Stuff I Forgot Flashcards
Static Website with S3 has what two major requirements
Must have a registered domain name and the S3 bucket has to be same as the domain
What is an MX DNS record?
Mail server responsible for accepting eMail on behalf of domain.
In a static website, does the S3 bucket need to be in same region as trusted zone?
No.
In what case is the CORS (Cross-Account Resource Sharing) option valid for S3 static websites?
Only if the web application interacts with resources in a different domain.
What is the function/purpose of Lambda@Edge?
Allows lambda functions to modify HTTP headers, generate dynamic responses and customize content based on user preference.
What is AWS Glue?
Fully managed Extract, Transform, Load (ETL) service.
What service is the Apache Parquet format associated with?
AWS Glue
What need does Amazon EMR serve?
Formerly Amazon Elastic MapReduce; big data frameworks.
What is geolocation routing?
Choose resources that serve traffic based on geographic location of users (meaning where the DNS query originates from).
What is geoproximity routing?
Let Route 53 determine route based on location of user and resource. You can identify a bias which determines if more or less traffic is routed.
Are you able to store access keys in ACM?
No.
What is ACM and its purpose?
AWS Certificate Manager; let’s you provision, manage, and deploy pub/private SSL/TLS certs.
What are some examples of things stored in AWS Secrets Manager?
DB credentials, passwords, third-party API keys, or even text.
Does Systems Manager Parameter Store automatically rotate credentials?
No
If a webservice client wanted to access only trusted IP address whitelisted, what service should be used?
Associate an EIP to an NLB.
What layer of the OSI model does an NLB function at?
Fourth (TCP).
Can you assign an EIP to an ALB?
No.
What is the retention period range for SQS and what is the default?
1 minute to 14 days. Default is 4 days.
What is the limit of inflight messages for a standard SQS queue?
120,000
What is the limit for a FIFO SQS queue?
20,000
In what scenario for transferring data is an AWS Snowmobile reasonable?
Exabyte and/or petabytes of data from onprem to S3.
If you needed to transfer < 100T from onprem to AWS, what is a reasonable solution?
AWS Snowball (Edge)
What would Kinesis Video Streams be used for?
Processing of video data streams at AWS
What is the purpose of AWS Rekognition?
To detect faces, scenes, text, and inappropriate content in videos.
What is AWS Elastic Transcoder?
Convert Media Files from one format to another.
What is AWS Kendra?
Intelligent Enterprise Search service (via Machine Learning)
If you needed to search Text, PDF, HTML, Powerpoint, and other documents, what service might you leverage?
AWS Kendra
Which AES encryption option does S3 offer?
AES-256
In Route 53 with Evaluate Target Health enabled, what functionality will this provide?
Route 53 will automatically route traffic to only healthy resources. If it is not available/down, secondary address is used.
Can weighted routing be used as a DR / failover configuration?
No. Should only be used to route traffic for load balancing and/or testing different software versions
Can CloudWatch events be used to monitor Route53 endpoints?
No; use a failover config in Route53 instead.
If multi-AZ RDS primary fails, what happens to ensure connections get to the standby instance?
CNAME is switched from primary to secondary.
What is the function of AWS WAF?
Web Application Firewall; for monitoring HTTP/HTTPS requests and blocking based on IP address or querys and you can return 403s or custom pages.
What is the purpose of GuardDuty?
Threat detection service that monitors for malicious activity and unauthorized behavior
What is the purpose of a gateway endpoint?
Provide connectivity to S3/DynamoDB without requiring internet gateway or a NAT.
When would you want to use a gateway endpoint policy for S3 buckets?
When you want to trust several buckets instead of having to put a policy on each individual bucket.
What is the main function of Cognito?
Single Signon for Web/Mobile; or integrating with Social Media Identities (FB, Google, etc.)
What is Amazon Macie?
Detect usage patterns on S3 data. Evaluate S3 for data patterns (e.g. PII) vi Machine Learning
What is Amazon Inspector?
Automated security assessment service for security/compliance of applications.
What is the correct header request required for server side encryption (SSE-S3)?
x-amz-server-side-encryption
These headers fall into what category for encryption: x-amz-server-side-encryption-customer-algorithm, x-amz-server-side-encryption-customer-key, x-amz-server-side-encryption-customer-key-MD5?
SSE-C
EFS only supports this type of locking:
File
Which Amazon service is capable of locking objects and preventing them from deletion/being overwritten?
S3
Which protocol is required on a VPC?
IPv4
What is SageMaker?
AWS managed service to build ML models
What is AWS Detective?
Analyze, investigate, and identify security issues.
What is Monitron?
Detects abnormal condition in industrial equipment.
DynamoDB tables are ____________ resources.
Public
How can you secure a DynamoDB table so it won’t have exposure to public internet?
