TD Exam 1

Question 1

What are the four reasons to use CLoudHsm

Answer 1

• Have keys that are explicitly required to be protected in single-tenant HSM
• Keys that need to be stored in an HSM that is compliant with FIPS 140-2 Level 3
• Need ability to immediately remove key material from aws KMW and prove you have done so by independent means
• Requirement to be able to audit all use of keys independently of KMS and CloudTrail

Question 2

What should you use if you need to comply to FIPS 140-2 Level3?

Answer 2

Use CloudHSM

Question 3

What should you use if you need the ability to remove immediately key material from KMS

Answer 3

CloudHSM

Question 4

What should you use if you need to be able to audit key usage independently from KMS and CloudTrail

Answer 4

CloudHSM

Question 5

What should you do if you have an Amazon Aurora db for which the read replica struggles to keep up with increasing read traffic

Answer 5

Use Aurora Auto Scaling

Question 6

What is the difference between Canary deployment and Blue/Green?

Answer 6

Canary starts with a small subset of nodes/servers while Blue/Green is half/half of env

Question 7

Which is more complex with API Gateway: Canary deployment or Blue/Green

Answer 7

Blue/Green is more complex since you need to configure a new Environment. Canary is very simple to do with API Gateway

Question 8

What are some services with which AWS WAF is tightly integrated?

Answer 8

Cloudfront, ALB, API Gateway, AWS AppSync

Question 9

Where do AWS WAF rules run if you configured them for CloudFront

Answer 9

Edge location

Question 10

What should you do if you have a large number of illegitimate requests from constantly changing IPs

Answer 10

Rate-based rule in AWS WAF

Question 11

What should you use if you need a POSIX-compliant filesystem

Answer 11

EFS

Question 12

Why would using many instances acccessing EBS be slow

Answer 12

Does not allow parallel access (or do up to provisioned capacity for aggregate)

Question 13

What is a limitation of attaching an EBS volume to multiple EC2 instances

Answer 13

They have to be in the same AZ

Question 14

What is best for file storage: EFS or S3

Answer 14

EFS, S3 is object storage

Question 15

What are advantages of EFS

Answer 15

POSIX-Compliant
HA
Scalable

Question 16

What should be a first choice when Schema Change is mentioned

Answer 16

DynamoDB

Question 17

What is Amazon Redshift used for mostly

Answer 17

Online Analytical Processing (OLAP)

Question 18

What is Amazon Redshift

Answer 18

A Cloud-based data warehouse service

Question 19

What should you do to prevent accidental deletion of S3 objects

Answer 19

Enable versioning\Enable MFA Delete

Question 20

When is Web Identity Federation used

Answer 20

To let users sign in using a well-known external idp

Question 21

What can be used to allow devs to log into AWS with onprem AD

Answer 21

SAML 2.0 Federation by using Microsoft AD Federation Service

Question 22

What is the default termination policy algorithm for an auto-scaling group

Answer 22

1) Pick AZ with most instances and at least one instance not protected from scaling. If multiple, pick the one with instances that use the oldest template
2) Pick unprotected instance with the oldest launch template
3) If many based on above criteria, pick the one closest to the next billing hour
4) If many based on above criteria, pick one at random

Question 23

How can you protect Lambda/API Gateway based system from traffic surges

Answer 23

Enable throttling limits and result caching in API Gateway

Question 24

What are the 2 levels you can set API Gateway throttling

Answer 24

Global and by service call

Question 25

What are the 2 types of throttling you can set for API Gateway

Answer 25

Standard rates and burst

Question 26

What is the response given by API Gateway if you go over the throttling limit

Answer 26

429

Question 27

Can you set a cache for API Gateway

Answer 27

Yes

Question 28

Which AWS DB service can fulfill a requirement of Recovery Point Objective of 1 second and a Recovery Time Objective of less than 1 minute in case of multi-region failure?

