SAA Flashcards

Question 1

Q

What are the rules concerning S3 bucket names?

Answer

A

They have to be globally unique (no two buckets can have the same name, even if they are created within two different regions, or AWS accounts).
They have to use DNS name-like rules (only lowercase, can’t have a - in the name, may start with a digit or character).
Have to be 3-63 characters long.
Cannot be IP address-like.

Question 2

Q

EC2 health checks vs. ELB for ASG

Answer

A

EC2 health checks deal with HOST/INSTANCE issues
ELB can monitor app health
ASG using ELB checks detect and replace failed apps/instances

Question 3

Q

Serverless in AWS

Answer

A

Lambda
API Gateway
DynamoDB
Step Functions
S3
SQS/SNS

Question 4

Q

Max managed IAM policies per group

Question 5

Q

Role permissions policy

Answer

A

Defines what permissions STS gives the identity who assumes a role

Question 6

Q

What is split view in DNS?

Answer

A

When there are two zones, a private and a public, and they have the same DNS record

Question 7

Q

Define what a logical resource and a physical resource is within CloudFormation.

Answer

A

A logical resource is the resource defined in code format while the physical resource is the real resource that is actually created in AWS by the logical resource.

Question 8

Q

Route targets

Answer

A

Can be IPs

- Can be gateway objects such as IGW, VGW, VPC endpoints, VPC peers, NAT gateways, etc.

Question 9

Q

How many objects and how much data can S3 store?

Answer

A

S3 can store an unlimited number of objects and an unlimited amount of data.

Question 10

Q

SQS security

Answer

A

Public service
Queue policy (resource policy)

Question 11

Q

RTO

Answer

A

Recovery Time Objective: How long from the point of failure it will take to recover the system to an operational state

Question 12

Q

What is RTMP?

Answer

A

Real-Time Messaging Protocol, owned by Adobe. CloudFront has an option to distribute this type of content.

Question 13

Q

Snowball/Edge/Mobile

Answer

A

Migrate data to or from S3 faster than you could with an internet connection (high-capacity, suitcase-sized storage).
Consider when you have high data volume and a bad internet connection.

Question 14

Q

Bootstrap

Answer

A

Giving startup commands to an instance
Configure OS
Install apps
Configure apps
Steps occur after base AMI is installed
Done via user data for EC2

Question 15

Q

Route 53 latency

Answer

A

Resolves to record that provides the lowest latency and so ideally best performance

Question 16

Q

What is the maximum retention period for RDS automatic backups?

Question 17

Q

SQS

Answer

A

Standard or FIFO queues
256 KB messages
Short poll: Queue messages or nothing
Long poll: Wait for messages (fewer API calls)

Question 18

Q

Bucket — object versioning

Answer

A

Can be enabled and paused, not disabled
Every object gets a version ID
Deleted objects just have a delete marker added
Required for CRR

Question 19

Q

Improving RTO

Answer

A

Automated recovery
Automated healing
Efficient restore processes

Question 20

Q

VPC Flow Logs

Answer

A

Monitors IP traffic metadata -> S3 or CloudWatch Logs

Question 21

Q

EMR

Answer

A

Elastic MapReduce
Analysis of “big data” (unstructured and semi-structured)
Cluster (master, core, task)
HDFS cluster file system
EMRFS: S3-based cluster file system

Question 22

Q

What are the types of CloudWatch Events sources?

Answer

A

Pattern

- Scheduled

Question 23

Q

Access keys

Answer

A

Long-term credentials associated with an IAM user
Give permissions the user has
Don’t expire

Question 24

Q

S3 CRR

Answer

A

Cross-region replication
Object replication from source bucket to destination bucket in a different region
Not retroactive; one way only
DR or read in different region for performance reasons

Question 25

Q

CloudTrail trail

Answer

A

Lets you configure what to log
What regions
Global events
Global trail
Where -> S3 / CloudWatch Logs

Question 26

Q

Kinesis vs. SQS

Answer

A

Kinesis for streaming (ingestion)
Multiple consumers, rolling window, no removals
SQS decoupling, work queue, one consumer per message

Question 27

Q

Direct Connect encryption

Answer

A

No

- Can be added, public VIF + IPSec VPN

Question 28

Q

What is the only way to restrict the root user?

Answer

A

When utilizing AWS Organizations, you can create a service control policy and attach it to the account OU restricting access.

