Tutorial Dojo Flashcards
AWS Transit Gateway provides ___ design for connecting VPCs and on-premise networks.
Hub and Spoke
Hybrid Connectivity (VPN/Direct Connect) to a single ____ to control organization’s entire AWS routing.
Transit Gateway
Hub and spoke simplifies management and cost because ____ only connect to ____ to gain access to networks
Transit Gateways/VPCs
AWS TG and AWS _____ solution simplify management of connections between AVPC and your network over a _____. It also minimizes network costs, improves bandwidth and provides more reliable network experience
Direct Connect/private connection
True/False: VPC peering is supported in a Direct Connect connection.
False. VPC Peering does not support transitive peering relationships.
What are the three “free” data transfers for S3?
1) In from Internet
2) Out to EC2 instance when in same region as S3 bucket
3) Out to CloudFront
GP2 and Provisioned IOPS (io1) are backed by
SSD
Throughput Optimized (st1) and Cold (sc1) are backed by
HDD/Magnetic
SDD-backed provide better performance when IO is
random or sequential
HDD-backed provide better performance when IO is __________ and ________
large AND sequential
Provisioned IOPS (io1) are best for I/O intensive workloads such as ____ (3 examples). Therefore, io1 is a better solution for these platforms than [other storage option]_____.
Databases [MongoDB, Oracle, MySQL] / GP2
What is Amazon Fargate?
Compute engine for containers w/ECS and Elastic Kubernetes Service (EKS). No over-provisioning.
What is Amazon EMR?
Cloud big data platform for processing vast amounts of data using open source tools.
True/False: ELB Access logging is enabled by default.
False. It is disabled. Once we turn it on it will store the logs to S3 as compressed files.
What is the backing framework for Amazon EMR?
Hadoop.
The combined use of IAM _______ and AWS ________ will support autonomy of corporate divisions while enabling governance and oversight.
Cross-Account access and consolidated billing w/ AWS organizations (linking accounts up to parent)
Week after a Kinesis Data Stream and Lambda is deployed, users have noticed slowness as data rate increases. There’s a performance issue with Kinesis. What should be done?
Increase shards with UpdateSharedCount command.
What are the two types of Kinesis resharding operations?
Split and Merge
True/False: you are charged on a per-shard basis for Kinesis.
True. Therefore increasing # of shards increases cost (and vice versa).
True/False. There is step scaling in Kinesis.
False. This is only applicable to EC2.
What would three pieces of an elastic, scalable web tier solution be?
Elastic Load Balancing, Amazon EC2, and Auto Scaling
Which DB solution is best for OLTP
Amazon RDS (not scalable)/Aurora (fully managed)
You get a ‘insufficient capacity error’ for a Placement group. What is the correct action to take?
Stop and restart the instances in the placement group and try the launch again.
What are the four metrics that CloudWatch monitors by default?
CPU Util
Network Util
Disk performance
Disk Read/Write
Enhanced Monitoring metrics are stored for ___ days in CW logs.
30
Session State data is best stored in (two items)?
DynamoDB
ElastiCache
True/False: DynamoDB is best to store key-value pairs
True.
Which database at AWS is best for OLAP?
Redshift
What is AWS OpsWorks?
Configuration management service that provides managed instances of Chef and Puppet.
What is DynamoDB?
Fast and Flexible NoSQL, fully managed relational DB service.
NACLs can be used to control what?
Traffic coming in and out of VPC network
NACLs are stateful or stateless [what does that mean]?
Stateless
Stateless means you have to have matching inbound/outbound rules.
What is the Amazon service that provides temporary elevated access.
AWS Security Token Service (STS)
Which of these subnets provides a range and which provides a specific IP address; /32 /0
/0 is a range of IPs/entire network
/32 is a specific IP
Ture or false: Traffic between VPC and other Amazon services do not leave Amazon Network
True.
What is an interface endpoint?
ENI w/ private IP; entry point for traffic.
What is a gateway endpoint?
Target for specified route in route table; used for traffic to a supported AWS service [S3 / DynamoDB].