Answer 28

Aurora Global Databse

Question 29

What is Recovery Point Objective

Answer 29

Maximum of data (in terms of time) loss that is acceptable in case of failure (so time since last backup)

Question 30

What is Recovery Time Objective

Answer 30

The amount of time the system can be down

Question 31

What is Amazon Aurora Global Database

Answer 31

It allows a single Aurora DB to span multiple AWS regions

Question 32

What are some advantages of Aurora Global Database

Answer 32

• It replicates data with no impact of performance
• It enables fast local reads with low latency in each region
• It provides disaster recovery from region-wide outages

Question 33

What is the latency of the storage-based replication in Aurora Global Database?

Answer 33

Less than one second

Question 34

How long does it take to promote a read replica to read/write in Amazon Aurora Global Database?

Answer 34

Less than one minute

Question 35

What is Amazon Quantum Ledger Database

Answer 35

A ledger database (not relational), fully-managed, transparent, immutable and cryptographically verifiable.

Question 36

What is a difference between Multi-AZ RDS database with cross-region read replicas and Aurora Global Database

Answer 36

Multi-AZ is only applicable inside a single region
Also, no RPO of 1s and RTO of 1 min
Also cross-region RDS replication is less fast than Aurora

Question 37

What is Amazon Timestream

Answer 37

A Serverless time series database service

Question 38

What should you do to migrate Microsoft SharePoint server to have something HA and that can be integrated with AD for acess control and auth

Answer 38

Create file system using Amazon FSx for Windows File Server and join it to an AD domain in AWS

Question 39

What protocol is used to access files from Amazon FSx for Windows File Server

Answer 39

Service Message Block (SMB)

Question 40

What OS instances can access Amazon FSx

Answer 40

Windows, Linux and MaxOS

Question 41

Can multiple devices access FSx concurrently

Answer 41

Yes, thousands

Question 42

What are some characteristics of Amazon FSx Windows File Server

Answer 42

Fully managed
Highly reliable
Scalable

Question 43

How can you change the config of AD for a FSx file system

Answer 43

You can’t, you have to create a new file system from a backup and change the AD config there.

Question 44

What OS is supported by EFS

Answer 44

Linux only , not windows

Question 45

What is NFS (Network File System) mostly used with

Answer 45

Linux systems

Question 46

How do you secure an ElastiCache cluster with Redis to require other devs to enter a password before being able to enter Redis commands

Answer 46

Authenticate the users using Redis AUTH by creating a new Redis Cluster with both the –transit-encryption-enabled and –auth-token parameters enabled

Question 47

How do you do synchronous data replication for RDS

Answer 47

RDS DB instance running as a Multi-AZ deployment

Question 48

What is the difference between RDS Multi-AZ Deployment and Read Replicas in terms of replication

Answer 48

Multi-AZ: Synchronous - highly durable
Read Replica: Asynchronous replication - highly scalable

Question 49

What is the difference between RDS Multi-AZ Deployment and Read Replicas in terms of which instance can be accessed

Answer 49

Multi-AZ: Only db engine on primary instance is active
Read Replica: All read replicas are accessible and can be used for read scaling

Question 50

What is the difference between RDS Multi-AZ Deployment and Read Replicas in terms of backups

Answer 50

Multi-AZ: Automated backups are taken from standby
Read Replica: No backups configured by default

Question 51

What is the difference between RDS Multi-AZ Deployment and Read Replicas in terms of AZ

Answer 51

Multi-AZ: Always spans 2 AZs within a single region
Read Replica: Can be within an AZ, cross-AZ or cross-region

Question 52

What is the difference between RDS Multi-AZ Deployment and Read Replicas in terms of db upgrades

Answer 52

Multi-AZ: Db engine version upgrade happens on primary
Read Replica: Db engine version upgrade is independent from source instance

Question 53

What is the difference between RDS Multi-AZ Deployment and Read Replicas in terms of failover

