aws Flashcards
(123 cards)
1
Q
Whats the most efficient way to setup a DB that is repeatedly cloned?
A
Setup an Aurora Cluster with multi AZ replicas. Then use aurora cloning.
2
Q
How do you encrypt inflight data coming from/to a DB?
A
Import the RDS root CA cert. Import the Cert to your servers. Then setup your app to use SSL to encrypt connections to DB. Then force all connections to use SSL.
3
Q
Whats the most efficient way to implement disaster recovery for an on-premises DB?
A
use elastic disaster recovery service (DRS) to replicate the changes of the on-premises app to AWS.
4
Q
What service would you use to create an SMS service that is interactive?
A
Pinpoint journey
5
Q
How do you reduce the number of IP addresses a client needs to whitelist?
A
Global accelerator allows you to create 2 endpoint groups as an entry point into you applications. Then you can use load balancers to distribute traffic.
6
Q
Which is multithreaded memcached or redis?
A
memcached
7
Q
what is memcached auto discovery?
A
allows you app to connect to one node which then retrieves the rest of the nodes which then allows the application to connect to the most appropriate node.
8
Q
What is Redis global datastore
A
Allows writing to 1 cluster and reading from two cross-region replica clusters.
9
Q
How would you allow company division but allow 1 entity to enforce IT governance and cost oversight of those divisions?
A
Use consolidated billing by creating an AWS org and link the accounts to a parent acount. then enable IAM cross-account access for all corperate IT admins in each child account.
10
Q
How do you allow and IAM user to make API calls?
A
create a set of access keys for the user and attach the necessary permissions.
11
Q
Why would you get an insufficient capacity error when attempting to add instances to an already running cluster placement group? How could you still add instances?
A
There is no more room on the hardware to fit more instances. Stop and start the cluster placement group.
12
Q
How would you create a conversational bot?
A
Amazon Lex
13
Q
Whats the easiest way to allow a lambda function to be called by a third party?
A
generate a lambda function URL and use it as a webhook for third parties.
14
Q
how can you allow yourself to be notified when your certificates are going to expire?
A
create an eventbridge rule to check if certificates are set to expire. then send a notification though SNS.
15
Q
When does amazon certificate manager (ACM) start sending expiration events?
A
45 days prior to expiration.
16
Q
how can you know if a certificate is about to expire?
A
ACM sends events that can be listed for. You can also check the daystoexpiry metric on the cert.
17
Q
how would you migrate a 3 tier containerized application into AWS so that it has high availability?
A
Move static assets and web pages to S3. host the app on ECS with auto scaling. The migrate the DB to RDS with multi-AZ deployment.
18
Q
How do you allow cross region replication of an S3 bucket?
A
- enable versioning on source and destination bucket.
- Source bucket must have the permissions to create objects in the destination bucket.
19
Q
how do you allow an instance to establish connections to the internet using IPv4 but disallow connections to the instance?
A
NAT gateway/ instance
20
Q
If you suspect servers are slow due to not being able to handle traffic how would you verify?
A
use Computer Optimizer to see recommendations for the optimal size of computer-related resources.
21
Q
whats cheaper storing images along keys in a DB or storing locations of images in a DB then storing images in S3?
A
storing images in S3.
22
Q
How do you manager and monitor your containers in AWS.
A
Create a workspace on AWS manage Service for prometheous to collect container metrics. Set this workspace as the data source in AWS managed grafana for monitoring and data visualization.
23
Q
Whats the most cost efficient way to to run a critical work load along with non critical work on a EMR cluster?
A
implement a transient EMR cluster with the primary and core nodes on on-demand instances and task nodes on spot instances.
24
Q
what order are instances terminated during auto-scaling?
A
in the availability zone with most instances. Then instances with the oldest launch template. then instances that are closest to the next billing hour.
25
how do you share lake formation data with the least amount of effort?
Use lake formation tag based access control to enable authorization and cross-account permissions. Integrate with Security Hub to enhance monitoring and compliant oversight.
26
how can you monitor the logs in an EKS cluster with the least effort?
Use Cloudwatch container insights and the cloudwatch dashboard to view application's logs and metrics.
27
How do you automatically start and stop instances (not terminate) instances automatically on a schedule?
Create a Lambda function to start and stop instances. Then setup an eventbridge event to trigger the lambda function.
28
Which file systems are multi protocol? Which are single and what are those protocols?
