SAA Flashcards

Question

CloudTrail trail

Answer 1

- Lets you configure what to log - What regions - Global events - Global trail - Where -> S3 / CloudWatch Logs

Answer 2

- Kinesis for streaming (ingestion) - Multiple consumers, rolling window, no removals - SQS decoupling, work queue, one consumer per message

Answer 3

- No | - Can be added, public VIF + IPSec VPN

Answer 4

When utilizing AWS Organizations, you can create a service control policy and attach it to the account OU restricting access.

Answer 5

- It's HA by design - You can't make two for one VPC - You don't need to make two for one VPC - One IGW covers all public subnets in the VPC - Works with IPv4 and IPv6

Answer 6

- Represents all IPv6 addresses | - Generally used for the IPv6 default route

Answer 7

- Regional: No capacity reservation, just discount | - Zonal: Discount and capacity reservation

Answer 8

- Ordered record of change to a DynamoDB table; four different view types - KEYS_ONLY - NEW_IMAGE - OLD_IMAGE - NEW_AND_OLD_IMAGE

Answer 9

An extension of CNAME. Can be used like an A record with the functionality of a CNAME and none of the limitations. Can refer to AWS local services, and AWS doesn't charge for queries of alias records against AWS resources.

Answer 10

Availability Zones provide isolated infrastructure and services that allow for building highly available, fault-tolerant solutions within the same region.

Answer 11

- VPC - Subnet - ENI

Answer 12

- Log group: Related data (/var/log/secure) settings, filters, retention - Log stream: Data for a specific instance or thing - Filled with log events (date and time; message)

Answer 13

- Flat structure - Can't be mounted as a file system (natively) - Can be accessed at scale, high performance - Media/large objects/secure

Answer 14

- IAM users - AWS services - External accounts - Web identities

Answer 15

- IPv4 internal (inside VPC CIDR) - IPv4 public (dynamic, it changes when EC2 is stopped and started) - IPv4 Elastic IP: Static, created and associated with ENI (no change if allocated) - IPv6: All addresses are public

Answer 16

- One record set - www -> IP - www -> another name - domain -> MX

Answer 17

- Compute Optimized - Memory Optimized - Storage Optimized - General Purpose - Accelerated Computing

Answer 18

- Allocate public IP set to false | - No default route to IGW

Answer 19

15 minutes

Answer 20

- Global content delivery network for static and dynamic content - Accesses one or more origins (S3/custom) - Caches on edge locations and regional caches

Answer 21

- Projection: What attributes are in the index - ALL = same as table - KEYS = just keys - Selected: Whatever you want

Answer 22

- Per region - Unique ARN - PK and (optionally) SK - Local secondary indexes - Global secondary Indexes - Streams

Answer 23

- Log ingestions and management - Log search - Metric filter - App and OS logs via agent

Answer 24

- Persistently store data on S3 - Send to other services (Redshift) - Modify in flight using SQL

Answer 25

- Used for everything except DDB and S3 - ENIs in VPC - DNS names for services resolving to endpoints - Private DNS overrides service default - No route table changes

Answer 26

- Identity policies on USERS (same account only) - ACL on objects and bucket (old style) - Bucket policy: Applies to anyone accessing bucket (cross-account/public access)

Answer 27

- /32 = 1 IP - /31 = 2 total addresses: point-to-point links - /30 = 4 total: 2 usable, 1 network, 1 broadcast - /29 = 8 total: 6 usable, 1 network, 1 broadcast - /28 = 16 total: 14 usable, 1 network, 1 broadcast - /24 = 256 total - /22 = 1024 total

Answer 28

- gp2: General purpose SSD - io1: High IO SSD - st1: Throughput magnetic/mechanical - sc2: Cold storage, cheap, archival - Network-attached BLOCK storage - ONE INSTANCE AT A TIME - BELONGS TO ONE AZ

Answer 29

- Elastic Container Service - EC2 container service - Or using Fargate (managed server) container service - Docker containers

Answer 30

- A permissions boundary for a MEMBER account - What services an account _can_ use - What services an account _can't_ use

Answer 31

200. If additional resources are needed, you can nest and reference other stacks.

Answer 32

Choosing the right products/services that have the minimum upfront and ongoing costs

Answer 33

- An architecture where compute isn't running 24/7/365. Instead, it runs in response to an event. - S3 upload -> Lambda - SQS message on queue -> Lambda - Change to AWS Account -> CloudWatch Events -> Lambda

Answer 34

With a single letter following the region's code

Answer 35

Recovery Point Objective: The time between a failure and the last successful backup. How much data you will lose.

