SysOps Administrator Flashcards

Question 1

Q

When configuring an Elastic Load Balancer, it is possible to register targets using…

Answer

A

Instance ID and a Private IP address.

Question 2

Q

How can you protect mission-critical resources deployed as a CloudFormation stack from being unintentionally updated or deleted during a stack update?

Answer

A

Use a Stack Policy

Question 3

Q

Load balancer best suited for load balancing of HTTP and HTTPS traffic and routing traffic based on the content of the request.

Answer

A

Application Load Balancer

Question 4

Q

Load Balancer designed for extreme performance and is capable of handling millions of requests per second while maintaining ultra-low latencies.

Answer

A

Network Load Balancer

Question 5

Q

Which EBS volume types are suitable for use as a boot volume?

Answer

A

Provisioned IOPS SSD (io2) and General Purpose SSD (gp2)

Question 6

Q

Which deployment strategy involves the creation of another environment to safely deploy a new version of your application without impacting your production environment?

Answer

A

The blue/green deployment strategy is a type of immutable deployment which also requires creation of another environment. Once the new environment is up and passed all tests, traffic is shifted to this new deployment. Crucially the old environment, that is, the “blue” environment, is kept idle in case a rollback is needed.” Reference Documentation: Immutable and Blue/Green Deployment (https://docs.aws.amazon.com/whitepapers/latest/practicing-continuous-integration-continuous-delivery/immutable-and-bluegreen-deployment.html)

Question 7

Q

Which deployment strategy allows you to deploy a new version of your application in batches?

Answer

A

“With rolling deployment, the fleet is divided into batches so that all of the fleet isn’t upgraded at once. During the deployment process two software versions, new and old, are running on the same fleet. This method allows a zero-downtime update. If the deployment fails, only the updated portion of the fleet will be affected.” Reference Documentation: Rolling Deployment (https://docs.aws.amazon.com/whitepapers/latest/practicing-continuous-integration-continuous-delivery/rolling-deployment.html)

Question 8

Q

You are a SysOps Administrator supporting 1000s of Linux servers. Your manager asks you to install the latest operating system and security-related patches on each server. What is the best approach to complete this task as quickly and efficiently as possible?

Answer

A

Use Systems Manager Patch Manager to patch the instances.

Question 9

Q

You would like to load balance traffic to your application that is running on multiple EC2 instances. Each instance has multiple private IP addresses associated with it, and you would like to load balance traffic to different IP addresses on the same instance, using the same port. How can you do this using an Application Load Balancer?

Answer

A

You can register the target using the private IP address that you would like to route the traffic to.

Question 10

Q

Which AWS service would you use to automate the process of creating and maintaining AMI Images?

Answer

A

EC2 Image Builder automates and simplifies the creation, maintenance, validation, sharing, and deployment of Linux or Windows images for use with EC2 and on-premises. Reference Documentation: EC2 Image Builder (https://aws.amazon.com/image-builder/)

Question 11

Q

You are planning to deploy a production database to EC2 and need to choose the best storage type. You anticipate that you will need a maximum of 20,000 IOPS during peak times, but an average of 8,000 - 10,000 IOPS. Which of the following storage options should you choose?

Answer

A

Provisioned IOPS provides high performance for mission-critical, low-latency, or high-throughput workloads, delivering a maximum of 64,000 IOPS per volume. Reference Documentation: Amazon EBS Volume Types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html)

Question 12

Q

Which AWS service can you use to manage, configure, and provision AWS infrastructure as YAML or JSON code?

Answer

A

CloudFormation

Question 13

Q

Which EBS volume types CANNOT be used as a boot volume?

Answer

A

Cold HDD (sc1) is suitable for less frequently accessed data and Throughput Optimized HDD (st1) is suitable for Big data, data warehouses, and ETL (Extract, Transform, and Load) workloads. Both of these cannot be used as a boot volume.

Question 14

Q

Which Elastic Load Balancer status codes indicates a server-side error?

Question 15

Q

Which EBS volume type is most suitable for boot disks and general applications, e.g., web server or application server?

Answer

A

General Purpose SSD (gp2) is suitable for boot disks and general applications.

Question 16

Q

You are supporting a website consisting of a number of EC2 instances behind an Elastic Load Balancer. You would like to capture detailed information relating to incoming HTTP and HTTPS requests to your Elastic Load Balancer. All of this data is highly sensitive and will need to be encrypted. Which of the following should you do?

Answer

A

Enable Elastic Load Balancer access logs, it capture information relating to incoming requests to your Elastic Load Balancer. Access logging is not enabled by default and you will need to enable it yourself. When you enable logging, the logs are encrypted and stored in an S3 bucket and decrypted when you access them.

Question 17

Q

You would like to find a solution to connect to private instances in your VPC from an untrusted network using SSH or RDP. Which of the following options is the best approach?

Answer

A

You should configure a bastion in the public subnet so that it is reachable from the internet. Then allow the bastion to SSH / RDP to your private instances. You should then be able to connect to the bastion from the untrusted network and from there, SSH / RDP to your private instances.

Question 18

Q

You are planning to deploy a big data solution that will run on EC2. You expect that the workload will be highly throughput-intensive and the data will be accessed on a daily basis by a team of data analysts. Which of the following EBS options should you choose for this solution?

Answer

A

Throughput Optimized HDD volumes are suitable for throughput-intensive workloads like big data, data warehouses, and log processing. These volumes are throughput-focused and are optimized for this use case. Reference Documentation: Amazon EBS Volume Types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volume-types.html#hard-disk-drives)

Question 19

Q

Which of the following can you use to protect critical CloudFormation stack resources from unintentional updates and mistakes caused by human error?

Answer

A

A Stack policy

Question 20

Q

You are using CloudFormation to deploy 5 new EC2 instances in us-east-1. Your stack deployment has failed with a “Resource limit exceeded” error. Which of the following options will help enable your stack to successfully deploy?

Answer

A

Delete any unnecessary EC2 instances in us-east-1 that are no longer required and request a limit/quota increase.

