Prac exam number 3 and above Flashcards

1
Q

An account has a private hosted zone and an associated VPC. DNS queries for the private hosted zone are not resolved. What needs to be fixed?
Options: overlapping namespace, resolver rules, enable DNS hostnames etc. for the PHZ, fix the NS record.

A

Correct - enable DNS hostnames and DNS resolution for private hosted zones.
* PHZ queries must go through the Amazon VPC DNS; these settings are not enabled for non-default VPCs that were not created by the wizard.
* Route 53 automatically creates the NS and SOA records.

memorise: shrine domain private hosted zone, private party in the shrine, hostname guest list.

Incorrect, answered by me - remove overlapping namespaces for the private and public hosted zones.
Incorrect - fix the NS and SOA records that could be incorrect.
Incorrect - fix conflicts between the PHZ and any resolver rules.

2
Q

A content management app runs web servers on EC2 with Aurora, everything in us-east-1. 90% of customers are in the US and Europe. Customers in Europe see poor performance and high load times. Options to fix:

A

plausible options

a. Set up another fleet of EC2 web instances in eu-west-1 and enable latency routing in Route 53.

b. Set up another fleet of EC2 instances as above and enable the geolocation routing policy in Route 53.

c. Create Aurora read replicas in eu-west-1.

a and c are correct. (memorise: Route 53 - Route 66 - latency route highway, fastest road, throw the map out the window)
b incorrect, my response.

“You cannot use geolocation routing to reduce latency” - hard to believe, use caution, learn this.

3
Q

Aurora Multi-AZ. DB reads are causing high I/O and latency for writes. What would you do?

A

Set up a read replica and modify the app to use the correct endpoint.

Aurora DB cluster = (DB instances + cluster volume spanning multiple AZs) and (cluster has a primary read/write instance and read-only replicas).
Max 15 read replicas.
Automatic failover to replicas.

distractors:
Provision another DB and link it to the primary as a read replica.
Read-through caching.
Use the Multi-AZ standby instance for reads.

4
Q

Web Application Firewall attached to CloudFront. The ALB is behind CloudFront. How to block an IP?

A

Easy one. Create an IP match condition on the WAF to block the IP.
WAF can:
block SQL injection
block cross-site scripting
filter traffic patterns

WAF can be in front of CloudFront, ALB, API Gateway.

5
Q

Multiple AWS accounts in one region, managed by one AWS Organization. All EC2 instances should be able to communicate privately. Most cost-effective solution?

A

options:
Create a Transit Gateway and link all the VPCs in all accounts together.

Create a VPC in one account and share one or more subnets with the other accounts using Resource Access Manager.

VPC peering.

Answer - Resource Access Manager (RAM). The big woolly sheep that shares its hay with others.
Transit Gateway would work but be more expensive.
VPC peering would work but would be a mess and complicated, and not scalable with too many connections.

Share resources with (between) any AWS accounts that are **within an org**. Share:
transit gateways
subnets
License Manager configurations
Route 53 resolver rules
Policies and permissions are transferred and applied when shared.
Eliminates duplicate resources in multiple accounts.

steps
Create a resource share, specify resources, specify account principals. There is no cost for RAM.

6
Q

Share a sensitive RDS DB with another AWS account (a third party). They must have their own copy. Options:

A

read replica with IAM DB auth

snapshot in S3 with IAM role

Encrypted snapshot of the DB. Encrypt with Key Management Service and give the third-party account access to the KMS key (using the KMS key policy) – correct answer.

Snapshot in S3 is incorrect because users can’t access the snapshot; it’s for DB use only.
Read replica is overkill for audit purposes, and the auditor won’t have their own copy of the DB.

7
Q

Monitoring app for desktops, sending telemetry data to AWS every 1 minute. Must process in order, independently. Scale the number of consumers to equal the number of desktops. Options:

A

Kinesis Data Stream; send data with a partition key that uses the desktop ID.

SQS FIFO queue; data is sent with a group ID attribute representing the desktop ID.

Correct but lucky - SQS FIFO. Group ID allows us to have a consumer per group ID attribute; each consumer filters on group ID, and we can scale the number of consumers.

Incorrect - Kinesis Data Streams with a desktop ID per shard. This would sort of work, but you would need too many shards when you scale, with one shard per consumer. In practice Kinesis has many more producers than shards: many to one.

