AWS Solutions Architect Flashcards

Question

What are IAM groups?

Answer 1

An IAM group is a collection of users. All users in the group inherit the permissions assigned to the group. This makes it possible to give permissions to multiple users at once. It’s a more convenient and scalable way of managing permissions for users in your AWS account. This is why using IAM groups is a best practice.

Answer 2

IAM policies To manage access and provide permissions to AWS services and resources, you create IAM policies and attach them to an IAM identity. Whenever an IAM identity makes a request, AWS evaluates the policies associated with them. For example, if you have a developer inside the developers group who makes a request to an AWS service, AWS evaluates any policies attached to the developers group and any policies attached to the developer user to determine if the request should be allowed or denied. Example: "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "*", "Resource": "*" }] }

Answer 3

This policy has four major JSON elements: Version, Effect, Action, and Resource. The Version element defines the version of the policy language. It specifies the language syntax rules that are needed by AWS to process a policy. To use all the available policy features, include "Version": "2012-10-17" before the "Statement" element in your policies. The Effect element specifies whether the policy will allow or deny access. In this policy, the Effect is "Allow", which means you’re providing access to a particular resource. The Action element describes the type of action that should be allowed or denied. In the example policy, the action is "*". This is called a wildcard, and it is used to symbolize every action inside your AWS account. The Resource element specifies the object or objects that the policy statement covers. In the policy example, the resource is the wildcard "*". This represents all resources inside your AWS console.

Answer 4

B) Latency, price, service availability, and compliance

Answer 5

C) Regions are a grouping of Availability Zones. Availability Zones are one or more discrete

Answer 6

D) Pay as you go.

Answer 7

A client is a person or computer that sends a request.

Answer 8

1) Virtual machines (instances) 2) Containers 3) Serverless

Answer 9

Is a web service that provides secure and resizable compute capacity in the cloud

Answer 10

1) Provision and launch one or more EC2 instances in minutes. 2) Stop or shut down EC2 instances when you finish running a workload. 3) Pay by the hour or second for each instance type (minimum of 60 seconds).

Answer 11

through the: 1) AWS Management Console 2) AWS CLI 3) AWS SDKs 4) automation tools 5) and infrastructure orchestration services

Answer 12

Amazon Machine Image (AMI) In the AWS Cloud, the operating system installation is not your responsibility. Instead, it's built into the AMI that you choose. An AMI includes the operating system, storage mapping, architecture type, launch permissions, and any additional preinstalled software applications.

Answer 13

1) Quick Start AMIs Quick Start AMIs are commonly used AMIs created by AWS that you can select to get started quickly. 2) AWS Marketplace AMIs AWS Marketplace AMIs provide popular open-source and commercial software from third-party vendors. 3) My AMIs My AMIs are created from your EC2 instances. 4) Community AMIs Community AMIs are provided by the AWS user community. 5) Custom image Build your own custom image with EC2 Image Builder.

Answer 14

First position – The first position, c, indicates the instance family. This indicates that this instance belongs to the compute optimized family. Second position – The second position, 5, indicates the generation of the instance. This instance belongs to the fifth generation of instances. Remaining letters before the period – In this case, n indicates additional attributes, such as local NVMe storage. After the period – After the period, xlarge indicates the instance size. In this example, it's xlarge.

Answer 15

being able to scale in or out based on need

Answer 16

When you stop an instance, it enters the stopping state until it reaches the stopped state. AWS does not charge usage or data transfer fees for your instance after you stop it. But storage for any Amazon EBS volumes is still charged. While your instance is in the stopped state, you can modify some attributes, like the instance type. When you stop your instance, the data from the instance memory (RAM) is lost. When you stop-hibernate an instance, Amazon EC2 signals the operating system to perform hibernation (suspend-to-disk), which saves the contents from the instance memory (RAM) to the EBS root volume. You can hibernate an instance only if hibernation is turned on and the instance meets the hibernation prerequisites.

Answer 17

With On-Demand Instances, you pay for compute capacity per hour or per second, depending on which instances that you run. There are no long-term commitments or upfront payments required. Billing begins whenever the instance is running, and billing stops when the instance is in a stopped or terminated state. You can increase or decrease your compute capacity to meet the demands of your application and only pay the specified hourly rates for the instance that you use.

Answer 18

For applications that have flexible start and end times, Amazon EC2 offers the Spot Instances option. With Amazon EC2 Spot Instances, you can request spare Amazon EC2 computing capacity for up to 90 percent off the On-Demand price. Spot Instances are recommended for the following use cases: Applications that have flexible start and end times Applications that are only feasible at very low compute prices Users with fault-tolerant or stateless workloads With Spot Instances, you set a limit on how much you want to pay for the instance hour. This is compared against the current Spot price that AWS determines. Spot Instance prices adjust gradually based on long-term trends in supply and demand for Spot Instance capacity. If the amount that you pay is more than the current Spot price and there is capacity, you will receive an instance.

Answer 19

Savings Plans are a flexible pricing model that offers low usage prices for a 1-year or 3-year term commitment to a consistent amount of usage. Savings Plans apply to Amazon EC2, AWS Lambda, and AWS Fargate usage and provide up to 72 percent savings on AWS compute usage. For workloads that have predictable and consistent usage, Savings Plans can provide significant savings compared to On-Demand Instances.

Answer 20

For applications with steady state usage that might require reserved capacity, Amazon EC2 offers the Reserved Instances option. With this option, you save up to 72 percent compared to On-Demand Instance pricing. You can choose between three payment options: All Upfront, Partial Upfront, or No Upfront. You can select either a 1-year or 3-year term for each of these options. With Reserved Instances, you can choose the type that best fits your applications needs. Standard Reserved Instances: These provide the most significant discount (up to 72 percent off On-Demand pricing) and are best suited for steady-state usage. Convertible Reserved Instances: These provide a discount (up to 54 percent off On-Demand pricing) and the capability to change the attributes of the Reserved Instance if the exchange results in the creation of Reserved Instances of equal or greater value. Like Standard Reserved Instances, Convertible Reserved Instances are best suited for steady-state usage. Scheduled Reserved Instances: These are available to launch within the time windows that you reserve. With this option, you can match your capacity reservation to a predictable recurring schedule that only requires a fraction of a day, a week, or a month.

Answer 21

A Dedicated Host is a physical Amazon EC2 server that is dedicated for your use. Dedicated Hosts can help you reduce costs because you can use your existing server-bound software licenses, such as Windows Server, SQL Server, and Oracle licenses. And they can also help you meet compliance requirements. Amazon EC2 Dedicated Host is also integrated with AWS License Manager, a service that helps you manage your software licenses, including Microsoft Windows Server and Microsoft SQL Server licenses. Dedicated Hosts can be purchased on demand (hourly). Dedicated Hosts can be purchased as a Reservation for up to 70 percent off the On-Demand price.

Answer 22

Amazon Machine Image

Answer 23

A container is a standardized unit that packages your code and its dependencies. This package is designed to run reliably on any platform, because the container creates its own independent environment. With containers, workloads can be carried from one place to another, such as from development to production or from on-premises environments to the cloud.

Answer 24

Compared to virtual machines (VMs), containers share the same operating system and kernel as the host that they are deployed on. But virtual machines contain their own operating system. Each virtual machine must maintain a copy of an operating system, which results in a degree of wasted resources.

Answer 25

In AWS, containers can run on EC2 instances. For example, you might have a large instance and run a few containers on that instance. Although running one instance is uncomplicated to manage, it lacks high availability and scalability. Most companies and organizations run many containers on many EC2 instances across several Availability Zones. If you’re trying to manage your compute at a large scale, you should consider the following: * How to place your containers on your instances * What happens if your container fails * What happens if your instance fails * How to monitor deployments of your containers This coordination is handled by a container orchestration service. AWS offers two container orchestration services: Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS).

Answer 26

1) ECS 2) EKS

Answer 27

Amazon ECS is an end-to-end container orchestration service that helps you spin up new containers. With Amazon ECS, your containers are defined in a task definition that you use to run an individual task or a task within a service. You have the option to run your tasks and services on a serverless infrastructure that's managed by another AWS service called AWS Fargate. Alternatively, for more control over your infrastructure, you can run your tasks and services on a cluster of EC2 instances that you manage.

Answer 28

1) Launching and stopping containers 2) Getting cluster state 3) Scaling in and out 4) Scheduling the placement of containers across your cluster 5) Assigning permissions 6) Meeting availability requirements

Answer 29

Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services

Answer 30

Amazon EKS is a managed service that you can use to run Kubernetes on AWS without needing to install, operate, and maintain your own Kubernetes control plane or nodes. Amazon EKS is conceptually similar to Amazon ECS.

