Everything Flashcards

1
Q

What is a Lambda Authorizer for an API Gateway?

A

A token-based Lambda authorizer (also called a TOKEN authorizer) receives the caller’s identity in a bearer token, such as a JSON Web Token (JWT) or an OAuth token. For an example application, see Open Banking Brazil - Authorization Samples on GitHub.

A request parameter-based Lambda authorizer (also called a REQUEST authorizer) receives the caller’s identity in a combination of headers, query string parameters, stageVariables, and $context variables.

For WebSocket APIs, only request parameter-based authorizers are supported.

2
Q

What are the types of EC2 Instance pricing tiers?

A

on demand:
Anytime, any amount, pay as you go
spot:
Marketplace for excess compute; steep discount, but instances can be terminated at any time
reserved:
Reserved instances and savings plans; discounts in exchange for committing to payment by contract

3
Q

What is a multi-tenant EC2?

A
4
Q

DynamoDB V.S. RDS?

A
5
Q

How would you collect info from an on-prem setup to inform a migration plan?

A
6
Q

What is an OU in AWS organizations?

A

Logical grouping of AWS accounts. OUs can be organized hierarchically, with policies applied at a higher level of the hierarchy applying to all accounts beneath them. This includes restricting access to services and limiting the scope of the policies that IAM users/roles in the OU's accounts can have.

7
Q

What is an AWS Organization?

A

The globally accessible AWS service that allows logical grouping of AWS accounts under one master (management) account. Accounts can be organized into different trees of OUs, each with its own restrictions on access to AWS services and IAM policy rules.

Billing is consolidated for the organization and visible at the account level.

8
Q

What is an Elastic IP address?

A
9
Q

What does a NAT Gateway allow?

A
10
Q

What does an Internet Gateway allow?

A
11
Q

What is VPC peering?

A
12
Q

What is the relationship between VPCs and AWS accounts?

A
13
Q

What is AWS FSx?

A
14
Q

What is AWS Transit Gateway?

A
15
Q

What is AWS Direct Connect?

A
16
Q

AWS Route 53?

A
17
Q

AWS application discovery service?

A
18
Q

AWS Security Hub?

A

AWS Security Hub provides you with a comprehensive view of your security state in AWS and helps you assess your AWS environment against security industry standards and best practices.

Security Hub collects security data across AWS accounts, AWS services, and supported third-party products and helps you analyze your security trends and identify the highest priority security issues.

Sends alerts for certain vulnerabilities through Amazon EventBridge.

19
Q

What is AWS Cloudtrail?

A

An event in CloudTrail is the record of an activity in an AWS account. This activity can be an action taken by an IAM identity or by a service that CloudTrail can monitor. CloudTrail events provide a history of both API and non-API account activity made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. There are three types of events that can be logged in CloudTrail: management events, data events, and CloudTrail Insights events. By default, trails log management events, but not data or Insights events.

management events:
Management events provide information about management operations that are performed on resources in your AWS account, e.g. changing config rules.

data events:
Data events provide information about the resource operations performed on or in a resource.

Insights events:
CloudTrail Insights events capture unusual API call rate or error rate activity in your AWS account by analyzing CloudTrail management activity.

20
Q

AWS Identity and Access Management Access Analyzer?

A

Cross-account IAM user access analytics and state.

21
Q

Amazon Macie

A

ML-based cross-account data security analyzer.

22
Q

What is a heterogeneous database migration?

A

heterogeneous migration: A migration from source databases to target databases where the source and target databases are of different database management systems from different providers.

23
Q

AWS Schema Conversion Tool

A

The AWS Schema Conversion Tool (AWS SCT) makes heterogeneous database migrations predictable by automatically converting the source database schema and a majority of the database code objects, including views, stored procedures, and functions, to a format compatible with the target database.

24
Q

AWS Database Migration Service (AWS DMS)

A

At a basic level, AWS DMS is a server in the AWS Cloud that runs replication software. You create a source and target connection to tell AWS DMS where to extract data from and where to load it. Next, you schedule a task that runs on this server to move your data. AWS DMS creates the tables and associated primary keys if they don’t exist on the target. You can create the target tables yourself if you prefer. Or you can use AWS Schema Conversion Tool (AWS SCT) to create some or all of the target tables, indexes, views, triggers, and so on.

25
Q

RDS Proxy

A

By using Amazon RDS Proxy, you can allow your applications to pool and share database connections to improve their ability to scale. RDS Proxy makes applications more resilient to database failures by automatically connecting to a standby DB instance while preserving application connections.

26
Q

How best to back up data in EC2 EBS volumes?