Question 21

Q

Which deployment strategy allows you to test a new version of your application with a small proportion of real customers before you roll it out to everybody, and acts as an early warning system to help surface issues with your new deployment?

Answer

A

Canary deployment

Question 22

Q

You are using CloudFormation to provision some new EC2 instances. Which section of the CloudFormation template enables you to input custom values like the name of an existing EC2 key pair to enable SSH access to your new EC2 instances?

Answer

A

The Parameters section of the CloudFormation template enables you to input custom values like the name of an existing EC2 key pair to enable SSH access to new EC2 instances.

Question 23

Q

You are the team lead for a Linux SysOps Support team. Your CTO has asked you to suggest a solution to automate the configuration management of all of your production and development EC2 instances, which are all running Amazon Linux 2. The solution needs to be compatible with Puppet because your team is already familiar with using Puppet. Which of the following would you suggest?

Answer

A

OpsWorks is an automated configuration management service compatible with Puppet and Chef.

Question 24

Q

What describes a bastion host?

Answer

A

It provides access to a private network from an external network.
It is used to mitigate the risk of allowing connections from external networks to instances launched in private subnets of your VPC.
It allows you to safely administer EC2 instances without exposing them to the internet.

Question 25

Q

Which section of a CloudFormation template is mandatory?

Answer

A

Resources are the stack resources and their properties, such as an EC2 instance or an S3 bucket. The resources section of the template is mandatory.

Question 26

Q

You have been tasked with creating a number of new EC2 and RDS instances. Some of the new instances need to be created in your Production account and must be in the us-east-1 Region, and some instances need to be in your Development account and should be created in the eu-west-1 Region. How can you create these stacks using a single operation?

Answer

A

CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and Regions with a single operation.

Question 27

Q

How can you create multiple CloudFormation stacks across multiple AWS accounts and Regions using a single operation?

Answer

A

CloudFormation StackSets enable you to create, update, or delete stacks across multiple accounts and Regions with a single operation. Reference Documentation: Working with AWS CloudFormation StackSets (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html)

Question 28

Q

Which feature let’s an IPv4 address of an end user connecting to your website which is behind an Elastic Load balancer?

Answer

A

X-Forwarded-For HTTP request header

Question 29

Q

Which feature let’s you get the IPv4 address of your end user?

Answer

A

X-Forwarded-For header.

Question 30

Q

You have been asked to suggest a solution to automate the configuration management of all production and development EC2 instances, which are running Amazon Linux 2. The solution must be compatible with Chef, which is widely used in your organization, and there has already been a lot of investment in Chef training for your engineering team. Which of the following options would you suggest?

Question 31

Q

Which ELB feature captures detailed information relating to incoming requests to your Elastic Load Balancer, enabling you to analyze traffic patterns?

Answer

A

Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues

Question 32

Q

You are a SysOps Administrator supporting 100s of servers. Your manager asks you to run a command to check the network configuration on each server. Which of the following is the best approach to complete this task as quickly, easily, and securely as possible?

Answer

A

Use Systems Manager Run Command to query the network configuration on each instance simultaneously.

Question 33

Q

In a CloudFormation template, which section is used to define input values?

Answer

A

The Parameters section is used to define input values to pass to your template at runtime when you create or update a stack.

Question 34

Q

What function has the section Conditions from the CloudFormation template?

Answer

A

Conditions are used to “control whether certain resources are created or whether certain resource properties are assigned a value during stack creation or update. For example, you could conditionally create a resource that depends on whether the stack is for a production or test environment.

Question 35

Q

Which of the following CloudWatch metrics enables you to determine the time elapsed, in seconds, after the request leaves the load balancer until a response from the target is received?

Answer

A

TargetResponseTime is the time elapsed, in seconds, after the request leaves the load balancer until a response from the target is received.

Question 36

Q

Which aws service is compatible with Puppet and Chef, enables you to manage your application configuration, and models your application as a stack consisting of multiple layers (e.g., database, web server, application, load balancer, etc.)?

Answer

A

OpsWorks Stacks

Question 37

Q

Which Elastic Load Balancer CloudWatch metric would you use to determine the number of targets that are considered unhealthy?

Answer

A

UnHealthyHostCount

Question 38

Q

Which setup is required to the CloudWatch Agent in order to be able to monitor the specified metric?

Answer

A

Disk usage percentage of an Elastic Block Store volume.

This would require the installation of the CloudWatch Agent, which can collect the metric.

Question 39

Q

A fellow administrator had created a CloudTrail for your company’s AWS account. Your company now would like to store all CloudTrail logs indefinitely and your head of security has asked if there is a way to verify that the CloudTrail logs have not been modified or deleted. Which of the following could you do to help you determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it?

Answer

A

Enable log file integrity validation in CloudTrail

You can use CloudTrail log file integrity validation to determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it.

Question 40

Q

Which AWS service continuously monitors the configuration of your AWS resources for compliance with a desired state that you define?

Answer

A

AWS Config is a fully managed service that provides you with a resource inventory, configuration history, and configuration change notifications to assist with security and governance.

Question 41

Q

Which AWS service is designed to allow you to easily configure event-driven systems and define tasks that can be run on a predefined schedule?

Answer

A

EventBridge allows you to easily configure event-driven systems and define tasks that can be run on a predefined schedule. EventBridge uses the same underlying technology as CloudWatch Events.

Question 42

Q

A log event consists of an event message and a timestamp. A log stream is a sequence of log events from the same source. A log group is a group of log streams that share the same retention and access control settings. This statement belongs to which AWS Service?

Answer

A

Amazon CloudWatch

Question 43

Q

Which of the following is NOT sent to CloudWatch by all EC2 instances by default?
CPU utilization
Status check
Memory usage
Disk read operations

Answer

A

Memory usage metrics are operating system-level metrics and are NOT collected by default. Operating system-level metrics require the CloudWatch agent to be installed on your EC2 instance.

