General Info Flashcards

1
Q

AWS history

A
2003: internal infrastructure started being sold as a service
2006: AWS officially launched
2007: over 180,000 developers
2010: amazon.com moved over
2012: re:Invent, the first Amazon conference
2
Q

Regions and AZ

A

19 regions and 57 AZs in 2018; 5 more regions and 15 more AZs in 2019.

3
Q

Region to AZ

A

A region contains 2 or more availability zones.

4
Q

Edge locations

A

Cache content. Typically this consists of CloudFront, the CDN.
There are many more edge locations than regions. Currently there are 150 edge locations.

5
Q

What is a must to pass the AWS SAA?

A
Security
Identity
Compliance
Network and Content Delivery
Compute
Storage
Database
AWS Global Infrastructure
6
Q

What are the four levels of AWS premium support

A

Basic, Developer, Business, and Enterprise

7
Q

What is the maximum response time for a Business Level ‘production down’ Support Case?

A

1 hr

8
Q

What is the maximum VisibilityTimeout of an SQS message in a FIFO queue?

A

12 hrs

9
Q

You’ve been tasked with building a new application with a stateless web tier for a company that produces reusable rocket parts. Which three services could you use to achieve this?

A

RDS for structured data, DynamoDB for unstructured data, and ElastiCache

10
Q

For all new AWS accounts, there is a soft limit of 20 EC2 instances per region. You should submit the limit increase form and retry the template after your limit has been increased.

A

region

12
Q

AWS WAF

A

Size Constraint Conditions, IP Match Conditions, String Match Conditions

14
Q

DynamoDB

A

The combined Value and Name must not exceed 400 KB.

15
Q

Your company likes the idea of storing files on AWS. However, low-latency service of the majority of files is important to customer service. Which Storage Gateway configuration would you use to achieve both of these ends?

A

Gateway-Stored, File Gateways

16
Q

AWS direct connect routing

A

Edit the VPC subnet route table, adding a route back to the on-premises data center.
Enable route propagation on your route table.

18
Q

You are reviewing Change Control requests and you note that there is a proposed change designed to reduce errors due to S3 Eventual Consistency by updating the “DelaySeconds” attribute. What does this mean?

A

When a new message is added to the SQS queue, it will be hidden from consumer instances for a fixed period.

19
Q

How long can a message be retained in an SQS queue?

A

14 days

20
Q

How can I connect to my Amazon VPC?

A

https://aws.amazon.com/premiumsupport/knowledge-center/connect-vpc/

21
Q

Options to connect to my Amazon VPC

A
VPN
Direct Connect (1G to 10G)
VPC peering
VPC endpoint
EC2 ClassicLink (links an instance to a VPC in your account within the same region)
Internet gateway
NAT gateway
22
Q

Virtual private gateway is aka

A

VPW

23
Q

VPC endpoint limitations

A

Can’t create an endpoint between a VPC and AWS resources in other regions
You can’t tag an endpoint
You can’t transfer an endpoint from one VPC to another
You can’t extend an endpoint connection outside the VPC

24
Q

ASN

A

Autonomous System Number.

25
Q

AWS Site-to-Site VPN

A

You can create an IPsec VPN connection between your VPC and your remote network. On the AWS side of the Site-to-Site VPN connection, a virtual private gateway provides two VPN endpoints (tunnels) for automatic failover. You configure your customer gateway on the remote side of the Site-to-Site VPN connection.

26
Q

You can connect your Amazon VPC to remote networks and users using the following VPN connectivity options

A

AWS Site-to-Site VPN - connect your on-premises network or branch office site to an AWS VPC
AWS Client VPN - connect users to AWS or on-premises networks
AWS VPN CloudHub
Third-party software VPN appliance

27
Q

Multipart upload

A

Improved throughput
Quick recovery from any network issues
Pause and resume object uploads
Begin an upload before you know the final object size - You can upload an object as you are creating it.

28
Q

Bucket naming

A

http://mynewbucket.s3-aws-region.amazonaws.com
http://s3-aws-region.amazonaws.com/mynewbucket

29
Q

Can I connect ElastiCache in front of RDS as a transparent cache?

A

ElastiCache is simply a service for caching. What gets cached, and whether the cache is used, needs to be built into your application. It does not magically sit in front of an RDS instance and cache things based on the queries executed.