Answer 31

1) In Amazon ECS, the machine that runs the containers is an EC2 instance that has an ECS agent installed and configured to run and manage your containers. This instance is called a container instance. In Amazon EKS, the machine that runs the containers is called a worker node or Kubernetes node. 2) An ECS container is called a task. 3) An EKS container is called a pod. Amazon ECS runs on AWS native technology. Amazon EKS runs on Kubernetes.

Answer 32

By using serverless compute

Answer 33

With serverless compute, you can spend time on the things that differentiate your application, rather than spending time on ensuring availability, scaling, and managing servers. Every definition of serverless mentions the following four aspects: * There are no servers to provision or manage. * It scales with usage. * You never pay for idle resources. * Availability and fault tolerance are built in.

Answer 34

* AWS Fargate * AWS Lambda

Answer 35

Amazon Container Resources: Used to store ECS and EKS images for use. Like an image library.

Answer 36

Fargate abstracts the EC2 instance so that you’re not required to manage the underlying compute infrastructure. However, with Fargate, you can use all the same Amazon ECS concepts, APIs, and AWS integrations. It natively integrates with IAM and Amazon Virtual Private Cloud (Amazon VPC). With native integration with Amazon VPC, you can launch Fargate containers inside your network and control connectivity to your applications. AWS Fargate is a purpose-built serverless compute engine for containers. AWS Fargate scales and manages the infrastructure, so developers can work on what they do best, application development. It achieves this by allocating the right amount of compute. This eliminates the need to choose and manage EC2 instances, cluster capacity, and scaling. Fargate supports both Amazon ECS and Amazon EKS architecture and provides workload isolation and improved security by design.

Answer 37

Use Lambda With Lambda, you can run code without provisioning or managing servers. You can run code for virtually any type of application or backend service. This includes data processing, real-time stream processing, machine learning, WebSockets, IoT backends, mobile backends, and web applications like your employee directory application! Lambda runs your code on a high availability compute infrastructure and requires no administration from the user. You upload your source code in one of the languages that Lambda supports, and Lambda takes care of everything required to run and scale your code with high availability. There are no servers to manage. You get continuous scaling with subsecond metering and consistent performance.

Answer 38

You have the option of configuring your Lambda functions using the Lambda console, Lambda API, AWS CloudFormation, or AWS Serverless Application Model (AWS SAM). You can invoke your function directly by using the Lambda API, or you can configure an AWS service or resource to invoke your function in response to an event.

Answer 39

1) Function A function is a resource that you can invoke to run your code in Lambda. Lambda runs instances of your function to process events. When you create the Lambda function, it can be authored in several ways: * You can create the function from scratch. * You can use a blueprint that AWS provides. * You can select a container image to deploy for your function. * You can browse the AWS Serverless Application Repository. 2) Trigger Triggers describe when a Lambda function should run. A trigger integrates your Lambda function with other AWS services and event source mappings. So you can run your Lambda function in response to certain API calls or by reading items from a stream or queue. This increases your ability to respond to events in your console without having to perform manual actions. 3) Event An event is a JSON-formatted document that contains data for a Lambda function to process. The runtime converts the event to an object and passes it to your function code. When you invoke a function, you determine the structure and contents of the event. 4) Application Environment An application environment provides a secure and isolated runtime environment for your Lambda function. An application environment manages the processes and resources that are required to run the function. 5) Deployment package You deploy your Lambda function code using a deployment package. Lambda supports two types of deployment packages: * A .zip file archive – This contains your function code and its dependencies. Lambda provides the operating system and runtime for your function. * A container image – This is compatible with the Open Container Initiative (OCI) specification. You add your function code and dependencies to the image. You must also include the operating system and a Lambda runtime. 6) Runtime The runtime provides a language-specific environment that runs in an application environment. When you create your Lambda function, you specify the runtime that you want your code to run in. You can use built-in runtimes, such as Python, Node.js, Ruby, Go, Java, or .NET Core. Or you can implement your Lambda functions to run on a custom runtime. 7) Lamda function handler The AWS Lambda function handler is the method in your function code that processes events. When your function is invoked, Lambda runs the handler method. When the handler exits or returns a response, it becomes available to handle another event. You can use the following general syntax when creating a function handler in Python. def handler_name (event, context): ... return some_value

Answer 40

B) Instance family and instance size

Answer 41

D) You never pay for idle resources.

Answer 42

Virtual Private Cloud It is the Network

Answer 43

Networking is how you connect computers around the world and allow them to communicate with one another. In this course, you’ve already seen a few examples of networking. One is the AWS Global Infrastructure. AWS has built a network of resources using data centers, Availability Zones, and Regions.

Answer 44

To properly route your messages to a location, you need an address. Just like each home has a mailing address, each computer has an IP address. However, instead of using the combination of street, city, state, zip code, and country, the IP address uses a combination of bits, 0s and 1s.

Answer 45

IPv4 notation Typically, you don’t see an IP address in its binary format. Instead, it’s converted into decimal format and noted as an IPv4 address.

Answer 46

Classless Inter-Domain Routing CIDR notation 192.168.1.30 is a single IP address. If you want to express IP addresses between the range of 192.168.1.0 and 192.168.1.255, how can you do that? One way is to use CIDR notation. CIDR notation is a compressed way of representing a range of IP addresses. Specifying a range determines how many IP addresses are available to you. CIDR notation is shown here. The number after the forward slash "/" denotes how many bits in an IP address are fixed.

Answer 47

192.168.1.0 because the 24 specifies the first 24 bits where each number before the period is 8 bits; the other 8 are considered flexible. 32 total bits subtracted by 24 fixed bits leaves 8 flexible bits. Each of these flexible bits can be either 0 or 1, because they are binary. That means that you have two choices for each of the 8 bits, providing 256 IP addresses in that IP range. The higher the number after the /, the smaller the number of IP addresses in your network. For example, a range of 192.168.1.0/24 is smaller than 192.168.1.0/16.

Answer 48

A virtual private cloud (VPC) is an isolated network that you create in the AWS Cloud, similar to a traditional network in a data center. When you create an Amazon VPC, you must choose three main factors: * Name of the VPC * Region where the VPC will live – A VPC spans all the Availability Zones within the selected Region. * IP range for the VPC in CIDR notation – This determines the size of your network. Each VPC can have up to five CIDRs: one primary and four secondaries for IPv4. Each of these ranges can be between /28 (in CIDR notation) and /16 in size.

Answer 49

The subnet. After you create your VPC, you must create subnets inside the network. Think of subnets as smaller networks inside your base network, or virtual local area networks (VLANs) in a traditional, on-premises network. In an on-premises network, the typical use case for subnets is to isolate or optimize network traffic. In AWS, subnets are used to provide high availability and connectivity options for your resources. Use a public subnet for resources that must be connected to the internet and a private subnet for resources that won't be connected to the internet.

Answer 50

1) VPC that you want your subnet to live in—in this case: VPC (10.0.0.0/16) 2) Availability Zone that you want your subnet to live in—in this case: Availability Zone 1 3) IPv4 CIDR block for your subnet, which must be a subset of the VPC CIDR block—in this case: 10.0.0.0/24

Answer 51

High availability with a VPC When you create your subnets, keep high availability in mind. To maintain redundancy and fault tolerance, create at least two subnets configured in two Availability Zones. As you learned earlier, remember that “everything fails all of the time.” With the example network, if one of the Availability Zones fails, you will still have your resources available in another Availability Zone as backup.

Answer 52

AWS reserves five IP addresses in each subnet. These IP addresses are used for routing, Domain Name System (DNS), and network management.

Answer 53

Internet gateway To activate internet connectivity for your VPC, you must create an internet gateway. Think of the gateway as similar to a modem. Just as a modem connects your computer to the internet, the internet gateway connects your VPC to the internet. Unlike your modem at home, which sometimes goes down or offline, an internet gateway is highly available and scalable. After you create an internet gateway, you attach it to your VPC.

Answer 54

Virtual private gateway A virtual private gateway connects your VPC to another private network. When you create and attach a virtual private gateway to a VPC, the gateway acts as anchor on the AWS side of the connection. On the other side of the connection, you will need to connect a customer gateway to the other private network. A customer gateway device is a physical device or software application on your side of the connection. When you have both gateways, you can then establish an encrypted virtual private network (VPN) connection between the two sides.

Answer 55

AWS Direct Connect To establish a secure physical connection between your on-premises data center and your Amazon VPC, you can use AWS Direct Connect. With AWS Direct Connect, your internal network is linked to an AWS Direct Connect location over a standard Ethernet fiber-optic cable. This connection allows you to create virtual interfaces directly to public AWS services or to your VPC.

