From practice tests Flashcards
AWS RAM
AWS Resource Access Manager (AWS RAM) enables you to share specified AWS resources that you own with other AWS accounts. To enable trusted access with AWS Organizations:
A trusted service can create an IAM role called a service-linked role in every account in your organization whenever that role is needed (trusted access).
From the AWS RAM CLI, use the enable-sharing-with-aws-organizations command.
Name of the IAM service-linked role that can be created in accounts when trusted access is enabled: AWSResourceAccessManagerServiceRolePolicy.
SCPs
SCPs DO NOT affect any service-linked role. Service-linked roles enable other AWS services to integrate with AWS Organizations and can’t be restricted by SCPs.
Direct Connect gateway
You can attach multiple private virtual interfaces to your Direct Connect gateway.
With Direct Connect Gateway, you no longer need to establish multiple BGP sessions for each VPC; this reduces your administrative workload as well as the load on your network devices.
ElastiCache Redis
An ElastiCache Redis cluster provides varying levels of data durability, performance, and cost for implementing disaster recovery or fault tolerance of your cached data. You can choose the following options to improve the data durability of your ElastiCache cluster:
- Daily automatic backups
- Manual backups using Redis append-only file (AOF)
- Setting up a Multi-AZ with Automatic Failover
What to do if your Lambda function needs Internet access?
If your Lambda function requires Internet access (for example, to access AWS services that don’t have VPC endpoints), you can configure a NAT instance inside your VPC or you can use the Amazon VPC NAT gateway.
You cannot use an Internet gateway attached to your VPC, since that requires the ENI to have public IP addresses.
Do not attach it to a public subnet or to a private subnet without Internet access. Instead, attach it only to private subnets with Internet access through a NAT instance or an Amazon VPC NAT gateway. You should also ensure that the associated security group of the Lambda function allows outbound connections.
A multinational investment bank has a hybrid cloud architecture which uses a single 1 Gbps AWS Direct Connect connection to integrate their on-premises network with AWS Cloud.
Which of the following is the MOST cost-effective solution that you should implement in order to improve the connection redundancy of your hybrid network?
It costs a lot of money to establish a Direct Connect connection which you rarely use. For a more cost-effective solution, you can configure a backup VPN connection for failover with your AWS Direct Connect connection.
If you want a short-term or lower-cost solution, you might consider configuring a hardware VPN as a failover option for a Direct Connect connection. VPN connections are not designed to provide the same level of bandwidth available to most Direct Connect connections. Ensure that your use case or application can tolerate a lower bandwidth if you are configuring a VPN as a backup to a Direct Connect connection.
You were just promoted as the IT Manager of a small, yet rapidly developing software consultancy company. Your CTO asked you to prepare the needed items in order to have a hybrid cloud architecture in which you have to connect your on-premises network to AWS Cloud.
Which of the following will enable federated user access to the AWS Management Console?
- Inside your organization’s network, you configure your identity store (such as Windows Active Directory) to work with a SAML-based identity provider (IdP) like Windows Active Directory Federation Services, Shibboleth, etc.
- Create a SAML provider in IAM and create an IAM role that establishes a trust relationship between IAM and your organization’s IdP that identifies your IdP as a principal (trusted entity) for purposes of federation.
Must create a SAML provider in IAM.
ELB Elastic IP
It is not recommended to use an EIP on top of an ELB. Also, you should use an Alias record instead of an A record.
SSM Parameters Store vs Secrets Manager
If you want a single store for configuration and secrets, you can use Parameter Store. If you want a dedicated secrets store with lifecycle management, use Secrets Manager.
Global DDB
With Global DynamoDB Tables, replica tables are not automatically created in all AWS Regions. You have to manually specify and create the replica tables in the specific AWS Regions where you want to replicate your data. Take note as well that the DynamoDB Stream option must be enabled in order for the Global DynamoDB Table to work.
Multi-region, multi-master. Data automatically replicated into chosen regions.
How can you ensure high availability of the online portal even in the event of application and database server failure?
