Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

AWS Professional > misc > Flashcards

misc Flashcards

1
Q

How does Kinesis determine the shard for a newly inserted record?

A

Using the MD5 hash of a user-specifified partition key

From the Kinesis Developer Guide (http://docs.aws.amazon.com/kinesis/latest/dev/key-concepts.html):
“A partition key is used to group data by shard within a stream. Amazon Kinesis segregates the data records belonging to a stream into multiple shards, using the partition key associated with each data record to determine which shard a given data record belongs to.
Partition keys are Unicode strings with a maximum length limit of 256 bytes. An MD5 hash function is used to map partition keys to 128-bit integer values and to map associated data records to shards. A partition key is specified by the applications putting the data into a stream.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

In the context of IAM identity federation, what is an Identity Broker?

A

A custom application that authenticates against an identity store and provides access to AWS

From the IAM User Guide ():
“””
To enable your organization’s users to access the AWS Management Console, you can create a custom “identity broker” that performs the following steps:
1. Verify that the user is authenticated by your local identity system.
2. Call the AWS Security Token Service (AWS STS) AssumeRole (recommended) or GetFederationToken APIs to obtain temporary
security credentials for the user. The credentials are associated with permissions that control what the user can do.
3. Call an AWS federation endpoint and supply the temporary security credentials to get a sign-in token.
4. Construct a URL for the console that includes the token.
5. Give the URL to the user or invoke the URL on the user’s behalf.
“””
This blog goes into a lot more
detail of how to do this with GetFederationToken, including some nice pictures and examples. (https://aws.amazon.com/blogs/aws/aws-identity-and-access-management-now-with-identity-federation/)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Does increasing an RDS instance’s storage cause downtime?

A

No

From the RDS User Guide (http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PIOPS.StorageTypes.html):

“Data storage in Amazon RDS is specified by selecting a storage type and providing a storage size (GB) when you create or modify a DB instance. You can change the type of storage your instance uses by modifying the DB instance, but changing the type of storage in some cases might result in a short outage for the instance. Changing from Magnetic to either General Purpose (SSD) or Provisioned
IOPS (SSD) results in an outage. Also, changing from General Purpose (SSD) or Provisioned IOPS (SSD) to Magnetic results in an outage. The outage time is typically 60–120 seconds. For more information about Amazon RDS storage types, see Amazon RDS
Storage Types.
Increasing the allocated storage does not result in an outage. Note that you cannot reduce the amount of storage once it has been allocated. The only way to reduce the amount of storage allocated to a DB instance is to dump the data out of the DB instance, create a new DB instance with less storage space, and then load the data into the new DB instance.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is the largest possible size for a VPC?

  1. /14
  2. /16
  3. /24
A

/16 (65,536 addresses)

From the VPC documentation (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#VPC_Sizing):
“VPC Sizing
You can assign a single CIDR block to a VPC. The allowed block size is between a /28 netmask and/16 netmask. In other words, the VPC can contain from 16 to 65,536 IP addresses. You can’t change the size of a VPC after you create it. If your VPC is too small to meet your needs, create a new, larger VPC, and then migrate your instances to the new VPC. To do this, create AMIs from your running instances, and then launch replacement instances in your (new, larger VPC. You can then terminate your old instances, and delete your smaller VPC. For more information, see Deleting Your VPC.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What are the default permissions for a VPCs default NACL?

  1. Deny all
  2. Allow all inbound and outbound
A

Allow all inbound and outbound

From the VPC documentation (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html#default-network-acl):
“Default Network ACL
To help you understand what ACL rules look like, here’s what the default network ACL looks like in its initial state. It is configured to allow all traffic to flow in and out of each subnet. Each network ACL includes a rule whose rule number is an asterisk. This rule ensures that if a packet doesn’t match any of the other rules, it’s denied. You can’t modify or remove this rule.”
also:
“Your VPC automatically comes with a modifiable default network ACL; by default, it allows all inbound and outbound traffic.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Route 53

How quickly do DNS changes propagate globally?

  1. Within 60 seconds
  2. Within 120 seconds
  3. Within 300 seconds
A

Within 60 seconds

From the Route 53 FAQ (https://aws.amazon.com/route53/faqs/):

“Q. How quickly will changes I make to my DNS settings on Amazon Route 53 propagate globally?
Amazon Route 53 is designed to propagate updates you make to your DNS records to its world-wide network of authoritative DNS servers within 60 seconds under normal conditions. A change is successfully propagated world-wide when the API call returns an INSYNC status listing. Note that caching DNS resolvers are outside the control of the Amazon Route 53 service and will cache your resource record sets according to their time to live (TTL). The INSYNC or PENDING status of a change refers only to the state of Route 53’s authoritative DNS servers.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Is all data in Glacier encrypted by default?

A

Yes

From Glacier FAQ (https://aws.amazon.com/glacier/faqs/)

“Yes, all data in the service will be encrypted on the server side. Amazon Glacier handles key management and key protection for you. Amazon Glacier uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256). 256-bit is the largest key size defined for AES. Customers wishing to manage their own keys can encrypt data prior to uploading it.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What are the initial rules for a VPC’s default security group?

A

Allow all outbound traffic
Allow all inbound traffic from other instances in the security group

From the EC2 Security Group documentation (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html):
“””
Default Security Groups
Your VPC automatically comes with a default security group. Each EC2 instance that you launch in your VPC is automatically associated with the default security group if you don’t specify a different security group when you launch the instance.
The following table describes the default rules for a default security group.
You can change the rules for the default security group.
You can’t delete a default security group.
“””

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What can be modified on an existing Reserved Instance?

A

Availability Zone
Switching between EC2-VPC and EC2-Classic
Changing the instance type within the same instance family

From the Reserved Instance documentation (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ri-modifying.html):
“When your computing needs change, you can modify your Reserved Instances and continue to benefit from your capacity reservation.
Modification does not change the remaining term of your Reserved Instances; their end dates remain the same. There is no fee, and you do not receive any new bills or invoices. Modification is separate from purchasing and does not affect how you use, purchase, or sell Reserved Instances. You can modify your whole reservation, or just a subset, in one or more of the following ways:
* Switch Availability Zones within the same region
* Change between EC2-VPC and EC2-Classic
* Change the instance type within the same instance family”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

How long does it take to retrieve a tape from a Virtual Tape Shelf into a Virtual Tape Library?

