AWSexam_1 Flashcards Preview


Flashcards in AWSexam_1 Deck (796)
1
Q

Invention requires two things

A
  1. The ability to try a lot of experiments, and
  2. Not having to live with the collateral damage of failed experiments
2
Q

What is a region?

A

A physical location in the world which consists of 2 or more availability zones.

3
Q

What is an availability zone?

A

An availability zone is one or more discrete data centers, each with redundant power, networking and connectivity, housed in separate facilities.

4
Q

What are edge locations?

A

Edge locations are endpoints for AWS which are used for caching content. Typically this consists of CloudFront, which is Amazon’s CDN.

5
Q

What is IAM and what is it for?

A

Identity Access Management = Allows you to manage users and their level of access to the AWS console.

6
Q

What are the 4 key terms for IAM?

A
  1. Users
    1. end-users such as employees
  2. Groups
    1. A collection of users (with certain permissions)
  3. Policies
    1. Permission documents
  4. Roles
    1. Some have more power than others
7
Q

Is IAM regional or global?

A

Everything you do in IAM is GLOBAL

This goes for both managing users and managing policies.

8
Q

What is the root account (IAM)?

A

simply the account created when first setting up your AWS account

Important to have two-factor authentication activated for the root account.

9
Q

What permissions do users have when first created?

A

NONE. No permissions whatsoever; they need to be added.

But... new users are assigned an Access Key ID & Secret Access Key when first created (note you only get to see these once).

10
Q

What does Power User access allow?

A

access to all AWS services EXCEPT the management of groups and users within IAM

11
Q

In what language are IAM policy documents written?

A

JSON

12
Q

Using SAML (Security Assertion Markup Language 2.0), you can give your federated users single sign-on (SSO) access to the AWS Management Console (TRUE or FALSE)?

A

TRUE

13
Q

What is S3?

A

Simple Storage Service

S3 provides developer and IT teams a safe place to store files (across multiple devices)

object-based storage

14
Q

How big a file can you upload to S3?

A

0 bytes to 5 Terabytes

(unlimited storage but you pay by gigabytes)

15
Q

What does “S3 is a universal namespace” mean?

A

that names must be unique GLOBALLY

16
Q

How are files stored in S3?

A

in Buckets

17
Q

What do you receive from S3 when your upload is successful?

A

an HTTP 200 code

18
Q

What is the data consistency model in S3?

A
  • Read AFTER write consistency for PUTS of new objects
    • can read immediately after write
  • Eventual consistency for overwrite PUTS and DELETES (can take some time to propagate)
    • if updating or deleting objects, you might get different versions if reading immediately after, but eventually it will be consistent
19
Q

What do S3 objects consist of?

A
  • Keys
    • the name of the object
  • Value
    • the data (made up of a sequence of bytes)
  • Version ID
    • important for versioning
  • Metadata
    • Data about data you are storing (tags etc.)
  • Sub-resources
    • Access control lists (permissions to access files)
20
Q

How high is the availability of S3?

A
  • Built for 99.99 % availability (four 9s)
  • Amazon guarantees 99.9 % availability (three 9s)
    • and Amazon guarantees 99.999999999 % DURABILITY for S3 information (eleven 9s = your files will not disappear)

BUT depending on the storage tier used.

21
Q

What are the S3 storage tiers?

A
  • S3 Standard
    • 99.99 % availability and 99.999999999 durability
    • Stored redundantly across multiple devices in multiple facilities and is designed to sustain the loss of 2 facilities concurrently
  • S3 - Infrequently Accessed
    • (cheaper than S3)
    • For data that is accessed less frequently but requires rapid access when needed
  • S3 One Zone infrequently accessed
    • low-cost option for infrequently accessed data (but relatively fast retrieval)
    • does not require the multiple availability zone data resilience (only in 1 availability zone)
    • Availability 99.50 %
  • S3 - Intelligent Tiering
    • designed for cost-efficiency by automatically moving data to the most cost-effective access tier, without performance impact or operational overhead
  • S3 Glacier
    • Retrieval times from minutes to hours
  • S3 Glacier Deep Archive
    • cheapest storage option but used for archival only
    • retrieval time of 12 hours is acceptable
22
Q

What characterises S3 standard?

A
  • 99.99 % availability and 99.999999999 durability
  • Stored redundantly across multiple devices in multiple facilities and is designed to sustain the loss of 2 facilities concurrently
23
Q

What characterises S3 IA?

A
  • S3 - Infrequently Accessed
    • (cheaper than S3)
    • For data that is accessed less frequently but requires rapid access when needed
24
Q

What characterises S3 One Zone?

A
  • S3 One Zone infrequently accessed
    • low-cost option for infrequently accessed data (but relatively fast retrieval)
    • does not require the multiple availability zone data resilience (only in 1 availability zone)
    • Availability 99.50 %
25
Q

What characterises S3 Intelligent Tiering?

A
  • designed for cost-efficiency by automatically moving data to the most cost-effective access tier, without performance impact or operational overhead
26
Q

What characterises S3 Glacier?

A
  • Retrieval times from minutes to hours
27
Q

What characterises S3 Glacier Deep Archive?

A
  • cheapest storage option but used for archival only
  • retrieval time of 12 hours is acceptable
28
Q

What determines charges in S3?

A
  • Storage
  • Requests
  • Storage Management Pricing (meta-data)
  • Data Transfer Pricing
  • Transfer Acceleration
29
Q

What is transfer acceleration?

A

Amazon S3 Transfer acceleration enables fast, easy, and secure transfer of files over long distances between your end users and an S3 bucket.

=> CloudFront CDN

30
Q

What types of encryption can you make in S3?

A
  • Client Side Encryption
  • Server Side Encryption
    • with Amazon S3 Managed Keys => SSE-S3
    • with KMS => SSE-KMS
    • with Customer Provided Keys => SSE-C
31
Q

What are the default settings for Buckets in S3?

A

Buckets are PRIVATE by default, and all objects inside are PRIVATE by default.

32
Q

What region does he recommend?

A

US East (N. Virginia) - where all new services come out first - however, it goes down more often.

33
Q

What are Regions?

A

Distinct geographical areas - and each region always consists of two or more availability zones

A Region is a physical location in the world which consists of two or more Availability Zones (AZ)

34
Q

What is an Availability Zone (AZ)?

A

An Availability Zone (AZ) is one or more discrete data centers, each with redundant power, networking and connectivity, housed in separate facilities.

35
Q

What is an Edge Location?

A

Edge Locations are endpoints for AWS which are used for caching content. Typically this consists of CloudFront, Amazon’s Content Delivery Network (CDN)

Example: someone from Sydney downloads something from New York - the content can be cached in Sydney so someone else from Sydney can download it directly from Sydney instead of NY.

36
Q

What are the differences between the four different AWS plans?

A

Can be typical exam questions!

37
Q

Q1: An AWS VPC is a component of which group of AWS services?

A

Networking Services

A Virtual Private Cloud (VPC) is a virtual network dedicated to a single AWS account. It is logically isolated from other virtual networks in the AWS cloud, providing compute resources with security and robust networking functionality.

38
Q

Q2: Which of the below are storage services in AWS? (Choose 2)

A

S3 and EFS both provide the ability to store files in the cloud. EC2 provides compute, and is often augmented with other storage services. VPC is a networking service. Further information:

https://aws.amazon.com/efs/
https://aws.amazon.com/s3/
https://aws.amazon.com/ec2/
https://aws.amazon.com/vpc/

39
Q

Q3: Which of the following is correct?

A

# of Edge Locations > # of Availability Zones > # of Regions

The number of Edge Locations is greater than the number of Availability Zones, which is greater than the number of Regions. Further information: https://aws.amazon.com/about-aws/global-infrastructure/

40
Q

Q4: Which of the below are compute service from AWS? (Choose 2)

A

Both Lambda and EC2 offer computing in the cloud. S3 is a storage offering while VPC is a network service. Further information:

https://aws.amazon.com/ec2/
https://aws.amazon.com/lambda/
https://aws.amazon.com/s3/
https://aws.amazon.com/vpc/

41
Q

Q5: Which of the below are database services from AWS? (Choose 2)

A

RDS is a service for relational databases provided by AWS. DynamoDB is AWS’ fast, flexible, no-sql database service. S3 provides the ability to store files in the cloud and is not suitable for databases, while EC2 is part of the compute family of services. Further information:

https://aws.amazon.com/dynamodb/
https://aws.amazon.com/rds/
https://aws.amazon.com/ec2/
https://aws.amazon.com/s3/

42
Q

Q6: Which of the following are a part of AWS’ Network and Content Delivery services? (Choose 2)

A

Cloudfront + VPC

VPC allows you to provision a logically isolated section of the AWS where you can launch AWS resources in a virtual network. Cloudfront is a fast, highly secure and programmable content delivery network (CDN). EC2 provides compute resources while RDS is Amazon’s Relational Database System. Further information:

https://aws.amazon.com/vpc/
https://aws.amazon.com/cloudfront/
https://aws.amazon.com/ec2/
https://aws.amazon.com/rds/

43
Q

Q7: In which of the following is CloudFront content cached?

A

CloudFront content is cached in Edge Locations.

44
Q

Q8: Which of the below are factors that have helped make public cloud so powerful? (Choose 2)

A

Not having to deal with the collateral damage of failed experiments

The ability to try out new ideas and experiment without an upfront commitment

Public cloud allows organisations to try out new ideas, new approaches and experiment with little upfront commitment. If it doesn’t work out, organisations have the ability to terminate the resources and stop paying for them. Further information: https://docs.aws.amazon.com/whitepapers/latest/aws-overview/six-advantages-of-cloud-computing.html

45
Q

Q9: What is an Amazon VPC?

A

VPC stands for Virtual Private Cloud. Further information: https://aws.amazon.com/vpc/

46
Q

Q10: Which statement best describes Availability Zones?

A

Distinct locations from within an AWS region that are engineered to be isolated from failures.

An Availability Zone (AZ) is a distinct location within an AWS Region. Each Region comprises at least two AZs. Further information: https://aws.amazon.com/about-aws/global-infrastructure/

47
Q

Q11: What does an AWS Region consist of?

A

A distinct location within a geographic area designed to provide high availability to a specific geography.

Each region is a separate geographic area. Each region has multiple, isolated locations known as Availability Zones. Further information: https://aws.amazon.com/about-aws/global-infrastructure/

48
Q

Q12: What is an AWS region?

A

A region is a geographical area divided into Availability Zones. Each region contains at least two Availability Zones.

49
Q

What is IAM and what is it for?

A

Identity Access Management = Allows you to manage users and their level of access to the AWS console.

50
Q

What features does IAM offer?

A
  • Centralised control of your AWS account
  • Shared access to your AWS account
  • Granular permissions
  • Identity Federation (including Active Directory, Facebook, LinkedIn, etc.)
  • Multi Factor Authentication
  • Temporary access for users/devices and services
  • Set up own password rotation policy
  • Integrates with many AWS services
  • Support PCI DSS Compliance (e.g. when taking credit card details)
51
Q

What are the 4 key terms for IAM?

A
  1. Users
    1. end-users such as employees
  2. Groups
    1. A collection of users (with certain permissions)
    2. Each user inherits the permissions of the group
  3. Policies
    1. Permission documents
  4. Roles
    1. Some have more power than others
52
Q

What group does IAM belong to in AWS?

A

Security, Identity, and Compliance

53
Q

What is the root account in IAM?

A

The account you can do EVERYTHING with and has unlimited resources.

54
Q

What are the three multi-factor authentication (MFA) device types for IAM?

A

Virtual MFA device, U2F security key, Other hardware MFA device

55
Q

What region does IAM apply to?

A

Global - i.e. ALL regions

56
Q

What access do users have when first created?

A

No access at all

57
Q

What are users assigned when first created in IAM?

A

An Access Key ID and Secret Access Key (these are not those you use to login to the AWS console, but can be used with APIs and command line access). They can only be viewed once.

58
Q

What should you always do with your root account?

A

Use multi factor authentication

59
Q

What group does CloudWatch belong to in AWS?

A

Management & Governance

60
Q

What does S3 stand for?

A

Simple Storage Service

61
Q

What is an object in S3?

A

Simply a file that consists of:

Key (name of file), Value (data of the file), Version ID, Metadata (data about data)

62
Q

What is a bucket in S3?

A

Simply a folder - their names must be unique, as the name is what appears in the web address

63
Q

How does data consistency work for S3?

A

Read after Write for PUTS of new Objects

Eventual Consistency for overwrite PUTS and DELETES

64
Q

What are the AWS guarantees for S3?

A

Built for 99.99% availability

Guaranteed 99.9% availability

Guaranteed 11x9s durability

65
Q

What are the different storage classes?

A

S3 Standard (designed to sustain loss of 2 facilities concurrently)

S3 - IA (Infrequently Accessed) but needs rapid access when needed (charged retrieval fee)

S3 One Zone - IA (RRS) (Infrequently Accessed) same as above but just for one zone

S3 Intelligent Tiering (uses AI to intelligently move your files to correct tier)

S3 Glacier (used for archiving but retrieval takes from minutes to hours)

S3 Glacier Deep Archive (cheapest option where retrieval takes 12 hours)

66
Q

How are you charged in S3?

A

Storage, Requests, Storage Management Pricing, Data Transfer Pricing, Transfer Acceleration, Cross Region Replication Pricing

67
Q

How can you protect your S3 objects from being deleted?

A

Turn on multi factor authentication delete

68
Q

What is good to read about the S3 before the exam?

A

The FAQ: https://aws.amazon.com/s3/faqs/

69
Q

What are the types of encryption?

A
  • Encryption in transit = HTTPS
    • Achieved through SSL/TLS
  • Encryption at rest (server side)
    • Achieved by
      • S3 Managed Keys (SSE-S3) (Amazon manages for you)
      • AWS Key Management Service (SSE-KMS) - you manage with Amazon
      • Server Side Encryption with Customer provided keys (SSE-C) - you provide keys to amazon
  • Client Side encryption
    • You just upload an encrypted object
70
Q

What does versioning do?

A
  • Stores all versions of an object (including all writes and even if you delete an object)
  • => GREAT backup tool
71
Q

Can you disable versioning?

A

No… Once enabled, versioning cannot be disabled, only suspended.

72
Q

What is MFA Delete?

A

A feature in S3 versioning, which requires the use of multi-factor authentication to provide an additional layer of security for when you try to delete things.

73
Q

Will the access change when you reupload a file?

A

Yes…

the object returns to being not accessible (all access blocked) and you have to allow access again.

74
Q

If you had versioning enabled, what happens if you delete the file in a bucket?

A

it will still keep the earlier versions in the versioning backup - it just puts a delete marker as the most recent version.

75
Q

What are lifecycle rules for?

A

Automates moving your objects (files) between different storage tiers

E.g. if you want it in S3 standard and later want it in S3 infrequently accessed (IA) depending on time

76
Q

What happens to objects within a bucket when you set up cross-region replication on it?

A

The files will NOT be in the new bucket.

The new bucket will have the same permissions as in the other region but the objects/files will not be present.

77
Q

What is important about cross region replication?

A

Versioning must be enabled on both the source and destination buckets

78
Q

What happens to new files added to cross-region replication buckets?

A

NEW files will be automatically replicated across the two region buckets but existing files at creation will not appear.

79
Q

Will deletes be replicated in cross region replication?

A

No - neither individual deletes nor delete markers

80
Q

What is S3 transfer acceleration?

A

S3 transfer acceleration utilises the CloudFront Edge Network to accelerate your upload to S3 (CDN)

…so from the edge location to the S3 bucket in the availability zone

81
Q

How does S3 transfer acceleration work?

A

You simply upload to an edge location that then uploads to the main bucket instead of you uploading directly to the main bucket, which can be slower.

82
Q

What is CloudFront, Edge Location, Origin and Distribution?

A
  • CloudFront
    • Amazon’s Content Delivery Network (CDN)
  • Edge Location
    • Location where content will be cached
  • Origin
    • Origin of all the files that the CDN will distribute. This can be an S3 Bucket, an EC2 instance, an Elastic Load Balancer or Route 53
  • Distribution
    • Name given to the CDN which consists of a collection of edge locations (Web Distributions and RTMP distributions)
83
Q

What is Web Distribution used for?

A

websites (part of cloudfront)

84
Q

What is RTMP used for?

A

Media Streaming (part of cloudfront)

85
Q

Are edge locations read or write?

A

Both - you can certainly read from them but you can also write = put an object in them (which should be more or less the same as transfer acceleration)

86
Q

What is TTL?

A

Time To Live = the time objects are cached for in the CDN distribution. It is up to the user to set the TTL.

87
Q

What happens if you delete cached objects from edge locations?

A

they will be deleted BUT you will be charged.

88
Q

What does restricting viewer access in CloudFront do?

A

E.g. if only paying customers can access the content they need to have a signed URL to access the content (e.g. Netflix)

89
Q

What is a CloudFront Invalidation?

A

A way to quickly remove/invalidate content from the CloudFront, e.g. if you uploaded the wrong media or there is an error (but you’ll be charged).

90
Q

What is Snowball?

A

Petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data in and out of AWS S3 = a big disk.

50TB or 80TB

91
Q

What is Snowball Edge?

A

up to 100TB data WITH on-board storage and compute capabilities

useful to support local workloads in remote or offline locations (such as on an airplane)

= a portable version of AWS essentially

92
Q

What is Snowmobile?

A

An EXABYTE-scale data transfer service. Up to 100 PB per snowmobile, which is a 45-foot long shipping container.

93
Q

What is Storage Gateway?

A

Service that connects on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization’s on-premises IT environment and AWS’s storage infrastructure.

94
Q

What are the 3 types of Storage Gateway?

A
  • File Gateway (NFS & SMB)
    • files are stored in your S3 bucket
  • Volume Gateway (iSCSI)
    • Stored Volumes
      • store your ENTIRE primary data locally and backed up in AWS
    • Cached Volumes
      • only has the most frequently used data locally (NOT entire data)
  • Tape Gateway (VTL)
    • way to archive your data in the AWS cloud = good to move your backup to the cloud
95
Q

Q1: Power User Access allows ________.

A

Access to all AWS services except the management of groups and users within IAM.

96
Q

Q2: You have been asked by your company to create an S3 bucket with the name “acloudguru1234” in the EU West region. What would the URL for this bucket be?

A

https://s3-eu-west-1.amazonaws.com/acloudguru1234

97
Q

Q3: You work for a health insurance company that amasses a large number of patients’ health records. Each record will be used once when assessing a customer, and will then need to be securely stored for a period of 7 years. In some rare cases, you may need to retrieve this data within 24 hours of a claim being lodged. Given these requirements, which type of AWS storage would deliver the least expensive solution?

A

Glacier: The recovery rate is a key decider. The record storage must be safe, durable, low cost, and the recovery can be slow.

98
Q

Q4: What is the default level of access a newly created IAM User is granted?

A

No access to any AWS services.

99
Q

Q5: Which of the following is not a component of IAM?

A

Organizational Units

100
Q

Q6: What is the availability of S3-OneZone-IA?

A

99.50%. OneZone-IA is only stored in one Zone. While it has the same Durability, it may be less Available than normal S3 or S3-IA.

101
Q

Q7: What is the availability of objects stored in S3?

A

99.99%

102
Q

Q8: A new employee has just started work, and it is your job to give her administrator access to the AWS console. You have given her a user name, an access key ID, a secret access key, and you have generated a password for her. She is now able to log in to the AWS console, but she is unable to interact with any AWS services. What should you do next?

A

Grant her Administrator access by adding her to the Administrators’ group.

103
Q

Q9: Which statement best describes IAM?

A

IAM allows you to manage users, groups, roles, and their corresponding level of access to the AWS Platform.

104
Q

Q10: Which of the following options allows users to have secure access to private files located in S3? (Choose 3)

A

CloudFront Signed Cookies

CloudFront Signed URLs

CloudFront Origin Access Identity

105
Q

Q11: What is Amazon Glacier?

A

An AWS service designed for long term data archival.

106
Q

Q12: In what language are policy documents written?

A

JSON

107
Q

Q13: When you create a new user, that user ________.

A

Will be able to interact with AWS using their access key ID and secret access key using the API, CLI, or the AWS SDKs.

108
Q

Q14: You run a popular photo-sharing website that depends on S3 to store content. Paid advertising is your primary source of revenue. However, you have discovered that other websites are linking directly to the images in your buckets, not to the HTML pages that serve the content. This means that people are not seeing the paid advertising, and you are paying AWS unnecessarily to serve content directly from S3. How might you resolve this issue?

A

Remove the ability for images to be served publicly to the site and then use signed URLs with expiry dates.

109
Q

Q15: The difference between S3 and EBS is that EBS is object-based whereas S3 is block-based.

A

False

110
Q

Q16: A __________ is a document that provides a formal statement of one or more permissions.

A

Policy

111
Q

Q17: What level of access does the “root” account have?

A

Administrator Access

112
Q

Q18: One of your users is trying to upload a 7.5GB file to S3. However, they keep getting the following error message: “Your proposed upload exceeds the maximum allowed object size.”. What solution to this problem does AWS recommend?

A

Design your application to use the Multipart Upload API for all objects.

113
Q

Q19: You are a solutions architect working for a large engineering company that is moving from a legacy infrastructure to AWS. You have configured the company’s first AWS account and you have set up IAM. Your company is based in Andorra, but there will be a small subsidiary operating out of South Korea, so that office will need its own AWS environment. Which of the following statements is true?

A

You will need to configure Users and Policy Documents only once, as these are applied globally.

114
Q

Q20: How many S3 buckets can I have per account by default?

A

100

115
Q

Q21: You work for a major news network in Europe. They have just released a new mobile app that allows users to post their photos of newsworthy events in real-time, which are then reviewed by your editors before being copied to your website and made public. Your organization expects this app to grow very quickly, essentially doubling its user base each month. The app uses S3 to store the images, and you are expecting sudden and sizable increases in traffic to S3 when a major news event takes place (as users will be uploading large amounts of content). You need to keep your storage costs to a minimum, and it does not matter if some objects are lost. With these factors in mind, which storage media should you use to keep costs as low as possible?

A

S3 - One Zone-Infrequent Access

116
Q

Q22: You have uploaded a file to S3. Which HTTP code would indicate that the upload was successful?

A

HTTP 200

117
Q

Q23: What is the minimum file size that I can store on S3?

A

0 bytes

118
Q

Q24: You are a developer at a fast-growing startup. Until now, you have used the root account to log in to the AWS console. However, as you have taken on more staff, you will need to stop sharing the root account to prevent accidental damage to your AWS infrastructure. What should you do so that everyone can access the AWS resources they need to do their jobs? (Choose 2)

A

Create individual user accounts with minimum necessary rights and tell the staff to log in to the console using the credentials provided.

Create a customized sign-in link such as “yourcompany.signin.aws.amazon.com/console” for your new users to use to sign in with.

119
Q

Q25: What does S3 stand for?

A

Simple Storage Service

120
Q

Q26: S3 has eventual consistency for which HTTP Methods?

A

overwrite PUTS and DELETES

121
Q

Q27: S3 has what consistency model for PUTS of new objects

A

Read After Write Consistency

122
Q

Q28: You are a security administrator working for a hotel chain. You have a new member of staff who has started as a systems administrator, and she will need full access to the AWS console. You have created the user account and generated the access key id and the secret access key. You have moved this user into the group where the other administrators are, and you have provided the new user with their secret access key and their access key id. However, when she tries to log in to the AWS console, she cannot. Why might that be?

A

You cannot log in to the AWS console using the Access Key ID / Secret Access Key pair. Instead, you must generate a password for the user, and supply the user with this password and your organization’s unique AWS console login URL.

123
Q

Q29: What is an additional way to secure the AWS accounts of both the root account and new users alike?

A

Implement Multi-Factor Authentication for all accounts.

124
Q

Q30: You are a solutions architect who works with a large digital media company. The company has decided that they want to operate within the Japanese region and they need a bucket called “testbucket” set up immediately to test their web application on. You log in to the AWS console and try to create this bucket in the Japanese region however you are told that the bucket name is already taken. What should you do to resolve this?

A

Bucket names are global, not regional. This is a popular bucket name and is already taken. You should choose another bucket name.

125
Q

Q31: What is AWS Storage Gateway?

A

It is a physical or virtual appliance that can be used to cache S3 locally at a customer’s site.

126
Q

Q32: Every user you create in the IAM systems starts with ________.

A

No Permissions

127
Q

Q33: Which of the following is not a feature of IAM?

A

IAM allows you to set up biometric authentication, so that no passwords are required.

128
Q

Q34: You have a client who is considering a move to AWS. In establishing a new account, what is the first thing the company should do?

A

Set up an account using their company email address.

129
Q

Q35: You run a meme creation website where users can create memes and then download them for use on their own sites. The original images are stored in S3 and each meme’s metadata in DynamoDB. You need to decide upon a low-cost storage option for the memes, themselves. If a meme object is unavailable or lost, a Lambda function will automatically recreate it using the original file from S3 and the metadata from DynamoDB. Which storage solution should you use to store the non-critical, easily reproducible memes in the most cost-effective way?

A

S3 - OneZone-IA is the recommended storage for when you want cheaper storage for infrequently accessed objects.

130
Q

Q36: You work for a busy digital marketing company who currently store their data on-premise. They are looking to migrate to AWS S3 and to store their data in buckets. Each bucket will be named after their individual customers, followed by a random series of letters and numbers. Once written to S3 the data is rarely changed, as it has already been sent to the end customer for them to use as they see fit. However, on some occasions, customers may need certain files updated quickly, and this may be for work that has been done months or even years ago. You would need to be able to access this data immediately to make changes in that case, but you must also keep your storage costs extremely low. The data is not easily reproducible if lost. Which S3 storage class should you choose to minimize costs and to maximize retrieval times?

A

S3 - IA. Glacier has a long recovery time at a low cost or a shorter recovery time at a high cost, and 1Zone-IA has a lower Availability level, which means that it may not be available when needed.

131
Q

Q37: You have created a new AWS account for your company, and you have also configured multi-factor authentication on the root account. You are about to create your new users. What strategy should you consider in order to ensure that there is good security on this account?

A

Enact a strong password policy: user passwords must be changed every 45 days, with each password containing a combination of capital letters, lower case letters, numbers, and special symbols.

132
Q

Q38: Using SAML (Security Assertion Markup Language 2.0), you can give your federated users single sign-on (SSO) access to the AWS Management Console.

A

True

133
Q

Q39: You have been asked to advise on a scaling concern. The client has an elegant solution that works well. As the information base grows they use CloudFormation to spin up another stack made up of an S3 bucket and supporting compute instances. The trigger for creating a new stack is when the PUT rate approaches 100 PUTs per second. The problem is that as the business grows that number of buckets is growing into the hundreds and will soon be in the thousands. You have been asked what can be done to reduce the number of buckets without changing the basic architecture.

A

Change the trigger level to around 3000 as S3 can now accommodate much higher PUT and GET levels.

134
Q

What is EC2?

A

a web service that provides resizable compute capacity in the cloud

  • reduces the time required to obtain and boot new server instances to minutes, allowing you to quickly scale capacity, both up and down, as your computing requirements change.
135
Q

How do you pay for EC2?

A

As you go, for what you use, less as you use more, and even less when you reserve capacity

4 overall options:

  1. On Demand = fixed rate by the hour (or by the second) with no commitment
  2. Reserved = capacity reservation (contracts of 1-3 years but significant discounts)
  3. Spot = when Amazon has excess capacity, you can bid whatever price you want for instance capacity. Great if you have flexible start and end times for your needs
  4. Dedicated Hosts = physical EC2 servers dedicated for your use
136
Q

When is On-Demand pricing useful?

A
  • Low cost and flexible with no up-front payment or long-term commitment
  • applications with short-term, spiky, or unpredictable workloads that cannot be interrupted
  • New tests on EC2
137
Q

When is Reserved pricing useful?

A
  • Steady state or predictable usage
  • Applications that require reserved capacity
  • when you can afford to make up-front payments
  1. Standard reserved instances (up to 75 % off)
  2. Convertible Reserved instances (up to 54 % off)
  3. Scheduled Reserved Instances (specific time windows)
138
Q

When is Spot pricing useful?

A

Applications that have flexible start and end times as Amazon can buy them back

Applications that are only feasible at very low compute prices

Users with urgent computing needs for large amounts of additional capacity

139
Q

When is Dedicated host pricing useful?

A
  • For regulatory requirements
  • Great for licensing which does not support multi-tenant or cloud deployments (like licenses with Oracle)
  • Can be purchased on-demand (hourly)
  • Can be purchased as a reservation for up to 70 % off standard price
140
Q

How are you charged for EC2 Spot Instances?

A

If the Spot instance is terminated by Amazon EC2, you’ll not be charged for a partial hour of usage. However, if you terminate the instance yourself, you’ll be charged for any hour in which the instance ran.

