Networking Flashcards
Where is data encrypted with encrypted AWS EBS?
Data at rest, snapshots and data moving between the volume and the instance are encrypted
How do you setup an IPsec (site-to-site VPN) between an on-premise and AWS VPC?
Create a Virtual Private Gateway on the AWS side and a customer gateway on the on-premise side
What is VPN CloudHub?
Provides secure communications between multiple site-to-site VPN connections, for both on-premise sites and VPCs
What is a VPC Endpoint?
Connect your VPC to supported AWS services without traffic leaving AWS
What is a VPC Peering connection?
Connection between two VPCs in AWS
What is AWS Shield Advanced?
Sophisticated protection against DDoS attacks, costs $3k / month / org. Cost is per org if consolidated billing is enabled
When is user data script run?
When an instance is first started; it can be set to run every time the instance restarts, but not by default
What is RDS Custom?
Allows you to customize your database and operating system but still use RDS
What is Amazon FSx Lustre?
High-performance file system, useful for HPC
What is an EC2 Launch Configuration?
Instance configuration template that an Auto Scaling group uses to launch EC2 instances
Can you modify an EC2 Launch Configuration?
No, you must create a new launch configuration and then modify the auto scaling group
What is Amazon Aurora?
MySQL and PostgreSQL compatible relational database for the cloud
Can a NAT instance be used as a bastion host?
Yes
Are security groups associated with a NAT instance?
Yes
Can port forwarding be enabled on a NAT instance?
Yes
Can port forwarding be enabled on a NAT gateway?
No
Are security groups associated with a NAT gateway?
No
What is CloudTrail?
Logs management API calls made to your AWS account
What is AWS Global Accelerator?
Network layer service that directs traffic to optimal endpoints over the AWS global network.
Protected by AWS Shield
Can do weighted routing, which is great for global blue/green deployments
What is Amazon Redshift?
Uses SQL to analyze data across data warehouses and data lakes for big data queries
What is Amazon Redshift Spectrum?
Directly query S3 without having to load data into Redshift tables. Offload processing to the Redshift Spectrum layer
What are IAM Permission Boundaries?
Limits the maximum permissions for a given IAM principal
What are placement groups?
Describes the spread of EC2 instances
Cluster - packs instances physically close together for low latency
Partition - spread instances across different AZs but in the same rack
Spread - Places a small group of instances across AZs
What is the minimum storage period before you can transition objects to IA?
30 days
What are the different S3 storage tiers?
S3 Standard, Standard IA, S3 Intelligent Tiering, S3 One Zone-IA, S3 Glacier
What are the different Aurora DB endpoints?
Primary DB instance - Supports read/write operations, only one DB instance
Aurora Replica - Supports only read operations, can have up to 15 replicas in this cluster
What is VPC sharing?
Allows multiple AWS accounts to share subnets, so that different accounts can deploy resources into subnets alongside other accounts. There is a primary account which controls the VPC
How to stream S3 data files and changes to Amazon Kinesis Data Streams?
Use AWS DMS (Database Migration Service) as a bridge between S3 and Kinesis Data Streams
I need to stream data from RDS into Redshift for querying, how should I do this?
Use AWS Database Migration Service to replicate the data from the database into Amazon Redshift
What is AWS EMR?
Elastic MapReduce (Hadoop clusters)
Runs open-source big data frameworks at petabyte scale with Apache Spark, Hive or Presto
A serverless option is also available
What is AWS Glue?
Extract, Transform and Load (ETL) service for preparing data for analytics.
Describe S3 consistency
Strong read-after-write consistency
What is AWS DataSync?
Online data transfer service that simplifies, automates and accelerates copying large amounts of data between on-premise and AWS storage services, as well as between AWS storage services
When would you use EC2 dedicated hosts?
Gives you a physical server dedicated for your use. Great for server-bound licences
When would you use EC2 dedicated instances?
Instances are physically isolated from instances belonging to other AWS accounts; can’t be used for server-bound licences
What is AWS Direct Connect?
On-premise connection to AWS without going over the internet.
What is Amazon GuardDuty?
Threat detection service that monitors for malicious activity across AWS data sources including CloudTrail, VPC Flow Logs and DNS logs
Can integrate with EventBridge
Can you directly copy data from Snowball into S3 Glacier?