What are two services that need a gateway endpoint?
S3
DynamoDB
True or False. EBS volumes are restricted while snapshots are taken.
False. EBS can be used while snapshots are in progress.
When transitioning from STANDARD to STANDARD_IA or ONEZONE_IA what are the constraints (three of them)?
1) Objects smaller than 128k are not transitioned
2) Objects have to be stored 30 days in current storage class before you can transition them.
3) Only objects that are at least 30 days noncurrent can be transferred
Limitations on changing storage class do not apply for which classes (three of them)?
INTELLIGENT_TIERING, GLACIER, and DEEP_ARCHIVE
What are three things required to access an EC2 instance from the INTERNET?
1) IGW
2) Route to the IGW in the route table of the VPC
3) Public IP address attached to the instance
S3 log files are encrypted by either: ____ or you can encrypt with this service
Default Server Side Encryption (SSE) AWS KMS (Key Management Service)
What is the encryption algorithm used by S3?
AES-256
How does Aurora handle failure of primary instance?
1) How are replicas/CNAME handled?
2) What if AZ becomes unavailable?
3) What if no replica, and not serverless?
Failover is automatic.
1) If you have a replica, the CNAME is flipped to point to healthy replica (and then that is promoted).
2) Amazon recreates DB in different AZ
3) If you don’t have a replica (and are running serverless), It will attempt to create new DB instance in same AZ.
How can you enable DR for Redshift in the event of an AWS region outage
Enable Cross-Region Snapshots
NLBs function at what OSI layer?
Layer 4
What is BYOIP, which LB is it associated with and what might it be used for?
Bring Your Own IP. You can use it to put an IP onto an Elastic IP that is assigned to an NLB. This can be useful if your IP is already whitelisted to clients.
True or False: NAT Instances and NAT Gateways support IPv6.
False. Only IPv4.
UDP is at Layer ___ of the OSI and therefore a ____ is the best way to route traffic to multiple targets.
4
Network Load Balancer
What is the EC2 CLI way to get a “StateReason”. Why might it be used?
aws ec2 describe-instances
This would show status of EC2 instances, with the reason the state was changed.
When using a static webpage, using ____ [for caching] and ____ [for storage] will ensure ideal hosting as it can support html, css, java, and images.
CloudFront
S3
What would be used to trace and analyze RESTful API requests?
AWS X-Ray
If you want new EBS volumes in a region to be automatically encrypted what step should you take?
Turn on EBS Encryption by Default Feature for the Region.
By default, records of a stream in Amazon Kinesis are accessible for up to _____ from the time they are added to the stream. You can raise this limit to up to ____ by enabling extended data retention.
24 hours
7 days
NACLS are used to control traffic to an entire VPC, what vehicle can be used to control access to a single EC2 instance?
Security Group
If you need to create an AutoScaling fleet of EC2 instances with a new AMI, what step should be taken? Why?
Create a new launch configuration.
You can only specify one launch configuration for an Auto Scaling group at a time, and you can’t modify a launch configuration after you’ve created it. Therefore, if you want to change the launch configuration for an Auto Scaling group, you must create a launch configuration and then update your Auto Scaling group with the new launch configuration.
What is the purpose of Lambda@Edge
Run lambda functions to customize content that cloudfront delivers (functions are executed at edge locations)
What is HTTP 504?
Gateway timeout
With CloudFront, why would you setup an origin group with two origins?
CloudFront would automatically switch over if one origin fails.
Which of these two is better for large sets of data? AWS Storage Gateway or AWS DataSync
AWS DataSync
The largest object that can be uploaded to S3 is:
5G
Real time analytics for lots of records in small sizes batches is best done by what two services? [one to send, one to process]
Kinesis Data Stream
AWS Lambda
Non-relational DB In-memory cache that delivers up to 10x performance improvement from milliseconds to microseconds or even at millions of requests per second.
Amazon DynamoDB Accelerator
________ improves the performance of your database through caching query results.
ElastiCache
True/False. ENI is detached if you stop an EC2 instance.