141
Q

What are T3s?

A

low cost, general purpose instances (used for web servers and small databases)

142
Q

What happens if a Spot instance is terminated?

A

If terminated by Amazon, you will not be charged for a partial hour of usage.

However, if you terminate the instance yourself, you will be charged for any hour in which the instance ran.

143
Q

What is IOPS?

A

Instance Output Per second = how fast your hard disk drive is

144
Q

Can you encrypt your root device volumes?

A

yes… Even from the beginning when you create it

can also be encrypted using third party tools such as bit locker

145
Q

Is termination protection on or off by default?

A

It is turned OFF by default so you must turn it on

146
Q

What happens to an EBS backed instance when terminated?

A

On an EBS-backed instance, the default action is for the root EBS volume to be deleted when the instance is terminated

147
Q

How quickly do changes in security group settings take effect?

A

IMMEDIATELY

148
Q

What also happens when you create an inbound security group rule?

A

it also creates an outbound rule at the same time

149
Q

What is the default setting for inbound traffic?

A

the security is set to block ALL inbound traffic by default

(all outbound traffic is allowed)

150
Q

How many EC2 instances can you have within a security group?

A

any number

151
Q

Can you only have one security group attached to an EC2 instance?

A

No… you can have multiple security groups attached to one EC2 instance

152
Q

What does it mean that security groups are STATEFUL?

A

if you create an inbound rule allowing traffic in, that traffic is automatically allowed back out again

153
Q

How can you block specific IP addresses?

A

Using Network Access Control Lists

(NOT using security groups)

154
Q

Can you set up deny rules in security groups?

A

NO!

only allow rules (no deny rules)

(deny rules can be made in Network Access Control Lists but that is different)

155
Q

What is EBS?

A

Elastic Block Store

= virtual hard disk in the cloud that provides persistent block storage volumes for use with Amazon EC2 instances.

156
Q

What are the 5 types of EBS Storage and what are they useful for?

A
  • General Purpose SSD
    • Most workloads
  • Provisioned IOPS SSD
    • Databases
  • Throughput Optimised HDD
    • Big data and data warehouses
  • Cold HDD (also magnetic)
    • File servers
  • EBS Magnetic
    • workloads where data is infrequently accessed
157
Q

Where will the EBS volume be located?

A

EBS volumes will always be in the same availability zone as your EC2 instance

158
Q

Are volumes terminated as you terminate the EC2 instance?

A

By default, the ROOT volume is terminated together with the EC2 instance.

However, additional volumes are not deleted unless specified.

159
Q

What are snapshots?

A

photographs of the hard disk

(point in time copies of volumes)

160
Q

What does it mean that snapshots are incremental?

A

only the blocks that have changed since your last snapshot are moved/replicated to S3

161
Q

What is best practice when creating a snapshot for Amazon EBS volumes that serve as root devices?

A

you should stop the instance before taking the snapshot when trying to create a snapshot for Amazon EBS volumes that serve as root devices

but… you can also take a snapshot while the instance is running.

162
Q

Can you create AMIs from volumes or snapshots?

A

both…

163
Q

When can you change EBS volume sizes?

A

on the fly

both size and storage types can be changed any time.

164
Q

How do you move an EC2 volume from one availability zone to another?

A

take a snapshot of it, create an AMI from the snapshot and then use the AMI to launch the EC2 instance in a new availability zone.

165
Q

How do you move an EC2 volume from one REGION to another?

A

take a snapshot of it, create an AMI from the snapshot and then COPY the AMI from one region to the other

Next, use the copied AMI to launch the new EC2 instance in the new region

166
Q

What are the two different types of AMIs?

A
  • EBS Volumes
    • root device for an instance launched from the AMI is an Amazon EBS Volume created from an Amazon EBS snapshot
  • Instance Store Volumes (Ephemeral Storage)
    • root device for an instance launched from the AMI is an instance store volume created from a template stored in Amazon S3.
167
Q

What can you select AMI based on?

A
  1. Region
  2. Operating system
  3. Architecture (32bit or 64bit)
  4. Launch permissions
  5. Storage for the root device
    1. Instance Store Volumes
    2. EBS Backed Volumes
168
Q

What is important to note about instance store volumes?

A
  • CANNOT be stopped.
    • If the underlying host fails, you will lose your data
  • can reboot
169
Q

What is important to note about EBS backed instances?

A
  • CAN be stopped
    • will not lose your data if it is stopped
  • can reboot
  • can tell AWS to keep the root volume when terminating the EBS volume if you want
170
Q

What are Encrypted root device volumes?

A

The hard disk that has the operating system on it.

back in the day you could not encrypt this when you created it, but now you can encrypt it immediately at creation

if you have not done it from the beginning

  • Create a snapshot of the unencrypted root device volume
  • Create a copy of the snapshot and select the encrypt option
  • Create an AMI from the encrypted snapshot
  • Use that AMI to launch new encrypted instances
171
Q

How do you encrypt your root device volume?

A

back in the day you could not encrypt this when you created it, but now you can encrypt it immediately at creation

if you have not done it from the beginning

  • Create a snapshot of the unencrypted root device volume
  • Create a copy of the snapshot and select the encrypt option
  • Create an AMI from the encrypted snapshot
  • Use that AMI to launch new encrypted instances
172
Q

What is CloudWatch?

A

Amazon CloudWatch is a monitoring service to monitor your AWS resources as well as the applications you run within AWS

= PERFORMANCE MONITORING

Monitor

  • Compute
    • EC2 instances, autoscaling groups, elastic load balancers, route53 health checks
  • Storage and content delivery
    • EBS Volumes
    • Storage Gateways
    • CloudFront
173
Q

What are the host level metrics of CloudWatch?

A
  • CPU
  • Network
  • Disk
  • Status Check
174
Q

What is AWS CloudTrail?

A

think of CloudTrail as a CCTV (camera) that increases visibility into your user and resource activity by recording AWS Management Console actions and API calls.

Using CloudTrail, you can identify which users and accounts called AWS, the source IP address from which the calls were made and when the calls occurred.

(DO NOT confuse with CloudWatch which is for performance monitoring)

175
Q

How frequently will CloudWatch monitor?

A

every 5 minutes by default, but it can be turned down to 1 minute intervals (detailed monitoring), for example

176
Q

What are the 4 main features of CloudWatch?

A
  • Dashboards
    • awesome dashboards to see what is happening with your AWS environment
  • Alarms
    • alarms to notify when you reach specified thresholds
  • Events
    • helps you respond to state changes in your AWS resources
  • Logs
    • helps you aggregate, monitor and store logs
177
Q

What is the AWS Command Line (CLI)?

A

Can be used through terminal after connecting with key pair and setting up the access through IAM.

then AWS can be accessed from anywhere in the world

178
Q

What is smart about Roles?

A
  • Roles are more secure than storing your access key and secret access key on individual EC2 instances
  • Roles are also easier to manage
  • Roles can be assigned to an EC2 instance after it is created using the console & command line
  • Roles are universal - you can use them in any region
179
Q

What are bootstrap scripts?

A

A way of automating your AWS EC2 deployment.

running it at the command line => can run individual command line commands as scripts (updates, installations, httpd starts, opening of web page, make buckets, create files etc.)

(set up when configuring instances from the AMI creation panel)

180
Q

What is Instance Metadata for?

A

used to get information about an instance (e.g. public IP)

retrieved with something like…

curl http://169.254.169.254/latest/meta-data/

curl http://169.254.169.254/latest/user-data/

181
Q

What is EFS?

A

Elastic File System = a file storage service for Amazon Elastic Compute Cloud (EC2) instances.

=> With Amazon EFS, storage capacity is ELASTIC, growing and shrinking automatically as you add and remove files, so your applications have the storage they need, when they need it

182
Q

What are the 3 types of Placement Groups?

A
  • Cluster Placement Group
  • Spread Placement Group
  • Partitioned Placement Group
183
Q

What are Cluster Placement Groups?

A

A grouping of instances within a single availability zone.

Recommended for applications that need low network latency, high network throughput, or both.

putting instances as close as possible

184
Q

What are Spread Placement Groups?

A
  • group of instances each placed on DISTINCT underlying hardware
  • Spread placement groups are recommended for applications that have a small number of critical EC2 instances that should be kept separate from each other
  • can only have 7 running instances per availability zone

think of individual instances

(opposite of clustered placement group)

185
Q

What are Partitioned Placement Groups?

A
  • Similar to spread placement groups BUT you can have multiple EC2 instances within a partition.
    • each partition is on its own set of racks where each rack has its own network and power source
      • this allows you to isolate the impact of hardware failure within your application
    • for multiple EC2 instances: HDFS, HBase, Cassandra

think of multiple instances

186
Q

How can the 3 different Placement Groups span across availability zones and regions?

A
  • Clustered
    • only within one availability zone
  • Spread and Partitioned
    • within MULTIPLE availability zones BUT still the same region
187
Q

How should the naming of placement groups be?

A

unique within your own AWS account

188
Q

What does AWS recommend for clustered placement groups?

A

homogeneous instances = same type of hardware and so on in the horizontal scaling

189
Q

Can you merge placement groups?

A

no…

190
Q

Can you move existing instances into a placement group?

A

no…

but…. you can create an AMI from your existing instance, then launch a new instance from the AMI into a placement group.

191
Q

Which AWS CLI command should I use to create a snapshot of an EBS volume?

A

aws ec2 create-snapshot

192
Q

Individual instances are provisioned in ….

A

availability zones

193
Q

What is the underlying Hypervisor for EC2? (choose 2)

A

Nitro and Xen

194
Q

Can you attach an EBS volume to more than one EC2 instance at the same time?

A

no..

195
Q

What type of storage are EBS volumes?

A

block based storage

196
Q

In order to enable encryption at rest using EC2 and Elastic Block Store, you must ________

A

configure encryption when creating the EBS volume

197
Q

Which of the following provide the lowest cost EBS options? (choose 2)

  • Throughput optimized (st1)
  • Cold (sc1)
  • Provisioned IOPS (io1)
  • General purpose (gp2)
A

cold (sc1)

throughput optimised (st1)

198
Q

Is it possible to perform actions on an existing Amazon EBS Snapshot?

A

Yes, through the AWS APIs, CLI, and AWS Console

199
Q

EBS Snapshots are backed up to S3 in what manner?

A

incrementally

200
Q

Q1: EBS Snapshots are backed up to S3 in what manner?

A

Incrementally

201
Q

Q2: You have developed a new web application in the US-West-2 Region that requires six Amazon Elastic Compute Cloud (EC2) instances to be running at all times. US-West-2 comprises three Availability Zones (us-west-2a, us-west-2b, and us-west-2c). You need 100 percent fault tolerance: should any single Availability Zone in us-west-2 become unavailable, the application must continue to run. How would you make sure 6 servers are ALWAYS available? NOTE: each answer has 2 possible deployment configurations. Select the answer that gives TWO satisfactory solutions to this scenario.

A

Solution 1: us-west-2a with six EC2 instances, us-west-2b with six EC2 instances, and us-west-2c with no EC2 instances. Solution 2: us-west-2a with three EC2 instances, us-west-2b with three EC2 instances, and us-west-2c with three EC2 instances.

You need to work through each case to find which will provide you with the required number of running instances even if one AZ is lost. Hint: always assume that the AZ you lose is the one with the most instances. Remember that the client has stipulated that they MUST have 100% fault tolerance.

202
Q

Q3: In order to enable encryption at rest using EC2 and Elastic Block Store, you must ________.

A

Configure encryption when creating the EBS volume

The use of encryption at rest is a default requirement for many industry compliance certifications. Using AWS managed keys to provide EBS encryption at rest is a relatively painless and reliable way to protect assets and demonstrate your professionalism in any commercial situation.

203
Q

Q4: When creating a new security group, all inbound traffic is allowed by default.

A

False

There are slight differences between a normal ‘new’ Security Group and a ‘default’ security group in the default VPC. For a ‘new’ security group nothing is allowed in by default.

204
Q

Q5: You are consulting for a mid-sized company with a predominantly Mac & Linux desktop environment. In passing they comment that they have over 30TB of unstructured Word and spreadsheet documents, of which 85% don’t get accessed again after about 35 days. They wish that they could find a quick and easy solution to have tiered storage to store these documents in a more cost-effective manner without impacting staff access. What options can you offer them? (Choose 2)

A

Migrate documents to File Gateway presented as NFS and make use of life-cycle using Infrequent Access storage.

Migrate documents to EFS storage and make use of life-cycle using Infrequent Access storage.

Trying to use S3 without File Gateway in front would be a major impact to the user environment. Using File Gateway is the recommended way to use S3 with shared document pools. Life-cycle management and Infrequent Access storage are available for both S3 and EFS. A restriction however is that ‘Using Amazon EFS with Microsoft Windows is not supported’. File Gateway does not support iSCSI on the client side.

205
Q

Q6: You need to know both the private IP address and public IP address of your EC2 instance. You should ________.

A

Retrieve the instance Metadata from http://169.254.169.254/latest/meta-data/.

Instance Metadata and User Data can be retrieved from within the instance via a special URL. Similar information can be extracted by using the API via the CLI or an SDK.

206
Q

Q7: Spread Placement Groups can be deployed across multiple Availability Zones

A

True

Spread Placement Groups can be deployed across availability zones since they spread the instances further apart. Cluster Placement Groups can only exist in one Availability Zone since they are focused on keeping instances together, which you cannot do across Availability Zones.

207
Q

Q8: Can you attach an EBS volume to more than one EC2 instance at the same time?

A

No

208
Q

Q9: Which of the following features only relate to Spread Placement Groups?

A

The placement group can only have 7 running instances per Availability Zone

Spread placement groups have a specific limitation that you can only have a maximum of 7 running instances per Availability Zone and therefore this is the only correct option. Deploying instances in a single Availability Zone is unique to Cluster Placement Groups only and therefore is not correct. The last two remaining options are common to all placement group types and so are not specific to Spread Placement Groups.

209
Q

Q10: The use of a cluster placement group is ideal _______

A

Your fleet of EC2 instances requires high network throughput and low latency within a single availability zone.

Cluster Placement Groups are primarily about keeping your compute resources within one network hop of each other on high speed rack switches. This is only helpful when you have compute loads with network loads that are either very high or very sensitive to latency.

210
Q

Q11: Can I delete a snapshot of an EBS Volume that is used as the root device of a registered AMI?

A

No

211
Q

Q12: Standard Reserved Instances can be moved between regions

A

False

Standard Reserved Instances cannot be moved between regions. You can choose if a Reserved Instance applies to either a specific Availability Zone, or an Entire Region, but you cannot change the region.

212
Q

Q13: Can Spread Placement Groups be deployed across multiple Availability Zones?

A

Spread Placement Groups can be deployed across availability zones since they spread the instances further apart. Cluster Placement Groups can only exist in one Availability Zone since they are focused on keeping instances together, which you cannot do across Availability Zones.

213
Q

Q14: To retrieve instance metadata or user data you will need to use the following IP Address:

A

http://169.254.169.254

214
Q

Q15: In addition to choosing the correct EBS volume type for your specific task, what else can be done to increase the performance of your volume? (Choose 3)

A

Schedule snapshots of HDD based volumes for periods of low use

Stripe volumes together in a RAID 0 configuration.

Ensure that your EC2 instances are types that can be optimized for use with EBS

There are a number of ways you can optimise performance above that of choosing the correct EBS type. One of the easiest options is to drive more I/O throughput than you can provision for a single EBS volume, by striping using RAID 0. You can join multiple gp2, io1, st1, or sc1 volumes together in a RAID 0 configuration to use the available bandwidth for these instances. You can also choose an EC2 instance type that supports EBS optimisation. This ensures that network traffic cannot contend with traffic between your instance and your EBS volumes. The final option is to manage your snapshot times, and this only applies to HDD based EBS volumes. When you create a snapshot of a Throughput Optimized HDD (st1) or Cold HDD (sc1) volume, performance may drop as far as the volume’s baseline value while the snapshot is in progress. This behaviour is specific to these volume types. Therefore you should ensure that scheduled snapshots are carried out at times of low usage. The one option on the list which is entirely incorrect is the option that states “Never use HDD volumes, always ensure that SSDs are used”, as the question first states “In addition to choosing the correct EBS volume type for your specific task”. HDDs may well be suitable to certain tasks and therefore they shouldn’t be discounted because they may not have the highest specification on paper.

215
Q

Q16: Amazon’s EBS volumes are ________.

A

Block based storage

EBS, EFS, and FSx are all storage services based on Block storage.

216
Q

Q17: What is the underlying Hypervisor for EC2 ? (Choose 2)

A

ESX

Xen

Until very recently AWS exclusively used Xen Hypervisors. Recently they started making use of Nitro Hypervisors.

217
Q

Q18: If an Amazon EBS volume is an additional partition (not the root volume), can I detach it without stopping the instance?

A

Yes, although it may take some time.

218
Q

Q19: Is it possible to perform actions on an existing Amazon EBS Snapshot?

A

Yes, through the AWS APIs, CLI, and AWS Console.

219
Q

Q20: I can use the AWS Console to add a role to an EC2 instance after that instance has been created and powered-up.

A

True

220
Q

Q21: To help you manage your Amazon EC2 instances, you can assign your own metadata in the form of ________.

A

Tags

Tagging is a key part of managing an environment. Even in a lab, it is easy to lose track of the purpose of a resource, and tricky to determine why it was created and if it is still needed. This can rapidly translate into lost time and lost money.

221
Q

Q22: I can change the permissions to a role, even if that role is already assigned to an existing EC2 instance, and these changes will take effect immediately.

A

True

222
Q

Q23: Will an Amazon EBS root volume persist independently from the life of the terminated EC2 instance to which it was previously attached? In other words, if I terminated an EC2 instance, would that EBS root volume persist?

A

Only if I specify (using either the AWS Console or the CLI) that it should do so.

You can control whether an EBS root volume is deleted when its associated instance is terminated. The default delete-on-termination behaviour depends on whether the volume is a root volume, or an additional volume. By default, the DeleteOnTermination attribute for root volumes is set to ‘true.’ However, this attribute may be changed at launch by using either the AWS Console or the command line. For an instance that is already running, the DeleteOnTermination attribute must be changed using the CLI.

223
Q

Q24: Which of the following provide the lowest cost EBS options? (Choose 2)

A

Cold (sc1)

Throughput Optimized (st1)

Of all the EBS types, both current and of the previous generation, HDD based volumes will always be less expensive than SSD types. Therefore, of the options available in the question, the Cold (sc1) and Throughput Optimized (st1) types are HDD based and will be the lowest cost options.

224
Q

Q25: You can add multiple volumes to an EC2 instance and then create your own RAID 5/RAID 10/RAID 0 configurations using those volumes.

A

True

225
Q

Q26: Which AWS CLI command should I use to create a snapshot of an EBS volume?

A

aws ec2 create-snapshot

226
Q

Q27: Individual instances are provisioned ________.

A

In Availability Zones

227
Q

What are the two most important features of relational databases in regards to AWS?

A
  • Multi-Availability Zones = for disaster recovery
  • Read replicas = for performance
    • can send some of the traffic to the read replicas so your site does not crash
228
Q

What is data warehousing used for?

A

used to pull in very large and complex data sets… usually used by management to do queries on data

229
Q

What is OLTP and OLAP?

A

Online Transaction Processing (OLTP) = for relational databases

and…

Online Analytical Processing (OLAP) (a lot of queries, more complicated) = for non-relational databases

these two differ widely

230
Q

What is Redshift?

A

Redshift is for OLAP (online analytical processing) by Amazon. Data warehouse solution by Amazon.

Redshift is used for business intelligence.

231
Q

What is RDS for?

A

OLTP: Online Transaction Processing (OLTP) = for relational databases

  • SQL
  • MySQL
  • PostgreSQL
  • Oracle
  • Aurora
  • MariaDB
232
Q

What does RDS run on?

A

virtual machines, and you have no access to those virtual machines (you cannot log in to their operating systems)

Patching of the RDS operating system and DB is Amazon’s responsibility

233
Q

Is RDS serverless?

A

no…

(with the exception of Aurora Serverless)

234
Q

What are the types of backups for RDS?

A
  • Automatic backups
    • recover your database to any point in time within a “retention period”.
    • Automated backups take full daily snapshots
    • Automated backups are enabled by default
    • Backups are stored in S3
    • You Get free storage space equal to the size of your database (10gb RDS Instance = 10gb worth of storage)
  • Database Snapshots
    • Are user-initiated / done manually
    • Stored even after you delete the original RDS instance (unlike automated backups)
235
Q

What happens when you restore an RDS backup?

A

When you restore a backup, the restored version will be a new RDS instance with a new DNS endpoint.

236
Q

How does encryption work with RDS backups?

A

As soon as your RDS instance is encrypted, the data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas and snapshots.

237
Q

What is smart about Multi-AZ?

A

in the event of planned database maintenance, DB instance failure or an Availability Zone failure, Amazon RDS will automatically failover to the standby so that database operations can resume quickly without administrative intervention

the backup/copy of your production database is automated when it has been enabled

238
Q

What databases is Multi-AZ available for?

A
  • SQL Server
  • Oracle
  • MySQL Server
  • PostgreSQL
  • MariaDB

(NOT Aurora as it has its own different architecture)

239
Q

What are read replicas for?

A

Read replicas allow you to have a read-only copy of your production database.

You use read-replicas primarily for very read-heavy database workloads

Used for scaling / to increase performance

240
Q

What databases are read replicas available for?

A
  • Oracle
  • MySQL Server
  • PostgreSQL
  • MariaDB
  • Aurora

(NOT for SQL Server)

241
Q

What databases is encryption at rest supported for?

A

all 6 database systems. Set up using KMS (Key Management Service)

  • SQL Server
  • Oracle
  • MySQL Server
  • PostgreSQL
  • MariaDB
  • Aurora
242
Q

How many read replicas can you have of a single database?

A

5

and you can have read replicas of read replicas (which may give latency)

243
Q

How do read replicas work with Multi-AZ?

A

You can have read replicas that have multi-AZ

and… you can create read replicas of multi-AZ source databases

(you can even have a read replica in a second region)

244
Q

What must be remembered for read replicas in regard to endpoints?

A

each read replica will have its own DNS endpoint

245
Q

What happens if you promote a read replica to master?

A

it will break the other read replicas

246
Q

What is DynamoDB?

A

Amazon’s NoSQL database solution (opposite of RDS)

used when you need consistent, single-digit millisecond latency at any scale

DynamoDB = SERVERLESS

247
Q

What should be remembered about DynamoDB?

A
  • Stored on SSD Storage
  • Spread across 3 geographically distinct data centres
  • Eventual consistent read (default) (1 second)
  • Strongly consistent read (optional = less than 1 second)
248
Q

What is the difference between eventual and strongly consistent read?

A
  • Eventual consistent read
    • Consistency across all copies of data is usually reached within a second
  • Strongly consistent read
    • a strongly consistent read returns a result that reflects all writes that received a successful response prior to the read = this is basically immediate (in less than 1 second)
249
Q

How is Redshift configured?

A
  • Single-node (160gb)
  • or… Multi Node
    • Leader node (client connections and receives queries)
    • Compute node (stores data and performs queries and computations); can have up to 128 compute nodes behind the leader node
250
Q

How is Redshift able to compress?

A

as a non-relational database system it can compress the data much more and thus uses much less space

251
Q

What is MPP?

A

Massively Parallel Processing

a part of Amazon Redshift that automatically distributes data and query load across all nodes.

for fast query performance as data warehouse grows

252
Q

How do backups work with Redshift?

A
  • Enabled by default with a 1 day retention period
  • Maximum retention period is 35 days
  • Always attempts to maintain at least 3 copies of your data (original, replica and backup in S3)
  • can also replicate snapshots to S3 in another region for disaster recovery
253
Q

How is Redshift priced?

A
  • Compute node Hours = total number of hours you run across all your compute nodes for the billing period
    • not charged for leader node hours
  • backups
  • Data transfer
254
Q

What is the availability of Redshift?

A

Only available in 1 availability zone at a time

255
Q

What is Amazon Aurora?

A

a MySQL compatible, relational database engine that combines the speed and availability of high-end commercial databases.

256
Q

What should you know about Aurora?

A

Starts at 10gb (scales in 10gb increments to 64 TB)

compute resources can scale up to 32vCPUs and 244GB memory

2 copies of your data are contained in each availability zone, with a minimum of 3 availability zones (6 copies of your data)

257
Q

What are the two types of read replicas with Aurora?

A
  • Aurora replicas (up to 15 available)
    • automated failover only available with Aurora replicas
  • MySQL Read replicas (up to 5 available)
258
Q

How do backups work with Aurora?

A
  • Automated backups are enabled on Amazon Aurora DB instances
  • Snapshots are also possible
    • and these can be shared with other AWS accounts
259
Q

What is ElastiCache for?

A

used to improve the performance of web applications by allowing you to retrieve information from fast, managed, in-memory caches, instead of relying entirely on slower disk-based databases.

used to speed up performance of existing databases (frequent identical queries)

260
Q

Which open-source in-memory caching engines does ElastiCache support?

A
  • Memcached
    • for very simple things
  • Redis
    • multi-AZ and backup and restores possible
261
Q

Q1: When you add a rule to an RDS DB security group, you must specify a port number or protocol.

A

False

Technically a destination port number is needed, however with a DB security group the RDS instance port number is automatically applied to the RDS DB Security Group.

262
Q

Q2: If I wanted to run a database on an EC2 instance, which of the following storage options would Amazon recommend?

A

EBS

263
Q

Q3: What data transfer charge is incurred when replicating data from your primary RDS instance to your secondary RDS instance?

A

There is no charge associated with this action.

264
Q

Q4: How many copies of my data does RDS - Aurora store by default?

A

6

265
Q

Q5: RDS Reserved instances are available for multi-AZ deployments.

A

True

266
Q

Q6: Which of the following AWS services is a non-relational database?

A

DynamoDB

267
Q

Q7: MySQL installations default to port number ________.

A

3306

268
Q

Q8: Which of the following is most suitable for OLAP?

A

Redshift would be the most suitable for online analytics processing.

269
Q

Q9: Which of the following data formats does Amazon Athena support? (Choose 3)

A

Apache Parquet

JSON

Apache ORC

Amazon Athena is an interactive query service that makes it easy to analyse data in Amazon S3, using standard SQL commands. It will work with a number of data formats including “JSON”, “Apache Parquet”, “Apache ORC” amongst others, but “XML” is not a format that is supported.

270
Q

Q10: In RDS, what is the maximum value I can set for my backup retention period?

A

35 Days

271
Q

Q11: What happens to the I/O operations of a single-AZ RDS instance during a database snapshot or backup?

A

I/O may be briefly suspended while the backup process initializes (typically under a few seconds), and you may experience a brief period of elevated latency.

272
Q

Q12: Which set of RDS database engines is currently available?

A

Oracle, SQL Server, MySQL, PostgreSQL

273
Q

Q13: If you want your application to check RDS for an error, have it look for an ______ node in the response from the Amazon RDS API.

A

Error

274
Q

Q14: Which AWS DB platform is most suitable for OLTP?

A

RDS

275
Q

Q15: When creating an RDS instance, you can select the Availability Zone into which you deploy it.

A

True

276
Q

Q16: You can RDP or SSH into an RDS instance to see what is going on with the operating system.

A

False

277
Q

Q17: AWS’s NoSQL product offering is known as ________.

A

DynamoDB

278
Q

Q18: Under what circumstances would I choose provisioned IOPS over standard storage when creating an RDS instance?

A

If you use online transaction processing in your production environment.

Provisioned IOPS becomes important when you are running production environments requiring rapid responses, such as those which run e-commerce websites. Without highly performant responses from an RDS instance, page loads of the website could suffer, resulting in loss of business. If your workloads are not latency sensitive or you are running a test environment, the additional cost of provisioned IOPS will not be cost beneficial to your project.

279
Q

Q19: You are hosting a MySQL database on the root volume of an EC2 instance. The database is using a large number of IOPS, and you need to increase the number of IOPS available to it. What should you do?

A

Add 4 additional EBS SSD volumes and create a RAID 10 using these volumes.

280
Q

Q20: Which of the following DynamoDB features are chargeable, when using a single region? (Choose 2)

A

Storage of Data

Read and Write Capacity

There will always be a charge for provisioning read and write capacity and the storage of data within DynamoDB, therefore these two answers are correct. There is no charge for the transfer of data into DynamoDB, providing you stay within a single region (if you cross regions, you will be charged at both ends of the transfer). There is no charge for the actual number of tables you can create in DynamoDB, providing the RCU and WCU are set to 0; however, in practice you cannot set this to anything less than 1, so there will always be a nominal fee associated with each table.

281
Q

Q21: If you are using Amazon RDS Provisioned IOPS storage with a Microsoft SQL Server database engine, what is the maximum size RDS volume you can have by default?

