Ops excellent Architecture Flashcards

1
Q

How many times will a message be delivered when using a standard SQS queue?

A) Once and only once
B) At least once
C) Once for each request of the relevant message in the queue
D) The answer is application dependent.

A

B. AWS does guarantee that all SQS messages will be delivered at least once, but the message may be delivered more than once (making option A incorrect). This is not related to the number of requests to the queue or the applications using the queue; therefore, both C and D are incorrect. This leaves B, the correct answer.

2
Q

Which of the following services allow you to access the underlying operating system? (Choose two.)

A) RDS
B) EC2
C) EMR
D) DynamoDB

A

B, C. This is a common question AWS often asks to ensure that you understand that managed services like RDS and DynamoDB are indeed completely managed: You cannot access the underlying operating system of the service. This leaves EC2 and EMR as the remaining, and correct, answers. While EMR does provide you with a lot of functionality “out of the box,” it still allows root level access, as do EC2 instances.

3
Q

You are using an SQS queue in your web application. You are able to confirm that messages in the queue are being picked up by application instances for processing, but then nothing happens for over 12 hours. Then, after that period of time, the message appears in the queue again and processing restarts. What could be occurring?

A) The SQS queue has a visibility timeout that is set too high. The timeout should be reduced so that application instances can process the message more quickly.
B) SQS messages expire every 12 hours and must be reentered into the queue. The time that the message is invisible triggers the queue to ask for and receive the message from the original sender.
C) Processing is failing, or not completing, in the application instance. The message disappears because the SQS queue keeps it “invisible” for 12 hours while it is being processed. The message is then returned to the queue for processing if not handled prior to that timeout.
D) Your SQS queue needs to be restarted; it is likely not correctly queuing messages. The polling interval is also set too high, causing the long lack of visibility of the message.

A

C. SQS queues have a visibility timeout that controls how long a message in the queue is marked as “invisible” while being processed. This accounts for the message “disappearing.” Then, if application processing fails—as in option C—the message is re-marked as visible and is available for processing again. Option A correctly notes this timeout, but reducing the timeout would not cause the message to be processed correctly. It would just reduce the time that the message is “invisible.” Option B is not how queues work; they cannot ask a sender to resend a message. Option D is incorrect as well, as the queue is operating as intended with regard to visibility of messages and timeouts.

4
Q

Which of the following is a valid method of performing actions on an EBS snapshot?

A) Use the AWS console with a username and password.
B) Use the AWS CLI with an application key.
C) Use the AWS REST APIs with an application key.
D) All of the above
E) None of the above

A

D. Snapshots are accessible through the console via username/password and through AWS CLI and APIs via application key.

5
Q

Which of the following is most like a mailing list?

A) SQS
B) SNS
C) SWF
D) S3

A

B. SNS is the Simple Notification Service and functions like a mailer, sending out notifications that can be subscribed to by other applications.

6
Q

In which of the following managed services are messages not pushed?

A) SQS
B) SNS
C) SWF
D) Redshift

A

A. SNS sends out notifications to subscribed listeners, and SWF pushes out messages as they arrive. Only SQS holds messages until the queue is polled. Redshift is not a messaging service at all but rather a data warehousing solution.

7
Q

In which of the following managed services can messages be pulled by an application?

A) SWF
B) SQS
C) SNS
D) S3

A

B. SNS and SWF operate on a push approach. SQS holds messages until they are pulled out of the queue. S3 is not a message store.

8
Q

Which of the following managed services guarantees single assignment of a message?

A) S3
B) SQS
C) SNS
D) SWF

A

D. Both SWF and SQS deliver a message at least once, but only SWF guarantees that a message will only be delivered a single time.

9
Q

Which of the following managed services calls the messages it receives tasks?

A) S3
B) SWF
C) SNS
D) SQS

A

B. Messages in SWF are tasks; messages in SQS are messages; messages in SNS are notifications. S3 is a storage solution, not a messaging solution.

10
Q

Which of the following managed services calls the messages it receives notifications?

A) S3
B) SWF
C) SNS
D) SQS

A

C. Messages in SWF are tasks; messages in SQS are messages; messages in SNS are notifications. S3 is not a messaging solution at all.