8
Q

HARD. Data centre is unreliable (natural disasters). Not ready to go fully cloud, so set up a failover environment in AWS: web servers (EC2) that connect to external vendors. Data must be uniform on-prem and in AWS. Focus on the **least amount of downtime**. Options:

A

A. 1. Set up a Route 53 failover record to route traffic from the unhealthy resource to the healthy one.
2. Run app servers on EC2 behind an Application Load Balancer and auto scaling group.
3. Set up AWS Storage Gateway with stored volumes to back up to S3. (correct)

memorise - Route 66 failed, road bridge broken. The other road has a storage gateway, a big self-storage warehouse with a Chinese gateway entrance.

B. Route 53 failover record.
Direct Connect from VPC to on-prem data centre (long wait time).
App servers on EC2, auto scaling group.
Run **Lambda** to execute a **CloudFormation** template to create an Application Load Balancer. (incorrect)

CloudFormation in the other options takes time to provision and fails the criteria.

What is Storage Gateway? - Hybrid cloud service, on-prem access to unlimited cloud storage.
Low latency; caches frequently accessed data on-prem.
Stores data securely and durably in AWS.
Syncs only data changes.
Integrates with S3.

9
Q

What are the data transfer costs of read replicas within an AZ, within a region, and between regions?

A

Data replicates between the primary and the read replica; the cost depends on its location.
No charge within a region.
Charges across regions.

10
Q

Auto Scaling default termination policy. How does it apply to 4 instances: A oldest launch template, B oldest launch configuration, C newest launch configuration, D closest to the next billing hour?

A
  1. Which AZ has the most instances, and at least one instance not protected from scale-in
  2. Try to align to the allocation strategy of the On-Demand vs Spot instance that is terminating
  3. Whether any instances use the oldest launch template or configuration
  4. After all of the above, which is closest to the next billing hour.
11
Q

RDS for MySQL has performance issues even with read replicas. Needs to address this and move to global. Most cost-effective?

A

Aurora Global Database. The other options were silly. Easy one.

12
Q

EC2 user data default behaviour. Which option is true:

A

correct
User data scripts execute as root.
User data runs only during boot on first launch.

(Also shell scripts and cloud-init directives; these can be added in the launch wizard as a file or as text.)

incorrect
While the instance is running, update user data using root credentials.
Scripts do not have root privileges for execution.
User data executes every time EC2 is restarted (not by default, but this can be configured).

13
Q

Authentication for API Gateway with built-in user management. Options for best fit:

A

Cognito user pools. Built-in user management, sign-up, integration with Google+, Facebook, Twitter, Amazon, Apple; SDK; customisable UI.
Also provides SAML, MFA, security, user migration with Lambda triggers.

Incorrect - API Gateway Lambda authorizer. Not built in, dev work needed.

Identity pools: credentials and pool tokens to access AWS services. Exchange pool tokens for AWS credentials. Not an auth mechanism.

14
Q

RDS read replica encryption, true/false options

A

Master DB encrypted, read replicas are encrypted.

Other options stupid: master encrypted, RR anything;
master unencrypted, RR encrypted, or anything.

15
Q

Social media app on an EC2 fleet behind an Application Load Balancer and CloudFront. Decouple user auth from the app. Options for minimal dev effort:

A

Cognito auth with user pools for the Application Load Balancer.

Incorrect - Cognito user pools with CloudFront.
Cognito identity pools with CloudFront or ALB.

Note: a user pool is auth (sign-in, or with an identity provider).
An identity pool is a temporary token to access services.

User pools do not integrate with CloudFront unless you use Lambda@Edge.

16
Q

Mobile gaming app using RDS MySQL. Urgent issue: available storage space is low. Minimum dev effort options:

A

Storage auto scaling for MySQL RDS, or any RDS. Triggers:
< 10 percent free
lasts for 5 min
6 hours since last modification.

Other options silly.

17
Q

EBS volume connected to EC2. Memorise one option for when the EC2 instance terminates.

A

EBS default config is to delete the volume on termination (true) of the EC2 instance.

To change this:
DeleteOnTermination = false

18
Q

EBS volume termination setting options

A

EBS default config is to delete the volume on termination of the EC2 instance.

DeleteOnTermination = false

19
Q

Need single-tenant hardware. Most cost-effective?

A

Dedicated Instance. Dedicated hardware for a single customer. May share hardware with instances from the same AWS account that are not dedicated.

