Stuff I Forgot Flashcards

1
Q

Static Website with S3 has what two major requirements

A

Must have a registered domain name and the S3 bucket has to be same as the domain

2
Q

What is an MX DNS record?

A

Mail server responsible for accepting email on behalf of a domain.

3
Q

In a static website, does the S3 bucket need to be in the same region as the trusted zone?

A

No.

4
Q

In what case is the CORS (Cross-Account Resource Sharing) option valid for S3 static websites?

A

Only if the web application interacts with resources in a different domain.

5
Q

What is the function/purpose of Lambda@Edge?

A

Allows lambda functions to modify HTTP headers, generate dynamic responses and customize content based on user preference.

6
Q

What is AWS Glue?

A

Fully managed Extract, Transform, Load (ETL) service.

7
Q

What service is the Apache Parquet format associated with?

A

AWS Glue

8
Q

What need does Amazon EMR serve?

A

Formerly Amazon Elastic MapReduce; big data frameworks.

9
Q

What is geolocation routing?

A

Choose resources that serve traffic based on geographic location of users (meaning where the DNS query originates from).

10
Q

What is geoproximity routing?

A

Let Route 53 determine route based on location of user and resource. You can identify a bias which determines if more or less traffic is routed.

11
Q

Are you able to store access keys in ACM?

A

No.

12
Q

What is ACM and its purpose?

A

AWS Certificate Manager; lets you provision, manage, and deploy public/private SSL/TLS certs.

13
Q

What are some examples of things stored in AWS Secrets Manager?

A

DB credentials, passwords, third-party API keys, or even text.

14
Q

Does Systems Manager Parameter Store automatically rotate credentials?

A

No

15
Q

If a web service client wanted to access only a trusted, whitelisted IP address, what service should be used?

A

Associate an EIP to an NLB.

16
Q

What layer of the OSI model does an NLB function at?

A

Fourth (TCP).

17
Q

Can you assign an EIP to an ALB?

A

No.

18
Q

What is the retention period range for SQS and what is the default?

A

1 minute to 14 days. Default is 4 days.

19
Q

What is the limit of inflight messages for a standard SQS queue?

A

120,000

20
Q

What is the limit for a FIFO SQS queue?

A

20,000

21
Q

In what scenario for transferring data is an AWS Snowmobile reasonable?

A

Exabyte and/or petabytes of data from onprem to S3.

22
Q

If you needed to transfer < 100T from onprem to AWS, what is a reasonable solution?

A

AWS Snowball (Edge)

23
Q

What would Kinesis Video Streams be used for?

A

Processing of video data streams at AWS

24
Q

What is the purpose of AWS Rekognition?

A

To detect faces, scenes, text, and inappropriate content in videos.

