Misc

Question 1

What does AWS Trusted Advisor makes recommendations for?

Answer 1

Cost
Performance
Fault Tolerance
Security
Service Limits

Question 2

AWS Glue

Answer 2

fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics.

Question 3

AWS Neptune

Answer 3

fully-managed graph database service

Question 4

How do you create a shared resource with AWS Resource Access Manager

Answer 4

1. create a Resource Share
2. specify resources
3. specify accounts

Question 5

AWS Resource Access Manager (RAM), describe and how is it billed?

Answer 5

a service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization (or OU) or with IAM users and roles

RAM is available to you at no additional charge.

Question 6

What can be shared in AWS Resource Access Manager?

Answer 6

You can share AWS Transit Gateways, Subnets, AWS License Manager configurations, and Amazon Route 53 Resolver rules resources with RAM and more.

Question 7

Amazon Cognito Identity Pools

Answer 7

Identity pools provide AWS credentials to grant your users access to other AWS services.

Question 8

Amazon Cognito User Pools

Answer 8

A user pool is a user directory in Amazon Cognito. You can leverage Amazon Cognito User Pools to either provide built-in user management or integrate with external identity providers, such as Facebook, Twitter, Google+, and Amazon.

Question 9

Features of AWS WAF

Answer 9

Create policy
Block & Filter traffic
Monitor web traffic

Question 10

AWS WAF

Answer 10

a web application firewall
protects your web applications or APIs against common web exploits and DDOS

controls how traffic reaches your applications with security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define

Question 11

AWS Organizations

Answer 11

Account management service that enables you to consolidate multiple AWS accounts into an organization that you centrally manage

Accounts can be organized in a hierarchy*

AWS Organizations includes account management and consolidated billing capabilities across accounts

Enables budget management, security guard rails/restrictions, and compliance across accounts

Using AWS Organizations, you can automate account creation, create groups of accounts to reflect your business needs, and apply policies for these groups for governance

Question 12

Amazon GuardDuty

Answer 12

Threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.

Question 13

AWS Shield

Answer 13

a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency. There are two tiers of AWS Shield - Standard and Advanced.

Question 14

AWS CloudFront

Answer 14

Delivers content to end users with lower latency to edge locations located around the world

Global service

Uses cache at edge location (Edge Cache) to prevent latency

Can serve both dynamic and static content.

Question 15

AWS Region

Answer 15

Two or more availability zones

User enables and controls data replication across regions

Select a region to store data baed on compliance and network latency requirements

AWS services are available by region; not all regions have same services

Question 16

Availability Zone

Answer 16

One or more data centers
Designed for fault tolerance
AWS recommends replicating across AZ for resiliency

Question 17

AWS Fargate

Answer 17

Fargate is a fully managed serverless service for running containers on AWS.

Question 18

AWS CloudHSM

Answer 18

AWS CloudHSM your keys are held in AWS in a hardware security module.

Question 19

Amazon CloudWatch

Answer 19

Performance monitoring

Amazon CloudWatch monitors your Amazon Web Services (AWS) resources and the applications you run on AWS in real time.

You can create alarms that watch metrics and send notifications (SNS) or automatically make changes to the resources you are monitoring when a threshold is breached (ASG).

Question 20

AWS Cloud Trail

Answer 20

Auditing

Logs AWS API calls to account to CloudWatch or S3

Question 21

Origin Access Identity

Answer 21

Used to restricting access to Amazon S3 content exposed by CloudFront

1. Create a special CloudFront user called an origin access identity (OAI) and associate it with your distribution.
2. Configure your S3 bucket permissions so that CloudFront can use the OAI to access the files in your bucket and serve them to your users. Make sure that users can’t use a direct URL to the S3 bucket to access a file there.

Question 22

To migrate accounts between AWS Organizations what is needed?

How do you migrate resources?

Answer 22

Root or IAM access to both the member and master accounts.

Resources will remain under the control of the migrated account.

Question 23

Amazon Athena

Answer 23

Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run.

Question 24

What are the default metrics CloudWatch collects?

Answer 24

Instance metrics - CPU Util, Network In/Out, Disk Read/Write Ops, Disk Read/Write Bytes, Network Packets In/Out, MetadataNoToken
CPU credit metrics
Dedicated Host metrics
Amazon EBS metrics for Nitro-based instances
Status check metrics
Traffic mirroring metrics
Amazon EC2 metric dimensions
Amazon EC2 usage metrics

