Solutions Architect Flashcards

Question 1

Q

IAM users

Answer

A

identity used for anything requiring long-term aws access

Question 2

Q

Principal

Answer

A

Person or Application that interacts with an IAM through a Request

Question 3

Q

ARNs(Amazon resource name)

Answer

A

Uniquely identify resources within any AWS accounts

Question 4

Q

IAM user account limits

Answer

A

5,000 users per account

Question 5

Q

IAM member limits

Answer

A

Up to 10 groups

Question 6

Q

IAM groups

Answer

A

containers for users

Question 7

Q

Groups are not what?

Answer

A

True identities

Can’t be referenced as principal in policy

Question 8

Q

IAM user

Answer

A

Single principal

Question 9

Q

IAM role

Answer

A

multiple users. represents a level of access

Question 10

Q

sts:AssumeRole

Answer

A

IAM Role is involved

Question 11

Q

Function as a service product

Answer

A

AWS Lambda

Question 12

Q

Lambda execution role

Answer

A

Lambda service that trusts AWS Lambda

-assumes the sts:AssumeRole and gets tokens for CloudWatch and S3

Question 13

Q

Break Glass For Key

Answer

A

Emergency Role situation in AWS

Question 14

Q

Single Sign-on or > 5000 identities

Answer

A

On-premise:

Existing Identities, Active Directory

Off-premise:

external accounts can’t be used directly w/S3

Question 15

Q

ID Federation

Answer

A

Having a small number of roles to manage and external identities can use these roles to access the AWS resources

Question 16

Q

Web Identity Federation

Answer

A

Needing millions of users to be authenticated into DynamoDB

Question 17

Q

Web Identities

Answer

A

No was credentials on the app

Uses existing customer logins

Scales to 100,000,000’s of accounts

Question 18

Q

Cross-Account Access

Answer

A

Allows an IAM user in one account access resources in another account

i.e.: 1,000’s identities to assume role to get to S3 bucket

Question 19

Q

AWS Organization

Answer

A

Management Account

Question 20

Q

SCPs

Answer

A

Service Control Policies:

They don’t give permissions, are boundaries
Control what an account CAN/CANNOT do via identity policies
Appliable to organizations, OU’s, or individual
Members can be effect, Management accounts can’t

Question 21

Q

What two policies are assigned to an IAM Role?

Answer

A

Permissions, Trust

Question 22

Q

Within AWS policies, what is always priority?

Answer

A

Explicit Deny

Question 23

Q

Which are features of IAM groups?

Answer

A

Admin groupings of IAM users, Can hold identity permissions

Question 24

Q

Which are true for IAM roles?

Answer

A

Roles can be assumed, When assumed - temporary credentials are generated

Question 25

Q

What 3 features are provided by AWS organizations?

Answer

A

Consolidated billing

AWS account restrictions using SCP

Account organizations via OU’s

Question 26

Q

What is CloudTrails functionality?

Answer

A

Account wide auditing and API logging

Question 27

Q

Is it possible to restrict what account root user can do?

Answer

A

If AWS organizations are used.. but not the management account

Question 28

Q

Role switching

Answer

A

Assuming role in another AWS account to access the account via console UI

Question 29

Q

Valid IAM policy types

Question 30

Q

S3

Answer

A

Private by DEFAULT

Question 31

Q

S3 Bucket policies

Answer

A

form of resource policy
like identity policies, but attached to bucket
resource perspective permissions
ALLOW/DENY same or diff accounts
ALLOW/DENY anonymous principles

Question 32

Q

Access Control Lists(ACLs)

Answer

A

In objects and buckets
subresource
legacy
inflexible and simple permissions

Question 33

Q

Identity

Answer

A

Controlling different resources
You have preference for IAM
Same account

Question 34

Q

Bucket

Answer

A

Just controlling S3
Anonymous OR Cross-Account

Question 35

Q

ACLs

Answer

A

NEVER, unless you MUST

Question 36

Q

Normal access for Static Website Hosting

Answer

A

via AWS APIs

Question 37

Q

Static Website Hosting allows access via

Answer

A

HTTP; blogs

Question 38

Q

Documents in Static Website Hosting

Answer

A

Index and Error documents are set

Question 39

Q

Website endpoints created in

Answer

A

Static Web Hosting

Question 40

Q

Bucketname Matters

Answer

A

Custom Domain via R53 MUST match

Question 41

Q

S3 offloading hosting

Answer

A

Take all media to static hosting in S3

Question 42

Q

S3 out-of-band page hosting

Answer

A

Can be accessed via cellular network

-can be used as a backup page in case a web app is down

Question 43

Q

” * “

Answer

A

Applies to all policies within “Principal”

Question 44

Q

Object versioning

Answer

A

Default is Disabled

Once enabled, cannot be Disabled, but can be suspended

Question 45

Q

id = null

Answer

A

Once changed, version id will be updated.