No, it goes directly into the S3 Standard tier. You can create an S3 lifecycle policy to move it into S3 Glacier
What is the maximum number of instances running in an Availability Zone for a spread placement group?
Maximum is 7
How can you secure data in transit with RDS?
Configure RDS to use SSL for data in transit. RDS will create a certificate so the client can verify the connection
What is the difference between a Launch Template and Launch Configuration?
Launch Configuration - used by ASGs
Launch Template - used to launch spot / on-demand instances
SQS FIFO
Max throughput 3000 messages per second
Queue name must end in ‘.fifo’
Must specify the queue type at creation time; if you want to change the type you must recreate the queue
Exactly-once delivery
What is Amazon Macie?
Removes PII from data automatically with AI
What is Amazon GuardDuty?
Intelligent threat discovery with machine learning
What data sources are supported by GuardDuty?
CloudTrail, VPC Flow Logs, DNS Logs and K8s logs
What are the targets of a CloudWatch alarm?
EC2 action, auto scaling action or SNS
What is a Launch template?
Similar to a launch configuration, but allows you to provision capacity across multiple instance types using Spot and On-Demand instances.
Your Amazon Kinesis Data Stream has many consumers reading from it, how do you speed it up?
Use the enhanced fan-out feature so that each consumer gets its own 2 MB/second output pipe per shard
What is a VPC Gateway Endpoint?
Specify a target in your route table directly to an AWS service. Currently supported: DynamoDB and S3
What is a VPC Interface Endpoint?
An Elastic Network Interface with a private IP address to route to an AWS service
How can you copy data from one bucket to another?
Use the aws s3 sync command, which copies objects that are in the source bucket but not in the target bucket. Can be run multiple times.
Set up S3 batch replication
How can you save money on EC2 instances based on your usage?
Use AWS Cost Explorer Resource Optimization to get a report of EC2 instances that are idle or have low utilization
Use the AWS Compute Optimizer to look at instance type recommendations
How can you speed up client bucket uploads?
Use Amazon S3 Transfer Acceleration to enable faster file uploads
Use multipart uploads for faster file uploads
What is the AWS Database Migration Service?
Helps you migrate databases to AWS quickly and securely
What is AWS Schema Conversion Tool?
Converts the source schema and code to match that of the target database
What is a transit gateway?
A network transit hub that you can use to interconnect VPCs and on-premise networks
Can connect Transit Gateways with Inter-Region peering
What is AWS Global Accelerator?
Provides static IP addresses as a fixed entry point to your applications
Routes traffic to the optimal endpoint based on performance
What are the pillars of the AWS Well-Architected Framework?
Operational excellence
Security
Reliability
Performance efficiency
Cost Optimization
Sustainability
What is EBS?
Elastic Block Store: Network drive you can attach to a single instance
One EBS volume can be attached to only one EC2 instance
Bound to a specific AZ
How to query metadata on an EC2 instance?
169.254.169.254/latest/meta-data
Holds IAM credentials and the private IP
How to migrate an EBS volume across regions?
Create a snapshot, then restore that snapshot into another region
What is an EC2 instance store?
Ephemeral storage for an EC2 instance that is physically attached to the instance for high I/O. Data is lost when the EC2 instance crashes.
How to encrypt a non-encrypted EBS volume?
Create an encrypted snapshot from the volume, then create a volume from the encrypted snapshot
What is EFS?
Elastic File System - NFS; a single EFS can be mounted to many EC2 instances, across multiple AZs within a single region
Access control is done with Security Groups
Supports thousands of attached EC2 instances
What is a Gateway Load Balancer?
GLB - routes traffic via a target group and then to a destination. Operates at layer 3 and is good for firewalls or packet inspection
What is Cross-Zone Load Balancing?
Allows the load balancer instance to distribute traffic across all registered instances in all AZs. Enabled by default for ALB.
What are the Auto Scaling Groups Dynamic scaling policies?
Target Tracking Scaling - tracks a simple metric
Step scaling - When a CloudWatch alarm is triggered then step up/down
Scheduled scaling - Change the capacity at a time period
Predictive Scaling - forecasts load and schedules scaling
What are RDS Read Replicas?
For read scalability
Up to 5 read replicas
Can be cross region/AZ
Each replica has its own DNS name
Asynchronous replication
What is RDS Multi-AZ?
Used for failover not scaling
Increases availability
Synchronous replication
Can only connect to it in the event of a failure
What is RDS Custom?
