General Flashcards

1
Q

What is one serverless AWS service for NoSQL and one for SQL databases?

A

DynamoDB & Aurora Serverless

2
Q

If you want to run a custom container image on Lambda what needs to be implemented in the image and what other services should be used if it isn’t in the image?

A

Lambda Runtime API. ECS or Fargate can be used to run the image in a container on the cloud instead of Lambda.

3
Q

Is the maximum size of a DynamoDB item:

  • 4 KB
  • 400 KB
  • 4 MB
  • 40 MB
A

400 KB

4
Q

T or F: API Gateway supports WebSocket protocol

A

TRUE

5
Q

What 2 CLI commands are used to package & deploy a SAM template?

A

sam package & sam deploy

6
Q

What kind of header is used to indicate that a CloudFormation template is a SAM template?

A

a Transform header: Transform: AWS::Serverless-2016-10-31

7
Q

What 3 resources are specific to SAM templates?

A

AWS::Serverless::(Function, Api, SimpleTable)

8
Q

What service can be used if a custom domain or HTTPS is desired for an AppSync endpoint?

A

CloudFront

9
Q

What is used as an initial bootstrap script for EC2 instances?

A

EC2 User Data

10
Q

T or F: EBS volumes are shared across availability zones

A

FALSE

11
Q

T or F: Taking a snapshot of an EBS volume requires detaching it from any EC2 instances

A

FALSE, but it is recommended to do so to get a clean snapshot.

12
Q

What is one reason you would create a custom AMI instead of using EC2 User Data for environment setup?

A

The initial boot time when an EC2 is started is significantly reduced when using an AMI instead of EC2 User Data.

13
Q

Why would someone choose an EC2 instance store over an EBS volume? What is a downside to using an instance store?

A

Better IOPS throughput/performance (~10ks vs ~100ks-1,000ks), but it is ephemeral storage (i.e. nothing is saved when the instance stops running). This creates a risk of data loss if the hardware fails.

14
Q

What are the 3 major types of EBS volume?

A

General Purpose SSD (gp3 & gp2), Provisioned IOPS SSD (io2 & io1), & Throughput Optimized (st1) and Cold (sc1) HDD.

15
Q

If a Provisioned IOPS SSD EBS volume is being used what additionally is required to increase the max IOPS above 32K?

A

A Nitro-based EC2 instance will increase the max to 64K

16
Q

What EBS volume types support multi-attach?

A

Provisioned IOPS SSD (io1 & io2)

17
Q

T or F: EFS can be used on Windows AMIs

A

FALSE: EFS only supports Linux AMIs

18
Q

What 2 performance modes are available for an EFS at creation time and what are their pros and cons?

A

General Purpose: low latency

Max I/O: higher latency but higher throughput

19
Q

What 2 throughput modes are available for an EFS and what are their pros and cons?

A

Bursting: storage/throughput ratio is set at 1TB/50MiB/s w/ burst up to 100MiB/s
Provisioned: set any throughput regardless of how much storage exists

20
Q

What 2 storage tiers are available for an EFS?

A

Standard: free to retrieve
Infrequent Access (EFS-IA): cost to retrieve, lower storage price
21
Q

What are the 3 types of ELB and what web protocols do they support?

A

Classic (v1, Layer 4 or 7): HTTP, HTTPS, TCP
Application (v2, Layer 7): HTTP, HTTPS, WebSocket
Network (v2, Layer 4): TCP, TLS (secure TCP), UDP

22
Q

What are the possible target groups for an Application Load Balancer?

A

EC2 instances (could also be an ASG)
ECS tasks
Lambda functions (HTTP translated to JSON)
IP Addresses (only private IPs)
23
Q

How would an ALB target group get a client’s IP, protocol, or port?

A

HTTP headers: X-Forwarded-(For | Port | Proto)

24
Q

List 3 reasons why an NLB would be chosen over an ALB

A

lower latency: ~100ms vs ~400ms
better scalability: millions of requests/s
static IP per AZ: useful for IP whitelisting

25
Q

I have an NLB with an EC2 target group. The EC2 security group only allows inbound traffic from the NLB’s security group but traffic is being denied. What is wrong?