Question 46

Q

Delete Marker

Answer

A

Hides past versions of an object

Question 47

Q

MFA Delete

Answer

A

Enabled in versioning configuration

MFA required to change bucket versioning state

Required to delete versions

Serial number (mfa) + code passed w/API calls

Question 48

Q

Single PUT Upload

Answer

A

Single data streeam to S3

If stream fails, upload fails, and requires full restart

Speed & reliability = limit of 1 stream

Question 49

Q

Multipart Upload

Answer

A

Data is broken up

Min data size = 100MB for multipart

10,000 max parts, 5mb -> 5gb

Last part can be smaller than 5mb

Parts can fail and be restarted

Transfer rate = speeds of all parts

Question 50

Q

S3 Transfer Acceleration

Answer

A

When Edge Locations support S3 buckets in remote regions

Question 51

Q

Encryption at rest

Answer

A

To deter from physical tampering

e.g; password. ‘a very expensive paperweight’

Question 52

Q

Encryption in transit

Answer

A

Data is encrypted before leaving laptop and upon arrival

Question 53

Q

Ciphertext

Answer

A

encrypted data

Question 54

Q

KMS

Answer

A

Keys never leave KMS - Provides FIPS 140-2 (L2)

Regional & Public Service; separate product in each region

Create, store, manage cryptographic keys

Symmetric & Asymmetric keys

Cryptographic operations

Backing Key ( and previous backing keys)
Aliases

Question 55

Q

CMK

Answer

A

Customer Master Key managed by KMS

Logical - ID, date, policy, desc & state

Backed by physical key material; generated or imported

Up to 4kb of data

Isolated to a region & never leave

Support rotation

Question 56

Q

DEKs (Data Encryption Key)

Answer

A

GenerateDataKey through KMS, works on > 4kb

KMS does not store the DEK beyond generating them

Plaintext version
Ciphertext version
Discard
Store encrypted key w/data

Question 57

Q

Key Policies

Answer

A

Key policies ( resource )

Every CMK has one

Key Policies + IAM policies

Question 58

Q

S3 encryption

Answer

A

Buckets aren’t encrypted, objects are

Client-side encryption

server-side encryption

Question 59

Q

SSE-C

Answer

A

Server side encryption with customer-provided keys

Question 60

Q

SSE-S3

Answer

A

Server side encryption with amazon S3-managed keys

AES256
Stored persistently, data is at rest

Question 61

Q

SSE-KMS

Answer

A

Server side encryption w/customer master keys (CMKs) stored in was key management service

Question 62

Q

Method: Client-Side

Answer

A

Key Management: YOU

Encryption Processing: YOU

Question 63

Q

Method: SSE-C

Answer

A

Key Management: YOU

Encryption Processing: YOU

Question 64

Q

Method: SSE-S3

Answer

A

Key Management: S3

Encryption Processing: S3

Answer 64

A

Key Management: S3 & KMS

Encryption Processing: S3

Extras: Rotation Control, Role Separation

Answer 65

A

Bucket header: x-amz-server-side-encryption

Answer 66

A

S3 storage class

Objects are replicated across 3+ AZs in the AWS region

AZ-A: 99.9% durability for 10mil objects, 1 object loss per 10k years

AZ-B: replication over 3 AZ’s & content-md5 checksums & cyclic redundancy checks (CRCs) used to detect & fix data corruption

Answer 67

A

Stored in HTTP/1.1 200 OK response by S3 API endpoint

Answer 68

A

Billed for data stored. No specific retrieval fee, no minimum duration, no minimum size

Answer 69

A

S3 storage class

Objects are replicated across 3+ AZs in the AWS region

AZ-A: 99.9% durability for 10mil objects, 1 object loss per 10k years

AZ-B: replication over 3 AZ’s & content-md5 checksums & cyclic redundancy checks (CRCs) used to detect & fix data corruption

Answer 70

A

per gig data retrieval fee, overall cost increases

Answer 71

A

should be used for long-lived data which is important or irreplaceable or data access is infrequent.

