Exams 1 & 2 Flashcards

1
Q

Collect key-value data every 1 minute. Process and store with high availability.

A

Lambda plus DynamoDB; ElastiCache was wrong, maybe Kinesis too?

Need more info, but the data is not streaming at 2 MB per sec, which is a hint for not Kinesis.

Lambda, DynamoDB

2
Q

Millions of requests per sec. Network Load Balancer with many EC2 instances in a public subnet. NLB configured with targets that are instance IDs. What IP does the NLB use?

A

NLB uses the private IP of the instance, not the public one.

3
Q

What kind of policy gives users access to buckets in different accounts?

A

S3 bucket policies work cross-account, not IAM policies.

Memorise: a bucket filled with scriptures or policy documents, old books.

4
Q

Permissions for Lambda to access S3, how-to steps.

A

Create an
* IAM role for the Lambda function,
* grant access to the bucket,
* set the role as the Lambda execution role,
* make sure the bucket policy also grants access to the Lambda function.

Memorise: bucket with policy, role documents, Lambda, and an executioner.

5
Q

Agency stores re-creatable assets in S3, large number of users for the first few days, and access falls off a lot after one week. Must be immediately accessible. Suggest a cost-optimised solution.

A

Lifecycle policy to transition to S3 One Zone-IA after 30 days, which is the minimum.

6
Q

How to automatically reboot EC2 if it has problems?

A

CloudWatch alarms can automatically reboot EC2 directly, nothing else needed. CloudWatch alarms can also send messages to SNS and Lambda.

7
Q

Best database that is multi-region and transactional?

A

Aurora Global Database, compatible with MySQL and PostgreSQL.

8
Q

Reads causing high IO in an Aurora Multi-AZ setup. What do you do?

A

Set up read replicas in Multi-AZ. They share the data volume with the primary writable DB.

9
Q

To access SQS over the internet, what is the best way?

A

VPC (interface) endpoint, not an internet gateway, not a VPC gateway endpoint, which only works for S3 and DynamoDB.

10
Q

Secure access to an RDS database (any). What do you do?

A

The database will be in a subnet; use SSL access. Not IAM security, not security groups, not NACLs.

11
Q

Parallel and high-performance processing of massive volumes of hot data and cold data. Hot data is processed and stored quickly, cold data kept for reference and quick access. What solution?

A

FSx for Lustre high-performance computing file system connected to S3, which presents objects as files in FSx. Hot data can be processed in parallel and fast.

12
Q

High-frequency trading system wants to read objects just after writing them, in near real time. How will that work with S3?

A

S3 will always return the latest version of the object. Hard to believe, but memorise.

13
Q

Data streaming at high volumes, what is the max throughput option?

A

Kinesis Data Streams enhanced fan-out with 2 MB per shard, per consumer. Standard is 2 MB per shard.

Standard: ingest 1 MB per shard, output 2 MB per shard.
Enhanced fan-out will output 2 MB per shard per consumer, with multiple consumers possible. Before this, engineers would create multiple streams to get throughput.

14
Q

SQS needs to move from standard to FIFO, how?

A

Create a new FIFO queue, named with .fifo (mandatory). Delete the old queue.
Queues can handle 3000 per second with batching, 300 per second on demand, no batching.

Memorise: 300 people in a queue for ice cream, 10 x in groups, per second… clock ticking tick tick.

15
Q

Users need to log in with API Gateway and the Application Load Balancer (ALB), how?

A

Cognito User Pools; user logins work with API Gateway and ALB. Not Identity Pools. (bad name)

16
Q

Difference between a NAT instance and a NAT gateway?

A

GW is managed by AWS, instance by you.
Bandwidth of GW up to 100 Gbps, instance depends on type.

Memorise: NAT(ure) is 100 percent good.

Cost of GW depends on use, instance depends on EC2.
Things in common:
Elastic IP address attached
Private IP address from subnet
Use NACL to control traffic in/out of subnet
CloudWatch

17
Q

What services are supported by VPC gateway endpoints?