Answer 56

When you create a VPC, AWS creates a route table called the main route table. A route table contains a set of rules, called routes, that are used to determine where network traffic is directed. AWS assumes that when you create a new VPC with subnets, you want traffic to flow between them. Therefore, the default configuration of the main route table is to allow traffic between all subnets in the local network. The following rules apply to the main route table: * You cannot delete the main route table. * You cannot set a gateway route table as the main route table. * You can replace the main route table with a custom subnet route table. * You can add, remove, and modify routes in the main route table. * You can explicitly associate a subnet with the main route table, even if it's already implicitly associated.

Answer 57

Custom route tables The main route table is used implicitly by subnets that do not have an explicit route table association. However, you might want to provide different routes on a per-subnet basis for traffic to access resources outside of the VPC. For example, your application might consist of a frontend and a database. You can create separate subnets for the resources and provide different routes for each of them. If you associate a subnet with a custom route table, the subnet will use it instead of the main route table. Each custom route table that you create will have the local route already inside it, allowing communication to flow between all resources and subnets inside the VPC. You can protect your VPC by explicitly associating each new subnet with a custom route table and leaving the main route table in its original default state.

Answer 58

Firewalls at the subnet Level

Answer 59

Firewalls at the EC2 instance Level

Answer 60

True; you don't have to specify outbound traffic for Security Groups when configuring

Answer 61

True; you have to create Allow rules in order to accept traffic

Answer 62

C) Subnets

Answer 63

B) It blocks all inbound traffic and allows all outbound traffic.

Answer 64

1) Block 2) Object Block storage File storage treats files as a singular unit, but block storage splits files into fixed-size chunks of data called blocks that have their own addresses. Each block is an individual piece of data storage. Because each block is addressable, blocks can be retrieved efficiently. Think of block storage as a more direct route to access the data. When data is requested, the addresses are used by the storage system to organize the blocks in the correct order to form a complete file to present back to the requestor. Besides the address, no additional metadata is associated with each block. If you want to change one character in a file, you just change the block, or the piece of the file, that contains the character. This ease of access is why block storage solutions are fast and use less bandwidth. Object storage In object storage, files are stored as objects. Objects, much like files, are treated as a single, distinct unit of data when stored. However, unlike file storage, these objects are stored in a bucket using a flat structure, meaning there are no folders, directories, or complex hierarchies. Each object contains a unique identifier. This identifier, along with any additional metadata, is bundled with the data and stored. Changing just one character in an object is more difficult than with block storage. When you want to change one character in an object, the entire object must be updated.

Answer 65

1) file storage 2) block storage, 3) and object

Answer 66

File storage You might be familiar with file storage if you have interacted with file storage systems like Windows File Explorer or Finder on macOS. Files are organized in a tree-like hierarchy that consist of folders and subfolders. For example, if you have hundreds of cat photos on your laptop, you might want to create a folder called Cat photos, and place the images inside that folder to organize them. Because you know that these images will be used in an application, you might want to place the Cat photos folder inside another folder called Application files.

Answer 67

Block storage File storage treats files as a singular unit, but block storage splits files into fixed-size chunks of data called blocks that have their own addresses. Each block is an individual piece of data storage. Because each block is addressable, blocks can be retrieved efficiently. Think of block storage as a more direct route to access the data. When data is requested, the addresses are used by the storage system to organize the blocks in the correct order to form a complete file to present back to the requestor. Besides the address, no additional metadata is associated with each block. If you want to change one character in a file, you just change the block, or the piece of the file, that contains the character. This ease of access is why block storage solutions are fast and use less bandwidth.

Answer 68

Use cases for block storage Because block storage is optimized for low-latency operations, it is a preferred storage choice for high-performance enterprise workloads and transactional, mission-critical, and I/O-intensive applications. Transactional workloads Organizations that process time-sensitive and mission-critical transactions store such workloads into a low-latency, high-capacity, and fault-tolerant database. Block storage allows developers to set up a robust, scalable, and highly efficient transactional database. Because each block is a self-contained unit, the database performs optimally, even when the stored data grows. Containers Developers use block storage to store containerized applications on the cloud. Containers are software packages that contain the application and its resource files for deployment in any computing environment. Like containers, block storage is equally flexible, scalable, and efficient. With block storage, developers can migrate the containers seamlessly between servers, locations, and operating environments. Virtual machines Block storage supports popular virtual machine (VM) hypervisors. Users can install the operating system, file system, and other computing resources on a block storage volume. They do so by formatting the block storage volume and turning it into a VM file system. So they can readily increase or decrease the virtual drive size and transfer the virtualized storage from one host to another.

Answer 69

File storage is ideal when you require centralized access to files that must be easily shared and managed by multiple host computers. Typically, this storage is mounted onto multiple hosts, and requires file locking and integration with existing file system communication protocols. Web serving Cloud file storage solutions follow common file-level protocols, file naming conventions, and permissions that developers are familiar with. Therefore, file storage can be integrated into web applications. Analytics Many analytics workloads interact with data through a file interface and rely on features such as file lock or writing to portions of a file. Cloud-based file storage supports common file-level protocols and has the ability to scale capacity and performance. Therefore, file storage can be conveniently integrated into analytics workflows. Media and entertainment Many businesses use a hybrid cloud deployment and need standardized access using file system protocols (NFS or SMB) or concurrent protocol access. Cloud file storage follows existing file system semantics. Therefore, storage of rich media content for processing and collaboration can be integrated for content production, digital supply chains, media streaming, broadcast playout, analytics, and archive. Home directories Businesses wanting to take advantage of the scalability and cost benefits of the cloud are extending access to home directories for many of their users. Cloud file storage systems adhere to common file-level protocols and standard permissions models. Therefore, customers can lift and shift applications that need this capability to the cloud.

Answer 70

Object storage In object storage, files are stored as objects. Objects, much like files, are treated as a single, distinct unit of data when stored. However, unlike file storage, these objects are stored in a bucket using a flat structure, meaning there are no folders, directories, or complex hierarchies. Each object contains a unique identifier. This identifier, along with any additional metadata, is bundled with the data and stored. Changing just one character in an object is more difficult than with block storage. When you want to change one character in an object, the entire object must be updated.

Answer 71

With object storage, you can store almost any type of data, and there is no limit to the number of objects stored, which makes it readily scalable. Object storage is generally useful when storing large or unstructured data sets. Data archiving Cloud object storage is excellent for long-term data retention. You can cost-effectively archive large amounts of rich media content and retain mandated regulatory data for extended periods of time. You can also use cloud object storage to replace on-premises tape and disk archive infrastructure. This storage solution provides enhanced data durability, immediate retrieval times, better security and compliance, and greater data accessibility. Backup and recovery You can configure object storage systems to replicate content so that if a physical device fails, duplicate object storage devices become available. This ensures that your systems and applications continue to run without interruption. You can also replicate data across multiple data centers and geographical regions. Rich media With object storage, you can accelerate applications and reduce the cost of storing rich media files such as videos, digital images, and music. By using storage classes and replication features, you can create cost-effective, globally replicated architecture to deliver media to distributed users.

Answer 72

* Block storage in the cloud is analogous to direct-attached storage (DAS) or a storage area network (SAN). * File storage systems are often supported with a network-attached storage (NAS) server.

Answer 73

Amazon Elastic File System (Amazon EFS) is a set-and-forget file system that automatically grows and shrinks as you add and remove files. There is no need for provisioning or managing storage capacity and performance. Amazon EFS can be used with AWS compute services and on-premises resources. You can connect tens, hundreds, and even thousands of compute instances to an Amazon EFS file system at the same time, and Amazon EFS can provide consistent performance to each compute instance. With the Amazon EFS simple web interface, you can create and configure file systems quickly without any minimum fee or setup cost. You pay only for the storage used and you can choose from a range of storage classes designed to fit your use case.

Answer 74

Standard storage classes EFS Standard and EFS Standard-Infrequent Access (Standard-IA) offer Multi-AZ resilience and the highest levels of durability and availability. One zone classes EFS One Zone and EFS One Zone-Infrequent Access (EFS One Zone-IA) provide additional savings by saving your data in a single availability zone.

Answer 75

Amazon FSx is a fully managed service that offers reliability, security, scalability, and a broad set of capabilities that make it convenient and cost effective to launch, run, and scale high-performance file systems in the cloud. With Amazon FSx, you can choose between four widely used file systems: Lustre, NetApp ONTAP, OpenZFS, and Windows File Server. You can choose based on your familiarity with a file system or based on your workload requirements for feature sets, performance profiles, and data management capabilities.