  1. 12 hours
  2. 24 hours
A

24 hours

From the Storage Gateway documentation (http://docs.aws.amazon.com/storagegateway/latest/userguide/storage-gateway-vtl-concepts.html):
“Retrieving tapes – Tapes archived to the VTS cannot be read directly. To read an archived tape, you must first retrieve it to your gateway-VTL either by using the AWS Storage Gateway console or by using the AWS Storage Gateway API. A retrieved tape will be available in your VTL in about 24 hours.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

How long does it take for Route 53 to execute a DNS failover?

  1. Under one minute
  2. Under two minutes
  3. Under five minutes
A

Under two minutes

From this re:Invent presentation (https://www.youtube.com/watch?v=f9y-T7mQVxs):

The top bar represents the time to respond a failover “manually” by personally reacting to a CloudWatch alarm and reconfiguring Route
53 and other components in the best case.
The second bar represents how long it takes for Route 53 itself to execute a DNS failover using the native feature.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Does DynamoDB background maintenance consume burst capacity?

A

Yes

From the Amazon S3 documentation
(http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GuidelinesForTables.html#GuidelinesForTables.Bursting):
“DynamoDB provides some flexibility in the per-partition throughput provisioning: When you are not fully utilizing a partition’s throughput, DynamoDB reserves a portion of your unused capacity for later “bursts” of throughput usage. DynamoDB currently
reserves up 5 minutes (300 seconds) of unused read and write capacity. During an occasional burst of read or write activity, this reserved throughput can be consumed very quickly — even faster than the per-second provisioned throughput capacity that you’ve defined for your table. However, do not design your application so that it depends on burst capacity being available at all times:
DynamoDB can and does use burst capacity for background maintenance and other tasks without prior notice.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What is the total amount of data that can be stored in a single Gateway-Stored gateway appliance (in multiple volumes):

  1. 262 TB
  2. 192 TB
A

192 TB
Single Volume 16TB

From the Storage Gateway FAQ (https://aws.amazon.com/storagegateway/faqs/):
“Q. How much volume data can I manage per gateway?

Each Gateway-Stored gateway can support up to 12 volumes for a maximum of 192 TB of data (12 volumes, each 16 TB in size).”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

To which entities can I assign an IAM policy?

  1. Role
  2. Group
  3. User
A

All of these entities can be assigned a policy.

Further, you can also assign user policies indirectly via group memberships.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What is the provisioned read capacity of a Kinesis shard?

  1. 5 TPS up to 2MB/s
  2. 10 TPS up 10MB/s
A

5 TPS up to 2MB/s

From the Kinesis Developer Guide (http://docs.aws.amazon.com/kinesis/latest/dev/key-concepts.html):
“A shard is a uniquely identified group of data records in an Amazon Kinesis stream. A stream is composed of multiple shards, each of which provides a fixed unit of capacity. Each shard can support up to 5 transactions per second for reads, up to a maximum total data read rate of 2 MB per second and up to 1,000 records per second for writes, up to a maximum total data write rate of 1 MB per second (including partition keys). The data capacity of your stream is a function of the number of shards that you specify for the stream.
The total capacity of the stream is the sum of the capacities of its shards.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

When will ElastiCache automatically upgrade a Memcached cluster?

  1. whenever a new version is released
  2. to address security vulnerabilities
A

to address security vulnerabilities

From the ElastiCache FAQ (https://aws.amazon.com/elasticache/faqs/):
“Q: Can I control if and when the engine version powering Amazon ElastiCache Cluster is upgraded to new supported versions?
Amazon ElastiCache allows you to control if and when the Memcached protocol-compliant software powering your Cache Cluster is upgraded to new versions supported by Amazon ElastiCache. This provides you with the flexibility to maintain compatibility with specific Memcached versions, test new versions with your application before deploying in production, and perform version upgrades on your own terms and timelines. Version upgrades involve some compatibility risk, thus they will not occur automatically and must be initiated by you. This approach to cache software patching puts you in the driver’s seat of version upgrades, but still offloads the work of patch application to Amazon ElastiCache. You can learn more about version management by reading the FAQs that follow. Alternatively, you can refer to the Amazon ElastiCache User Guide. While Cache Engine Version Management functionality is intended to give you
as much control as possible over how patching occurs, we may patch your Cache Cluster on your behalf if we determine there is any security vulnerability in the system or cache software.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What is an IAM External ID and how is it used?

A

An identifier that an AWS managed service provides when assuming a role in its customers’ accounts

From the IAM documentation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html):

“At times, you need to give a third party access to your AWS resources (delegate access). One important aspect of this scenario is the External ID, an optional piece of information that you can use in an IAM role trust policy to designate who can assume the role.

In abstract terms, the external ID allows the user that is assuming the role to assert the circumstances in which they are operating. It also provides a way for the account owner to permit the role to be assumed only under specific circumstances. The primary function of the external ID is to address and prevent the “confused deputy” problem.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What is the default retention period for RDS backups?

  1. 7 days
  2. 14 days
  3. 1 day
A

1 day

From the RDS User Guide (http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html):

“Amazon RDS can automatically back up all of your DB instances. You can set the backup retention period when you create a DB instance. If you don’t set the backup retention period, Amazon RDS uses a default period retention period of one day. “

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What data is an IAM Request Context?

A 
Calling principal 
Environment data (IP address, user agent, etc.)
Resource data (e.g., DynamoDB table name)

From the IAM documentation (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html):

“The Request Context
When AWS authorizes a request, information about the request is assembled from several sources:

  • Principal (the requester), which is determined based on the secret access key. This might represent the root user, an IAM user, a federated user (via STS), or an assumed role, and includes the aggregate permissions that are associated with that principal.
  • Environment data, such as the IP address, user agent, SSL enabled, the time of day, etc. This information is determined from the
    request.
  • Resource data, which pertains to information that is part of the resource being requested. This can include information such as a DynamoDB table name, a tag on an Amazon EC2 instance, etc.
    This information is gathered into a request context, which is a collection of information that’s derived from the request. During evaluation, AWS uses values from the request context to determine whether to allow or deny the request. For example, does the action in the request context match an action in the Action element? If not, the request is denied. Similarly, does the resource in the request
    context match one of the resources in the Resource element? If not, the request is denied.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

Which STS APIs can be called by users that do not have AWS root or IAM credentials?

