TD Exam 1 Flashcards

1
Q

What are the four reasons to use CloudHSM

A
  • Have keys that are explicitly required to be protected in single-tenant HSM
  • Keys that need to be stored in an HSM that is compliant with FIPS 140-2 Level 3
  • Need ability to immediately remove key material from AWS KMS and prove you have done so by independent means
  • Requirement to be able to audit all use of keys independently of KMS and CloudTrail
2
Q

What should you use if you need to comply with FIPS 140-2 Level 3?

A

Use CloudHSM

3
Q

What should you use if you need the ability to immediately remove key material from KMS

A

CloudHSM

4
Q

What should you use if you need to be able to audit key usage independently from KMS and CloudTrail

A

CloudHSM

5
Q

What should you do if you have an Amazon Aurora db for which the read replica struggles to keep up with increasing read traffic

A

Use Aurora Auto Scaling

6
Q

What is the difference between Canary deployment and Blue/Green?

A

Canary starts with a small subset of nodes/servers, while Blue/Green splits the environment half/half

7
Q

Which is more complex with API Gateway: Canary deployment or Blue/Green

A

Blue/Green is more complex since you need to configure a new environment. Canary is very simple to do with API Gateway

8
Q

What are some services with which AWS WAF is tightly integrated?

A

CloudFront, ALB, API Gateway, AWS AppSync

9
Q

Where do AWS WAF rules run if you configured them for CloudFront

A

Edge location

10
Q

What should you do if you have a large number of illegitimate requests from constantly changing IPs

A

Rate-based rule in AWS WAF

11
Q

What should you use if you need a POSIX-compliant filesystem

A

EFS

12
Q

Why would using many instances accessing EBS be slow

A

It does not allow parallel access (or only up to the provisioned capacity in aggregate)

13
Q

What is a limitation of attaching an EBS volume to multiple EC2 instances

A

They have to be in the same AZ

14
Q

What is best for file storage: EFS or S3

A

EFS; S3 is object storage

15
Q

What are advantages of EFS

A

POSIX-Compliant
HA
Scalable

16
Q

What should be a first choice when Schema Change is mentioned

A

DynamoDB

17
Q

What is Amazon Redshift used for mostly

A

Online Analytical Processing (OLAP)

18
Q

What is Amazon Redshift

A

A Cloud-based data warehouse service

19
Q

What should you do to prevent accidental deletion of S3 objects

A

Enable versioning
Enable MFA Delete

20
Q

When is Web Identity Federation used

A

To let users sign in using a well-known external IdP

21
Q

What can be used to allow devs to log into AWS with onprem AD

A

SAML 2.0 Federation by using Microsoft AD Federation Service

22
Q

What is the default termination policy algorithm for an auto-scaling group

A

1) Pick AZ with most instances and at least one instance not protected from scaling. If multiple, pick the one with instances that use the oldest template
2) Pick unprotected instance with the oldest launch template
3) If many based on above criteria, pick the one closest to the next billing hour
4) If many based on above criteria, pick one at random

