Rapid Fire Exam Questions Flashcards

1
Q

What is the ReplaceUnhealthy process used for in auto-scaling groups?

A

The ReplaceUnhealthy process is used to terminate/replace EC2 instances which have been marked as unhealthy during a health check performed by a load balancer or the EC2 service.

Processes in auto-scaling groups can be suspended/resumed at any time. This can be useful when performing maintenance on EC2 instances which are part of the ASG without triggering undesired actions.

2
Q

What happens when an EC2 instance’s status is modified from InService to Standby?

A

The Standby status is mainly used for updating + troubleshooting EC2 instances which are part of an auto-scaling group. Instances which are on Standby are still part of the Auto Scaling group, but they do not actively handle load balancer traffic.

When you put an instance on Standby, you can either decrement the desired capacity through this operation, or keep it at the same value. If you choose to decrement the desired capacity of the Auto Scaling group, this prevents the launch of an instance to replace the one on Standby. If you choose not to decrement the desired capacity of the Auto Scaling group, Amazon EC2 Auto Scaling launches an instance to replace the one on Standby.

3
Q

What is Kinesis Data Streams?

A

Amazon Kinesis Data Streams is a service which enables real-time processing of streaming big data. It provides ordering of records, as well as the ability to read and/or replay records in the same order to multiple Amazon Kinesis Applications.

4
Q

List 4 advantages/applications of Kinesis Data Streams.

A

1) Routing related records to the same record consumer (as in streaming MapReduce). For example, counting and aggregation are simpler when all records for a given key are routed to the same record processor.

2) Ordering of records. For example, you want to transfer log data from the application host to the processing/archival host while maintaining the order of log statements.

3) Ability for multiple applications to consume the same stream concurrently. For example, you have one application that updates a real-time dashboard and another that archives data to Amazon Redshift. You want both applications to consume data from the same stream concurrently and independently.

4) Ability to consume records in the same order a few hours later. For example, you have a billing application and an audit application that runs a few hours behind the billing application. Because Amazon Kinesis Data Streams stores data for up to 365 days, you can run the audit application up to 365 days behind the billing application.

5
Q

What software tools can be used to create or retrieve records from a shard in a Kinesis Data Stream?

A

The Amazon Kinesis Producer Library (KPL) can be used for creating/delivering records to a particular shard in a data stream.

The Amazon Kinesis Client Library (KCL) can be used for retrieving records stored in a particular shard.

Both the KPL/KCL are high-level libraries built on top of the AWS SDK.

6
Q

What are the min/max retention periods for records stored in a Kinesis Data Stream?

A

Between 1-365 days.

7
Q

List 3 different AWS services which can be set as a shard consumer in a Kinesis Data Stream.

A

1) AWS Lambda
2) Kinesis Data Firehose
3) Kinesis Data Analytics

8
Q

What is an Amazon S3 event notification? List 4 different AWS services which can be used as target destinations.

A

The Amazon S3 event notification feature enables AWS services to receive notifications when certain API calls are made and events are triggered in an S3 bucket (Ex: object creation). To enable notifications, you must first add a notification configuration which identifies the events you want Amazon S3 to publish and the destination where you want Amazon S3 to send the notifications. To send S3 event notifications from a single bucket to multiple destinations, a separate event notification must be configured for each destination.

Amazon S3 supports the following event destinations:

SNS Topics (not FIFO)
SQS Queues (not FIFO)
AWS Lambda Functions
Amazon EventBridge

Note that each AWS service which receives S3 event notifications must have a resource policy attached allowing access from the S3 bucket.

9
Q

What is object key name filtering and how is it used when configuring S3 event notifications?

A

Object key name filtering allows S3 event notifications to be configured which only send event notifications related to objects whose key names (prefix or suffix) match a particular filtering condition. Ex: only sending notifications originating from objects with a particular file extension (*.jpg).

Note that when configuring an S3 bucket to send event notifications to Amazon EventBridge, any/all events generated will be delivered to EventBridge. It is not possible to limit or filter which events are sent by either event type (Ex: S3:ObjectCreated) or using object key name filtering.

10
Q

Describe the AWS Glue service.

A

AWS Glue is a managed service for performing extract, transform, and load (ETL) operations using a serverless architecture and is commonly used to transform data in preparation for data analytics.

Ex: a Glue job could involve loading data from an S3 bucket or RDS DB, transforming it using a Lambda function, then loading into a RedShift Data Warehouse.

11
Q

Which AWS service can be used to convert data into the Apache Parquet or ORC file formats and why is this beneficial?

A

The AWS Glue service can be used to convert file formats (Ex: csv) into the ORC/Parquet formats. These are both columnar file formats for efficient data storage and retrieval. This is useful when employing AWS services such as Amazon Athena, which improves performance and saves costs by reducing the amount of data scanned during an SQL query.

12
Q

Describe an AWS architecture which can be used to automatically trigger a Glue job after uploading a file to an S3 bucket.

A

One architecture could involve using S3 event notifications triggered on object creation events and attached to either a Lambda function or Amazon EventBridge. This in turn could be used to trigger a Glue job on the S3 object which might transform the file and push it to another destination.