A

AssumeRoleWithSAML

AssumeRoleWithWebIdentity

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What conditions trigger an automated failover of a multi-AZ RDS instance?

A

An Availability Zone outage
Failure of the primary DB instance
Change of the DB instance’s server type
Patching the DB instance’s operating system
Manual failover initiated using “Reboot with Failover”

From the RDS User Guide (http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html):
“””
Amazon RDS handles failovers automatically so you can resume database operations as quickly as possible without administrative intervention. The primary DB instance switches over automatically to the standby replica if any of the following conditions occur:
An Availability Zone outage
The primary DB instance fails
The DB instance’s [storage] type is changed
The operating system of the DB instance is undergoing software patching
A manual failover of the DB instance was initiated using Reboot with failover
“””

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What is the smallest possible size for a VPC?

  1. /20
  2. /24
  3. /28
A

/28 (16 addresses)

From the VPC documentation (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#VPC_Sizing):
“VPC Sizing
You can assign a single CIDR block to a VPC. The allowed block size is between a /28 netmask and/16 netmask. In other words, the VPC can contain from 16 to 65,536 IP addresses. You can’t change the size of a VPC after you create it. If your VPC is too small to meet your needs, create a new, larger VPC, and then migrate your instances to the new VPC. To do this, create AMIs from your running instances, and then launch replacement instances in your new, larger VPC. You can then terminate your old instances, and delete your smaller VPC. For more information, see Deleting Your VPC.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Is it possible to reduce the storage of an RDS instance?

A

No

From the RDS User Guide (http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PIOPS.StorageTypes.html):

“Data storage in Amazon RDS is specified by selecting a storage type and providing a storage size (GB) when you create or modify a DB instance. You can change the type of storage your instance uses by modifying the DB instance, but changing the type of storage in some cases might result in a short outage for the instance. Changing from Magnetic to either General Purpose (SSD) or Provisioned IOPS (SSD) results in an outage. Also, changing from General Purpose (SSD) or Provisioned IOPS (SSD) to Magnetic results in an outage. The outage time is typically 60–120 seconds. For more information about Amazon RDS storage types, see Amazon RDS
Storage Types.
Increasing the allocated storage does not result in an outage. Note that you cannot reduce the amount of storage once it has been allocated. The only way to reduce the amount of storage allocated to a DB instance is to dump the data out of the DB
instance, create a new DB instance with less storage space, and then load the data into the new DB instance.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Is it possible that clients might see a message on an SQS queue even after the message has been deleted?

A

Yes

From the SQS FAQ (https://aws.amazon.com/sqs/faqs/):
“Q: Can a deleted message be received again?
Yes, under rare circumstances you might receive a previously deleted message again. This can occur in the rare situation in which a DeleteMessage operation doesn’t delete all copies of a message because one of the servers in the distributed Amazon SQS system isn’t available at the time of the deletion. That message copy can then be delivered again. You should design your application so that
no errors or inconsistencies occur if you receive a deleted message again. “

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

What are the valid Auto Scaling custom termination policies supported by AWS?

A 
OldestInstance
NewestInstance
OldestLaunchConfiguration
ClosestToNextInstanceHour
Default

From the Auto Scaling documentation
()http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/AutoScalingBehavior.InstanceTermination.html):
“Auto Scaling currently supports the following custom termination policies:
* OldestInstance. Auto Scaling terminates the oldest instance in the group. This option is useful when you’re upgrading the instances in the Auto Scaling group to a new EC2 instance type, and want to eventually replace instances with older instances with newer ones.
* NewestInstance. Auto Scaling terminates the newest instance in the group. This policy is useful when you’re testing a new launch configuration but don’t want to keep it in production.
* OldestLaunchConfiguration. Auto Scaling terminates instances that have the oldest launch configuration. This policy is useful when you’re updating a group and phasing out the instances from a previous configuration.
* ClosestToNextInstanceHour. Auto Scaling terminates instances that are closest to the next billing hour. This policy helps you maximize the use of your instances and manage costs.
* Default. Auto Scaling uses its default termination policy. This policy is useful when you have more than one scaling policy associated with the group.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

What are some DynamoDB best practices that can improve performance?

A
  • Concatenate query attributes into a single LSI (e.g., if you need to query on status and date, create a single range key with status + date
  • Split tables by access frequency (by projecting those specific attributes into a GSI) to reduce query IOPS
  • Ensure that keys are evenly distributed across partitions
  • Shard writes of extremely hot tables by spreading the items across a fixed number of shards and appending a random shard identifier (e.g., an integer from 1 to 10) to an item’s hash key for each write; aggregate reads across multiple shards
  • Move less frequently access items into a separate table with lower provisioned I/O
  • Cache read-heady items

Lots of detail in this presentation (https://www.youtube.com/watch?v=KmHGrONoif4)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

For which workloads would you choose Redshift over RDS?

A

Analytics and reporting
Workloads with very large data sets
Workloads where analytics can’t interfere with OLTP

From the Redshift FAQ (https://aws.amazon.com/redshift/faqs/):
“Q: When would I use Amazon Redshift vs. Amazon RDS?
Both Amazon Redshift and Amazon RDS enable you to run traditional relational databases such as MySQL, Oracle and SQL Server in the cloud while offloading database administration. Customers use Amazon RDS databases both for online-transaction processing (OLTP) and for reporting and analysis. Amazon Redshift harnesses the scale and resources of multiple nodes and uses a variety of
optimizations to provide order of magnitude improvements over traditional databases for analytic and reporting workloads against very
large data sets. Amazon Redshift provides an excellent scale-out option as your data and query complexity grows or if you want to prevent your reporting and analytic processing from interfering with the performance of your OLTP workload.”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

What are the possible outcomes when CloudFormation updates a resource?