Incorrect - Dedicated Hosts would work but are more expensive.

memorise - single-tenancy renter does not need a dedicated air hostess, happy with a Dedicated Instance virtual hostess AI bot.

Dedicated Host - BYO licence, visibility of hardware cores etc., instances on the same physical server over time.

20
Q

How to encrypt an RDS DB. Steps:

A

Snapshot the DB.
Copy it as an encrypted snapshot.
Restore from this.
Terminate the previous instance.

21
Q

Many VPCs in many accounts. Connect in a star network with on-prem via Direct Connect.

A

Transit Gateway. Virgin transit lounge in the cloud, full of hundreds of little clouds. Removes the need for messy peering.

22
Q

DB password stored in a secure place, auto rotation every 90 days. How?

A

**Secrets Manager**. (memorise: wizard in the corner that keeps secrets) It can rotate, manage and retrieve DB credentials and API keys; call the Secrets Manager API. Rotation included.

Incorrect - these are credible options but not perfect:

KMS (Key Management Service): keys, not credentials.
CloudHSM: hardware security module for encryption keys, not a secrets store.
SSM (Systems Manager) Parameter Store: config data and secrets. Can be encrypted. But no auto rotation.

23
Q

Move an account from Org A to Org B. Steps?

A

In this exact order:

Remove the account from the old org.
Send an invite from the new org.
Accept the invite to the new org.

Incorrect - raise a support ticket; other orderings of the steps.

24
Q

4 x EC2 instances behind an ALB, in one AZ. Needs 4 instances for acceptable UX. Solution to achieve HA at minimum cost.

A

Incorrect answer - 2 AZs with 2 instances in each. If one AZ goes down, UX will fall below acceptable. Bugger.

Correct: 3 AZs with 2 in each. With one AZ down you still have 4 instances across 2 AZs, still HA and performance.

25
Q

S3 bucket access for users in different accounts. Options:

A

Correct - bucket policies.

However, an incorrect answer I did not expect - ACLs give read or write access on buckets to groups of users. Grant to accounts, not to specific users.

26
Q

HARD - network file system for Linux instances, files accessed frequently at first and then infrequently. Most cost-effective solution.

A

Correct - EFS IA!!! - NFS file system, simple, scalable, integrates with on-prem. Regional service, cross-AZ. HA and durable.

EFS IA storage class is cost-optimised for files not accessed every day; 92 percent lower cost than EFS Standard.

memorise - Elastic File System Infrequent Access. Elastic band shooting files (paper planes) into the sky, one per day, slow infrequent access.

Incorrect - Lustre is Linux for high performance. Caution: expensive, parallel processing.

27
Q

HARD. S3 bucket in us-east-1 encrypted with SSE-KMS.
Wants to replicate encrypted data to us-west-1. Must use the same key to encrypt/decrypt. How?

A

Simplifying answer. KMS keys cannot be converted or shared to multi-region; you must create a new multi-region key. This kind of key has the same key ID and key material in both regions, and it works interchangeably.

Therefore a new bucket must be created in us-east-1 and encrypted with the new multi-region key, then
* encrypted data must be copied, then
* replication set up, and
* then data can be decrypted in us-west-1 with the multi-region KMS key. There is no cross-region call; the key exists in both regions.

Not in the question, but there are complex bucket policies that need to be set up to enable the keys and enforce encryption using the correct KMS key.

Other options were distractors.

28
Q

Inbound traffic to EC2 via security groups and a NACL in the subnet. What rules?

A

Easy bit, correct answer. Security groups are stateful and don’t need an outbound rule. NACLs need an outbound rule because they are not stateful.

Info I forgot, although the answer was correct:
- inbound traffic is on a known port; outbound traffic is on an ephemeral port in the range 1024 - 65535, which will be the client’s source port.

By default NACLs allow all inbound and outbound traffic. To restrict, you need to find the exact port range for ephemeral ports outbound from EC2.

To accept traffic from the internet, you must establish a route through an internet gateway.

For VPN or Direct Connect, establish a route through a virtual private gateway.

29
Q

EC2 instance takes 3 minutes to reboot. Auxiliary software programs need to be executed. How to speed up? Ambiguous scenario. Options:

A

user data
create an AMI
use Hibernate (suspend to disk; saves RAM to the EBS root volume and other attached storage)

Answer that I got correct: hibernate. On reboot the RAM contents are loaded from EBS and processes are resumed.
Previously attached volumes come back and the instance retains its instance ID.

