Exam Pro Cheat Sheets Flashcards
How does S3 provide high availability?
Replicate data across at least 3 AZs
What size can S3 objects be?
Between 0 Bytes and 5 Terraytes
True or False; S3 Bucket names must be unique across all accounts?
True
What is used to automatically move S3 objects between storage classes and automatically delete based on a schedule?
Lifecycle Managment
True or False; S3 MFA delete requires versioning to be turned on?
True
True or False; you can turn off versioning on S3?
False; once versioning is turned on it cannot be turned off, only suspended
True or False; all new S3 Buckets are private by default?
True
Two ways access is controlled in S3 Buckets?
- Bucket Policies
- Access Control Lists (ACL) (LEGACY)
How are Bucket Policies defined?
Using JSON documents
What is security in transit (S3)?
Uploading files over SSL
What does SSE stand for?
Server Side Encryption
What are the 3 options for S3 server side encryption?
- SSE-AES
- SSE-KMS
- SSE-C
True or False; for CRR in S3, you must have versioning turned on in the source and destination bucket?
True
True or False; using CRR in S3, you can replicate to a bucket in another AWS account?
True
What S3 option provides faster and secure uploads from anywhere in the world using a distinct URL and an Edge Location?
Transfer Acceleration
What are commonly used to access private S3 objects?
Presigned URLs
What 2 ways can you use to generate S3 presigned URLs?
- AWS CLI
- AWS SDK
What provides temporary access to write or download object data in S3
Presigned URLs
6 different S3 storage classes
- Standard
- Intelligent Tiering
- Standard Infrequent Access
- Infrequent Access One Zone
- Glacier
- Glacier Deep Archive
Which S3 tier should you use if you access your files less than once a month?
Standard Infrequently Accessed
What availability is S3 One Zone IA?
99.5%
How long is data retrieval for Glacier?
Minutes to hours
How long is data retrieval for Glacier Deep Archive?
12 hours
What size does Snowballs come in?
- 50TB
- 80TB
What size does Snow Edges come in?
- 100TB
- 100TB clustered
What size does a Snowmobile come in?
100PB
True or False; You can use Snowballs or Snowmobiles to both export and import data?
True
Which member of the Snow family can undertake local processing and edge-computing workloads?
Snowball Edge
3 Snowball Edge device configurations:
- Storage optimised (24 vCPUs)
- Compute optimised (54 vCPUs)
- GPU (54 vCPUs)
Which service helps keep traffic between AWS services within the AWS network?
VPC Endpoints
What are the 2 types of VPC Endpoints?
- Interface Endpoint
- Gateway Endpoint
True or False; Interface Endpoints are free?
False
True or False; Gateway Endpoints are free?
True
Which type of VPC Endpoint uses an Elastic Network Interface (ENI) with Private IP?
Interface Endpoint
Which type of VPC Endpoint is a target for a specific route in your route table?
Gateway Endpoint
True or False; Interface Endpoints support many AWS Services?
True
True or False; Gateway Endpoints support many AWS Services?
False, Gateway Endpoints only support S3 and DynamoDB
Which VPC service monitors the in-and-out traffic of your Network Interfaces within your VPC?
VPC Flow Logs
At which 3 levels can you utilise VPC Flow Logs
- VPC
- Subnet
- Network Interface
True or False; you can change the configuration of a flow log after it’s created?
False
True or False; you cannot enable flow logs for VPCs which are peered with your VPC?
True, unless it is in the same account
Where can VPC Flow Logs be delivered to?
- S3
- CloudWatch Logs
What two pieces of information are contained in VPC Flow Logs?
- Source IP address
- Destination IP address
Which pieces of instance traffic are not monitored by VPC Flow Logs (5)?
- Instance traffic generated by contacting the AWS DNS servers
- Windows license activation traffic
- Traffic between instance metadata address (169.254.169.254_
- DHCP Traffic
- Any traffic to the reserved IP address of the default VPC router
What does NACL stand for?
Network Access Control List
What rules are automatically given to the default NACL?
- Allow all outbound and inbound traffic
True or False; each subnet within a VPC must be associated with a NACL?