Answer 53

Multi-AZ: Automatic failover to standby when a problem is detectedy
Read Replica: Can be manually promoted to a standalone database instance

Question 54

What is a NAT Gateway

Answer 54

HA, managed NAT service

Question 55

What is a NAT Gateway used for

Answer 55

Is is created in a public subnet to enable instances in a private subnet to connect to the internet, but prevent the internet from initiating connections to them

Question 56

What does Elastic Beanstalk provide

Answer 56

You upload it and then it automatically handles capacity provisioning, load balancing, scaling and application health monitoring

Question 57

How can you use SFTP to upload files to S3

Answer 57

Use AWS Transfer for SFTP endpoint

Question 58

What are the 2 types of actions you can define in S3 Lifecycle

Answer 58

Transition actions
Expiration actions

Question 59

What can you do with EFS Lifecycle management

Answer 59

Transition files in and out of Infrequent Access tier

Question 60

What is a characteristic of an API Gateway-generated SDK

Answer 60

If it gets 429 because of throttling, it will retry the call automatically

Question 61

What can you do to get all compliance-related documents

Answer 61

Use AWS Artifact

Question 62

Do you need special permissions to use AWS Artifact

Answer 62

Yes

Question 63

What is Amazon Inspector used for

Answer 63

To detect vulnerabilities in AWS workloads.

Question 64

What is AWS Security Hub

Answer 64

It provides you a comprehensive view of your high-priority security alerts and security posture across your AWS accounts

Question 65

How do you secure access to RDS from an app running on EC2

Answer 65

Enable IAM DB Authentication

Question 66

With what does IAM DB Authentication work in RDS

Answer 66

MySQL and PostgreSQL

Question 67

What is the lifetime of an auth token for RDS

Answer 67

15 minutes

Question 68

What are some benefits of IAM DB auth

Answer 68

Traffic encrypted with SSL
Can use IAM to centrally manage access
Can use profile credentials of EC2 instance instead of password

Question 69

What are the metrics from EC2 not available by default to cloudWatch

Answer 69

Memory utilization
Disk swap utilisation
Disk space utilization
Page file utilization
Log collection

Question 70

What metrics are available for EC2 by default in CLoudWatch

Answer 70

CPU Utilization
Network utilization
Disk performance
Disk Read/Write

Question 71

What do you do to gain access to unavailable EC2 metrics in cloudwatch

Answer 71

Install a CloudWatch Agemt

Question 72

Can you use a CloudWatch agent elsewhere than EC2

Answer 72

Yes, onprem servers

Question 73

What OS are supported by CloudWatch agent

Answer 73

Windows and Linux

Question 74

What is Enhanced Monitoring for

Answer 74

RDS

Question 75

What is Amazon Kinesis

Answer 75

A massively scalable and durable real-time data streaming service

Question 76

What is Amazon Redshift

Answer 76

A Data warehousing solution build on a relational database model

Question 77

How do you restrict access to an S3 bucket from a VPC only

Answer 77

S3 Access Point

Question 78

Can you do a multi-region S3 access point

Answer 78

Yes

Question 79

What is a characteristic of requests made to a Multi-region S3 endpoint

Answer 79

They use the global accelerator

Question 80

Can you integrate S3 with a firewall

Answer 80

No, not directly

Question 81

What is a requirement for Object Lock

Answer 81

Versioning. You cannot disable it when you have object lock on

Question 82

How do you prevent accidental deletion of s3 files

Answer 82

Enable S3 versioning and MFA Delete on the bucket

Question 83

What do you need to create to use step and simple scaling policies

Answer 83

CloudWatch alarms

Question 84

What is a difference between simple and step scaling

Answer 84

Simple scaling has a cooldown

Question 85

What is a way of preventing SQL injection attacks

Answer 85

WAF with a managed rule

Question 86

When are messages removed from an SQS queue

Answer 86

When they are explicitly deleted

Question 87

Is there polling in SNS

Answer 87

No, it is for SQS

Question 88

What is Amazon EventBridge (Amazon CloudWatch Events)

Answer 88

It is a serverless event bus

Question 89

What is the difference between compliance mode and governance mode?

