Pre-exam Flashcards

Question 1

Q

What can you use NACL for?

Answer

A

you can monitor IP addresses

Question 2

Q

NACL, deny or allow rules?

Answer

A

Can both make deny and allow rules. Must also create both inbound and outbound rules (stateless)

Question 3

Q

what is stateful?

Answer

A

security groups = both inbound and outbound is created (stateful)

Question 4

Q

where can you not make deny rules?

Answer

A

in security groups = o Cannot make deny rules since everything is denied by default so you can only make allow rules

Question 5

Q

what is ElastiCache for?

Answer

A

= to store session state data + improve performance through caching

Question 6

Q

What are the two properties of Redis?

Answer

A

Redis Elasticache = persistent storage, key-value storage

Question 7

Q

What are the two properties of Memcached?

Answer

A

o Not persistent

o High-performance distributed memory cache service

Question 8

Q

what are VPC endpoints for?

Answer

A

PrivateLink = ensures traffic does not traverse the internet

Question 9

Q

what is Gateway endpoint?

Answer

A

VPC endpoint for S3 + DynamoDB

Question 10

Q

what is Interface endpoint?

Answer

A

VPC endpoint for almost all services (just not s3 and DynamoDB which is for gateway endpoint)

Question 11

Q

what is s3 for?

Answer

A

object-based storage

Question 12

Q

how is the consistency for S3?

Answer

A

o Read after write for PUT

o Eventual consistency for deletes and modifications of objects

Question 13

Q

what is efs for?

Answer

A

file-storage, NFSv4.1 protocol, also works with block, concurrent ec2 instances.

also good for big data and analytics

Question 14

Q

how is the consistency for efs?

Answer

A

o Reflects the last write always (always read after write)

Question 15

Q

what is DynamoDB for?

Answer

A

OLTP workloads
no-sql (schema-less)
serverless (no worry of infrastructure)

Question 16

Q

how is dynamo db indexed?

Answer

A

Indexed by primary key

Question 17

Q

what can DynamoDB not do?

Answer

A

No join across tables

Question 18

Q

how is consistency for dynamo db?

Answer

A

o Eventual consistent for writes

- Can enable “strongly consistent reads” to fix this

Question 19

Q

is dynamo db serverless?

Answer

A

yes, …. Unless using provisioned throughput

Question 20

Q

how can joins be made with aurora?

Answer

A

joins across multiple tables possible

Question 21

Q

how is consistency for aurora?

Answer

A

Low-latency write consistency

Question 22

Q

what is ALB for?

Answer

A

o HTTP/HTTPS (Layer 7)

o Host and path-based routing

Question 23

Q

what is NLB for?

Answer

A

o TCP, TLS, UDP, TCP_UDP, (Layer 4)

Question 24

Q

what is CLB for?

Answer

A

o TCP, Layer 4

o Proxy protocols = TCP as back-end always

Question 25

Q

how is multi-az replication?

Answer

A

synchronous (active-passive)

Question 26

Q

how is read replica replication?

Answer

A

Read replica = read performance improved, asynchronous

Question 27

Q

what are A records for?

Answer

A

Ipv4 (google.com to IP address)

Question 28

Q

what are AAAA records for?

Question 29

Q

what are Alias records for?

Answer

A

Used with apex (domain apex digitalcloud.training) to connect to ELB

Alias records let you route traffic to selected AWS resources, such as CloudFront distributions and Amazon S3 buckets. They also let you route traffic from one record in a hosted zone to another record.

Question 30

Q

what is PTR record?

Answer

A

solves an IP address to a fully-qualified domain name (FQDN) as an opposite to what A record does. PTR records are also called Reverse DNS records

Question 31

Q

what is identity federation?

Answer

A

= IAM supports federation for delegated access to the Console or AWS APIs

Question 32

Q

what is STS?

Answer

A

(for single-sign-on) web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (such as federated users from an on-premise directory)

Question 33

Q

what are Temporary security credentials ?

Answer

A

aws access key, secret key and security token. Valued for default 12 hours, min 15m, max 36h

Question 34

Q

what is SAML 2.0?

Answer

A

what is usually used for federation (authentication) and grants temporary access based on the users AD credentials so you can access IAM without having a user

Question 35

Q

what is Cognito for?

Answer

A

used to authenticate users to web and mobile apps

Question 36

Q

what is user pool?

Answer

A

Directory in Cognito. Users can sign in to web or mobile apps
Can also use Facebook, amazon, and SAML to log in

Question 37

Q

what is identity pool?

Answer

A

User can obtain temporary AWS credentials to access AWS services

Question 38

Q

what are the limits for EBS General Purpose?

