Tut Dojo Test 3 Flashcards

1
Q

What kind of backup service does RDS provide?

A

RDS creates a storage volume snapshot of your DB instance, backing up the entire DB instance and not just individual databases.

RDS saves the automated backups of your DB instance according to the backup retention period that you specify. By default, an RDS instance created from the AWS console has a backup retention of 7 days. You can further modify this backup retention period to between 0 and 35 days.

2
Q

Amazon Aurora Backup Solution

A

Amazon Aurora backs up your cluster volume automatically and retains restore data for the length of the backup retention period.

Aurora backups are continuous and incremental so you can quickly restore to any point within the backup retention period.

No performance impact or interruption of database service occurs as backup data is being written. You can specify a backup retention period, from 1 to 35 days, when you create or modify a DB cluster.

3
Q

Amazon S3 Backup Solution

A

S3 has a lifecycle policy but not a backup policy. Standard S3 is already very durable and AWS has no options for automatic backup on S3.

4
Q

Amazon EFS Backup Solution

A

EFS is already a highly available and durable file storage service and AWS does not provide out-of-the-box automated backup for EFS.

5
Q

Amazon EC2 Backup Solution

A

EC2 does not offer automatic backups for your instances. You need to manually create AMIs of your images if you want to make a backup or copy to other regions.

6
Q

Set up a cloud-based single sign-on (SSO) service to centrally manage SSO access to all of the company’s AWS accounts and cloud applications.

Full access has also been configured by the Engineer in AWS Organizations.

Which of the following should the Engineer configure to complete the setup?

A

Set up permission sets in AWS SSO. Associate the permission sets with AWS Directory Service users and groups.

7
Q

Where does AWS SSO store accounts by default?

A

AWS SSO automatically provides you with a store by default, which you can use to manage your users and groups within AWS SSO. If you choose to store them in AWS SSO, create your users and groups and assign their level of access to your AWS accounts and applications.

Alternatively, you can choose to Connect to Your External Identity Provider using Azure Active Directory or connect to your Microsoft AD Directory using AWS Directory Service.

8
Q

What is a permission set?

A

A collection of administrator-defined policies that AWS SSO uses to determine a user’s effective permissions to access a given AWS account. Permission sets can contain either AWS managed policies or custom policies that are stored in AWS SSO.

Policies are essentially documents that act as containers for one or more permission statements.

These statements represent individual access controls (allow or deny) for various tasks that determine what tasks users can or cannot perform within the AWS account.

9
Q

SCPs Characteristics

A

In SCPs, you can restrict which AWS services, resources, and individual API actions the users and roles in each member account can access. You can also define conditions for when to restrict access to AWS services, resources, and API actions.

These restrictions even override the administrators of member accounts in the organization. When AWS Organizations blocks access to a service, resource, or API action for a member account, a user or role in that account can’t access it.

10
Q

Difference between Permission Sets and SCPs

A

Permission sets are stored in AWS SSO and are only used for AWS accounts. They are not used to manage access to cloud applications. Permission sets ultimately get created as IAM roles in a given AWS account, with trust policies that allow users to assume the role through AWS SSO.

SCP is used to manage access with AWS accounts.

Permission Sets are used with AWS SSO.

SCP is used with AWS Organizations.

11
Q

aws:PrincipalOrgID

A

Use this key to compare the identifier of the organization in AWS Organizations to which the requesting principal belongs with the identifier specified in the policy.

12
Q

Principal

A

An entity that can make a request for an action or operation on an AWS resource.

Users, roles, federated users, and applications are all AWS principals.

Your AWS account root user is your first principal.

13
Q

Request

A

When a principal tries to use the AWS Management Console, the AWS API, or the AWS CLI, that principal sends a request to AWS.

14
Q

Actions or operations

A

The actions or operations that the principal wants to perform.

15
Q

Resources

A

The AWS resource object upon which the actions or operations are performed.

16
Q

Environment data

A

Information about the IP address, user agent, SSL enabled status, or the time of day.

17
Q

Resource data

A

Data related to the resource that is being requested.

18
Q

Trusted Advisor

A

Trusted Advisor analyzes your AWS environment and provides best practice recommendations in five categories:

Cost Optimization
Performance
Security
Fault Tolerance
Service Limits

Access to the seven core Trusted Advisor checks is available to all AWS users.

Access to the full set of Trusted Advisor checks is available to Business and Enterprise Support plans.

It provides alerts on several of the most common security misconfigurations that can occur, including leaving certain ports open that make you vulnerable to hacking and unauthorized access, neglecting to create IAM accounts for your internal users, allowing public access to Amazon S3 buckets, not turning on user activity logging (AWS CloudTrail), or not using MFA on your root AWS Account.

19
Q

Detailed Monitoring

A

You can aggregate the metrics for AWS resources across multiple accounts and Regions, for example aggregating statistics for your EC2 instances that have detailed monitoring enabled.

This incurs an additional charge and can monitor instances at a one-second interval.

20
Q

Metric math

A

AWS allows you to use CloudWatch metric math to aggregate and transform metrics from multiple accounts and Regions.

Metric math enables you to query multiple CloudWatch metrics and use math expressions to create new time series based on these metrics. You can visualize the resulting time series on the CloudWatch console and add them to dashboards. You can add a math expression to a graph on your CloudWatch dashboard.

21
Q

Evaluate Target Health

A

Ensure Health Checks behind ELB are passing before sending traffic to ELB.

22
Q

Systems Manager automation capabilities

A

Build automations to configure and manage instances and AWS resources.

Create custom runbooks or use pre-defined runbooks maintained by AWS.

Receive notifications about Automation tasks and runbooks by using Amazon EventBridge.

Monitor Automation progress and details by using the AWS Systems Manager console.

Note: Systems Manager requires credentials.

23
Q

AWS Shield keywords

A

protection against DDoS attacks

UDP reflection attacks and TCP SYN floods

24
Q

Amazon EBS–optimized instances

A

An Amazon EBS–optimized instance uses an optimized configuration stack and provides additional, dedicated capacity for Amazon EBS I/O. This optimization provides the best performance for your EBS volumes by minimizing contention between Amazon EBS I/O and other traffic from your instance.

EBS–optimized instances deliver dedicated bandwidth to Amazon EBS. When attached to an EBS–optimized instance, General Purpose SSD (gp2 and gp3) volumes are designed to deliver at least 90% of their provisioned IOPS performance 99% of the time in a given year.

25
Q

Amazon RDS Proxy

A

A fully managed, highly available database proxy for Amazon Relational Database Service (RDS) that makes applications more scalable, more resilient to database failures, and more secure.

Amazon RDS Proxy allows applications to pool and share connections established with the database, improving database efficiency and application scalability.

26
Q

Amazon S3 Transfer Acceleration

A

A bucket-level feature that enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket. Transfer Acceleration takes advantage of the globally distributed edge locations in Amazon CloudFront. As the data arrives at an edge location, the data is routed to Amazon S3 over an optimized network path.

27
Q

AWS Global Accelerator

A

Global Accelerator service does not work with S3. It only supports endpoints like application load balancers, network load balancers, EC2 instances, or elastic IP addresses.