In this scenario, the main priority is ensuring the availability of the online portal at all times. The application server as well as the database server should be configured to be highly available through the use of Auto Healing capabilities of OpsWorks stacks and RDS Multi-AZ deployments. If the Auto Healing capability in OpsWorks is enabled, any failed EC2 instances will be automatically replaced to avoid any downtime for the portal.
This is if no ASG
Lambda@Edge
Lambda@Edge lets you run Lambda functions to customize the content that CloudFront delivers, executing the functions in AWS locations closer to the viewer.
Route 53 Record Origins
EC2 - type A record, no alias
ELB, CloudFront, S3 - type A record with alias
RDS - CNAME record, no alias
169.254.169.253
Amazon DNS Server
CloudFront field encryption
Up to 10 fields, must specify public key
When you pay with AWS Certificate Manager
Mostly for Private CA and private certificates
Max DDB Item size
400KB
Redshift EC2 Limits
Cannot use Spot instances
Amazon Inspector
Automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
Using Amazon Inspector, you can define a collection of AWS resources that you want to include in an assessment target. You can then create an assessment template and launch a security assessment run of this target.
Uses IAM service-linked role.
To activate the AWS generated tags
Activate it in the Billing and Cost Management console of the master account
CodeDeploy
CodeDeploy does not launch the required AWS resources automatically unlike CloudFormation, Opsworks, and Elastic Beanstalk. It automates application deployments to Amazon EC2 instances, on-premises instances, or serverless Lambda functions but these resources should already exist before CodeDeploy can work.
AWS Migration Hub
Provides a single location to track the progress of application migrations across multiple AWS and partner solutions. Using Migration Hub just allows you to choose the AWS and partner migration tools that best fit your needs while providing visibility into the status of migrations across your portfolio of applications. Although AWS Application Discovery Service can be integrated with AWS Migration Hub, this service alone is not enough to meet the requirement in this scenario.
OpsWorks
OpsWorks can be integrated with on-premises servers
IBM MQ to Amazon MQ
You cannot directly migrate your IBM MQ to Amazon MQ since these are two completely different systems. It is more suitable to host your IBM MQ on an EC2 instance.
Provisioned IOPS storage is a storage type
For production applications that require fast and consistent I/O performance, AWS recommends Provisioned IOPS (input/output operations per second) storage; it delivers predictable performance and consistently low latency.
AWS Trusted Advisor
Primarily used to check if your cloud infrastructure is in compliance with the best practices and recommendations across five categories: cost optimization; security; fault tolerance; performance; and service limits.
AWS Data Pipeline
Web service that helps you reliably process and move data between different AWS compute and storage services, as well as on-premises data sources, at specified intervals. With AWS Data Pipeline, you can regularly access your data where it’s stored, transform and process it at scale, and efficiently transfer the results to AWS services such as Amazon S3, Amazon RDS, Amazon DynamoDB, and Amazon EMR.
AWS IoT Greengrass
Primarily used to enable connected devices to run AWS Lambda functions, execute predictions based on machine learning models, keep device data in sync, and communicate with other devices securely even without an Internet connection. Hence, this is not a suitable option for this scenario.
Using the fast invalidation feature provided in CloudFront is incorrect
Because invalidation is used to remove the content from the CloudFront edge location cache before it expires. The next time a viewer requests the object, CloudFront fetches the content from the origin; whereas setting the TTL to 0 forces CloudFront to deliver the latest content as soon as the origin updates it.
CloudFront origins
You cannot set EFS as the origin of your CloudFront web distribution.
API Gateway per region limit
API Gateway has a default per-region limit of 10,000 requests per second. If required for production, this limit can be increased.
Lambda and VPCs
Lambda functions cannot connect directly to a VPC with dedicated instance tenancy. To connect to resources in a dedicated VPC, peer it to a second VPC with default tenancy.
Lambda sync vs async
For asynchronous invocation, if you see an increase in errors without corresponding CloudWatch Logs, invoke the Lambda function synchronously in the console to get the error responses.
Elastic Load Balancing sticky
Elastic Load Balancing creates a cookie, named AWSELB, that is used to map the session to the instance.