Do not: use for small files or temporary data, data that is constantly accessed,

Answer 72

A

Used for long-lived data (non-critical & replaceable) and where access is infrequent
Doesn’t provide multi-AZ resilience model of Standard or Standard-IA. 1 used w/in region
Min duration of 30 days
Min capacity of 128kb/object

Answer 73

A

Objects cannot be made publicily accessible, requires retrieval process

Data is retrieved to S3 standard-IA temporarily

Expedited(1-5 minutes)

Standard(3-5 hours)

bulk(5-12 hours)

First byte latency = minutes or hours

Answer 74

A

40kb min size

180 Day min Duration

Requires retrieval process

Restore time longer than Glacier

Standard(12 hours)

Bulk(up to 48 hours)

Answer 75

A

Tiers: Frequent Access, Infrequent Access, Archive, Deep Archive

(Monitoring & Automated Migration)

automatically moves objects not accessed for 30 days to low cost infrequent access tier, archive, deep archive
used for long-lived data, w/changing or unknown patterns
cost per 1k objects. frequent access tier costs same as S3 standard, infreqent same as Standard-IA.
Archive/Deep Archive comparable to glacier equivalents

Answer 76

A

Set of Rules

For Bucket or groups of objects

Transaction Actions & Expiration Actions

Answer 77

A

S3 Standard

> S3 STandard-IA
> S3 Intelligent Tiering
> S3 One Zone-IA
> S3 Glacier
> S3 Glacier Deep Archive

For exam: small object has to remain for min 30 days on S3 standard before to S3 Standard-IA or S3 One Zone-IA

Answer 78

A

Source bucket & desination bucket are different regions

Answer 79

A

Source bucket & destination bucket are same regions

Answer 80

A

All objects or subset
Storage class - default is to maintain
Ownership - default is that they will be owned by the source account
Replication Time control (RTC): SLA for buckets to be in sync

Answer 81

A

Replication is NOT retroactive & versioning needs to be ON
One-way replication from source -> destination
Unencrypted, SSE-S3 & SSE-KMS (w/extra config)
Source bucket owner needs permissions to objects
Won’t replicate system events, Glacier or Glacier Deep Archive
DELETES are NOT replicated (to prevent against malicious deletions)

Answer 82

A

SRR (log aggregation
SRR (PROD and TEST sync)
SRR (Resilience w/strict sovereignty)
CRR (Global resilience improvements)
CRR (latency reduction)

Answer 83

A

iamadmin -> 1. Generate presignedURL from Bucket, 2. Bucket sends presignedURL

GET & PUT operations
whoever uses presignedURL is using as if they were iamadmin

Answer 84

A

You can create URL for object you have NO ACCESS TO
When using URL, permissions match identity that generated it
Access denied could mean the generating id NEVER had access, or doesn’t know
Don’t generate w/a role, URL stops working when temporary credentials expire

Answer 85

A

can store objects (up to 5TB)
You often want to retrieve ENTIRE object
Retrieving 5TB, takes time, uses %TB
Filtering at client side doesn’t reduce this
Service lets you use SQL-like statements
to select part of object, pre-filtered by S3
CSV, JSON, Parquet, BZIP2 compression for CSV & JSON

Answer 86

A

Notification generated when events occur in bucket
can be delivered to SNS, SQS, & Lambda functions
Object created (Put, Post, Copy, CompleteMultiPartUpload)
Object delete (*, Delete, DeleteMarkerCreated)
Object restore (Post (Initiated), Completed)
Replication (OperationMissedThreshold, OperationReplicatedAfterThreshold,OperationNotTracked,OperationFailedReplication)

Answer 87

A

CREATE, DELETE, RESTORE, REPLICATE

Answer 88

A

Public Service - usable from AWS or on-premises
Store, Monitor, & access logging data
AWS Integrations - EC2 VPC flow logs, lambda, ClouTrail, R53, more
Can generate metric logs based on metric filter

Answer 89

A

Log events from the same source

-Log event format: YYYYMMDDHHMMSS message

Answer 90

A

Logs API calls & activities

Answer 91

A

Stored for 90 days by default

Answer 92

A

Enabled by default - no cost for 90 days

Answer 93

A

Create 1 or more trails

Answer 94

A

Management of Events & Data Events

Answer 95

A

Global Services - one region or all regions

Answer 96

A

Manage CloudTrail events through CloudWatch logs

Answer 97

A

Enabled by default, for 90 days, no s3
Trails are how you configure S3 & CWLogs
Management events only by default
IAM, STS, CloudFront => Global Service Events
NOT REAL TIME - there is a delay, ~15 minutes

Answer 98

A

Size of VPC
Are there Networks we can’t use…
Avoid ranges that other services use
VPC structure - tiers & resiliency zones

Answer 99

A

VPC minimum /28 (16 IP’s), maximum /16 (65456 IP’s)
Avoid common ranges - avoid future issues
Reserve 2+ networks per region being used per account

Answer 100

A

Regional service - all AZs in the region
Isolated network
Nothing IN or OUT w/out explicit configuration
Flexible configuration - simple or multi-tier
Hybrid networking - other cloud & on premises
Default or dedicated tenancy!