A

An NLB preserves the incoming traffic’s IP and protocol when forwarding traffic, so the EC2 security group needs to allow inbound traffic from all IPs.

26
Q

What 2 ELB types are compatible with sticky sessions?

A

Classic & Application load balancers

27
Q

What are the 2 basic types of cookies used for ELB sticky sessions and what are some reasons why one would be chosen over the other?

A

Application-based cookies:
- can be custom, target-generated with any custom attributes, with a custom cookie name for each target group
- expiry can be set by the application

Duration-based cookies:
- expiry can be set by the load balancer

28
Q

For which ELB type/s is it possible to disable cross-zone load balancing?

A

NLB & CLB

29
Q

What is Server Name Indication used for and for what services is it compatible?

A

Allows loading multiple SSL certs for a single web server so a single server can route traffic to multiple target groups with different SSL certs.
Requires the client to specify the hostname of the target server on the initial SSL handshake.

ELB: ALB & NLB (not CLB)
Cloudfront

30
Q

What is a ‘deregistration delay’ used for on ALBs/NLBs?

A

When a target group enters ‘draining’ mode as a prelude to shutting down, it is the maximum time this mode is sustained; during that time the EC2 instance finishes handling existing connections while the balancer does not send it any new traffic. Can be 0-3600 seconds; the default is 300.

This is used to make sure an EC2 isn’t terminated in the middle of handling a request for an ALB/NLB.

31
Q

How are scaling actions triggered for ASGs? List some metrics that can be used to trigger these.

A

CloudWatch alarms

  • average CPU usage
  • # of requests per instance
  • average Network throughput In or Out
  • a preset schedule
32
Q

What is used to launch an ASG?

A

Launch Configuration or the newer Launch Template

33
Q

If an EC2 instance in an ASG becomes unhealthy will it be restarted or terminated and a new instance launched?

A

terminated & new instance launched

34
Q

What is an ASG scaling cooldown?

A

It is the period of time after a scaling action where an ASG will not launch or terminate instances. This allows the metrics to stabilize with the new or lost instances accounted for.

After the cooldown the ASG will begin evaluating the metrics again for potential new scaling actions.

35
Q

What is a good way to reduce the scaling cooldown needed by an ASG?

A

Use a custom AMI instead of EC2 user data to reduce instance startup time

36
Q

What are the 3 main types of ASG scaling policies?

A

Dynamic, predictive, & scheduled

37
Q

What are the 3 types of Dynamic scaling policies for an ASG?

A
  • Target Tracking scaling (e.g. keep CPU usage around 40%)
  • Simple scaling (e.g. when a CW alarm such as CPU above 70% or CPU below 40% is triggered, add/remove # instances)
  • Step scaling is like simple scaling but allows adding/removing a custom # of instances depending on how badly a metric has triggered a CW alarm.

38
Q

Which type/s of ELB has/have a static IP?

A

NLB

39
Q

What are the 6 database engines that AWS RDS supports?

A

Postgres, MySQL, MariaDB, Oracle, Microsoft SQL Server, Aurora

40
Q

What is the max number of allowed read replicas for RDS?

A

5 for MySQL, 15 with Aurora.

41
Q

T or F: Read replicas are only available within the same AZ as the database

A

False: they can be, but can also be created in a different AZ or even region.

42
Q

T or F: RDS Read replicas are eventually consistent

A

True

43
Q

In what situation would a read replica be charged a network cost for traffic between it and the database?

A

Only when the replica is in a different region

44
Q

How could RDS read replicas be used to increase availability?

A

Using an RDS Multi AZ deployment, a read replica is created in a separate AZ and updated by the DB SYNCHRONOUSLY. If the DB goes down the read replica is automatically used as the new RDS DB.

45
Q

How is a currently running RDS DB converted from single AZ to multi AZ?

A

You simply modify the DB configuration and the read replica is created with 0 operational downtime.