Question 44

Q

You would like to query and analyze application log data stored in CloudWatch Logs. Which of the following services can be used to do this?
CloudWatch Logs Insights
CloudWatch metric filter
CloudWatch agent

Answer

A

CloudWatch Logs Insights is designed to allow you to interactively query and analyze data stored in CloudWatch Logs.

Question 45

Q

Which of the following can be used to automatically detect warnings, errors, or HTTP status codes in your application log files?
CloudWatch Logs Insights
CloudWatch metric filter
CloudWatch agent

Answer

A

You can search and filter the log data coming into CloudWatch Logs by creating metric filters. Metric filters define the terms and patterns to look for in log data as it is sent to CloudWatch Logs. CloudWatch Logs then uses these metric filters to transform log data into numerical CloudWatch metrics that you can graph or set an alarm on.

Question 46

Q

Which of the following can be installed on your EC2 instances to enable you to collect internal system-level metrics and logs and send them to CloudWatch?
CloudWatch Logs Insights
CloudWatch metric filter
CloudWatch agent

Answer

A

The CloudWatch agent enables you to collect internal system-level metrics from EC2 and on-premises systems, as well as collect logs from Amazon EC2 instances and on-premises servers, running either Linux or Windows Server. Reference: Collecting Metrics and Logs from Amazon EC2 Instances and On-Premises Servers with the CloudWatch Agent

Question 47

Q

Which AWS service can be configured to respond to state changes generated by AWS Config by sending an SNS notification?

Answer

A

EventBridge is an event bus that receives an event, an indicator of a change in environment, and applies a rule to route the event to a target. For example, it can receive events from Config and route the events to SNS to send out notifications.

Question 48

Q

AWS Config integrates with which service to perform automatic remediation of non-compliant resources?

Answer

A

Systems Manager is the operations hub for AWS, allowing you to centralize operational data from multiple AWS services and automate tasks across your AWS resources. It is used by AWS Config to automate tasks that are triggered during a remediation action.

Question 49

Q

Which feature of CloudWatch allows you to create a cross-Regional, custom view of the metrics and alarms that are meaningful to you?

Answer

A

CloudWatch dashboards let you monitor your resources in a single view, even those resources that are spread across different Regions. You can use CloudWatch dashboards to create customized views of the metrics and alarms for your AWS resources.

Question 50

Q

You are supporting a simple Lambda function and would like to be automatically alerted every time there is an error with your function. How could you configure this?

Answer

A

You can search and filter the log data coming into CloudWatch Logs by creating metric filters. Metric filters define the terms and patterns to look for in log data as it is sent to CloudWatch Logs. CloudWatch Logs uses these metric filters to turn log data into numerical CloudWatch metrics that you can graph or set an alarm on.

Question 51

Q

Which AWS service provides a detailed audit trail of user activity in your AWS account, including who, when, what, where, source IP, request parameters, and response?

Answer

A

CloudTrail records user activity in your account and delivers log files to an S3 bucket.

Question 52

Q

Which AWS service provides a dashboard view of the service availability status of all AWS services per Region?

Answer

A

The AWS Health Dashboard publishes up-to-the-minute information on service availability for all AWS services on a per-Region basis.

Question 53

Q

You would like to monitor the Apache logs from several different EC2 instances so that you can be aware of any error messages that appear in the logs. Which component will give you this functionality?

Answer

A

The CloudWatch agent enables you to collect internal system-level metrics from EC2 and on-premises systems, as well as collect system and application logs from Amazon EC2 instances and on-premises servers.

Question 54

Q

By default, how many days of event history are stored in CloudTrail?

Answer

A

90 days.
CloudTrail will only show the results of the CloudTrail Event history for the current Region you are viewing for the last 90 days. To record the data for longer than 90 days, you will need to configure a CloudTrail trail.

Question 55

Q

You work in IT support, supporting a busy e-commerce website. You would like to be alerted if you are approaching the service limit/quota for any AWS services so that you can request an increase before the limit is reached. Which combination of AWS services can you use to configure automatic alerts and notifications to your team?

Answer

A

CloudWatch can be used to monitor your service quotas/limits, alert you in the dashboard, and notify you using Amazon Simple Notification Service (Amazon SNS) if the CloudWatch alarm is triggered.

Question 56

Q

You would like to view only the CPU utilization data for your production EC2 instances, and you want the metrics to be collected at 1-minute intervals and displayed in a single view. How should you configure this?

Answer

A

By default, EC2 instances are configured with basic monitoring enabled, which sends data to CloudWatch at 5-minute intervals. To collect data at 1-minute intervals, you will need to enable detailed monitoring.

Question 57

Q

Which of the following features of CloudWatch can be used to centralize operating system and application logs from your EC2 instances?

Answer

A

CloudWatch Logs enables you to centralize the logs from all of your systems, applications, and AWS services that you use, in a single, highly scalable service.

Question 58

Q

Which AWS service can receive events and respond by triggering a CloudWatch alarm to send you an SNS notification?

Answer

A

EventBridge receives an event, an indicator of a change in environment, and applies a rule to route the event to a target. It can receive events from CloudWatch and route the events to SNS to send out notifications. EventBridge was formerly known as CloudWatch Events.

Question 59

Q

Log events

Answer

A

Event message and timestamp

Question 60

Q

Log stream

Answer

A

Sequence of log events, e.g. an Apache log from a specific host.
Must belong to log group.

Question 61

Q

Log group

Answer

A

Group log streams together, centrally manage retention, monitoring and access control settings.
No limit on the number of log streams in a log group.

Question 62

Q

Filter for specific phrases in your logs, e.g. warnings, errors, or HTTP status codes.

Answer

A

Metric filters

Question 63

Q

Use Case

Answer

A

Receive CloudWatch alerts for specific errors, warnings, or messages in your log files.

Question 64

Q

This can include EC2 CPU utilization, Elastic Load Balancer latency, or even the changes on your AWS bill.

