Miscellaneous Flashcards

1
Q

What is AWS Savings Plan?

A

Savings Plans provide lower prices for your Amazon EC2, Fargate, and Lambda usage in exchange for a commitment to a consistent amount of usage (measured in $/hour) for a one- or three-year term

2
Q

What formats are allowed to be used for CloudFormation templates?

A

JSON and YAML

3
Q

What are the four core pricing tiers of AWS accounts?

A
  • Free Tier
  • Developer
  • Business
  • Enterprise
4
Q

What is ClassicLink used for?

A

Linking EC2-Classic instances with VPC resources

5
Q

Do CloudFront Signed Cookies / URLs prevent users from directly accessing S3 buckets via S3 URLs?

A

No

6
Q

Does AWS PrivateLink support access to S3?

A

No

7
Q

Does AWS PrivateLink support access to ECS?

A

Yes

8
Q

Does AWS PrivateLink support access to ECR?

A

Yes

9
Q

What does an Amazon Gateway Endpoint do?

A

Provides secure access to S3 and DynamoDB without routing traffic over the internet

10
Q

At a high level, what is AWS Data Pipeline?

A

AWS Data Pipeline is a web service that you can use to automate the movement and transformation of data

11
Q

What does AWS stand for?

A

Amazon Web Services

12
Q

At a high level, what is AWS? What does it provide?

A
  • AWS is a Cloud Provider
  • They provide you with servers and services that you can use on demand and that scale easily
13
Q

What is the default ASG termination policy sequence on Scale-in operation?

A
  1. AZ with most instances
  2. Oldest launch configuration
  3. Closest to the billing hour
  4. Random
14
Q

How do you grant permissions to an application running on ECS?

A

You define the IAM role to use in your task definitions, or you can use a taskRoleArn override when running a task manually with the RunTask API operation.

15
Q

How do you enable encryption for an existing RDS instance?

A

Take a snapshot of the RDS instance. Create an encrypted copy of the snapshot. Restore the RDS instance from the encrypted snapshot.

16
Q

A web application is deployed in multiple regions behind an ELB Application Load Balancer. You need deterministic routing to the closest region and automatic failover. Traffic should traverse the AWS global network for consistent performance.

A

Configure AWS Global Accelerator and configure the ALBs as targets

17
Q

A solutions architect has been tasked with designing a highly resilient hybrid cloud architecture connecting an on-premises data center and AWS. The network should include AWS Direct Connect (DX).

Which DX configuration offers the HIGHEST resiliency?

A

Configure DX connections at multiple DX locations

18
Q

How can you scale the compute layer based on the number of jobs to be processed?

A

Create an Amazon SQS queue to hold the jobs that need to be processed. Create an Amazon EC2 Auto Scaling group for the compute application. Set the scaling policy for the Auto Scaling group to add and remove nodes based on the number of items in the SQS queue.

19
Q

An application is running on Amazon EC2 behind an Elastic Load Balancer (ELB). Content is being published using Amazon CloudFront and you need to restrict the ability for users to circumvent CloudFront and access the content directly through the ELB.

How can you configure this solution?

A

The only way to get this working is by using a VPC Security Group for the ELB that is configured to allow only the internal service IP ranges associated with CloudFront. As these are updated from time to time, you can use AWS Lambda to automatically update the addresses. The Lambda function is triggered by the SNS topic notification that AWS issues when the address ranges change.

20
Q

How can you enable encryption in transit between ELB and EC2?

A
  1. Use a Network Load Balancer (NLB) with a TCP listener, then terminate SSL on EC2 instances
  2. Use an Application Load Balancer (ALB) with an HTTPS listener, then install SSL certificates on the ALB and EC2 instances
21
Q

Can you use AWS WAF with a Network Load Balancer?

A

No!

22
Q

How do you provide a file system that can be mounted on both EC2 Windows AND Linux instances?

A

Amazon FSx for Windows File Server provides a fully managed native Microsoft Windows file system so you can easily move your Windows-based applications that require shared file storage to AWS. You can easily connect Linux instances to the file system by installing the cifs-utils package. The Linux instances can then mount an SMB/CIFS file system.

23
Q

A company runs a business-critical application in the us-east-1 Region. The application uses an Amazon Aurora MySQL database cluster which is 2 TB in size. A Solutions Architect needs to determine a disaster recovery strategy for failover to the us-west-2 Region. The strategy must provide a recovery time objective (RTO) of 10 minutes and a recovery point objective (RPO) of 5 minutes.