True
True or False; subnets can only be associated with 1 NACL at a time?
True, associating a subnet with a new NACL will remove the previous association
True or False; NACLs have inbound and outbound rules?
True
True or False; NACLs can either allow or deny traffic?
True
True or False; NACLs are stateful?
False, NACLs are stateless
What does stateless mean?
Responses to outbound traffic are not automatically allowed, they’re subject to inbound traffic rules. And Vice versa.
What does statefull mean?
Response to outbound / inbound traffic are automatically allowed
True or False; when you create a NACL it will deny all traffic by default?
True
True or False; NACLs contain a numbered list of rules that gets evaluated in order from lowest to highest?
True
True or False; NACLs can be used to block a single IP address?
True, NACLs have both allow and deny rules
What acts as a firewall at the instance level?
Security Groups
True or False; in security groups all inbound traffic is allowed by default?
False, inbound traffic is blocked by default
True or False; in security groups all outbound traffic is allowed by default?
True
Security Groups are stateful or stateless?
Security Groups are statefull
True or False; EC2 instances can belong to multiple security groups?
True
True or False; security groups can contain multiple EC2 instances?
True
True or False; you can block specific IP addresses using Security Groups?
False, you would need to use NACLs to do this
How many Security Groups can you have per region?
10,000 (default 2,500)
How many rules can you have per Security Group?
60 inbound and 60 outbound
How many security groups can be associated with an ENI?
16 (default is 5)
Which AWS service connects on-premise storage to cloud storage?
Storage Gateway
3 types of storage gateways:
- File Gateway
- Volume Gateway
- Tape Gateway
Which type of storage gateway acts as a local file system using NFS or SMB, extending your local hard drive to S3?
File Gateway
Which type of storage gateway is used for backups?
Volume Gateway
What are the two types of Volume Gateway?
- Stored Volume Gateway
- Cached Volume Gateway
Which type of Volume Gateway has the primary data on-premise?
Stored Volume Gateway
Which type of Volume Gateway continuously backs up local storage to S3 as EBS Snapshots?
Stored Volume Gateway
Which type of Volume Gateway has the primary stored on S3?
Cached Volume Gateway
Which type of Volume Gateway cached the frequently used files on-premise?
Cached volume Gateway
How big are stored volumes for Volume Storage Gateway?
1GB to 16TB
How big are cached volumes for Cached Volume Gateway?
1GB to 32GB
Which type of storage gateway backs up virtual tapes to S3 Glacier for long archive storage?
Tape Gateway
True or False; when creating a NAT instance you must disable source and destination checks on the instance?
True
True or False; NAT instances must exist in a private subnet?
False, NAT instances must exist in a public subnet?
True or False; you must have a route out of the private subnet to the NAT instance?
True
True or False; the size of a NAT instance determines how much traffic can be handled?
True
True or False; NAT Gateways are redundant inside an Availability Zone?
True, they can survive failure of an EC2 instance
True or False; you can have multiple NAT Gateways inside an AZ?
False, you can only have 1 NAT Gateway in an AZ, which cannot span AZs
What speeds can a NAT Gateway get?
5 Gbps to 45 Gbps
True or False; when creating a NAT Gateway you must disable source and destination checks on the instance?
False, for NAT Instances this is True
True or False; NAT Gateways are automatically assigned a public IP address?
True
True or False; resources in multiple AZs sharing a Gateway will lose internet access if the Gateway goes down?
True, unless you create a Gateway in each AZ and configure route tables accordingly
Which AWS service is used to manage access to users and resources?
IAM
What does IAM stand for?
Identity Access Management
True or False; new IAM accounts have no permissions by default?
True
3 parts to IAM:
- IAM Users
- IAM Groups
- IAM Roles
What is the name for JSON documents which grant permissions for a specific user, group, or role to access services?
IAM Policies
What is the name for IAM policies provided by AWS and cannot be edited?
Managed Policies
What is the name for IAM policies created by you the customer, which you can edit?
Customer Managed Policies
What is the name for IAM policies which are directly attached to a user?
Inline Policies
Which AWS service would you use when you need to easily add authentication to your mobile and desktop app?
