New

Question 1

S3 - What are the file restrictions in S3?

Answer 1

0bytes to 5TB
Files need to be uploaded in multipart when >5GB

IA: min 128KB and min. duration of 30days

Question 2

S3 - What are the two types of meta data?

Answer 2

System metadata: last modified, MD5 digest, Content-Type

User Metadata: key-value for user defined tags

Question 3

S3 - How is an URL for a file in S3 structured?

Answer 3

http://[BUCKET].s3.amazonaws.com/[FILENAME]

Question 4

S3 - What API actions can be done in S3?

Answer 4

GET, PUT, DELETE, LIST

Question 5

S3 - How many facilities can fail in S3 at one time?

Answer 5

Two

Question 6

S3 - What is RRS in S3?

Answer 6

Durability 99.99%

Lower costs

Question 7

S3 - What are atomic reads for eventual consistent reads?

Answer 7

An old version or the new version will be delivered, but not a mix

Question 8

S3 - How can access be controlled in S3?

Answer 8

coarse grained: Access Control Lists

fine grained: Bucket Policy, IAM, query-string authentication

Question 9

S3 - What can be done with Bucket Policies?

Answer 9

Restrict access based on IP-Range, time-of-day, which bucket

Question 10

S3 - Can you assign a IAM Policy to another account?

Answer 10

No, use roles

Question 11

S3 - How are static websites structured?

Answer 11

[BUCKET].s3-website-[REGION].amazonaws.com

Question 12

S3 - What mechanisms can be used to encrypt?

Answer 12

Before sending: Client Side Encryption
In-Flight: SSL
At Rest: SSE-S3, SSE-KMS, SSE-C (All using AES 256bit)

Question 13

S3 - What is a Range GET?

Answer 13

Get the n-first bytes of S3/Glacier

Question 14

S3 - What gets logged in S3 Access Logs?

Answer 14

Account/IP
Bucket name
Time
Action (PUT, GET...)
Response Code

Question 15

S3 - How are files stored in Glacier?

Answer 15

Archives (up to 40TB)
Identified with an archive ID (not user defined)
Automatically encrypted
Immutable, cannot be modified

Question 16

EC2 - What is an EBS optimized instance?

Answer 16

Optimized configuration to take full advantage of EBS storage. Comes with an additional hourly cost

Question 17

VPC - Can you have more than one Route Table?

Answer 17

Yes

Question 18

VPC - What is an ENI?

Answer 18

Elastic Network Interface
Can be attached to the Instance
Handles the Security Group
Can have one public and multiple private IPs (>1 -> Dual Homed)

Question 19

ELB - What Protocols does ELB support?

Answer 19

HTTP
HTTPS
TCP
SSL

Question 20

ELB - How to use SSL on ELB?

Answer 20

Install the SSL Certificate, which terminates the connection, decryptes the request, then sends it to the backend
If there are multiple websites, you need to use Subject Alternative Name (SAN)

Question 21

ELB - What is a Listener on the ELB?

Answer 21

Process that checks for a connection request
CNAME, A-Recored e.g.
COnfigured with a protocol and port

Question 22

ELB - What OSI Levels does ELB use?

Answer 22

Layer 7 for applications (HTTP/HTTPS)

Layer 4 for TCP traffic

Question 23

ELB - What are the configurable features in ELB? (6)

Answer 23

Idle Connection Timeout
Cross Zone Load Balancing
Connection Draining
Proxy Protocol
Sticky Sessions
Health Checks

Question 24

ELB - How can ELB help to keep instances updated?

Answer 24

By terminating long running instances and replace them with fresh AMIs

Question 25

CloudWatch - Name two types of actions that CW can send an altert/message to?

Answer 25

SNS

AutoScalingGroup

Question 26

CloudWatch - Can CW aggregate data across regions?

Answer 26

No

Question 27

CloudWatch - What two metrics are not visible to AWS and need to be send as custom metrics?

Answer 27

Instance memory consumption

Disk metrics

Question 28

CloudWatch - How can you store logs indefinately?

Answer 28

Store the logs in S3 (else the data is retained by two weeks)

Question 29

ASG - What are the four scaling plans?

Answer 29

Maintain Current Instance Level
Manual Scaling
Scheduled Scaling
Dynmaic Scaling

Question 30

ASG - Can the AutoScalingGroup reference a spot and a on-demand instance at the same time?