Answer

A

1 GiB to 16 TiB, Max 16,000 iops

- 3 IOPS per GB up to 16,000

Question 39

Q

what are the limits for EBS IOPS optimized?

Answer

A

4 Gib to 16 TiB, max 64,000 iops

- Up to 50 IOPS per GB

Question 40

Q

what are the limits for EBS throughput optimized?

Answer

A

Volume 500 Gib to 16 TiB, can burst, max 500/mb/s per volume, 500iops

Question 41

Q

what are EBS magnetic optimized for?

Answer

A

Cheap for infrequently accessed

- can be a boot volume

Question 42

Q

what are the limits for EBS cold?

Answer

A

Volume 500 GiB to 16 TiB, max 250/mb/s per volume, 250 iops
Cannot be boot volume
cheapest version we have

Question 43

Q

what are some serverless applications?

Answer

A

API Gateway
Lambda
S3
DynamoDB
SNS
SQS
Kinesis
AWS Glue
AWS Fargate (in ECS)

Question 44

Q

what does Lambda track?

Answer

A

Lambda (tracks latency per request + number of requests + error requests)

Question 45

Q

what is Raid 0 for?

Answer

A

no redundancy but writes data to multiple disks. Increases performance

Question 46

Q

what is Raid 1 for?

Answer

A

improve redundancy / availability = mirror

Question 47

Q

what is kinesis streams for?

Answer

A

real-time processing of streaming data

Question 48

Q

what is kinesis firehose for?

Answer

A

delivers streams to AWS services such as S3, Splunk, Redshift and elasticsearch

Question 49

Q

what is kinesis analytics for?

Answer

A

processing and analyzing real-time streaming data

Question 50

Q

what does Elastic Network Adapter (ENA) offer?

Answer

A

high-performance-computing/network,

Question 51

Q

what does Elastic Fabric Adapter (EFA) offer?

Answer

A

o High-performance-computing (HPC) for machine learning

o OS by-pass functionality

Question 52

Q

what is Active-passive ?

Answer

A

failover policy. One instance running and one backup (Multi-az)

Question 53

Q

what is Active-active ?

Answer

A

multiple instances running at the same time

Question 54

Q

what is important about simple AD?

Answer

A

fully cloud-based… does not connect to on-premise

Question 55

Q

what is AD Connector for?

Answer

A

directory gateway to redirect requests to your on-premise AD and eliminates the need for direct synchronization = when you want to use an existing AD with AWS

Question 56

Q

what is a small and a big AD connector?

Answer

A

o Small connector up to 500 users

o Large connector for 500-4999

Question 57

Q

what is AD connector for Microsoft for?

Answer

A

best choice if +5000 users

Question 58

Q

what is custom origin for?

Answer

A

to avoid direct access to the instances behind (used with EC2)
(CloudFront)

Question 59

Q

what is RTMP for?

Answer

A

RTMP.= serve video files (stored in S3)

CloudFront

Question 60

Q

what is Web distribution for?

Answer

A

Web = serve files with http

CloudFront

Question 61

Q

what is CloudFormation for?

Answer

A

Provision infrastructure

- Describes exactly what resources are provisioned, their settings and changes to them

Question 62

Q

what is CloudWatch for?

Answer

A

monitoring

Question 63

Q

what is CloudTrail for?

Question 64

Q

what can you audit with CloudTrail?

Answer

A

Data Events: also known as data plane operations

- Management Events: also knows as control plane operations

Answer 63

A

File Gateway (NFS & SMB) = stored in S3
Volume Gateway (iSCSI)
o Stored volumes
o Cached volumes
Tape Gateway (VTL) = for archiving / backup

Answer 64

A

File Gateway (NFS & SMB) = stored in S3

Answer 65

A

Volume Gateway (iSCSI)
o Stored volumes
o Cached volumes

Answer 66

A

Tape Gateway (VTL) = for archiving / backup

Answer 67

A

automates application deployment to amazon ec2 instances, on-premises instances, or serverless Lambda functions

Answer 68

A

fully managed extract, transform and load service (ETL)

Answer 69

A

to mitigate DDoS attacks

Answer 70

A

self-service cloud-based contact center

Answer 71

A

HTTPS endpoints always, REST API,

Answer 72

A

improves availability and performance with both local and global users using static Anycast IP addresses

Answer 73

A

for software version control, hosts Git repositories

Answer 74

A

real time guidance to help provision resources following AWS best practices, reduce cost and increase performance and security, can display current usage and limits of services

Answer 75

A

Cloud Hardware Security Module… hardware-based storage solution for cryptographic keys.