Question 29

Q

Internet gateway HA

Answer

A

It’s HA by design
You can’t make two for one VPC
You don’t need to make two for one VPC
One IGW covers all public subnets in the VPC
Works with IPv4 and IPv6

Question 30

Q

What is ::/0?

Answer

A

Represents all IPv6 addresses

- Generally used for the IPv6 default route

Question 31

Q

Reserved Instances

Answer

A

Regional: No capacity reservation, just discount

- Zonal: Discount and capacity reservation

Question 32

Q

DynamoDB streams

Answer

A

Ordered record of change to a DynamoDB table; four different view types
KEYS_ONLY
NEW_IMAGE
OLD_IMAGE
NEW_AND_OLD_IMAGE

Question 33

Q

Describe alias records.

Answer

A

An extension of CNAME. Can be used like an A record with the functionality of a CNAME and none of the limitations. Can refer to AWS local services, and AWS doesn’t charge for queries of alias records against AWS resources.

Question 34

Q

What is the benefit of having multiple Availability Zones within a region?

Answer

A

Availability Zones provide isolated infrastructure and services that allow for building highly available, fault-tolerant solutions within the same region.

Question 35

Q

VPC Flow Logs monitoring points

Answer

A

VPC
Subnet
ENI

Question 36

Q

CloudWatch Logs components

Answer

A

Log group: Related data (/var/log/secure) settings, filters, retention
Log stream: Data for a specific instance or thing
Filled with log events (date and time; message)

Question 37

Q

S3 object storage

Answer

A

Flat structure
Can’t be mounted as a file system (natively)
Can be accessed at scale, high performance
Media/large objects/secure

Question 38

Q

What can assume roles in IAM?

Answer

A

IAM users
AWS services
External accounts
Web identities

Question 39

Q

Types of IP in VPC

Answer

A

IPv4 internal (inside VPC CIDR)
IPv4 public (dynamic, it changes when EC2 is stopped and started)
IPv4 Elastic IP: Static, created and associated with ENI (no change if allocated)
IPv6: All addresses are public

Question 40

Q

Route 53 simple

Answer

A

One record set
www -> IP
www -> another name
domain -> MX

Question 41

Q

Instance families

Answer

A

Compute Optimized
Memory Optimized
Storage Optimized
General Purpose
Accelerated Computing

Question 42

Q

Private subnet

Answer

A

Allocate public IP set to false

- No default route to IGW

Question 43

Q

Groups an IAM user can be a member of

Question 44

Q

What is the maximum time a Lambda function can run?

Answer

A

15 minutes

Question 45

Q

CloudFront

Answer

A

Global content delivery network for static and dynamic content
Accesses one or more origins (S3/custom)
Caches on edge locations and regional caches

Question 46

Q

DynamoDB indexes

Answer

A

Projection: What attributes are in the index
ALL = same as table
KEYS = just keys
Selected: Whatever you want

Question 47

Q

DynamoDB table

Answer

A

Per region
Unique ARN
PK and (optionally) SK
Local secondary indexes
Global secondary Indexes
Streams

Question 48

Q

What does CloudWatch Logs do?

Answer

A

Log ingestions and management
Log search
Metric filter
App and OS logs via agent

Question 49

Q

Kinesis Data Firehose

Answer

A

Persistently store data on S3
Send to other services (Redshift)
Modify in flight using SQL

Question 50

Q

VPC interface endpoint

Answer

A

Used for everything except DDB and S3
ENIs in VPC
DNS names for services resolving to endpoints
Private DNS overrides service default
No route table changes

Question 51

Q

S3 permissions

Answer

A

Identity policies on USERS (same account only)
ACL on objects and bucket (old style)
Bucket policy: Applies to anyone accessing bucket (cross-account/public access)

Question 52

Q

Network sizes

Answer

A

/32 = 1 IP
/31 = 2 total addresses: point-to-point links
/30 = 4 total: 2 usable, 1 network, 1 broadcast
/29 = 8 total: 6 usable, 1 network, 1 broadcast
/28 = 16 total: 14 usable, 1 network, 1 broadcast
/24 = 256 total
/22 = 1024 total

Question 53

Q

EBS volume

Answer

A

gp2: General purpose SSD
io1: High IO SSD
st1: Throughput magnetic/mechanical
sc2: Cold storage, cheap, archival
Network-attached BLOCK storage
ONE INSTANCE AT A TIME
BELONGS TO ONE AZ

Question 54

Q

ECS

Answer

A

Elastic Container Service
EC2 container service
Or using Fargate (managed server) container service
Docker containers

Question 55

Q

True or False: By default, S3 content is stored encrypted.