You have access to the underlying OS and control it but still within RDS
What is Amazon Aurora?
A performant managed relational database service
Compatible with Postgres & MySQL
More performant than RDS
Up to 15 replicas
Can backtrack to snapshots in the past
What are the Aurora scaling methods?
Serverless - auto scaling based on actual usage
Multi-Master - Instance failover if the master DB crashes
What is Global Aurora?
High availability of Aurora across the globe, great for disaster recovery
What is Aurora Machine Learning?
Simple SQL interface for ML-based predictions on data
Your RDS instance is dropping connections frequently, how to solve?
Use Amazon RDS Proxy, a fully managed proxy for RDS which intelligently reuses DB connections to reduce stress on the DB
What is Amazon ElastiCache?
Managed Redis / Memcached for read intensive workloads
When to use Redis?
Multi-AZ, replicas, data durability and support for complex queries
When to use Memcached?
Simple key-value data that does not need to be persisted
How is access managed on ElastiCache?
Security Groups
What are the caching strategies?
Lazy loading: data is added to cache as it is read with TTL
Write through: adds / updates cache when written to the DB
What is Amazon Route 53?
Fully managed DNS service for registering certificates
What are the DNS record types?
A - maps a hostname to IPv4
AAAA - maps a hostname to IPv6
CNAME - maps a hostname to another hostname
NS - Name Servers for the Hosted Zone
What are Route 53 hosted zones?
Public Hosted Zones - contain records that specify how to route traffic on the internet
Private Hosted Zones - contain records that specify how your traffic is routed within a VPC
What is the difference between CNAME vs Alias?
CNAME: Points a hostname to any other hostname for non root domains
Alias (A or AAAA): Points a hostname to an AWS Resource
What are the Route 53 Routing Policies?
Simple: specify multiple values in same record
Weighted: control the % of requests that go to each resource
Failover: DNS lookup can point to a different IP based on a health check
Latency: redirect to the resource that is closest to the user
Geolocation: direct to a server based on Geolocation
Geoproximity: Direct to a server based on distance, can set a bias to attract more traffic
What is Elastic Beanstalk?
Platform-as-a-Service tool that manages an application for you, including:
EC2 instances, ALB, RDS, SQS and CloudWatch. It uses CloudFormation under the hood at no extra cost!
What are the different Elastic Beanstalk tiers and what are their uses?
Web Server tier: handling web requests
Worker Environment Tier: handling longer-running jobs, e.g. periodic or background tasks. Can be triggered by SQS
What is the max S3 object size?
5 TB
What is the max S3 object single part upload size?
5 GB, but consider using smaller parts than that as it will be faster
What are the main S3 access controls?
IAM: role-based policies
Bucket policies: bucket-wide rules
What are the S3 Storage classes?
Standard
Standard IA
S3 Glacier
What are S3 Lifecycle Rules?
Automatically transition objects between storage classes or delete them
What are S3 Event Notifications?
Get notified of S3 events, with object name pattern filtering
Destination can be SQS queue, Lambda, EventBridge or SNS
What are the S3 Server-Side encryption options?
SSE-S3: Encryption keys entirely handled by AWS, enabled by default
SSE-KMS: Encryption keys managed by AWS KMS
SSE-C: Server side encryption using keys managed by the customer
S3 encryption in transit
Use SSL/TLS; S3 exposes both an HTTP and an HTTPS endpoint.
Can force encryption with a bucket policy that refuses API calls made without encryption
Must use HTTPS for SSE-C
What is S3 CORS?
Web browser based mechanism to control requests to other origins
If the resource server does not have the origin ‘Access-Control-Allow-Origin’ header then the request will fail.
How is the CloudFront cache invalidated?
Data is refreshed after the TTL has expired
OR
You can force a cache refresh by performing a CloudFront Invalidation
What is Athena?
Serverless query service to analyze data stored in S3. Integrated with QuickSight
What is Athena Federated Query?
Use lambda to run queries across many data sources (S3, RDS, DDB, CloudWatch)
What is Amazon Elasticsearch / OpenSearch Service?
Search any field, supports partial matches
What is Amazon QuickSight?
Create interactive dashboards; integrates with RDS, Aurora, Athena, Redshift, OpenSearch
What is AWS Glue?
ETL (Extract, Transform and Load) service. Convert data between formats
What is AWS Lake Formation?