A

16TB

282
Q

Q22: With new RDS DB instances, automated backups are enabled by default?

A

True

283
Q

Q23: In RDS, changes to the backup window take effect ________.

A

Immediately

284
Q

Q24: Amazon’s ElastiCache uses which two engines?

A

Redis & Memcached

285
Q

Q25: Which of the following is not a feature of DynamoDB?

A

Single availability zone by default

DynamoDB is the AWS managed NoSQL database service. It has many features that are being added to constantly, making it a great service to use for many different requirements. The incorrect feature is DynamoDB only being single availability zone by default, making this the correct answer. DynamoDB is distributed across three geographically distinct datacentres by default; all of the other options listed are valid features of DynamoDB.

286
Q

Q26: Which AWS service is ideal for Business Intelligence Tools/Data Warehousing?

A

Redshift

287
Q

Why is it called route53?

A

because DNS is on port 53

288
Q

What is DNS?

A

just think of a phone book.

DNS is used to convert human-friendly domain names into an IPv4 or IPv6 address.

So from acloud.guru to 82.124.53.1

289
Q

What is the difference between IPv4 and IPv6?

A
  • IPv4 is a 32-bit field with 4+ billion different addresses
  • IPv6 has 128-bits which gives 340 undecillion addresses
    • = invented because the 4.3 billion addresses of IPv4 were not enough

Currently both IPv4 and IPv6 are used

290
Q

What are top level domains?

A

.com

.edu

.gov(top-level)

.co(second-level).uk(top-level)

.com(second-level).au(top-level)

291
Q

What is the IANA?

A

Internet Assigned Numbers Authority

those that make the top-level domains

292
Q

What is a Domain Registrar?

A

entities which serve the purpose of organising the distribution of domain names such that they are not duplicated.

all registered domain names end up in WhoIS.

(examples….GoDaddy.com, 123-reg.co.uk, Amazon, DanDomain.dk etc.)

293
Q

What are NS records?

A

Name Server Records

used by Top Level Domain servers to direct traffic to the Content DNS server which contains the authoritative DNS records

294
Q

What is an A record?

A

An “A” record is the fundamental type of DNS record.

A stands for Address.

The A record is used by a computer to translate the name of the domain to an IP address so from www.acloud.guru to 123.10.10.80

295
Q

What is TTL?

A

Time to Live

the length of time that a DNS record is cached on either the Resolving Server or the user's own local PC is equal to the value of the "time to live" (TTL) in seconds.

so for example a user could cache your homepage for 48 hours.

296
Q

What’s a CName?

A

A Canonical Name … can be used to resolve one domain name to another.

essentially just that you have both..

https://m.acloud.guru and
https://mobile.acloud.guru

297
Q

What are alias records for?

A

used to map resource record sets in your hosted zone to Elastic Load Balancers, CloudFront distributions, or S3 buckets that are configured as websites.

Alias Records work like CNAME records BUT….. CNAME can’t be used for naked domain names (= without www in front of it)

298
Q

Do Elastic Load Balancers have pre-defined IPv4 addresses?

A

No…

You must resolve to them using a DNS name.

299
Q

What should you choose if you can choose between Alias Record and CNAME?

A

Always Alias Record

300
Q

What are some common DNS types?

A
  • SOA Records (Start of Authority)
  • NS Records (Name Server)
  • A Records (Address)
  • CNAMES (Canonical Name)
  • MX Records
  • PTR Records
301
Q

What routing policies are available with Route53?

A
  • Simple Routing
  • Weighted routing
  • Latency-based Routing
  • Failover Routing
  • Geolocation Routing
  • GeoProximity Routing
  • Multivalue Answer Routing
302
Q

How does the simple routing policy work?

A

you can only have one record with multiple IP addresses.

if you specify multiple values (IP addresses) in a record, Route53 returns all values to the user in a random order

(it will pick a new place randomly when the TTL expires)

303
Q

How does the weighted routing policy work?

A

allows you to split your traffic based on different weight assigned

e.g. 10% to US-EAST-1 and 90% to EU-WEST-1

(remember TTL still determines when you can update and get different results)

304
Q

How does the latency routing policy work?

A

Allows you to route your traffic based on the lowest network latency for your end user (which gives them the fastest response time)

to do this you have to create a latency resource record set for the Amazon EC2 (or ELB) resource in each region that hosts your website.

305
Q

How does the failover routing policy work?

A

used when you want to create an active/passive set up.

= you may want your primary site to be in EU-WEST-2 and your secondary DR site in AP-SOUTHEAST-2

Route 53 will monitor the health of your primary site using a health check => If a failure is detected in the Active region, users will be directed to the passive.

306
Q

How does the Geolocation routing policy work?

A

lets you choose where your traffic will be sent based on the geographic location of your users

= e.g. all queries from Europe are routed to a fleet of EC2 instances that are specifically configured for European customers (language, prices etc.)

Can be done by country or by continent

(different from latency-based routing)

307
Q

How does the GeoProximity routing policy work? (out of scope for our exam)

A

route traffic to your resources based on the geographic location of your users and your resources.

+you can also insert a bias to route more or less traffic to a resource

(only in Route53 traffic flow mode)

308
Q

How does the Multivalue Answer routing policy work?

A

lets you configure Route 53 to return multiple values, such as IP addresses for your web servers, in response to DNS queries.

The same as simple routing HOWEVER multivalue answers allows you to put health checks on each record set.

309
Q

What is the limit of number of domain names you can manage using Route53?

A

50 is set by default BUT you can increase this limit by contacting AWS support.

310
Q

You have created a new subdomain for your popular website, and you need this subdomain to point to an Elastic Load Balancer using Route53. Which DNS record set should you create?

A

CNAME

311
Q

Q1: You have created a new subdomain for your popular website, and you need this subdomain to point to an Elastic Load Balancer using Route53. Which DNS record set should you create?

A

CNAME

312
Q

Q2: Which of the following Route 53 policies allow you to a) route data to a second resource if the first is unhealthy, and b) route data to resources that have better performance?

A

Failover Routing and Latency-based Routing

Failover Routing and Latency-based Routing are the only two correct options, as they consider routing data based on whether the resource is healthy or whether one set of resources is more performant than another. Any answer containing location based routing (Geoproximity and Geolocation) cannot be correct in this case, as these types only consider where the client or resources are located before routing the data. They do not take into account whether a resource is online or slow. Simple Routing can also be discounted as it does not take into account the state of the resources.

313
Q

Q3: True or False: There is a limit to the number of domain names that you can manage using Route 53.

A

True and False. With Route 53, there is a default limit of 50 domain names. However, this limit can be increased by contacting AWS support.

314
Q

Q4: Your company hosts 10 web servers all serving the same web content in AWS. They want Route 53 to serve traffic to random web servers. Which routing policy will meet this requirement, and provide the best resiliency?

A

Multivalue answer routing lets you configure Amazon Route 53 to return multiple values, such as IP addresses for your web servers, in response to DNS queries. Route 53 responds to DNS queries with up to eight healthy records and gives different answers to different DNS resolvers. The choice of which to use is left to the requesting service, effectively creating a form of randomisation.

315
Q

Q5: In AWS Route 53, which of the following are true? (Choose 2)

A

Route 53 allows you to create an Alias record at the top node of a DNS namespace (zone apex)

Alias Records provide a Route 53–specific extension to DNS functionality

Alias Records have special functions that are not present in other DNS servers. Their main function is to provide special functionality and integration into AWS services. Unlike CNAME records, they can also be used at the Zone Apex, where CNAME records cannot. Alias Records can also point to AWS Resources that are hosted in other accounts by manually entering the ARN.

316
Q

Q6: Route 53 is Amazon’s DNS Service.

A

True

317
Q

Q7: You have an enterprise solution that operates Active-Active with facilities in Regions US-West and India. Due to growth in the Asian market you have been directed by the CTO to ensure that only traffic in Asia (between Turkey and Japan) is directed to the India Region. Which of these will deliver that result? (Choose 2)

A

Route 53 - Geoproximity routing policy

Route 53 - Geolocation routing policy

The instruction from the CTO is clear that the division is based on geography. Latency-based routing will approximate geographic balance only when all routes and traffic are evenly supported, which is rarely the case due to infrastructure and day/night variations. You cannot combine blacklisting and whitelisting in CloudFront. Weighted routing is randomized and will not respect geo boundaries. Geolocation is based on national boundaries and will meet the needs well. Geoproximity is based on latitude & longitude and will also provide a good approximation with potentially less configuration.

318
Q

Q8: You are hosting a website and would like visitors from United Kingdom to see a different site than those in Australia. Which Routing Policy would help you to accomplish this?

A

Geolocation routing policy

Geolocation routing lets you choose the resources that serve your traffic based on the geographic location of your users, meaning the location that DNS queries originate from. For example, you might want all queries from Europe to be routed to an ELB load balancer in the Frankfurt region.

319
Q

Q9: Route 53 is named so because ________.

A

The DNS Port is on Port 53 and Route 53 is a DNS Service.

320
Q

What is a VPC?

A

A virtual data center in the cloud (logical datacenter in AWS)

…so you create your own data center within AWS and then have a ton of opportunities for customisation and management.

321
Q

What does a VPC consist of?

A
  • Internet gateways or Virtual Private gateways
  • Route Tables
  • Network access control lists
  • Subnets
  • Security groups
322
Q

What are the two ways into a VPC?

A
  • Internet Gateway
  • Virtual Private Gateway
323
Q

What are the 3 IP address ranges reserved for private subnets?

A
  • 10.0.0.0
  • 172.16.0.0
  • 192.168.0.0 (192.168.255.255 for example)
324
Q

What can we do with a VPC?

A
  • Launch instances into a subnet of our choosing
    • and Instance security groups
  • Assign custom IP address ranges
  • Configure route tables between subnets
  • Create internet gateway
  • Better security control
  • Subnet network access control lists (ACLS)
325
Q

What is important about the default VPC?

A
  • The default VPC
    • is super user friendly
    • has a route out to the internet
    • gives each EC2 instance both a public AND a private IP address
326
Q

What is VPC peering for?

A

connect one VPC with another via a direct network route using private IP addresses.

you can also peer VPCs with other AWS accounts

Peering is in a star configuration = 1 central VPC peers with 4 others.

  • BUT.. there is no transitive peering (cannot go through A to get to C = has to be direct peering between two)
327
Q

When you build a VPC from scratch in AWS, what will it create when you launch a new VPC?

A
  • The VPC
  • A route table
  • A Network ACL
  • A default Security group

(no subnets, no internet gateway)

328
Q

How many IGW can you connect to a VPC?

A

Only 1 internet gateway

329
Q

How do you create a public route?

A

create new route table

then go and edit the routes and add

0.0.0.0/0 to the internet gateway and choose your VPC

330
Q

How many IP addresses does Amazon reserve within your subnet?

A

always 5

331
Q

What is important to remember about Security groups in relation to VPCs?

A

security groups cannot span across VPCs.

332
Q

What are NAT instances and NAT gateways?

A

Network Address Translation instances and gateways

to ensure that the subnets are not public BUT that we can still download software from our private subnet. So NATs are used to connect to the internet gateway

(NAT instances are on their way out while NAT gateways are what is used today)

333
Q

What is the difference between NAT gateways and NAT instances?

A
  • NAT Gateways = single EC2 instance
  • NAT Instances = Highly available gateway that allows you to communicate with the internet from the private subnet without becoming public
334
Q

What must you remember to do when creating a NAT instance?

A

Disable Source/Destination Check on the instance

335
Q

Should NAT instances be in public or private subnets?

A

Public

336
Q

What is a common issue with NAT instances?

A

that they become bottlenecks = too much traffic = you must increase the instance size

337
Q

How can you increase availability of NAT instances?

A
  • Autoscaling Groups
  • Multiple subnets in different availability zones
  • script to automate failover
338
Q

What must you remember about NAT GATEWAYS?

A
  • They can survive the failure of the EC2 instances that power NAT gateways = redundant inside the AZ
  • NAT Gateways can not span different availability zones
    • so have NAT gateway in each availability zone you use
  • No need to patch operating system (you must for NAT instances)
  • Automatically assigned a public IP address
  • Not associated with security groups
339
Q

What are the traffic rules when creating a new ACL?

A

With new Access Control Lists, all traffic is DENIED / BLOCKED as default

(when you create custom network ACLs)

340
Q

What are ephemeral ports?

A

Ephemeral ports are short-lived transport protocol ports for IP communications.

on servers, Ephemeral ports may also be used as the port assignment on the server end of a communication. This is done to continue communications with a client that initially connected to one of the server’s well-known service listening ports

341
Q

How is the ACL that automatically comes with your VPC configured?

A

the ACL by default allows all outbound and inbound traffic

342
Q

Do subnets in your VPC need a network Access Control List (ACL)?

A

Yes… All need one.

Thus, if you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL

343
Q

With what can you block IP addresses?

A

using Network ACLs (Access Control Lists)

(not possible with security groups)

344
Q

How are Network ACL rules evaluated?

A

in order with the lowest numbered rule first

345
Q

What does it mean that ACLs are stateless?

A

That you must add the same rules to both inbound traffic and outbound traffic

(for security groups it is different as they are stateful)

346
Q

What is a VPC flow log?

A

A feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

Flow log data is stored using Amazon CloudWatch Logs. After you have created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.

347
Q

What levels can you create VPC flow logs at?

A

3 different

  • VPC
  • Subnet
  • Network Interface Level
348
Q

In which case are you not able to enable flow log?

A

for VPCs that are peered with your VPC unless the VPC is in your account

349
Q

What must you remember about flow logs?

A
  • you cannot tag a flow log
  • After you have created a flow log, you cannot change its configuration
  • You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account
350
Q

What traffic is not monitored by VPC flow logs?

A
  • Traffic generated by instances when they contact the Amazon DNS server
  • traffic generated by a Windows instance for Amazon Windows license activation
  • Traffic to and from 169.254.169.254 for instance metadata
  • DHCP traffic
  • Traffic to the reserved IP address for the default VPC router
351
Q

At its core, what do NAT Gateways and NAT instances do?

A

provide internet traffic to EC2 instances in a private subnet

352
Q

What is a Bastion Host?

A

special purpose computer on a network specifically designed and configured to withstand attacks.

A Bastion is used to securely administer EC2 instances (Using SSH or RDP).

The computer usually hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer.

(cannot use a NAT Gateway as a Bastion host)

353
Q

What is Direct Connect?

A

A cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. = a direct connection from your data center to AWS

Useful for high throughput workloads (lots of network traffic) so if you want a stable and reliable and secure connection, use direct connect between your database and AWS

354
Q

What is a VPC Endpoint?

A

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink WITHOUT requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect Connection.

(no need to go outside the AWS network)

355
Q

What are the two types of VPC endpoints?

A
  • Interface Endpoints
    • Elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service
  • Gateway Endpoints
    • supported for Amazon S3 and DynamoDB
356
Q

Within VPC, what is stateless and what is stateful?

A
  • Stateful = Security Groups (creating an inbound rule also creates an outbound rule)
  • Stateless = Network Access Control Lists (must create rules in both inbound and outbound)
357
Q

What must you remember about US-East-1A and US-EAST-1B etc.?

A

they are randomised so 1A is most often not the same place as 1A for another AWS account

358
Q

Should you put allow or deny rules first?

A

the allow rules trump deny rules so….

Put DENY first if you want to deny something

359
Q

A VPN connection consists of which of the following two components?

  • Customer Gateway
  • Cross Connect
  • Direct Connect Gateway
  • Virtual Private Gateway
A

Virtual Private Gateway AND Customer Gateway.

when connecting a VPN between AWS and a third party site, the customer gateway is created within AWS, but it contains information about the third party site, eg. the external IP address and type of routing.

The Virtual Private Gateway has the information regarding the AWS side of the VPN and connects a specified VPC to the VPN.

360
Q

By default, instances in new subnets in a custom VPC can communicate with each other across Availability Zones (TRUE/FALSE)

A

True

In a custom VPC with new subnets in each AZ, there is a Route that supports communication across all subnets/AZs.

361
Q

When I create a new security group, all outbound traffic is allowed by default (TRUE/FALSE).

A

True

362
Q

Which of the following are true for Security Groups? (Choose 3)

  • Security Groups support “allow” rules only.
  • Security Groups process rules in number order when deciding whether to allow traffic.
  • Security Groups operate at the instance level.
  • Security Groups operate at the subnet level.
  • Security Groups evaluate all rules before deciding whether to allow traffic.
  • Security Groups support both “allow” and “deny” rules.
A

Security Groups support “allow” rules only

Security Groups operate at the instance level

Security Groups evaluate all rules before deciding whether to allow traffic

363
Q

How many internet gateways can i attach to my custom VPC?

A

1

364
Q

How many subnets must an application load balancer be deployed into?

A

at least 2

365
Q

Having just created a new VPC and launching an instance into its Public Subnet, you realise that you have forgotten to assign a Public IP to the instance during creation. What is the simplest way to make your instance reachable from the outside world?

A

Create an Elastic IP address and associate it with your instance

366
Q

Security groups act like a firewall at the instance level, whereas _________ are an additional layer of security that act at the subnet level

A

Network ACLs

367
Q

How many internet gateways can you have per VPC?

A

1

368
Q

By default, how many VPCs am I allowed in each AWS Region?

A

5

369
Q

Q1: True or False: An Application Load Balancer must be deployed into at least two subnets.

A

True

370
Q

Q2: When I create a new security group, all outbound traffic is allowed by default.

A

True

371
Q

Q3: By default, instances in new subnets in a custom VPC can communicate with each other across Availability Zones.

A

True

In a custom VPC with new subnets in each AZ, there is a Route that supports communication across all subnets/AZs. Plus a Default SG with an allow rule ‘All traffic, All protocols, All ports, from anything using this Default SG’.

372
Q

Q4: Select the incorrect statement.

A

In Amazon VPC, an instance does not retain its private IP.

373
Q

Q5: By default, how many VPCs am I allowed in each AWS Region?

A

5

374
Q

Q6: What is the purpose of an Egress-Only Internet Gateway? (Choose 2)

A

Allows VPC based IPv6 traffic to communicate to the Internet

Prevents IPv6 based Internet resources initiating a connection into a VPC

The purpose of an “Egress-Only Internet Gateway” is to allow IPv6 based traffic within a VPC to access the Internet, whilst denying any Internet based resources the possibility of initiating a connection back into the VPC.

375
Q

Q7: Which of the following is true?

A

Security Groups are stateful and Network Access Control Lists are stateless.

376
Q

Q8: At which of the following levels can VPC Flow Logs be created? (Choose 3)

A

Subnet Level

VPC Level

Network Interface Level

377
Q

Q9: You have five VPCs in a ‘hub and spoke’ configuration, with VPC ‘A’ in the center and individually paired with VPCs ‘B’, ‘C’, ‘D’, and ‘E’, which make up the ‘spokes’. There are no other VPC connections. Which of the following VPCs can VPC ‘B’ communicate with directly?

A

As transitive peering is not allowed, VPC ‘B’ can communicate directly only with VPC ‘A’.

378
Q

Q10: In a default VPC, all Amazon EC2 instances are assigned 2 IP addresses at launch. What are they?

A

A Private IP Address & Public IP Address

379
Q

Q11: Which of the following offers the largest range of internal IP addresses?

A

/16

380
Q

Q12: To save administration headaches, a consultant advises that you leave all security groups in web-facing subnets open on port 22 to 0.0.0.0/0 CIDR. That way, you can connect wherever you are in the world. Is this a good security design?

A

No

0.0.0.0/0 would allow ANYONE from ANYWHERE to connect to your instances. This is generally a bad plan. The phrase ‘web-facing subnets’ does not mean just web servers. It would include any instances in that subnet, some of which you may not want strangers attacking. You would only allow 0.0.0.0/0 on port 80 or 443 to connect to your public facing Web Servers, or preferably only to an ELB. Good security starts by limiting public access to only what the customer needs. Please see the AWS Security white paper for complete details.

381
Q

Q13: When peering VPCs, you may peer your VPC only with another VPC in your same AWS account.

A

False

You may peer a VPC to another VPC that’s in your same account, or to any VPC in any other account.

382
Q

Q14: Security groups act like a firewall at the instance level, whereas _________ are an additional layer of security that act at the subnet level

A

Network ACLs

383
Q

Q15: Which of the following are true for Security Groups? (Choose 3)

A

Security Groups support “allow” rules only.

Security Groups operate at the instance level.

Security Groups evaluate all rules before deciding whether to allow traffic.

384
Q

Q16: True or False: A subnet can span multiple Availability Zones.

A

False

Each subnet must reside entirely within one Availability Zone and cannot span zones.

385
Q

Q17: Having just created a new VPC and launching an instance into its Public Subnet, you realise that you have forgotten to assign a Public IP to the instance during creation. What is the simplest way to make your instance reachable from the outside world?

A

Create an Elastic IP address and associate it with your instance

Although creating a new NIC & associating an EIP also results in your instance being accessible from the internet, it leaves your instance with 2 NICs & 2 private IPs as well as the Public Address and is therefore not the simplest solution. By default, any user-created VPC subnet WILL NOT automatically assign Public IPv4 Addresses to instances – the only subnet that does this is the “Default” VPC subnets automatically created by AWS in your account.

386
Q

Q18: Are you permitted to conduct your own vulnerability scans on your own VPC without alerting AWS first?

A

Depends on the type of scan and the service being scanned. Some scans can be performed without alerting AWS, some require you to alert.

Until recently customers were not permitted to conduct Penetration Testing without AWS engagement. However that has changed. There are still conditions however.

387
Q

Q19: How many internet gateways can I attach to my custom VPC

A

1

388
Q

Q20: Which of the following allows you to SSH or RDP into an EC2 instance located in a private subnet?

A

A Bastion host allows you to securely administer (via SSH or RDP) an EC2 instance located in a private subnet. Don’t confuse Bastions and NATs, which allow outside traffic to reach an instance in a private subnet.

389
Q

Q21: When you create a custom VPC, which of the following are created automatically? (Choose 3)

A

Access Control List

Route Table

Security Group

When you create a custom VPC, a default Security Group, Access control List, and Route Table are created automatically. You must create your own subnets, Internet Gateway, and NAT Gateway (if you need one.)

390
Q

Q22: VPC stands for

A

Virtual Private Cloud

391
Q

Q23: Which of the following is a chief advantage of using VPC Gateway Endpoints to connect your VPC to services such as S3?

A

VPC Gateway Endpoints ensure traffic between your VPC and the other service does not leave the Amazon network.

In contrast to a NAT Gateway, traffic between your VPC and the other service does not leave the Amazon network when using VPC Gateway Endpoints. There are also VPC Interface Endpoints, which are used by individual services.

392
Q

Q24: A VPN connection consists of which of the following components? (Choose 2)

A

Customer Gateway

Virtual Private Gateway

The correct answers are “Customer Gateway” and “Virtual Private Gateway”. When connecting a VPN between AWS and a third party site, the Customer Gateway is created within AWS, but it contains information about the third party site e.g. the external IP address and type of routing. The Virtual Private Gateway has the information regarding the AWS side of the VPN and connects a specified VPC to the VPN. “Direct Connect Gateway” and “Cross Connect” are both Direct Connect related terminology and have nothing to do with VPNs.

393
Q

Q25: True or False: You can accelerate your application by adding a second Internet Gateway to your VPC.

A

False

You may have only one Internet Gateway per VPC.

394
Q

What is a load balancer?

A

physical or virtual device that is designed to help you balance the network load across multiple web servers

395
Q

What are the 3 types of Load Balancers in AWS?

A
  • Application Load Balancers (intelligent)
  • Network Load Balancers (for extreme performance)
  • Classic Load Balancers (very basic and cost-effective)
396
Q

What are Application Load balancers for?

A

best suited for load balancing of HTTP and HTTPS traffic = websites basically

operate at layer 7 and are application-aware. Quite intelligent

397
Q

What are Network Load balancers for?

A

best suited for load balancing of TCP traffic where extreme performance is required

= can handle millions of requests per second, while maintaining ultra-low latencies

operating at the connection level (layer 4).

398
Q

What are Classic Load balancers for?

A

legacy Elastic Load Balancers.

can load balance HTTP/HTTPS applications

only use if you don’t care about load balancing

use layer 7-specific features and can also use strict layer 4 load balancing. Not very intelligent

399
Q

What is the X-Forwarded-For header about?

A

helps ensure that we actually also get the user's public IP after going through the Elastic Load Balancer. Without the public IPs, we do not know where our users are coming from

400
Q

What does a 504 error mean?

A

that the gateway has timed out = that the application is not responding within the idle timeout period

401
Q

What should you do if you get a 504 error?

A

troubleshoot the application and see whether the error is coming from the web server or the database server

402
Q

Do you get DNS names or IP addresses for load balancers?

A

Always only their own DNS name

(never IP address)

403
Q

What are sticky sessions?

A

Sticky sessions allow you to bind a user’s session to a specific EC2 instance such that all requests from the user during the session are sent to the same instance.

(if not enabled, the classic LB will route each request independently to the registered EC2 instance with the smallest load)

404
Q

What is Cross Zone Load Balancing for?

A

with no cross zone load balancing, our traffic is split evenly across availability zones…

but we may not have the same amount of instances in the different availability zones.

WITH cross zone load balancing, this is taken care of such that all instances get the same load.

=> Cross zone = the instances can send traffic across availability zones

405
Q

What are Path Patterns?

A

path-based routing = you can create a listener with rules to forward requests based on the URL path

example: enabling path patterns here such that we can send traffic for www.myurl.com/images to the second availability zone, US-EAST-1B

406
Q

How do you plan a good HA architecture?

A

plan for failure = everything fails = that’s why Netflix created the Simian Army (including Chaos Monkey)

when you have the same setup in two different regions, you can tolerate issues and make failover

use multiple availability zones and multiple regions where you can

407
Q

What is the difference between scaling out and scaling up?

A
  • Scaling out = auto-scaling groups to add additional EC2 instances
  • Scaling up = increasing the power of the existing EC2 instances
408
Q

How would a high-availability / fault-tolerant wordpress site architecture look?

A
409
Q

What is CloudFormation?

A

CloudFormation is a way of completely scripting your cloud environment = automating the architecture setup

410
Q

What is Quick Start?

A

a bunch of CloudFormation templates already built by AWS solutions architects allowing you to create complex environments very quickly.

411
Q

What is Elastic Beanstalk?

A

essentially just a way to deploy applications to the cloud (without knowing anything about AWS)

=>

You can deploy and manage applications in the AWS cloud without worrying about the infrastructure that runs those applications. You simply upload the code for your application, and Elastic Beanstalk automatically handles the details of capacity provisioning, load balancing, scaling and application health monitoring.

412
Q

Q1: You need to use an object-based storage solution to store your critical, non-replaceable data in a cost-effective way. This data will be frequently updated and will need some form of version control enabled on it. Which S3 storage solution should you use?

A

S3

The key point in the question is that the data is non-replaceable and is frequently updated. The 1st excludes anything that has reduced durability; the 2nd excludes anything with long recall, reduced availability, or billing based on infrequent access.

413
Q

Q2: You have a web site with three distinct services each hosted by different web server autoscaling groups. Which AWS service should you use?

A

Application Load Balancers (ALB)

The ALB has functionality to distinguish traffic for different targets (mysite.co/accounts vs. mysite.co/sales vs. mysite.co/support) and distribute traffic based on rules for target group, condition, and priority.

414
Q

Q3: In discussions about Cloud services the words ‘Availability’, ‘Durability’, ‘Reliability’ and ‘Resiliency’ are often used. Which term is used to refer to the likelihood that you can access a resource or service when you need it?

A

Availability

Each word has a specific meaning and your ability to select the correct answer may depend on understanding the difference. Availability can be described as the % of a time period when the service will be able to respond to your request in some fashion.

415
Q

Q4: In discussions about Cloud services the words ‘Availability’, ‘Durability’, ‘Reliability’ and ‘Resiliency’ are often used. Which term is used to refer to the likelihood that a resource will continue to exist until you decide to remove it?

A

Durability

Each word has a specific meaning and your ability to select a correct answer may depend on understanding the difference. Durability refers to the on-going existence of the object or resource. Note that it does not mean you can access it, only that it continues to exist.

416
Q

Q5: When you have deployed an RDS database into multiple availability zones, can you use the secondary database as an independent read node?

A

No

417
Q

Q6: In S3 the durability of my files is ________.

A

99.999999999 percent

418
Q

Q7: If you are told that an EC2 instance is being changed to have more RAM, Is this considered Scaling Up or Scaling Out

A

Scaling Up

Scaling out is where you have more of the same resource separately working in parallel (visualize services sitting side by side). Scaling Up is where you make it bigger and bigger, like an ugly tower with more floors being added after the initial design was finished.

