Practice 1

Question 1

ASG Dynamic Scaling Plan

Answer 1

add/remove resources to maintain resource utilization at the specified target value

Question 2

ASG Predictive Scaling Plan

Answer 2

> forecast future load demands by analyzing historical records for a metric (allows you to schedule accordingly)
only available for EC2 ASG

Question 3

IAM DB Authentication

Answer 3

> you don’t need to use a password when you connect to a DB instance. Instead, you use an authentication token

• a unique string of characters thatAmazon RDSgenerates on request ;
• Each token has a lifetime of 15 minutes. You don’t need to store user credentials in the database, because authentication is managed externally using IAM.

Question 4

AWS Security Token Service (STS)

Answer 4

> generate temporary tokens
web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users)

Question 5

AWS Budgets

Answer 5

gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount

Question 6

When using ssh:
Error: Server refused our keyor
Error: No supported authentication methods

Answer 6

> appropriate user name for your AMI

> private key (.pem) file has been correctly converted to the format recognized by PuTTY (.ppk)

Question 7

Amazon DynamoDB advantage over RDS

Answer 7

> schemaless

> low latency

Question 8

Cloud watch Custom Metric

Answer 8

1. Memory utilization
2. Disk swap utilization
3. Disk space utilization
4. Page file utilization
   5 Log collection

Question 9

Default Cloudwatch metric

Answer 9

1. Disk reads
2. CPU utilization
3. Network utilization

Question 10

AWS Lambda encrypts environment variables using

Answer 10

the AWS Key Management Service

Question 11

AWS CloudHSM

Answer 11

is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.

Question 12

AWS CloudHSM vs AWS KMS

Answer 12

You should consider using AWS CloudHSM if you require:
• Keys stored in dedicated, third-party validated hardware security modules under your exclusive control.
• FIPS 140-2 compliance.
• Integration with applications using PKCS#11, Java JCE, or Microsoft CNG interfaces.
High-performance in-VPC cryptographic acceleration (bulk crypto).

Question 13

To calculate the total number of IP addresses of a given CIDR Block

Answer 13

1. Subtract32with the mask number :
(32 - 27) =5
2. Raisethe number2to the power of the answer in Step #1 :
2^5= (2 * 2 * 2 * 2 * 2)
 =32

Question 14

Amazon Athena

Answer 14

is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run.

Question 15

S3 Select is

Answer 15

an Amazon S3 feature that makes it easy to retrieve specific data from the contents of an object using simple SQL expressions without having to retrieve the entire object.

Question 16

Amazon Redshift Spectrum

Answer 16

is a feature of Amazon Redshift that enables you to run queries against exabytes of unstructured data in Amazon S3 with no loading or ETL required.

Question 17

Amazon Elasticsearch Service (Amazon ES)

Answer 17

is a managed service that makes it easy to deploy, operate, and scale Elasticsearch clusters in the AWS Cloud. Elasticsearch is a popular open-source search and analytics engine for use cases such as log analytics, real-time application monitoring, and clickstream analysis

Question 18

Route Origin Authorization (ROA)

Answer 18

is a document that you can create through your Regional internet registry (RIR), such as the American Registry for Internet Numbers (ARIN) or Réseaux IP Européens Network Coordination Centre (RIPE). It contains the address range, the ASNs that are allowed to advertise the address range, and an expiration date

Question 19

IP match condition in CloudFront

Answer 19

primarily used in allowing or blocking the incoming web requests based on the IP addresses that the requests originate from

Question 20

Elastic IP address

Answer 20

static IPv4 address designed for dynamic cloud computing. An Elastic IP address is associated with your AWS account. With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account.

Question 21

AWS WAF

Answer 21

web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules.

Question 22

Amazon DynamoDB Accelerator (DAX)

Answer 22

fully managed, highly available, in-memory cache that can reduce Amazon DynamoDB response times from milliseconds to microseconds, even at millions of requests per second.

Question 23

AWS Device Farm

Answer 23

app testing service that lets you test and interact with your Android, iOS, and web apps on many devices at once, or reproduce issues on a device in real time

Question 24

RAID 0

Answer 24

increase the write performance

Question 25

RAID 1

Answer 25

provide mirroring, redundancy, and fault-tolerance

Question 26

Linux Amazon Machine Images use one of two types of virtualization

Answer 26

1. paravirtual (PV) - slower

2. hardware virtual machine (HVM) - faster boot

Question 27

Public Data Set Volume Encryption

Answer 27

public data sets are designed to be publicly accessible

Question 28

Cost for transferring data from an EC2 instance to Amazon S3, Amazon Glacier, Amazon DynamoDB, Amazon SES, Amazon SQS, or Amazon SimpleDB in the same AWS Region

Answer 28

None

Question 29

AWS Directory Service AD Connector

Answer 29

If the company is using a corporate Active Directory, it is best to useAWS Directory Service AD Connector for easier integration.