Central place for data to be stored for analytics
What is Amazon Rekognition?
Find objects and people in images/video using ML
What is Amazon Transcribe?
Convert speech to text
Able to automatically remove PII
Amazon Polly
Convert text to speech
Amazon Translate
Natural and accurate language translation
Amazon Lex
Automatic speech recognition
Natural Language understanding
Helps to build chatbots and call center bots
What is Amazon Connect?
Virtual contact center solutions using Lex
What is Amazon Comprehend?
Natural Language Processing that is serverless. Finds relationships in text
What is Amazon Comprehend Medical?
Detects & returns useful info in clinical text
What is Amazon SageMaker?
Fully managed service for building ML models
What is Amazon Forecast?
Fully managed Amazon service to make predictions from data in S3
What is Amazon Kendra?
Fully managed document search analyzer across many document sources
What is Amazon Personalize?
Fully managed ML service to build apps and make personalized recommendations
What is Amazon Textract?
Extracts text, handwriting and data from scanned documents
What are the EC2 metrics?
Out of the box metrics: disk IO, CPU and network IO
Install the unified agent to get more
What is Amazon EventBridge?
Schedule events
Subscribe to event patterns
Send event to destinations
What is CloudTrail Insights?
Uses a baseline of normal management events, then detects anomalies from it and creates an event in EventBridge
What is AWS Config?
See how a resource was modified over time
Auditing and record compliance
Evaluates periodically or when the configuration changes
What is AWS Organizations?
Manage multiple AWS accounts with consolidated billing
What are Service Control Policies?
SCPs limit permissions within an account or OU
What are IAM conditions?
Set conditions such as NotIpAddress or RequestRegion to control when an IAM policy is in effect
What is Cognito User Pools?
Allows users to sign in / sign up against a user pool or a third-party federated IdP
Integrates with API Gateway or ALB
What is Cognito Identity Pools?
Exchange a token from user pool for temporary AWS credentials so that the user can access AWS resources directly
What is AWS IAM Identity Center?
Integrates with AWS to allow developers to integrate with multiple AWS accounts
One login (single sign-on SSO) for all your AWS accounts
What is AWS Control Tower?
Detect policy violations and remediate them within an Organizational Unit
Offers guardrails for control of your AWS environment and prevents config changes.
Automates account creation.
What is AWS Firewall Manager?
Manage rules in all accounts of an AWS Organization
Manage:
* WAF, AWS Shield, Security Groups, Network Firewall, Route 53 Resolver DNS firewall
What is Amazon Inspector?
Automated security assessments for running EC2 instances, ECR and Lambda functions
How many VPCs can you have per region?
5, but this is a soft limit
How many IP addresses does AWS reserve in a subnet?
5, so you need to be aware of that when determining the subnet size
What are the characteristics of a subnet?
Within a single VPC
Has a CIDR range
Within a single AZ
What are the characteristics of a VPC?
Within a single AWS region
Has a CIDR range
Contains multiple subnets
What is an Internet Gateway?
Allows resources in a VPC to connect to the internet, but it must be used together with a route table (router) to provide internet access
What is a route table?
Associated with one or more subnets and contains traffic routing rules to other subnets or the IGW
What is a NAT Gateway?
AWS managed NAT, highly available and high bandwidth
Links a private subnet via the NATGW to the IGW
One NAT gateway per public subnet / AZ
What is a NACL?
Network Access Control List
Operates at the subnet level
Inbound/outbound rules and is stateless
Default accepts everything inbound/outbound
Be wary of ephemeral ports on the NACL rules!
What is S3 Object Lock?
Store objects using a write-once-read-many (WORM) model to prevent objects from being deleted.
What is S3 Object Lock Governance mode?
Locks the object over a retention period, but certain IAM users can delete the protected object versions
What is S3 Object Lock Compliance mode?
Locks the object over a retention period but no users can delete the protected object
What is the S3 Legal Hold?
Legal hold prevents an object from being deleted and remains in place until the legal hold is removed. Legal holds can be removed by users with correct permission
Do Lambdas have resource based permissions?
Yes, to allow a role or AWS service to invoke the function on your behalf
What is a Lambda execution role?
The role that lambda assumes when the function is launched
What is AWS Trusted Advisor?
Analyzes your AWS accounts and provides recommendations for cost, performance, security, fault tolerance and service limits
What is AWS Application Migration Service (MGN)?