Question 56

Q

Service control policy

Answer

A

A permissions boundary for a MEMBER account
What services an account can use
What services an account can’t use

Question 57

Q

How many resources can a CloudFormation template have?

Answer

A

If additional resources are needed, you can nest and reference other stacks.

Question 58

Q

Number of access keys per IAM user

Question 59

Q

True or False: Edge locations check the regional cache first before hitting the origin to get an object.

Question 60

Q

What is cost-effectiveness/efficiency?

Answer

A

Choosing the right products/services that have the minimum upfront and ongoing costs

Question 61

Q

Event-driven

Answer

A

An architecture where compute isn’t running 24/7/365. Instead, it runs in response to an event.
S3 upload -> Lambda
SQS message on queue -> Lambda
Change to AWS Account -> CloudWatch Events -> Lambda

Question 62

Q

How are Availability Zones identified?

Answer

A

With a single letter following the region’s code

Question 63

Q

RPO

Answer

A

Recovery Point Objective: The time between a failure and the last successful backup. How much data you will lose.

Question 64

Q

Public subnet

Answer

A

Allocate public IP set to on
Route table with default route at IGW
VPC needs an attached IGW

Answer 59

A

Poll
Process
Delete

OR

Poll
Process
Message reappear (visibility timeout)

Answer 60

A

Default 3,000 messages per second; 300 non-batching
Guaranteed once only
Guaranteed order

Answer 61

A

Corporate identity store (MS/ADFS)
Need to get access to AWS resources using those identities
SAML assertion swapped by STS for temp credentials via AssumeRoleWithSAML

Answer 62

A

Bucket accessible with HTTP/S
Requires world-readable permissions
Can set index/error.html
Useful to offload static content away from expensive compute servers

Answer 63

A

Presents via iSCSI; block storage (network hard drive like EBS)
Volume stored: Data is on gateway; snapshots to S3
Volume cached: Data is on S3; local cache on virtual appliance
Data is stored in volumes; not accessible directly via S3

Answer 64

A

More regular backups

- Constant backups

Answer 65

A

Gateway objects created within a VPC. They can be used to connect to AWS public services without the need for the VPC to have an attached internet gateway and be public.

Answer 66

A

Stateful (stored on the server)

- Stateless (stored outside of the server)

Answer 67

A

Used for descriptive text in a domain. Often used to verify domain ownership.

Answer 68

A

Elastic Beanstalk

Answer 69

A

Doesn’t require sharing a common secret; the key holder holds the private key that needs to be kept secret and safe while anyone can have and use the public key to encrypt text that is only intended for the key holder or decrypt text that is created by the key holder
Therefore, not easy to impersonate the key holder (unless private key is itself compromised)

Answer 70

A

Send incoming connections to the same instance for the duration of the session (LB generates a cookie).

Answer 71

A

Infrastructure as a Service (e.g., EC2)

- You purchase a VM or an operating system.

Answer 72

A

Automation of the provisioning and un-provisioning of resources
Horizontal scaling

Answer 73

A

Key-value = DDB
Wide column key-value = DDB
Document DB = DocumentDB
Columnar DB = Redshift
Relational = Aurora/RDS
Ad-hoc = Athena

Answer 74

A

Not login
You become the role temporarily
STS gives you short-term credentials

Answer 75

A

Handle long-running tasks involving AWS services and humans
Can coordinate Lambda
Decisions/parallel flows
Serverless via “state machines”
Like Simple Workflow service (without servers)
Use it if you need serverless flows longer than 15 minutes

Answer 76

A

Physical 1 or 10 Gbps connection
Requires BGP
Public VIF (public services) and private VIF (VPC) run on top
NOT ENCRYPTED

Answer 77

A

T3
T2
M5
C3, etc.
Governs the capabilities (CPU type, mem type, GPU, burst, etc.)

Answer 78

A

Allows resolution to occur to a local area-based record
Country
Continent
Global default

Answer 79

A

Company merger
Grant access to an AWS service
Cross-account access
Web identity federation
Break-glass–style extra access

Answer 80

A

Amazon Machine Image
Config container + EBS snapshot(s)
Base system install
Custom AMI with prebakes config/applications
Can be shared and copied between regions

Answer 81

A

EBS encryption uses an AWS/EBS KMS CMK
EC2 host performs encryption and decryption on data to and from EBS (at-rest encryption)
Any snapshots are encrypted
OS is unaware

Answer 82

A

No. You will need to create a new access key.