Answer 101

A

IPv4 cidr blocks & public ips
1 primary private ipv4 cidr block
min /28 (16 IP) max /16 (65,536 IPs)
Optional secondary ipv4 blocks
Optional single assigned ipv6 /56 cidr block

Answer 102

A

Provided by R53
VPC ‘Base IP + 2’ address
enableDnsHostnames - gives instances DNS names
enableDnsSupport - enables DNS resolution in VPC

Answer 103

A

AZ resilient
Subnetwork of a VPC - w/in a particular AZ
1 subnet => 1 AZ, 1 AZ => 0+ subnets (EXAM Q)
IPv4 CIDR is a subset of the VPC CIDR
Cannot overlap w/other subnets
Optional IPv6 CIDR (/64 subset of the /56 VPC - space for 256)
Subnets can communicate w/other subnets in the VPC

Answer 104

A

Reserved IP addresses (5 in total)
10.16.16.0/20(10.16.16.0 => 10.16.31.255)
Network address (10.16.16.0)
‘Network +1’ (10.16.16.1) - VPC Router
‘Network +2’ (10.16.16.2) - reserved (DNS*)
‘Network +3’ (10.16.16.3) - reserved future use
Broadcast address 10.16.31.255 (last IP in subnet)

Answer 105

A

A highly available router - every VPC has one
Every subnet ‘network +1’ address
Routes traffic between subnets
controlled by ‘route tables’ each subnet has one
VPC has Main route table - subnet default

Answer 106

A

Region resilient gateway attached to a VPC
1 VPC = 0 or 1 IGW, 1 IGW =0 or 1 VPC
Runs from w/in AWS public zone
Gateways traffic btw VPC & Internet or AWS public zone (S3…SQS…SNS…etc)
Managed - AWS handles performance

Answer 107

A

Create IGW
Attach IGW to VPC
Create custom RT
Associate RT
Default Routees => IGW
Subnet allocate IPv4

Answer 108

A

Never touches the actual servers inside the VPC

-IGW changes address of packet between instance and server

Answer 109

A

Bastion Host = Jumpbox
Instance in a public subnet
Incoming management connections arrive there
Access internal VPC resources
Often the only way IN to a VPC

Answer 110

A

Intelligent to identify REQUEST & RESPONSE components of connection being related

Answer 111

A

Doesn’t understand the ‘state’ of connections

-Remember the ‘response ephemeral ports’, not well known APP port

Answer 112

A

NACLs filter traffic crossing the subnet boundary INBOUND or OUTBOUND

Connections w/in a subnet aren’t impacted by NACLs
STATELESS; 1 x INBOUND & 1 x OUTBOUND

Answer 113

A

Can be created for a specific VPC & are initially associated w/NO SUBNETS; result -> ALL TRAFFIC IS DENIED
1 INBOUND rule: implicit(*) DENY
1 OUTBOUND rule: implicit(*) DENY

Answer 114

A

STATELESS: REQUEST & RESPONSE seen as different
Only impacts data crossing subnet boundary
NACLs can EXPLICITLY ALLOW & DENY
IPs/CIDR, Ports & Protocols - no logical resources
NACLs cannot be assigned to AWS resources - only subnets
Use w/Security Groups to add explicit DENY(Bad IPs/Nets)
Each subnet can have ONE NACL(Default or custom)
NACL can be associated w/MANY SUBNETS

Answer 115

A

STATEFUL - detect response traffic automatically
ALLOWED (IN/OUT) REQUEST = allowed response
NO EXPLICIT DENY……only ALLOW or implicit DENY
…..can’t block specific bad actors
Supports IP/CIDR & logical resources
Attached to ENI’s, not instances

Answer 116

A

“SG source” is same as “anything with the SG attached”
Using “self reference” means “anything with this SG attached”
Scales w/ ADDS & REMOVES from the SG

Answer 117

A

Set of processes - remapping SRC or DST IPs

IP masquerading - hiding CIDR blocks behind one IP
Public IPv4 addresses are running out
Gives Private CIDR range OUTGOING internet* access

Answer 118

A

(Not publicly routable) Route table => NATE Gateway => VPC router = Internet Gateway/ Public Internet

Answer 119

A

runs from public subnet
uses elastic IPs (static IPv4 public)
AZ resilient service (HA in that AZ)
For region resilience - NATGW in each AZ….
…RT in for each AZ w/NATGW as target
Managed, scales to 45 Gbps, $ duration & data volume

Answer 120

A

NAT isn’t required for IPv6
all IPv6 addresses in AWS are publicly routable
Internet Gateway works w/ALL IPv6 IPs directly
Exam Q: NAT Gateways DON’T WORK WITH IPV6
::/0 Route + IGW for bi-directional connectivity
::/0 + Egress-only internet gateway - outbound only

Answer 121

A

-Private Subnet (Internal Test) a. public part is added an ‘authorised key’ on SSH servers <=> Public Subnet (Bastion) a. no private key <=> Public Internet

