Solution Arch - Associate Prep Flashcards

1
Q

AWS Shield

A

Distributed Denial of Service (DDoS) protection service

2
Q

AWS Global Accelerator

A

Networking service. Sends your users’ traffic through Amazon Web Services’ global network infrastructure

3
Q

Amazon SNS

A

Simple Notification Service

4
Q

AWS Storage Gateway

A

On-premises access to cloud storage. File Gateway includes Server Message Block (SMB) and Network File Share (NFS) interfaces to S3

5
Q

AWS Private Link

A

Connect AWS services directly to each other without accessing the public internet. Gateway endpoints for S3, Dynamo DB. Interface endpoints for …

6
Q

How many 9’s of durability does S3 provide?

A

11 9’s of durability

7
Q

How can I encrypt an unencrypted Elastic Block Storage (EBS) volume?

A
  1. Take a snapshot of the unencrypted volume you want to encrypt
  2. Create a copy of the snapshot
  3. Adjust the encryption options during the copy of the snapshot
  4. Create a volume from the snapshot (encryption can also be enabled here instead of during the snapshot copy)
8
Q

How can I move an Elastic Block Storage (EBS) volume from one availability zone (AZ) to another?

A
  1. Take a snapshot of the volume
  2. Create an Azure Machine Image (AMI) from the snapshot
  3. Launch a new EC2 instance in the desired AZ
9
Q

How can I move an Elastic Block Storage (EBS) volume from one region to another?

A
  1. Take a snapshot of the volume
  2. Create an Azure Machine Image (AMI) from the snapshot
  3. Copy the AMI to another region
  4. Launch a new EC2 instance from the copied AMI
10
Q

ECS

A

Elastic Container Service

11
Q

Ephemeral

A

Lasting for a very short time

12
Q

EC2 Status

A

NA

13
Q

What is the difference between a NAT gateway and a NAT instance?

A

A NAT gateway is a managed service that launches redundantly within an AZ. You can only have 1 NAT gateway inside 1 availability zone

NAT instances are individual EC2 instances launched from community AMIs; they run on an EC2 instance that you must manage yourself

14
Q

DNS (Route 53) record types

A

Address Records (A Records) - An A record converts the name of a domain directly into an IP address.

Canonical Name Records (CNAME Records) - Resolve one domain name to another. Example: Chris.com to www.Chris.com

15
Q

Is encryption on all EBS volume types supported?

A

All EBS volume types support encryption. Not all EC2 instance types support encryption

16
Q

What are the differences between ElastiCache Memcached and ElastiCache Redis (with and without cluster mode enabled)?

A

See image

17
Q

Is data between an instance and an encrypted volume also encrypted?

A

Yes, it is

18
Q

What is AWS SAM (Serverless Application Model)?

A

SAM is an extension of AWS CloudFormation. It is used to package, test and deploy serverless applications

19
Q

What is Network Address Translation (NAT), and when would you use it?

A

If you have a private network that needs outbound access to the internet, you would use a NAT gateway to remap the private IP addresses. For this use the NAT would need to be launched in a public subnet.

If you have two networks with conflicting network addresses, you can use a NAT to make the addresses more agreeable.

20
Q

What are the RDS engine types offered as part of Amazon RDS?

A
  1. Amazon Aurora
  2. MySQL
  3. MariaDB
  4. PostgreSQL
  5. Oracle
  6. Microsoft SQL Server
21
Q

Do all RDS engine types support encryption?

A

Yes. Encryption at rest can be turned on for all RDS engines. Encryption is handled using AWS KMS. Turning on encryption will also encrypt automated backups, snapshots and read replicas.

22
Q

What backup options are available for RDS?

A
  • Automated backups and manual snapshots.
  • For automated backups you choose a retention period between 1 and 35 days. Transaction logs are stored in S3
  • Manual snapshots are taken manually by a user
23
Q

When you restore an RDS backup, will it overwrite the existing database?

A

No. Restoring to a point in time never restores over the top of an existing database. When you restore to a new RDS instance it will be created with a new DNS endpoint.