Answer 36

- Allocate public IP set to on - Route table with default route at IGW - VPC needs an attached IGW

Answer 37

- Poll - Process - Delete OR - Poll - Process - Message reappear (visibility timeout)

Answer 38

- Default 3,000 messages per second; 300 non-batching - Guaranteed once only - Guaranteed order

Answer 39

- Corporate identity store (MS/ADFS) - Need to get access to AWS resources using those identities - SAML assertion swapped by STS for temp credentials via `AssumeRoleWithSAML`

Answer 40

- Bucket accessible with HTTP/S - Requires world-readable permissions - Can set index/error.html - Useful to offload static content away from expensive compute servers

Answer 41

- Presents via iSCSI; block storage (network hard drive like EBS) - Volume stored: Data is on gateway; snapshots to S3 - Volume cached: Data is on S3; local cache on virtual appliance - Data is stored in volumes; not accessible directly via S3

Answer 42

- More regular backups | - Constant backups

Answer 43

Gateway objects created within a VPC. They can be used to connect to AWS public services without the need for the VPC to have an attached internet gateway and be public.

Answer 44

- Stateful (stored on the server) | - Stateless (stored outside of the server)

Answer 45

Used for descriptive text in a domain. Often used to verify domain ownership.

Answer 46

Elastic Beanstalk

Answer 47

- Doesn't require sharing a common secret; the key holder holds the private key that needs to be kept secret and safe while anyone can have and use the public key to encrypt text that is only intended for the key holder or decrypt text that is created by the key holder - Therefore, not easy to impersonate the key holder (unless private key is itself compromised)

Answer 48

Send incoming connections to the same instance for the duration of the session (LB generates a cookie).

Answer 49

- Infrastructure as a Service (e.g., EC2) | - You purchase a VM or an operating system.

Answer 50

- Automation of the provisioning and un-provisioning of resources - Horizontal scaling

Answer 51

- Key-value = DDB - Wide column key-value = DDB - Document DB = DocumentDB - Columnar DB = Redshift - Relational = Aurora/RDS - Ad-hoc = Athena

Answer 52

- _Not_ login - You become the role temporarily - STS gives you short-term credentials

Answer 53

- Handle long-running tasks involving AWS services and humans - Can coordinate Lambda - Decisions/parallel flows - Serverless via "state machines" - Like Simple Workflow service (without servers) - Use it if you need serverless flows longer than 15 minutes

Answer 54

- Physical 1 or 10 Gbps connection - Requires BGP - Public VIF (public services) and private VIF (VPC) run on top - NOT ENCRYPTED

Answer 55

- T3 - T2 - M5 - C3, etc. - Governs the capabilities (CPU type, mem type, GPU, burst, etc.)

Answer 56

- Allows resolution to occur to a local area-based record - Country - Continent - Global default

Answer 57

1. Company merger 2. Grant access to an AWS service 3. Cross-account access 4. Web identity federation 5. Break-glass–style extra access

Answer 58

- Amazon Machine Image - Config container + EBS snapshot(s) - Base system install - Custom AMI with prebakes config/applications - Can be shared and copied between regions

Answer 59

- EBS encryption uses an AWS/EBS KMS CMK - EC2 host performs encryption and decryption on data _to_ and _from_ EBS (at-rest encryption) - Any snapshots are encrypted - OS is unaware

Answer 60

No. You will need to create a new access key.

Answer 61

Larger cache that can hold objects for longer. Can deliver to edge location rather than origin fetch.

