Review Flashcards
S3 offers 256-bit encryption for data-at-rest.
S3 offers 256-bit encryption for data-at-rest, which is an option you can turn on/off. AWS manages the keys and will decrypt the data when you request to download it.
What feature should you utilize for redundancy if auto scaling and load balancing are not available?
Setting up an Elastic IP address and having it ready for failover is a great solution when other services that provide high availability and fault tolerance are not available.
The AMI ID used in an Auto Scaling policy is configured in the
Launch configuration
Which of the following is not a benefit of a decoupled architecture using EC2, Auto Scaling, and SQS?
An application does not become unavailable due to the deletion of a single SQS queue
Deletion of an SQS queue used in an application will cause the application to fail.
You recently purchased and deployed four reserved EC2 instances in the US-East-1 region’s Availability Zone 1 for a new project. Your supervisor just informed you that this project only requires two EC2 instances. Rather than selling the reserved instances, she asked you to terminate the extra instances and convert two of the on-demand instances already running in Availability Zone 1 to reserved instances. Can this be done?
Yes, you can terminate the reserved instances and AWS will automatically begin billing the two on-demand instances as reserved instances
Data stored on EBS volumes are automatically and redundantly stored in multiple physical volumes in the same Availability Zone as part of the normal operations of the EBS service and at no additional charge.
true
Which of the following AWS services allow you access to the underlying operating system?
Amazon EMR, Amazon Elastic Beanstalk
You are building a system to distribute confidential training videos to employees. Using CloudFront, what method would be used to serve content that is stored in S3 but not publicly accessible from S3 directly?
Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI
You have 8 instances running on your VPC and all 10 of your users (5 production and 5 development) currently have access to all the instances. However, you have been told that because 4 of the instances are used for production and 4 are used for development, you will need to set up access so that the 5 production people can only access the production server and the 5 development people can only access the development server. Using policies, which of the following would be the best way to accomplish this?
Define the tags on the test and production servers, and add a condition to the IAM policy which allows access to specific tags
Amazon Auto Scaling is not meant to handle instant load spikes but is built to grow with a gradual increase in usage over a short time period.
true
You recently purchased hardware to run a decoupled application in your on-premises datacenter. The application is working great but has seen an increased workload in recent weeks that makes you concerned that your hardware cannot handle the load. Your supervisor asks you to analyze the possibility of expanding the application using cloud resources. You cannot completely migrate the application to AWS because of the investment you have already made in on-premises hardware. What items will most likely be included in your analysis?
You can leverage SQS to utilize both on-premises servers and EC2 instances for your decoupled application; you can leverage SWF to utilize both on-premises servers and EC2 instances for your decoupled application
When designing an application architecture utilizing EC2 instances and the ELB, to determine the instance size required for your application, what questions might be important?
Determining the minimum memory requirements for an application, Determining the required I/O operations
Striping Options
RAID 0 and 1 (common types); RAID 5 and 6 (not recommended because of the extended stripe)
RAID 0 Disadvantages
Performance of the stripe is limited to the worst performing volume in the set. Loss of a single volume results in a complete data loss of the array
RAID 1 Disadvantages
Does not provide a write performance improvement; requires more Amazon EC2 to Amazon EBS bandwidth than non-RAID configurations because the data is written to multiple volumes simultaneously.
RAID 5 and RAID 6
Are not recommended for Amazon EBS because the parity write operations of these RAID modes consume some of the IOPS available to your volumes. Increased cost.
Is creating a Read replica of another read replica supported?
only with MySQL based RDS
If I want my instance to run on a single-tenant hardware, which value do I have to set the instance’s tenancy attribute to?
Dedicated.
Maximum response time for a Business level Premium Support case?
1 hour
Sharding
Sharding embodies the “share-nothing” architecture and essentially just involves breaking a larger database up into smaller databases. Common ways to split a database are:
- Splitting tables that are not joined in the same query onto different hosts
- Duplicating a table across multiple hosts and then splitting where a row goes
Enhanced Networking – launch HVM AMI in VPC.