False
True/False. EIP attached to an EC2 instance is ephemeral.
False
True/False. Data stored in instance-store devices is ephemeral.
True
Relational Databases have rigid schema which means what in relationship to flexibility?
That you have constraints and limits to what can be inserted. Therefore, Relational Databases are no good if you are going to have frequent schema changes.
Generally, do relational databases scale well? What is the relational Amazon DB service that does scale well.
No. DynamoDB.
Scale-In Operation has three things it will do in determining which instance to terminate. What are they?
AZ with most instances
Instances with oldest launch config
Instance that is closest in next billing hour.
SNI _____ relies on the SNI extension of the Transport Layer Security protocol.
Custom SSL
What allows multiple domains to serve SSL traffic over the same IP address by including the hostname which the viewers are trying to connect to?
SNI extension of Transport Layer Security Protocol
In regard to certificates, CloudFront web distribution with dedicated IP is not cost effective. Why?
Charge begins when you associate your SSL/TLS certificate with your CloudFront distribution. Additionally, dedicated IP is a monthly charge.
Read-after-write consistency, low-latency file operations, and multi-system connectivity are associated with what storage solution?
EFS
If a shard iterator in Kinesis data stream is expiring, what is a possible solution?
Increase the write capacity assigned to the shard table
Regarding size, storage capacity for Dynamo DB is automatically _____ for storage.
Scaled
What type of messing service is Amazon SNS?
Pub/Sub
Amazon SNS can push to what endpoints (5)?
SQS Queue Lambda HTTP Endpoint eMail Mobile Device
What is the ability to only send certain SNS topics to an endpoint?
Filtering
A decoupled application architecture would use what two services at AWS?
Simple Queue Service [SQS]
Simple Workflow Service [SWS]
True or False. DynamoDB can be used for real-time tabulations
True.
What is the service that keeps collaborative apps with shared data updated in real time and what is the backing DB?
AppSync
DynamoDB
Kinesis Data Stream enables [how fast] _________ processing of streaming ______.
Real-time
Big Data
True/False. SQS allows for duplicates to be sent.
True.
[vocab word] AWS Step Functions allows for serverless ______ for modern applications.
Orchestrations
What is Orchestrtation in regard to AWS Step Functions?
Centrally manage workflow by breaking it into steps with flow logic and tracking inputs/outputs between steps.
What is AmazonMQ?
Managed message broker service that supports multiple protocols.
What service can collect, process, and analyze data in real-time?
Amazon Kinesis
What are the three types of storage solutions provided by Storage Gateway?
File, Volume and Tape
Which of the AWS storage gateway options provides ability to use NFS/SMB?
File
By default RDS does not monitor certain things, in order to facilitate better monitoring of RDS, what should be done?
Enable Enhanced RDS monitoring.
It is expected that the database read queries will significantly increase in the coming weeks ahead. A Solutions Architect recently launched two Read Replicas to the database cluster to improve the platform’s scalability. How should this be done with Aurora?
Use the built-in Reader endpoint of Aurora.
NLBs is primarily used to distribute traffic to servers not this piece of RDS technology ______ [regarding database]
Read Replicas
What is the most likely reason a Lambda function with over 15 minutes runtime would terminate?
Maximum Execution time setting
One way to secure private content on Cloudfront is to require signed _____ or signed ______.
URLs
Cookies
Origin Access Identity (OAI) can be used to require users access S3 content by using only
CloudFront URLs
True/False. IAM Policy can be applied to a conditional tag.
True
What is a good way to restrict users to only a certain environment at AWS (e.g. UAT)
IAM policies that allow access to specific tags
To handle bursts in API gateway (e.g. massive amount of requests expected), you should setup:
Throttling limits in API gateway
HTTP requests through a public-facing ALB every five minutes can be tracked with what function? Bonus: is this feature enabled by default?
Access logs
No.
For an S3 API Call, on a successful upload there are two results. What are they?
HTTP 200 result code and MD5 checksum
If you have an identity store that is not compatible with SAML, one option is to:
Build a custom identity broker application. This would use STS to give short-lived AWS creds.