A

S3 and DynamoDB; all other services support VPC interface endpoints.

Memorise: gateway with a giant bucket filled with blue Dye(namo) in water in the bucket.

18
Q

Blue/green (active / inactive) test deployment, what services are best for this?

A

Global Accelerator can send a portion of traffic to one deployment. Elastic LB can’t do this.

Memorise: blue-green superman suit or rocket; superman is the Global Accelerator flying around the world. Global Accelerator is multi-region and multi-AZ, rocket splits in 2 directions.

19
Q

Can Global Accelerator handle UDP traffic?

A

True. CloudFront cannot, only HTTP and RTMP.

Memorise: Global Accelerator is the blue-green rocket ship flying around the world. Can split traffic, or route based on rules. UDP (user datagram proto)? Gamers inside the rocket.

20
Q

Company with one VPC and Direct Connect to HQ. VPN to branches. What solution allows branches to talk to each other, HQ and AWS?

A

VPN CloudHub.
A VPC endpoint will not allow branches to talk to one another.
VPC peering does allow VPCs to talk to each other, but not branches.

Different to Transit Gateway, which is good for many (hundreds of) VPCs connected together.

Memorise: shopping mall in the clouds, with private connections to earth.

21
Q

What is user data in EC2?

A

Runs scripts and init tasks on launch by default, and at boot time if configured.
Executed as root.
16 KB max size before base64 encoding.
CloudFormation is more powerful, but user data can be simpler.

22
Q

What is an IAM permissions boundary?

A

Add it to an IAM permissions policy and the intersection is the effective permissions. (Not the union, meaning that permissions that intersect or match are used.)
Policy can’t be greater than the boundary.

Memorise with a Venn diagram, intersection of 2 circles. (….(.xxx) ….)

23
Q

When EC2 is terminated, what happens to EBS root volumes?

A

EBS root volumes are also terminated.

24
Q

How to use server-bound software licences in AWS?

A

EC2 Dedicated Hosts, not reserved instances.

25
Q

‘Amazon Kinesis’ questions placeholder.

A

When worded like this, it can mean any form of Kinesis, including Data Streams, Firehose, Analytics.
Differences between each type….
Firehose can invoke Lambda to transform.
Data Streams can capture many sources with manual work; Firehose can use the same sources as Data Streams. See other slides.

26
Q

What is AWS Macie?

A

Macie looks for S3 issues with PII, unencrypted buckets, access controls, IAM gaps…; in S3, Macie looks for this activity using ML.
GuardDuty monitors:
VPC Flow Logs
DNS logs
CloudTrail logs
Kubernetes (EKS) audit logs

27
Q

How to make an app (App LB, auto scaling group, Aurora) more resilient to periodic spikes?

A

CloudFront = ONE correct answer.
Aurora read replica, option two.
(Maybe a data cache? But not in the question.)

Memorise: CloudFront, a cold front shaped like a sharp wedge.

28
Q

About Lambda, brain dump.

A

Incorrect - bigger deployment package, slower Lambda to start - not true. Backed up by an independent blog. Weird. Java and .NET 100 times slower than Python or JS.
Lambda operates from an AWS-owned VPC and can access the public internet or public AWS APIs, like DynamoDB.
**When Lambda is VPC-enabled it no longer has public access** and will need a route through a NAT gateway in a public subnet to access public resources.
Use Lambda layers for reusable code between functions.
Yes, you can package a Lambda function in ECS container images, new. (I got this wrong.)
Best practice - set up a CW alarm for concurrent executions or invocations over a threshold.
Max run time 15 min.

29
Q

What config is available in the VPC console wizard?

A

PUB, PRIV, NAT, VPN, CIDR

VPC with a single public subnet
VPC with public and private subnets and site-to-site VPN
VPC with public and private subnets and NAT
CIDR rules for the above.

NOT SUPPORTED: VPC with public and private subnets and site-to-site VPN. ?? Weird.