Enhanced Networking enables you to get significantly higher packet per second (PPS) performance, lower network jitter and lower latencies. This feature uses a new network virtualization stack that provides higher I/O performance and lower CPU utilization compared to traditional implementations. In order to take advantage of Enhanced Networking, you should launch an HVM AMI in VPC, and install the appropriate driver.
Improve Application Throughput
You can run and scale applications such as stateless web services, image rendering, big data analytics and massively parallel computations on Spot instances. Since it costs less, you can increase your compute capacity by 2-10x within the same budget.
I2
Optimized to deliver tens of thousands of low-latency, random I/O operations per second to applications.
NoSQL, clustered databases, online transaction processing (OLTP) systems
Billing dashboard elements
Bills; cost Explorer; Budgets; Reports; Cost Allocation Tags; Payment Methods; Payment History; Consolidated Billing; Preferences; Credits; Tax Settings; DevPay
Read replicas
MySQL, MariaDB, PostgreSQL, Amazon Aurora.
VM Import/Export
VM Import/Export enables customers to import Virtual Machine (VM) images in order to create Amazon EC2 instances. Customers can also export previously imported EC2 instances to create VMs. Customers can use VM Import/Export to leverage their previous investments in building VMs by migrating their VMs to Amazon EC2
What is the service used by AWS to segregate control over the various AWS services ?
AWS Identity and Access Management (IAM).
Instance Family
T2/M4/C4 – HVM; EBS-backed
M3/C3 – HVM and PV; EBS and instance store
Maximum ratio of IOPS to Volume size
50:1
http://169.254.169.254/latest/meta-data/public-ipv4
latest, then meta-data
Route 53 features
- Register domain names – Your website needs a name, such as example.com. Amazon Route 53 lets you register a name for your website or web application, known as a domain name.
- Route internet traffic to the resources for your domain – When a user opens a web browser and enters your domain name in the address bar, Amazon Route 53 helps the Domain Name System (DNS) connect the browser with your website or web application.
- Check the health of your resources – Amazon Route 53 sends automated requests over the internet to a resource, such as a web server, to verify that it’s reachable, available, and functional. You also can choose to receive notifications when a resource becomes unavailable and choose to route internet traffic away from unhealthy resources.
Golden Image
An AMI that has been constructed from a customized image.
If the DNS hostnames option of the VPC is not set to “yes”
then instances launched in the subnet will not get DNS names.
Requirement for cross-region replication
• The source and destination buckets must be versioning-enabled.
• The source and destination buckets must be in different AWS regions.
• You can replicate objects from a source bucket to only one destination bucket.
• Amazon S3 must have permission to replicate objects from that source bucket to the destination bucket on your behalf.
• If the source bucket owner also owns the object, the bucket owner has full permissions to replicate the object. If not, the source bucket owner must have permission for the Amazon S3 actions s3:GetObjectVersion and s3:GetObjectVersionACL to read the object and object ACL.
• If you are setting up cross-region replication in a cross-account scenario (where the source and destination buckets are owned by different AWS accounts), the source bucket owner must have permission to replicate objects in the destination bucket.
The destination bucket needs to grant these permissions via a bucket policy.
Lambda resource limits per invocation
- Temp space: 512 MB
- Payload size: 6 MB / 128 KB
- Number of file descriptors: 1024
- Number of processes and threads: 1024
- Memory allocation range: 128 MB to 3008 MB
- Max execution time per request: 5 min
VPC and Subnet Sizing for IPv4
When you create a VPC, you must specify an IPv4 CIDR block for the VPC. The allowed block size is between a /16 netmask (65,536 IP addresses) and /28 netmask (16 IP addresses).
Redshift’s columnar storage size
1 MB (1024 KB)
Server access log
In order to track requests for access to your bucket, you can enable access logging. Each access log record provides details about a single access request, such as the requester, bucket name, request time, request action, response status, and error code, if any. Access log information can be useful in security and access audits.