What is a visibility timeout in SQS?
Period of time during which SQS prevents other consuming components from receiving and processing a message.
Egress-Only Internet Gateway is only applicable to what AWS component?
VPCs
In order for an EC2 instance to get out to the internet, but not allow anything in, you should use a:
NAT Gateway
Best way to secure S3 from others getting to your items is to:
Configure S3 bucket to remove public read access and use pre-signed URLs with expiry dates.
AWS Directory Service AD Connector provides what?
Allows AWS to integrate with existing AD/LDAP in the cloud.
True/False: You can assign an EIP to an ALB.
False.
What services can you use to import SSL/TLS certificate form a third party CA?
IAM Certificate Store
AWS Certificate Manager
True/False in Route 53, Active-Active failover allows for a ‘primary’ and ‘secondary’ resource.
False. Active-Active uses all available resources.
For accessing Cloud front with these restrictions what is the best option: You want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers’ area of a website; You don’t want to change your current URLs.
Signed Cookies
For accessing cloud front with these cases, what is the best option? You want to use an RTMP distribution, You want to restrict access to individual files, for example, an installation download for your application, Your users are using a client (for example, a custom HTTP client) that doesn’t support cookies.
Signed URLs
There are two main types of VPC endpoint. Most AWS services use VPC ______ Endpoint except for S3 and DynamoDB, which use VPC ______ Endpoint.
Interface
Gateway
Patch management, infrastructure selection and data sync can coordinate multiple AWS services into serverless workflows via what AWS Service?
AWS Step Functions.
What is a VPN and its benefit?
Allows connection to on-prem DC using IPSec/TLS.
AWS Direct Connect allows for what between your network and VPC?
Private and dedicated network connetion.
What are the prerequisites when routing traffic using Amazon Route 53 to a website that is hosted in an Amazon S3 Bucket?
S3 Bucket must be the same as domain name
Registered domain name
Which of these is not a default cloudwatch metrics? CPU Util, Memory Util, Network Packets out, Disk read activity?
Memory Util
What is the function that would allow an EC2 instance to access DB instead of password.
AWS IAM [w/DB authentication]
One of the developers was instructed to create the environment variables for the MongoDB database hostname, username, and password as well as the API credentials that will be used by the Lambda function for DEV, SIT, UAT, and PROD environments.
Considering that the Lambda function is storing sensitive database and API credentials, how can this information be secured to prevent other developers in the team, or anyone, from seeing these credentials in plain text?
Create new KMS key and enable encryption helpers to store/encrypt sensitive info.
Which service provide a record of actions taken by a user, role, or an AWS service in Amazon S3?
Which service provides detailed records for the requests that are made to an S3 bucket?
AWS CloudTrail
Amazon S3 server access logs
In what scenario would you use target tracking scaling as opposed to simple scaling?
When you don’t want to wait for a cooldown period to complete before doing additional scaling activities.
You’ve got a group of EC2 instances behind a LB, need to secure the application by allowing multiple domains to serve SSL traffic over same IP. What is the option to use here?
Generate an SSL certificate with AWS Certificate Manager and create a CloudFront web distribution. Associate the certificate with your web distribution and enable the support for Server Name Indication (SNI).
When dealing with an encrypted EBS volume, there are four types of data encrypted. What are they?
Data at rest inside the volume
Data moving between volume and instance
Snapshots created from the volume
All volumes created from the snapshots
In cloud formation, JSON/YAML is used to descript infrastructure. Of these, which is required? – Format Version – Description – Metadata – Parameters – Mappings – Conditions – Transform – Resources – Outputs
Only resources is required, but the rest should be provided in some semblance of order.
When should you consider AWS Snowball based on internet connection speed [size/amount of data]
T3
100M
1000M
2T or more
5T or more
60T or more
To setup private endpoints that don’t pass through public internet, what is the best option: AWS VPN CloudHub, AWS Direct Connect, VPC endpoints or Transit Gateway
VPC Endpoints
What is a stream record in regard to DynamoDB?