A

Recreate the database as an Aurora global database with the primary DB cluster in us-east-1 and a secondary DB cluster in us-west-2. Use an Amazon EventBridge rule that invokes an AWS Lambda function to promote the DB cluster in us-west-2 when failure is detected

24
Q

An organization is extending a secure development environment into AWS. They have already secured the VPC including removing the Internet Gateway and setting up a Direct Connect connection. What else needs to be done to add encryption?

A

A VPG is used to set up an AWS VPN, which you can use in combination with Direct Connect to encrypt all data that traverses the Direct Connect link. This combination provides an IPsec-encrypted private connection that also reduces network costs, increases bandwidth throughput, and provides a more consistent network experience than internet-based VPN connections.

25
Q

A High Performance Computing (HPC) application needs storage that can provide 135,000 IOPS. The storage layer is replicated across all instances in a cluster.

What is the optimal storage solution that provides the required performance and is cost-effective?

A

Instance stores offer very high performance and low latency. As long as you can afford to lose an instance, i.e. you are replicating your data, these can be a good solution for high performance/low latency requirements.

26
Q

An application generates unique files that are returned to customers after they submit requests to the application. The application uses an Amazon CloudFront distribution for sending the files to customers. The company wishes to reduce data transfer costs without modifying the application.

How can this be accomplished?

A

Use Lambda@Edge to compress the files as they are sent to users

27
Q

A company needs to migrate a large quantity of data from an on-premises environment to Amazon S3. The company is connected via an AWS Direct Connect (DX) connection. The company requires a fully managed solution that will keep the data private and automate and accelerate the replication of the data to AWS storage services.

Which solution should a Solutions Architect recommend?

A

Deploy an AWS DataSync agent for the on-premises environment. Configure a task to replicate the data and connect it to a VPC endpoint

28
Q

Cost-effectiveness of storage solutions (in increasing order of cost)

A

S3 < EBS < EFS

29
Q

An application that runs a computational fluid dynamics workload uses a tightly-coupled HPC architecture that uses the MPI protocol and runs across many nodes. A service-managed deployment is required to minimize operational overhead.

Which deployment option is MOST suitable for provisioning and managing the resources required for this use case?

A

An AWS Batch multi-node parallel job is compatible with any framework that supports IP-based, internode communication, such as Apache MXNet, TensorFlow, Caffe2, or Message Passing Interface (MPI)

31
Q

What’s the maximum execution time for a Lambda function?

A

900 seconds (15mins)

32
Q

An organization has a data lake on Amazon S3 and needs to find a solution for performing in-place queries of the data assets in the data lake. The requirement is to perform both data discovery and SQL querying, and complex queries from a large number of concurrent users using BI tools.

What is the BEST combination of AWS services to use in this situation?

A

You can use both Athena and Redshift Spectrum against the same data assets. You would typically use Athena for ad hoc data discovery and SQL querying, and then use Redshift Spectrum for more complex queries and scenarios where a large number of data lake users want to run concurrent BI and reporting workloads.

33
Q

IAM - what are the possible access types?

A

Programmatic access: The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user.

AWS Management Console access: If the user needs to access the AWS Management Console, create a password for the user. Disabling console access for a user prevents them from signing in to the AWS Management Console using their user name and password. It does not change their permissions or prevent them from accessing the console using an assumed role.

34
Q

What are the DR approaches?

A
35
Q

What’s the data migration process when using Snowball Edge?

A
  1. You use the AWS Schema Conversion Tool (AWS SCT) to extract the data locally and move it to an Edge device.
  2. You ship the Edge device or devices back to AWS.
  3. After AWS receives your shipment, the Edge device automatically loads its data into an Amazon S3 bucket.
  4. AWS DMS takes the files and migrates the data to the target data store. If you are using change data capture (CDC), those updates are written to the Amazon S3 bucket and then applied to the target data store.
36
Q

Which data formats does Amazon Athena support?

A

Amazon Athena is an interactive query service that makes it easy to analyse data in Amazon S3 using standard SQL commands. It works with a number of data formats including “JSON”, “Apache Parquet” and “Apache ORC”, amongst others, but “XML” is not a supported format.

37
Q

Which conditions can you set when configuring AWS WAF?

A

Size constraint, IP match, String match

38
Q

Is it possible to store data directly in S3 Glacier?

A

Yes

39
Q

What can you do to increase the performance of your volume?