Answer 122

A

-Private Subnet (Internal Test) a. private key remains on client at all times, authentication requests are forwarded <=> Public Subnet (Bastion) a. SSH client connects agent forwarding) <=> Public Internet a. ssh-agent service (ssh-add)

Answer 123

A

The Hypervisor has knowledge of the virtualization

Answer 124

A

Enhanced networking in EC2

Answer 125

A

Virtual Machines (OS + Resources)
Run on EC2 hosts
Shared Hosts or Dedicated Hosts
Hosts = 1 AZ -AZ fails, Host Fails, Instances fail

Answer 126

A

Look for availability zones in answer

Answer 127

A

Raw cpu, memory, local storage capacity & type
Resource ratios
storage & data network bandwidth
system architecture/vendor
additional features and capabilities

Answer 128

A

General purpose - default- diverse workloads, equal resource ratio

Compute organized - media processing, HPC, scientific modeling, gaming, machine learning

Memory Optimized - processing large in-memory datasets, some database workloads

Accelerated computing - hardware GPU, field programmable gate arrays (FPGAs)

Storage optimized - sequential & random IO - scale-out transactional databases data warehousing, elastic search, analytics workloads

Answer 129

A

Instance family - “R”
Instance generation - “5”
Additional capabilities - “dn”
Instance type - “R5dn.8xlarge”
Instance size - “8xlarge”

Answer 130

A

Direct (local) attache storage - storage on the EC2 host
Network attached storage - volumes delivered over the network (ebs)
Ephemeral storage - temporary storage
Persistent storage - permanent storage - lives on past the lifetime of the instance

Answer 131

A

-Block storage - VOLUME presented to the OS as a collection of blocks…. no structure provided.

MOUNTABLE. BOOTABLE.

-File storage - presented as a file share…. has structure.

MOUNTABLE. NOT BOOTABLE.

-Object storage - collection of objects, flat.

NOT MOUNTABLE. NOT BOOTABLE.

Answer 132

A

IO(block) size X IOPS = Throughput

IO: 16k, 64k, 1MEG
IOPS: revolutions per second
Throughput: Rate of data, XX MB/S, “65 megabits per second”

Answer 133

A

Block storage - raw disk allocations (volume) - can be encrypted using KMS
….instances see block device & create file system on this device (ext3/4, fs)
storage is provisioned in ONE AZ (resilient in that AZ)
Attached to *one EC2 instance(or other service) over a storage network
….DETACHED and REATTACHED, not lifecycle linked to one instance…persistent
Snapshot(backup) into S3. Create volume from snapshot(migrate btw AZs)
Different physical storage types, different sizes, different performance profiles
Bill based on GB-month (some cases for performance)

Answer 134

A

-Volumes: 1GB, up to 16TB

Answer 135

A

st1; cheap, throughput optimized
sc1; cheaper, cold HDD

Answer 136

A

Block storage devices
Physically connected to 1 EC2 host
Instances on that host can access them
Highest storage performance in AWS
Included in instance price….
only ATTACHED AT LAUNCH

Answer 137

A

Instance store volumes are local on a EC2 host
Instance volumes are only added AT LAUNCH
Instance volumes lost on instance move, resize, or hardware failure
High performance
You pay for it anyway - included in instance price
INSTANCE STORE VOLUMES ARE TEMPORARY

Answer 138

A

Persistence .. EBS (avoid instance store)
Resilience .. EBS (avoid instance store)
Storage isolate from instance lifecycle .. EBS
Resilience w/App in-built replication … it depends
High performance needs … it depends
Super high performance needs … instance store
Cost … instance store (often included)
Cheap = ST1 or SC1
Throughput .. streaming … ST1
Boot ……..NOT ST1 or SC1
GP2/3 - up to 16,000 IOPS
IO1/2 - up to 64,000 IOPS (*256,000)
RAID0 + EBS up to 260,000 IOPS (io1/2-BE/GP2/3)
More than 260,000 IOPS - INSTANCE STORE

Answer 139

A

snapshots are incremental volume copies to S3
First is a full copy of ‘data’ on the volume
Future snaps are incremental
Volumes can be created (restored) from snapshots
Snapshots can be copied to another region

Answer 140

A

new EBS volume = full performance immediately
snaps restore lazily - fetched gradually
requested blocks are fetched immediately
force a read of all data immediately
fast snapshot restore (FSR) - immediate restore
up to 50 snaps per region. set on the snap & AZ

Answer 141

A

customer managed;
EC2 instance <=> EC2 host (plaintext stored at rest)
aws/ebs;
EC2 instance <=> EC2 host (customer master key + data encryption key), ciphertext stored at rest, any snapshots created will share DEK

Answer 142

A

Accounts can be set to encrypt by default - default CMK
Otherwise choose a cmk to use
Each volume uses 1 unique DEK
Snapshots & future volumes use the same DEK
Can’t change a volume to NOT be encrypted
OS isn’t aware of encryption….no performance loss