Via a gateway endpoint.
DynamoDB does not support what time of endpoint?
Interface
What is Timestream?
Time series DB service for use with IoT
How can you ensure a specific message in an SNS topic gets to a designated SQS queue?
Create the topic, configure the queues to subscribe, set filter policies on the SNS to publish based on type.
What type of Database is Dynamo?
NoSQL
Bastion hosts should reside where in the VPC
Public Subnet
What is a primary function of Redshift?
Data Warehousing
What is SWF?
Simple WorkFlow Service
What are the two main services that are used to decouple applications in AWS?
SQS and SWF
What is a MEAN stack?
JavaScript-based framework for developing scalable web applications; MongoDB, Express, Angular, and Node
What service(s) would be employed to stop/block DDoS attacks?
WAF and Shield
If you had a service that was processing SQS queues and you wanted something to process at a higher priority (e.g. premium); how should that be accomplished?
By creating two different SQS queues and configuring the processing to ensure the premium queue is emptied before doing the standard queue.
Can you set a processing priority on items in an SQS queue.
No.
When would you want to use a Geoproximity routing in Route53
When you want a larger portion of traffic from specific geographic regions to go to a specific region in AWS.
What differentiates Geoproximity from Geolocation?
Size of the area; Geolocation lets you choose instances based on location.
Which loadbalancer type handles gRPC traffic?
ALB
What layer OSI is gRPC?
7
Which loadbalancer type functions at Layer 7 of the OSI model?
ALB
Which loadbalancer type functions at Layer 3 of the OSI Model?
NLB
If you are getting “Too Many Connections” connecting to a MySQL database, which is one way to handle that?
RDS proxy. This would handle connection pooling. NOTE: Another way would be to upgrade the DB/increase memory.
What DB solution is associated with key-value store?
DynamoDB
Can you attach EBS volumes in any availability zone?
No, EBS must be in same zone as instance.
What is the purpose of a placement group?
Low-latency network performance
For API Gateway, what do you pay for?
API calls received and data transferred out
What service provides a static anycast IP?
Global Accelerator
What is the default autoscaling cooldown period?
300 seconds
Is a NAT required to create a VPN connection?
No
AWS Global Accelerator is appropriate for which protocols?
UDP, MQTT, VoIP, or HTTP with static IP
Apache _____ is associated with big data frameworks.
Spark
What service would you use to query an S3 bucket?
Athena
Which is the correct field for a Task IAM role?
taskRoleArn
What is the purpose of a rate-based WAF rule?
Stop requests from going over a limit in a five minute span.
Can security groups be used to deny traffic?
No
What are two main ways to prevent object deletion at S3?
MFA for delete; versioning
File Gateway is used for what pupose?
To allow for outside resources to interface with S3 via NFS or SMB.
What is necessary to connect a private subnet to connect to the internet?
A NAT gateway on a public subnet.
If only single AZ, a scale-in policy is triggered on an ALB/ASG due to low number of incoming traffic, which instance is terminated?
The one with the oldest launch template.
If there are multiple AZs in an ASG, which one is picked if a scale-in policy is triggered?
The one with the most number of instances
What does the service AWS Transfer for SFTP provide?
Managed solution for SFTP that interfaces with identies and stores items in S3.
What would be a method to have member-only access to S3 files?
Use Signed Cookies
In what case would you use a signed URL?
For accessing individual files.
What is the maximum days for an EFS lifecycle policy?
90 days
What is the Aurora endpoint purpose?
To provide different points for different functions (e.g. reader/writer) and/or capacity directions (e.g. point production traffic to a specific endpoint
What kind of file system is Amazon FSx for Lustre?
High-performance, parallel file system (hot data)
Which AWS Service helps prevent against DDoS attacks
Shield
Which service helps protect against SQL injection or cross-site scripting attacks?
WAF
What is the default retention for RDS enhanced logs?
30 days
What is the method to improve database performance on DynamoDB with provisioned throughput?
Partition keys with high-cardinality attributes (large number of distinct values)
Does RDS events capture data-modifying events (INSERT, DELETE, UPDATE)?
No; it only captures operational events.
Can S3 and WorkDocs be integrated?
No
Does Lambda automatically encrypt environment variables?
Yes
Since the KMS for Lambda is available to all, what is a way to better secure encrypted environment variables?
Create a new KMS key and enable encryption helpers.
What would a reason for slow eMail processing in an SQS queue (e.g. get 5 messages and then in a few hours get 20)
Web application not deleting messages in SQS queue
What would long polling in an SQS queue do?
Reduce empty responses.
If you want to connect to an RDS via an authentication token, what should you do?
Enable IAM DB authentication
What relational database mitigates multi-region failures and has RPO of 1 second and RTO of 1 minute?