13
Q

What are Glue job bookmarks?

A

AWS Glue tracks data which has already been processed during a previous run of an ETL job by persisting information from the job run, known as a job bookmark. This helps AWS Glue maintain state information and prevent the reprocessing of old data.

With job bookmarks, you can process new data when rerunning on a scheduled interval. Ex: an ETL job might read only new partitions in an Amazon S3 file. AWS Glue tracks which partitions the job has processed successfully to prevent duplicate processing and duplicate data in the job’s target data store.

14
Q

List 3 types of data sources which can be tracked using a Glue job bookmark.

A

Glue job bookmarks are implemented for: JDBC data sources, the Relationalize transform, and S3 buckets.

15
Q

Describe the Amazon SageMaker service.

A

Amazon SageMaker is a managed service used to simplify the process of building and training machine-learning models for data scientists in a serverless fashion.

SageMaker can automate many common ML tasks, including: data labeling, ML model building, training, and deployment. This is all done using training data provided by the data scientist.

16
Q

What AWS service should be used when you’d like to analyze data stored in an S3 bucket using serverless SQL?

A

Amazon Athena.

17
Q

What are the advantages of launching EC2 instances using dedicated hardware?

A

Dedicated hosts and dedicated instances are EC2 purchasing options which are useful for companies which have strict regulatory/compliance requirements or software licenses which demand dedicated hardware. This can include legal requirements such as HIPAA which require dedicated infrastructure for storing patient information. EC2 instances launched using dedicated hardware do not share their physical resources with any other AWS accounts.

Dedicated purchasing options are also useful for software with complicated licensing models (BYOL - Bring Your Own License).

18
Q

What are the differences between the dedicated host and dedicated instance options when launching an EC2 instance?

A

Dedicated Instances are Amazon EC2 instances which run on hardware dedicated to a single customer. Dedicated Instances may share hardware with other instances from the same AWS account that are not Dedicated Instances.

With Dedicated Hosts, the entire physical server is reserved for a single AWS account. It does not change, it’s always the same physical machine for as long as you are paying. As soon as you ‘allocate’ a Dedicated Host, you start paying for the entire host.

A host computer is very large. In fact, it is the size of the largest instance of the selected family, but can be divided-up into smaller instances of the same family. (“You can run any number of instances up to the core capacity associated with the host.”)

Any instances that run on that Host are not charged, since you are already being billed for the Host. That is why a Dedicated Host is more expensive than a Dedicated Instance – the charge is for the whole host.

19
Q

What are the minimum and maximum retention periods for messages stored in an SQS queue? What is the default retention period?

A

The default retention period for messages stored in an SQS queue is 4 days. The min/max ranges are between 1 min. and 14 days.

20
Q

What are the minimum and maximum sizes (in KB) allowed when submitting messages to an SQS queue?

A

1-256 KB.

21
Q

How many messages can be stored simultaneously in an SQS message queue?

A

A single SQS message queue can contain an unlimited number of messages. However, there is a limit on the number of in-flight messages allowed for both standard and FIFO queues.

Messages are in-flight after they have been received from the queue by a consuming component, but have not yet been deleted from the queue. However, there is a limit of 120,000 messages for the number of in-flight messages for a standard queue and 20,000 messages for a FIFO queue.

22
Q

An IAM user successfully creates a Route 53 CNAME record for a domain called ‘www.example.com’ but when trying to create a similar record for ‘example.com’, the request failed. Why is this?

A

‘example.com’ is an example of a second-level domain (SLD), also known as a Zone Apex. It is not possible to create CNAME records for either TLDs or SLDs.

23
Q

What is a Route 53 hosted zone? What are the two types of hosted zones available in AWS?

A

A Route 53 hosted zone is a container for records which define how to route traffic for a particular domain and any of its subdomains. Hosted zones come in two varieties: public and private.

Public hosted zones contain records specifying how to route traffic over the internet (Ex: www.google.com). Public hosted zones connect public domain names (which must be purchased) to public IP addresses.

Private hosted zones instead contain records specifying how to route traffic within one or more VPCs. Private hosted zones connect private domain names to private IP addresses.

24
Q

What is the default TTL for records returned in Route 53 DNS queries?

A

300 seconds.

25
Q

What is an NS record?

A

NS stands for ‘nameserver,’ and the nameserver record indicates which DNS server is authoritative for that domain (i.e. which server contains the actual DNS records). Basically, NS records tell the Internet where to go to find out a domain’s IP address.

26
Q

What are the differences between CNAME records and Alias records when resolving DNS queries in Route 53?

A

CNAME records are used to redirect a hostname to any other hostname (Ex: www.google.com -> google.com). The client will then perform a subsequent DNS query using the value from the CNAME record to obtain the IP address for routing traffic.

Note that a CNAME record cannot be used to route the root domain to a subdomain (Ex: google.com -> www.google.com).

Alias records are unique to the Route 53 service and are used to redirect a hostname to an AWS resource. Unlike CNAME records, alias records can be used to route a root domain to a subdomain. Aliases are also free of charge and have a built-in health check.

