Exam Review Flashcards
True or False: Instances in the standby state are not a part of the ASG?
False. Standby instances do not handle application traffic and are not health-checked or replaced while in standby, but they remain part of the ASG. When you move an instance to standby you choose whether to decrement the desired capacity by one; if you do not, the ASG launches a replacement.
What is Amazon Aurora Global Database?
Designed for globally distributed applications: a single Aurora database spans multiple AWS Regions. Storage-based replication typically lags by under a second and does not impact the performance of the primary cluster.
It consists of one primary DB cluster in a primary Region and up to five secondary Regions, each with read-only replicas; a secondary Region can be promoted for disaster recovery.
What is Amazon GuardDuty?
Amazon GuardDuty is a threat detection service that uses machine learning and threat intelligence feeds to analyze CloudTrail management events, CloudTrail S3 data events, VPC Flow Logs and Route 53 DNS query logs for signs of compromise, for example leaked credentials being used from an unusual location or an instance talking to a known malicious domain
What is Amazon Inspector?
Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for software vulnerabilities and unintended network exposure. Amazon Inspector automatically discovers and scans running Amazon EC2 instances, container images in Amazon Elastic Container Registry (Amazon ECR), and AWS Lambda functions
What is a permissions boundary?
A permissions boundary is an advanced IAM feature: you attach a managed policy (AWS managed or customer managed; inline policies cannot be used) to an IAM user or role, and it sets the maximum permissions that principal can have. A boundary never grants permissions on its own; the effective permissions are the intersection of the identity-based policies and the boundary. It is commonly used to let developers create roles for their workloads without being able to escalate beyond the boundary.
What is the rate limit of requests per second in an S3 bucket?
S3 itself scales to very high request rates, but the guidance is per prefix: at least 3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix. Spreading hot keys across multiple prefixes scales the rate further.
We host files in S3 buckets for our customers, why would it be a bad idea to have a bucket for each customer?
Bucket names must be globally unique, so names may already be taken and provisioning becomes a manual exercise; the application would also need a separate connection string for each bucket, and there is a per-account quota on the number of buckets. Use a per-customer prefix in a shared bucket, with IAM or bucket policies scoped to each prefix, instead.
What would be the major advantage of EFS over S3?
EFS is a POSIX-compliant network file system (NFS) that many EC2 instances can mount at the same time, so it fits workloads that need shared file semantics (directories, in-place writes, file locking), for example a cluster of application servers. S3 is object storage accessed over HTTP and offers none of those file-system semantics.
What is consolidated billing?
It allows you to track and manage spending across multiple accounts in an AWS Organization from the management (payer) account, with a single bill and volume discounts shared across the accounts
What services does AWS savings plan cover?
Compute Savings Plans cover EC2, Lambda and Fargate usage (EC2 Instance Savings Plans cover EC2 only)
How many messages can you batch together for SQS?
10 messages is the max for both standard and FIFO
How many messages per second can FIFO queue support when you batch?
3,000 messages per second per queue when batching 10 messages (the maximum) per API operation: the FIFO quota is 300 API operations per second, so 10 messages x 300 operations = 3,000 messages per second (high throughput mode for FIFO queues raises this further)
What is AWS Direct Connect?
Direct Connect lets you establish a dedicated private network connection from your on-premises network to a Direct Connect location, and from there to your VPCs and to public AWS services, bypassing the public internet
Why would you use AWS Direct Connect plus site-to-site VPN?
Direct Connect is a private link but is not encrypted by default; running a site-to-site IPsec VPN over it adds encryption in transit while keeping the lower latency and higher, more consistent bandwidth of Direct Connect. A VPN over the internet is also commonly kept as the failover path if the Direct Connect link goes down
Does RDS multi-az provide synchronous or async capabilities? What about Read Replicas?
Multi-AZ uses synchronous replication to a standby in a different AZ of the same Region (for availability, not for reads); read replicas use asynchronous replication and can be in the same AZ, a different AZ or a different Region (for read scaling)
We need to order and replay records in a data pipeline, should we use Kinesis Data Streams or Firehose?
Kinesis Data Streams: records are ordered within a shard and are retained (24 hours by default, up to 365 days), so consumers can replay them. Firehose delivers each record to its destination and keeps no replayable stream
You need real time processing of data, would you use SQS or Kinesis Streams?
Kinesis Data Streams; it is also the better choice when several applications must consume the same data concurrently, since each stream record can be read by multiple consumers, whereas an SQS message is consumed by one consumer and then deleted
What is RDS Custom?
RDS Custom (available for Oracle and SQL Server) lets you customize the database environment and the underlying operating system, with access to the host
Standard RDS does not give access to the DB server host or OS
What is S3 Transfer Acceleration?
It uses CloudFront edge locations to ingest uploads: data is sent to the nearest edge location and from there travels over Amazon's optimized backbone to the S3 bucket in the target Region, which helps most for long-distance uploads
True or False: Kinesis Data Firehose can write directly into Lambda
False. Firehose delivers to destinations such as S3, Redshift, OpenSearch, Splunk and HTTP endpoints; Lambda is used by Firehose only to transform records in flight, not as a destination
What is AWS FSx for Windows?
A fully managed native Windows file server (SMB protocol, Active Directory integration) in AWS that scales with your needs. On-premises clients can also reach it through Amazon FSx File Gateway
We need to upload files to S3 faster, what should we use: Transfer Acceleration or Global Accelerator?
S3 Transfer Acceleration.
Global Accelerator uses AWS edge locations and anycast static IP addresses as the entry point to Amazon's network, giving faster and more consistent application access and response times. It fronts ALBs, NLBs, EC2 instances and Elastic IPs and works at the TCP/UDP level
True or False: we can apply a retention period to an object version
True, and we must supply the Retain Until Date (in either governance or compliance mode)
True or False: We cannot apply Object Lock to different object versions
False. Object Lock retention periods and legal holds are applied per object version, so different versions of the same object can have different settings
When should we choose between Snowball and Snowmobile?
Snowmobile is for datasets larger than about 10 PB (it is a truck-sized 100 PB appliance); Snowball Edge is for datasets under 10 PB or spread across multiple locations
A Snowball Edge Storage Optimized device stores up to 80 TB of usable capacity (newer models offer more), and several devices can be used in parallel
How does CloudFront work?
When a user requests content, they are routed to the nearest edge location. If the edge location has the object cached, it serves it; otherwise it fetches it from the origin (S3, ALB, EC2 or any custom HTTP server), returns it to the user and caches it for subsequent requests until the TTL expires.
Traffic between edge locations and the origin travels over the AWS backbone network
True or False: CloudFront can use a Route 53 DNS record as an origin
False. A Route 53 record is not an origin type; origins are S3 buckets or HTTP(S) servers (ALB, EC2, custom servers). Route 53 is used the other way round: an alias record points your domain name at the distribution
How can we block requests from specific countries using AWS WAF?
Add a rule with a geographic match (geo match) statement and a BLOCK action to the web ACL: it matches requests by the country of the source IP, so we can restrict access based on the viewer's location. (CloudFront also has its own geo restriction feature for whole distributions)
Which is better for improving performance over TCP/UDP: CloudFront or Global Accelerator?
Global Accelerator. CloudFront only speaks HTTP(S), while Global Accelerator proxies any TCP or UDP traffic, so it is the fit for non-HTTP use cases (gaming, VoIP, MQTT) and for workloads that need static entry IP addresses
What is DynamoDB Accelerator (DAX)?
DAX is a fully managed in-memory cache in front of DynamoDB that delivers up to a 10x read performance improvement (milliseconds down to microseconds) without changing application logic beyond swapping in the DAX client
We need a high-performance file system where files can be accessed rapidly and that can easily integrate with S3. What can we use?
FSx for Lustre. We use it for workloads where speed matters, such as machine learning, high performance computing, video processing and financial modeling. It can be linked to an S3 bucket so that objects appear as files and results can be written back to S3
What is Amazon EMR?
EMR is a managed cluster platform that simplifies running big data frameworks like Hadoop and Spark
What is the difference in pricing between ECS (with EC2) and ECS Fargate?
ECS on EC2 charges for the EC2 instances and EBS volumes you provision, whether or not the containers fully use them
Fargate charges per second for the vCPU and memory that the containerized tasks request, with no instances to manage
How many concurrent executions per account does Lambda support?
- 1,000 concurrent executions per Region per account by default (a soft limit)
- Past that, you need to request a quota increase through Service Quotas or AWS Support; reserved and provisioned concurrency are allocated out of this pool
What content types skip the regional edge cache in CloudFront?
Proxy methods (PUT/POST/PATCH/OPTIONS/DELETE) go directly from the edge location to the origin, bypassing the regional edge cache
Dynamic content, as determined at request time (for example a cache behavior with a zero TTL or a Cache-Control: no-cache response), is also not cached in the regional edge cache
For our application, we do not want to provide our own encryption keys but do want to maintain an audit trail of the when the encryption key was used and by whom. What do we use?
SSE-KMS. The keys live in KMS (an AWS managed key, or a customer managed key that you create but whose material you do not supply), and every use of the key is recorded in CloudTrail with the caller identity. SSE-S3 gives no per-key audit trail, and SSE-C would mean providing our own keys
We accidentally deleted a key in AWS KMS, what can we do?
Keys in KMS are not deleted immediately: ScheduleKeyDeletion puts the key into a pending-deletion waiting period of 7 to 30 days (30 by default), during which the key cannot be used but the deletion can be reverted with CancelKeyDeletion. Once the period ends the key material is gone and data encrypted under it is unrecoverable, so alarm on the ScheduleKeyDeletion CloudTrail event
What is the difference between AWS Storage Gateway - Volume Gateway vs AWS Storage Gateway - File Gateway?
Volume Gateway presents block storage over iSCSI (cached or stored volumes, backed up to AWS as EBS snapshots); File Gateway presents a file share over NFS or SMB whose files are stored as objects in S3
Storage Gateway is AWS's hybrid cloud storage option, connecting on-premises applications to cloud storage
When does the user data on an EC2 execute?
At the first boot of the instance, once per launch by default (run by cloud-init on Linux or EC2Launch on Windows); it does not re-run on later reboots unless configured to
True or False: Scripts entered as EC2 user data are executed with root user privileges
True. On Linux the script runs as root, and user data can also be read by any process on the instance from the instance metadata service, so treat it as trusted configuration and never put secrets in it
What is AWS Transit Gateway?
Transit Gateway is a fully managed hub-and-spoke service for connecting VPCs, site-to-site VPNs and Direct Connect gateways, without provisioning virtual appliances or a mesh of VPC peerings
No VPN overlay is needed and AWS manages high availability and scalability; route tables on the gateway control which attachments can reach each other
If we are doing big data workloads on EC2 and need it to be highly available would we use partition or spread placement group?
Partition. A partition placement group splits the instances into logical partitions that sit on separate racks, so a rack failure affects only one partition; this matches big-data systems such as HDFS, HBase, Cassandra and Kafka that replicate across partitions. A spread placement group puts each instance on its own rack but is limited to 7 instances per AZ, so it suits a handful of critical instances rather than a large cluster
What is AWS Data Sync?
It is an online data transfer service that moves data quickly and securely between on-premises storage (NFS, SMB, HDFS, object storage) and AWS services such as S3, EFS and FSx, or between AWS services; the DataSync agent can also run on a Snowcone. Data is encrypted in transit and integrity-checked after transfer
Transfers data online over the network, unlike the Snow family devices
Why would you use an S3 VPC endpoint?
It gives resources in a private subnet a path to S3 without a NAT gateway or internet gateway
Traffic stays on the AWS network and never traverses the public internet; the endpoint policy and the bucket policy (with an aws:SourceVpce condition) can then restrict which buckets may be reached and which endpoint may be used
True or False: Objects uploaded to an S3 bucket are owned by the up-loader and not the bucket owner
Historically true: by default an S3 object was owned by the AWS account that uploaded it, even when the bucket belonged to another account, which left bucket owners unable to read objects written by other accounts. With the Object Ownership setting "Bucket owner enforced" (the default for new buckets since April 2023) ACLs are disabled and the bucket owner owns every object regardless of who uploaded it.
True or False: RDS read replicas improve both scalability and availability
False. They improve read scalability but not availability: replication is asynchronous and there is no automatic failover, although a replica can be manually promoted to a standalone instance for disaster recovery. Multi-AZ is the availability feature.
What is the health check grace period for ASG?
HealthCheckGracePeriod is how long the ASG waits after an instance enters the InService state before it starts evaluating its health, giving the instance time to boot and warm up (300 seconds by default)
Does an ASG use the ELB health check?
Not by default; the ASG uses EC2 status checks. You can set the health check type to ELB so that instances failing the load balancer's health check are also marked unhealthy and replaced
What is the difference between Cognito User Pools and Identity Pools?
User Pools are for authentication: sign-up, sign-in, MFA and federation with social or SAML providers, returning JWTs. Identity Pools are for authorization: they exchange an identity (from a user pool or another provider) for temporary AWS credentials via STS so the client can call AWS services directly
What is the difference between AWS PrivateLink and Direct Connect?
PrivateLink provides private connectivity from a VPC to AWS services or third-party services through interface endpoints, so traffic never leaves the AWS network or traverses the public internet. Primarily used for security and network isolation
Direct Connect is a dedicated physical link from on-premises into AWS; it is private but not encrypted by default (run a VPN over it, or use MACsec where supported). Primarily used for low-latency, higher-bandwidth use cases
True or False: You can move from Snowball straight to S3 Glacier
False. Snowball imports into S3 only; land the data in a regular S3 storage class such as Standard, then use a lifecycle policy to transition it to Glacier
We need to ensure cross-account control and user-level control on an S3 bucket, should we use ACLs, Bucket policies or IAM policies
Bucket policies: they are resource-based, accept principals from other accounts and can name individual IAM users or roles, so we get both account-level and user-level control
ACLs can grant to other accounts but not to individual users, and AWS no longer recommends them (they are disabled by default on new buckets)
IAM identity policies give user-level control but only for principals in the same account; cross-account access still needs the bucket policy to allow the foreign principal
Which are costlier, dedicated hosts or instances
Dedicated Hosts. A Dedicated Host reserves an entire physical server and gives you control over how instances are placed on it (useful for bring-your-own-license software tied to sockets or cores); Dedicated Instances only guarantee that the hardware is not shared with other accounts
True or False: We can directly integrate Cognito Authentication via Cognito User Pools with a CloudFront distribution
False. CloudFront has no native Cognito integration; we would need a Lambda@Edge (or CloudFront Functions) handler on the viewer request to validate the Cognito JWT, or redirect unauthenticated viewers to the Cognito hosted UI
You want to share specific resources in one AWS account with another for low cost and can scale. What should we use?
AWS Resource Access Manager (RAM). It lets you share resources across accounts and control the permissions on them. RAM is available at no additional charge (you pay only for the shared resources themselves), so it is also cheap
We could use VPC peering, but each account pair would need its own peering connection to manage, which costs more and does not scale well
Transit Gateway would cost more (per attachment and per GB processed)
True or False: To grant a Lambda cross-account access to an S3 bucket, we need to give the Lambda the proper IAM execution role
False. The function's execution role must allow the S3 actions, and the bucket policy in the other account must also allow the execution role's ARN: for cross-account access both sides have to grant it
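The permissions boundary, bucket policy vs ACL vs IAM policy, and Lambda cross-account cards above all come down to how IAM combines policy documents. The Python below is an added illustration, not AWS code: a simplified evaluator run over constructed sample policies (the account IDs, role name and bucket name are made up). It ignores Condition blocks, NotAction/NotResource, SCPs and session policies.

```python
"""Simplified model of how IAM combines an identity-based policy, a permissions
boundary and a resource-based (bucket) policy.  Added illustration, not the AWS
evaluator: no Condition blocks, NotAction/NotResource, SCPs or session policies.
All ARNs, account IDs and policy documents below are constructed."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """Does this statement's Action/Resource cover the request? Supports '*' globs."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", "*"))
    return any(fnmatchcase(action, a) for a in actions) and \
        any(fnmatchcase(resource, r) for r in resources)


def _principal_matches(stmt, principal_arn):
    """Resource policies name principals; '*' means anyone (a public bucket)."""
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    return any(p in ("*", principal_arn) for p in _as_list(principal.get("AWS", [])))


def evaluate_policy(policy, action, resource, principal_arn=None):
    """Return 'Deny', 'Allow' or None (implicit deny) for one policy document.
    An explicit Deny wins over any Allow in the same document."""
    result = None
    for stmt in policy.get("Statement", []):
        if principal_arn is not None and not _principal_matches(stmt, principal_arn):
            continue
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result


def account_of(arn):
    return arn.split(":")[4]


def is_allowed(principal_arn, action, resource, identity_policy,
               boundary=None, resource_policy=None, resource_account=None):
    """Combine the three policy types.  Explicit Deny anywhere wins.  Otherwise:
    - identity side = identity policy allows AND (no boundary OR boundary allows)
    - resource side = resource policy names the principal and allows
    - same account: either side suffices; cross-account: both sides must allow."""
    identity = evaluate_policy(identity_policy, action, resource)
    bound = evaluate_policy(boundary, action, resource) if boundary else "Allow"
    res = (evaluate_policy(resource_policy, action, resource, principal_arn)
           if resource_policy else None)
    if "Deny" in (identity, bound, res):
        return False
    identity_side = identity == "Allow" and bound == "Allow"
    resource_side = res == "Allow"
    if resource_account in (None, account_of(principal_arn)):
        return identity_side or resource_side
    return identity_side and resource_side


# Constructed sample: a Lambda execution role in account 111111111111 reading a
# bucket owned by account 222222222222.
LAMBDA_ROLE = "arn:aws:iam::111111111111:role/LambdaExec"
BUCKET_ACCOUNT = "222222222222"
OBJECT_ARN = "arn:aws:s3:::customer-files/acme/report.pdf"

IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::customer-files/*"}]}

# The boundary caps the role at read-only S3 even though the identity policy allows PutObject.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}

BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": LAMBDA_ROLE},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-files/*"}]}


def cross_account_get(with_bucket_policy=True):
    return is_allowed(LAMBDA_ROLE, "s3:GetObject", OBJECT_ARN, IDENTITY_POLICY,
                      BOUNDARY, BUCKET_POLICY if with_bucket_policy else None,
                      BUCKET_ACCOUNT)


def cross_account_put():
    return is_allowed(LAMBDA_ROLE, "s3:PutObject", OBJECT_ARN, IDENTITY_POLICY,
                      BOUNDARY, BUCKET_POLICY, BUCKET_ACCOUNT)


if __name__ == "__main__":
    print("GetObject, both sides allow :", cross_account_get())        # True
    print("GetObject, no bucket policy :", cross_account_get(False))   # False
    print("PutObject, capped by boundary:", cross_account_put())       # False
```

Running it shows the two rules the cards state: cross-account GetObject succeeds only when both the execution role's policy and the bucket policy allow it, and PutObject fails even though the identity policy grants it, because the boundary caps the role at s3:Get*.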
What must we configure in a Site-to-Site VPN?
A Virtual Private Gateway (or Transit Gateway) on the AWS side, and a Customer Gateway resource that describes the on-premises VPN device (its public IP address and BGP ASN); the on-premises device then brings up the two IPsec tunnels
What is a VPC endpoint?
A VPC endpoint enables a private connection between a VPC and supported AWS services or PrivateLink-powered endpoint services, using private IP addresses and without an internet gateway, NAT or VPN. Gateway endpoints (S3, DynamoDB) are route-table entries; interface endpoints are ENIs with private IPs in your subnets
What is the difference between AWS Database Migration Service and AWS Glue?
DMS moves entire datasets and schemas between databases in a managed fashion, almost point and shoot, with optional continuous replication (change data capture) to keep the target in sync
Glue is a serverless ETL service and is more involved: crawlers and a data catalog for discovery, transformation scripts, and loading into the target
AWS Glue is not for database migrations
What is the difference between an SQS delay queue and a visibility timeout?
Visibility timeout applies after a message has been received: it hides the message from other consumers for a period so the consumer can process and delete it; if it is not deleted in time it becomes visible again and is redelivered. A delay queue applies on send: new messages are hidden from all consumers for the delay period after they are enqueued
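As an added example (not from the original notes, and not an SQS client): a toy queue with a simulated clock that reproduces the delay-queue and visibility-timeout behaviour described above, plus a redrive to a dead-letter queue after a constructed maxReceiveCount.

```python
"""Toy model of SQS timing semantics, driven by a simulated clock (added example,
not an SQS client).  DelaySeconds hides a NEW message from every consumer for N
seconds after SendMessage; VisibilityTimeout hides a RECEIVED message from other
consumers until it is deleted or the timeout expires, after which it is redelivered.
That redelivery is why SQS is at-least-once and consumers must be idempotent."""
from dataclasses import dataclass
import itertools


@dataclass
class Message:
    id: str
    body: str
    visible_at: float      # simulated time at which the message can be received
    receive_count: int = 0


class ToyQueue:
    def __init__(self, delay_seconds=0, visibility_timeout=30, max_receive_count=None):
        self.delay_seconds = delay_seconds
        self.visibility_timeout = visibility_timeout
        self.max_receive_count = max_receive_count   # None: no redrive policy / DLQ
        self.dead_letter = []
        self._messages = {}
        self._ids = itertools.count(1)

    def send(self, body, now):
        """Enqueue; in a delay queue the message is invisible until now + delay."""
        mid = f"m{next(self._ids)}"
        self._messages[mid] = Message(mid, body, visible_at=now + self.delay_seconds)
        return mid

    def receive(self, now, max_messages=10):
        """Return up to max_messages visible messages (10 is the SQS batch maximum)
        and hide each returned message for visibility_timeout seconds."""
        out = []
        for m in list(self._messages.values()):
            if len(out) == max_messages:
                break
            if m.visible_at > now:
                continue            # still delayed, or held by another consumer
            m.receive_count += 1
            if self.max_receive_count and m.receive_count > self.max_receive_count:
                del self._messages[m.id]      # redrive policy: move to the DLQ
                self.dead_letter.append(m)
                continue
            m.visible_at = now + self.visibility_timeout
            out.append(m)
        return out

    def delete(self, mid):
        """Consumers must delete after processing, or the message comes back."""
        self._messages.pop(mid, None)


def timeline():
    """One message through a queue with DelaySeconds=5 and VisibilityTimeout=30.
    Returns how many messages a consumer sees at each probe time."""
    q = ToyQueue(delay_seconds=5, visibility_timeout=30)
    mid = q.send("order-42", now=0)
    probes = {}
    probes[0] = len(q.receive(now=0))     # 0: delay queue still hides it
    probes[5] = len(q.receive(now=5))     # 1: delay over, consumer A receives it
    probes[10] = len(q.receive(now=10))   # 0: consumer B cannot see it (visibility timeout)
    probes[35] = len(q.receive(now=35))   # 1: A never deleted it, so it is redelivered
    q.delete(mid)
    probes[70] = len(q.receive(now=70))   # 0: deleted, gone for good
    return probes


if __name__ == "__main__":
    print(timeline())   # {0: 0, 5: 1, 10: 0, 35: 1, 70: 0}
```

The probe at t=35 is the case worth remembering: a consumer that crashes (or just runs longer than the visibility timeout) without deleting the message causes a second delivery, so either extend the timeout with ChangeMessageVisibility or make processing idempotent.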
True or False: Schema Conversion Tool and Database Migration Service are the same service
Not exactly. The AWS Schema Conversion Tool (SCT) is a companion tool to DMS: SCT converts the source schema and database code to the target engine, and DMS then migrates the data. DMS also offers a built-in DMS Schema Conversion feature, which is why the two are often grouped together
True or False: EFS supports SMB protocol
False. EFS supports NFS (v4.0/4.1) only; for SMB use FSx for Windows File Server
True or False: NAT gateways can exist in multiple AZs
False for a single gateway: a NAT gateway is tied to one AZ and cannot span AZs. For high availability deploy one NAT gateway per AZ and point each AZ's private route table at its local gateway, so an AZ outage does not take out egress from the other AZs
We want to reduce the price of our SQS usage, what can we use?
Long polling (ReceiveMessage with WaitTimeSeconds up to 20): it cuts down on empty receives, so fewer billed API calls; batching send, receive and delete calls (up to 10 messages each) also helps
If we have files that are larger than 1GB in S3 and they need to be delivered, what can we do?
For files larger than 1 GB, use S3 Transfer Acceleration together with multipart upload (multipart is recommended above 100 MB and required above 5 GB)
True or False: Terminated instances cannot be recovered.
True. (Instance recovery is a different thing: when EC2 automatically recovers an impaired instance, the recovered instance is identical to the original, including the instance ID, private IP addresses, Elastic IP addresses and all instance metadata.)
True or False: if your instance has a public IPv4 address, it retains the public IPv4 address after recovery.
True (recovery moves the instance to new hardware but keeps its identity and addresses)
True or False: You can copy AMI across Regions but not across accounts
False. You can copy an AMI across Regions, and you can share an AMI with another account (or make it public) so that account can copy it; for an encrypted AMI the KMS key must be shared as well
What is the difference between an Internet Gateway and a VPC Gateway Endpoint?
An Internet Gateway gives a subnet a route to the internet (for instances with public IPs), whereas a VPC Gateway Endpoint gives resources in subnets a private route to S3 or DynamoDB without using a NAT instance/gateway or an Internet Gateway
True or False: NAT Gateway supports port forwarding
False. A NAT Gateway does not support port forwarding (nor security groups or bastion use); a NAT instance, being a normal EC2 instance, can be configured for port forwarding
True or False: An Application Load Balancer can be assigned an Elastic IP
False. An ALB only gets a DNS name; if you need static IPs, put a Network Load Balancer (which supports Elastic IPs) or Global Accelerator in front of it
What is the best service option when trying to decouple a monolithic application into microservices
SQS: queues between components let each service produce and consume asynchronously, absorbing load spikes and failures in one service without affecting the others; SNS or EventBridge fit when one event must fan out to several services
What is AWS VPN CloudHub?
VPN CloudHub uses a single Virtual Private Gateway with multiple Customer Gateways to provide hub-and-spoke connectivity between multiple sites over site-to-site VPN connections
True or False: AWS File Gateway can move files to EFS
False. File Gateway stores files as objects in S3 (from where lifecycle policies can move them); it does not write to EFS
What is VPC Sharing?
VPC sharing, done through Resource Access Manager, lets multiple AWS accounts in the same Organization create their resources in subnets of a centrally managed VPC; you share subnets, NOT the VPC itself
True or False: An Internet Gateway ID can be a custom source in a security group
False. Security group rules accept IPv4/IPv6 CIDR blocks, prefix list IDs and other security group IDs as sources, not an Internet Gateway ID
What is Cross-Zone Load Balancing?
With Cross-Zone Load Balancing enabled, each load balancer node distributes traffic across the registered targets in all enabled AZs, so every target gets an equal share; when it is disabled, each node only sends traffic to targets in its own AZ, so targets in the AZ with fewer instances each receive a larger share. (Enabled by default on ALB, disabled by default on NLB)
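Added example (not part of the original notes) that computes the per-target share for a constructed fleet of 2 targets in one AZ and 8 in another. The model assumes DNS splits client traffic evenly across the load balancer nodes (one per enabled AZ) and that each node splits its share evenly across the targets it may route to; that even split is a simplification.

```python
"""Per-target traffic share with cross-zone load balancing on and off.
Added example with a simplifying model: DNS sends an equal share of traffic to
each load balancer node (one per AZ), and each node spreads its share evenly
over the targets it is allowed to route to.  AZs with no healthy targets are
dropped from the node set."""
from fractions import Fraction


def per_target_share(targets_per_az, cross_zone):
    """targets_per_az: {az_name: number of healthy targets}.
    Returns {az_name: fraction of total traffic that each single target in that AZ gets}."""
    azs = {az: n for az, n in targets_per_az.items() if n > 0}
    if not azs:
        raise ValueError("no healthy targets anywhere")
    node_share = Fraction(1, len(azs))
    if cross_zone:
        # every node can reach every target, so the fleet is one flat pool
        total = sum(azs.values())
        return {az: Fraction(1, total) for az in azs}
    # each node only reaches its own AZ's targets
    return {az: node_share / n for az, n in azs.items()}


def imbalance(targets_per_az, cross_zone):
    """Ratio between the busiest and the least busy target; 1 means perfectly even."""
    shares = per_target_share(targets_per_az, cross_zone).values()
    return max(shares) / min(shares)


if __name__ == "__main__":
    # Constructed fleet: 2 targets in one AZ, 8 in the other.
    fleet = {"us-east-1a": 2, "us-east-1b": 8}
    for flag in (True, False):
        shares = {az: float(s) for az, s in per_target_share(fleet, flag).items()}
        print(f"cross_zone={flag}: {shares}, imbalance={float(imbalance(fleet, flag)):.2f}x")
```

With cross-zone off, each of the two targets in us-east-1a carries 25% of all traffic while each target in us-east-1b carries 6.25%, a 4x imbalance; with it on, every target carries 10%.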
True or False: you cannot create a CNAME record for the top node (zone apex) of a DNS namespace
True: example.com cannot be a CNAME to www.example.com. Use a Route 53 alias record instead, which works at the apex and can point at an ELB, CloudFront distribution or S3 website
Which service can we consume concurrently, Kinesis Streams or Firehose?
Kinesis Data Streams: multiple consumers can read the same records (with enhanced fan-out each consumer gets its own dedicated throughput); Firehose delivers each record only to its configured destination
You need to set up a consistent resource provisioning process across AWS Organization departments so that each resource is pre-defined. What can we use?
CloudFormation StackSets: they let you create, update or delete stacks across multiple accounts and Regions with a single operation, so every department gets the same predefined resources, and service-managed permissions can target Organizational Units directly