23
Q

How can you protect Lambda/API Gateway based system from traffic surges

A

Enable throttling limits and result caching in API Gateway

24
Q

What are the 2 levels you can set API Gateway throttling

A

Global and by service call

25
What are the 2 types of throttling you can set for API Gateway
Standard rates and burst
26
What is the response given by API Gateway if you go over the throttling limit
429
27
Can you set a cache for API Gateway
Yes
28
Which AWS DB service can fulfill a requirement of Recovery Point Objective of 1 second and a Recovery Time Objective of less than 1 minute in case of multi-region failure?
Aurora Global Database
29
What is Recovery Point Objective
Maximum amount of data loss (measured in time) that is acceptable in case of failure (i.e., the time since the last backup)
30
What is Recovery Time Objective
The amount of time the system can be down
31
What is Amazon Aurora Global Database
It allows a single Aurora DB to span multiple AWS regions
32
What are some advantages of Aurora Global Database
- It replicates data with no impact on performance
- It enables fast local reads with low latency in each region
- It provides disaster recovery from region-wide outages
33
What is the latency of the storage-based replication in Aurora Global Database?
Less than one second
34
How long does it take to promote a read replica to read/write in Amazon Aurora Global Database?
Less than one minute
35
What is Amazon Quantum Ledger Database
A ledger database (not relational), fully-managed, transparent, immutable and cryptographically verifiable.
36
What is a difference between Multi-AZ RDS database with cross-region read replicas and Aurora Global Database
- Multi-AZ is only applicable inside a single region
- Also, no RPO of 1 s and RTO of 1 min
- Also, cross-region RDS replication is slower than Aurora
37
What is Amazon Timestream
A Serverless time series database service
38
What should you do to migrate a Microsoft SharePoint server to something HA that can be integrated with AD for access control and auth
Create file system using Amazon FSx for Windows File Server and join it to an AD domain in AWS
39
What protocol is used to access files from Amazon FSx for Windows File Server
Service Message Block (SMB)
40
What OS instances can access Amazon FSx
Windows, Linux and macOS
41
Can multiple devices access FSx concurrently
Yes, thousands
42
What are some characteristics of Amazon FSx Windows File Server
Fully managed
Highly reliable
Scalable
43
How can you change the config of AD for a FSx file system
You can't, you have to create a new file system from a backup and change the AD config there.
44
What OS is supported by EFS
Linux only, not Windows
45
What is NFS (Network File System) mostly used with
Linux systems
46
How do you secure an ElastiCache cluster with Redis to require other devs to enter a password before being able to enter Redis commands
Authenticate the users using Redis AUTH by creating a new Redis Cluster with both the --transit-encryption-enabled and --auth-token parameters enabled
47
How do you do synchronous data replication for RDS
RDS DB instance running as a Multi-AZ deployment
48
What is the difference between RDS Multi-AZ Deployment and Read Replicas in terms of replication
Multi-AZ: Synchronous - highly durable
Read Replica: Asynchronous replication - highly scalable
49
What is the difference between RDS Multi-AZ Deployment and Read Replicas in terms of which instance can be accessed
Multi-AZ: Only the DB engine on the primary instance is active
Read Replica: All read replicas are accessible and can be used for read scaling
50
What is the difference between RDS Multi-AZ Deployment and Read Replicas in terms of backups
Multi-AZ: Automated backups are taken from the standby
Read Replica: No backups configured by default
51
What is the difference between RDS Multi-AZ Deployment and Read Replicas in terms of AZ
Multi-AZ: Always spans 2 AZs within a single region
Read Replica: Can be within an AZ, cross-AZ or cross-region
52
What is the difference between RDS Multi-AZ Deployment and Read Replicas in terms of db upgrades
Multi-AZ: DB engine version upgrade happens on the primary
Read Replica: DB engine version upgrade is independent from the source instance
53
What is the difference between RDS Multi-AZ Deployment and Read Replicas in terms of failover
Multi-AZ: Automatic failover to standby when a problem is detected
Read Replica: Can be manually promoted to a standalone database instance
54
What is a NAT Gateway
HA, managed NAT service
55
What is a NAT Gateway used for
