AWS-SA-Pro Flashcards by Dan Kositzke

What are the two most common features of AWS Systems Manager?

Run Command
Patch Manager

How well did you know this?

Not at all

Perfectly

What is the name of the AWS Systems Manager command that is used for a patch?

AWS-RunPatchBaseline

How well did you know this?

Not at all

Perfectly

Which AWS service can you use if you want to migrate Chef and/or Puppet configuration management tools into the cloud?

AWS OpsWorks

How well did you know this?

Not at all

Perfectly

Are AMI’s global or region-specific?

Region-specific

How well did you know this?

Not at all

Perfectly

AWS OpsWorks is more suited for _______ whereas Elastic Beanstalk is more suited for _______.

AWS OpsWorks is more suited for infrastructure engineers whereas Elastic Beanstalk is more suited for development teams.

How well did you know this?

Not at all

Perfectly

How do the key concepts of AWS OpsWorks interrelate (Stacks, Layers, Apps, Recipes, Cookbooks) ?

Stacks = one or more Layers.
Layers = set of EC2 instances grouped by function.
Apps = deployed (from S3) onto the layers.
Recipes = scripts applied to layers.
Cookbooks = collection of recipes that can be stored on GitHub.

How well did you know this?

Not at all

Perfectly

How are Amazon GuardDuty & Amazon Inspector different from AWS Shield & AWS WAF?

GuardDuty & Inspector = detection.
Shield & WAF = protection.

How well did you know this?

Not at all

Perfectly

Which service creates serverless GraphQL and Pub/Sub APIs?

AWS AppSync

How well did you know this?

Not at all

Perfectly

What 4 services can be used with AWS WAF?

(1) CloudFront
(2) ALB
(3) API Gateway
(4) AppSync

How well did you know this?

Not at all

Perfectly

Which AWS service scans EC2 instances for vulnerabilities and provides a report of findings?

Amazon Inspector

How well did you know this?

Not at all

Perfectly

Which AWS service provides a CVE (common vulnerabilities and exposures) report?

Amazon Inspector

How well did you know this?

Not at all

Perfectly

Differences between Amazon Inspector and Amazon GuardDuty?

Inspector scans EC2 instances for vulnerabilities.
GuardDuty scans entire AWS account using ML-based threat detection.

How well did you know this?

Not at all

Perfectly

Would you use SAML 2.0 Identity Federation with Google, Facebook, Twitter, etc?

No. Use SAML 2.0 Identity Federation with an Enterprise Identity Provider (used mainly for on-prem IDs to indirectly login to AWS)

How well did you know this?

Not at all

Perfectly

What is the difference between Cognito and IAM Identity Center?

Cognito will be used for customer login scenarios and IAM Identity Center will be used for enterprise / workforce login scenarios.

How well did you know this?

Not at all

Perfectly

What’s the difference between Cognito User Pools and Identity Pools?

User Pools offer a sign-up or sign-in experience and provide users with a JWT.
Identity Pools offer a way to swap an unauthenticated or authenticated identity for AWS credentials.

How well did you know this?

Not at all

Perfectly

Can API Gateway accept JWT’s for authentication?

Yes

How well did you know this?

Not at all

Perfectly

How can an AWS admin create predefined products (and IaC templates) that end users can provision without fully accessing the AWS service (e.g. EC2 instances) ?

AWS Service Catalog

How well did you know this?

Not at all

Perfectly

VPC Flow Logs can capture metadata for what three items (levels)?

(1) VPC
(2) Subnet
(3) ENI

How well did you know this?

Not at all

Perfectly

Do VPC Flow Logs provide real-time data?

No. There is a delay.

How well did you know this?

Not at all

Perfectly

What two log destinations can be used with VPC Flow Logs?

(1) S3
(2) CloudWatch logs

How well did you know this?

Not at all

Perfectly

Where is a Network Firewall deployed?

At the VPC level

How well did you know this?

Not at all

Perfectly

What layer does AWS WAF use?

How well did you know this?

Not at all

Perfectly

What is used to configure your WAF rules?

A Web ACL

How well did you know this?

Not at all

Perfectly

What is the default Web ACL Capacity Unit (WCU) maximum?

1500

How well did you know this?

Not at all

Perfectly

What are the three types of WAF Rule Groups? (Rule Group = reusable set of rules that you can add to a web ACL)

(1) Managed groups (2) Self-managed groups (3) Service-owned groups (Shield, Firewall Manager)

AWS WAF can inspect a request body, header, and cookie (among other items). However, what is the limit for how much can be inspected?

8 KiB (or 8192 bytes)

How are you charged for using WAF?

(1) $5 / month / Web ACL (2) $1 / month / Web ACL Rule (3) $0.60 / 1 million requests

What layer does AWS Shield Standard protect?

L3 and L4

Does AWS Shield Advanced get automatically applied to your resources?

No, even after paying for it, you still need to explicitly choose how to configure it for your resources.

What are two benefits of AWS Shield Advanced?

(1) DDoS cost protection -- service credits are provided if your resources auto-scale in response to a DDoS attack (2) Health-based detection -- Shield Advanced can monitor Route 53 health checks to detect changes in resources and more quickly identify threats / attacks

Which AWS service offers Desktop-As-A-Service (DaaS)?

Amazon Workspaces

Are Amazon Workspaces highly available?

No, they run on EC2 instances inside a single subnet (and therefore AZ).

Which AWS Directory Service is best when you have more than 5000 users, you want it to be highly available (2+ AZs), and you want a trust relationship between on-prem and cloud directory?

AWS Directory Service for Microsoft Active Directory

Which AWS service uses schema extensions (remote desktop, Sharepoint, SQL, DFS)?

AWS Directory Service for Microsoft Active Directory

What is the best AWS directory service to use when you don't want any directory data hosted in AWS?

AD Connector

What is the best AWS directory service for continuous operations if the network link between AWS and on-prem environment fails?

AWS Directory Service for Microsoft Active Directory -- because the directory is simultaneously running on AWS EC2 instances in addition to on-prem

What AWS service allows your on-premises active directory to use other directory-compatible AWS services -- without any identity data being stored in AWS?

AD Connector

What are the three categories of internet networking zones?

(1) Public Internet (2) AWS Public Zone (3) AWS Private Zone (VPCs)

Can DHCP Option Sets be edited?

No, once created they are immutable

When you associate a DHCP Option Set to a VPC, do the changes occur immediately?

No, the changes require a DHCP Renew which takes some time

In every subnet, what is the "subnet+1" IP address reserved for?

The VPC router's network interface -- every VPC router needs an interface in every subnet

What AWS service would you use to provision infrastructure for a contact center?

Amazon Connect -- also it is omnichannel (voice + chat)

What AWS service would you use to ingest the following types of data: security cameras, smartphones, cars, drones, audio, thermal, depth, radar.. ?

Kinesis Video Streams

What AWS service will likely be used when the exam mentions GStreamer or RTSP (real-time streaming protocol) ?

Kinesis Video Streams

What AWS service is used for serverless ETL ?

AWS Glue

How many AWS Glue Data Catalogs can you have?

One catalog per region per account

How can you avoid data silos and improve visibility into your data stores across all AWS services?

Use AWS Glue Data Catalog crawlers to discover data

What AWS service provides managed web and mobile application testing using a fleet of real browsers and devices?

AWS Device Farm

What AWS service uses NLP to analyze text?

Amazon Comprehend

What AWS service would you use for intelligent enterprise search capability?

Amazon Kendra

What AWS service uses "slots" as parameters to categorize talking points during a conversation?

Amazon Lex

What routes traffic between subnets and is controlled by the route tables?

VPC Router

Every VPC is created with a _____ that is the default for every subnet in the VPC.

Main route table

How many route tables can a subnet have associated to it?

Only 1

How does a route table prioritize traffic routing when there are multiple matching entries?

The most specific route is prioritized

For a stateless firewall to work smoothly, you often have to ______ all outbound traffic so your server can return the responses to the changing client ephemeral ports.

allow

What AWS component has both "allow" and "deny" rules?

