Notes Flashcards
What is Durability?
Durability can be described as the probability that you will eventually be able to get your object back from the storage system from one of the stores and archives
What is Availability?
Availability is the probability that you will be able to get an object back the moment that you ask for it (the object might be persistent but you might not be able to read it all the time)
What are the 5 pillars of the Well-Architected Framework?
- Operational Excellence
- Security
- Reliability
- Performance Efficiency
- Cost Optimization
What are the 4 available plans for AWS Support?
- Basic
- Developer
- Business
- Enterprise
How can you access AWS resources without an AWS Account?
You can authenticate using a corporate portal (SSO) which generates a SAML authentication response. This response is redirected to an AWS console endpoint which gives users account or IAM role access depending on the setup
What type of consistency do new files have in S3?
Read after Write Consistency
What type of consistency do updates to existing files in S3 have?
Eventual consistency
What type of consistency does deletions in S3 have?
Eventual consistency
If you update a file in S3, can you receive the file in a partially updated or corrupted state?
No, changes are atomic meaning that you will either receive the old version or the new version.
What are the 5 storage classes for data?
- Standard
- Reduced Redundancy
- Standard Infrequently Accessed
- One Zone IA
- Archived (Glacier)
If you have data that is highly reproducible and are willing to lose some of it, what is the best storage option without losing availability?
Reduced Redundancy
If you have data that needs strong durability, but does not need to be read often, what is the best storage option without losing availability?
Standard Infrequently Accessed
What is the most cost effective data storage option for data that almost never has to be accessed and does not require immediate access?
Archive in Glacier
What are the 3 encryption options for S3 data at rest?
- SSE-S3 : Fully managed encryption
- SSE-C: Encryption at rest with custom keys that are not stored by AWS
- SSE-KMS : Encryption at rest using keys managed by Amazon Key Management Service (KMS)
What is a way to ensure greater security to protect against deletes in S3?
You can enable multi factor authentication to be able to delete a file
How can you optimize data transfer if latency is an issue (ex. uploading a lot of files)?
S3 Transfer Acceleration
How can you optimize data transfer if transfer speed is an issue (ex. uploading a large file)?
Multi-Part Upload
What AWS service should you use to transfer massive amounts of data into AWS?
Snowball
If you need a hybrid storage solution (both in the cloud and on premises), what service should you use?
Storage Gateway
What are the four gateway types for Storage Gateway?
- File Gateway: For flat files, stored directly in S3
- Cached Volumes Gateway: stores files in the cloud and keeps a local cache to speed up reads. Block based storage for things like Virtual Hard Disks
- Stored Volumes Gateway: optimized for low latency, storing files locally and asynchronously sends a back up point-in-time snapshot to S3. Block based storage for things like Virtual Hard Disks
- Gateway Virtual Tape Library:
Used for backup and uses popular backup applications like NetBackup
What are the requirements to enable Cross Region Replication (CRR) on an S3 bucket?
- Both source and destination bucket must have versioning enabled
What is the default url for a bucket named MYBUCKET with a resource named MYRESOURCE
https://MYBUCKET.s3.amazonaws.com/MYRESOURCE
What is the default url for a static web page hosted in an S3 bucket named MYBUCKET in us-east-1?
https://MYBUCKET.s3-website-us-east-1.amazonaws.com
What is Amazon SQS
A message based queue system. The system is a pull based system meaning that consumers of the queue have to read from the queue instead of having the data pushed to them.
What are the 2 types of queues for SQS?
- Standard : Higher throughput, messages delivered at least once, best effort ordering
- FIFO: Lower throughput, messages processed exactly once, guarantees order
What is the visibility timeout in connection with Amazon SQS?
The visibility timeout is the time it takes for a message to become visible again within the queue. If the consumer takes too long to process the data, then the message will become visible again and can be consumed again. The default is 30s and it can be set as high as 12 hours.
What are delay seconds in connection with Amazon SQS?
Delay seconds is the amount of time it takes for a message to become visible within the queue. The default is 0 seconds and it can be set as high as 15 minutes.
What is Long Polling in connection with Amazon SQS?
Long polling reduces the number of polls to the queue from the consumer. It does this by not responding to the consumer until a message is found or a set amount of time has passed.
What is the maximum retention period for Messages in SQS?
14 days
What are the two types of virtual machine images
- HVM (Hardware Virtual Machine): fully virtualized hardware and boot, best performance.
- PV (Paravirtual) : uses a special boot loader that runs on hardware that doesn’t have support for virtualization. Recommended for older generation instances.
What is the Metadata API endpoint?
https://169.254.169.254/latest/meta-data
If you are planning on running EC2 instances for several years and want to reduce costs and ensure compliance, what should you use?
Dedicated Hosts or Dedicated Instances
What is the difference between Dedicated Hosts and Dedicated Instances
Dedicated hosts gives you additional visibility and control over the number of instances on your physical server which allows for the use of server bound licenses.
Dedicated Instances are less configurable and don’t allow added capacity.
What is an EBS Volume?
