TD Exam 1 Flashcards
What are the four reasons to use CloudHSM
- Have keys that are explicitly required to be protected in a single-tenant HSM
- Keys that need to be stored in an HSM that is compliant with FIPS 140-2 Level 3
- Need the ability to immediately remove key material from AWS KMS and prove you have done so by independent means
- Requirement to be able to audit all use of keys independently of KMS and CloudTrail
What should you use if you need to comply with FIPS 140-2 Level 3?
Use CloudHSM
What should you use if you need the ability to immediately remove key material from KMS
CloudHSM
What should you use if you need to be able to audit key usage independently from KMS and CloudTrail
CloudHSM
What should you do if you have an Amazon Aurora db for which the read replica struggles to keep up with increasing read traffic
Use Aurora Auto Scaling
What is the difference between Canary deployment and Blue/Green?
Canary starts with a small subset of nodes/servers, while Blue/Green splits the environment half/half
Which is more complex with API Gateway: Canary deployment or Blue/Green
Blue/Green is more complex since you need to configure a new environment. Canary is very simple to do with API Gateway
What are some services with which AWS WAF is tightly integrated?
CloudFront, ALB, API Gateway, AWS AppSync
Where do AWS WAF rules run if you configured them for CloudFront
Edge location
What should you do if you have a large number of illegitimate requests from constantly changing IPs
Rate-based rule in AWS WAF
What should you use if you need a POSIX-compliant filesystem
EFS
Why would using many instances accessing EBS be slow
It does not allow parallel access (or only up to the provisioned capacity in aggregate)
What is a limitation of attaching an EBS volume to multiple EC2 instances
They have to be in the same AZ
What is best for file storage: EFS or S3
EFS, S3 is object storage
What are advantages of EFS
POSIX-Compliant
HA
Scalable
What should be a first choice when Schema Change is mentioned
DynamoDB
What is Amazon Redshift used for mostly
Online Analytical Processing (OLAP)
What is Amazon Redshift
A Cloud-based data warehouse service
What should you do to prevent accidental deletion of S3 objects
Enable versioning / Enable MFA Delete
When is Web Identity Federation used
To let users sign in using a well-known external IdP
What can be used to allow devs to log into AWS with onprem AD
SAML 2.0 Federation by using Microsoft AD Federation Service
What is the default termination policy algorithm for an auto-scaling group
1) Pick AZ with most instances and at least one instance not protected from scaling. If multiple, pick the one with instances that use the oldest template
2) Pick unprotected instance with the oldest launch template
3) If many based on above criteria, pick the one closest to the next billing hour
4) If many based on above criteria, pick one at random
How can you protect Lambda/API Gateway based system from traffic surges
Enable throttling limits and result caching in API Gateway
What are the 2 levels you can set API Gateway throttling
Global and by service call
What are the 2 types of throttling you can set for API Gateway
Standard rates and burst
What is the response given by API Gateway if you go over the throttling limit
429
Can you set a cache for API Gateway
Yes
Which AWS DB service can fulfill a requirement of Recovery Point Objective of 1 second and a Recovery Time Objective of less than 1 minute in case of multi-region failure?
Aurora Global Database
What is Recovery Point Objective
The maximum amount of data loss (measured in time) that is acceptable in case of failure (i.e. the time since the last backup)
What is Recovery Time Objective
The amount of time the system can be down
What is Amazon Aurora Global Database
It allows a single Aurora DB to span multiple AWS regions
What are some advantages of Aurora Global Database
- It replicates data with no impact on performance
- It enables fast local reads with low latency in each region
- It provides disaster recovery from region-wide outages
What is the latency of the storage-based replication in Aurora Global Database?
Less than one second
How long does it take to promote a read replica to read/write in Amazon Aurora Global Database?
Less than one minute
What is Amazon Quantum Ledger Database
A ledger database (not relational), fully-managed, transparent, immutable and cryptographically verifiable.
What is a difference between Multi-AZ RDS database with cross-region read replicas and Aurora Global Database
Multi-AZ is only applicable inside a single region
Also, no RPO of 1s and RTO of 1 min
Also, cross-region RDS replication is slower than Aurora
What is Amazon Timestream
A Serverless time series database service
What should you do to migrate a Microsoft SharePoint server to something HA that can be integrated with AD for access control and auth
Create file system using Amazon FSx for Windows File Server and join it to an AD domain in AWS
What protocol is used to access files from Amazon FSx for Windows File Server
Server Message Block (SMB)
What OS instances can access Amazon FSx
Windows, Linux and macOS
Can multiple devices access FSx concurrently
Yes, thousands
What are some characteristics of Amazon FSx Windows File Server
Fully managed
Highly reliable
Scalable
How can you change the config of AD for a FSx file system
You can’t, you have to create a new file system from a backup and change the AD config there.