Answer 76

Internal: EC2 Instance Store External: Amazon (Elastic Block Store)

Answer 77

Since it is tied to the instnace it is immediately deleted.

Answer 78

True, the EBS volume is separate. If the EC2 volume is turned off, the data is still retained on the EBS volume for access.

Answer 79

True, you are not able to directly access the EBS volume. You will need to attach it to an EC2 instance in order to access the data.

Answer 80

Because if the EC2 goes down, you can still access your data once you connect another EC2 instance.

Answer 81

SSD and HDD volume types EBS volume types EBS volumes are organized into two main categories: solid-state drives (SSDs) and hard-disk drives (HDDs). SSDs are used for transactional workloads with frequent read/write operations with small I/O size. HDDs are used for large streaming workloads that need high throughput performance. AWS offers two types of each.

Answer 82

Amazon Elastic Compute Cloud (Amazon EC2) instance store provides temporary block-level storage for an instance. This storage is located on disks that are physically attached to the host computer. This ties the lifecycle of the data to the lifecycle of the EC2 instance. If you delete the instance, the instance store is also deleted. Because of this, instance store is considered ephemeral storage. Instance store is ideal if you host applications that replicate data to other EC2 instances, such as Hadoop clusters. For these cluster-based workloads, having the speed of locally attached volumes and the resiliency of replicated data helps you achieve data distribution at high performance. It’s also ideal for temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content.

Answer 83

As the name implies, Amazon Elastic Block Store (Amazon EBS) is block-level storage that you can attach to an Amazon EC2 instance. You can compare this to how you must attach an external drive to your laptop. This attachable storage is called an EBS volume. EBS volumes act similarly to external drives in more than one way. * Detachable: You can detach an EBS volume from one EC2 instance and attach it to another EC2 instance in the same Availability Zone to access the data on it. * Distinct: The external drive is separate from the computer. That means that if an accident occurs and the computer goes down, you still have your data on your external drive. The same is true for EBS volumes. * Size-limited: You’re limited to the size of the external drive, because it has a fixed limit to how scalable it can be. For example, you might have a 2 TB external drive, which means you can only have 2 TB of content on it. This also relates to Amazon EBS, because a volume also has a max limitation of how much content you can store on it. * 1-to-1 connection: Most external drives can only be connected with one computer at a time. Most EBS volumes have a one-to-one relationship with EC2 instances, so they cannot be shared by or attached to multiple instances at one time.

Answer 84

1) Increase volume size 2) Attach multiple volumes Increase the volume size only if it doesn’t increase above the maximum size limit. Depending on the volume selected, Amazon EBS currently supports a maximum volume size of 64 tebibytes (TiB). For example, if you provision a 5-TiB io2 Block Express volume, you can choose to increase the size of your volume until you get to 64 TiB. Attach multiple volumes to a single EC2 instance. Amazon EC2 has a one-to-many relationship with EBS volumes. You can add these additional volumes during or after EC2 instance creation to provide more storage capacity for your hosts.

Answer 85

Amazon EBS use cases Amazon EBS is useful when you must retrieve data quickly and have data persist long term. Volumes are commonly used in the following scenarios. Operating systems Boot and root volumes can be used to store an operating system. The root device for an instance launched from an Amazon Machine Image (AMI) is typically an EBS volume. These are commonly referred to as EBS-backed AMIs. Databases As a storage layer for databases running on Amazon EC2 that will scale with your performance needs and provide consistent and low-latency performance. Enterprise applications Amazon EBS provides high availability and high durability block storage to run business-critical applications. Big data analytics engines Amazon EBS offers data persistence, dynamic performance adjustments, and the ability to detach and reattach volumes, so you can resize clusters for big data analytics.

Answer 86

* High availability - When you create an EBS volume, it is automatically replicated in its Availability Zone to prevent data loss from single points of failure. * Data persistence - Storage persists even when your instance doesn’t * Data encryption - When activated by the user, all EBS volumes support encryption. * Flexibility - EBS volumes support on-the-fly changes. Modify volume type, volume size, and input/output operations per second (IOPS) capacity without stopping your instance. * Backups - Amazon EBS provides the ability to create backups of any EBS volume.

Answer 87

Using snapshots EBS snapshots are incremental backups that only save the blocks on the volume that have changed after your most recent snapshot. For example, if you have 10 GB of data on a volume and only 2 GB of data have been modified since your last snapshot, only the 2 GB that have been changed are written to Amazon S3. When you take a snapshot of any of your EBS volumes, the backups are stored redundantly in multiple Availability Zones using Amazon S3. This aspect of storing the backup in Amazon S3 is handled by AWS, so you won’t need to interact with Amazon S3 to work with your EBS snapshots. You manage them in the Amazon EBS console, which is part of the Amazon EC2 console.

Answer 88

True, access is restricted by default; user or AWS account that created the S3 resource. Security in Amazon S3 Everything in Amazon S3 is private by default. This means that all Amazon S3 resources, such as buckets and objects, can only be viewed by the user or AWS account that created that resource. Amazon S3 resources are all private and protected to begin with. If you decide that you want everyone on the internet to see your photos, you can choose to make your buckets and objects public. A public resource means that everyone on the internet can see it. Most of the time, you don’t want your permissions to be all or nothing. Typically, you want to be more granular about the way that you provide access to your resources.

Answer 89

Amazon S3 Unlike Amazon EBS, Amazon Simple Storage Service (Amazon S3) is a standalone storage solution that isn’t tied to compute. With Amazon S3, you can retrieve your data from anywhere on the web. If you have used an online storage service to back up the data from your local machine, you most likely have used a service similar to Amazon S3. The big difference between those online storage services and Amazon S3 is the storage type. Amazon S3 is an object storage service. Object storage stores data in a flat structure. An object is a file combined with metadata. You can store as many of these objects as you want. All the characteristics of object storage are also characteristics of Amazon S3. In Amazon S3, you store your objects in containers called buckets. You can’t upload an object, not even a single photo, to Amazon S3 without creating a bucket first. When you store an object in a bucket, the combination of a bucket name, key, and version ID uniquely identifies the object.

Answer 90

True each bucket name must be unique across all AWS accounts in all AWS Regions within a partition. A partition is a grouping of Regions, of which AWS currently has three: Standard Regions, China Regions, and AWS GovCloud (US). When naming a bucket, choose a name that is relevant to you or your business. For example, you should avoid using AWS or Amazon in your bucket name.

Answer 91

Object key names The object key (key name) uniquely identifies the object in an Amazon S3 bucket. When you create an object, you specify the key name. As described earlier, the Amazon S3 model is a flat structure, meaning there is no hierarchy of subbuckets or subfolders. However, the Amazon S3 console does support the concept of folders. By using key name prefixes and delimiters, you can imply a logical hierarchy. For example, suppose your bucket called testbucket has two objects with the following object keys: 2022-03-01/AmazonS3.html and 2022-03-01/Cats.jpg. The console uses the key name prefix, 2022-03-01, and delimiter (/) to present a folder structure.

Answer 92

Backup and storage Amazon S3 is a natural place to back up files because it is highly redundant. As mentioned in the last lesson, AWS stores your EBS snapshots in Amazon S3 to take advantage of its high availability. Media hosting Because you can store unlimited objects, and each individual object can be up to 5 TB, Amazon S3 is an ideal location to host video, photo, and music uploads. Software delivery You can use Amazon S3 to host your software applications that customers can download. Data lakes Amazon S3 is an optimal foundation for a data lake because of its virtually unlimited scalability. You can increase storage from gigabytes to petabytes of content, paying only for what you use. Static websites You can configure your S3 bucket to host a static website of HTML, CSS, and client-side scripts. Static content Because of the limitless scaling, the support for large files, and the fact that you can access any object over the web at any time, Amazon S3 is the perfect place to store static content.

Answer 93

To be more specific about who can do what with your Amazon S3 resources, Amazon S3 provides several security management features: * IAM policies * S3 bucket policies * encryption to develop and implement your own security policies.

Answer 94

resource-based policies

Answer 95

user policies

Answer 96

* You have many buckets with different permission requirements. Instead of defining many different S3 bucket policies, you can use IAM policies. * You want all policies to be in a centralized location. By using IAM policies, you can manage all policy information in one location.

Answer 97

Like IAM policies, S3 bucket policies are defined in a JSON format. Unlike IAM policies, which are attached to resources and users, S3 bucket policies can only be attached to S3 buckets. The policy that is placed on the bucket applies to every object in that bucket. S3 bucket policies specify what actions are allowed or denied on the bucket.

Answer 98

* You need a simple way to do cross-account access to Amazon S3, without using IAM roles. * Your IAM policies bump up against the defined size limit. S3 bucket policies have a larger size limit.