An EBS volume is a block level storage devices that you can attach to a SINGLE ec2 instance. That can be used as primary storage for data that requires frequent updates such as storage for a database application.
How can you back up an EBS volume?
AWS Snapshots. These are point in time, incremental backups of your data. Each snapshot saves the disk changes since the last snapshot.
(T/F) A snapshot is by default available to all regions?
False, a snapshot is only available in the region it was created and must be copied to another region before using it to create new volumes
How can you take application consistent snapshots of your data?
Shut down your EC2 instance and detach the EBS volume. Then take a snapshot
How can you encrypt an EBS volume?
Take a snapshot, encrypt the snapshot, and then create a volume using the encrypted snapshot.
What is Amazon ECS?
AWS Container Service: This is a container management service that can be used to manage and deploy docker containers across clusters of EC2 instances.
What is Dynamo DB?
AWS NoSQL database service
How do you control the performance of a Dynamo DB instance?
Dynamo DB performance is defined using read capacity units and write capacity units.
What is the capacity of a read capacity unit in Dynamo DB?
A read capacity unit means one strongly consistent read per second or two eventually consistent reads per second for up to 4KB in size.
What is the capacity of a write capacity unit in Dynamo DB?
A write capacity unit means one write per second for an item up to 1KB in size.
What is Amazon Redshift?
AWS analytics database. This is often used to do columnar operations on databases (ex. find total number of units sold across all stores). Redshift is commonly used with OLAP (online analytics processing)
What types of databases does Amazon RDS Support?
- Oracle
- Sql Server
- MySQL
- MariaDB
- PostgreSQL
- Amazon Aurora
If you want duplicate a Relational Database for read operations what should you use
Read Replicas
What consistency do Read Replicas of DB’s have
Eventual Consistency
What types of Databases are Read Replicas supported for?
- MySQL
- MariaDB
- PostgreSQL
- Amazon Aurora
Can you encrypt an unencrypted database directly?
No, you have to create a new database that is encrypted and then manually copy over your data.
What can you do to protect the availability of your database against outages or failures?
Use Multi-AZ deployment which will automatically route traffic to the replica upon failure.
What is AWS VPC?
Amazon’s Virtual Private Cloud which allows you to create complex private networks in the cloud.
What is AWS Cloudwatch?
Cloudwatch is a service that allows you to collect metrics, logs, and monitor provisioned resources such as EC2 instances. You can also create dashboards and alerts around these metrics (stored for 15 months by default)
What is AWS SWF?
Amazons Simple Workflow Service allows you to define and run workflows with parallel or sequential steps. This is a push based system than can allow for manual (human) steps.
What are AWS Organizations?
Organizations allow policy based managements for multiple aws accounts, creation of groups of accounts, and a centralized billing location for multiple accounts with consolidated billing.
(T/F) When using consolidated billing, the payment account should only be used for billing purposes?
True
What is the benefit of consolidated billing?
Volume based pricing can reduce costs for large volumes of use.
What are the benefits of tagging resources in AWS?
Tags can be used for Cost Allocation and Conditional Access Control Policies which define permission based on tags
What is a resource group?
A collection of resources that share one or more tags
What are some ways you can mitigate against a DDOS attack?
- Distribute the load (ELB)
- Scale to absorb the attack (auto scaling)
- Use CloudWatch to analyze expected traffic
- Safeguard resources by using aliases to hide IPs
- Use CloudFront geo restriction
- NACLs
T/F IAM is restricted to the region it was created in?
False. IAM roles are global
What is RTO?
Recovery Time Objective: The time it takes after a disruption to restore a business process to its service level.
What is RPO?
Recovery Point Objective: Acceptable amount of data loss measured in time before the disaster occurs
What are the four techniques for disaster recovery from the Disaster Recovery White paper
- Backup & Restore: Data is backed up and restored. Nothing is running in the meantime
- Pilot light: Only minimal critical services while the rest are recreated and scaled
- Warm Standby: Fully functional site with minimal configuration is available and can be scaled during recovery
- Multi-site: Fully functional site with identical configuration is available and picks up the load
You need to monitor the performance of your EC2 instances (including metrics such as CPU Utilization, Disk IO, etc.) Which service would best meet this requirement?
a) Cloudaudit
b) CloudWatch
c) CloudTrail
d) CloudMonitor
b) Cloudwatch
Which AWS service is used for collating large amounts of data streamed from multiple sources?
a) Kinesis
b) SQS
c) Cloudcapture
d) CloudFront
a) Kinesis
Which AWS service is a Content Delivery Network?
a) CloudFront
b) CloudStream
c) CloudPush
d) CloudFormation
a) CloudFront
Which of the following is a petabyte scale data transfer solution?
a) Snowball
b) SQS
c) SWF
d) Avalanche
a) Snowball
You need a service that will aggregate your data from multiple sources (S3, DynamoDB, RDS, etc.) and provide business intelligence based on this data. Which AWS service should you use?
a) Spice
b) CloudViewer
c) Quick Sight
d) CloudOracle
c) Quick Sight
- Quick Sight is a fast cloud powered business analytic service that makes it easy to build visualizations, perform analysis, and quickly get business insight from your data.