Answer 89

Governance can be overwritten

Question 90

What is legal hold

Answer 90

It prevents objects from being deleted until it is removed

Question 91

What is retention period in compliance mode

Answer 91

It completely prevents deletion until the delay has passed

Question 92

Does legal hold expire

Answer 92

No, it is disabled manually by someone with the proper permission

Question 93

What should you do to prevent losing access to RDS db in case of AZ failure

Answer 93

Enable Multi-AZ failover

Question 94

Why not use a read replica to prevent losing access to RDS db in case of AZ failure

Answer 94

This is meant to enhance performance for read-heavy workload. You can promote it, but it has asynchronous replication so you might not get the latest version of the db

Question 95

What EC2 scaling policy should you use when you have regular, predictable traffic?

Answer 95

Scheduled policy

Question 96

What is the most appropriate service to handle large bursts of traffic within seconds

Answer 96

Lambda

Question 97

What does S3 Acelerated Transfer do

Answer 97

It can speed up data transfer over long distances to S3 by 50%-500%

Question 98

What is MultiPart Upload

Answer 98

It allows you to upload an object as multiple parts

Question 99

What is DynamoDB Streams

Answer 99

It is an ordered flow of information about changes to items in a DynamoDB Table

Question 100

How should you implement something that triggers a Lambda every time an object is modified in DynamoDB

Answer 100

Use DynamoDB Stream

Question 101

What does DynamoDB Accelerator do

Answer 101

It significantly improves the in-memory performance of the database

Question 102

What is an endpoint in Amazon Aurora

Answer 102

It is an intermediate used to connect to Aurora instances. It makes it so you don’t have to hard-code host names and handle load-balancing

Question 103

What can Aurora Replicas handle

Answer 103

Read-Only

Question 104

What is the maximum number of Aurora Replicas

Answer 104

15

Question 105

What can you configure with custom Aurora endpoints

Answer 105

Connections to specific instances or subsets of instances

Question 106

What do Aurora custom endpoints provide

Answer 106

Load-balanced DB connexions based on other criteria than read-only and read-write capability

Question 107

What is a clusterEndpoint in Aurora

Answer 107

It connects to primary instance, aka writer endpoint

Question 108

How do you allow private communication with S3 or Dynamodb

Answer 108

Use VPC endpoints

Question 109

What do VPC endpoints do

Answer 109

They allow you to connect your VPC to supported services without needing all the infrastructure required to connect to the public internet.

Question 110

What does Transit Gateway do

Answer 110

It connects your VPC to onprem network through a central hub. It acts as a cloud router that allows you to integrate multiple networks

Question 111

What does AWS Direct Connect do

Answer 111

It establishes a direct connection between onprem network and AWS

Question 112

What does VPN CloudHub do

Answer 112

It is used to create secure communication with remote sites

Question 113

What is etcd

Answer 113

A distributed key-value store used by kubernetes to hold secrets

Question 114

Where are EKS secrets kept

Answer 114

They are persisted in etcd as base64 encoded strings with etcd nodes using EBS volumes encrypted with EBS encryption

Question 115

What are external secrets provider you can use for EKS

Answer 115

AWS Secrets Manager or Hashicorp Vault

Question 116

Is secret encryption with KMS enough to ensure data is encrypted in EKS etcd store?