Answer 62

- S3 handles keys _and_ encryption/decryption - S3 admin can always decrypt objects - AES-256

Answer 63

- Primary and secondary - Primary passes health check = used - Primary fails health check = secondary used - Used for HA/maintenance - S3 backup for website

Answer 64

- Nodes in each subnet - Nodes have public IP (internet facing) or private (internal) - Each node gets one/number of nodes percentage of traffic - Nodes distribute to back-end instances (or _just_ in AZ if cross-zone is disabled)

Answer 65

- http://169.254.169.254/latest/meta-data/ - It's where role credentials are taken from - It's where cloud-init gets the bootstrap comments from - It's where an instance can find out its public IP/DNS

Answer 66

Lambda function being invoked when records are added to the stream

Answer 67

- Stored in S3 - Incremental: First = full; second = change from first - If volume is encrypted, the SNAP is encrypted - Can be copied between regions - Can be used to create new volumes

Answer 68

- Serverless querying - Ad-hoc querying - Billed for data scanned - Great for a wide range of data formats - No modification to source data

Answer 69

- Platform as a Service (e.g., Elastic Beanstalk) | - You provide code/application; the vendor supplies the environment.

Answer 70

- Services can assume to get permissions - External identities can assume to get permissions - IAM users can assume to get different permissions - ALL ARE TEMP CREDENTIALS

Answer 71

- Splits object into X parts; uploads in parallel - Speed benefit, reliability benefits - Recommended for 100 MB+ - Required for 5 GB+ - If a part fails, _just_ that part is retried

Answer 72

Defines what can assume a role

Answer 73

EC2 instance in a public subnet configured to accept connections (usually RDP or SSH). Once connected, can "jump" and access private resources.

Answer 74

An architecture in which all the application layers are coupled within the same application

Answer 75

- Locate EC2 instances close - Full bandwidth between all instances in placement group - AZ locked when first instance launched - Ideally, launch all instances at once and same type. Otherwise, you may have capacity issues.

Answer 76

No. An EC2 instance's OS _never_ sees its IPv4 public IP. The internet gateway converts the private IPv4 to public IPv4 or elastic when traffic leaves.

Answer 77

- Principal: The account or system requesting access or authorization - Authorization: Verifying the principal against the identity - Identity: Objects that are authorized and require authentication to access resources - Authentication: Checking if the identity is allowed or denied access to a resource

Answer 78

- Represents _all_ IPs | - Usually used for the default IPv4 route

Answer 79

- S3 handles encryption and decryption - KMS handles keys - S3 admin can't by default access objects; needs KMS - CMK permissions too

Answer 80

- IAM role - Instance profile - STS temp credentials available from metadata - http://169.254.169.254/latest/meta-data/

Answer 81

- MASTER ACCOUNT - MEMBER ACCOUNTS - Consolidated billing - Account restrictions

Answer 82

- Data points: CPU usage at this time - Metrics: Data points (CPU) over time - Alarm: If metric = this, more than this, less than this -> ALARM - Alarm state = OK, ALARM, INSUFFICIENT DATA - Alarm can notify (SNS) take action ASG/EC2

Answer 83

- Publisher/subscriber - Messages 256 K -> Topics - Topics send _all_ to subscribers - Can have filters for subscribers - Subscribers can be email, Lambda, queues, mobile push, HTTPS

Answer 84

Elastic Beanstalk

Answer 85

- SCALE-UP - SCALE-DOWN - Increasing or decreasing the size of a compute resource

Answer 86

- Captures account events (APIs/logins) - Management events - Optionally data events (S3 and Lambda)

Answer 87

It is a JSON document that defines whether requests are allowed or denied. On its own, it does nothing. Needs to be associated.

Answer 88

- Moves between Standard and IA - No movement fee - No retrieval fee - Just an object-based admin fee - Use for uncertain access patterns

Answer 89

- Used for IPv6 to allow outgoing _only_ - IPv6 are all public IPs - An internet gateway allows incoming and outgoing for IPv6 - Otherwise the same

Answer 90

A public key can be used to encrypt data that only a corresponding private key can decrypt. A private key can _sign_ data that can be confirmed as valid using a public key.

Answer 91

- Virtual Tape Library - Presents via iSCSI - Virtual Tape Drive / Library -> S3 - Virtual Tape Shelf -> Glacier - Migrate backups to AWS or reduce backup overhead.