NACL

How are the NACLs and Security Groups different in regards to their default configurations?

NACLs allow all traffic by default. Security Groups deny all traffic by default.

When you create a Custom NACL, what is the default inbound rule and default outbound rule?

Both are "deny all" rules.

Can Security Groups have explicit deny rules?

No. Only allow rules.

Security Groups are not actually attached to EC2 Instances; they are attached to _____

ENIs (primary network interface of the EC2 instance)

What AWS service would you use when you need single digit millisecond latency and AWS infrastructure physically located closer to your end users?

AWS Local Zones

What AWS service is conceptually just a single AZ that is physically closer to your end users?

AWS Local Zones

What AWS service converts text into "life-like" speech (no translation service) ?

Amazon Polly

What AWS service performs deep learning image and video analysis?

Amazon Rekognition

What AWS service can detect and analyze text in documents such as JPEG, PNG, PDF, or TIFF ?

Amazon Textract

What AWS service can you use to generate predictions based on time-series data?

Amazon Forecast

What service can you conceptually think of as an IDE for ML model lifecycles?

Amazon SageMaker Studio

Which Disaster Recover strategy would be analogous to moving from your current house to building a new backup house from scratch?

Backup & Restore

Which Disaster Recover strategy only runs the bare minimum resources required for a recovery?

Pilot Light

Which Disaster Recover strategy keeps a fully functional copy of your resources running but in a smaller and scaled down capacity than your current infrastructure?

Warm Standby

What keyword is used to describe the main CloudWatch service?

CloudWatch Metrics

How would you capture richer and more detailed metrics for CloudWatch?

Install the CloudWatch agent

What term is used in CloudWatch to define a container for metrics?

Namespaces

What is the term that CloudWatch uses to differentiate metrics between distinct EC2 instances?

Dimensions (a name/value pair that is part of the identity of a metric)

What are the two CloudWatch resolutions, which is the default, and what are the time intervals?

1. Standard (default): 60 second granularity 2. High: 1 second granularity

What CloudWatch feature can be used to view data aggregation over a time period, such as Min, Max, Sum, Average ?

CloudWatch Statistics

How do the three main CloudWatch Logs items interrelate (Log Events, Log Streams, Log Groups) ?

Log Groups contain Log Streams, which contain Log Events, which consist of a timestamp and raw message.

If you use the S3 Export feature of CloudWatch Logs, is the data transferred in real time?

No, it can take up to 12 hours

What integration would you use if you want near-real-time handling of CloudWatch Logs data?

Kinesis Firehose

What integration would you use if you need real-time handling of CloudWatch Logs data?

Lambda functions and/or Kinesis Data Streams

How long are CloudTrail Events stored by default at no cost?

90 days

What are the three different types of CloudTrail Events?

(1) Management Events (2) Data Events (3) Insight Events

What type of CloudTrail Events are captured by default?

Management Events, but NOT Data Events

What are the two scopes that can be used when creating a CloudTrail Trail?

(1) One Region (2) All Regions

How many CloudTrail Trails can you have per Region?

How would you capture global service events using CloudTrail for services like IAM, STS, CloudFront ?

This isn't captured by default, so you would have to create a new CloudTrail Trail. The Trail would log these events into us-east-1 since they are global services.

Does CloudTrail capture events in real-time?

No, it takes approximately 15 minutes.

For CloudTrail, what is the cost to have one Trail for ongoing Management Events delivered to S3 ?

Free

Which AWS service is used to trace user requests through your application to identify bottlenecks and view latency data at each stage of the application?

AWS X-Ray

The following items are two common examples of AWS-generated ___________ ? (1) aws:createdBy (2) aws:cloudformation:stack-name

Cost Allocation Tags

After creating a Cost Allocation Tag, is it immediately available?

No, it can take up to 24 hours to be visible and active

After creating a Cost Allocation Tag, does it apply retroactively to your cost reporting?

No, it is not retroactive.

What are the 7 free AWS Trusted Advisor checks for the AWS Basic Support and AWS Developer Support plans?

(1) S3 Bucket Permissions (2) Security Groups - Specific Ports Unrestricted (3) IAM Use (i.e. does each account have IAM users and not using root user) (4) MFA on Root Account (5) Are EBS Snapshots public? (6) Are RDS Snapshots public? (7) 50 service limit checks (80%+ quota utilization)

Which AWS support plans give you access to the AWS Support API to integrate with your applications?

AWS Business Support AWS Enterprise Support

What CloudWatch Logs feature allows you to stream logging data into different systems?

Subscription Filters

What protocol operates over TCP/179 ?

Border Gateway Protocol (BGP)

What can be conceptually thought of as a network in BGP?

An Autonomous System (AS)

What's the difference between iBGP and eBGP?

iBGP (internal) deals with routing within an AS. eBGP (external) deals with routing between AS's.

In BGP, each AS broadcasts ______ to the other AS's.

The shortest ASPATH (doesn't take into account the path performance/latency).

How can you configure AS route tables in BGP to manipulate the routes that each AS broadcasts?

You can use Path Prepending to artificially lengthen certain paths. This will solve the problem of AS's broadcasting the shortest path without taking into account latency.

What AWS service uses anycast IP addresses, so a customer's request to the IP address will be routed the closest location?

AWS Global Accelerator

In regards to the OSI layers, how is Global Accelerator different from CloudFront?

CloudFront only uses L7, but Global Accelerator uses L4 (TCP/UDP) and L7.

How are Symmetric Encryption and Asymmetric Encryption different?

Symmetric Encryption is fast but less secure, because both parties use the same key to encrypt/decrypt the data. Asymmetric Encryption is slower but more secure, because it uses a public key + private key.

IKE (Internet Key Exchange) Phase 1 and IKE Phase 2 are the two main phases of ________.

IPSEC VPNs

What are the two types of VPNs?

(1) Policy-based VPNs (different rules for different types of traffic) (2) Route-based VPNs (target matching based on prefixes)

With a Site-to-Site VPN, is the Virtual Private Gateway (VGW) highly available?

Yes, behind the scenes there are separate endpoints distributed across AZs.

How would you configure a Site-to-Site VPN to be highly available?

Add a second Customer Gateway (CGW).

What is the AWS Site-to-Site VPN speed limit?

1.25 Gbps

What AWS service would you use to reduce complexity when connecting multiple VPCs and on-prem networks?

AWS Transit Gateway (TGW)

What is the benefit of peering TGW's?

You can create connections to other AWS Regions either in the same account or also cross-account.

When Transit Gateways (TGWs) are peered, are the routes in each TGW route table automatically shared/propagated between TGWs?

No.

How many peering attachments per TGW?

Up to 50

A ________ is associated with VPCs, Subnets, Internet Gateways (IGW), Virtual Private Gateways (VGW), and Transit Gateways (TGW).

route table

What's the difference between static routes and dynamic routes in a route table?

Static routes are added manually. Dynamic routes are propagated into the route table, if this is enabled for a TGW or VGW association.

What could you do to enable better performance for your Site-to-Site VPN?

Use the Accelerated Site-to-Site VPN feature. This utilizes Global Accelerator edge locations.

What would you use for an AWS-managed implementation of OpenVPN, typically as a way for a remote workforce to securely access AWS resources?

Client VPN (different from Site-to-Site VPN)

Is the Split Tunnel feature of AWS Client VPN the default?

No, it must be enabled. Split Tunnel allows your client to retain it's existing route tables when associating the Client VPN route table onto it.

How are you billed for DX ?

Hourly cost for the port allocation at the DX location. Outbound data transfer (inbound is free).

Is a DX location owned by AWS ?

No, typically these are regional data centers where AWS has rented equipment.

What are the 3 speed options for a DX connection?

1, 10, or 100 Gbps

How could you secure your DX connection at the L2 level on a hop-by-hop basis?

Use MACsec

Regarding a DX connection (which is a L2 connection), what is used to allow multiple L3 networks to run over the DX ?

