General Info Flashcards

1
Q

AWS history

A
2003: internal infrastructure started being sold as a service
2006: AWS officially launched
2007: over 180,000 developers
2010: amazon.com moved over
2012: re:Invent, the first Amazon conference
2
Q

Regions and AZ

A

19 regions and 57 AZs in 2018; 5 more regions and 15 more AZs in 2019

3
Q

Region to AZ

A

A region contains 2 or more availability zones.

4
Q

Edge locations

A

Cache content. Typically this consists of CloudFront, the CDN.
There are many more edge locations than regions. Currently there are 150 edge locations.

5
Q

What is a must to pass the AWS SAA exam?

A
Security
Identity
Compliance
Network and Content Delivery
Compute
Storage
Database
AWS Global Infrastructure
6
Q

What are the four levels of AWS premium support?

A

Basic, Developer, Business, and Enterprise

7
Q

What is the maximum response time for a Business Level ‘production down’ Support Case?

A

1 hour

8
Q

What is the maximum VisibilityTimeout of an SQS message in a FIFO queue?

A

12 hours

9
Q

You’ve been tasked with building a new application with a stateless web tier for a company that produces reusable rocket parts. Which three services could you use to achieve this?

A

RDS for structured data, DynamoDB for unstructured data, and ElastiCache

10
Q

For all new AWS accounts, there is a soft limit of 20 EC2 instances per region. You should submit the limit increase form and retry the template after your limit has been increased.

A

region

12
Q

AWS WAF

A

Size Constraint Conditions, IP Match Conditions, String Match Conditions

14
Q

DynamoDB

A

The attribute Name and Value combined must not exceed 400 KB.

15
Q

Your company likes the idea of storing files on AWS. However, low-latency service of the majority of files is important to customer service. Which Storage Gateway configuration would you use to achieve both of these ends?

A

Gateway-Stored, File Gateways

16
Q

AWS Direct Connect routing

A

Edit the VPC subnet route table, adding a route back to the on-premises data center.
Enable route propagation on your route table.

18
Q

You are reviewing Change Control requests and you note that there is a proposed change designed to reduce errors due to S3 Eventual Consistency by updating the "DelaySeconds" attribute. What does this mean?

A

When a new message is added to the SQS queue, it will be hidden from consumer instances for a fixed period.

19
Q

How long can a message be retained in an SQS queue?

A

14 days

20
Q

How can I connect to my Amazon VPC?

A

https://aws.amazon.com/premiumsupport/knowledge-center/connect-vpc/

21
Q

Options to connect to my Amazon VPC

A
VPN
Direct Connect (1G to 10G)
VPC peering
VPC endpoint
EC2 ClassicLink (links an instance to a VPC in your account within the same region)
Internet gateway
NAT gateway
22
Q

A virtual private gateway is also known as

A

VPW

23
Q

VPC endpoint limitations

A

Can’t create an endpoint between a VPC and AWS resources in other regions
You can’t tag an endpoint
You can’t transfer an endpoint from one VPC to another
You can’t extend an endpoint connection outside the VPC

24
Q

ASN

A

Autonomous System Number.