Answer 30

No

Question 31

ASG - What service integrates Active Directory?

Answer 31

AWS Directory Service

Question 32

IAM - What is a principal in IAM?

Answer 32

Is the permanent or temporary right to interact with an AWS resource

Question 33

IAM - For which three purposes are roles used?

Answer 33

As EC2-Role: Allows to use applications on an instance
As Cross-Account-Access
For Federation: Access granted by external system

Question 34

IAM - What is a securtiy token and who provides it?

Answer 34

The AWS Security Token Service provides it.

Allows temp. acces for 15min to 36 hrs

Question 35

IAM - What are ways to assign a policy?

Answer 35

Direcly on the IAM User
As a policy, which is then attached to the user
Directly on a Group
As a policy, which is then attached to a group

Question 36

IAM - How are permissions handeled?

Answer 36

Per default everything is denied
Only allow -> allow
Only deny -> deny
allow and deny -> deny

Question 37

Security - What is Storage Device Decommission?

Answer 37

Storage devices that reached the end of life will be decommissioned/destroyed so that no data can be exposed

Question 38

Security - Does AWS have access to the instance or the OS?

Answer 38

No

Question 39

Security - Best practise to auto update an instance

Answer 39

Launch the latest AMI

Question 40

Security - Should you use additional firewalls

Answer 40

In best case: yes, like windows firewall or IPtables

Question 41

Security - How is EBS being replicated?

Answer 41

At no additional costs, in the SAME Availability Zone

Question 42

Security - Can you share EBS snapshots and can those be altered by other accounts?

Answer 42

Yes, they can be shared.

But, they cannot be modified by other accounts

Question 43

Security - Can EBS volumes be encrypted?

Answer 43

Yes, but it requires processing power and therefore to ensure no latency this feature is only possible for more powerful EC2 instances

Question 44

Security - What is Perfect Forward Secrecy?

Answer 44

Keys used for SSL on the ELB are ephemeral and never stored

Question 45

Security - How many route tables are in a VPC?

Answer 45

One (or more) per subnet

Question 46

Security - How many NACLs are in a VPC?

Answer 46

One per routing table

Question 47

Security - What is a VPG?

Answer 47

Virtual Private Gateway, used for private connectivity between VPC and another network

Question 48

Security - Can CloudFront access be geo restricted?

Answer 48

Yes

Question 49

Security - Can you grant access to CF, but not the origin S3?

Answer 49

Yes, using the S3 ACL

Question 50

Security - Describe the four access restriction for S3

Answer 50

IAM Policies: attached to a User

ACL:Read/Write on a bucket level to users or groups

Bucket Policies: permissions to single files or the bucket for users, groups or buckets

Query String Authentication: Temporary access to a pre-sign URL for up to 7 days. Can be combined with additional rules. (Geo, IP..)

Question 51

Security - Are the meta data in S3 encrypted?

Answer 51

No

Question 52

Security - How can access to S3 be logged?

Answer 52

Using S3 Access Logs

Question 53

Security - What is the process to retrieve data from Glacier?

Answer 53

Initiate retrieval job
Wait 3-5 hrs
Data can be accessed with HTTP GET for the full or partial data
Data is available for 24 hrs

Question 54

Security - What is Storage Gateway and how are files transferred?

Answer 54

Connects on premise data with the cloud.
Used for backups and disaster recovery
Data is asynchronously transferred

Question 55

Security - How to backup DynamoDB

Answer 55

Using a special template in AWS DataPipeline for copying the tables

Question 56

Security - Describe the process of RDS snapshots and backups in detail

Answer 56

- Backup -
Automatic (Per default enabled)
Point in time recovery
Allows to restore DB to a specific second up to 5 min of the failure
35 days retention rate

- Snapshots - 
Manually done
Full copy
Can be used to create another DB
Is using I/O therefore writes are suspended. Should be done in the Multi A/Z standby

Question 57

Security - How to first-access Linux/Windows instances

Answer 57

Linux: Using the full key pair (presenting the private key)
Windows: Using the private key to decrypt the admin password

Question 58

Security - Which seven services can use encryption at rest

Answer 58

SEGS RRW

S3
EBS
Glacier
StorageGateway
RDS
Redshift
Workspaces

Question 59

CDN - How to create a subdomain?