27
Q

List 8 valid AWS resource targets which can be set as the value of an Alias record. Which AWS service/resource is a notable exception?

A

Valid Alias record targets include:
1) Elastic Load Balancers
2) CloudFront Distributions
3) API Gateway
4) Elastic Beanstalk Environments
5) S3 Static Websites
6) VPC Interface Endpoints
7) Global Accelerator
8) Any other Route 53 record in the same hosted zone.

Note that EC2 instances cannot be set as the value of an Alias record in Route 53.

28
Q

List 8 different routing policies which can be applied to a hosted zone in Route 53.

A

1) Simple
2) Weighted
3) Latency
4) Failover
5) Geolocation
6) Geoproximity
7) IP-based
8) Multi-Value

29
Q

Describe the simple routing policy in Route 53. What happens if there are multiple values attached to the same DNS record?

A

The simple routing policy is the most common routing policy employed in Route 53. It is used to route traffic to a single destination. Note that simple routing is not compatible with AWS Health Checks.

It is possible for a DNS record to contain multiple values (Ex: an A-record with multiple IP addresses listed). If this is the case, in simple routing the client machine will randomly select one of the values contained in the record to use as a destination for traffic.

30
Q

Describe the weighted routing policy in Route 53. What are some use cases where it may be employed?

A

Weighted routing is used to control what % of incoming traffic is routed to a particular destination by assigning relative weights to DNS records with the same record name. The relative weights of Route 53 records with the same name will be used to determine which record is returned to clients in a DNS query. Unlike simple routing policies, weighted routing can be associated with AWS Health Checks.

Use cases for weighted routing include:
load balancing traffic between different AWS regions.
testing new application versions by sending a small % of traffic.

31
Q

Describe the latency-based routing policy in Route 53.

A

Latency-based routing policies route traffic to destinations which have the lowest possible latency. This is useful when latency is a significant factor impacting user experience/performance. Latency is measured by the amount of traffic between users and destination AWS Regions. Ex: users in Germany might have their traffic directed to a different AWS Region than users in the U.S.

32
Q

Describe the failover routing policy in Route 53.

A

Failover routing policies associate each destination with a health check defined in Route 53. If the primary destination passes the health check, then Route 53 will return the DNS record associated with the primary destination. If the primary destination fails the health check, then Route 53 will instead return the DNS record for a secondary destination.

33
Q

Describe the geolocation routing policy in Route 53. With what geographic precision can the routing policy be defined?

A

Geolocation-based routing policies are used to route users to target destinations based on their geophysical location. Geolocation for routing can be specified at the continent, country, or U.S. state levels.

With geolocation-based routing, there is typically a default record set which is returned by Route 53 if the user’s geolocation does not match any of the other records.

34
Q

Describe the geoproximity routing policy in Route 53.

A

Geoproximity routing policies are used to route users based on the geographic distance between users and destination resources specified in their DNS records. This automatically routes users to the closest geographic location by default. However, a bias value can be applied to each DNS record, either positive (1-99) or negative (-1 to -99), in order to change the weight given to a particular resource/DNS record.

Geoproximity routing can be thought of as a combination of geolocation routing and weighted routing policies. Note that the Route 53 Traffic Flow advanced feature must be enabled to use this routing policy.

35
Q

Describe the IP-based routing policy in Route 53.

A

IP-based routing routes users to different target destinations based on the IP address of the client. Each Route 53 DNS record can be associated with a CIDR Block defining which client IP addresses should be routed to a particular endpoint/destination.

This can be used to, for example, route end users to a particular endpoint based on their Internet Service Provider (ISP).

36
Q

Describe the Multi-Value routing policy in Route 53.

A

Multi-Value routing is used to return multiple records to a client during a DNS query. Up to 8 healthy records can be returned for each multi-value query. The client will then randomly determine which destination to send subsequent requests to.

Note that, unlike simple routing, Multi-Value routing policies can be associated with Route 53 health checks and are a better solution when multiple destinations should be returned in a DNS query.

37
Q

Describe the Amazon FSx service in AWS. List 4 different types of resources which can be launched using the service.

A

Amazon FSx is a fully managed service for launching 3rd party high-performance file systems on AWS. File systems which can be launched on Amazon FSx include:

1) Windows File Server
2) Lustre
3) NetApp ONTAP
4) OpenZFS

38
Q

Describe the Amazon FSx for Lustre file system.

A

Lustre == ‘Linux Cluster’.

Lustre is a high-performance, parallel distributed file system for large-scale computing. It is used for workloads such as machine learning, high-performance computing (HPC), video processing, and financial modeling. Lustre can be accessed from on-premise servers using either VPN or Direct Connect.

The open-source Lustre file system is designed for applications which require fast storage – where you want your storage to keep up with your compute. FSx for Lustre integrates with Amazon S3, making it easy to process data sets with the Lustre file system. When linked to an S3 bucket, an FSx for Lustre file system transparently presents S3 objects as files and allows you to write changed data back to S3.

