RANDOM Flashcards

1
Q

ALB/NLB weighted routing Policy

A

Although ALB/NLB support weighted routing, they can only span availability zones.

2
Q

SSL certificates Rotation condition

A
  • NOT ELIGIBLE if imported.
  • NOT ELIGIBLE if already expired.
3
Q

Trusted advisor checks

A

Trusted Advisor continuously evaluates your AWS environment using best practice checks across the categories of
* cost optimization,
* performance,
* resilience,
* security,
* operational excellence,
* and service limits,
and recommends actions to remediate any deviations from best practices.

It performs up to 50 service limit checks for free.

TA does not change settings or configuration. It only alerts you when you are approaching or crossing a certain threshold.
7 core checks (Basic or Developer Support):
* S3 Bucket Permissions - NOT objects
* Security Groups - Specific Ports Unrestricted
* IAM Use
* MFA on Root Account
* EBS Public Snapshots
* RDS Public Snapshots

3
Q

Trusted Advisor vs Service Health Dashboard

A

The Service Health Dashboard only provides information about the regional availability of a service. You should use AWS Trusted Advisor to monitor the service limits of the EC2 instance.

However, the Personal Health Dashboard is also available as a resource that details how the service situation affects your account.

4
Q

IAM Access Analyzer

A

Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. Access Analyzer identifies resources shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment.

- Access Analyzer helps identify resources in your organization and accounts that are shared with an external entity.
- Access Analyzer validates IAM policies against policy grammar and best practices.
- Access Analyzer generates IAM policies based on access activity in your AWS CloudTrail logs.

5
Q

IAM Policy Simulator

A

An IAM tool used for simulating all the permissions available to an identity or resource.

6
Q

AWS Well-Architected Tool

A

The AWS Well-Architected Tool is primarily used to review the state of your applications and workloads by comparing it with the architectural best practices and guidance in AWS. This tool is not capable of showing a preview of an upcoming permission change that you are about to implement.

7
Q

S3 inventory vs S3 Analytics

A

Amazon S3 inventory is one of the tools Amazon S3 provides to help manage your storage. You can use it to audit and report on the replication and encryption status of your objects for business, compliance, and regulatory needs. You can also simplify and speed up business workflows and big data jobs using Amazon S3 inventory, which provides a scheduled alternative to the Amazon S3 synchronous List API operation.
Amazon S3 inventory provides comma-separated values (CSV), Apache optimized row columnar (ORC) or Apache Parquet (Parquet) output files that list your objects and their corresponding metadata on a daily or weekly basis for an S3 bucket or a shared prefix (that is, objects that have names that begin with a common string).

S3 Analytics is primarily used to analyze storage access patterns to help you decide when to transition the right data to the right storage class. It does not provide a report containing the replication and encryption status of your objects.

8
Q

S3 Select

A

S3 Select is only used to retrieve specific data from the contents of an object using simple SQL expressions without having to retrieve the entire Bucket/object. It does not generate a detailed report, unlike S3 Inventory.

9
Q

IPV6 and EC2 types

A

An m3.large EC2 instance type does not support IPv6. You must resize the instance to a supported instance type, for example m4.large. Remember that configuring IPv6 is an optional step.
If you have an existing VPC that supports IPv4 only, and resources in your subnet that are configured to use IPv4 only, you can enable IPv6 support for your VPC and resources. Your VPC can operate in dual-stack mode: your resources can communicate over IPv4, IPv6, or both. IPv4 and IPv6 communication are independent of each other. You cannot disable IPv4 support for your VPC and subnets; it is the default IP addressing system for Amazon VPC and Amazon EC2.

10
Q

Enforce EBS Encryption

A

You can configure your AWS account to enforce the encryption of the new EBS volumes and snapshot copies that you create. For example, Amazon EBS encrypts the EBS volumes created when you launch an instance and the snapshots that you copy from an unencrypted snapshot.

11
Q

Dealing with EFS **PercentIOLimit**

A

**PercentIOLimit** - Shows how close a file system is to reaching the I/O limit of the General Purpose performance mode.

You can't change the performance mode configuration of an EFS file system right away. You need to migrate the data to another file system configured with your desired performance mode.