Answer 92

- Replicated in only one AZ, not three - Cheaper, better value - Less important data or reproducible

Answer 93

- Uploads from a local endpoint through to the bucket - Uses AWS global network - Speed improvements

Answer 94

- Column based - _Not_ for transactions - For reporting - Petabyte - Can be copied and have snapshots taken

Answer 95

- Network address translation - Allowing multiple private IPs to access the internet in an outgoing way via one public IP - It's what your home internet router does

Answer 96

- Created with table - Share RCU and WCU with table - Alternative SK; must already have an SK on table

Answer 97

1. Cluster 2. Partition 3. Spread

Answer 98

1. Physical 2. Data Link 3. Network 4. Transport 5. Session 6. Presentation 7. Application

Answer 99

- Database as a Service (e.g., DynamoDB/RDS — RDS is between DBaaS and IaaS) - You purchase a "database" or "table."

Answer 100

- Username and password | - Access keys

Answer 101

Container/organizing users

Answer 102

- Generates a URL for an object with security included - Can be used for reads and writes - The URL has the permissions of the person generating it - Can generate URLs for objects you can't access

Answer 103

S3 is a flat file structure. It cannot contain folders. When you create a "folder" within S3, it is actually not a folder — it is an object.

Answer 104

- Provide the performance of DDB - 1,000 WCU - 3,000 RCU - 10 GB data

Answer 105

- When you have a known event - Busy periods of the month/week - Busy times of the day - Non-busy times - Can pre-launch so things are ready before

Answer 106

IAM is a global service.

Answer 107

- EBS: One EC2 instance - EFS: Many Linux instances - Storage Gateway: Edge case, iSCSI - _Not_ S3

Answer 108

- Origin access identity - Virtual identity that can be associated with a CloudFront distribution and then used to restrict a bucket to that distribution

Answer 109

- One partition key (PK) - And optionally one sort key (SK) - Up to 400 KB of data per ITEM - Attribute length + attribute names + keys

Answer 110

1. Endpoint 2. Status of other health checks 3. State of CloudWatch alarms

Answer 111

- PUBLISHER -> SNS -> QUEUE1/2/3 ... SUBSCRIBERS - Message duplication - Parallel processing - Different bit rates

Answer 112

- Database Migration Service - Replication instance - Source -> target - Allows gradual migration; no admin overhead - Schema Conversion Tool (SCT)

Answer 113

- Inline: User or groups they are a member of | - Managed: Associated with user or groups they are a member of

Answer 114

Normally username, password, and optionally MFA

Answer 115

- SR-IOV - Lower CPU usage for higher speeds - Higher speeds - Lower, more consistent latency - Less jitter (latency variance)

Answer 116

- Move objects between tiers - Remove objects after a period - Works with versioning

Answer 117

The ability of a system to dynamically scale up or down to manage the increase or decrease in demand

Answer 118

EC2 occupies one subnet, one AZ, uses EBS, one AZ. If the AZ fails, the instance fails.

Answer 119

- The default storage tier | - High availability, high durability

Answer 120

- Created at any time - Own RCU and WCU - Alternative PK and SK - Data is replicated from table; always eventually consistent

Answer 121

- VPC has a CIDR - Subnets have a range - In every subnet - Normally .0 (or whatever the network IP is) is reserved - Network+1 is the VPC router in each subnet - Network+2 is the DNS in the subnet - Network+3 is reserved - Broadcast (subnet last IP) is reserved

Answer 122

- Snowball Edge: 10 TB -> 10 PB | - Snowmobile: Single location, 10 PB+, max 100 PB

Answer 123

Assuming a role in another AWS account via the console UI — you become the role in the other account and have its permissions via the console

Answer 124

- Short term - Unknown usage - Can't tolerate interruption - Bridge the gap between reserved and spot

Answer 125

- Container - Runs on top of a base OS and Docker host - Lightweight - Contains only the differences made from the base image, apps, dependencies, etc.

Answer 126

- Security group associated with the instance | - NACL on the subnets

Answer 127

- An appliance that can filter incoming or outgoing IP traffic - Allowing it, blocking it - NACLs and security groups are similar to firewalls

Answer 128

- Real-time streaming (IoT/sensor) - Stores 24 hours of rolling data; can be seven days - Shards allow scaling - 1 shard = 1,000 records/s, 1 MB in, 2 MB out

Answer 129

- Generated by STS - Time limited - IAM role

Answer 130

- AWS-allocated IPv6 range - Allocate subsets to subnets - Configure instance/other service to use - Needs IPv6 routes - IGW or egress-only internet gateway