A

EBS snapshots managed by Amazon Data Lifecycle Manager

27
Q

VPC Route Table Concepts

A

Destination: the address range (CIDR) that the route matches, i.e. where the IP packets are headed
Target: the next hop that forwards the packet, e.g. local, Internet Gateway (IG), Transit Gateway, etc.

28
Q

AWS Resource Manager

A
29
Q

AWS CloudFormation StackSets

A

AWS CloudFormation StackSets extends the capability of stacks by enabling you to create, update, or delete stacks across multiple accounts and AWS Regions with a single operation. Using an administrator account, you define and manage an AWS CloudFormation template, and use the template as the basis for provisioning stacks into selected target accounts across specified AWS Regions.

30
Q

What is S3 Object Lock?

A

S3 Object Lock blocks permanent object deletion during a customer-defined retention period so that you can enforce retention policies as an added layer of data protection or for regulatory compliance.

31
Q

S3 Intelligent-Tiering?

A

Amazon S3 Intelligent-Tiering is the only cloud storage class that delivers automatic storage cost savings when data access patterns change, without performance impact or operational overhead.

32
Q

Amazon Route 53 private hosted zone

A

A set of records allowing a domain hosted within a VPC to be resolved and routed according to routing rules.

33
Q

S3 transfer acceleration

A

Amazon S3 Transfer Acceleration is a bucket-level feature that enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket. Transfer Acceleration takes advantage of the globally distributed edge locations in Amazon CloudFront. As the data arrives at an edge location, the data is routed to Amazon S3 over an optimized network path.

34
Q

AWS Global Accelerator

A

AWS Global Accelerator is a networking service that improves the performance of your users’ traffic by up to 60% using Amazon Web Services’ global network infrastructure. When the internet is congested, AWS Global Accelerator optimizes the path to your application to keep packet loss, jitter, and latency consistently low.

35
Q

S3 cross region replication

A

To automatically replicate new objects as they are written to the bucket, use live replication, such as Cross-Region Replication (CRR). To replicate existing objects to a different bucket on demand, use S3 Batch Replication. For more information about replicating existing objects, see When to use S3 Batch Replication.

36
Q

How to do canary deployments with lambda?

A

Traffic shifting with Lambda aliases, using weighted traffic proportions between function versions.

37
Q

VPCE

A

An interface VPC endpoint (interface endpoint) allows you to connect to services powered by AWS PrivateLink. These services include some AWS services, services hosted by other AWS customers and Partners in their own VPCs (referred to as endpoint services), and supported AWS Marketplace Partner services. The owner of the service is the service provider, and you, as the principal creating the interface endpoint, are the service consumer.

AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet. AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify your network architecture.

Interface VPC endpoints, powered by AWS PrivateLink, connect you to services hosted by AWS Partners and supported solutions available in AWS Marketplace. By powering Gateway Load Balancer endpoints, AWS PrivateLink brings the same level of security and performance to your virtual network appliances or custom traffic inspection logic.

38
Q

AWS PrivateLink

A

An interface VPC endpoint (interface endpoint) allows you to connect to services powered by AWS PrivateLink. These services include some AWS services, services hosted by other AWS customers and Partners in their own VPCs (referred to as endpoint services), and supported AWS Marketplace Partner services. The owner of the service is the service provider, and you, as the principal creating the interface endpoint, are the service consumer.

AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet. AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify your network architecture.

Interface VPC endpoints, powered by AWS PrivateLink, connect you to services hosted by AWS Partners and supported solutions available in AWS Marketplace. By powering Gateway Load Balancer endpoints, AWS PrivateLink brings the same level of security and performance to your virtual network appliances or custom traffic inspection logic.

39
Q

AWS Service Catalog

A

Platform that allows users to deploy specific resource sets (products), but only those sets. An access management platform.

40
Q

What is a service control policy as it relates to an AWS organization?

A

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization. SCPs help you to ensure your accounts stay within your organization’s access control guidelines. SCPs are available only in an organization that has all features enabled. SCPs aren’t available if your organization has enabled only the consolidated billing features. For instructions on enabling SCPs, see Enabling and disabling policy types.

SCPs alone are not sufficient to grant permissions to the accounts in your organization. No permissions are granted by an SCP. An SCP defines a guardrail, or sets limits, on the actions that the account’s administrator can delegate to the IAM users and roles in the affected accounts. The administrator must still attach identity-based or resource-based policies to IAM users or roles, or to the resources in your accounts, to actually grant permissions. The effective permissions are the logical intersection between what is allowed by the SCP and what is allowed by the IAM and resource-based policies.

41
Q
A