If this metric is at 100 percent more often than not, consider moving your application to a file system using the Max I/O performance mode.
If the PercentIOLimit percentage returned was at or near 100 percent for a significant amount of time during the test, your application should use the Max I/O performance mode. Otherwise, it should use the default General Purpose mode.
To move to a different performance mode, migrate the data to a different file system that was created in the other performance mode. You can use DataSync to transfer files between two EFS file systems: build a new EFS file system that is configured with Max I/O performance mode, then use AWS DataSync to migrate data to the newly created EFS file system.

12
Q

ELB Access Logs

A

Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as
- the time the request was received,
- the client's IP address,
- latencies,
- request paths,
- and server responses.

You can use these access logs to analyze traffic patterns and troubleshoot issues. Access logging is an optional feature of Elastic Load Balancing that is disabled by default. After you enable access logging for your application load balancer, Elastic Load Balancing captures the logs and stores them in the Amazon S3 bucket that you specify as compressed files. You can disable access logging at any time.

13
Q

VPC Flowlogs

A

Format (mnemonic for the fields of a flow log record):

**[ENI, FROM IP, TO IP, FROM Port, TO Port, 1,2, BYTES, x#*###, xx####x, CONDITION, OK]**

**Acronyms** (mnemonic): ENI, From, To, From, To, Bytes, OK

14
Q

NACL Use case

A

NACLs should only be used in specific cases where a particular IP address needs to be whitelisted or blocked, or in other fine-grained situations.

15
Q

VPC peering

A

One-to-one peering happens over a peering connection.
* Gets complicated across many VPCs
* VPC peering limit - 125 VPCs

16
Q

VPC Peering over transit gateway

A

Deployed into a Region, a Transit Gateway allows any-to-any VPC networking.

17
Q

Direct Connect

A

Direct Connect provides two kinds of logical connection:
1. AWS Public Service
2. VPC

18
Q

VPC Sharing Use case

A

Two accounts sharing a single subnet in a VPC, for:
1. Extending the CIDR quota; if you have exhausted your IP addresses, you can create a new VPC and deploy resources into it.
2. Two different teams sharing subnet resources (once security group settings are opened).
3. Avoiding too many peering connections.
4. Separation of power; the owner creates the VPC and other users can't make changes to it.

19
Q

Cloudwatch Billing Alarm

A

Can be used to track a spending threshold and alert an admin appropriately.

19
Q

Cloudwatch 3rd Party Integration

A

AWS CloudWatch supports uploading custom metrics from 3rd party apps and sources using the CLI and SDK.

To publish a single data point for a new or existing metric, use the put-metric-data command with one value and a timestamp (the options take double hyphens):
~$ aws cloudwatch put-metric-data --metric-name PageViewCount --namespace MyService --value 2 --timestamp 2018-10-10T08:00:00.000Z

20
Q

Managing and Tracking Bills

A

The AWS-generated tag createdBy is defined and applied to supported AWS resources for cost allocation purposes. To use AWS-generated tags, a management account owner must activate them in the Billing and Cost Management console. When a management account owner activates the tag, it is also activated for all member accounts.
After the tag is activated, AWS starts applying the tag to resources that are created after the AWS-generated tag was activated. AWS-generated tags are available only in the Billing and Cost Management console and reports, and don't appear anywhere else in the AWS console, including the AWS Tag Editor. The createdBy tag does not count towards your tags-per-resource limit.

21
Q

AWS Cost Explorer

A

Cost Explorer is a tool that enables you to view and analyze your costs and usage. You can explore your usage and costs using the main graph, the Cost Explorer cost and usage reports, or the Cost Explorer RI reports.
You can view data for up to the last 12 months, forecast how much you’re likely to spend for the next 12 months, and get recommendations for what Reserved Instances to purchase. You can use Cost Explorer to identify areas that need further inquiry and see trends that you can use to understand your costs.

22
Q

AutoScaling LifeCycle Hook

A

As your Auto Scaling group scales your EC2 instances out or in, you may want to perform custom actions before they start accepting traffic or before they get terminated. Auto Scaling lifecycle hooks allow you to perform custom actions during these stages.