25
AWS Site-to-Site VPN
You can create an IPsec VPN connection between your VPC and your remote network. On the AWS side of the Site-to-Site VPN connection, a virtual private gateway provides two VPN endpoints (tunnels) for automatic failover. You configure your customer gateway on the remote side of the Site-to-Site VPN connection.
26
You can connect your Amazon VPC to remote networks and users using the following VPN connectivity options:
AWS Site-to-Site VPN - connect your on-premises network or branch office site to an AWS VPC
AWS Client VPN - connect users to AWS or on-premises networks
AWS VPN CloudHub
Third-party software VPN appliance
27
Multipart upload
Improved throughput
Quick recovery from any network issues
Pause and resume object uploads
Begin an upload before you know the final object size - you can upload an object as you are creating it.
28
Bucket naming (URL styles)
http://mynewbucket.s3-aws-region.amazonaws.com
http://s3-aws-region.amazonaws.com/mynewbucket
29
Can I connect ElastiCache in front of RDS as a transparent cache?
ElastiCache is simply a service for caching. What gets cached, and whether the cache is used at all, needs to be built into your application. It does not magically sit in front of an RDS instance and cache things based on the queries executed.
30
Clustered placement group
A cluster placement group is a logical grouping of instances within a single Availability Zone. Cluster placement groups are recommended for applications that benefit from low network latency, high network throughput, or both, and if the majority of the network traffic is between the instances in the group.
31
Partition placement groups
Partition placement groups help reduce the likelihood of correlated hardware failures for your application. No two partitions within a placement group share the same racks, allowing you to isolate the impact of a hardware failure within your application.
32
Spread placement groups are recommended for applications that have a small number of critical instances that should be kept separate from each other.
A spread placement group can span multiple Availability Zones in the same Region. You can have a maximum of seven running instances per Availability Zone per group.
33
DR implementation
Work with the customer's engineers to identify the key servers and data. Help them set up an AWS account with IAM users, groups, and roles. Build templates of the critical web/app servers and save these as AMIs. Agree upon RDS specifications that meet the stated requirements. Set up the Storage Gateway and the snapshot schedule to meet the RPO. Document, script, or automate the steps to initiate the RDS instance, the EC2 instances, the steps to restore the latest data from the Storage Gateway snapshots into RDS, plus any DNS changes. Test the process with each of the Operations team shifts.
34
When copying an AMI, which of the following types of information must be manually copied to the new instance?
Launch permissions, S3 bucket permissions, and user-defined tags must be copied manually to an instance based on an AMI. User data is part of the AMI, itself, and does not need to be copied manually.
35
DynamoDB
Use cases include storing JSON data, BLOB data and storing web session data.
36
Multivalue Answer Routing
Multivalue answer routing lets you configure Amazon Route 53 to return multiple values, such as IP addresses for your web servers, in response to DNS queries. You can specify multiple values for almost any record, but multivalue answer routing also lets you check the health of each resource, so Route 53 returns only values for healthy resources
37
AWS Opsworks
OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments
38
With EBS
You cannot create an unencrypted volume from an encrypted snapshot or encrypt an existing volume.
39
With EBS
Create an encrypted snapshot from an unencrypted snapshot by creating an encrypted copy of the unencrypted snapshot. Create an encrypted volume from a snapshot of another encrypted volume.
40
You receive a ProvisionedThroughputExceededException error. However, the DynamoDB metrics show that your table or Index has not been operating at maximum provisioned throughput. What could the error be caused by?
The throughput is not balanced across your partitions. One partition is being subjected to a disproportionate amount of the traffic and is, therefore, exceeding limits.
41
AWS Fargate
is a compute engine for Amazon ECS and EKS that allows you to run containers without having to manage servers or clusters
42
AWS Elastic Beanstalk
AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.
43
Request headers provide inline control of how the object will be handled and stored by S3.
```http
PUT /Key+ HTTP/1.1
Host: Bucket.s3.amazonaws.com
x-amz-acl: ACL
Cache-Control: CacheControl
Content-Disposition: ContentDisposition
Content-Encoding: ContentEncoding
Content-Language: ContentLanguage
Content-Length: ContentLength
Content-MD5: ContentMD5
Content-Type: ContentType
Expires: Expires
x-amz-grant-full-control: GrantFullControl
x-amz-grant-read: GrantRead
x-amz-grant-read-acp: GrantReadACP
x-amz-grant-write-acp: GrantWriteACP
x-amz-server-side-encryption: ServerSideEncryption
x-amz-storage-class: StorageClass
x-amz-website-redirect-location: WebsiteRedirectLocation
x-amz-server-side-encryption-customer-algorithm: SSECustomerAlgorithm
