Pre-exam SSA

Question 1

How would you connect to an RDS database using profile credentials specific to an EC2?

Answer 1

IAM DB authentication

Question 2

How long is an RDS auth token valid for?

Answer 2

15m

Question 3

Which DB engines support IAM auth in RDS?

Answer 3

MySQL and Postgres

Question 4

Is IAM DB auth in RDS over SSL?

Answer 4

Yes

Question 5

How would you grant access to a secret manager (e.g. parameter store or secret manager) from an ECS container, resource-based policy or IAM role?

Answer 5

IAM role - a resource based policy would be too broad

Question 6

If you have a legacy web-app with a static hard-coded IP address, how can you introduce some fault tolerance?

Answer 6

Can’t use ELB, so use lambda script to switch elastic IP from one instance to another if health check (written in the lambda) fails

Question 7

Can a single custom aurora endpoint handle different sorts of traffic and direct them to the correct instances?

Answer 7

Yes - read and write traffic can be sent to the relevant group of instances, or for read traffic to the read endpoint (which load balances across all read-capable instances)

Question 8

Does an aurora replica increase write capacity?

Answer 8

No - only read capacity. They can act as failover targets

Question 9

What is the most cost-effective EBS volume for high-throughput access to infrequently-accessed data?

Answer 9

Cold HDD (SC1) (good for throughput compared to IOPS, and fine for IA data)

Question 10

Which EBS volumes can be boot volumes?

Answer 10

Provisioned IOPS (IO1) and general purpose (GP2)

Question 11

What are the 3 deployment types available for lambda in CodeDeploy?

Answer 11

Canary (new version gets some traffic and then all the remaining later on)

Linear (more traffic shifted over time)

All at once (switch over straight away)

Question 12

What can you change about an EBS volume while it’s running?

Answer 12

If using a supported instance (all current generation) and storage was attached after 3rd November 2016, you can modify the volume’s size, type and IOPS capacity without service interruptions.

You can’t decrease the size of a volume (you’d have to migrate data to a new disk).

You can’t change an attached gp1 to st1 or sc1 (any of the magnetic family) - you have to detach first

Question 13

Can you take an EBS snapshot while an app is running?

Answer 13

Yes - an in-progress snapshot is not affected by ongoing reads and writes to the volume.

If you’re using a RAID config, you need to stop things, flush caches etc.

Question 14

How can you setup SNI SSL for a website in AWS?

Answer 14

Application Load Balancer

Cloudfront web distribution

NOT a classic load balancer

Question 15

What is the relationship between EBS volumes, EBS snapshots and EC2 instances in terms of the AZs they’re in?

Answer 15

EBS volume in one AZ

EBS volume can only be attached to an EC2 instance in the same AZ

Snapshots redundantly stored across multiple AZs

Question 16

What’s the easiest way to asynchronously process a simple request to an application?

Answer 16

Invoke a lambda function asynchronously

Question 17

Describe glacier expedited retrieval and provisioned retrieval capacity

Answer 17

Expedited retrieval is a way of retrieving archives quickly. Other ways are standard and bulk. Expedited is the most expensive, and for archives <250mb, is typically done within 1-5 minutes.

The speed of expedited retrieval will vary depending on load, so you can buy provisioned capacity to guarantee 150mb/s throughput. It’s expensive ($105 per unit per month).

Each unit guarantees 3 expedited retrievals every 5 minutes and up to 150mb/s of retrieval throughput

Question 18

Is read/write autoscaling enabled by default in DynamoDB?

Answer 18

No

Question 19

What is “edge to edge routing via a gateway” and is it supported?

Answer 19

Where two VPCs are peered and one of them has some gateway (e.g. a VPN or internet gateway) - the VPC without the gateway can’t route to the gateway in the other VPN

Question 20

What is “edge to edge routing via a gateway” and is it supported?

Answer 20

Where two VPCs are peered and one of them has some gateway (e.g. a VPN or internet gateway) - the VPC without the gateway can’t access resources on the OTHER SIDE of the gateway in the other VPC (e.g. a corporate network). Likewise, the resources in the corporate network couldn’t access the other VPC

Question 21

How can you configure active-active and active-passive routing in Route53?

