AWS SAA Flashcards

1
AWS Organizations
Central management of many AWS accounts. One account is the management account; every other account is a member of the organization. Accounts are grouped into Organizational Units (OUs), e.g. Finance, Dev, Prod, and policies (SCPs) can be attached to the root, an OU or a single account. Also gives consolidated billing and shared Reserved Instance / Savings Plan discounts across accounts.
2
SCP (Service Control Policies)
Organization-wide guardrails that set the maximum permissions available to IAM principals in member accounts. An SCP never grants access on its own: a call succeeds only if the SCP and the principal's IAM policy both allow it, and an explicit Deny in either wins. SCPs do not affect the management account or service-linked roles.
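How an SCP combines with an IAM policy is easier to see in code than in prose. The block below is an added example and not part of the flashcards: a small model of the AWS evaluation order (explicit Deny wins, SCPs only cap what IAM may grant, the management account is exempt). The policy documents are constructed for the demo, and the matcher is deliberately small (Action wildcards plus StringEquals / StringNotEquals conditions, no Resource matching).

```python
"""Toy model of SCP + IAM identity-policy evaluation (added example).
Policies below are constructed; the ordering mirrors AWS's documented
policy-evaluation logic but the matcher only handles Action wildcards and
StringEquals / StringNotEquals conditions."""
from fnmatch import fnmatchcase

# Constructed SCP for a "Workloads" OU: keeps the default FullAWSAccess
# allow, pins EC2 to one region and protects CloudTrail.
SCP_WORKLOADS = {
    "Statement": [
        {"Effect": "Allow", "Action": "*"},
        {"Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]},
        {"Effect": "Deny", "Action": "ec2:*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": "eu-west-1"}}},
    ]
}

# Constructed IAM identity policy for a developer role in a member account.
IAM_DEVELOPER = {
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*", "cloudtrail:*"]}]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Supports only StringEquals / StringNotEquals on request-context keys."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def evaluate_policy(policy, action, context):
    """Return 'Deny', 'Allow' or None (no statement matched the action)."""
    decision = None
    for statement in policy["Statement"]:
        if not any(fnmatchcase(action, pattern) for pattern in _as_list(statement["Action"])):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"          # explicit deny is final for this policy
        decision = "Allow"
    return decision


def is_allowed(action, scps, identity_policies, context, management_account=False):
    """Simplified AWS evaluation: every applicable SCP must allow the action
    (an SCP that is silent or denies blocks it), then the identity policies
    must allow it with no explicit deny. The management account skips SCPs."""
    if not management_account:
        for scp in scps:
            if evaluate_policy(scp, action, context) != "Allow":
                return False
    decisions = [evaluate_policy(p, action, context) for p in identity_policies]
    return "Deny" not in decisions and "Allow" in decisions


def demo():
    """Worked cases for the Workloads OU; returns a name -> allowed mapping."""
    eu = {"aws:RequestedRegion": "eu-west-1"}
    us = {"aws:RequestedRegion": "us-east-1"}
    scps, iam = [SCP_WORKLOADS], [IAM_DEVELOPER]
    return {
        "run ec2 in eu-west-1": is_allowed("ec2:RunInstances", scps, iam, eu),
        "run ec2 in us-east-1 (SCP region guardrail)": is_allowed("ec2:RunInstances", scps, iam, us),
        "stop cloudtrail (IAM allows, SCP denies)": is_allowed("cloudtrail:StopLogging", scps, iam, eu),
        "create iam user (SCP allows, IAM silent)": is_allowed("iam:CreateUser", scps, iam, eu),
        "stop cloudtrail from management account": is_allowed(
            "cloudtrail:StopLogging", scps, iam, eu, management_account=True),
    }
```

The fourth case is the one people get wrong on the exam: the SCP allows `iam:CreateUser`, yet the request fails because nothing in IAM grants it. The last case is the reason the management account should hold no workloads: SCPs cannot restrain it.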
3
Amazon Cognito
Identity for the users of your web or mobile app. User Pools are a managed user directory (sign-up, sign-in, MFA, social and SAML login) that returns JWTs; Identity Pools exchange an identity (from a User Pool or a third-party IdP) for temporary AWS credentials so the app can call AWS services directly.
4
AWS IAM Identity Center
(Successor to AWS SSO) One login for every account in an AWS Organization plus SAML-integrated business applications. Identity source is the built-in store, Active Directory, or an external SAML 2.0 IdP (Okta, Entra ID, etc.). Permission sets map users and groups to roles in each account, so no long-lived IAM users are needed.
5
AWS Control Tower
Automates the set-up of a secure, compliant multi-account landing zone on top of AWS Organizations (log-archive and audit accounts, account factory). Guardrails are preventive (implemented as SCPs) or detective (implemented as AWS Config rules), with a dashboard for compliance and drift.
6
EC2 User Data
A shell script or cloud-init directives passed at launch; by default it runs once, as root, on the first boot only (not on every start). Caveat: user data is stored in plaintext and any process on the instance can read it from the instance metadata service, so never put secrets in it; fetch them from SSM Parameter Store or Secrets Manager via the instance role instead.
7
EC2 Security Groups
Virtual firewall at the instance (ENI) level. Inbound and outbound rules are allow-only (no deny rules) and stateful: return traffic for an allowed connection is accepted automatically. Rules can reference other security groups as source or destination. Defaults: all inbound denied, all outbound allowed.
8
EC2 Instance (On-Demand)
Short or unpredictable workloads, no commitment; billed per second (60-second minimum) at the highest unit price.
9
EC2 Instance (Reserved (1&3 Years))
Long, steady-state workloads. Commit to an instance type in a region (Standard) or keep the right to change family/OS (Convertible) for 1 or 3 years, paying nothing, part or all upfront. Up to about 72% off On-Demand.
10
EC2 Instance (Savings Plans (1&3 Years))
Commit to a $/hour spend for 1 or 3 years; usage up to that amount is discounted, anything beyond it is billed On-Demand. Compute Savings Plans apply across EC2 families, regions, Fargate and Lambda; EC2 Instance Savings Plans are tied to one family in one region. Like Reserved Instances, but you commit to spend rather than to a specific instance.
11
EC2 Instance (Spot Instances)
Spare capacity at up to 90% off. You set a maximum price; when the spot price exceeds it or AWS needs the capacity back, the instance is interrupted with a two-minute warning. Only for fault-tolerant work (batch, CI, data analysis), never for databases.
12
EC2 Instance (Dedicated Hosts)
Book an entire physical server. You see sockets and cores and control instance placement, which is what server-bound BYOL licenses (per-socket, per-core) and some compliance regimes require. Most expensive option.
13
EC2 Instance (Dedicated Instances)
Your instances run on hardware no other AWS customer shares, but you get no placement control or socket/core visibility, and the host may change after a stop/start.
14
EC2 Instance (Spot Fleet)
A fleet of Spot (optionally plus On-Demand) instances launched from launch templates across several instance types and AZs to meet a target capacity at the lowest cost. When an instance is interrupted, the fleet launches a replacement from another pool if the price allows. Allocation strategies: lowestPrice, diversified, capacityOptimized. Set and forget.
15
EC2 Networking (Private IP)
Address from the subnet's CIDR, reachable only inside the VPC (or through VPN, Direct Connect or peering). Stays with the instance for its whole life.
16
EC2 Networking (Public IP)
Internet-routable address from Amazon's pool. Behaves like a DHCP lease: released on stop and a different one assigned on start.
17
EC2 Networking (Elastic IP)
A static public IPv4 address you own until you release it. Attach it to an instance (or ENI) and the address survives stop/start; you are billed for it while it is unattached. Default limit 5 per region; prefer DNS names or load balancers over EIPs where you can.
18
EC2 Cluster Placement Group
Single AZ, instances packed on the same rack for the lowest latency and highest network throughput (HPC, big data). Highest blast radius: a rack failure takes every instance down.
19
EC2 Spread Placement Group
Each instance on distinct underlying hardware (its own rack, power and network); can span several AZs in a region. Limited to 7 running instances per AZ per group. For a small number of critical instances that must not fail together.
20
EC2 Partition Placement Group
Instances are split into partitions (up to 7 per AZ), each partition on its own set of racks; partitions share no hardware, so a rack failure affects only one partition. Can span AZs and scale to hundreds of instances. For partition-aware systems such as Hadoop, Cassandra and Kafka.
21
ENI (Elastic Network Interface)
Virtual network card bound to a subnet: a primary private IP, optional secondary IPs, one Elastic IP per private IP, a MAC address and security groups. Can be created on its own and moved between instances in the same AZ (e.g. for failover).
22
EBS (Elastic Block Store)
Network-attached block volume, bound to one AZ, attached to one instance at a time (io1/io2 Multi-Attach is the exception). Think "network USB stick". You provision size (and IOPS) up front and pay for what you provision, not what you use. Persists after the instance is terminated unless "delete on termination" is set; snapshots to S3 let you move it across AZs or regions.
23
EFS (Elastic File System)
Managed NFS (v4) file system that many instances across multiple AZs in a region can mount at the same time. Linux/POSIX only, pay per GB used, access controlled by security groups on the mount targets. Roughly 3x the price of gp2 EBS; the Infrequent Access storage class cuts cost.
24
Horizontal Scaling
Adding instances to handle more load (scale out) or removing them (scale in). Needs a load balancer and usually an Auto Scaling Group.
25
Vertical Scaling
Increasing the size of an existing instance (scale up), e.g. t3.small to t3.large. Requires a stop/start, so brief downtime, and is capped by the largest available instance size.
26
Application Load Balancer (ALB)
Layer 7 (HTTP/HTTPS/gRPC/WebSocket) load balancer. Routes requests to target groups (EC2, IPs, Lambda, ECS tasks) by path, host header, query string or headers, so one ALB can front many applications. Clients get a fixed DNS name, not a fixed IP; the client's real IP is passed in X-Forwarded-For.
27
Sticky Sessions
Session affinity: a cookie ties a client to one target so its later requests land on the same instance. For example, User1 first reaches Instance5 and keeps going to Instance5 until the cookie expires. Keeps in-memory session state working but can unbalance load; ALB supports duration-based and application-based cookies.
28
Cross-Zone Load Balancing
Each load balancer node spreads requests evenly across all registered targets in every enabled AZ, rather than only the targets in its own AZ. Enabled by default (and free) on ALB; disabled by default on NLB and GWLB, where inter-AZ data transfer is charged.
29
Network Load Balancer (NLB)
Layer 4 (TCP/UDP/TLS) load balancer: millions of requests per second, very low latency, one static IP per AZ (can be an Elastic IP you own). Preserves the client source IP and is the entry point for PrivateLink services.
30
Gateway Load Balancer (GWLB)
Layer 3 gateway plus load balancer for deploying and scaling third-party virtual appliances (firewalls, IDS/IPS). Traffic is routed to a GWLB endpoint, encapsulated with GENEVE (UDP 6081), sent to the appliance fleet for inspection, then returned to its original destination.
31
Deregistration Delay
Connection draining. When a target is deregistered or becomes unhealthy, the load balancer stops sending it new requests but lets in-flight requests finish for the delay period (default 300 s, range 0-3600 s). Set it low for short requests, 0 to cut connections immediately.
32
Auto Scaling Group (ASG)
Automatically adds instances (scale out) or removes them (scale in) from a launch template to match load, keeping the count between min and max around a desired size. Replaces unhealthy instances and registers new ones with a load balancer target group. Scaling policies: target tracking, step, scheduled, predictive.
33
Server Name Indication (SNI)
TLS extension: the client names the host it wants in the ClientHello, so one listener can hold certificates for many domains and return the right one. Example: a client connects to the ALB asking for www.example.com; the ALB picks that domain's certificate for the handshake. Supported on ALB and NLB, not on Classic Load Balancer.
34
RDS (Relational Database Service)
Managed relational database (PostgreSQL, MySQL, MariaDB, Oracle, SQL Server, Db2, Aurora) queried with SQL. AWS handles provisioning, patching, automated backups, Multi-AZ failover (synchronous standby) and read replicas; you cannot SSH to the host.
35
Amazon Aurora
AWS's cloud-native MySQL- and PostgreSQL-compatible engine. Storage grows automatically (in 10 GB steps, up to 128 TiB), six copies across three AZs, up to 15 read replicas, failover in about 30 seconds. Aurora Global Database adds cross-region replicas; it is not multi-region by default.
36
RDS Read Replicas
Asynchronous copies of the primary used to scale reads (up to 15 per source; same AZ, cross-AZ or cross-region). Eventually consistent; the application must send reads to the replica endpoint. A replica can be promoted to a standalone database. Not the same as Multi-AZ, which is a synchronous standby for failover and takes no reads.
37
RDS Proxy
Managed connection pool in front of RDS/Aurora. Applications open connections to the proxy, which multiplexes them onto far fewer database connections, cuts failover time, and can enforce IAM authentication with credentials held in Secrets Manager. Ideal for Lambda functions that open many short connections. Reachable only from inside the VPC.
38
Amazon ElastiCache
Managed in-memory cache (Redis or Memcached). Stores query results so the database is not hit for every repeated read, or user session data so application servers stay stateless. Nothing is cached automatically: the application code must implement the pattern (cache-aside: check the cache; on a miss, query the database and write the result back).
39
Redis
ElastiCache for Redis: Multi-AZ with automatic failover, read replicas, backup/restore, persistence, sorted sets (leaderboards). Memcached: sharded across nodes, no replication, no persistence, multithreaded.
40
Route 53 (DNS)
AWS's managed authoritative DNS service and domain registrar (AWS's "NS1"). Highly available, with a 100% availability SLA, the only AWS service that has one.
41
Public Hosted Zone
Records for a domain that anyone on the internet can resolve, e.g. for a domain you bought.
42
Private Hosted Zone
Records resolvable only from inside the VPCs you associate with the zone: an internal DNS for your own applications.
43
TTL (Time to Live)
How long resolvers and clients cache an answer before asking again. High TTL means less DNS traffic but slower propagation of changes; lower it ahead of a planned change. Required on every record type except Alias.
44
True or False: A CNAME DNS record can point to the zone apex (root domain, e.g. example.com).
False. A CNAME cannot sit at the zone apex and cannot share a name with other records; it works only for a subdomain such as www.example.com or app.example.com.
45
True or False: An "Alias" DNS record can point to the zone apex (root domain).
True. Alias is a Route 53 extension that points a name, including the apex, at an AWS resource (ALB, CloudFront, S3 website endpoint, another Route 53 record). Queries are free and the TTL is managed by the target.
46
Simple DNS Routing Policy
Routes to a single resource. If the record holds several values, the client picks one at random. No health checks.
47
Weighted DNS Routing Policy
Assign each record a weight; traffic is split in proportion (weight divided by the sum of weights), e.g. 70% of queries to Instance2. Weight 0 removes a record from rotation. Health checks supported. Used for A/B tests and gradual migrations.
48
Latency DNS Routing Policy
Routes to the region with the lowest measured network latency from the user's resolver to AWS regions (which may not be the geographically closest). Health checks supported.
49
Failover DNS Routing Policy
Active-passive: a primary record with a health check and a secondary record. When the primary's check fails, Route 53 answers with the secondary.
50
Geolocation DNS Routing Policy
Routes by the user's location (continent, country or US state), e.g. users in China get Instance3; a default record catches everyone else. Used for localized content and legal restrictions.
51
Multi-Value Answer DNS Routing Policy
Returns up to 8 healthy records per query, each with its own health check, e.g. define 3 values and an unhealthy one is dropped from the answer. Client-side load balancing; not a replacement for an ELB.
52
Geoproximity DNS Routing Policy
Routes by geographic distance between user and resource, adjusted by a bias (-99 to +99) that enlarges or shrinks a resource's catchment area. Requires Route 53 Traffic Flow. Example: us-east-1 with bias +50 and us-west-2 with bias 0: of four users spread evenly across the US, most are sent to us-east-1, including some who are physically closer to us-west-2.
53
True or False: You can host your DNS domain that you bought on a third party website on AWS Route 53.
True. Create the hosted zone in Route 53 and point the registrar's NS records at the Route 53 name servers.
54
AWS Elastic Beanstalk
PaaS for developers: upload code and Beanstalk provisions and manages EC2, load balancer, Auto Scaling, RDS and so on through CloudFormation. You keep full control of the configuration and pay only for the underlying resources.
55
Golden AMI
A custom AMI with dependencies, configuration and patches baked in, so new instances boot ready to serve without long user-data scripts. Rebuild it regularly (e.g. with EC2 Image Builder) so it does not drift out of patch compliance.
56
S3 Buckets
Created in one region, but the name must be globally unique across all AWS accounts and regions, and DNS-compliant.
57
S3 Objects
Identified by a key, the full path (prefix plus name). Max size 5 TB; anything over 5 GB must use multipart upload. Private by default; making one public needs Block Public Access disabled plus a policy or ACL that grants access, after which it has an internet-reachable URL. Objects also carry metadata, tags and a version ID.
58
True or False: You cannot make “Folders” within buckets.
False in practice, with a caveat: S3 is a flat key space. The "folders" the console lets you create are just key prefixes ending in "/" (a zero-byte object), which the console renders as a tree.
59
Multi-Part Upload
Recommended for objects over 100 MB, required over 5 GB. The file is split into parts uploaded in parallel and reassembled by S3. Add a lifecycle rule to abort incomplete multipart uploads so orphaned parts do not keep accruing charges.
60
Transfer Acceleration
Upload to the nearest CloudFront edge location, which forwards to the bucket over the AWS backbone. For example, a file in the US going to a bucket in Australia enters AWS at a US edge location, giving faster, lower-latency uploads over long distances.
61
Byte-Ranges
Byte-range fetches: Range GET requests download a large object in parallel chunks (speed, resilience to failed requests) or retrieve only part of it, e.g. the header.
62
S3 Security: User-Based
IAM policies attached to users or roles state which S3 API calls they may make on which buckets and prefixes.
63
S3 Security: Resource-Based
Bucket policies: bucket-wide JSON rules that grant or deny principals, including other accounts or the public; also used to force HTTPS or require encryption. Object ACLs exist but are disabled on new buckets. A principal gets access if IAM or the bucket policy allows it and nothing explicitly denies it.
64
S3 Security: Encryption
Objects can be encrypted server-side (SSE-S3, the default since January 2023; SSE-KMS; DSSE-KMS; SSE-C) or client-side before upload.
65
True/False: S3 Buckets are made available to the public by default.
False. Buckets are private by default, and new buckets have Block Public Access enabled, which overrides any policy or ACL that would make data public.
66
True/False: You can host static websites on AWS S3.
True. Static website hosting serves HTML, CSS, JS and other files directly; "static" means no server-side code, not that the files never change. The bucket must allow public reads (or sit behind CloudFront with OAC).
67
At what level is S3 Versioning enabled?
Per S3 bucket (and once enabled it can only be suspended, not removed).
68
What is S3 Versioning?
Uploading an object with the same key creates a new version with a unique version ID instead of overwriting; every version is kept and billed. A delete adds a delete marker, leaving older versions restorable. Protects against accidental overwrites and deletes.
69
S3 Replication: CRR (Cross-Region Replication)
Asynchronous copy of objects to a bucket in another region: compliance, lower-latency access for users in that region, cross-account copies.
70
S3 Replication: SRR (Same-Region Replication)
Copy to another bucket in the same region: log aggregation, live replication between production and test accounts.
71
What is a requirement before SRR can be done?
Versioning enabled on both source and destination buckets (true for SRR and CRR), plus an IAM role for S3. Only objects written after enabling are replicated (use Batch Replication for existing ones); delete markers can be replicated, permanent deletes are not; replication does not chain.
72
Name all S3 Storage Classes
Standard, Standard-IA, One Zone-IA, Glacier Instant Retrieval, Glacier Flexible Retrieval, Glacier Deep Archive, Intelligent-Tiering.
73
S3 Standard Storage Class
Frequently accessed data, millisecond latency, 99.99% availability, eleven nines of durability. The default class.
74
S3 Standard IA Storage Class
Less frequently accessed data that still needs fast retrieval: lower storage price, a per-GB retrieval fee, 30-day minimum. Disaster recovery, backups.
75
S3 One-Zone IA Storage Class
Like Standard-IA but in a single AZ (lower cost); data is lost if that AZ is destroyed. Secondary backup copies, recreatable data.
76
S3 Glacier Instant Retrieval Storage Class
Millisecond retrieval at archive prices; 90-day minimum. Data accessed about once a quarter.
77
What is Glacier meant for?
Cold, rarely accessed archive data, with retrieval times from minutes to hours and minimum storage durations.
78
S3 Glacier Flexible Retrieval Storage Class
Three retrieval tiers: Expedited 1-5 minutes, Standard 3-5 hours, Bulk 5-12 hours (free). 90-day minimum storage.
79
S3 Glacier Deep Archive Storage Class
Two retrieval tiers: Standard 12 hours, Bulk 48 hours. 180-day minimum. Cheapest storage.
80
S3 Intelligent Tiering Storage Class
A small monthly monitoring fee and no retrieval fees; S3 moves each object between frequent, infrequent and archive-instant tiers automatically based on access (deeper archive tiers are opt-in).
81
AWS SDK
AWS Software Development Kit: language-specific libraries (boto3 for Python, the Java SDK, etc.) for calling AWS APIs from code. Uses the default credential chain (environment, profile, instance or task role), so keys never need to be hard-coded.
82
What tool would you give to a developer to make API calls from within an application without using the AWS CLI?
An AWS SDK.
83
S3 Lifecycle Rules
Per-bucket rules that transition objects between storage classes or expire them after a set time, optionally filtered by prefix or tag.
84
S3 Transition Actions
Move objects to another class N days after creation, e.g. to Standard-IA after 60 days and to Glacier Flexible Retrieval after 180.
85
S3 Expiration Actions
Delete objects a set number of days after creation (age-based, not last-access-based), e.g. expire log files after 365 days; also delete old versions and abort incomplete multipart uploads.
86
True/False: S3 Lifecycle Rules can only be applied to the entire bucket.
False. They can apply to the whole bucket or be filtered by prefix ("folder") or object tags.
87
S3 Requester Pays
The requester, not the bucket owner, pays request and data-transfer costs. The requester must be an authenticated AWS identity (no anonymous access), which makes it suit sharing large datasets.
88
What other AWS service does S3 Event Notifications send events into?
Directly to SNS, SQS or Lambda, and to Amazon EventBridge, which adds JSON filtering on object metadata, multiple destinations and archive/replay.
89
What tools would you use to select specific S3 data?
S3 Select or Glacier Select: run a SQL expression server-side over a CSV, JSON or Parquet object so only the matching rows come back over the network.
90
S3 Batch Operations
Run one operation (copy, tag, change encryption, restore from Glacier, invoke a Lambda) across millions of objects; build the object list with S3 Inventory and filter it with Athena.
91
How many different S3 Encryption Types are there
Four are commonly listed: three server-side (SSE-S3, SSE-KMS, SSE-C) plus client-side encryption. DSSE-KMS (dual-layer) is a newer server-side variant.
92
S3 Encryption: SSE-S3
Server-side with AES-256 keys that S3 owns and manages; set with the header x-amz-server-side-encryption: AES256. The default for new objects.
93
S3 Encryption: SSE-KMS
Server-side with a KMS key (AWS managed aws/s3 or your own customer managed key). Gives you control over the key policy and a CloudTrail entry for every use, but reads need kms:Decrypt and count against KMS API quotas, which can throttle high-traffic buckets.
94
S3 Encryption: SSE-C
Server-side with a key you send in each request (HTTPS only). S3 uses it and discards it, so you must manage and store the key yourself.
95
Client-Side Encryption
You encrypt before upload and decrypt after download (e.g. with the S3 Encryption Client); keys never leave your control.
96
Encryption in Transit (SSL/TLS)
S3 endpoints offer HTTPS, but plain HTTP is also accepted unless you forbid it. Enforce encryption in flight with a bucket policy that denies requests where aws:SecureTransport is false. SSE-C requires HTTPS.
97
S3 CORS (Cross-Origin Resource Sharing)
Browser rule: a page loaded from origin A (scheme + host + port) may only use a resource fetched from origin B if B's response carries an Access-Control-Allow-Origin header naming A (or *). So when a site served from one bucket or CloudFront distribution loads fonts or API responses from another S3 bucket, that second bucket needs a CORS configuration allowing the first origin.
98
S3 MFA Delete
Require MFA to permanently delete an object version or to suspend versioning (versioning must be on). Only the bucket owner (root account) can enable it, via the CLI/API.
99
S3 Access Logs
For auditing: every request to a bucket is logged to a target bucket in the same region. Never log a bucket into itself, which creates an infinite loop of log writes.
100
S3 Pre-Signed URLs
A URL signed with the creator's credentials that grants anyone holding it temporary access to a single object (GET for download, PUT for upload). Expiry: 1 hour by default from the console, up to 7 days from the CLI/SDK. The bearer inherits the signer's permissions on that object, so sign with a least-privilege role.
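What makes a pre-signed URL "expire" and why it cannot be edited to point at another object is easier to see with the signature in front of you. The block below is an added example, not part of the flashcards: the Signature Version 4 query-string presign that the SDK's generate_presigned_url() performs, written with only the standard library so it runs offline, plus the check S3 performs on receipt (recompute the signature, then test the expiry window). The bucket, key and credentials are constructed placeholders (the access key is AWS's documentation example), not real ones.

```python
"""SigV4 presigned GET URL and the matching verification (added example).
Bucket, key and credentials are placeholders; nothing here contacts AWS."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
DEMO_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"            # AWS's documentation example key id
DEMO_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DEMO_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def later(moment, seconds):
    return moment + timedelta(seconds=seconds)


def _hmac(key, message):
    return hmac.new(key, message.encode(), hashlib.sha256).digest()


def _signing_key(secret, date, region):
    """Derive the per-day, per-region, per-service key; the secret itself is never sent."""
    key = _hmac(("AWS4" + secret).encode(), date)
    key = _hmac(key, region)
    key = _hmac(key, "s3")
    return _hmac(key, "aws4_request")


def _canonical_query(params):
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _signature(secret, host, path, params, date, region):
    """Host, path and every query parameter are covered by the signature,
    so changing the key, the expiry or the bucket invalidates the URL."""
    canonical_request = "\n".join(["GET", path, _canonical_query(params),
                                   f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    scope = f"{date}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, params["X-Amz-Date"], scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(_signing_key(secret, date, region), string_to_sign.encode(),
                    hashlib.sha256).hexdigest()


def presign_get(bucket, key, region, access_key, secret, expires_in, now):
    """Build a presigned GET URL valid for expires_in seconds from `now`."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + quote(key, safe="/-_.~")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{date}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    signature = _signature(secret, host, path, params, date, region)
    return f"https://{host}{path}?{_canonical_query(params)}&X-Amz-Signature={signature}"


def verify_presigned(url, secret, now):
    """What S3 does with the URL: recompute the signature with the secret that
    belongs to the access key named in the URL, compare in constant time,
    then check the expiry window. Returns 'OK' or the S3 error name."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    presented = params.pop("X-Amz-Signature", "")
    _, date, region, _, _ = params["X-Amz-Credential"].split("/")
    expected = _signature(secret, parts.netloc, parts.path, params, date, region)
    if not hmac.compare_digest(expected, presented):
        return "SignatureDoesNotMatch"
    signed_at = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if now > later(signed_at, int(params["X-Amz-Expires"])):
        return "AccessDenied: Request has expired"
    return "OK"


def demo_url():
    return presign_get("reports-bucket", "2024/report.pdf", "us-east-1",
                       DEMO_ACCESS_KEY, DEMO_SECRET, 3600, DEMO_NOW)
```

Two things to notice: the expiry is just a signed query parameter, so S3 enforces it by arithmetic on X-Amz-Date and X-Amz-Expires rather than by remembering the URL, and the URL carries the access key id, which is why a pre-signed URL created from a role whose session has already ended fails even before its X-Amz-Expires runs out.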
101
S3 Glacier Vault Lock
Attach a Vault Lock policy (e.g. deny all deletes) to a Glacier vault and lock it; once locked, the policy can never be changed or removed, not even by root. A sealed vault for WORM compliance.
102
What does WORM stand for?
Write Once Read Many: data can be written once and then neither modified nor deleted for its retention period.
103
S3 Object Lock
WORM for individual objects in a bucket (versioning required): each object version gets a retention period or a legal hold that blocks overwrite and delete.
104
S3 Security - Compliance Mode
Object Lock retention mode in which no one, not even the root user, can delete or overwrite the version or shorten its retention until the period ends.
105
S3 Security -Governance Mode
Object Lock retention mode in which most users cannot delete or overwrite the version, but principals granted s3:BypassGovernanceRetention (typically admins, and the root user, which holds every permission) can.
106
S3 Security - Legal Hold
Blocks deletion of an object version indefinitely, independent of any retention period; added or removed by anyone with s3:PutObjectLegalHold.
107
What is the only S3 object/bucket mode that does not require a retention period?
Legal Hold.
108
S3 Access Points
Named endpoints in front of a bucket, each with its own DNS name, IAM policy and optionally a VPC restriction. Like a wireless AP you connect through to reach the bucket. Give each team or application its own access point and scope permissions there instead of growing one huge bucket policy.
109
S3 + Lambda Use Case
S3 Object Lambda: an access point that runs a Lambda function on every GET, transforming the object before the caller receives it. Useful for redacting PII, converting formats or watermarking without keeping altered copies in the bucket.
110
AWS CloudFront
Content Delivery Network. Caches content at hundreds of edge locations worldwide to improve read performance; also provides DDoS protection via Shield and integrates with WAF. Origins: S3, ALB, EC2, or any HTTP server.
111
What does CloudFront do on edge locations to improve performance from S3 Buckets?
Caches objects at the edge location nearest the user (for the cache TTL), so repeat reads are served locally and the bucket receives fewer requests.
112
Cloudfront: OAC (Origin Access Control)
Origin Access Control: CloudFront signs its requests to S3 and the bucket policy allows only that distribution's service principal, so the bucket stays private and users can reach objects only through CloudFront. Replaces the older Origin Access Identity (OAI).
113
How does Cache Invalidations help keep the cache that CloudFront holds current?
An invalidation removes the named paths (e.g. /images/*) from every edge cache before their TTL expires, so the next request fetches a fresh copy from the origin. The first 1,000 paths per month are free; versioned file names avoid needing invalidations at all.
114
AWS Global Accelerator
Two static anycast IPs advertised from all edge locations. Users enter the AWS network at the nearest edge and traffic rides the AWS backbone to the nearest healthy endpoint (ALB, NLB, EC2, Elastic IP) in any region, with health checks and fast failover. No caching (unlike CloudFront), so it suits non-HTTP (TCP/UDP) traffic and applications that need fixed IPs.
115
AWS Snow Family
Physical devices for moving data into or out of AWS when the network is too slow, plus edge computing where connectivity is poor.
116
AWS Snowcone
Smallest and most portable, ruggedized: 8 TB HDD or 14 TB SSD, 2 vCPUs, 4 GB RAM. Can run DataSync and ship data back over the network or by returning the device.
117
AWS Snowball Edge
Larger, up to 80 TB per device in the Storage Optimized model; the Compute Optimized model adds vCPUs (optional GPU) and can run EC2 instances and Lambda at the edge.
118
AWS Snowmobile
A literal shipping container on a semi-truck: up to 100 PB per truck for exabyte-scale migrations.
119
What is Edge Computing?
Processing data where it is produced (ship, mine, factory) with limited or no connectivity, using Snowcone or Snowball Edge compute before shipping the results to AWS.
120
What tool do you need to utilize to connect to AWS Snow devices?
AWS OpsHub, a desktop application for managing Snow devices (unlocking, transferring files, launching instances).
121
Amazon FSx
Managed launch of third-party file systems: FSx for Windows File Server (SMB, Active Directory integration), FSx for Lustre (HPC, links to S3), FSx for NetApp ONTAP, FSx for OpenZFS.
122
What is a Scratch File System used for?
(FSx for Lustre) Temporary storage: data is not replicated or backed up and is lost if the file server fails. High burst throughput for short-term processing.
123
What is a Persistent File System used for?
(FSx for Lustre) Long-term storage with data replicated within the same AZ; failed files are replaced within minutes. For sensitive or long-running workloads.
124
True/False: Storage Gateways are used for fully cloud environments.
False. Storage Gateway bridges on-premises storage with AWS storage in hybrid environments: S3 File Gateway (NFS/SMB to S3), FSx File Gateway, Volume Gateway (iSCSI, cached or stored) and Tape Gateway (virtual tape library to S3/Glacier).
125
AWS Transfer Family
Managed SFTP, FTPS and FTP endpoints (FTP only from inside the VPC) that read and write directly to S3 or EFS, with users authenticated by Transfer Family itself, Active Directory or a custom identity provider.
126
DataSync
An agent on on-premises systems (or a service-to-service task) that copies data over NFS/SMB/HDFS to S3, EFS or FSx on a schedule (hourly, daily, weekly), preserving file permissions and metadata. It synchronizes in bulk, not continuously.
127
What is Decoupling Applications?
Putting a queue or topic between producers and consumers so each side can scale, fail and be deployed independently instead of calling each other directly (SQS, SNS, Kinesis, Amazon MQ).
128
What are the two parts of an SQS Queue?
Producer and consumer.
129
What does a producer do in an SQS Queue?
Sends messages into the queue (SendMessage); messages are retained 4 days by default, up to 14.
130
What does a consumer do in an SQS Queue?
Polls the queue (ReceiveMessage), processes each message, then deletes it (DeleteMessage). Consumers can run on EC2, Lambda or anywhere.
131
What is the Message Visibility Timeout in an SQS Queue?
After a consumer receives a message it is hidden from other consumers for the timeout (default 30 seconds, 0 seconds to 12 hours). If the consumer does not delete it within that window it becomes visible again and may be processed twice (at-least-once delivery). A consumer that needs more time calls ChangeMessageVisibility.
132
Long Polling
The consumer's ReceiveMessage call waits up to 20 seconds for messages to arrive instead of returning an empty response immediately. Fewer API calls, lower cost, lower latency. Set WaitTimeSeconds on the call or ReceiveMessageWaitTimeSeconds on the queue.
133
SQS FIFO Queue (First In, First Out)
Queue that preserves message order and gives exactly-once processing through deduplication IDs and message groups, at limited throughput (300 msg/s, 3,000 with batching). Name must end in .fifo.
134
SNS (Simple Notification Service)
Pub/sub: one publisher sends a message to a topic and every subscriber receives it (fan-out). Subscribers: SQS queues, Lambda, HTTP endpoints, email, SMS, Kinesis Data Firehose. Combine with SQS for durable fan-out.
135
Amazon Kinesis
Makes it easy to collect, process and analyze streaming data in real time.
136
Kinesis Data Streams
Real-time capture, processing and storage of data streams, split into shards that each provide 1 MB/s in and 2 MB/s out. Retention 1 to 365 days.
137
Each piece of data in a Kinesis Data Stream has what?
A partition key, hashed to choose the shard; records with the same key stay in order on the same shard, so use a high-cardinality key to avoid hot shards.
138
True/False: You have the ability to "replay" data in a Kinesis Data Stream
True. Data is retained (1 to 365 days) and consumers can re-read it from any sequence number.
139
True/False: You can't scale number of shards automatically in a Kinesis Data Stream.
False. On-demand mode scales shard capacity automatically; only provisioned mode requires you to choose and resize the shard count.
140
Kinesis Data Firehose
Fully managed, near real-time (buffered) delivery of streaming data into S3, Redshift, OpenSearch, Splunk or an HTTP endpoint, with optional Lambda transformation. Serverless, pay for data volume, no replay.
141
Kinesis Data Analytics
Real-time analytics on streams with SQL or Apache Flink (now named Amazon Managed Service for Apache Flink).
142
Kinesis Video Streams
Capture, process and store video streams.
143
Amazon MQ
Managed message broker for Apache ActiveMQ and RabbitMQ, supporting open protocols (AMQP, MQTT, STOMP, JMS) for migrating existing on-premises brokers. Runs on servers (Multi-AZ with failover), so it scales less than SQS/SNS.
144
Docker in AWS
Container platform that packages an application with its dependencies into an image that runs identically on any host; images live in a registry (Docker Hub, ECR). AWS runs containers with ECS, EKS and Fargate.
145
Amazon Elastic Container Service (ECS)
AWS's own container orchestrator. Task definitions describe containers; launch type EC2 (you manage the instances) or Fargate (serverless). Task roles give each container its own IAM permissions; integrates with ALB.
146
Amazon Elastic Kubernetes Service (EKS):
Amazon's managed Kubernetes control plane.
147
What is Kubernetes?
An open-source system for automated deployment, scaling and management of containerized applications.
148
AWS Fargate
Serverless compute for ECS and EKS: no EC2 instances to provision or patch, pay per vCPU and memory the task uses.
149
What AWS service can you use to go in conjunction with Fargate to be entirely serverless?
Amazon EFS, mounted into Fargate tasks for persistent shared storage (a task's own storage is ephemeral), giving a fully serverless compute plus storage stack.
150
Amazon ECR
Managed private (or public) Docker registry; access via IAM, images encrypted, built-in vulnerability scanning; backed by S3.
151
AWS App Runner
Fully managed service that builds and deploys a web app or API from source code or a container image, with automatic scaling, HTTPS, load balancing and VPC access; no infrastructure to configure.
152
AWS Lambda
Serverless compute: upload code as a function and AWS runs it on demand (event-driven), scaling automatically. Pay per request and per millisecond of execution; up to 15 minutes and 10 GB RAM per invocation. Functions assume an execution role for their permissions.
153
Lambda@Edge
Run code at CloudFront edge locations (Lambda@Edge, Node.js or Python) to customize requests and responses close to the user: header rewrites, authentication, A/B testing. CloudFront Functions are a lighter, sub-millisecond JavaScript alternative.
154
AWS DynamoDB
Fully managed serverless NoSQL key-value/document database; data replicated across three AZs, single-digit millisecond reads, 400 KB item limit. Scales to millions of requests per second.
155
What are the types of modes for DynamoDB?
Provisioned Mode and On-Demand Mode
156
DynamoDB Accelerator (DAX)
Fully managed, highly available in-memory cache for DynamoDB; microsecond read latency with no application changes beyond the client. Different from ElastiCache, which caches aggregated results.
157
DynamoDB Stream
Ordered stream of item-level changes (create, update, delete) in a table, retained 24 hours; typically triggers Lambda (react to changes, replicate, analytics).
158
DynamoDB Global Tables
Multi-region, active-active (multi-writer) replication for globally distributed apps; requires DynamoDB Streams on the table.
159
AWS API Gateway
Managed REST, HTTP and WebSocket API front door. Handles authentication (IAM, Cognito, Lambda authorizers), throttling, caching, API keys and usage plans, and integrates with Lambda (fully serverless, no infrastructure), HTTP backends or AWS services.
160
How many types of API Gateways are there?
3
161
What are the three types of API Gateways and describe them.
Edge-Optimized (default): requests routed through CloudFront edge locations for global clients; the API still lives in one region. Regional: no edge routing, for clients in the same region (pair with your own CloudFront if needed). Private: reachable only from your VPC through an interface VPC endpoint plus a resource policy.
162
AWS Step Functions
Serverless state machines (JSON Amazon States Language) that orchestrate Lambda functions and other services (ECS, SQS, DynamoDB, SNS, etc.) with sequencing, parallel branches, retries, error handling and human approval steps, shown as a visual workflow.
163
Databases: DocumentDB
MongoDB-compatible managed document database (AWS's Aurora-style equivalent for MongoDB).
164
Databases: Neptune
Fully managed graph database
165
Databases: Keyspaces
Fully managed Apache-Cassandra compatible database service
166
Databases: QLDB
Immutable, cryptographically verifiable ledger database: every change is appended to a journal and nothing can be removed or modified. Centrally owned (no decentralization, unlike Managed Blockchain). Financial transactions are the classic use case.
167
Databases: TimeStream
Managed time-series database (data indexed by time) for IoT and operational metrics, with built-in time-series functions.
168
AWS Athena
Amazon Athena: serverless SQL queries directly over data in S3, billed per TB scanned; store data as compressed columnar Parquet and partition it to cut cost.
169
AWS Redshift
Amazon Redshift: PostgreSQL-based columnar data warehouse for OLAP (analytics, not transactions). Massively parallel, scales to petabytes. It has no conventional indexes; performance comes from sort keys, distribution keys and compression.
170
AWS OpenSearch
Amazon OpenSearch Service: full-text search over any field, including partial matches; typically paired with a database (e.g. a search index for DynamoDB items) and used for log analytics with dashboards.
171
AWS EMR
Amazon EMR: managed Hadoop/Spark/HBase/Presto clusters for big-data processing, with auto scaling and Spot integration.
172
AWS QuickSight
Amazon QuickSight: serverless, machine-learning-powered business intelligence service for interactive dashboards; connects to RDS, Aurora, Athena, Redshift, S3 and more.
173
AWS Glue
ETL (extract, transform, load) service used to prepare and transform data for analytics.
174
AWS Lake Formation
Fully managed service that sets up data lakes in days.
175
Data Lake
Central place to have all your data for analytics purposes. Stored in Amazon S3.
176
Access Control Column-Level Security
Lake Formation fine-grained access control: column-, row- and cell-level permissions set once centrally and enforced in every consuming service (Athena, Redshift Spectrum, EMR), e.g. an analyst sees only the columns granted to them.
177
MSK (Managed Streaming for Kafka)
Fully managed Apache Kafka on AWS, the alternative to Kinesis for teams already on Kafka. Provisioned clusters or MSK Serverless; producers and consumers use standard Kafka clients.
178
AWS ML: Amazon Lex + Connect
Lex builds chatbots (speech recognition and natural-language understanding); Connect is a virtual cloud call center that can use Lex bots to handle calls.
179
AWS ML: Amazon Comprehend
Natural Language Processing (NLP): sentiment ("feelings" of the customer), key phrases, entities and language detection from unstructured text.
180
AWS ML: Amazon Comprehend Medical
Will take unstructured healthcare notes and structure them.
181
AWS ML: Amazon SageMaker
Fully managed service for developers to build, train and deploy their own ML models.
182
AWS ML: Amazon Kendra
Intelligent document search: natural-language questions answered with extracts from indexed documents (PDFs, HTML, Word, etc.).
183
AWS ML: Amazon Textract
Extracts text, handwriting, forms and tables from scanned documents and images (invoices, IDs, medical forms).
184
AWS CloudWatch Metrics
Metrics for every AWS service (and custom metrics via PutMetricData), grouped by namespace and dimensions and shown on dashboards. EC2 default metrics arrive every 5 minutes; detailed monitoring every 1 minute.
185
AWS CloudWatch Logs
Central log storage in log groups and streams. Managed services (Lambda, ECS, API Gateway) send logs once they have the right permissions; EC2 needs the CloudWatch agent installed and an instance role. Set a retention policy; subscriptions can forward logs to Kinesis, Lambda or OpenSearch.
186
AWS Cloudwatch Alarms
An alarm watches one metric (or metric math expression) and changes state (OK, ALARM, INSUFFICIENT_DATA), e.g. CPU over 70% for 5 minutes. Actions: SNS notification, Auto Scaling, or stop/terminate/recover the EC2 instance.
187
Composite Alarms
Combine several alarms with AND/OR logic and fire only when the expression is true, e.g. all three metrics breached. Reduces alarm noise.
188
AWS Cloudwatch Container Insights
collect, aggregate, and summarize metrics and logs from containers.
189
AWS Cloudwatch Lambda Insights
collect, aggregate, and summarize metrics and logs from AWS Lambda.
190
AWS Cloudwatch Contributor Insights
Find the "Top-N" contributors in log data (e.g. the EC2 instance or IP with the most network usage, or the heaviest URLs) to isolate bad hosts or identify heavy users.
191
AWS CloudWatch Application Insights
Automatic dashboard to troubleshoot your application and related AWS services.
192
AWS EventBridge
Serverless event bus that receives events from AWS services, SaaS partners and your own apps, matches them against rules and routes them to targets. Example: a rule on CloudTrail's root-user ConsoleLogin event publishes to an SNS topic that emails you. Also fires scheduled (cron) events.
193
AWS CloudTrail
Records API calls in the account (console, CLI, SDK, service-to-service): who, when, from where, what. Management events are on by default; data events (S3 object operations, Lambda invocations) are opt-in. Deliver to S3 and/or CloudWatch Logs; an organization trail covers all accounts; enable log file validation so tampering is detectable.
194
AWS CloudTrail Insights:
Detects unusual write API activity (bursts of resource provisioning, IAM actions, rate-limit hits) by learning the account's normal pattern; insights appear in the console, S3 and EventBridge.
195
AWS CloudTrail Events Retention
Event history keeps 90 days. For longer retention, create a trail that delivers logs to S3 (with lifecycle rules), then query them with Athena.
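The EventBridge, CloudTrail and CloudTrail Insights cards describe detections that are simple to state but easy to get subtly wrong (a ConsoleLogin record that failed is not a login; MFAUsed is in additionalEventData, not userIdentity). The block below is an added example, not part of the flashcards: detection logic run over a constructed CloudTrail log file (same shape as a real delivery, one JSON object with a "Records" list; the account ID, ARNs and IPs are placeholders). matches_pattern() implements the subset of EventBridge pattern matching these rules need (literal values in lists, nested objects), and ROOT_CONSOLE_LOGIN_PATTERN is the rule you would attach to the bus for the root-login alert.

```python
"""CloudTrail detections and an EventBridge-style pattern matcher (added example).
SAMPLE_LOG is constructed; the detail-type strings are the ones CloudTrail
events carry on the default event bus."""
import json

SAMPLE_LOG = json.dumps({"Records": [
    {"eventID": "e1", "eventTime": "2024-01-01T08:00:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "203.0.113.5",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e2", "eventTime": "2024-01-01T08:05:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.20",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "e3", "eventTime": "2024-01-01T08:07:00Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.21",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "e4", "eventTime": "2024-01-01T09:00:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
     "sourceIPAddress": "198.51.100.21",
     "requestParameters": {"name": "org-trail"}},
    {"eventID": "e5", "eventTime": "2024-01-01T09:10:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.20"},
]})

# Calls that disable or blind the audit trail (defense evasion).
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# EventBridge rule pattern for "the root user signed in to the console".
ROOT_CONSOLE_LOGIN_PATTERN = {
    "detail-type": ["AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}


def to_eventbridge_event(record):
    """Wrap a raw CloudTrail record the way EventBridge delivers it."""
    signin = record.get("eventSource") == "signin.amazonaws.com"
    return {"detail-type": "AWS Console Sign In via CloudTrail" if signin
            else "AWS API Call via CloudTrail",
            "source": "aws." + record.get("eventSource", "").split(".")[0],
            "detail": record}


def matches_pattern(event, pattern):
    """EventBridge semantics (subset): every pattern key must exist in the
    event; a list means 'any of these values'; a dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def findings_for(record):
    """Return the finding names triggered by one CloudTrail record."""
    findings = []
    if matches_pattern(to_eventbridge_event(record), ROOT_CONSOLE_LOGIN_PATTERN):
        findings.append("root_console_login")
    if (record.get("eventName") == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        findings.append("console_login_without_mfa")
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in TRAIL_TAMPERING):
        findings.append("cloudtrail_tampering")
    return findings


def scan(log_text):
    """Scan one CloudTrail log file; returns (eventID, finding) pairs in order."""
    records = json.loads(log_text)["Records"]
    return [(rec["eventID"], f) for rec in records for f in findings_for(rec)]
```

The StopLogging finding is the one to wire to an automated response (re-enable the trail, page the on-call): an attacker who can stop the trail can hide everything that follows, and CloudTrail's own log file validation only tells you after the fact that files are missing.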
196
AWS Config
Continuously records resource configuration and evaluates it against managed or custom rules (e.g. "no security group may allow 0.0.0.0/0 on port 22"). It is detective, not preventive. Pair non-compliant findings with auto-remediation (SSM Automation documents) and alerting through EventBridge/SNS. Per-region, with aggregators for a multi-account view.
197
AWS KMS (Key Management Service)
Creates and controls encryption keys; integrated with most AWS services (EBS, S3, RDS, SSM, etc.) and fully audited in CloudTrail. Key material never leaves KMS unencrypted; for data over 4 KB use envelope encryption (GenerateDataKey) and encrypt locally with the data key. The key policy, not IAM alone, decides who may use a key.
198
KMS Symmetric Key Types
One AES-256 key for both encrypt and decrypt. The key can never be downloaded; you call the KMS API to use it. This is what all AWS service integrations use.
199
KMS Asymmetric Key Types
RSA or ECC key pair: the public key (downloadable) encrypts or verifies, the private key (never leaves KMS) decrypts or signs. For encryption by parties outside AWS or for digital signatures.
200
CMK
Customer Master Key, the old name for a KMS key. Types: AWS owned (invisible to you), AWS managed (aws/<service>, free), customer managed ($1/month; you control policy, rotation and deletion) and custom key store (CloudHSM-backed).
201
Multi-Region Keys
A primary key and replica keys in other regions with the same key ID and key material, so ciphertext encrypted in one region decrypts in another without a cross-region call. Each replica is managed independently; it is not a global key. Used for DynamoDB Global Tables client-side encryption and Aurora Global Database.
202
SSM Parameter Store
Hierarchical key-value store for configuration and secrets (e.g. /my-app/prod/db-url) with versioning and IAM access control; the variables scripts need no longer sit in plaintext files. Plain String/StringList parameters are not encrypted; use the SecureString type to encrypt with KMS. Standard tier is free (4 KB values); no built-in rotation. Think of it as a lightweight HashiCorp Vault.
203
AWS Secrets Manager
Purpose-built secrets store: every secret encrypted with KMS, automatic rotation every N days via a Lambda function (built-in rotation for RDS, Redshift, DocumentDB), cross-account access, $0.40 per secret per month. Integrated with many services (RDS Proxy, ECS, Lambda).
204
Multi-Region Secrets
A primary secret replicated to other regions as read replicas (same name, value kept in sync); a replica can be promoted to standalone. For multi-region apps and disaster recovery.
205
AWS Certificates Manager (ACM)
AWS Certificate Manager: provision, manage and deploy public (free) and private TLS certificates with automatic renewal. Attaches to ALB, NLB, CloudFront and API Gateway; public certificates cannot be exported for direct use on EC2.
206
Web Application Firewall (WAF)
Layer 7 protection against web exploits (SQL injection, XSS, bad bots, geo blocking, rate limiting via rate-based rules) using Web ACLs. Deploys on Application Load Balancer, API Gateway, CloudFront, AppSync and Cognito; not on NLB (Layer 4) or directly on EC2.
207
AWS Shield
Shield Standard, free and on by default, protects every AWS customer against common Layer 3/4 DDoS attacks (SYN/UDP floods, reflection attacks).
208
What service should you purchase if you need advanced DDoS protection?
AWS Shield Advanced ($3,000/month per organization): protection against larger and more sophisticated attacks on EC2, ELB, CloudFront, Global Accelerator and Route 53, 24x7 access to the DDoS Response Team, and cost protection against usage spikes caused by DDoS.
209
AWS Firewall Manager
Centrally manage security rules across all accounts of an AWS Organization: WAF Web ACLs, Shield Advanced, security groups, Network Firewall and Route 53 Resolver DNS Firewall policies. Rules apply automatically to new matching resources.
210
AWS GuardDuty
Intelligent threat detection for the account: analyzes CloudTrail events, VPC Flow Logs, DNS logs and optional sources (EKS audit logs, S3 data events, RDS login activity) with ML and threat intelligence to find compromised credentials, crypto-mining, unusual API calls. Findings go to EventBridge for automated response.
211
AWS Inspector
Automated vulnerability management: scans EC2 instances (via the SSM agent) for CVEs and network reachability, container images in ECR, and Lambda functions. Findings, with risk scores, go to Security Hub and EventBridge.
212
AWS Macie
Fully managed data security and privacy service that uses ML and pattern matching to discover and alert on sensitive data (PII, credentials, financial data) stored in S3; findings go to EventBridge.
213
What is a VPC?
Virtual Private Cloud: a logically isolated virtual network in one region that spans all of its AZs. You choose the CIDR, subnets, route tables and gateways. Default limit 5 per region.
214
CIDR
Classless Inter-Domain Routing notation (e.g. 10.0.0.0/16) used to size VPCs and subnets. A VPC CIDR is between /16 and /28 and should come from the private RFC 1918 ranges; subnets carve it further, and AWS reserves 5 addresses in each (the first four and the last).
215
Internet Gateway
Horizontally scaled, redundant, highly available VPC component that lets resources with public IPs talk to the internet. One per VPC; a subnet is "public" only when its route table sends 0.0.0.0/0 to the IGW.
216
Bastion Hosts
A hardened jump host in a public subnet used to SSH into instances in private subnets. Its security group allows port 22 only from your corporate IPs, and the private instances' security groups allow SSH only from the bastion's security group. Modern alternative: SSM Session Manager, which needs no open inbound port at all.
217
NAT (Network Address Translation) Instances
An EC2 instance in a public subnet that performs NAT so private-subnet instances can reach the internet (updates, APIs) without being reachable from it. You must disable source/destination checks, give it an Elastic IP and route the private subnet's 0.0.0.0/0 to it; you also own its availability, patching and bandwidth. Outdated, deprecated in favour of NAT Gateway.
218
NAT Gateway
AWS-managed NAT: 5 Gbps scaling to 100 Gbps, no patching, no security group. It lives in one AZ and is resilient only within that AZ; for high availability deploy one per AZ with per-AZ route tables. Needs an IGW and cannot be used by instances in its own subnet.
219
NACL
Network ACL: operates at the subnet level and is stateless, so return traffic must be allowed explicitly. Numbered inbound and outbound rules (allow or deny) are evaluated lowest number first, first match wins, implicit deny at the end. The default NACL allows everything; a new custom one denies everything.
220
Ephemeral Ports
The source port a client picks from a high, short-lived range for each outbound connection (Linux 32768-60999, Windows 49152-65535; NAT Gateway uses 1024-65535). Because NACLs are stateless, the subnet's outbound NACL must allow this whole range for replies to reach clients, and the inbound NACL must allow it for replies coming back to your own instances.
221
Security Group
Operates at the instance (ENI) level; allow-only inbound and outbound rules that are stateful: a reply to permitted traffic is always let through, whatever the rules say. All rules are evaluated together.
222
What is the main difference between Security Groups and a NACL?
Security groups are instance-level, stateful and allow-only; NACLs are subnet-level, stateless (reply traffic, including ephemeral ports, must be allowed explicitly), support deny rules and are evaluated in number order. Use NACLs to block specific IPs at the subnet edge, security groups for everything else.
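The NACL, ephemeral-port and security-group cards above are the ones candidates most often get wrong, because "stateless" only bites on the reply packet. The block below is an added example, not part of the flashcards: a simulator that pushes one HTTPS request from an internet client and the instance's reply through a stateless NACL (numbered rules, first match wins, implicit deny) and a stateful security group (allow rules only; replies to tracked connections pass). Addresses, ports and rule sets are constructed for the demo.

```python
"""NACL vs security group simulator (added example). Rule sets, addresses
and ports are constructed; the evaluation semantics follow the cards."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int            # NACL evaluation order; unused for security groups
    protocol: str          # "tcp", "udp" or "all"
    cidr: str              # the remote side of the traffic
    port_from: int         # port range on the side the rule applies to
    port_to: int
    action: str = "allow"  # NACLs may also say "deny"; security groups never do


def _matches(rule, proto, remote_ip, port):
    return (rule.protocol in ("all", proto)
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= port <= rule.port_to)


def nacl_decision(rules, proto, remote_ip, port):
    """Stateless: lowest rule number first, first match wins, '*' deny at the end."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, remote_ip, port):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful: a packet is allowed if a rule matches it, or if it belongs
    to a connection that an earlier packet already got through."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._tracked = set()   # (proto, remote_ip, remote_port, local_port)

    def _decide(self, rules, proto, remote_ip, remote_port, local_port, rule_port):
        flow = (proto, remote_ip, remote_port, local_port)
        if flow in self._tracked:
            return "allow"
        if any(_matches(r, proto, remote_ip, rule_port) for r in rules):
            self._tracked.add(flow)
            return "allow"
        return "deny"

    def inbound_decision(self, proto, remote_ip, remote_port, local_port):
        # Inbound rules are written in terms of the local (destination) port.
        return self._decide(self.inbound, proto, remote_ip, remote_port, local_port, local_port)

    def outbound_decision(self, proto, remote_ip, remote_port, local_port):
        # Outbound rules are written in terms of the remote (destination) port.
        return self._decide(self.outbound, proto, remote_ip, remote_port, local_port, remote_port)


def simulate_https_request(nacl_in, nacl_out, sg, client_ip="203.0.113.10",
                           client_port=54321, server_port=443):
    """Client -> instance on 443, then the reply back to the client's ephemeral port."""
    return {
        "request_nacl": nacl_decision(nacl_in, "tcp", client_ip, server_port),
        "request_sg": sg.inbound_decision("tcp", client_ip, client_port, server_port),
        "reply_sg": sg.outbound_decision("tcp", client_ip, client_port, server_port),
        "reply_nacl": nacl_decision(nacl_out, "tcp", client_ip, client_port),
    }


# Constructed rule sets for a public web subnet.
NACL_IN = [Rule(100, "tcp", "0.0.0.0/0", 443, 443)]
NACL_OUT_BROKEN = [Rule(100, "tcp", "0.0.0.0/0", 443, 443)]      # forgot the replies
NACL_OUT_FIXED = [Rule(100, "tcp", "0.0.0.0/0", 1024, 65535)]     # ephemeral range for replies


def web_sg():
    # Inbound 443 from anywhere, and deliberately no outbound rule at all.
    return SecurityGroup(inbound=[Rule(0, "tcp", "0.0.0.0/0", 443, 443)], outbound=[])


def demo():
    bad_ip = "198.51.100.7"
    block = Rule(10, "all", bad_ip + "/32", 0, 65535, "deny")
    shadowed = Rule(200, "all", bad_ip + "/32", 0, 65535, "deny")
    return {
        "broken": simulate_https_request(NACL_IN, NACL_OUT_BROKEN, web_sg()),
        "fixed": simulate_https_request(NACL_IN, NACL_OUT_FIXED, web_sg()),
        # A NACL deny only works if its number is lower than the matching allow.
        "deny_first": nacl_decision([block] + NACL_IN, "tcp", bad_ip, 443),
        "deny_shadowed": nacl_decision([shadowed] + NACL_IN, "tcp", bad_ip, 443),
    }
```

In the "broken" case the request is accepted everywhere and the client simply never gets an answer: the security group, having no outbound rule at all, still lets the reply out because the connection is tracked, and it is the outbound NACL that silently drops it. The last two cases show the other classic NACL mistake: a deny rule numbered above the allow it is meant to override never fires.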
223
VPC Peering
Private connection between two VPCs over the AWS network (same or different account or region). CIDRs must not overlap, peering is not transitive (A-B plus B-C does not give A-C), and both sides' route tables need a route to the peer.
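The VPC, CIDR and VPC Peering cards each state a numeric rule (/16 to /28, five reserved addresses per subnet, no overlapping CIDRs, longest-prefix routing). The block below is an added example, not part of the flashcards, that checks those rules with the standard-library ipaddress module. The CIDRs and the route table are constructed, including the placeholder pcx-/igw- identifiers; the bounds and the reservation count are AWS's own.

```python
"""VPC address-planning checks (added example). CIDRs and route targets are
constructed placeholders; the AWS rules they check are the documented ones."""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5   # network, VPC router, DNS, future use, broadcast


def is_valid_vpc_cidr(cidr):
    """AWS accepts IPv4 VPC blocks between /16 and /28 (RFC 1918 recommended)."""
    net = ipaddress.ip_network(cidr)
    return net.version == 4 and 16 <= net.prefixlen <= 28


def usable_addresses(subnet_cidr):
    """Hosts you can actually place in a subnet after AWS's five reservations."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, new_prefix, count):
    """Carve the first `count` /new_prefix subnets out of the VPC block."""
    candidates = list(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix))
    if count > len(candidates):
        raise ValueError(f"{vpc_cidr} holds only {len(candidates)} /{new_prefix} subnets")
    return [str(s) for s in candidates[:count]]


def subnets_are_consistent(vpc_cidr, subnet_cidrs):
    """Every subnet must sit inside the VPC and none may overlap another."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(s) for s in subnet_cidrs]
    inside = all(n.subnet_of(vpc) for n in nets)
    disjoint = all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
    return inside and disjoint


def can_peer(vpc_a, vpc_b):
    """VPC peering (and Transit Gateway routing) needs non-overlapping CIDRs."""
    return not ipaddress.ip_network(vpc_a).overlaps(ipaddress.ip_network(vpc_b))


def route_lookup(route_table, destination_ip):
    """Longest-prefix match, as a VPC route table resolves a packet.
    route_table is a list of (cidr, target) pairs; the 'local' route AWS
    adds for the VPC's own CIDR therefore always wins inside the VPC."""
    ip = ipaddress.ip_address(destination_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


# Constructed public-subnet route table: VPC-local, a peering connection, default to the IGW.
PUBLIC_SUBNET_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("172.16.0.0/16", "pcx-0123456789abcdef0"),
    ("0.0.0.0/0", "igw-0123456789abcdef0"),
]
```

The route lookup is also the reason peering refuses overlapping CIDRs: if the peer's block overlapped the VPC's own, the local route would win on prefix length and the peer's addresses could never be reached.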
224
VPC Endpoints
Connect privately to supported AWS services without an internet gateway or NAT. Gateway endpoints (S3 and DynamoDB): a route-table entry, free. Interface endpoints (PrivateLink, most other services): an ENI with a private IP in your subnet, billed hourly. Endpoint policies restrict what can be reached, e.g. only your own buckets.
225
VPC Flow Logs
Capture metadata (source/destination IP, port, protocol, bytes, ACCEPT or REJECT) for IP traffic at the VPC, subnet or ENI level, delivered to S3, CloudWatch Logs or Kinesis Firehose. Used to troubleshoot security group and NACL issues and to feed GuardDuty and Athena analysis; packet payloads are not captured.
226
VPG (Virtual Private Gateway)
The VPN concentrator on the AWS side of a Site-to-Site VPN, attached to the VPC (IPsec tunnels over the public internet).
227
Customer Gateway
The customer's side of the Site-to-Site VPN: a physical device or software appliance in the on-premises network, represented in AWS by its public IP (or the IP of the NAT device in front of it).
228
Direct Connect (DX)
Dedicated private connection from an on-premises network to your VPC through a Direct Connect location: 1, 10 or 100 Gbps dedicated (or hosted fractions), consistent bandwidth and lower cost per GB than the internet. Takes a month or more to set up and is not encrypted by itself; run a VPN over it if you need encryption.
229
Direct Connect Gateway
Use one Direct Connect connection to reach multiple VPCs, in different regions but the same account, through virtual private gateways or a Transit Gateway.
230
Transit Gateway
Regional hub-and-spoke router that connects thousands of VPCs, VPN connections and Direct Connect to a single gateway with transitive routing (unlike peering). Route tables control which attachments can talk to which; supports ECMP to bundle VPN tunnels.
231
VPC Traffic Mirroring
Copy network traffic from a source ENI to a target ENI or Network Load Balancer fronting a fleet of security appliances (IDS, packet capture) for analysis, without touching the source instance. Filters select which traffic to mirror.
232
Egress Only Internet Gateway
The IPv6 counterpart of a NAT Gateway: lets IPv6 instances initiate outbound connections to the internet while blocking inbound connections from it (every IPv6 address in AWS is public, so there is no NAT).
233
AWS Local Zones
Extensions of a region into metropolitan areas that place compute, storage and database services close to end users for single-digit millisecond latency. Think VIDEO GAME SERVERS, real-time media, live streaming.
234
AWS CloudHSM
Cloud-based, single-tenant Hardware Security Module (FIPS 140-2 Level 3) in which you generate, store and use your own keys; AWS has no access to them. Supports symmetric and asymmetric keys and SSL/TLS offload, and can back KMS as a custom key store.
235
What should you think of when you see "message broker"?
Amazon MQ (managed ActiveMQ/RabbitMQ) when existing broker protocols must be kept; SQS/SNS when you are free to choose a cloud-native service.
236
Which support plan provides 7 core checks?
Basic and Developer (the seven core Trusted Advisor checks, mostly security and service limits); Business and Enterprise get the full set.
237
What support plan provides 24x7 support?
Business, Enterprise On-Ramp and Enterprise (24x7 phone, email and chat with cloud support engineers).
238
Which support plan requires only one primary contact?
Developer (business-hours email access, one primary contact, unlimited cases).
239
AWS Database Migration Service (DMS)
Migrates databases to AWS while the source stays online, homogeneous (Oracle to Oracle) or heterogeneous (Oracle to Aurora, using the Schema Conversion Tool), with optional continuous replication (CDC).
240
EC2 Instance Store
Block storage on disks physically attached to the host, giving the highest IOPS. It is ephemeral: data is lost on stop, hibernate, terminate or hardware failure. Use only for buffers, caches and scratch data, and back up elsewhere.
241
Framework: Operational Excellence
Run and monitor systems to deliver business value and keep improving processes: operations as code, small reversible changes, anticipate failure, learn from incidents.
242
Framework: Cost Optimization
Run systems at the lowest price point: right-size, use the best pricing model (Reserved, Savings Plans, Spot), measure spend, stop paying for idle resources.
243
Framework: Performance Efficiency
Use computing resources efficiently for the requirement and keep doing so as demand and technology change: choose the right resource types and sizes, prefer serverless and managed services, experiment.
244
AWS CodeDeploy
Automates code deployments to EC2 instances, on-premises servers, Lambda functions and ECS services, with in-place or blue/green strategies and automatic rollback on failure.
245
Cost Allocation Tag
a label that you or AWS assigns to an AWS resource. Each tag consists of a key and a value. For each resource, each tag key must be unique, and each tag key can have only one value.
246
True/False: AWS can generate cost allocation tags for you if you enable the feature.
True
247
True/False: You must activate both AWS generated tags and user-defined tags separately before they can appear in Cost Explorer or on a cost allocation report
True
248
What are the 5 things AWS Trusted Advisor advises you on?
Cost Optimization, Performance, Security, Fault Tolerance, Service Limits (a sixth category, Operational Excellence, was added later). The security checks flag open security groups, public S3 buckets and missing MFA on the root user.
249
What budget types can be created using AWS Budgets?
Four: Cost, Usage, Reservation (RI utilization and coverage) and Savings Plans (utilization and coverage). Alerts go to SNS or email when actual or forecasted spend crosses a threshold.
250
Databases: Which AWS service can be used for online analytical processing?
Amazon Redshift
251
Compared to the On-demand prices, what is the highest possible discount offered for reserved instances?
Up to 72% (Standard, 3-year, all upfront). Spot Instances can go further, up to 90%.
252
AWS Cost Explorer
an easy-to-use interface that lets you visualize, understand, and manage your AWS costs and usage over time
253
AWS Cost and Usage Reports
contains the most comprehensive set of cost and usage data available.
254
What is the primary benefit of read replicas?
Improves read scalability by offloading read traffic from the primary, which keeps handling writes. They do not provide failover; that is Multi-AZ.
255
True/False: Cloudwatch billing is stored in whatever region the resource is made in.
False. Billing metrics (EstimatedCharges) are published only in us-east-1 and cover the whole account, including global services.
256
True/False: EFS are able to be used by EC2 instances regardless of AZ, VPC, or region.
Partly. EFS is regional: instances in any AZ of that region mount it through per-AZ mount targets. Access from another VPC, account or region is possible, but only through VPC peering, Transit Gateway or a VPN/Direct Connect route to a mount target; it is not a global file system.
257
AWS VPN
Two managed VPN products: Site-to-Site VPN (IPsec tunnels between a customer gateway on-premises and a virtual private gateway or Transit Gateway; traffic crosses the public internet encrypted) and Client VPN (OpenVPN-based access for individual devices into the VPC).
258
What AWS service can be used for message brokering?
Amazon MQ
259
AWS Service Quotas
enables you to view and manage your quotas for AWS services from a central location.
260
Which AWS support plan provides access to a designated Technical Account Manager (TAM)?
Enterprise (Enterprise On-Ramp gets access to a pool of TAMs rather than a designated one).
261
What service would you use to set up consolidated billing?
AWS Organizations
262
What are the 6 Pillars of the AWS Well-Architected Framework?
operational excellence, security, reliability, performance efficiency, cost optimization and sustainability
263
What support class features a 1 hour response time?
Enterprise.
264
AWS Compute Optimizer gives advice on what 3 AWS services?
EC2, EBS volumes, and Lambda functions.
265
Pay by _____ for EC2 On-Demand instances.
Pay by second
266
What is an example of a PaaS (Platform as a service)?
Elastic Beanstalk
267
AWS Personal Health Dashboard
Shows, when AWS services go down, how this is affecting your specific services.
268
AWS Systems Manager
allows you to centralize operational data from multiple AWS services and automate tasks across your AWS resources
269
True/False: Route 53 can do health checks.
True
270
Where does a VPC span?
Across all AZs within ONE region.
271
IAM Access Advisor
Access advisor shows the service permissions granted to a user and when those services were last accessed.
272
AWS Quick Starts
Quick Starts are built by AWS solutions architects and partners to help you deploy popular technologies on AWS
273
Amazon CodeGuru
a developer tool that provides intelligent recommendations to improve code quality and identify an application’s most expensive lines of code.
274
AWS X-Ray
helps developers analyze and debug production code
275
AWS Cloud Development Kit (CDK)
AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define your cloud application resources using familiar programming languages. Infrastructure as code.
276
When integrating identity management with a service like AD, what do you need to configure on the backend of AWS for it to work with your users?
IAM Roles and IAM Policies. You do NOT need to create a user base if you are using a 3rd party identity provider.
277
True/False: To increase database performance, you should use partition keys with low cardinality, which have few distinct values for each item.
False: You should be using partition keys with high cardinality, which have a large number of distinct values for each item.
278
What metric is not built into CloudWatch?
Memory utilization
279
True/False: You can create custom metrics on CloudWatch.
True!
280
True/False: CloudWatch is enabled by default and free of charge.
False, you need to enable this paid service.
281
What tool can you enable to make Redis more secure? This would require users to enter a password before they are granted permission to execute Redis commands.
Redis AUTH.
282
What tool would you use to manage database credentials and access from IAM?
IAM DB Authentication
283
When restricting traffic to a single IP address, what should the CIDR end with?
/32
284
What service allows you to share resources between multiple AWS accounts?
AWS Resource Access Manager (RAM)
285
If an ASG is scaling down, which EC2 instance will get killed off first?
Whichever EC2 instance that uses the oldest launch configuration.
286
What service automates snapshots of EBS on a regular basis?
Amazon Data Lifecycle Manager
287
What service would you use to implement a 90-day backup retention policy for AWS Aurora?
AWS Backup
288
AWS Security Token Service (STS)
Provides short-lived access tokens that act as credentials to access AWS resources.
289
What database option has a flexible schema?
DynamoDB
290
What database option is globally available by default?
Amazon Aurora. It provides <1 second read replication for fast disaster mitigation.
291
True/False: ElastiCache requires the code of the application to change.
True. ElastiCache needs to be built natively into the code for it to be leveraged.
292
IAM Role
Acts as a "proxy" for permissions. IE - Role says you can access an S3 bucket. If a user assumes the IAM role, they assume all permissions associated with that role.
293
True/False: To trigger automation rules with EventBridge, you need an access policy to control the resource that actions are being taken on.
True
294
Amazon Pinpoint
Scalable inbound/outbound marketing communications service
295
SSM Session Manager
SSM agent installed on EC2 instances or on-prem instances. Works on all operating systems. Allows SSH access to these instances.
296
AWS AppFlow
Fully managed integration service that transfers data from third party apps into AWS. IE- Transfer data from Slack to an S3 bucket.
297
What service would you use to enable patching automation across multiple resources to ensure compliance?
AWS Systems Manager
298
What is a parameter store?
It LITERALLY stores a parameter in a script (think of PowerShell variables or parameters). This literally will store it for you and ensure it is encrypted.
299
IAM access advisor
Access advisor shows the service permissions granted to a user and when those services were last accessed.
300
If you are trying to separate costs for separate AWS accounts, what should you utilize to help you do it?
Create tags for each department's account.
301
Which decoupler sends and receives messages?
SQS
302
What tool would you utilize to see a "Cost Savings Plan" in AWS?
AWS Cost Explorer
303
What is the difference between AWS Pricing Calculator and AWS Cost Explorer?
AWS Pricing Calculator gives you forecasts of how much you can expect to spend once you are ALREADY using AWS Services. AWS Cost Explorer gives prospective buyers a ballpark figure of what they can expect to spend if they choose to go with AWS.
304
What AWS Service lets you connect IoT devices to the AWS cloud without the need to provision or manage servers?
AWS IoT Core
305
What AWS Service can make desktop applications available in browsers for users?
Amazon AppStream 2.0
306
AWS Outposts
a fully managed service that offers the same AWS infrastructure, AWS services, APIs, and tools to virtually any data center, co-location space, or on-premises facility for a truly consistent hybrid experience
307
Amazon WorkSpaces
a broad set of global cloud-based products including compute, storage, database, analytics, networking, machine learning and AI, etc.
308
CloudEndure Disaster Recovery
available from the AWS Marketplace, continuously replicates server-hosted applications and server-hosted databases from any source into AWS using replication of the underlying server. Can work with on-prem servers or anything.
309
Route Table
contains a set of rules, called routes, that are used to determine where network traffic from your VPC is directed
310
As part of a flexible pricing model, AWS offers two types of Savings Plans. What are the Savings Plans from AWS?
Compute Savings Plans, EC2 Instance Savings Plans
311
True/False: You can assign elastic IPs to ALBs.
False. You can only assign elastic IPs to NLBs. (Network Load Balancer).
312
Gateway Endpoint
a type of VPC endpoint that provides reliable connectivity to Amazon S3 and DynamoDB without requiring an internet gateway or a NAT device for your VPC.
313
Endpoint Policy
When you create a Gateway endpoint, you can attach an endpoint policy that controls access to the service to which you are connecting
314
How would you enable and use Remote Procedure Call (gRPC)?
Create an Application Load Balancer and select gRPC as the protocol version
315
To host a static website in Amazon S3 what do you need configured on the S3 bucket end and in Route 53?
The S3 bucket name must be the same as the domain name and you must have a domain name.
316
True/False: Once you configure an EBS storage volume, you cannot change the hardware configuration.
False. EBS volumes support live configuration changes while in production which means that you can modify the volume type, volume size, and IOPS capacity without service interruptions.
317
Which record types would you use to point to the DNS name of the Application Load Balancer?
"A" records and "AAAA" records
318
AWS Proton
allows you to deploy any serverless or container-based application with increased efficiency, consistency, and control.
319
Is Kubernetes open-source?
Yes
320
True/False: You can set a priority to individual items in the SQS queue.
False, you cannot set a priority to individual items in an SQS queue. If you need to set a priority to a certain type of request, you need to create multiple SQS queues.
321
AWS Data Pipeline
a web service that helps you reliably process and move data between different AWS compute and storage services, as well as on-premises data sources, at specified intervals
322
AWS AppSync
creates serverless GraphQL and Pub/Sub APIs that simplify application development through a single endpoint
323
AWS Wavelength
embeds AWS compute and storage services within 5G networks
324
AWS Device Farm
an application testing service that lets you improve the quality of your web and mobile apps by testing them across an extensive range of desktop browsers and real mobile devices
325
AWS Amplify
a complete solution that lets frontend web and mobile developers easily build, ship, and host full-stack applications on AWS. KEYWORD: Full-stack apps
326
Can CloudFront be used as a tool to mitigate DDoS attacks?
Yes, by distributing static and dynamic content and taking load off of the actual application itself.
327
In CloudFormation, what policy would you put in place that would "wait" until one service is configured before moving to the next?
CreationPolicy
328
Within NACLs, when using ordered rules, when does the rule testing stop?
Once a match is found. If a match is found on Rule #2, any rules after that do not go through the matching process.
329
Origin Shield in CloudFront is primarily used for what?
improving your origin’s load times through CloudFront
330
What is provisioned capacity for Expedited retrievals?
Ensures that your retrieval capacity for expedited retrievals is available when you need it. For example, you need 150 MB/s of provisioned capacity for expedited retrievals.
331
What are expedited retrievals for S3 Glacier?
allow you to quickly access your data when occasional urgent requests for a subset of archives are required
332
True/False: You can enable the hibernation option on an EC2 instance after it has been launched.
False, you must do it when you first create the EC2 instance.
333
Elastic Fabric Adapter
a network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications.
334
Each subnet maps to what?
One availability zone.
335
Amazon S3 server access logs
provide detailed records for the requests that are made to an S3 bucket.
336
NAT Gateways belong in public or private subnets?
Public subnets, as they allow instances in the private subnets to connect out without exposing them to the internet.
337
What are the enhanced monitoring metrics that Amazon CloudWatch gathers from Amazon RDS DB instances?
RDS Child Policies & OS Processes
338
What kind of queue does not allow for duplicate messages?
FIFO Queue
339
What volume type is the cheapest for EBS storage volumes?
Magnetic Volume Type
340
What part of a Direct Connect connection is on the on-prem side?
A service endpoint
341
Standby Replica
A standby replica is a replica of the primary database that can AUTOMATICALLY become the primary one if the main one goes down.
342
RAID1 is for what?
Data mirroring
343
What prevents a Lambda function from getting "stuck"?
Maximum execution time, it is like a time limit for how long the function should take to run. This ensures it does not get stuck.
344
Which database option handles highly transactional workloads (OLTP)?
Amazon Aurora
345
What kind of health checks can each load balancer perform?
ALB: HTTP, HTTPS health checks (Layer 7). NLB: UDP/TCP health checks (Layer 4).
346
What are the target types for Application Load Balancers?
IP, Instances, Lambda, ECS
347
What are the target types for Network Load Balancers?
IP, instances