Virtual Interfaces (VIFs)

____ VIFs are used to connect to public IPs in AWS Public Zones. ____ VIFs are used to connect to private IPs within AWS VPCs. ____ VIFs are used to integrate DX with Transit Gateways (TGWs).

Public Private Transit

An Accelerated Site-to-Site VPN can be used for ____ but not _____.

Can be used for TGW, but not VGW.

When using a Private VIF to run over your DX connection, what is the max number of prefixes that you can advertise to the BGP network?

100

A ______ ____ is layered over a DX connection and runs from on-prem infrastructure to a Virtual Private Gateway (VGW). It must be attached to a VGW within the same region that the DX connection terminates into.

Private VIF

A _____ VIF can access all AWS Regions. There is no region specific limitation like for ______ VIFs.

Public..... Private

What AWS service could you use to connect on-prem infrastructure to multiple VPCs spread across AWS Regions using a single DX connection?

Direct Connect Gateway (DGW)

A Direct Connect Gateway (DGW) can be associated with VPCs & ______, or TGWs & a ______, but not both.

Private VIFs.... Transit VIF

Would you use a DX Link Aggregation Group (LAG) more for speed purposes or for resiliency purposes?

Speed

A DX _____ ____________ _______ is when you utilize multiple DX connections going into a single DX location for faster speeds (parallel data transit).

Link Aggregation Group (LAG)

A DX LAG is capable of using 2 ___ GB ports or 4 ports if they use less than ___ GB.

100

What AWS service is used to register domains and host zones (nameservers)?

Route 53

When you create a Route 53 Hosted Zone, how many nameservers does AWS allocate for your hosted zone?

In Route 53, a CNAME record can map a domain to another _______, but not to an ___ _________.

... domain.... IP address

What type of DNS record is used for a server to find the mail server of a specific domain?

MX records

What type of DNS record can be used to prove domain ownership?

TXT records

What DNS feature is used to cache DNS query results?

TTL - depending on how long the TTL is, sometimes a query may not use the most up-to-date IP address and the request will take longer to go through

What is a Route 53 Hosted Zone in simple terms?

It is a DNS database for a domain

What is the difference between CNAME and ALIAS records?

CNAME maps name-->name (does not support apex) ALIAS maps name-->name (does support apex)

What is the main limitation of Route 53 Simple Routing?

doesn't support health checks

Which Route 53 routing policy improves availability but is NOT a replacement for load balancing?

Route 53 Multi Value Routing

Which Route 53 routing policy would you use to optimize performance and user experience?

Route 53 Latency-Based Routing

Which Route 53 routing policy checks for records based on the state, country, and continent?

Route 53 Geolocation Routing

Which Route 53 routing policy routes based on physical distance and includes a bias value?

Route 53 Geoproximity Routing

When using a Route 53 Private Hosted Zone, what two attributes need to be set to "true" ?

1. enableDnsHostnames 2. enableDnsSupport

What AWS service can you use to track changes that are made to your resources?

AWS Config

Can you deploy an application to your on-prem servers using Elastic Beanstalk?

_________ multi-master DB instances are confined to the same region, whereas _________ multi-master DB instances allow read/write to any region.

Aurora... DynamoDB Global Tables...

_________ is a serverless Database-Table-as-a-Service (DBaaS), whereas _________ is NOT serverless and is a Database-Server-as-a-Service (DBSaaS).

DynamoDB.... Amazon RDS...

Each DynamoDB table item (conceptually, a row) can have a max size of _____ KB.

400

Does an ELB provide you with an IP address or a DNS name to use?

ELB only provides you with a DNS name

How does AWS incentivize customers to use ALIAS records for mapping from a DNS name to an AWS resource?

They do not charge for this. It is free.

For DNS resolution, you would use _____ records to map www.example.com to an IPv4 address.

Can the Management Account of an AWS Organization be restricted with a Service Control Policy (SCP) ?

No. SCPs do not affect the Management Account.

Do SCPs affect service-linked roles?

No. Service-linked roles will still work normally even with an SCP attached.

Would you use Amazon Macie to scan your CodeCommit repositories for secret keys?

No, Amazon Macie is generally used for scanning S3 buckets.

How many subnets can you have per VPC?

Default is 200

Can a Security Group block a specific IP address?

No, because Security Groups block all inbound traffic by default and only use allow rules.

How many IAM users can you have per account? Can this quota be changed?

5000.... No, this is a hard limit.

What could you set up to ensure your AWS Service Quotas don’t end up restricting your application as its demand grows?

You could create CloudWatch Alarms to notify you when you're approaching your Service Quotas. Then you can request a quota increase before your application hits the quota ceiling.

Permissions Boundaries can be applied to ________ or ________.

IAM Users... IAM Roles

What are the 6 sequential items that are checked when determining allow/deny status for anything within the SAME AWS account?

1. Check for any "Explicit Deny" rules 2. SCPs 3. Resource Policies 4. Permissions Boundaries 5. Session Policies (only applicable for "assumeRole" situations) 6. Identity Policies

AWS Resource Access Manager allows AWS resources to be shared from one account to another AWS _________, _________, or _________.

Account... Organizational Unit (OU)... Organization

Is there a cost for using AWS Resource Access Manager?

No cost.

Are AZ's always mapped to the same physical data centers, when comparing two accounts? For example, would "us-east-1a" for account A always match "us-east-1a" for account B?

No. AWS rotates how the AZ's are mapped to the physical data centers. Solution = AZ ID's... These ARE consistent across accounts.

When sharing AWS resources using AWS Resource Access Manager between accounts WITHIN the same organization, does the recipient account need to manually accept the invite?

No, the recipient account automatically accepts the invitation.

When sharing AWS resources using AWS Resource Access Manager between accounts across DIFFERENT organizations, does the recipient account need to manually accept the invite?

Yes.

When using a Shared Services VPC with AWS Resource Access Manager, can the participant accounts provision services into the Shared Services VPC?

Yes

When using a Shared Services VPC with AWS Resource Access Manager, can the account that owns/shares the VPC delete or modify resources created by the participant accounts?

No. Ownership of a provisioned resource by a participant account remains with that participant account.

VPC Peering allows shared access to ______ VPC resources, whereas AWS PrivateLink only allows access (via interface endpoints) to a ________ VPC service/application.

all ..... specific

Does a VPC Gateway Endpoint go into a specific subnet or specific AZ?

Neither, a VPC Gateway Endpoint is used across all AZ's in a region. Then you can define which subnets will have the Gateway Endpoint prefix added into their route tables.

What type of endpoint provides private access to S3 and/or DynamoDB ?

VPC Gateway Endpoint

Can VPC Gateway Endpoints access services in other regions?

No, they are a regional service.

AWS Internet Gateways are conceptually attached to the perimeter of a _________.

VPC

Does your default VPC come with an Internet Gateway?

Yes. Also it comes with a public subnet in each AZ.

A VPC ______ Endpoint allows private access to the AWS Public Zone services (S3, DynamoDB) without using an Internet Gateway or NAT Gateway.

Gateway

In Amazon ECS, you cannot attach security groups to the ECS Tasks when using the _____ networking mode.

bridge or host

In Amazon ECS, which networking mode assigns an ENI and a private IPv4 address to each ECS Task?

awsvpc (this provides more control than the "bridge" networking mode)

Are certificates from AWS Certificate Manager regional or global?

Regional. If multiple regions are desired, you must request a certificate for each region.

st1 and sc1 are examples of _______ EBS volumes and they have a _______ (high/low) max IOPS count.

HDD... low...

To troubleshoot constantly failing EC2 instances in an ASG, are you able to suspend the "Terminate" process of the ASG?

Yes.

Even if you enable EC2 instance protection for an EC2 instance, the ______ still has the ability to terminate an EC2 instance that it has created.

ASG

For an Amazon SQS Queue, the _______ attribute specifies the number of times a message is delivered to the queue before being moved to a dead-letter queue.

maxReceiveCount

A VPC ________ Endpoint goes into a specific subnet whereas a VPC ________ Endpoint is used across all AZ's in a region.

Inferface... Gateway...