Answer 62

A

Thresholds

Answer 63

A

AWS Health

Answer 64

A

Eventbridge

Answer 65

A

AWS Cloudtrail

Answer 66

A

Config rule

Answer 67

A

Managed rules

Answer 68

A

AWS Config

Answer 69

A

Configuration Monitoring

Answer 70

A

Dashboard

Answer 71

A

Conformance packs

Answer 72

A

Automatic Remediation

Answer 73

A

Eventbridge

Answer 74

A

AWS Health

Answer 75

A

CloudWatch Logs Insights

Answer 76

A

EventBridge

Answer 77

A

Amazon S3 Objects size

Answer 78

A

S3 buckets: Universal Namespace

Answer 79

A

Amazon S3: Uploading files

Answer 80

A

S3 Version ID

Answer 81

A

S3 Metadata

Answer 82

A

Secure your data with Server-side encryption

Answer 83

A

Secure your data with Access Control Lists (ACLs)

Answer 84

A

Secure your data with Bucket Policies

Answer 85

A

GetObject
GetObjectVersion

Answer 86

A

S3 Versioning

Answer 87

A

S3: MFA Delete

Answer 88

A

ENCRYPTION IN TRANSIT

Answer 89

A

ENCRYPTION AT REST: Server-side Encryption

Answer 90

A

ENCRYPTION AT REST: Client-side Encryption

Answer 91

A

Amazon EFS

Answer 92

A

Provisioned Throughput

Answer 93

A

Metered Throughput

Answer 94

A

Mount target

Answer 95

A

Advanced EFS

Answer 96

A

Amazon Athena

Answer 97

A

ElasticSearch

Answer 98

A

Amazon OpenSearch Service

Answer 99

A

Amazon OpenSearch Service

Answer 100

A

3 Dedicated Master Nodes

Answer 101

A

Data Nodes Deployed in Multiple of 3

Answer 102

A

Deploy Across 3 AZs

Answer 103

A

S3 Inventory

Answer 104

A

S3 Inventory

Answer 105

A

An on-premises appliance installed in your own data center, allowing you to integrate your on-premises IT environment with AWS-based storage.

Answer 106

A

Volume Gateway - Stored Mode

Answer 107

A

Tape Gateway

Answer 108

A

File Gateway

Answer 109

A

FSx Gateway

Answer 110

A

Volume Gateway - Cached Mode

Answer 111

A

AWS backup

Answer 112

A

Allows you to store multiple versions of the same object.

Answer 113

A

Amazon S3

Answer 114

A

Is a URL with temporary access to S3 objects that are private.
Anyone with the pre-signed URL will be able to access the object.
It can only be created using the AWS CLI or SDK.
By defualt, expires after 1 hour, but it’s configurable (–expires-in 300).

Answer 115

A

You can use Access Control Lists (ACLs) and Bucket policies to selectively grant permissions to users and groups of users. ACLs allow you to manage access to buckets and objects. Bucket policies are used to grant other AWS accounts or IAM users access permissions for the bucket and the objects in it.

Answer 116

A

Configure MFA delete.
With MFA (multi-factor authentication) delete enabled, a valid code from your MFA device is required to permanently delete an S3 object. This helps to protect against accidental or malicious deletion of data stored in S3.

Answer 117

A

A delete marker is applied, instead of permanently deleting the object.
S3 inserts a delete marker in the bucket, and that marker becomes the current version of the object with a new version ID.

Answer 118

A

3 dedicated master nodes and 3 data nodes distributed across 3 Availability Zones.

Answer 119

A

Bucket policy

Answer 120

A

S3 Inventory can produce reports in CSV, Apache Parquet, and Apache ORC formats.

Answer 121

A

It’s Option A. Explanation: If you create a domain with a public endpoint, you can’t later place it within a VPC. Therefore, you will need to create a new Amazon Elasticsearch domain in a private VPC. Migrate the data from the original cluster and delete the original cluster.

Answer 122

A

With MFA delete, a valid code from your MFA device is required in order to permanently delete an object in S3. This provides an additional layer of security against accidental deletions.

Answer 123

A

It’s Option B. It is recommended that you access an EFS file system using a mount target within the same Availability Zone for performance and cost reasons. Therefore, you should create a mount target for each of the Availability Zones where your application servers are located.

Answer 124

A

S3 inventory is used to generate a flat file that consists of an inventory of all the objects stored in your bucket, including object metadata like object size, last modified, multipart upload, replication status, and encryption status.

Answer 125

A

Athena is a query service that supports standard SQL (Structured Query Language). It is very easy to use. Simply point Athena to the data you want to query in S3, define a table schema, and query your data using standard SQL.

Answer 126

A

S3 URLs use the following format: In this S3 URL: the bucket name is fayecloudguru and the object name, or key-name, is Ralphie.jpg.

Answer 127

A

AWS Config provides managed rules which can be enabled to monitor the configuration of your S3 buckets and check that public read and write access is prohibited.

Answer 128

A

If you want to enable static web hosting, you will need to enable static web hosting in your bucket properties, enable public read access in the bucket permissions, and update the object ACL to grant public read access for the objects in your bucket.

Answer 129

A

You can use S3 to host a static website, including static content and client-side scripts.

Answer 130

A

You can use S3 lifecycle rules to manage your objects so that they are stored cost effectively throughout their lifecycle. An S3 Lifecycle configuration is a set of rules that define actions that Amazon S3 applies to a group of objects based on the object creation date.

Answer 131

A

It is possible to perform on-demand backups with AWS Backup.

It is possible to perform daily backups with AWS Backup.

It is possible to perform monthly backups with AWS Backup.

Answer 132

A

AWS Backup stores backups in an AWS hosted vault.

Answer 133

A

Metadata is a set of name-value pairs with which you can store information regarding the object. You can assign metadata, for example, Content-Type, when you upload the object.

Answer 134

A

Option A. To configure a scheduled backup, you must create a backup plan and then assign the resource you want to back up. The backups will appear in the backup vault..