Answer 21

These aren’t first class concepts in Route53.

Active-active: use any routing policy other than failover

Active-passive: use failover

Question 22

How would you lock down files in S3 to specific clients?

Answer 22

Use pre-signed S3 URLs and remove permissions for anyone else.

Could use S3 - set up an OAI and use CloudFront URLs or signed cookies.

Beware - some questions might give part of the solutions as a potential answer but you have to make sure everything is locked down

Question 23

How can you have SSL for multiple domains on an ALB?

Answer 23

Upload multiple certificates - ALB will use SNI to select the correct one

Use one certificate with Subject Alternative Name (SAN) - but you will have to reprovision the certificate every time you add a new domain

Question 24

What is the block size range for a VPC?

Answer 24

Between /16 and /28

Question 25

What IP address ranges are allowed in a VPC?

Answer 25

10/8

172. 16/12
173. 168/16

Question 26

In what scenario will you be billed for an on-demand instance being in the “stopping” state?

Answer 26

If it’s preparing to hibernate

Question 27

When might you use EFS over S3?

Answer 27

Low-latency file operations

Question 28

How can you enforce data retention and compliance requirements in glacier?

Answer 28

Use a vault lock policy

Question 29

How would you monitor memory usage on EC2 linux instances, and how does it relate to “Detailed monitoring”?

Answer 29

Install CloudWatch monitoring scripts to send in custom metrics.

Detailed monitoring increases the frequency of monitoring from 5 minutes to 1 minute

Question 30

How can you implement a cross-region DR plan for Redshift?

Answer 30

Enable cross-region snapshots for the Redshift cluster

Question 31

What additional info does RDS enhanced monitoring record?

Answer 31

RDS child processes
RDS processes
OS processes

Question 32

What does S3 server access logging provide that CloudTrail doesn’t?

Answer 32

Server access logging provides more detail on object-level operations, such as the referrer and turn-around time

Question 33

What are the default limits for number of EBS volumes and snapshots?

Answer 33

5,000 volumes

10,000 snapshots

Question 34

What is the storage to burst ratio for an EBS provisioned IOPS (IO1) volume?

Answer 34

It doesn’t have one - the IOPS are provisioned

Question 35

What does Systems Manager Agent (SSM Agent) do?

Answer 35

Allows actions from Systems Manager to be executed on the instance that it is installed on

Question 36

What is GuardDuty?

Answer 36

Intelligent threat detection. Monitors stuff like unusual API call patterns in your AWS account

Question 37

If you need to integrate an identity provider that uses LDAP with your VPC using IAM, what must you do?

Answer 37

Create a custom identity broker on the client side that uses STS to get short-lived credentials

Question 38

Can CloudTrail receive custom logs?

Answer 38

No

Question 39

Which service can help you make sure resources don’t go beyond service limits?

Answer 39

AWS Trusted Advisor

Question 40

What dynamic scaling policies does EC2 autoscaling support?

Answer 40

Target tracking scaling - increase/decrease capacity of group - bit like a boiler thermostat

Step scaling - vary capacity of group based on set of scaling adjustments (step adjustments) - different size steps depending on size of threshold breach (e.g. add 1 instance when cpu between 40 and 50, 2 instances when between 60 and 70 etc)

Simple scaling - based on single scaling adjustment

(Scheduled scaling is not considered dynamic)

Question 41

Are data moving between an encrypted EBS volume and an EC2 instance encrypted?

Answer 41

Yes. Encryption operations occur on the underlying servers that host the EC2 instances

Question 42

How can you remotely configure EC2 instances without using RDP/SSH?

Answer 42

Use Run Command, part of AWS Systems Manager

Question 43

What is EC2Config and EC2Launch?

Answer 43

EC2Launch replaces EC2Config. Both perform common configurations on Windows servers, e.g. routing and setting wallpaper to display instance info.

EC2Launch is a set of PowerShell scripts

Question 44

Are CloudTrail logs encrypted by default?