Answer 76

A

Simple Notification Service, to send notifications through Lambda, HTTP/S, Email, SMS, SQS,

Answer 77

A

identifying IP address connecting to a web server through HTTP proxy or load balancer

Answer 78

A

for TCP/SSL

Answer 79

A

manages Database configurations

Answer 80

A

provide temporary access to a specific object to those who do not have AWS credentials

Answer 81

A

CloudFront signed cookies allow you to control who can access your content when you don’t want to change your current URLs or when you want to provide access to multiple restricted files, for example, all of the files in the subscribers’ area of a website

Answer 82

A

for CloudFront and ELB

Answer 83

A

coordinate multiple AWS services into serverless workflows (Lambda, ECS etc.) = orchestrate serverless workflows

Answer 84

A

allows VPC based IPv6 traffic

Answer 85

A

when you want to connect your network into the cloud and also directly access the internet from your VPC. IPsec AWS Site-to-Site VPN Connection

Answer 86

A

essentially just a “hub”/center for multiple VPN connections from different customer networks entering into AWS

Answer 87

A

DynamoDB Streams help you to keep a list of item level changes or provide a list of item level changes that have taken place in the last 24hrs. Amazon DynamoDB is integrated with AWS Lambda so that you can create triggers—pieces of code that automatically respond to events in DynamoDB Streams

Answer 88

A

AWS Policy Generator to create a bucket policy for your Amazon S3 bucket. Bucket policies can be used to grant permissions to objects
You can define permissions on objects when uploading and at any time afterwards using the AWS Management Console.
You cannot use a bucket ACL to grant permissions to objects within the bucket. You must explicitly assign the permissions to each object through an ACL attached as a subresource to that object

Answer 89

A

A password policy can be defined for enforcing password length, complexity etc. (applies to all users)
You can allow or disallow the ability to change passwords using an IAM policy and you should attach this to the group that contains the users, not to the individual users themselves

Answer 90

A

With Server Name Indication (SNI) a client indicates the hostname to connect to. SNI supports multiple secure websites using a single secure listener

Answer 91

A

Elastic Map Reduce (EMR) is used for processing and analyzing data using the Hadoop framework. It is not used for transforming streaming data

Answer 92

A

AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation

Answer 93

A

CloudFront is ideal for caching static content such as the files in this scenario and would increase performance

Answer 94

A

Kinesis Firehose which captures, transforms, and loads streaming data into “destinations” such as S3, RedShift, Elasticsearch and Splunk

Answer 95

A

Kinesis Streams

Answer 96

A

Querying such as SQL querying from S3 buckets

Answer 97

A

Scheduled scaling: Scaling based on a schedule allows you to set your own scaling schedule for predictable load changes. To configure your Auto Scaling group to scale based on a schedule, you create a scheduled action. This is ideal for situations where you know when and for how long you are going to need the additional capacity

Answer 98

A

Other AWS principals can then create a connection from their VPC to your endpoint service using an interface VPC endpoint. => to connect to another VPC’s endpoint

Answer 99

A

Server access logging provides detailed records for the requests that are made to a bucket. To track requests for access to your bucket, you can enable server access logging. Each access log record provides details about a single access request, such as the requester, bucket name, request time, request action, response status, and an error code,

Answer 100

A

The AWS KMS API can be used for encrypting data keys (envelope encryption)

Answer 101

A

AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources

Answer 102

A

AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount. Budget alerts can be sent via email and/or Amazon Simple Notification Service (SNS) topic

Answer 103

A

The AWS Cost Explorer is a free tool that allows you to view charts of your costs

Answer 104

A

The AWS Billing Dashboard can send alerts when you’re bill reaches certain thresholds but you must use AWS Budgets to created custom budgets that notify you when you are forecast to exceed a budget

Answer 105

A

Key pairs

Answer 106

A

Intelligent… NAT Gateway: A ‘middle-man’ sitting in your public subnet between your private subnet and the internet. Used to e.g. download updates for your instances or servers in the private subnet. Blocks all incoming traffic. Limited to 45Gbps.

Answer 107

A

NAT Instance: Basically, the same as NAT Gateway expect that you’re launching and controlling the instance (i.e. same as setting up an RDS versus creating an EC2 and using that as a server), you generally just want to use a NAT Gateway which is managed and also redundant across multiple EC2.

Answer 108

A

Eth0 (cannot Be moved), eth1 (can be detaches sand attached to other instances),

Elastic Network Interface (ENI): Can be used to attach multiple network interfaces to an instance, e.g. when you want one network interface in the public subnet with access to the internet, and another network interface on the same instance in a private subnet with access to the corporate network.

Answer 109

A

Bastion Host: Used to securely deliver remote (SSH / RDP) access to instances in a private subnet through the public internet. So, Bastion Hosts are used for secure access to instances in other networks, whereas NAT Gateway/Instances are used for outbound traffic to e.g. fetch an update to the server from the internet.