23
Q

ALB Connection Draining

A

Connection draining only allows instances that are about to be deregistered to finish in-flight requests.

24
Q

Elasticache key points

A

Resharding - Redis

Online resharding and shard rebalancing allow you to scale your Redis cluster dynamically with no downtime and serve requests even while scaling or rebalancing.

Read Replica - Redis

25
Q

IAM Credential Report

A

The credentials report **lists all your IAM users in this account and the status of their various credentials.** After a report is created, it is stored for up to four hours.

26
Q

ELB Monitoring

A

ELB health checks are used to determine whether the EC2 instances behind the ELB are healthy or not. They do not capture monitoring information about the ELB itself.

The following are used for that purpose:
* ELB Access Logs
* CloudWatch Metrics
* CloudTrail

27
Q

EC2 restarting from a pending state: reasons

A

The following are a few reasons why your EC2 instance goes from the pending state to the terminated state immediately after restarting it:

  • You’ve reached your EBS volume limit.
  • An EBS snapshot is corrupt.
  • The root EBS volume is encrypted and you do not have permission to access the KMS key for decryption.
  • The instance store-backed AMI that you used to launch the instance is missing a required part (an image.part.xx file).
28
Q

EC2 Region Quota limit Symptoms

A

If you have reached the maximum number of EC2 instances allowed for your AWS account in a specific region, you would not be able to launch any new EC2 instances until you terminate some existing instances.

29
Q

Corrupt AMI

A

The instance will not launch.

30
Q

AWS No EC2 Capacity Available

A

AWS usually provides a message indicating the capacity issue. The message would indicate that the request cannot be fulfilled due to capacity constraints, and you would have to try again later or launch the instance in a different availability zone.

31
Q

Autoscaling Use Case/Integrations

A

Using AWS Auto Scaling, you can configure automatic scaling for all of the scalable resources powering your application from a single unified interface, including:

  • Amazon EC2: Launch or terminate Amazon EC2 instances in an Amazon EC2 Auto Scaling group.
  • Amazon EC2 Spot Fleets: Launch or terminate instances from an Amazon EC2 Spot Fleet or automatically replace instances that get interrupted for price or capacity reasons.
  • Amazon ECS: Adjust ECS service desired count up or down to respond to load variations.
  • Amazon DynamoDB: Enable a DynamoDB table or a global secondary index to increase its provisioned read and write capacity to handle sudden increases in traffic without request throttling.
  • Amazon Aurora: Dynamically adjust the number of Aurora Read Replicas provisioned for an Aurora DB cluster to handle sudden increases in active connections or workload.
32
Q

Cloudwatch metrics Math

A

You can also use CloudWatch metric math to aggregate and transform metrics from multiple accounts and Regions. Metric math enables you to query multiple CloudWatch metrics and use math expressions to create new time series based on these metrics. You can visualize the resulting time series on the CloudWatch console and add them to dashboards. Using AWS Lambda metrics as an example, you could divide the Errors metric by the Invocations metric to get an error rate. Then add the resulting time series to a graph on your CloudWatch dashboard.

33
Q

Cloudwatch Detailed Monitoring and Cost

A

CloudWatch **Detailed Monitoring** supports most AWS services, including Auto Scaling, and sends data every minute. Once enabled, detailed monitoring incurs an additional cost.

34
Q

GetObject vs ListBucket

A

s3:GetObject = arn:aws:s3:::tutorialsdojo/*
s3:ListBucket = arn:aws:s3:::tutorialsdojo

35
Q

EC2 Placement Group Scope

A

Placement groups can only span AZs, not regions.

36
Q

Elasticache Redis Scaling

A

By using online vertical scaling with Amazon ElastiCache for Redis version 3.2.10 or newer, you can scale your Redis clusters dynamically with minimal downtime. This allows your Redis cluster to serve requests even while scaling.
You can do the following:
- Scale up – Increase read and write capacity by adjusting the node type of your Redis cluster to use a larger node type.
ElastiCache dynamically resizes your cluster while remaining online and serving requests.
- Scale down – Reduce read and write capacity by adjusting the node type down to use a smaller node. Again, ElastiCache dynamically resizes your cluster while remaining online and serving requests. In this case, you reduce costs by downsizing the node.