30
Q

Delays in processing video uploads to S3, what to do?

A

USE multipart upload and S3 Transfer Acceleration (S3TA). Speed increase of 50 to 500%. For long distances and larger objects. Shortens the upload path for remote locations. Routes transfers through CloudFront edge locations.

Memorise: Transfer Acceleration, a different rocket ship that transfers cargo in buckets with baggage handlers to other rockets in clouds. Not a Global Accelerator rocket.

31
Q

I want to transfer one PB of data in S3 from us-west to us-east, what is the best way?

A

Can’t use Snowball.
Use S3 Batch Replication – plus S3 sync copy.

  • Sync all the new or changed objects, only current versions if the bucket is versioned.
  • Batch Replication copies existing objects, not changes or new ones. This is why both are needed.

Memorise: batches of buckets, on pallets on a ship. Copy sync, the ship has a giant kitchen sink.

Sync can be used from an on-prem device directory. - True but not relevant.

32
Q

Most efficient way to connect up to thousands of VPCs and on-prem VPN / Direct Connect networks, without VPC peering?

A

Transit Gateway, more efficient than VPC peering.

Memorise: transit lounge, Virgin lounge. Thousands of private clouds in the lounge. Different to CloudHub, which is a shopping mall in the clouds.

33
Q

Interaction between NACL and security groups in a VPC for requests?

A

NACL is stateless, security group is stateful; therefore it knows to allow the response to a request out (due to the session) regardless of rules. NACL needs a rule.

34
Q

Subnet masks, what do /8, /16, /24 mean?

A

/32 = 1 IP address = 2^0 (2^(32 - 32))
/31 = 2 IP addresses = 2^1
/30 = 4 IP addresses = 2^2 (2^(32 - 30))
/24 = 256 IP addresses = 2^8

/8 means the last 3 octets are available: 10.x.x.x
/16 means the last 2 octets are available: 10.0.x.x
/24 means the last octet is available: 10.0.0.x

35
Q

What services can subscribe to SNS, and how many topics and subscribers?

A

Total 7 services.
Human subscribers (M E S)
* Emails
* SMS and
* mobile push

AWS services (F H Q L – f**ing hot in Queensland)
* SQS
* HTTP endpoints on EC2 made to spec
* Lambda
* Kinesis Firehose

12.5 million subscribers
100,000 topics.

Throughput is 10 - 20 per sec for SMS or email, but some questions say unlimited, and the Lambda threshold of 1000 per sec is the problem. Be careful.

36
Q

SQS message visibility timeout, what is it?

A
  • After a message is polled by a consumer, it becomes invisible to other consumers
  • By default, the “message visibility timeout” is 30 seconds
  • That means the message has 30 seconds to be processed
  • After the message visibility timeout is over, the message is “visible” in SQS
  • If a message is not processed within the visibility timeout, it will be processed twice
  • A consumer could call the ChangeMessageVisibility API to get more time
  • If the visibility timeout is high (hours), and the consumer crashes, re-processing will take time
  • If the visibility timeout is too low (seconds), we may get duplicates

37
Q

Live streaming video from Europe into the USA. Only users in the US can live stream, other countries denied. Must enforce.

A

Use geo restriction in CloudFront to prevent users in specific locations.
Use a Route 53 geolocation routing policy to restrict distribution of content to only the locations specified.
Do not use a Route 53 weighted routing policy, which lets you associate domains with weighted routing, more for LB.

38
Q

S3 for customer uploads. Scalability issues, uploads failing during peaks of 5000 requests per second. What is the most resource- and cost-efficient way to solve this?

A

Create customer-specific custom prefixes within a single bucket, then upload daily files into the prefixed locations.
S3 can handle:
3,500 PUT/COPY/POST/DELETE requests
5,500 GET/HEAD requests
**PER SECOND PER PREFIX**
NO limits to the number of prefixes in a bucket. Use this to increase performance with parallelised reads. With 10 prefixes we could get 55,000 reads per sec.
Therefore the prefix becomes like a shard in Kinesis. (my logic)

INCORRECT: change to use EFS.