Answer 143

A

Primary ENI:

MAC address
Primary IPv4 Private IP
0 or more secondary IPs
0 or 1 Public IPv4 Address
1 elastic IP per private IPv4 address
0 or more IPv6 addresses
Security groups
Source/destination check

Secondary ENI:

-^^

Answer 144

A

Secondary ENI + MAC = licensing
Multi-homed (subnets) management & data
Different security groups - multiple interfaces
OS - DOESN’T SEE PUBLIC IPV4
IPv4 Public IPs are dynamic … stop/start = CHANGE
Public DNS = private IP in VPC, public IP everywhere else

Answer 145

A

LAUNCH : AMI -> Instance; BOOT /dev/xvda DATA /dev/xvdf
CONFIGURE : Instance BOOT /dev/xvda DATA /dev/xvdf -> customizations
CREATE IMAGE : Instance BOOT /dev/xvda DATA /dev/xvdf -> AMI (referenced w/ block device mapping)
LAUNCH: AMI -> Instance BOOT /dev/xvda DATA /dev/xvdf

Answer 146

A

AMI =One region, only works in that one region
AMI baking …. creating an AMI from a configured instance + application
An AMI can’t be edited …launch instance, update configuration & make new AMI
Can be copied btw regions ( includes its snapshots)
Remember permissions .. default = your account

Answer 147

A

On-Demand instances are isolated
Multiple customer instances run on shared hardware
Instances of different sizes run on same EC2 hosts (consuming defined allocation of resources)
Per-second billing while instance is running.
Associated resources such as storage consume capacity; all are billable, regardless of instance state

Answer 148

A

Default purchase option
No interruption
No capacity reservation
Predictable pricing
No upfront cost
No discount
Short term workloads
Unknown workloads
apps which can’t be interrupted

Answer 149

A

-When AWS sells unused EC2 host capacity for up to 90% discount; spot price is based on spare capacity at a given time

Answer 150

A

Never use SPOT for workloads which can’t tolerate interruptions

Answer 151

A

Non time critical
Anything which can be rerun
Burst capacity needs
Cost sensitive workloads
Anything which is stateless

Answer 152

A

Reservations are for 1 year or 3 year terms, you pay for the entire term

No reservation; full per/s price
Matching instance; reduced or no p/s price
Unused reservation; still billed
Partial coverage of larger instance

Answer 153

A

Customer pays for the host

Software licensing based on sockets/cores
Software host affinity links instances to hosts

Answer 154

A

Shared; on-demand, no host exposure, per sec charges
Host; Pay for the host, no instance charges, capacity management required
Instance; you don’t own, or share host,…..extra charges for instances, but dedicated hardware

Answer 155

A

Ideal for long term usage which doesn’t run constantly
Batch processing daily for 5 hours starting @ 23:00
Weekly data, sales analysis, every Friday for 24 hrs
Doesn’t support all instance types or regions. 1,200 hours per year & 1 year term minimums
100 hours of EC2 per month

Answer 156

A

Regional reservation provides billing discounts for valid instances launched in any AZ in that region
Zonal reservations only apply to one AZ providing billing discounts and capacity reservation in that AZ
Flexible but, don’t reserve capacity w/in AZ - risk during major faults w/limited capacity
Full price & no capacity reservation
On-demand capacity reservations can be booked to ensure you always have access to capacity in AZ when you need it - but at full on-demand price. No term limits - but you pay regardless of if you consume it.

Answer 157

A

Hourly commitment for 1 or 3 year term
Reservation of general compute $ amounts ($20 per hour for 3 years)
Specific EC2 savings plan - flexibility on size & OS
Compute products, currently Ec2, fargate, & lambda
Products have an on-demand rate & savings plan rate
Resource usage consumes savings plan commitment @ reduced savings plan rate
Beyond your commitment … on-demand is used

Answer 158

A

Each resize requires a reboot - DISRUPTION
Larger instances often carry a $ PREMIUM
Upper cap on performance - instance size
No application modification required
Works for all applications - even monoliths

Answer 159

A

Sessions, sessions, sessions
Requires application support OR off-host sessions
No disruption when scaling
No real limits to scaling
Less expensive - no large instance premium
able to be more granular

Answer 160

A

Horizontal: 1 BOB 2 BOB 4 BOB
Vertical: bob.small bob.medium bob.large

Answer 161

A

EC2 service provides data to instances
Accessible inside all instances
http://169.254.169.254, always want the ‘latest’ ‘meta-data’
http://169.254.169.254/latest/meta-data/
Environment
Networking
Authentication
User-Data
NOT AUTHENTICATED or ENCRYPTED