It is created in a public subnet to enable instances in a private subnet to connect to the internet, but prevents the internet from initiating connections to them
56
What does Elastic Beanstalk provide
You upload your application and it automatically handles capacity provisioning, load balancing, scaling and application health monitoring
57
How can you use SFTP to upload files to S3
Use AWS Transfer for SFTP endpoint
58
What are the 2 types of actions you can define in S3 Lifecycle
Transition actions
Expiration actions
59
What can you do with EFS Lifecycle management
Transition files in and out of Infrequent Access tier
60
What is a characteristic of an API Gateway-generated SDK
If it gets 429 because of throttling, it will retry the call automatically
61
What can you do to get all compliance-related documents
Use AWS Artifact
62
Do you need special permissions to use AWS Artifact
Yes
63
What is Amazon Inspector used for
To detect vulnerabilities in AWS workloads.
64
What is AWS Security Hub
It provides you a comprehensive view of your high-priority security alerts and security posture across your AWS accounts
65
How do you secure access to RDS from an app running on EC2
Enable IAM DB Authentication
66
With what does IAM DB Authentication work in RDS
MySQL and PostgreSQL
67
What is the lifetime of an auth token for RDS
15 minutes
68
What are some benefits of IAM DB auth
Traffic encrypted with SSL
Can use IAM to centrally manage access
Can use profile credentials of the EC2 instance instead of a password
69
What are the metrics from EC2 not available by default to cloudWatch
Memory utilization
Disk swap utilization
Disk space utilization
Page file utilization
Log collection
70
What metrics are available for EC2 by default in CloudWatch
CPU utilization
Network utilization
Disk performance
Disk Read/Write
71
What do you do to gain access to unavailable EC2 metrics in CloudWatch
Install a CloudWatch Agent
72
Can you use a CloudWatch agent elsewhere than EC2
Yes, onprem servers
73
What OSes are supported by the CloudWatch agent
Windows and Linux
74
What is Enhanced Monitoring for
RDS
75
What is Amazon Kinesis
A massively scalable and durable real-time data streaming service
76
What is Amazon Redshift
A data warehousing solution built on a relational database model
77
How do you restrict access to an S3 bucket from a VPC only
S3 Access Point
78
Can you do a multi-region S3 access point
Yes
79
What is a characteristic of requests made to a Multi-region S3 endpoint
They use Global Accelerator
80
Can you integrate S3 with a firewall
No, not directly
81
What is a requirement for Object Lock
Versioning. You cannot disable it while Object Lock is on
82
How do you prevent accidental deletion of S3 files
Enable S3 versioning and MFA Delete on the bucket
83
What do you need to create to use step and simple scaling policies
CloudWatch alarms
84
What is a difference between simple and step scaling
Simple scaling has a cooldown
85
What is a way of preventing SQL injection attacks
WAF with a managed rule
86
When are messages removed from an SQS queue
When they are explicitly deleted
87
Is there polling in SNS
No, it is for SQS
88
What is Amazon EventBridge (Amazon CloudWatch Events)
It is a serverless event bus
89
What is the difference between compliance mode and governance mode?
Governance mode can be overridden
90
What is legal hold
It prevents objects from being deleted until the hold is removed
91
What is retention period in compliance mode
It completely prevents deletion until the retention period has passed
92
Does legal hold expire
No, it is disabled manually by someone with the proper permission
93
What should you do to prevent losing access to RDS db in case of AZ failure
Enable Multi-AZ failover
94
Why not use a read replica to prevent losing access to RDS db in case of AZ failure
This is meant to enhance performance for read-heavy workloads. You can promote it, but it uses asynchronous replication, so you might not get the latest version of the DB
95
What EC2 scaling policy should you use when you have regular, predictable traffic?
Scheduled policy
96
What is the most appropriate service to handle large bursts of traffic within seconds
Lambda
97
What does S3 Accelerated Transfer do
It can speed up data transfer over long distances to S3 by 50%-500%
98
What is MultiPart Upload
It allows you to upload an object as multiple parts
99
What is DynamoDB Streams
It is an ordered flow of information about changes to items in a DynamoDB Table
100