x-amz-server-side-encryption-customer-key: SSECustomerKey
x-amz-server-side-encryption-customer-key-MD5: SSECustomerKeyMD5
x-amz-server-side-encryption-aws-kms-key-id: SSEKMSKeyId
x-amz-server-side-encryption-context: SSEKMSEncryptionContext
x-amz-request-payer: RequestPayer
x-amz-tagging: Tagging
x-amz-object-lock-mode: ObjectLockMode
x-amz-object-lock-retain-until-date: ObjectLockRetainUntilDate
x-amz-object-lock-legal-hold: ObjectLockLegalHoldStatus
```
44
Use a curl or GET request to fetch the latest instance metadata from
http://169.254.169.254/latest/meta-data/
45
Create a public subnet
Attach an Internet Gateway (IGW) to the VPC. | Create a route in the subnet's route table that sends outbound traffic through the Internet Gateway (IGW).
46
You are reviewing Change Control requests, and you note that there is a change designed to reduce costs by updating the "WaitTimeSeconds" attribute. What does this mean?
When the consumer instance polls for new work, the SQS service will allow it to wait a certain time for one or more messages to be available before closing the connection.
47
AWS Trusted Advisor offers advice on
Security groups and which ports have unrestricted access | Whether MFA is configured on the root account
48
You need to restrict access to an S3 bucket. Which of the following methods can you use to do so?
S3 Bucket policies | Access Control Lists for S3 (Permissions)
49
DNS: the services in the other company are unable to resolve the names of your AWS services.
Route 53 has a security feature that prevents internal DNS from being read by external sources. The workaround is to create an EC2-hosted DNS instance that does zone transfers from the internal DNS and allows itself to be queried by external servers.
50
For Lambda you can specify the amount of RAM it needs.
This lowers the time it takes for the Lambda function to start executing and complete execution. Although you specify only RAM, it automatically bumps up the CPU as well.
51
Lambda: the first 1M requests/month are free
Is it per Lambda function, or across all Lambda functions combined?
52
For Lambda to reach the RDS instance, you need to associate the Lambda function with the VPC when you create it. IAM isn't necessary.
Lambda requires IAM access only for AWS services like S3 and DynamoDB.
53
CloudWatch contains
Metrics (standard metrics gathered by the hypervisor), logs, and events
54
CloudWatch: sending custom metrics
PutMetricData (put metrics)
55
You can create alarms for metrics
Send a notification or trigger an ASG. | Load balancer latency and CPU utilization are typical triggers for an Auto Scaling action
56
Standard monitoring for EC2 vs. detailed monitoring
Standard: metrics collected at a 5-minute interval | Detailed: 1-minute interval
57
Metrics can be created from log streams
Example: how many 404 errors appear in Apache logs
58
Amazon Lightsail
Amazon Lightsail is the easiest way to get started with AWS for developers who just need virtual private servers. Lightsail includes everything you need to launch your project quickly – a virtual machine, SSD-based storage, data transfer, DNS management, and a static IP – for a low, predictable price
59
Amazon RDS is one of the eight allowed services for penetration testing without prior approval.
S3 is not one of them.
60
Services on which penetration testing is allowed
```
Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
Amazon RDS
Amazon CloudFront
Amazon Aurora
Amazon API Gateways
AWS Lambda and Lambda Edge functions
Amazon Lightsail resources
Amazon Elastic Beanstalk environments
```
61
Prohibited activities in penetration testing
DNS zone walking via Amazon Route 53 Hosted Zones
Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
Port flooding
Protocol flooding
Request flooding (login request flooding, API request flooding)
62
AWS IAM users are created independently of any specific region, but have eventual consistency.
Users can be created in any region, but it does take time for changes to replicate worldwide.
63
CloudFormation can be used in disaster recovery to reduce the time it takes your system to recover (RTO).
In CloudFormation's stack details section
64
Assign an IAM inline policy
This is a method for granting access to a resource.
65
What is the maximum number of groups an IAM user can belong to?
When associating Users with a Group, there is an upper limit of 10 groups per User. You are also limited to 100 groups per AWS account — so be sure to plan your access carefully
66
IAM Groups are a collection of IAM Users who inherit permissions within the same AWS account.
IAM Roles easily allow IAM Users from another account to access resources across accounts by adding their account to an IAM Role's trust policy.
67
What is the max limit of access keys an IAM User may possess at a time?
2
68
A root user on a Master Account cannot be restricted, but a root user on an account in an Organizational Unit can be restricted.
Creating and attaching an SCP is a way to restrict a root user on an account in an Organizational Unit.
69
What URL is used to access instance metadata?
http://169.254.169.254/latest/meta-data
70
Snapshots
Snapshots are replicated across the AZs within the same region. | Snapshots are pushed to the cost-effective storage solution, S3.
71
CloudTrail stores information into the event history section for up to:
90 days