Snapshots for EBS volumes in a RAID configuration
It is critical that there is no data I/O to or from the volumes when the snapshots are created. RAID arrays introduce data interdependencies and a level of complexity not present in a single EBS volume configuration.
1. Suspend disk I/O
2. Start EBS snapshots of the volumes
3. Wait for the snapshots to complete
4. Resume disk I/O
Business support plan
1) 24x7 access to customer service, documentation, whitepapers, and support forums
2) Access to full set of Trusted Advisor checks
3) 24x7 access to Cloud Support Engineers via email, chat & phone
EC2 classic vs VPC
For instances launched in a VPC, a private IPv4 address remains associated with the network interface when the instance is stopped and restarted, and is released when the instance is terminated.
For instances launched in EC2-Classic, we release the private IPv4 address when the instance is stopped or terminated. If you restart your stopped instance, it receives a new private IPv4 address
Best practices to monitor EC2 instances
• Make monitoring a priority to head off small problems before they become big ones.
• Create and implement a monitoring plan that collects monitoring data from all of the parts in your AWS solution so that you can more easily debug a multi-point failure if one occurs. Your monitoring plan should address, at a minimum, the following questions:
◦ What are your goals for monitoring?
◦ What resources will you monitor?
◦ How often will you monitor these resources?
◦ What monitoring tools will you use?
◦ Who will perform the monitoring tasks?
◦ Who should be notified when something goes wrong?
• Automate monitoring tasks as much as possible.
• Check the log files on your EC2 instances.
Instance States
rebooting; pending; running; shutting-down; terminated; stopping; stopped
Types of origins CloudFront distributions support
S3 Buckets;
Custom Origin
You have written a CloudFormation template that creates 1 elastic load balancer fronting 2 EC2 instances. Which section of the template should you edit so that the DNS of the load balancer is returned upon creation of the stack?
Outputs
What is the basic requirement to login into an EC2 instance on the AWS cloud?
Key pairs
WAF
Web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules.
Maintaining a single snapshot provides the lowest cost for Amazon Elastic Block Store snapshots while giving you the ability to fully restore data
Maintain a single snapshot; the latest snapshot is both incremental and complete.
EBS Volume Encryption
Has to be done during volume creation.
CloudWatch Metrics now supports the following three retention schedules:
- 1 minute datapoints are available for 15 days
- 5 minute datapoints are available for 63 days
- 1 hour datapoints are available for 455 days
revoke-security-group-ingress
Removes one or more rules from a security group.
Perfect Forward Secrecy is used to offer SSL/TLS cipher suites for which two AWS services?
CloudFront and Elastic Load Balancing.
Event notification of S3
Can be sent via SNS, SQS, or a Lambda function
AWS IOT
AWS IoT is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices. AWS IoT can support billions of devices and trillions of messages, and can process and route those messages to AWS endpoints and to other devices reliably and securely. With AWS IoT, your applications can keep track of and communicate with all your devices, all the time, even when they aren’t connected.
Your company is moving their entire 20 TB data warehouse to the cloud. With your current bandwidth, it would take 2 months to transfer the data. Which service would allow you to quickly get your data into AWS?
Amazon Import/Export
You are testing an application that uses EC2 instances to poll an SQS queue. At this stage of testing, you have verified that the EC2 instances can retrieve messages from the queue, but your coworkers are complaining about not being able to manually retrieve any messages from the queue from their on-premises workstations. What is the most likely source of this problem?
Your coworkers may not have permission to the SQS queue
CloudTrail
AWS CloudTrail is the de facto service provided by AWS for monitoring all API calls to AWS and is used for logging and monitoring for compliance purposes. CloudTrail records every call made to AWS and creates a log which can then be used for analysis.
DNS record Type
CloudFront distribution
Select A — IPv4 address.