Aurora
Which DB is associated with OLAP systems?
Redshift
Is Oracle RMAN (Recover Manager) supported in RDS?
No
What solution could be provided for HTTP 504 errors and what is a 504?
Gateway Timeout. Use Lambda @ Edge & setup origin failover via cloudfront.
What solution can be used when a web portal is expected to receive massive number of visitors?
API gateway throttling limits
What is an HTTP 429
Too many requests
How would you manage an EKS etcd key-value store?
Via Secrets Manager and a KMS key
What is blue/green in a development structure?
Blue: existing; Green; updated
What is the most cost effective way to release a new version of an API?
Canary release strategy
Which service handles AWS compliance reporting?
Artifact
How long does it take for S3 cross-region replication to happen?
Roughly 15 minutes.
What are the two retention modes provided by S3 Object Lock?
Governance and Compliance
What is the difference between Governance and Compliance mode in S3
Compliance mode prevents protected objects from ANY user (including root) and the mode can’t be changed or shortened.
Does a legal hold in S3 Object Lock have a time period?
No
What option should be used if an EC2 instance needs to send data to S3/Dynamo that doesn’t pass through the internet?
VPC endpoints
What function does DynamoDB Stream do and what might you use it for?
Tracks changes to DynamoDB tables. Could be used for a “follow” effect of a new user or something like that.
What type of replication does an RDS read replica provide?
Asynchronous
If using a CloudFormation template to build several related assets that have interdependencies, what is the attribute you can use to ensure success before moving on?
CreationPolicy / use cfn-signal helper
If you are updating an AutoScaling group and you have a new AMI to launch a fleet of instances, what further step(s) must be taken?
Create a new launch template
How much ephemeral storage is allocated to a Fargate task?
20G
Security groups are stateful, which means what?
When a rule is applied to an incoming rule, it is also automatically applied to the outgoing rule.
What is the purpose of allowing ports 32768-65535 on an outbound NACL?
Ephemeral ports on outbound connections to a destination
What does DynamoDB Accelerator supply?
In memory cache that changes response time from milliseconds to microseconds.
Is DynamoDB compatible with CloudFront?
No
Which type of RDS can tolerate frequent schema changes?
DynamoDB as tables are schemaless
What does AppFlow provide?
Integration to transfer data between SaaS applications (Salesforce/SAP)
What is Amazon MQ?
Message broker for Apache MQ/RabbitMQ
What is the best option for an always available (24/7) Route 53 that stops routing to unhealthy targets?
Active-Active Failover with Weighted Routing
If you are trying to change a Aurora instance from server to serverless, is it possible to just change the instance class?
No
Is VPC peering supported with a Direct Connect connection?
No
If you wanted to use KMS with Lambda; where should you put the kms:decrypt permissions
In the functions execution role and also the KMS key policy to allow the function to access it.
Can you set Lambda as a destination for Kinesis Data Firehose?
No
If a higher valued rule in a NACL DENY’s something that is already allowed, what happens?
It’s allowed. If higher number rules contradict it doesn’t matter because as soon as the rule matches traffic it is applied.
What is expedited retrievals in regard to Glacier.
Allows retrievals faster (1-5 minutes)
What is provisioned capacity in regard to glacier?
Allows for three expedited retrievals every five minutes and up to 150M of retrieval throughput.
What type of IAM can be attached to a group?
IAM Policy
Systems Manager Parameter store is a better fit when storing ___________ parameters.
Application
Is it possible to change an EC2 instance to hibernation mode after it has been launched?
No
Can AWS Config be used to detect non-compliant tags?
Yes
What is the maximum retention period for automated backup on Aurora?
35 days
What service could be used to create a 90-day retained backup for Aurora?
AWS Backup
What service does Comprehend provide?
Natural language processing that can find meaning/insights from text (find sentiments [e.g. if someone liked or disliked something]
What is AWS Neptune?
Fully managed graph database service; build and run applications with highly connected datasets.
Are ELBs capable of routing traffic over different AZs?
No
What is the default an maximum retention for a Kinesis data stream?
24h to 365days
Will you be billed for a instance that is preparing to stop?
No; however you will be build if preparing to hibernate
What solution can automatically scale storage capacity for RDS?
Storage Autoscaling
Can Kinesis Data Firehose function as an ETL?
Yes
True/False: Newly created subnets are automatically associated with main route table
True
What is the block size for a VPC?
/16 and /28
What is job bookmarking in relation to Glue?
Stores state of job’s progress in data store so it can resume where it failed or had problem.
If you had various web domains but wanted them all to serve SSL traffic, how would that be done with an ALB?
Upload the SSL certs and bind multiple certs to the same listener. ALB chooses optimal TLS cert using Server Name Indication (SNI).