A modification record of the dynamodb table (create/update/delete)
DynamoDB performance can be better distributed evenly by using provisioned throughput by having partition keys with __________; which have a few/great number of distinct values for each item.
High-Cardinality; great
True/False CloudWatch Alarms can update ECS task count.
False.
What is the IOP guarantee for EC2 with io1?
32000
In order to get above 32000 IOPs for EC2, what type of instance is necessary
A Nitro-
If you wanted to split-up read requests to Aurora what is necessary?
Custom Reader Endpoint
What is the primary function of Amazon Macie?
To scan data stored in S3 and detect PII or intellectual property.
What is the primary function of Amazon Rekognition?
Identifies objects, people, text, scenes and activities in images/videos.
What is the easiest way to create NAT gateway high availability?
Have one in each AZ.
DynamoDB Stream and AWS Lambda Triggers can be used to serve what functionality (regarding “follow” actions)?
SNS notification to subscribers
What service should be used to handle minimum number of ECS tasks with Fargate?
CloudWatch Event rules.
True/False: Standard Reserved instances can be later exchanged for other convertible reserved instances.
False.
Which is more cost effective: Lambda with Step Functions or Kinesis Data Streams/SQS?
KDS/SQS.
What are the possible Event Notification destinations available for S3 buckets?
SQS
Lambda
Which Amazon service is most effective for blocking SQL Injection/Cross-Site Scripting attacks?
WAF
You want to evenly distribute incoming traffic to an ALB, in Route 53, which record types will you use to point the DNS name of the Application Load Balancer?
Alias w/ type A
Alias w/ type AAAA
CNAME records in Route 53 can only be used for what?
Subdomains
What is an AAAA type DNS record?
IPv6
What is an MX DNS/Route 53 entry primarily used for?
Mail servers
True/False: DataSync can write directly to S3, Glacier and/or Glacier Deep Archive.
True
Which of the LBs supports support path-based routing, host-based routing, and support for containerized applications?
Application LB
What is the function/purpose of AWS Config?
Assess, audit, and evaluate the configurations of your AWS resources.
By default, EC2 instances use the _____ addressing protocol.
IPv4
RDS automatically performs a failover to standby for what two events?
Storage failure on primary
Loss of AZ
When should AWS Snowmobile be used?
In exabyte/petabyte range.
What Amazon service is cloud-agnostic and open-source for containerized workloads?
Amazon EKS
Which of the DB services gives the Architect the ability to store huge amounts of data and perform quick and flexible queries on it?
Redshift
True/False: a Classic load balancer supports SNI.
False.
Geoproximity can be used to specify a larger ____ known as a ____ for countries/locations
Area/Bias
What needs configured outside the VPC for successful site-to-site VPN?
Internet-routable IP address to customer gateway external interface for the on-prem network
True/False: Every subnet created is auto associated with them main route table for the VPC.
True.
What are the two allowed block size in a VPC (netmask)?
/16 [65,536 IPs]; and /28 [16 IPs]
Which option is cheaper: On-demand or spot?
Spot is much cheaper than On-Demand.
In the following scenario, what actions should be taken:
The instance uses a default security group and has an attached Elastic IP address. The network ACL has been configured to block all traffic to the instance. The Solutions Architect must allow incoming traffic on port 443 to access the application from any source.
Security group to allow TCP on port 443 from source 0.0.0.0/0
NACL allowing TCP connection to ephemeral ports 32768-65535
True/False in Route-53: Active-Active failover includes a primary and secondary source.
False.
When would s3:ObjectRemoved:DeleteMarkerCreated be triggered?
When a delete marker is created for a versioned object.
If you wanted to use S3 Select against a specific object, what two things are needed?
Bucket Name
Object Key
True/False: You will be billed when reserved instance is in terminated state
True
True/False: You will be billed when On-demand is in pending?
False
True/False: You will be billed when spot instance is in stopping state
False
True/False: You will be billed when On-Demand is preparing to hibernate in stopping state.
True
How are NACL rules processed?