11
Q

Which of the following managed services calls the messages it receives “messages”?

A) S3
B) SWF
C) SNS
D) None of these

A

D. Messages in SWF are tasks; messages in SQS are messages; messages in SNS are notifications. S3 is not a message store. Since SQS is not an option, the answer is D, none of these.

12
Q

Which of the following managed services coordinates activities between different applications?

A) S3
B) SNS
C) SWF
D) SQS

A

C. SWF is more than a simple queue. It automates workflow, moving a task (what SWF calls its messages) from one application component to the next in a predetermined order.

13
Q

What does SWF stand for?

A) Simple Workflow Foundation
B) Simple Workflow Service
C) Sequential Workflow Service
D) Synchronous Workflow Foundation

A

B. SWF is not exactly a true acronym. It stands for Simple Workflow Service but is not represented by SWS. Instead, the WF refers to workflow.

14
Q

What services are suitable for running compute-intensive custom scripts? (Choose two.)

A) EC2
B) S3
C) Redshift
D) ECS

A

A, D. Both EC2 and ECS provide environments on which your custom code can run, and both are compute services. S3 is a storage service, and Redshift is a data warehousing solution. While Redshift can be helpful in analysis of data, it is not suitable for running custom scripts.

15
Q

Which AWS service is ideal for hosting a website while requiring the least amount of AWS staff and knowledge?

A) S3 website hosting
B) Amazon Lightsail
C) EC2
D) ECS

A

B. Of the choices available, Amazon Lightsail is the easiest solution for getting simple applications running quickly. EC2 and ECS are both much more complex. While S3 website hosting is a web hosting solution, it does require quite a bit of AWS knowledge (security, permissions, etc.).

16
Q

You have a registered AMI using an EBS volume as a root device, created from a volume snapshot. However, you have detected malicious code running in the EBS volume and want to remove the AMI and delete the EBS volume and its snapshot. What steps are required? (Choose two.)

A) Immediately delete the EBS volume snapshot.
B) Immediately deregister the AMI.
C) After the EBS volume has been deleted, deregister the AMI.
D) After the AMI has been deregistered, remove the AMI, and delete the EBS volume and its snapshot.

A

B, D. An EBS snapshot cannot be deleted if it is the root device of a registered AMI while that AMI is in use. You’ll need to deregister the AMI first (B), and then you can delete the EBS volume and any snapshots and stop using the AMI.

17
Q

Which of the following AWS CLI commands is used to operate upon EBS volumes?

A) aws ec2 [command]
B) aws ebs [command]
C) aws instance [command]
D) You cannot operate upon EBS volumes directly from the AWS CLI.

A

A. EBS is considered a subset of EC2 functionality. Therefore, you use the aws ec2 commands; for example, aws ec2 delete-snapshot.

18
Q

You have a website running at applestoapples.net. However, many of your users have mistakenly entered in applestoapples.com as the URL in their browser. To correct this, you’ve recently purchased the additional domain applestoapples.com and now want to point all requests to this domain to applestoapples.net. Which DNS record set would you use?

A) MX
B) AAAA
C) CNAME
D) A

A

C. A records are used to point a specific domain or subdomain to an IP address. CNAMEs point to a different URL, which in turn can be resolved further by DNS. In this case, you’d want to create a CNAME record for applestoapples.com and point that record to applestoapples.net and then let DNS resolve that domain. Using an A record means you’d have to lock the record to a specific IP rather than the domain name for applestoapples.net. That’s a problem, though, as over time, the domain may be served by different resources with different IP addresses, making the A record dated and incorrect.

19
Q

Your website has mostly static content, but you are adding a new section driven by an EC2 instance fleet behind an Elastic Load Balancer. You want to create a subdomain and direct all traffic to that subdomain toward the ELB. Which DNS record set would you use?

A) CNAME
B) AAAA
C) SOA
D) MX

A

A. A records are used to point a specific domain or subdomain to an IP address. CNAMEs point to URLs or other domain names. In this case, since you’re pointing at an ELB, you’d need to use a CNAME, as ELBs don’t expose a public IP address.

20
Q

Your domain is hosted and managed by Route 53. You want to create a new subdomain and point it to a fleet of EC2 instances behind an application load balancer. What is the best approach to this?