30
Q

Cluster placement group

A

A cluster placement group is a logical grouping of instances within a single Availability Zone.
Cluster placement groups are recommended for applications that benefit from low network latency, high network throughput, or both, and if the majority of the network traffic is between the instances in the group.

31
Q

Partition placement groups

A

Partition placement groups help reduce the likelihood of correlated hardware failures for your application. No two partitions within a placement group share the same racks, allowing you to isolate the impact of hardware failure within your application.

32
Q

Spread placement groups are recommended for applications that have a small number of critical instances that should be kept separate from each other.

A

A spread placement group can span multiple Availability Zones in the same Region. You can have a maximum of seven running instances per Availability Zone per group.

33
Q

DR implementation

A

Work with the customer’s engineers to identify the key servers and data. Help them set up an AWS account with IAM users, groups, and roles. Build templates of the critical web/app servers and save these as AMIs. Agree upon RDS specifications that meet the stated requirements. Set up the Storage Gateway and the snapshot schedule to meet the RPO. Document, script, or automate the steps to initiate the RDS instance, the EC2 instances, the steps to restore the latest data from the Storage Gateway snapshots into RDS, plus any DNS changes. Test the process with each of the Operations team shifts.

34
Q

When copying an AMI, which of the following types of information must be manually copied to the new instance?

A

Launch permissions, S3 bucket permissions, and user-defined tags must be copied manually to an instance based on an AMI. User data is part of the AMI itself and does not need to be copied manually.

35
Q

DynamoDB

A

Use cases include storing JSON data, BLOB data and storing web session data.

36
Q

Multivalue Answer Routing

A

Multivalue answer routing lets you configure Amazon Route 53 to return multiple values, such as IP addresses for your web servers, in response to DNS queries. You can specify multiple values for almost any record, but multivalue answer routing also lets you check the health of each resource, so Route 53 returns only values for healthy resources.

37
Q

AWS OpsWorks

A

OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments.

38
Q

With EBS

A

You cannot create an unencrypted volume from an encrypted snapshot or encrypt an existing volume.

39
Q

With EBS

A

Create an encrypted snapshot from an unencrypted snapshot by creating an encrypted copy of the unencrypted snapshot.
Create an encrypted volume from a snapshot of another encrypted volume.

40
Q

You receive a ProvisionedThroughputExceededException error. However, the DynamoDB metrics show that your table or Index has not been operating at maximum provisioned throughput. What could the error be caused by?

A

The throughput is not balanced across your partitions. One partition is being subjected to a disproportionate amount of the traffic and is, therefore, exceeding limits.

41
Q

AWS Fargate

A

AWS Fargate is a compute engine for Amazon ECS and EKS that allows you to run containers without having to manage servers or clusters.

42
Q

AWS Elastic Beanstalk

A

AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.

43
Q

Request headers provide inline control of how the object will be handled and stored by S3.

A

PUT /Key+ HTTP/1.1
Host: Bucket.s3.amazonaws.com
x-amz-acl: ACL
Cache-Control: CacheControl
Content-Disposition: ContentDisposition
Content-Encoding: ContentEncoding
Content-Language: ContentLanguage
Content-Length: ContentLength
Content-MD5: ContentMD5
Content-Type: ContentType
Expires: Expires
x-amz-grant-full-control: GrantFullControl
x-amz-grant-read: GrantRead
x-amz-grant-read-acp: GrantReadACP
x-amz-grant-write-acp: GrantWriteACP
x-amz-server-side-encryption: ServerSideEncryption
x-amz-storage-class: StorageClass
x-amz-website-redirect-location: WebsiteRedirectLocation
x-amz-server-side-encryption-customer-algorithm: SSECustomerAlgorithm
x-amz-server-side-encryption-customer-key: SSECustomerKey
x-amz-server-side-encryption-customer-key-MD5: SSECustomerKeyMD5
x-amz-server-side-encryption-aws-kms-key-id: SSEKMSKeyId
x-amz-server-side-encryption-context: SSEKMSEncryptionContext
x-amz-request-payer: RequestPayer
x-amz-tagging: Tagging
x-amz-object-lock-mode: ObjectLockMode
x-amz-object-lock-retain-until-date: ObjectLockRetainUntilDate
x-amz-object-lock-legal-hold: ObjectLockLegalHoldStatus

44
Q

Using a curl or GET command to get the latest metadata from

A

http://169.254.169.254/latest/meta-data/

45
Q

Create a public subnet

A

Attach an Internet Gateway (IGW) to the VPC.

