Practice 2

Question 1

AWS OpsWorks is a

Answer 1

configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers.

Question 2

Access Keys are used for

Answer 2

api calls and not for logging in to EC2

Question 3

Canary:

Answer 3

Traffic is shifted in two increments. You can choose from predefined canary options that specify the percentage of traffic shifted to your updated Lambda function version in the first increment and the interval, in minutes, before the remaining traffic is shifted in the second increment.

Question 4

Linear:

Answer 4

Traffic is shifted in equal increments with an equal number of minutes between each increment. You can choose from predefined linear options that specify the percentage of traffic shifted in each increment and the number of minutes between each increment.

Question 5

All-at-once

Answer 5

All traffic is shifted from the original Lambda function to the updated Lambda function version at once.

Question 6

Instance metadata

Answer 6

the data about your instance that you can use to configure or manage the running instance. You can get the instance ID, public keys, public IP address and many other information from the instance metadata by firing a URL command in your instance to this URL:
http://169.254.169.254/latest/meta-data/

Question 7

The best way to implement a bastion host is to

Answer 7

create a small EC2 instance which should only have a security group from a particular IP address for maximum security.

Question 8

AWS Certificate Manager (ACM) is a service that lets you

Answer 8

easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources

Question 9

AWS IoT Core is a

Answer 9

managed cloud service that lets connected devices easily and securely interact with cloud applications and other devices.

Question 10

Steps to minimize backup time in Raid array

Answer 10

1. Stop all applications from writing to the RAID array.
2. Flush all caches to the disk.
3. Confirm that the associated EC2 instance is no longer writing to the RAID array by taking actions such as freezing the file system, unmounting the RAID array, or even shutting down the EC2 instance.
4. After taking steps to halt all disk-related activity to the RAID array, take a snapshot of each EBS volume in the array.

Question 11

principle of least privilege

Answer 11

means granting only the permissions required to perform a task

Question 12

AWS services encrypts data at rest by default

Answer 12

AWS Storage Gateway

Amazon Glacier

Question 13

Enabling encryption for Amazon RDS, ECS and Lambda

Answer 13

you still have to enable and configure them first with tools like AWS KMS to encrypt the data at rest. (not by default)

Question 14

Perfect Forward Secrecy

Answer 14

feature that provides additional safeguards against the eavesdropping of encrypted data, through the use of a unique random session key. This prevents the decoding of captured data, even if the secret long-term key is compromised

Question 15

two AWS services that supportPerfect Forward Secrecy

Answer 15

CloudFront and Elastic Load Balancing

Question 16

DynamoDB is a fully managed service which automatically scales its storage - T or F

Answer 16

true

Question 17

shared responsibility model - AWS manages the security of the following assets

Answer 17

• -Facilities
• -Physical security of hardware
• -Network infrastructure
-Virtualization infrastructure

Question 18

shared responsibility model - Customer responsibility

Answer 18

• -Amazon Machine Images (AMIs)
• -Operating systems
• -Applications
• -Data in transit
• -Data at rest
• -Data stores
• -Credentials
-Policies and configuration

Question 19

Classic Load Balancer supportServer Name Indication (SNI) - true or false

Answer 19

false; it does not support

Question 20

Server Name Indication (SNI)

Answer 20

allows multiple domains to serve SSL traffic over the same IP address by including the hostname which the viewers are trying to connect to

Question 21

2 services that allows you to decouple architecture in AWS

Answer 21

SQS and SWF

Question 22

ENI

Answer 22

Elastic Network Interface - logical networking component in a VPC that represents a virtual network card

Question 23

You can attach a network interface to an EC2 instance in the following ways:

Answer 23

1. When it’s running (hot attach)
2. When it’s stopped (warm attach)
3. When the instance is being launched (cold attach).

Question 24

Amazon S3 supports the following destinations where it can publish events:

Answer 24

SQS, SNS and Lambda

Question 25

DynamoDB Time-to-Live (TTL) mechanism enables you to manage web sessions of your application easily - T or F

Answer 25

true

Question 26

Size Capacity for TB Snowball appliance

Answer 26

80 TB (72 usable)

Question 27

Size capacity for TB Snowball edge

Answer 27

100 TB (83 usable)

Question 28

AWS Cognito to issue JSON Web Tokens (JWT)

Answer 28

used for user authentication and not for providing access to your AWS resources. AJSON Web Token (JWT) is meant to be used for user authentication and session management

Question 29

Amazon Data Lifecycle Manager (Amazon DLM)

Answer 29

used to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes

Question 30

In Auto Scaling, the following statements are correct regarding the cooldown period:

Answer 30

1. It ensures that the Auto Scaling group does not launch or terminate additional EC2 instances before the previous scaling activity takes effect.
2. Its default value is 300 seconds.
3. It is a configurable setting for your Auto Scaling group.

Question 31

Max number of EC2 instance per region

Answer 31

20

Question 32

Can EBS tolerate an Availability Zone failure each and every time?

Answer 32

No, all EBS volumes are stored and replicated in a single AZ only.

Question 33

What needs to be configured outside of the VPC for you to have a successful site-to-site VPN connection?