39
Q

Describe 3 technical specifications of the Amazon FSx for Lustre file system.

A

Lustre supports:
up to 100s GB/sec.
millions of IOPS.
sub-ms latencies for read/write operations.

40
Q

Describe the Amazon FSx for Windows File Server file system.

A

FSx for Windows File Server is a fully managed, Windows file system shared drive. It supports the SMB & Windows NTFS protocols and has Microsoft Active Directory integration. FSx for Windows File Server also supports Microsoft’s Distributed File System (DFS) Namespaces.

FSx for Windows File Server can be accessed from on-premise servers using either VPN or Direct Connect. It also can be configured for Multi-AZ and data is backed up daily to an S3 bucket.

Note that FSx for Windows File Server can be mounted on Linux EC2 instances.

41
Q

Describe 3 technical specifications of the Amazon FSx for Windows File Server file system.

A

Windows File Server supports:
up to 10s GB/sec.
millions of IOPS.
100s of PB of data.

42
Q

Describe the AWS Transfer Family service.

A

AWS Transfer Family is a managed AWS service which is used to read/write files into Amazon S3 or Amazon EFS using the FTP or FTPS protocols rather than the standard AWS APIs for interacting with S3/EFS.

AWS Transfer Family supports integration with authentication systems such as Microsoft Active Directory, LDAP, and Amazon Cognito. Accounts are billed per provisioned endpoint per hour + the amount of data transferred in GB.

43
Q

Describe the AWS Storage Gateway service. List the 4 different types of the Storage Gateway service.

A

AWS Storage Gateway is an AWS service which is used to enable hybrid cloud architectures where some infrastructure exists in the cloud and other parts of the infrastructure remain on-premises. This can be useful for applications such as: exposing S3 bucket data (or other AWS cloud-native storage options) on-premises.

Different types of AWS Storage Gateways include:
1) S3 File Gateway
2) FSx File Gateway
3) Volume Gateway
4) Tape Gateway

44
Q

Describe the Amazon S3 File Gateway service.

A

Amazon S3 File Gateway is a service which is used to make S3 bucket objects accessible using the SMB and NFS protocols. Files/objects accessed recently will be cached in the gateway application, for subsequent rapid access.

Amazon S3 File Gateway supports storing/retrieving files in any of the S3 storage tiers except Glacier, although files can be transitioned into S3 Glacier using a Lifecycle Policy.

Additionally, S3 Gateways using the SMB protocol can be integrated with Active Directory (AD) for user authentication.

45
Q

Describe the Amazon FSx File Gateway service.

A

Amazon FSx File Gateway is used to enable native access to Amazon FSx File Server for Windows clients. Clients can communicate through File Gateway using SMB and NTFS protocols and it supports integration with Active Directory.

Amazon FSx File Gateway is useful for group file shares and supports caching of frequently accessed data.

46
Q

Describe the Amazon Volume Gateway service.

A

Amazon Volume Gateway is a service which stores on-premises data in Amazon S3 using the iSCSI protocol to communicate between application servers and the Volume Gateway. Data stored in S3 is backed up regularly using EBS snapshots. Amazon Volume Gateway operates in two modes: cached volumes and stored volumes.

In the cached Volume Gateway mode, your primary data is stored in Amazon S3, while retaining your frequently accessed data locally in the cache for low latency access. In the stored Volume Gateway mode, your primary data is stored locally and your entire dataset is available for low latency access on premises while also asynchronously getting backed up to Amazon S3.

47
Q

What URL endpoint can be called from within an EC2 instance to retrieve information about its public IP address?

A

http://169.254.169.254/latest/meta-data/public-ipv4

48
Q

List 3 different placement group strategies for EC2 instances in AWS.

A

1) Cluster
2) Spread
3) Partition

49
Q

Describe the spread placement group strategy.

A

The spread placement group strategy is intended for mission-critical applications where EC2 instances are distributed across as many physical servers as possible. Within a single placement group, a maximum of 7 instances can be launched per AZ.

50
Q

Describe the cluster placement group strategy.

A

The cluster placement group strategy is intended for HPC or high-performance applications by placing all EC2 instances in close proximity on the same physical server in the same AZ. This significantly reduces network latency/communication between EC2 instances allowing up to 10 GB/s bandwidth.

51
Q

Describe the partition placement group strategy.

A

The partition placement group strategy can be thought of as a combination of the cluster and spread placement group strategies.

The user has the ability to specify up to 7 partitions per AZ where each partition represents a separate physical server. Users can then add up to hundreds of EC2 instances to each partition, combining the benefits of high-performance/network throughput among EC2 instances within a single partition with the benefits of maximum availability.

52
Q

How many records can be ingested into a Kinesis Data Stream using a single PutRequest API call? What is the maximum size of each data record?

A

500 records per request. Each record can be up to 1 MB in size.

53
Q

What is an AWS-owned Customer Master Key (CMK)?

A

AWS-owned CMKs are a collection of CMKs that an AWS service owns and manages for use in multiple AWS accounts. Although AWS owned CMKs are not in your AWS account, an AWS service can use its AWS owned CMKs to protect the resources in your account.