Answer 59

Create a CNAME record (cdn.example.com) in Route53

Question 60

CDN - What is a use case for cache behaviour?

Answer 60

Target the caching by file name (.php / .jpg)

Question 61

CDN - What are the features of cache behavoiur?

Answer 61

Path Pattern
Origin
Should query strings to forwarded to the origin
Must have signed URLs
If it needs HTTPS
Caching time

Question 62

CDN - Use cases for CloudFront

Answer 62

Static Websites
Dynamic Websites / Applications
Widely geographically distributed
Large Files
Streaming media

Question 63

CDN - What cases is CloudFront NOT suited for?

Answer 63

Users from a single location

Users from a corporate VPN (if the all have the same IP)

Question 64

Storage Gateway - Use cases for the three different Storage Gateway types

Answer 64

Cached volumes: expand local hardware
Stored volumes: asynchronous backup
Tape: cost effective use of already used tape licenses

Question 65

Directory - Use cases for the three Directory Services

Answer 65

AWS Direcotry Service for MS AD (Enterprise): more than 5000 users
Simple AD: Cost effective (<5000 users)
AD Connector: on premise AD service

Question 66

Security - What are the two services for encrypting with own keys and what are their use cases

Answer 66

KMS & Cloud HSM

Scalable solution for symmetric key distribution and Compliance with processes validated by a third party

Question 67

CloudTrail - Can you use CT across regions

Answer 67

Yes, the same trails will be used on all regions and then stored in one S3 Bucket

Question 68

CloudTrail - Use cases for Cloud Trail

Answer 68

External Compliance Audits

Information which service are target for unauthorized access

Question 69

Kinesis - Difference between Firehose / Streams

Answer 69

Firehose: Storing data in the appropriate system
Kinesis: real time analysis

Question 70

EMR - Use cases for Elastic Map Reduce

Answer 70

Log processing
Clickstream analysis
Genomics and Life Science

Question 71

Data Pipeline - What is the Data Pipeline?

Answer 71

Used for scheduled tasks that involve moving data to the appropriate services.
Services can be started/stopped on its behalf, and if a task fails i can be retried.
It is also possible to check for preconditions before the task is started

Question 72

Import/Export - What are the two methods

Answer 72

Using snowball as a device presented by AWS

Use your own disk

Question 73

OpsWorks - What is it based on and what does it do?

Answer 73

It is based on Chef.
Creates an application stack that can be deployed
Used to host multi-tier Web Applications and supports continious integration

Question 74

AWS Config - Use cases

Answer 74

Discovery for all used ressources
Lists all the services used in the past
Used for incidents and troubleshooting

Question 75

CloudFront - What is the use case for CF Origin Access Ientifier?

Answer 75

Makes sure that the content of a S3 bucket is only accessible with CloudFront

Question 76

DB - How can Oracle and MS SQL be encrypted?

Answer 76

Using KMS

TDE for Enterprise tier

Question 77

DB - What are the storage options for RDS?

Answer 77

Magnetic, SSD, SSD IOPS
4GB to 6TB
up to 30.000 IOPS

Question 78

DB - What is RPO / RTO ?

Answer 78

Recovery Point Objective:
Max. data loss in an event of failure (should be minutes)

Recovery Time Objective:
How long does it take for the recovery to be fully effective

Question 79

DB - How to scale vertically for writes?

Answer 79

Using partitions or shards

Problem: Client/Application must know in which shard the data is

Question 80

DB - Which engines support Read Replicas

Answer 80

MySQL
MariaDB
PostgreSQL
Aurora

Question 81

DB - How to encrypt Redshift

Answer 81

in transit: SSL

At Rest: KMS or CLoudHSM

Question 82

DB - How to improve read throughput for DynamoDB

Answer 82

Distribute Requests accross range of keys

Question 83

DB - What is a secondary key in DynamoDB?

Answer 83

Used to further index the database to avoid scan operations

Global Sec. Key: can be created at any time
Local: on partition with the primary key, can only be created when the table is created

Question 84

DB - How are IOPS generated for DynamoDB?

Answer 84

One Partition can generate 3000 IOPS, scaling would improve this.
But if all reads go to one partition it wold be stuck at 3000

Question 85

DB - What are DynamoDB Streams?

Answer 85

List of all changes of the last 24h