37
Q

Shared responsibility effect on ELB-EC2 transit encryption

A

Encryption between ELB and EC2 is optional; therefore it is a customer responsibility.

38
Q

RDS Backup and Downtime

A

This is stated in the AWS documentation: Amazon RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases. Creating this DB snapshot on a Single-AZ DB instance results in a brief I/O suspension that can last from a few seconds to a few minutes, depending on the size and class of your DB instance. Multi-AZ DB instances are not affected by this I/O suspension since the backup is taken on standby.

39
Q

HTTP 503 S3 response

A

This is caused by S3 objects that have accumulated millions of versions.

To determine which S3 objects have millions of versions, use the Amazon S3 inventory tool. The inventory tool generates a report that provides a flat file list of the objects in a bucket.

40
Q

Cloudwatch actions on EC2

A

You can configure alarm actions to stop, start, or terminate an Amazon EC2 instance when certain criteria are met. In addition, you can create alarms that initiate Amazon EC2 Auto Scaling and Amazon Simple Notification Service (Amazon SNS) actions on your behalf.

41
Q

100s of thousands of IOPS

A

**Use Instance Store. Switch to an instance with larger storage capacity.**

Also achievable by using storage optimized instances, e.g. i3.4xlarge.

Instance store = 100s of thousands of IOPS

io1, io2 = 64,000 IOPS

42
Q

NAT Gateway vs ipv6

A

NAT gateways are not supported for IPv6 traffic, but you can use an egress-only Internet gateway instead.

43
Q

CloudFormation CLI **create-stack** command

A

The create-stack CloudFormation CLI command creates a stack as specified in the template. After the call completes successfully, the stack creation starts. You can check the status of the stack via the DescribeStacks API.
It has an optional --on-failure parameter which determines what action will be taken if stack creation fails. Its default value is ROLLBACK, which means that the CloudFormation service will automatically roll back the stack in the event of failures. The value must be one of the following: DO_NOTHING, ROLLBACK, or DELETE.

44
Q

Common Security threats

A

You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application.

45
Q

AWS Origin Shield

A

Origin Shield is a centralized caching layer in Amazon CloudFront that helps increase your cache hit ratio to reduce the load on your origin. This feature is not capable of protecting your application from SQL Injection, XSS, and other web vulnerabilities.

46
Q

AWS Network Firewall

A

AWS Network Firewall is mainly used to perform deep packet inspection on the inbound traffic of your Amazon VPC. This service is specifically designed to identify potential hacking attempts, but not to actively protect your web applications from SQL Injection or XSS.

47
Q

AWS Shield

A

Protects against DDoS attacks.

48
Q

AWS Artifact

A

AWS Artifact is your go-to central resource for compliance-related information that matters to you. It provides on-demand access to AWS' security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA).

49
Q

IAM Access Analyzer

A

AWS IAM Access Analyzer identifies the resources in your organization and accounts that are shared with an external entity. This is commonly used in identifying unintended access to your resources and data.

50
Q

EC2 Instance Metadata

A

This is data about your instance that you can use to configure or manage the running instance.

51
Q

SCP

A

Service control policies (SCPs) are simply a feature of AWS Organizations designed to set the maximum permissions that identities (users and roles) in member accounts can have. They cannot be directly associated with Directory Service users.

52
Q

RDS Proxy

A

RDS Proxy makes applications more resilient to database failures by automatically connecting to a standby DB instance while preserving application connections. By using RDS Proxy, you can also enforce AWS Identity and Access Management (IAM) authentication for databases and securely store credentials in AWS Secrets Manager.

RDS Proxy establishes a database connection pool and reuses connections in this pool without the memory and CPU overhead of opening a new database connection each time.

53
Q

AWS Client VPN vs Site-to-Site VPN

A

AWS VPN is comprised of two services: AWS Site-to-Site VPN and AWS Client VPN. AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). AWS Client VPN enables you to securely connect users to AWS or on-premises networks.

54
Q

ASG Healthcheck Grace Period

A

This time period delays the first health check until your instances finish initializing. It doesn’t prevent an instance from terminating when placed into a non-running state.

