Practice 5 Flashcards
AWS Systems Manager Session Manager
lets you manage your Amazon EC2 instances through an interactive one-click browser-based shell or through the AWS CLI.
If you need distributed session data management, use:
Elasticache
Why is sticky session not a good choice for distributed session?
- In the event of a failure, you are likely to lose the sessions that were resident on the failed node
- In the event that the number of your web servers changes when your Auto Scaling kicks in, it’s possible that the traffic may be unequally spread across the web servers, as active sessions may exist on particular servers
GetSessionToken
one of the available actions in STS which returns a set of temporary credentials for an AWS account or IAM user
Fully Managed means
You no longer need to perform management tasks such as hardware provisioning, software patching, setup, configuration, monitoring, failure recovery, and backups.
Redis support ? for security
Redis Auth
Memcached support ? for authentication
SASL (Simple Authentication and Security Layer) authentication
None of the caches support IAM authentication - True or False
True
IAM Policies on the Elasticache are only used for
AWS API - Level security
Patterns for Elasticache
- Lazy Loading - all the read data is cached, data can become stale in cache
- Write Through - adds or updates data in the cache when written to a DB (no stale data)
- Session Store - store temporary session data in cache (using TTL feature)
AWS Glue
is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics
AWS Glue Advantage
- Serverless
- Schema-inference
- Autogen ETL scripts
you can directly upload archives to Glacier by using the management console - T or F
False
How to upload data to Glacier?
AWS CLI or write code to make requests, by using either the REST API directly or by using the AWS SDKs
Error if the private key that you are using has a file permission of 0777
Unprotected Private Key File
You might be unable to log into an EC2 instance if:
• You’re using an SSH private key but the corresponding public key is not in the authorized_keys file.
• You don’t have permissions for your authorized_keys file.
• You don’t have permissions for the .ssh folder.
• Your authorized_keys file or .ssh folder isn’t named correctly.
• Your authorized_keys file or .ssh folder was deleted.
• Your instance was launched without a key, or it was launched with an incorrect key.
To connect to your EC2 instance after receiving the error “Server refused our key,” you can update the instance’s user data to append the specified SSH public key to the authorized_keys file, which sets the appropriate ownership and file permissions for the SSH directory and files contained in it.
ClassicLink
allows you to link an EC2-Classic instance to a VPC in your account, within the same region (using private IPv4 addresses - no need to use public IPv4 addresses or Elastic IP addresses)
AWS Trusted Advisor ensures
that all of the AWS resources in your VPC don’t go beyond their service limit
AWS Trusted Advisor analyzes your AWS environment and provides best practice recommendations in these five categories:
- Cost Optimization,
- Performance,
- Fault Tolerance,
- Security, and
- Service Limits
CPFSS
Target tracking scaling
Increase or decrease the current capacity of the group based on a target value for a specific metric.
Step scaling
Increase or decrease the current capacity of the group based on a set of scaling adjustments.
Simple scaling
Increase or decrease the current capacity of the group based on a single scaling adjustment.
Use Server-Side Encryption
You request Amazon S3 to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects
Use Client-Side Encryption
You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools
Amazon Neptune
fast, reliable, fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets. The core of Amazon
When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:
- Data at rest inside the volume
- All data moving between the volume and the instance
- All snapshots created from the volume
- All volumes created from those snapshots
ALB supported protocols
HTTP and HTTPS
NLB supported protocols
TCP and TLS
CLB supported protocols
TCP, SSL/TLS, HTTP, HTTPS
you can modify the Availability Zones for your load balancer at any time. T or F
true
AWS Schema Conversion Tool
to convert the source schema and code to match that of the target database
AWS Database Migration Service
to migrate data from the source database to the target database.
AWS Systems Manager Run Command lets you
remotely and securely manage the configuration of your managed instances without having to establish an RDP or SSH connection
EC2Config
Windows AMIs for Windows Server 2012 R2 and earlier include an optional service
AWS CodePipeline is a fully managed continuous delivery service that helps you
automate your release pipelines for fast and reliable application and infrastructure updates.
If you have an Amazon Aurora Replica in the same or a different Availability Zone, when failing over,
Amazon Aurora flips the canonical name record (CNAME) for your DB Instance to point at the healthy replica, which in turn is promoted to become the new primary
If you do not have an Amazon Aurora Replica (i.e. single instance), Aurora will
first attempt to create a new DB Instance in the same Availability Zone as the original instance. If unable to do so, Aurora will attempt to create a new DB Instance in a different Availability Zone.
Amazon SimpleDB
a highly available and scalable NoSQL database; unlike DynamoDB, it has a limit on the request capacity or storage size for a given table
In order for you to access your EC2 instance from the Internet, you need to have:
- An Internet Gateway (IGW) attached to the VPC.
- A route entry to the Internet gateway in the Route table of the VPC.
- A Public IP address attached to the EC2 instance.
How can you obtain a copy of the keys that you have stored on CloudHardware Security Module?
You can’t. If your HSM is zeroized, all keys, certificates, and other data on the HSM are destroyed.
You should consider using AWS CloudHSM if you require:
- Keys stored in dedicated, third-party validated hardware security modules under your exclusive control.