Your system administrators need to receive notification of specified events affecting your AWS environment such as alarms. Which service should you enable?
a) Mobile Hub
b) Device Farm
c) SNS
d) Cognito
c) SNS
What AWS Service would you use primarily for data warehousing?
a) Redshift
b) DynamoDB
c) DMS
d) RDS
Redshift
Which AWS service would you use to migrate a database from Oracle to MySQL?
a) Redshift
b) DMS
c) RDS
d) Elasticache
c) DMS - AWS Database Migration Service
Which AWS service allows you to run code without having to worry about provisioning any underlying resources (such as VMs, databases, etc.)
a) Lambda
b) EC2 Container Service
c) DynamoDB
d) EC2
a) Lambda
You need to implement an automated service that will scan your AWS environment with the goal of both improving security and reducing costs
a) Service Catalog
b) Config Rules
c) CloudTrail
d) Trusted Advisor
d) Trusted Advisor
An AWS VPC is a component of which group of AWS services?
a) Networking Services
b) Global Infrastructure
c) Compute Services
d) Database Services
a) Networking Services
You need a configuration management service that will allow your system administrators to use Chef to configure and operate your web applications. Which AWS service would best suit your needs?
a) CloudTrail
b) OpsWorks
c) CloudWatch
d) Trusted Advisor
b) OpsWorks
Your company is interested in implementing a VDI solution to replace their local desktop environment. Which AWS service should you consider?
a) ioT
b) WorkMail
c) WorkDocs
d) WorkSpaces
WorkSpaces
What is the fundamental difference between Elastic BeanStalk and CloudFormation?
Elastic Beanstalk automatically handles the deployment of your code – from capacity provisioning, load balancing, auto-scaling to application health monitoring – based on the code you upload to it, whereas CloudFormation is an automated provisioning engine designed to deploy entire cloud environments via a JSON script.
What does an AWS Region consist of?
A distinct location within a geographic area designed to provide high availability to a specific geography.
Which AWS service is specifically designed to automatically provision the resources required to host the code a developer uploads during the Development process?
a) CloudFormer
b) Elastic Beanstalk
c) CloudFormation
d) CloudTrail
b) Elastic Beanstalk
Which AWS service is specifically designed to assist you in processing large data sets?
a) Elasticache
b) Big data Processing
c) EMR
d) EC2
c) EMR - a service that makes it easy to process large amounts of data efficiently
Which AWS service is effectively a NAS in the cloud, allowing you to connect it to multiple EC2 instances at once?
a) SQS
b) SNS
c) EBS
d) EFS
d) EFS
You need to add new users to your AWS account and set password rotation policies for these new users. Which AWS service should you use to do so?
a) IAM
b) Inspector
c) Directory Service
d) Key Management Service
a) IAM
Which of the following services connects an on-premise software appliance (or virtual machine) with cloud based storage?
a) S3
b) Snowball
c) Storage Gateway
d) Glacier
c) Storage Gateway
Your digital media agency needs to convert its media files to formats that can be viewed on a variety of devices. Which AWS service should you use to meet this need?
a) SQS
b) SWF
c) Appstream
d) Elastic Transcoder
d) Elastic Transcoder
Amazon’s highly scalable DNS service is known as
a) Directory Service
b) Route 53
c) CloudTrail
d) Elastic Map Reduce
b) Route53
Describe Availability Zones
Distinct locations from within an AWS region that are engineered to be isolated from failures.
You need to supply auditors with logs showing which Users provisioned given resources on your AWS infrastructure. Which service would best satisfy this need?
a) CloudFormation
b) OpsWorks
c) CloudTrail
d) CloudWatch
c) CloudTrail - a service that enables governance, compliance, operational auditing, and risk auditing of you AWS account.
(T/F) Using SAML (Security Assertion Markup Language 2.0), you can give your federated users single sign-on (SSO) access to the AWS Management Console.
True
Power User Access allows ________.
Access to all AWS services except the management of groups and users within IAM
You have created a new AWS account for your company and are about to create your new users. What is a good strategy to consider in order to ensure that there is good security on these accounts?
Enact a strong password policy: user passwords must be changed every 45 days, with each password containing a combination of capital letters, lower case letters, numbers, and special symbols.
T/F You only need to set up Users AND Policy documents only once, as these are applied globally?
True
What is the default level of access a newly created IAM User is granted?
No access to any AWS services
T/F IAM allows you to setup biometric authentication, so that no passwords are required?
False
What is a Policy?
A document that provides a formal statement of one or more permissions
What language are policy documents written in?
JSON
What are 3 ways to allow users to have secure access to private files located in S3?
- Cloudfront Origin Access Identity
- CloudFront Signed URLs
- CloudFront Signed Cookies
How many S3 buckets can I have per account by default?
a) 10
b) 20
c) 50
d) 100
d) 100
S3 has eventual consistency for which HTTP Methods?
overwrite PUTS and DELETES
What is AWS Storage Gateway?
It is a virtual appliance that can be used to cache S3 locally at the customers site.