Answer 44

Yes, using S3 Server Side Encryption

Question 45

What CLI command might you use to find out why an instance was terminated?

Answer 45

aws ec2 describe-instances

Gives you a StateReason

Question 46

What’s the minimum file size for transitioning to standard_IA or onezone_IA?

Answer 46

128kb

Question 47

What’s the minimum storage time before transitioning current or previous objects between standard, standard_IA and onezone_IA?

Answer 47

30 days - this is the minimum storage time for these classes

Question 48

What’s the minimum storage time before transitioning current or previous objects from standard, standard_ia or onezone_IA to intelligent_tiering or glacier or glacier_deep_archive?

Answer 48

0 days

Question 49

What is File Gateway?

Answer 49

Part of Storage Gateway - provides NFS mounting and is only for flat files (it’s not block storage). Has a local cache for low-latency access to frequently accessed files.

Files are stored as S3 objects

Question 50

What sort of storage does Cached volumes and Stored volumes provide?

Answer 50

Block storage

Question 51

What is AWS Systems Manager Session Manager?

Answer 51

Allows management of EC2 instances via CLI or browser-based shell

Question 52

How does spot instance pricing work?

Answer 52

Not charge if AWS interrupt in first hour

If you interrupt in first hour, charged for whole hour

After first hour, charged to nearest second no matter who interrupts (apart from windows where you’ll pay for whole hour)

Question 53

What is AWS PrivateLink?

Answer 53

Allows IP-based connections within a VPC to AWS servies so traffic doesn’t leave the AWS network

You get ENIs to connect to

PrivateLink doesn’t yet support S3 or DynamoDB. You have to use a gateway, where you set up a route for traffic going to a particular IP address to direct it to an AWS service

Question 54

How can you prevent cryptographic data being lost in Cloud HSMs?

Answer 54

Daily backups

Multi-AZ

Secure with SGs

Don’t let admins enter an incorrect password more than twice!

Question 55

What are the maximum sizes of the EBS volumes?

Answer 55

GP2: 1GiB - 16TiB
IO1: 4GiB - 16TiB
ST1: 500GiB - 16TiB
SC1: 500GiB - 15TiB

Question 56

How can you capture detail about all requests going through an ALB? Where are the logs stored?

Answer 56

Enable access logging

Logs are stored as compressed files in S3 bucket that you specify

Question 57

How can you increase availability in RDS to accomodate OS patches and upgrades?

Answer 57

Multi-AZ. RDS applies updates by:

1. Upgrading the standby
2. Promoting the standby to primary
3. Upgrade new standby

Question 58

How can you control caching of objects in S3 behind CloudFront?

Answer 58

Use versioning

Question 59

Where are app and server logs stored when using Elastic Beanstalk?

Answer 59

App logs stored in S3.

Server logs optionally stored in S3 or CloudWatch.

Question 60

How can you resolve “insufficient capacity error” placement group errors?

Answer 60

Stop and restart instances in placement group (in an attempt to trigger migration to new hardware)

Question 61

How can you setup SSL comms between EC2 and RDS

Answer 61

Set rds.force_ssl parameter to true

Get AWS root cert and install on EC2 boxes and use to initiate connections

Question 62

What are the reserved private IPs in a VPC?

Answer 62

First 4 and last 1 addresses in each subnet CIDR block.

.0 - Network address
.1 - Router
.2 - DNS
.3 - reserved for future use by AWS
.4 - multicast networking

Question 63

What is EC2 enhanced networking?

Answer 63

Provides high-performance networking on supported instances.

Uses single-root I/O virtualisation (SR-IOV) - method of device virtualization that provides higher IO and lower CPU utilisation compared to traditional virtualised network interfaces.

No additional charge

Question 64

What hypervisor is used for EC2?

Answer 64

Nitro (KVM)

Was Xen

Question 65

What are the virtualization types?

Answer 65

Paravirtual (PV) - historically performed better

Hardware Virtual Machine (HVM) - can take advantage of special hardware extensions

PV recommended