Answer 131

- Function as a Service - Runtime up to 15 minutes - Pay only for time running - Execution role (IAM role) provides permissions - Can be invoked by CloudWatch Events, S3, SNS, and much more - Can integrate with ALB/API Gateway - Public or private (VPC)

Answer 132

- API hosting endpoints as a service - HA/scalable - Can invoke Lambda, and store directly into DDB - Public service - Avoids the need to self-host APIs

Answer 133

- Key Management Service - Manages CMKs (customer master keys) - Encrypt and decrypt

Answer 134

The IAM role a Lambda function assumes when it invokes

Answer 135

- NAT as a service - Occupies a public subnet, uses an Elastic IP, needs an IGW - _Not_ HA — you need one per AZ for true HA - Private subnets need default route pointing at NATGW

Answer 136

- Using multiple keys to encrypt - Data -> Key A -> Encrypted Data - Encrypted Data -> Key B -> Encrypted Encrypted Data

Answer 137

- Quick way of doing HA - Min 1, Max 1, Desired 1 - Failed instances are instantly rebuilt - Good for smaller sites

Answer 138

- Identity and Access Management - Trusted by the account - IAM can create and trust identities

Answer 139

- 100 buckets per account - No limit on number of objects - Objects = 0 bytes to 5 TB per object - GLOBALLY UNIQUE BUCKET NAME

Answer 140

- Unique identifier for any AWS thing | - arn:::::

Answer 141

- Contains the WHAT - What you want to launch (AMI, keys, size, config) - Used by ASGs

Answer 142

- Data archiving - Not immediate access; retrieval time takes minutes to hours

Answer 143

- Highly available IPSec VPN - VGW (one per VPC) -> Customer Gateway (CGW) via one VPN connection (two tunnels) - HA = two CGWs and two VPNs

Answer 144

http://169.254.169.254/latest/meta-data/

Answer 145

- Default to apply if object PUT doesn't specify anything | - Can be overridden

Answer 146

- Elastic network interface - VPC network interface - SGs are attached to ENIs, not instances - Instance has a default ENI - Can have others — each with its own set of SGs - ENIs have private IPs

Answer 147

Attaching policies to groups is, in effect, attaching the policy to the users who are members of the group.

Answer 148

- Up to 35 days automatic backup - Manual snapshots (last until deleted) - Point in time

Answer 149

- Decoupling | - Scaling working group (using ASG + CW + SQS)

Answer 150

- Serverless transcoding of media - SRC -> DESTINATION - Can be manual; can be automatic using S3 events + Lambda

Answer 151

- SCALE-OUT - SCALE-IN - Adding or removing compute resources

Answer 152

- Stateless: All traffic consists of initiating and return - Accessing EC2 on port 80 incoming = return traffic on a high random port outgoing - NACL needs two rules (in and out) for everything - NACL can explicitly DENY - NACLs apply to subnets; only affect traffic crossing subnet - _Cannot_ reference logical objects - _Cannot_ apply to instances

Answer 153

- EC2 if heavy CPU and constant need - Lambda for event-based, less than 15 minutes, serverless - Step Functions for longer multi-Lambda flows

Answer 154

Equal to max IAM users in an account

Answer 155

- Designed for less frequently accessed data — same levels of durability and availability. Retrieval fee. - Important data but not commonly accessed

Answer 156

- Global DNS service - Public and private (inside one or more VPCs) - Globally resilient

Answer 157

- Network file system (Elastic File System) - Uses S3 — Standard and IA - Accessible from Linux EC2 or Linux on-prem - Can be mounted as a file system; good for shared storage - _Not_ public

Answer 158

- No | - No

Answer 159

Data is encrypted before being written to disk and decrypted when read from disk.