You do not need to create or manage the AWS owned CMKs. However, you cannot view, use, track, or audit them. You are not charged a monthly fee or usage fee for AWS owned CMKs and they do not count against the AWS KMS quotas for your account.

The key rotation strategy for an AWS owned CMK is determined by the AWS service that creates and manages the CMK.

54
Q

True/False: rebooting an EC2 instance will delete data stored on an instance store volume?

A

False. Only stopping, hibernating, or terminating an EC2 instance will delete the data stored on an instance store volume.

55
Q

What is a dead letter SQS queue?

A

Dead-letter queues can be used by other queues (source queues) as a target for messages that can’t be processed (consumed) successfully. Dead-letter queues are useful for debugging your application or messaging system because they let you isolate problematic messages to determine why their processing doesn’t succeed.

The redrive policy specifies the source queue, the dead-letter queue, and the conditions under which Amazon SQS moves messages from the former to the latter if the consumer of the source queue fails to process a message a specified number of times. The maxReceiveCount is the number of times a consumer tries receiving a message from a queue without deleting it before being moved to the dead-letter queue.

56
Q

Describe the Amazon Inspector service.

A

Amazon Inspector automatically discovers workloads, such as Amazon EC2 instances, containers, and Lambda functions, and scans them for software vulnerabilities and unintended network exposure.

Amazon Inspector is used to test the network accessibility of your Amazon EC2 instances and the security state of your applications running on the instances.

57
Q

Describe the AWS Firewall Manager service.

A

AWS Firewall Manager is a security management service which allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organization.

As new applications are created, AWS Firewall Manager makes it easy to bring new applications and resources into compliance by enforcing a common set of security rules, using a single service to build firewall rules, create security policies, and enforce them in a consistent, hierarchical manner across your entire infrastructure.

58
Q

List 5 different services which AWS Firewall Manager can use for enforcing security constraints. List one prominent resource which AWS Firewall Manager cannot configure rules for.

A

1) AWS WAF Rules
2) AWS Shield Advanced Protections
3) VPC Security Groups
4) AWS Network Firewalls
5) Route 53 DNS Firewall Rules

Note that NACL rules cannot be configured using AWS Firewall Manager.

59
Q

List 3 different resources which AWS Firewall Manager rules can be applied to.

A

1) Application Load Balancers
2) API Gateways
3) CloudFront Distributions

60
Q

Which AWS service is commonly used to block unauthorized activity related to cryptocurrency mining in a user’s AWS account?

A

Amazon GuardDuty. The service is commonly used to detect Amazon EC2 instances querying IP addresses associated with the cryptocurrency-related activity, informing you whether EC2 instances in your account are querying a domain name that is associated with Bitcoin or other cryptocurrency-related activity.

61
Q

Describe the Amazon GuardDuty service.

A

Amazon GuardDuty continuously monitors for malicious or unauthorized behavior to help protect your AWS resources, including your AWS accounts and access keys. Amazon GuardDuty identifies any unusual or unauthorized activity, like cryptocurrency mining or infrastructure deployments in a region that has never been used. Powered by threat intelligence and machine learning, GuardDuty is continuously evolving to help you protect your AWS environment.

62
Q

What are the 3 sources of input data which Amazon GuardDuty will use in assessing potential security threats?

A

1) VPC Flow Logs
2) CloudTrail Event Logs
3) DNS Logs

63
Q

What is a bastion host?

A

A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet. The bastion host runs on an Amazon EC2 instance that is typically in a public subnet of your Amazon VPC. Other EC2 instances can be in a subnet that is not publicly accessible, and they are set up with a security group that allows SSH access from the security group attached to the underlying EC2 instance running the bastion host.

64
Q

What is AWS Site-to-Site VPN?

A

AWS Site-to-Site VPN is a service which is used to enable resources in an AWS VPC to communicate securely with your on-premise network. You can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection, and configuring routing to pass traffic through the connection. A VPN connection refers to the connection between your VPC and your own on-premises network.

A Site-to-Site VPN connection offers two VPN tunnels between a virtual private gateway or a transit gateway on the AWS side, and a customer gateway (which represents a VPN device) on the remote (on-premises) side.

65
Q

What is AWS Direct Connect?

A

AWS Direct Connect is a network service that provides an alternative to using the Internet to utilize AWS cloud services. This uses a private connection to access a VPC from a private network and will be exposed as an AWS PrivateLink interface VPC endpoint.

AWS Direct Connect enables customers to have low latency, secure and private connections to AWS for workloads that require higher speed or lower latency than the internet. A Dedicated Connection is made through a 1 Gbps, 10 Gbps, or 100 Gbps Ethernet port dedicated to a single customer.

Note that AWS Direct Connect takes about a month to provision the connection.

66
Q

What is Availability Zone rebalancing? Describe the process in-depth.