A

No interruption
Some interruption
Full replacement

From the CloudFormation User Guide (http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html):

“You modify stack resources by submitting an updated template or by submitting updated input parameters. When you submit an update, AWS CloudFormation updates resources based on differences between what you submit and the stack’s current template.
Resources that have not changed run without disruption during the update process. Resources that are updated could be interrupted or
replaced, depending on the resources and properties that are being updated. AWS CloudFormation uses one of the following
techniques to update resources:
Update with No Interruption
AWS CloudFormation updates the resource without disrupting operation of that resource and without changing the resource’s physical name. For example, if you update any properties on anAWS::CloudWatch::Alarm resource, AWS CloudFormation updates the alarm’s
configuration and, during the update, the alarm’s operation continues without disruption.
Updates with Some Interruption
AWS CloudFormation updates the resource with some interruption but the physical name is retained. For example, if you update certain
properties on an AWS::EC2::Instance resource, the instance might have some interruption while AWS CloudFormation and Amazon EC2 reconfigure the instance.
Replacement
AWS CloudFormation recreates the resource during an update, which also generates a new physical ID. AWS CloudFormation creates the replacement resource first, changes references from other dependent resources to point to the replacement resource, and then deletes the old resource. For example, if you update the Engine property of an AWS::RDS::DBInstance resource, AWS CloudFormation creates a new resource and replaces the current DBInstance resource with the new one.
To learn more about updating a particular resource, see the documentation that is associated with that resource. For example, the Amazon EC2 documentation provides details about what changes interrupt an instance. See also the AWS Resource Types Reference, where the effects of updating a resource are listed for each property.”

29
Q

What is the maximum number of accumulated CPU credits for the T2 (burstable) server class?

  1. 24 hours of credits
  2. 48 hours of credits
A

24 hours of credits

From this blog (https://aws.amazon.com/blogs/aws/low-cost-burstable-ec2-instances/):
“Credits will continue to accumulate if they aren’t used, until they reach the level which represents an entire day’s worth of baseline
accumulation:
t2.micro – 144 – (6 CPU Credits / hour * 24 hours)
t2.small – 288 (12 CPU Credits / hour * 24 hours)
t2.medium – 576 (24 CPU Credits / hour * 24 hours)
No further credits accumulate once an instance reaches this level. In general, suitable workloads for T2 instances will generally maintain a positive credit balance. If you find that you are consistently maxing out on credits, you might consider switching to a smaller instance size to reduce your costs.”

30
Q

What are some benefits of SQS Long Polling?

A
  • ReceiveMessage requests don’t return until a message appears on the queue, reducing the number of required API calls
  • All of the queue servers are queried to service the request, so the ReceiveMessage response always includes all available messages

From the SQS Developer Guide (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-long-polling.html):
“One benefit of long polling with Amazon SQS is the reduction of the number of empty responses, when there are no messages available to return, in reply to a ReceiveMessage request sent to an Amazon SQS queue. Long polling allows the Amazon SQS
service to wait until a message is available in the queue before sending a response. So unless the connection times out, the response to the ReceiveMessage request will contain at least one of the available messages (if any) and up to the maximum number requested in the ReceiveMessage call.
Another benefit is helping to eliminate false empty responses, where messages are available in the queue but are not included in the response. This happens when Amazon SQS uses short (standard) polling, the default behavior, where only a subset
of the servers (based on a weighted random distribution) are queried to see if any messages are available to include in the response.
On the other hand, when long polling in enabled, Amazon SQS queries all of the servers.
Reducing the number of empty responses and false empty responses also helps reduce your cost of using Amazon SQS.”

Note that the feature is triggered via the WaitTimeSeconds parameter:
“Short polling occurs when the WaitTimeSeconds parameter of a ReceiveMessage call is set to 0. This happens in one of two ways – either the ReceiveMessage call sets WaitTimeSeconds to 0, or theReceiveMessage call doesn’t set WaitTimeSeconds and the queue attribute ReceiveMessageWaitTimeSeconds is 0.”

31
Q

What is the maximum configurable retention period for Kinesis records?

  1. 7 days
  2. 24 hours
A

7 days

From the Kinesis Developer Guide (http://docs.aws.amazon.com/kinesis/latest/dev/key-concepts.html):
“The length of time data records are accessible after they are added to the stream. A stream’s retention period is set to a default of 24 hours after creation. You can increase the retention period up to 168 hours (7 days) using the IncreaseRetentionPeriod operation, and decrease the retention period down to a minimum of 24 hours using the DecreaseRetentionPeriod operation.”

32
Q

What is a Route 53 hosted zone?

A

A collection of resource record sets that share a common domain name suffix

From the Route 53 FAQ (https://aws.amazon.com/route53/faqs/):

“Q. What is the difference between a Domain and a Hosted Zone?
A domain is a general DNS concept. Domain names are easily recognizable names for numerically addressed Internet resources. For example, amazon.com is a domain. A hosted zone is an Amazon Route 53 concept. A hosted zone is analogous to a traditional DNS zone file; it represents a collection of records that can be managed together, belonging to a single parent domain name. All resource record sets within a hosted zone must have the hosted zone’s domain name as a suffix. For example, the amazon.com hosted zone may contain records named www.amazon.com, and www.aws.amazon.com, but not a record named www.amazon.ca. You can use the Route 53 Management Console or API to create, inspect, modify, and delete hosted zones. You can also use the Management Console or API to register new domain names and transfer in existing domain names into Route 53’s management.”

33
Q

What is the smallest possible granularity of the byte range specified for a Glacier range retrieval?

A

1 MB

From the Glacier FAQ (https://aws.amazon.com/glacier/faqs/):

“Q: Can I retrieve part of an archive?
When initiating a retrieval job using range retrievals, you provide a byte range that can start at zero (which would be the beginning of your archive), or at any 1MB interval thereafter (e.g. 1MB, 2MB, 3MB, etc). The end of the range can either be the end of your archive or any 1MB interval greater than the beginning of your range.”

also from the Glacier Developer Guide (http://docs.aws.amazon.com/amazonglacier/latest/dev/downloading-an-
archive.html#downloading-an-archive-range):
“When initiating a retrieval job using range retrievals, you must provide a range that is megabyte aligned. This means that the byte range can start at zero (which would be the beginning of your archive), or at any 1 MB interval thereafter (1 MB, 2 MB, 3 MB, etc.). The end of the range can either be the end of your archive or any 1 MB interval greater than the beginning of your range. Furthermore, if you want to get checksum values when you download the data (after the retrieval job completes), the range you request in the job initiation must also be tree-hash aligned. Checksums are a way you can ensure that your data was not corrupted during transmission.
For more information about megabyte alignment and tree-hash alignment, see Receiving Checksums When Downloading Data.”