You run a popular photo sharing website that depends on S3 to store content. Paid advertising is your primary source of revenue. However, you have discovered that other websites are linking directly to the images in your buckets, not to the HTML pages that serve the content. This means that people are not seeing the paid advertising, and you are paying AWS unnecessarily to serve content directly from S3. How might you resolve this issue?
Remove the ability for images to be served publicly to the site and then use signed URLs with expiry dates.
You work for manufacturing company who operate a hybrid infrastructure with systems located both in a local Datacentre and in AWS, connected via Direct Connect. Currently, all on premise servers are backed up to a local NAS, but your CTO wants you decide on the best way to store copies of these backups in AWS. He has asked you to propose a solution which; maintains maximum durability, on-demand access to the files, but minimizes cost. Choose the best option from the following which meets the brief.
a) S3 One Zone IA
b) S3 Standard
c) S3 Reduced Redundancy
d) Copy thee files to an EC2 instance with a large EBS volume attached
a) S3 One Zone IA
What is the minimum file size I can store on S3?
0 bytes
(T/F) I can move a reserved instance from one region to another?
False
What is the underlying HyperVisor for EC2 (choose 2)
a) Hyper-V
b) Xen
c) Nitro
d) OVM
e) ESX
b) and c)
Xen and Nitro
(T/F) I can change the permission on a role, even if that role is already assigned to an existing EC2 instance, and these changes will take effect immediately.
True
The use of a placement group is ideal _____
a) Your fleet of EC2 instances requires high network throughput and low latency within a single availability zone.
b) When you need to distribute content on a CDN network.
c) When you need to deploy EC2 instances that require high disk IO.
d) Your fleet of EC2 Instances requires low latency and high network throughput across multiple availability zones.
a) Your fleet of EC2 instances requires high network throughput and low latency within a single availability zone.
(T/F) You can add multiple volumes to an EC2 instance and then create your own RAID 5/RAID 10/RAID 0 configurations using those volumes.
True
What is RAID?
RAID, short for redundant array of independent disks, is a disk subsystem that stores your data across multiple disks to either increase the performance or provide fault tolerance to your system (some levels provide both).
(T/F) You can delete a snapshot of an EBS Volume that is used as the root device of a registered AMI?
False. The emphasis is if the snapshot is of a volume that is still registered.
If you need to know both the private IP address and public IP address of your EC2 instance you should ____
a) Run IPCONFIG (Windows) or IFCONFIG (Linux)
b) Retrieve the instance metadata from http://169.254.169.254/latest/meta-data
c) Use the following command: AWS EC2 DisplayIP
d) b) Retrieve the instance Userdata from http://169.254.169.254/latest/meta-data
b) Retrieve the instance metadata from http://169.254.169.254/latest/meta-data
Will an Amazon EBS root volume persist independently from the life of the terminated EC2 instance to which it was previously attached? In other words, if I terminated an EC2 instance, would that EBS root volume persist?
a) Only if I specify that it should do so
b) yes
c) no
d) It depends on the region in which the EC2 instance is provisioned
a) Only if I specify that it should do so
You want to ensure that traffic from Asia is directed to the India Region. What two routing policies would allow you to accomplish that?
Route 53: Geoproximity and Geolocation routing policies
(T/F) Route 53 supports naked domain names (zone apex records)
True. This is done using Alias or “A” records as opposed to CNAMES which are not able to support naked domain names.
Which Route53 policy allows you to route data to a second resource if the first is unhealthy?
Failover Routing
Which Route53 policy allows you to route data to resources that have better performance?
Latency-based Routing
(T/F) I can “force” a failover for any RDS instance that has Multi-AZ configured?
True
(T/F) You can SSH into an RDS instance to see what is going on with the operating system?
False
(T/F) With new RDS DB instances, automated backups are enables by default?
True
How many copies of my data does RDS Aurora store by default?
6
MySQL installations default to what port number?
3306
With RDS Multi AZ deployment can the secondary database be used as an independent read node?
No, Multi AZ deployment only uses the secondary database in failover events
What is Amazon Athena?
An interactive query service that makes it easy to analyze data in S3 using SQL commands.
(T/F) you can only have one internet gateway per VPC
True
(T/F) An application Load Balancer must be deployed into at least 2 subnets
True
What is a Bastion Host?
A Bastion host allows you to securely administer via SSH or RDP an EC2 instance located in a private subnet.
What is the chief advantage of using VPC endpoints to connect your VPC to services such as S3?
Traffic between your VPC and the other service does not leave the Amazon network.
Security groups act like a firewall at the instance level, whereas _________ are an additional layer of security that act at the subnet level?
Network Access Control Lists
(T/F) Security Groups are Stateful
True, they automatically allow outbound traffic to an IP if the inbound traffic was allowed
(T/F) Network Access Control Lists are Stateful
False. All outbound traffic must be explicitly allowed.
By default how many VPCs am I allowed in each AWS region?
5
(T/F) Security Groups Operate at the Instance Level
True
(T/F) When I create a new security group, all outbound traffic is allowed by default
True
(T/F) A Subnet can span multiple availability zones
False
(T/F) You can peer VPCs in different AWS accounts
True
In SWF, what does a “domain” refer to?