Answer 162

A

ECS cluster; Network O
Service definition(Container definition(Task definition, task role))
Container definition: image & ports
Task definition: security(task role), container(s), resources
Task role: IAM role which the TASK assumes
Service: how many copies, HA, restarts

Answer 163

A

-ASG encompasses AZA & AZB, ECS handles cluster from Registry

Answer 164

A

Serverless option
Container images uses Registry
Containers are hosted on Fargate Shared Infrastructure, no visibility of other customers

Answer 165

A

If you use containers….. ECS
Large workload; price conscious: EC2 mode
Large workload; overhead conscious: Fargate
Small/Burst workloads; Fargate
Batch/Periodic workloads; Fargate

Answer 166

A

Network only (Fargate)

EC2 Linux + Networking

EC2 Windows + Networking

Answer 167

A

Allows EC2 Build automation
User Data - accessed via meta-data IP
http://169[.]254[.]169[.]254/latest/user-data
Anything in user data is executed by the instance OS
ONLY on launch
EC2 doesn’t interpret, OS needs to understand user data

Answer 168

A

-AMI -> Instance

Answer 169

A

Opaque to EC2… its BLOCK DATA
NOT secure - don’t include passwords or long term credentials in it
User data limited to 16KB in size
Can be modified when instance stopped
ONLY EXECUTED ONCE AT LAUNCH

Answer 170

A

IAM Role allows EC2 Service to assume it (IAM Role)
Credentials are inside meta-data
iam/security-credentials/role-name
Automatically rotated - always valid
should always be used rather than adding access keys into instance
CLI tools will use ROLE credentials automatically

Answer 171

A

Storage for configuration & secrets
String, StringList, & SecureString
License codes, Database strings, full configs & passwords
Hierarchies & Versioning
Plaintext & cipher text
Public Parameters - Latest AMIs per region

Answer 172

A

CloudWatch is for metrics
CloudWatch logs is for logging
Neither natively capture data inside an instance
CloudWatch agent is required…
…plus configuration and permissions

Answer 173

A

Cluster: Pack instances close together
Spread: Keep instances separated
Partition: Groups of instances spread apart

Answer 174

A

*When you want to achieve the absolute highest performance possible in EC2

Note: have to be launched into a single AZ
All members have direct connections to each other
Lowest latency and max PPS possible in AWS

Answer 175

A

10Gbps p/ stream
5Gbps normally

Answer 176

A

-Same rack, sometimes additionally the same host

Answer 177

A

Can’t span AZ’s, one only - locked when launching first instance
Can span VPC peers - but impacts performance
Requires a supported instance type
Use the same type of instance(not mandatory)
Launch at the same time(not mandatory, highly recommended)
10Gbps single stream performance

Answer 178

A

Performance, fast speeds, low latency(high performance compute)

Answer 179

A

Provides infrastructure isolation & resilience
…..each instance runs from a different rack
each rack has its own network and power source
7 instances per AZ (HARD LIMIT)
Not supported for dedicated instances or hosts
Use case: small number of critical instances that need to be kept separated from each other

Answer 180

A

*designed for infrastructure that has 7+ instances per AZ but you still need ability to separate those instances into separate fault domains

-Similar architecture to spread placement groups

Answer 181

A

-Each rack has its own rack - no sharing between partitions

Answer 182

A

Instances can be placed in a specific partition, or auto placed

-Only allowed up to 7 partition per AZ

Answer 183

A

Contains impact of failure to part of an application. Is also great for topology-aware applications including;

-HDFS, HBase, Cassandra

Answer 184

A

-An EC2 Host dedicated to you

Specific instance families include a1, c5, m5

Answer 185

A

No instance charges, you pay for the host

-On demand & reserved options are available

Answer 186

A

Host has physical sockets and cores;

it dictates how many instances can be run on that host
licensed software based on physical sockets or cores, can utilize visibility of the hardware

Answer 187

A

Designed for a specific family & instance size.

Answer 188

A

AMI limits - RHEL, SUSE Linux, & Windows AMIs are not supported
Amazon RDS instances are NOT supported.
Placement groups are not supported for dedicated hosts
Hosts can be shared w/other ORG accounts through the RAM(Resource Access Manager)

Answer 189

A

A featured used to improve the overall performance of EC2 networking. Required for any high-end performance features like cluster-placement groups

Answer 190

A

Enhanced networking using SR-IOV (SingleRoot-IOVirtualization).

NIC is virtualization aware.