Answer 116

No, it only adds encryption at rest

Question 117

How do you prevent other devs from accessing Lambda secrets

Answer 117

Create new KMS key and use it with encryption helpers

Question 118

Does Lambda encrypt secrets with KMS by default

Answer 118

Yes, but it uses a default service key and people that have access to lambda have access to it

Question 119

What is AWS Lake Formation

Answer 119

A service that makes it easy to set up a secure data lake

Question 120

What is used as the storage layer for Lake Formation

Answer 120

S3

Question 121

Can Lake Formation allow you to set up permissions to access data

Answer 121

Yes

Question 122

What is Kinesis Firehose

Answer 122

A Fully-Managed service used to load data for data lakes, data stores and archival services

Question 123

How do you implement events from db events in Aurora

Answer 123

With a native function or stored procedure

Question 124

What information is provided by RDS events

Answer 124

Only operational events, like db instance events

Question 125

What are the 2 services that allow you to move files to different storage class

Answer 125

S3 and EFS

Question 126

What are lmitations of EFS lifecycle policies

Answer 126

It can only move a file to IA up to after 90 days

Question 127

What is the speed of S3 Glacier expedited retrieval?

Answer 127

1-5 minutes

Question 128

What is AWS Glue

Answer 128

ETL Service

Question 129

What is a key advantage of AWS Glue

Answer 129

Automatic Schema Discovery and mapping

Question 130

What are examples of sources supported by AWS Glue

Answer 130

S3, RDS, Redshift

Question 131

What are limitations when using lambda to do file conversions

Answer 131

It has a maximum execution time, so large files may result in time out

Question 132

How can you make AWS Glue be triggered by the upload of a file in S3

Answer 132

By using SQS

Question 133

What are some metrics you need a CloudWatch Agent for

Answer 133

• Memory Utilization
• Disk swap utilization
• Disk space utilization
• Page file utilization
• Log collection

Question 134

What metrics are available in CloudWatch by default (without an agent)

Answer 134

CPU Utilization
Network utilization
Disk performance
Disk Read/Write

Question 135

What are the 3 destinations available for S3 notification

Answer 135

SNS topic
SQS queue
Lambda

Question 136

What do you do if you want to send a message from S3 notification to multiple places

Answer 136

Use SNS fanout with multiple SQS queues subscribed to the topic

Question 137

What are possible fanout destinations for SNS

Answer 137

SQS, http endpoints and Lambda functions

Question 138

How many destinations can S3 event notification deliver to

Answer 138

One only, and message is delivered at least onceC

Question 139

Can you poll SNS

Answer 139

No

Question 140

To what can you assign IAM roles in an AD

Answer 140

To users and groups

Question 141

What is used to integrate a corporate AD with AWS

Answer 141

AD Connector

Question 142

What is HTTP 504

Answer 142

Gateway timeout

Question 143

What does cloudfront origin failover do

Answer 143

Makes CloudFront automatically switch to secondary origin when primary fails

Question 144

What is an egress-only internet gateway

Answer 144

MUST be used with IPv6
Horizontally scaled, redundant, HA

Question 145

What is AWS Network Firewall

Answer 145

A stateful firewall

Question 146

What is AWS PrivateLink

Answer 146

Allows your VPC to connect to public AWS Services without going through the public internet

Question 147

What is a dynamodb partition key

Answer 147

It is a simple primary key, composed of one attribute known as the partition key

Question 148

What are the 2 options for primary key in dynamodb

Answer 148

Partition key
Partition key and sort key

Question 149

In DynamoDB, what is a Local Secondary Index

Answer 149

It allows you to create a view using a different sort key

Question 150

In DynamoDB, what is a Global Secondary Index

Answer 150

It allows you to create a view using a different partition key and sort key

Question 151

What is Amazon FSx for Windows File Server

Answer 151

It provides fully-managed Microsoft Windows File servers

Question 152

What protocol is used to access File Share

Answer 152

SMB

Question 153

What should you use when you need SMB

Answer 153

Amazon FSx for Windows File Server

Question 154

What is AWS Resource Access Manager

Answer 154

A service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization

Question 155

What can you share with AWS RAM

Answer 155

AWS Transit Gateways, Subnets, AWS License Manager configurations and Amazon route 53 Resolver rules resources