Question 25

Cloud Watch vs Cloud Trail

Answer 25

``` Cloud Watch Performance Monitor Logs events across AWS services e.g. operations High level logging Stores logs indefinitely Alarm History for 14 days ``` Cloud Trail Auditing Logs activity across API calls e.g. activity Granular or low level logging Stores logs in S3 or CloudWatch indefinitely No native alarming, must sent logs to cloud watch and use cloud watch alarm Both support multiple accounts

Question 26

AWS API Gateway

Answer 26

Fully managed service that allows you to create, publish, maintain, monitor, and secure APIs at scale

Question 27

What APIs does AWS API Gateway support?

Answer 27

Stateful Websocket API Stateless HTTP and REST APIs HTTP API - low latency cost effective REST APIs - offer more features

Question 28

AWS API Gateway Features

Answer 28

1. Stateless and stateful APIs 2. Authentication using IAM, Lamda authorizer functions and Cognito user pools 3. Developer portal for publishing APIs 4. Throttles request to your API 4. Canary release deployments 5. CloudTrail logging and monitoring of API usage/changes 6. CloudWatch access and execution logging, set alarms 7. API creation with CloudFormation 8. Custom domain names 9. Integration with AWS WAF and AWS X-Ray

Question 29

Canary release deployments

Answer 29

allows test and prod deployments and small and random amount of live traffic goes to test

Question 30

AWS X-Ray

Answer 30

helps developers analyze and debug production, distributed applications, such as those built using a microservices architecture provides an end-to-end view of requests as they travel through your application, and shows a map of your application’s underlying components

Question 31

What well architected principle does shield not address AWS Shield?

Answer 31

Shield cannot be used to improve application resiliency to handle spikes in traffic.

Question 32

AWS Shield Standard

Answer 32

Provides protection for all AWS customers and defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.

Question 33

AWS Shield Advanced

Answer 33

enhanced protections for more sophisticated and larger attacks on EC2, ELB, CloudFront, Global Accelerator, and Route53 supports automatic mitigation in some scenarios and real time notification of suspected DDOS engage Shield Response Team 24x7

Question 34

How is AWS Shield billed?

Answer 34

Standard is built in and no additional costs Advance is 3K per month per organization You can save by consolidating accounts into an organization, enable Advance in each account and only pay the monthly fee once as along as accounts are under a single consolidated billing and you own all the accounts and resources

Question 35

What does GuardDuty use as input for continuous monitoring? Why are these inputs used?

Answer 35

1. CloudTrail Management Events - monitor AWS accounts 2. CloudTrail S3 Data Events - monitor data access 3. VPC Flow Logs - monitor network 4. DNS Logs - monitor network

Question 36

How can you take action on Guard Duty identified threats?

Answer 36

Review findings in console and integrate into event management or workflow system or trigger lambda for automated remediation

Question 37

What are possible actions in AWS GaurdDuty lifecycle?

Answer 37

Enable in console Suspend the service in general settings - stops analyzing data sources but doesn't delete findings or configuration Disable in general settings - delete all remaining data including findings and configuration before relinquishing service permissions and resetting service

Question 38

How can you limit geographies with WAF?

Answer 38

Use WAF with ALB Use Geo Match Conditions to allow or deny application access based on geolocation of user

Question 39

Languages supported by Lambda

Answer 39

``` Java Go PowerShell Node.js C# Python Ruby provides a Runtime API allowing you to use any additional programming languages to author your functions. ```

Question 40

AWS Lambda

Answer 40

AWS Lambda is a serverless compute service that runs your code in response to events and automatically manages the underlying compute resources for you. runs for up to 15 mins can be allocated up to 10 gb memory

Question 41

AWS Lambda Billing

Answer 41

you pay for execution duration rather than server unit

Question 42

Amazon EventBridge

Answer 42

serverless event bus to build event-driven applications at scale using events generated from your applications, integrated Software-as-a-Service (SaaS) applications, and AWS services

Question 43

Amazon ECS task definition

Answer 43

required to run Docker containers in Amazon ECS

Question 44

Amazon Inspector

Answer 44

automated vulnerability management service that continually scans Amazon Elastic Compute Cloud (EC2) and container workloads for software vulnerabilities and unintended network exposure

Question 45

CloudWatch vs CloudTrail

Answer 45

CloudWatch: “What is happening on AWS?” and logging all the events for a particular service or application. CloudTrail: “Who did what on AWS?” and the API calls to the service or resource. CloudTrail logs can be ingested into CloudWatch to monitor and identify your AWS account activity against security threats, and create a governance framework for security best practices.

Question 46

Languages supported by Elastic Beanstalk?

Answer 46

Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker

Question 47

AWS Elastic Beanstalk

Answer 47

is an easy-to-use service for deploying and scaling web applications and services simply upload your code and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, auto-scaling to application health monitoring. At the same time, you retain full control over the AWS resources powering your application and can access the underlying resources at any time.

Question 48

How is Elastic Beanstalk billed?

Answer 48

There is no additional charge for Elastic Beanstalk - you pay only for the AWS resources needed to store and run your applications.

Question 49

AWS WAF integration

Answer 49

ALB CloudFront API Gateway AppSync GraphQL

Question 50

Lambda core components

Answer 50

Event source - publish events function - code that runs your function handler that will recieve the event IAM role function can assume to run the function compute resources allocated delivery timeout