Answer 99

True Amazon S3 reinforces encryption in transit (as it travels to and from Amazon S3) and at rest. To protect data, Amazon S3 automatically encrypts all objects on upload and applies server-side encryption with S3-managed keys as the base level of encryption for every bucket in Amazon S3 at no additional cost.

Answer 100

When you upload an object to Amazon S3 and you don’t specify the storage class, you upload it to the default storage class, often referred to as standard storage. In previous lessons, you learned about the default Amazon S3 standard storage class.

Answer 101

This is considered general-purpose storage for cloud applications, dynamic websites, content distribution, mobile and gaming applications, and big data analytics.

Answer 102

This tier is useful if your data has unknown or changing access patterns. S3 Intelligent-Tiering stores objects in three tiers: a frequent access tier, an infrequent access tier, and an archive instance access tier. Amazon S3 monitors access patterns of your data and automatically moves your data to the most cost-effective storage tier based on frequency of access.

Answer 103

This tier is for data that is accessed less frequently but requires rapid access when needed. S3 Standard-IA offers the high durability, high throughput, and low latency of S3 Standard, with a low per-GB storage price and per-GB retrieval fee. This storage tier is ideal if you want to store long-term backups, disaster recovery files, and so on.

Answer 104

Unlike other S3 storage classes that store data in a minimum of three Availability Zones, S3 One Zone-IA stores data in a single Availability Zone, which makes it less expensive than S3 Standard-IA. S3 One Zone-IA is ideal for customers who want a lower-cost option for infrequently accessed data, but do not require the availability and resilience of S3 Standard or S3 Standard-IA. It's a good choice for storing secondary backup copies of on-premises data or easily recreatable data.

Answer 105

Use S3 Glacier Instant Retrieval for archiving data that is rarely accessed and requires millisecond retrieval. Data stored in this storage class offers a cost savings of up to 68 percent compared to the S3 Standard-IA storage class, with the same latency and throughput performance.

Answer 106

S3 Glacier Flexible Retrieval offers low-cost storage for archived data that is accessed 1–2 times per year. With S3 Glacier Flexible Retrieval, your data can be accessed in as little as 1–5 minutes using an expedited retrieval. You can also request free bulk retrievals in up to 5–12 hours. It is an ideal solution for backup, disaster recovery, offsite data storage needs, and for when some data occasionally must be retrieved in minutes.

Answer 107

S3 Glacier Deep Archive is the lowest-cost Amazon S3 storage class. It supports long-term retention and digital preservation for data that might be accessed once or twice a year. Data stored in the S3 Glacier Deep Archive storage class has a default retrieval time of 12 hours. It is designed for customers that retain data sets for 7–10 years or longer, to meet regulatory compliance requirements. Examples include those in highly regulated industries, such as the financial services, healthcare, and public sectors.

Answer 108

Amazon S3 on Outposts delivers object storage to your on-premises AWS Outposts environment using S3 API's and features. For workloads that require satisfying local data residency requirements or need to keep data close to on premises applications for performance reasons, the S3 Outposts storage class is the ideal option.

Answer 109

Versioning keeps multiple versions of a single object in the same bucket. This preserves old versions of an object without using different names, which helps with object recovery from accidental deletions, accidental overwrites, or application failures. Amazon S3 versioning As described earlier, Amazon S3 identifies objects in part by using the object name. For example, when you upload an employee photo to Amazon S3, you might name the object employee.jpg and store it in a bucket called employees. Without Amazon S3 versioning, every time you upload an object called employee.jpg to the employees bucket, it will overwrite the original object. This can be an issue for several reasons, including the following: * Common names: The employee.jpg object name is a common name for an employee photo object. You or someone else who has access to the bucket might not have intended to overwrite it; but once it's overwritten, the original object can't be accessed. * Version preservation: You might want to preserve different versions of employee.jpg. Without versioning, if you wanted to create a new version of employee.jpg, you would need to upload the object and choose a different name for it. Having several objects all with slight differences in naming variations can cause confusion and clutter in S3 buckets. To counteract these issues, you can use Amazon S3 versioning. Versioning keeps multiple versions of a single object in the same bucket. This preserves old versions of an object without using different names, which helps with object recovery from accidental deletions, accidental overwrites, or application failures.

Answer 110

By using versioning-enabled buckets, you can recover objects from accidental deletion or overwrite. The following are examples: * Deleting an object does not remove the object permanently. Instead, Amazon S3 puts a marker on the object that shows that you tried to delete it. If you want to restore the object, you can remove the marker and the object is reinstated. * If you overwrite an object, it results in a new object version in the bucket. You still have access to previous versions of the object.

Answer 111

1) Unversioned (default) No new and existing objects in the bucket have a version. 2) Versioning-endabled Versioning is enabled for all objects in the bucket. After you version-enable a bucket, it can never return to an unversioned state. However, you can suspend versioning on that bucket. 3) Versioning-suspended Versioning is suspended for new objects. All new objects in the bucket will not have a version. However, all existing objects keep their object versions.

Answer 112

If you keep manually changing your objects, such as your employee photos, from storage tier to storage tier, you might want to automate the process by configuring their Amazon S3 lifecycle. When you define a lifecycle configuration for an object or group of objects, you can choose to automate between two types of actions: transition and expiration. * Transition actions define when objects should transition to another storage class. * Expiration actions define when objects expire and should be permanently deleted. For example, you might transition objects to S3 Standard-IA storage class 30 days after you create them. Or you might archive objects to the S3 Glacier Deep Archive storage class 1 year after creating them.

Answer 113

* Periodic logs: If you upload periodic logs to a bucket, your application might need them for a week or a month. After that, you might want to delete them. * Data that changes in access frequency: Some documents are frequently accessed for a limited period of time. After that, they are infrequently accessed. At some point, you might not need real-time access to them. But your organization or regulations might require you to archive them for a specific period. After that, you can delete them.

Answer 114

Object storage

Answer 115

Amazon S3 bucket names Amazon S3 supports global buckets. Therefore, each bucket name must be unique across all AWS accounts in all AWS Regions within a partition. A partition is a grouping of Regions, of which AWS currently has three: Standard Regions, China Regions, and AWS GovCloud (US). When naming a bucket, choose a name that is relevant to you or your business. For example, you should avoid using AWS or Amazon in your bucket name. The following are some examples of the rules that apply for naming buckets in Amazon S3. For a full list of rules, see the link in the resources section. * Bucket names must be between 3 (min) and 63 (max) characters long. * Bucket names can consist only of lowercase letters, numbers, dots (.), and hyphens (-). * Bucket names must begin and end with a letter or number. * Buckets must not be formatted as an IP address. * A bucket name cannot be used by another AWS account in the same partition until the bucket is deleted. If your application automatically creates buckets, choose a bucket naming scheme that is unlikely to cause naming conflicts and will choose a different bucket name, should one not be available.

Answer 116

Object key names The object key (key name) uniquely identifies the object in an Amazon S3 bucket. When you create an object, you specify the key name. As described earlier, the Amazon S3 model is a flat structure, meaning there is no hierarchy of subbuckets or subfolders. However, the Amazon S3 console does support the concept of folders. By using key name prefixes and delimiters, you can imply a logical hierarchy. For example, suppose your bucket called testbucket has two objects with the following object keys: 2022-03-01/AmazonS3.html and 2022-03-01/Cats.jpg. The console uses the key name prefix, 2022-03-01, and delimiter (/) to present a folder structure.

Answer 117

Backup and storage Amazon S3 is a natural place to back up files because it is highly redundant. As mentioned in the last lesson, AWS stores your EBS snapshots in Amazon S3 to take advantage of its high availability. Media hosting Because you can store unlimited objects, and each individual object can be up to 5 TB, Amazon S3 is an ideal location to host video, photo, and music uploads. Software delivery You can use Amazon S3 to host your software applications that customers can download. Data Lakes Amazon S3 is an optimal foundation for a data lake because of its virtually unlimited scalability. You can increase storage from gigabytes to petabytes of content, paying only for what you use. Static websites You can configure your S3 bucket to host a static website of HTML, CSS, and client-side scripts. Static content Because of the limitless scaling, the support for large files, and the fact that you can access any object over the web at any time, Amazon S3 is the perfect place to store static content.

Answer 118

Security in Amazon S3 Everything in Amazon S3 is private by default. This means that all Amazon S3 resources, such as buckets and objects, can only be viewed by the user or AWS account that created that resource. Amazon S3 resources are all private and protected to begin with. If you decide that you want everyone on the internet to see your photos, you can choose to make your buckets and objects public. A public resource means that everyone on the internet can see it. Most of the time, you don’t want your permissions to be all or nothing.