Answer 83

A

Larger cache that can hold objects for longer. Can deliver to edge location rather than origin fetch.

Answer 84

A

S3 handles keys and encryption/decryption
S3 admin can always decrypt objects
AES-256

Answer 85

A

Primary and secondary
Primary passes health check = used
Primary fails health check = secondary used
Used for HA/maintenance
S3 backup for website

Answer 86

A

Nodes in each subnet
Nodes have public IP (internet facing) or private (internal)
Each node gets one/number of nodes percentage of traffic
Nodes distribute to back-end instances (or just in AZ if cross-zone is disabled)

Answer 87

A

http://169.254.169.254/latest/meta-data/
It’s where role credentials are taken from
It’s where cloud-init gets the bootstrap comments from
It’s where an instance can find out its public IP/DNS

Answer 88

A

Lambda function being invoked when records are added to the stream

Answer 89

A

Stored in S3
Incremental: First = full; second = change from first
If volume is encrypted, the SNAP is encrypted
Can be copied between regions
Can be used to create new volumes

Answer 90

A

Serverless querying
Ad-hoc querying
Billed for data scanned
Great for a wide range of data formats
No modification to source data

Answer 91

A

Platform as a Service (e.g., Elastic Beanstalk)

- You provide code/application; the vendor supplies the environment.

Answer 92

A

Services can assume to get permissions
External identities can assume to get permissions
IAM users can assume to get different permissions
ALL ARE TEMP CREDENTIALS

Answer 93

A

Splits object into X parts; uploads in parallel
Speed benefit, reliability benefits
Recommended for 100 MB+
Required for 5 GB+
If a part fails, just that part is retried

Answer 94

A

Defines what can assume a role

Answer 95

A

EC2 instance in a public subnet configured to accept connections (usually RDP or SSH). Once connected, can “jump” and access private resources.

Answer 96

A

An architecture in which all the application layers are coupled within the same application

Answer 97

A

Locate EC2 instances close
Full bandwidth between all instances in placement group
AZ locked when first instance launched
Ideally, launch all instances at once and same type. Otherwise, you may have capacity issues.

Answer 98

A

No. An EC2 instance’s OS never sees its IPv4 public IP. The internet gateway converts the private IPv4 to public IPv4 or elastic when traffic leaves.

Answer 99

A

Principal: The account or system requesting access or authorization
Authorization: Verifying the principal against the identity
Identity: Objects that are authorized and require authentication to access resources
Authentication: Checking if the identity is allowed or denied access to a resource

Answer 100

A

Represents all IPs

- Usually used for the default IPv4 route

Answer 101

A

S3 handles encryption and decryption
KMS handles keys
S3 admin can’t by default access objects; needs KMS - CMK permissions too

Answer 102

A

IAM role
Instance profile
STS temp credentials available from metadata
http://169.254.169.254/latest/meta-data/

Answer 103

A

MASTER ACCOUNT
MEMBER ACCOUNTS
Consolidated billing
Account restrictions

Answer 104

A

Data points: CPU usage at this time
Metrics: Data points (CPU) over time
Alarm: If metric = this, more than this, less than this -> ALARM
Alarm state = OK, ALARM, INSUFFICIENT DATA
Alarm can notify (SNS) take action ASG/EC2

Answer 105

A

Publisher/subscriber
Messages 256 K -> Topics
Topics send all to subscribers
Can have filters for subscribers
Subscribers can be email, Lambda, queues, mobile push, HTTPS

Answer 106

A

Elastic Beanstalk

Answer 107

A

SCALE-UP
SCALE-DOWN
Increasing or decreasing the size of a compute resource

Answer 108

A

Captures account events (APIs/logins)
Management events
Optionally data events (S3 and Lambda)

Answer 109

A

It is a JSON document that defines whether requests are allowed or denied. On its own, it does nothing. Needs to be associated.

Answer 110

A

Moves between Standard and IA
No movement fee
No retrieval fee
Just an object-based admin fee
Use for uncertain access patterns

Answer 111

A

Used for IPv6 to allow outgoing only
IPv6 are all public IPs
An internet gateway allows incoming and outgoing for IPv6
Otherwise the same

Answer 112

A

A public key can be used to encrypt data that only a corresponding private key can decrypt.

A private key can sign data that can be confirmed as valid using a public key.