419
Q

Q8: You work for a major news network in Europe. They have just released a new mobile app that allows users to post their photos of newsworthy events in real-time. Your organization expects this app to grow very quickly, essentially doubling its user base each month. The app uses S3 to store the images, and you are expecting sudden and sizable increases in traffic to S3 when a major news event takes place (as users will be uploading large amounts of content). You need to keep your storage costs to a minimum, and you are happy to temporarily lose access to up to 0.1% of uploads per year. With these factors in mind, which storage media should you use to keep costs as low as possible?

A

S3 Standard-IA

The key drivers here are availability and cost, so an awareness of cost is necessary to answer this. Full S3 is quite expensive at around $0.023 per GB for the lowest band. S3 standard IA is $0.0125 per GB, S3 OneZone-IA is $0.01 per GB, and Legacy S3-RRS is around $0.024 per GB for the lowest band. Of the offered solutions S3 One Zone-IA is the cheapest suitable option. Glacier cannot be considered as it is not intended for direct access, however it comes in at around $0.004 per GB. S3 has an availability of 99.99%, S3-IA has an availability of 99.9% while S3-1Zone-IA only has 99.5%

420
Q

Q9: You manage a high-performance site that collects scientific data using a bespoke protocol over TCP port 1414. The data comes in at high speed and is distributed to an autoscaling group of EC2 compute services spread over three AZs. Which type of AWS Load Balancer would best meet this requirement?

A

Network Load Balancers (NLB)

The Network Load Balancer is specifically designed for high performance traffic that is not conventional Web traffic. The Classic LB might also do the job, but would not offer the same performance.

421
Q

Q10: Following an unplanned outage, you have been called into a planning meeting. You are asked what can be done to reduce the risk of a single bad deployment taking the whole site down. (The selected options do not necessarily need to work together) (Choose 4)

A

Use a Classic Load Balancer to spread the load over several availability zones.

Use Route 53 with health checks to distribute load across multiple ELBs.

Use multiple autoscaling groups and boundaries for a staged or ‘canary’ deployment process.

Use several Target groups or auto scaling groups under each Load Balancer.

Using Route 53 to distribute work directly to compute resources can work, but is hard to manage, and is not a recommended AWS pattern. ELB can spread load across AZs, not regions. Deploying updates to all groups simultaneously will not reduce risk. Using Route 53 in combination with ELBs is a good pattern to distribute regionally as well as across AZs. Although the methods vary, you can place multiple autoscaling or target groups behind ELBs.

422
Q

Q11: A product manager walks into your office and advises that the simple single node MySQL RDS instance that has been used for a pilot needs to be upgraded for production. She also advises that they may need to alter the size of the instance once they see how many people use the system during peak periods. The key concern is that there cannot be any outages of more than a few seconds during the go-live period. Which of the following might you recommend? (Choose 2)

A

Consider replacing it with Aurora before go live.

Convert the RDS instance to a multi-AZ implementation.

There are two issues to be addressed in this question: minimizing outages, whether due to required maintenance or unplanned failures, plus the possibility of needing to scale up or down. Read-replicas can help you with high read loads, but are not intended to be a solution to system outages. Multi-AZ implementations will increase availability because in the event of an instance outage one of the instances in another AZ will pick up the load with minimal delay. Aurora provides the same capability with potentially higher availability and faster response.

423
Q

Q12: In discussions about Cloud services the words ‘Availability’, ‘Durability’, ‘Reliability’ and ‘Resiliency’ are often used. Which term is used to refer to the likelihood that a resource can recover from damage or disruption?

A

Resiliency

Each word has a specific meaning and your ability to select the correct answer may depend on understanding the difference. Resiliency can be described as the ability of a system to self-heal after damage or an event. Note that this does not mean that it will be available continuously during the event, only that it will self-recover.

424
Q

Q13: You work for a manufacturing company that operates a hybrid infrastructure with systems located both in a local data center and in AWS, connected via AWS Direct Connect. Currently, all on-premises servers are backed up to a local NAS, but your CTO wants you to decide on the best way to store copies of these backups in AWS. He has asked you to propose a solution which will provide access to the files within milliseconds should they be needed, but at the same time minimizes cost. As these files will be copies of backups stored on-premises, availability is not as critical as durability. Choose the best option from the following which meets the brief.

A

Copy the files from the NAS to an S3 bucket with the One Zone-IA class

S3 OneZone-IA provides on-line access to files, while offering the same 11 9’s of durability as all other storage classes. The trade-off is in the availability: 99.5% as opposed to 99.9%-99.99%. However, in this brief, as cost is more important than availability, S3 OneZone-IA is the logical choice. RRS is deprecated and new uses are strongly discouraged by AWS.

425
Q

Q14: Placement Groups can either be of the type ‘Cluster’, ‘Spread’, or ‘Partition’. Choose options from below which are only specific to Spread Placement Groups.

A

A spread placement group is a group of instances that are each placed on distinct underlying hardware

There is only one answer that is specific to Spread Placement Groups, and that is the final option. Whilst some of these answers are correct for either Cluster Placement Groups only, or for both Cluster and Spread Placement Groups, the question stated that only options specific to Spread Placement Groups should be chosen. This would rule out two options as they are true for both Spread & Cluster type placement groups. The Logical grouping of instances within a single Availability Zone is only true of Cluster Placement Groups and is also incorrect.

426
Q

Q15: In discussions about Cloud services the words ‘Availability’, ‘Durability’, ‘Reliability’ and ‘Resiliency’ are often used. Which term is used to refer to the likelihood that a resource will work as designed?

A

Reliability

Each word has a specific meaning and your ability to select a correct answer may depend on understanding the difference. Reliability is closely related to Availability, however a system can be ‘Available’ but not be working properly. Reliability is the probability that a system will work as designed. This term is not used much in AWS, but is still worth understanding.

427
Q

Q16: Can I “force” a failover for any RDS instance that has Multi-AZ configured?

A

Yes.

428
Q

What is SQS?

A

Simple Queue Service… (used to decouple your infrastructure so that not everything crashes if one component crashes)

web service that gives you access to a message queue that can be used to store messages while waiting for a computer to process them.

the queue acts as a buffer between the component producing and saving data, and the component receiving the data for processing

SQS is pull based

(btw also the 1st AWS service)

429
Q

How big can messages be in SQS?

A

256 KB in size

430
Q

What are the 2 types of queues?

A
  • SQS Standard (default)
    • high throughput and nearly-unlimited number of transactions per second BUT be aware that one copy of a message might be delivered out of order and there may be duplicates (generally same order as they are sent but not always)
  • FIFO Queues (first-in-first-out)
    • always the same order as sent (ordered) and surely NO duplicates
    • 300 transactions per second
431
Q

What is Visibility Time Out?

A

the amount of time that the message is invisible in the SQS queue after a reader picks up that message. If the job is processed/completed before the visibility time expires, the message will be deleted from the queue (Visibility Timeout Maximum is 12 hours)

However, if the job is not processed within the visibility time-out, it will become visible again and another reader will process it = hence, some messages can be delivered twice.

432
Q

What is SWF?

A

Simple Work Flow Service… = a web service that makes it easy to coordinate work across distributed application components

= a way of coordinating your applications and manual processors (human beings)

(Amazon uses this… you buy a book online. all is based on computers, including payment, but then human labor needs to help in the warehouse to get the package ready)

You use SWF if there is any manual processing involved

433
Q

What are the differences between SWF and SQS?

A
  • SQS (Simple Queue Service)
    • Retention Period of up to 14 days
    • Message-oriented API
    • Tasks may be duplicated
    • need to implement your own application-level tracking
  • SWF (Simple Work Flow Service)
    • Retention period/Workflow execution period up to 1 year
    • Task-oriented API
    • NEVER duplicated. Each task only once
    • Keeps track of all tasks and events in an application
434
Q

What are the different SWF Actors?

A
  • WORKFLOW STARTERS
    • application that can initiate (start) a workflow
    • example: your e-commerce website following the placement of an order
  • DECIDERS
    • control the flow of activity tasks in a workflow execution = if something has finished (or failed) in a workflow, a Decider decides what to do next
  • ACTIVITY WORKERS
    • Carry out the activity tasks
435
Q

What is Amazon SNS?

A

Simple Notification Service…. a web service that makes it easy to set up, operate, and send notifications from the cloud

SNS is PUSH-based

Allows you to make push notifications to Apple, Google, Fire OS, Windows devices, Android devices in China with Baidu Cloud Push + can also deliver notifications by SMS and email

436
Q

What is an SNS topic?

A

Topics in SNS allow you to group multiple recipients = you can group together iOS, Android and SMS recipients for example, and all subscribers within this group will receive the same messages from SNS (Simple Notification Service)

437
Q

What are the key benefits of SNS?

A
  • Instantaneous PUSH-based delivery
  • Simple APIs and easy integration with applications
  • Flexible message delivery over multiple transport protocols
438
Q

What is the difference between SNS and SQS?

A
  • SNS (Simple Notifications Service)
    • PUSH-based
  • SQS (Simple Queue Service)
    • Pull-based (poll)

(both are messaging services in AWS)

439
Q

What is Elastic Transcoder?

A

A media transcoder in the cloud = a way to convert media files from their original source format into different formats that will play on different devices (smartphones, tablets, pc)

440
Q

What is API Gateway?

A

a fully managed service that makes it easy for developers to publish, maintain, monitor and secure APIs at any scale = you can make a “front door” for applications to access stuff from your back-end services

API Gateway scales automatically

441
Q

What is API Caching?

A

with caching, you can reduce the number of calls made to your endpoint and also improve the latency of the requests to your API (API caching can be enabled in Amazon API Gateway)

used to increase performance

442
Q

What is the essence of the Same Origin Policy?

A

that web page A can access data in web page B, IF both web pages have the same origin (= the same domain name)

(but when using AWS, we use different domain names all the time so we need to use CORS)

443
Q

What is CORS?

A

Cross-Origin Resource Sharing = a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the first resource was served

444
Q

What is the solution of “origin policy cannot be read at the remote resource”?

A

the problem here is that CORS is not enabled on the API Gateway

445
Q

What is Streaming Data?

A

data that is generated continuously by thousands of data sources

Examples:

  • Stock prices
  • Gaming Data (as the gamer plays)
  • Social network data (twitter for example)
  • Geospatial data (e.g. Uber)
  • IoT sensor data (say from AgTech sensors)
  • Purchases from online stores (amazon.com)
446
Q

What is Kinesis?

A

a platform on AWS to send your streaming data to

Kinesis makes it easy to load and analyze streaming data

447
Q

What are the 3 types of Kinesis?

A
  • Kinesis Streams
  • Kinesis Firehose
  • Kinesis Analytics
448
Q

What is Kinesis Streams?

A

a place to store streaming data

within a Kinesis stream, you have SHARDS

449
Q

What is Kinesis Firehose?

A

with Kinesis Firehose, the streaming data is not stored, it must instead be analyzed as it comes in and then sent out again

450
Q

What is Kinesis Analytics?

A

Kinesis Analytics help analyze the streaming data inside Kinesis (inside both Kinesis Firehose and Kinesis Streams)

451
Q

What is Web Identity Federation about?

A

it lets you give your users access to AWS resources AFTER they have successfully authenticated with a web-based identity provider like Amazon, Facebook, Google etc.

= you get access after you have “logged in using Facebook”

452
Q

What is Amazon Cognito?

A

a web identity federation service for sign-up and sign-ins to your apps.

Cognito brokers between the app and Facebook/Google to provide temporary credentials which map to an IAM role allowing access to the required resources

453
Q

What are Cognito USER pools?

A

used to manage sign-in and sign-up for mobile and web applications

focused on users and thus handles things like user registration, authentication, and account recovery

454
Q

What are Cognito IDENTITY pools?

A

provide temporary AWS credentials to access AWS services like S3 or DynamoDB

identity pools authorise access to your AWS resources

455
Q

Q1: What is the difference between SNS and SQS?

A

SNS is a push notification service, whereas SQS is a message system that requires worker nodes to poll a queue.

SNS is a Notification service for sending text-based communication of different types to different destinations. SQS is a Queue system that asynchronously manages tasks (called messages).

456
Q

Q2: What happens when you create a topic on Amazon SNS?

A

An Amazon Resource Name is created.

457
Q

Q3: What application service allows you to decouple your infrastructure using message-based queues?

A

SQS

In IT the term ‘message’ can be used in the common sense, or to describe a piece of data or task in an asynchronous queueing system such as MQSeries, RabbitMQ or SQS.

458
Q

Q4: What does Amazon SES stand for?

A

Simple Email Service

459
Q

Q5: By default, EC2 instances pull SQS messages from a standard SQS queue on a FIFO (First In First out) basis.

A

False

460
Q

Q6: Amazon SWF is designed to help users ________.

A

Coordinate synchronous and asynchronous tasks

Similar to SQS, SWF manages queues of work; however, unlike SQS it can have out-of-band parallel and sequential tasks to be completed by humans and non-AWS services.

461
Q

Q7: Amazon SWF restricts me to the use of specific programming languages.

A

False

While there are a limited range of SDKs available for SWF, AWS provides an HTTP based API which allows you to interact using any language as long as you phrase the interactions in HTTP requests.

462
Q

Q8: Amazon SWF ensures that a task is assigned only once and is never duplicated.

A

True

One-time-only completion is a key feature of SWF. At one time this was a key distinction from SQS, however with SQS FIFO queues, this is no longer a distinguishing feature.

463
Q

Q9: In SWF, what does a “domain” refer to?

A

A collection of related workflows

464
Q

Q10: Amazon’s SQS service guarantees a message will be delivered at least once.

A

True

465
Q

Q11: What does Amazon SWF stand for?

A

Simple Work Flow

466
Q

What is the implication of serverless?

A

you don’t worry about your infrastructure as such. you only worry about your code and pay for the amount of time your code runs

467
Q

What is AWS Lambda?

A

a compute service where you can upload your code and create a Lambda function.

the ultimate abstraction layer = AWS Lambda is on top of data center, hardware, assembly code/protocols, operating systems, APIs/application layer etc.

468
Q

In which ways can you use AWS Lambda?

A
  • As an event-driven compute service where AWS Lambda runs your code in response to events such as changes in an Amazon S3 bucket
  • As a compute service to run your code in response to HTTP requests using Amazon API Gateway or API calls made using AWS SDKs
469
Q

What is the difference between a traditional architecture and serverless?

A

Traditional = user - Route 53 to ELB - web server - RDS/Database

Serverless = user - API Gateway - Lambda - DynamoDB/AuroraServerless

With serverless you do not have to worry about auto-scaling

470
Q

How is Lambda priced?

A
  1. Number of requests and
  2. Duration of time your code runs
471
Q

How does Lambda scale?

A

continuously/automatically but remember that it scales OUT (not up)

472
Q

What does it mean that Lambda functions are independent?

A

1 event = 1 function

but… one Lambda function can trigger other Lambda functions so 1 event can = x functions if functions trigger other functions

473
Q

What is X-ray?

A

a service that helps you see and debug what is happening inside your architecture (useful as architecture turns complicated)

474
Q

Is Lambda global?

A

Yes… Lambda can do things globally so you can e.g. use it to back up S3 buckets to other S3 buckets

475
Q

Q1: In which direction(s) does Lambda scale automatically?

A

Out

Lambda scales out automatically - each time your function is triggered, a new, separate instance of that function is started. There are limits, but these can be adjusted on request.

476
Q

Q2: You have created a serverless application to add metadata to images that are uploaded to a specific S3 bucket. To do this, your lambda function is configured to trigger whenever a new image is created in the bucket. What will happen when multiple users upload multiple different images at the same time?

A

Multiple instances of the Lambda function will be triggered, one for each image

Each time a Lambda function is triggered, an isolated instance of that function is invoked. Multiple triggers result in multiple concurrent invocations, one for each time it is triggered.

477
Q

Q3: Lambda pricing is based on which of these measurements? (Choose 2)

A

Duration of execution billed in fractions of seconds.

The amount of memory assigned.

Lambda billing is based on both the MB of RAM reserved and the execution duration in 100ms units.

478
Q

Q4: Which of the following services can invoke a Lambda function directly? (Choose 3)

A

API Gateway

S3

DynamoDB

API-Gateway Events, S3 Events and DynamoDB Events are all valid triggers for Lambda functions

479
Q

Q5: On Friday morning your marketing manager calls an urgent meeting to celebrate that they have secured a deal to run a coordinated national promotion on TV, radio, and social media over the next 10 days. They anticipate a 500x increase on site visits and trial registrations. After the meeting you throw some ideas around with your team about how to ensure that your current 1 server web site will survive. Which of these best embody the AWS design strategy for this situation. (Choose 2)

A

Create a duplicate sign up page that stores registration details in DynamoDB for asynchronous processing using SQS & Lambda.

Work with your web design team to create some web pages with embedded JavaScript to emulate your 5 most popular information web pages and sign up web pages.

A 500x increase is beyond the scope of a well designed single server system to absorb unless it is already hugely overspecialised to accommodate this sort of burst load. An AWS solution for this situation might include S3 static web pages with client side scripting to meet high demand of information pages, plus use of a noSQL database to collect customer registration for asynchronous processing, and SQS backed by scalable compute to keep up with the requests. Lightsail does provide scalable provisioned service solutions, but these still need to be designed and planned by you and so offer no significant advantage in this situation. A standby server is a good idea, but will not help with the anticipated 500x load increase.

480
Q

Q6: As a DevOps engineer you are told to prepare a complete solution to run a piece of code that requires multi-threaded processing. The code has been running on an old custom built server based around a 4 core Intel Xeon processor. Which of these best describe the AWS compute services that could be used?

A

EC2, ECS, & Lambda.

The exact ratio of cores to memory has varied over time for Lambda instances, however Lambda like EC2 and ECS supports hyper-threading on one or more virtual CPUs (if your code supports hyper-threading).

481
Q

Q7: What AWS service can be used to help resolve an issue with a Lambda function?

A

AWS X-Ray

AWS X-Ray helps developers analyze and debug production, distributed applications, such as those built using microservices and serverless architectures

482
Q

Q8: What does the common term ‘Serverless’ mean according to AWS? (Choose 2)

A

A native Cloud Architecture that allows customers to shift more operational responsibility to AWS.

The ability to run applications and services without thinking about servers or capacity provisioning.

‘Serverless’ computing is not about eliminating servers, but shifting most of the responsibility for infrastructure and operation of the infrastructure to a vendor so that you can focus more on the business services, not how to manage the infrastructure that they run on. Billing does tend to be based on simple units, but the choice of services, intended usage pattern (RIs), and amount of capacity needed also influences the pricing.

483
Q

Q9: You have created a simple serverless website using S3, Lambda, API Gateway and DynamoDB. Your website will process the contact details of your customers, predict an expected delivery date of their order and store their order in DynamoDB. You test the website before deploying it into production and you notice that although the page executes, and the lambda function is triggered, it is unable to write to DynamoDB. What could be the cause of this issue?

A

Your lambda function does not have sufficient Identity Access Management (IAM) permissions to write to DynamoDB.

Like any service in AWS, Lambda needs to have a Role associated with it that provides credentials with rights to other services. This is exactly the same as needing a Role on an EC2 instance to access S3 or DDB.

484
Q

How is Lambda priced?

A
  1. Number of requests and
  2. Duration of time your code runs

it is dirt cheap!

485
Q

How does Lambda scale?

A

continuously/automatically but remember that it scales OUT (not up)

486
Q

What does it mean that Lambda functions are independent?

A

1 event = 1 function

but… one Lambda function can trigger other Lambda functions so 1 event can = x functions if functions trigger other functions

487
Q

What is X-ray?

A

a service that helps you see and debug what is happening inside your architecture (useful as architecture turns complicated)

488
Q

Is Lambda global?

A

Yes… Lambda can do things globally so you can e.g. use it to back up S3 buckets to other S3 buckets

489
Q

What are the different types of encryption?

A
  • Encryption in S3
    • Client-side
      • uploading an encrypted object
    • Server-side
      • S3 managed keys, SSE-S3
        • Amazon manages encryption keys for you
      • AWS Key Management Service, SSE-KMS
        • you manage keys with Amazon
      • Server side encryption with customer provided keys (SSE-C)
        • you provide keys to Amazon
    • Encryption in transit = HTTPS
      • achieved through SSL/TLS, i.e. when you browse using HTTPS
490
Q

What is required for Cross-region replication?

A
  • requires that versioning is enabled on both the source and destination buckets
  • only replicates NEW objects, NOT deletes nor existing files
491
Q

What is Cloudfront?

A

= Amazon’s CDN… distributed servers that deliver web content based on the geographic locations of users

492
Q

What are the 2 different Distributions within CloudFront?

A
  • Web Distribution (part of cloudfront) = for websites
  • RTMP (part of cloudfront) = for media streaming
493
Q

What does it mean to invalidate data on a CloudFront Distribution?

A

Can invalidate data/files on the distribution = taking it away from the edge locations. you will be charged for this.

494
Q

What is the Storage Gateway?

A

a service that connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration.

495
Q

What is EFS?

A

= Elastic File System for EC2

  • very similar to EBS. The difference is that an EBS volume can only be mounted to 1 EC2 instance.
  • EFS automatically grows and shrinks based on the files you store in it
496
Q

What are the 3 types of storage gateway?

A
  • File Gateway (NFS & SMB)
    • files stored in your S3 bucket
  • Volume Gateway (iSCSI) - to store hard disk drives in AWS
    • Stored Volumes
      • store the ENTIRE primary data set locally, backed up in AWS
    • Cached Volumes
      • store the most frequently used data locally (NOT the entire data set) and the rest of the data in S3
  • Tape Gateway (VTL)
    • a way to archive your data in the AWS cloud = good for moving your backups to the cloud
497
Q

What is EBS?

A

EBS = Elastic Block Store: a virtual hard disk in the cloud for use with EC2.

498
Q

What are the 5 types of EBS storage?

A
  • General Purpose SSD = gp2
    • most workloads
  • Provisioned IOPS SSD = io1
    • databases
  • Throughput optimised HDD = st1
    • big data & data warehouses
  • Cold HDD = sc1
    • file servers
  • EBS Magnetic = standard
    • where data is infrequently accessed
499
Q

What are Snapshots?

A

= backup of EBS volumes

500
Q

What should you do if you want to take a Snapshot of a Root EBS Volume?

A

= stop the instance the EBS volume is attached to, then take the snapshot

501
Q

What are the Backups for RDS?

A
  • Automatic Backups
    • enabled by default and take full daily snapshots
    • stored in S3
  • Database Snapshots
    • user-initiated
    • stored even after you delete the original RDS instance
502
Q

What happens when you are restoring an RDS backup?

A

the restored version will be a new RDS instance with a new DNS endpoint

503
Q

What should you remember about Aurora Replicas?

A
  • Aurora replicas (up to 15), automated failover
  • MySQL read replicas (up to 5)
504
Q

What can you Select AMI based on?

A

Region, operating system, architecture (32 vs 64 bit), launch permissions, storage for the root (EBS volumes vs. Instance store volumes)

505
Q

What are the 2 types of AMI, Amazon Machine Image?

A
  • EBS Volumes
    • created from the snapshot of an EBS
  • Instance Store Volumes (Ephemeral Storage = if the instance stops, you’ll lose your data)
    • created from template stored in Amazon S3
506
Q

What are the host-level metrics of CloudWatch?

A
  • CPU
  • Network
  • Disk
  • Status check
507
Q

What can a VPC consist of?

A
  • Internet Gateway or Virtual Private Gateway
  • Router
  • route table
  • access control lists
  • subnets
    • NAT instances, network address translation
      • NAT instances, NAT gateways
    • security groups
    • instances
      • EC2
      • Bastion
  • VPC Endpoint
    • interface endpoint
    • gateway endpoint
508
Q

What are the different DNS Types?

A
  • A record = Address Record
    • points a logical domain name, such as “google.com”, to the IP address of Google’s hosting server, “74.125.224.147”.
  • CName = Canonical Name
    • A Canonical Name or CNAME record is a type of DNS record that maps an alias name to a true or canonical domain name. … For example, a CNAME record can map the web address www.example.com to the actual web site for the domain example.com
    • CName can’t be used for naked domain names = without www. You will need an A-record or an Alias record then
  • SOA = state of authority
    • the name of the server that supplied the data for the zone, the administrator of the zone, the current version of the data file and the default TTL (in seconds) for resource records
  • NS records = Name Server records
    • used by Top Level Domain servers to direct traffic to the Content DNS server which contains the authoritative DNS records
    • gives us access to the SOA which contains the other DNS records such as the A-Record
  • MX Records
    • used for mail
  • PTR records
    • opposite of an A-record = you find the domain name from an IP address
  • Alias record
    • used to map resource record sets to elastic load balancers, very similar to CName. Same thing but cannot be used for naked domain names
509
Q

What is a CName?

A
  • A Canonical Name or CNAME record is a type of DNS record that maps an alias name to a true or canonical domain name. … For example, a CNAME record can map the web address www.example.com to the actual web site for the domain example.com
  • CName can’t be used for naked domain names = without www. You will need an A-record or an Alias record then
510
Q

What is an A Record?

A
  • Address Record
  • points a logical domain name, such as “google.com”, to the IP address of Google’s hosting server, “74.125.224.147”.
511
Q

What is an alias record?

A

used to map resource record sets to elastic load balancers, very similar to CName. Same thing but cannot be used for naked domain names

512
Q

What is Streaming data?

A

data that is generated continuously by thousands of data sources, typically as KB-sized records

513
Q

What is Kinesis?

A
  • a platform to send your streaming data to
    • Kinesis Streams for storage, consisting of SHARDS (retention 24h-7 days)
    • Kinesis Firehose for analyzing on the go
    • Kinesis Analytics can analyze data inside both Kinesis Firehose and Kinesis Streams
514
Q

What is Web Identity Federation, in short?

A

= access to AWS resources after “login with Facebook”

515
Q

What is Amazon Cognito?

A
  • Amazon’s web identity federation service
    • User pools: user directories to manage sign-up and sign-in functionality; users can sign in directly or with Facebook, Amazon, Google etc. This is about USERS (emails, passwords, user registration, account recovery etc.)
    • Identity pools: enable temporary AWS credentials to access AWS services like S3 or DynamoDB. This is about GRANTING/AUTHORISING access
516
Q

What is the difference between user pools and identity pools (Amazon Cognito)?

A
  • User pools: user directories to manage sign-up and sign-in functionality; users can sign in directly or with Facebook, Amazon, Google etc. This is about USERS (emails, passwords, user registration, account recovery etc.)
  • Identity pools: enable temporary AWS credentials to access AWS services like S3 or DynamoDB. This is about GRANTING/AUTHORISING access
517
Q

Who should use CloudFormation vs. Elastic Beanstalk?

A

CloudFormation = advanced AWS users

Elastic Beanstalk = people that have no clue about AWS and just want to get their website up

518
Q

Which instance is first closed during scale-in?

A
  1. First checks if instances are in multiple AZs. If yes, an instance is shut down from the AZ with the most running instances
  2. If there is an even number of instances across AZs, the EC2 instance with the oldest launch configuration is terminated first
  3. If all are equal, at random
519
Q

Which metrics are available by default in CloudWatch?

A
  • CPU utilization
  • Network utilization
  • Disk Performance
  • Disk reads/writes
520
Q

What are examples of custom metrics that you can create in CloudWatch?

A
  • Memory utilization
  • Disk-swap
  • Disk-space
  • Page file utilization
  • Log collection
521
Q

How do you calculate the number of IP addresses available in xxx.xxx.xxx.xxx/27?

A

32 - 27 = 5

2^5 = 32

522
Q

What should you put at the position of yy if you want only 1 IP address available? xxx.xxx.xxx.xxx/yy

A

32 because…

32-32 = 0

2^0 = 1 IP address

523
Q

What is SSD good for and what is HDD good for?

A
  • SSD = small, random I/O operations
  • HDD = large, sequential I/O operations
524
Q

What does EC2 give you access to?

A

the operating system of the instance

525
Q

If you had to place a database within your VPC for maximal security, where would you place it?

A

in the private subnet

526
Q

How do autoscaling groups and ELB health checks differ?

A
  • Autoscaling Groups => EC2 Status Check => Replaces unhealthy instances
  • ELB Health checks => stops sending traffic to the unhealthy instance

If an ELB sits on top of the Auto Scaling group, the ELB health check takes precedence

527
Q

What is Amazon Mq?

A

Amazon Message Queue

Amazon MQ, Amazon SQS, and Amazon SNS are messaging services that are suitable for anyone from startups to enterprises. If you’re using messaging with existing applications and want to move your messaging service to the cloud quickly and easily, it is recommended that you consider Amazon MQ. It supports industry-standard APIs and protocols so you can switch from any standards-based message broker to Amazon MQ without rewriting the messaging code in your applications.

528
Q

What is S3 Select?

A

S3 Select is a new Amazon S3 capability designed to pull out only the data you need from an object, which can dramatically improve the performance and reduce the cost of applications that need to access data in S3

529
Q

What is Redshift Spectrum?