Answer 33

An Internet-routable IP address (static) of the customer gateway’s external interface for the on-premises network

Question 34

having a secondary private IP address is only used within the VPC, not when connecting to the outside Internet - T or F

Answer 34

true

Question 35

Pilot Light

Answer 35

> quicker that Backup Restore because the core pieces of the system are already running and continually kept up to date (not as fast as Warm Standby)
describe a DR scenario in which a minimal version of an environment is always running in the cloud

Question 36

Warm standby

Answer 36

> faster in system restoration than performing Pilot Light but not as fast as Multi Site
method of redundancy in which the scaled-down secondary system runs in the background of the primary system (not cost effective since some of your services are always running in the background)

Question 37

Multi-site DR

Answer 37

> fastest in system restoration during a DR Event
one to one copy of your infrastructure that is located and running in another region or AZ (active-active configuration)

Question 38

Backup Restore DR

Answer 38

> slowest system restoration after a DR Event

Question 39

AWS Glue

Answer 39

fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics. It does not provide scalability or elasticity to your instances

Question 40

What would happen to RDS if the primary database instance fails in a multi-AZ deployment?

Answer 40

The canonical name record (CNAME) is switched from the primary to standby instance

Question 41

Security Groups usually control

Answer 41

the list of ports that are allowed to be used by your EC2 instances

Question 42

NACLs control

Answer 42

which network or list of IP addresses can connect to your whole VPC

Question 43

If you need flexible application management and TLS termination then we recommend that you use

Answer 43

Application Load Balancer

Question 44

If extreme performance and static IP is needed for your application then we recommend that you use

Answer 44

Network Load Balancer

Question 45

If your application is built within the EC2 Classic network then you should use

Answer 45

Classic Load Balancer

Question 46

Application Load Balancers support

Answer 46

TLS termination capabilities, path-based routing, host-based routing and support for containerized applications

Question 47

you can’t create a CNAME record at the zone apex - TRUE OR FALSE

Answer 47

TRUE

Question 48

You can create CNAME records only for

Answer 48

subdomains

Question 49

Cognito ID

Answer 49

> used to deliver temporary, limited-privilege credentials to your application so that your users can access AWS resources.
unique Amazon identity ID for your end user immediately if you’re allowing authenticated users or after you’ve set the login tokens in the credentials provider if you’re authenticating users

Question 50

AWS Step Functions service

Answer 50

lets you coordinate multiple AWS services into serverless workflows so you can build and update apps quickly

Question 51

Elastic Load Balancers distribute traffic among EC2 instances across multiple AvailabilityZones but not across AWS regions - T OR F

Answer 51

TRUE

Question 52

cloudFront geo-restriction feature is primarily used to

Answer 52

prevent users in specific geographic locations from accessing content that you’re distributing through a CloudFront web distribution.

Question 53

Cold HDD

Answer 53

throughput oriented storage for large volumes of data that is infrequently accessed

Question 54

Identity Providers can be managed in the IAM dashboard - true or false

Answer 54

true

Question 55

By default, all data stored by AWS Storage Gateway in S3 is encrypted server-side with Amazon S3-Managed Encryption Keys (SSE-S3) - T or F

Answer 55

true

Question 56

EBS volumes can be attached to any EC2 Instance in any Availability Zone. - true or false

Answer 56

false; you can attach it to any EC2 instance in THE SAME Availability Zone

Question 57

Can an EBS volume persist independently from the life of an instance - Yes or No?

Answer 57

Yes, An EBS volume is off-instance storage that can persist independently from the life of an instance

Question 58

Server Name Indication (SNI) is available in the CLB - true or false

Answer 58

Classic Load Balancer does not supportServer Name Indication (SNI). You have to use an Application Load Balancer instead or a CloudFront web distribution to allow the SNI feature

Question 59

What are the prerequisites when routing traffic using Amazon Route 53 to a website that is hosted in an Amazon S3 Bucket?

Answer 59

1. The S3 bucket name must be the same as the domain name. (For example, if you want to use the subdomain portal.tutorialsdojo.com, the name of the bucket must be portal.tutorialsdojo.com)
2. A registered domain name

Question 60

When you do you need to enable Cross-Origin Resource Sharing (CORS)?

Answer 60

when your client web application on one domain interacts with the resources in a different domain.

Question 61

CORS

Answer 61

Cross Origin Resource Sharing - one way the server at the other end (not the client code in the browser) can relax the same origin policy

Question 62

SQS - who is responsible for deleting the message from the queue?

Answer 62

Your application should delete it after processing

Question 63

Amazon S3 supports the following destinations where it can publish events:

Answer 63

1. SQS
2. SNS
3. Lambda

Question 64

AJSON Web Token (JWT) is meant to be used for

Answer 64

user authentication and session management.

Question 65

Can you do an EBS-cycle policy in Amazon S3?

Answer 65

NO, there is no such thing as EBS-cycle policy in Amazon S3

Question 66

Default Network ACL allowsallinbound and outbound IPv4 traffic - true or false

Answer 66

true

Question 67

Inbound and Outbound behavior of Non Default NACL

Answer 67

Inbound - Deny; Outbound - Deny