A collection of related workflows
What is Amazon SES?
AWS Simple Email Service
With which AWS orchestration service can you implement Chef recipes?
a) Opsworks
b) CloudFormation
c) Lambda
d) Elastic Beanstalk
a) Opsworks
For which of the following metrics would you need to design a custom cloudwatch metric?
a) Disk reads
b) CPU usage
c) Network in
d) Memory Usage
d) Memory Usage
The default metrics include things like:
- CPU utilization
- Disk Read/Write
- Network In/Out
(T/F) Once enabled, Versioning cannot be disabled
True
S3 Cross Region Replication requires what?
Versioning on
What is S3 Lifecycle Mangement
A system of transferring data over time from standard S3 to infrequently accessed (after 30 days) to Glacier (30 days after IA, if relevant)
What are the two types of distribution for Content Delivery Networks
- Web distribution : typically used for websites
- RTMP - Used for media streaming
(T/F) You can write to CloudFront Edge locations
True
(T/F) By default all newly created S3 Buckets are Public
False
What are the three types of snowball?
- Standard
- Snowball Edge: storage plus compute capabilities
- Snowmobile: 100 Petabytes worth of storage
What are the different pricing models for EC2
- On demand : pay by the hour
- Spot : big a certain price and only turns on when the price is below that threshold
- Reserved: reserve capacity for 12-36 months
- Dedicated hosts: Typically used for licensing or regulations that don’t allow for multi tenanted hardware.
What are the 11 EC2 instance Types?
F - Field Programmable Gate Array I - IOPS G - Graphics H - High Disk Throughput T - cheap general purpose D - Density R - RAM M - main choice for general purpose apps C - Compute P - Graphics (Pictures) X - Extreme Memory
What are the 5 disc types for EBS?
Bootable:
- General Purpose - SSD
- Provisioned IOPS - SSD
- Magnetic - cheap, infrequently accessed
Not Bootable:
- Throughput Optimized - HDD
- Cold - HDD (less frequently accessed)
(T/F) You can share encrypted snapshots
False
Whats the main difference between Instance Store Volumes and EBS
Instance Store Volumes can’t be stopped
(T/F) You have to pay up front for storage on EFS?
False, you only pay for what you use.
What are the two types of placement groups:
- Cluster Placement groups (also called placement groups) only in one availability zone
- Spread Placement Groups: You have critical EC2 instances that you don’t want on the same hardware.
What are Placement Groups?
A series of EC2 instances that make up an application. It’s used to either decrease latency between instances or to spread out instances across different pieces of hardware.
What are the 7 different types of Routing available on AWS?
- Simple Routing
- Weighted Routing
- Latency-based routing
- Failover routing
- Geolocation Routing
- Geoproximity Routing
- Multivalue Answer Routing
What is Elasticache?
In Memory Caching of frequently accessed data in the web. Improves performance of web applications by allowing you to retrieve information from fast caches. Supports two open source engines:
- Memcached
- Redis
What should you do if a data block in your aurora db has an error?
Nothing, aurora is self healing and continually scans data block and disks for errors which it repairs automatically.
How does scaling differ between dynamo db and RDS
Dynamo has push button scaling meaning that you can scale with no downtime
RDS typically involves downtime by using a bigger instance or adding read replicas
What are the two types of configurations for Redshift?
- Single Node (160Gb)
- Multi Node: Made up of leader node which manages client connections and queries and compute nodes which store data and perform the computations.
When created a NAT instance make sure to ____ ?
Disable Source/Destination Check
By default the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance.
(T/F) NAT instance must be in a private subnet
False. A NAT instance must be in the public subnet so that it can route traffic FROM the private subnet to the internet.
What route do you need to get NAT instances to work?
A route out of the private subnet to the NAT instance
If traffic is slow with your NAT instance what should you do to increase throughput?
Increase the instance size
What are NAT Gateways?
The preferred enterprise solution to giving private instances access to the internet. Unlike NAT instance they are automatically scalable, you don’t have to patch, they aren’t associated with a security group and they are automatically assigned a public ip address.
(T/F) A subnet can be associated with only one network ACL?
True
(T/F) NACLs list of rules are evaluated in a random order
False, they evaluate sequentially.
As soon as a rule matches traffic, it’s applied regardless of any higher-numbered rule that may contradict it.
If you want to block IP addresses you need to use
a) NACLS
b) Security Groups
a) NACLs
What are VPC Flow Logs?
Logs that enable monitoring of all traffic across our elastic network interfaces
What traffic do VPC Flow Logs not monitor?
- Traffic from instances contacted Amazon’s DNS server
- Traffic generated by a windows instance
- Traffic from the metadata IP
- DHCP traffic
- Traffic to the reserved IP address for the default VPC router
If you want to communicate with a service such as S3 from a private subnet without going over the internet what should you do?
Create an S3 endpoint/gateway in your private subnet that can communicate with S3 without using the public internet.