Question 156

What are the steps to share resources using RAM

Answer 156

Create a Resource Share
Specify resources
Specify accounts

Question 157

Why should you not use IAM to set up cross-account access in an orgnaization

Answer 157

IT is tedious and has a lot of operational overhead

Question 158

Can AWS Control Tower be used to share access to resources

Answer 158

Maybe, but it is not the most suitable

Question 159

What should you to to monitor percentage CPU bandwidth and total memory consumed for each process/thread in RDS

Answer 159

Use RDS Enhanced Monitoring

Question 160

Where are RDS Enhanced Monitoring logs

Answer 160

In CloudWatch

Question 161

Where does RDS Enhanced Monitoring gather it’s information

Answer 161

From an agent on the instance

Question 162

For RDS, where does CLoudWatch get the metrics about CPU Utilization

Answer 162

From the hypervisor for a DB instance

Question 163

What are the 2 options for client-side encryption

Answer 163

Use KMS-managed customer master key
Use a client-side master key

Question 164

What does RDS Multi-AZ Deployment do

Answer 164

IT creates a standby instance in a different AZ to which the primary instance synchronously replicates data
In case of failure, automatic failover

Question 165

When should Aurora Single-insance be used

Answer 165

For non-critical applications or environment (dev or testing)

Question 166

What needs to be done to use company AD for everyone to have their own S3 bucket

Answer 166

Set up a Federation proxy or identity provider
Set up AWS Security Token Service to generate temporary tokens
Configure an IAM role and an IAM policy to access the bucket

Question 167

What is Amazon Macie

Answer 167

It scans data in S3 to check for PII, uses ML

Question 168

What is Amazon Polly

Answer 168

Text to speech

Question 169

What is Kendra

Answer 169

Enterprise search service

Question 170

What protocols are supported by File-mode Storage Gateway

Answer 170

NFS and SMB

Question 171

What storage service should be used for high-performance workloads

Answer 171

FSx for Lustre

Question 172

Where does cold data go in FSx for Lustre

Answer 172

S3

Question 173

What OS is supported for FSx for Lustre

Answer 173

Linux (POSIX-compliant)

Question 174

What is a security group

Answer 174

A virtual firewall for your instance to control inbound and outbound traffic
Stateful

Question 175

What is the port and protocol for SSH

Answer 175

TCP and port 22

Question 176

If your app needs to be HA, and needs 2 instances minimum, how many instances will you need in 2 AZ?

Answer 176

2 in each, so 4 minimum

Question 177

How do you limit access to files in CloudFront to certain users if you can’t modify the url?

Answer 177

Use signed cookies
Also, it is recommended to require accessing content using CF urls to prevent bypass

Question 178

Are signed cookies (CloudFront) supported for RTMP distribution

Answer 178

No

Question 179

What should you use in cloudfront if you want to restrict access to individual files

Answer 179

Signed urls

Question 180

What are the 3 cases where you should use a signed url to restrict access in CloudFront

Answer 180

• Use RTMP distribution
• Restrict access to individual files
• Users are using a client that does not support cookies

Question 181

What are the 2 cases where you should use signed cookies to restrict access in CloudFront

Answer 181

• Want to provide access to multiple restricted files
• Don’t want to change current URLs

Question 182

What is used to protect against DDoS attacks

Answer 182

AWS Shield Advanced

Question 183

What are some ressources that can be protected by AWS Shield

Answer 183

EC2, ELB, CloudFront, R53 resources

Question 184

What are some functionalities of base Amazon Shield

Answer 184

Network and transport layer protections

Question 185

What are some features of AWS Shield Advanced

Answer 185

Additional detection and mitigation against large and sophisticated DDoS attacks
Near RT visibility into attackd
Integration with AWS WAF
24x7 access to AWS DDoS Response Team
Protection from DDoS-related spikes in charges for supported services