Practice Test #1 Flashcards
For EFS on an EC2 instance, how many days since last access do you choose for your lifecycle policy to automatically move files to IA storage?
7 days since last access
After cloud migration from on-prem, which are fully managed AWS services?
DynamoDB & RDS
What would you use to provide a library of metabolism assessment functions to developers to share?
Lambda
Company in NY needs an S3 bucket in SF that is the same as the current prod S3 bucket. What 2 things should you configure?
S3 Bucket Versioning and Cross-Region Replication (CRR requires versioning on both the source and destination buckets!)
What does Amazon S3 Glacier Vault Lock guarantee?
Non-rewriteable && non-erasable format (Write-Once-Read-Many)
What service do you use to ensure that users in Europe are directed to this website. www.poopbutthole.com ?
Route53 - Geolocation routing allows you to use the location of users
What two services does AWS Instance Scheduler help with?
RDS and EC2 Instances
Need a highly available de-coupled web application. What 3 services should you use?
SQS, EC2, and Elastic Load Balancer
For SQS, what does setting the 'DelaySeconds' attribute mean?
DelaySeconds = when a new message is added to an SQS queue, it is hidden from consumers for that fixed period (0 seconds to 15 minutes) before anyone can receive it.
When are messages hidden by the VisibilityTimeout in an SQS queue?
After a consumer receives it from the queue (it stays in the queue, hidden from other consumers, until it is deleted or the timeout expires)
What is the minimum size of an S3 Object?
0 bytes
What type of routing policy allows for multiple servers to be sent traffic randomly?
Multivalue Routing (basically Simple Routing - multiplied)
Of RDS, DynamoDB, EC2, and S3, which ones need you to design redundancy into them?
EC2 & RDS
What is RAID 0 vs RAID 1?
RAID is configured in the OS across several EBS volumes attached to one instance, just like software RAID on a bare-metal server.
RAID 0 = striping for greater I/O performance than a single volume (no redundancy; losing one volume loses the whole array)
RAID 1 = on-instance redundancy, mirror 2 volumes together
DO NOT BOOT FROM A RAID VOLUME (the bootloader lives on one device, so a failed mirror can leave the instance unbootable)
Is Elastic Load Balancer stateful?
YES BITCH: its security group is stateful (return traffic is allowed automatically), and sticky sessions can pin a client to one backend instance
What do you need to create a second copy of prod env in US-EAST-1 and copy needs to be in US-EAST-2 ?
Route53 Private Hosted Zone records, VPC, Security Groups
Confidential data in S3 but need it available in different geographical location?
Enable Cross-Region Replication for the S3 bucket
Oracle software license?
Dedicated Hosts
A Multi-AZ RDS deployment will automatically fail-over as a result of what?
Loss of availability in primary AZ & Loss of network connectivity to Primary
Is S3 Transfer Acceleration a HIPAA compliant program?
YES mam; also, once enabled it can take up to about 20 minutes before transfers to the bucket actually get faster
What is proactive event-based scaling vs. cyclic scaling?
Event-based scaling - scale out ahead of a known one-off event (product launch, marketing campaign)
Cyclic scaling - occurs at a fixed interval (daily, weekly, quarterly)
What is supported by the Basic Support plan?
Service Limit Increase, Account and Billing Support (other is Technical Support only higher levels)
What service allows you to store files as objects in Amazon S3?
AWS Storage Gateway
How can you avoid error of max object size exceeded when uploading a HD video to S3 bucket?
Use Multipart Upload API to copy to S3
What service enables on-prem to use AWS storage?
AWS Storage Gateway
What service is serverless interactive query service to analyze data in S3?
Amazon Athena
On which port does Amazon EC2 throttle outbound traffic from all EC2 instances?
Port 25 (SMTP); ask AWS to remove the restriction or use SES for outbound email
Which layers of DDoS attacks does AWS automatically address?
Layer 3 & Layer 4
What 2 things do you need to deploy code to the CLl?
Access Key and Secret Access Key in CLI config
If you don't want to use or maintain a client-side encryption library but still want to control the keys yourself, what S3 encryption option can you use to secure data at rest?
SSE-C - Customer-provided keys: you send the key with each request over HTTPS, S3 encrypts/decrypts server-side and never stores the key
What can you use to bypass existing web server for uploads to avoid increasing load on server?
Use Pre-Signed URLs to upload images
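What a pre-signed upload URL actually is, as an added example (not part of the flashcards): a SigV4 query-string signature that binds the HTTP method, the bucket/object path and a lifetime to an HMAC derived from a secret key. The block below builds one and then re-checks it the way S3 does, using only the standard library so it runs offline; the access key/secret are the non-working example pair from the AWS docs, and the bucket and object names are made up.

```python
"""S3 presigned URLs are ordinary SigV4 query-string signatures: the URL carries
the access key ID, a timestamp, a lifetime and an HMAC over the method, host,
path and those parameters. Added example, not from the flashcards; standard
library only, so it runs offline. The access key/secret are the non-working
example pair from the AWS docs and the bucket and object names are made up."""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qsl, quote, urlparse

ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"                       # AWS docs example key (not real)
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"   # AWS docs example secret (not real)


def at(stamp: str) -> datetime:
    """Parse an X-Amz-Date style timestamp ('20240101T120000Z') as UTC."""
    return datetime.strptime(stamp, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _encode_query(params: dict) -> str:
    """Canonical query string: sorted keys, RFC 3986 percent-encoding (so '/' -> %2F)."""
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _signature(method: str, host: str, path: str, params: dict,
               amz_date: str, region: str, secret: str) -> str:
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    canonical_request = "\n".join([
        method,
        path,                       # already percent-encoded by the caller
        _encode_query(params),      # X-Amz-Signature itself is never part of this
        f"host:{host}\n",           # canonical headers; only 'host' is signed
        "host",
        "UNSIGNED-PAYLOAD",         # presigned URLs do not commit to a body hash
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(_signing_key(secret, amz_date[:8], region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign(method: str, bucket: str, key: str, expires: int, now: datetime,
            region: str = "us-east-1", access_key: str = ACCESS_KEY,
            secret: str = SECRET_KEY) -> str:
    """Build a presigned URL for one method+object that is valid for `expires` seconds."""
    host = f"{bucket}.s3.amazonaws.com"           # virtual-hosted style, legacy global endpoint
    path = "/" + quote(key, safe="/-_.~")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = _signature(method, host, path, params, amz_date, region, secret)
    return f"https://{host}{path}?{_encode_query(params)}"


def verify(url: str, method: str, secret: str, now: datetime) -> bool:
    """What S3 does on receipt: check the lifetime, then recompute the HMAC and
    compare it in constant time. Any change to method, path or parameters fails."""
    u = urlparse(url)
    params = dict(parse_qsl(u.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    amz_date = params["X-Amz-Date"]
    issued = at(amz_date)
    if now < issued or (now - issued).total_seconds() > int(params["X-Amz-Expires"]):
        return False
    region = params["X-Amz-Credential"].split("/")[2]
    expected = _signature(method, u.netloc, u.path, params, amz_date, region, secret)
    return hmac.compare_digest(expected, presented)
```

The point for the exam question: the browser uploads straight to S3, but the URL is only good for the one method and object key it was signed for, and only until X-Amz-Expires runs out, so a client cannot reuse an "upload cat.jpg" URL to overwrite something else. Keep expiries short and sign with a role that can only PutObject into the upload prefix, because the URL carries that principal's authority.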
Requirement for applications to be separate on cloud, but need to exchange data and communicate with the on-prem data centers. What should you use?
Individual VPCs for each app with peering connections between them.
Shared VPC with Direct Connect to the on-prem
Application's load balancer will need to always be on the same IP address. Which config do you use for your Load Balancer?
Network Load Balancer in a public subnet (it supports one static or Elastic IP per AZ)
What are the 3 types of server-side encryption for S3?
SSE-S3 (S3-managed keys), SSE-KMS (KMS keys), SSE-C (customer-provided keys). Client-side encryption with a library like the S3 Encryption Client is a separate, fourth option where S3 never sees the plaintext.
What can you use to connect your cloud resources to your own IPSec VPN connections?
VPC ya dumb bitch (attach a Virtual Private Gateway to the VPC and create a Site-to-Site VPN connection to your customer gateway)
Name the 4 types of EBS volumes and what you should use them for.
gp2 - General Purpose SSD - most workloads
io1 - Provisioned IOPS SSD - Databases
st1 - Throughput Optimized HDD - Big Data & Data Warehouses
sc1 - Cold HDD - File Servers
How many Read Replicas of a DB can you have?
5 read replicas per source DB (Aurora allows up to 15), and each RR has its own DNS endpoint
What kind of storage and how many AZs does a DynamoDB table use?
SSD storage && synchronously replicated across 3 Availability Zones in the region
What is an Eventually Consistent Read (DynamoDB)?
Default, consistency usually within a second! Best Read Performance
What is an Strongly Consistent Read (DynamoDB)?
Takes < 1 second
Returns result that reflects all writes that received a successful response prior to read
Explain ElastiCache for Memcached and ElastiCache for Redis.
Memcached - scales horizontally, multi-threaded, simple key/value cache
Redis - Advanced data types, pub/sub, sorting, Multi-AZ with failover & backup/restore
How is Multivalue Policy different than Simple Routing Policy in Route53?
Multivalue - puts health checks on each record set
Simple Routing - one record with multiple iP addresses - random order
If you have a question on Route53 that mentions a subdomain, which record type do you use?
CNAME works for subdomains, but usually use an Alias record (free queries, and it's the only option at the zone apex)!
Explain the difference between Security Groups and Network ACLs.
Network ACLs - stateless (return traffic needs its own rule) - subnet level - numbered allow AND deny rules, so they can block specific IP addresses
Security Groups = stateful (return traffic allowed automatically) - instance/ENI level - allow rules only
What do you use to access a private subnet from a public subnet?
A Bastion host - SSH into the private subnet from the public subnet
What is the largest and smallest subnet Amazon allows in VPC?
Largest = /16 Smallest = /28
What comes with the default VPC?
- All subnets are public (they have a route to an Internet Gateway)
- each EC2 instance launched in it gets both a public and a private IP address
- comes with a default NACL, Security Group & main Route Table
What is VPC peering?
using private IP addresses to connect VPCs together
Is there 1 subnet per 1 Availability Zone?
A subnet lives in exactly 1 AZ (it cannot span AZs), but an AZ can hold many subnets
How many IP addresses are actually usable in an IPv4 /24 subnet?
Only 251 of 256: Amazon reserves the first 4 addresses (network, VPC router, DNS, future use) and the last one (broadcast)
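The /16 to /28 limit and the 5 reserved addresses, worked through in code as an added example (not from the flashcards): it names each reserved address in a subnet, computes the usable count, and carves a VPC into per-AZ subnets. The CIDRs and AZ names are made up; the reservation rule itself is AWS's.

```python
"""Usable IPv4 addresses in VPC subnets. AWS reserves the first four addresses
and the last address of every subnet, and subnet prefixes must be /16 to /28.
Added example, not from the flashcards; the CIDRs and AZ names are made up."""
from ipaddress import IPv4Network

RESERVED_ROLES = (
    "network address",
    "VPC router",
    "Amazon-provided DNS resolver (VPC base + 2)",
    "reserved by AWS for future use",
)


def reserved_addresses(cidr: str) -> dict:
    """Map each AWS-reserved address in the subnet to why it is unusable."""
    net = IPv4Network(cidr)              # raises if host bits are set, e.g. 10.0.1.5/24
    addrs = list(net)                    # includes network and broadcast addresses
    reserved = {str(a): role for a, role in zip(addrs[:4], RESERVED_ROLES)}
    reserved[str(addrs[-1])] = "network broadcast address"
    return reserved


def usable_addresses(cidr: str) -> int:
    """Addresses you can actually assign to ENIs in this subnet."""
    net = IPv4Network(cidr)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC subnets must be between /16 and /28")
    return net.num_addresses - 5


def plan_subnets(vpc_cidr: str, new_prefix: int, azs: list) -> list:
    """Carve a VPC into equal subnets, spread round-robin over the given AZs.
    Each subnet sits in exactly one AZ; an AZ may host several."""
    vpc = IPv4Network(vpc_cidr)
    return [
        {"cidr": str(subnet), "az": azs[i % len(azs)], "usable": usable_addresses(str(subnet))}
        for i, subnet in enumerate(vpc.subnets(new_prefix=new_prefix))
    ]
```

Worth noticing when sizing: a /28 gives only 11 usable addresses, and the "+2" resolver address is why security groups and NACLs that lock down DNS have to allow the VPC base + 2 address of the subnet's VPC.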
Is there 1 Internet Gateway attached to one VPC?
Yes
What does a NAT Instance help you do & what is it always behind?
NAT Instance lets instances in a private subnet reach the internet (patches, software downloads) without being reachable from it
- NEED to Disable Source/Destination Check on the instance
- ALWAYS behind a Security Group
- If it's a bottleneck, go up in instance size
What is a NAT Gateway and when do you use it?
NAT Gateway - a managed NAT instance that is redundant within its AZ and scales automatically
- use for Enterprise / production
- NO Security Group (control it with NACLs instead)
- Create one per AZ so a single AZ failure doesn't take out outbound access for every subnet
NACLs are evaluated before Security Groups. True or False bish?
TRUE BISH (inbound traffic hits the subnet NACL first, then the instance's security group; outbound is the reverse)
How many subnets do you need to provision an Elastic Load Balancer?
At least 2 subnets in different AZs (public subnets for an internet-facing load balancer)
What do VPC Flow Logs do?
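A model of the two filters and the order they are hit in, as an added example (not from the flashcards) for the NACL vs. Security Group cards above: NACL rules are walked lowest number first and a reply is just another packet that needs its own ephemeral-port rule, while a security group remembers admitted flows so replies pass with no outbound rule at all. The rules, addresses and ports are constructed for illustration; only the evaluation order and the stateless/stateful semantics follow AWS docs.

```python
"""Model of how traffic to an instance is filtered: the subnet's network ACL
(stateless, numbered allow/deny rules, first match wins) is evaluated before the
instance's security group (stateful, allow-only). Added example, not from the
flashcards; the rules, addresses and ports are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    number: int       # NACLs evaluate rules in ascending order; SG rules are unordered
    proto: str        # "tcp", "udp" or "all"
    ports: tuple      # inclusive (low, high) on the destination port
    cidr: str         # remote side: source for inbound, destination for outbound
    action: str       # "allow" or "deny" (security groups only ever use "allow")

    def matches(self, packet: Packet, direction: str) -> bool:
        remote = packet.src if direction == "inbound" else packet.dst
        return ((self.proto == "all" or self.proto == packet.proto)
                and self.ports[0] <= packet.dst_port <= self.ports[1]
                and ip_address(remote) in ip_network(self.cidr))


def nacl_decide(rules: list, packet: Packet, direction: str) -> str:
    """Stateless: lowest-numbered matching rule wins; no match is the '*' implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(packet, direction):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful: an admitted flow is remembered, so its return traffic passes
    without any outbound rule. There is no 'deny'; unmatched traffic is dropped."""

    def __init__(self, inbound: list, outbound: list):
        self.rules = {"inbound": inbound, "outbound": outbound}
        self.flows = set()   # 5-tuples of flows already admitted

    def decide(self, packet: Packet, direction: str) -> str:
        reply_of = (packet.proto, packet.dst, packet.dst_port, packet.src, packet.src_port)
        if reply_of in self.flows:
            return "allow"                         # connection tracking
        if any(r.matches(packet, direction) for r in self.rules[direction]):
            self.flows.add((packet.proto, packet.src, packet.src_port, packet.dst, packet.dst_port))
            return "allow"
        return "deny"


def reply_to(p: Packet) -> Packet:
    return Packet(src=p.dst, src_port=p.dst_port, dst=p.src, dst_port=p.src_port, proto=p.proto)


def round_trip(nacl_in: list, nacl_out: list, sg: SecurityGroup, request: Packet) -> str:
    """Walk a request into the instance and its reply back out, in AWS's order:
    NACL then SG on the way in, SG then NACL on the way out."""
    stages = [
        ("request at subnet NACL (inbound)", lambda: nacl_decide(nacl_in, request, "inbound")),
        ("request at security group (inbound)", lambda: sg.decide(request, "inbound")),
        ("reply at security group (outbound)", lambda: sg.decide(reply_to(request), "outbound")),
        ("reply at subnet NACL (outbound)", lambda: nacl_decide(nacl_out, reply_to(request), "outbound")),
    ]
    for name, check in stages:
        if check() == "deny":
            return "denied: " + name
    return "allowed"


# Constructed scenario: a web server at 10.0.1.10 in subnet 10.0.1.0/24
WEB_SG_RULES = [Rule(0, "tcp", (443, 443), "0.0.0.0/0", "allow")]
NACL_IN = [
    Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    Rule(110, "tcp", (443, 443), "198.51.100.0/24", "deny"),   # never reached: 100 matched first
]
NACL_IN_FIXED = [Rule(90, "tcp", (443, 443), "198.51.100.0/24", "deny")] + NACL_IN[:1]
NACL_OUT_OK = [Rule(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow")]  # ephemeral reply ports
NACL_OUT_NO_EPHEMERAL = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
CLIENT = Packet("203.0.113.5", 51234, "10.0.1.10", 443)
BLOCKED_CLIENT = Packet("198.51.100.7", 40000, "10.0.1.10", 443)


def scenarios() -> dict:
    def fresh_sg():
        return SecurityGroup(inbound=WEB_SG_RULES, outbound=[])   # no outbound rule; replies still flow
    return {
        "normal": round_trip(NACL_IN, NACL_OUT_OK, fresh_sg(), CLIENT),
        "nacl_missing_ephemeral": round_trip(NACL_IN, NACL_OUT_NO_EPHEMERAL, fresh_sg(), CLIENT),
        "deny_after_allow": round_trip(NACL_IN, NACL_OUT_OK, fresh_sg(), BLOCKED_CLIENT),
        "deny_before_allow": round_trip(NACL_IN_FIXED, NACL_OUT_OK, fresh_sg(), BLOCKED_CLIENT),
    }
```

Two practical takeaways the cards hint at: a NACL deny that is numbered higher than a broad allow does nothing, and a NACL without an outbound ephemeral-port (1024-65535) allow silently drops every reply even though the security group would have let it through.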
- capture information on the IP traffic going in and out of network interfaces in a VPC
- can be stored in CloudWatch Logs or S3
- can be created at VPC, Subnet, or Network Interface level
What is a VPC Endpoint?
- Connects VPC to AWS services powered by PrivateLink (virtual devices)
- Traffic doesn’t leave Amazon network
- Interface and Gateway endpoints
What are the two types of VPC Endpoints and what do they do?
Interface Endpoints - an ENI with a private IP address in your subnet that acts as the entry point for traffic to the service (powered by PrivateLink)
Gateway Endpoints - a target in your route table, not an ENI - supports S3 and DynamoDB only
What is an Egress-Only Internet Gateway?
Allows IPv6 instances in a VPC to reach the internet while blocking inbound IPv6 connections (the IPv6 equivalent of a NAT gateway)
Which layers do Application, Network and Classic Load Balancers work on, respectively?
Application Load Balancer = Layer 7 & application aware (path/host based routing)
Network Load Balancer = Layer 4 - extreme performance, static IPs
Classic = Layer 7-specific features (X-Forwarded-For, sticky sessions) + strict Layer 4
What does a X-forwarded-for header get? (Classic Load Balancer)
A user’s public IPv4 address
How are instances monitored by ELBs reported as?
InService/OutOfService
What do you use for Disaster Recovery and for Performance?
Multi-AZ = DR; Read Replicas (and caching with ElastiCache) = Performance
What are the JSON (or YAML) files that CloudFormation is based off of?
TEMPLATES BITCH; a deployed template, together with all the resources it created, is a STACK
What is AWS Quick Start?
Quick Start is a bunch of CloudFormation templates already built to create complex environments quickly
Can you use the secondary database as an independent read node if you have deployed an RDS database into Multi-AZ?
NO YA BOOB
Describe SQS vs SNS.
SQS - pull based - polling, messaging queue for web service - DECOUPLING
SNS - push-based, notifications to subscribers
How long can messages in a SQS queue be kept?
1 minute - 14 days, default retention is 4 days
In terms of SQS, what is the visibility timeout?
Time a message is invisible in the queue to other consumers after one consumer receives it
- if the consumer deletes the message before the timeout expires, it's gone for good
- if not, it becomes visible again and gets redelivered; if you see duplicate messages, increase this time limit (or call ChangeMessageVisibility while working)
- default is 30 seconds, max value is 12 hours
For SWF (Simple Workflow Service), can a task be duplicated?
No, a task is assigned only once and is never duplicated
- SWF = coordination of tasks
- may have human component
- Actors, starters, deciders, activity workers
API Gateway is…
fully managed service to publish and manage API to scale access data or functionality from back-end services
- think LAMBDA
- FRONT DOOR to aws
What does CORS do?
- enables the browser to request a resource outside of the domain of the first resource
- use when js/ajax
- enable on Api Gateway
What do you enable if you see “Origin policy cannot be read at the remote resource.”
CORS on the API Gateway
What is Amazon Kinesis?
helps you continuously collect and process streaming data (Kinesis Video Streams is the media variant)
- can use Kinesis Data Analytics on both Streams and Firehose
Explain Kinesis Data Streams
- Streams persistently store data for 24 hrs by default, configurable up to 7 days (the exam-era limit; longer retention has since been added)
- uses Shards to store data; you write and scale the consumers yourself
Explain Kinesis Data Firehose
- delivers data to a destination as it comes in, with optional Lambda transformation on the way
- no persistent storage, no shards to manage
- best for Transforming and loading data into S3, Redshift, Elasticsearch/OpenSearch, Splunk
What is always recommended for mobile apps in terms of sign up and sign in?
AWS Cognito, a Web Identity Federation Service
- sign in/up w Facebook, google, etc via token exchange
What are the two different types of Cognito Pools?
Cognito User Pools = user directory - manages username, passwords and actual user sign in via JWT
Cognito Identity Pools = gives AWS credentials to services themselves (S3 or DynamoDB)
How does Lambda scale?
Scales out automatically: each concurrent request gets its own function instance (up to the account concurrency limit)
What 2 factors does Lambda pricing depend on?
- Number of requests (first million per month are free)
- Duration (how long the function runs, billed in GB-seconds, so the memory you allocate multiplies the cost)
Which service is an asynchronous (non-direct) trigger for Lambda and which cannot trigger Lambda?
Asynchronous = S3 (event notifications invoke Lambda asynchronously)
Can't trigger Lambda directly = RDS (publish RDS events to SNS and subscribe Lambda to that)
What can you use to identify a Lambda?
Its ARN
Name 3 services that support hyper-threading on one or more virtual CPUs.
EC2, ECS, Lambda
What is Amazon Lightsail?
Creates virtual private servers on the cloud
Are IAM Roles and Route53 global across a console?
Ya betch ur ass
DynamoDB uses parallel processing to have predictable performance and does so by utilizing these two things:
- SSD storage
- partitioned across multiple nodes
Name 3 things that AWS does NOT copy over when you copy an AMI (you have to re-create them on the new AMI)
- Launch permissions
- user-defined tags
- S3 bucket permissions from source AMI to new AMI
What metric does CloudWatch NOT have? (What metric do you need to make custom to track with CloudWatch)
Memory Usage
Explain Virtual-hosted Style, Path Style, Legacy Global, and Static Website Hosting URL naming conventions.
Virtual-hosted = https://bucketname.s3.region.amazonaws.com/key
Path = https://s3.region.amazonaws.com/bucketname/key (AWS is phasing path-style out for new buckets)
Legacy Global = https://bucketname.s3.amazonaws.com/key (no region in the hostname)
Static website = http://bucketname.s3-website-region.amazonaws.com (HTTP only; put CloudFront in front for HTTPS)
What are the default rates for logging metrics in CloudWatch for an EC2 instance?
every 5 minutes default,
every 1 minute detailed
Do you need to make DynamoDB Multi-AZ?
No, it's a Regional service that is already replicated across 3 AZs (better for stateless apps)
Which Storage Gateway configuration would you use to store files on AWS with low-latency local access?
- File Gateway (NFS/SMB share backed by S3, with a local cache)
- Cached Volumes (iSCSI volumes stored in S3 with frequently used data cached on-prem)
What is Amazon WorkSpaces?
Serves virtual cloud-based desktop sessions to your desktop/laptop users (Windows or Linux)
- A browser inside a WorkSpace can reach web servers through a NAT Gateway, because the traffic is initiated from the WorkSpace itself
- Requires a directory (AWS Managed Microsoft AD, Simple AD or AD Connector) for authentication, and each WorkSpace gets its own ENI in your VPC
Which two services allows you root-level access to underling OS?
EMR and EC2 (hEE heEEE)
- can SSH to access the OS
Can you enable hibernation on an existing instance? Ex. to re-use it later?
NO, Hibernation can be enabled only at instance launch and not when running or stopped
Is encrypting an existing RDS DB instance currently supported? Will an outage be required?
NO! You can't turn encryption on in place. Either snapshot the instance, copy the snapshot with encryption enabled and restore a new instance from the encrypted copy, or create a new encrypted instance and migrate the data into it.
And yes, an outage will be required for the cutover.
How do you reduce the number of empty responses from SQS?
Use long polling by setting "ReceiveMessageWaitTimeSeconds" > 0 (max 20 seconds), on the queue or per ReceiveMessage call
What should you use to upload files that are greater than 100 MB?
Multipart Upload! Recommended above 100 MB and required for objects larger than 5 GB (the single PUT limit); max object size is 5 TB
List the two ways RDS provides to back up and restore DB instances:
1. Automated Backups (daily snapshot + transaction logs, point-in-time restore)
2. Manual DB snapshots (kept until you delete them)
How do you encrypt data on S3 at rest?
- Enable Server-Side Encryption (SSE-S3 applies AES-256 with S3-managed keys; SSE-KMS if you need key policies and an audit trail); set a bucket default so every new object gets it
- Encrypt data locally with your own keys and upload the ciphertext (client-side encryption)
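The SQS cards (DelaySeconds, VisibilityTimeout and duplicate deliveries above, long polling here) all describe timing behaviour, so here they are driven through a fake clock as one added example (not from the flashcards). The in-memory queue below is a model, not the SQS API; the message bodies are made up, but the defaults in the constructor are SQS's.

```python
"""In-memory model of standard-queue SQS delivery: DelaySeconds hides a new
message from consumers, VisibilityTimeout hides a received message until it is
deleted, an undeleted message is redelivered (at-least-once), and long polling
waits for a message instead of returning empty. Added example, not from the
flashcards; it drives a fake clock so the outcomes are deterministic, and the
message bodies are made up."""
import itertools


class FakeQueue:
    def __init__(self, visibility_timeout=30, delay_seconds=0, retention=4 * 24 * 3600):
        self.visibility_timeout = visibility_timeout   # SQS default 30 s, max 12 h
        self.delay_seconds = delay_seconds             # SQS default 0, max 15 min
        self.retention = retention                     # SQS default 4 days, max 14 days
        self.now = 0                                   # fake clock, seconds
        self._ids = itertools.count(1)
        self._msgs = {}                                # id -> message state

    def tick(self, seconds: int) -> None:
        self.now += seconds
        expired = [mid for mid, m in self._msgs.items() if self.now - m["sent_at"] >= self.retention]
        for mid in expired:                            # retention applies even to in-flight messages
            del self._msgs[mid]

    def send(self, body: str, delay_seconds=None) -> int:
        delay = self.delay_seconds if delay_seconds is None else delay_seconds
        mid = next(self._ids)
        self._msgs[mid] = {"body": body, "sent_at": self.now,
                           "visible_at": self.now + delay, "receives": 0}
        return mid

    def _visible(self):
        return sorted(mid for mid, m in self._msgs.items() if m["visible_at"] <= self.now)

    def receive(self, wait_time_seconds: int = 0, max_messages: int = 1) -> list:
        """wait_time_seconds=0 is a short poll (may return empty immediately);
        1..20 is a long poll that waits for something to become visible."""
        deadline = self.now + wait_time_seconds
        while not self._visible() and self.now < deadline:
            self.tick(1)
        out = []
        for mid in self._visible()[:max_messages]:
            m = self._msgs[mid]
            m["visible_at"] = self.now + self.visibility_timeout   # hidden while being processed
            m["receives"] += 1
            out.append({"id": mid, "body": m["body"],
                        "receipt": f"{mid}:{m['receives']}", "receives": m["receives"]})
        return out

    def delete(self, receipt: str) -> None:
        self._msgs.pop(int(receipt.split(":")[0]), None)

    def change_visibility(self, receipt: str, timeout: int) -> None:
        """ChangeMessageVisibility: a consumer that needs longer extends the hide time."""
        self._msgs[int(receipt.split(":")[0])]["visible_at"] = self.now + timeout


def delay_scenario():
    """DelaySeconds: the message exists but nobody can receive it for 10 s."""
    q = FakeQueue(delay_seconds=10)
    q.send("order-1")
    before = q.receive()
    q.tick(10)
    after = q.receive()
    return len(before), [m["body"] for m in after]


def slow_consumer_scenario(visibility_timeout: int, processing_time: int, extend=False) -> int:
    """How many times a second worker receives the same message while the first
    is still processing. 1 means a duplicate: the fix is a longer timeout
    (or a ChangeMessageVisibility call while working)."""
    q = FakeQueue(visibility_timeout=visibility_timeout)
    q.send("charge-card")
    first = q.receive()[0]
    if extend:
        q.change_visibility(first["receipt"], processing_time + 5)
    q.tick(processing_time)
    second = q.receive()
    q.delete(first["receipt"])
    return len(second)


def long_poll_scenario():
    """A message that becomes visible 3 s after polling starts: the short poll
    returns empty, the long poll returns it and the clock shows it waited 3 s."""
    q = FakeQueue()
    q.send("event", delay_seconds=3)
    short = q.receive(wait_time_seconds=0)
    long = q.receive(wait_time_seconds=20)
    return len(short), len(long), q.now
```

The slow-consumer case is the one that bites in production: a consumer that takes longer than the visibility timeout does not fail, it just causes a second worker to process the same message, so anything with side effects (charging a card, sending an email) needs to be idempotent as well as given a generous timeout.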
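Turning "enable server-side encryption" into something enforced rather than hoped for, as an added example (not from the flashcards): a bucket policy that denies any PutObject without the SSE header, plus a small evaluator that shows which requests it stops. The bucket name is made up and the evaluator implements only the IAM condition operators this policy uses; the two-statement shape (StringNotEquals plus Null) follows the pattern in the AWS docs.

```python
"""A bucket policy that rejects PutObject requests that do not ask for server-side
encryption, plus a small evaluator that shows which requests it stops. Added
example, not from the flashcards; the bucket name is made up and the evaluator
implements only the IAM condition operators this policy uses."""
import json
from fnmatch import fnmatchcase

BUCKET = "confidential-data-example"          # hypothetical bucket
SSE_KEY = "s3:x-amz-server-side-encryption"   # condition key set from the request header


def deny_unencrypted_puts_policy(bucket: str = BUCKET, allowed=("AES256", "aws:kms")) -> dict:
    """Two statements, mirroring the AWS documentation pattern: one denies a wrong
    header value, the other denies a missing header (Null = true)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyWrongEncryptionHeader", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
             "Condition": {"StringNotEquals": {SSE_KEY: list(allowed)}}},
            {"Sid": "DenyMissingEncryptionHeader", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
             "Condition": {"Null": {SSE_KEY: "true"}}},
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Every operator/key pair must hold for the statement to apply."""
    for op, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = [str(w) for w in _as_list(wanted)]
            present = key in ctx
            if op == "Null":                       # "true" means the key must be absent
                if (wanted[0].lower() == "true") != (not present):
                    return False
            elif op == "StringEquals":
                if not present or ctx[key] not in wanted:
                    return False
            elif op == "StringNotEquals":          # an absent key counts as "not equal"
                if present and ctx[key] in wanted:
                    return False
            else:
                raise NotImplementedError(op)
    return True


def _applies(stmt: dict, action: str, resource: str, ctx: dict) -> bool:
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), ctx))


def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    """Explicit Deny beats everything; then any Allow; otherwise implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _applies(s, action, resource, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


def put_is_rejected(sse_header, key: str = "reports/q1.xlsx") -> bool:
    """Would this bucket policy block a PutObject carrying the given
    x-amz-server-side-encryption header (None = header absent)? The policy has no
    Allow statements, so a request it does not reject still needs an Allow elsewhere."""
    ctx = {} if sse_header is None else {SSE_KEY: sse_header}
    resource = f"arn:aws:s3:::{BUCKET}/{key}"
    return evaluate(deny_unencrypted_puts_policy(), "s3:PutObject", resource, ctx) == "Deny"


def policy_json() -> str:
    return json.dumps(deny_unencrypted_puts_policy(), indent=2)
```

Two caveats when you use this for real: since January 2023 S3 applies SSE-S3 to every new object by default, so a policy like this mostly matters when you want to force SSE-KMS (pass allowed=("aws:kms",)); and SSE-C uploads use a different header (x-amz-server-side-encryption-customer-algorithm), so this policy rejects them too.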
What 2 fucking things do you need to SSH into the EC2 instance?
The key pair (your private key matching the public key on the instance) and a security group rule allowing inbound TCP 22 from your IP. Access keys are for the API/CLI, not SSH.
What is AWS Firewall Manager?
Service to manage firewall rules (WAF, Shield Advanced, security groups) centrally across accounts in AWS Organizations. Manager must be the Organizations management account or an administrator account it designates
Can you peer two VPCs with overlapping CIDR ranges assigned?
Absu-fucking-lootly not ya ASS HOLE
Does Route53 support DNSSEC or DNSKEY? Hmm hmn does it?
NO according to the practice test (the exam-era answer), but since December 2020 Route 53 supports DNSSEC signing for public hosted zones and DNSSEC validation in Route 53 Resolver
How many Elastic IP addresses can you have in a region?
5 (default soft limit, can be raised via a quota increase)
What happens when an EC2 instance with an Elastic IP is stopped and restarted?
1. Lose all instance store data
2. underlying host for the instance may be changed (the Elastic IP stays associated, so the public IP is preserved)
Elastic IP Addresses CANNOT be used with ELB, ALB or RDS. True or False
TRUE (one exception: a Network Load Balancer can be given one Elastic IP per AZ)
Perfect Forward Secrecy is used to offer SSL/TLS cipher suites for which 2 services?
CloudFront and Elastic Load Balancing
Using a Classic Load Balancer, you need to secure an application to allow many domains to serve SSL traffic on the same IP address.
- Make SSL certificates in AWS Certificate Manager
- Create a CloudFront web distribution (Classic LB does not support SNI; ALB does)
- Link certificate to distribution and enable SNI (Server Name Indication)
What events will make an Multi-AZ RDS automatically failover to the standby replica?
Loss of availability in primary AZ && Storage failure on primary DB
What happens when all primary resources are unhealthy?
Route53 will include only healthy secondary resources in response to DNS queries
What types of data would you want to store in EFS storage?
Big Data analytics, enterprise applications, database backups, developer tools, container storage
What 2 requirements must be met to integrate a standard S3 bucket and a web domain name registered with Route53?
S3 bucket name must == domain name (e.g. bucket "www.poopbutthole.com" for www.poopbutthole.com), then point an Alias record at the S3 website endpoint
Registered domain name
What do you need to log into an EC2 instance?
Key pairs
Which EBS storage class for large, sequential I/O operations?
Both HDD types are built for large sequential I/O: st1 (Throughput Optimized) for frequently accessed data, sc1 (Cold HDD) for infrequently accessed data at the lowest cost
What is the unique Amazon Cognito identifier that it returns as a temporary, limited-privilege credential?
Cognito ID (the identity ID from the identity pool, exchanged via STS for temporary credentials)
What are the 3 services that are destinations for S3 to publish events when enabling notifications?
Lambda, SQS, SNS (EventBridge was added as a destination later)