Cognito
What part of AWS Cognito allows users to authenticate using OAuth to IpD such as Facebook, Google, Amazon to connect to web-applications?
User pools
What do Cognito User Pools use to persist authentication?
JWTs (JSON web tokens)
How do Cognito Identity Pools allow access to AWS services?
Using temporary AWS credentials
What does Cognito Sync snyc across devices with one line of code?
User data and preferences
What is OIDC?
A type of Identity Provider which uses OAuth
What is SAML?
A type of Identity Provider which is used for Single Sign-on
What does DNS (Domain Name System) do?
An internet service that converts domain names into routable IP addresses
How many bits are in an IPv4 address?
32 bits
How many bits are in an IPv6 address?
128 bits
Give an example of a top-level domain
amazon.com (the .com)
give an example of a second-level domain
amazon.co.uk (the .co)
What is the name of 3rd party companies who you register domains through?
Domain Registrars
What is a Name Server
The server(s) which contain the DNS records for a domain
What is a Start of Authority (SOA)?
Contains information about the DNS zone and associated DNS records
What does an A record do?
Directly converts a domain name into an IP address
What does a CNAME record do?
Lets you convert a domain name into another domain name
What is Time to Live (TTL)?
The time that a DNS record will be cached for
7 Route53 routing policies:
- Simple Routing
- Weighted Routing
- Latency-Based Routing
- Failover Routing
- Geolocation Routing
- Geo-proximity Routing
- Multi-Value Routing
Which Route53 tool is a visual editor, for chaining routing policies which allows versioning for easy rollback?
Traffic Flow
What is the name of AWS’ smart DNS record that detects changed IPs for AWS resources and adjusts automatically?
AWS Alias Record
What part of Route53 lets you regionally route DNS queries between your VPCs and your network Hybrid Environments?
Route53 Resolver
5 EC2 instance types specialised for different roles?
- General Purpose
- Compute Optimised
- Storage Optimised
- Memory Optimised
- Accelerated Optimised
What EC2 Instance type is ideal for compute bound applications that benefit from high performance processor
Compute Optimised
Which EC2 Instance type provides fast performance for workloads that process large data sets in memory?
Memory optimised
Which EC2 Instance type provide high, sequential read and write access to very large data sets on local storage?
Storage optimised
What allows you to choose the logical placement of your EC2 instance to optimise for communication, performance or durability?
Placement Groups
What is the IP address to get an EC2 instances metadata?
http://169.254.169.254/latest/meta-data
What is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts?
Instance Profile
4 EC2 pricing models:
- On-demand
- Reserved
- Spot
- Dedicated
What provides the information required to launch an instance?
AMI
True or False; AMIs are region specific?
True
True or False; you can copy an AMI into another region using ‘Copy AMI’?
True
What information does an AMI hold?
- A template for the root volume for the instance, eg, an operating system, an application server, and applications
- Launch permissions that control which AWS accounts can use the AMI to launch instances
- A block device mapping that specifies the volumes to attach to the instance when it’s launched
What is the name for a collection of EC2 instances grouped for scaling and management?
Auto Scaling Group
What 3 things are an Auto Scaling Group based on?
- Min
- Max
- Desired Capacity
Which ASG scaling policy scales based on when a target value for a metric is breached?
Target Scaling Policy
Which ASG scaling policy triggers a scaling when an alarm is breached?
Simple Scaling
What does an ASG use to launch a new instance?
Launch Configuration
True or False; Launch Configurations cannot be edited and must be cloned or a new one created?
True
3 types of Elastic Load Balancers?
- Classic Load Balancer
- Network Load Balancer
- Application Load Balancer
What is the minimum number of availability zones for an ELB?
2 AZs min
True or False; ELBs can be cross-region?
False; not cross-region, you must create one per region
What 3 things does an ALB use to route traffic?
- Listeners
- Rules
- Target Groups
What 2 things does an NLB use to route traffic?
- Listeners
- Target Groups
How does the classic load balancer route traffic?
It uses listeners and EC2 instances are directly registered as targets to CLB
What protocols is Network load Balancer for?
TCP / UDP
When is Network Load Balancer used?
