Practice 5

Question 1

AWS Systems Manager Session Manager

Answer 1

lets you manage your Amazon EC2 instances through an interactive one-click browser-based shell or through the AWS CLI.

Question 2

if you need to have a distributed session data management, use:

Answer 2

Elasticache

Question 3

Why is sticky session not a good choice for distributed session?

Answer 3

1. in the event of a failure, you are likely to lose the sessions that were resident on the failed node
2. In the event that the number of your web servers change when your Auto Scaling kicks in, it’s possible that the traffic may be unequally spread across the web servers as active sessions may exist on particular servers

Question 4

GetSessionToken

Answer 4

one of the available actions in STS which returns a set of temporary credentials for an AWS account or IAM user

Question 5

Fully Managed means

Answer 5

You no longer need to perform management tasks such as hardware provisioning, software patching, setup, configuration, monitoring, failure recovery, and backups.

Question 6

Redis support ? for security

Answer 6

Redis Auth

Question 7

Memcached support ? for authentication

Answer 7

SASL (Simple Authentication and Security Layer )authentication

Question 8

None of the caches support IAM authentication - True of False

Answer 8

True

Question 9

IAM Policies on the Elasticache are only used for

Answer 9

AWS API - Level security

Question 10

Patterns for Elasticache

Answer 10

1. Lazy Loading - all the read data is cached, data can become stale in cache
2. Write Through - adds or updates data in the cache when written to a DB (no stale data)
3. Session Store - store temporary session data in cache (using TTL feature)

Question 11

AWS Glue

Answer 11

is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics

Question 12

AWS Glue Advantage

Answer 12

1. Serverless
2. Schema-inference
3. Autogen ETL scripts

Question 13

you can directly upload archives to Glacier by using the management console - T or F

Answer 13

False

Question 14

How to upload data to Glacier?

Answer 14

AWS CLI or write code to make requests, by using either the REST API directly or by using the AWS SDKs

Question 15

Error if the private key that you are using has a file permission of 0777

Answer 15

Unprotected Private Key File

Question 16

You might be unable to log into an EC2 instance if:

Answer 16

• You’re using an SSH private key but the corresponding public key is not in the authorized_keys file.
• You don’t have permissions for your authorized_keys file.
• You don’t have permissions for the .ssh folder.
• Your authorized_keys file or .ssh folder isn’t named correctly.
• Your authorized_keys file or .ssh folder was deleted.
• Your instance was launched without a key, or it was launched with an incorrect key.
To connect to your EC2 instance after receiving the error “Server refused our key,” you can update the instance’s user data to append the specified SSH public key to the authorized_keys file, which sets the appropriate ownership and file permissions for the SSH directory and files contained in it.

Question 17

ClassicLink

Answer 17

allows you to link an EC2-Classic instance to a VPC in your account, within the same region (using private IPv4 addresses - no need to use public IPv4 addresses or Elastic IP addresses)

Question 18

AWS Trusted Advisore ensure

Answer 18

that all of the AWS resources in your VPC don’t go beyond their service limit

Question 19

AWS Trusted Advisor analyzes your AWS environment and provides best practice recommendations in these five categories:

Answer 19

1. Cost Optimization,
2. Performance,
3. Fault Tolerance,
4. Security, and
5. Service Limits
   CPFSS

Question 20

Target tracking scaling

Answer 20

Increase or decrease the current capacity of the group based on a

target value for a specific metric

Question 21

Step scaling

Answer 21

Increase or decrease the current capacity of the group based on a

set of scaling adjustments,

Question 22

Simple scaling

Answer 22

Increase or decrease the current capacity of the group based on a

single scaling adjustment.

Question 23

Use Server-Side Encryption

Answer 23

You request Amazon S3 to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects

Question 24

Use Client-Side Encryption

Answer 24

You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools

Question 25

Amazon Neptune

Answer 25

fast, reliable, fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets. The core of Amazon

Question 26

When you create an encrypted EBS volume and attach it to a supported instance type, the following types of data are encrypted:

Answer 26

• Data at rest inside the volume
• All data moving between the volume and the instance
• All snapshots created from the volume
• All volumes created from those snapshots

Question 27

ALB supported protocols

Answer 27

HTTP and HTTPS

Question 28

NLB supported protocols

Answer 28

TCP and TLS

Question 29

CLB supported protocols

Answer 29

TCP, SSL/TLS, HTTP, HTTPS

Question 30

you can modify the Availability Zones for your load balancer at any time. T or F

Answer 30

true

Question 31

AWS Schema Conversion Tool

Answer 31

to convert the source schema and code to match that of the target database

Question 32

AWS Database Migration Service

Answer 32

to migrate data from the source database to the target database.