25
What is AWS Elastic Transcoder?
Convert Media Files from one format to another.
26
What is AWS Kendra?
Intelligent Enterprise Search service (via Machine Learning)
27
If you needed to search Text, PDF, HTML, Powerpoint, and other documents, what service might you leverage?
AWS Kendra
28
Which AES encryption option does S3 offer?
AES-256
29
In Route 53 with Evaluate Target Health enabled, what functionality will this provide?
Route 53 will automatically route traffic to only healthy resources. If it is not available/down, secondary address is used.
30
Can weighted routing be used as a DR / failover configuration?
No. Should only be used to route traffic for load balancing and/or testing different software versions
31
Can CloudWatch events be used to monitor Route53 endpoints?
No; use a failover config in Route53 instead.
32
If multi-AZ RDS primary fails, what happens to ensure connections get to the standby instance?
CNAME is switched from primary to secondary.
33
What is the function of AWS WAF?
Web Application Firewall; for monitoring HTTP/HTTPS requests and blocking based on IP address or queries, and you can return 403s or custom pages.
34
What is the purpose of GuardDuty?
Threat detection service that monitors for malicious activity and unauthorized behavior
35
What is the purpose of a gateway endpoint?
Provide connectivity to S3/DynamoDB without requiring internet gateway or a NAT.
36
When would you want to use a gateway endpoint policy for S3 buckets?
When you want to trust several buckets instead of having to put a policy on each individual bucket.
37
What is the main function of Cognito?
Single Signon for Web/Mobile; or integrating with Social Media Identities (FB, Google, etc.)
38
What is Amazon Macie?
Detect usage patterns on S3 data. Evaluate S3 for data patterns (e.g. PII) via Machine Learning
39
What is Amazon Inspector?
Automated security assessment service for security/compliance of applications.
40
What is the correct header request required for server side encryption (SSE-S3)?
x-amz-server-side-encryption
41
These headers fall into what category for encryption: x-amz-server-side-encryption-customer-algorithm, x-amz-server-side-encryption-customer-key, x-amz-server-side-encryption-customer-key-MD5?
SSE-C
42
EFS only supports this type of locking:
File
43
Which Amazon service is capable of locking objects and preventing them from deletion/being overwritten?
S3
44
Which protocol is required on a VPC?
IPv4
45
What is SageMaker?
AWS managed service to build ML models
46
What is AWS Detective?
Analyze, investigate, and identify security issues.
47
What is Monitron?
Detects abnormal condition in industrial equipment.
48
DynamoDB tables are ____________ resources.
Public
49
How can you secure a DynamoDB table so it won't have exposure to public internet?
Via a gateway endpoint.
50
DynamoDB does not support what type of endpoint?
Interface
51
What is Timestream?
Time series DB service for use with IoT
52
How can you ensure a specific message in an SNS topic gets to a designated SQS queue?
Create the topic, configure the queues to subscribe, set filter policies on the SNS to publish based on type.
53
What type of Database is Dynamo?
NoSQL
54
Bastion hosts should reside where in the VPC?
Public Subnet
55
What is a primary function of Redshift?
Data Warehousing
56
What is SWF?
Simple WorkFlow Service
57
What are the two main services that are used to decouple applications in AWS?
SQS and SWF
58
What is a MEAN stack?
JavaScript-based framework for developing scalable web applications; MongoDB, Express, Angular, and Node
59
What service(s) would be employed to stop/block DDoS attacks?
WAF and Shield
60
If you had a service that was processing SQS queues and you wanted something to process at a higher priority (e.g. premium); how should that be accomplished?
By creating two different SQS queues and configuring the processing to ensure the premium queue is emptied before doing the standard queue.
61
Can you set a processing priority on items in an SQS queue?
No.
62
When would you want to use Geoproximity routing in Route 53?
When you want a larger portion of traffic from specific geographic regions to go to a specific region in AWS.
63
What differentiates Geoproximity from Geolocation?
Size of the area; Geolocation lets you choose instances based on location.
64
Which loadbalancer type handles gRPC traffic?
ALB
65
What layer OSI is gRPC?
7
66
Which loadbalancer type functions at Layer 7 of the OSI model?
ALB
67
Which loadbalancer type functions at Layer 3 of the OSI Model?
NLB
68
If you are getting "Too Many Connections" connecting to a MySQL database, which is one way to handle that?
RDS proxy. This would handle connection pooling. NOTE: Another way would be to upgrade the DB/increase memory.
69
What DB solution is associated with key-value store?
DynamoDB
70
Can you attach EBS volumes in any availability zone?
No, EBS must be in same zone as instance.
71
What is the purpose of a placement group?
Low-latency network performance
72
For API Gateway, what do you pay for?
API calls received and data transferred out
73
What service provides a static anycast IP?
Global Accelerator
74
What is the default autoscaling cooldown period?
300 seconds
75
Is a NAT required to create a VPN connection?
No
76
AWS Global Accelerator is appropriate for which protocols?
UDP, MQTT, VoIP, or HTTP with static IP
77
Apache _____ is associated with big data frameworks.
Spark
78
What service would you use to query an S3 bucket?
Athena
79
Which is the correct field for a Task IAM role?
taskRoleArn
80
What is the purpose of a rate-based WAF rule?
Stop requests from going over a limit in a five minute span.
81
Can security groups be used to deny traffic?
No
82
What are two main ways to prevent object deletion at S3?
MFA for delete; versioning
83
File Gateway is used for what purpose?
To allow for outside resources to interface with S3 via NFS or SMB.
84
What is necessary for a private subnet to connect to the internet?
A NAT gateway on a public subnet.
85
If only single AZ, a scale-in policy is triggered on an ALB/ASG due to low number of incoming traffic, which instance is terminated?
The one with the oldest launch template.
86
If there are multiple AZs in an ASG, which one is picked if a scale-in policy is triggered?
The one with the most number of instances
87
What does the service AWS Transfer for SFTP provide?
Managed solution for SFTP that interfaces with identities and stores items in S3.
88
What would be a method to have member-only access to S3 files?
Use Signed Cookies
89
In what case would you use a signed URL?
For accessing individual files.
90
What is the maximum days for an EFS lifecycle policy?
90 days
91
What is the Aurora endpoint purpose?
To provide different points for different functions (e.g. reader/writer) and/or capacity directions (e.g. point production traffic to a specific endpoint)
92