55
Q

Default Instance Warm-up

A

Default instance warmup is the amount of time that CloudWatch metrics for new instances do not contribute to the group’s aggregated instance metrics, as their usage data is not reliable yet.

56
Q

Instance scale-in protection

A

Scale-in protection prevents newly launched instances from being terminated by scaling activities. Make sure to remove scale-in protection for the group or individual instances when instances are ready to be terminated.

57
Q

EC2 Launch Error messages

A

When your EC2 instances fail to launch, you might get one or more of the following error messages:
- The requested configuration is currently not supported.
- The security group <name> does not exist. Launching EC2 instance failed.
- The key pair <key> does not exist. Launching EC2 instance failed.
- The requested Availability Zone is no longer supported. Please retry your request...
- Your requested instance type (<instance>) is not supported in your requested Availability Zone (<instance>)...
- Your Spot request price of 0.015 is lower than the minimum required Spot request fulfillment price of 0.0735...
- Invalid device name upload. Launching EC2 instance failed.
- Value (<name>) for parameter virtualName is invalid...
- EBS block device mappings not supported for instance-store AMIs.
- Placement groups may not be used with instances of type 'm1.large'. Launching EC2 instance failed.
- Client.InternalError: Client error on launch.
- We currently do not have sufficient <instance> capacity in the Availability Zone you requested... Launching EC2 instance failed.
- There is no Spot capacity available that matches your request. Launching EC2 instance failed.
- <number> instance(s) are already running. Launching EC2 instance failed.

58
Q

IDF and SSO

A

In an enterprise identity federation, you can authenticate users in your organization’s network and then provide those users access to AWS without creating new AWS identities for them and requiring them to sign in with a separate username and password. This is known as the single sign-on (SSO) approach to temporary access. AWS STS supports open standards like Security Assertion Markup Language (SAML) 2.0, with which you can use Microsoft AD FS to leverage your Microsoft Active Directory. You can also use SAML 2.0 to manage your own solution for federating user identities.

59
Q

IP Cidr Calculation

A

To determine the number of IP addresses in a subnet, you can use the formula

number of addresses = 2^(32 - subnet prefix length)

Here's the calculation for each of the provided subnets:

- 192.168.1.0/28: 2^(32-28) = 2^4 = 16, so there are 16 IP addresses in the subnet.
- 192.168.1.0/26: 2^(32-26) = 2^6 = 64, so there are 64 IP addresses in the subnet.
- 192.168.1.0/27: 2^(32-27) = 2^5 = 32, so there are 32 IP addresses in the subnet.
- 192.168.1.0/20: 2^(32-20) = 2^12 = 4096, so there are 4096 IP addresses in the subnet.

So, the number of IP addresses in each subnet is as follows:

192.168.1.0/28: 16 IP addresses
192.168.1.0/26: 64 IP addresses
192.168.1.0/27: 32 IP addresses
192.168.1.0/20: 4096 IP addresses

60
Q

Aurora AutoScaling

A

To meet your connectivity and workload requirements, Aurora Auto Scaling dynamically adjusts the number of Aurora Replicas provisioned for an Aurora DB cluster. Aurora Auto Scaling enables your Aurora DB cluster to handle sudden increases in connectivity or workload. When the connectivity or workload decreases, Aurora Auto Scaling removes unnecessary Aurora Replicas so that you don't pay for unused provisioned DB instances.

61
Q

Aurora ReplicaLag

A

You can use the AuroraReplicaLag metric to measure the lag in milliseconds between primary and reader instances. In the scenario, the application relies on the read replica to update the progress that it shows to users. Because of the increase in AuroraReplicaLag, the data stored in the reader instance will intermittently fall behind the data that’s being written in the primary instance. This will cause the application to display outdated progress to users.

62
Q

Amazon Inspector

A

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

63
Q

How to Validate Cloudtrail LogFile Integrity

A

To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. This feature is built using industry-standard algorithms: SHA-256 for hashing and SHA-256 with RSA for digital signing. This makes it computationally infeasible to modify, delete or forge CloudTrail log files without detection. You can use the AWS CLI to validate the files in the location where CloudTrail delivered them.