Network access to a VPC ________ Endpoint can be controlled with a Security Group (b/c it is within a subnet within a VPC) whereas a VPC ________ Endpoint cannot.

Inferface... Gateway...

Which type of VPC endpoint uses DNS for its routing?

VPC Interface Endpoint

VPC ________ Endpoints use prefix lists and route tables, whereas VPC ________ Endpoints use DNS.

Gateway... Interface...

When deploying resources into a public subnet, does the resource need to have a public IP address?

No, you can choose to only assign a private IP address to your resources, even in public subnets.

Can a public (aka internet-facing) ALB communicate with instances inside a private subnet?

Yes, as long as the ALB is running from a public subnet.

Can the Fargate deployment type run on AWS Outposts?

No.

______ allow us to run multiple L3 networks over the L2 Direct Connect.

VIFs

A VIF uses a ______ Peering Session + _______.

BGP... VLAN

When creating a site-to-site VPN connection, specify ________ routing if your customer gateway device supports BGP.

dynamic (as opposed to static)

Would you use AWS X-Ray to help plan a migration?

No, it is used to debug production applications.

A Network ACL can filter requests based on _______ but not ________.

IP addresses... URLs

A _______ server acts as an intermediary between the client and the server, effectively functioning like a firewall/filter.

proxy

What enables private connections to AWS services without using public IPs, and uses AWS PrivateLink under the hood?

Interface Endpoints

Metric Filters and Subscription Filters are components of which AWS service?

CloudWatch Logs

Management Events and Data Events are components of which AWS service?

CloudTrail

Which AWS services can be directly accessed through Gateway Endpoints?

S3 and DynamoDB

How does traffic routing work with Gateway Endpoints in a VPC?

Gateway Endpoints are added as a target for a specific route in your VPC route table

When generating an S3 Presigned URL, what permissions get embedded into the link?

The permissions will match those of the IAM user who created the link.

Is it a good practice to generate an S3 Presigned URL using an IAM role?

No, because the IAM role will generally expire faster than the URL and then the URL will not work.

What AWS service could you use to simplify access to S3 (for example, providing different departments with their own S3 URL each containing separate permissions policies)?

S3 Access Points

What CLI command would you use to set up an S3 Access Point?

create-access-point

Does S3 Object Lock require versioning to be enabled on the bucket?

Yes. Thus, it is actually the object versions, rather than the object, that are being locked.

What are the two types of S3 Object Lock?

(1) S3 Object Lock - Retention — compliance mode: immutable — governance mode: some changes allowed (2) S3 Object Lock - Legal Hold — on/off switch: prevents deletion

What service can be used to monitor and discover sensitive data in S3 (for example, PII) ?

Amazon Macie

What service runs discovery jobs based on (1) managed data identifiers and/or (2) custom data identifiers?

Amazon Macie

In the context of EBS, 1 IOPS is equal to __ KB per second.

16 KB

What is the standard and maximum IOPS for an EBS GP3 volume?

Standard: 3,000 IOPS Maximum: 16,000 IOPS

What are the 3 types of EBS Provisioned IOPS SSD Volumes?

(1) io1 (2) io2 (3) Block Express

What are the two types of EBS HDD-Based Volumes?

(1) st1: throughput optimized (2) sc1: cold, lowest cost

Can you attach an instance store volume to an already-launched EC2 instance?

No, instance store volumes must be attached at the time of launch.

Instance store volumes are often included in the price of _____

EC2 Instances

Can st1 or sc1 EBS volumes be used as EC2 boot volumes?

No.

You can aggregate multiple EBS volumes into a RAID0 set, and this can provide up to _____ IOPS of performance.

260,000 IOPS

The io1 and io2 EBS volumes can provide up to ____ IOPS and the io2 Block Express volume can provide up to _____ IOPS.

64,000 … 256,000

What is the max item size for an item in a DynamoDB table?

400 KB

What is the data transfer rate for DynamoDB Table RCU’s and WCU’s ?

RCU: 4KB/s WCU: 1KB/s

What are the two modes of ECS?

(1) EC2 Mode (2) Fargate Mode

Which ECS mode injects ENI’s into your VPC while the EC2 instances are run and hosted within AWS’s internal EC2 pool?

Fargate mode

Are SQS and SNS public zone services or private zone services?

Public zone

With SQS and SNS, which is one-to-many and which is one-to-one ?

SNS: one-to-many SQS: one-to-one

Which AWS service is kind of a hybrid between SNS and SQS and provides both queues and topics?

AmazonMQ

What is the default Lambda function timeout, and the max timeout?

Default: 3 seconds Max: 15 minutes

If you want to always reference the most recent Lambda version, what would you point to (a phrase)?

$LATEST

What database compatibility does AWS Aurora offer?

MySQL, PostgreSQL

What is a key difference between AWS Aurora and RDS?

Aurora: More scalable, RDS: Broader DB engine options

Which AWS service is used for orchestrating multiple AWS Lambda functions?

AWS Step Functions

What are the three types of API endpoints offered by AWS API Gateway?

Edge-Optimized, Regional, Private

What AWS service integrates with API Gateway for user authentication and authorization?

AWS Cognito

What file does AWS SAM use to define serverless resources?

sam-template.yaml

What AWS service does AWS SAM internally use to deploy applications?

AWS CloudFormation

Which service can be used with AWS CloudFront to protect against DDoS attacks?

AWS Shield

Key difference between Trusted Key Groups and Origin Access Identity (OAI) in CloudFront?

Trusted Key Groups: URL signing; OAI: S3 bucket access

What AWS service's primary function is to manage SSL/TLS certificates?

AWS Certificate Manager (ACM)

When a SSL/TLS certificate is needed for a CloudFront distribution (or any global services), where must the certificate be generated?

us-east-1

Which AWS service is commonly used with ElastiCache for database caching?

Amazon RDS

Does ElastiCache for Redis or Memcached support complex data types?

Redis

Which supports multi-threading, ElastiCache for Redis or Memcached?

Memcached

Which ElastiCache option offers persistence and replication?

Redis

Key difference between AWS Internet Gateway and AWS NAT Gateway?

Internet Gateway: Two-way internet access; NAT Gateway: Outbound-only for private subnets

What format can AWS CloudFormation templates be written in?

JSON, YAML

What feature does AWS CloudFormation provide for grouping related resources?

CloudFormation Stacks

Can you update a running CloudFormation Stack?

Yes

A CloudFormation Stack is a collection of AWS resources that is created as a result of deploying a single _____________.

CloudFormation template

Which CloudFormation service can deploy and manage stacks across multiple accounts and regions?

CloudFormation StackSets

Key difference between CloudFormation Templates and Stacks?

Templates: JSON or YAML file blueprint of the infrastructure; Stacks: the collection of resources deployed from the template

What are the three types of AWS Storage Gateway?

File Gateway, Volume Gateway, Tape Gateway

Which type of Storage Gateway is used to store and retrieve objects in S3 using file protocols (NFS, SMB)?

AWS Storage Gateway File Gateway

Which AWS Storage Gateway type supports block-based storage?

AWS Storage Gateway Volume Gateway

What SSM capability provides a centralized store for configuration data?

SSM Parameter Store

What is the main difference between AWS Config and AWS SSM?

Config: resource configuration SSM: resource operations / automation

For a hybrid environment storage solution where on-prem and cloud integration is desired, what AWS service is best?

AWS Storage Gateway File Gateway

Between AWS Transfer Family and AWS DataSync, which is best for continuous, regular file transfers and which is best for one-time or batch large-scale data transfer?

AWS Transfer Family: continuous, regular AWS DataSync: fast high-volume transfer

_______ can transfer data quickly to and from Amazon S3, EFS, FSx for Windows File Server.

AWS DataSync

What is the maximum data storage capacity of a standard AWS Snowball device?

80 TB

What is a Homogeneous Migration in AWS DMS?

Migration between the same database engines

What is a Heterogeneous Migration in AWS DMS?

Migration between different database engines

What AWS service is often used alongside DMS for schema conversion? Is it used for homogeneous or heterogeneous migrations?