A
  1. Ensure EC2 instances are of types that can be EBS-optimized
  2. Schedule snapshots of HDD based volumes for periods of low use
  3. Stripe volumes together in a RAID 0 config
40
Q

What is a public subnet?

A

Has at least one route in its routing table that uses an Internet Gateway

41
Q

What are the CloudFormation template sections?

A
  1. Description
  2. Parameters
  3. Mappings
  4. Resources
  5. Outputs
  6. Metadata
  7. Rules
  8. Conditions
  9. Transform
42
Q

You have created a Direct Connect link from your on-premises data center to your Amazon VPC. The link is now active and routes are being advertised from the on-premises data center. You can connect to EC2 instances from your data center; however, you cannot connect to your on-premises servers from your EC2 instances. Which of the following solutions would remedy this issue?

A

There is no route connecting your VPC back to the on-premises data center. You need to add this route to the route table and then enable propagation on the Virtual Private Gateway.

43
Q

If you don’t use one of the AWS SDKs, you can perform DynamoDB operations over HTTP using the POST request method. The POST method requires you to specify the operation in the header of the request and provide the data for the operation in JSON format in the body of the request. Which of the following are valid DynamoDB header attributes?

A

content-type

host

x-amz-date

x-amz-target

44
Q

You have three AWS accounts (A, B & C) that share data. In an attempt to maximize performance between the accounts, you deploy the instances owned by these three accounts in ‘eu-west-1b’. During testing, you find inconsistent results in transfer latency between the instances. Transfer between accounts A and B is excellent, but transfers between accounts B and C, and C and A, are slower. What could be the problem?

A

The names of the AZs are randomly applied per account, so eu-west-1b is not necessarily the same physical location for all three accounts!

45
Q

How is the public IP address managed in an instance?

A

The public IP address is not managed on the instance. It’s an alias applied as a network address translation of the private IP address.

46
Q

You need to keep Auto Scaling from scaling up and down too rapidly. Which of the following options would help you to achieve this?

A

Modify the ASG cool-down timers

Modify the Amazon CloudWatch alarm period

47
Q

What’s the limit on EC2 instances?

A

20 per region, soft limit

48
Q

Which RDS database engines have a limit on the number of databases that can run per instance?

A

SQL Server

Oracle

49
Q

What are the hypervisors for EC2?

A

Nitro

Xen

50
Q

What is the consistency model in DynamoDB?

A

You can specify whether a read is eventually consistent or strongly consistent. To get a strongly consistent read result, you can specify optional parameters in a request. It takes more resources to process a strongly consistent read than an eventually consistent read.

51
Q

Which Elasticache services have native encryption at rest?

A

Elasticache for Redis.

Memcached does not.

52
Q

What are the RDS replication modes?

A

Multi-AZ RDS creates a replica in another AZ and synchronously replicates to it (DR only).

Asynchronous replication is used by RDS for Read Replicas.

53
Q

What are the throttling modes in API Gateway?

A

AWS throttling limits are applied across all accounts and clients in a region. These limit settings exist to prevent your API—and your account—from being overwhelmed by too many requests. These limits are set by AWS and can’t be changed by a customer.

Per-account limits are applied to all APIs in an account in a specified Region.

Per-API, per-stage throttling limits are applied at the API method level for a stage.

Per-client throttling limits are applied to clients that use API keys associated with your usage plan as the client identifier.

54
Q

A Solutions Architect is writing some code that uses an AWS Lambda function and would like to enable the function to connect to an Amazon ElastiCache cluster within an Amazon VPC in the same AWS account. What VPC-specific information must be included in the function to enable this configuration?

A

To enable your Lambda function to access resources inside your private VPC, you must provide additional VPC-specific configuration information that includes VPC subnet IDs and security group IDs. AWS Lambda uses this information to set up elastic network interfaces (ENIs) that enable your function.

55
Q

According to the policy, what is AWS’s position on penetration testing?

A

AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for 8 services. Please check the AWS link below for the latest information.

56
Q

What is TrustedAdvisor?

A

Trusted Advisor is an online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment. Trusted Advisor provides real-time guidance to help you provision your resources following AWS best practices.

AWS Trusted Advisor offers a Service Limits check (in the Performance category) that displays your usage and limits for some aspects of some services.

57
Q

A large multinational retail company has a presence in AWS in multiple regions. The company has established a new office and needs to implement a high-bandwidth, low-latency connection to multiple VPCs in multiple regions within the same account. The VPCs each have unique CIDR ranges.

