Route 53, CloudFront, DNS, SSL Flashcards
An S3 bucket is served through CloudFront using signed URLs.
Access is allowed even without a signed URL.
To use signed URLs on a CloudFront distribution you configure its cache behavior to restrict viewer access (trusted key group / signer). That only makes CloudFront private: if the bucket itself is still publicly readable, viewers simply bypass CloudFront and fetch objects from the S3 URL. To fix this, create an Origin Access Identity (OAI), attach it to the S3 origin, and rewrite the bucket policy
to ONLY allow this OAI to read objects (s3:GetObject), removing any public-read grant and keeping S3 Block Public Access on. Origin Access Control (OAC) is the newer equivalent of OAI and works the same way from the bucket policy's point of view.
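The bucket-policy check described above, as an added example (not part of the original flashcards). The bucket name and OAI ID are assumed placeholders; the two policies are constructed to show the correct OAI-only grant next to the broken state in which a legacy public-read statement is still present.

```python
"""Audit an S3 bucket policy for a CloudFront OAI-only setup.

Added example, not from the original flashcards. Bucket name and OAI ID are
assumed placeholders. Block Public Access is a separate bucket setting and is
not visible in the policy document, so it is not checked here.
"""
import fnmatch

BUCKET = "assets.example.invalid"          # assumed placeholder
OAI_ID = "E2EXAMPLE1OAI"                   # assumed placeholder
OAI_PRINCIPAL = f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {OAI_ID}"

# Constructed: the policy the card asks for, read access only for the OAI.
OAI_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": OAI_PRINCIPAL},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        }
    ],
}

# Constructed: the broken state, a public-read grant left next to the OAI grant,
# so signed URLs are enforced by CloudFront but the S3 URL still works for anyone.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        OAI_ONLY_POLICY["Statement"][0],
        {
            "Sid": "LegacyPublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten the Principal element ("*" or {"AWS": [...]} etc.) into strings."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for v in principal.values():
        out.extend(_as_list(v))
    return out


def _grants_read(actions):
    """True if any action pattern (s3:GetObject, s3:Get*, s3:*, *) covers GetObject."""
    return any(fnmatch.fnmatch("s3:getobject", a.lower()) for a in _as_list(actions))


def audit_bucket_policy(policy, oai_principal=OAI_PRINCIPAL):
    """Return findings; an empty list means only the OAI may read objects.

    Conditions on statements are ignored (treated as if they always matched),
    which errs on the side of reporting a grant rather than missing one.
    """
    findings = []
    oai_allowed = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _grants_read(stmt.get("Action", [])):
            continue
        sid = stmt.get("Sid", "?")
        for principal in _principals(stmt.get("Principal", {})):
            if principal == oai_principal:
                oai_allowed = True
            elif principal == "*":
                findings.append(f"{sid}: public read (Principal *)")
            else:
                findings.append(f"{sid}: read granted to non-OAI principal {principal}")
    if not oai_allowed:
        findings.append("no statement grants s3:GetObject to the OAI; CloudFront will get 403")
    return findings


if __name__ == "__main__":
    for name, pol in (("OAI only", OAI_ONLY_POLICY), ("public read left in", PUBLIC_READ_POLICY)):
        print(name, "->", audit_bucket_policy(pol) or "OK")
```

Run the audit against the policy document returned by `aws s3api get-bucket-policy`; a clean result plus Block Public Access enabled is the state the card is asking for.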
Which DNS record type is commonly used to verify domain ownership?
TXT records are generally used to verify domain ownership: the provider issues a unique token, you publish it in a TXT record under the domain, and the provider confirms it
with a DNS lookup. (ACM's DNS validation is the notable exception: it asks for a CNAME record instead.)
The trycatsinstead.doggogram.io application has become really popular and, with billions of visits per day, DNS costs are becoming a concern. The application is behind an Application Load Balancer, and the trycatsinstead record in the doggogram.io hosted zone is a CNAME pointing at the ALB's DNS name. Which of the following is a good option to reduce the costs, without risking disruption to the application and staying compliant with the DNS standards (choose one)
Delete the CNAME record and recreate it as an Alias record (type A) pointing at the ALB.
Alias records can be used at a zone apex (a CNAME cannot, because it would collide with the SOA and NS records that live there),
and Route 53 does not charge for queries to alias records that point at AWS resources such as an ALB, whereas CNAME queries are billed as normal queries.
Plan the deployment of SSL certificates using ACM across multiple regions.
One ACM certificate per region: ACM certificates are regional and cannot be copied between regions, so request (or import) a certificate in every region that terminates TLS (ALB, API Gateway, etc.). A certificate used by CloudFront must be in us-east-1.
You have registered a domain with another provider. You want to use Route 53 to host the records for this domain. What steps should you take to make the domain records configurable within Route 53? (Choose 3)
Create a public hosted zone in Route 53
Get the NS records that Route 53 assigned to the hosted zone
Update the name servers on the domain at the registrar to those NS values
You have created a custom VPC and have launched 50 EC2 instances using an Auto Scaling group. You notice that none of the instances receives a public IPv4 DNS name and instances within the ASG cannot resolve any DNS names. Which of the following should you do to resolve the issue? (choose one)
Set enableDnsSupport to true (enables the Amazon-provided resolver) and
enableDnsHostnames to true on the VPC (instances with a public IP then get a public DNS hostname; enableDnsHostnames only takes effect when enableDnsSupport is also true)
What happens when the primary node of a Multi-AZ RDS deployment fails? (choose one)
RDS promotes the standby and repoints the endpoint's DNS record (a CNAME) at it. The endpoint name does not change, so applications must re-resolve it on reconnect rather than caching the old IP (for example a JVM with an unbounded DNS cache TTL will keep trying the dead node).
A leading US-based 24/7 online news network is planning to expand its reach and launch its paid news subscription in Europe, Asia and Oceania regions. You are instructed to implement multi-region AWS deployments for all their cloud infrastructure where their online platform is hosted.
In this scenario, which Amazon Route 53 feature would minimize response time of their platform for its subscribers?
Latency-based routing
A microservice application is hosted in the ap-southeast-1 and ap-northeast-1 regions. ap-southeast-1 receives 80% of the traffic and ap-northeast-1 the rest. As part of the company's business continuity plan, all traffic must be rerouted to the other region if one region's servers fail.
Which solution complies with the requirement?
Set up an 80/20 weighted routing policy in Route 53 with a health check attached to each record. When a record's health check fails, Route 53 stops returning it, so all traffic goes to the remaining healthy region.
A real-estate company uses an Elastic Load Balancer with a TLS certificate to provide HTTPS to its website visitors. Users reported outages because the TLS certificate expired, and the SysOps administrator needs a solution that automates certificate renewal.
What is the MOST operationally efficient approach to perform the automation required?
Request a public certificate from AWS Certificate Manager (ACM) and associate it with the ELB. ACM handles renewal automatically, with one caveat: DNS-validated certificates renew unattended as long as the validation CNAME stays in the hosted zone, while email-validated certificates still require a manual response at renewal time, so use DNS validation.
A real-estate company hosts a website on Amazon EC2 instances behind an Application Load Balancer. The SysOps administrator put CloudFront in front for content distribution with the ALB as the origin, and created a CNAME record in Route 53 that sends all traffic through the CloudFront distribution. Users report that they are served the desktop version of the website on mobile phones.
Which action can help the SysOps administrator resolve the issue?
Configure the cache behavior to forward CloudFront's device-detection headers (CloudFront-Is-Mobile-Viewer, CloudFront-Is-Tablet-Viewer, CloudFront-Is-Desktop-Viewer) to the origin and include them in the cache key, and have the origin return the mobile layout when CloudFront-Is-Mobile-Viewer is true. CloudFront derives these headers from the User-Agent itself, so only a handful of cached variants result.
NOT forwarding the User-Agent header itself: it can be whitelisted in the cache behavior, but every distinct User-Agent string then becomes a separate cache key and the cache hit ratio collapses. Origin custom headers are static name/value pairs that you define on the origin, not the viewer's request headers, so adding "User-Agent" there does not pass the viewer's device to the origin either.
A leading national bank migrated its on-premises infrastructure to AWS. The SysOps Administrator noticed that the cache hit ratio of the CloudFront web distribution is less than 15%.
Which combination of actions should he take to increase the cache hit ratio for the distribution? (Select TWO.)
– In the cache behavior settings of the distribution, forward (and cache on) only the query string parameters for which the origin returns different objects; every forwarded parameter, including tracking parameters such as utm_*, multiplies the number of cache keys.
– Configure the origin to add a Cache-Control max-age directive to its objects, and specify the longest practical value for max-age so objects stay in the edge cache longer (CloudFront's own default/max TTL settings cap this).
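A cache-key simulation covering both the mobile/desktop card and the cache-hit-ratio card above, added here as an example and not part of the original flashcards. The viewer requests are constructed; the hypothetical origin returns distinct objects only for the `page` and `lang` query parameters. It counts how many separate cache entries CloudFront would hold under each forwarding choice, and shows what the origin should do with the device header.

```python
"""CloudFront cache-key fragmentation under different forwarding choices.

Added example, not from the original flashcards. Sample requests are
constructed; `page` and `lang` are the only query parameters the assumed
origin varies on.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode

# Constructed viewer requests: (path, query, User-Agent, value CloudFront would
# put in CloudFront-Is-Mobile-Viewer).
REQUESTS = [
    ("/article", "page=1&lang=en&utm_source=twitter",
     "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)", "true"),
    ("/article", "lang=en&page=1",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0", "false"),
    ("/article", "page=1&lang=en&utm_campaign=spring",
     "Mozilla/5.0 (Linux; Android 13; Pixel 7)", "true"),
    ("/article", "page=1&lang=en",
     "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_0) Safari/605.1", "false"),
    ("/article", "page=2&lang=en",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/121.0", "false"),
]

WHITELISTED_QUERY = ("page", "lang")   # parameters the origin actually varies on


def normalized_query(query, whitelist=WHITELISTED_QUERY):
    """Keep only whitelisted parameters, sorted, so equivalent URLs share one key."""
    kept = sorted((k, v) for k, v in parse_qsl(query, keep_blank_values=True) if k in whitelist)
    return urlencode(kept)


def cache_key(path, query, user_agent, is_mobile, *,
              forward_user_agent, forward_device_header, query_whitelist=True):
    """Model the cache key CloudFront builds from what the behavior forwards."""
    parts = [path, normalized_query(query) if query_whitelist else query]
    if forward_user_agent:          # raw UA: one entry per browser/OS build
        parts.append("ua=" + user_agent)
    if forward_device_header:       # CloudFront-Is-Mobile-Viewer: at most two values
        parts.append("mobile=" + is_mobile)
    return "|".join(parts)


def distinct_keys(**policy):
    """Number of separate cache entries the sample traffic produces under a policy."""
    return len(Counter(cache_key(*r, **policy) for r in REQUESTS))


def ttl_from_cache_control(header):
    """Edge TTL the origin asks for via Cache-Control max-age (None if absent)."""
    m = re.search(r"(?:^|,)\s*max-age=(\d+)", header or "")
    return int(m.group(1)) if m else None


def origin_response(headers):
    """What the origin does with the forwarded device header (assumed origin logic)."""
    mobile = headers.get("CloudFront-Is-Mobile-Viewer", "false") == "true"
    return {
        "status": 200,
        # Longest practical max-age so the object stays at the edge; CloudFront
        # still caps it with the behavior's maximum TTL.
        "headers": {"Cache-Control": "public, max-age=86400"},
        "body": "mobile layout" if mobile else "desktop layout",
    }


if __name__ == "__main__":
    print("forward User-Agent, all query strings:",
          distinct_keys(forward_user_agent=True, forward_device_header=False, query_whitelist=False))
    print("forward device header, whitelisted query strings:",
          distinct_keys(forward_user_agent=False, forward_device_header=True))
    print("no headers, whitelisted query strings:",
          distinct_keys(forward_user_agent=False, forward_device_header=False))
```

Five requests become five cache entries when the raw User-Agent and every query parameter are forwarded, but only three (two layouts for page 1, one for page 2) with the device header and a query-string whitelist; the same traffic pattern scaled to real browser diversity is what drives a hit ratio below 15%.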
A SysOps Administrator needs to set up a PostgreSQL database server that runs on a Reserved EC2 instance and will be used by various internal applications within a VPC. To simplify the naming convention of the database server, the Administrator plans to allocate a custom domain name for the database.
Which of the following should the Administrator do to complete this task?
Set up a private hosted zone in Route 53 associated with the VPC. Create an A (IPv4) or AAAA (IPv6) record, such as db.tutorialsdojo.com, whose value is the IP address of the database server.
NOT a CNAME record with the IP address as its value: CNAME data must be another hostname, never an IP address, so the record would be invalid. Even a CNAME pointing at a hostname adds an extra lookup on every resolution. CNAME records are also not the same thing as Route 53 alias records, which are a Route 53-specific mechanism for pointing at AWS resources.
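A record validator that covers both the ALB alias card above (CNAME versus alias, nothing but alias at the apex) and this A/CNAME card (CNAME data must be a hostname), added here as an example and not part of the original flashcards. The zone names follow the cards; the ALB DNS name and its hosted-zone ID are assumed placeholders. The change batch at the end shows the CNAME-to-alias swap done as one atomic ChangeResourceRecordSets call, which is why it carries no risk of a window without a record.

```python
"""Route 53 record sanity checks: alias vs CNAME, apex rules, A/AAAA vs CNAME data.

Added example, not from the original flashcards. ALB DNS name and hosted-zone
ID are assumed placeholders; every check here follows from the DNS RFCs or the
Route 53 alias model, not from any real zone.
"""
import ipaddress


def _fqdn(name):
    return name.rstrip(".").lower() + "."


def alias_record(name, target_dns, target_hosted_zone_id, rtype="A"):
    """Alias record in ChangeResourceRecordSets form: no TTL and no rdata,
    Route 53 resolves the target (here an ALB) itself and answers with A/AAAA."""
    return {
        "Name": _fqdn(name),
        "Type": rtype,
        "AliasTarget": {
            "DNSName": _fqdn(target_dns),
            "HostedZoneId": target_hosted_zone_id,  # the ALB's zone ID, not yours
            "EvaluateTargetHealth": True,
        },
    }


def simple_record(name, rtype, values, ttl=300):
    return {"Name": _fqdn(name), "Type": rtype, "TTL": ttl,
            "ResourceRecords": [{"Value": v} for v in values]}


def _is_ip(value, version):
    try:
        return ipaddress.ip_address(value).version == version
    except ValueError:
        return False


def validate_record(zone_name, record):
    """Return a list of problems; an empty list means the record is acceptable."""
    problems = []
    zone = _fqdn(zone_name)
    name, rtype = record["Name"], record["Type"]
    if not (name == zone or name.endswith("." + zone)):
        problems.append(f"{name} is outside zone {zone}")
    if "AliasTarget" in record:
        if rtype not in ("A", "AAAA"):
            problems.append("an alias to an ALB must be type A or AAAA")
        if "TTL" in record or "ResourceRecords" in record:
            problems.append("alias records carry no TTL or ResourceRecords")
        return problems
    values = [r["Value"] for r in record.get("ResourceRecords", [])]
    if rtype == "CNAME":
        if name == zone:
            problems.append("CNAME is not allowed at the zone apex (it would collide "
                            "with SOA/NS); use an alias record instead")
        if len(values) != 1:
            problems.append("a CNAME must have exactly one target")
        for v in values:
            if _is_ip(v, 4) or _is_ip(v, 6):
                problems.append(f"CNAME target {v} is an IP address; CNAME data must be "
                                f"a hostname, use an A/AAAA record")
    elif rtype == "A":
        problems += [f"{v} is not an IPv4 address" for v in values if not _is_ip(v, 4)]
    elif rtype == "AAAA":
        problems += [f"{v} is not an IPv6 address" for v in values if not _is_ip(v, 6)]
    return problems


def cname_to_alias_batch(zone_name, name, old_cname_target, alb_dns, alb_zone_id, old_ttl=300):
    """One atomic change batch: delete the CNAME and create the alias A record.
    A CNAME and an A record cannot coexist at the same name, so the delete must
    be in the same batch as the create."""
    old = simple_record(name, "CNAME", [old_cname_target], old_ttl)
    new = alias_record(name, alb_dns, alb_zone_id)
    for rec in (old, new):
        if (p := validate_record(zone_name, rec)):
            raise ValueError(p)
    return {"Comment": "swap CNAME for alias", "Changes": [
        {"Action": "DELETE", "ResourceRecordSet": old},
        {"Action": "CREATE", "ResourceRecordSet": new},
    ]}


if __name__ == "__main__":
    alb = "my-alb-123.ap-southeast-1.elb.amazonaws.com"   # assumed placeholder
    print(cname_to_alias_batch("doggogram.io", "trycatsinstead.doggogram.io", alb, alb, "ZEXAMPLEALBZONE"))
    print(validate_record("tutorialsdojo.com", simple_record("db.tutorialsdojo.com", "CNAME", ["10.0.1.25"])))
```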
A crowdfunding company has hired you for consultation services. They have set up many crowdfunding projects on their website using Lambda, CloudFront, and S3, and have asked you to evaluate them. They want to add new features, such as logging statistical data on how much their website is being accessed and how successful their crowdfunding projects are, and a way to check whether people within their company are maliciously modifying website content.
Which of the following will you recommend to address these requests in a cost-effective way? (Select TWO.)
– Use CloudFront's monitoring and usage reporting features to analyze access and viewer data.
– Use CloudTrail to log all API activity in the AWS account. Object-level S3 operations such as PutObject and DeleteObject are only recorded if CloudTrail data events are enabled for the bucket, so turn those on for the site bucket; enabling log file validation lets you prove the trail itself was not altered.
NOT associating a security group with the S3 bucket: security groups attach to network interfaces (EC2, RDS, Lambda in a VPC), not to S3 buckets, and they do not log or monitor user activity in any case.
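The "who modified the site content" check from this card, as an added example that is not part of the original flashcards: a small detector run over constructed CloudTrail S3 data-event records. The bucket name, account ID, deployment role ARN and sample events are all made up for the example; the assumed rule is that only the CI deployment role may write to the site bucket, so any other identity writing objects or changing the bucket policy is reported.

```python
"""Flag writes to the website bucket by anyone other than the deployment role.

Added example, not from the original flashcards. Bucket, account, role and the
sample records are constructed placeholders. Requires CloudTrail S3 data events
to be enabled, otherwise object-level calls never reach the trail.
"""
import json

SITE_BUCKET = "crowdfund-site-assets"   # assumed
DEPLOY_ROLE = "arn:aws:sts::111122223333:assumed-role/SiteDeployRole/ci-pipeline"  # assumed
WRITE_EVENTS = {"PutObject", "DeleteObject", "DeleteObjects", "CopyObject",
                "PutObjectAcl", "PutBucketPolicy", "PutBucketAcl"}

# Constructed CloudTrail records, trimmed to the fields the detector reads.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-02T09:15:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole", "arn": DEPLOY_ROLE},
     "requestParameters": {"bucketName": SITE_BUCKET, "key": "index.html"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-03-02T23:41:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": SITE_BUCKET, "key": "js/donate.js"},
     "sourceIPAddress": "203.0.113.9"},
    {"eventTime": "2024-03-02T10:02:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": SITE_BUCKET, "key": "index.html"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-03-02T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": "crowdfund-logs", "key": "2024/03/02.log"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-03-02T11:30:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"bucketName": SITE_BUCKET},
     "sourceIPAddress": "203.0.113.11"},
]


def is_suspicious(event, bucket=SITE_BUCKET, deploy_role=DEPLOY_ROLE):
    """True when a write to the site bucket was not made by the deployment role."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") not in WRITE_EVENTS:
        return False
    if event.get("requestParameters", {}).get("bucketName") != bucket:
        return False
    return event.get("userIdentity", {}).get("arn") != deploy_role


def detect(events):
    """Return one alert dict per suspicious record, in log order."""
    alerts = []
    for e in events:
        if is_suspicious(e):
            alerts.append({
                "time": e["eventTime"],
                "actor": e["userIdentity"]["arn"],
                "action": e["eventName"],
                "key": e.get("requestParameters", {}).get("key"),
                "ip": e.get("sourceIPAddress"),
            })
    return alerts


def detect_from_log_file(path):
    """CloudTrail delivers gzip-compressed JSON with a top-level "Records" list;
    this reads the decompressed form."""
    with open(path) as f:
        return detect(json.load(f)["Records"])


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(json.dumps(a))
```

On the sample records the deployment role's deploy of index.html and bob's write to the log bucket pass, while alice's late-night edit of donate.js and the root user's bucket-policy change are reported. In production the same rule runs as an EventBridge rule or Athena query over the trail rather than a script.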
A company is hosting a multi-tiered web application that consists of an e-commerce module and a blogging site that fetches data from a database. Some articles, which are static web pages, get many page hits and sometimes cause the application to slow down.
Which of the following can be used to alleviate slow loading times when many users visit such pages, in the MOST cost-effective way?
Host the static article pages using S3 static website hosting, taking that traffic off the application tier and the database entirely.
NOT the latency routing policy in Route 53: it chooses between multiple deployments based on latency and does nothing to reduce the load on a single site.