What are the 3 actors in SWF
- Workflow Starters: An application that initiates the workflow
- Deciders: Control the flow of activity tasks in a workflow execution. Deciders choose what to do next
- Activity Workers: Carry out the tasks (can be humans or programs)
What are all the different types of subscribers to SNS topics?
- HTTP
- HTTPS
- Email-JSON
- SQS
- Application
- Lambda
What are the 3 kinesis services?
- Kinesis Streams: Producers stream data to shards which pipe data to consumers (fleet of ec2 instances)
- Kinesis Firehose: Doesn’t store data and sends straight to s3.
- Kinesis Analytics: sits on top of kinesis and allows you to do sql queries of data and process the data before it is sent to other applications.
What is AWS Direct Connect?
An easy way to establish a dedicated network connection from your premises to AWS that doesn’t go over the internet. This can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience.
What is AWS Budgets?
AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount.
What is the default time period that AWS CloudWatch recieves and aggregates from EC2 by default? And With Detailed Monitoring enabled?
5 minutes and 1 minute
(T/F) EBS volumes are not resizable?
False, you can change the size of the volume even when it is attached to an instance.
What is AWS Elastic Map Reduce?
Amazon EMR provides a managed Hadoop framework that makes it easy, fast, and cost-effective to process vast amounts of data across dynamically scalable Amazon EC2 instances. Users also have full admin access to the underlying hardware.
How many IP addresses are available if you set up a subnet with the following CIDR block:
172.0.0.0/27
- Subtract 32 with the mask number :
(32 - 27) = 5
- Raise the number 2 to the power of the answer in Step #1 :
2^ 5 = (2 * 2 * 2 * 2 * 2)
= 32
The answer to Step #2 is the total number of IP addresses available in the given CIDR netmask. Don’t forget that in AWS, the first 4 IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance.
The allowed block size for a subnet is between ____ and ____
/28 netmask and /16 netmask
What services can Kinesis Firehose stream to?
S3, Redshift, Elasticsearch service, and splunk
Which AWS service can you use to reduce DynamoDB response times from milliseconds to microseconds?
Amazon DynamoDB Accelerator (DAX)
What is the protocol used for SSH connections?
TCP
What is Redshift WLM?
In Amazon Redshift, you use workload management (WLM) to define the number of query queues that are available, and how queries are routed to those queues for processing
What are the two things required to enable “Sticky Sessions”, meaning a requests during a specific users session will route to the same instance?
- A HTTP/HTTPS load balancer
2. At least one healthy instance in each availability zone
What is AWS Cognito?
Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0.
What is an elastic IP address (EIP)?
A static IPv4 address designed fro dynamic cloud computing. The IP address is associated with your account and you can use it to mask a failure of an instance by rapidly remapping the address to another instance in your account.
(T/F) If you are associating an elastic IP address with an instance and want to connect with the internet, it must also be in a public subnet.
True
(T/F) If you stop an instance it is disassociated with its elastic IP address.
False, though you are charged a small hourly fee for associated it with a stopped instance.
Which database service is most suitable for simple mobile apps?
DynamoDB, since the application does not have complicated data relationships compared to enterprise web applications.
(T/F) The default subnet of your VPC is a public subnet
True. To make the subnet private you have to remove the route to the internet gateway.
In SWF, what is the purpose of a decision task?
It tells the decider the state of the workflow execution
(T/F) When you stop and start an ec2 instance, the underlying host for the instance is possibly changed
True
If you need to be able to retrieve data from Glacier quickly, what can you do?
Use expedited retrieval and purchase provisioned retrieval capacity.
What is AWS Shield?
A managed DDoS protection service that safeguards applications running on AWS.
What is the largest object size that can be sent in a single PUT operation in S3?
5 Gb
(T/F) The total volume of data and number of objects you can store in S3 is unlimited.
True
What is Active-Active Failover?
This failover configuration when you want all of your resources to be available the majority of the time.
What is Active-Passive Failover?
This failover configuration when you want a primary resources/group of resources to be available the majority of the time with secondary resources available in case the primary becomes unavailable.
Which database service allows you to not worry about database management tasks such as hardware/software provisioning, setup, configuration, scaling, and backups?
DynamoDB
If you want more detailed information about S3 requests such as the requestor, what should you use?
S3 server access logging
(T/F) EC2 Classic instances retain their private IP addresses when they are stopped?
False, they are returned to EC2 when the instances are stopped or terminated
What are the 5 things that AWS Trusted Advisor provides recommendations on?
Cost Optimization Performance Fault Tolerance Security Service Limits
(T/F) You can’t modify a launch configuration after you’ve created it?
True
What are AWS Step Functions?
A service that provides serverless orchestration for applications. It centrally manages a workflow by breaking it into multiple steps, adding flow logic, and tracking the inputs and outputs between steps.
(T/F) You can tag every resource in AWS?
False, you cant tag egress only internet gateways, VPC flow logs, VPC endpoints, and many others.
What are ARNs?
Amazon Resource Names. They uniquely identify AWS resources. They are required when you have to specify a resource unambiguously across all of AWS such as in IAM policies, RDS tags, and API calls.
Where does CloudTrail store all of the logs it creates?