What would be the optimum solution design using AWS technology?

A

The company should implement an AWS Direct Connect connection to the closest region. A Direct Connect gateway can then be used to create private virtual interfaces (VIFs) to each AWS region.

Direct Connect gateway provides a grouping of Virtual Private Gateways (VGWs) and Private Virtual Interfaces (VIFs) that belong to the same AWS account and enables you to interface with VPCs in any AWS Region (except AWS China Region).

58
Q

What’s the procedure for troubleshooting ECS?

A

The ECS container agent is included in the Amazon ECS optimized AMI and can also be installed on any EC2 instance that supports the ECS specification (only supported on EC2 instances). Therefore, you don’t need to verify that the agent is installed.

You need to verify that the installed agent is running and that the IAM instance profile has the necessary permissions applied.

Troubleshooting steps for containers include:

  • Verify that the Docker daemon is running on the container instance.
  • Verify that the Docker Container daemon is running on the container instance.
  • Verify that the container agent is running on the container instance.
  • Verify that the IAM instance profile has the necessary permissions.
59
Q

What’s a valid origin for a CloudFront RTMP distribution?

A

For RTMP CloudFront distributions, files must be stored in an S3 bucket.

60
Q

What is AWS Opsworks?

A

AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers.

61
Q

The application sits behind an Auto Scaling group and requires new instances of the Auto Scaling group to identify their public and private IP addresses. How can you achieve this?

A

curl to …/latest/meta-data/

62
Q

At which level can you create VPC Flow Logs?

A

VPC → Subnet → Network Interface

63
Q

Their legacy IBM AS400 servers will remain on-premises within their own datacenter. However, they will need to be able to communicate with the AWS environment over a site-to-site VPN connection. What do you need to do to establish the VPN connection?

A

Set an ASN for the VPG

64
Q

How can you prevent the forced shutdown of a spot instance?

A
  1. Use Termination Protection
  2. Delay300
67
Q

What is the purpose of an Egress-Only Internet Gateway?

A

The purpose of an “Egress-Only Internet Gateway” is to allow IPv6 based traffic within a VPC to access the Internet, whilst denying any Internet based resources the possibility of initiating a connection back into the VPC.

68
Q

What is AWS Lightsail?

A

Amazon Lightsail is a cloud service offered by Amazon Web Services (AWS) that bundles cloud compute power and memory for new or less experienced cloud users.

69
Q

After establishing a Direct Connect service between your VPC and their on-premises network, and confirming all the routing, firewalls, and authentication, you find that while you can resolve names against their DNS, the services in the other company are unable to resolve the names of your AWS services.

A

Route 53 has a security feature that prevents internal DNS from being read by external sources. The workaround is to create an EC2-hosted DNS instance that does zone transfers from the internal DNS and allows itself to be queried by external servers.

70
Q

Can you encrypt an existing EBS volume?

A

No!

71
Q

What are the components of AWS VPN?

A

When you create a virtual private gateway, you can specify the private Autonomous System Number (ASN) for the Amazon side of the gateway. If you don’t specify an ASN, the virtual private gateway is created with the default ASN (64512).

A customer gateway is a resource that you create in AWS that represents the customer gateway device in your on-premises network. When you create a customer gateway, you provide information about your device to AWS.

72
Q

What is the benefit of S3 multipart upload?

A

Multipart upload provides options for more robust file uploads, in addition to handling larger files than a single-part upload.

73
Q

What is the best placement for a small number of critical EC2 instances?

A

Spread Placement Groups are recommended for applications that have a small number of critical instances which need to be kept separate from each other. Launching instances in a Spread Placement Group reduces the risk of simultaneous failures that might occur when instances share the same underlying hardware.

74
Q

As the AWS platform is PCI DSS Level 1 Certified, I can immediately deploy a website to it that can take and store credit card details without getting a delta accreditation from a QSA.

A

Wrong. AWS holds compliance certification for the services that ‘AWS’ runs. As a customer you are still responsible for the compliance certification of the code, processes and configurations that ‘you’ manage. However, you can avoid the cost and complication of proving that the underlying services are compliant.

75
Q

Why must the Source/Destination check be disabled on a NAT instance?

A

Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives.

However, a NAT instance must be able to send and receive traffic when the source or destination is not itself.

76
Q

How can you revert the tenancy (hosting type) of a VPC?