34
Q

Using Route 53, is it possible to associate multiple IP addresses to a single record?

A

Yes

From the Route 53 FAQ (https://aws.amazon.com/route53/faqs/):

“Q. Can I associate multiple IP addresses with a single record?
Yes. Associating multiple IP addresses with a single record is often used for balancing the load of geographically-distributed web servers. Amazon Route 53 allows you to list multiple IP addresses for an A record and responds to DNS requests with the list of all configured IP addresses.”

35
Q

What’s required to create an SSO URL for federated users?

A

Temporary credentials obtained from STS
Calling the AWS federation endpoint
Constructing a url from the token obtained from the federation endpoint
Using SAML’s built-in SSO capability

From the IAM User Guide (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html):

“””
You can write and run code to create a URL that lets users who sign in to your organization’s network securely access the AWS Management Console. The URL includes a sign-in token that you get from AWS and that authenticates the user to AWS.

Note
If your organization uses an identity provider (IdP) that is compatible with SAML, such as Microsoft’s Active Directory Federation Services or open-source Shibboleth, you can set up access to the AWS Management Console without writing code. For details, see Enabling SAML 2.0 Federated Users to Access the AWS Management Console.
To enable your organization’s users to access the AWS Management Console, you can create a custom “identity broker” that performs the following steps:
1. Verify that the user is authenticated by your local identity system.
2. Call the AWS Security Token Service (AWS STS) AssumeRole (recommended) or GetFederationToken APIs to obtain temporary
security credentials for the user. The credentials are associated with permissions that control what the user can do.
3. Call an AWS federation endpoint and supply the temporary security credentials to get a sign-in token.
4. Construct a URL for the console that includes the token.
5. Give the URL to the user or invoke the URL on the user’s behalf.
The URL that the federation endpoint provides is valid for 15 minutes after it is created. The temporary security credentials associated with the URL are valid for the duration you specified when you created them, starting from the time they were created.
Important
Keep in mind that the URL grants access to your AWS resources through the AWS Management Console to the extent that you have enabled permissions in the associated temporary security credentials. For this reason, you should treat the URL as a secret. We recommend returning the URL through a secure redirect, for example, by using a 302 HTTP response status code over an SSL
connection. For more information about the 302 HTTP response status code, go to RFC 2616, section 10.3.3.
“””

36
Q

Is it possible to enable encryption for a currently unencrypted EBS volume?

A

No

From the EC2 User Guide (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html):
“There is also no way to encrypt an existing volume. However, you can migrate existing data between encrypted volumes and unencrypted volumes.”

More detail about migrating data is here
(http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#EBSEncryption_migrating_data):
“If you have existing data that you would like to store on an encrypted volume, you need to migrate the data from your unencrypted volume to a new encrypted volume.
Likewise, if you have data that currently resides on an encrypted volume that you would like to share with others, you need to migrate the data you want to share from your encrypted volume to a new unencrypted volume.”
It goes on to describe how to do this using rsync.

37
Q

What is the maximum Data transfer rate per CloudFront distribution?

  1. 10 Gbps
  2. 100 Gbps
A

10 Gbps

See (http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cloudfront-limits.html)

38
Q

What is an EC2 Instance Profile?

  1. A summary of the instance’s configuration
  2. Used to mount EBS drives to instances at startup
  3. Used to associate IAM roles to instance at startup
A

Used to associate IAM roles to instance at startup

From the IAM User Guide (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html):

“An instance profile is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.”

39
Q

When IAM evaluates an API request it calculates a “request context”, which includes a Calling Principal. What is a Calling Principal?

A

An IAM group
An EC2 instance id
A managed role

From the IAM documentation (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html):

“The Request Context
When AWS authorizes a request, information about the request is assembled from several sources:
* Principal (the requester), which is determined based on the secret access key. This might represent the root user, an IAM user, a federated user (via STS), or an assumed role, and includes the aggregate permissions that are associated with that principal.
* Environment data, such as the IP address, user agent, SSL enabled, the time of day, etc. This information is determined from the
request.
* Resource data, which pertains to information that is part of the resource being requested. This can include information such as a DynamoDB table name, a tag on an Amazon EC2 instance, etc.

This information is gathered into a request context, which is a collection of information that’s derived from the request.

40
Q

What is the maximum size of a DynamoDB item?

  1. 4 KB
  2. 400 KB
  3. 100 KB
A

400 KB

See http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Limits.html
“Cannot exceed 400 KB which includes both attribute name binary length (UTF-8 length) and attribute value lengths (again binary length). The attribute name counts towards the size limit. For example, consider an item with two attributes: one attribute named “shirt-color” with value “R” and another attribute named “shirt-size” with value “M”. The total size of that item is 23 bytes.
For attribute values that are of type binary, the application must encode the data in base64 format before sending it to DynamoDB.
Upon receipt of the data, DynamoDB decodes it into an unsigned byte array and uses that as the length of the attribute.
These limits apply to items stored in tables, and also to items in secondary indexes.
For each local secondary index on a table, there is a 400 KB limit on the total size of the following:
* The size of an item’s data in the table.
* The size of the local secondary index entry corresponding to that item, including its key values and projected attributes.”

41
Q

ElastiCache

How many read replicas can I create for a given ElastiCache master cluster?

  1. 5
  2. 10
A

5

From the ElastiCache FAQ (https://aws.amazon.com/elasticache/faqs/):
“Q: How many read replicas can I create for a given primary cache node?
At this time, Amazon ElastiCache allows you to create up to five (5) read replicas for a given primary cache node.”

42
Q

What is the maximum delay period for an SQS delay queue?

  1. 5 minutes
  2. 15 minutes
  3. 30 minutes
A

15 minutes

From the SQS documentation (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-delay-
queues.html):
“Delay queues allow you to postpone the delivery of new messages in a queue for a specific number of seconds. If you create a delay queue, any message that you send to that queue will be invisible to consumers for the duration of the delay period. You can use CreateQueue to create a delay queue by setting the DelaySeconds attribute to any value between 0 and 900 (15 minutes). You can also turn an existing queue into a delay queue by using SetQueueAttribute to set the queue’s DelaySeconds attribute.”