In order of number; lowest is evaluated first and if it matches, it is applied immediately regardless of higher-value rule that may contradict it.
In which Amazon Service is SSE an option (EC2 or S3)?
S3
RDS Metrics that are monitored without Enhanced monitoring (3):
CPU Util
Database Connections
Freeable Memory
RDS Metrics monitored WITH enhanced monitoring (3):
RDS Child Processes
RDS Processes
OS Processes
AnyCast IP is associated with which AWS Service?
AWS Global Accelerator
Which is more efficient: AWS Systems Manager Agent (SSM) or CloudWatch?
CloudWatch
These are the four things that ______ has advantages for:
- collecting logs with metrics
- can run on windows server
- additional system metrics
- better performance
CloudWatch Agent
What is needed to ensure Redshift is highly available/can handle an AWS region outage?
Cross-Region Snapshots
There are two ways to ensure that requests coming in to an SQS queue can be changed/modified to ensure single processing, what are they?
SQS FIFO Queue
Change from SQS to SWF
Amazon RDS w/MySQL can automatically failover when what configuration exists?
Standby replica in another availability zone w/Multi-AZ deployment
In what scenario is FSx for Lustre used?
Compute-intensive HPC/machine learning; works natively with/optimized for S3. HOWEVER, Lustre doesn’t support Windows-based applications only Windows servers.
Security Groups are Stateful or Stateless [what does that mean?]
Stateful; if incoming is granted, outgoing is also granted.
The Outputs section of a CF template defines what and could be used for what function?
Optional section template that describes the values that are returned whenever you view your stack’s properties [such as DNS server hostname]
On-prem sharing of traffic (50% to on-prem, 50% to aws) can be handled with what two functions?
Route 53 w/Weighted Routing
ALB w/Weighted Target Groups
True/False: EFA is supported on Windows Instances.
False. You can attach one but it just functions as a regular ENA.
True/False: It is possible to recover from a CloudHSM via snapshot if it gets zeroed out.
False – you must have your own copy of the keys for solid backup.
Can AWS Secrets Manager generate short-lived authentication tokens?
No. It is used for storing passwords, secrets and other creds.
In SQS, if an EC2 instance is terminated in a parallel asynchronous processing scenario, what happens to the message?
When visibility timeout expires, it becomes available for processing by other EC2 instances.
Long Polling helps reduce cost of SQS by reducing the number of _____ responses and eliminating false _____ responses.
empty
What is the Amazon service that you can use for Virtual Deskops?
Amazon Workspace
In order to point to a DNS zone apex record, how should the Route-53 be configured.
Create an A record aliased to load balancer DNS
What is the ApproximateAgeOfOldestMessage metric useful for?
Application with time sensitive messages; and/or scaling policies.
When tracing detailed information on an ALB for HTTP, what is the best option?
Access logs on the ALB [it is disabled by default]
When real-time processing is needed, what is the service you should immediately think of?
Kinesis
Gateway endpoints are targets for traffic destined to where?
S3
DynamoDB
Which type of scaling uses metrics and threshold values with a set of scaling adjustments?
Step Scaling
Vertical scaling means ___________ your current resource
Upgrading
Horizontal scaling means _________ your current resource
Adding more
What is DNSSEC? Is it supported by Route 53?
Domain Name System Security Extensions. Protocols that add security to DNS lookup. No.
In terms of caching, the best way to control what a user gets from a cloudfront distribution is to use what functionality?
Versioned Objects
AWS Global Accelerator services what function and what can it be used for?
Static IP that acts as point of entry for single or multiple AWS regions (ALB/NLB/EC2). This can reduce number of IPs [e.g. whitelisting]
What is the recommended storage engine for MySQL?
InnoDB
Cross-Region Read Replication latency of less than a second is a feature of what RDS solution?
Aurora
True/False: EFS works natively with S3.
False
True/False: S3 works natively with Amazon FSx for Windows.
False
If you have several EC2 instances in multiple AZs, how can you distribute incoming requests evenly?