24
Q

Explain the architecture of a Multi-AZ deployment for RDS

A
  • RDS makes an exact copy of the database in another AZ
  • Data is automatically and synchronously replicated to the database in the other AZ
  • If the AZ of the primary goes down, failover will occur (automatic failover protection). The standby slave database will be promoted to the master.
25
Q

What is a launch configuration?

A

Launch configurations are used with auto scaling groups

26
Q

What is an EC2 launch template?

A
  • Allows you to launch an EC2 instance from a template. You can create launch templates from the EC2 section of the AWS console.
  • Launch templates are version controlled. If you make changes, a new version is created.
27
Q

What is Data Lifecycle Manager (DLM)?

A
  • An EC2 feature to manage the creation and deletion of EBS snapshots
  • Policies can be set for a specific EBS volume or EC2 instance (all volumes attached to the instance) or for all volumes or instances with a specific tag(s)
28
Q

Where are EBS snapshots stored?

A

They are stored in S3. However, they are not accessible via S3 to a user, i.e. via the normal methods of accessing S3 …

29
Q

What is the max IOPS of general purpose SSD?

A

16,000. General purpose SSD provides 3 IOPS per GB, up to 16,000 IOPS. Volume size ranges from 1 GB to 16 TB

30
Q

What is the max IOPS of provisioned IOPS SSD?

A

64,000. Provisioned IOPS SSD can provide up to 50 IOPS per GB, up to 64,000 IOPS. Volume size ranges from 4 GB to 16 TB

31
Q

What are the differences between a Simple Queue Service (SQS) standard and FIFO queue?

A

FIFO - First in, first out. Maintains order, exactly-once processing, up to 3000 messages per second. Use when order is critical and duplicates can’t be tolerated.

Standard - At-least-once delivery, best-effort ordering. Supports a nearly unlimited number of messages. Occasionally more than one copy of a message is delivered. A common example is letting users upload media for resizing …

32
Q

How many EC2 instances can an EBS volume be attached to at once?

A

1

33
Q

Can you attach an EBS volume to an EC2 instance in a different AZ?

A

No

34
Q

What may be a good way, from an IAM perspective, to control access to Development, Test and Production resources?

A

Tag the resources as development, test or production. Create an IAM policy that grants access based on the tags

35
Q

Can you attach the same EFS to multiple EC2 instances?

A

Yes, given they are in the same VPC. Which AZ they are in does not matter.

36
Q

What protocol does EFS use?

A

NFSv4.1

37
Q

How does EFS allow for connection from EC2 instances in different AZs?

A

EFS creates multiple mount targets, 1 in each subnet in your VPC

38
Q

What is Dynamo DB Accelerator (DAX)?

A

Fully managed, highly available in-memory cache for Dynamo DB

39
Q

For S3, what is the difference between bucket policies and access control lists (ACLs)?

A

ACLs are legacy and provide simpler controls. Bucket Policies allow for complex rules and are the preferred method

40
Q

You have an S3 bucket with folders. Under a folder you have sub-folders, 1 per username. How can you control access so users can only work with the folder created for them?

A
  1. Create an IAM policy that applies folder-level permissions. In the IAM policy you will have to use the ${aws:username} variable.
  2. Attach the policy to an AWS user or group
41
Q

Which CIDR block size only has a single IP address?

A

/32

42
Q

Which CIDR block is equivalent to all of the internet?

A

0.0.0.0/0

43
Q

What is a Virtual Private Gateway (VPG)?

A

To create a site-to-site VPN (a common example being on premises to an AWS VPC), a customer gateway and a target gateway are required. A VPG functions as the target gateway associated with a VPC

44
Q

What are the types of EC2 placement groups?

A

Clustered - packs instances close to each other inside an availability zone. Minimizes latency, which is often required by HPC. For HPC, enabling enhanced networking or an Elastic Fabric Adapter in the configuration is also recommended

Partition - spreads instances across different partitions. Each partition is isolated from the others (different racks). Common for Hadoop, Cassandra, Kafka

Spread - strictly places a group of instances across distinct underlying hardware to reduce correlated failures. Up to 7 instances per AZ per group

45
Q

What is enhanced networking?