46
Q

T or F: RDS Read replicas as part of a Multi AZ deployment are eventually consistent

A

False

47
Q

Describe the steps needed to encrypt an unencrypted production RDS DB

A
  • Create a snapshot of the DB
  • Copy the snapshot & enable encryption
  • Start a DB from the encrypted snapshot
  • Migrate applications that use the DB from the old one to the new encrypted one & delete the old one

48
Q

What service can be used to enable encryption at rest for an RDS DB when setting up a DB?

A

KMS (AES-256)

49
Q

What can be used to enable in-flight encryption with RDS?

A

Encryption using an SSL cert. This typically must be enforced using a parameter inside the DB.

50
Q

T or F: RDS allows a user to SSH into a DB instance

A

False. As a managed service RDS does not expose the instance that runs the DB

51
Q

For what DB engines can IAM be used to manage in-DB user creation/permissions?

A

MySQL, PostgreSQL & Aurora

52
Q

What is the maximum amount of data that Aurora can auto-expand to?

A

The Aurora shared storage volume can be anywhere from 10GB to 64TB

53
Q

How does Aurora manage supplying the correct write/read endpoints to applications calling the DB?

A

A writer endpoint points to the current Master DB in the case of one writer, or load balances across multiple writers if applicable.

A reader endpoint automatically load balances across the autoscaling group of read replicas.

54
Q

You expect your DB workload to be highly intermittent and unpredictable. Which DB feature should be enabled?

  • One Writer & Multiple readers
  • Serverless
A

Serverless. A minimum & maximum capacity can be specified and the available capacity is automatically scaled for cost saving.

55
Q

At a high level explain the differences between Redis & Memcached as elasticache options

A
  • Redis (high availability features): similar to RDS in that there are read replicas, data persistence, backup/restore features, multi-AZ with failover
  • Memcached (pure cache): partitions data across multiple nodes (sharding), is non-persistent, has no backup/restore features, uses a multithreaded architecture.

56
Q

What is Lazy Loading? (also called Cache-aside, Lazy Population). Describe some of the pros and cons.

A

On a cache miss the DB response is written to the cache for subsequent calls.

pros: guarantees only useful data is cached, and also means node failures of the cache will not lead to data loss but simply increased latency during the cache warm-up period.
cons: noticeable delay on a cache miss because it results in 3 round trips (1 to the cache, then to the DB, and back to the cache with the data). The cache can easily contain stale data & is eventually consistent at best.

57
Q

Describe pros & cons of the Write Through caching strategy.

A

pros: data is never stale. There is never a delay on read calls, only a write penalty (involves 2 calls, 1 to write to the DB & 1 to write to the cache).

con: data can be missing until it is added to or updated in the DB. (Note: can be mitigated by combining this with Lazy Loading).
This strategy opens the door to cache churn. Because the cache will always hold the entire DB, there is a good chance it could contain irrelevant data that is never read.

58
Q

What kind of data would fit setting a short TTL (time to live) for an elasticache?

A

data that could be changing very often:

leaderboards, activity streams, comments

59
Q

You’ve implemented a caching solution for your website but notice the cache is frequently losing useful data due to Cache Eviction. How would you solve this problem?

A

Scale up (or out) the available data storage for the ElastiCache.

Cache Eviction occurs when the data limit is reached for a cache by removing data that hasn’t been read in the longest time (LRU: least recently used).

60
Q

Is Redis “cluster mode” useful for scaling Read operations or Write operations?

A

Write operations.

When cluster mode is on each node is a ‘shard’, containing only a portion of all data. Each shard can still have its own read replicas for multi-AZ availability.

61
Q

What is the difference between a CNAME versus an alias?

A

A CNAME points a hostname -> hostname and only works for non-root-domain URLs (i.e. ‘app.domain.com’, not ‘domain.com’). Each CNAME incurs a cost.

An alias points a hostname -> AWS resource. It works for both root domain & non-root domain hostnames. Aliases are free & include a native health check (i.e. can integrate with the health check of the load balancer being pointed to).

62
Q

You want to implement client-side load balancing through a Route 53 endpoint but you don’t need any other features like health checks. Which routing policy should be selected?

A

Simple Routing Policy

63
Q

How many health checkers are standard for a Route 53 Health check?