Question 33

AWS Systems Manager Run Command lets you

Answer 33

remotely and securely manage the configuration of your managed instance without having to establish a RDP or SSH connection

Question 34

EC2Config

Answer 34

Windows AMIs for Windows Server 2012 R2 and earlier include an optional service

Question 35

AWS CodePipeline is a fully managedcontinuous deliveryservice that helps you

Answer 35

automate your release pipelines for fast and reliable application and infrastructure updates.

Question 36

If you have an Amazon Aurora Replica in the same or a different Availability Zone, when failing over,

Answer 36

Amazon Aurora flips the canonical name record (CNAME) for your DB Instance to point at the healthy replica, which in turn is promoted to become the new primary

Question 37

If you do not have an Amazon Aurora Replica (i.e. single instance), Aurora will

Answer 37

first attempt to create a new DB Instance in the same Availability Zone as the original instance. If unable to do so, Aurora will attempt to create a new DB Instance in a different Availability Zone.

Question 38

Amazon SimpleDB

Answer 38

highly available and scalable NoSQL database, it has a limit on the request capacity or storage size for a given table, unlike DynamoDB

Question 39

In order for you to access your EC2 instance from the Internet, you need to have:

Answer 39

1. An Internet Gateway (IGW) attached to the VPC.
2. A route entry to the Internet gateway in the Route table of the VPC.
3. A Public IP address attached to the EC2 instance.

Question 40

How can you obtain a copy of the keys that you have stored on CloudHardware Security Module?

Answer 40

you can’t. If your HSM is zeroized,all keys, certificates, and other data on the HSM is destroyed

Question 41

You should consider using AWS CloudHSM if you require:

Answer 41

• Keys stored in dedicated, third-party validated hardware security modules under your exclusive control.
• FIPS 140-2 compliance.
• Integration with applications using PKCS#11, Java JCE, or Microsoft CNG interfaces.
• High-performance in-VPC cryptographic acceleration (bulk crypto).

Question 42

CloudHSM can be provisioned outside an Amazon VPC - T or F

Answer 42

False; To protect and isolate your AWS CloudHSM from other Amazon customers, CloudHSM must be provisioned inside an Amazon VPC.

Question 43

AWS strongly recommends that you use at least two HSMs in two different Availability Zones for any production workload. T or F

Answer 43

true

Question 44

Which section of the template should you configure to get the Domain Name Server hostname of the ELB upon the creation of the AWS stack?

Answer 44

Outputs - describes the values that are returned whenever you view your stack’s properties

Question 45

By default, CloudTrail event log files are encrypted using

Answer 45

Amazon S3 server-side encryption (SSE)

Question 46

Default option when you create a trail in the CloudTrail console

Answer 46

trail that applies to all regions - cloudtrail records events in each region and delivers the cloudtrail event log files to an S3 bucket that you specify

Question 47

Default option when you create a trail using the AWS CLI or CloudTrail API

Answer 47

trail that applies to one region - cloudtrail records the events in the region that you specify only

Question 48

organizational trail

Answer 48

log all events for all AWS accounts in an org created by AWS organizations - trails must be created in the master account

Question 49

HDD volumes can be used as a bootable volume - T or F

Answer 49

False;

HDD volumes cannot be used as a bootable volume

Question 50

Amazon WorkSpaces is a

Answer 50

managed, secure cloud desktop service

Question 51

The instance that you want to attach to an EC2 Auto Scaling must meet the following criteria:

Answer 51

• The instance is in therunningstate.
• The AMI used to launch the instance must still exist.
• The instance is not a member of another Auto Scaling group.
• The instance is launched into one of the Availability Zones defined in your Auto Scaling group.
• If the Auto Scaling group has an attached load balancer, the instance and the load balancer must both be in EC2-Classic or the same VPC. If the Auto Scaling group has an attached target group, the instance and the load balancer must both be in the same VPC.