How should you implement something that triggers a Lambda every time an object is modified in DynamoDB
Use DynamoDB Stream
101
What does DynamoDB Accelerator do
It significantly improves the in-memory performance of the database
102
What is an endpoint in Amazon Aurora
It is an intermediary used to connect to Aurora instances, so you don't have to hard-code host names or handle load balancing yourself
103
What can Aurora Replicas handle
Read-Only
104
What is the maximum number of Aurora Replicas
15
105
What can you configure with custom Aurora endpoints
Connections to specific instances or subsets of instances
106
What do Aurora custom endpoints provide
Load-balanced DB connections based on criteria other than read-only and read-write capability
107
What is a cluster endpoint in Aurora
It connects to the primary instance (aka the writer endpoint)
108
How do you allow private communication with S3 or DynamoDB
Use VPC endpoints
109
What do VPC endpoints do
They allow you to connect your VPC to supported services without needing all the infrastructure required to connect to the public internet.
110
What does Transit Gateway do
It connects your VPC to onprem network through a central hub. It acts as a cloud router that allows you to integrate multiple networks
111
What does AWS Direct Connect do
It establishes a direct connection between onprem network and AWS
112
What does VPN CloudHub do
It is used to create secure communication with remote sites
113
What is etcd
A distributed key-value store used by Kubernetes to hold secrets
114
Where are EKS secrets kept
They are persisted in etcd as base64 encoded strings with etcd nodes using EBS volumes encrypted with EBS encryption
115
What are external secrets providers you can use for EKS
AWS Secrets Manager or HashiCorp Vault
116
Is secret encryption with KMS enough to ensure data is encrypted in EKS etcd store?
No, it only adds encryption at rest
117
How do you prevent other devs from accessing Lambda secrets
Create new KMS key and use it with encryption helpers
118
Does Lambda encrypt secrets with KMS by default
Yes, but it uses a default service key and people that have access to lambda have access to it
119
What is AWS Lake Formation
A service that makes it easy to set up a secure data lake
120
What is used as the storage layer for Lake Formation
S3
121
Can Lake Formation allow you to set up permissions to access data
Yes
122
What is Kinesis Firehose
A Fully-Managed service used to load data for data lakes, data stores and archival services
123
How do you trigger events from DB events in Aurora
With a native function or stored procedure
124
What information is provided by RDS events
Only operational events, like db instance events
125
What are the 2 services that allow you to move files to different storage class
S3 and EFS
126
What are limitations of EFS lifecycle policies
It can only move a file to IA after a maximum of 90 days
127
What is the speed of S3 Glacier expedited retrieval?
1-5 minutes
128
What is AWS Glue
ETL Service
129
What is a key advantage of AWS Glue
Automatic Schema Discovery and mapping
130
What are examples of sources supported by AWS Glue
S3, RDS, Redshift
131
What are limitations when using lambda to do file conversions
It has a maximum execution time, so large files may result in time out
132
How can you make AWS Glue be triggered by the upload of a file in S3
By using SQS
133
What are some metrics you need a CloudWatch Agent for
- Memory utilization
- Disk swap utilization
- Disk space utilization
- Page file utilization
- Log collection
134
What metrics are available in CloudWatch by default (without an agent)
CPU utilization
Network utilization
Disk performance
Disk Read/Write
135
What are the 3 destinations available for S3 notification
SNS topic
SQS queue
Lambda
136
What do you do if you want to send a message from S3 notification to multiple places
Use SNS fanout with multiple SQS queues subscribed to the topic
137
What are possible fanout destinations for SNS
SQS, HTTP endpoints and Lambda functions
138
How many destinations can S3 event notification deliver to
One only, and the message is delivered at least once
139
Can you poll SNS
No
140
To what can you assign IAM roles in an AD
To users and groups
141
What is used to integrate a corporate AD with AWS
AD Connector
142
What is HTTP 504
Gateway timeout
143
What does CloudFront origin failover do
Makes CloudFront automatically switch to secondary origin when primary fails
144
What is an egress-only internet gateway
MUST be used with IPv6
Horizontally scaled, redundant, HA
145
What is AWS Network Firewall