- FIPS 140-2 compliance.
- Integration with applications using PKCS#11, Java JCE, or Microsoft CNG interfaces.
- High-performance in-VPC cryptographic acceleration (bulk crypto).
CloudHSM can be provisioned outside an Amazon VPC - T or F
False; To protect and isolate your AWS CloudHSM from other Amazon customers, CloudHSM must be provisioned inside an Amazon VPC.
AWS strongly recommends that you use at least two HSMs in two different Availability Zones for any production workload. T or F
true
Which section of the template should you configure to get the Domain Name Server hostname of the ELB upon the creation of the AWS stack?
Outputs - describes the values that are returned whenever you view your stack’s properties
By default, CloudTrail event log files are encrypted using
Amazon S3 server-side encryption (SSE)
Default option when you create a trail in the CloudTrail console
trail that applies to all regions - CloudTrail records events in each region and delivers the CloudTrail event log files to an S3 bucket that you specify
Default option when you create a trail using the AWS CLI or CloudTrail API
trail that applies to one region - CloudTrail records the events in the region that you specify only
organizational trail
log all events for all AWS accounts in an org created by AWS organizations - trails must be created in the master account
HDD volumes can be used as a bootable volume - T or F
False;
HDD volumes cannot be used as a bootable volume
Amazon WorkSpaces is a
managed, secure cloud desktop service
The instance that you want to attach to an EC2 Auto Scaling must meet the following criteria:
- The instance is in the running state.
- The AMI used to launch the instance must still exist.
- The instance is not a member of another Auto Scaling group.
- The instance is launched into one of the Availability Zones defined in your Auto Scaling group.
- If the Auto Scaling group has an attached load balancer, the instance and the load balancer must both be in EC2-Classic or the same VPC. If the Auto Scaling group has an attached target group, the instance and the load balancer must both be in the same VPC.
DB parameter groups act as a
container for engine configuration values that are applied to one or more DB instances.
You should be using an Alias record pointing to the DNS name of the load balancer since the IP address of the load balancer can change at any time. T or F
true
alias record can only redirect queries to selected AWS resources:
- Amazon S3 buckets
- CloudFront distributions
- Another record in the Route53 hosted zone that you’re creating the alias record in
Route53 doesn’t charge for CNAME queries. T or F
false; Route53 charges for CNAME queries.
Route53 doesn’t charge for alias queries to AWS resources. T or F
true
The alias property is visible only in the
Route53 console or in the response to a programmatic request, such as an AWS CLI list-resource-record-sets command.
DNS record A:
URL to IPV4
DNS record AAAA:
URL to IPV6
DNS record CNAME :
URL to URL
DNS record ALIAS:
URL to AWS resource
Advanced features of Route53:
- Load Balancing
- Health Checks
- Routing policy
Route 53 is ? service (global or regional)
global
Route53 charges ? per month per hosted zone
$0.50
Alias has a native health check - t or F
true
Route53 charges for Alias usage - T or F
false; it is free
SSD is best for workloads with:
small, random IO operations
HDD is best for workloads with:
large, sequential I/O operations
An interface endpoint is
an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service.
A gateway endpoint is a
gateway that is a target for a specified route in your route table, used for traffic destined to a supported AWS service (S3 and DynamoDB)
SQS default message retention period is
4 days (max 14 days, set via SetQueueAttributes)
In EBS encryption, what service does AWS use to secure the volume’s data at rest?
> By using your own keys in AWS Key Management Service (KMS).
By using Amazon-managed keys in AWS Key Management Service (KMS).
The ? command shows the status of the EC2 instances including the recently terminated instances.
describe-instances
Your HSMs are in your Virtual Private Cloud (VPC) and isolated from other AWS networks -T or F
true
Cloud HSM provides a secure key storage in tamper-resistant hardware available in a single Availability Zone - T or F
false; It provides a secure key storage in tamper-resistant hardware available in multiple AZs
ELB Access Logging
disabled by default; Each log contains information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses
All of the APIs created with Amazon API Gateway expose HTTPS endpoints only - T or F
true (no HTTP)
CloudTrail vs Xray
AWS X-Ray is usually used to debug and analyze your microservices applications with request tracing so you can find the root cause of issues and performance problems; it does not record the API calls, which is what AWS CloudTrail does
The ? is the queue attribute that determines whether you are using Short or Long polling.
ReceiveMessageWaitTimeSeconds
ReceiveMessageWaitTimeSeconds = 0
short polling
ReceiveMessageWaitTimeSeconds > 0
Long polling
Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved. - T or F
TRUE; First snapshot will be full, second snapshot will only reference the full and add new changes; third snapshot will reference first and second and add new changes
The Reserved Instance Marketplace is a platform
that supports the sale of third-party and AWS customers’ unused Standard Reserved Instances, which vary in terms of lengths and pricing options
To stop incurring charges for the Reserved instances, what cost-effective steps will you take?
- Go to the AWS Reserved Instance Marketplace and sell the Reserved instances.
- Terminate the Reserved instances as soon as possible to avoid getting billed at the on-demand price when they expire