AWS Schema Conversion Tool (SCT) Only used for heterogeneous migrations.

What policies define the maximum permissions for an account, organization, or organizational unit (OU) in AWS Organizations?

SCPs

Do SCPs grant permissions?

No, they only restrict permissions

Can SCPs override IAM policies?

No, they are used in conjunction with IAM policies

Key difference between SCPs and IAM Policies?

SCPs: Restrict permissions at the account/OU level; IAM Policies: Grant specific permissions to users, groups, and roles

How many IP addresses are reserved in each subnet in AWS VPC?

Which specific IP address in a subnet is reserved for the network address?

The first IP address (e.g., 10.0.0.0)

Which IP address in a subnet is reserved for the subnet's default gateway (aka router)?

The second (VPC + 1) IP address (e.g., 10.0.0.1)

Which specific IP address in a subnet is reserved for DNS?

The third (VPC + 2) IP address (e.g., 10.0.0.2)

Which AWS service uses DHCP Option Sets?

Amazon VPC

What can be specified in a custom DHCP Option Set?

DNS servers, NTP servers, domain name, NetBIOS name servers, NetBIOS node type

What service can be used to capture information about IP traffic going to and from network interfaces in a VPC?

VPC Flow Logs

Where can VPC Flow Logs be published to?

CloudWatch Logs, Amazon S3

Can VPC Flow Logs be created for subnets and individual network interfaces, in addition to VPCs?

Yes

Key difference between VPC Flow Logs and AWS CloudTrail?

Flow Logs: Network traffic logs; CloudTrail: API activity logs

Are VPC Flow Logs in AWS real-time?

No, there's a slight delay

In VPC Flow Logs, what are the protocol numbers that are used to identify ICMP, TCP, and UDP traffic?

ICMP: 1 TCP: 6 UDF: 17

What is the primary use of SAML 2.0 in cloud services?

Single Sign-On (SSO) for web applications

In SAML 2.0, what is the role of the "Identity Provider" (IdP)?

Authenticates user's identity and sends SAML assertions

What format are SAML 2.0 assertions typically in?

XML

How does the Service Provider (SP) use SAML 2.0 in Identity Federation?

Consumes the assertion from IdP to grant user access

What are the two main components of AWS Cognito?

User Pools, Identity Pools

What does AWS Cognito User Pool provide?

User directory and handles sign-up/sign-in processes

What does AWS Cognito Identity Pool enable?

Granting access to AWS services for authenticated and unauthenticated users

What is the primary function of AWS Route 53?

Managed Domain Name System (DNS) service

Can AWS Route 53 be used for domain registration?

Yes

Are VPC Gateway Endpoints region-specific in AWS?

Yes, they are confined to the region in which your VPC is located

What happens when you create a VPC Interface Endpoint in a VPC with DNS resolution enabled?

Private DNS entries are automatically added for the service

What is the purpose of Route 53 Resolver Endpoints in AWS?

Enable DNS queries to flow between your VPC and your on-prem network

What are the two types of Route 53 Resolver Endpoints?

Inbound Endpoints, Outbound Endpoints

What AWS service can be used to compile and test code?

AWS CodeBuild

What is the build file called in AWS CodeBuild that is stored in the root of the source?

buildspec.yml

Can Read Replicas in RDS be promoted to primary instances?

Yes, useful for failover or scaling purposes

Are RDS Read Replicas replicated synchronously or asynchronously?

Asynchronously

Can RDS Read Replicas be located in different regions than the primary database?

Yes

What technology does Gateway Load Balancer utilize to efficiently distribute traffic?

GENEVE protocol

How do ALBs differ from Network Load Balancers (NLBs) in AWS?

ALBs operate at Layer 7 (application layer), NLBs at Layer 4 (transport layer)

What are the scaling options available in AWS Auto Scaling Groups?

(1) Manual (2) Scheduled (3) Dynamic (simple, step, target tracking)

Do autoscaling groups have a cost?

No, they are free.

Within an autoscaling group, what defines the instance types and instance configurations?

The launch template

What can you use to pause EC2 instances in an ASG during launch or termination so that custom actions can occur?

ASG Lifecycle Hooks

Do ASGs require a scaling policy?

No, not required.

What service is used to simplify the deployment of third-party virtual security appliances in a scalable and fault-tolerant manner?

AWS Gateway Load Balancer (GWLB)

What is the default granularity for CloudWatch metrics?

1 minute.

What is the difference between CloudWatch Logs and CloudWatch Metrics?

Logs collect text-based log files, Metrics collect quantitative data.

What feature does CloudWatch provide to react to metric thresholds being breached?

CloudWatch Alarms that trigger notifications or actions.

Which service provides request tracing to debug and analyze applications?

AWS X-Ray

What determines the level of access to Trusted Advisor checks and recommendations?

The AWS support plan (Basic, Developer, Business, or Enterprise)

What are the two main types of backups for AWS RDS?

Automated backups and manual snapshots.

How long does AWS RDS retain automated backups by default?

7 days (configurable up to 35 days).

What AWS service provides connection pooling to enhance database efficiency and scalability?

AWS RDS Proxy

What are the two main types of indexes in Amazon DynamoDB?

Global Secondary Index (GSI) and Local Secondary Index (LSI)

What is a limitation of a Local Secondary Index (LSI) in DynamoDB?

It must be defined at the time of table creation. LSI’s cannot be added or removed later.

In DynamoDB, a _____ supports queries over the entire table and a _____ only supports queries within the same partition.

Global Secondary Index (GSI) ... Local Secondary Index (LSI)

What is the primary purpose of Amazon DynamoDB Accelerator (DAX)?

To provide in-memory caching for DynamoDB

What DynamoDB feature provides multi-region, fully managed, multi-master database replication?

DynamoDB Global Tables

How is Amazon Athena priced?

Based on the amount of data scanned by the queries.

How does Amazon Athena differ from Amazon Redshift?

Athena is serverless and queries data directly in S3, while Redshift is a managed, petabyte-scale data warehouse that requires data loading.

What is the default data retention period for Kinesis Data Streams?

24 hours (extendable up to 365 days).

Name four AWS services that Kinesis Data Firehose can deliver data to.

Amazon S3, Redshift, OpenSearch Service, and Splunk.

Name two AWS services that can be used as data sources for Kinesis Data Analytics.

Kinesis Data Streams and Kinesis Data Firehose.

What processing languages does Kinesis Data Analytics support?

SQL and Java (Apache Flink).

What are three open-source frameworks that can be run on Amazon EMR?

Hadoop, Spark, HBase.

What are the two types of nodes in Amazon EKS?

Worker nodes and control plane nodes.

Name two AWS services that can be integrated with Amazon EKS for logging and monitoring.

Amazon CloudWatch, AWS CloudTrail.

What are four AWS services that can be protected by AWS WAF?

(1) CloudFront (2) API Gateway (3) ALB (4) AWS AppSync (GraphQL APIs)

How does AWS WAF allow you to control web traffic?

Through web ACLs (Access Control Lists).

How does AWS WAF differ from AWS Shield?

WAF provides customizable web traffic control, Shield offers DDoS protection.

How can you enable HTTPS for an application running on AWS Elastic Beanstalk?

By applying an SSL certificate to your Elastic Beanstalk environment's load balancer.

What AWS Elastic Beanstalk feature could you use for testing changes, blue/green deployments, or quickly replicating environments for different purposes without manual configuration?

Environment cloning

What type of file is used to configure multi-container Docker applications?

Docker Compose file

What are the three categories of Elastic Beanstalk runtimes/platforms?

Built-in languages, Docker, and custom platforms

What is the hierarchical structure of Elastic Beanstalk?

Applications, which contain Environments, which contain Versions.

In Elastic Beanstalk, what are the two tier options when configuring an environment?

(1) web server tier (user interacts with) (2) worker tier (processes application logic)

Elastic Beanstalk is great for _______ ___________ _______.

small development teams

When using Elastic Beanstalk, should you host the database part of the application within Elastic Beanstalk?