For high network throughput, eg. video games
What can be used to get the original IP of incoming traffic passing through an ELB?
X-Forwarded-For (XFF)
Which type of ELB can be attached to a WAF?
ALB
True or False; You can attach Amazon Certification Manager SSL to any of the ELBs for SSL?
True
True or False; ALB has advanced Request Routing rules where you can route based on subdomain header, path and other HTTP(S) information?
True
True or False; sticky sessions can be enabled for CLB and ALB via cookies?
True
What protocol does EFS support?
Network File System version 4 (NFSv4)
How are you charged for EFS?
per GB of storage per month
How large can EFS volumes grow to?
Petabytes
True or False; EFS volumes can grow and shrink to meet current data stored?
True
True or False; EFS can support thousands of concurrent connections?
True
With EFS your data is storage across multiple AZs within a region?
True
True or False; you can mount multiple EC2 instances to a single EFS?
True, as long as they are all in the same VPC
True or False; EFS creates Mount Points in all your VPC subnets so you can mount from anywhere within your VPC?
True
What type of consistency does EFS provide?
Read After Write
True or False; EBS snapshots are incremental?
True
What is a durable, block-level storage device that you can attach to a single EC2 instance?
EBS volume
True or False; EBS Volumes can be modified on the fly, eg, storage type or volume size?
True
What are temporary storage types located on disks that are physically attached to a host machine?
Instance Store Volumes
True or False; EBS volumes can have termination protection?
True
True or False; Snapshots or restored encrypted volumes will also be encrypted?
True
True or False; you can share snapshots that have been encrypted?
False
True or False; unencrypted snapshots can be shared with other AWS accounts or made public?
True
Which AWS service makes a website load faster by serving cached content that is nearby?
CloudFront
True or False; CloudFront Edge Locations are read-only?
False; you can write to them, eg. PUT Objects
What CloudFront features defines how long until the cache expires?
TTL (Time To Live)
How do you force a CloudFront cache to immediately expire?
Invalidate it
True or False; refreshing a CloudFront cache costs money because of transfer costs to update edge locations?
True
Regarding CloudFront, what is the name given to where the original copies of your files reside?
Origin
Regarding CloudFront, what is a collection of edge locations and behaviour on how it should handle your cached content?
Distribution
Two types of CloudFront distributions:
- Web distribution (static website content)
- RTMP (streaming media)
What does OAI stand for?
Origin Identity Access
What does CloudFront use to access private S3 buckets?
OAI (Origin Identity Access)
How can access to cached content in CloudFront be protected?
Signed URLs or Signed Cookies
What CloudFront feature allows you to pass each request through a Lambda to change the behaviour of the response?
Lambda@Edge
6 relational database options for RDS:
- Postgres
- MySQL
- Aurora
- MariaDB
- Oracle
- Microsoft SQL Server
True or False; RDS Multi-AZ automatically synchronises changes in the database over to the standby copy?
True
True or False; RDS Multi-AZ has automatic failover protection?
True, if one AZ goes down failover will occur and the standby slave will be promoted to master
What can be enabled on your RDS database to alleviate the workload of your primary database to improve performance?
Read-replicas
True or False; RDS Read-Replicas use synchronous replication?
False, RDS read-replicas use asynchronous replication
True or False; you must have automatic backups enabled to use Read Replicas?
True
What is the max number of RDS read-replicas you can have?
5
True or False; you can have RDS read-replicas in another region?
True (Cross-Region Read Replicas)
True or False; you can have replicas of read-replicas?
True
What are the 2 types of RDS backup solutions?
- Automated Backups
- Manual Snapshots
What is the retention period for RDS Automated Backups?
Between 1 and 35 days
What is the costs for RDS automated backup storage?
No additional cost
What RDS database is fully-managed, scalable and has automatic backups and high availability?
Aurora
How much faster is Aurora over MySQL and Postgres
- MySQL 5x
- Postgres 3x
How does Aurora replicate your database across different availability zones?
Aurora replicates 6 copies of your database across 3 availability zones
How many replicas can Aurora have?
Aurora allows up to 15 replicas
True or False; an Aurora database can span multiple regions?