Create a route in the route table of the subnet allowing a route out of the Internet Gateway (IGW).

46
Q

You are reviewing Change Control requests, and you note that there is a change designed to reduce costs by updating the “WaitTimeSeconds” attribute. What does this mean?

A

When the consumer instance polls for new work, the SQS service will allow it to wait a certain time for one or more messages to be available before closing the connection.

47
Q

AWS Trusted Advisor service offers advice

A

Advice on security groups and what ports have unrestricted access
Whether there is MFA configured on the root account

48
Q

You need to restrict access to an S3 bucket. Which of the following methods can you use to do so?

A

S3 Bucket policies

Access Control Lists for S3 (Permissions)

49
Q

DNS, the services in the other company are unable to resolve names of your AWS services.

A

Route 53 has a security feature that prevents internal DNS from being read by external sources. The workaround is to create an EC2-hosted DNS instance that does zone transfers from the internal DNS and allows itself to be queried by external servers.

50
Q

For Lambda you can specify the amount of RAM it needs

A

This will lower the time it takes for the Lambda function to start executing and complete execution. Although you specify only RAM, it automatically bumps up the CPU.

51
Q

Lambda: the first 1M requests/month are free

A

Is it for each Lambda function, or are all Lambda functions included?

52
Q

For Lambda to reach the RDS instance, you need to associate the Lambda function with the VPC when you create it. IAM isn’t necessary.

A

Lambda requires IAM access only for AWS services like S3 and DynamoDB.

53
Q

CloudWatch contains

A

Metrics (standard metrics gathered by the hypervisor), logs and events

54
Q

CloudWatch for sending metrics

A

put metrics

55
Q

You can create alarms for metrics

A

Send a notification or trigger ASG.

Load balancer latency and CPU utilization are typical triggers for an AS action.

56
Q

standard level monitoring for EC2 vs detailed monitoring

A

Standard: metrics collected at a 5 min interval

Detailed: metrics collected at a 1 min interval

57
Q

Metrics can be created from log streams

A

Example: how many 404 errors in Apache logs

58
Q

Amazon Lightsail

A

Amazon Lightsail is the easiest way to get started with AWS for developers who just need virtual private servers. Lightsail includes everything you need to launch your project quickly – a virtual machine, SSD-based storage, data transfer, DNS management, and a static IP – for a low, predictable price

59
Q

Amazon RDS is one of the eight allowed services for penetration testing without prior approval

A

S3 is not one

60
Q

Services on which penetration testing is allowed

A
Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers
Amazon RDS
Amazon CloudFront
Amazon Aurora
Amazon API Gateways
AWS Lambda and Lambda Edge functions
Amazon Lightsail resources
Amazon Elastic Beanstalk environments
61
Q

Prohibited activities in penetration testing

A

DNS zone walking via Amazon Route 53 Hosted Zones
Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
Port flooding
Protocol flooding
Request flooding (login request flooding, API request flooding)

62
Q

AWS IAM users are created independently from a specific region, but have eventual consistency.

A

Users can be created in any region, but it does take time for changes to replicate worldwide.

63
Q

CloudFormation can be used in disaster recovery to reduce the time it takes your system to recover (RTO).

A

In CloudFormation’s stack details section

64
Q

Assign an IAM inline policy

A

This is a method for granting access to a resource.

65
Q

What is the maximum number of groups an IAM user can belong to

A

When associating Users with a Group, there is an upper limit of 10 groups per User. You are also limited to 100 groups per AWS account — so be sure to plan your access carefully

66
Q

IAM Groups are a collection of IAM Users who inherit permissions within the same AWS account.

A

IAM Roles easily allow IAM Users from another account to cross access accounts by adding their account to an IAM Role’s trust policy.

67
Q

What is the max limit of access keys an IAM User may possess at a time?

A

2

68
Q

A root user on a Master Account cannot be restricted but a root user on an Organizational Unit can be restricted.

A

Creating and attaching an SCP is a way to restrict a root user on an Organizational Unit.

69
Q

What URL is used to access instance metadata?

A

http://169.254.169.254/latest/meta-data

70
Q

Snapshots

A

Snapshots are replicated within the same region’s AZ.

Snapshots are pushed to the cost-effective storage solution, S3.

71
Q

CloudTrail stores information into the event history section for up to:

A

90