Answer 160

- When you have a "web scale"/"mobile app" - More than 5,000 users or don't want to make IAM users - Or users have their own IDs (Twitter/FB/Amazon/Google) - Swap ID token for temp credentials via STS `AssumeRoleWithWebIdentity`

Answer 161

- EBS volume = one AZ - AZ fails, EBS volume fails - EBS volume attached to instances in the same AZ only - Snapshots to S3

Answer 162

- Too many users for 5,000 IAM limit | - Same reason you _want_ to use external identities (admin overhead, efficiency, minimize duplication)

Answer 163

- Accepts a connection (e.g., HTTP) - Makes a connection on your behalf and passes the response to you - Corporate web caches are a proxy server - Can filter based on DNS name

Answer 164

- Trusting another IdP to verify someone is who they say they are. Using that trusted identity to allow access to your systems via an ID swap. - SAML 2.0 - Web identity

Answer 165

64,000 for a volume and 80,000 for an instance

Answer 166

- Record weight / total weight = chance of being used - Allows gradual migration - Allows distribution - A/B testing

Answer 167

Security Token Service: It is responsible for creating short-term access keys that can be used by principals who have assumed a role to access the resources that the role has permissions for.

Answer 168

IAM role + instance profile allows an instance to assume a role and STS temp credentials to be available in the metadata

Answer 169

- Subnet belongs to a VPC and an AZ - Subnet has a range of IPs inside the range of the VPC - Subnet ranges cannot overlap in the VPC or be outside of the VPC range - Can have IPv4 or IPv6

Answer 170

The object versions are not actually deleted; S3 adds a marker to indicate the object was deleted.

Answer 171

Availability Zones provide isolated infrastructure and services that allow for building highly available, fault-tolerant solutions within the same region.

Answer 172

- Memory utilization - Process memory utilization - Process CPU utilization

Answer 173

No... 1 physical connection | HA = 2 Direct Connects or 1 Direct Connect and 1+ VPN

Answer 174

MASTER ACCOUNT gets billing for all member accounts. Volume discounts and reservations are pooled.

Answer 175

- Reserved (with capacity reservation) - On-demand - Spot

Answer 176

- Virtual machine running on an EC2 host - Allocation of vCPU and vMem - Attached network (ENI) - Attached storage (EBS)

Answer 177

- Links _two_ VPCs with a private, software-based, HA connection - Is _not_ transitive routing - VPC 1VPC 2VPC 3 does _not_ mean 1 and 3 can connect. - Routes need adding (peer is a gateway object) - Can secure using SG and NACL

Answer 178

- 1:1 relationship between IGW and VPC - IGW is normally the default route for IPv4 and IPv6 - Converts between private IP and public IP - Allows public instances to access the internet

Answer 179

A system designed to work through failure without any user impact. ASG + LB and external session state.

Answer 180

- A private network | - Isolated from other VPCs in your account in your region. Highly available, assuming you make subnets in multiple AZs.

Answer 181

- At least once delivery - Best effort ordering - Scale to nearly infinite levels

Answer 182

- The same key is used to encrypt and decrypt. | - Fast, but you need to worry about how to get the key to the other party.

Answer 183

Data is encrypted before being sent to a server or sent from a server

Answer 184

- Architecture where you manage little to no constantly running compute - Function as a service (FaaS), event-driven and third-party services are used to build a service

Answer 185

- Takes an event source - Delivers to a target - Event-driven actions

Answer 186

- Almost always cheaper - Multiple SSL per ALB - Content rules (DNS name/path) - More services as targets (Lambda, containers, etc.)

Answer 187

- Auto Scaling groups - Support elasticity - Use the _what_ from templates/configs - Control the where/_how_ - Min/Max/Desired/Subnets - Scaling policies: Simple/stepped/target tracking/scheduled

Answer 188

- Enhancement of RDS MySQL/PostgreSQL - Cluster shared storage (no need to allocate upfront) - Replica (writer/reader) in as many AZs as you need - Reader = scaled reads - Much faster, all SSD vs. RDS

Answer 189

- Customer Managed Key: Rotation and key policy - AWS Managed Key: Service default - AWS Owned Key: Not visible, cross-client functions

Answer 190

- Function as a Service (e.g., Lambda) | - You provide a function; the vendor provides a runtime environment and everything else. Huge scalability, low cost.