39
Q

Logistics, multi-tier app, location of trucks. Data points must be accessible in real time in an analytics platform via REST API.

A

API Gateway plus Kinesis Data Analytics.
Use Kinesis DA with Apache Flink to transform and analyse streaming data in real time.
Kinesis DA for logs, clickstream, IoT, ad tech, gaming.
Streaming ETL, continuous metrics, real-time analytics, interactive querying of data streams.
This combo can handle 50 GB running storage per Kinesis processing unit.

API Gateway - publish, monitor, secure APIs at scale. HTTP, REST, WebSocket APIs.

INCORRECT - QuickSight with Redshift,
API Gateway with Lambda, Athena with S3.

40
Q

Healthcare, PII data, encrypted in S3. Encryption keys in AWS, not on prem. Wants an audit trail of keys. What kind of encryption?

A

Server-side encryption: SSE-KMS

No audit trail on these, therefore not:
SSE-S3
SSE-C
Not client-side encryption.

41
Q

Security recommendations for the AWS root user account?

A

Create a strong password
Enable MFA on root

Not!! Create user access keys and share them with the business owner. Not recommended, unless as a last resort.

42
Q

Dynamic retail website, on-prem data centre in the USA, launching the website in Asia for new users, wants to optimise website loading times.

A

CloudFront with a custom origin pointing to the on-prem servers. Global network of edge caches.

Do not migrate to S3 because the site is dynamic. Route 53 does not cache. Route 53 with geoproximity routing to the US would not speed up requests.

43
Q

Audit reports created 2 x per year, hundreds of TB, need millisecond latency. Which storage class?

A

S3 Standard-Infrequent Access (IA).

Not Intelligent-Tiering; IA has “lower per GB storage price and GB retrieval”.
Glacier is a possibility, not sure why it was not in the answer.
Deep Archive has minutes to hours retrieval.

44
Q

Ecomm company, documenting the process flow to provision EC2 instances via the API, used for an internal HR app. What volume types can’t be used as a boot volume?

A

Cold HDD sc1 (tick)
Throughput Optimised st1, also HDD. So HDDs are not boot volumes.

INCORRECT, therefore can be used for boot volumes:
* instance store
* Provisioned IOPS SSD io1 and io2
* SSD gp2 and gp3

Memorise: Instagram store, Io Jupiter moon 1, grand prix 2 on the moon.

HDD-backed volumes are throughput (MiB/s) optimised for large streaming workloads, compared with IOPS-optimised SSD, which is number of ops.

45
Q

What are the supported lifecycle transitions for S3 tiers?

A

From top to bottom, a higher tier can transition to any lower tier, not in reverse.

    1. Standard
    2. Standard-Infrequent Access (IA)
    3. Intelligent-Tiering
    4. One Zone-IA (skips Glacier Instant)
    5. Glacier (Instant, then Flexible)
    6. Glacier Deep Archive

46
Q

Financial services co. using GuardDuty to analyse account metadata for compliance. Wants to stop GuardDuty. Must delete all GD data.

A

GuardDuty: threat detection; monitor and protect accounts, workloads, data in S3. Monitors streams from CloudTrail events, VPC Flow Logs, DNS logs. Integrated threat intelligence from IP addresses and ML.

Correct: disable GD in general settings. Deletes all data.
Incorrect - suspend does not delete; deregister does not exist.

GuardDuty memorise - trail, VPC flow, domains: a guard beside a river (flow), a walking trail, with a fenced domain.

47
Q

Telecom company, thousands of network devices, real-time status data fed (streamed) into a comms app for notifications. Simultaneously, another app needs to stream the same data. Which solution?

A

Kinesis Data Streams has the ability for multiple apps to consume the same stream concurrently.
Supports ordered data, real-time processing.
Stores data for up to 1 year.

Not SNS and/or SQS or Simple Email Service.