43
Q

What is the maximum expiration for a pre-signed S3 URL?

  1. multiple years
  2. 24 hours
  3. 1 month
A

multiple years

The S3 documentation on pre-signed URLs
(http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth) describes the query string parameters used in a pre-signed URL, and the expires parameter is specified in seconds since the epoch. There is no mention of a limit, but this thread:

http://stackoverflow.com/questions/6633492/amazons3-getpresignedurlrequest-max-expires-date

Indicates that the practical expiry limit is 2038.

44
Q

How many VPC subnet addresses does AWS reserve for internal use?

  1. 4
  2. 5
A

5

From the VPC FAQ (https://aws.amazon.com/vpc/faqs/):
“Q. Can I use all the IP addresses that I assign to a subnet?
No. Amazon reserves the first four (4) IP addresses and the last one (1) IP address of every subnet for IP networking purposes. “

45
Q

What is an IAM Identity Provider?

A

An entity that manages users outside of AWS and can grant those users permissions to use AWS resources

From the IAM User Guide (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html):

“If you already manage user identities outside of AWS, you can use IAM identity providers instead of creating IAM users in your AWS account. With an identity provider (IdP), you can manage your user identities outside of AWS and give these external user identities permissions to use AWS resources in your account. This is useful if your organization already has its own identity system, such as a corporate user directory. It is also useful if you are creating a mobile app or web application that requires access to AWS resources.
When you use an IdP, you don’t have to create custom sign-in code or manage your own user identities; the IdP provides that for you.
Your external users sign in through a well-known identity provider, such as Login with Amazon, Facebook, Google, and many others.
You can give those external identities permissions to use AWS resources in your account. Identity providers help keep your AWS account secure because you don’t have to distribute or embed long-term security credentials, such as IAM access keys, in your application.”

46
Q

What are the options available if you want CloudFront to deliver HTTPS content using your own domain name?

A

SNI Custom SSL
Dedicated IP Custom SSL

From Amazon CloudFront Custom SSL (https://aws.amazon.com/cloudfront/custom-ssl-domains/)

“Custom SSL certificate support lets you deliver content over HTTPS using your own domain name and your own SSL certificate. This gives visitors to your website the security benefits of CloudFront over an SSL connection that uses your own domain name in addition to lower latency and higher reliability.

SNI Custom SSL
Server Name Indication (SNI) Custom SSL relies on the SNI extension of the Transport Layer Security protocol, which allows multiple domains to serve SSL traffic over the same IP address. Amazon CloudFront delivers your content from each edge location and offers the same security as the Dedicated IP Custom SSL feature (see below).

When you use SNI Custom SSL, some users may not be able to access your content because some older browsers do not support SNI and will not be able to establish a connection with CloudFront to load the HTTPS version of your content. For more information on SNI, including a list of supported browsers, please visit our FAQ page.
There is no separate pricing for this feature. You can use SNI Custom SSL with no upfront or monthly fees for certificate management; you simply pay normal Amazon CloudFront rates for data transfer and HTTPS requests.

Set up is easy: simply follow the instructions outlined in the CloudFront Developer Guide and start serving your content quickly and securely.

Dedicated IP Custom SSL
If you need to deliver content to browsers that don’t support SNI, you can use the Dedicated IP Custom SSL feature. For this feature CloudFront allocates dedicated IP addresses to serve your SSL content at each CloudFront edge location.
To use Dedicated IP Custom SSL certificate support, upload a SSL certificate and use the AWS Management Console to associate it with your CloudFront distributions. If you need to associate more than two custom SSL certificate with your AWS Account, please include details about your use case and the number of custom SSL certificates you intend to use in the CloudFront Limit Increase Form.

Pricing for Dedicated IP Custom SSL is simple. Because of the added cost associated with dedicating IP addresses per SSL certificate, we charge a fixed monthly fee of $600 for each custom SSL certificate you associate with your CloudFront distributions, pro-rated by the hour. For example, if you had your custom SSL certificate associated with at least one CloudFront distribution for just 24 hours (i.e. 1 day) in the month of June, your total charge for using the custom SSL certificate feature in June will be (1 day / 30 days) * $600 = $20. Detailed pricing information for the Custom SSL Certificate feature is available on the CloudFront Pricing Page.”

47
Q

Does CloudFront accept self-signed certificates in distributions?

A

No

From the CloudFront documentation
(http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html):

“If you configure CloudFront to use HTTPS when communicating with your origin…CloudFront verifies that your certificate was issued by an established third-party certificate authority…You cannot use a self-signed certificate.”

48
Q

What are some of the features of EC2 enhanced networking?

A

High packet-per-second performance
Lower latency
Better scalability

From the EC2 FAQ (https://aws.amazon.com/ec2/faqs/):
“Q: Why should I use Enhanced Networking?
If your applications benefit from high packet-per-second performance and/or low latency networking, Enhanced Networking will provide significantly improved performance, consistence of performance and scalability.”

49
Q

Glacier

What is the maximum size of a Glacier archive?

  1. 40 GB
  2. 40 TB
  3. 40 PB
A

40 TB

From the Glacier FAQ (https://aws.amazon.com/glacier/faqs/):
“Q: What is an archive?
An archive is a durably stored block of information. You store your data in Amazon Glacier as archives.
You may upload a single file as an archive, but your costs will be lower if you aggregate your data. TAR
and ZIP are common formats that customers use to aggregate multiple files into a single file before
uploading to Amazon Glacier. The total volume of data and number of archives you can store are
unlimited. Individual Amazon Glacier archives can range in size from 1 byte to 40 terabytes. The
largest archive that can be uploaded in a single Upload request is 4 gigabytes. For items larger than
100 megabytes, customers should consider using the Multipart upload capability. Archives stored in
Amazon Glacier are immutable, i.e. archives can be uploaded and deleted but cannot be edited or
overwritten.”

50
Q

ElastiCache

Is it possible to change an ElastiCache cluster’s instance type “in-place”?

  1. Yes, only a restart is required
  2. No, you have to recreate the cluster
A

No, you have to recreate the cluster

From the ElastCache User Guide (http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/Scaling.html#Scaling.UpDown):
“ElastiCache does not support dynamically changing a cluster’s node instance type. Therefore, when you scale up or down you must create a new cluster. If you are using the Redis engine, you can seed the cluster from a backup. New Memcached clusters always start out empty.”