No, create the databases outside of Elastic Beanstalk so they are not accidentally deleted (or data is lost) during blue/green deployments.

The term "source bundle" refers to an application within what AWS service?

Elastic Beanstalk

To decouple an existing RDS instance from within an Elastic Beanstalk environment to be a standalone RDS instance, you should create an _____ _________, click on "________ _______ __________" for the RDS instance, create a new EB environment without RDS, swap environments, and then terminate the old environment.

RDS snapshot... Enable Delete Protection

Behind the scenes, Elastic Beanstalk uses _______________ to provision resources for your application.

CloudFormation

You can customize your Elastic Beanstalk environment by creating a ____________ folder within the application source bundle and adding YAML or JSON CloudFormation files ending in ________.

.ebextensions .config

What AWS service automates server setup, configuration, deployment, and management with Chef and Puppet?

AWS OpsWorks

What AWS Systems Manager feature allows you to define the desired state of your AWS resources?

State Manager.

What AWS service is best suited for automated patch management, executing remote commands, and inventory management?

AWS Systems Manager

Does Systems Manager Run Command require SSH/RDP access?

No, it connects via the Systems Manager agent that is installed on the EC2 instance and/or on-prem instances.

In AWS Systems Manager, a ________ _________ is a set of rules for auto-approving patches.

Patch Baseline

In AWS Systems Manager, what is used to logically separate instances, allowing for different patch baselines to be applied to different sets of instances?

Patch Groups

In AWS Systems Manager, what is used to schedule tasks such as patching, automation, or software updates to run on instances at specific times?

Maintenance Windows

In AWS Systems Manager, ______ __________ specify the patches to apply, ______ __________ categorize instances for patching, and __________ ________ determine when patching occurs.

Patch Baselines... Patch Groups... Maintenance Windows

In Systems Manager Patch Manager, there are some predefined Patch Baselines that contain security patches and updates. What do each of these refer to? (1) AWS-AmazonLinux2DefaultPatchBaseline (2) AWS-UbuntuDefaultPatchBaseline (3) AWS-DefaultPatchBaseline (4) AWS-WindowsPredefinedDefaultPatchBaseline-OS (5) AWS-WindowsPredefinedDefaultPatchBaseline-OS-Applications

(1) default for Linux (2) default for Ubuntu (3) default for Windows (2 possible names) (4) default for Windows (2 possible names) (5) defaults for Windows + MS App updates

What is the name of the AWS Systems Manager command that patches the instances?

AWS-RunPatchbaseline

What is the default behavior of a newly created custom NACL in AWS?

It denies all inbound and outbound traffic until rules are added to allow traffic.

How are rules in a NACL evaluated by AWS?

Sequentially, based on the rule number, from lowest to highest.

What is the default behavior of a newly created Security Group in AWS?

Allows all outbound traffic; denies all inbound traffic

The rules in a ____________ allow traffic based on protocol, port, and source/destination.

Security Group

Often an AWS Site-to-Site VPN can be configured in less than ...

1 hour

What are the three key components of an AWS Site-to-Site VPN connection?

(1) Virtual Private Gateway (VGW) (2) Customer Gateway (CGW) (3) the IPsec tunnel

What are the two types of AWS Site-to-Site VPNs?

(1) Static VPN (2) Dynamic VPN

How is an AWS Static VPN different from a Dynamic VPN?

Static = route table routes are added manually Dynamic = "route propagation" (if enabled) allows routes to be automatically added to the route tables using BGP

What is the speed limit for AWS Site-to-Site VPNs?

1.25 Gbps

What are four supported attachments for the Transit Gateway?

(1) VPCs (2) Site-to-Site VPNs (i.e. VGW) (3) Direct Connect Gateways (4) Other TGWs

Can a Transit Gateway peer with another Transit Gateway in a different AWS account?

Yes. Transit Gateway supports cross-account, and cross-region, peering.

Is there a cost for using the AWS RAM?

In AWS RAM, what are the three "principals" with whom a resource can be shared?

(1) Account (2) OU (3) Organization

When subnets are shared across AWS accounts using RAM, if a participant account provisions resources into the shared subnet, who owns the resource?

The account that provisions the resource owns the resource (in this example, the RAM participant account).

When subnets are shared across AWS accounts using RAM, can the VPC (subnet) owner delete or modify resource created by participant accounts?

No.

To attach a Direct Connect Gateway to a Transit Gateway, you would need a ________ ______ running over the DX connection.

transit VIF

What AWS service allows you to use on-premises Active Directory with AWS services without any directory data stored in AWS?

AD Connector - this redirects requests to on-prem servers

What service provides a fully managed Active Directory in AWS?

AWS Managed Microsoft AD

The AWS AD Connector injects ENIs into _____ subnets within your VPC and these go into (different/same) AZs.

two... different

The AWS AD Connector requires a _______ or ________ for connecting to your on-premises Active Directory.

Site-to-Site VPN or Direct Connect

The AWS-Managed _____________ service is highly available by default and it deploys the domain controller into 2 AZ's by default.

Microsoft AD

What AWS service supports RADIUS-based MFA?

AWS-Managed Microsoft AD

To enhance the speed of Direct Connect connections, you can combine multiple DX connections (up to 4), assuming they are all terminating into the same endpoint, using ____________.

Link Aggregation Groups

What key feature does Managed Microsoft AD support that Simple AD does not?

Trust relationships with on-premises Active Directory.

What is the maximum speed for an AWS DX LAG?

200Gbps

In DNS, an A record maps a _______ to a ________.

host... IPv4 address

In DNS, an AAAA record maps a _______ to a ________.

host... IPv6 address

In DNS, a CNAME record maps a _______ to a ________.

host... host

In DNS, if the resolver has to walk the tree in order to find the destination IP address, this result is known as an _____________ answer.

authoritative

In DNS, if the resolver does NOT have to walk the tree in order to find the destination IP address (i.e. the result is already cached on the DNS resolver server) this result is known as a _____________ answer.

non-authoritative

What is meant by Resource Records within a Route 53 Public Hosted Zone?

Resource Records are simply the collection of A, AAAA, CNAME, MX, TXT, etc records

What R53 feature is ideal if you want to use the same domain name for public access and private access, but you want the records to be different for each?

Route 53 Split View Hosted Zone

Let's say within DNS, you want to map the following: catagram.io -> ALB Could you use a CNAME record for this?

No, because CNAME records don't support the apex (e.g. catagram.io). You would use an ALIAS record for this.

Does R53 Simple Routing support health checks?

Route 53 health checks are conducted every ____ seconds by default, or up to ____ seconds for an extra cost.

30... 10

What three protocols can be used for Route 53 health checks?

(1) HTTP (2) HTTPS (3) TCP

Route 53 health checks can monitor what three things?

(1) endpoints (2) status of other health checks (3) state of CloudWatch alarms

Is KMS a regional or global service?

regional

AWS KMS has been validated by the United States National Institute of Standards and Technology (NIST) under what level of security?

Federal Information Processing Standards (FIPS) 140-2 (Level 3)

The term CMKs (Customer Master Keys) in KMS has been superseded by simply __________.

KMS Keys

KMS Keys can be used for up to ___ KB of data.

4KB

For encrypting data > 4KB, you can't use KMS directly, but you can use KMS to generate ___________ which then encrypts and decrypts the data.

Data Encryption Keys (DEKs)

Can an EBS volume be encrypted after its creation?

No, you would have to a take an EBS snapshot, encrypt the snapshot, and create a new EBS volume from the encrypted snapshot.

Can an EBS volume be attached to multiple EC2 instances simultaneously?

No, except for EBS Multi-Attach enabled volumes.

What are the three throughput modes of EFS?

(1) elastic (default) (2) provisioned (predictable) (3) bursting (unpredictable)

____________ is specific for managing secrets, whereas _________ is used for a wider range of configuration data and secrets.

Secrets Manager... Parameter Store

Which AWS service supports automatic rotation of credentials without application changes?