If IPv6 is enabled for the distribution, create two records, one with a value of A — IPv4 address for Type, and one with a value of AAAA — IPv6 address.
Elastic Beanstalk environment that has regionalized subdomains
Select A — IPv4 address
ELB load balancer
Select A — IPv4 address or AAAA — IPv6 address
Amazon S3 bucket
Select A — IPv4 address
Another record in this hosted zone
Select the type of the record that you’re creating the alias for. All types are supported except NS and SOA.
EMR
In Amazon EMR, you have the ability to work with the underlying instances, because the EMR service allows you to associate an EC2 key pair with the launched instances.
VPC configuration Options
VPC with a single Public Subnet
VPC with public and private subnets
VPC with public and private and Hardware VPN access
VPC with a Private subnet Only and Hardware VPN Access
ClassicLink
Within the same region, allows us to link an EC2-Classic instance to a VPC in our account.
AWS Workspaces
Is used for virtual desktops
CloudWatch Metrics
CPU Utilization; Disk Reads; Disk Read Operations; Network statistics for data transfer. For RDS: DB Connections; Free Storage Space; Freeable Memory
Trusted Advisor
Cost Optimization; Performance; Security; Fault Tolerance. Helps you identify underutilized resources in AWS and monitor service limits.
Error: Server refused our key (or)
Error: No supported authentication methods available
Verify that you are connecting with the appropriate user name for your AMI.
You should also verify that your private key (.pem) file has been correctly converted to the format recognized by PuTTY (.ppk).
User name in PuTTY configuration
Linux AMI -- ec2-user; RHEL -- ec2-user or root; Ubuntu AMI -- ubuntu or root; CentOS AMI -- centos; ...
Best solution to store session data
ElastiCache
Serverless Platform
Compute – Lambda
API Proxy – API Gateway
Storage – S3
Database – DynamoDB
CloudWatch Logs Agent
Provides an automated way to send log data to CloudWatch Logs from Amazon EC2 instances. The agent is comprised of the following components:
· A plug-in to the AWS CLI that pushes log data to CloudWatch Logs.
· A script (daemon) that initiates the process to push data to CloudWatch Logs.
· A cron job that ensures that the daemon is always running.
S3 Cost
Related to the number of requests and the amount of storage.
Auto Scaling cooldown period
A configurable setting for your Auto Scaling group that helps to ensure that Auto Scaling doesn’t launch or terminate additional instances before the previous scaling activity takes effect.
Kinesis limits
Retention period – 24 hours by default, max – 7 days
Encrypted EBS volume
· Data at rest inside the volume
· All data moving between the volume and the instance
· All snapshots created from the volume
Active Directory connector
Is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud. AD Connector comes in two sizes, small and large. A small AD Connector is designed for smaller organizations of up to 500 users. A large AD Connector can support larger organizations of up to 5,000 users.
Define health check
When defining a health check, in addition to the port number and protocol, you also have to define the page which will be used for the health check. If you don’t have the page defined on the web server then the health check will always fail.
Temporary security credentials
The temporary security credentials are valid for the duration that you specified when calling AssumeRole, or until the time specified in the SAML authentication response’s SessionNotOnOrAfter value, whichever is shorter. The duration can be from 900 seconds (15 minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.
GetSessionToken
Must be called by using the long-term AWS security credentials of the AWS account or an IAM user. Credentials that are created by IAM users are valid for the duration that you specify, from 900 seconds (15 minutes) up to a maximum of 129600 seconds (36 hours), with a default of 43200 seconds (12 hours); credentials that are created by using account credentials can range from 900 seconds (15 minutes) up to a maximum of 3600 seconds (1 hour), with a default of 1 hour.
Application Load Balancer vs Classic Load balancer
Application Load Balancer does not support the TCP protocol. When you configure the health check for TCP, you need to configure the protocol and port number
Application Load Balancer Support for path-based routing. You can configure rules for your listener that forward requests based on the URL in the request. This enables you to structure your application as smaller services, and route requests to the correct service based on the content of the URL.