51
Q

DynamoDB

What is a DynamoDB write capacity unit?

  1. 3 writes/second of items up to 1 KB per second
  2. 1 write/second of items up to 1 KB per second
A

1 write/second of items up to 1 KB per second

From the DynamoDB Developer Guide
(http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/ProvisionedThroughputIntro.html):
“A unit of read capacity represents one strongly consistent read per second (or two eventually consistent reads per second) for items as large as 4 KB. A unit of write capacity represents one write per second for items as large as 1 KB.”

52
Q

Is it possible to create a persistent ElastiCache cluster?

  1. Yes
  2. No
  3. Yes, but only for Redis clusters
A

Yes, but only for Redis clusters

From the ElastiCache User Guide (http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/RedisAOF.html):
“By default, the data in a Redis node on ElastiCache resides only in memory, and is not persistent. If a node is rebooted, or if the underlying physical server experiences a hardware failure, the data in the cache is lost.
If you require data durability, you can enable the Redis append-only file feature (AOF). When this feature is enabled, the node writes all of the commands that change cache data to an append-only file. When a node is rebooted and the cache engine starts, the AOF is “replayed”; the result is a warm Redis cache with all of the data intact.
AOF is disabled by default.”

53
Q

EBS

What is an “EBS Optimized” EC2 instance?

  1. A creative marketing tactic
  2. An instance with dedicated network I/O and throughput to EBS volumes
A

An instance with dedicated network I/O and throughput to EBS volumes

From the EC2 User Guide ():
“An Amazon EBS–optimized instance uses an optimized configuration stack and provides additional, dedicated capacity for Amazon EBS I/O. This optimization provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance. EBS–optimized instances deliver dedicated throughput to Amazon EBS, with options between 500 Mbps and 4,000 Mbps, depending on the instance type you use. When attached to an EBS–optimized instance, General Purpose (SSD) volumes are designed to deliver within 10 percent of their baseline and burst performance 99.9 percent of the time in a given year, and Provisioned IOPS (SSD) volumes are designed to deliver within 10 percent of their provisioned performance 99.9 percent of the time in a given year.”

54
Q

How do you assume a role in an account in which you don’t otherwise have access?

A
  • Ask the role’s owner to modify the role’s trust policy to trust your account or an identity provider with which you’ve registered
  • Invoke one of the AssumeRole APIs with the role’s ARN and use the temporary credentials to access AWS resources

From the IAM User Guide (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-api.html):
“To assume a role, an application calls the AWS STS AssumeRole API and passes the ARN of the role to use.TheAssumeRole API returns a set of temporary security credentials that you can use in subsequent AWS API calls to access resources in the account that owns the role. The temporary credentials have whatever permissions are defined in the role’s access policy.”
Also from the IAM User Guide (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html):
“You can use IAM roles to delegate access to your AWS resources. With IAM roles, you can establish trust relationships between your trusting account and other AWS trusted accounts. The trusting account owns the resource to be accessed and the trusted account contains the users who need access to the resource. After you create the trust relationship, an IAM user or an application from the trusted account can use the AWS Security Token Service (AWS STS) AssumeRole API action to obtain temporary security credentials that enable access to AWS resources in your account. The accounts can both be controlled by you, or the account with the users can be controlled by a third party.”

55
Q

What is the purpose of the “CreationPolicy” CloudFormation resource attribute?

A

To make CloudFormation wait on a signal before completing the creation of the associated resource

From the CloudFormation documentation ():
“You associate the CreationPolicy attribute with a resource to prevent its status from reaching create complete until AWS CloudFormation receives a specified number of success signals or the timeout period is exceeded. To signal a resource, you can use the cfn-signal helper script or SignalResource API. AWS CloudFormation publishes valid signals to the stack events so that you track the number of signals sent.
The creation policy is invoked only when AWS CloudFormation creates the associated resource. Currently, the only AWS CloudFormation resources that support creation policies areAWS::AutoScaling::AutoScalingGroup, AWS::EC2::Instance, and AWS::CloudFormation::WaitCondition.
The CreationPolicy attribute is helpful when you want to wait on resource configuration actions before stack creation proceeds. For example, if you install and configure software applications on an Amazon EC2 instance, you might want those applications up and running before proceeding. In such cases, you can add a CreationPolicy attribute to the instance and then send a success signal to the instance after the applications are installed and configured. “

56
Q

Does EBS volume encryption affect IOPS performance?

A

No

From the EC2 User Guide (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html):
“This feature is supported with all EBS volume types (General Purpose (SSD), Provisioned IOPS (SSD), and Magnetic), and you can expect the same IOPS performance on encrypted volumes as you would with unencrypted volumes, with a minimal effect on latency. You can access encrypted volumes the same way that you access existing volumes; encryption and decryption are handled
transparently and they require no additional action from you, your EC2 instance, or your application.”

57
Q

How many SSL certificates can be associated with a CloudFront distribution?

  1. 5
  2. 1
A

1

See (http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cloudfront-limits.html)

58
Q

How can I configure a CloudFormation template to pause while an application is configured on a template-created EC2 instance?

A

Using wait conditions
Using creation policies and cfn-signal

CreationPolicies are the preferred mechanism. From the CloudFormation User Guide ():
“For Amazon EC2 and Auto Scaling resources, we recommend that you use a CreationPolicy attribute instead of wait conditions. Add a CreationPolicy attribute to those resources and use the cfn-signal helper script to signal when an instance has been successfully created.”

but either mechanism is valid:
“Using the AWS::CloudFormation::WaitCondition resource and CreationPolicy attribute, you can do the following:
* Coordinate stack resource creation with other configuration actions that are external to the stack creation
* Track the status of a configuration process

For example, you can start the creation of another resource after an application configuration is partially complete, or you can send signals during an installation and configuration process to track its progress.”

59
Q

What is the maximum number of Route 53 hosted zones per account?

  1. 100
  2. 500
A

500

See http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html#limits_route53

60
Q

What is the maximum size of a Kinesis record’s data blob?