Question 52

DB parameter groups act as a

Answer 52

containerfor engine configuration values that are applied to one or more DB instances.

Question 53

You should be using an Alias record pointing to the DNS name of the load balancer since the IP address of the load balancer can change at any time. T or F

Answer 53

true

Question 54

alias record can only redirect queries to selected AWS resources:

Answer 54

1. Amazon S3 buckets
2. CloudFront distributions
3. Another record in the Route53 hosted zone that you’re creating the alias record in

Question 55

Route53 doesn’t charge for CNAME queries. T or F

Answer 55

false; Route53 charges for CNAME queries.

Question 56

Route53 doesn’t charge for alias queries to AWS resources. T or F

Answer 56

true

Question 57

The alias property is visible only in the

Answer 57

Route53 console or in the response to a programmatic request, such as an AWS CLI list-resource-record-sets command.

Question 58

DNS record A:

Answer 58

URL to IPV4

Question 59

DNS record AAAA:

Answer 59

URL to IPV6

Question 60

DNS record CNAME :

Answer 60

URL to URL

Question 61

DNS record ALIAS:

Answer 61

URL to AWS resource

Question 62

Advanced features of Route53:

Answer 62

1. Load Balancing
2. Health Checks
3. Routing policy

Question 63

Route 53 is ? service (global or regional)

Answer 63

global

Question 64

Route53 charges ? per month per hosted zone

Answer 64

$0.50

Question 65

Alias has a native health check - t or F

Answer 65

true

Question 66

Route53 charges for Alias usage - T or F

Answer 66

false; it is free

Question 67

SSD is best for workloads with:

Answer 67

small, random IO operations

Question 68

HDD is best for workloads with:

Answer 68

large, sequential I/O operations

Question 69

Aninterface endpointis

Answer 69

an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service.

Question 70

Agateway endpointis a

Answer 70

gateway that is a target for a specified route in your route table, used for traffic destined to a supported AWS service (S3 and DynamoDB)

Question 71

SQS default message retention period is

Answer 71

4 days (max 14 SetQueueAttributes)

Question 72

In EBS encryption, what service does AWS use to secure the volume’s data at rest?

Answer 72

> By using your own keys in AWS Key Management Service (KMS).
By using Amazon-managed keys in AWS Key Management Service (KMS).

Question 73

The ? command shows the status of the EC2 instances including the recently terminated instances.

Answer 73

describe-instances

Question 74

Your HSMs are in your Virtual Private Cloud (VPC) and isolated from other AWS networks -T or F

Answer 74

true

Question 75

Cloud HSM provides a secure key storage in tamper-resistant hardware available in a single Availability Zone - T or F

Answer 75

false ; It provides a secure key storage in tamper-resistant hardware available in multiple AZ

Question 76

ELB Access Logging

Answer 76

disabled by default; Each log contains information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses

Question 77

All of the APIs created with Amazon API Gateway exposeHTTPSendpoints only - T or F

Answer 77

true (no HTTP)

Question 78

CloudTrail vs Xray

Answer 78

AWS X-Ray is usually used to debug and analyze your microservices applications with request tracing so you can find the root cause of issues and performance and does not record record the API calls which is what AWS CloudTrail does

Question 79

The ? is thequeue attribute that determines whether you are using Short or Long polling.

Answer 79

ReceiveMessageWaitTimeSeconds

Question 80

ReceiveMessageWaitTimeSeconds = 0

Answer 80

short polling

Question 81

ReceiveMessageWaitTimeSeconds > 0

Answer 81

Long polling

Question 82

Snapshots areincrementalbackups, which means that only the blocks on the device that have changed after your most recent snapshot are saved.- T or F

Answer 82

TRUE; First snapshot will be full, second snapshot will only reference the full and add new changes; third snapshot will reference first and second and add new changes

Question 83

The Reserved Instance Marketplace is a platform

Answer 83

that supports the sale of third-party and AWS customers’ unused Standard Reserved Instances, which vary in terms of lengths and pricing option

Question 84

To stop incurring charges for the Reserved instances, what cost-effective steps will you take?

Answer 84

1. Go to the AWS Reserved Instance Marketplace and sell the Reserved instances.
2. Terminate the Reserved instances as soon as possible to avoid getting billed at the on-demand price when it expires