An automated lift-and-shift (rehost) service to move a workload from on-premise to AWS.
What is AWS Compute Optimizer?
Recommends optimal AWS resource for your AWS workloads to reduce costs/improve performance using machine learning.
Can be run on:
* EC2, ASGs, EBS and Lambda
How to manage Prometheus and Grafana in AWS?
Use “Amazon Managed Service for Prometheus” and set that workspace as the data source in “Amazon Managed Grafana”
How to protect against CloudTrail log modifications/deletion?
Enable CloudTrail log file integrity validation and have the logs delivered to an S3 bucket
What is AWS Application Discovery Service?
Helps you plan your migration to AWS cloud by collecting usage and configuration data about your on-premises services.
It integrates with the AWS Migration Hub console to track the migration of each application.
What is Amazon Quantum Ledger Database (QLDB)?
A fully managed ledger database that provides a transparent, immutable and cryptographically verifiable transaction log.
How to get more metrics from EC2 instances?
Install the CloudWatch agent to the EC2 instance
How to get more detailed metrics of RDS?
Enable enhanced monitoring
You have an on-premise provider IdP and you want to give users access to AWS resources, how to do this?
Set up an identity provider; the app assumes a role with SAML to get tokens to assume a role
How to avoid “hot” partitions in DynamoDB?
Choose high-cardinality partition keys which vary greatly between items
What is AWS Storage Gateway service?
File interface into S3 with mount points
Clients can use SMB or NFS to interact with it
Maintains a local cache for frequently accessed items
What is Amazon FSx?
Launch and manage high performance file systems in the cloud
What is FSx for Windows?
Microsoft Active Directory (AD) integration
Accessible from Windows, Linux and Mac instances
How to capture changes from an Aurora DB or RDS instance?
Create a Lambda and trigger that Lambda on update events. The Lambda can then send a message to SQS.
What is AWS Artifact?
View compliance related information and security reports
What is AWS Security Hub?
Comprehensive view of high-priority security alerts and security of your AWS account
What is KMS custom key store?
Logical store to store keys but still use KMS for convenience. Customer is in full control of keys.
Can use CloudHSM or an external key store for key material.
How to enable RDS data IAM access?
Enable IAM DB Authentication, so that authentication is managed through IAM
How do ASGs decide which instance to terminate?
Choose the AZ with the most number of instances
Select instances with the oldest launch config
Select the instance that is closest to the next billing hour
How to query data from buckets in multiple accounts?
Use AWS Lake Formation to consolidate data from multiple accounts into a single account
When to consider using the snow family over internet to transfer large amounts of data?
When it takes > 1 week to transfer the data
What is AWS Tape Gateway?
Backs up data via AWS Storage Gateway directly to S3 Glacier Flexible Retrieval / Deep Archive
What are cost allocation tags?
Tag AWS resources with a key value pair (department - eng).
Activate the tags in the Billing and Cost Management console, which generates an allocation report across the tags.
Can you directly transfer data into S3 glacier deep archive / flexible retrieval from DataSync?
Yes, you don’t have to wait 30 days
What is S3 Infrequent Access best for?
Long-lived, rapid but less frequently accessed data
What is One Zone S3 best for?
Data is only stored in one AZ so has lower availability (99.5%) but is cheaper
What are SNS filter policies?
A filter policy on an SNS subscription in which the subscriber would only receive messages that they are interested in
What is AWS Proton?
Deploy serverless / container-based applications with infrastructure broken down into environment and service templates
What is Amazon Simple Workflow Service (SWF)?
Coordinate work across distributed applications which are task-oriented
What is AWS Database Migration Service (AWS DMS)?
Migrate data stores, good for one-time migrations and replicating ongoing changes between sources and targets.
Can also encrypt source/target endpoints with SSL, but you need to add the certificate to the endpoint.
What is the relationship between load balancers and subnets?
An ELB can be associated with multiple subnets.
An ELB can forward traffic as needed into other subnets.
What is AWS Backup?
Configure backup policies for AWS / on-premise across accounts / regions
What is the SQS message retention period?
Default 4 days
Minimum 1 minute
Max 14 days
How to route traffic using Route 53 to a public website hosted in S3?
Configure the bucket to host a static website and enable public access
Name the bucket the same as your domain or subdomain
A registered domain name
What is Amazon Data Lifecycle Manager (Amazon DLM)?