Answer 119

Amazon S3 and IAM policies Previously, you learned about creating and using AWS Identity and Access Management (IAM) policies. Now you can apply that knowledge to Amazon S3. When IAM policies are attached to your resources (buckets and objects) or IAM users, groups, and roles, the policies define which actions they can perform. Access policies that you attach to your resources are referred to as resource-based policies and access policies attached to users in your account are called user policies.

Answer 120

* You have many buckets with different permission requirements. Instead of defining many different S3 bucket policies, you can use IAM policies. * You want all policies to be in a centralized location. By using IAM policies, you can manage all policy information in one location.

Answer 121

JSON format Unlike IAM policies, which are attached to resources and users, S3 bucket policies can only be attached to S3 buckets. The policy that is placed on the bucket applies to every object in that bucket. S3 bucket policies specify what actions are allowed or denied on the bucket.

Answer 122

* You need a simple way to do cross-account access to Amazon S3, without using IAM roles. * Your IAM policies bump up against the defined size limit. S3 bucket policies have a larger size limit.

Answer 123

A) Object storage for media hosting

Answer 124

A) Configure Amazon CloudFront to deliver the content in the S3 bucket.

Answer 125

C) Amazon Elastic Block Store (Amazon EBS)

Answer 126

Relational databases A relational database organizes data into tables. Data in one table can link to data in other tables to create relationships—hence, the relational part of the name. A table stores data in rows and columns. A row, often called a record, contains all information about a specific entry. Columns describe attributes of an entry. The following image is an example of three tables in a relational database.

Answer 127

* MySQL * PostgresQL * Oracle * Microsoft SQL Server * Amazon Aurora

Answer 128

SQL SELECT * FROM table_name. This query selects all the data from a particular table. However, the power of SQL queries is in creating more complex queries that pull data from several tables to identify patterns and answers to business problems. For example, querying the sales table and the books table together to see sales in relation to an author’s books. Querying tables together to better understand their relationships is made possible by a "join".

Answer 129

Complex SQL With SQL, you can join multiple tables so you can better understand relationships between your data. Reduced redundancy You can store data in one table and reference it from other tables instead of saving the same data in different places. Familiarity Because relational databases have been a popular choice since the 1970s, technical professionals often have familiarity and experience with them. Accuracy Relational databases ensure that your data has high integrity and adheres to the atomicity, consistency, isolation, and durability (ACID) principle.

Answer 130

Applications that have a fixed schema These are applications that have a fixed schema and don't change often. An example is a lift-and-shift application that lifts an app from on-premises and shifts it to the cloud, with little or no modifications. Applications that need persistent storage These are applications that need persistent storage and follow the ACID principle, such as: * Enterprise resource planning (ERP) applications * Customer relationship management (CRM) applications * Commerce and financial applications

Answer 131

If you host a database on Amazon EC2, AWS implements and maintains the physical infrastructure and hardware and installs the EC2 instance operating system (OS). However, you are still responsible for managing the EC2 instance, managing the database on that host, optimizing queries, and managing customer data. You are still responsible for the following: * App optimization * Scaling * High availability * Database backups * DB software patches * DB software installs * OS patches

Answer 132

Managed databases To shift more of the work to AWS, you can use a managed database service. These services provide the setup of both the EC2 instance and the database, and they provide systems for high availability, scalability, patching, and backups. However, in this model, you’re still responsible for database tuning, query optimization, and ensuring that your customer data is secure. This option provides the ultimate convenience but the least amount of control compared to the two previous options. You're just responsible for: * App optimization

Answer 133

Amazon RDS is a managed database service customers can use to create and manage relational databases in the cloud without the operational burden of traditional database management. With Amazon RDS, you can offload some of the unrelated work of creating and managing a database. You can focus on the tasks that differentiate your application, instead of focusing on infrastructure-related tasks, like provisioning, patching, scaling, and restoring.

Answer 134

* Commercial: Oracle, SQL Server * Open source: MySQL, PostgreSQL, MariaDB * Cloud native: Aurora

Answer 135

Database instances The compute portion is called the database (DB) instance, which runs the DB engine. Depending on the engine selected, the instance will have different supported features and configurations. A DB instance can contain multiple databases with the same engine, and each DB can contain multiple tables. Underneath the DB instance is an EC2 instance. However, this instance is managed through the Amazon RDS console instead of the Amazon EC2 console. When you create your DB instance, you choose the instance type and size. The DB instance class you choose affects how much processing power and memory it has.

Answer 136

Storage on Amazon RDS The storage portion of DB instances for Amazon RDS use Amazon Elastic Block Store (Amazon EBS) volumes for database and log storage. This includes MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server. When using Aurora, data is stored in cluster volumes, which are single, virtual volumes that use solid-state drives (SSDs). A cluster volume contains copies of your data across three Availability Zones in a single AWS Region. For nonpersistent, temporary files, Aurora uses local storage.

Answer 137

TRUE When you create a DB instance, you select the Amazon Virtual Private Cloud (Amazon VPC) your databases will live in. Then, you select the subnets that will be designated for your DB. This is called a DB subnet group, and it has at least two Availability Zones in its Region. The subnets in a DB subnet group should be private, so they don’t have a route to the internet gateway. This ensures that your DB instance, and the data inside it, can be reached only by the application backend. Access to the DB instance can be restricted further by using network access control lists (network ACLs) and security groups. With these firewalls, you can control, at a granular level, the type of traffic you want to provide access into your database. Using these controls provides layers of security for your infrastructure. It reinforces that only the backend instances have access to the database.

Answer 138

1) Automated Backups 2) Manual Snapshots Automated Backups Automated backups are turned on by default. This backs up your entire DB instance (not just individual databases on the instance) and your transaction logs. When you create your DB instance, you set a backup window that is the period of time that automatic backups occur. Typically, you want to set the window during a time when your database experiences little activity because it can cause increased latency and downtime. Retaining backups: Automated backups are retained between 0 and 35 days. You might ask yourself, “Why set automated backups for 0 days?” The 0 days setting stops automated backups from happening. If you set it to 0, it will also delete all existing automated backups. This is not ideal. The benefit of automated backups that you can do point-in-time recovery. Point-in-time recovery: This creates a new DB instance using data restored from a specific point in time. This restoration method provides more granularity by restoring the full backup and rolling back transactions up to the specified time range. Manual Snapshots If you want to keep your automated backups longer than 35 days, use manual snapshots. Manual snapshots are similar to taking Amazon EBS snapshots, except you manage them in the Amazon RDS console. These are backups that you can initiate at any time. They exist until you delete them. For example, to meet a compliance requirement that mandates you to keep database backups for a year, you need to use manual snapshots. If you restore data from a manual snapshot, it creates a new DB instance using the data from the snapshot. Choosing a backup option It is advisable to deploy both backup options. Automated backups are beneficial for point-in-time recovery. With manual snapshots, you can retain backups for longer than 35 days.

Answer 139

TRUE An Amazon RDS Multi-AZ deployment, Amazon RDS creates a redundant copy of your database in another Availability Zone. You end up with two copies of your database—a primary copy in a subnet in one Availability Zone and a standby copy in a subnet in a second Availability Zone. The primary copy of your database provides access to your data so that applications can query and display the information. The data in the primary copy is synchronously replicated to the standby copy. The standby copy is not considered an active database, and it does not get queried by applications. To improve availability, Amazon RDS Multi-AZ ensures that you have two copies of your database running and that one of them is in the primary role. If an availability issue arises, such as the primary database loses connectivity, Amazon RDS initiates an automatic failover.

Answer 140

TRUE When you create a DB instance, a Domain Name System (DNS) name is provided. AWS uses that DNS name to fail over to the standby database. In an automatic failover, the standby database is promoted to the primary role, and queries are redirected to the new primary database.

Answer 141

FALSE When it comes to security in Amazon RDS, you have control over managing access to your Amazon RDS resources, such as your databases on a DB instance. How you manage access will depend on the tasks you or other users need to perform in Amazon RDS. Network ACLs and security groups help users dictate the flow of traffic. If you want to restrict the actions and resources others can access, you can use AWS Identity and Access Management (IAM) policies.

Answer 142

Use IAM policies to assign permissions that determine who can manage Amazon RDS resources. For example, you can use IAM to determine who can create, describe, modify, and delete DB instances, tag resources, or modify security groups.

Answer 143

Use security groups to control which IP addresses or Amazon EC2 instances can connect to your databases on a DB instance. When you first create a DB instance, all database access is prevented except through rules specified by an associated security group.