Answer 135

A

S3 versioning

Answer 136

A

Configure the EFS file system to use Provisioned Throughput.
As a rule of thumb, if you need more throughput than you are getting with the default Bursting Throughput, then switch to Provisioned Throughput.

Answer 137

A

SSL/TLS is supported by S3. It is encryption in transit — it is not encryption at rest. Therefore, this is the correct answer.

Answer 138

A

Provisioned Throughput

Answer 139

A

Amazon S3 Glacier Flexible Retrieval is the ideal storage class for data that needs to be accessed a few times a month and retrieved within a few hours or minutes. This storage class offers a secure, durable, and low-cost solution for data archiving and long-term backup, with flexible retrieval options to balance speed and cost effectively. It’s designed for data that doesn’t require immediate access but needs the flexibility to retrieve large sets of data at no cost, supporting retrieval in minutes or free bulk retrievals in 5-12 hours.

Answer 140

A

Configure MFA delete and enable S3 versioning.

Answer 141

A

For production workloads, it is best practice to use 3 dedicated master nodes. Reference

Answer 142

A

Amazon OpenSearch Service (previously called Amazon Elasticsearch Service) is a fully managed service that enables interactive log analytics, real-time application monitoring, website search, and more.

Answer 143

A

With Server-Side Encryption with Customer-Provided Keys (SSE-C), you manage the encryption keys yourself and S3 manages the encryption process.

Answer 144

A

S3 is object-based storage. You can store virtually any kind of data in any format, as long as it can be managed as an object. This includes HTML files and JPEG files.

Answer 145

A

Configure a bucket policy to restrict access to only the specific IP address range used by the Finance Team.

Answer 146

A

“With S3 versioning enabled, a valid code from your registered MFA device is required in order to permanently delete an S3 object.”
With S3 versioning enabled, it is possible to permanently delete an S3 object by specifying the object version ID in the DELETE request. Therefore, this statement is not correct.

Answer 147

A

Amazon OpenSearch Service helps perform such things as: interactive log analytics, real-time application monitoring, website search. OpenSearch is an open source, distributed search and analytics suite derived from Elasticsearch. Amazon OpenSearch support for 19 versions of Elasticsearch and visualizations via OpenSearch Dashboards and many Kibana versions.

Answer 148

A

You can use Access Control Lists (ACLs) to selectively grant permissions to users and groups of users.

Answer 149

A

S3 Glacier Deep Archive is designed for long-term retention of data that may be accessed once or twice in a year. “It is designed for customers — particularly those in highly-regulated industries, such as the Financial Services, Healthcare, and Public Sectors — that retain data sets for 7-10 years or longer to meet regulatory compliance requirements.” Retrieval time is within 12 hours, and Glacier Deep Archive is the most cost effective option.

Answer 150

A

Pre-signed URL

Answer 151

A

You can only configure the public endpoint, or configure the domain in a VPC, when you first create an Amazon Elasticsearch domain. You cannot change these network configuration settings later.

Answer 152

A

User-Defined CATs

Answer 153

A

AWS-Generated CATs

Answer 154

A

Cost Explorer

Answer 155

A

Reporting: Cost and Usage

Answer 156

A

Reporting: Saving Plans

Answer 157

A

Reporting: Reservations

Answer 158

A

Saving Plans

Answer 159

A

Reservation

Answer 160

A

Usage Type Groups

Answer 161

A

Measures unused and under-utilized saving plans.

Answer 162

A

Measures how much instance usage is covered by saving plans.

Answer 163

A

AWS Budgets

Answer 164

A

Managed Services

Answer 165

A

AWS Compute Optimizer

Answer 166

A

CloudWatch Metrics

Answer 167

A

Metrics Explorer

Answer 168

A

Metrics Streams

Answer 169

A

S3 Transfer Acceleration

Answer 170

A

CloudFront - Edge Location - Distinct URL

Answer 171

A

CloudFront

Answer 172

A

Edge Location

Answer 173

A

Distinct URL

Answer 174

A

Recommended for files over 100 mb
Ideal for moving data objects can be cumbersome and expensive.
Increase performance when uploading files to S3

Answer 175

A

Prepare the data
Move the pieces
S3 Puts it together

Answer 176

A

Across multiple services it recommends about:
- Security
- Performance
- Service Limits
- Fault Tolerance
- Cost Optimization

Answer 177

A

Placement Groups

Answer 178

A

Partition

Answer 179

A

RDS Proxy

Answer 180

A

Increase Application Availability

Answer 181

A

File Storage (Amazon S3, Amazon EFS)
lock Level Storage (Ec2 Instance Store, Amazon EBS)

Answer 182

A

EC2 Instance Store

Answer 183

A

Cost Explorer would be the ideal service to visualize, view, and analyze your AWS usage costs. AWS Budget allows us to fiscally and proactively track our usage costs.

Answer 184

A

Purchase Reserved Instances for the minimum amount of instances and then use On-Demand Instances for instances launched by Auto Scaling beyond the minimum requirement.
This is the best option to both meet the requirements (elasticity and no downtime) and lower costs over time.

Answer 185

A

Migrate the media to AWS S3 and configure CloudFront to use S3 as the origin.
S3 is a very economical storage system and has several features, such as lifecycle configuration, that can be leveraged to take advantage of cost savings. This is the best option for cost and for user experience.

Answer 186

A

AWS Cost and Usage Reports publishes billing reports to an S3 bucket. You automatically receive reports that break down your costs for each unique combination of AWS products, usage type, and operation in your AWS account.

Answer 187

A

Disassociating any Elastic IP that is not needed by your EC2 instances.
Disassociating unused Elastic IPs alone does not provide cost savings. The unused Elastic IP should be deleted if it is not going to be used in the future.

Answer 188

A

Apply user-defined tags to the instances through Tag Editor. Activate these tags for cost allocation.

Answer 189

A

Use AWS Compute Optimizer to analyze the configuration and resource utilization of your workload.
Compute Optimizer analyzes the configuration and resource utilization of your workload to identify defining characteristics. For example, if a workload is CPU or network bandwidth-intensive, if it exhibits a daily pattern, or if a workload accesses local storage frequently.