48
Q

Data analytics app is at peak when EC2 instances have 50% CPU. Has an auto scaling group and App Load Balancer. Make the app run at peak.

A

Configure the auto scaling group to use a target tracking policy and set CPU utilisation as the target metric with a value of 50%.

Auto scaling creates and manages the CloudWatch alarms that trigger the scaling policy.

Memorise: archery target, rolling down railway tracks, with a policy document stuck to it with an arrow.

Incorrect - configure the auto scaling group to use a simple scaling policy, or step scaling. Neither of these can be set with a target; they use threshold values from CW alarms.

An auto scaling group cannot directly use CW alarms as the source of the scale in or out. Must use a policy.

49
Q

EC2 instance 1A in region A. Snapshot 1A, then create a new AMI in region A from the snapshot, then copy the AMI to region B, then provision instance 1B in region B. What entities exist in region B?

A

EC2 instance
AMI
Snapshot (see below)

When an AMI is copied to a new region, it creates a snapshot in the new region because AMIs are based on the underlying snapshots.

50
Q

Car maker builds a car-as-a-sensor service, using serverless components. Wants capacity to be automatically provisioned. Create a solution.

Options: SQS + Lambda + DynamoDB
Kinesis Firehose + EC2 + DynamoDB

A

Sensor data into an SQS standard queue.
Poll with Lambda in batches.
Write to auto-scaled DynamoDB for processing.

Incorrect:
Ingest data with Kinesis Data Streams,
polled by EC2 (a server!), write into DynamoDB.

Kinesis Firehose cannot write into DynamoDB without custom code or Lambda.

51
Q

Ecomm company, maintenance on an EC2 instance that is part of an auto scaling group using step scaling. Avoid the ASG provisioning another instance when they patch each server. Most time- and resource-efficient solution?

A

Suspend the ReplaceUnhealthy process type in the ASG and apply the patch. When done and the EC2 instance is healthy, activate the ReplaceUnhealthy process.
Put the instance in standby state, then update the instance with the patch, then exit standby.

Memorise: replace unhealthy. Push an old man in a wheelchair off a cliff. Process type: he is holding a process document. Standby and watch. Horrible, memorable.

52
Q

identify invalid storage transitions for s3

A

Intelligent tiering to Standard (correct and invalid)
One zone IA to standard IA. (missed and correct and invalid)

Std > IA > Intel > IA One Z > Glac Inst > Glac Flex > Glac Deep

memorise:
std > IA > Intel > one zone IA
Instant (skip) > FLexible > Deep

IA One zone skips Glac Inst

53
Q

Integrate a data file server from an on-prem analytics app with AWS storage (hybrid). On-prem compatibility should be NFS. What is the most efficient solution?

A

Storage Gateway - File Gateway. A hybrid service that gives on-prem access to unlimited cloud storage. Tape, File and Volume. They cache data locally for low latency.
File Gateway (S3): a seamless way to store files in S3. The files appear to be on SMB or NFS locally, but in the background requests are translated into HTTP S3 requests.

File GW supports SMB or NFS.
File Gateway also supports FSx for Windows File Server as an alternative to S3 in AWS.

Requires IAM roles, and SMB supports on-prem AD.

Volume Gateway supports iSCSI block storage in the cloud to on-prem. Does not support NFS. Volume GW has cached and …. mode, which indicates where the primary data is stored.

Memorise. Storage gateway. shipping container at diggers with doors open. File cabinet, volume on guitar amp, tape player

54
Q

Aurora with 5 Multi-AZ read replicas with tiers and sizes. In a failover, what rules does Aurora use to promote?

A

Aurora will promote the read replica that has
* the highest priority (which means the lowest tier number)
* if 2 or more have the same priority, then promote the replica with the largest size.

The choice was between tier-1 32 TB or tier-1 16 TB.

Aurora allows you to create up to 15 read replicas to increase read throughput and for use as failover targets. The replicas share storage with the primary instance and provide lightweight, fine-grained replication that is almost synchronous, with a replication delay on the order of 10 to 20 milliseconds.