A

Redshift Spectrum is a feature of Amazon Redshift that allows you to query data stored on Amazon S3 directly and supports nested data types

530
Q

What is the difference between Amazon Redshift and Redshift Spectrum?

A
  • Amazon Redshift is a relational, OLAP-style database. It’s a data warehouse built for the cloud, to run the most complex analytical workloads.
  • Amazon Redshift Spectrum is a feature of Amazon Redshift. Spectrum is a query processing engine that allows you to join data that sits in Amazon S3 with data in Amazon Redshift.
531
Q

What is ElasticSearch?

A

Elasticsearch is a highly scalable open-source full-text search and analytics engine. It allows you to store, search, and analyze big volumes of data quickly and in near real time.

532
Q

What is (ES) Elasticsearch service and what is it used for?

A

Amazon Elasticsearch Service (Amazon ES) is a managed service that makes it easy to deploy, operate, and scale Elasticsearch clusters in the AWS Cloud.

You can load streaming data into Elasticsearch Service

533
Q

What is Amazon Athena?

A

Amazon Athena is a service that enables a data analyst to perform interactive queries on data stored in S3.

Because Athena is a serverless query service, an analyst doesn’t need to manage any underlying compute infrastructure to use it.

534
Q

How do you speed up Athena queries?

A

You can speed up your queries dramatically by compressing your data, provided that files are splittable or of an optimal size (optimal S3 file size is between 200MB-1GB). Smaller data sizes mean less network traffic between Amazon S3 and Athena, and thus higher speed

535
Q

What is ROA and what is it for?

A

Route Origin Authorization. A ROA tells the world who is allowed to advertise your IP address range.

= used to give AWS the authorization to advertise your IP address range.

536
Q

What is DAX?

A

DAX = Dynamo DB Accelerator

Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache for DynamoDB that delivers up to a 10x performance improvement – from milliseconds to microseconds – even at millions of requests per second.

= used to speed up queries from your DynamoDB no-sql database

537
Q

What is AWS Device Farm?

A

Device Farm is an app testing service that you can use to test and interact with your Android, iOS, and web apps on real, physical phones and tablets that are hosted by Amazon Web Services (AWS).

There are two main ways to use Device Farm:

  • Automated testing of apps using a variety of testing frameworks.
  • Remote access of devices onto which you can load, run, and interact with apps in real time.
538
Q

What is RAID 0?

A

Stripe set or striped volume.

RAID 0 helps stripe = split data evenly across two or more disks, without parity information, redundancy or fault tolerance.

USED for… increasing read and write transfer rates = for high performance but with lower reliability (see below)

Since there is no fault tolerance or redundancy, the failure of one drive causes the entire array to fail, and all data is lost in such cases.

539
Q

What is RAID 1?

A

RAID 1 consists of an exact copy (MIRROR) of a set of data on two or more disks.

USED for… when READ performance or RELIABILITY is more important than write performance

540
Q

What is RAID 0 for and what is RAID 1 for?

A

RAID 0

= split data evenly across two or more disks => to increase read AND write transfer rates => for high performance but with lower reliability

RAID 1

= exact copy/MIRROR of a set of data on two or more disks = used when READ performance or RELIABILITY is more important than write performance

541
Q

What is RAID?

A

Redundant Array of Independent Disks

configurations to create large reliable data stores from multiple HDDs (in relation to RSD)

542
Q

What is SAML federation?

A

Security Assertion Markup Language…. is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP).

Use: this feature enables federated single sign-on (SSO), so users can log into the AWS Management Console or call the AWS APIs without you having to create an IAM user for everyone in your organization. By using SAML, you can simplify the process of configuring federation with AWS, because you can use the IdP’s service instead of writing custom identity proxy code.

Used, for example, with Active Directory (by Microsoft)

543
Q

What is STS?

A

Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate

NOTE…. Although STS is used to send temporary tokens for authentication, this is not a compatible use case for RDS

544
Q

What is AD?

A

Active Directory. Active Directory (AD) is a Microsoft technology used to manage computers and other devices on a network. … As a network grows, Active Directory provides a way to organize a large number of users into logical groups and subgroups, while providing access control at each level.

545
Q

What is Directory Service AD Connector?

A

An Amazon service to connect to Microsoft Active Directory

546
Q

What is RDS enhanced monitoring?

A

RDS Enhanced Monitoring provides visibility into the health of your Amazon RDS instances

547
Q

What is Amazon EMR?

A

Elastic MapReduce

=> Amazon EMR is the industry leading cloud-native big data platform for processing vast amounts of data quickly and cost-effectively at scale. Using open source tools such as Apache Spark, Apache Hive, Apache HBase, Apache Flink, Apache Hudi (Incubating), and Presto, coupled with the dynamic scalability of Amazon EC2 and scalable storage of Amazon S3, EMR gives analytical teams the engines and elasticity to run Petabyte-scale analysis for a fraction of the cost of traditional on-premises clusters.

Used for = big data processing and analysis

548
Q

What is TCP and UDP?

A

In regard to IP traffic…

  • TCP
    • connection-oriented protocol = establishes a connection between sender and receiver before data can be sent
    • Reliable
    • SSH Protocol + HTTPS
  • UDP
    • connection-less protocol = does not establish a connection before data is sent
    • FASTER but less reliable
    • HTTP with UDP + HTTPS
549
Q

What is long polling and short polling?

A

Polling is a technique by which the client regularly asks the server for new data

  • Long Polling
    • Long Polling basically involves making an HTTP request to a server and then holding the connection open to allow the server to respond at a later time (as determined by the server).
  • short polling
    • Short polling is an AJAX-based timer that calls at fixed delays
550
Q

What is the main difference between DynamoDB and Redshift?

A
  • DynamoDB
    • database
    • good for OLTP (online transaction processing)
  • Redshift
    • data warehouse
    • good for OLAP (online analytics processing)
551
Q

What is WLM?

A

Workload Management = (WLM) uses machine learning to dynamically manage memory and concurrency helping maximize query throughput. In addition, you can now easily set the priority of your most important queries, even when hundreds of queries are being submitted.

Part of REDSHIFT

552
Q

What is Enhanced VPC routing?

A

Allows you to direct Redshift COPY and UNLOAD traffic through your VPC

When you use Amazon Redshift Enhanced VPC Routing, Amazon Redshift forces all COPY and UNLOAD traffic between your cluster and your data repositories through your Amazon VPC. By using Enhanced VPC Routing, you can use standard VPC features, such as VPC security groups, network access control lists (ACLs), VPC endpoints, VPC endpoint policies, internet gateways, and Domain Name System (DNS) servers, as described in the Amazon VPC User Guide. You use these features to tightly manage the flow of data between your Amazon Redshift cluster and other resources.

553
Q

What is a Redshift Cluster?

A

An Amazon Redshift data warehouse is a collection of computing resources called nodes, which are organized into a group called a cluster.

Each cluster runs an Amazon Redshift engine and contains one or more databases.

Each cluster consists of:

  • The Leader Node
    • manages communication between the compute nodes and the client applications
    • not billable, by the way
  • Compute node(s) - have CPU, memory and disk storage
    • store data and execute queries
    • billed by total number of compute node hours
554
Q

What is ECS?

A

Amazon Elastic Container Service (Amazon ECS) is a highly scalable, fast, container management service that makes it easy to run, stop, and manage Docker containers on a cluster. It is comparable to Kubernetes, Docker Swarm, and Azure Container Service.

For example, ECS allows your applications the flexibility to use a mix of Amazon EC2 and AWS Fargate with Spot and On-Demand pricing options.

555
Q

What are ECS clusters and what should you remember about them?

A

a Cluster is a group of ECS Container Instances

  • clusters are REGION-specific
  • may contain a mix of tasks using EITHER the Fargate or EC2 Launch types
  • may contain a mix of both Auto Scaling group capacity providers and Fargate capacity providers
  • IAM policies may be created to allow or restrict user access to clusters
556
Q

What is Fargate?

A

AWS Fargate is a serverless compute engine for containers that works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS)

557
Q

What is throttling?

A

Throttling is a process that is used to control the usage of APIs by consumers during a given period.

You can define throttling at the application level and API level. The throttling limit is considered cumulative at the API level. …

For example, you can limit the number of total API requests as 10000/day

USED..

  • to protect your backend systems from traffic spikes by using throttling limits on the API gateway
558
Q

What are signed cookies for?

A
  • Want to provide access to multiple restricted files (subscriber area of a platform)
  • You do not want to change your current URLs

(CloudFront signed URLs and signed cookies provide the same basic functionality: they allow you to control who can access your content.)

559
Q

What should signed URLs and signed Cookies be used for?

A
  • Signed URLs
    • Restrict access to individual files, for example, an installation download for your application
    • Users are using HTTP which does not support cookies
    • RTMP distribution
  • Signed Cookies
    • Want to provide access to multiple restricted files (subscriber area of a platform)
    • You do not want to change your current URLs
560
Q

What is Lambda@Edge?

A

Lambda@Edge is a feature of Amazon CloudFront that lets you run code closer to users of your application, which improves performance and reduces latency.

With Lambda@Edge, you don’t have to provision or manage infrastructure in multiple locations around the world.

561
Q

What is AWS Shield?

A

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS

562
Q

What are DDoS attacks?

A

A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example, a botnet) flooding the targeted system with traffic.

563
Q

What is a partition key?

A

The partition key portion of a table’s primary key determines the logical partitions in which a table’s data is stored. (part of DynamoDB)

More partition keys = more data divisions = more division of provisioned I/O capacity = better distribution of workload evenly and less risk of throttling

(DynamoDB stores data as groups of attributes, known as items. Items are similar to rows or records in other database systems. DynamoDB stores and retrieves each item based on the primary key value, which must be unique. Items are distributed across 10-GB storage units, called partitions (physical storage internal to DynamoDB).)

564
Q

What is the AWS KMS API?

A

AWS KMS is a managed service that enables you to easily create and control the keys used for cryptographic operations.

USED

  • You can use it in your applications to create, store and control the encryption keys used to encrypt your data
  • If you want to encrypt data FIRST, before writing it to disk (EBS) for storage, use the AWS KMS API
565
Q

What is WAF?

A

AWS Web Application Firewall…

AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources

566
Q

What is SES?

A

Amazon Simple Email Service

designed to help digital marketers and application developers send marketing, notification, and transactional emails.

567
Q

Your client is an insurance company that utilizes SAP HANA for their day-to-day ERP operations. Since you can’t migrate this database due to customer preferences, you need to integrate it with your current AWS workload in your VPC in which you are required to establish a site-to-site VPN connection.

What needs to be configured outside of the VPC for you to have a successful site-to-site VPN connection?

A

An Internet-routable IP address (static) of the customer gateway’s external interface for the on-premises network.

Although the term VPN connection is a general term, in the Amazon VPC documentation, a VPN connection refers to the connection between your VPC and your own network. AWS supports Internet Protocol security (IPsec) VPN connections.

A customer gateway is a physical device or software application on your side of the VPN connection.

To create a VPN connection, you must create a customer gateway resource in AWS, which provides information to AWS about your customer gateway device. Next, you have to set up an Internet-routable IP address (static) of the customer gateway’s external interface.

568
Q

A startup company has a serverless architecture that uses AWS Lambda, API Gateway, and DynamoDB. They received an urgent feature request from their client last month and now, it is ready to be pushed to production. The company is using AWS CodeDeploy as their deployment service.

Which of the following configuration types will allow you to specify the percentage of traffic shifted to your updated Lambda function version before the remaining traffic is shifted in the second increment?

A

Canary

569
Q

What is Canary?

A

In software testing, a canary is a push of programming code changes to a small group of end users who are unaware that they are receiving new code. Because the canary is only distributed to a small number of users, its impact is relatively small and changes can be reversed quickly should the new code prove to be buggy.

= used, for example, to test-deploy new software

570
Q

What is blue-green deployment?

A

Blue-green deployment is a technique that reduces downtime and risk by running two identical production environments called Blue and Green. At any time, only one of the environments is live, with the live environment serving all production traffic. For this example, Blue is currently live and Green is idle.

571
Q

An accounting application uses an RDS database configured with Multi-AZ deployments to improve availability. What would happen to RDS if the primary database instance fails?

A

The canonical name record (CNAME) is switched from the primary to the standby instance

In Amazon RDS, failover is automatically handled so that you can resume database operations as quickly as possible without administrative intervention in the event that your primary database instance went down. When failing over, Amazon RDS simply flips the canonical name record (CNAME) for your DB instance to point at the standby, which is in turn promoted to become the new primary.

572
Q

You are a Solutions Architect of a multi-national gaming company which develops video games for PS4, Xbox One and Nintendo Switch consoles, plus a number of mobile games for Android and iOS. Due to the wide range of their products and services, you proposed that they use API Gateway.

What are the key features of API Gateway that you can tell your client? (Choose 2)

A
  • you pay only for the API calls you receive and the amount of data transferred out
  • you can run your APIs without any servers
573
Q

You are an IT Consultant for an advertising company that is currently working on a proof of concept project that automatically provides SEO analytics for their clients. Your company has a VPC in AWS that operates in dual-stack mode in which IPv4 and IPv6 communication is allowed. You deployed the application to an Auto Scaling group of EC2 instances with an Application Load Balancer in front that evenly distributes the incoming traffic. You are ready to go live but you need to point your domain name (tutorialsdojo.com) to the Application Load Balancer.

In Route 53, which record types will you use to point the DNS name of the Application Load Balancer? (Choose 2)

A
  • Alias with a type “AAAA” record set
  • Alias with a type “A” record set

Alias with a type “AAAA” record set and Alias with a type “A” record set are correct. To route domain traffic to an ELB load balancer, use Amazon Route 53 to create an alias record that points to your load balancer. An alias record is a Route 53 extension to DNS. It’s similar to a CNAME record, but you can create an alias record both for the root domain, such as tutorialsdojo.com, and for subdomains, such as portal.tutorialsdojo.com. (You can create CNAME records only for subdomains.) To enable IPv6 resolution, you would need to create a second resource record, tutorialsdojo.com ALIAS AAAA -> myelb.us-west-2.elb.amazonaws.com, assuming your Elastic Load Balancer has IPv6 support.

574
Q

TRUE/FALSE: Amazon EBS provides the ability to create snapshots (backups) of any EBS volume and write a copy of the data in the volume to Amazon RDS, where it is stored redundantly in multiple Availability Zones

A

FALSE

Almost correct, but instead of storing the volume to Amazon RDS, the EBS volume snapshots are actually sent to Amazon S3.

575
Q

What supports path-based routing and host-based routing?

A

Network Load Balancer

Host-based routing is what enables virtual servers on web servers. It’s also used by application services like load balancing and ingress controllers to achieve the same thing. One IP address, many hosts

URL path-based routing allows you to route traffic to back-end server pools based on the URL path of the request

576
Q

A San Francisco-based tech startup is building a cross-platform mobile app that can notify the user with upcoming astronomical events such as eclipses, blue moon, novae or a meteor shower. Your mobile app authenticates with the Identity Provider (IdP) using the provider’s SDK and Amazon Cognito. Once the end user is authenticated with the IdP, the OAuth or OpenID Connect token returned from the IdP is passed by your app to Amazon Cognito.

Which of the following is returned for the user to provide a set of temporary, limited-privilege AWS credentials?

A

Cognito ID

You can use Amazon Cognito to deliver temporary, limited-privilege credentials to your application so that your users can access AWS resources. Amazon Cognito identity pools support both authenticated and unauthenticated identities. You can retrieve a unique Amazon Cognito identifier (identity ID) for your end user immediately if you’re allowing unauthenticated users or after you’ve set the login tokens in the credentials provider if you’re authenticating users.

That is why the correct answer for this question is Cognito ID.

577
Q

What are the possible Event Notification destinations available for S3 buckets?

A
  • Lambda Function
  • SQS
  • SNS
578
Q

Your company has a top priority requirement to monitor a few database metrics and then afterwards, send email notifications to the Operations team in case there is an issue. Which AWS services can accomplish this requirement?

A
  • SNS
  • CloudWatch

You can use Amazon CloudWatch to monitor the database and then Amazon SNS to send the emails to the Operations team. Take note that you should use SNS instead of SES (Simple Email Service) when you want to monitor your EC2 instances.

579
Q

Your company is running a multi-tier web application farm in a virtual private cloud (VPC) that is not connected to their corporate network. They are connecting to the VPC over the Internet to manage the fleet of Amazon EC2 instances running in both the public and private subnets. You have added a bastion host with Microsoft Remote Desktop Protocol (RDP) access to the application instance security groups, but the company wants to further limit administrative access to all of the instances in the VPC.

Which of the following bastion host deployment options will meet this requirement?

A

Deploy a Windows Bastion host with an elastic IP address in the public subnet and allow RDP access to bastion only from the corporate IP address

The correct answer is to deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow RDP access to bastion only from the corporate IP addresses.

A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. If you have a bastion host in AWS, it is basically just an EC2 instance. It should be in a public subnet with either a public or Elastic IP address with sufficient RDP or SSH access defined in the security group. Users log on to the bastion host via SSH or RDP and then use that session to manage other hosts in the private subnets.

580
Q

A software company has resources hosted in AWS and on-premises servers. You have been requested to create a decoupled architecture for applications which make use of both resources.

Which of the following options are valid? (Choose 2)

A

Amazon Simple Queue Service (SQS) and Amazon Simple Workflow Service (SWF) are the services that you can use for creating a decoupled architecture in AWS. Decoupled architecture is a type of computing architecture that enables computing components or layers to execute independently while still interfacing with each other.

Amazon SQS offers reliable, highly-scalable hosted queues for storing messages while they travel between applications or microservices. Amazon SQS lets you move data between distributed application components and helps you decouple these components. Amazon SWF is a web service that makes it easy to coordinate work across distributed application components.

581
Q

You are working for a large telecommunications company. They have a requirement to move 83 TB data warehouse to the cloud. It would take 2 months to transfer the data given their current bandwidth allocation.

Which is the most cost-effective service that would allow you to quickly upload their data into AWS?

A

AWS Snowball Edge

Although an AWS Snowball device costs less than AWS Snowball Edge, it cannot store 80 TB of data in one device. Take note that the storage capacity is different from the usable capacity for Snowball and Snowball Edge. Remember that an 80 TB Snowball appliance and 100 TB Snowball Edge appliance only have 72 TB and 83 TB of usable capacity respectively. Hence, it would be costly if you use two Snowball devices compared to using just one AWS Snowball Edge device.

582
Q

What is the shared responsibility model in AWS and who is responsible for what?

A

Security and Compliance is a shared responsibility between AWS and the customer.

583
Q

A media company hosts large volumes of archive data that are about 250 TB in size on their internal servers. They have decided to move this data to S3 because of its durability and redundancy. The company currently has a 100 Mbps dedicated line connecting their head office to the Internet.

What is the FASTEST way to import all of this data to Amazon S3?

A

Order multiple AWS Snowball devices to upload the files to Amazon S3

584
Q

You are an AWS Network Engineer working for a utilities provider where you are managing a monolithic application with an EC2 instance using a Windows AMI. You want to implement a cost-effective and highly available architecture for your application where you have an exact replica of the Windows server that is in a running state. If the primary instance terminates, you can attach the ENI to the standby secondary instance, which allows the traffic flow to resume within a few seconds.

When it comes to the ENI attachment to an EC2 instance, what does ‘warm attach’ refer to?

A

Attaching an ENI to an instance when it is stopped.

An elastic network interface (ENI) is a logical networking component in a VPC that represents a virtual network card. You can attach a network interface to an EC2 instance in the following ways:

  • When it’s running (hot attach)
  • When it’s stopped (warm attach)
  • When the instance is being launched (cold attach)

Therefore, attaching an ENI to an instance when it is stopped is the correct answer.

585
Q

A media company has two VPCs: VPC-1 and VPC-2 with a peering connection between each other. VPC-1 only contains private subnets while VPC-2 only contains public subnets. The company uses a single AWS Direct Connect connection and a virtual interface to connect their on-premises network with VPC-1. Which of the following options increase the fault tolerance of the connection to VPC-1?

A

  • Establish another AWS Direct Connect connection and private virtual interface in the same AWS region as VPC-1
  • Establish a hardware VPN over the internet between VPC-1 and the common on-premises network

586
Q

One of your EC2 instances is reporting an unhealthy system status check. The operations team is looking for an easier way to monitor and repair these instances instead of fixing them manually.

How will you automate the monitoring and repair of the system status check failure in an AWS environment?

A

Create CloudWatch alarms that stop and start the instance based on status check alarms.

587
Q

For data privacy, a healthcare company has been asked to comply with the Health Insurance Portability and Accountability Act (HIPAA). They have been told that all of the data being backed up or stored on Amazon S3 must be encrypted. What is the best option to do this? (Choose 2)

A
  • Before sending the data to Amazon S3 over HTTPS, encrypt the data locally first using your own encryption keys
  • Enable server-side encryption on an S3 bucket to make use of AES-256 encryption

Server-side encryption is about data encryption at rest—that is, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. For example, if you share your objects using a pre-signed URL, that URL works the same way for both encrypted and unencrypted objects.

588
Q

You are working for a University as their AWS Consultant. They want to have a disaster recovery strategy in AWS for mission-critical applications after suffering a disastrous outage wherein they lost student and employee records. They don’t want this to happen again but at the same time want to minimize the monthly costs. You are instructed to set up a minimal version of the application that is always available in case of any outages. The DR site should only run the most critical core elements of your system in AWS to save cost which can be rapidly upgraded to a full-scale production environment in the event of system outages.

Which of the following disaster recovery architectures is the most cost-effective type to use in this scenario?

A

The correct answer is Pilot Light.

The term pilot light is often used to describe a DR scenario in which a minimal version of an environment is always running in the cloud. The idea of the pilot light is an analogy that comes from the gas heater. In a gas heater, a small flame that’s always on can quickly ignite the entire furnace to heat up a house. This scenario is similar to a backup-and-restore scenario.

For example, with AWS you can maintain a pilot light by configuring and running the most critical core elements of your system in AWS. When the time comes for recovery, you can rapidly provision a full-scale production environment around the critical core.

589
Q

What is Warm Standby disaster recovery?

A

Warm standby is a method of redundancy in which the scaled-down secondary system runs in the background of the primary system. Doing so would not optimize your savings as much as running a pilot light recovery since some of your services are always running in the background.

590
Q

You run a website which accepts high-quality photos and turns them into a downloadable video montage. The website offers a free account and a premium account that guarantees faster processing. All requests by both free and premium members go through a single SQS queue and then processed by a group of EC2 instances which generate the videos. You need to ensure that the premium users who paid for the service have higher priority than your free members. How do you redesign your architecture to address this requirement?

A

It is best to create 2 separate SQS queues, one for each type of member. The SQS queue for the premium members can be polled first by the EC2 instances and, once completed, the messages from the free members can be processed next.

591
Q

You have a new, dynamic web app written with the MEAN stack that is going to be launched in the next month. There is a probability that the traffic will be quite high in the first couple of weeks. In the event of a load failure, how can you set up DNS failover to a static website?

A

For this scenario, using Route 53 with the failover option to a static S3 website bucket or CloudFront distribution is correct. You can create a new Route 53 record with the failover routing policy that points to a static S3 website bucket or CloudFront distribution as the alternative.

592
Q

A start-up company has an EC2 instance that is hosting a web application. The volume of users is expected to grow in the coming months and hence, you need to add more elasticity and scalability in your AWS architecture to cope with the demand.

Which of the following options can satisfy the above requirement for the given scenario? (Choose 2)

A

Using an Elastic Load Balancer is an ideal solution for adding elasticity to your application. Alternatively, you can also create a policy in Route 53, such as a Weighted routing policy, to evenly distribute the traffic to 2 or more EC2 instances. Hence, setting up two EC2 instances and putting them behind an Elastic Load Balancer (ELB), and setting up two EC2 instances and using Route 53 to route traffic based on a Weighted Routing Policy, are the correct answers.

593
Q

As a Network Architect developing a food ordering application, you need to retrieve the instance ID, public keys, and public IP address of the EC2 server you made for tagging and grouping the attributes into your internal application running on-premises. Which EC2 feature will help you achieve your requirements?

A

Instance Metadata

Instance metadata is the data about your instance that you can use to configure or manage the running instance. You can get the instance ID, public keys, public IP address and much other information from the instance metadata by sending an HTTP request from within the instance to this URL:

http://169.254.169.254/latest/meta-data/

594
Q

You are working as a Solutions Architect for a start-up company that has a not-for-profit crowdfunding platform hosted in AWS. Their platform allows people around the globe to raise money for social enterprise projects including challenging circumstances like accidents and illnesses. Since the system handles financial transactions, you have to ensure that your cloud architecture is secure.

Which of the following AWS services encrypts data at rest by default?

A
  • Amazon S3 Glacier
  • AWS Storage Gateway

All data transferred between any type of gateway appliance and AWS storage is encrypted using SSL. By default, all data stored by AWS Storage Gateway in S3 is encrypted server-side with Amazon S3-Managed Encryption Keys (SSE-S3). Also, when using the file gateway, you can optionally configure each file share to have your objects encrypted with AWS KMS-Managed Keys using SSE-KMS. This is the reason why AWS Storage Gateway is correct.

Data stored in Amazon Glacier is protected by default; only vault owners have access to the Amazon Glacier resources they create. Amazon Glacier encrypts your data at rest by default and supports secure data transit with SSL. This is the reason why Amazon S3 Glacier is correct.

595
Q

What is the “grant least privilege” approach?

A

Using the principle of least privilege, which means granting only the permissions required to perform a task.

596
Q

In Elastic Load Balancing, there are various security features that you can use such as Server Order Preference, Predefined Security Policy, Perfect Forward Secrecy and many others. Perfect Forward Secrecy is a feature that provides additional safeguards against the eavesdropping of encrypted data through the use of a unique random session key. This prevents the decoding of captured data, even if the secret long-term key is compromised. Perfect Forward Secrecy is used to offer SSL/TLS cipher suites for which two AWS services?

A
  • CloudFront and Elastic Load Balancing

Perfect Forward Secrecy is a feature that provides additional safeguards against the eavesdropping of encrypted data, through the use of a unique random session key. This prevents the decoding of captured data, even if the secret long-term key is compromised.

CloudFront and Elastic Load Balancing are the two AWS services that support Perfect Forward Secrecy. Hence, the correct answer is: CloudFront and Elastic Load Balancing.

597
Q

What is AWS Trusted Advisor?

A

AWS Trusted Advisor inspects your AWS environment and makes recommendations for saving money, improving system performance and reliability, or closing security gaps.

598
Q

What is GovCloud?

A

An isolated AWS region designed to allow customers and U.S. government agencies to move their confidential data into the cloud to address their compliance and specific regulatory requirements. It runs under ITAR, the U.S. International Traffic in Arms Regulations.

599
Q

A corporate and investment bank has recently decided to adopt a hybrid cloud architecture for their Trade Finance web application which uses an Oracle database with Oracle Real Application Clusters (RAC) configuration. Since Oracle RAC is not supported in RDS, they decided to launch their database in a large On-Demand EC2 instance instead, with multiple EBS Volumes attached. As a Solutions Architect, you are responsible for ensuring the security, availability, scalability, and disaster recovery of the whole architecture. In this scenario, which of the following will enable you to take backups of your EBS volumes that are being used by the Oracle database?

A

Create snapshots of the EBS volumes

Creating snapshots of the EBS Volumes is correct. You can back up the data on your Amazon EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved.

This minimizes the time required to create the snapshot and saves on storage costs by not duplicating data. When you delete a snapshot, only the data unique to that snapshot is removed. Each snapshot contains all of the information needed to restore your data (from the moment the snapshot was taken) to a new EBS volume.

600
Q

You developed a web application and deployed it on a fleet of EC2 instances which use Amazon SQS. The requests are saved as messages in the SQS queue, which is configured with the maximum message retention period. However, after thirteen days of operation, the web application suddenly crashed and there are 10,000 unprocessed messages that are still waiting in the queue. Since you developed the application, you can easily resolve the issue, but you need to send a communication to the users on the issue.

What information will you provide and what will happen to the unprocessed messages?

A

In this scenario, it is stated that the SQS queue is configured with the maximum message retention period. The maximum message retention period in SQS is 14 days, which is why the option that says: Tell the users that the application will be operational shortly and all received requests will be processed after the web application is restarted is the correct answer, i.e. there will be no missing messages.

601
Q

What is the default cooldown period in Auto Scaling?

A

300 seconds.

In Auto Scaling, the following statements are correct regarding the cooldown period:

  • It ensures that the Auto Scaling group does not launch or terminate additional EC2 instances before the previous scaling activity takes effect.
  • Its default value is 300 seconds.
  • It is a configurable setting for your Auto Scaling group.