NetApp ONTAP supports NFS, SMB, iSCSI. Open ZFS supports NFS. Windows file server supports SMB. Lustre is its own file system.
29
If you already have cloudtrail enabled what would be the easiest way to monitor IAM-related errors along with unauthorized errors?
Query cloudtrail lake to find specific errors from the cloudtrail logs.
30
how can you host an application and DB cheaply given it has spiky traffic. It still needs to be available during idle periods.
containerize the app and use fargate with aurora serverless
31
can a NLB do http health checks?
yes
32
If you need an autoscaling DB whats the best choice?
Aurora serverless
33
in route 53 how do you point your domain name to a Application load balancer?
Alias with a type "AAAA"(IPV6) or "A"(IpV4) record
34
How would you implement DR for a file system with the least amount of effort?
Create FSx systems in a source and destination region then establish VPC peering. The configure replication between the instances.
35
how do you monitor traffic into and out of a vpc? and potentially block traffic?
use custom security rules in AWS network firewall to detect and filter traffic passing to and from the VPC
36
How do you monitor every request to an S3 bucket?
enable server access logging for the S3 bucket.
37
how do you monitor the API calls into a redshift instance?
cloudtrail
38
what is redshift spectrum?
a feature that allows one to query and analyze data in redshift.
39
how long must objects be in their current storage class before moving to infrequent access?
30 days
40
how do you geographically restrict users from accessing content?
apply geographic restrictions using an allow list. then return custom error responses.
41
How do you centrally manage allowed and disallowed CIDR ranges for multiple accounts?
Create a VPC customer-manager prefix list then add the cidr blocks. Shre the prefix list ID with the other aws accounts using RAM resource access manager. Then add the prefix list to the security groups.
42
How do you ensure only certain services can access a data base or S3 bucket?
Create a VPC endpoint(gateway endpoint) for the DB. Then allow a rule for the DB security group granting access to the service that will use it. FOr the S3 bucket deny access through the bucket policy where the source is anything other than what is allowed.
43
if you are constantly over-provisioning resources what scaling policy should you use?
target tracking
44
How do you ensure that a dynamoDB table is distributing its work efficiently?
Use partition keys with high cardinality attributes (a large amount of distinct values)
45
whats the easiest way to transform data entering an S3 bucket.
Create S3 events for put calls -> integrate with SNS -> invoke a glue job to transform the data
45
How would you send out emails in response to changes to a dynamoDB table?
enable dynamoDB stream along with a lambda trigger and give the lambda function the appropriate role to send emails.
46
what is a 504 error and what should you do if users receive them?
504 is a gateway timeout. If this occurs setup origin failover in cloudfront.
47
how do you connect to DynamoDB and S3 without passing through the public internet?
use a VPC endpoint to route traffic through private endpoints.
48
How do you prevent accidental deletion of object in an S3 bucket?
enable versioning and multifactor authentication for deletion.
49
How do you release a new version of an API that could have possible bugs?
Release the new version into a canary stage then slowly increase traffic to it before promoting to production.
50
How do you route specific queries to specific instance in Aurora?
create a custom endpoint in aurora
51
How do you ensure a DB is accessible using an authentication token?
enable IAM db authentication
52
how do you ensure that a ensure a password is required before commands are entered into a redis cluster?
require redis Auth by creating a new cluster then enable both --auth-token and --transit-encryption-enabled parameters
53
How do you setup an S3 bucket that used active directory AD and restricts users to specific folders
Configure an IAM policy and role to access the bucket. Then setup a federated proxy or identity provider and use AWS security token service to provide to generate temporary tokens.
54
How do you get all compliance related documents for an account?
Use AWS artifact to view security related documents along with compliance related documents.
55
How do you ensure only members of your website can view your content?
remove public read access then use pre-signed urls to grant access to the requested resources.
56
How do you block SQL attacks across your entire organization?
Setup a web application firewall then setup a managed rule to block request patterns associated with the attack. Then integrate the WAF with firewall manager to reuse the rules.
57
How do you prevent an S3 object from being deleted or overwritten?
enable object lock then enable the legal hold option on the bucket.
58
how do you restrict access to an S3 object from a particular vpc?
Use an access point
59
how do you distribute files globally in a scalable way?
Store the files in S3 then use cloudfront for distribution.
60
How do you backup tape data to S3?