AWS Secrets Manager

If the exam mentions needing to store passwords or API keys, and Parameter Store and Secrets Manager are both options, you should default to choosing _____________.

Secrets Manager

What service directly integrates with other AWS services (such as RDS) for automatic key rotation?

AWS Secrets Manager

When choosing between Secrets Manager and Systems Manager Parameter Store, and you need to store either of the following: (1) hierarchical configuration information (2) CloudWatch agent configuration then you should lean towards ____________ as the correct answer.

Systems Manager Parameter Store

__________ is a continuous security monitoring service for threat detection. It identifies unexpected and unauthorized activity.

Amazon Guard Duty

_____________ can support multiple AWS accounts via an administrator account that manages threat detection on behalf of the member accounts.

Amazon Guard Duty

Which AWS logs does Amazon Guard Duty analyze to identify threats and malicious activity?

(1) VPC Flow Logs (2) CloudTrail (3) DNS Logs

What is required to enable AWS Config across multiple accounts in an organization?

Enable AWS Config in each account and designate an aggregator account to collect the configuration and compliance data.

Can AWS Config track changes to IAM roles and policies?

Yes

Which AWS service records configuration changes over time on resources?

AWS Config

Can AWS Config prevent changes from happening?

No, it simply records changes.

AWS Config is a ________ (regional/global) service by default.

regional

Where is AWS Config data stored?

In an S3 bucket that you specify during AWS Config setup.

Using _____________, your AWS resources can be evaluated with predefined or custom rules (using Lambda) and labeled as 'compliant' or 'non-compliant'. These compliant / non-compliant states can then trigger remediation via EventBridge.

Config Rules (a feature of AWS Config)

One distinction between Guard Duty and Inspector is that _________ focuses more narrowly on EC2 instances.

Inspector

__________ focuses on vulnerability and deviations from best practices within EC2 instances, while __________ focuses on broader threat detection across the AWS environment.

Inspector... Guard Duty

Which AWS service provides a "security report" of findings as its output?

Amazon Inspector

Which AWS service might have an output containing a data attribute called "UnrecognizedPortWithListener"?

Amazon Inspector

When you see keywords on the exam like host assessments, common vulnerabilities and exposures (CVEs), and Center for Internet Security (CIS) benchmarks, the answer is likely ____________.

Amazon Inspector

Which AWS service gives you a centralized view of your security alerts and security posture across your AWS accounts?

AWS Security Hub

What are two main functions of AWS Security Hub?

(1) Aggregating security findings (2) Performing automated security checks against AWS best practices

What does PCI DSS stand for, and what is the primary purpose?

Payment Card Industry Data Security Standard To protect cardholder data and secure payment card transactions.

What intrinsic function in CloudFormation returns the value of a specified parameter or resource?

'Ref'

How can you concatenate values in a CloudFormation template?

'Fn::Join'

What feature of CloudFormation can be used to store and reference predefined values outside of the CloudFormation template?

CloudFormation Mappings

What CloudFormation attribute would you use to ensure resources are created and configured in a specific order?

DependsOn

What CloudFormation feature can you use to pause resource creation until a custom condition is met?

Wait Conditions

When sharing a Route 53 Hosted Zone across accounts, the account with the hosted zone must __________ the association, and the account receiving the access must then accept the _____________.

authorize... authorization

What is a fully qualified domain name (FQDN)?

It is the complete address of a host (for example, www.example.com)

When using ACM to create certificates for a multi-region deployment of ELBs, can you create all of the certificates in us-east-1?

No, that only works for global services (such as CloudFront). For a multi-region deployment of ELBs, you need to create ACM certificates within each desired region.

What feature allows AWS S3 to automatically replicate data across multiple AWS regions?

S3 Cross-Region Replication.

How do you ensure that AWS resources can only be accessed within your organization?

Implement a private hosted zone in Amazon Route 53.

Which AWS service is used to manage containerized workloads across AWS and on-premises environments?

Amazon ECS Anywhere.

How can AWS Lambda be triggered by changes in an AWS CodeCommit repository?

Based on CodeCommit push events.

For a static website hosted on S3 to be publicly accessible, how would you do this in the console?

Uncheck (i.e. disable) the “Block Public Access” checkboxes

To avoid simultaneous EC2 instance reboots during patching, what feature should you configure?

Non-overlapping maintenance windows.

What feature allows you to transfer S3 data transfer costs to the requester?

Requester Pays.

Which DynamoDB feature allows automatic deletion of items after a specified time?

Time to Live (TTL).

What is the recommended way to collect logs from EC2 instances for analysis?

Configure a unified CloudWatch Logs agent.

What are the three ECS networking modes?

(1) bridge (default for Linux) (2) host (3) awsvpc

Which ECS networking mode creates an ENI for each task?

awsvpc

Which network mode should be used in ECS to allow task-level security groups?

awsvpc

____________ is a free and open-source implementation of the Java Platform, Standard Edition (Java SE). It is an alternative to the commercially-licensed OracleJDK.

OpenJDK, or Open Java Development Kit

To save on Oracle Java SE licensing costs when migrating to AWS, what could you use as an alternative?

OpenJDK

_____________ is a unique type of IAM role in AWS that is predefined by the service, and only the linked service can assume the role.

service-linked role

What adjustment to SQS redrive policy can help prevent premature dead-letter queue transfers?

Increase maxReceiveCount.

Is multi-region deployment for read and write operations supported by RDS?

No, although it does support the creation of cross-Region read replicas for some database engines.

For a global application needing fault tolerance across regions with relational database features, what AWS database service fits best?

Amazon Aurora Global Database.

To comply with strict IT security policies at the container level, which AWS service and feature should be used?

Amazon ECS with awsvpc network mode and security groups.

What are two ways to ensure security for logs stored in S3?

(1) Enable MFA Delete (2) configure bucket policies

Which AWS service is used to migrate VMs from on-premises to AWS with minimal downtime?

AWS Application Migration Service (MGN)

By default, CloudTrail trails created via the AWS Management Console have _______ ________ events enabled.

global service

Which AWS service allows automated OS patching and management of EC2 instances?

AWS Systems Manager

To securely pass database credentials to an Amazon ECS container, you can use AWS Secrets Manager or AWS Systems Manager Parameter Store to store the sensitive data, and you also need to ensure that _____________.

the IAM execution role for the ECS task has the necessary permissions to retrieve the credentials.

The AWS Application Migration Service uses ___________ _________, that are installed on each source server, to facilitate the migration of on-premises servers to AWS.

replication agents

CloudTrail ______________ is a feature that allows you to check the integrity of your CloudTrail log files to determine if they have been changed after delivery.

log file validation

________________ with CloudFront is a feature that allows you to set up CloudFront with two origins: a primary and a secondary.

Origin failover

A ____________ is a globally available network device that allows you to connect your AWS Direct Connect connection to VPCs in remote Regions. It can be created in any AWS Region and accessed from all other Regions.

Direct Connect Gateway

How could you enable inter-region VPC access from your corporate environment?

Use a Direct Connect connection with a Direct Connect Gateway

___________Gateway focuses on private connectivity from on-premises, whereas ___________Gateway focuses on interconnectivity between VPCs, VPNs, and Direct Connect Gateways.

Direct Connect Gateway... Transit Gateway

What service enables the creation of a cloud-based contact center?

Amazon Connect

Which service allows you to build conversational interfaces with automatic speech recognition?

Amazon Lex

What AWS feature can trigger a Lambda function upon data file upload to S3?

Amazon S3 event notifications

In the context of the AWS Schema Conversion Tool (SCT), a ___________ can be installed on a separate on-premises server from the one running AWS SCT, allowing for the parallel extraction of data.

extraction agent

Large-scale data migrations of tens of TB of data often use the AWS SCT (Schema Conversion Tool) along with a ______________ for the migration.

Snowball Edge device

When a user attempts to access AWS resources, a ______________ is generated by the organization's identity provider (IdP) after the user's identity is verified (the "authentication" portion of authentication and authorization)

SAML assertion

______________ is a service that monitors and provides alerts on containerized applications at scale.

Amazon Managed Service for Prometheus

An example architecture for processing data from IoT devices to Amazon RDS might use ________ to trigger ________.