Answer 190

A

Amazon S3 Standard-IA (infrequent access) is appropriate in this case. Real-time access is available, at a low cost, and the class maintains the full S3 resilience.

Answer 191

A

EBS volumes have a per-GB month charge. EBS volumes remain even while the instances are stopped.
Stopped instances incur no costs. Only running instances do.

Answer 192

A

Reserved Instances (RIs) provide you with a significant discount (up to 75%) compared to On-Demand Instance pricing. You have the flexibility to change families, OS types, and tenancies while benefiting from Reserved Instance pricing when you use Convertible Reserved Instances. To maintain a fleet of Spot Instances, you would need to be bidding fairly high, so it is likely the RIs will give you a better price point. But you would need to check.

Answer 193

A

AWS Cost Explorer provides rightsizing recommendations.

Answer 194

A

AWS Compute Optimizer uses machine learning to analyze historical utilization metrics and provides recommendations aligning with right sizing best practices.

Answer 195

A

DynamoDB has no dedicated infrastructure footprint, and its cost is based on usage, performance, and storage. Since the data doesn’t require a structured format, this is a viable solution.

Answer 196

A

Enable encryption of data at rest when creating an Amazon EFS file system. Attach a file system policy with a condition granting permissions to only clients using the TLS encryption protocol.

Amazon EFS supports two forms of encryption for file systems: encryption of data in transit and encryption at rest. You can enable encryption of data at rest when creating an Amazon EFS file system. You can enable encryption of data in transit when you mount the file system. Using file system policies to require encryption in flight along with the tls flag in the efs-mount-helper are an incredibly easy option to require encryption in flight.

Answer 197

A

FALSE. Lifecycle policies can’t work backwards. You can use a lifecycle policy to migrate objects from the more frequently accessed storage classes to the longer-term options, but not the other way around.

Answer 198

A

Convert your existing Single-AZ DB instance to a Multi-AZ deployment. This way, when the backups are taken, they will be taken from the secondary, not the primary.

Multi-AZ deployment eliminates the performance degradation associated with backups as the backup is taken from the Multi-AZ Standby instance.

Answer 199

A

Increase the size of your Aurora instances.
Adding a read replica or configuring Multi-AZ will not help because the workload is write-heavy rather than read-heavy. Increasing the size of application servers will not help as the bottleneck is with the database. Increasing the size of the Aurora servers is the best option because it will increase the write capacity of the database.

Answer 200

A

S3 cross-region replication is a great way to lower latency by moving objects closer to the requestor, along with leveraging services like CloudFront.

Answer 201

A

By adding or removing EC2 instances from your EC2 fleet based on conditions you specify.

These can include such things as at a specific time, or depending on how busy your application is. Auto Scaling cannot change the size of existing instances, nor can it add or change storage on an instance.

Answer 202

A

Launch templates are the best way to define what your instances will look like.

Answer 203

A

SurgeQueueLength and SpilloverCount.
The Classic Load Balancer metric SurgeQueueLength measures the total number of requests queued by your Classic Load Balancer. An increased maximum statistic for SurgeQueueLength indicates that backend systems aren’t able to process incoming requests as fast as the requests are received. When requests exceed the maximum SurgeQueueLength, the SpilloverCount metric starts to measure rejected requests.

Answer 204

A

It’s not possible since versioning was suspended. The object is gone.
If versioning is suspended for a bucket, a DELETE request only removes an object whose version ID is null and inserts a delete marker into the bucket. Remember that a delete marker doesn’t have content, so you lose the content of the null version when a delete marker replaces it.

Answer 205

A

You have hit the default limit for the number of times you can use the key pair.

There is no limit for key pair use. All objects associated with the launch template must exist for EC2 Auto Scaling to successfully launch a new EC2 instance. The requested instance type must also be supported in your Availability Zone.

Answer 206

A

memcached_connections_overhead
Increasing the value of the memcached_connections_overhead parameter will reduce the amount of memory available for storing items and provide a larger buffer for connection overhead, according to the AWS Elasticache documentation.

Answer 207

A

Update the EBS volume where the MySQL database is running to change its volume type from gp2 to io1. The changes will take place behind the scenes, and requires no further intervention from an administrator.

Since 2017, AWS customers have been able to modify the type of EBS volume without needing to snapshot the volume. This allows you to transition between volume types, such as gp2 and io1, transparently to the underlying operating system on the EC2 instance. Prior to this, the correct procedure would have been to arrange downtime, and manually snapshot and restore the volume in the correct volume type.

Answer 208

A

Define multiple AZs in your Auto Scaling group.

Answer 209

A

UnHealthyHostCount is a valid metric. This metric reports how many targets are in an unhealthy state.

Answer 210

A

Failover is handled by AWS, and the failover mechanism automatically changes the DNS record of the DB instance to point to the standby DB instance.
When RDS undergoes a failover, the managed services do an update to the associated Route 53 record to ensure the RDS DNS endpoint points to the new primary host after the failover. The old host becomes a standby while the issue is addressed, and if it’s not easily fixable, the standby instance is replaced.

Answer 211

A

True. Elastic IP addresses provide a static IPv4 address. We can mask the failure of instances as the EIP is rapidly remapped to the new healthy host.

Answer 212

A

Create an Auto Scaling policy to add Aurora replicas. The policy should use a target tracking metric based on the average number of connections to your replicas.

Aurora Auto Scaling allows your Aurora DB cluster to handle a sudden increase in read workload by adding Aurora replicas. A target metric of average number of connections to your Aurora replicas can be used as the metric to base scaling decisions on.

Answer 213

A

NO. Read replicas are designed to provide enhanced performance and durability for RDS database (DB) instances. Redundancy (high availability) is achieved with Multi-AZ deployments.

But, in Aurora read replicas are used as failover targets and are automatically promoted when the primary instance in a cluster fails health checks.