Answer 113

A

Virtual Tape Library
Presents via iSCSI
Virtual Tape Drive / Library -> S3
Virtual Tape Shelf -> Glacier
Migrate backups to AWS or reduce backup overhead.

Answer 114

A

Replicated in only one AZ, not three
Cheaper, better value
Less important data or reproducible

Answer 115

A

Uploads from a local endpoint through to the bucket
Uses AWS global network
Speed improvements

Answer 116

A

Column based
Not for transactions
For reporting
Petabyte
Can be copied and have snapshots taken

Answer 117

A

Network address translation
Allowing multiple private IPs to access the internet in an outgoing way via one public IP
It’s what your home internet router does

Answer 118

A

Created with table
Share RCU and WCU with table
Alternative SK; must already have an SK on table

Answer 119

A

Cluster
Partition
Spread

Answer 120

A

Physical
Data Link
Network
Transport
Session
Presentation
Application

Answer 121

A

Database as a Service (e.g., DynamoDB/RDS — RDS is between DBaaS and IaaS)
You purchase a “database” or “table.”

Answer 122

A

Username and password

- Access keys

Answer 123

A

Container/organizing users

Answer 124

A

Generates a URL for an object with security included
Can be used for reads and writes
The URL has the permissions of the person generating it
Can generate URLs for objects you can’t access

Answer 125

A

S3 is a flat file structure. It cannot contain folders. When you create a “folder” within S3, it is actually not a folder — it is an object.

Answer 126

A

Provide the performance of DDB
1,000 WCU
3,000 RCU
10 GB data

Answer 127

A

When you have a known event
Busy periods of the month/week
Busy times of the day
Non-busy times
Can pre-launch so things are ready before

Answer 128

A

IAM is a global service.

Answer 129

A

EBS: One EC2 instance
EFS: Many Linux instances
Storage Gateway: Edge case, iSCSI
Not S3

Answer 130

A

Origin access identity
Virtual identity that can be associated with a CloudFront distribution and then used to restrict a bucket to that distribution

Answer 131

A

One partition key (PK)
And optionally one sort key (SK)
Up to 400 KB of data per ITEM
Attribute length + attribute names + keys

Answer 132

A

Endpoint
Status of other health checks
State of CloudWatch alarms

Answer 133

A

PUBLISHER -> SNS -> QUEUE1/2/3 … SUBSCRIBERS
Message duplication
Parallel processing
Different bit rates

Answer 134

A

Database Migration Service
Replication instance
Source -> target
Allows gradual migration; no admin overhead
Schema Conversion Tool (SCT)

Answer 135

A

Inline: User or groups they are a member of

- Managed: Associated with user or groups they are a member of

Answer 136

A

Normally username, password, and optionally MFA

Answer 137

A

SR-IOV
Lower CPU usage for higher speeds
Higher speeds
Lower, more consistent latency
Less jitter (latency variance)

Answer 138

A

Move objects between tiers
Remove objects after a period
Works with versioning

Answer 139

A

The ability of a system to dynamically scale up or down to manage the increase or decrease in demand

Answer 140

A

EC2 occupies one subnet, one AZ, uses EBS, one AZ. If the AZ fails, the instance fails.

Answer 141

A

The default storage tier

- High availability, high durability

Answer 142

A

Created at any time
Own RCU and WCU
Alternative PK and SK
Data is replicated from table; always eventually consistent

Answer 143

A

VPC has a CIDR
Subnets have a range
In every subnet
Normally .0 (or whatever the network IP is) is reserved
Network+1 is the VPC router in each subnet
Network+2 is the DNS in the subnet
Network+3 is reserved
Broadcast (subnet last IP) is reserved

Answer 144

A

Snowball Edge: 10 TB -> 10 PB

- Snowmobile: Single location, 10 PB+, max 100 PB

Answer 145

A

Assuming a role in another AWS account via the console UI — you become the role in the other account and have its permissions via the console

Answer 146

A

Short term
Unknown usage
Can’t tolerate interruption
Bridge the gap between reserved and spot

Answer 147

A

Container
Runs on top of a base OS and Docker host
Lightweight
Contains only the differences made from the base image, apps, dependencies, etc.