Used to automate the creation, retention and deletion of EBS volume snapshots
What is the ASG cooldown period?
300 secs
What is AWS Resource Access Manager (RAM)?
Helps you share resources across AWS accounts or within OUs.
What is EC2 hibernation?
Instance is put in hibernation, you pay only for the EBS volumes and Elastic IP address
Can you enable EC2 hibernation on a running instance?
No, you have to enable hibernation when launching an instance. Also the EBS volume must be encrypted.
Are you billed if your on-demand EC2 instance is stopping to hibernate?
Yes
Are you billed if an EC2 instance is shutting-down to terminate?
No
Are you billed if your spot EC2 instance is stopping?
No
Are you billed if your Reserved instance is in a terminated state?
Yes
Compare Transit Gateways to AWS VPN CloudHub
Both interconnect VPCs and on-premise networks.
But:
Transit Gateways use Direct Connect, a dedicated connection to on-premise, so traffic doesn’t traverse the internet
AWS VPN CloudHub traverses the internet
What is AWS AppSync?
Keep app data updated in real-time from DynamoDB and ElastiCache with Lambda
Serverless and uses GraphQL with pub/sub
What are the AWS Kinesis services?
Kinesis Data Streams, Kinesis Data Firehose, Kinesis Video Stream and Kinesis Data Analytics
What is Kinesis Data streams used for?
Process and store data streams
What is Kinesis Data Firehose used for?
Load data streams into AWS data stores
Transforms data as well.
What is Kinesis Data Analytics used for?
Analyze data streams with SQL / Apache Flink
What should you do if you no longer need a reserved instance?
Sell the Reserved instances on the AWS Reserved Instance Marketplace OR
Terminate the Reserved instances to avoid being charged for the on-demand price once it expires
How does Amazon S3 Transfer Acceleration work?
Leverages CloudFront’s globally distributed AWS Edge locations so users can upload around the world
Is autoscaling enabled by default with DynamoDB?
No, you have to enable it manually
What is the CloudFormation CreationPolicy attribute?
For when you want to wait on resource configuration actions before stack creation proceeds. You need to signal success with the cfn-signal helper script.
What is the Kinesis data stream retention period?
Time from when a record is added to when it is no longer available.
Default is 24 hours and can be increased to 365 days.
Can you peer two VPCs with overlapping CIDR blocks?
No
How to migrate an Aurora replica with no down time and performance being affected?
Use AWS DMS to migrate data
How can you quickly access small amounts of data from S3 Glacier?
Quickly access your data for urgent requests for a subset of archives
Purchase provisioned retrieval capacity (1 - 5 mins retrieval)
What is Route 53 active-active failover?
Traffic is routed to all your resources; when a resource becomes unavailable Route 53 can detect that and stop routing traffic to it
What is Route 53 active-passive failover?
When you want a primary resource to be available and a standby resource to be routed to in case the primary fails
Does an Elastic IP disassociate with an instance after it is stopped?
No, it remains attached
An RDS instance is running out of disk storage, how best to fix?
Enable storage autoscaling
What is the maximum backup retention period of Aurora?
35 days, if you need more use an AWS Backup plan
What limits how many EC2 instances you can launch?
The vCPU limit per account per region
How to grant users access to private content on CloudFront?
Use CloudFront signed URLs / signed cookies
How to import a certificate into AWS?
Use AWS Certificate Manager or IAM certificate store
If your identity store is not compatible with SAML 2.0 how can you integrate it with AWS?
Develop a custom identity broker and use STS to issue AWS credentials
How is CloudWatch agent used with SSM Parameter store?
SSM Param store stores the CloudWatch agent config.
An EC2 instance launched doesn’t have a DNS name. Why?
DNS resolution and DNS hostnames should be enabled on the VPC
How to get logs from an EC2 instance?
Install the CloudWatch unified agent
Differences between DataSync and Storage Gateway?
DataSync supports a variety of AWS storage services whereas Storage Gateway supports only a few.
DataSync is more suitable in automating and accelerating data transfers or migrating data
Storage Gateway is more suitable for integrating on-premise with cloud.
What is RAID 0 instance store configuration?
Improves the IOPS
What is an Elastic Fabric Adapter (EFA)?
Network device you can attach to your EC2 instance to accelerate HPC
What is S3 server access logging?
Enabled per bucket; logs all access requests to the bucket. Like CloudTrail but also includes the referer.
