Compare both your IAM Policy and his IAM policy in AWS Policy Simulator to understand the difference

16
Q

Your administrator launched a Linux EC2 instance and gave you the EC2 Key Pair so you can SSH into it. After getting into the EC2 instance, you want to get the EC2 instance ID. What is the best way to do this?

A

Query the metadata at http://169.254.169.254/latest/meta-data

17
Q

You’re running an application on an on-premises server. The application needs to perform API calls to an S3 bucket. How can you achieve this in the most secure manner?

A

Create an IAM user to be used by the application, then generate IAM credentials and put the credentials into environment variables
Note:
Here, it’s about creating a dedicated IAM user for the application, as using your own personal IAM credentials would blur the lines between actual users and applications. Or, you can run aws configure on the on-premises server.

18
Q

When an IAM role is attached to your EC2 instance, you can retrieve both the IAM role name and the IAM policies attached to the role.

A

False
Note:
You can retrieve the IAM role name attached to your EC2 instance using the Instance Metadata Service, but you cannot retrieve the IAM policies themselves.

19
Q

What is the goal of Exponential Backoff?

A

To increase the delay between retries exponentially, reducing the load on the server by spreading out the requests more as retries increase.

20
Q

This approach helps prevent the server from becoming overwhelmed, allowing it to respond to as many requests as possible, especially when multiple clients are attempting retries simultaneously.

A

Exponential Backoff

21
Q

What is the “AWS CLI Credentials Provider Chain”?

A

The order in which the CLI looks for credentials.

22
Q

What is the “AWS SDK Default Credentials Provider Chain”?

A

The order in which the SDK (the Java SDK, for example) looks for credentials.

23
Q

How can you be notified when there’s an object uploaded to your S3 bucket?

A

S3 Event Notifications

24
Q

You have an S3 bucket that has S3 Versioning enabled. This S3 bucket has a lot of objects, and you would like to remove old object versions to reduce costs. What’s the best approach to automate the deletion of these old object versions?

A

S3 Lifecycle Rules - Expiration Actions

25
Q

How can you automate the transition of S3 objects between their different tiers?

A

S3 Lifecycle Rules

26
Q

While you’re uploading large files to an S3 bucket using Multi-part Upload, there are a lot of unfinished parts stored in the S3 bucket due to network issues. You are not using these unfinished parts and they cost you money. What is the best approach to remove these unfinished parts?

A

Use an S3 Lifecycle Policy to automate the deletion of old/unfinished parts

27
Q

You are looking to build an index of your files in S3, using Amazon RDS PostgreSQL. To build this index, it is necessary to read the first 250 bytes of each object in S3, which contain some metadata about the content of the file itself. There are over 100,000 files in your S3 bucket, amounting to 50 TB of data. How can you build this index efficiently?

A

Create an application that will traverse the S3 bucket, issue a Byte Range Fetch for the first 250 bytes, and store that information in RDS

28
Q

You have a large dataset stored on-premises that you want to upload to an S3 bucket. The dataset is divided into 10 GB files. You have good bandwidth but your Internet connection isn’t stable. What is the best way to upload this dataset to S3 so that the process is fast and avoids any problems with the Internet connection?

A

Use S3 Multi-part Upload & S3 Transfer Acceleration

29
Q

You would like to retrieve a subset of your dataset stored in S3 with the CSV format. You would like to retrieve a month of data and only 3 columns out of 10, to minimize compute and network costs. What should you use?

A

S3 Select

30
Q

Before making API calls against an MFA-protected API, you should use ………….. to get temporary credentials.

A

STS GetSessionToken

31
Q

AWS CLI and AWS SDKs sign API requests for you using your AWS access key. If you’re writing your custom code, you must sign AWS API requests using .…

A

Signature Version 4 (SigV4)

32
Q

Your latest API calls to AWS KMS are being throttled, as you have reached the maximum allowed API calls per second. What should you do?

A

Use Exponential Backoff Strategy

33
Q

AWS CLI requires …………………….. as its runtime.

A

Python

34
Q

AWS CLI uses credentials located in multiple locations and certain locations take precedence over others. Which of the following is the correct order for locations AWS CLI uses to find credentials?

A

Command-Line Options → Environment Variables → EC2 Instance Profile

35
Q

Your client wants to make sure that file encryption is happening in S3, but he wants to fully manage the encryption keys and never store them in AWS. You recommend that he use ..…

A

SSE-C
Note:
With SSE-C, the encryption happens in AWS and you have full control over the encryption keys.