Answer 214

A

S3 Standard-IA

Answer 215

A

Configure Aurora Auto Scaling.
Manually adding a read replica will improve read performance. However, this will not ensure that Aurora scales elastically. To scale elastically would require the read replica to be terminated when it is no longer required. This answer does not consider removing the replica when it is no longer needed.

Answer 216

A

Scale out your cluster by adding more nodes.
Scaling a Memcached cluster out and in is as easy as adding or removing nodes from the cluster. The Memcached engine supports partitioning your data across multiple nodes. Because of this, Memcached clusters scale horizontally easily. A Memcached cluster can have from 1 to 40 nodes. To horizontally scale your Memcached cluster, merely add or remove nodes.

Answer 217

A

AWS CloudFormation natively supports the Systems Manager Parameter Store. This means you can directly use parameters stored in the Parameter Store in your CloudFormation templates.

Answer 218

A

AWS Shield protects against DDOS and several other types of attacks.

Answer 219

A

Create an IAM role with CloudWatch permissions and a new launch configuration to associate the role with EC2 instances. Update your Auto Scaling group with the launch configuration.
Applications that run on Amazon EC2 instances need credentials to access other Amazon Web Services. To provide these credentials in a secure way, use an IAM role. The role supplies temporary permissions that the application can use when it accesses other AWS resources. The role’s permissions determine what the application is allowed to do. For instances in an Auto Scaling group, you must create a launch template or launch configuration and choose an instance profile to associate with the instances.

Answer 220

A

ElastiCache for Memcached.
Memcached is an in-memory datastore, so there is no data-at-rest to encrypt.

Answer 221

A

Amazon RDS.
Amazon RDS is a managed relational database service, and while it supports secrets manager, it does not have native support for Parameter Store:

Answer 222

A

Dedicated instances create resources on hardware that is dedicated to a single customer, and Dedicated instances that belong to different AWS accounts are isolated at the hardware-level. They are single-tenancy.

Answer 223

A

CloudFormation, Lambda, and EC2 all natively support the Systems Manager Parameter Store. RDS doesn’t have native support for Parameter Store but you can utilize Lambda in association with RDS to fulfill your requirements. Indeed you could utilize Lambda in addition with any service that doesn’t natively support Parameter Store.

Answer 224

A

AWS CloudTrail is the best practice for this scenario, as it provides visibility into API calls, providing streamlined access to an account-level event history.

Answer 225

A

Active Directory Federation, Cross-Account Access, and Federation with Web Identity Providers.
STS uses Active Directory Federation (via the AssumeRoleWithSAML action), Cross-Account Access (via the AssumeRole action), and Federation with Web Identity Providers (via the AssumeRoleWithWebIdentity action) to grant temporary access to AWS resources for authenticated users.

Answer 226

A

Systems Manager Run Command is a service used to manage the configuration of your managed instances and can run commands on a group of systems based on tags

Answer 227

A

AWS Security Token Service (AWS STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).

Answer 228

A

You can enforce the use of MFA using Trusted Advisor.
Trusted Advisor is a service used to provide recommendations using a series of evaluations, providing insight into possible performance, cost, or security improvements for your environments. It does not enforce the use of MFA

Answer 229

A

AWS Config can be used to establish baselines and enforce a set of rules against your infrastructure for continuous monitoring, assessment, and change management.

Answer 230

A

Cross-Origin Resource Sharing.
AWS Security Token Service doesn’t have any specific action for cross-origin resource sharing. Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain.

Answer 231

A

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

Answer 232

A

“403 - Access Denied” is a client-side error. Objects must exist and be publicly accessible. Reference: I’m using an S3 website endpoint as the origin of my CloudFront distribution. Why am I getting 403 Access Denied errors?

Answer 233

A

You use an A record to route traffic to a resource, such as a web server, using an IPv4 address.

Answer 234

A

The objects will be stored in the cache for longer, potentially increasing the cache hit ratio.
By increasing the TTL for objects in the cache, the objects will remain in the cache for longer. This can increase your cache hit ratio because objects are more likely to be served from the cache instead of needing to be requested from the origin.

Answer 235

A

A Site-to-Site VPN requires a virtual private gateway, which is the VPN concentrator on the AWS side of the connection, and a customer gateway device, which is a physical device or software application on your side of the connection.

Answer 236

A

There is only one possible option on the above list that could assist you in resolving any VPC-based routing issues and that is to enable VPC Flow Logs. You can create a flow log for a VPC, a subnet, or a network interface.

Answer 237

A

Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. R

Answer 238

A

Direct Connect is used to provide a private connection between AWS and your data center, office, or colocation environment. A site-to-site VPN can be used to enable instances launched in your VPC to securely connect with your own remote network. Both of these methods can be used to connect systems in your own data center to EC2 instances that only have private IP addresses. Reference Documentation: What is AWS Site-to-Site VPN?

Answer 239

A

You can use an origin request policy to configure CloudFront to include cookies and HTTP request headers in origin requests

Answer 240

A

A Route 53 alias record allows you to map one DNS name (example.com) to another ‘target’ DNS name (https://d111111abcdef8.cloudfront.net/).

Answer 241

A

Latency-based routing allows you to improve performance for your users by serving their requests from the AWS Region that provides the lowest latency.

Answer 242

A

Direct Connect is designed to provide a stable, reliable, consistent and secure connection between AWS and your data center, office, or colocation environment.

Answer 243

A

Amazon Route 53 provides highly available and scalable Domain Name System (DNS), domain name registration, and health-checking web services.

Answer 244

A

Resolving DNS queries for resources in your VPC..
Route 53 Resolver is a regional DNS service that provides recursive DNS lookups for names hosted in EC2. This includes resolving DNS queries for resources in your VPC.

Answer 245

A

You can configure CloudFront to create log files that contain detailed information about every user request that CloudFront receives. These are called standard logs, also known as access logs.