True, via Aurora Global Database
What Aurora feature allows you to stop and start Aurora and scale automatically while keeping costs low?
Aurora Serverless
What type of projects is Aurora Serverless ideal for?
New projects or projects with infrequent database usage
What is Redshift
Redshift is a Columnar Store database which can make SQL-like queries and is OLAP
How many data can Redshift handle?
Petabytes worth of data
2 common use cases for Redshift?
- Data warehousing
- Business Intelligence
How many AZs can Redshift run in?
1 (Single-AZ)
True or False; Redshift can run via a single node or multi-node (clusters)?
True
What is the size of a single Redshift node?
160GB
What is the two types of node in Redshift multi-node mode?
- 1 Leader
- Multiple compute nodes
How are you charged for Redshift nodes?
You are billed per hour for each node (excluding leader node - which isn’t charge for)
How many Redshift compute nodes can you have?
128
What are the two types of nodes in Redshift?
- Dense Compute
- Dense Storage
How does Redshift attempt to backup your data?
3 copies:
- the original
- on compute node
- on S3
On Redshift how is similar data stored for faster reads?
Sequentially
Two ways Redshift database can be encrypted?
- AWS KMS
- CloudHSM
Redshift default and maximum backup retention?
- Default is 1 day
- Max is 35 days
True or False; Redshift can asynchronously back up your snapshot to another region via S3?
True
What does Redshift use to distribute queries and data across all loads?
Massively Parallel Processing (MPP)
Which AWS service is a fully-managed NoSQL key/value and document database?
DynamoDB
True or False; DynamoDB scales with whatever read and write capacity per second that you specify?
True
Two types of data consistency in DynamoDB?
- Eventually consistent reads
- Strongly consistent reads
What is DynamoDB Eventually consistent reads?
Data is returned immediately but can be inconsistent. Copies of data will be generally consistent in 1 second
What is DynamoDB Strongly Consistent Reads?
DynamoDB will wait until data is consistent. Data will never be inconsistent but latency will be higher. Copies of data will be consistent with a guarantee of 1 second
How does DynamoDB store copies of data?
IT stores 3 copies of data on SSD drives across 3 regions
Two formats that CloudFormation template can be written in?
- JSON
- YAML
What happens when CloudFormation encounters an error?
It will rollback with ‘ROLLBACK_IN_PROGRESS’
Max size of CloudFormation template for direct upload?
51,200 bytes / 0.05 MB
How can large CloudFormation templates be imported?
Via an S3 bucket
What helps you break up CloudFormation templates into smaller reuseable templates that can be composed into larger templates?
NestedStacks
What must be defined in a CloudFormation template for it to be valid?
At least one resource
In CloudFormation what is MetaData used for?
Providing extra information about your template
CloudWatch is a collection of monitoring services. Name 5 of these services:
- Dashboards
- Events
-Alarms - Logs
- Metrics
What does CloudWatch logs do?
Log data from AWS services, eg. CPU Utilisation
What does CloudWatch Metrics do?
Represents a time-ordered set of data points, a variable to monitor, eg. CPU utilisation over time
What does CloudWatch Events do?
Trigger an event based on a condition, eg. every hour take a snapshot of the server
What do CloudWatch Alarms do?
Triggers notifications based on metrics when a defined threshold is breached
What does CloudWatch dashboard do?
Creates visualisations based on metrics
How often does CloudWatch monitor services?
- EC2 every 5 minutes or every 1 minute for detailed monitoring
- Most other services monitor at 1 minute intervals
Installing a CloudWatch Agent on an EC2 instance allows you to track which 2 metrics?
- Memory usage
- Disk size
True or False; CloudWatch Custom Metrics allow you to track High Resolution Metrics a sub minute intervals all the way down to 1 second?
True
What does CloudTrail do?
CloudTrail logs calls between AWS services
What 4 key terms relate to CloudTrail?
- Governance
- Compliance
- Operational auditing
- Risk auditing
What AWS service do you use when you need to know who to blame?
CloudTrail
CloudTrail’s Event History covers events for the previous how many days?
90
In CloudTrail, what does Log File Validation do?
Ensure log have not been tampered with
What can you use to encrypt CloudTrail logs?