A

15 health checkers spread across regions.

64
Q

A Route 53 failover routing policy involves a primary and secondary target. Which targets (if any) require a health check?

A

Only the primary target requires a health check because that health check will be used to trigger the failover to the secondary target.

65
Q

You have a Route 53 ‘A’ record pointing to an EC2 instance’s public IP address. This works in production but the EC2 is briefly stopped and restarted. Route 53 is now no longer redirecting traffic to the EC2. What’s wrong?

A

When an EC2 is stopped and restarted its public IPv4 address is changed. The Route 53 record is still pointing to the old IP and needs to be updated.

66
Q

What are the 7 available routing policies in Route 53?

A

Simple, Weighted, Latency, Failover, Geolocation, Geoproximity, and Multi-value.

67
Q

What is the range of available bias values for a Route 53 Geoproximity routing policy?

A

-99 to 99

68
Q

You want to configure your application so that your clients, when looking up a hostname on Route 53, are able to select from an array of healthy IP addresses. What routing policy should be used to set up this behavior in Route 53?

A

Multi-value routing policy

69
Q

Are VPCs global, regional or AZ level resources?

A

regional

70
Q

Are subnets global, regional or AZ level resources?

A

AZ

71
Q

What is the typical infrastructure that would allow an EC2 instance in a private subnet to access the internet?

A

The instance would use a route in the private subnet’s route table that points to a NAT Gateway inside a public subnet. The NAT Gateway would then use the route in the public subnet that points to an Internet Gateway.

72
Q

What information is provided in VPC flow logs?

A

It captures ALL information related to network traffic going in/out of subnets, including traffic through ENIs (Elastic Network Interfaces, e.g. calls to EC2) and calls made from/to managed services (RDS, ELB, ElastiCache, etc.).

73
Q

What are NACLs used for?

A

They allow defining a list of ALLOW & DENY rules for specific IP addresses (or address ranges) acting as a firewall for a particular subnet.

74
Q

What can be used to connect to an EC2 that is inside a private subnet from S3 without using public IP addresses?

A

Use a VPC Endpoint Gateway. VPC endpoints are the only way to privately connect managed AWS resources outside the VPC to EC2s (& other things) inside.

75
Q

What can be used to connect 2 different VPCs to each other?

A

VPC peering. Keep in mind that the CIDR blocks of each VPC cannot be overlapping.

76
Q

What are the 2 methods to connect on-prem resources to an AWS VPC?

A
  1. Site-to-site VPN. Connects an on-prem VPN to a VPC over the public internet. The connection is automatically encrypted.
  2. Direct Connect. Establishes a physical connection between on-prem and AWS. This is a private connection outside the internet. Takes at least a month to establish.

NOTE: for both options VPC endpoints are unavailable to on-prem resources because they are internal to AWS only.

77
Q

Describe the typical 3-tier architecture

A

Route 53 is used to get the address of:

  1. An Elastic Load Balancer inside a public subnet. Its target is:
  2. An EC2 scaling group inside a private subnet. To access application data these call:
  3. A database/cache solution located on the data subnet.

78
Q

Are S3 buckets global, regional or AZ level resources?

A

regional

NOTE: but must have globally (across all AWS accounts) unique name!

79
Q

The max object size in S3 is:

  • 5 GB
  • 50 GB
  • 500 GB
  • 5 TB
A

5 TB (but anything over 5GB needs to use multi-part upload)

80
Q

What are the 4 encryption methods for S3?

A

SSE-S3: keys managed by AWS
SSE-KMS: use KMS to manage keys
SSE-C: manage keys manually
Client Side Encryption

81
Q

What would be 2 benefits to using SSE-KMS for S3 encryption?

A

1) allows setting which IAM users have access to the key

2) provides access to an audit trail

82
Q

What protocol is used to do encryption in flight for S3?

A

HTTPS using SSL/TLS certs

83
Q

What are the 2 major types of policies used to control access to S3 buckets?

A

User-based: IAM policies

Resource-based: Bucket policies (bucket-wide policies, allow cross-account), Object ACL (fine grained policies), Bucket ACL (very uncommon)