36
Q

A company you’re working for wants their data stored in S3 to be encrypted. They don’t mind the encryption keys being stored and managed by AWS, but they want to maintain control over the rotation policy of the encryption keys. You recommend that they use ……

A

SSE-KMS
Note:
With SSE-KMS, the encryption happens in AWS, and the encryption keys are managed by AWS, but you have full control over the rotation policy of the encryption key. The encryption keys are stored in AWS.

37
Q

Your company does not trust AWS for the encryption process and wants it to happen in the application. You recommend that they use ..…

A

Client-Side Encryption
Note:
With Client-Side Encryption, you have to do the encryption yourself and you have full control over the encryption keys. You perform the encryption yourself and send the encrypted data to AWS. AWS does not know your encryption keys and cannot decrypt your data.

38
Q

You have a website that loads files from an S3 bucket. When you try the URL of the files directly in your Chrome browser it works, but when you try to visit a website with a different domain that tries to load these files it doesn’t. What’s the problem?

A

CORS is wrong
Note:
Cross-Origin Resource Sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain.

39
Q

Which S3 encryption method mandates that you use HTTPS while uploading/downloading objects?

A

SSE-C

40
Q

You have enabled versioning and want to be extra careful when it comes to deleting files on an S3 bucket. What should you enable to prevent accidental permanent deletions?

A

Enable MFA Delete
Note:
MFA Delete forces users to use MFA codes before deleting S3 objects. It’s an extra level of security to prevent accidental deletions.

41
Q

You suspect that some of your employees try to access files in an S3 bucket that they don’t have access to. How can you verify this is indeed the case without them noticing?

A

Enable S3 Access Logs and analyze them using Athena
Note:
S3 Access Logs log all the requests made to S3 buckets and Amazon Athena can then be used to run serverless analytics on top of the log files.

42
Q

You would like all your files in an S3 bucket to be encrypted by default. What is the optimal way of achieving this?

A

Do nothing; Amazon S3 automatically encrypts new objects using Server-Side Encryption with S3-Managed Keys (SSE-S3)

43
Q

You are looking to provide temporary URLs to a growing list of federated users to allow them to perform a file upload on your S3 bucket to a specific location. What should you use?

A

S3 Pre-Signed URL
Note:
S3 Pre-Signed URLs are temporary URLs that you generate to grant time-limited access to some actions in your S3 bucket.

44
Q

You have paid content stored in an S3 bucket. You want to distribute that content globally, so you have set up a CloudFront Distribution and configured the S3 bucket to only exchange data with your CloudFront Distribution. Which CloudFront feature allows you to securely distribute this paid content?

A

CloudFront Signed URL
Note:
CloudFront Signed URLs are commonly used to distribute paid content through dynamically generated signed URLs.

45
Q

You have a CloudFront Distribution that serves your website hosted on a fleet of EC2 instances behind an Application Load Balancer. All your clients are from the United States, but you found that some malicious requests are coming from other countries. What should you do to only allow users from the US and block other countries?

A

Use CloudFront Geo Restriction

46
Q

You have a static website hosted on an S3 bucket. You have created a CloudFront Distribution that points to your S3 bucket to better serve your requests and improve performance. After a while, you noticed that users can still access your website directly from the S3 bucket. You want to force users to access the website only through CloudFront. How would you achieve that?

A

Configure your CloudFront Distribution and create an Origin Access Control, then update your S3 Bucket Policy to only accept requests from your CloudFront Distribution

47
Q

A website is hosted on a set of EC2 instances fronted by an Application Load Balancer. You have created a CloudFront Distribution and set up its origin to point to your ALB. What should you use to provide access to hundreds of private files served by your CloudFront distribution?

A

CloudFront Signed Cookies
Note:
Signed Cookies are useful when you want to access multiple files.

49
Q

<aside>
❕ What does this S3 bucket policy do?

```json
{
  "Version": "2012-10-17",
  "Id": "Mystery policy",
  "Statement": [{
    "Sid": "What could it be?",
    "Effect": "Allow",
    "Principal": {
      "Service": "cloudfront.amazonaws.com"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::examplebucket/*",
    "Condition": {
      "StringEquals": {
        "AWS:SourceArn": "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"
      }
    }
  }]
}
```

</aside>

A

Only allows the S3 bucket content to be accessed from your CloudFront Distribution

50
Q

You have a React Single Page Application hosted on an S3 Bucket and served through CloudFront Distribution. You have made an update to your React application and pushed it to S3, but the old version is still cached at CloudFront, and clients still see the old version. You want the new update to be propagated immediately. What would you do?

A

Use CloudFront Invalidation

51
Q

You are hosting highly dynamic content in an S3 bucket in the us-east-1 region. You want to make this data available with low latency in Singapore’s ap-southeast-1 region. What do you recommend?