What OS is supported by EFS
Linux only, not Windows
What is NFS (Network File System) mostly used with
Linux systems
How do you secure an ElastiCache cluster with Redis to require other devs to enter a password before being able to enter Redis commands
Authenticate the users using Redis AUTH by creating a new Redis cluster with both the --transit-encryption-enabled and --auth-token parameters enabled
How do you do synchronous data replication for RDS
RDS DB instance running as a Multi-AZ deployment
What is the difference between RDS Multi-AZ Deployment and Read Replicas in terms of replication
Multi-AZ: Synchronous - highly durable
Read Replica: Asynchronous replication - highly scalable
What is the difference between RDS Multi-AZ Deployment and Read Replicas in terms of which instance can be accessed
Multi-AZ: Only db engine on primary instance is active
Read Replica: All read replicas are accessible and can be used for read scaling
What is the difference between RDS Multi-AZ Deployment and Read Replicas in terms of backups
Multi-AZ: Automated backups are taken from standby
Read Replica: No backups configured by default
What is the difference between RDS Multi-AZ Deployment and Read Replicas in terms of AZ
Multi-AZ: Always spans 2 AZs within a single region
Read Replica: Can be within an AZ, cross-AZ or cross-region
What is the difference between RDS Multi-AZ Deployment and Read Replicas in terms of db upgrades
Multi-AZ: Db engine version upgrade happens on primary
Read Replica: Db engine version upgrade is independent from source instance
What is the difference between RDS Multi-AZ Deployment and Read Replicas in terms of failover
Multi-AZ: Automatic failover to standby when a problem is detected
Read Replica: Can be manually promoted to a standalone database instance
What is a NAT Gateway
HA, managed NAT service
What is a NAT Gateway used for
It is created in a public subnet to enable instances in a private subnet to connect to the internet, but prevents the internet from initiating connections to them
What does Elastic Beanstalk provide
You upload your application and it then automatically handles capacity provisioning, load balancing, scaling and application health monitoring
How can you use SFTP to upload files to S3
Use an AWS Transfer for SFTP endpoint
What are the 2 types of actions you can define in S3 Lifecycle
Transition actions
Expiration actions
What can you do with EFS Lifecycle management
Transition files in and out of Infrequent Access tier
What is a characteristic of an API Gateway-generated SDK
If it gets 429 because of throttling, it will retry the call automatically
What can you do to get all compliance-related documents
Use AWS Artifact
Do you need special permissions to use AWS Artifact
Yes
What is Amazon Inspector used for
To detect vulnerabilities in AWS workloads.
What is AWS Security Hub
It provides a comprehensive view of your high-priority security alerts and security posture across your AWS accounts
How do you secure access to RDS from an app running on EC2
Enable IAM DB Authentication
With what does IAM DB Authentication work in RDS
MySQL and PostgreSQL
What is the lifetime of an auth token for RDS
15 minutes
What are some benefits of IAM DB auth
Traffic encrypted with SSL
Can use IAM to centrally manage access
Can use profile credentials of EC2 instance instead of password
What are the metrics from EC2 not available by default to cloudWatch
Memory utilization
Disk swap utilization
Disk space utilization
Page file utilization
Log collection
What metrics are available for EC2 by default in CloudWatch
CPU Utilization
Network utilization
Disk performance
Disk Read/Write
What do you do to gain access to unavailable EC2 metrics in cloudwatch
Install a CloudWatch Agent
Can you use a CloudWatch agent elsewhere than EC2
Yes, onprem servers
What OS are supported by CloudWatch agent
Windows and Linux
What is Enhanced Monitoring for
RDS
What is Amazon Kinesis
A massively scalable and durable real-time data streaming service
What is Amazon Redshift
A data warehousing solution built on a relational database model
How do you restrict access to an S3 bucket from a VPC only
S3 Access Point
Can you do a multi-region S3 access point
Yes
What is a characteristic of requests made to a Multi-region S3 endpoint
They use AWS Global Accelerator
Can you integrate S3 with a firewall
No, not directly
What is a requirement for Object Lock
Versioning. You cannot disable it when Object Lock is on
How do you prevent accidental deletion of s3 files
Enable S3 versioning and MFA Delete on the bucket
What do you need to create to use step and simple scaling policies
CloudWatch alarms
What is a difference between simple and step scaling
Simple scaling has a cooldown
What is a way of preventing SQL injection attacks
WAF with a managed rule
When are messages removed from an SQS queue
When they are explicitly deleted
Is there polling in SNS
No, it is for SQS
What is Amazon EventBridge (Amazon CloudWatch Events)
It is a serverless event bus
What is the difference between compliance mode and governance mode?