A

It is a feature of EC2 instances. It can be enabled to provide higher bandwidth, higher packet-per-second (PPS) performance and lower inter-instance latencies

46
Q

What is AWS DataSync?

A

Uploads data to AWS (S3, FSx for Windows File Server, EFS) via an on-premises agent. Upload tasks can be scheduled.

47
Q

What is an EC2 auto scaling cooldown?

A

A scaling cooldown helps prevent an auto scaling group from launching or terminating additional instances before the effects of a previous activity are visible

48
Q

When an auto scaling group adds a new instance, is it preferred for the new instance to be created from an EC2 launch template or a launch configuration?

A

Launch template. Launch templates have versioning. Also the latest features of auto scaling groups support launch templates.

From the doc “If you plan to continue to use launch configurations with Amazon EC2 Auto Scaling, be aware that not all Auto Scaling group features are available”

49
Q

What is an EC2 auto scaling cooldown?

A

A scaling cooldown helps prevent an auto scaling group from launching or terminating additional instances before the effects of a previous activity are visible. It temporarily suspends scaling activity. The default cooldown period is 300 seconds (5 min)

50
Q

What are the retrieval options and duration for S3 Glacier?

A

Expedited (usually 1 - 5 min), Standard (usually 3 - 5 hours), Bulk (5 - 12 hours)

51
Q

What are the retrieval options and duration for S3 Glacier Deep Archive?

A

Generally data can be restored in 12 hours or less; with bulk retrieval it can take 48 hours

52
Q

What is the minimum storage duration for S3 Glacier Deep Archive?

A

180 days

53
Q

What is the difference between an IAM policy and an SCP?

A

SCP is a service control policy. IAM policies allow or deny access to AWS services or API actions. They can be applied to IAM identities (users, groups, roles). To allow or deny access to AWS services for organizational units (including the root user), or more broadly, SCPs can be used.

Use SCPs to apply allows / denies more broadly, for example to an organizational unit.

54
Q

What is AWS Inspector?

A

Automated security assessment service. AWS Inspector is used to automate security assessments, not to secure the deployment … of applications.

55
Q

What origin options are there for CloudFront?

A

S3OriginConfig - S3 bucket (not configured for static web hosting)

CustomOriginConfig - S3 bucket configured for static web hosting, Elastic Load Balancing load balancer, AWS Elemental MediaPackage endpoint or container, HTTP server running on an EC2 instance or another kind of host

56
Q

What is an Elastic Fabric Adapter?

A

An Elastic Fabric Adapter (EFA) is an Elastic Network Adapter (ENA) with additional capacity

57
Q

In the OSI model, what is layer 7?

A

Layer 7 is the application layer

58
Q

In the OSI model, what is layer 4?

A

Layer 4 is the transport layer

59
Q

What is the visibility timeout for SQS?

A

The visibility timeout is the amount of time a message is invisible in the queue after a reader picks up the message. This means that messages are not deleted as soon as they are picked up … instead they become invisible for a specified period of time.

If a job processes the message during the visibility timeout, it will be deleted. If the message is not processed within the visibility timeout, it will become visible again. This could result in the message being delivered twice.

The maximum visibility timeout is 12 hours. The default is 30 seconds

60
Q

What is the default state of a custom security group that is created in an Amazon VPC?

A
  • Remember security groups don’t have deny rules; this is a question of which allow rules are present or not *
  • Inbound rule(s) - NO INBOUND RULES. Traffic will be implicitly denied
  • Outbound rule(s) - A RULE that allows all traffic to all IP addresses
61
Q

What is the state of the default security group that is created in an Amazon VPC?

A
  • Inbound rule(s) - A RULE that allows traffic from within the group
  • Outbound rule(s) - A RULE that allows all traffic to all IP addresses
62
Q

What default permissions are provided to a newly created IAM user?

A

None. IAM users start with no permissions

63
Q

What can you associate an AWS Direct Connect Gateway with?

A
  • A virtual private gateway
  • A transit gateway (if you have multiple VPCs in the same region)