55
Q

Order of storage charges for a 10 GB file in EBS General Purpose SSD gp2 of size 100 GB, S3 Standard, EFS Standard storage.

A

Highest to lowest:
EBS, due to the 100 GB total size
EFS, because based on usage, bytes used.
S3 Standard, based on usage.

56
Q

Retail co. Network LB target group of EC2 web servers in an auto scaling group, across 3 AZs. Poor availability, NLB can’t detect HTTP errors. Manual EC2 restarts needed. Solve the problem with no coding.

A

Replace the NLB with an Application LB, configure HTTP health checks. Use the auto scaling group to replace unhealthy instances (using the ALB health checks).

NLB is at layer 4 of the OSI model, uses TCP connections, does not support HTTP health checks. (Although documentation says it does, with limitations on TLS version. Be careful. Possible CORRECTION.)

57
Q

Company wants HA and to migrate a website from on prem to multiple EC2 instances. We need to allow for content-based routing, which means headers and URLs. What solution?

A

Use an Application LB with EC2 instances across multiple AZs.
Plus an auto scaling group.
ALB can configure content-based routing using headers or URLs. (/api -> A, /mobile -> B)

Memorise: App LB (scales with weights; the weights are mobile phones with apps, at a crossroads (route) there is content on the phones).

Incorrect: Network LB, EC2, private IP addresses. (Pretty obvious: no auto scaling, no HA.)

58
Q

Co. uses DynamoDB for customer data: profiles, clicks, user events, visited links. Some use cases require millions of req. per second, low latency, reliability. Co. wants to add a caching layer for reads. What services would you suggest? Pick 2.

A

ElastiCache (Redis and …d), which can be used with DynamoDB
DynamoDB DAX

Incorrect: Elasticsearch.

59
Q

What is the maximum number of partitions per AZ in an EC2 partition placement group?

A

Seven. PPGs allow you to have separate network hardware and rack per instance for HA. A partition is like a rack.

A spread placement group is where each instance is in a separate partition or rack.

Memorise: partition seven. Seven deadly partitions, each one has a venomous animal.

60
Q

What is AWS Shield, what does it do, how does it protect?

A

Protects from a DDoS attack.
Standard version free and active for all accounts.

Advanced version for sophisticated attacks on
EC2
Elastic LB
CloudFront
Global Accelerator

Adds WAF rules, and WAF is integral to the service.
Has a team on call 24/7.

AWS Shield Standard provides always-on network flow monitoring, which inspects incoming traffic to AWS services and applies a combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real time.

61
Q

Company has 200 TB of data on SMB file shares used by Windows apps and wants to migrate to the cloud. Should continue to have low-latency access to the data with no disruptions after the migration. New apps can also access the data.

A

FSx File Gateway for on-prem access to AWS FSx for Windows File Server.

Incorrect - Storage Gateway / File Gateway does not support shares for Windows.

Memorise - Storage Gateway is a container with doors with filing cabinets and a volume amp; it does not have any windows.

62
Q

Photo sharing website in 3 countries. Runs on EC2 behind an Application LB. Must block access from 2 countries and allow access from the home country.

A

WAF (web application firewall) attached to the Application LB in a VPC. Use IP address to block. Configure the WAF based on rules in the ACL with geo match conditions. Not in obvious docs.

Correction suggestion: geo restriction feature of CloudFront. Apparently incorrect because CF is not in the VPC.

63
Q

Photo sharing website in 3 countries. Runs on EC2 behind an Application LB. Must block access from 2 countries and allow access from the home country.

A

WAF (web application firewall) on the Application LB in a VPC. Use IP address to block. Configure the WAF based on rules in the ACL with geo match conditions.

WAF can be deployed on
App LB
API Gateway
CloudFront

Incorrect - geo restriction feature of CloudFront. Apparently incorrect because CF is not in the VPC, and harder and more $.

Memorise - spider web putting out the fire on the wall, with scales with apps on mobile phones on the scale.