Amazon S3 event notifications... a Lambda function

The _______ record is specific to AWS Route 53 and provides a Route 53–specific extension to DNS functionality.

ALIAS

In Route 53, __________ records are nearly always preferred over __________ records, except when pointing to non-AWS resources.

Alias... CNAME

If another AWS account needs to copy information to or from a resource in your own AWS account, you can set up cross-account access with a __________ Policy

resource-based

Which AWS service allows you to create data-driven workflows to automate and orchestrate the movement and transformation of data?

AWS Data Pipeline

Which AWS service utilizes a standby instance for automatic failovers?

Amazon RDS

When you choose a ____________ deployment, Amazon RDS automatically creates a primary DB instance and synchronously replicates the data to a standby instance in a different Availability Zone.

Multi-AZ

_____________ is a scalable marketing communications AWS service that helps businesses connect with their customers through personalized multichannel communications.

Amazon Pinpoint

The "rehost" migration strategy is also known as ____________ and does not re-configure anything.

lift and shift

Between Amplify and Elastic Beanstalk, ________ is optimized for serverless and frontend-driven applications, whereas ________ is for traditional app deployments with more backend control.

Amplify… Elastic Beanstalk

The "Replatform" migration strategy could also be described as _______________.

lift and shift with optimization

When a company's migration encompasses a transition from a self-managed database to an AWS managed database (such as RDS), this would be an example of a __________ migration strategy.

Replatform

How can you restrict access to files in Amazon S3 to ensure they can only be accessed via CloudFront URLs?

Use the CloudFront feature called Origin Access Control (OAC).

______________ defines a way for client web applications (typically the JavaScript) that are loaded in one domain to interact with resources in a different domain.

Cross-origin resource sharing (CORS)

___________ is used for simplified (fully managed, aka serverless) deployment and management of containerized web applications, whereas ___________ is used for more flexible, larger, and configurable containerized workloads.

AWS App Runner... ECS

_________ APIs are often used in real-time applications such as chat applications, collaboration platforms, multiplayer games, and financial trading platforms.

WebSocket APIs

_________ provide full-duplex communication over a single TCP connection. Unlike ______, the connection is persistent and not closed after each request/response.

WebSocket APIs... Rest APIs

_________ use HTTP only briefly during the initial handshake phase when establishing the connection to upgrade from HTTP to _________ protocol. Once upgraded, all further messaging happens directly over TCP.

WebSocket APIs... WebSocket

_________ is a fully managed serverless GraphQL service.

AWS AppSync

What are three common types of APIs?

(1) REST API (2) GraphQL API (3) WebSocket API

An EC2 instance _______ is a container for an IAM role that is used to pass role information to an Amazon EC2 instance when the instance starts.

profile

What is the default configuration (enabled/disabled) of cross-zone load balancing ALBs, NLBs, and GLBs?

(1) ALB: enabled (2) NLB: disabled (3) GLB: disabled

A load balancer ________ checks for connection requests from clients, using the protocol and port that you configure, and forwards requests to a target group.

listener

A ________ Load Balancer offers support for static IP addresses (because it operates at _____ of the OSI model).

Network Load Balancer... L4

A ________ Load Balancer can route requests to multiple applications on a single EC2 instance, using different ports for each application

Network Load Balancer

A ________ Load Balancer is capable of managing sudden and unpredictable workloads, scaling to millions of requests per second

Network Load Balancer

Which AWS service integrates data flows between SaaS and AWS services?

Amazon AppFlow

What are the two primary methods to allow external users to access AWS resources?

(1) granting federated access via the IAM Identity Center (2) Cognito Identity Pools

__________ is used for managing access to AWS resources for human users within your organization, while __________ is used for providing temporary, limited access to AWS resources for users of mobile and web applications.

IAM Identity Center... Cognito Identity Pools

Are RDS automated backups enabled by default?

Yes

___________ occur once per day during a user-configurable period known as the backup window.

Amazon RDS automated backups

The S3 Glacier standard retrieval time is approximately ___________.

3 to 5 hours

Which CloudFormation intrinsic function allows you to retrieve attribute properties of other resources created within the CloudFormation template.

Fn::GetAtt

In the context of the AWS Storage Gateway, the term "iSCSI" indicates that _______ storage is being used, and thus the Storage Gateway _______ Gateway may be the answer.

block... Volume

__________ is an open-source platform developed by Red Hat for implementing Java applications, it provides a full range of Java EE (Enterprise Edition) features, and it is used as a framework by many software companies.

JBoss Application Server

_________ is a utility built into Oracle databases that automates the process of backup and recovery.

Oracle RMAN (Recovery Manager)

__________ is a search service purpose-built for simplicity, whereas __________ is a managed distribution of open-source Elasticsearch supporting advanced analytics features.

CloudSearch... OpenSearch Service

The ______________ is an identity authentication protocol that can help prevent replay attacks (where an adversary intercepts traffic and redirects or delays it).

Challenge-Handshake Authentication Protocol (CHAP)

Similar to how a NAT Gateway is used for outbound IPv4 traffic from a private subnet, a _______ is used for outbound IPv6 traffic.

egress-only Internet Gateway

What are the two Storage Gateway - Volume Gateway options?

(1) Cached Volumes (2) Stored Volumes

What is the term for a workflow within AWS Step Functions?

a state machine

Can AWS Step Functions read and write from DynamoDB?

Yes

____________ manages compute environments and job queues, allowing users to easily run thousands of jobs of any scale using Amazon ECS, Amazon EKS, and AWS Fargate with an option between Spot or on-demand resources.

AWS Batch

_________ is designed for running batch computing workloads of any scale, while _________ is tailored for processing vast amounts of data using open source big data tools.

AWS Batch... Amazon EMR

Is the Oracle feature called Real Application Clusters (RAC) supported in Amazon RDS?

The ___________ (error type) in AWS Lambda typically occurs when the function reaches the account's concurrency limit or when the request throughput limit is exceeded.

TooManyRequestsException

In DynamoDB, the ___________ error means that your request rate is too high for a table or global secondary index. To solve this, you can increase the ___________ of your DynamoDB table.

ProvisionedThroughputExceededException ... Write Capacity Units (WCUs)

When an EC2 instance assumes an IAM role, does it retrieve its security credentials from the instance metadata or user data?

metadata (from the instance metadata service (IMDS) within the instance itself)

To keep your SSL/TLS keys secure, you can use ____________ to offload SSL/TLS processing for your web servers.

AWS CloudHSM

Which disaster recover strategies would you use for the following: (1) RTO of 24 hours or less (2) RTO of hours (3) RTO of minutes (4) RTO essentially zero

(1) backup and restore (2) pilot light (3) warm standby (4) active-active

CloudFront _____________ allow you to control access to your content without changing your current URLs. It is also used when you want to provide access to multiple restricted files rather than a single file.

signed cookies

In Amazon Kinesis, a _______ is a high-level class within the Kinesis Client Library (KCL) that Kinesis applications use to start processing data.

worker

In AWS Lambda, what are the two types of concurrency?

(1) Reserved concurrency (2) Provisioned concurrency

In AWS Lambda, ________ concurrency represents the maximum number of concurrent instances allocated to your function, whereas ________ concurrency is the number of pre-initialized execution environments allocated to your function.

reserved... provisioned

The _________ metric in AWS Lambda represents the number of function execution attempts that were throttled due to invocation rates exceeding the current limits.

Throttles metric

Each separate source of logs in CloudWatch Logs makes up a separate _____ __________.

Log Stream

Would you use SNS or SQS as part of an architecture to help with scaling?

SQS

Is S3 or EBS the ideal storage solution you need to scaling an application?

The _________ ___________ is a built-in SSL/TLS certificate that is associated with the CloudFront default domain name (*.cloudfront.net)

default certificate

A CloudFront ________ origin refers to any web server or AWS resource that is not an Amazon S3 bucket

custom