A

Amazon EC2 Auto Scaling helps ensure that you have the correct number of Amazon EC2 instances available to handle the load for your application. You create collections of EC2 instances, called Auto Scaling groups. You can specify the minimum number of instances in each Auto Scaling group, and Amazon EC2 Auto Scaling ensures that your group never goes below this size.

Actions such as changing the Availability Zones for your group or explicitly terminating or detaching instances can lead to the Auto Scaling group becoming unbalanced between Availability Zones. Amazon EC2 Auto Scaling compensates by rebalancing the Availability Zones.

When rebalancing, Amazon EC2 Auto Scaling launches new instances before terminating the old ones, so that rebalancing does not compromise the performance or availability of your application.

67
Q

What happens when files are uploaded to Amazon S3 using the SSE-S3 encryption scheme?

A

Amazon S3 encrypts your data at the object level as it writes it to disk in its data centers and decrypts it for you when you access it. When you use server-side encryption with Amazon S3 managed keys (SSE-S3), each object is encrypted with a unique key. As an additional safeguard, it encrypts the key itself with a root key that it regularly rotates.

Note: Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. Starting January 5, 2023, all new object uploads to Amazon S3 will be automatically encrypted at no additional cost and with no impact on performance.

68
Q

Describe two tools which can be used to restrict access to CloudFront distributions to only approved users.

A

To securely serve private content for a CloudFront distribution, there are two options:

1) CloudFront-signed URLs
2) CloudFront-signed Cookies

Both methods are commonly used in web applications where administrators would like to restrict content access to only approved users, such as through subscription fees. If the application approves access, then the user will be provided with the URL/cookie in order to access the desired content through their web browser.

69
Q

Describe the two different throughput modes available when deploying EFS file systems in AWS.

A

EFS file systems support two throughput modes:

1) Provisioned Throughput Mode
2) Bursting Throughput Mode

Provisioned Throughput mode is available for applications with high throughput to storage (MiB/s per TiB) ratios. This is useful when the amount of data in your file system is low relative to throughput demands. Your file system can now get the high levels of throughput your applications require without having to pad your file system.

With Bursting Throughput mode, a file system’s throughput scales as the amount of data stored in the standard storage class grows.

70
Q

Describe a method for preventing an EBS root volume from being deleted without stopping the EC2 instance to which it is attached.

A

Set the DeleteOnTermination attribute to False for the target EC2 instance using the command line. Note that this attribute cannot be modified from the AWS Management Console except when the instance is first created.

71
Q

Which in-memory database service in AWS supports multi-threaded architectures?

A

Amazon ElastiCache for Memcached.

72
Q

Which two settings in a VPC need to be enabled to perform DNS resolution using a Route 53 private hosted zone?

A

1) enableDnsHostnames
2) enableDnsSupport

73
Q

What is an Amazon SQS delay queue?

A

Delay queues let you postpone the delivery of new messages to a queue for a number of seconds, for example, when your consumer application needs additional time to process messages. If you create a delay queue, any messages that you send to the queue remain invisible to consumers for the duration of the delay period. The default (minimum) delay for a queue is 0 seconds. The maximum is 15 minutes.

74
Q

What is an Amazon SQS temporary queue?

A

Temporary queues help to save development time and deployment costs when using common message patterns such as request-response. You can use the Temporary Queue Client to create high-throughput, cost-effective, application-managed temporary queues.

75
Q

What S3 feature can be used to read only the first 250 bytes for an object (file) stored in an S3 bucket?

A

S3 Byte Range Fetch.

76
Q

What is the maximum amount of data which can be submitted to a Kinesis Data Stream in a single message?

A

1 MB.

77
Q

What are the data ingestion limits of Kinesis Data Streams when receiving data from producer applications?

A

Kinesis Data Streams can handle up to 1 MB/sec per shard or 1,000 messages/sec per shard from producers.

78
Q

What are the data ingestion limits of Kinesis Data Streams when sending data to consumer applications?

A

Kinesis Data Streams can send up to 2 MB/sec per shard across all consumers.

Alternatively, if running in enhanced mode, each Kinesis Data Stream can send up to 2 MB/sec per shard per consumer.

79
Q

Describe the Amazon Transcribe service.

A

Amazon Transcribe is an automatic speech recognition (ASR) service that makes it easy to convert audio to text. One key feature of the service is called speaker identification, which you can use to label each individual speaker when transcribing multi-speaker audio files. You can specify Amazon Transcribe to identify 2–10 speakers in the audio clip.

80
Q

True or False: dedicated instances are compatible with Bring Your Own License (BYOL) applications.

A

False. Only EC2 instances launched on dedicated hosts are compatible with BYOL.

81
Q

Describe the AWS DataSync service.

A

AWS DataSync is an online data transfer service that simplifies, automates, and accelerates copying large amounts of data between on-premises storage systems and AWS Storage services, as well as between AWS Storage services. Using task scheduling in AWS DataSync, you can periodically execute a transfer task at a given interval.

You can use AWS DataSync to migrate data located on-premises, at the edge, or in other clouds to Amazon S3, Amazon EFS, Amazon FSx for Windows File Server, Amazon FSx for Lustre, Amazon FSx for OpenZFS, and Amazon FSx for NetApp ONTAP.