A) Create an A record and configure it as an alias to the ALB.
B) Create a CNAME record pointed at the URL of the ALB.
C) Create an A record pointed at the IP address of the ALB.
D) Set the ALB to send a redirect header to clients with the IP addresses of the currently active EC2 instances.

A

A. This is a little trickier in terms of picking the best answer. It is possible to set a CNAME up and point that at the ALB’s URL (B). However, AWS prefers that you use an A record and configure it as an alias record, allowing you to direct traffic to the ALB. This is different than a standard A record, which can only point at an IP address. Option C is incorrect because ALBs don’t expose an IP address, and D doesn’t even make sense in this context.

21
Q

Does Route 53 support zone apex records?

A) Yes, for all domains
B) Yes, but only for domains hosted on AWS
C) Yes, but only for services hosted on AWS
D) No

A

A. AWS supports zone apex records for all domains. A zone apex record is a DNS record at the root, or apex, of a DNS zone. So amazon.com is an apex record (sometimes called a naked domain record). Route 53 absolutely will support zone apex records and allows alias records (of A type) at this level as well.

22
Q

Which of the following statements are false? (Choose two.)

A) Route 53 does not allow aliases for naked domain names.
B) Route 53 supports zone apex records.
C) Route 53 allows aliases for domains hosted on AWS.
D) Route 53 only supports zone apex records for AWS-hosted services.

A

A, D. First, A is false. A zone apex record is a DNS record at the root, or apex, of a DNS zone. So amazon.com is an apex record (sometimes called a naked domain record). Route 53 absolutely will support zone apex records and allows alias records (of A type) at this level as well. D is also false; Route 53 supports zone apex records for AWS and non-AWS domains and services.

23
Q

Which of the following statements are true? (Choose two.)

A) Route 53 supports Auto Scaling groups.
B) Route 53 automatically configures DNS health checks for registered domains.
C) Route 53 automatically sets up Auto Scaling groups for services to which it points.
D) Route 53 is automatically highly available.

A

A, D. Route 53 is scalable by design, so there are no steps required to make it highly available; this makes D true. Additionally, it supports all AWS services, including auto-scaling, so A is true.

24
Q

How many domain names can you manage using Route 53?

A) 50
B) 100, but you can raise that limit by contacting AWS support.
C) Unlimited
D) 50, but you can raise that limit by contacting AWS support.

A

D. By default, a single account can manage 50 domains using Route 53. However, this is a default, and AWS will raise it pretty willingly if you call and explain your need for management of additional domains.

25
Q

Which of the following is the best approach to accessing an RDS instance to troubleshoot operating system problems?

A) SSH
B) RDP
C) SFTP
D) None of these

A

D. RDS is a managed system by AWS and does not allow any access to its underlying operating system.

26
Q

Which of the following are true about VPC peering? (Choose two.)

A) A VPC peering connection is a networking connection between two VPCs within a single region.
B) A VPC peering connection is a VPN-based connection.
C) A VPC peering connection can help facilitate data transfer and file sharing.
D) Peered VPCs can exist in different regions.

A

C, D. VPC peering is a networking connection between two VPCs but is not limited to a single region (so A is false) and is neither VPN nor gateway-based (so B is false). This leaves C and D, both of which are true: VPCs can be used to share data and can peer across regions.

27
Q

You have two VPCs paired across two different regions. What is another name for this type of connection?

A) Inter-VPC peering connection
B) Inter-region VPC peering connection
C) Inter-VPC region connection
D) Multi-region peering connection

A

B. AWS calls a connection between two VPCs via peering across regions an inter-region VPC peering connection.

28
Q

Which of the following statements about peered VPCs is false?

A) Both VPCs do not need to be within the same region.
B) Both VPCs do not need to be in the same AWS account.
C) Both VPCs will automatically have routing set up when the connection is created.
D) Traffic can flow in both directions between peered VPCs by default.

A

C. When a VPC peering connection is set up, each VPC will need a route manually added to allow communication to the peered VPC.

29
Q

Which of the following statements about peered VPCs is true?

A) Both VPCs need to be within the same region.
B) Both VPCs need to be in the same AWS account.
C) Each VPC must use a unique security group.
D) The two VPCs cannot have overlapping CIDR blocks.