A

Once a VPC is set to Dedicated hosting, it can be changed back to default hosting via the CLI, SDK or API. Note that this will not change the hosting settings for existing instances, only future ones. Existing instances can be changed via the CLI, SDK or API but need to be in a stopped state to do so.

77
Q

When you create a custom VPC, which of the following are created automatically?

A

When you create a custom VPC, a default Security Group, Network Access Control List, and Route Table are created automatically. You must create your own subnets, Internet Gateway, and NAT Gateway.

78
Q

What are S3 URL styles?

A

Virtual-hosted style puts your bucket name first, s3 second, and the region third.

Path style puts s3 first and your bucket name in the path. The legacy global endpoint has no region.

S3 static website hosting can use your own URL, or your bucket name first, s3-website second, followed by the region.

AWS is in the process of phasing out path style, and support for the legacy global endpoint format is limited and discouraged.

79
Q

What is Run Command?

A

Run Command is designed to support a wide range of enterprise scenarios including installing software, running ad hoc scripts or Microsoft PowerShell commands, configuring Windows Update settings, and more.

Run Command can be used to implement configuration changes across Windows instances on a consistent yet ad hoc basis and is accessible from the AWS Management Console, the AWS Command Line Interface (CLI), the AWS Tools for Windows PowerShell, and the AWS SDKs.

80
Q

What is AWS Config?

A

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It is not used for ad-hoc script execution.

81
Q

With ALB and NLB, what can IP address targets be used for?

A
  • Instances in a peered VPC.
  • AWS resources that are addressable by IP address and port.
  • On-premises resources linked to AWS through Direct Connect or a VPN connection
82
Q

What’s the default state of a Network ACL?

A

A VPC automatically comes with a default network ACL which allows all inbound/outbound traffic. A custom NACL denies all traffic both inbound and outbound by default.

83
Q

An application uses an Amazon RDS database and Amazon EC2 instances in a web tier. The web tier instances must not be directly accessible from the internet to improve security.

How can a Solutions Architect meet these requirements?

A

To prevent direct connectivity to the EC2 instances from the internet you can deploy your EC2 instances in a private subnet and have the ELB in a public subnet. To configure this you must enable a public subnet in the ELB that is in the same AZ as the private subnet.

84
Q

An on-premises data center will be connected to an Amazon VPC by a hardware VPN that has public and VPN-only subnets. The security team has requested that traffic hitting public subnets on AWS that’s destined for on-premises applications must be directed over the VPN to the corporate firewall.

A

Route tables determine where network traffic is directed. In your route table, you must add a route for your remote network and specify the virtual private gateway as the target. This enables traffic from your VPC that’s destined for your remote network to route via the virtual private gateway and over one of the VPN tunnels. You can enable route propagation for your route table to automatically propagate your network routes to the table for you.

85
Q

Three AWS accounts are owned by the same company but in different regions. Account Z has two AWS Direct Connect connections to two separate company offices. Accounts A and B require the ability to route across account Z’s Direct Connect connections to each company office. A Solutions Architect has created an AWS Direct Connect gateway in account Z.

A

You can associate an AWS Direct Connect gateway with either of the following gateways:

  • A transit gateway when you have multiple VPCs in the same Region.
  • A virtual private gateway.

In this case account Z owns the Direct Connect gateway so a VPG in accounts A and B must be associated with it to enable this configuration to work. After Account Z accepts the proposals, Account A and Account B can route traffic from their virtual private gateway to the Direct Connect gateway.

“Associate the Direct Connect gateway to a transit gateway in each region” is incorrect. This would be a good solution if the accounts were in VPCs within a region rather than across regions.

86
Q

A Solutions Architect has created an AWS account and selected the Asia Pacific (Sydney) region. Within the default VPC there is a default security group. What settings are configured within this security group by default?

A

Default security groups have inbound allow rules (allowing traffic from within the group) whereas custom security groups do not have inbound allow rules (all inbound traffic is denied by default). All outbound traffic is allowed by default in custom and default security groups.

87
Q

What is Field-level encryption?

A

Field-level encryption allows you to enable your users to securely upload sensitive information to your web servers. The sensitive information provided by your users is encrypted at the edge, close to the user, and remains encrypted throughout your entire application stack. This encryption ensures that only applications that need the data—and have the credentials to decrypt it—are able to do so.

88
Q

How resilient is Glacier?