Question 30

AWS Directory Service Simple AD

Answer 30

provides a subset of the features offered by AWS Managed Microsoft AD, including the ability to manage user accounts and group memberships, create and apply group policies, securely connect to Amazon EC2 instances, and provide Kerberos-based single sign-on (SSO)

Question 31

Multi-AZ deployment

Answer 31

synchronous replication - highly durable

Question 32

Read Replica

Answer 32

asynchronous replication - highly scalable

Question 33

Enable Enhanced Monitoring in RDS

Answer 33

monitor how the different processes or threads on a DB instance use the CPU, including the percentage of the CPU bandwidth and total memory consumed by each process

Question 34

Amazon EMR (Elastic Map Reduce)

Answer 34

> is an Amazon Web Services (AWS) tool for big data processing and analysis. Amazon EMR offers the expandable low-configuration service as an easier alternative to running in-house cluster computing.
not a fully managed Service (you can access your OS)

Question 35

Amazon Neptune

Answer 35

fast, reliable, fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets.

Question 36

110.238.98.71/32 denotes

Answer 36

1 IP Address

Question 37

110.238.98.71/0 denotes

Answer 37

refers to the entire network

Question 38

Amazon Redshift workload management (WLM)

Answer 38

define the number of query queues that are available, and how queries are routed to those queues for processing. WLM is part of parameter group configuration. A cluster uses the WLM configuration that is specified in its associated parameter group

Question 39

A web application that you developed stores sensitive information on a non-boot, unencrypted Amazon EBS data volume attached to an Amazon EC2 instance. How can you provide protection to the sensitive data of your Amazon EBS volume?

Answer 39

Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume and finally, delete the old Amazon EBS volume.
(Correct)

Question 40

EBS encryption is done during

Answer 40

volume creation not after

Question 41

Amazon Redshift Enhanced VPC Routing

Answer 41

> forces all COPY and UNLOAD traffic between your cluster and your data repositories through your Amazon VPC.
you can use standard VPC features, such as VPC security groups, network access control lists (ACLs), VPC endpoints, VPC endpoint policies, internet gateways, and Domain Name System (DNS) servers

Question 42

Kinesis Client Library (KCL)

Answer 42

using this, you can develop a consumer application for Amazon Kinesis Data Streams

Question 43

DynamoDB Streams Kinesis Adapter

Answer 43

recommended way to consume Streams from DynamoDB

Question 44

Amazon Elastic Container Service (Amazon ECS)

Answer 44

highly scalable, high-performancecontainerorchestration service that supportsDockercontainers and allows you to easily run and scale containerized applications on AWS. Amazon ECS eliminates the need for you to install and operate your own container orchestration software, manage and scale a cluster of virtual machines, or schedule containers on those virtual machines.

Question 45

AWS Secrets Manager

Answer 45

helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

Question 46

AWS Systems Manager Parameter Store

Answer 46

provides secure, hierarchical storage for configuration data management and secrets management.

Question 47

Amazon Inspector

Answer 47

automated security assessment service that helps you test the network accessibility of your Amazon EC2 instances and the security state of your applications running on the instances. It does not provide a custom metric to track the memory and disk utilization of each and every EC2 instance in your VPC

Question 48

you cannot directly assign an EIPto an Auto Scaling - group - true or false

Answer 48

True

Question 49

Match Viewer

Answer 49

Origin Protocol Policy which configures CloudFront to communicate with your origin using HTTP or HTTPS, depending on the protocol of the viewer request. CloudFront caches the object only once even if viewers make requests using both HTTP and HTTPS protocols

Question 50

CloudFront signed URLs and signed cookies provide the same basic functionality:

Answer 50

they allow you to control who can access your content

Question 51

Usesigned URLsfor

Answer 51

• -You want to use an RTMP distribution. Signed cookies aren’t supported for RTMP distributions.
• -You want to restrict access to individual files, for example, an installation download for your application.
-Your users are using a client (for example, a custom HTTP client) that doesn’t support cookies.

Question 52

Usesigned cookiesfor

Answer 52

• You want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers’ area of a website.
  • -You don’t want to change your current URLs.

Question 53

Termination policy for the scale in in ASG

Answer 53

If there are multiple instances to terminate based on the above criteria, determine which unprotected instances are closest to the next billing hour. (This helps you maximize the use of your EC2 instances and manage your Amazon EC2 usage costs.) If there is one such instance, terminate it.

Question 54

pre-signed URLs

Answer 54

> grant time-limited permission to download the objects.
When you create a pre-signed URL for your object, you must provide your security credentials, specify a bucket name, an object key, specify the HTTP method (GET to download the object) and expiration date and time.
The pre-signed URLs are valid only for the specified duration.