A

D. Most of these statements are false: VPCs in different regions (A) and in different accounts (B) can be peered, and if both VPCs are in the same account, they can share a security group (C). However, two peered VPCs cannot have overlapping CIDR blocks (D).

30
Q

What kind of relationship is a VPC peering connection?

A) One-to-one between subnets
B) One-to-one between VPCs
C) One-to-many between subnets
D) One-to-many between VPCs

A

B. A VPC can have multiple subnets, so a VPC peering relationship is a one-to-one relationship between two VPCs (B).

31
Q

VPC A is peered to both VPC B and VPC C. How can you allow traffic to flow from VPC B to VPC C?

A) You can’t; transitive peering relationships are not allowed in AWS.
B) You must enable route forwarding in VPC A.
C) You must peer VPC B to VPC C.
D) You must enable route forwarding on VPC B.

A

C. While it is true that transitive peering relationships are not allowed (A), you can still peer VPCs B and C to allow traffic to flow between the two VPCs.

32
Q

VPC C has an overlapping CIDR block with VPC D. Given that, which of the following statements are true? (Choose two.)

A) VPC C and VPC D can be peered as is.
B) VPC C and VPC D cannot be peered as is.
C) To peer VPC C and VPC D, you must remove the overlap in their CIDR block.
D) To peer VPC C and VPC D, you must switch one to use IPv6 addresses.

A

B, C. VPCs with overlapping CIDR blocks cannot be peered as is (B), and therefore the overlap must be removed (C). Changing either VPC to IPv6 might be a working solution (D) but is not a requirement.

33
Q

How many peering connections are allowed between two VPCs?

A) One
B) Two
C) One for each subnet in each VPC
D) One for each NACL associated with each VPC

A

A. Regardless of subnet, NACL, or any other networking consideration, you can only create one VPC connection between two VPCs at a time.

34
Q

How many peering connections can a single VPC be a part of?

A) One
B) Unlimited, within AWS overall account limits
C) One for each subnet in each VPC
D) One for each NACL associated with each VPC

A

B. A VPC can be a part of an unlimited number of VPC connections, as long as those connections are all with different VPCs and you stay within AWS’s overall account limits. Only one peering connection between two specific VPCs is possible; for example, only one connection can exist between VPC A and VPC B. But VPC A can have as many peering connections–each with a different VPC–as there are VPCs with which you can connect.

35
Q

How does AWS facilitate transitive peering VPC relationships?

A) Transitive VPC relationships are only allowed if a bastion host is used.
B) Transitive VPC relationships are only allowed if a hub-and-spoke network model is used.
C) It does not; transitive VPC peering is not allowed in AWS.
D) It uses IPv4 for connection from a source VPC to a hub VPC and IPv6 from the hub to the origin VPC.

A

C. Transitive VPC relationships are not allowed in AWS. Most of these answers are complete gibberish!

36
Q

How does AWS support IPv6 communication in a VPC peering relationship? (Choose two.)

A) AWS does not support IPv6 communication in VPC peering.
B) You must associate IPv6 addresses with both VPCs and then set up routing to use these addresses.
C) You must associate IPv6 addresses with both VPCs and then set up a security group to use these addresses.
D) You must make sure the two VPCs are in the same region.

A

B, D. First, AWS does not support IPv6 inter-region communication. This means that for IPv6 communication to work, the two VPCs must be in the same region (D). Then, you must ensure that both VPCs have IPv6 addresses and that routing is set up to use those addresses (B).

37
Q

Which of the following are advantages of launching instances into a VPC as opposed to EC2-Classic? (Choose two.)

A) You can assign multiple IP addresses to your instances.
B) Your instances automatically run on multi-tenant hardware.
C) You can attach multiple network interfaces to your instances.
D) Your network is flat instead of layered.

A

A, C. EC2-Classic was a flat network that offered very little in the way of multiple options. With VPCs, you can assign multiple IP addresses as well as multiple network interfaces (A and C).

38
Q

Which of the following are differences between the default VPC and a custom VPC? (Choose two.)

A) Default VPCs have an internet gateway but custom VPCs do not.
B) Custom VPCs have public subnets but default VPCs do not.
C) Custom VPCs have an internet gateway but default VPCs do not.
D) Default VPCs have public subnets but custom VPCs do not.