What kind of file system is Amazon FSx for Lustre?
High-performance, parallel file system (hot data)
93
Which AWS service helps prevent DDoS attacks?
Shield
94
Which service helps protect against SQL injection or cross-site scripting attacks?
WAF
95
What is the default retention for RDS enhanced logs?
30 days
96
What is the method to improve database performance on DynamoDB with provisioned throughput?
Partition keys with high-cardinality attributes (large number of distinct values)
97
Does RDS events capture data-modifying events (INSERT, DELETE, UPDATE)?
No; it only captures operational events.
98
Can S3 and WorkDocs be integrated?
No
99
Does Lambda automatically encrypt environment variables?
Yes
100
Since the KMS for Lambda is available to all, what is a way to better secure encrypted environment variables?
Create a new KMS key and enable encryption helpers.
101
What would be a reason for slow email processing in an SQS queue (e.g. get 5 messages and then in a few hours get 20)?
Web application not deleting messages in SQS queue
102
What would long polling in an SQS queue do?
Reduce empty responses.
103
If you want to connect to an RDS via an authentication token, what should you do?
Enable IAM DB authentication
104
What relational database mitigates multi-region failures and has RPO of 1 second and RTO of 1 minute?
Aurora
105
Which DB is associated with OLAP systems?
Redshift
106
Is Oracle RMAN (Recovery Manager) supported in RDS?
No
107
What solution could be provided for HTTP 504 errors and what is a 504?
Gateway Timeout. Use Lambda@Edge and set up origin failover via CloudFront.
108
What solution can be used when a web portal is expected to receive massive number of visitors?
API gateway throttling limits
109
What is an HTTP 429?
Too many requests
110
How would you manage an EKS etcd key-value store?
Via Secrets Manager and a KMS key
111
What is blue/green in a development structure?
Blue: existing; Green: updated
112
What is the most cost effective way to release a new version of an API?
Canary release strategy
113
Which service handles AWS compliance reporting?
Artifact
114
How long does it take for S3 cross-region replication to happen?
Roughly 15 minutes.
115
What are the two retention modes provided by S3 Object Lock?
Governance and Compliance
116
What is the difference between Governance and Compliance mode in S3?
Compliance mode prevents protected objects from ANY user (including root) and the mode can't be changed or shortened.
117
Does a legal hold in S3 Object Lock have a time period?
No
118
What option should be used if an EC2 instance needs to send data to S3/Dynamo that doesn't pass through the internet?
VPC endpoints
119
What function does DynamoDB Stream do and what might you use it for?
Tracks changes to DynamoDB tables. Could be used for a "follow" effect of a new user or something like that.
120
What type of replication does an RDS read replica provide?
Asynchronous
121
If using a CloudFormation template to build several related assets that have interdependencies, what is the attribute you can use to ensure success before moving on?
CreationPolicy / use cfn-signal helper
122
If you are updating an AutoScaling group and you have a new AMI to launch a fleet of instances, what further step(s) must be taken?
Create a new launch template
123
How much ephemeral storage is allocated to a Fargate task?
20G
124
Security groups are stateful, which means what?
When a rule is applied to an incoming rule, it is also automatically applied to the outgoing rule.
125
What is the purpose of allowing ports 32768-65535 on an outbound NACL?
Ephemeral ports on outbound connections to a destination
126
What does DynamoDB Accelerator supply?
In memory cache that changes response time from milliseconds to microseconds.
127
Is DynamoDB compatible with CloudFront?
No
128
Which type of RDS can tolerate frequent schema changes?
DynamoDB as tables are schemaless
129
What does AppFlow provide?
Integration to transfer data between SaaS applications (Salesforce/SAP)
130
What is Amazon MQ?
Message broker for Apache MQ/RabbitMQ
131
What is the best option for an always available (24/7) Route 53 that stops routing to unhealthy targets?
Active-Active Failover with Weighted Routing
132
If you are trying to change an Aurora instance from server to serverless, is it possible to just change the instance class?
No
133
Is VPC peering supported with a Direct Connect connection?
No
134
If you wanted to use KMS with Lambda, where should you put the kms:decrypt permissions?
In the function's execution role and also the KMS key policy to allow the function to access it.
135
Can you set Lambda as a destination for Kinesis Data Firehose?
No
136
If a higher valued rule in a NACL DENYs something that is already allowed, what happens?
It's allowed. If higher number rules contradict it doesn't matter because as soon as the rule matches traffic it is applied.
137
What are expedited retrievals in regard to Glacier?
Allows retrievals faster (1-5 minutes)
138
What is provisioned capacity in regard to Glacier?
Allows for three expedited retrievals every five minutes and up to 150M of retrieval throughput.
139
What type of IAM can be attached to a group?
IAM Policy
140
Systems Manager Parameter store is a better fit when storing ___________ parameters.
Application
141
Is it possible to change an EC2 instance to hibernation mode after it has been launched?
No
142
Can AWS Config be used to detect non-compliant tags?
Yes
143
What is the maximum retention period for automated backup on Aurora?
35 days
144
What service could be used to create a 90-day retained backup for Aurora?
AWS Backup
145
What service does Comprehend provide?
Natural language processing that can find meaning/insights from text (find sentiments [e.g. if someone liked or disliked something])
146
What is AWS Neptune?
Fully managed graph database service; build and run applications with highly connected datasets.
147
Are ELBs capable of routing traffic over different AZs?
No
148
What is the default and maximum retention for a Kinesis data stream?
24h to 365 days
149
Will you be billed for an instance that is preparing to stop?
No; however you will be billed if preparing to hibernate
150
What solution can automatically scale storage capacity for RDS?
Storage Autoscaling
151
Can Kinesis Data Firehose function as an ETL?
Yes
152
True/False: Newly created subnets are automatically associated with main route table
True
153
What is the block size for a VPC?
/16 and /28
154
What is job bookmarking in relation to Glue?
Stores the state of the job's progress in a data store so it can resume where it failed or had a problem.
155
If you had various web domains but wanted them all to serve SSL traffic, how would that be done with an ALB?
Upload the SSL certs and bind multiple certs to the same listener. ALB chooses optimal TLS cert using Server Name Indication (SNI).
156