64
Q

Video analytics co. 10 apps on prem, each with 70 TB. Migrate in 2 weeks.

A

10 Snowball Edge Storage Optimised devices.
VPN site-to-site for ongoing connectivity.

Each Snowball Edge has 80 TB of HDD and 1 TB SSD and 40 vCPUs. 40 GB network connectivity. Same storage as the old Snowball device.

  • Snowmobile 100 PB
  • Snowball Edge 210 TB (104 vCPU, 416 GB mem)
  • Snowball Edge 80 TB (40 vCPU, 80 GB mem)
  • Snowball Edge Compute Optimised 28 TB (104 vCPU, 416 GB mem)
  • Snowcone 8 TB (4 vCPU, 4 GB mem)

65
Q

Geology data for the last 100 years. Data velocity of 1 GB per minute. Store data with the most relevant attributes only. Most cost-effective solution, and least infra maintenance.

A

Kinesis Data Firehose with Lambda to filter and transform the stream, send output to S3 (dumped). Kinesis Data Streams, or Kinesis Agent and all the same sources as KDS, can be used to capture the data. The question may be incomplete.

Incorrect - Kinesis Data Analytics, with SQL queries to filter and transform, write to S3.

66
Q

Gaming co. wants HA and performance for an app that uses UDP, needs fast regional failover. Continue using custom DNS.

A

Global Accelerator: multi-region, supports UDP. Improves performance, lower latency, less variation of latency, increased throughput. Good fit for non-HTTP, such as gaming and IoT, voice. Use with ELB.

Incorrect - Elastic LB. One region only.

Gamers in the blue-green Global Accelerator rocket; gamers use UDP.

67
Q

Fleet of EC2 for a task with high IO performance. Each instance has access to data that is replicated across instances. If an instance goes down, the underlying architecture will ensure the replacement has access to the dataset. What kind of storage?

A

Instance store based EC2. Temp block storage, disks physically attached. Frequently changing data. Works well for replicated data. High random IO performance at low cost.

Incorrect - EFS mount points ruled out because of extra cost and complexity, and lower IO performance.

68
Q

What are the retrieval modes for S3 Glacier Flexible Retrieval?

A

expedited 1-5 min
standard 3-5 hours
bulk 5 - 12 hours
everything above Flexible retrieval is millisecond

Max time memorise
5 minutes / 5 hours / 12 hours
5m / 5h / 12h

69
Q

What are the retrieval modes for S3 Glacier deep archive?

A

Standard 12h, or Bulk 48h

12 x 4 = 48. half day or 2 days. long time. starting at max time of flex retrieval.

70
Q

What are the security policies that can be applied to S3?

A

User-based policy
Bucket policies, which allow cross-account access
Object ACL, bucket ACL

An IAM principal (user, app) can access an S3 object if

(the user's IAM perms Allow OR the resource policy allows) AND there is no explicit Deny

71
Q

What kinds of S3 event notifications and permissions are there?

A

SNS,
SQS,
Lambda,
EventBridge
…can receive events from bucket object actions.

For each of the above, there are ____ resource access policies, bucket policy, bucket and object ACL, principal, effect, action, resource, condition….

72
Q

What kinds of S3 event notifications and permissions are there?

A

SNS, SQS, Lambda, EventBridge can receive events from bucket object actions.
For each of the above, there are ____ resource access policies, principal, effect, action, resource, condition….
Similar to S3 bucket policies.
Not IAM roles!!

73
Q

How to filter data set objects in S3 and reduce transferred data?

A

The data objects must be CSV, JSON or Parquet format, even when compressed.
S3 Select can use SQL to filter the contents of these S3 objects.

74
Q

What is the encryption type and details of SSE-S3?

A

Server-side encryption, type is AES-256, must set the x-amz-sse header to AES256. Enabled by default on new buckets and objects.

75
Q

How does SSE-KMS work? What features, limitations?