602
Q

As an AWS Cloud Consultant working for a record company, you are building an application that will store both key-value and document models like band ID, album ID, song ID and composer ID.

Which AWS service will suit your needs for your application?

A

DynamoDB

Amazon DynamoDB is a fast and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale. It is a fully managed cloud database and supports both document and key-value store models. Its flexible data model, reliable performance, and automatic scaling of throughput capacity make it a great fit for mobile, web, gaming, ad tech, IoT, and many other applications.

The following diagram shows an example of data stored as key-value pairs in DynamoDB:

603
Q

Your customer is building an internal application that serves as a repository for images uploaded by a couple of users. Whenever a user uploads an image, it would be sent to Kinesis for processing before it is stored in an S3 bucket. Afterwards, if the upload was successful, the application will return a prompt telling the user that the upload is successful. The entire processing typically takes about 5 minutes to finish.

Which of the following options will allow you to asynchronously process the request to the application in the most cost-effective manner?

A

Create a Lambda function that will asynchronously process the requests.

AWS Lambda supports synchronous and asynchronous invocation of a Lambda function. You can control the invocation type only when you invoke a Lambda function. When you use an AWS service as a trigger, the invocation type is predetermined for each service. You have no control over the invocation type that these event sources use when they invoke your Lambda function. Since the processing only takes 5 minutes, Lambda is also a cost-effective choice.

604
Q

You work for an Intelligence Agency as its Principal Consultant developing a missile tracking application, which is hosted on both development and production AWS accounts. Alice, the Intelligence agency’s Junior Developer, only has access to the development account. She has received security clearance to access the agency’s production account but the access is only temporary and only write access to EC2 and S3 is allowed.

Which of the following allows you to issue short-lived access tokens that act as temporary security credentials to allow access to your AWS resources?

A

Security Token Service (STS)

AWS Security Token Service (AWS STS) is the service that you can use to create and provide trusted users with temporary security credentials that can control access to your AWS resources. Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use.

605
Q

You are a Solutions Architect working with a company that uses Chef Configuration management in their datacenter. Which service is designed to let the customer leverage existing Chef recipes in AWS?

A

AWS OpsWorks

AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments. OpsWorks has three offerings: AWS OpsWorks for Chef Automate, AWS OpsWorks for Puppet Enterprise, and AWS OpsWorks Stacks.

606
Q

You are instructed by your manager to set up a bastion host in your Amazon VPC and it should only be accessed from the corporate data center via SSH. What is the best way for you to achieve this?

A

The best way to implement a bastion host is to create a small EC2 instance whose security group only allows SSH from a particular IP address (the corporate data center) for maximum security. This blocks SSH brute-force attempts against your bastion host from anywhere else. It is also recommended to use a small instance rather than a large one because this host will only act as a jump server to connect to other instances in your VPC and nothing else.

607
Q

What is IoT Core?

A

AWS IoT Core is a managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices.

608
Q

You are working as a Cloud Consultant for a government agency with a mandate of improving traffic planning, maintenance of roadways and preventing accidents. There is a need to manage traffic infrastructure in real time, alert traffic engineers and emergency response teams when problems are detected, and automatically change traffic signals to get emergency personnel to accident scenes faster by using sensors and smart devices.

Which AWS service will allow the developers of the agency to connect the said devices to your cloud-based applications?

A

IoT Core

609
Q

You have a static corporate website hosted in a standard S3 bucket and a new web domain name which was registered using Route 53. You are instructed by your manager to integrate these two services in order to successfully launch their corporate website.

What are the prerequisites when routing traffic using Amazon Route 53 to a website that is hosted in an Amazon S3 Bucket?

A

Here are the prerequisites for routing traffic to a website that is hosted in an Amazon S3 Bucket:

  • An S3 bucket that is configured to host a static website. The bucket must have the same name as your domain or subdomain. For example, if you want to use the subdomain portal.tutorialsdojo.com, the name of the bucket must be portal.tutorialsdojo.com.
  • A registered domain name. You can use Route 53 as your domain registrar, or you can use a different registrar.
  • Route 53 as the DNS service for the domain. If you register your domain name by using Route 53, we automatically configure Route 53 as the DNS service for the domain.

610
Q

As part of the Business Continuity Plan of your company, your IT Director instructed you to set up an automated backup of all of the EBS Volumes for your EC2 instances as soon as possible.

What is the fastest and most cost-effective solution to automatically back up all of your EBS Volumes?

A

Use Amazon Data Lifecycle Manager (DLM) to automate the creation of EBS snapshots

You can use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes. Automating snapshot management helps you to:

  • Protect valuable data by enforcing a regular backup schedule.
  • Retain backups as required by auditors or internal compliance.
  • Reduce storage costs by deleting outdated backups.

611
Q

To protect your enterprise applications against unauthorized access, you configured multiple rules for your Network ACLs in your VPC. How are the access rules evaluated?

A

Network ACL Rules are evaluated by rule number, from lowest to highest, and executed immediately when a matching allow/deny rule is found.

612
Q

You work for a brokerage firm as an AWS Infrastructure Engineer who handles the stocks trading application. You host your database in an EC2 server with two EBS volumes for OS and data storage in ap-southeast-1a. Due to the fault tolerance requirements, there is a need to assess if the EBS volumes will be affected in the event of ap-southeast-1a availability zone outage. Can EBS tolerate an Availability Zone failure each and every time?

A

No, all EBS volumes are stored and replicated in a single AZ only

The option that says: No, all EBS volumes are stored and replicated in a single AZ only is correct because when you create an EBS volume in an Availability Zone, it is automatically replicated within that zone only to prevent data loss due to a failure of any single hardware component. After you create a volume, you can attach it to any EC2 instance in the same Availability Zone.

The option that says: Yes, EBS volume is fault-tolerant and has multiple copies across multiple AZ is incorrect because it is the EBS snapshots, not the EBS volume, that hold a copy of the data which is stored redundantly in multiple Availability Zones.

613
Q

You recently launched a new FTP server using an On-Demand EC2 instance in a newly created VPC with default settings. The server should not be accessible publicly but only through your IP address 175.45.116.100 and nowhere else.

Which of the following is the most suitable way to implement this requirement?

A
  • FTP uses TCP
  • We need to allow only one IP address, so:

Create a new inbound rule in the security group of the EC2 instance with:

Protocol: TCP

Port Range: 20-21

Source: 175.45.116.100/32

The /32 denotes a single IP address, while /0 matches every address.

614
Q

An application is using a RESTful API hosted in AWS which uses Amazon API Gateway and AWS Lambda. There is a requirement to trace and analyze user requests as they travel through your Amazon API Gateway APIs to the underlying services.

Which of the following is the most suitable service to use to meet this requirement?

A

AWS X-Ray

You can use AWS X-Ray to trace and analyze user requests as they travel through your Amazon API Gateway APIs to the underlying services. API Gateway supports AWS X-Ray tracing for all API Gateway endpoint types: regional, edge-optimized, and private. You can use AWS X-Ray with Amazon API Gateway in all regions where X-Ray is available.

(CloudTrail is incorrect because this is primarily used for API logging of all of your AWS resources.)

615
Q

There are a few, easily reproducible but confidential files that your client wants to store in AWS without worrying about storage capacity. For the first month, all of these files will be accessed frequently but after that, they will rarely be accessed at all. The old files will only be accessed by developers so there is no set retrieval time requirement. However, the files under a specific tutorialsdojo-finance prefix in the S3 bucket will be used for post-processing that requires millisecond retrieval time.

Given these conditions, which of the following options would be the most cost-effective solution for your client’s storage needs?

A

Store the files in S3, then after a month, change the storage class of the tutorialsdojo-finance prefix to One Zone-IA while the remaining files go to Glacier using a lifecycle policy.

Since the files are easily reproducible and some of them need to be retrieved quickly based on a specific prefix filter (tutorialsdojo-finance), S3 One Zone-IA would be a good choice for storing them. The other files that do not have that prefix would then be moved to Glacier for low-cost archival. This setup would also be the most cost-effective for the client.

616
Q

You are working for a major financial firm in Wall Street where you are tasked to design an application architecture for their online trading platform which should have high availability and fault tolerance. The application is using an Amazon S3 bucket located in the us-east-1 region to store large amounts of intraday financial data.

To avoid any costly service disruptions, what will you do to ensure that the stored financial data in the S3 bucket would not be affected even if there is an outage in one of the Availability Zones or a regional service failure in us-east-1?

A

Enable Cross-Region Replication

In this scenario, you need to enable Cross-Region Replication to ensure that your S3 bucket would not be affected even if there is an outage in one of the Availability Zones or a regional service failure in us-east-1. When you upload your data in S3, your objects are redundantly stored on multiple devices across multiple facilities within the region only, where you created the bucket. Hence, if there is an outage on the entire region, your S3 bucket will be unavailable if you do not enable Cross-Region Replication, which should make your data available to another region.

Note that an Availability Zone (AZ) is more related to Amazon EC2 instances than to Amazon S3, so if there is an outage in the AZ, the S3 bucket is usually not affected but only the EC2 instances deployed in that zone.

617
Q

You are working as a Solutions Architect for a startup in which you are tasked to develop a custom messaging service that will also be used to train their AI for an automatic response feature which they plan to implement in the future. Based on their research and tests, the service can receive up to thousands of messages a day, and all of this data is to be sent to Amazon EMR for further processing. It is crucial that none of the messages will be lost, no duplicates will be produced, and that they are processed in EMR in the same order as their arrival.

Which of the following options should you implement to meet the startup’s requirements?

A

Create an Amazon Kinesis Stream to collect the messages

The chosen AWS service should fulfill two important requirements: data must not go missing (it must be durable), and the data must be streamed in the sequence of arrival. Kinesis can do the job just fine because of its architecture. A Kinesis data stream is a set of shards, each holding a sequence of data records, and each data record has a sequence number that is assigned by Kinesis Data Streams. Kinesis can also easily handle the high volume of messages being sent to the service.

618
Q

You are responsible for running a global news website hosted on a fleet of EC2 instances. Lately, the load on the website has increased, which resulted in slower response times for the site visitors. This issue impacts the revenue of the company as some readers tend to leave the site if it does not load within 10 seconds.

Which of the below services in AWS can be used to solve this problem? (Choose 2)

A
  • using Amazon CloudFront with the website as the custom origin, and
  • using Amazon ElastiCache for the website’s in-memory data store or cache.

The global news website has a problem with latency considering that there are a lot of readers of the site from all parts of the globe. In this scenario, you can use a content delivery network (CDN) which is a geographically distributed group of servers which work together to provide fast delivery of Internet content. And since this is a news website, most of its data are read-only, which can be cached to improve the read throughput and avoid the repetitive requests from the server.

In AWS, Amazon CloudFront is the global content delivery network (CDN) service that you can use and for web caching, Amazon ElastiCache is the suitable service. Hence, the correct answers here are using Amazon CloudFront with website as the custom origin and using Amazon ElastiCache for the website’s in-memory data store or cache.

619
Q

You are working for a media company and you need to configure an Amazon S3 bucket to serve static assets for your public-facing web application. Which methods ensure that all of the objects uploaded to the S3 bucket can be read publicly all over the Internet? (Choose 2)

A
  • Configure the S3 bucket policy to set all objects to public read
  • In S3, set the permissions of the object to public read during upload

By default, all Amazon S3 resources such as buckets, objects, and related subresources are private, which means that only the AWS account holder (resource owner) that created it has access to the resource. The resource owner can optionally grant access permissions to others by writing an access policy. In S3, you can also set the permissions of the object during upload to make it public.

Amazon S3 offers access policy options broadly categorized as resource-based policies and user policies. Access policies you attach to your resources (buckets and objects) are referred to as resource-based policies.

For example, bucket policies and access control lists (ACLs) are resource-based policies. You can also attach access policies to users in your account. These are called user policies. You may choose to use resource-based policies, user policies, or some combination of these to manage permissions to your Amazon S3 resources.

Configuring the ACL of the S3 bucket to set all objects to be publicly readable and writeable is incorrect as ACLs are primarily used to grant basic read/write permissions to AWS accounts and not suitable for providing public access over the Internet.

Creating an IAM role to set the objects inside the S3 bucket to public read is incorrect. Although with IAM, you can create a user, group, or role that has certain permissions to the S3 bucket, it does not control the individual objects that are hosted in the bucket.

620
Q

You are a Solutions Architect for a large London-based software company. You are assigned to improve the performance and current processes of supporting the AWS resources in your VPC. Upon checking, you noticed that the Operations team does not have an automated way to monitor and resolve issues with their on-demand EC2 instances.

What can be used to automatically monitor your EC2 instances and notify the Operations team for any incidents?

A

CloudWatch

621
Q

An auto-scaling group of Linux EC2 instances is created with basic monitoring enabled in CloudWatch. You noticed that your application is slow so you asked one of your engineers to check all of your EC2 instances. After checking your instances, you noticed that the auto scaling group is not launching more instances as it should be, even though the servers already have high memory usage.

What is the best solution that will fix this issue?

A

Install CloudWatch monitoring scripts in the instances. Send custom metrics to CloudWatch which will trigger your Auto Scaling group to scale up.

The premise of the scenario is that the EC2 servers have high memory usage, but since this specific metric is not tracked by the Auto Scaling group by default, the scaling up activity is not being triggered. Remember that by default, CloudWatch doesn’t monitor memory usage but only the CPU utilization, Network utilization, Disk performance and Disk Reads/Writes.

This is the reason why you have to install CloudWatch Monitoring Scripts in your EC2 instances to collect and monitor the custom metric (memory usage), which will be used by your Auto Scaling Group as a trigger for scaling activities.

622
Q

A tech startup has recently received a Series A round of funding to continue building their mobile forex trading application. You are hired to set up their cloud architecture in AWS and to implement a highly available, fault tolerant system. For their database, they are using DynamoDB and for authentication, they have chosen to use Cognito. Since the mobile application contains confidential financial transactions, there is a requirement to add a second authentication method that doesn’t rely solely on user name and password.

How can you implement this in AWS?

A

Add Multi-factor authentication (MFA) to a user pool in Cognito to protect the identity of your users.

You can add multi-factor authentication (MFA) to a user pool to protect the identity of your users. MFA adds a second authentication method that doesn’t rely solely on user name and password. You can choose to use SMS text messages or time-based one-time passwords (TOTP) as second factors in signing in your users. You can also use adaptive authentication with its risk-based model to predict when you might need another authentication factor. It’s part of the user pool advanced security features, which also include protections against compromised credentials.

623
Q

To save cost, a company decided to change their third-party data analytics tool to a cheaper solution. They sent a full data export in a CSV file which contains all of their analytics information. You then save the CSV file to an S3 bucket for storage. Your manager asked you to do some validation on the provided data export.

In this scenario, what is the most cost-effective and easiest way to analyze export data using a standard SQL?

A

To be able to run SQL queries, use AWS Athena to analyze the export data file in S3

Amazon Athena is an interactive query service that makes it easy to analyze data directly in Amazon Simple Storage Service (Amazon S3) using standard SQL. With a few actions in the AWS Management Console, you can point Athena at your data stored in Amazon S3 and begin using standard SQL to run ad-hoc queries and get results in seconds.

Athena is serverless, so there is no infrastructure to set up or manage, and you pay only for the queries you run. Athena scales automatically—executing queries in parallel—so results are fast, even with large datasets and complex queries.

Athena helps you analyze unstructured, semi-structured, and structured data stored in Amazon S3. Examples include CSV, JSON, or columnar data formats such as Apache Parquet and Apache ORC. You can use Athena to run ad-hoc queries using ANSI SQL, without the need to aggregate or load the data into Athena.

You can use a cost-effective option (AWS Athena), which is a serverless service that enables you to pay only for the queries you run.

624
Q

A data analytics company has been building its new generation big data and analytics platform on their AWS cloud infrastructure. They need a storage service that provides the scale and performance that their big data applications require, such as high throughput to compute nodes coupled with read-after-write consistency and low-latency file operations. In addition, their data needs to be stored redundantly across multiple AZs, and the service must allow concurrent connections from multiple EC2 instances hosted on multiple AZs.

Which of the following AWS storage services will you use to meet this requirement?

A

EFS

In this question, you should take note of the two keywords/phrases: “file operation” and “allows concurrent connections from multiple EC2 instances”. There are various AWS storage options that you can choose, but whenever these criteria show up, always consider using EFS instead of EBS Volumes, which are mainly used as “block” storage and can have only one connection to one EC2 instance at a time. Amazon EFS provides the scale and performance required for big data applications that require high throughput to compute nodes coupled with read-after-write consistency and low-latency file operations.

EBS is incorrect because it does not allow concurrent connections from multiple EC2 instances hosted on multiple AZs and it does not store data redundantly across multiple AZs by default, unlike EFS.

S3 is incorrect because although it can handle concurrent connections from multiple EC2 instances, it does not have the ability to provide low-latency file operations, which is required in this scenario.

625
Q

A company has an OLTP (Online Transactional Processing) application that is hosted in an Amazon ECS cluster using the Fargate launch type. It has an Amazon RDS database that stores data of its production website. The Data Analytics team needs to run queries against the database to track and audit all user transactions. These query operations against the production database must not impact application performance in any way.

Which of the following is the MOST suitable and cost-effective solution that you should implement?

A

Set up a new Amazon RDS Read Replica of the production database. Direct the Data Analytics team to query the production data from the replica.

Amazon RDS Read Replicas provide enhanced performance and durability for database (DB) instances. This feature makes it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads.

You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas can also be promoted when needed to become standalone DB instances. Read replicas are available in Amazon RDS for MySQL, MariaDB, Oracle and PostgreSQL, as well as Amazon Aurora.

You can reduce the load on your source DB instance by routing read queries from your applications to the read replica. These replicas allow you to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads.

Because read replicas can be promoted to master status, they are useful as part of a sharding implementation. To shard your database, add a read replica and promote it to master status, then, from each of the resulting DB Instances, delete the data that belongs to the other shard.

626
Q

A real-time data analytics application is using AWS Lambda to process data and store results in JSON format to an S3 bucket. To speed up the existing workflow, you have to use a service where you can run sophisticated Big Data analytics on your data without moving them into a separate analytics system.

Which of the following group of services can you use to meet this requirement?

A

S3 Select, Amazon Athena, Amazon Redshift Spectrum

Amazon S3 allows you to run sophisticated Big Data analytics on your data without moving the data into a separate analytics system. In AWS, there is a suite of tools that make analyzing and processing large amounts of data in the cloud faster, including ways to optimize and integrate existing workflows with Amazon S3:

  1. S3 Select

Amazon S3 Select is designed to help analyze and process data within an object in Amazon S3 buckets, faster and cheaper. It works by providing the ability to retrieve a subset of data from an object in Amazon S3 using simple SQL expressions. Your applications no longer have to use compute resources to scan and filter the data from an object, potentially increasing query performance by up to 400%, and reducing query costs as much as 80%. You simply change your application to use SELECT instead of GET to take advantage of S3 Select.

  2. Amazon Athena

Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL expressions. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries you run. Athena is easy to use. Simply point to your data in Amazon S3, define the schema, and start querying using standard SQL expressions. Most results are delivered within seconds. With Athena, there’s no need for complex ETL jobs to prepare your data for analysis. This makes it easy for anyone with SQL skills to quickly analyze large-scale datasets.

  3. Amazon Redshift Spectrum

Amazon Redshift also includes Redshift Spectrum, allowing you to directly run SQL queries against exabytes of unstructured data in Amazon S3. No loading or transformation is required, and you can use open data formats, including Avro, CSV, Grok, ORC, Parquet, RCFile, RegexSerDe, SequenceFile, TextFile, and TSV. Redshift Spectrum automatically scales query compute capacity based on the data being retrieved, so queries against Amazon S3 run fast, regardless of data set size.

627
Q

What is S3 Select?

A

Amazon S3 Select is designed to help analyze and process data within an object in Amazon S3 buckets, faster and cheaper. It works by providing the ability to retrieve a subset of data from an object in Amazon S3 using simple SQL expressions. Your applications no longer have to use compute resources to scan and filter the data from an object, potentially increasing query performance by up to 400%, and reducing query costs as much as 80%. You simply change your application to use SELECT instead of GET to take advantage of S3 Select.

628
Q

What is Amazon Athena?

A

Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL expressions. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries you run. Athena is easy to use. Simply point to your data in Amazon S3, define the schema, and start querying using standard SQL expressions. Most results are delivered within seconds. With Athena, there’s no need for complex ETL jobs to prepare your data for analysis. This makes it easy for anyone with SQL skills to quickly analyze large-scale datasets.

629
Q

What is Amazon Redshift Spectrum?

A

Amazon Redshift also includes Redshift Spectrum, allowing you to directly run SQL queries against exabytes of unstructured data in Amazon S3. No loading or transformation is required, and you can use open data formats, including Avro, CSV, Grok, ORC, Parquet, RCFile, RegexSerDe, SequenceFile, TextFile, and TSV. Redshift Spectrum automatically scales query compute capacity based on the data being retrieved, so queries against Amazon S3 run fast, regardless of data set size.

630
Q

You are using an On-Demand EC2 instance to host a legacy web application that uses an Amazon Instance Store-Backed AMI. The web application should be decommissioned as soon as possible and hence, you need to terminate the EC2 instance. When the instance is terminated, what happens to the data on the root volume?

A

data is automatically deleted = ephemeral storage

631
Q

You are planning to reduce the amount of data that Amazon S3 transfers to your servers in order to lower your operating costs as well as to lower the latency of retrieving the data. To accomplish this, you need to use simple structured query language (SQL) statements to filter the contents of Amazon S3 objects and retrieve just the subset of data that you need. Which of the following services will help you accomplish this requirement?

A

S3 Select

With Amazon S3 Select, you can use simple structured query language (SQL) statements to filter the contents of Amazon S3 objects and retrieve just the subset of data that you need. By using Amazon S3 Select to filter this data, you can reduce the amount of data that Amazon S3 transfers, which reduces the cost and latency to retrieve this data.

Redshift Spectrum is incorrect because although Amazon Redshift Spectrum provides similar in-query functionality to S3 Select, this service is more suitable for querying your data from the Redshift external tables hosted in S3. The Redshift queries are run on your cluster resources against local disk. Redshift Spectrum queries run using per-query scale-out resources against data in S3, which can entail additional costs compared with S3 Select.

632
Q

A customer is transitioning their ActiveMQ messaging broker service onto the AWS cloud, for which they require an alternative asynchronous service that supports the NMS and MQTT messaging protocols. The customer does not have the time and resources needed to recreate their messaging service in the cloud. The service has to be highly available and should require almost no management overhead. Which of the following is the most suitable service to use to meet the above requirement?

A

MQ

Amazon MQ, Amazon SQS, and Amazon SNS are messaging services that are suitable for anyone from startups to enterprises. If you’re using messaging with existing applications and want to move your messaging service to the cloud quickly and easily, it is recommended that you consider Amazon MQ. It supports industry-standard APIs and protocols so you can switch from any standards-based message broker to Amazon MQ without rewriting the messaging code in your applications.

633
Q

You are working as a Solutions Architect for a financial firm which is building an internal application that processes loans, accruals, and interest rates for their clients. They require a storage service that is able to handle future increases in storage capacity of up to 16 TB and can provide the lowest-latency access to their data. Their web application will be hosted in a single m5ad.24xlarge Reserved EC2 instance which will process and store data to the storage service. Which of the following would be the most suitable storage service that you should use to meet this requirement?

A

EBS

Amazon Web Services (AWS) offers cloud storage services to support a wide range of storage workloads, such as Amazon S3, EFS and EBS. Amazon EFS is a file storage service for use with Amazon EC2. Amazon EFS provides a file system interface, file system access semantics (such as strong consistency and file locking), and concurrently-accessible storage for up to thousands of Amazon EC2 instances. Amazon S3 is an object storage service. Amazon S3 makes data available through an Internet API that can be accessed anywhere. Amazon EBS is a block-level storage service for use with Amazon EC2. Amazon EBS can deliver performance for workloads that require the lowest-latency access to data from a single EC2 instance. You can also increase EBS storage up to 16 TB or add new volumes for additional storage.

In this scenario, the company is looking for a storage service which can provide the lowest-latency access to their data, which will be fetched by a single m5ad.24xlarge Reserved EC2 instance. This type of workload is better supported by either EFS or EBS, but in this case the latter is the most suitable storage service. As mentioned above, EBS provides the lowest-latency access to the data for your EC2 instance since the volume is directly attached to the instance. In addition, the scenario does not require concurrently-accessible storage since they only have one instance.

634
Q

When should you use Instance Stores, EFS, S3 and EBS?

A
635
Q

You are working for a tech company which currently has an on-premises infrastructure. They are currently running low on storage and want to have the ability to extend their storage using the AWS cloud.

Which AWS service can help you achieve this requirement?

A

Amazon Storage Gateway

AWS Storage Gateway connects an on-premises software appliance with cloud-based storage to provide seamless integration with data security features between your on-premises IT environment and the AWS storage infrastructure. You can use the service to store data in the AWS Cloud for scalable and cost-effective storage that helps maintain data security.

636
Q

You are working as a Solutions Architect for a leading financial firm where you are responsible for ensuring that their applications are highly available and safe from common web security vulnerabilities. Which is the most suitable AWS service to use to mitigate Distributed Denial of Service (DDoS) attacks from hitting your back-end EC2 instances?

A

AWS Shield

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.

AWS WAF is incorrect because this is a web application firewall service that helps protect your web apps from common exploits that could affect app availability, compromise security, or consume excessive resources. Although this can help you against DDoS attacks, AWS WAF alone is not enough to fully protect your VPC. You still need to use AWS Shield in this scenario.

AWS Firewall Manager is incorrect because this just simplifies your AWS WAF administration and maintenance tasks across multiple accounts and resources.

Amazon GuardDuty is incorrect because this is just an intelligent threat detection service to protect your AWS accounts and workloads. Using this alone will not fully protect your AWS resources against DDoS attacks.

637
Q

What is Amazon Firewall Manager?

A

AWS Firewall Manager is a security management service which allows you to centrally configure and manage firewall rules across your accounts and applications.

638
Q

What is Amazon WAF?

A

Web Application Firewall

AWS WAF is a web application firewall service that helps protect your web apps from common exploits that could affect app availability, compromise security, or consume excessive resources. Although this can help you against DDoS attacks, AWS WAF alone is not enough to fully protect your VPC; you still need AWS Shield for DDoS protection.

A WAF or Web Application Firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site request forgery, cross-site scripting (XSS), file inclusion, and SQL injection, among others.

639
Q

What is Amazon GuardDuty?

A

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. … GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs.

= this is just an intelligent threat detection service to protect your AWS accounts and workloads.

640
Q

A popular augmented reality (AR) mobile game is heavily using a RESTful API which is hosted in AWS. The API uses Amazon API Gateway and a DynamoDB table with a preconfigured read and write capacity. Based on your systems monitoring, the DynamoDB table begins to throttle requests during high peak loads which causes the slow performance of the game. Which of the following can you do to improve the performance of your app?

A

Use DynamoDB Auto Scaling

DynamoDB auto scaling uses the AWS Application Auto Scaling service to dynamically adjust provisioned throughput capacity on your behalf, in response to actual traffic patterns. This enables a table or a global secondary index to increase its provisioned read and write capacity to handle sudden increases in traffic, without throttling. When the workload decreases, Application Auto Scaling decreases the throughput so that you don’t pay for unused provisioned capacity.

“Adding the DynamoDB table to an Auto Scaling Group” is incorrect because you usually put EC2 instances on an Auto Scaling Group, and not a DynamoDB table.

641
Q

You are managing an online platform which allows people to easily buy, sell, spend, and manage their cryptocurrency. To meet the strict IT audit requirements, each of the API calls on all of your AWS resources should be properly captured and recorded. You used CloudTrail in your VPC to help you in the compliance, operational auditing, and risk auditing of your AWS account.

In this scenario, where does CloudTrail store all of the logs that it creates?

A

S3…

CloudTrail is enabled on your AWS account when you create it. When activity occurs in your AWS account, that activity is recorded in a CloudTrail event. A trail is a configuration that enables delivery of events to an Amazon S3 bucket that you specify.

642
Q

You have a distributed application in AWS that periodically processes large volumes of data across multiple instances. You designed the application to recover gracefully from any instance failures. You are required to launch the application in the most cost-effective way. Which type of EC2 instance will meet your requirements?

A

Spot Instances

You require an EC2 instance that is the most cost-effective among other types. In addition, the application it will host is designed to gracefully recover in case of instance failures.

In terms of cost-effectiveness, Spot and Reserved instances are the top options. And since the application can gracefully recover from instance failures, the Spot instance is the best option for this case as it is the cheapest type of EC2 instance. Remember that when you use Spot Instances, there will be interruptions. Amazon EC2 can interrupt your Spot Instance when the Spot price exceeds your maximum price, when the demand for Spot Instances rises, or when the supply of Spot Instances decreases.