A

Glacier is designed for 99.999999999% durability of objects across multiple Availability Zones. Data remains resilient in the event of the destruction of one entire Availability Zone.

Glacier is “designed for” availability of 99.99%

89
Q

How can you restore a DB using point-in-time recovery?

A

You can restore a DB instance to a specific point in time, creating a new DB instance. When you restore a DB instance to a point in time, the default DB security group is applied to the new DB instance. If you need custom DB security groups applied to your DB instance, you must apply them explicitly using the AWS Management Console, the AWS CLI modify-db-instance command, or the Amazon RDS API ModifyDBInstance operation after the DB instance is available.

A restored DB will always be a new RDS instance with a new DNS endpoint, and you can restore to any point up to the last 5 minutes.

90
Q

An Amazon DynamoDB table has a variable load, ranging from sustained heavy usage some days, to only having small spikes on others. The load is 80% read and 20% write. The provisioned throughput capacity has been configured to account for the heavy load to ensure throttling does not occur.

What would be the most efficient solution to optimize cost?

A

Amazon DynamoDB auto scaling uses the AWS Application Auto Scaling service to dynamically adjust provisioned throughput capacity on your behalf, in response to actual traffic patterns. This is the most efficient and cost-effective solution to optimizing for cost.

91
Q

What is AWS Neptune?

A

Amazon Neptune is a new product that offers a fully-managed Graph database.

92
Q

How do you control network traffic to EFS?

A

You can control who can administer your file system using IAM. You can control access to files and directories with POSIX-compliant user- and group-level permissions. POSIX permissions allow you to restrict access from hosts by user and group. EFS Security Groups act as a firewall, and the rules you add define the traffic flow.

93
Q

A security officer has requested that all data associated with a specific customer is encrypted. The data resides on Elastic Block Store (EBS) volumes. Which of the following statements about using EBS encryption are correct?

A

All EBS types and all instance families support encryption but not all instance types support encryption. There is no direct way to change the encryption state of a volume. Data in transit between an instance and an encrypted volume is also encrypted.

94
Q

An Auto Scaling group of Amazon EC2 instances behind an Elastic Load Balancer (ELB) is running in an Amazon VPC. Health checks are configured on the ASG to use EC2 status checks. The ELB has determined that an EC2 instance is unhealthy and has removed it from service. A Solutions Architect noticed that the instance is still running and has not been terminated by EC2 Auto Scaling.

What would be an explanation for this behavior?

A

If using an ELB it is best to enable ELB health checks, as otherwise EC2 status checks may show an instance as healthy that the ELB has determined is unhealthy. In this case the instance will be removed from service by the ELB but will not be terminated by Auto Scaling.

More information on ASG health checks:

  • By default uses EC2 status checks.
  • Can also use ELB health checks and custom health checks.
  • ELB health checks are in addition to the EC2 status checks.
  • If any health check returns an unhealthy status the instance will be terminated.
  • With ELB an instance is marked as unhealthy if ELB reports it as OutOfService
  • A healthy instance enters the InService state.
  • If an instance is marked as unhealthy it will be scheduled for replacement.
  • If connection draining is enabled, Auto Scaling waits for in-flight requests to complete or timeout before terminating instances.
  • The health check grace period allows a period of time for a new instance to warm up before performing a health check (300 seconds by default).
95
Q

A Solutions Architect needs to capture information about the traffic that reaches an Amazon Elastic Load Balancer. The information should include the source, destination, and protocol.

What is the most secure and reliable method for gathering this data?

A

You can use VPC Flow Logs to capture detailed information about the traffic going to and from your Elastic Load Balancer. Create a flow log for each network interface for your load balancer. There is one network interface per load balancer subnet.

96
Q

The instance needs to support a MapReduce process that requires high throughput for a large dataset with large I/O sizes.

Which Amazon EBS volume is the MOST cost-effective solution for these requirements?

A

EBS Throughput Optimized HDD is good for the following use cases (and is the most cost-effective option):

  • Frequently accessed, throughput intensive workloads with large datasets and large I/O sizes, such as MapReduce, Kafka, log processing, data warehouse, and ETL workloads.

Throughput is measured in MB/s, and includes the ability to burst up to 250 MB/s per TB, with a baseline throughput of 40 MB/s per TB and a maximum throughput of 500 MB/s per volume.

97
Q

When can you specify the instance store volumes for your instance?

A

Only when you launch an instance. You can’t attach instance store volumes to an instance after you’ve launched it.