Question 55

Oracle Recovery Manager (RMAN) and Oracle Real Application Clusters (RAC) are supported in RDS - true or false

Answer 55

false

Question 56

Amazon MQ

Answer 56

recommended if you’re using messaging with existing applications and want to move your messagingservice to the cloud quickly and easily

Question 57

If you are building brand new applications in the cloud, then it is highly recommended that you consider ? for messaging queue:

Answer 57

Amazon SQS and Amazon SNS

Question 58

How to protect back end spikes if using API Gateway and lambda

Answer 58

use throttling limits in API Gateway

Question 59

Aurora cluster endpoint

Answer 59

> also known as a writer endpoint for an Aurora DB cluster simply connects to the current primary DB instance for that DB cluster.
This endpoint is the only one that can perform write operations in the database such as DDL statements, which is perfect for handling production traffic but not suitable for handling queries for reporting.

Question 60

Lambda@Edge

Answer 60

lets you run Lambda functions to customize the content that CloudFront delivers, executing the functions in AWS locations closer to the viewer.

Question 61

AWS Serverless Application Model (SAM) service

Answer 61

open-source framework that you can use to buildserverless applicationson AWS

(Aserverless applicationis a combination of Lambda functions, event sources, and other resources that work together to perform tasks.)

Question 62

How to improve the DynamoDB performance by distributing the workload evenly and using the provisioned throughput efficiently

Answer 62

use of partition keys with high-cardinality attributes, which have a large number of distinct values for each item.

Question 63

How to secure the session data in the portal by requiring them to enter a password before they are granted permission to execute Redis commands.

Answer 63

Using RedisAUTHcommand can improve data security by requiring the user to enter a password before they are granted permission to execute Redis commands on a password-protected Redis server

Question 64

(DDoS)attack

Answer 64

A distributed denial-of-service (DDoS)attackis a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.

Question 65

AWS Shield Advanced

Answer 65

In addition to the network and transport layer protections that come with Standard, AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS (distributed denial-of-service) attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall.

Question 66

AWS Firewall Manager

Answer 66

is mainly used to simplify your AWS WAF administration and maintenance tasks across multiple accounts and resources. It does not protect your VPC against DDoS attacks.

Question 67

AWS WAF

Answer 67

can help you block common attack patterns to your VPC such as SQL injection or cross-site scripting, this is still not enough to withstand DDoS attacks

Question 68

Lifecycle hook

Answer 68

you can add it o your ASG to perform custom actions when instances launch or terminate

Question 69

Target tracking scaling

Answer 69

increase or decrease the current capacity of the group based on target value for specific metric

Question 70

Step scaling

Answer 70

increase or decrease current capacity of the group based on a set of scaling adjustments know as step adjustments, that vary based on size of the alarm breach

Question 71

simple scaling

Answer 71

increase or decrease the current capacity of the group based on the a single scaling adjustment

Question 72

scale out cooldown period

Answer 72

amount of time in seconds after a scale out activity completes before another scale out activity can start

Question 73

scale in cooldown period

Answer 73

amount of time in seconds after a scale in activity completes before another scale in activity can start

Question 74

permission policy

Answer 74

describes who has access to what

Question 75

identity based policies

Answer 75

IAM policies

Question 76

resource based policies

Answer 76

policies attached to a resource

Question 77

Amazon RDS supports only which policies?

Answer 77

identity based policies (IAM)

Question 78

You need to associate an Elastic IP address with your instance to enable communication with the internet - T or F

Answer 78

true

Question 79

every instance in a vpc has a default network interface called

Answer 79

primary network interface (eth0)

Question 80

DynamoDB Streams

Answer 80

optional feaure that captures data modification events in DynamoDB tables

Question 81

Cloudwatch log Insights

Answer 81

enables you to interactively search and analyze your log data in Cloudwatch logs using queries

Question 82

Cloudwatch Vended logs

Answer 82

logs that are natively published by AWS services on behalf of the Customer (VPC flow logs) is the first vended log type that will benefit from this tiered model

Question 83

VPN connection consists of

Answer 83

1. VPG

2. Customer Gateway

Question 84

Amazon Kinesis can load streaming data into

Answer 84

Amazon ElasticSearch service

Question 85

Amazon Kinesis agent

Answer 85

a pre built java application that offers an easy way to collect and send data to your Amazon Kinesis data stream

Question 86

Blue/Green deployment

Answer 86

refers to the practice of running 2 production environments, one live and one idle, and switching the 2 as you make software changes

Question 87

DynamoDB and Cloudfront do not have a Read Replica Feature - T or F

Answer 87

True

Question 88

Multi-AZ deployments are available for

Answer 88

MySQL, MariaDB, Oracle, and PostgreSQL

Question 89

CloudWatch gathers metrics about CPU utilization from

Answer 89

the hypervisor for a DB instance

Question 90

Enhanced Monitoring gathers its metrics from

Answer 90

an agent on the instance