CloudTrail delivers to
S3, CloudWatch Logs
Advantages of a trail that applies to all regions
- The configuration settings for the trail apply consistently across all regions.
- You receive CloudTrail events from all regions in a single S3 bucket and optionally in a CloudWatch Logs log group.
- You manage trail configuration for all regions from one location.
- You immediately receive events from a new region. When a new region launches, CloudTrail automatically creates a trail for you in the new region with the same settings as your original trail.
- You can create trails in regions that you don’t use often to monitor for unusual activity
All data moving between the volume and S3
Not encrypted
Elastic Beanstalk
Can be used to create web server environments and worker environments.
AWS Certificate Manager
AWS Certificate Manager can be used to generate SSL certificates that can be used to encrypt traffic in transit, but not at rest
API Gateway with STS
Used for issuing tokens when using API Gateway for traffic in transit.
NGINX
NGINX is an open source software for web serving, reverse proxying, caching, load balancing etc. It complements the load balancing capabilities of Amazon ELB and ALB by adding support for multiple HTTP, HTTP/2, and SSL/TLS services, content-based routing rules, caching, autoscaling support, and traffic management policies.
It can be hosted on an EC2 instance. Launch an EC2 instance through console. SSH into the instance and use the command yum install -y nginx to install nginx and make sure that it is configured to restart automatically after a reboot.
It can also be installed with an Elastic Beanstalk service.
To enable the Nginx proxy server with your Tomcat application, you must add a configuration file to .ebextensions in the application source bundle that you upload to Elastic Beanstalk.
Flow Logs
Is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs. After you’ve created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.
If you need low-latency access to your entire dataset, first configure your on-premises gateway to store all your data locally. Then asynchronously back up point-in-time snapshots of this data to Amazon S3. This configuration provides durable and inexpensive offsite backups that you can recover to your local data center or Amazon EC2.
Configure a Storage Gateway stored volume
Multivalue answer record
If you want to route traffic approximately randomly to multiple resources, such as web servers, you can create one multivalue answer record for each resource and, optionally, associate an Amazon Route 53 health check with each record. For example, suppose you manage an HTTP web service with a dozen web servers that each have their own IP address. No one web server could handle all of the traffic, but if you create a dozen multivalue answer records, Amazon Route 53 responds to DNS queries with up to eight healthy records in response to each DNS query. Amazon Route 53 gives different answers to different DNS resolvers. If a web server becomes unavailable after a resolver caches a response, client software can try another IP address in the response.
Spot instance use cases
stateless web services, image rendering, big data analytics and massively parallel computations
Auto scaling options
Scheduled scaling;
Dynamic scaling;
Manual scaling
Resource Limits
- Access keys assigned to an IAM user: 2
- Access keys assigned to the AWS account root user: 2
- Aliases for an AWS account: 1
- Groups an IAM user can be a member of: 10
- Identity providers (IdPs) associated with an IAM SAML provider object: 10
- Keys per SAML provider: 10
- Login profiles for an IAM user: 1
- Managed policies attached to an IAM group: 10
- Managed policies attached to an IAM role: 10
- Managed policies attached to an IAM user: 10
- MFA devices in use by an IAM user: 1
- MFA devices in use by the AWS account root user: 1
- Roles in an instance profile: 1
- SAML providers in an AWS account: 100
- Signing certificates assigned to an IAM user: 2
- SSH public keys assigned to an IAM user: 5
- Versions of a managed policy that can be stored: 5
What is the command line instruction for running the remote desktop client in Windows?
mstsc
If I want to run a database in an Amazon instance, which is the most recommended Amazon storage option?
EBS
http://status.aws.amazon.com/
AWS Service Health Dashboard
Cannot be tagged
- Key pairs
- Elastic IP addresses
- Placement groups
Max key length of a tag
128 Unicode Characters
IOPS throughput
1,000 to 10,000