Governance mode can be overridden
What is legal hold
It prevents objects from being deleted until it is removed
What is retention period in compliance mode
It completely prevents deletion until the retention period has passed
Does legal hold expire
No, it is disabled manually by someone with the proper permission
What should you do to prevent losing access to RDS db in case of AZ failure
Enable Multi-AZ failover
Why not use a read replica to prevent losing access to RDS db in case of AZ failure
This is meant to enhance performance for read-heavy workloads. You can promote it, but it uses asynchronous replication, so you might not get the latest version of the db
What EC2 scaling policy should you use when you have regular, predictable traffic?
Scheduled policy
What is the most appropriate service to handle large bursts of traffic within seconds
Lambda
What does S3 Transfer Acceleration do
It can speed up data transfer over long distances to S3 by 50%-500%
What is MultiPart Upload
It allows you to upload an object as multiple parts
What is DynamoDB Streams
It is an ordered flow of information about changes to items in a DynamoDB Table
How should you implement something that triggers a Lambda every time an object is modified in DynamoDB
Use DynamoDB Stream
What does DynamoDB Accelerator do
It significantly improves the in-memory performance of the database
What is an endpoint in Amazon Aurora
It is an intermediary used to connect to Aurora instances. It means you don't have to hard-code host names or handle load balancing yourself
What can Aurora Replicas handle
Read-Only
What is the maximum number of Aurora Replicas
15
What can you configure with custom Aurora endpoints
Connections to specific instances or subsets of instances
What do Aurora custom endpoints provide
Load-balanced DB connections based on criteria other than read-only and read-write capability
What is a clusterEndpoint in Aurora
It connects to the primary instance, aka the writer endpoint
How do you allow private communication with S3 or Dynamodb
Use VPC endpoints
What do VPC endpoints do
They allow you to connect your VPC to supported services without needing all the infrastructure required to connect to the public internet.
What does Transit Gateway do
It connects your VPC to onprem network through a central hub. It acts as a cloud router that allows you to integrate multiple networks
What does AWS Direct Connect do
It establishes a direct connection between onprem network and AWS
What does VPN CloudHub do
It is used to create secure communication with remote sites
What is etcd
A distributed key-value store used by Kubernetes to hold secrets
Where are EKS secrets kept
They are persisted in etcd as base64 encoded strings with etcd nodes using EBS volumes encrypted with EBS encryption
What are external secrets providers you can use for EKS
AWS Secrets Manager or HashiCorp Vault
Is secret encryption with KMS enough to ensure data is encrypted in EKS etcd store?
No, it only adds encryption at rest
How do you prevent other devs from accessing Lambda secrets
Create new KMS key and use it with encryption helpers
Does Lambda encrypt secrets with KMS by default
Yes, but it uses a default service key, and people who have access to Lambda have access to it
What is AWS Lake Formation
A service that makes it easy to set up a secure data lake
What is used as the storage layer for Lake Formation
S3
Can Lake Formation allow you to set up permissions to access data
Yes
What is Kinesis Firehose
A Fully-Managed service used to load data for data lakes, data stores and archival services
How do you implement events from DB events in Aurora
With a native function or stored procedure
What information is provided by RDS events
Only operational events, like db instance events
What are the 2 services that allow you to move files to different storage class
S3 and EFS
What are limitations of EFS lifecycle policies
It can only move a file to IA after at most 90 days
What is the speed of S3 Glacier expedited retrieval?