A

S3 Cross-Region Replication
Note:
S3 Cross-Region Replication allows you to replicate the data from one S3 bucket in an AWS region to another S3 bucket in another AWS region.

52
Q

Using a CloudFront Distribution, you can cache based on the following, EXCEPT …..

A

HTTP Methods

53
Q

When you’re configuring a CloudFront distribution to use Signed URLs/Cookies, it is recommended to use ……….. signer instead of ……… signer.

A

Trusted Key Group, CloudFront Key Pair

54
Q

You have multiple Docker-based applications hosted on-premises that you want to migrate to AWS. You don’t want to provision or manage any infrastructure, you just want to run your containers on AWS. Which AWS service should you choose?

A

Elastic Container Service (ECS) with Fargate Launch Type
Note:
AWS Fargate allows you to run your containers on AWS without managing any servers.

55
Q

Two of the launch types of ECS are:

A

Amazon EC2 Launch Type and Fargate Launch Type

56
Q

You have an application hosted on an ECS Cluster (EC2 Launch Type) where you want your ECS tasks to upload files to an S3 bucket. Which IAM Role for your ECS Tasks should you modify?

A

ECS Task Role
Note:
The ECS Task Role is the IAM Role used by the ECS task itself. Use it when your container needs to call other AWS services like S3, SQS, etc.

57
Q

You’re planning to migrate a WordPress website running on Docker containers from on-premises to AWS. You have decided to run the application in an ECS Cluster, but you want your Docker containers to access the same WordPress website content such as website files, images, videos, etc. What do you recommend to achieve this?

A

Mount an EFS volume
Note:
An EFS volume can be shared between different EC2 instances and different ECS Tasks. It can be used as persistent multi-AZ shared storage for your containers.

58
Q

You are deploying an application on an ECS Cluster made of EC2 instances. Currently, the cluster is hosting one application that is issuing API calls to DynamoDB successfully. Upon adding a second application, which issues API calls to S3, you are getting authorization issues. What should you do to resolve the problem and ensure proper security?

A

Create an IAM task role for the new application

59
Q

You are migrating your on-premises Docker-based applications to Amazon ECS. You were using Docker Hub Container Image Library as your container image repository. Which alternative AWS service is fully integrated with Amazon ECS?

A

Elastic Container Registry (ECR)
Note:
Amazon ECR is a fully managed container registry that makes it easy to store, manage, share, and deploy your container images. It won’t help in running your Docker-based applications.

60
Q

You have a Classic ECS cluster for which you want to enable IAM roles for your ECS tasks so that they can make API requests to AWS services. Which ECS configuration option should you enable in /etc/ecs/ecs.config?

A

ECS_ENABLE_TASK_IAM_ROLE
Note:
Although this wasn’t discussed during the hands-on, you need to know about that important setting in the “ecs.config” file.

61
Q

You have a CodePipeline pipeline, which contains a build stage that uses AWS CodeBuild. This build stage builds your Docker images and pushes them to Amazon Elastic Container Registry (ECR). The build stage fails with an authorization issue. What is the issue?

A

Double-check your IAM role and permissions for the AWS CodeBuild service
Note:
Any permissions issues against ECR are most likely due to IAM permissions. Your CodeBuild service must have the required permissions to push Docker images to ECR repositories.

62
Q

You are looking to run multiple copies of the same application on the same EC2 instance and expose it with a load balancer. The application is available as a Docker image. You should use ….…

A

Application Load Balancer + ECS
Note:
Thanks to the Dynamic Port Mapping feature.

63
Q

You have a containerized application stored as Docker images in an ECR repository, that you want to run on an ECS cluster. You’re trying to launch two copies of the same Docker container on the same EC2 container instance. The first container successfully starts, but the second container doesn’t. You have checked that there’s enough CPU and RAM on the EC2 container instance. What is the problem here?

A

The host port defined in the task definition
Note:
To enable a random host port, set the host port to 0 (or leave it empty), which allows multiple containers of the same type to launch on the same EC2 container instance.

64
Q

A newly launched EC2 container instance can’t be registered with your ECS cluster. What is NOT a reason for this issue?

A

The security group on the EC2 instance does not allow inbound traffic
Note:
Security Groups do not matter when an EC2 instance registers with the ECS service. By default, Security Groups allow all outbound traffic.

65
Q

You have an ECS cluster where you want to run 4 ECS services. Each ECS service needs to interact with various AWS services. Which of the following is the best practice while giving permissions to these ECS services?

A

Create 4 ECS Task roles and attach them to the relevant ECS Task definition

66
Q

Which ECS Task Placement strategy is the MOST cost-efficient?

A

Binpack

67
Q

Which ECS Task Placement constraint allows you to place each ECS Task on a different EC2 container instance?

A

distinctInstance