A

A, D. Default VPCs come with both an internet gateway and public subnets. If you think through this, these two go hand in hand: A public subnet would need an internet gateway to function as public.

39
Q

How does the default VPC make instances in its public subnets available to Internet traffic? (Choose two.)

A) Through a default routing table that provides routing to the Internet
B) Through a virtual private gateway
C) Through a default security group that provides access out to the Internet
D) Through an internet gateway

A

A, D. The default VPC has public subnets within it. Further, it provides a default routing table that provides access to and from these instances and the public Internet (A). Additionally, an internet gateway is added to the VPC by default (D).

40
Q

Which of the following is assigned to instances launched into non-default subnets?

A) A private IPv6 address
B) A public IPv4 address
C) A private IPv4 address
D) A public IPv6 address

A

C. Non-default subnets and their instances are not public by default. Therefore, they are assigned a private IPv4 address (C) rather than a public one.

41
Q

You want to provide Internet access for an instance in a non-default subnet. What do you need to do? (Choose two.)

A) Assign a private IP address to the instance.
B) Assign a public IP address to the instance.
C) Attach an internet gateway to the VPC in which the subnet resides.
D) Attach a NAT instance to the subnet.

A

B, C. Non-default subnets are private by default. Therefore, you need an internet gateway on the containing VPC (C) as well as giving the instance a public IP address (B). While a NAT instance might work (D), it would need to be in a different, public subnet rather than in the same subnet as the instance trying to reach the Internet.

42
Q

What technology can you use to provide single sign-on to the AWS management console?

A) JSON
B) CloudFormation
C) YAML
D) SAML

A

D. SAML, the Security Assertion Markup Language, allows you to provide federated single sign-on access to the AWS management console.

43
Q

You have created a new user in IAM. What default permissions does that user have?

A) Read access to all AWS services
B) Read and write access to all AWS services
C) No access to any AWS services
D) Read access only to the IAM service

A

C. Remember that AWS provides a principle of least privilege and always wants to limit access to only what a user (or service) needs. Therefore, new IAM users do not have any access to AWS services and must be granted access to any service explicitly.

44
Q

What does IAM stand for?

A) Interoperative Access Management
B) Identity and Access Management
C) Independent Access Management
D) Identity and Authorization Management

A

B. IAM stands for Identity and Access Management.

45
Q

You have created a new IAM user and created their sign-in URL. You give the user their URL. What else will they need to log in to the AWS management console? (Choose two.)

A) Their username
B) Their access key ID
C) Their password
D) Their secret access key

A

A, C. IAM users logging into the AWS console will need a username, password, and the sign-in URL. If the user needs access to AWS APIs or the SDK, then they will need their access key ID and secret access key. Keep in mind that these credential pairs are not interchangeable.

46
Q

Which of the following IAM groups will allow users within it to interact with all AWS services?

A) Administrator
B) Power User
C) The default IAM permissions provide this level of access.
D) Support User

A

A. Of these groups, only the Administrator group provides write access to all AWS services. The Power User group provides access to developer-related services, but not all services (like IAM). The Support User group is for creating and viewing support cases.

47
Q

You have created a new IAM user and given the credentials to the user. However, she still is unable to log in to the AWS management console. What might the problem be?

A) You have not enabled Multi-Factor Authentication.
B) You have not enabled the User Login policy.
C) You have not provided the user her access key ID.
D) You have not provided the user her customized sign-in link.

A

D. New users will need a customized sign-in link for accessing the console (D). They will then use this link to sign in using their username and password.

48
Q

You have been tasked with building an application that provides backend servicing for a mobile game with millions of users. Which of the following services might you use to receive and process the messages that the mobile clients send?

A) EC2, Mobile SDK
B) Amazon Kinesis, Mobile SDK
C) Amazon Kinesis, RDS
D) EC2, Lambda

A

B. There are two key parts to this question: the mobile client that must have an endpoint to which it can send data and the receiver for a huge amount of data, as the question indicates millions of users. Mobile SDK is a bit of a giveaway for the mobile component. This also helpfully narrows the answer choices down to A and B. Of the two options, Kinesis and EC2, only Kinesis is built to handle a massive data stream. While you could theoretically scale up enough EC2 instances to serve an API for that volume of requests, it really makes no sense. Kinesis is built for incoming data streams, so is the better option.