User data won’t speed it up; it still needs to start the apps.

EC2 metadata can be used to configure or manage the instance: hostname, events, security groups. Distractor.

An AMI will help with dependencies but it won’t speed up the apps that need to start; they still do.

Problem - why are you rebooting? If you want to solve a problem on the server, hibernate won’t do that; if you want to save cost, no problem.

30
Q

Improve the performance of big data processing workloads running on Elastic File System. Options: Max I/O, General Purpose, Bursting or Provisioned throughput?

A

Max I/O
General Purpose
Bursting throughput
Provisioned throughput (my answer)

Correct - Max I/O - scales to higher levels of aggregate throughput and operations per second. Scaling results in higher latency for file metadata. Parallelised workloads can benefit from this mode.

Throughput modes are real but distractors because they don’t address performance, which is different to throughput …?
Bursting - EFS throughput scales as the size of the file system grows.
Provisioned - instantly provision the needed throughput without waiting for the size to grow.

31
Q

Multiple accounts connected hub-and-spoke with Transit Gateway. VPCs provisioned across these accounts to facilitate network isolation. Which option reduces the admin and costs while providing shared access to services?

A

Build a shared services VPC (correct guess; use **VPC endpoints to connect to shared resources** in other VPCs. A central location reduces admin and setup.)
Resources in private subnets are shared.

Meshed VPC peering (complex, hard to manage)
Use AWS Direct Connect (time and cost)

Transit VPC - a real option - uses EC2 instances as a dedicated VPN with an internet gateway. The customer needs to set these up with a client-side VPN. More cost.

31
Q

Multiple accounts connected hub-and-spoke with Transit Gateway. VPCs provisioned across these accounts to facilitate network isolation. Which option will reduce the admin and costs while providing shared access? (Q44)

A

Build a shared services VPC (correct guess; use VPC endpoints to connect to shared resources and workloads in other VPCs. A central location reduces admin and setup.)

Note the difference to Q6, Resource Access Manager, where EC2 instances want to communicate privately.

Transit Gateway is in the same account as the shared VPC account (hub); VPC endpoints connect the (spoke) resources to this.

Meshed VPC peering (complex, hard to manage)
Use AWS Direct Connect (time and cost)

Transit VPC - a real option - uses EC2 instances as a dedicated VPN with an internet gateway. The customer needs to set these up with a client-side VPN. More cost.

32
Q

Health app that can’t have downtime for DB writes. Uses Aurora. Options:

A

Multi-master cluster - all instances actively writeable, no failover, continuous availability.

Provisioned cluster
Global database cluster
Serverless DB cluster
Real options but not as good.

33
Q

Big data ETL handled by a Hadoop cluster on-prem. Migrate the ETL work to AWS. Must be HA with 50 EC2 instances per AZ. Which placement group to use?

A

Cluster, spread, partition, combo?

Partition - to achieve HA. Spreads instances across logical partitions; groups in one partition share hardware resources and do not share hardware across partitions with other groups.

“This strategy is used by large distributed and replicated workloads such as Hadoop, Cassandra and Kafka.”

34
Q

Big data workload, running for 2 hours per week, can be evenly distributed across servers of varying size and CPU. Must withstand server failures. Most cost-optimal solution.

A

Reserved Instances
Dedicated Hosts
Spot Fleet
Spot Instances

Incorrect - Spot Instances.
Correct - Spot Fleet. Selects Spot Instance pools that meet your needs and launches instances. The goal is to maintain target capacity by starting another instance if one gets removed (this is the key difference). A bit like an auto scaling group. On-Demand instances can be requested in the Spot Fleet as a fallback.

35
Q

Redshift cluster writes data to an S3 bucket belonging to a different AWS account. Files created in S3 using the UNLOAD command are not accessible to the bucket owner. What is the reason?

A

Incorrect - the 2 accounts must share the bucket policies; cause is an erroneous policy.

Correct - by default an S3 **object is owned by the account that uploaded it**. The bucket owner will not have access to objects created by the Redshift account, even though they own the bucket.

To access the files, steps:
Create an IAM **bucket role** with permissions to the bucket.
Create a cluster role for the Redshift cluster with permissions to assume the bucket role.
Grant the bucket role a trust relationship with the cluster role.
Run the Redshift UNLOAD command with the cluster and bucket roles.

36
Q

Auto scaling group is not terminating an unhealthy EC2 instance. What steps to troubleshoot?