Answer 144

Use Amazon RDS encryption to secure your DB instances and snapshots at rest.

Answer 145

Use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connections with DB instances running the MySQL, MariaDB, PostgreSQL, Oracle, or SQL Server database engines.

Answer 146

Purpose-built databases for all application needs We covered Amazon RDS and relational databases in the previous lesson, and for a long time, relational databases were the default option. They were widely used in nearly all applications. A relational database is like a multi-tool. It can do many things, but it is not perfectly suited to any one particular task. It might not always be the best choice for your business needs. The one-size-fits-all approach of using a relational database for everything no longer works. Over the past few decades, there has been a shift in the database landscape, and this shift has led to the rise of purpose-built databases. Developers can consider the needs of their application and choose a database that will fit those needs. AWS offers a broad and deep portfolio of purpose-built databases that support diverse data models. Customers can use them to build data-driven, highly scalable, distributed applications. You can pick the best database to solve a specific problem and break away from restrictive commercial databases. You can focus on building applications that meet the needs of your organization.

Answer 147

Amazon DynamoDB DynamoDB is a fully managed NoSQL database that provides fast, consistent performance at any scale. It has a flexible billing model, tight integration with infrastructure as code (IaC), and a hands-off operational model. DynamoDB has become the database of choice for two categories of applications: high-scale applications and serverless applications. Although DynamoDB is the database of choice for high-scale and serverless applications, it can work for nearly all online transaction processing (OLTP) application workloads.

Answer 148

Amazon ElastiCache ElastiCache is a fully managed, in-memory caching solution. It provides support for two open-source, in-memory cache engines: Redis and Memcached. You aren’t responsible for instance failovers, backups and restores, or software upgrades.

Answer 149

Amazon MemoryDB for Redis MemoryDB is a Redis-compatible, durable, in-memory database service that delivers ultra-fast performance. With MemoryDB, you can achieve microsecond read latency, single-digit millisecond write latency, high throughput, and Multi-AZ durability for modern applications, like those built with microservices architectures. You can use MemoryDB as a fully managed, primary database to build high-performance applications. You do not need to separately manage a cache, durable database, or the required underlying infrastructure.

Answer 150

Amazon DocumentDB (with MongoDB compatibility) Amazon DocumentDB is a fully managed document database from AWS. A document database is a type of NoSQL database you can use to store and query rich documents in your application. These types of databases work well for the following use cases: content management systems, profile management, and web and mobile applications. Amazon DocumentDB has API compatibility with MongoDB. This means you can use popular open-source libraries to interact with Amazon DocumentDB, or you can migrate existing databases to Amazon DocumentDB with minimal hassle.

Answer 151

Amazon Keyspaces (for Apache Cassandra) Amazon Keyspaces is a scalable, highly available, and managed Apache Cassandra compatible database service. Apache Cassandra is a popular option for high-scale applications that need top-tier performance. Amazon Keyspaces is a good option for high-volume applications with straightforward access patterns. With Amazon Keyspaces, you can run your Cassandra workloads on AWS using the same Cassandra Query Language (CQL) code, Apache 2.0 licensed drivers, and tools that you use today.

Answer 152

Amazon Neptune Neptune is a fully managed graph database offered by AWS. A graph database is a good choice for highly connected data with a rich variety of relationships. Companies often use graph databases for recommendation engines, fraud detection, and knowledge graphs.

Answer 153

Amazon Timestream Timestream is a fast, scalable, and serverless time series database service for Internet of Things (IoT) and operational applications. It makes it easy to store and analyze trillions of events per day up to 1,000 times faster and for as little as one-tenth of the cost of relational databases. Time series data is a sequence of data points recorded over a time interval. It is used for measuring events that change over time, such as stock prices over time or temperature measurements over time.

Answer 154

Amazon Quantum Ledger Database (Amazon QLDB) With traditional databases, you can overwrite or delete data, so developers use techniques, such as audit tables and audit trails to help track data lineage. These approaches can be difficult to scale and put the burden of ensuring that all data is recorded on the application developer. Amazon QLDB is a purpose-built ledger database that provides a complete and cryptographically verifiable history of all changes made to your application data.

Answer 155

DynamoDB overview DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. With DynamoDB, you can offload the administrative burdens of operating and scaling a distributed database. You don't need to worry about hardware provisioning, setup and configuration, replication, software patching, or cluster scaling. With DynamoDB, you can do the following: * Create database tables that can store and retrieve any amount of data and serve any level of request traffic. * Scale up or scale down your tables' throughput capacity without downtime or performance degradation. * Monitor resource usage and performance metrics using the AWS Management Console.

Answer 156

tables, items, and attributes are the core components that you work with. DynamoDB uses primary keys to uniquely identify each item in a table and secondary indexes to provide more querying flexibility.

Answer 157

You might want to consider using DynamoDB in the following circumstances: * You are experiencing scalability problems with other traditional database systems. * You are actively engaged in developing an application or service. * You are working with an OLTP workload. * You care deploying a mission-critical application that must be highly available at all times without manual intervention. * You require a high level of data durability, regardless of your backup-and-restore strategy.

Answer 158

Develop software applications Build internet-scale applications supporting user-content metadata and caches that require high concurrency and connections for millions of users and millions of requests per second. Create media metadata stores Scale throughput and concurrency for analysis of media and entertainment workloads, such as real-time video streaming and interactive content. Deliver lower latency with multi-Region replication across Regions. Scale gaming platforms Focus on driving innovation with no operational overhead. Build out your game platform with player data, session history, and leaderboards for millions of concurrent users. Deliver seamless retail experiences Use design patterns for deploying shopping carts, workflow engines, inventory tracking, and customer profiles. DynamoDB supports high-traffic, extreme-scaled events and can handle millions of queries per second.

Answer 159

1) Use AWS CloudTrail to monitor AWS managed key usage. If you are using an AWS managed key for encryption at rest, usage of the key is recorded in AWS CloudTrail. CloudTrail can tell you who made the request, the services used, actions performed, parameters for the action, and response elements returned. 2) Use IAM roles to authenticate access to DynamoDB. For users, applications, and other AWS services to access DynamoDB, they must include valid AWS credentials in their AWS API requests. Use IAM roles to obtain temporary access keys. 3) Use IAM policy conditions for fine-grained access control. When you grant permissions in DynamoDB, you can specify conditions that determine how a permissions policy takes effect. Implementing least privilege is key in reducing security risk and the impact that can result from errors or malicious intent. 4) Monitor DynamoDB operations using CloudTrail. When activity occurs in DynamoDB, that activity is recorded in a CloudTrail event. For an ongoing record of events in DynamoDB and in your AWS account, create a trail to deliver log files to an Amazon Simple Storage Service (Amazon S3) bucket.

Answer 160

Amazon RDS, Aurora, Amazon Redshift Used for: Traditional applications, ERP, CRM, ecommerce

Answer 161

DynamoDB Used for: High-traffic web applications, ecommerce systems, gaming applications

Answer 162

Amazon ElastiCache for Memcached, Amazon ElastiCache for Redis Used for: Caching, session management, gaming leaderboards, geospatial applications

Answer 163

Amazon DocumentDB Used for: Content management, catalogs, user profiles

Answer 164

Amazon Keyspaces Used for: High-scale industrial applications for equipment maintenance, fleet management, route optimization

Answer 165

Neptune Used for: Fraud detection, social networking, recommendation engines

Answer 166

Timestream Used for: IoT applications, Development Operations (DevOps), industrial telemetry

Answer 167

Amazon QLDB Used for: Systems of record, supply chain, registrations, banking transactions

Answer 168

Breaking up applications and databases As the industry changes, applications and databases change too. Today, with larger applications, you no longer see just one database supporting them. Instead, applications are broken into smaller services, each with its own purpose-built database supporting it. This shift removes the idea of a one-size-fits-all database and replaces it with a complimentary database strategy. You can give each database the appropriate functionality, performance, and scale the workload requires.

Answer 169

C) You can increase or decrease specific database configurations independently.

Answer 170

C) Amazon DynamoDB

Answer 171

Data points generated from resources --> Metrics/Time = Statistics Use metrics to solve problems The AWS resources that host your solutions create various forms of data that you might be interested in collecting. Each individual data point that a resource creates is a metric. Metrics that are collected and analyzed over time become statistics, such as average CPU utilization over time showing a spike.