643
Q

You are managing a global news website which is deployed to AWS and is using MySQL RDS. The website has millions of viewers from all over the world which means that the website has read-heavy database workloads. All database transactions must be ACID compliant to ensure data integrity.

In this scenario, which of the following is the best option to use to increase the read throughput on the MySQL database?

A

Enable Amazon RDS Read Replicas

Amazon RDS Read Replicas provide enhanced performance and durability for database (DB) instances. This feature makes it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads. You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas can also be promoted when needed to become standalone DB instances. Read replicas are available in Amazon RDS for MySQL, MariaDB, Oracle and PostgreSQL as well as Amazon Aurora.

644
Q

You are working for a large global media company with multiple office locations all around the world. You are instructed to build a system to distribute training videos to all employees. Using CloudFront, what method would be used to serve content that is stored in S3, but not publicly accessible from S3 directly?

A

Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 buckets to that OAI

When you create or update a distribution in CloudFront, you can add an origin access identity (OAI) and automatically update the bucket policy to give the origin access identity permission to access your bucket. Alternatively, you can choose to manually change the bucket policy or change ACLs, which control permissions on individual objects in your bucket.

645
Q

You have a set of Linux servers running on multiple On-Demand EC2 Instances. The Audit team wants to collect and process the application log files generated from these servers for their report. Which of the following services is the best to use in this case?

A

Amazon S3 for storing the application log files and Amazon Elastic MapReduce for processing the log files

Amazon EMR is a managed cluster platform that simplifies running big data frameworks, such as Apache Hadoop and Apache Spark, on AWS to process and analyze vast amounts of data. By using these frameworks and related open-source projects such as Apache Hive and Apache Pig, you can process data for analytics purposes and business intelligence workloads. Additionally, you can use Amazon EMR to transform and move large amounts of data into and out of other AWS data stores and databases such as Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB.

646
Q

You are working as a Junior Solutions Architect where you are responsible for enhancing the availability and durability of the database instances in your VPC. Your company has a Multi-AZ RDS instance in the ap-northeast-1 region. If a storage volume on the primary instance fails in a Multi-AZ deployment, Amazon RDS automatically initiates a failover to the up-to-date standby instance.

In case of a failover, which record in Route 53 is changed?

A

CNAME

Failover is automatically handled by Amazon RDS so that you can resume database operations as quickly as possible without administrative intervention. When failing over, Amazon RDS simply flips the canonical name record (CNAME) in Route 53 for your DB instance to point at the standby, which in turn is promoted to become the new primary.

647
Q

A web application requires a minimum of six Amazon Elastic Compute Cloud (EC2) instances running at all times. You are tasked to deploy the application to three availability zones in the EU Ireland region (eu-west-1a, eu-west-1b, and eu-west-1c). It is required that the system is fault-tolerant up to the loss of one Availability Zone.

Which of the following setup is the most cost-effective solution which also maintains the fault-tolerance of your system?

A

3 instances in each of the 3 availability zones = 9 instances in total

The option that says: 6 instances in eu-west-1a, 6 instances in eu-west-1b, and no instances in eu-west-1c is incorrect because although it provides fault-tolerance, it is not the most cost-effective solution as compared with the options above. This solution has 12 running instances, unlike the correct answer which only has 9 instances.

648
Q

A data analytics application requires a service that can collect, process, and analyze clickstream data from various websites in real-time. Which of the following is the most suitable service to use for the application?

A

Kinesis

Amazon Kinesis makes it easy to collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information.

649
Q

You have a web application hosted in the AWS cloud where the application logs are sent to Amazon CloudWatch. Lately, the web application has been encountering some errors which can be resolved simply by restarting the instance.

What will you do to automatically restart the EC2 instances whenever the same application error occurs?

A

First, look at the existing CloudWatch logs for keywords related to the application error to create a custom metric. Then, create a CloudWatch alarm for that custom metric which invokes an action to restart the EC2 instance.

In this scenario, you can look at the existing CloudWatch logs for keywords related to the application error to create a custom metric. Then, create a CloudWatch alarm for that custom metric which invokes an action to restart the EC2 instance.

You can create alarms that automatically stop, terminate, reboot, or recover your EC2 instances using Amazon CloudWatch alarm actions. You can use the stop or terminate actions to help you save money when you no longer need an instance to be running. You can use the reboot and recover actions to automatically reboot those instances or recover them onto new hardware if a system impairment occurs.

650
Q

You are a Cloud Migration Engineer in a media company which uses EC2, ELB, and S3 for its video-sharing portal for filmmakers. They are using a standard S3 storage class to store all high-quality videos that are frequently accessed only during the first three months of posting. What should you do if the company needs to automatically transfer or archive media data from an S3 bucket to Glacier?

A

Use Lifecycle Policies

651
Q

A Solutions Architect is designing a monitoring application which generates audit logs of all operational activities of the company’s cloud infrastructure. Their IT Security and Compliance team mandates that the application retain the logs for 5 years before the data can be deleted. How can the Architect meet the above requirement?

A

Store the audit logs in a Glacier vault and use the Vault Lock feature

An Amazon S3 Glacier (Glacier) vault can have one resource-based vault access policy and one Vault Lock policy attached to it. A Vault Lock policy is a vault access policy that you can lock. Using a Vault Lock policy can help you enforce regulatory and compliance requirements. Amazon S3 Glacier provides a set of API operations for you to manage the Vault Lock policies.

652
Q

What is a Vault Lock?

A

Amazon Glacier Vault Lock allows you to easily deploy and enforce compliance controls on individual Glacier vaults via a lockable policy. You can specify controls such as “Write Once Read Many” (WORM) in a Vault Lock policy and lock the policy from future edits.

A Vault Lock policy is a vault access policy that you can lock. Using a Vault Lock policy can help you enforce regulatory and compliance requirements.

653
Q

You are working as a Solutions Architect for a leading data analytics company in which you are tasked to process real-time streaming data of your users across the globe. This will enable you to track and analyze globally-distributed user activity on your website and mobile applications, including click stream analysis. Your cloud architecture should process the data in close geographical proximity to your users and to respond to user requests at low latencies. Which of the following options is the most ideal solution that you should implement?

A

By using Lambda@Edge and Kinesis together, you can process real-time streaming data so that you can track and analyze globally-distributed user activity on your website and mobile applications, including clickstream analysis. Hence, the correct answer in this scenario is the option that says: Integrate CloudFront with Lambda@Edge in order to process the data in close geographical proximity to users and respond to user requests at low latencies. Process real-time streaming data using Kinesis and durably store the results to an Amazon S3 bucket.

654
Q

You had recently set up a CloudWatch Alarm that performs status checks on your EBS volume. However, you noticed that the volume check has a status of insufficient-data. What does this status mean?

A

The check on the EBS volume is still in progress

Volume status checks are automated tests that run every 5 minutes and return a pass or fail status. You can view the results of volume status checks to identify any impaired volumes and take any necessary actions.

If all checks pass, the status of the volume is ok. The option that says: All EBS Volume checks have been completed is therefore incorrect.

If a check fails, the status of the volume is impaired. The option that says: All EBS Volume checks have failed is therefore incorrect.

If the volume is severely degraded or the volume performance is well below expectations, then the status is warning. The option that says: The EBS Volume is severely degraded or the volume performance is well below expectations is therefore incorrect.

If the status is insufficient-data, the checks may still be in progress on the volume. The option that says: The check on the EBS volume is still in progress is therefore correct.

655
Q

An online trading platform with thousands of clients across the globe is hosted in AWS. To reduce latency, you have to direct user traffic to the nearest application endpoint to the client. The traffic should be routed to the closest edge location via an Anycast static IP address. AWS Shield should also be integrated into the solution for DDoS protection.

Which of the following is the MOST suitable service that the Solutions Architect should use to satisfy the above requirements?

A

AWS Global Accelerator

AWS Global Accelerator and Amazon CloudFront are separate services that use the AWS global network and its edge locations around the world. CloudFront improves performance for both cacheable content (such as images and videos) and dynamic content (such as API acceleration and dynamic site delivery). Global Accelerator improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions. Global Accelerator is a good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP, as well as for HTTP use cases that specifically require static IP addresses or deterministic, fast regional failover. Both services integrate with AWS Shield for DDoS protection.

656
Q

What is AWS Global Accelerator?

A

AWS Global Accelerator is a service that improves the availability and performance of your applications with local or global users. … AWS Global Accelerator continually monitors the health of your application endpoints and will detect an unhealthy endpoint and redirect traffic to healthy endpoints in less than 1 minute.

657
Q

You have a web-based order processing system which is currently using a queue in Amazon SQS. The support team noticed that there are a lot of cases where an order was processed twice. This issue has caused a lot of trouble in your processing and made your customers very unhappy. Your IT Manager has asked you to ensure that this issue does not happen again.

What can you do to prevent this from happening again in the future?

A

Amazon SWF provides useful guarantees around task assignment. It ensures that a task is never duplicated and is assigned only once. Thus, even though you may have multiple workers for a particular activity type (or a number of instances of a decider), Amazon SWF will give a specific task to only one worker (or one decider instance). Additionally, Amazon SWF keeps at most one decision task outstanding at a time for a workflow execution. Thus, you can run multiple decider instances without worrying about two instances operating on the same execution simultaneously. These facilities enable you to coordinate your workflow without worrying about duplicate, lost, or conflicting tasks.

658
Q

You launched an EC2 instance in your newly created VPC. You have noticed that the generated instance does not have an associated DNS hostname.

Which of the following options could be a valid reason for this issue?

A

The DNS resolution and DNS hostname of the VPC configuration has not been enabled yet.

When you launch an EC2 instance into a default VPC, AWS provides it with public and private DNS hostnames that correspond to the public IPv4 and private IPv4 addresses for the instance.

However, when you launch an instance into a non-default VPC, AWS provides the instance with a private DNS hostname only. New instances will only be provided with a public DNS hostname depending on two DNS attributes, DNS resolution and DNS hostnames, that you have specified for your VPC, and on whether your instance has a public IPv4 address.

In this case, the new EC2 instance does not automatically get a DNS hostname because the DNS resolution and DNS hostnames attributes are disabled in the newly created VPC.

659
Q

You have an Auto Scaling group which is configured to launch new t2.micro EC2 instances when there is a significant load increase in the application. To cope with the demand, you now need to replace those instances with a larger t2.2xlarge instance type. How would you implement this change?

A

Create a new launch configuration with the new instance type and update the Auto Scaling Group.

You can only specify one launch configuration for an Auto Scaling group at a time, and you can’t modify a launch configuration after you’ve created it. Therefore, if you want to change the launch configuration for an Auto Scaling group, you must create a launch configuration and then update your Auto Scaling group with the new launch configuration.

660
Q

What is LDAP?

A

Lightweight Directory Access Protocol (LDAP).

Lightweight Directory Access Protocol (LDAP) is a directory service that is based on Directory Access Protocol (DAP). … … LDAP directory servers are often used as an authentication repository, and are often used to store sensitive information like passwords and other account details. As such, security is an important aspect of most directory servers.

661
Q

A leading IT consulting company has an application which processes a large stream of financial data by an Amazon ECS Cluster then stores the result to a DynamoDB table. You have to design a solution to detect new entries in the DynamoDB table then automatically trigger a Lambda function to run some tests to verify the processed data. What solution can be easily implemented to alert the Lambda function of new entries while requiring minimal configuration change to your architecture?

A

Enable DynamoDB Streams to capture table activity and automatically trigger the Lambda function.

Amazon DynamoDB is integrated with AWS Lambda so that you can create triggers—pieces of code that automatically respond to events in DynamoDB Streams. With triggers, you can build applications that react to data modifications in DynamoDB tables.

If you enable DynamoDB Streams on a table, you can associate the stream ARN with a Lambda function that you write. Immediately after an item in the table is modified, a new record appears in the table’s stream. AWS Lambda polls the stream and invokes your Lambda function synchronously when it detects new stream records.

662
Q

A tech company is currently using Amazon Simple Workflow (SWF) service with a default configuration for their order processing system. The system works fine but you noticed that some of the orders seem to be stuck for almost 4 weeks. What could be the possible reason for this?

A

It is because Simple Workflow (SWF) is waiting for human input from an activity task.

By default, each workflow execution can run for a maximum of 1 year in Amazon SWF. This means that it is possible that in your workflow, there are some tasks which require manual action and render the execution idle. As a result, some orders get stuck for almost 4 weeks.

Amazon SWF does not take any special action if a workflow execution is idle for an extended period of time. Idle executions are subject to the timeouts that you configure. For example, if you have set the maximum duration for an execution to be 1 day, then an idle execution will be timed out if it exceeds the 1 day limit. Idle executions are also subject to the Amazon SWF limit on how long an execution can run (1 year).

663
Q

A data analytics company, which uses machine learning to collect and analyze consumer data, is using Redshift cluster as their data warehouse. You are instructed to implement a disaster recovery plan for their systems to ensure business continuity even in the event of an AWS region outage. Which of the following is the best approach to meet this requirement?

A

Enable Cross-Region Snapshots in your Amazon Redshift Cluster

You can configure Amazon Redshift to copy snapshots for a cluster to another region. To configure cross-region snapshot copy, you need to enable this copy feature for each cluster and configure where to copy snapshots and how long to keep copied automated snapshots in the destination region. When cross-region copy is enabled for a cluster, all new manual and automatic snapshots are copied to the specified region.

664
Q

The company you are working for has a set of AWS resources hosted in ap-northeast-1 region. You have been asked by your IT Manager to create an AWS CLI shell script that will call an AWS service which could create duplicate resources in another region in the event that ap-northeast-1 region fails. The duplicated resources should also contain the VPC Peering configuration and other networking components from the primary stack. Which of the following AWS services could help fulfill this task?

A

AWS CloudFormation

665
Q

A bank portal application is hosted in an Auto Scaling group of EC2 instances behind a Classic Load Balancer (CLB). You are required to set up the architecture so that any back-end EC2 instances that you de-register should complete the in-progress requests first before the de-registration process takes effect. Conversely, if a back-end instance fails health checks, the load balancer should not send any new requests to the unhealthy instance but should allow existing requests to complete. How will you configure your load balancer to satisfy the above requirement?

A

Configure Connection Draining

To ensure that a Classic Load Balancer stops sending requests to instances that are de-registering or unhealthy while keeping the existing connections open, use connection draining. This enables the load balancer to complete in-flight requests made to instances that are de-registering or unhealthy. Hence, configuring Connection Draining is the correct answer.

666
Q

What are Sticky Sessions?

A

Using sticky sessions (session affinity) configures a load balancer to bind user sessions to a specific instance, so all requests from a user during a session are sent to the same instance.

667
Q

What is Connection Draining?

A

When Connection Draining is enabled, Auto Scaling will wait for outstanding requests to complete before terminating instances.

related to load balancers

668
Q

A financial company instructed you to automate the recurring tasks in your department such as patch management, infrastructure selection, and data synchronization to improve their current processes. You need to have a service which can coordinate multiple AWS services into serverless workflows. Which of the following is the most cost-effective service to use in this scenario?

A

AWS Step Functions.

AWS Step Functions provides serverless orchestration for modern applications. Orchestration centrally manages a workflow by breaking it into multiple steps, adding flow logic, and tracking the inputs and outputs between the steps. As your applications execute, Step Functions maintains application state, tracking exactly which workflow step your application is in, and stores an event log of data that is passed between application components. That means that if networks fail or components hang, your application can pick up right where it left off.

(AWS Lambda is incorrect because although Lambda is used for serverless computing, it does not provide a direct way to coordinate multiple AWS services into serverless workflows.)

669
Q

What is AWS Step Functions?

A

AWS Step Functions lets you coordinate multiple AWS services into serverless workflows so you can build and update apps quickly. Using Step Functions, you can design and run workflows that stitch together services such as AWS Lambda and Amazon ECS into feature-rich applications.

You can use Step Functions to coordinate all of the steps of a checkout process on an ecommerce site, for example.

670
Q

You are a Big Data Engineer who is assigned to handle the online enrollment system database of a prestigious university, which is hosted in RDS. You are required to monitor the database metrics in Amazon CloudWatch to ensure the availability of the enrollment system.

What are the enhanced monitoring metrics that Amazon CloudWatch gathers from Amazon RDS DB instances which provide a more accurate information? (Choose 2)

A
  • OS Processes
  • RDS child processes

OS processes – Shows a summary of the kernel and system processes, which generally have minimal impact on performance. Amazon RDS provides metrics in real time for the operating system (OS) that your DB instance runs on. You can view the metrics for your DB instance using the console, or consume the Enhanced Monitoring JSON output from CloudWatch Logs in a monitoring system of your choice.

RDS child processes – Shows a summary of the RDS processes that support the DB instance, for example aurora for Amazon Aurora DB clusters and mysqld for MySQL DB instances. Process threads appear nested beneath the parent process. Process threads show CPU utilization only as other metrics are the same for all threads for the process. The console displays a maximum of 100 processes and threads. The results are a combination of the top CPU consuming and memory consuming processes and threads. If there are more than 50 processes and more than 50 threads, the console displays the top 50 consumers in each category. This display helps you identify which processes are having the greatest impact on performance.

RDS processes – Shows a summary of the resources used by the RDS management agent, diagnostics monitoring processes, and other AWS processes that are required to support RDS DB instances.

671
Q

An automotive company is working on an autonomous vehicle development and deployment project using AWS. The solution requires High Performance Computing (HPC) in order to collect, store and manage massive amounts of data as well as to support deep learning frameworks. The Linux EC2 instances that will be used should have a lower latency and higher throughput than the TCP transport traditionally used in cloud-based HPC systems. It should also enhance the performance of inter-instance communication and must include an OS-bypass functionality to allow the HPC to communicate directly with the network interface hardware to provide low-latency, reliable transport functionality.

Which of the following is the MOST suitable solution that you should implement to achieve the above requirements?

A

Attach an Elastic Fabric Adapter (EFA) to each Amazon EC2 instance to accelerate High Performance Computing (HPC).

An Elastic Fabric Adapter (EFA) is a network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications. EFA enables you to achieve the application performance of an on-premises HPC cluster, with the scalability, flexibility, and elasticity provided by the AWS Cloud.

EFA provides lower and more consistent latency and higher throughput than the TCP transport traditionally used in cloud-based HPC systems. It enhances the performance of inter-instance communication that is critical for scaling HPC and machine learning applications. It is optimized to work on the existing AWS network infrastructure and it can scale depending on application requirements.

672
Q

A Solutions Architect is designing the cloud architecture for the enterprise application suite of the company. Both the web and application tiers need to access the Internet to fetch data from public APIs. However, these servers should be inaccessible from the Internet.

Which of the following steps should the Architect implement to meet the above requirements?

A

Deploy a NAT gateway in the public subnet and add a route to it from the private subnet where the web and application tiers are hosted.

673
Q

You have a prototype web application that uses one Spot EC2 instance. What will happen to the instance by default if it gets interrupted by Amazon EC2 for capacity requirements?

A

the instance will be terminated

You can choose to have your Spot instances terminated, stopped, or hibernated upon interruption. Stop and hibernate options are available for persistent Spot requests and Spot Fleets with the maintain option enabled. By default, your instances are terminated; hence, the correct answer is the option that says: The instance will be terminated.

674
Q

A web application is hosted in an Auto Scaling group of EC2 instances deployed across multiple Availability Zones in front of an Application Load Balancer. You need to implement an SSL solution for your system to improve its security which is why you requested an SSL/TLS certificate from a third-party certificate authority (CA).

Where can you safely import the SSL/TLS certificate of your application? (Choose 2)

A
  • AWS Certificate Manager
  • IAM Certificate Store

If you got your certificate from a third-party CA, import the certificate into ACM or upload it to the IAM certificate store. Hence, AWS Certificate Manager and IAM certificate store are the correct answers.

675
Q

What is ACM?

A

Amazon Certificate Manager

ACM lets you import third-party certificates from the ACM console, as well as programmatically. If ACM is not available in your region, use AWS CLI to upload your third-party certificate to the IAM certificate store.

676
Q

What is the acronym ACL?

A

= Access Control List

677
Q

What is ALB?

A

= Application Load Balancer

678
Q

What is the acronym AMI?

A

Amazon Machine Image

An AMI is really just a template document that contains information telling EC2 what OS and application software to include on the root data volume of the instance it’s about to launch.

679
Q

What is the acronym?

A

Availability Zone

680
Q

What is the acronym CIDR?

A

= Classless Interdomain Routing

681
Q

What is the acronym CLI?

A

= Command Line Interface

682
Q

What is the acronym CRR?

A

= Cross Region Replication

683
Q

What is the acronym DAX?

A

= DynamoDB Accelerator

684
Q

What is the acronym DLM?

A

= Data Lifecycle Manager

685
Q

What is the acronym DNS?

A

= Domain Name System

686
Q

What is the acronym EBS?

A

Elastic Block Storage

687
Q

What is the acronym EC2?

A

= Elastic Compute Cloud

688
Q

What is the acronym ECS?

A

= Elastic Container Service

689
Q

What is the acronym EFS?

A

= Elastic File System

690
Q

What is the acronym EIP?

A

= Elastic Internet Protocol (IP)

691
Q

What is the acronym EMR?

A

Elastic MapReduce

692
Q

What is the acronym ENI?

A

= Elastic Network Interface

693
Q

What is the acronym FTP?

A

File Transfer Protocol

694
Q

What is the acronym HA?

A

= High Availability

695
Q

What is the acronym HVM?

A

= Hardware Virtual Machine

696
Q

What is the acronym IA?

A

= Infrequently Accessed

697
Q

What is the acronym IAM?

A

= Identity Access Management

698
Q

What is the acronym IOPS?

A

= Input/Output Operations Per Second

699
Q

What is the acronym KMS?

A

= Key Management Service

700
Q

What is the acronym LDAP?

A

= Lightweight Directory Access Protocol

701
Q

What is the acronym MPP?

A

= Massively Parallel Processing

702
Q

What is the acronym NACL?

A

= Network Access Control List

703
Q

What is the acronym NAT?

A

= Network Address Translation

704
Q

What is the acronym NFS?

A

= Network File System

705
Q

What is the acronym NLB?

A

= Network Load Balancer

706
Q

What is the acronym OLAP?

A

= Online Analytical Processing

707
Q

What is the acronym OLTP?

A

= Online Transaction Processing

708
Q

What is the acronym PAT?

A

= Port Address Translation

709
Q

What is the acronym PCU?

A

= Provisioned Capacity Unit

710
Q

What is the acronym RDP?

A

= Remote Desktop Protocol

711
Q

What is the acronym RDS?

A

= Relational Database Service

712
Q

What is the acronym REST?

A

= Representational State Transfer

713
Q

What is the acronym ROA?

A

= Route Origin Authorization

714
Q

What is the acronym RTMP?

A

= Real Time Messaging Protocol

715
Q

What is the acronym S3?

A

= Simple Storage Service

716
Q

What is the acronym SAML?

A

= Security Assertion Markup Language

717
Q

What is the acronym SDK?

A

= Software Development Kit

718
Q

What is the acronym SES?

A

= Simple Email Service

719
Q

What is the acronym SLA?

A

= Service Level Agreement

720
Q

What is the acronym SMB?

A

= Server Message Block

721
Q

What is the acronym SNS?

A

= Simple Notification Service

722
Q

What is the acronym SOA?

A

= Start of Authority

723
Q

What is the acronym SQS?

A

= Simple Queue Service

724
Q

What is the acronym SRR?

A

= Same Region Replication

725
Q

What is the acronym SSE?

A

= Server Side Encryption

726
Q

What is the acronym SSH?

A

= Secure Shell

727
Q

What is the acronym SSO?

A

= Single Sign On

728
Q

What is the acronym SWF?

A

= Simple Workflow Service

729
Q

What is the acronym TCP?

A

= Transmission Control Protocol

730
Q

What is the acronym TTL?

A

= Time To Live

731
Q

What is the acronym VPC?

A

= Virtual Private Cloud

732
Q

What is the acronym VTL?

A

= Virtual Tape Library

733
Q

What is the acronym VTS?

A

= Virtual Tape Shelf

734
Q

What is the acronym WLM?

A

= Workload Management

735
Q

You are working as a Solutions Architect for a global game development company. They have a web application currently running on twenty EC2 instances as part of an Auto Scaling group. All twenty instances have been running at a maximum of 100% CPU Utilization for the past 40 minutes however, the Auto Scaling group has not added any additional EC2 instances to the group.

What could be the root cause of this issue? (Choose 2)

A

You are limited to running up to a total of 20 On-Demand instances across the instance family, purchasing 20 Reserved Instances, and requesting Spot Instances per your dynamic Spot limit per region.

If the maximum size of your Auto Scaling group has already been reached, then it would not create any new EC2 instance.

Hence, the correct answers are:

  • You already have 20 on-demand instances running in your entire VPC.
  • The maximum size of your Auto Scaling group is set to twenty.

736
Q

Your company has an e-commerce application that saves the transaction logs to an S3 bucket. You are instructed by the CTO to configure the application to keep the transaction logs for one month for troubleshooting purposes, and then afterwards, purge the logs. What should you do to accomplish this requirement?

A

Configure the lifecycle configuration rules on the Amazon S3 bucket to purge/delete the transaction logs after a month

737
Q

A large insurance company has an AWS account that contains three VPCs (DEV, UAT and PROD) in the same region. UAT is peered to both PROD and DEV using a VPC peering connection. All VPCs have non-overlapping CIDR blocks. The company wants to push minor code releases from Dev to Prod to speed up time to market. Which of the following options helps the company accomplish this?

A

Create a new VPC peering connection between PROD and DEV with the appropriate routes.

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately. AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection and does not rely on a separate piece of physical hardware. There is no single point of failure for communication or a bandwidth bottleneck.

738
Q

In Amazon EC2, you can manage your instances from the moment you launch them up to their termination. You can flexibly control your computing costs by changing the EC2 instance state. Which of the following statements is true regarding EC2 billing? (choose 2)

  1. you will be billed when your Reserved Instance is in terminated state
  2. you will be billed when your On-Demand instance is in pending state
  3. you will be billed when your on demand instance is preparing to hibernate with a stopping state
  4. you will be billed when your Spot instance is preparing to stop with a stopping state
  5. you will not be billed for any instance usage while an instance is not in the running state

A
  • you will be billed when your Reserved Instance is in terminated state
  • you will be billed when your on demand instance is preparing to hibernate with a stopping state

739
Q

You are working as a Solutions Architect for a multinational financial firm. They have a global online trading platform in which the users from all over the world regularly upload terabytes of transactional data to a centralized S3 bucket. What AWS feature should you use in your present system to improve throughput and ensure consistently fast data transfer to the Amazon S3 bucket, regardless of your user’s location?

A

Amazon S3 Transfer Acceleration

Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and your Amazon S3 bucket. Transfer Acceleration leverages Amazon CloudFront’s globally distributed AWS Edge Locations. As data arrives at an AWS Edge Location, data is routed to your Amazon S3 bucket over an optimized network path.

740
Q

Your company has recently deployed a new web application which uses a serverless-based architecture in AWS. Your manager instructed you to implement CloudWatch metrics to monitor your systems more effectively. You know that Lambda automatically monitors functions on your behalf and reports metrics through Amazon CloudWatch. In this scenario, what types of data do these metrics monitor? (Choose 2)

  • ApproximateAgeOfOldestMessage
  • Invocations
  • DeadLetterErrors
  • ReservedConcurrentExecutions
  • IteratorSize

A
  • Invocations
  • DeadLetterErrors

AWS Lambda automatically monitors functions on your behalf, reporting metrics through Amazon CloudWatch. These metrics include total invocation requests, latency, and error rates. Throttles, Dead Letter Queue errors and Iterator age for stream-based invocations are also monitored.

ReservedConcurrentExecutions is incorrect because CloudWatch does not monitor Lambda’s reserved concurrent executions. You can view it through the Lambda console or via CLI manually.

IteratorSize and ApproximateAgeOfOldestMessage are incorrect because these two are not Lambda metrics.

741
Q

What is Invocations?

A

the action of invoking someone or something…An example of invocation is when you turn to an authority for help in proving your point, invoking or relying on the authority.

742
Q

What is ReservedConcurrentExecutions?

A

ReservedConcurrentExecutions. The number of concurrent executions that are reserved for this function.

743
Q

What is Throttle in AWS Lambda?

A

Limits to how often you can submit requests.

Throttling is the process of limiting the number of requests you (or your authorized developer) can submit to a given operation in a given amount of time.

744
Q

You are working for a large telecommunications company where you need to run analytics against all combined log files from your Application Load Balancer as part of the regulatory requirements. Which AWS services can be used together to collect logs and then easily perform log analysis?

A

Amazon S3 for storing ELB log files and Amazon EMR for analyzing the log files.