Cross-zone load balancing
If you wanted to group resources together and had a fleet of EC2 instances you wanted to push a new version of code to, what is the best option?
CodeDeploy
In Elastic Beanstalk, where does it store the application files and server log files?
Application files are stored in S3; server logs can also optionally be stored in S3/CloudWatch Logs.
RDS synchronously replicates the data to a standby instance in a different Availability Zone (AZ) that is in what region?
The same as the primary
What are the two options to connect an on-prem infrastucture to AWS?
Direct Connect & IPSec VPN connection
What is the minimum duration charge for S3? S3-Intilligent? S3 Standard-IA? S3 One-zone IA? S3 Glacier? S3 Glacier Deep Archive?
none, 30, 30, 30, 90, 180 days
CloudTrail is used for what purpose
Tracking changes to AWS resources; API and non-API account activity.
True/False. Oracle Real Application Clusters [RAC] are supported in RDS.
False.
If you wanted to automate snapshots of EBS volumes, what product would you use.
Amazon DLM (Data Lifecycle Manager)
True/False - you can set a priority on individual items in a single SQS queue (example: split priority from free)
False; best thing to do here is setup two SQS queues
True/False: Systems Manager parameter store rotates parms by default
False
Perfect Security Secrecy is a SSL/TLS cipher suite used with what two services?
CloudFront & ELB
AWS Trusted Advisor is best used for what function?
Providing “best practice” reccomendations.
What is the default value for the autoscaling cooldown?
300 seconds
To encrypt S3-managed SSE, what is the header request?
x-amz-server-side-encryption
What is needed to be configured outside the VPC to have a successful site-to-site VPN?
Internet-routable static IP address of gateway
External interface for on-prem network
CloudFormation with based on success signals (applications are properly running before stack creation proceeds is done via what attribute?
CreationPolicy w/cfn-signal helper.
What is the limit for regions for On-Demand based on; what must be done to increase it?
vCPU. Request a limit increase from Amazon.
Is EKS good to run docker?
No; Fargate should be used instead.
What benefits does Fargate provide?
Provisioning and managing servers, pay per resources per application. Improves security by isolation by design.
What does Kinesis Data Firehose get you?
Streaming data into analytic tools. Capture, transform and load data into S3/Redshift/Elasticsearch and Splunk.
How are EBS volumes encrypted?
Via AWS KMS
Is SSE an option on EBS?
No; SSE is not used in EC2/EBS.
True/False. RDS Read Replicas can elastically scale out?
True
What kind of synchronization do Read Replicas provide?
Asynchronous
What is provisioned capacity in regard to S3?
Retrieval capacity for expedited retrievals is there when you need it. Three expedited retrievals can be performed every five minutes.
Is a DynamoDB table and CloudFront compatible?
No.
What are the settings in VPC that allow/generate a DNS hostname?
DNS resolution
DNS hostnames
If you have a high throughput DynamoDB table; what is the best way to improve performance of an application using it?
Enable DynamoDB auto scaling
What is Data Pipeline?
Cloud-based data workflow; moves data between different AWS services.
What is the ratio of provisioned IOPS to volume size?
50:1
What is the difference between Volume Gateway cached mode and stored mode?
Cached gives you access to a subset (frequently accessed) of your data; stored is the entire dataset.
What is target tracking scaling?
Capacity is increased/decreased based on target value for specific metric.
True/False: CloudTrail logs are encrypted by default using S3 SSE.
True
To use Long Polling on an SQS queue, what should be done?
Change ReceiveMessageWaitTimeSeconds to a value greater than zero.
EIPs will not be charged under what three conditions?
EIP associated with instance
Instance is running
Only on EIP attached to instance
What is necessary to make API calls to AWS resources?
Set of access keys for the user and necessary permissions
What is a major difference between Elastic Beanstalk and ECS?
Features like load balancing, monitoring and auto scaling are not auto-enabled in ECS.
What is the setting/parm to ensure connections are using SSL for RDS?
rds.force_ssl
What is the requirement to have MicrosoftSQL encrypted [what cert?]
Amazon RDS Root CA
