AWS-SA-2020 Flashcards

(239 cards)

1
Q

What AWS functionality is used to move S3 data from one storage class to another?

A

S3 Lifecycle policies (lifecycle rules on the bucket transition objects between storage classes, or expire them, on a schedule)

2
Q

S3 durability

A

99.999999999% (11 nines) for objects, across all storage classes

3
Q

For the S3 storage classes, how many Availability Zones is data stored in?

A

At least 3 AZs, except S3 One Zone-IA, which keeps data in a single AZ

4
Q

Which storage class for backups that are rarely read but must be available immediately (fast restore)?

A

S3 Standard-IA (Infrequent Access): millisecond access like Standard, cheaper storage, with a per-GB retrieval charge

5
Q

SRR vs CRR

A

Same-Region Replication vs Cross-Region Replication

6
Q

When to use CRR

A

Compliance (a copy in a second Region), lower latency for users in other locations, operational efficiency (compute clusters in other Regions get a local copy)

7
Q

Before setting up Cross-Region Replication you must

A

Enable versioning on both the source and the destination bucket

8
Q

If S3 Object Lock is enabled, can you still use replication?

A

Yes; the destination bucket must also have Object Lock enabled

9
Q

What types of access control exist for S3?

A

ACLs (legacy, per bucket/object), bucket policies (resource-based), IAM policies (identity-based)

10
Q

S3 Standard replicates data to how many AZs?

A

At least 3 Availability Zones

11
Q

What does S3 Intelligent-Tiering do?

A

Monitors access patterns and automatically moves objects to the most cost-effective access tier

12
Q

S3 One Zone-IA vs S3 Standard-IA

A

One Zone-IA: data in a single AZ (replaces the old Reduced Redundancy Storage use case), about 20% cheaper than Standard-IA
Standard-IA: data in at least 3 AZs

13
Q

S3 Glacier: AZs, cost, retrieval

A

Multiple AZs; low cost; retrieval takes minutes to hours depending on the retrieval option (expedited, standard, bulk)

14
Q

S3 Glacier Deep Archive details

A

Lowest-cost storage class; for compliance-type data accessed once or twice a year; standard retrieval takes about 12 hours; data in at least 3 AZs

15
Q

Requirements for Cross-Region Replication, and what happens to new, existing and deleted objects

A

1. Versioning must be enabled on both buckets
2. Existing objects are not replicated automatically; new objects are
3. Deletes (delete markers) are not replicated

16
Q

Object vs block storage, and which is S3?

A

Object storage holds whole files (objects) with metadata; block storage presents a raw disk to an OS (EBS); S3 is object storage

17
Q

Bucket names are

A

Globally unique across all AWS accounts (one universal namespace)

18
Q

4 types of encryption at rest for S3

A

SSE-S3: S3-managed keys (AES-256)
SSE-KMS: keys managed in AWS KMS (key policies, CloudTrail audit of key use)
SSE-C: server-side encryption with customer-provided keys (you send the key with each request over HTTPS)
Client-side encryption: encrypt before upload, then upload the ciphertext

19
Q

S3 Transfer Acceleration uses

A

CloudFront edge locations: uploads go to the nearest edge and then over the AWS backbone to the bucket

20
Q

What is CloudFront?

A

Content Delivery Network (CDN): delivers files to end users through a global network of edge locations, managed through a simple API

21
Q

What are the main logical components of AWS IAM?

A

Users, Groups, Roles, Permission Policies

22
Q

Can a user assume a role in another account?

A

Yes. A user can assume a role in another account by calling AssumeRole (aws sts assume-role in the CLI) or with the console's Switch Role function, provided the role's trust policy names the user's account. With the CLI, assume-role requires --role-arn and --role-session-name.

23
Q

From an IAM perspective, what should I do with the root user first thing after setting up a new account?

A
  • Delete any root access keys.
  • Set a strong, unique password on the root user.
  • Do not use the root user for day-to-day work; only in emergencies.
  • Enable MFA and lock the MFA device away.
24
Q

List the EC2 instance purchasing options.

A

Spot Instances, On-Demand Instances, Reserved Instances (plus Dedicated Hosts/Instances).

25
3 types of LB
Application Load Balancer - Layer 7, intelligent routing | Network Load Balancer - Layer 4, performance | Classic Load Balancer - basic/legacy
26
X-Forwarded-For header
Carries the original client IP when the request passes through the load balancer (the backend otherwise sees the load balancer's private IP)
27
instances reported by ELB are reported as
InService, OutOfService
28
LB have their own DNS name but never
never a static IP address (true for Classic and Application LBs; a Network LB can be given static/Elastic IPs)
29
sticky sessions can be set with these types of lb
Classic, Application (configured at the target group level)
30
cross-zone lb
Distributes traffic evenly across registered targets in all enabled AZs
31
path pattern
Path-based routing: send requests to different target groups based on the URL path (e.g. /images vs /api)
32
multi-az vs read replicas
Multi-AZ is for disaster recovery (synchronous standby copy, automatic failover); read replicas are for read performance (asynchronous copies)
33
Cloudformation is
Infrastructure as code: describe your AWS environment in a template and create the whole stack from that recipe
34
Quickstart cloudformation
Pre-built CloudFormation templates that create complete environments
35
Elastic Beanstalk is for
Developers upload code and Elastic Beanstalk handles deployment, capacity, load balancing and scaling
36
SQS is
Decouples components; stores messages in a queue that acts as a buffer; consumers pull messages (nothing is pushed)
37
types of sqs queues
Standard - nearly unlimited transactions per second, at-least-once delivery, best-effort ordering | FIFO - exactly-once processing, strict first-in first-out order, 300 messages/s (3,000 with batching)
38
SQS retention period
Default 4 days; configurable from 1 minute to 14 days
39
sqs visibility timeout
How long a received message stays hidden from other consumers; if the consumer does not delete it within the timeout it becomes visible again and is redelivered (default 30 seconds, maximum 12 hours)
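The visibility timeout behaviour in the card above, as an added worked example (this is a simulation written for these notes, not AWS or SQS code): an in-memory queue with the same semantics. A received message is hidden for visibility_timeout seconds; if the consumer has not deleted it using the most recent receipt handle by then, it becomes visible again and is redelivered, which is why SQS is at-least-once. A message received more than max_receive_count times is moved to a dead-letter list, mirroring a redrive policy. The message bodies are constructed and the clock is injected so the example runs instantly.

```python
"""Simulation of SQS visibility timeout and redelivery (added example, not AWS code)."""
import uuid


class FakeQueue:
    def __init__(self, now, visibility_timeout=30, max_receive_count=3):
        self._now = now                       # callable returning seconds
        self.visibility_timeout = visibility_timeout
        self.max_receive_count = max_receive_count
        self._messages = {}                   # id -> state dict
        self.dead_letters = []                # bodies moved out after too many receives

    def send(self, body):
        mid = str(uuid.uuid4())
        self._messages[mid] = {"body": body, "visible_at": 0.0,
                               "receipt": None, "receives": 0}
        return mid

    def receive(self, max_messages=1):
        now = self._now()
        out = []
        for mid, m in list(self._messages.items()):
            if m["visible_at"] > now or len(out) >= max_messages:
                continue                      # still hidden, or batch full
            if m["receives"] >= self.max_receive_count:
                self.dead_letters.append(m["body"])   # redrive to the DLQ
                del self._messages[mid]
                continue
            m["receives"] += 1
            m["visible_at"] = now + self.visibility_timeout
            m["receipt"] = f"{mid}:{uuid.uuid4().hex}"  # new handle on every receive
            out.append({"id": mid, "body": m["body"], "receipt": m["receipt"],
                        "receive_count": m["receives"]})
        return out

    def delete(self, receipt):
        """Only the most recent receipt handle deletes the message."""
        for mid, m in self._messages.items():
            if m["receipt"] == receipt:
                del self._messages[mid]
                return True
        return False

    def size(self):
        return len(self._messages)


def crashed_consumer_scenario():
    clock = {"t": 0.0}
    q = FakeQueue(now=lambda: clock["t"], visibility_timeout=30)
    q.send("process-order-42")              # constructed sample message

    first = q.receive()                     # consumer A receives, then crashes
    clock["t"] += 10
    hidden = q.receive() == []              # consumer B sees nothing yet
    clock["t"] += 25                        # 35 s elapsed: past the timeout
    second = q.receive()                    # consumer B gets the same message again
    stale_delete = q.delete(first[0]["receipt"])   # A's old handle no longer works
    good_delete = q.delete(second[0]["receipt"])
    return {"hidden_during_timeout": hidden,
            "receive_count": second[0]["receive_count"],
            "stale_delete": stale_delete, "good_delete": good_delete,
            "remaining": q.size()}


def poison_message_scenario():
    clock = {"t": 0.0}
    q = FakeQueue(now=lambda: clock["t"], visibility_timeout=5, max_receive_count=3)
    q.send("malformed-payload")             # constructed message the consumer cannot handle
    for _ in range(4):                      # consumer keeps failing without deleting
        q.receive()
        clock["t"] += 6
    return {"dead_letters": q.dead_letters, "remaining": q.size()}
```

The second scenario is why a dead-letter queue belongs on every production queue: without a redrive policy a message the consumer cannot process is redelivered forever, once per visibility timeout.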
40
SWF is
Simple Workflow Service: a fully managed state tracker and task coordinator for background jobs with human or automated steps
41
SNS
Simple Notification Service: push-based; delivers messages to subscribers (email, SMS, HTTP, SQS, Lambda)
42
elastic transcoder is
converts media files to other formats
43
api gateway can access
Backends such as EC2, Lambda (serverless) or any HTTP endpoint
44
api gw features
Caching, automatic scaling, throttling (protects backends from traffic bursts and abuse), CloudWatch logging
45
What is CORS
Cross-Origin Resource Sharing: lets a web page request resources from a domain other than the one that served the page
46
What if you get "Origin policy cannot be read at remote source"?
Enable CORS on the API Gateway resource
47
Kinesis is used for
Ingesting and processing streaming data in real time
48
3 types of Kinesis & define
Kinesis Data Streams - producers write to the stream; records are stored in shards (24 hours by default) for consumers to read | Kinesis Data Firehose - no storage; delivers data as it arrives to S3, Redshift, Elasticsearch, etc. | Kinesis Data Analytics - runs SQL over Streams or Firehose data and stores the results
49
Cognito is
AWS web identity federation: sign in with Google, Facebook, Amazon, SAML providers, etc.
50
cognito user vs identity pools
User pools - user directory handling registration, sign-in and accounts (returns JWTs) | Identity pools - exchange identities for temporary AWS credentials (IAM roles)
51
lambda is
Serverless compute service: upload code and it runs on demand; very cheap; scales out automatically (not up)
52
aws x-ray
Traces and debugs distributed applications, including Lambda functions
53
lambda can do global activities like
Respond to events across accounts and Regions, e.g. back up an S3 bucket
54
What can't trigger lambda
rds, ec2
55
IAM is universal or regional
Universal
56
root account
The identity created when the account is opened; it has full administrative access
57
new users have _ permission
no permissions
58
new users are assigned a
An access key ID and secret access key for programmatic access; these cannot be used to sign in to the console
59
2 types of aws access for user
console and programmatic
60
S3 object size limits, and bucket capacity
0 bytes to 5 TB per object (multipart upload for anything over 5 GB); unlimited total storage
61
s3 namespace is _
Universal (global); bucket URLs look like https://bucket-name.s3.amazonaws.com
62
successful s3 upload
HTTP 200 OK
63
How to protect S3 objects from accidental or malicious deletion
MFA Delete on a versioned bucket
64
s3 file fundamentals & components
Key - the object name | Value - the data | Version ID | Metadata | Subresources such as ACLs and torrents
65
s3 PUTS new ojbects =
Read-after-write consistency (immediately readable)
66
s3 overwrite PUTS or deletes
Eventual consistency (the pre-December 2020 model; S3 now provides strong read-after-write consistency for all operations)
67
control access to buckets using
Bucket ACLs or bucket policies
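How the access controls in the cards above combine, as an added worked example (a model written for these notes, not AWS code): IAM evaluates identity-based and resource-based policies together, and any matching explicit Deny wins over any Allow, with no match meaning implicit deny. The bucket policy below is the standard pattern for forcing TLS and SSE-KMS on uploads; the bucket name, account ID, user ARN and request contexts are constructed. Only the condition operators the example uses are modelled, and a missing condition key is treated as not matching, which is why the Null statement is needed to catch a PutObject with no encryption header at all.

```python
"""Model of IAM policy evaluation for an S3 bucket (added example, not AWS code)."""
import fnmatch

BUCKET = "arn:aws:s3:::example-bucket"          # assumed bucket name
USER = "arn:aws:iam::111122223333:user/alice"   # assumed principal

IDENTITY_POLICY = {  # attached to alice; identity policies carry no Principal element
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"{BUCKET}/*"}
    ]
}

BUCKET_POLICY = {  # resource-based; Principal is required
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": [BUCKET, f"{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": f"{BUCKET}/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": f"{BUCKET}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ]
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal):
    p = stmt.get("Principal")
    if p is None or p == "*":     # identity policy, or bucket policy open to everyone
        return True
    return principal in _as_list(p.get("AWS", []))


def _condition_matches(cond, ctx):
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            exp = [str(e) for e in _as_list(expected)]
            if op == "Null":                       # "true" means the key must be absent
                if (actual is None) != (exp[0] == "true"):
                    return False
            elif actual is None:                   # modelled: missing key never matches
                return False
            elif op == "Bool":
                if str(actual).lower() != exp[0].lower():
                    return False
            elif op == "StringEquals":
                if actual not in exp:
                    return False
            elif op == "StringNotEquals":
                if actual in exp:
                    return False
            else:
                raise ValueError(f"operator not modelled: {op}")
    return True


def evaluate(action, resource, principal, ctx, policies):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    allowed = False
    for pol in policies:
        for s in pol["Statement"]:
            if not (_glob_any(s["Action"], action) and _glob_any(s["Resource"], resource)
                    and _principal_matches(s, principal)
                    and _condition_matches(s.get("Condition", {}), ctx)):
                continue
            if s["Effect"] == "Deny":
                return "explicit_deny"             # a matching Deny always wins
            allowed = True
    return "allow" if allowed else "implicit_deny"


def demo():
    obj = f"{BUCKET}/report.csv"
    pols = [IDENTITY_POLICY, BUCKET_POLICY]
    tls = {"aws:SecureTransport": "true"}
    return {
        "get_tls": evaluate("s3:GetObject", obj, USER, tls, pols),
        "get_plain_http": evaluate("s3:GetObject", obj, USER, {"aws:SecureTransport": "false"}, pols),
        "put_kms": evaluate("s3:PutObject", obj, USER, {**tls, "s3:x-amz-server-side-encryption": "aws:kms"}, pols),
        "put_aes256": evaluate("s3:PutObject", obj, USER, {**tls, "s3:x-amz-server-side-encryption": "AES256"}, pols),
        "put_no_header": evaluate("s3:PutObject", obj, USER, tls, pols),
        "anonymous_get": evaluate("s3:GetObject", obj, "anonymous", tls, [BUCKET_POLICY]),
    }
```

The anonymous case shows the other half of the model: without an Allow from somewhere, a request is denied even though nothing explicitly denies it.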
68
Can versioning be used for backups and with lifecycle rules?
Yes
69
Can versioning use MFA for delete
Yes; MFA Delete adds an extra layer of security
70
Lifecycle management summary
Moves objects between storage tiers; can be used with versioning; applies to current and previous versions
71
cross-region replication versioning
Must be enabled on both the source and destination bucket
72
cross-region replication regions must be
Different (source and destination in different Regions)
73
what is an edge location, is it read or write
Where content is cached; supports both reads and writes (you can PUT to an edge location)
74
CloudFront originates from what AWS services
S3 bucket, EC2 instance, ELB, or any custom HTTP origin (Route 53 is the DNS service in front of a distribution, not an origin)
75
Cloudfront distribution points are what
A distribution is the CloudFront configuration (origins, behaviours, settings) that serves content through the collection of edge locations
76
For streaming what does each stand for : WEB vs RTMP
Web distributions for websites; RTMP distributions for media streaming
77
what is snowball & where does it import/export
Petabyte-scale data transport appliance (a big rugged disk) | imports to and exports from S3
78
termination protection is turned _ by default
off
79
EBS backed instance default action is for root EBS volume to be _ on termination
deleted
80
Can root volume of default ami be encrypted
yes
81
Security group defaults
All inbound traffic blocked, all outbound traffic allowed
82
security groups applied to EC2 max
No fixed maximum for the exam: an instance can have multiple security groups (default quota 5 per network interface) and a security group can contain many instances
83
Can you block a IP using security groups
No; use a NACL to block specific IPs
84
can you set deny rules in a security group
No; security groups are allow-only, and anything not explicitly allowed is implicitly denied
85
What is an EBS volume?
A virtual hard disk attached to an instance
86
where do snapshots live
In S3 (AWS-managed storage, not visible in your buckets); like a photo of the disk
87
what is a snapshot
point in time copy of volume
88
are snapshots incremental
yes
89
Should you stop an instance before taking snapshot of the root volume
yes
90
can you take a snaphot while instance is running
Yes, but ideally only for non-root volumes (or stop the instance first for a consistent root snapshot)
91
what can you change for a used ebs volume
Size, IOPS and volume type can be changed on the fly (Elastic Volumes)
92
How to move ec2 volume from one AZ or region to another
Take a snapshot, create an AMI from it, launch an instance in the new AZ; for another Region, copy the AMI to that Region first
93
instance store volumes are sometimes called
ephemeral
94
instance vs ebs backed - will you lose data
Instance store: data is lost if the host fails or the instance is stopped/terminated; EBS data persists
95
what happens to root volumes on instance termination
They are deleted unless DeleteOnTermination was set to false
96
are snapshots of encrypted volumes auto encrypted
yes
97
volumes of restored encrypted snapsots are
encrypted automatically
98
can you share snaphots
Unencrypted snapshots can be shared (even publicly); encrypted snapshots can be shared only privately with specific accounts, and only if encrypted with a customer managed KMS key
99
can you encrypt root devices volumes
yes
100
If you don't select encrypt when building, how to encrypt root volume
Take a snapshot, copy the snapshot with encryption enabled, create an AMI from the encrypted snapshot, launch the instance from that AMI
101
what is cloudwatch
Monitors performance and resource metrics; can monitor applications, events and billing; provides notifications, dashboards, alarms and logs
102
cloudtrail is all about
Auditing: a record of API calls (who did what, when, from where)
103
CloudWatch standard vs detailed monitoring time
Standard: 5 minutes | Detailed: 1 minute
104
roles vs storing keys for IAM
roles are much more secure and easier to manage
105
roles can be assigned to
EC2 instances (and other AWS services, federated users and cross-account principals)
106
are roles universal
yes
107
how to get info about an instance
curl the EC2 instance metadata service at http://169.254.169.254/latest/meta-data/ (with IMDSv2 you first PUT to /latest/api/token and send the token back in the X-aws-ec2-metadata-token header)
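The metadata exchange in the card above, as an added example with both sides of the protocol (written for these notes, not AWS code). IMDSv1 answers any plain GET from a process on the instance, so a server-side request forgery bug in a web app can be pointed at http://169.254.169.254/ to read the instance role's credentials. IMDSv2 requires a session token obtained with a PUT that carries a TTL header (most SSRF primitives cannot issue a PUT with a custom header), and the instance can be configured to require it. The server below is a constructed stand-in for the metadata service bound to localhost; only the paths and header names mirror the real endpoint, the role name app-role is assumed, and the credentials it returns are fake.

```python
"""Instance metadata: IMDSv1-style GET vs the IMDSv2 token dance (added example, not AWS code)."""
import http.client
import http.server
import secrets
import threading

TOKEN_HDR = "X-aws-ec2-metadata-token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
CRED_PATH = "/latest/meta-data/iam/security-credentials/app-role"   # assumed role name
FAKE_CREDS = '{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"constructed"}'  # constructed


class FakeIMDS(http.server.BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"
    tokens = set()
    require_token = True            # equivalent of HttpTokens=required on the instance

    def log_message(self, *args):   # silence request logging
        pass

    def do_PUT(self):
        if self.path == "/latest/api/token" and self.headers.get(TTL_HDR):
            token = secrets.token_urlsafe(32)
            FakeIMDS.tokens.add(token)
            self._reply(200, token)
        else:
            self._reply(400, "bad request")

    def do_GET(self):
        if FakeIMDS.require_token and self.headers.get(TOKEN_HDR) not in FakeIMDS.tokens:
            self._reply(401, "unauthorized")       # token-less (v1-style) request refused
        elif self.path == CRED_PATH:
            self._reply(200, FAKE_CREDS)
        else:
            self._reply(404, "not found")

    def _reply(self, code, body):
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def imds_get(host, port, path, use_token=True):
    """Fetch a metadata path. With use_token, do the IMDSv2 PUT-then-GET exchange."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    headers = {}
    if use_token:
        conn.request("PUT", "/latest/api/token", headers={TTL_HDR: "21600"})
        headers[TOKEN_HDR] = conn.getresponse().read().decode()
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def demo():
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    host, port = srv.server_address
    try:
        v1 = imds_get(host, port, CRED_PATH, use_token=False)   # what an SSRF payload does
        v2 = imds_get(host, port, CRED_PATH, use_token=True)
    finally:
        srv.shutdown()
        srv.server_close()
    return {"v1_status": v1[0], "v2_status": v2[0], "v2_body": v2[1]}
```

On a real instance the same two requests are `curl -X PUT http://169.254.169.254/latest/api/token -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` followed by a GET that sends the returned token in X-aws-ec2-metadata-token; setting the instance's metadata options to require tokens is what turns the 401 on.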
108
EFS supports & pay
NFS v4 | pay for what you use, no pre-provisioning, scales to petabytes
109
EFS stored where and consistency is
Stored across multiple AZs in a Region | read-after-write consistency
110
3 types of placement groups
Cluster - low network latency, instances in the same AZ | Spread - each instance on distinct underlying hardware | Partition - groups of instances on separate hardware partitions
111
placement group names and regions
Must be in the same Region | name must be unique within the account
112
how to move instance into a placement group
Instance must be stopped; use the CLI or SDK (not the console)
113
Elasticache does what and the names of memory types are
In-memory cache that speeds up web apps by taking read load off the database | Memcached, Redis
114
RDS OLTP flavors
SQL Server, MySQL, PostgreSQL, Oracle, Aurora, MariaDB
115
aws no sql
dynamo db
116
redshift olap
Data warehousing / business intelligence
117
RDS runs on
Virtual machines you have no OS-level access to
118
can you patch your rds instance
No; Amazon patches the OS and database engine during your maintenance window
119
is RDS serverless
No, but Aurora Serverless exists
120
read replicas allow
A read-only copy of the database, used to improve read performance
121
2 ways to improve DB performance
ElastiCache and read replicas
122
read replicas available for following databases
MySQL, PostgreSQL, MariaDB, Oracle, Aurora
123
must have _ turned on to deploy read replicas
Automatic backups
124
you can have up to _ copies of any db
5 read replicas per source database
125
Can you have read replicas of read replicas
Yes; watch for replication latency
126
each read replica will have its own
DNS endpoint
127
can you have read replicas in multi az or region
yes
128
can you promote read replicas
Yes; promotion breaks replication and makes it a standalone database
129
2 types of RDS backups
Automated backups (scheduled, within the backup window) | Database snapshots (manual, kept until you delete them)
130
how to force failover from one az to another for RDS
Reboot the RDS instance with failover
131
Encryption at rest supported for which rds
All RDS database engines (via AWS KMS)
132
dynamo db used what kind of disk
SSD storage
133
dynamo db spread across
3 geographically distinct AZs
134
dynamo db read options
Eventually consistent reads (default) - may be stale until replication completes, usually within 1 second | Strongly consistent reads - always return the latest data
135
redshift is available in _ azs
1
136
redshift backups
Retention 1-35 days, 1 day by default; keeps 3 copies of data (original, replica on compute nodes, backup in S3)
137
Aurora is
AWS's own relational engine, compatible with MySQL and PostgreSQL | 2 copies of data in each of at least 3 AZs (6 copies)
138
can you share aurora snapshots with other accounts
yes
139
2 types of aurora replicas & what can failover
Aurora replicas and MySQL read replicas | automated failover only with Aurora replicas
140
aurora backups
on by default
141
redis is highly available?
Yes; Multi-AZ with automatic failover
142
ELBs have IP or DNS name
DNS name only (Classic and Application LBs; a Network LB can also have static IPs)
143
alias vs cname
Alias - can point the zone apex (naked domain) at an AWS resource and queries are free (always choose alias on the exam) | CNAME - only for names other than the apex
144
can you buy domain names through aws
Yes; registration can take up to 3 days
145
rt53 simple routing
One DNS record with multiple IPs, returned to the user in random order
146
rt53 weighted routing
Send a proportion of traffic to each record based on weights you supply
147
rt53 health checks
Removes a failed record from responses until its endpoint is healthy again; can send an SNS notification on failure
148
rt53 latency based routing
Route 53 answers with the record in the Region with the lowest latency for the user
149
rt53 failover routing
Active/passive sites; Route 53 health checks trigger failover to the passive site
150
rt53 geolocation routing
Send users to a record based on their geographic location
151
rt53 Geoproximity routing
Route based on the location of users and resources, with an optional bias; requires Route 53 Traffic Flow
152
rt53 multi value answers
Multiple records with health checks; like simple routing but unhealthy records are not returned
153
VPC consists of
Internet gateways | Route tables | NACLs | Subnets | Security groups
154
1 subnet =
1 Availability Zone (a subnet never spans AZs)
155
which can have deny rules - nacls or security groups
NACLs
156
Can VPC peering be transitive?
no
157
When you creaet a VPC what is created by default
A main route table, a default NACL and a default security group (no subnets)
158
how many IPs does AWS reserve in your subnet
5
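The five reserved addresses from the card above, as an added worked example (written for these notes, not AWS code): given a subnet CIDR, list which addresses AWS reserves and why, the usable host count, and carve a VPC into per-AZ subnets. The offsets are the documented ones (network address, VPC router, Amazon-provided DNS, reserved for future use, and the broadcast address, which VPC does not support but still reserves), and the /16 to /28 limit on subnet size is enforced. The CIDRs used are constructed.

```python
"""Reserved addresses and usable hosts in VPC subnets (added example, not AWS code)."""
import ipaddress

RESERVED_OFFSETS = {
    0: "network address",
    1: "VPC router",
    2: "Amazon-provided DNS",
    3: "reserved for future use",
}


def subnet_capacity(cidr):
    """Return total addresses, the reserved ones with their purpose, and usable hosts."""
    net = ipaddress.ip_network(cidr, strict=True)     # raises if host bits are set
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("VPC subnets must be between /16 and /28")
    reserved = {str(net[off]): why for off, why in RESERVED_OFFSETS.items()}
    reserved[str(net[-1])] = "broadcast (unsupported in VPC, still reserved)"
    return {"total": net.num_addresses,
            "reserved": reserved,
            "usable": net.num_addresses - len(reserved)}


def is_valid_subnet(cidr):
    try:
        subnet_capacity(cidr)
        return True
    except ValueError:
        return False


def plan_subnets(vpc_cidr, new_prefix, count):
    """Carve `count` subnets of size /new_prefix out of the VPC, e.g. one per AZ."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    out = []
    for sub in vpc.subnets(new_prefix=new_prefix):
        if len(out) == count:
            break
        out.append({"cidr": str(sub), **subnet_capacity(str(sub))})
    if len(out) < count:
        raise ValueError("VPC too small for the requested subnets")
    return out
```

The usable count is what matters when sizing subnets for auto scaling groups and for ENI-hungry services (every interface endpoint, load balancer node and Lambda-in-VPC function consumes addresses from the same pool).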
159
how many internet gateways per vpc
1
160
can security groups span vpcs
no
161
are nat gateways redundant in the AZ
yes
162
how many nat gateways per AZ
1
163
NAT GW throughput scales automatically
true
164
are nat gateways associated with security groups
no
165
do nat gateways have a public IP
yes
166
what do you need to do if you add a nat gateway so your ec2's can talk out
Add a route to the NAT gateway in the private subnet's route table
167
if you have resources in multiple AZ that share a nat GW what happens if that AZ goes down
Resources in the other AZ lose outbound internet access; deploy a NAT gateway in every AZ where you have resources and route each AZ to its own
168
default network ACL default allow
Allows all inbound and outbound traffic
169
custom network ACLs allow
Nothing by default: everything is denied until you add rules
170
each subnet in your vpc must be associated with a _
Network ACL; otherwise it is associated with the default NACL
171
can you block IP
Yes, with a NACL deny rule
172
how many NACLs can a subnet be associated with, and vice versa
A network ACL can be associated with many subnets; a subnet with only one ACL at a time
173
NACL rules applied how
In ascending rule-number order; the first rule that matches the traffic is applied (so a lower-numbered rule takes precedence over a higher-numbered one, and the catch-all * rule denies whatever nothing else matched)
174
How many public subnets to create a LB
At least 2, in different AZs
175
can you enable flow logs for peered VPCs
Only if the peered VPC is in your account
176
can you tag a flow log
no
177
can you change a flow log
no
178
what is direct connect
A dedicated private network connection from your data centre to AWS, for high-throughput workloads or a stable, private connection
179
If you have a VPN connection that keeps dropping out due to throughput erros what should you use
Direct Connect
180
what is a VPC endpoint
Privately connects your VPC to supported AWS services without traversing the internet
181
2 types of VPC endpoints
Interface endpoints (an ENI with a private IP, powered by PrivateLink) | Gateway endpoints (a route-table target; S3 and DynamoDB)
182
If you upload an object using AWS Identity and Access Management (IAM) user or role credentials who owns the object?
the AWS account that the user or role belongs to owns the object.
183
Storage Gateway types
File Gateway | Volume Gateway | Tape Gateway (virtual tape library, backups only)
184
volume gateway has what 2 modes
Cached volumes (primary data in S3, frequently used data cached locally) | Stored volumes (primary data on premises, asynchronously backed up to S3 as EBS snapshots)
185
which storage gateway for object based files
File Gateway
186
are security groups stateful or stateless & meaning
Stateful: return traffic for an allowed inbound connection is automatically allowed out (and vice versa)
187
are NACLs stateful or stateless + meaning
Stateless: allowing traffic in one direction does not allow the reply; the return traffic (ephemeral ports) must be allowed by its own rule in the other direction
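The rule-ordering, deny and stateless/stateful behaviour from the NACL and security group cards above, as an added worked example (an evaluator written for these notes, not AWS code). NACL rules are checked in ascending rule-number order and the first match decides, with the final * rule denying anything unmatched; because NACLs are stateless, the reply to an allowed inbound HTTPS request must itself be allowed outbound on the ephemeral port range. Security groups are allow-only and stateful, so the reply to an allowed flow is permitted with no outbound rule. All rules, addresses and packets are constructed.

```python
"""NACL ordering and statelessness vs security groups (added example, not AWS code)."""
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)


def nacl_decision(rules, direction, proto, port, peer_ip):
    """rules: (number, direction, proto, (from_port, to_port), cidr, action).
    Returns (action, matching rule number), with '*' for the implicit deny."""
    for num, d, p, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if d != direction or p not in ("all", proto):
            continue
        if p != "all" and not lo <= port <= hi:
            continue
        if ip_address(peer_ip) not in ip_network(cidr):
            continue
        return action, num                    # first match wins
    return "deny", "*"


def sg_decision(rules, direction, proto, port, peer_ip, reply_to_allowed_flow=False):
    """rules: (direction, proto, (from_port, to_port), cidr); allow-only."""
    if reply_to_allowed_flow:
        return "allow"                        # stateful: connection tracking admits the reply
    for d, p, (lo, hi), cidr in rules:
        if d == direction and p == proto and lo <= port <= hi \
                and ip_address(peer_ip) in ip_network(cidr):
            return "allow"
    return "deny"                             # implicit deny; there are no deny rules


def demo():
    client = "198.51.100.7"                   # constructed client, ephemeral source port 51514
    attacker = "203.0.113.5"                  # constructed abusive address
    web_in = [(100, "in", "tcp", (443, 443), "0.0.0.0/0", "allow")]
    out_443_only = [(100, "out", "tcp", (443, 443), "0.0.0.0/0", "allow")]
    out_ephemeral = [(110, "out", "tcp", EPHEMERAL, "0.0.0.0/0", "allow")]
    block_low = [(50, "in", "all", (0, 65535), "203.0.113.0/24", "deny")]
    block_high = [(200, "in", "all", (0, 65535), "203.0.113.0/24", "deny")]
    sg = [("in", "tcp", (443, 443), "0.0.0.0/0")]

    return {
        "nacl_request": nacl_decision(web_in, "in", "tcp", 443, client),
        # the reply goes out to the client's ephemeral port, not to port 443
        "nacl_reply_no_ephemeral": nacl_decision(web_in + out_443_only, "out", "tcp", 51514, client),
        "nacl_reply_with_ephemeral": nacl_decision(web_in + out_443_only + out_ephemeral, "out", "tcp", 51514, client),
        # same deny rule, numbered below vs above the allow: only the lower number blocks
        "nacl_block_before_allow": nacl_decision(block_low + web_in, "in", "tcp", 443, attacker),
        "nacl_block_after_allow": nacl_decision(block_high + web_in, "in", "tcp", 443, attacker),
        "sg_request": sg_decision(sg, "in", "tcp", 443, client),
        "sg_reply": sg_decision(sg, "out", "tcp", 51514, client, reply_to_allowed_flow=True),
    }
```

The nacl_block_after_allow case is the common mistake when blocking an IP: a deny rule numbered after the broad allow never fires, so number blocks below the allows.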
188
Maximum DynamoDB item size
400 KB (the limit applies to the whole item, not just one string attribute)
189
List the rt53 routing policies (names only)
Simple | Failover | Geolocation | Geoproximity | Latency | Multivalue answer | Weighted
190
max instances for spread placement group per AZ
7
191
can you use 3rd party encryption tools
no
192
Are security groups global
No, regional only (scoped to one VPC)
193
If you copy a ami to a new region do the tags and iam permissions follow it
no
194
What is the maximum VisibilityTimeout of an SQS message in a FIFO queue?
12 hours
195
AWS premium support levels
basic, developer, business, enterprise
196
What can aws see for cloudwatch in the ec2 instance
By default the hypervisor exposes only: CPU utilisation, network in/out, disk read/write ops | It cannot see memory utilisation or disk space used without the CloudWatch agent
197
what is an elastic IP
A static public IPv4 address tied to your AWS account that you can rapidly remap to another instance if one fails
198
You create flow logs for these network items
You can create a flow log for a VPC, a subnet, or a network interface
199
You can create flow logs for network interfaces on these network services
ELB, RDS, ElastiCache, Redshift, etc. (any service that creates an ENI in your VPC)
200
VPC Flow Logs is a feature that enables you to...
capture information about the IP traffic going to and from network interfaces in your VPC.
201
What are dedicated instances
Instances running on hardware dedicated to a single customer
202
management service that provides managed instances of Chef and Puppet
AWS OpsWorks
203
Access Keys are used for
API Calls
204
What do you use to logon to an ec2 instance
key pairs
205
EBS volume types
General Purpose (SSD) | Provisioned IOPS (SSD) | Throughput Optimized (HDD) | Cold (HDD)
206
how traffic is shifted from the original AWS Lambda function version to the new AWS Lambda function
Canary, linear, all-at-once (CodeDeploy deployment configurations)
207
What is AWS IoT Core
Managed service that lets IoT devices connect to and interact with AWS
208
Is all data between gateway appliance and s3 encrypted
Yes, over TLS (SSL)
209
Perfect Forward Secrecy is used to offer SSL/TLS cipher suites for which two AWS services?
CloudFront and ELB
210
what is Server Name Indication (SNI)
host multiple TLS secured applications, each with its own TLS certificate, behind a single load balancer
211
What is an ENI
Elastic Network Interface: a virtual network card in a VPC subnet that can be attached to an EC2 instance
212
snowball vs snowball edge capacity
80 TB vs 100 TB
213
What is AWS Security Token Service (AWS STS)
the service that you can use to create and provide trusted users with temporary security credentials
214
Can you use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes
yes
215
Auto scaling cooldown does what
After a scaling activity, prevents another instance being launched or terminated until the cooldown expires | default 300 seconds
216
How are EBS volumes stored and replicated
Replicated within a single AZ only (a volume cannot be attached across AZs)
217
Is Redshift fast or slow
fast, scalable, cost effective
218
what is Pilot light DR
A minimal standby environment: the core components run at minimum capacity and are scaled up when failover is needed
219
Authenticate to your RDS instance using what IAM ___
IAM DB authentication
220
set custom budgets that alert you when your costs or usage exceed
AWS Budgets
221
Lambda encrypts using
AWS Key Management Service
222
S3 Select is an Amazon S3 feature that makes it easy to
retrieve specific data from the contents of an object using simple SQL expressions
223
Amazon DynamoDB Accelerator (DAX) can
Cache reads in memory and reduce DynamoDB response times to microseconds
224
What allows you to establish a trusted relationship between your Active Directory and AWS
AD Connector (AWS Directory Service)
225
To monitor advanced metrics on DB use
Enhanced monitoring
226
What provides you a managed Hadoop framework to process data across dynamically scalable Amazon EC2 instances
EMR
227
For Redshift, OLap, to define the number of query queues that are available and how queries are routed
Use Workload Management (WLM)
228
A DynamoDB stream is an _ _ _
Ordered flow of information about changes to items in an Amazon DynamoDB table
229
CloudFront signed URLs and signed cookies provide the same basic functionality which is what ?
They allow you to control who can access your content
230
Which ec2 instance will be removed first from a scale in on auto scale groups
First the AZ with the most instances; then the instance launched from the oldest launch configuration; then the one closest to the next billing hour
231
Use Amazon MQ instead of SQS when you are
Migrating existing applications that use standard messaging protocols (JMS, AMQP, MQTT, etc.) to the cloud quickly without rewriting their messaging code
232
If you will get bursts of traffic on your API gateway use _
Throttling
233
What protects against DDoS attacks?
AWS Shield
234
Instances that you launch into a default subnet receive what IP(s)
public and private
235
What to use when data must be stored in a columnar fashion
Redshift
236
Max IOPS SSD
32,000 for a Provisioned IOPS SSD (io1) volume (64,000 on Nitro-based instances)
237
Retrieval types to use/purchase to speed things up
Expedited retrievals, with provisioned capacity purchased to guarantee them (S3 Glacier)
238
Do SQS standard queues preserve the order of messages?
Only best-effort; use a FIFO queue when strict ordering is required
239
What is a scheduled reserved instance
Reserve capacity on a recurring schedule (daily, weekly or monthly) over a 1-year term, at a lower rate than On-Demand