Access logging is an optional feature of Elastic Load Balancing that is disabled by default. After you enable access logging for your load balancer, Elastic Load Balancing captures the logs and stores them in the Amazon S3 bucket that you specify as compressed files. You can disable access logging at any time.

Amazon EMR provides a managed Hadoop framework that makes it easy, fast, and cost-effective to process vast amounts of data across dynamically scalable Amazon EC2 instances. It securely and reliably handles a broad set of big data use cases, including log analysis, web indexing, data transformations (ETL), machine learning, financial analysis, scientific simulation, and bioinformatics. You can also run other popular distributed frameworks such as Apache Spark, HBase, Presto, and Flink in Amazon EMR, and interact with data in other AWS data stores such as Amazon S3 and Amazon DynamoDB.

745
Q

A tech company is currently using Auto Scaling for their web application. A new AMI now needs to be used for launching a fleet of EC2 instances. Which of the following changes needs to be done?

A

Create a new launch configuration

For this scenario, you have to create a new launch configuration. Remember that you can’t modify a launch configuration after you’ve created it.

A launch configuration is a template that an Auto Scaling group uses to launch EC2 instances. When you create a launch configuration, you specify information for the instances such as the ID of the Amazon Machine Image (AMI), the instance type, a key pair, one or more security groups, and a block device mapping. You can specify your launch configuration with multiple Auto Scaling groups. However, you can only specify one launch configuration for an Auto Scaling group at a time, and you can’t modify a launch configuration after you’ve created it. Therefore, if you want to change the launch configuration for an Auto Scaling group, you must create a launch configuration and then update your Auto Scaling group with the new launch configuration.

746
Q

You are working for a large IT consultancy company as a Solutions Architect. One of your clients is launching a file sharing web application in AWS which requires a durable storage service for hosting their static contents such as PDFs, Word Documents, high resolution images and many others. Which type of storage service should you use to meet this requirement?

A

Amazon S3

Remember that the scenario requires durable storage for static content. These two keywords are actually referring to S3, since it is highly durable and suitable for storing static content.

747
Q

You are a Solutions Architect for a major TV network. They have a web application running on eight Amazon EC2 instances, consuming about 55% of resources on each instance. You are using Auto Scaling to make sure that eight instances are running at all times. The number of requests that this application processes are consistent and do not experience spikes. Your manager instructed you to ensure high availability of this web application at all times to avoid any loss of revenue. You want the load to be distributed evenly between all instances. You also want to use the same Amazon Machine Image (AMI) for all EC2 instances. How will you be able to achieve this?

A

The best option to take is to deploy four EC2 instances in one Availability Zone and four in another availability zone in the same region behind an Amazon Elastic Load Balancer. In this way, if one availability zone goes down, there is still another available zone that can accommodate traffic.

Take note that Auto Scaling will launch additional EC2 instances to the remaining Availability Zone/s in the event of an Availability Zone outage in the region.

748
Q

You are working for an investment bank as their IT Consultant. You are working with their IT team to handle the launch of their digital wallet system. The applications will run on multiple EBS-backed EC2 instances which will store the logs, transactions, and billing statements of the user in an S3 bucket. Due to tight security and compliance requirements, you are exploring options on how to safely store sensitive data on the EBS volumes and S3. Which of the below options should be carried out when storing sensitive data on AWS? (Choose 2)

  • Use AWS Shield and WAF
  • Create an EBS snapshot
  • Migrate the EC2 instances from the public to private subnet
  • enable Amazon S3 Server-Side or use Client-Side Encryption
  • enable EBS encryption

A
  • enable Amazon S3 Server-side or use Client-side encryption
  • enable EBS encryption

Enabling EBS Encryption and enabling Amazon S3 Server-Side or use Client-Side Encryption are correct. Amazon EBS encryption offers a simple encryption solution for your EBS volumes without the need to build, maintain, and secure your own key management infrastructure.

749
Q

In your VPC, you have a Classic Load Balancer distributing traffic to 2 running EC2 instances in the ap-southeast-1a AZ and 8 EC2 instances in the ap-southeast-1b AZ. However, you noticed that half of your incoming traffic goes to the ap-southeast-1a AZ, which over-utilizes its 2 instances but underutilizes the other 8 instances in the other AZ. What could be the most likely cause of this problem?

A

Cross-Zone Load Balancing is disabled

750
Q

What is the largest object that can be uploaded to S3 in a single PUT?

A

5 GB

Remember that the upload limit depends on whether you upload an object using a single PUT operation or via Multipart Upload. The largest object that can be uploaded in a single PUT is 5 GB. Please take note of the phrase “… in a single PUT”. If you are using the multipart upload API, then the limit is 5 TB.

751
Q

What is the largest object that can be uploaded to S3 in a multipart PUT?

A

5 TB.

Remember that the upload limit depends on whether you upload an object using a single PUT operation or via Multipart Upload. The largest object that can be uploaded in a single PUT is 5 GB. Please take note of the phrase “… in a single PUT”. If you are using the multipart upload API, then the limit is 5 TB.

752
Q

You are a new Solutions Architect working for a financial company. Your manager wants to have the ability to automatically transfer obsolete data from their S3 bucket to a low cost storage system in AWS. What is the best solution you can provide to them?

A

Use Lifecycle Policies in S3 to move obsolete data to Glacier

753
Q

A VPC has a non-default public subnet which has four On-Demand EC2 instances that can be accessed over the Internet. Using the AWS CLI, you launched a fifth instance that uses the same subnet, Amazon Machine Image (AMI), and security group which are being used by the other instances. Upon testing, you are not able to access the new instance. Which of the following is the most suitable solution to solve this problem?

A

Associate an Elastic IP address to the fifth EC2 instance.

Associating an Elastic IP address to the fifth EC2 instance is correct because the fifth instance does not have a public IP address, since it was deployed on a non-default subnet. The other 4 instances are accessible over the Internet because they each have an Elastic IP address attached, unlike the last instance, which only has a private IP address. An Elastic IP address is a public IPv4 address, which is reachable from the Internet. If your instance does not have a public IPv4 address, you can associate an Elastic IP address with your instance to enable communication with the Internet.

754
Q

You are working as a Solutions Architect for an aerospace manufacturer which heavily uses AWS. They are running a cluster of multi-tier applications that spans multiple servers for your wind simulation model and how it affects your state-of-the-art wing design. Currently, you are experiencing a slowdown in your applications and upon further investigation, it was discovered that it is due to latency issues. Which of the following EC2 features should you use to optimize performance for a compute cluster that requires low network latency?

A

Placement Groups

You can launch EC2 instances in a placement group, which determines how instances are placed on underlying hardware. When you create a placement group, you specify one of the following strategies for the group:

Cluster - clusters instances into a low-latency group in a single Availability Zone

Spread - spreads instances across underlying hardware

755
Q

What is a placement group?

A

Placement Groups are logical groupings or clusters of instances in the selected AWS region. Placement groups are specifically used for launching cluster compute instance types (e.g. cc2.8xlarge). Cluster Compute Instances provide a large amount of CPU.

756
Q

What is a spread Placement Group?

A

A Spread Placement Group is a group of instances that are each placed on distinct underlying hardware. It reduces the risk of simultaneous failures that might occur when instances share the same underlying hardware.

757
Q

What is cluster placement group?

A

A Cluster Placement Group is a logical grouping of instances within a single Availability Zone; it does not span across Availability Zones. It is recommended for applications that benefit from low network latency, high network throughput, or both.

758
Q

You are a new Solutions Architect in your company. Upon checking the existing Inbound Rules of your Network ACL, you saw this configuration:

A
759
Q

If a computer with an IP address of 110.238.109.37 sends a request to your VPC, what will happen?

A

it will be allowed

Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it’s applied immediately regardless of any higher-numbered rule that may contradict it.

We have 3 rules here:

  1. Rule 100 permits all traffic from any source.
  2. Rule 101 denies all traffic coming from 110.238.109.37.
  3. The Default Rule (*) denies all traffic from any source.

Rule 100 will be evaluated first. If there is a match, then it will allow the request. Otherwise, it will then go to Rule 101 and repeat the same process until it reaches the default rule. In this case, when there is a request from 110.238.109.37, it will go through Rule 100 first. As Rule 100 says it will permit all traffic from any source, it will allow this request and will not further evaluate Rule 101 (which denies 110.238.109.37) nor the default rule.

760
Q

A tech startup is launching an on-demand food delivery platform using an Amazon ECS cluster with the AWS Fargate serverless compute engine and Amazon Aurora. It is expected that the database read queries will significantly increase in the coming weeks. A Solutions Architect recently launched two Read Replicas to the database cluster to improve the platform’s scalability.

Which of the following is the MOST suitable configuration that the Architect should implement to load balance all of the incoming read requests equally to the two Read Replicas?

A

Use the built-in Reader endpoint of the Amazon Aurora database

A reader endpoint for an Aurora DB cluster provides load-balancing support for read-only connections to the DB cluster. Use the reader endpoint for read operations, such as queries. By processing those statements on the read-only Aurora Replicas, this endpoint reduces the overhead on the primary instance. It also helps the cluster to scale the capacity to handle simultaneous SELECT queries, proportional to the number of Aurora Replicas in the cluster. Each Aurora DB cluster has one reader endpoint.

761
Q

You are a Solutions Architect working for an aerospace engineering company which recently adopted a hybrid cloud infrastructure with AWS. One of your tasks is to launch a VPC with both public and private subnets for their EC2 instances as well as their database instances respectively.

Which of the following statements are true regarding Amazon VPC subnets? (Choose 2)

  • Each subnet maps to a single AZ
  • EC2 instances in a private subnet can communicate with the internet only if they have an elastic IP
  • Every subnet that you create is automatically associated with the main route table for the VPC
  • The allowed block size in VPC is between a /16 netmask (65,536 IP addresses) and /27 netmask (16 IP addresses)
  • Each subnet spans 2 AZs

A
  • Each subnet maps to a single AZ
  • Every subnet that you create is automatically associated with the main route table for the VPC

A VPC spans all the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone. Each subnet must reside entirely within one Availability Zone and cannot span zones.

762
Q

What is the allowed range of block sizes in a VPC?

A

The allowed block size in a VPC is between a /16 netmask (65,536 IP addresses) and a /28 netmask (16 IP addresses).

763
Q

A company is using a custom shell script to automate the deployment and management of their EC2 instances. The script is using various AWS CLI commands such as revoke-security-group-ingress, revoke-security-group-egress, run-scheduled-instances and many others. In the shell script, what does the revoke-security-group-ingress command do?

A

Removes one or more ingress rules from a security group.

764
Q

You are the Solutions Architect for your company’s AWS account of approximately 300 IAM users. They have a new company policy that will change the access of 100 of the IAM users to have a particular sort of access to Amazon S3 buckets. What will you do to avoid the time-consuming task of applying the policy to each individual user?

A

Create a new IAM group and then add the users that require access to the S3 bucket. Afterwards, apply the policy to the IAM group.

This will enable you to easily add, remove, and manage the users instead of manually adding a policy to each and every one of the 100 IAM users.

765
Q

Your customer has clients all across the globe that access product files stored in several S3 buckets, which are behind each of their own CloudFront web distributions. They currently want to deliver their content to a specific client, and they need to make sure that only that client can access the data. Currently, all of their clients can access their S3 buckets directly using an S3 URL or through their CloudFront distribution. Which of the following are possible solutions that you could implement to meet the above requirements?

A

The option that says: Use S3 pre-signed URLs to ensure that only their client can access the files. Remove permission to use Amazon S3 URLs to read the files for anyone else is correct because using a presigned URL to your S3 bucket will prevent other users from accessing your private data, which is intended only for a certain client.

The option that says: Use CloudFront Signed Cookies to ensure that only their client can access the files is incorrect because the signed cookies feature is primarily used if you want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers’ area of a website. In addition, this solution is not complete since the users can bypass the restrictions by simply using the direct S3 URLs.

The option that says: Use CloudFront signed URLs to ensure that only their client can access the files is incorrect because although this solution is valid, the users can still bypass the restrictions in CloudFront by simply connecting to the direct S3 URLs.

766
Q

You are working for a tech company that uses a lot of EBS volumes in their EC2 instances. An incident occurred that requires you to delete the EBS volumes and then re-create them again. What step should you do before you delete the EBS volumes?

A

Store a snapshot of the volume.

You can back up the data on your Amazon EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved.

When you no longer need an Amazon EBS volume, you can delete it. After deletion, its data is gone and the volume can’t be attached to any instance. However, before deletion, you can store a snapshot of the volume, which you can use to re-create the volume later.

767
Q

You are unable to connect via SSH from your home computer to your new EC2 instance, which you have recently deployed. However, you were able to successfully access other existing instances in your VPC without any issues. Which of the following should you check and possibly correct to restore connectivity?

A

Configure the Security Group of the EC2 instance to permit ingress traffic over port 22 from your IP.

When connecting to your EC2 instance via SSH, you need to ensure that port 22 is allowed on the security group of your EC2 instance.

A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group.

768
Q

You are trying to convince a team to use Amazon RDS Read Replica for your multi-tier web application. What are two benefits of using read replicas? (choose 2)

A
  • It provides elasticity to your Amazon RDS database
  • Improves performance of the primary database by taking workload from it

Amazon RDS Read Replicas provide enhanced performance and durability for database (DB) instances. This feature makes it easy to elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads.

You can create one or more replicas of a given source DB Instance and serve high-volume application read traffic from multiple copies of your data, thereby increasing aggregate read throughput. Read replicas can also be promoted when needed to become standalone DB instances. Read replicas are available in Amazon RDS for MySQL, MariaDB, Oracle and PostgreSQL, as well as Amazon Aurora.

769
Q

Your company is in a hurry to deploy their new web application written in NodeJS to AWS. As the Solutions Architect of the company, you were assigned to do the deployment without worrying about the underlying infrastructure that runs the application. Which service will you use to easily deploy and manage your new web application in AWS?

A

AWS Elastic Beanstalk

With Elastic Beanstalk, you can quickly deploy and manage applications in the AWS Cloud without worrying about the infrastructure that runs those applications. AWS Elastic Beanstalk reduces management complexity without restricting choice or control. You simply upload your application, and Elastic Beanstalk automatically handles the details of capacity provisioning, load balancing, scaling, and application health monitoring.

770
Q

You are a new Solutions Architect in your department and you have created 7 CloudFormation templates. Each template has been defined for a specific purpose. What determines the cost of using these new CloudFormation templates?

A

CloudFormation templates are free, but you are charged for the underlying resources they build

771
Q

You are working as a Solutions Architect for a tech company where you are instructed to build a web architecture using On-Demand EC2 instances and a database in AWS. However, due to budget constraints, the company instructed you to choose a database service in which they no longer need to worry about database management tasks such as hardware or software provisioning, setup, configuration, scaling and backups. Which database service in AWS is best to use in this scenario?

A

DynamoDB

Basically, a database service in which you no longer need to worry about database management tasks such as hardware or software provisioning, setup and configuration is called a fully managed database. This means that AWS fully manages all of the database management tasks and the underlying host server. The main differentiator here is the keyword “scaling” in the question. In RDS, you still have to manually scale up your resources and create Read Replicas to improve scalability while in DynamoDB, this is automatically done.

DynamoDB is the best option to use in this scenario. It is a fully managed non-relational database service – you simply create a database table, set your target utilization for Auto Scaling, and let the service handle the rest.

(Redshift is incorrect because although this is fully managed, it is not a database service but a Data Warehouse.)

772
Q

A global online sports betting company has its popular web application hosted in AWS. They are planning to develop a new online portal for their new business venture and they hired you to implement the cloud architecture for a new online portal that will accept bets globally for world sports. You started to design the system with a relational database that runs on a single EC2 instance, which requires a single EBS volume that can support up to 30,000 IOPS. In this scenario, which Amazon EBS volume type can you use that will meet the performance requirements of this new online portal?

A

EBS Provisioned IOPS SSD (io1)

The scenario requires a storage type for a relational database with high IOPS performance. For these scenarios, SSD volumes are more suitable to use instead of HDD volumes. Remember that the dominant performance attribute of SSD is IOPS, while that of HDD is throughput.

773
Q

An online stocks trading application that stores financial data in an S3 bucket has a lifecycle policy that moves older data to Glacier every month. There is a strict compliance requirement where a surprise audit can happen at any time and you should be able to retrieve the required data in under 15 minutes under all circumstances. Your manager instructed you to ensure that retrieval capacity is available when you need it and should handle up to 150 MB/s of retrieval throughput. Which of the following should you do to meet the above requirement? (Choose 2)

A
  • Purchase provisioned retrieval capacity
  • Use Expedited Retrieval to access the financial data

Expedited retrievals allow you to quickly access your data when occasional urgent requests for a subset of archives are required. For all but the largest archives (250 MB+), data accessed using Expedited retrievals are typically made available within 1–5 minutes. Provisioned Capacity ensures that retrieval capacity for Expedited retrievals is available when you need it.

Provisioned capacity ensures that your retrieval capacity for expedited retrievals is available when you need it. Each unit of capacity ensures that at least three expedited retrievals can be performed every five minutes and provides up to 150 MB/s of retrieval throughput. You should purchase provisioned retrieval capacity if your workload requires highly reliable and predictable access to a subset of your data in minutes.

774
Q

What are Expedited Retrievals for?

A

Expedited retrievals allow you to quickly access your data when occasional urgent requests for a subset of archives are required. For all but the largest archives (250 MB+), data accessed using Expedited retrievals are typically made available within 1–5 minutes. Provisioned Capacity ensures that retrieval capacity for Expedited retrievals is available when you need it.

775
Q

A document sharing website is using AWS as its cloud infrastructure. Free users can upload a total of 5 GB data while premium users can upload as much as 5 TB. Their application uploads the user files, which can have a max file size of 1 TB, to an S3 Bucket. In this scenario, what is the best way for the application to upload the large files in S3?

A

Use Multipart upload

776
Q

You have a VPC that has a CIDR block of 10.31.0.0/27 which is connected to your on-premises data center. There was a requirement to create a Lambda function that will process massive amounts of cryptocurrency transactions every minute and then store the results in EFS. After you set up the serverless architecture and connected the Lambda function to your VPC, you noticed that there is an increase in invocation errors with EC2 error types such as EC2ThrottledException at certain times of the day.

Which of the following are the possible causes of this issue? (Choose 2)

A

If your VPC does not have sufficient ENIs or subnet IPs, your Lambda function will not scale as requests increase, and you will see an increase in invocation errors with EC2 error types like EC2ThrottledException.

Hence, the correct answers for this scenario are:

  • You only specified one subnet in your Lambda function configuration. That single subnet runs out of available IP addresses and there is no other subnet or Availability Zone which can handle the peak load.
  • Your VPC does not have sufficient subnet ENIs or subnet IPs.

777
Q

A leading media company has an application hosted in an EBS-backed EC2 instance which uses Simple Workflow Service (SWF) to handle its sequential background jobs. The application works well in production and your manager asked you to also implement the same solution to other areas of their business. In which other scenarios can you use both Simple Workflow Service (SWF) and Amazon EC2 as a solution? (Choose 2)

  • for web applications that require content delivery networks
  • Managing a multi-step and multi-decision checkout process of an e-commerce mobile app
  • for applications that require a message queue
  • for a distributed session management for your mobile application
  • Orchestrating the execution of distributed business processes
A
  • Managing a multi-step and multi-decision checkout process of an e-commerce mobile app.
  • Orchestrating the execution of distributed business processes
778
Q

You are working for a data analytics company as a Software Engineer, which has a client that is setting up an innovative checkout-free grocery store. You developed a monitoring application that uses smart sensors to collect the items that your customers are getting from the grocery’s refrigerators and shelves then automatically maps it to their accounts. To know more about the buying behavior of your customers, you want to analyze the items that are constantly being bought and store the results in S3 for durable storage. What service can you use to easily capture, transform, and load streaming data into Amazon S3, Amazon Elasticsearch Service, and Splunk?

A

Amazon Kinesis Data Firehose

Amazon Kinesis Data Firehose is the easiest way to load streaming data into data stores and analytics tools. It can capture, transform, and load streaming data into Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk, enabling near real-time analytics with existing business intelligence tools and dashboards you are already using today.

779
Q

What is the relation of CloudFront and DynamoDB?

A

There is no relation: they are incompatible and cannot work together.

780
Q

You currently have an Augmented Reality (AR) mobile game which has a serverless backend. It is using a DynamoDB table which was launched using the AWS CLI to store all the user data and information gathered from the players and a Lambda function to pull the data from DynamoDB. The game is being used by millions of users each day to read and store data. How would you design the application to improve its overall performance and make it more scalable while keeping the costs low? (choose 2)

A
  • Enable DynamoDB Accelerator (DAX) and ensure that the Auto Scaling is enabled and increase the maximum provisioned read and write capacity
  • Use API Gateway in conjunction with Lambda, turn on caching for frequently accessed data, and enable DynamoDB global replication
781
Q

Your manager has asked you to deploy a mobile application that can collect votes for a popular singing competition. Millions of users from around the world will submit votes using their mobile phones. These votes must be collected and stored in a highly scalable and highly available data store which will be queried for real-time ranking.

Which of the following combination of services should you use to meet this requirement?

A

Amazon DynamoDB and AWS AppSync

DynamoDB is a durable, scalable, and highly available data store which can be used for real-time tabulation. You can also use AppSync with DynamoDB to make it easy for you to build collaborative apps that keep shared data updated in real time. You just specify the data for your app with simple code statements and AWS AppSync manages everything needed to keep the app data updated in real time. This will allow your app to access data in Amazon DynamoDB, trigger AWS Lambda functions, or run Amazon Elasticsearch queries and combine data from these services to provide the exact data you need for your app.

782
Q

What is the default retention period in Kinesis?

A

24 hours

The time period from when a record is added to when it is no longer accessible is called the retention period. A Kinesis data stream stores records for 24 hours by default, up to a maximum of 168 hours.

783
Q

You are working for an insurance firm as their Senior Solutions Architect. The firm has an application which processes thousands of customer records stored in an Amazon MySQL database with a Multi-AZ deployment configuration for high availability in case of downtime. For the past few days, you noticed an increasing trend of read and write operations, which is increasing the latency of the queries to your database. You are planning to use the standby database instance to balance the read and write operations from the primary instance. When running your primary Amazon RDS Instance as a Multi-AZ deployment, can you use the standby instance for read and write operations?

A

The answer is No. The standby instance will not perform any read and write operations while the primary instance is running.

784
Q

You are working for a large financial firm and you are instructed to set up a Linux bastion host. It will allow access to the Amazon EC2 instances running in their VPC. For security purposes, only the clients connecting from the corporate external public IP address 175.45.116.100 should have SSH access to the host. Which is the best option that can meet the customer’s requirement?

A

Security Group Inbound Rule; Protocol - TCP, Port Range - 22, Source 175.45.116.100/32

  • SSH uses TCP
  • Security group, because security groups act at the INSTANCE level
  • When setting up a bastion host in AWS, you should only allow the individual IP of the client and not the entire network. Therefore, in the Source, the proper CIDR notation should be used. The /32 denotes one IP address and the /0 refers to the entire network.
785
Q

You are automating the creation of EC2 instances in your VPC. Hence, you wrote a Python script to trigger the Amazon EC2 API to request 50 EC2 instances in a single Availability Zone. However, you noticed that after 20 successful requests, subsequent requests failed. What could be a reason for this issue and how would you resolve it?

A

There is a soft limit of 20 instances per region which is why subsequent requests failed. Just submit the limit increase form to AWS and retry the failed requests once approved.

786
Q

You are working for a startup as its AWS Chief Architect. You are currently assigned to a project that develops an online registration platform for events, which uses Simple Workflow for complete control of your orchestration logic. A decider ingests the customer name, address, contact number, and email address while the activity workers update the customer with the status of their online application via email. Recently, you were having problems with your online registration platform which were solved by checking the decision task of your workflow. In SWF, what is the purpose of a decision task?

A

It tells the decider the state of the workflow execution

Amazon SWF issues decision tasks whenever a workflow execution has transitions such as an activity task completing or timing out. A decision task contains information on the inputs, outputs, and current state of previously initiated activity tasks. Your decider uses this data to decide the next steps, including any new activity tasks, and returns those to Amazon SWF. Amazon SWF in turn enacts these decisions, initiating new activity tasks where appropriate and monitoring them.

787
Q

What is the purpose of an “activity task” in SWF?

A

It tells the worker to perform a function

788
Q

What allows you to connect your AWS cloud resources to your on-premises data center using secure and private sessions with IP security (IPsec) or Transport Layer Security (TLS) tunnels?

A

VPN!

789
Q

When should you use an Active-Active Failover configuration?

A

Use this failover configuration when you want all of your resources to be available the majority of the time. When a resource becomes unavailable, Route 53 can detect that it’s unhealthy and stop including it when responding to queries.

In active-active failover, all the records that have the same name, the same type (such as A or AAAA), and the same routing policy (such as weighted or latency) are active unless Route 53 considers them unhealthy. Route 53 can respond to a DNS query using any healthy record.

790
Q

When should you use an Active-Passive Failover configuration?

A

Use an active-passive failover configuration when you want a primary resource or group of resources to be available the majority of the time and you want a secondary resource or group of resources to be on standby in case all the primary resources become unavailable. When responding to queries, Route 53 includes only the healthy primary resources. If all the primary resources are unhealthy, Route 53 begins to include only the healthy secondary resources in response to DNS queries.

791
Q

A new online banking platform has been re-designed to have a microservices architecture in which complex applications are decomposed into smaller, independent services. The new platform is using Docker considering that application containers are optimal for running small, decoupled services. The new solution should remove the need to provision and manage servers, let you specify and pay for resources per application, and improve security through application isolation by design.

Which of the following is the MOST suitable service to use to migrate this new platform to AWS?

A

AWS Fargate

AWS Fargate is a serverless compute engine for containers that works with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS). Fargate makes it easy for you to focus on building your applications. Fargate removes the need to provision and manage servers, lets you specify and pay for resources per application, and improves security through application isolation by design.

792
Q

You are working for a startup company that has resources deployed on the AWS Cloud. Your company is now going through a set of scheduled audits by an external auditing firm for compliance.

Which of the following services available in AWS can be utilized to help ensure the right information is present for auditing purposes?

A

AWS CloudTrail

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.

793
Q

Your IT Manager instructed you to set up a bastion host in the cheapest, most secure way, and that you should be the only person that can access it via SSH.

Which of the following steps would satisfy your IT Manager’s request?

A

Set up a small EC2 instance and a security group which only allows access on port 22 via your IP address

794
Q

You are working as an IT Consultant for a large investment bank that generates large financial datasets with millions of rows. The data must be stored in a columnar fashion to reduce the number of disk I/O requests and reduce the amount of data needed to load from the disk. The bank has an existing third-party business intelligence application which will connect to the storage service and then generate daily and monthly financial reports for its clients around the globe. In this scenario, which is the best storage service to use to meet the requirement?

A

Redshift

In this scenario, there is a requirement to have a storage service which will be used by a business intelligence application and where the data must be stored in a columnar fashion. Business Intelligence reporting systems are a type of Online Analytical Processing (OLAP), which Redshift is known to support. In addition, Redshift also provides columnar storage, unlike the other options. Hence, the correct answer in this scenario is Amazon Redshift.

795
Q

You are working for a FinTech startup as their AWS Solutions Architect. You deployed an application on different EC2 instances with Elastic IP addresses attached for easy DNS resolution and configuration. These servers are only accessed from 8 AM to 6 PM and can be stopped from 6 PM to 8 AM for cost efficiency using Lambda with the script that automates this based on tags. Which of the following will occur when an EC2-VPC instance with an associated Elastic IP is stopped and started? (Choose 2)

A
  • All data on the attached instance-store devices will be lost
  • the underlying host for the instance is possibly changed

This question did not mention the specific type of EC2 instance; however, it says that it will be stopped and started. Since only EBS-backed instances can be stopped and restarted, it is implied that the instance is EBS-backed. Remember that an instance store-backed instance can only be rebooted or terminated, and its data will be erased if the EC2 instance is terminated.

If you stopped an EBS-backed EC2 instance, the volume is preserved but the data in any attached Instance store volumes will be erased. Keep in mind that an EC2 instance has an underlying physical host computer. If the instance is stopped, AWS usually moves the instance to a new host computer. Your instance may stay on the same host computer if there are no problems with the host computer. In addition, its Elastic IP address is disassociated from the instance if it is an EC2-Classic instance. Otherwise, if it is an EC2-VPC instance, the Elastic IP address remains associated.

796
Q

A manufacturing company has EC2 instances running in AWS. The EC2 instances are configured with Auto Scaling. There are a lot of requests being lost because of too much load on the servers. Auto Scaling is launching new EC2 instances to take the load accordingly, yet there are still some requests that are being lost.

Which of the following is the MOST suitable solution that you should implement to avoid losing recently submitted requests?

A

Use an SQS queue to decouple the application components