1-5 minutes
What is AWS Glue
ETL Service
What is a key advantage of AWS Glue
Automatic Schema Discovery and mapping
What are examples of sources supported by AWS Glue
S3, RDS, Redshift
What are limitations when using lambda to do file conversions
It has a maximum execution time, so large files may result in time out
How can you make AWS Glue be triggered by the upload of a file in S3
By using SQS
What are some metrics you need a CloudWatch Agent for
- Memory Utilization
- Disk swap utilization
- Disk space utilization
- Page file utilization
- Log collection
What metrics are available in CloudWatch by default (without an agent)
CPU Utilization
Network utilization
Disk performance
Disk Read/Write
What are the 3 destinations available for S3 notification
SNS topic
SQS queue
Lambda
What do you do if you want to send a message from S3 notification to multiple places
Use SNS fanout with multiple SQS queues subscribed to the topic
What are possible fanout destinations for SNS
SQS, http endpoints and Lambda functions
How many destinations can S3 event notification deliver to
One only, and the message is delivered at least once
Can you poll SNS
No
To what can you assign IAM roles in an AD
To users and groups
What is used to integrate a corporate AD with AWS
AD Connector
What is HTTP 504
Gateway timeout
What does cloudfront origin failover do
Makes CloudFront automatically switch to secondary origin when primary fails
What is an egress-only internet gateway
MUST be used with IPv6
Horizontally scaled, redundant, HA
What is AWS Network Firewall
A stateful firewall
What is AWS PrivateLink
Allows your VPC to connect to public AWS Services without going through the public internet
What is a dynamodb partition key
It is a simple primary key, composed of one attribute known as the partition key
What are the 2 options for primary key in dynamodb
Partition key
Partition key and sort key
In DynamoDB, what is a Local Secondary Index
It allows you to create a view using a different sort key
In DynamoDB, what is a Global Secondary Index
It allows you to create a view using a different partition key and sort key
What is Amazon FSx for Windows File Server
It provides fully-managed Microsoft Windows File servers
What protocol is used to access File Share
SMB
What should you use when you need SMB
Amazon FSx for Windows File Server
What is AWS Resource Access Manager
A service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization
What can you share with AWS RAM
AWS Transit Gateways, Subnets, AWS License Manager configurations and Amazon Route 53 Resolver rules resources
What are the steps to share resources using RAM
Create a Resource Share
Specify resources
Specify accounts
Why should you not use IAM to set up cross-account access in an organization
It is tedious and has a lot of operational overhead
Can AWS Control Tower be used to share access to resources
Maybe, but it is not the most suitable
What should you do to monitor percentage CPU bandwidth and total memory consumed for each process/thread in RDS
Use RDS Enhanced Monitoring
Where are RDS Enhanced Monitoring logs
In CloudWatch
Where does RDS Enhanced Monitoring gather its information
From an agent on the instance
For RDS, where does CloudWatch get the metrics about CPU Utilization
From the hypervisor for a DB instance
What are the 2 options for client-side encryption
Use KMS-managed customer master key
Use a client-side master key
What does RDS Multi-AZ Deployment do
It creates a standby instance in a different AZ to which the primary instance synchronously replicates data
In case of failure, automatic failover
When should Aurora Single-instance be used
For non-critical applications or environment (dev or testing)
What needs to be done to use company AD for everyone to have their own S3 bucket
Set up a Federation proxy or identity provider
Set up AWS Security Token Service to generate temporary tokens
Configure an IAM role and an IAM policy to access the bucket
What is Amazon Macie
It scans data in S3 to check for PII, uses ML
What is Amazon Polly
Text to speech
What is Kendra
Enterprise search service
What protocols are supported by File-mode Storage Gateway
NFS and SMB
What storage service should be used for high-performance workloads
FSx for Lustre
Where does cold data go in FSx for Lustre
S3
What OS is supported for FSx for Lustre
Linux (POSIX-compliant)
What is a security group
A virtual firewall for your instance to control inbound and outbound traffic
Stateful
What is the port and protocol for SSH
TCP and port 22
If your app needs to be HA, and needs 2 instances minimum, how many instances will you need in 2 AZ?
2 in each, so 4 minimum
How do you limit access to files in CloudFront to certain users if you can’t modify the url?
Use signed cookies
Also, it is recommended to require accessing content through CloudFront URLs to prevent bypass
Are signed cookies (CloudFront) supported for RTMP distribution
No
What should you use in cloudfront if you want to restrict access to individual files
Signed URLs
What are the 3 cases where you should use a signed URL to restrict access in CloudFront
- Use RTMP distribution
- Restrict access to individual files
- Users are using a client that does not support cookies
What are the 2 cases where you should use signed cookies to restrict access in CloudFront
- Want to provide access to multiple restricted files
- Don’t want to change current URLs
What is used to protect against DDoS attacks
AWS Shield Advanced
What are some resources that can be protected by AWS Shield
EC2, ELB, CloudFront, R53 resources
What are some functionalities of base Amazon Shield
Network and transport layer protections
What are some features of AWS Shield Advanced
Additional detection and mitigation against large and sophisticated DDoS attacks
Near real-time visibility into attacks
Integration with AWS WAF
24x7 access to AWS DDoS Response Team
Protection from DDoS-related spikes in charges for supported services