Answer 148

A

Security group associated with the instance

- NACL on the subnets

Answer 149

A

An appliance that can filter incoming or outgoing IP traffic
Allowing it, blocking it
NACLs and security groups are similar to firewalls

Answer 150

A

Real-time streaming (IoT/sensor)
Stores 24 hours of rolling data; can be seven days
Shards allow scaling
1 shard = 1,000 records/s, 1 MB in, 2 MB out

Answer 151

A

Generated by STS
Time limited
IAM role

Answer 152

A

AWS-allocated IPv6 range
Allocate subsets to subnets
Configure instance/other service to use
Needs IPv6 routes
IGW or egress-only internet gateway

Answer 153

A

Function as a Service
Runtime up to 15 minutes
Pay only for time running
Execution role (IAM role) provides permissions
Can be invoked by CloudWatch Events, S3, SNS, and much more
Can integrate with ALB/API Gateway
Public or private (VPC)

Answer 154

A

API hosting endpoints as a service
HA/scalable
Can invoke Lambda, and store directly into DDB
Public service
Avoids the need to self-host APIs

Answer 155

A

Key Management Service
Manages CMKs (customer master keys)
Encrypt and decrypt

Answer 156

A

The IAM role a Lambda function assumes when it invokes

Answer 157

A

NAT as a service
Occupies a public subnet, uses an Elastic IP, needs an IGW
Not HA — you need one per AZ for true HA
Private subnets need default route pointing at NATGW

Answer 158

A

Using multiple keys to encrypt
Data -> Key A -> Encrypted Data
Encrypted Data -> Key B -> Encrypted Encrypted Data

Answer 159

A

Quick way of doing HA
Min 1, Max 1, Desired 1
Failed instances are instantly rebuilt
Good for smaller sites

Answer 160

A

Identity and Access Management
Trusted by the account
IAM can create and trust identities

Answer 161

A

100 buckets per account
No limit on number of objects
Objects = 0 bytes to 5 TB per object
GLOBALLY UNIQUE BUCKET NAME

Answer 162

A

Unique identifier for any AWS thing

- arn:::::

Answer 163

A

Contains the WHAT
What you want to launch (AMI, keys, size, config)
Used by ASGs

Answer 164

A

Data archiving
Not immediate access; retrieval time takes
minutes to hours

Answer 165

A

Highly available IPSec VPN
VGW (one per VPC) -> Customer Gateway (CGW) via one VPN connection (two tunnels)
HA = two CGWs and two VPNs

Answer 166

A

http://169.254.169.254/latest/meta-data/

Answer 167

A

Default to apply if object PUT doesn’t specify anything

- Can be overridden

Answer 168

A

Elastic network interface
VPC network interface
SGs are attached to ENIs, not instances
Instance has a default ENI
Can have others — each with its own set of SGs
ENIs have private IPs

Answer 169

A

Attaching policies to groups is, in effect, attaching the policy to the users who are members of the group.

Answer 170

A

Up to 35 days automatic backup
Manual snapshots (last until deleted)
Point in time

Answer 171

A

Decoupling

- Scaling working group (using ASG + CW + SQS)

Answer 172

A

Serverless transcoding of media
SRC -> DESTINATION
Can be manual; can be automatic using S3 events + Lambda

Answer 173

A

SCALE-OUT
SCALE-IN
Adding or removing compute resources

Answer 174

A

Stateless: All traffic consists of initiating and return
Accessing EC2 on port 80 incoming = return traffic on a high random port outgoing
NACL needs two rules (in and out) for everything
NACL can explicitly DENY
NACLs apply to subnets; only affect traffic crossing subnet
Cannot reference logical objects
Cannot apply to instances

Answer 175

A

EC2 if heavy CPU and constant need
Lambda for event-based, less than 15 minutes, serverless
Step Functions for longer multi-Lambda flows

Answer 176

A

Equal to max IAM users in an account

Answer 177

A

Designed for less frequently accessed data — same levels of durability and availability. Retrieval fee.
Important data but not commonly accessed

Answer 178

A

Global DNS service
Public and private (inside one or more VPCs)
Globally resilient

Answer 179

A

Network file system (Elastic File System)
Uses S3 — Standard and IA
Accessible from Linux EC2 or Linux on-prem
Can be mounted as a file system; good for shared storage
Not public

Answer 180

A

Data is encrypted before being written to disk and decrypted when read from disk.