A

Manage the keys in Key Management Service. Benefits - user control and
* audit of key usage using CloudTrail.
* Set the S3 PUT header x-amz-sse to aws:kms.
Limitations: each request to encrypt/decrypt counts towards the KMS quota per second, based on region.
* About 5500 to 30000 requests, depending on region.

76
Q

How to restrict access to S3 object prefixes?

A

S3 Access Points. Each has a policy that restricts access for IAM users to a prefix and read or write.
Simplifies the bucket policy, because the access points do the work.
An access point has its own DNS name.

Memorise: prefix, they/them pronouns, excess point, excessive party point, they point access excess.

77
Q

A company has a period where files (objects) must be protected from overwrites and deletes, compliance policy. What do you use? (plus all options)

A

Retention Compliance Mode (strict, permanent)
Retention Governance Mode
Legal Hold
Glacier Vault Lock (strict, permanent)
———
S3 Object Lock - retention compliance mode. Object versions can’t be overwritten or deleted by any user, including root, ever. Retention modes can’t be changed.

Versioning must be enabled.

Object Lock - retention mode governance. More relaxed. Some users can delete or alter modes.

Retention period: protect the object for a time.

Legal hold: protect the object indefinitely, independent of the retention period. The hold can be removed.

Glacier Vault Lock: create a policy. The object can’t be changed or deleted, ever, by anyone. The safe is buried under a glacier.

78
Q

High workload on EC2, to scale up/out at a designated time of day / month. What do you recommend to achieve this?

A

Auto scaling group with a scheduled action that starts at the hour/day of month.

Set the desired capacity of instances to 10. This causes the scale-out to happen before the peak.

Incorrect - set the min and max to 10.
Incorrect - simple and target tracking.

79
Q

How to protect data in S3 from malicious activity, as well as check for vulnerabilities on EC2?

A

GuardDuty for S3, plus accounts, workloads, CloudTrail events, VPC Flow Logs, DNS logs.

Amazon Inspector for EC2, network access, vulnerabilities.

80
Q

What are valid config settings for retention periods for objects and versions in S3?

A

Apply a retention period to an object version explicitly; you specify Retain Until Date for the version.

Different versions of an object can have different retention periods. (Got this wrong, but see above for a hint.)

Incorrect - you cannot place a retention period on an object version through a bucket default setting.

81
Q

Explain the replication capability, in terms of sync vs async, of “RDS Multi-AZ” and RDS read replicas.

A

Multi-AZ has synchronous replication and spans 2 or more AZs in one region; the primary DB instance replicates synchronously to a standby instance in a different AZ.

Read replicas have async replication and can be in-AZ, cross-AZ, cross-region.

Incorrect!! Multi-AZ has async replication.

82
Q

S3 encryption with KMS, the company owns the customer master key. It was accidentally deleted, which means they lose all data. What do you do?

A

The key was deleted one day ago; it will be in ‘pending deletion’ status and can be recovered by cancelling the delete.
You can set a waiting period of 7 - 30 days before the deleted keys are deleted, default 30.

83
Q

Notification system SNS, handled by Lambda. Must handle 100 up to 5000 requests per sec in off-peak / peak. Problem - at peak many messages are not delivered. What has caused the issue and how to fix it?

A

SNS deliveries to Lambda have crossed the concurrency quota for Lambda; contact AWS support to raise the limit.

Lambda supports 1000 concurrent executions per AWS account per region.

Incorrect - SNS has hit a scalability limit. SNS limits are 20 per second for email or SMS, but SNS dynamically scales so it should never be a bottleneck. AWS documentation contradicts this. Be careful.

84
Q

Do I need to pay for data ingress with S3 Transfer Acceleration?

A

Yes, if TA is used across AZ/region. If you go direct to the source bucket in the same AZ/region, then no charges for S3 without TA.

85
Q

What Load Balancer for path-based routing?

A

Application Load Balancer is one that can, not sure about others.

ALB also does host-based routing, header-based routing, method-based routing, query string parameter routing, source IP / CIDR routing.