A stateful firewall
146
What is AWS PrivateLink
Allows your VPC to connect to public AWS Services without going through the public internet
147
What is a DynamoDB partition key
It is a simple primary key, composed of one attribute known as the partition key
148
What are the 2 options for primary key in DynamoDB
Partition key
Partition key and sort key
149
In DynamoDB, what is a Local Secondary Index
It allows you to create a view using a different sort key
150
In DynamoDB, what is a Global Secondary Index
It allows you to create a view using a different partition key and sort key
151
What is Amazon FSx for Windows File Server
It provides fully-managed Microsoft Windows File servers
152
What protocol is used to access File Share
SMB
153
What should you use when you need SMB
Amazon FSx for Windows File Server
154
What is AWS Resource Access Manager
A service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization
155
What can you share with AWS RAM
AWS Transit Gateways, Subnets, AWS License Manager configurations and Amazon Route 53 Resolver rules resources
156
What are the steps to share resources using RAM
Create a Resource Share
Specify resources
Specify accounts
157
Why should you not use IAM to set up cross-account access in an organization
It is tedious and has a lot of operational overhead
158
Can AWS Control Tower be used to share access to resources
Maybe, but it is not the most suitable
159
What should you do to monitor percentage CPU bandwidth and total memory consumed for each process/thread in RDS
Use RDS Enhanced Monitoring
160
Where are RDS Enhanced Monitoring logs
In CloudWatch
161
Where does RDS Enhanced Monitoring gather its information
From an agent on the instance
162
For RDS, where does CloudWatch get the metrics about CPU utilization
From the hypervisor for a DB instance
163
What are the 2 options for client-side encryption
Use a KMS-managed customer master key
Use a client-side master key
164
What does RDS Multi-AZ Deployment do
It creates a standby instance in a different AZ to which the primary instance synchronously replicates data
In case of failure, automatic failover
165
When should Aurora Single-instance be used
For non-critical applications or environment (dev or testing)
166
What needs to be done to use company AD for everyone to have their own S3 bucket
Set up a Federation proxy or identity provider
Set up AWS Security Token Service to generate temporary tokens
Configure an IAM role and an IAM policy to access the bucket
167
What is Amazon Macie
It scans data in S3 to check for PII, uses ML
168
What is Amazon Polly
Text to speech
169
What is Kendra
Enterprise search service
170
What protocols are supported by File-mode Storage Gateway
NFS and SMB
171
What storage service should be used for high-performance workloads
FSx for Lustre
172
Where does cold data go in FSx for Lustre
S3
173
What OS is supported for FSx for Lustre
Linux (POSIX-compliant)
174
What is a security group
A virtual firewall for your instance to control inbound and outbound traffic
Stateful
175
What is the port and protocol for SSH
TCP and port 22
176
If your app needs to be HA, and needs 2 instances minimum, how many instances will you need in 2 AZ?
2 in each, so 4 minimum
177
How do you limit access to files in CloudFront to certain users if you can't modify the url?
Use signed cookies
Also, it is recommended to require accessing content through CloudFront URLs to prevent bypass
178
Are signed cookies (CloudFront) supported for RTMP distribution
No
179
What should you use in CloudFront if you want to restrict access to individual files
Signed URLs
180
What are the 3 cases where you should use a signed URL to restrict access in CloudFront
- Use RTMP distribution
- Restrict access to individual files
- Users are using a client that does not support cookies
181
What are the 2 cases where you should use signed cookies to restrict access in CloudFront
- Want to provide access to multiple restricted files
- Don't want to change current URLs
182
What is used to protect against DDoS attacks
AWS Shield Advanced
183
What are some resources that can be protected by AWS Shield
EC2, ELB, CloudFront, R53 resources
184
What are some functionalities of base AWS Shield
Network and transport layer protections
185
What are some features of AWS Shield Advanced
Additional detection and mitigation against large and sophisticated DDoS attacks
Near real-time visibility into attacks
Integration with AWS WAF
24x7 access to the AWS DDoS Response Team
Protection from DDoS-related spikes in charges for supported services
186