Answer 181

A

When you have a “web scale”/”mobile app”
More than 5,000 users or don’t want to make IAM users
Or users have their own IDs (Twitter/FB/Amazon/Google)
Swap ID token for temp credentials via STS AssumeRoleWithWebIdentity

Answer 182

A

EBS volume = one AZ
AZ fails, EBS volume fails
EBS volume attached to instances in the same AZ only
Snapshots to S3

Answer 183

A

Too many users for 5,000 IAM limit

- Same reason you want to use external identities (admin overhead, efficiency, minimize duplication)

Answer 184

A

Accepts a connection (e.g., HTTP)
Makes a connection on your behalf and passes the response to you
Corporate web caches are a proxy server
Can filter based on DNS name

Answer 185

A

Trusting another IdP to verify someone is who they say they are. Using that trusted identity to allow access to your systems via an ID swap.
SAML 2.0
Web identity

Answer 186

A

64,000 for a volume and 80,000 for an instance

Answer 187

A

Record weight / total weight = chance of being used
Allows gradual migration
Allows distribution
A/B testing

Answer 188

A

Security Token Service: It is responsible for creating short-term access keys that can be used by principals who have assumed a role to access the resources that the role has permissions for.

Answer 189

A

IAM role + instance profile allows an instance to assume a role and STS temp credentials to be available in the metadata

Answer 190

A

Subnet belongs to a VPC and an AZ
Subnet has a range of IPs inside the range of the VPC
Subnet ranges cannot overlap in the VPC or be outside of the VPC range
Can have IPv4 or IPv6

Answer 191

A

The object versions are not actually deleted; S3 adds a marker to indicate the object was deleted.

Answer 192

A

Availability Zones provide isolated infrastructure and services that allow for building highly available, fault-tolerant solutions within the same region.

Answer 193

A

Memory utilization
Process memory utilization
Process CPU utilization

Answer 194

A

No… 1 physical connection

HA = 2 Direct Connects or 1 Direct Connect and 1+ VPN

Answer 195

A

MASTER ACCOUNT gets billing for all member accounts. Volume discounts and reservations are pooled.

Answer 196

A

Reserved (with capacity reservation)
On-demand
Spot

Answer 197

A

Virtual machine running on an EC2 host
Allocation of vCPU and vMem
Attached network (ENI)
Attached storage (EBS)

Answer 198

A

Links two VPCs with a private, software-based, HA connection
Is not transitive routing
VPC 1VPC 2VPC 3 does not mean 1 and 3 can connect.
Routes need adding (peer is a gateway object)
Can secure using SG and NACL

Answer 199

A

1:1 relationship between IGW and VPC
IGW is normally the default route for IPv4 and IPv6
Converts between private IP and public IP
Allows public instances to access the internet

Answer 200

A

A system designed to work through failure without any user impact. ASG + LB and external session state.

Answer 201

A

A private network

- Isolated from other VPCs in your account in your region. Highly available, assuming you make subnets in multiple AZs.

Answer 202

A

At least once delivery
Best effort ordering
Scale to nearly infinite levels

Answer 203

A

The same key is used to encrypt and decrypt.

- Fast, but you need to worry about how to get the key to the other party.

Answer 204

A

Data is encrypted before being sent to a server or sent from a server

Answer 205

A

Architecture where you manage little to no constantly running compute
Function as a service (FaaS), event-driven and third-party services are used to build a service

Answer 206

A

Takes an event source
Delivers to a target
Event-driven actions

Answer 207

A

Almost always cheaper
Multiple SSL per ALB
Content rules (DNS name/path)
More services as targets (Lambda, containers, etc.)

Answer 208

A

Auto Scaling groups
Support elasticity
Use the what from templates/configs
Control the where/how
Min/Max/Desired/Subnets
Scaling policies: Simple/stepped/target tracking/scheduled

Answer 209

A

Enhancement of RDS MySQL/PostgreSQL
Cluster shared storage (no need to allocate upfront)
Replica (writer/reader) in as many AZs as you need
Reader = scaled reads
Much faster, all SSD vs. RDS

Answer 210

A

Customer Managed Key: Rotation and key policy
AWS Managed Key: Service default
AWS Owned Key: Not visible, cross-client functions

Answer 211

A

Function as a Service (e.g., Lambda)

- You provide a function; the vendor provides a runtime environment and everything else. Huge scalability, low cost.