A

1 MB

From the Kinesis Developer Guide (http://docs.aws.amazon.com/kinesis/latest/dev/key-concepts.html):
“A data record is the unit of data stored in an Amazon Kinesis stream. Data records are composed of a sequence number, partition key, and data blob, which is an immutable sequence of bytes. Amazon Kinesis does not inspect, interpret, or change the data in the blob in any way. A data blob can be up to 1 MB.”

61
Q

Which of the following are true about IAM groups?

  1. Groups make it easier to manage user permissions.
  2. Groups can be assigned managed IAM policies.
  3. Groups can be assigned inline IAM policies.
A

All 3

From the IAM FAQ (https://aws.amazon.com/iam/faqs/):

“Q: What is a group?
A group is a collection of IAM users. Group membership is managed as a simple list:
* Users can be added to or removed from a group.
* A user can belong to multiple groups.
* Groups cannot belong to other groups.
* Groups can be granted permissions using access control policies. This makes it easier to manage permissions for a collection of users, rather than having to manage permissions for each individual user.
* Groups do not have security credentials, and cannot access web services directly; they exist solely to make it easier to manage user permissions. For details, see Working with Groups and Users.”

62
Q

What networking properties associated with an ENI are retained when an ENI is moved between instances?

A 
Private IP address 
Public IP address 
EIP 
Security group(s) 
MAC address 
Source/destination flag

From the VPC User Guide (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ElasticNetworkInterfaces.html):
“An elastic network interface (ENI) is a virtual network interface that can include the following attributes:
* a primary private IP address
* one or more secondary private IP addresses
* one Elastic IP address per private IP address
* one public IP address, which can be auto-assigned to the network interface for eth0 when you launch an instance, but only when you create a network interface for eth0 instead of using an existing network interface
* one or more security groups
* a MAC address
* a source/destination check flag
* a description
You can create an ENI, attach it to an instance, detach it from an instance, and attach it to another instance. An ENI’s attributes follow the ENI as it is attached or detached from an instance and reattached to another instance. When you move an ENI from one instance to another, network traffic is redirected to the new instance.”

63
Q

What are examples of “good” DynamoDB hash attributes that optimize for provisioned throughout efficiency?

A
  • User ID, where the application has many users
  • Device ID, where each device accesses data at relatively similar intervals

[Note: To me, whether or not the “Item creation date” is acceptable depends on context. If there are a consistent and relatively small number of items created per minute, and data is accessed evenly across time, it might be fine. If more recent data is accessed more frequently there would be an issue since the read distribution over the partitions would be weighted towards the more recent items. In
that case it would be better to use a hash/range index with the date as the range.]

From the DynamoDB documentation (http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GuidelinesForTables.html):
“The following table compares some common hash attribute schemas for provisioned throughput efficiency:

https://dl.dropboxusercontent.com/u/17031532/dynamodb.png

If a single table has only a very small number of hash attribute values, consider distributing your write operations across more distinct hash attribute values. In other words, structure the primary key elements to avoid one “hot” (heavily requested) hash attribute value that slows overall performance.
For example, consider a table with a composite primary key. The hash attribute represents the item’s creation date, rounded to the nearest day. The range attribute is an item identifier. On a given day, say 2014-07-09, all of the new items will be written to that same hash attribute value.
If the table will fit entirely into a single partition (taking into consideration growth of your data over time), and if your application’s read and write throughput requirements do not exceed the read and write capabilities of a single partition, then your application should not encounter any unexpected throttling as a result of partitioning.
However, if you anticipate scaling beyond a single partition, then you should architect your application so that it can use more of the table’s full provisioned throughput.”

64
Q

CloudFront

What is the maximum Requests per second per CloudFront distribution?

  1. 15,000
  2. 20,000
A

15,000

See (http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cloudfront-limits.html)

65
Q

What is the maximum size of an S3 object?

A

5TB

66
Q

Is it possible to increase the storage of an existing RDS SQL Server instance?

A

No

From the RDS FAQ (http://aws.amazon.com/rds/faqs/#129):

“Q: How do I scale the compute resources and/or storage capacity associated with my Amazon RDS Database Instance?
[…]
Please note that for SQL Server, because of the extensibility limitations of striped storage attached to a Windows Server environment, Amazon RDS does not currently support increasing storage. While we plan to support this functionality in the future, we recommend you to provision storage based on anticipated future storage growth. In the interim, if you need to increase the storage of a SQL Server
DB Instance, you will need to export the data, create a new DB Instance with increased storage, and import the data into it. Please refer to the data import guide for SQL Server for more information.”

67
Q

Can an EC2 Security Group be configured to deny traffic?

A

No

From the EC2 Security Group documentation (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html):
“Security Group Basics
The following are the basic characteristics of security groups for your VPC:
You can create up to 100 security groups per VPC. You can add up to 50 rules to each security group. If you need to apply more than 50 rules to an instance, you can associate up to 5 security groups with each network interface. For more information about network interfaces, see Elastic Network Interfaces (ENI).
You can specify allow rules, but not deny rules.
You can specify separate rules for inbound and outbound traffic.
By default, no inbound traffic is allowed until you add inbound rules to the security group.
By default, an outbound rule allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only.
Security groups are stateful — responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules, and vice versa.
Instances associated with a security group can’t talk to each other unless you add rules allowing it (exception: the default security group has these rules by default).
Security groups are associated with network interfaces. After you launch an instance, you can change the security groups associated
with the instance, which changes the security groups associated with the primary network interface (eth0). You can also change the security groups associated with any other network interface.”

68
Q

How do I share a Direct Connect interlink between AWS accounts?

  1. Using a public VIF
  2. Using a hosted VIF
A

Using a hosted VIF

From the Direct Connect User Guide (http://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html):
“You must create a virtual interface to begin using your AWS Direct Connect connection. You can create a public virtual interface to connect to public resources, or a private virtual interface to connect to your VPC. You can configure multiple virtual interfaces on a single AWS Direct Connect connection, and you’ll need one private virtual interface for each VPC to connect to. Each virtual interface needs a VLAN ID, interface IP address, ASN, and BGP key.
To use your AWS Direct Connect connection with another AWS account, you can create a hosted virtual interface for that account. These hosted virtual interfaces work the same as standard virtual interfaces and can connect to public resources or a VPC.”

69
Q

a ___ assigns an alias record to a canonical name

A

CNAME record

AWS Professional (8 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions