TJ - Review mode set 4

Question 1

You pay for all bandwidth in/out of S3, except for 3 cases. List the 3 cases where you do NOT pay for bandwidth in/out of S3.

Answer 1

– Data transferred in from the Internet.

– Data transferred out to an Amazon EC2 instance, when the instance is in the same AWS Region as the S3 bucket (including to a different account in the same AWS region).

– Data transferred out to Amazon CloudFront.

Question 2

What is Lambda@Edge?

Answer 2

a feature of Amazon CloudFront that lets you run code closer to users of your application, which improves performance and reduces latency.

Question 3

What is AWS Health?

Answer 3

provides ongoing visibility into your resource performance and the availability of your AWS services and accounts

Question 4

In AWS Health, What is the difference between AWS PERSONAL Health Dashboard and AWS SERVICE Health Dashboard?

Answer 4

-Personal health is tailored to a specific AWS account.
-Service health provides a high-level overview of the health and status of AWS services across all regions. Has nothing to do with a specific AWS customer but alerts to anyone in the affected region

Question 5

What service is most “tightly coupled” with AWS Health?

Answer 5

AWS EventBridge

Health calls out issues, EventBridge acts on them.

Question 6

What is Eventbridge?

Answer 6

EventBridge is a versatile event bus service designed to integrate with numerous AWS services, such as Lambda, Step Functions, SNS, SQS, and more (cloudwatch, AWS health)

Question 7

In S3, how do you protect data in a bucket from an AZ wide or region wide failure?

Answer 7

Enable cross-region replication

Question 8

What is the charge for a stopped On-Demand EC2 instance?

Answer 8

there is no charge for a stopped EC2 instance that you have shut down.

Question 9

What is the behavior of EBS volumes on a stopped instance?

Answer 9

Information is saved and you are still billed

Question 10

which SSE provides an audit trail that shows when your key was used and by whom?

-Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
-Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS)

Answer 10

• Server-Side Encryption with Customer Master Keys (CMKs) Stored in AWS Key Management Service (SSE-KMS)

Question 11

How do you collect logs from your Amazon EC2 instances and on-premises servers into CloudWatch?

Answer 11

unified CloudWatch agent, or the old CloudWatch Logs agent.

Question 12

what is the difference in SSM Agent and cloudwatch agent?

Answer 12

The SSM Agent is used for securely managing and configuring AWS resources, whereas the CloudWatch Agent is used for collecting and tracking metrics and logs from AWS resources.

Question 13

What is the behavior for standard SQS queues (The default) ?

Answer 13

SQS Standard Queues do not guarantee message order and may deliver duplicates.

Question 14

What is the behavior for FIFO SQS queues?

Answer 14

SQS FIFO Queues guarantee message order and ensure no duplicates are sent, making them suitable for scenarios where the order of processing and exactly-once delivery are crucial.

Question 15

List Example Use Cases for FIFO SQS:

Answer 15

-Order processing systems where the order of transactions must be preserved.
-Financial transactions that require exactly-once processing without duplicates.
-Task queues where tasks must be executed in the order they are received.

Question 16

List Example Use Cases for KDS:

Answer 16

-Real-time log and event data collection and analysis.
-Real-time data processing for analytics dashboards.
-Streaming data ingestion for IoT devices.
-AI training involving processing large volumes of data in real-time and requires high-throughput data ingestion

Question 17

If you need an RDS db for certain times only (ex. testing twice a week),
what is the best way to save money by running it only when needed?

Answer 17

Run the database (jobs, testing, etc), and then take a snapshot of the DB. Then terminate it. Restore the DB when needed again.

Question 18

Does a stopped RDS DB incur costs?

Answer 18

Yes, stopped RDS dbs will incur costs on provisioned storage.

Question 19

Does a stopped On-Demand EC2 instance incur costs?
What about EBS volumes attached to a stopped EC2?

Answer 19

No, there is no charge for a stopped EC2 instance.
Yes, EBS volumes attached to a stopped EC2 will incur costs.

Question 20

For S3 encryption where you need an audit trail (who used a key and when), what is the best encryption option?

Answer 20

Server-Side Encryption with KMS Key Stored in AWS Key Management Service

(SSE-KMS) will provide necessary audit capabilities for keys.

Question 21

what is the cheaper but less durable option for S3 storage,
S3-One Zone IA or S3-IA?

Answer 21

S3-One Zone IA is cheaper than S3-IA but less “durable” as it only stores data copies in one AZ.

Question 22

What is the best way to collect logs from your Amazon EC2 instances and on-premises servers into CloudWatch Logs?

Answer 22

Install the unified CloudWatch Logs agent in each instance which will automatically collect and push data to CloudWatch Logs. Analyze the log data with CloudWatch Logs Insights.

Question 23

When would you choose KDS over SQS?

Answer 23

When data needs to be delivered in sequence of arrival and ensure no duplicates are produced.

Question 24

what is Amazon Forecast?

Answer 24

Amazon Forecast is a time-series forecasting service based on machine learning (ML) and built for business metrics analysis

Question 25

What do you need to do to monitor CPU memory on an EC2?

Answer 25

Install Cloudwatch agent in your EC2 and create a custom metric for memory usage.

Question 26

Which type of EBS volume is ideal for infrequently used data, lowest storage cost? ($ per GB)

Answer 26

Magnetic volumes

Question 27

Which EBS type is best for consistent, low-latency performance, and I/O intensive apps (such as NoSQL)?

Answer 27

Provisioned IOPS volumes

Question 28

What are the three types of EBS volumes?

Answer 28

-General Purpose (SSD)
-Provisioned IOPS (SSD)
-Magnetic

Question 29

For an app hosted on EC2s that is having high load on the site (latency and slow response for users), what are some ways to improve performance?

Answer 29

• Use Amazon CloudFront with website as the custom origin.
• Use Amazon ElastiCache for the website’s in-memory data store or cache, as most of the data is read-only.

Question 30

What is the best way to deal with slow performance, latency with a DynamoDB table? Specifically for peak times.

Answer 30

Use DynamoDB Auto Scaling to automatically adjust provisioned throughput capacity.

Question 31

How do you create triggers in DynamoDB that will automatically create lambda events?

Answer 31

Enable DynamoDB Streams to capture table activity and automatically trigger the Lambda function.

Question 32

What is the primary migration service recommended for lift-and-shift migrations to AWS?

Answer 32

AWS Application Migration Service (AWS MGN).

Question 33

What service would be best to check if IAM user access keys are not rotated within a certain time frame?

Answer 33

Use the AWS Config managed rule to check if the IAM user access keys are not rotated

Question 34

what is Amazon Elastic MapReduce (EMR)?

Answer 34

managed cluster platform, processes vast amounts of data

Question 35

what service can be used to automatically stop terminate or recover, reboot an EC2?

Answer 35

Cloudwatch Alarm actions.

Question 36

What AWS service has flow logs?

Answer 36

VPC.

Question 37

What is the best way to get an EC2s general information for a shell script? Including the instance public and private IPs?

Answer 37

Use Curl or Get Command to get the latest metadata information from http://169.254.169.254/latest/meta-data/

Question 38

To ensure High availability for an S3 bucket that is fault tolerant beyond an AZ AND region, what should be done?

Answer 38

Enable Cross-Region Replication

Question 39

How do you protect your DDB table against Regional failure?

Answer 39

Create a global table in a secondary region. Use R53 DNS failover.

Question 40

How do you protect your EC2s (In an autoscaling group) that is behind an ALB, from a regional failure?

Answer 40

Replicate the auto-scaling group and application load balancer in a secondary region. Then use R53 DNS failover to route traffic to these resources in the Secondary region.

Question 41

What are the enhanced monitoring metrics that Amazon CloudWatch gathers from Amazon RDS DB?

Answer 41

RDS child processes and OS processes.

Question 42

What are some REGULAR items provided by RDS in Cloudwatch?

Answer 42

CPU Utilization, Database Connections, and Freeable Memory.

Question 43

What is a DR plan for a Redshift Cluster in the event of an AWS region outage?

Answer 43

Enable Cross-Region Snapshots Copy

Question 44

If you need to scale EC2s based on regular patterns of traffic increases and applications that take a long time to initialize, what method is best to solve this issue?

Answer 44

Predictive scaling can help you scale faster by launching capacity in advance of forecasted load.

Question 45

What is the difference between Predictive and dynamic scaling?

Answer 45

Predictive scaling can launch EC2s in advance of a forecasted load. Predictive scaling is proactive.

Dynamic scaling takes action AFTER the load occurs. Dynamic scaling is reactive.

Question 46

What is the difference between AWS Personal Health Dashboard and AWS Service Health Dashboard?

Answer 46

Personal will indicate actions that will effect specific services related to you.

Service will indicate changes made to all services on AWS affecting all users.

Question 47

What is the DNS policy for new EC2s launched into the DEFAULT VPC?

Answer 47

Assigned public and private DNS hostnames. corresponding to IPV4,IPv6

Question 48

What is the DNS policy for new EC2s launched into a non-default VPC?

Answer 48

New EC2s launched into a non-default VPC will get a private DNS hostname ONLY.

Question 49

How do you ensure that EC2s launched into a non-default VPC are provided a public DNS hostname?

Answer 49

DNS resolution and DNS hostname of the VPC configuration should be enabled

Question 50

What is AWS License Manager?

Answer 50

AWS License Manager is a service that makes it easier for you to manage your software licenses from software vendors (for example, Microsoft, SAP, Oracle, and IBM) centrally across AWS and your on-premises environments.

Question 51

What service and feature is best to prevent EC2s being launched when the license limit is exceeded ?

Answer 51

AWS License Manager and enable the “Enforce license limit” option. SNS can then send an alert or notification

Question 52

How do you ensure that an object uploaded to an S3 bucket MUST use AES-256 encryption?

Answer 52

Create an S3 bucket policy that denies permissions to upload an object unless the request includes the below header:

s3:x-amz-server-side-encryption”: “AES256”

Question 53

For S3, what is a way for keys to automatically rotated every year with the LEAST operational overhead?

Answer 53

SSE-S3.

Enable server-side encryption with Amazon S3-managed encryption keys and rely on the built-in key rotation feature of the SSE-S3 encryption keys.

Question 54

Within an AWS environment, how would you set up SSLs for many EC2s in multiple AZs that have their own FQDNs AND the applications must use a publicly trusted SSL cert … with the LEAST operational overhead?

Answer 54

Use the AWS Certificate Manager (ACM) to generate a public SSL/TLS certificate. Associate the new SSL/TLS certificate on the HTTPS listener of the ALBs.

Question 55

What must be done to ensure that all objects of an S3 bucket can be publicly read over the internet?

Answer 55

-Grant public read access to the object when uploading it using the S3 Console.
- Configure the S3 bucket policy to set all objects to public read.

Question 56

If you need to incorporate LDAP in AWS and the current identity store is NOT compatible with SAML, what action needs to be taken?

Answer 56

Develop an on-premises custom identity broker application and use STS to issue short-lived AWS credentials.

Question 57

What is the best aws service to extract text from a PDF file?

Answer 57

Amazon Textract.

Question 58

What AWS service helps to identify and process PHI?

Answer 58

Amazon Comprehend Medical.

Question 59

How would you automatically check if a password is in compliance on a policy in IAM?

Answer 59

Configure AWS Config to trigger an evaluation that will check the compliance for a user’s password periodically.