82
Q

Describe the AWS Resource Access Manager (RAM) service.

A

AWS Resource Access Manager is a service which enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization.

Shareable resources include AWS Transit Gateways, Subnets, AWS License Manager configurations, and Amazon Route 53 Resolver rules. RAM eliminates the need to create duplicate resources in multiple accounts, reducing the operational overhead of managing those resources in every single account you own.

You can create resources centrally in a multi-account environment, and use RAM to share those resources across accounts in three simple steps: create a Resource Share, specify resources, and specify accounts. RAM is available to you at no additional charge.

83
Q

Which http header must be included in the s3:PutObject API call when uploading files to an S3 bucket while server-side encryption (SSE) is required?

A

x-amz-server-side-encryption. This header is required if the S3 bucket has a bucket policy enforcing SSE.

84
Q

True or false: a single-region KMS key can be converted into a multi-region KMS key.

A

False.

85
Q

True or false: EC2 instances configured with instance store storage at launch can be recovered automatically using a CloudWatch Alarm.

A

False. Only EC2 instances with EBS Root Volumes can be configured for automatic recovery.

86
Q

Describe the Amazon Aurora Serverless service.

A

Amazon Aurora Serverless is an on-demand, auto-scaling configuration for Amazon Aurora where the database will automatically start up, shut down, and scale capacity up or down based on your application’s needs.

It enables you to run your database in the cloud without managing any database instances. It’s a simple, cost-effective option for infrequent, intermittent, or unpredictable workloads. You pay on a per-second basis for the database capacity you use when the database is active and can migrate between standard and serverless configurations with a few clicks in the Amazon RDS Management Console.

87
Q

What is a CloudFormation template?

A

A CloudFormation template is a JSON or YAML-format, text-based file that describes all the AWS resources you need to deploy to run your application. A template acts as a blueprint for a stack.

88
Q

What is a CloudFormation stack?

A

A CloudFormation stack is a set of AWS resources that are created and managed as a single unit when AWS CloudFormation instantiates a template.

89
Q

What is a CloudFormation stack set?

A

A CloudFormation Stack Set lets you create stacks in AWS accounts across regions by using a single AWS CloudFormation template.

Using an administrator account of an AWS Organization, you define and manage an AWS CloudFormation template, and use the template as the basis for provisioning stacks into selected target accounts of an AWS Organization across specified regions.

90
Q

When should S3 Transfer Acceleration be used over CloudFront’s PUT/POST methods for uploading data to an S3 bucket?

A

S3 Transfer Acceleration optimizes the TCP protocol and adds additional intelligence between the client and the S3 bucket, making S3 Transfer Acceleration a better choice if a higher throughput is desired.

If you have objects smaller than 1 GB, you should consider using Amazon CloudFront’s PUT/POST commands for optimal performance.

91
Q

Describe the 3 different tenancy values which can be assigned to an EC2 instance.

A

1) Default: the EC2 instance runs on shared hardware.
2) Dedicated: the EC2 instance runs on single-tenant hardware.
3) Host: the EC2 instance runs on an isolated server with configurations you can control.

Note that EC2 instances deployed with dedicated or host tenancy cannot be switched to shared hardware after startup.

92
Q

What is an AZ ID?

A

AWS maps the physical Availability Zones randomly to the Availability Zone names for each AWS account. This approach helps to distribute resources across the Availability Zones in an AWS Region, instead of resources likely being concentrated in Availability Zone “a” for each Region. As a result, the Availability Zone us-east-1a for your AWS account might not represent the same physical location as us-east-1a for a different AWS account.

An AZ ID is a unique and consistent identifier for an Availability Zone across all AWS accounts. For example, use1-az1 is an AZ ID for an Availability Zone in the us-east-1 Region and it represents the same physical location in every AWS account.

93
Q

Describe the AWS Compute Optimizer service.

A

AWS Compute Optimizer recommends optimal AWS Compute resources for your workloads to reduce costs and improve performance by using machine learning to analyze historical utilization metrics. Over-provisioning compute (Amazon EC2 and ASGs) can lead to unnecessary infrastructure cost and under-provisioning compute can lead to poor application performance. Compute Optimizer helps you choose the optimal Amazon EC2 instance types, including those that are part of an Amazon EC2 Auto Scaling group, based on your utilization data.

94
Q

Describe the AWS Cost Explorer service.

A

AWS Cost Explorer is a tool that enables you to view and analyze your costs and usage. You can explore your usage and costs using the main graph, the Cost Explorer cost and usage reports, or the Cost Explorer RI reports. You can view data for up to the last 12 months, forecast how much you’re likely to spend for the next 12 months, and get recommendations for what Reserved Instances to purchase. You can use Cost Explorer to identify areas that need further inquiry and see trends that you can use to understand your costs.

95
Q

True or False: data stored on an EC2 instance store will persist if the instance is stopped, hibernated, or terminated.

A

False. Data stored on an EC2 instance store will only persist if the instance is rebooted.

Additionally, instance store volumes are attached only at instance launch. You can’t attach instance store volumes after launch. You can’t detach an instance store volume from one instance and attach it to a different instance.

96
Q

True or False: it is possible to modify the type or size of an EC2 instance after it is launched.

A

True. However, the instance must first be stopped before its size/type can be modified.

97
Q

What is an Elastic Fabric Adapter (EFA) device?

A

An Elastic Fabric Adapter (EFA) is a network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications. EFA enables you to achieve the application performance of an on-premises HPC cluster, with the scalability, flexibility, and elasticity provided by the AWS Cloud.

An EFA provides lower and more consistent latency and higher throughput than the TCP transport traditionally used in cloud-based HPC systems. It enhances the performance of inter-instance communication that is critical for scaling HPC and machine learning applications. It is optimized to work on the existing AWS network infrastructure and it can scale depending on application requirements.

98
Q

How many VPCs are allowed per AWS Region?

A

5, maximum.

99
Q

How many CIDR Block Ranges are allowed per AWS VPC, and what are the minimum/maximum number of IP addresses allowed per block range?

A

Each VPC may have up to 5 CIDR Block Ranges defined, and each block may contain between 16 and 65,536 IP addresses.

100
Q

Which IP addresses are reserved by AWS when defining a new subnet within a VPC?

A

AWS reserves the first 4 and the last IP addresses defined within a subnet’s CIDR Block Range. These are used for hosts such as the VPC router, the AWS-provided DNS server, etc.

101
Q

What is the default timeout for messages polled inside an SQS queue?

A

30 seconds.

102
Q

List 6 different types of subscribers which can receive event notifications from an SNS queue.

A

1) Email Address
2) Phone via SMS
3) Lambda Function
4) SQS Queue
5) Kinesis Data Firehose
6) Any custom HTTP(S) Endpoint

103
Q

What is the only valid type of subscription which can act as a recipient of event notifications from an SNS FIFO queue?

A

SQS FIFO Queues.

104
Q

Describe two AWS services which integrate with Cognito User Pools.

A

1) API Gateway
2) Application Load Balancers

105
Q

What path under the SSM Parameter Store can be used to access credentials stored in AWS Secrets Manager?

A

/aws/reference/secretsmanager/secret_ID_in_Secrets_Manager

106
Q

What is a parameter policy in the SSM Parameter Store service?

A

A parameter policy, only available as an advanced (paid) tier feature in SSM Parameter Store, allows a TTL (expiration date) to be assigned to a parameter stored on AWS, which will force users to update/delete the parameter to which the TTL has been assigned.

This in turn can be passed as a notification in EventBridge to let users know that a password/parameter will soon expire and needs to be updated.

107
Q

What is AWS WAF? What resources can the service be deployed with (5 total)?

A

WAF == ‘Web Application Firewall’. WAF is a service for protecting web-based applications from common exploits performed over HTTP (layer 7) using access control lists (ACLs).

WAF can be deployed on any of the following resources located in the same region:
- CloudFront (Global)
- API Gateway
- Cognito User Pool
- AWS App Runner
- Application Load Balancers

108
Q

List 4 different features of WAF and how they are used to protect against common web exploits.

A

1) Scans against HTTP headers, bodies, and URI strings to protect against SQL Injection + Cross-Site Scripting (XSS) attacks.
2) Size constraints for blocking large request packets.
3) Geo-matching constraints for restricting specific countries.
4) Rate-based rules for counting request frequency (DDoS Protection).

109
Q

What is a Web ACL? What is a rule group? What is the default WAF action (allow/block) for incoming requests over http?

A

Web ACL == ‘Web Access Control List’, which is a set of rules used to determine what traffic is allowed/blocked for AWS resources on which a WAF has been deployed.

WAF can be configured to either allow or block all incoming traffic for which a rule has not been explicitly defined.

A rule group is a reusable set of pre-defined rules which can be attached to multiple Web ACLs simultaneously.

110
Q

Compare the costs (per GB) of sending data between EC2 instances located: in the same AZ, in different AZs, and in different AWS Regions.

A

1) Data transfer between EC2 instances located in the same AZ is free, when using private IP addresses.
2) Data transfer between EC2 instances located in different AZs costs $0.01/GB if using private IP addresses.
3) Data transfer between EC2 instances located in different AWS Regions costs $0.02/GB. This is the same cost as sending any outbound traffic from an EC2 instance over the internet.

111
Q

Describe the three different AWS Directory Services available in AWS.

A

1) AWS Managed Microsoft AD. Supports MFA. Can be used to create an Active Directory (AD) stored on AWS to manage users in the cloud. Can also establish a trust connection with an on-premises AD to proxy authentication requests.
2) AD Connector. Supports MFA. Acts as a proxy, redirecting to an on-premises AD for user authentication.
3) Simple AD. AD managed on AWS which cannot be joined to an on-premises AD.

112
Q

Describe the naming convention used for Amazon S3 website endpoints.

A

1) http://bucket-name.s3-website-Region.amazonaws.com
2) http://bucket-name.s3-website.Region.amazonaws.com