S3
(T/F) Redshift and S3 can withstand AWS region outage
False
Which of the following services acts as a firewall that controls the traffic allowed to reach one or more EC2 instances?
a) Security Group
b) NACL
c) IAM
d) Private IP Addresses
Security Group
Can a standard queue in SQS ever guarantee one time processing?
Nope, consider using SWF instead.
What AWS feature allows you to run shell scripts or cloud-init directories at launch of EC2 Instances?
User Data
What is AWS X-Ray
A service used to trace and analyze user requests as they travel through your Amazon API Gateway APIs to the underlying services. They give you an end to end view of your entire request.
What happens to a spot instance by default if it gets interrupted by EC2 for capacity requirements?
It gets terminated. It can be set to stop or hibernate but not by default.
What is S3 Select?
A service that uses SQL statements to filter the contents of S3 objects and retrieve subsets of the data you need.
What is an AWS Service that you can use to provide a distributed session management service?
Elasticache. You can manage HTTP session data from the web servers using an in memory key/value store
What is AWS Glue?
A fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics.
What is the standard retrieval time for AWS Glacier?
3-5 hours
If a spot instance is terminated from AWS due to a price increase what will you be charged?
If its within the first hour you wont be charged anything and after the first hour you pay a prorated fee based on the time (ie 90 minutes at $0.04 an hour would cost $0.06)
What are the 3 criteria that an Auto Scaling uses to determine which instance to delete?
- The availability zone with the most instances
- The instance with the oldest launch configuration
- The instance that is closest to the next billing hour
If you are using a single Aurora Db instance and there is a failover what will Aurora do to react to the failure?
Aurora will attempt to create a new DB instance in the same availability zone and if it is unable to do so it will attempt to create one in a different availability zone.
If you are using an Aurora DB instance with a Replica as well and there is a failure, what will Aurora do to react to the failure?
It will flip the CNAME record to point to the healthy replica, which is promoted to become the new primary.
(T/F) By default, CloudTrail event log files are encrypted by S3 SSE
True
(T/F) IP addresses for Elastic Load Balancers are static?
False, they can change at any time due to scaling or software updates so it is recommended that you use the DNS name and not the IP address.
(T/F) Amazon KMS allows you to use BOTH Amazon managed keys and keys that you personally create and manage?
True
If you want to analyze traffic patterns on an application load balancer what should you do?
Enable access logs on the application load balancer.
What type of protocol will APIs through API Gateway expose?
HTTPS
If you no longer need a reserved instance but still have it under contract for a time, what can you do.
Sell it on the AWS Reserved Instance Marketplace
How long can Kinesis store data.
The minimum is 24 hours and the maximum is 1 week.
What is Redshift Spectrum?
A service of Redshift that allows you to directly query open data formats stored in S3. This eliminates the need for unnecessary data movement.
What is AWS Config?
A service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
What is EC2Config?
A service for older Windows instances that performs tasks during startup and each time you stop or start an instance. It can also perform tasks on demand.
What are DB Parameter Groups?
A tool used for managing DB engine configuration for one or more DB instances.
What is AWS CloudHSM
A cloud-based hardware security module that enables you to easily generate and own your own encryption keys on the cloud.
What is AWS Systems Manager?
A service that gives you visibility and control of your infrastructure. It provides a unified user interface so you can view operational data from multiple services and allows you to automate operational tasks across your resources.
What is AWS Systems Manager Run Command?
A service of Systems Manager that lets you remotely and securely manage the configuration of your managed instances. This enables you to automate common administrative tasks and perform ad hoc configuration changes at scale.
What is AWS Neptune?
A fully managed graph database service that makes it easy to build and run applications that run with highly connected datasets. An example use case for this service would be for social networking sites where users and actions are highly linked.
(T/F) You can use auto scaling with Amazon RDS
False
What happens if you reboot an instance store backed ec2 instance?
The instance will start normally with its data intact. A reboot only restarts the OS.
(T/F) When you create a new instance with an EBS snapshot it will read slowly at first
True. Brand new EBS volumes perform well as soon as they are created. However, if they are created from snapshots, reads will be slow the first time a block is read.
What is an IAM Role?
A role is something that a user, application or service can “assume” to receive temporary security credentials that provide access to a resource.
How can you improve the performance of EFS?
Provision more throughput than is required. You can now provision throughput independently from the amount of data stored.
(T/F) Internet Gateways automatically scale and have no bandwidth limit
True
What can you use to connect your AWS resources from all regions with your direct connect connection?
Public Virtual Interface. It allows you to connect to all of your public AWS endpoints.
What is AWS OpsWorks?
OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. These are automation platforms that allow you to use code to automate how servers are configured, deployed, and managed across your instances or on premise environments.
What is the difference between Network Load Balancers, Application Load Balancers, and Classic Load Balancers?
- Network Load Balancers make routing decisions at the transport layer (TCP/SSL) and can handle millions of requests per second.
- Application Load Balancers make routing decisions at the application layer (HTTP/HTTPS), support path-based routing, and can route requests to one or more ports on each container instance.