49
Q

Which of the following is required to set up a new AWS account for a company new to AWS?

A) Company name
B) Company email
C) Company account-holder username
D) Company URL

A

B. A new AWS account requires the company email (or account owner email) for the root account holder, or a generic email for the company as a whole.

50
Q

Which of the following AWS-defined IAM policies offer read and write access to the S3 and EC2 services? (Choose two.)

A) Administrator
B) Network Administrator
C) Support User
D) Power User

A

A, D. Both the Administrators and the Power Users default policies provide read and write access to most AWS services. Power Users limits access to IAM, but that would not affect access to S3 or EC2.

51
Q

What does AWS call a document that defines a set of one or more permissions?

A) Program unit
B) Organizational unit
C) Policy
D) Group

A

C. A policy is AWS’s document type for describing a set of permissions.

52
Q

What does the AWS service abbreviated as ECS stand for?

A) Elastic Compute Service
B) Elastic Container Service
C) Elastic Computer Service
D) Encapsulated Container Service

A

B. ECS is the Elastic Container Service, AWS’s service for running applications in containers and managing the starting, stopping, and scaling of those containers.

53
Q

Which of the following are advantages of using containers for applications in AWS compared to using EC2 instances? (Choose two.)

A) You can scale applications automatically.
B) You can run larger applications in a container.
C) You can reduce the startup time of applications.
D) You can avoid having to explicitly manage and provision servers.

A

C, D. Containers allow you to reduce startup times, as they are launched into already-running instances in most cases (C). This also touches on AWS’s facility to manage and provision the instances on which the containers run (D), another advantage. While you can scale applications in containers (A), you can just as easily scale applications on EC2 instances. Finally, option B is simply false.

54
Q

Which of the following sets of services are used in a typical AWS container stack?

A) ECR, ECS, EC2
B) ECS, EMR, EC2
C) Fargate, ECS, S3
D) ECR, ECS, S3

A

A. The first thing here is to know these various acronyms. ECR is the Elastic Container Registry, ECS is the Elastic Container Service, EC2 is Elastic Compute Cloud, EMR is Elastic MapReduce, and of course S3 is Simple Storage Service. Given that, only A has all the needed components: the registry (ECR), the management service (ECS), and instances on which to run containers (EC2). Note that even though you might not use EC2 explicitly for your containers, it or Fargate will be required to manage instances at some level, even if only by AWS for you.

55
Q

Which of the following services is typically associated with ECS?

A) EMR
B) S3
C) ECR
D) ECC

A

C. You’ll need to know these various acronyms. ECR is the Elastic Container Registry, ECS is the Elastic Container Service, EMR is Elastic MapReduce, and S3 is Simple Storage Service. ECC isn’t an AWS acronym, so it is immediately out. Of those left, ECR, the Elastic Container Registry, is most closely associated with ECS.

56
Q

Which of the following are good reasons to consider using containers in AWS for your applications? (Choose two.)

A) You want to reduce overall cost.
B) You want to more effectively use your existing compute instances.
C) You have limited resources for managing your existing EC2 instances.
D) You need to scale up and down your applications.

A

B, C. Containers allow you to co-locate applications on instances and more effectively use your available instances without a lot of overhead, so B is true. C is in a similar vein: Containers reduce the management overhead of instances. A is not true, as containers don’t significantly change your cost structure, and D is false, as containers and instances can both scale up and down to meet demand.

57
Q

Which of the following are differences between container-based applications and Lambda-based ones? (Choose two.)

A) Containers scale based on load and usage; Lambda scales based on events.
B) Containers live on underlying compute instances; Lambda code does not.
C) Containers are not as highly scalable as Lambda.
D) Containers can run entire application stacks; Lambda can only run isolated chunks of code.

A

A, D. Containers are applications (D) that scale based on application load (A). Lambda, in contrast, runs isolated pieces of code and not entire application tiers. Additionally, Lambda launches based on events rather than load. (Note that you could actually set up load monitors in CloudWatch and trigger Lambda based on load, although that is not automatic as it is in containers.)