EFS
Has file locking capabilities.
Snowball Edge
- Local compute with AWS Lambda
- Local compute instances
- Use with AWS Greengrass (IoT)
- Transfer files through NFS with a GUI
Migrate VMs from a vCenter environment to AWS
It is recommended by AWS to use the Server Migration Service (SMS) to migrate VMs from a vCenter environment to AWS. SMS automates the migration process by replicating on-premises VMs incrementally and converting them to Amazon Machine Images (AMIs). You can continue using your on-premises VMs while migration is in progress. The Server Migration Connector is a FreeBSD VM that you install in your on-premises virtualization environment.
EC2Rescue
Can help you diagnose and troubleshoot problems on Amazon EC2 Linux and Windows Server instances. You can run the tool manually or you can run the tool automatically by using Systems Manager Automation and the AWSSupport-ExecuteEC2Rescue document. The AWSSupport-ExecuteEC2Rescue document is designed to perform a combination of Systems Manager actions, AWS CloudFormation actions, and Lambda functions that automate the steps normally required to use EC2Rescue.
HTTPS between viewers and CloudFront or between CloudFront and your origin
HTTPS between viewers and CloudFront
- You can use a certificate that was issued by a trusted certificate authority (CA) such as Comodo, DigiCert, Symantec or other third-party providers.
- You can use a certificate provided by AWS Certificate Manager (ACM)
HTTPS between CloudFront and a custom origin
- If the origin is not an ELB load balancer, such as Amazon EC2, the certificate must be issued by a trusted CA such as Comodo, DigiCert, Symantec or other third-party providers.
- If your origin is an ELB load balancer, you can also use a certificate provided by ACM.
- You cannot directly upload a self-signed certificate in your ALB.
The 502 internal server errors
The 502 internal server errors will be returned intermittently by API Gateway if the Lambda function exceeds concurrency limits.
AWS Systems Manager Run Command
Administrators use Run Command to perform the following types of tasks on their managed instances: install or bootstrap applications, build a deployment pipeline, capture log files when an instance is terminated from an Auto Scaling group, and join instances to a Windows domain, to name a few.
Kinesis Data Stream Shard limit
1MB
CW vs CT
--is-multi-region-trail and --include-global-service-events
CT has both
CW only has multi region
Redis AOF
AOF is disabled by default. To enable AOF for a cluster running Redis, you must create a parameter group with the appendonly parameter set to yes, and then assign that parameter group to your cluster. You can also modify the appendfsync parameter to control how often Redis writes to the AOF file.
AWS Application Discovery Service
Helps you to plan migration projects by gathering information about your on-premises data centers but this service is not a suitable migration service.
Benefits of using ELB health checks
There are certain benefits of using ELB health checks as opposed to the default EC2 status checks. They can monitor whether your application is running on a certain port (e.g. 3000), which you cannot do with a regular EC2 status check. In addition, you can use many other health check settings that suit your requirements, such as HealthCheckPath, HealthyThresholdCount and many others.
With vs Without Cognito
If you don’t use Amazon Cognito, then you write custom code or an app that interacts with a web IdP (Login with Amazon, Facebook, Google, or any other OIDC-compatible IdP) and then calls the AssumeRoleWithWebIdentity API to trade the authentication token you get from those IdPs for AWS temporary security credentials. If you have already used this approach for existing apps, you can continue to use it. You can also deploy your app in an S3 bucket.
Setting up a diversified allocation strategy for your Spot Fleet
Using various instance types (c4.2xlarge, m3.2xlarge, r3.2xlarge, etc.) raises the chances that your Spot Instance requests will be approved.
Available for Spot Fleets but NOT ASG
CloudHSM is a cluster; for HA
Must be deployed to multiple AZs
If you want to enable cross-region snapshot copy for an AWS KMS-encrypted cluster
You must configure a snapshot copy grant for a master key in the destination region so that Amazon Redshift can perform encryption operations in the destination region.
Rolling with additional batch
Only applicable in Elastic Beanstalk and not for Lambda.
Max VPC peering
125