Storage gateway
61
If a database is throwing a "too many connections error" how do you resolve it?
put an AWS proxy instance in front of your database.
62
How do you track AWS costs by department?
tag resources with the department name. enable cost allocation tags.
63
how do you move large amounts of data from on premises to AWS if transfer speeds are not a problem?
Datasync
64
How would you filter messages so they are sorted into appropriate queues?
Have the messages go into a SNS topic then have the SQS subscribe the the SNS topic. Finally, enable filter policies in SNS so the appropriate messages are published to the appropriate queues.
65
How would you add custom headers to responses for static assets?
use lambda@edge
66
how would you send a file in different formats based on a users browser?
configure cloudfront behaviors to respond based on User-Agent header
67
How would you host a site with both on-premises servers and cloud servers?
use either SQS or SWF(simple workflow)
68
should a bastion host best deployed to a private or public subnet?
public
69
How do you copy a Database and stream the changes to the database as the copy is occurring?
How do you ensure this process occurs securely?
create a full load and change data capture CDC replication task within database migration service. Import a new certificate then create a new DMS endpoint with SSL enabled.
70
A company can only access whitelisted IPs how do you ensure an ALB will be accessible to them?
Associate an elastic IP with the ALB
71
How does a DB deployed in multiAZ mode promote an instance?
by changing the cname record
72
if an instances domain name maps to the private IPv4 address of the instance’s network interface how would you increase availability?
create and attach a secondary network interface who points at the application domain name. Then when the instance goes down attach the secondary interface to the standby instance.
73
name 2 ways to increase website availability without using an auto scaling group.
setup multiple instance behind an elastic load balancer. use route 53 to direct traffic to multiple instances.
74
for the cool down period of auto scaling
1. what is the default period
2. why is it useful?
1. its default time is 300 seconds
2. it ensures more instances aren't added/deleted before the previous scaling even can have an affect.
75
if you want a larger portion of traffic from india and the phillipines to be direct to a specific instance what do you use?
geoproximital routing.
76
name 2 ways to increase the fault tolerance of a direct connect connection between an on premises network and a vpc.
establish a second direct connect connection. establish a hardware vpn called a site-to-site vpn in aws.
77
how do you provide temporary credentials to access aws resources.
security token service STS
78
How would you create a centralized corporate directory service for authentication purposes?
How would you then consolidate many accounts so they can be managed from 1 location.
Integrate Identity center with the corporate directory service for central authentication. Then configure a service control policy SCP to manage the accounts.
79
how would you access and forecast usage costs for you aws services?
with the cost explorer API
80
How would you lower the costs of accessing an S3 bucket from a private subnet?
use an S3 gateway endpoint.
81
what are 3 ways you can mitigate ddos attacks on an application?
use cloudfront for distributing static and dynamic content. Use shield and WAF. use an application load balancer along with an auto scaling group. Keep your databases in a private subnet.
82
if you a building an API that uses a lambda function to fetch data from a dynamoDB table how would you improve the performance?
in the Gateway API turn on caching. For the dynamoDB table use DAX, enable auto scaling, and increase the max provisioned read and write capacity.
83
How do you extend on premises storage capacity?
storage gateway
84
how would you track all the activity in an S3 bucket?
add an S3 event notification configuration to publish events to SNS and SQS topics.
85
how do you ensure an instance has all necessary software installed before moving to the ready status?
configure a CreationPolicy attribute in the CloudFOrmation template. Use cfn-signal to send a success signal.
86
how many regions can an elastic load balancer route traffic to?
1
87
how do you implement a retention policy on an Aurora DB?
use automatic backup if the retention period is less than 35 days else use aws backup. A non automatic approach is to take snapshots and export it to an S3 bucket.
88
whats the maximum number of vCPU-based on-demand instances per region? How do you increase it?
20, submit a support ticket
89
when should you use parameter store vs secrets manager?
use parameter store when you want to store custom environmental variables, product keys, and credentials. Use secrets manager if you want to automate the rotation of those values.
90
if a client want to encrypt data before sending it to S3 but they do not want to store the master key. How can they achieve this?
set up Client-Side encryption using a customer master key store in AWS KMS
91
if a global site is running slowly what are 2 possible ways to increase performance?
1. Cloudfront with website as the custom origin
2. elasticache for in-memory data store/ cache
92
how would you migrate a system of VM to the cloud?
install the aws replication agent on each VM to continouslt replicate the servers to AWS. Use migration service to launch test instance to perform cutover once testing is completed.