KMS
True or False; CloudTrail logs can be streamed to CloudWatch logs?
True
Where are CloudTrail Trails outputed to?
An S3 bucket that you specify
CloudTrail logs; two kinds of events?
- Management events
- Data events
What do CloudTrail management events log?
Management operations, eg. AttachRolePolicy
What do CloudTrail Data Events log?
Data operations for resources, eg. GetObject, DeleteObject, PutObject
True or False; CloudTrail management events are disabled by default when creating a trail?
False, management events are enabled, data events are disabled
Which AWS service can be used to analyse CloudTrail Trail logs?
Athena
Max AWS Lambda runtime?
15 minutes
How are you charged for Lambda usage?
Pay per invocation (the duration and the amount of memory used). The first 1m requests per month are free
Max AWS Lambda memory?
3008 MB
True or False; by default Lambdas run in no VPC?
True
How many concurrent functions can lambda scale to?
1,000 as default (more with AWS service limit increase)
Which AWS service lets you decouple services and allows apps to talk to each other
SQS
Is SQS push or pull based?
Pull
Two types of SQS queues
- Standard
- FIFO
How many messages per second using SQS Standard queue?
Nearly unlimited
Does SQS Standard queue guarantee order of delivery?
No
How many times is a SQS Standard Queue message delivered?
At least once, you must protect against duplicate message being processed
What is the limit of a SQS FIFO queue?
300
What are the 2 types of SQS queue polling?
- Short polling
- Long polling
What is SQS short polling?
Returns message immediately, even if the message queue being polled is empty
What is SQS long polling?
Long polling waits until message arrives in the queue, or the long poll timeout expires
Generally, which is preferred, short or long polling?
Long polling
What is SQS visibility time-out?
The period of time that messages are invisible in the SQS queue
What is the default SQS visibility time-out?
30 seconds
What is the range of SQS visibility timeouts, min and max?
- Min = 0 seconds
- Max = 12 hours
What is the range that SQS can retain messages?
- min = 60 seconds
- max = 14 days
- default = 4 days
What is the range of SQS message size?
1 byte to 256 bytes
Which AWS service is a managed in-memory caching service?
ElastiCache
What are the 2 types of caches that ElastiCache can launch?
- Memcached
- Redis
Which type of ElastiCache is a simple key / value store preferred for caching HTML fragments?
Memcache
Which type of ElastiCache has richer data types and operations. Is great for leaderboards, geospatial data or keeping track of unread notifications
REdis
What type of info are usually stores in a cache?
The most frequently accessed identical queries
True or False; resources only within the same VPC may connect to ElasticCache to ensure low latencies
True
Which AWS service handles the deployment, from capacity provisioning, load balancing, auto-scaling to application health monitoring?
Elastic Beanstalk
When should you use Elastic Beanstalk?
When you want to run a web-application but you don’t want to have to think about the underlying infrastructure
True or False; Elastic Beanstalk is recommended for production environments?
False, it is recommended for test or development environments, not production
True or False; you can run dockerised environments on Elastic Beanstalk?
True
What is API Gateway?
API Gateway is a solution for creating secure APIs in your cloud environment at any scale
How many requests per second is API Gateway throttled at?
10,000 requests per second (can be increased via service request)
In API Gateway what allows you to have multiple published versions of your API?
Stages
True or False; CORS can be enabled on all or individual endpoints?
True, CORS (cross origin resource sharing)
How can you require authorisation to your API Gateway endpoints?
- AWS Cognito
- Custom lambda
What is Amazon Kinesis?
It’s the AWS solution for collecting, processing and analysing streaming data in the cloud
Which AWS service should you think of when you need ‘real-time’?
Kinesis
How long does data persist for in AWS Kinesis?
24 hours (default) to 168 hours
What is Kinesis Firehose?
Pay for only data ingested, data immediately disappears once processed
What is Kinesis Data Analytics?
Allows you to perform queries in real-time. Needs a Kinesis Data Stream/Firehose as the input and output
What is Kinesis Video Analytics?
Securely ingests and stores video and audio encoded data to consumers such as SageMaker, Rekognitio or other services to apply Machine Learning and video processing