64
Q

SSH-EC2 Connection Prerequisite

A

For you to be able to SSH into your EC2 instances, you must satisfy the following requirements:
- You should have a public IP address or an Elastic IP address attached to your instance.
- Your instances should have passed both system status and instance status checks to know they are working correctly.
- You should have an internet gateway attached to your VPC to allow your instances access to the internet.
- You should have a route table that has the appropriate routes entered for all destinations via the Internet Gateway.
- Make sure that there is a default route or a route that specifies your desktop's IP address to allow communication between instances in the VPC and the Internet or your desktop.
- **Open TCP port 22.**

65
Q

Elastic IP Billing

A

Elastic IPs are not billed when attached to running instances.

66
Q

CF Change Sets vs Stack Sets

A

StackSets extend the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation.

ChangeSets
When you need to update your stack’s resources, you can modify the stack’s template. You don’t need to create a new stack and delete the old one. To update a stack, you can create a change set by submitting a modified version of the original stack template, different input parameter values, or both.

For example, if you change the name of an Amazon RDS database instance, AWS CloudFormation will create a new database and delete the old one. You will lose the data in the old database unless you’ve already backed it up. If you generate a change set, you will see that your change will cause your database to be replaced, and you will be able to plan accordingly before you update your stack.

A stack set lets you create stacks in AWS accounts across regions by using a single AWS CloudFormation template. All the resources included in each stack are defined by the stack set’s AWS CloudFormation template. As you create the stack set, you specify the template to use, as well as any parameters and capabilities that the template requires.

67
Q

Lambda Concurrency

A

One instance of a Lambda function handles one request at a time. When the number of requests increases, Lambda creates more instances of your function to process traffic. To ensure that your Lambda function runs at a specific capacity, set a reserved concurrency for the function. Reserved concurrency is the maximum number of concurrent instances for the function. When a function has reserved concurrency, no other function can use that concurrency.

68
Q

RDS Deletion Policy options

A

DeletionPolicy Options:
- Delete: The AWS CloudFormation service deletes the resource and all its content if applicable during stack deletion. You can add this deletion policy to any resource type.
- Retain: The AWS CloudFormation service keeps the resource without deleting the resource or its contents when its stack is deleted.
- Snapshot: The AWS CloudFormation service creates a snapshot for the resource before deleting it.

69
Q

AWS Service Limit Monitor

A

AWS Limit Monitor is a solution that automatically provisions the services necessary to proactively track resource usage and send notifications as you approach limits. The solution allows you to customize the service limits you want to check. It also includes an optional configuration to send notifications to an existing Slack channel.

The solution deploys AWS Lambda, Amazon CloudWatch, Amazon SQS, and Amazon DynamoDB. If you enable notifications, Amazon SNS is deployed. If you enable Slack notifications, AWS Systems Manager is deployed.

70
Q

AWS Responsibility (RDS)

A
  1. Periodically, Amazon RDS performs maintenance on Amazon RDS resources. Maintenance most often involves updates to the DB instance’s underlying operating system (OS) or database engine version. Updates to the operating system most often occur for security issues and should be done as soon as possible.
  2. You can restore a DB instance to a specific point in time, creating a new DB instance. RDS uploads transaction logs for DB instances to Amazon S3 every 5 minutes.
71
Q

How AWS config works

A

AWS Config continuously evaluates your AWS resource configurations for desired settings. Depending on the rule, AWS Config will evaluate your resources either in response to configuration changes or periodically. Each rule is associated with an AWS Lambda function, which contains the evaluation logic for the rule. When AWS Config evaluates your resources, it invokes the rule's AWS Lambda function. The function returns the compliance status of the evaluated resources. If a resource violates the conditions of a rule, AWS Config flags the resource and the rule as noncompliant. When the compliance status of a resource changes, AWS Config sends a notification to your Amazon SNS topic.

72
Q

On-Demand in Spot fleets

A

The request for On-Demand capacity in a Spot Fleet request ensures that there is always instance capacity. However, the question asks for a solution that focuses on cost optimization and not instance capacity.

73
Q

AWS Tag Editor

A

With Resource Groups, you can create, maintain, and view a collection of resources that share common tags. Tag Editor manages tags across services and AWS Regions. Tag Editor can perform a global search and can edit a large number of tags at one time.