93
How would you maximize I/O input on an ec2 instance.
use a storage optimized instance with instance store volume.
94
how would you automate the deactivation and deleting of user access keys that are over 90- days old?
1. Use Config to check if the access keys are older than 90 days old.
2. use eventbridge to invoke a a lambda function to deactivate and delete the keys.
95
if you need OS bypass capabilities in a HPC Linux solution what should you do?
Use an elastic fabric adapter
96
How many IOPS per gb do you get?
50 per gb
97
If a queue is caused jobs to be processed multiple times what are some possible solutions?
1. Use a FIFO queue
2. replace the queue with step functions.
98
If an instance is receiving errors that are easily resolved by a restart how can you easily set up an automatic restart of the instance?
Use cloudwatch alarm to monitor for the custom metric in the cloud watch logs which will then invoke a restart action.
99
how do you setup autoscaling to predict how many instances you will need in the future due to long setup times
use predictive scaling
100
how would you ensure you are notified of upcoming AWS events that may affect your instances how can you set that up?
use event bridge to check the personal health dashboard. Then use it to send notifications to an SNS topic.
101
how do you ensure that http traffic is redirected to https within the ALB?
Configure the http listener to redirect traffic to port 443
102
how do you both ensure all data uploaded to an S3 bucket is encrypted without having to manage the encryption keys yourself.
create a bucket policy that denies permission to upload an object unless the request includes the
s3:x-amz-server-side-encryption": "AES256" header and enable server side encryption with S3 managed keys.
103
How do you automatically provision and configure new accounts. How do you ensure and monitor compliance?
Set up a Control Tower landing zone then setup preventive and detective guardrails for policy enforcement.
104
Whats the most cost effective way to quickly process a small amount of data every day.
Lambda
105
how do you aggregate data from multiple dynamoDB tables?
Appsync
106
how do you build a serverless Graphql API with https and a custom domain?
Appsync and use the built in custom domain feature. Associate a SSL cert using ACM
107
how can you ensure you are notified if you are about to reach your aws service quotas?
Write a lambda function that refreshed the trusted advisor service limits check periodically then
Use eventbridge with cloudwatch events to send messages to an SNS topic.
108
How would you run a Kubereneters cluster with role-based access control on the edge of a telecommunication carriers' 5g network?
Launch the app into an EKS cluster. Create node groups in wavelength zones for the EKS cluster via wavelength. Apply the authenticator map (aws-auth configMap) to your cluster
109
name 2 ways to scale an EKS cluster
install kubernetes metrics server to the cluster and activate horizontal scaling.
Setup karpenter to automatically adjust the number of nodes in the EKS cluster.
110
what happens if you're using a single aurora instance and it fails?
Aurora will attempt to create a new DB instance in the same AZ in a best-effort basis
111
In route 53 how do you point the zone apex record at an ALB?
create an A record with the load balancer DNS name
112
how do you run commands on many instances without having to log into each one?
System manager run command
113
how do you monitor all traffic going into and out of a VPC?
create a firewall using Network firewall at the VPC level then add custom rules for inspecting traffic.
114
How do you ensure a disaster recover of an on premises system?
Use Elastic disater recovery to replicate your on-premises application. which has a RPO of seconds and RTO of 5-20 minutes
115
can you use an autoscaling group as an origin in cloudfront?
no
116
if there is a 1tb mysql db that need to be cloned several times a month how can you do this without affecting the production DB?
Use Aurora and use the cloning feature. mysqldump will cause the production DB to run slowly.
117
what are some benefits of multi-az deployments?
increases durability in the case of failure. Increases availability in the case of OS patching or instance scaling.
118
how do you ensure a lambda function can be called by a 3rd party?
1. Generate a lmabda function URL
or
2. create a API gateway endpoint
119
What are 2 ways to know if certificates are about to expire?
AWS health or ACM expiration events which start generating events 45 days prior to expiration. check DaysToExpiry metric on the certs in Cloudwatch.
120
How do encrypt data between the application layer and DB layer?
in the DB instances set rds.force_ssl to true then reboot the instance. Then download the cert to your servers and configure your app to use ssl encryption when connecting to the DB
121
how do you create SMS messages that can provide dynamic responses?
pinpoint journey
122