Answer 110

A

Internet Gateway (IGW): Serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses. What makes a subnet public is basically whether the subnet’s route-table directs traffic to the internet gateway.

Answer 111

A

AnyCast IP: Allows multiple instances to share the same IP address and is used with AWS Global Accelerator to give access to the instance that is closest to the user.

Answer 112

A

AWS WAF: a web application firewall service that helps protect your web apps from common exploits that could affect app availability, compromise security, or consume excessive resources. Although this can help you against DDoS attacks, AWS WAF alone is not enough to fully protect your VPC

Answer 113

A

AWS Firewall Manager: simplifies your AWS WAF administration and maintenance tasks across multiple accounts and resources.

Answer 114

A

Amazon GuardDuty: an intelligent threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads

Answer 115

A

AWS Transit Gateway: Enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway. With AWS Transit Gateway, you only have to create and manage a single connection from the central gateway into each Amazon VPC, on-premises data center, or remote office across your network.

Answer 116

A

Run Command: enables you to automate common administrative tasks and perform ad hoc configuration changes at scale. You can use Run Command from the console to configure instances without having to login to each instance.

Answer 117

A

Windows. Windows AMIs for Windows Server 2012 R2 and earlier include an optional service, the EC2Config service. EC2Config runs initial startup tasks when the instance is first started and then disables the

Answer 118

A

t enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

Answer 119

A

Amazon WorkSpaces is a managed, secure Desktop-as-a-Service (DaaS) solution. You can use Amazon WorkSpaces to provision either Windows or Linux desktops in just a few minutes and quickly scale to provide thousands of desktops to workers across the globe.

Answer 120

A

Graph databases, AWS Neptune: fast, reliable, fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets.

Answer 121

A

AWS Inspector: an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.

Answer 122

A

AWS SQS Polling: The ReceiveMessageWaitTimeSeconds is the queue attribute that determines whether you are using Short or Long polling. By default, its value is zero which means it is using Short polling. If it is set to a value greater than zero, then it is Long pollin

Answer 123

A

ROA authorizes Amazon to advertise an address range under a specific AS number. Used for Bring Your Own IP (BYOIP) when you want to transfer an on-premises IP- range to AWS.

Answer 124

A

CodeDeploy: a fully managed deployment service that automates software deployments to a variety of compute-services such as Amazon EC2, AWS Fargate, AWS Lambda, and your on-premises servers.

Answer 125

A

: When a Lambda function is called (invoked): Invoke: [cause a procedure to be carried out.]

Answer 126

A

CloudWatch Log Agents: provides an automated way to send log data to CloudWatch Logs from Amazon EC2 instances. A plug-in to the AWS CLI that pushes log data to CloudWatch Logs. A script (daemon) that initiates the process to push data to CloudWatch Logs. A cron job that ensures that the daemon is always running.

Answer 127

A

launch and run the world’s most popular high-performance file system. For workloads where speed matters, such as machine learning, high performance computing (HPC), video processing, and financial modeling. Works natively with S3 with a high-performance POSIX interface.

Answer 128

A

dedicated network connection from your premises to AWS. Connects you to a region and all AZs within that region.

Answer 129

A

AWS Consolidated Billing: consolidate billing and payment for multiple AWS accounts or multiple Amazon Internet Services accounts. Every organization in AWS Organizations has a master (payer) account that pays the charges of all the member (linked) accounts.

Answer 130

A

IAM Cross Account Access: by setting up cross-account access in this way, you don’t need to create individual IAM users in each account. In addition, users don’t have to sign out of one account and sign into another in order to access resources in different AWS accounts.

Answer 131

A

Read and write to ADs. Lightweight Directory Access Protocol (LDAP): a standard communications protocol used to read and write data to and from Active Directory. Some applications use LDAP to add, remove, or search users and groups in Active Directory or to transport credentials for authenticating users in Active Directory.

Answer 132

A

Global Tables: provides a fully managed solution for deploying a multi- region, multi-master database.

Answer 133

A

Cluster Subnet Group: allows you to specify a set of subnets in your VPC

Answer 134

A

S3 Static Website: Bucket name same as website and an Alias Record pointing to the bucket.

Answer 135

A

The cumulative size of attributes per item must fit within the maximum DynamoDB item size (400 KB). Recommended to use S3 to store objects larger than 400 KB.

Answer 136

A

Aurora Global Database: designed for globally distributed applications, allowing a single Amazon Aurora database to span multiple AWS regions.

Brainscape's Knowledge GenomeTM

Pre-exam Flashcards

Brainscape's Knowledge Genome^TM