What is the AWS Personal Health dashboard?
Shows AWS events which may affect resources in your account. Subscribe with EventBridge.
What is the Origin Access identity used for with S3?
Gives CloudFront permission to read the bucket without making the bucket public.
CloudFront needs an Origin Access Identity (OAI)
What are the regular RDS metrics?
CPU Utilization, Database Connections, and Freeable Memory
What is AWS License Manager?
A service to manage your software licences. Gives visibility with SNS topics and reduces risk of non-compliance.
Do RDS Read replicas have their own DNS name?
Yes, you need to distribute requests amongst them yourself; Route 53 can do this.
What is S3 cross-region replication?
Makes your bucket available, even in the event of a regional failure.
How can you use AWS Config to attempt remediation of non-compliance?
Use AWS Config to define the compliance rule, when Config detects a non-compliance event then trigger an EventBridge event which triggers Lambda to attempt remediation.
What EBS volumes support the multi attach feature?
io1 / io2; doesn’t support multi-AZ resiliency
What are EBS magnetic volumes?
Lowest cost per gigabyte, ideal for infrequently accessed data
Does SSE-S3 provide an audit trail?
No, must use SSE-KMS for this.
What are the storage gateways?
S3 File Gateway - NFS/SMB with S3 backing
FSx File Gateway - integrates with FSx
Volume Gateway - can cache data volumes, data is on-premise
Tape Gateway - backed with S3 and S3 Glacier
What are CloudTrail Management events?
Events for management operations (who, what action and if successful)
What are CloudTrail Data events?
S3 object activity / Lambda invocations. Not logged by default.
What are the S3 lifecycle transition limits?
Apply only to the IA (Infrequent Access) classes. You must store the data for at least 30 days in the Standard class.
Other transitions have no limits.
Do ALBs support weighted target groups?
Yes, other ELBs don’t though
What is CloudWatch Application Insights?
Provides automated dashboards to show potential problems with monitored applications.
What is SQS visibility timeout?
30s default
12 hrs max
What is the Auto Scaling Group instance warm up time?
The time before the instance metrics are taken into account for the ASG action
What is ALB slow start mode?
ALB gradually increases the percentage of traffic that a target receives
What is Amazon Workspaces?
Virtual desktops to use in the cloud
What are the S3 GET/PUT limits?
3500 PUT requests / s
5000 GET requests /s
Does adding random prefixes to S3 objects help?
No, this is no longer needed
Can tags be used in IAM conditions?
Yes!
How to programmatically ensure you are not close to exceeding your service limits?
A Lambda function that refreshes the AWS Trusted Advisor service checks, then capture these events with Amazon EventBridge
What is an Elastic Network Adapter (ENA)?
Like EFA but more compatible with Windows
What is AWS Network Firewall?
Define rules that provide fine-grained control over ingress/egress traffic
Inspect traffic
What is AWS Systems Manager Run Command?
Manage the config of many EC2 instances (or on-premise) or run commands
What is an IAM role trust policy?
Who can assume this role? Other accounts/services
ASG Step scaling vs Target tracking?
Use step scaling when you want to base the scaling on a set of scaling adjustments
How to increase the throughput of Site-to-Site VPN connections?
Associate the VPCs to an Equal Cost Multipath Routing enabled transit gateway
What are On-Demand Capacity Reservations?
Enables you to reserve compute capacity for EC2 in a specific AZ for any duration
How to get notified of certificate expiry in ACM?
Use Amazon EventBridge to run every day to determine expiry of certificates
Use EventBridge and listen to expiration events from ACM, starts 45 days prior to expiration.
Use an AWS Config managed rule “built-in-acm-certificate-expiration-check”
Do IAM users need access keys to make API calls?
Yes
What is the minimum storage in S3 Deep Archive?
180 days
What is the RDS read replica asynchronous replication time?
seconds
What is the Aurora replica asynchronous replication time?
milliseconds
Do RDS instances have security groups?
Yes but can also use IAM auth when enabled
Does Athena have security groups?
No, access is controlled by IAM
Received a capacity error when launching an instance in a placement group that already has instances. What to do?
Stop and restart the instances in the placement group and launch the group again.
Athena queries slow, what to do?
Convert the S3 data to Apache Parquet with Glue
What is Aurora cloning?
Space- and resource-efficient clone of another Aurora DB (records the diff)