Answer 212

A

Stateful (one rule, allows return traffic)
Applied to ENIs (and thus instances)
Can’t explicitly DENY, only ALLOW
Default is to DENY
Can reference other SG, other objects, themselves, and IP/CIDR

Answer 213

A

MySQL/PostgreSQL/MariaDB/Oracle/MSSQL
HA: Single-AZ or Multi-AZ — standby not usable
Read replicas can scale reads
Not cluster-based; each instance has own storage

Answer 214

A

1 operation of 4 KB max p/s strongly consistent

- 2 x eventual consistent

Answer 215

A

Principal: The entity (or type of entities) that can assume the role
Effect: Allow or Deny
Action: STS:AssumeRole

Answer 216

A

Known usage patterns
Constant CPU
Unchanging
One to three years
Cost-conscious
Want to reserve capacity

Answer 217

A

Explicit Deny
Explicit Allow
Implicit Deny (Default)

Answer 218

A

VPN: Quick to set up, cheap, can be moved, supports cheaper non-BGP consumer hardware, uses internet data
Direct Connect: Longer to set up, lower latency, better consistency of latency, better performance

Answer 219

A

Identity
Can have policies
Can be in groups
Can be referenced via ARN
U & P, access keys
Can have MFA
NO TEMP CREDENTIALS

Answer 220

A

S3 handles encryption and decryption

- Customer supplies keys and plaintext data

Answer 221

A

Software as a Service (e.g., Netflix, O365, Spotify)

- An application, end to end, is provided.

Answer 222

A

EC2 hosts that are dedicated to you
Useful for restrictive licensing
Or security concerns/restrictions

Answer 223

A

Dedicated network path for storage
Independent of data networking
High speeds, less contention

Answer 224

A

HA: Allows systems to recover quickly after failures

- FT: Allows systems to operate through a failure with no user impact

Answer 225

A

A system that can automatically and quickly recover from failure; designed to maximize availability.
ASG + LB

Answer 226

A

Serverless relational DB
Uses Aurora Capacity Units (ACUs)
Can scale all the way to zero, and spin up when data access needed (10–20 seconds)
Very good option for variable load relational DB

Answer 227

A

At the AWS side, assuming two tunnels. Not at the customer side (one CGW).
Two VPN connections and two CGWs required for HA

Answer 228

A

Bootstrap: More customizable
AMI bake: Faster and immutable
If software takes 20 mins, and you need new instances up quicker, then AMI bake.
Can do a mixture

Answer 229

A

When you want the cheapest EC2 compute
When you can tolerate failure/restarts/interruptions
Great for ad-hoc scaling, worker pools, analysis with EMR

Answer 230

A

= 1 operation of 1 KB max per second

Answer 231

A

Access keys

- Not username and password

Answer 232

A

A route says, “for traffic to this destination, send it here”
A route table is a group of routes
Traffic matches a route
For multiple matches, the higher the prefix (/XX), the more priority the match
If equal prefix, static routes are preferred, then dynamically learned
Direct Connect is preferred over dynamic VPN

Answer 233

A

In-memory cache for DynamoDB reads
Microsecond response
Specifically designed for DDB

Answer 234

A

Operational excellence
Security
Reliability
Performance efficiency
Cost optimization

Answer 235

A

On-Demand: Per operation charge

- Provisioned: Charge per WCU and RCU

Answer 236

A

Governs memory, CPU, and general speed
nano
micro
small
medium
So on…

Answer 237

A

Default configuration

- 90-day history

Answer 238

A

On-Demand: Default, per second
Spot: Using AWS spare capacity, can be interrupted, ~80% discounts
Reserved: Pay upfront for discounted rate, good for known usage

Answer 239

A

Allows storage migration
Allows storage extension
Uses S3 as backing store
Public service: Public internet connection or DX public VIF
Tape gateway (VTL), file gateway, volume gateway

Answer 240

A

Identities: Human, application, service

Answer 241

A

Used for S3 and DynamoDB
Access to public endpoints for those services without IGW or NATGW
Uses prefix lists with the target of the endpoint
No DNS used

Answer 242

A

Monitoring and metrics for AWS services

- Custom things with agent, including on-premises

Answer 243

A

Storage Gateway
Shares via SMB (Windows sharing)
Files are stored as S3 objects
Capacity extension or back up to S3

Answer 244

A

Cold archive

- Hours retrieval time

Answer 245

A

Provide secure access to public services in a VPC
without needing IGW or NATGW
Used to highly secure private VPCs

Answer 246

A

EC2 instance configured to perform NAT

- SRC/DST Check = off

Answer 247

A

In-memory cache; key-value and simple data types
MemcacheD (simple, fast)
Redis (more fully featured, complex)

Answer 248

A

New features (e.g., T3 unlimited, elastic GPU)
Versions
Inheritance
Can be used to manually launch instances

Brainscape's Knowledge GenomeTM

SAA Flashcards

Brainscape's Knowledge Genome^TM