Answer 191

- Stateful (one rule, allows return traffic) - Applied to ENIs (and thus instances) - Can't explicitly DENY, only ALLOW - Default is to DENY - Can reference other SG, other objects, themselves, and IP/CIDR

Answer 192

- MySQL/PostgreSQL/MariaDB/Oracle/MSSQL - HA: Single-AZ or Multi-AZ — standby _not_ usable - Read replicas can scale reads - Not cluster-based; each instance has own storage

Answer 193

- 1 operation of 4 KB max p/s strongly consistent | - 2 x eventual consistent

Answer 194

- Principal: The entity (or type of entities) that can assume the role - Effect: Allow or Deny - Action: STS:AssumeRole

Answer 195

- Known usage patterns - Constant CPU - Unchanging - One to three years - Cost-conscious - Want to reserve capacity

Answer 196

1. Explicit Deny 2. Explicit Allow 3. Implicit Deny (Default)

Answer 197

- VPN: Quick to set up, cheap, can be moved, supports cheaper non-BGP consumer hardware, uses internet data - Direct Connect: Longer to set up, lower latency, better consistency of latency, better performance

Answer 198

- Identity - Can have policies - Can be in groups - Can be referenced via ARN - U & P, access keys - Can have MFA - NO TEMP CREDENTIALS

Answer 199

- S3 handles encryption and decryption | - Customer supplies keys and plaintext data

Answer 200

- Software as a Service (e.g., Netflix, O365, Spotify) | - An application, end to end, is provided.

Answer 201

- EC2 hosts that are dedicated to you - Useful for restrictive licensing - Or security concerns/restrictions

Answer 202

- Dedicated network path for storage - Independent of data networking - High speeds, less contention

Answer 203

- HA: Allows systems to recover quickly after failures | - FT: Allows systems to operate through a failure with no user impact

Answer 204

- A system that can automatically and quickly recover from failure; designed to maximize availability. - ASG + LB

Answer 205

- Serverless relational DB - Uses Aurora Capacity Units (ACUs) - Can scale all the way to zero, and spin up when data access needed (10–20 seconds) - Very good option for variable load relational DB

Answer 206

- At the AWS side, assuming two tunnels. Not at the customer side (one CGW). - Two VPN connections and two CGWs required for HA

Answer 207

- Bootstrap: More customizable - AMI bake: Faster and immutable - If software takes 20 mins, and you need new instances up quicker, then AMI bake. - Can do a mixture

Answer 208

- When you want the cheapest EC2 compute - When you can tolerate failure/restarts/interruptions - Great for ad-hoc scaling, worker pools, analysis with EMR

Answer 209

= 1 operation of 1 KB max per second

Answer 210

- Access keys | - _Not_ username and password

Answer 211

- A route says, "for traffic to this destination, send it here" - A route table is a group of routes - Traffic matches a route - For multiple matches, the higher the prefix (/XX), the more priority the match - If equal prefix, static routes are preferred, then dynamically learned - Direct Connect is preferred over dynamic VPN

Answer 212

- In-memory cache for DynamoDB reads - Microsecond response - Specifically designed for DDB

Answer 213

- Operational excellence - Security - Reliability - Performance efficiency - Cost optimization

Answer 214

- On-Demand: Per operation charge | - Provisioned: Charge per WCU and RCU

Answer 215

- Governs memory, CPU, and general speed - nano - micro - small - medium - So on...

Answer 216

- Default configuration | - 90-day history

Answer 217

- On-Demand: Default, per second - Spot: Using AWS spare capacity, can be interrupted, ~80% discounts - Reserved: Pay upfront for discounted rate, good for known usage

Answer 218

- Allows storage migration - Allows storage extension - Uses S3 as backing store - Public service: Public internet connection or DX public VIF - Tape gateway (VTL), file gateway, volume gateway

Answer 219

Identities: Human, application, service

Answer 220

- Used for S3 and DynamoDB - Access to public endpoints for those services without IGW or NATGW - Uses prefix lists with the target of the endpoint - No DNS used

Answer 221

- Monitoring and metrics for AWS services | - Custom things with agent, including on-premises

Answer 222

- Storage Gateway - Shares via SMB (Windows sharing) - Files are stored as S3 objects - Capacity extension or back up to S3

Answer 223

- Cold archive | - Hours retrieval time

Answer 224

- Provide secure access to public services in a VPC without needing IGW or NATGW - Used to highly secure private VPCs

Answer 225

- EC2 instance configured to perform NAT | - SRC/DST Check = off

Answer 226

- In-memory cache; key-value and simple data types - MemcacheD (simple, fast) - Redis (more fully featured, complex)

Answer 227

- New features (e.g., T3 unlimited, elastic GPU) - Versions - Inheritance - Can be used to manually launch instances