Answer 191

A

No charge, available on most EC2 types.
Higher I/O & lower host CPU usage
More bandwidth
Higher packets-per-second(PPS)
Consistent lower latency

Answer 192

A

EBS = Block storage over the network
Historically network was shared .. data & EBS
EBS optimized means dedicated capacity for EBS
Most instances support & have enabled by default
Some support, but enabling costs extra

Answer 193

A

R53 Hosted Zone is a DNS DB for a domain
Zones are globally resilient (multiple DNS servers)
Are created w/domain registration via R53, can be created separately
Host DNS records (A, AAAA, MX, etc)
Hosted zones are the DNS system references - Authoritative for domain

Answer 194

A

DNS DB (zone file) hosted by R53(public name servers)
Accessible from public internet & VPCs
Hosted on “4” R53 name servers specific to zone
use “NS records” to point to the NS
Resource records(RR) created w/in hosted zone
Externally registered domains can point at R53 public zone

Answer 195

A

The same as a Public hosted zone…..just not public
Associated w/VPC’s
Only accessible in those VPCs
Use different accounts supported via CLI/API
Split-view(overlapping public & private) for PUBLIC & INTERNAL use w/the same zone name

Answer 196

A

CNAME maps NAME to another NAME
CNAME is invalid for naked/apex
with just CNAME - catagram.io => ELB would be invalid

Answer 197

A

ALIAS records map a NAME to an AWS resource
Can be used for both naked/apex and normal records
For non apex/naked - functions like CNAME
There is no charge for ALIAS requests pointing at AWS resources
For AWS services - default to picking ALIAS
Should be the same “type” as what the record is pointing at
API Gateway, CloudFront, Elastic Beanstalk, ELB, Global Accelerator & S3

Answer 198

A

-If target of health check is healthy the primary record is used

Answer 199

A

Supports multiple records with the same name
Supports up to 8 healthy records, that are returned
Improves availability; NOT a replacement for load balancing
Each record is independent & can have an associated health check
records which fail health checks won’t be returned when queried

Answer 200

A

total weight (100)
‘0’ weight means record is never returned unless all are ‘0’ then all are considered
each record is returned based on its record weight vs total weight
if chosen record is unhealthy, process of selection is repeated until health record is chosen

Answer 201

A

For simple load balancing or testing new software versions

Answer 202

A

When you’re trying to optimize for performance & user experience
AWS maintains a db of latency between users & general location and the regions tagged in records
routing supports one record w/same name in each AWS region
record that is returned is the one which offers the lowest estimated latency & is healthy

Answer 203

A

Similar to latency, only instead of latency the location of customers and location of resources are used to influence resolution decisions
When creating records, you tag the records with the location
Four types: “continent”, “country”, “subdivision”, “default”
when user makes resolution request, IP check verifies location of the user

Resolution request only returns relevant records

Answer 204

A

Geoproximity aims to calculate the distance between the customer & the record, and return an answer with the lowest distance
Similar to latency policy however it works on distance
routing is distance based (including bias)

Answer 205

A

“+” or “-” can be added to rules.
- “+” increases region size & decreases neighboring regions
records can be tagged w/an AWS region or lat & long coordinates

Answer 206

A

2 jobs - Domain registrar & domain hosting
R53 can do both, OR either domain registrar or domain hosting
Accepts your money (domain registration fee)
allocates 4 name servers (NS) (domain hosting)
service creates a zone file (domain hosting) on above NS
service communicates w/registry of the TLD (Domain registrar)
sets NS records for domain to point at the 4 NS above

Answer 207

A

ACID and BASE are DB transaction models
CAP theorem - Consistency, Availability, Partition Tolerant (resilience) - choose 2
ACID = Consistency
BASE = Availability

Answer 208

A

ATOMIC, CONSISTENT, ISOLATED, DURABLE → RDS ….. limits scaling

ALL or NO components of transaction succeeds or fails
Transactions over from db from one valid state to another = nothing in=between is allowed
If multiple transactions occur at once, they don’t interfere w/each other, each executes as if the only one
Once committed, transactions are durable. Stored on non-volatile memory, resilient to power outages or crashes

Answer 209

A

BASICALLY AVAILABLE, SOFT STATE, EVENTUALLY CONSISTENT → DynamoDB* …. consistency

READ & WRITE operations are available ‘as much as possible’ but without any consistency guarantees - kinda, maybe
DB doesn’t enforce consistency, this is offloaded onto the application/user
If we wait long enough, reads from the system will be consistent

Answer 210

A

Access to the DB instance OS
Advanced DB option tuning….(DBROOT)
….. vendor demands
DB or DB version AWS don’t provide…
Specific OS/DB combination AWS don’t provide
Architecture AWS don’t provide (replication/resilience)
Decision makers who ‘just want it’

Answer 211

A

Admin overhead - managing EC2 & DBHost
Backup/ DR Management
EC2 is single AZ
Features - some of AWS DB products are amazing
EC2 is ON or OFF - no serverless, no easy scaling
Replication - skills, setup time, monitoring & effectiveness
Performance…AWS invest time into optimization & features

Brainscape's Knowledge GenomeTM

Solutions Architect Flashcards

Brainscape's Knowledge Genome^TM