Answer 246

A

Use Route53 with a geolocation routing policy..
Geolocation routing policies route based on the physical location of a user, whereas latency-based routing selects the AWS Region with the lowest latency.

Answer 247

A

Forwarding only the necessary HTTP request headers and cookies to the CloudFront origin, and increasing the TTL of cached objects.
To optimize the cache hit ratio, it is best to only forward necessary HTTP headers and cookies to avoid filling up the cache unnecessarily. Additionally, increasing the TTL for objects in the cache can increase the cache hit ratio as objects will be cached for a longer period of time.

Answer 248

A

A VPC endpoint provides a private connection between your VPC and supported AWS services. The network connection uses AWS PrivateLink to reach services like S3 instead of using the public internet.

Answer 249

A

It is correct to say that Network ACLs are stateless, which means that return traffic must be explicitly allowed by the rules.

Answer 250

A

Direct Connect is used to provide a private connection between AWS and your data center, office, or colocation environment.

Answer 251

A

Failover routing allows you to configure active-passive failover by enabling you to route traffic to a primary resource when the resource is healthy and to a secondary resource when the primary is unhealthy.

Answer 252

A

A virtual private gateway is the VPN concentrator on the AWS side of the Site-to-Site VPN connection. It is an essential component for setting up a Site-to-Site VPN.

Answer 253

A

Systems Manager Session Manager is designed to provide a browser-based interactive session for Windows and Linux hosts. No SSH, RDP, bastion hosts, or SSH keys are required. Sessions are secured using TLS encryption.

Answer 254

A

Session Manager enables you to run an interactive session on your EC2 instances, using Bash, PowerShell, the AWS CLI, or SDK. Session Manager provides support for Windows, Linux, and macOS from a single tool.

Answer 255

A

An edge location is a location where CloudFront content is cached. Objects are cached for a period of time known as the time-to-live (TTL). The origin contains the files that the CloudFront distribution will serve..
It is correct to say that an edge location is the location where CloudFront content is cached. Objects are cached for a period of time known as the time-to-live. The origin contains the files that the CloudFront distribution will serve.

Answer 256

A

You can improve performance by increasing the proportion of your viewer requests that are served directly from the CloudFront cache, instead of going to your origin servers for content. This is known as improving the cache hit ratio. You can increase the cache hit ratio by increasing the TTL (time-to-live) for objects in your cache.

Answer 257

A

Network ACLs are stateless, which means that return traffic must be explicitly allowed by the rules. On the other hand, security groups are stateful, which means that return traffic is automatically allowed, regardless of any rules.

Answer 258

A

The Route 53 Resolver serves as a regional DNS service within AWS, capable of handling DNS queries for resources within your Virtual Private Cloud (VPC). It efficiently resolves these internal queries, maintaining optimal network performance and reliability. For external resources, it performs recursive DNS lookups. The DNS resolvers used for these external lookups can vary based on your VPC’s configuration and may include the Amazon Provided DNS, custom DNS resolvers, on-premises DNS resolvers for hybrid cloud scenarios, or public name servers available on the internet. This flexibility allows the Route 53 Resolver to manage DNS queries, irrespective of whether the resources are located within your VPC or externally.

Answer 259

A

Configure CloudFront to forward only the relevant cookies and headers to the CloudFront origin.
When forwarding headers or cookies, it is best to only forward those that are necessary. This avoids filling up the cache unnecessarily and helps optimize our cache hit ratio. If we forward all cookies and headers indiscriminately, CloudFront can end up caching multiple versions of identical content to cater to all the different header and cookie combinations.

Answer 260

A

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private addresses. Instances in either VPC can communicate with each other as if they are within the same network.

Answer 261

A

The Origin Access Control (OAC) is a special user in Amazon CloudFront that can access files in an Amazon S3 bucket and serve them to users. It is used to restrict access to objects in the bucket so that users must use the CloudFront URL instead of a direct S3 URL. This is achieved by setting up a CloudFront distribution with an S3 bucket origin and configuring the OAC settings. This enables the S3 bucket to only exchange data with CloudFront, ensuring that all access to the content is managed and controlled through CloudFront. This is particularly useful for distributing content securely and globally.

Answer 262

A

You should use a Network ACL for this, because it operates at a subnet level and supports both allow and deny rules

Answer 263

A

Alias records allow you to route queries from one domain name to another. You can also create an alias record for a zone apex, like acloud.guru.

Answer 264

A

If CloudFront requests an object from your origin, and the origin returns an HTTP 4xx status code, there’s a problem with communication between CloudFront and your origin. A 4xx status code indicates the problem is client-side, rather than server-side. “404” means the client requested an object that could not be found, which is a client-side error. Reference Documentation: Troubleshooting Error Responses from Your Origin

Answer 265

A

With mutivalue answer routing, Route 53 will respond with up to 8 healthy records selected at random.

Answer 266

A

Geolocation routing lets you choose the resources that serve your traffic based on the geographic location of your users, meaning from the location that the DNS queries originate. For example, you might want all queries from Europe to be routed to an ELB load balancer in the Frankfurt region.

Answer 267

A

A VPC endpoint enables private connections between your VPC and supported AWS services and VPC endpoint services powered by AWSPrivateLink. AWSPrivateLink is a technology that enables you to privately access services by using private IP addresses. Traffic between your VPC and the other service does not leave the Amazon network.

Answer 268

A

Forwarding all HTTP request headers to the CloudFront origin.
Cache hit ratio is the proportion of requests that are served directly from the CloudFront cache. If we forward all HTTP headers, CloudFront can end up caching multiple versions of identical content to cater to all the different header combinations. This fills up the cache and also causes multiple requests to the origin, rather than serving content from the cache. This will ultimately reduce the cache hit ratio.

Answer 269

A

Geoproximity routing enables you to route traffic to your resources based on the distance between your users and your resources. Route 53 calculates which resource is closer to the source of the query and routes requests accordingly.

Brainscape's Knowledge GenomeTM

SysOps Administrator Flashcards

Brainscape's Knowledge Genome^TM