- Classic Load Balancers support both HTTP/HTTPS and TCP/SSL. They require a fixed relationship between the load balancer port and the instance port meaning instances cannot have different port routes than each other.
What type of flexibility do regional reserved instances provide?
They can be in different availability zones and can be resized
What allows you to give users from other AWS accounts access to resources that your accounts own?
Trust policies
What is Enhanced Networking?
It allows supported instance types to provide high-performance networking capabilities. It provides higher I/O performance and lower CPU utilization when compared to traditional virtualized network interfaces.
What are Target Groups?
The Load Balancers targets which will be available to handle requests. Target groups can contain instances with any kind of characteristics.
What does TTL mean in the context of CloudFront?
TTL is the time to live in the cache for CloudFront, meaning that a resources will remain cached for the duration of the TTL before hitting the server again for the resource. High TTL times can cause lags to files that are updated frequently
How does a Hardware VPN connection work?
A device is installed in the client on premise servers (customer gateway) that will connect to a device on the AWS side (Virtual Private Gateway) over the internet. This connection is authenticated on both side and encrypted to ensure a private connection. The connection is used to communicate privately between on premise resources and AWS resources.
(T/F) An EC2 Classic instance will retain its private IP when it is stopped and started.
False
If you want to evenly distribute the load across instances in multiple availability zones, what should you enable?
Cross-zone load balancing. Without cross zone load balancing a load balancer will distribute the load at an availability zone record. So if you had 10 ec2 instances in one AZ and 3 instances in another, the 3 instances would get as much load as the 10 instances, without cross-zone load balancing.
If you want to cheaply and immediately update a file that is cached using CloudFront, what should you do?
Enable versioning on the file so the request will ask for the new version and not receive the old version.
What is AWS CodeDeploy?
CodeDeploy is a deployment service that automates application deployments to Amazon EC2 instances, on-premises instances, or serverless Lambda functions. It allows you to rapidly release new features, update Lambda function versions, avoid downtime during application deployment, and handle the complexity of updating your applications, without many of the risks associated with error-prone manual deployments.
When creating a user using the AWS CLI, what are the default credentials?
There are no default credentials, you have to create them specifically.
(T/F) You cannot use Auto Scaling without an ELB
True
What can you do to help API Gateway handle large bursts of network traffic?
Enable throttling limits
What are Access Keys used for?
API calls to AWS services
(T/F) CloudWatch Alarms can be used to stop and start instances based on health checks
True
(T/F) All data from any gateway appliance is encrypted by default?
True. This includes storage gateways and customer gateways used for hardware VPN connections.
What are the two types of rules for Security Groups?
Inbound and Outbound
What is an ENI?
An Elastic Network Interface that represents a network card. This can be used to add private or public IP addresses to an instance, as well as security groups and mac addresses
What are the different ways you can attach an ENI
- Hot attach when the instance is running
- Warm attach when the instance is stopped
- Cold attach when the instance is being launched
How can you automate snapshots of EBS volumes?
Use AWS Data Lifecycle Manager
(T/F) EBS volumes are backed up in multiple availability zones
False
What is a MX record set used for
Primarily for mail servers
What is an AAAA record set used for
It is similar to an A record in that it makes an IP address to a DNS name, but AAAA is used for ipv6
What is an A record set used for
Mapping an ipv4 address to a DNS name.
If you want to safely import and store SSL/TLS certificates on AWS what two services can you use?
AWS Certificate Manager or IAM certificate store
How can you connect 2 ec2 instances in different VPCs together?
Configure an inter region VPC peer between the VPCs and communicate using the private IP addresses
What is iSCSI storage?
Internet Small Computer Systems Interface. It is an IP based storage networking standard for linking data storage facilities. Storage Gateway uses iSCSI to connect to on premise datacenters.
(T/F) NAT Gateways are located at the subnet level
True, which makes them not resistant to AZ outages
How can you use IAM to restrict access based on IP.
Add a condition to the policies specifying the IP address registered for each user.
What ports do SSH use?
Port 22 for the request and a dynamic port for the response in the high ephemeral port range (1024-65535)
How do you access objects that have been moved from S3 to Glacier?
The S3 console
What all can CloudWatch events target?
- ec2 instances
- lambda functions
- kinesis streams
- ecs tasks
- systems manager
- sns topics
- sqs queues
- built in api calls like rebooting instances
(T/F) Internet Gateways are attached at the subnet level?
False, they are attached at the VPC level and therefore are resilient to AZ outages
When should you use Simple AD vs AD connector?
Simple AD is used when you require an inexpensive AD service running in AWS.
AD connector is used when you want to connect an existing AD database to AWS
What is Amazon MQ
A managed ActiveMQ that involves topics and consumers. Similar to Apache Kafka consumers read messages off the topic. This is not a serverless architecture however like SQS and doesn’t guarantee deliver of messages.
What is AWS AppSync
A serverless back end for mobile, web, and enterprise applications. AppSync manages data management takes like data access, data synchronization, and data manipulation across multiple sources. It uses GraphQL.
How can you encrypt communication between an ec2 instance and an rds instance?
Use SSL