A
  • Instance may be impaired (correct; if so it waits a few minutes to recover)
  • Instance failed ELB health check status (correct; by default auto scaling does not use ELB health checks, this can be changed)
  • Health check grace period has not expired (this is the period after launching that auto scaling waits before checking health; default 5 min from the console)
  • Custom health check may have failed (incorrect, this would not be a cause; once these are set correctly they will be terminated)
37
Q

Team of devs should be able to experiment with managed policies by attaching them. Prevent them from escalating privileges. How?

A

Create an IAM group and define an IAM permissions boundary on the group to restrict managed policies (incorrect, can’t use a boundary on a group).

For each developer, define an IAM permissions boundary that will restrict the managed policies they can attach (correct; memorise with an individual one-man boundary, not a group boundary).

IAM policy attached to devs that prevents them from attaching Admin… access (incorrect, devs can remove the policy).
Service control policy that restricts (incorrect, SCP applies to an organisation).

38
Q

A Kinesis data stream is the source for Kinesis Firehose. Can I add a Kinesis agent to Firehose in parallel, concurrently?

A

No. Firehose PutRecord (used by the agent) is disabled when a data stream is the source. The agent can however be added as a source to the data stream.

Also,
* The agent can write directly to Firehose, as long as there is no data stream.
* Firehose is unlikely to reach a limit; it autoscales.

39
Q

Exam 2 question 55: EFS, NFS, Direct Connect, DataSync, private VIF (virtual interface). Ignore, too complex.

A

n/a

40
Q

Photo sharing web app on EC2 behind an ELB. How to most securely access DynamoDB and S3 from EC2?

A
  • Attach an IAM role to the EC2 instance profile to access DynamoDB and S3. (correct; the role is attached to the instance at launch time, and the role has access to the S3 bucket etc. [memorise: Instagram profile with role policy])
  • Encrypt the credentials and save them in a secret directory; the app can decrypt and make API calls. (incorrectly answered; it is bad security practice to have security credentials on the instance)
41
Q

How to store less frequently accessed files, concurrently accessed by hundreds of EC2 instances. Most cost-effective file storage service.

A

Elastic File System, Standard-IA storage class. Correct. Reduced cost for files not accessed daily. HA, durability, elasticity. POSIX file system.

S3 Standard-IA - incorrect, does not store files, stores objects. Read the question. This is a tricky one because EC2 could convert them to objects, but the question is about semantics. Be very careful.

42
Q

Single log processing model for system, app and DB logs. Must be serverless, durably stored for downstream analytics. Must auto scale to match throughput, with no ongoing admin.

A

Kinesis Data Streams (incorrect! manually provision shards ahead of time)

Kinesis Data Firehose (correct! - reliably capture and load streaming data into…; automatically scales, removes the admin work of data streams)

More about Firehose capture / ingestion sources:
* SDK
* Data Streams
* Kinesis agent - this is probably what would load the logs
* CloudWatch Logs and Events
* many AWS services
* open source agent

Can use Lambda to transform data mid-stream.

Differences and comparison. Firehose can do this (Data Streams can/not):
* load streaming data into S3, Redshift, OpenSearch, custom HTTP (Streams can with custom code)
* fully managed, no admin (Streams needs manual setup)
* near real time, buffer time 1 minute (Data Streams is 200 ms)
* no storage (Streams has 1 day - 1 year)
* no replay (Streams has replay)

43
Q

Notify the security team 30 days before AWS Certificate Manager third-party certs expire. How?

A

AWS Config managed rule to check on ACM certs, triggering an SNS notification to the team.

ACM automatically renews certs created in the Certificate Manager tool; no need to monitor those.

Can use the days-to-expiry CloudWatch metric/alarm, but it requires more work.

44
Q

Manage a mix of On-Demand and Spot instances across multiple instance types, with an auto scaling group to manage them. True/false.

A

You can only use a **launch template** to provision multiple types for On-Demand and Spot.

Cannot use a launch configuration, although a launch configuration can specify AMI, instance ID, instance type, key pair, security group.

45
Q

Blue/green deployment (active, inactive). Customer phones are prone to DNS caching.

A

Global Accelerator (rocket blue/green jetting around the world). Not subject to DNS caching; can shift traffic gradually from blue to green.

Incorrect - Application Load Balancer can do this but not globally (weighted target groups).

CodeDeploy - incorrect.