Answer 172

Amazon EC2 metrics examples: * CPUUtilization * NetworkIn * NetworkOut Amazon RDS metric example: * DatabaseConnections

Answer 173

A monitoring solution which allows you to monitor everything in one centralized place. Visibility using CloudWatch AWS resources create data that you can monitor through metrics, logs, network traffic, events, and more. This data comes from components that are distributed in nature. This can lead to difficulty in collecting the data you need if you don’t have a centralized place to review it all. AWS has taken care of centralizing the data collection for you with a service called CloudWatch. CloudWatch is a monitoring and observability service that collects your resource data and provides actionable insights into your applications. With CloudWatch, you can respond to system-wide performance changes, optimize resource usage, and get a unified view of operational health.

Answer 174

One way to evaluate the health of an EC2 instance is through CPU utilization. Generally speaking, if an EC2 instance has a high CPU utilization, it can mean a flood of requests. Or it can reflect a process that has encountered an error and is consuming too much of the CPU. When analyzing CPU utilization, take a process that exceeds a specific threshold for an unusual length of time. Use that abnormal event as a cue to either manually or automatically resolve the issue through actions like scaling the instance. CPU utilization is one example of a metric. Other examples of metrics that EC2 instances have are network utilization, disk performance, memory utilization, and the logs created by the applications running on top of Amazon EC2.

Answer 175

* Size of objects stored in a bucket * Number of objects stored in a bucket * Number of HTTP request made to a bucket

Answer 176

* Database connections * CPU utilization of an instance * Disk space consumption

Answer 177

* CPU utilization * Network utilization * Disk performance * Status checks

Answer 178

Respond proactively Respond to operational issues proactively before your end users are aware of them. Waiting for end users to let you know when your application is experiencing an outage is a bad practice. Through monitoring, you can keep tabs on metrics like error response rate and request latency. Over time, the metrics help signal when an outage is going to occur. You can automatically or manually perform actions to prevent the outage from happening and fix the problem before your end users are aware of it. Improve performance and reliability Monitoring can improve the performance and reliability of your resources. Monitoring the various resources that comprise your application provides you with a full picture of how your solution behaves as a system. Monitoring, if done well, can illuminate bottlenecks and inefficient architectures. This helps you drive performance and improve reliability. Recognize security threats and events By monitoring, you can recognize security threats and events. When you monitor resources, events, and systems over time, you create what is called a baseline. A baseline defines normal activity. Using a baseline, you can spot anomalies like unusual traffic spikes or unusual IP addresses accessing your resources. When an anomaly occurs, an alert can be sent out or an action can be taken to investigate the event. Make data-driven decisions Monitoring helps you make data-driven decisions for your business. Monitoring keeps an eye on IT operational health and drives business decisions. For example, suppose you launched a new feature for your cat photo app and now you want to know if it’s being used. You can collect application-level metrics and view the number of users who use the new feature. With your findings, you can decide whether to invest more time into improving the new feature. Create cost-efffective solutions Through monitoring, you can create more cost-effective solutions. You can view resources that are underused and rightsize your resources to your usage. This helps you optimize cost and make sure you aren’t spending more money than necessary.

Answer 179

When you monitor resources, events, and systems over time, you create what is called a baseline. A baseline defines normal activity. Using a baseline, you can spot anomalies like unusual traffic spikes or unusual IP addresses accessing your resources.

Answer 180

* Detect anomalous behavior in your environments. * Set alarms to alert you when something is not right. * Visualize logs and metrics with the AWS Management Console. * Take automated actions like scaling. * Troubleshoot issues. * Discover insights to keep your applications healthy.

Answer 181

With CloudWatch, all you need to get started is an AWS account. It is a managed service that you can use for monitoring without managing the underlying infrastructure.

Answer 182

Many AWS services automatically send metrics to CloudWatch for free at a rate of 1 data point per metric per 5-minute interval. This is called basic monitoring, and it gives you visibility into your systems without any extra cost. For many applications, basic monitoring is adequate. For applications running on EC2 instances, you can get more granularity by posting metrics every minute instead of every 5-minutes using a feature like detailed monitoring. Detailed monitoring incurs a fee.

Answer 183

Metrics are the fundamental concept in CloudWatch. A metric represents a time-ordered set of data points that are published to CloudWatch. Think of a metric as a variable to monitor and the data points as representing the values of that variable over time. Every metric data point must be associated with a timestamp.

Answer 184

AWS services that send data to CloudWatch attach dimensions to each metric. A dimension is a name and value pair that is part of the metric’s identity. You can use dimensions to filter the results that CloudWatch returns. For example, many Amazon EC2 metrics publish InstanceId as a dimension name and the actual instance ID as the value for that dimension.

Answer 185

By default, many AWS services provide metrics at no charge for resources such as EC2 instances, Amazon Elastic Block Store (Amazon EBS) volumes, and Amazon RDS database (DB) instances. For a charge, you can activate features such as detailed monitoring or publishing your own application metrics on resources such as your EC2 instances.

Answer 186

Suppose you have an application, and you want to record the number of page views your website gets. How would you record this metric with CloudWatch? First, it's an application-level metric. That means it’s not something the EC2 instance would post to CloudWatch by default. This is where custom metrics come in. With custom metrics, you can publish your own metrics to CloudWatch. If you want to gain more granular visibility, you can use high-resolution custom metrics, which make it possible for you to collect custom metrics down to a 1-second resolution. This means you can send 1 data point per second per custom metric. Some examples of custom metrics include the following: * Webpage load times * Request error rates * Number of processes or threads on your instance * Amount of work performed by your application

Answer 187

Once you provision your AWS resources and they are sending metrics to CloudWatch, you can visualize and review that data using CloudWatch dashboards. Dashboards are customizable home pages you can configure for data visualization for one or more metrics through widgets, such as a graph or text. You can build many custom dashboards, each one focusing on a distinct view of your environment. You can even pull data from different AWS Regions into a single dashboard to create a global view of your architecture. The following screenshot an example of a dashboard with metrics from Amazon EC2 and Amazon EBS.

Answer 188

CloudWatch aggregates statistics according to the period of time that you specify when creating your graph or requesting your metrics. You can also choose whether your metric widgets display live data. Live data is data published within the last minute that has not been fully aggregated. You are not bound to using CloudWatch exclusively for all your visualization needs. You can use external or custom tools to ingest and analyze CloudWatch metrics using the GetMetricData API. As far as security is concerned, with AWS Identity and Access Management (IAM) policies, you control who has access to view or manage your CloudWatch dashboards.

Answer 189

CloudWatch Logs is centralized place for logs to be stored and analyzed. With this service, you can monitor, store, and access your log files from applications running on EC2 instances, AWS Lambda functions, and other sources.

Answer 190

With CloudWatch Logs, you can query and filter your log data. For example, suppose you’re looking into an application logic error for your application. You know that when this error occurs, it will log the stack trace. Because you know it logs the error, you query your logs in CloudWatch Logs to find the stack trace. You also set up metric filters on logs, which turn log data into numerical CloudWatch metrics that you can graph and use on your dashboards. Some services, like Lambda, are set up to send log data to CloudWatch Logs with minimal effort. With Lambda, all you need to do is give the Lambda function the correct IAM permissions to post logs to CloudWatch Logs. Other services require more configuration. For example, to send your application logs from an EC2 instance into CloudWatch Logs, you need to install and configure the CloudWatch Logs agent on the EC2 instance. With the CloudWatch Logs agent, EC2 instances can automatically send log data to CloudWatch Logs.

Answer 191

Log event A log event is a record of activity recorded by the application or resource being monitored. It has a timestamp and an event message Log stream Log events are grouped into log streams, which are sequences of log events that all belong to the same resource being monitored. For example, logs for an EC2 instance are grouped together into a log stream that you can filter or query for insights. Log group A log group is composed of log streams that all share the same retention and permissions settings. For example, suppose you have multiple EC2 instances hosting your application and you send application log data to CloudWatch Logs. You can group the log streams from each instance into one log group.

Answer 192

You can create CloudWatch alarms to automatically initiate actions based on sustained state changes of your metrics. You configure when alarms are invoked and the action that is performed. First, you must decide which metric you want to set up an alarm for, and then you define the threshold that will invoke the alarm. Next, you define the threshold's time period. For example, suppose you want to set up an alarm for an EC2 instance to invoke when the CPU utilization goes over a threshold of 80 percent. You also must specify the time period the CPU utilization is over the threshold. You don’t want to invoke an alarm based on short, temporary spikes in the CPU. You only want to invoke an alarm if the CPU is elevated for a sustained amount of time. For example, if CPU utilization exceeds 80 percent for 5 minutes or longer, there might be a resource issue. To set up an alarm you need to choose the metric, threshold, and time period.

Answer 193

An alarm can be invoked when it transitions from one state to another. After an alarm is invoked, it can initiate an action. Actions can be an Amazon EC2 action, an automatic scaling action, or a notification sent to Amazon Simple Notification Service (Amazon SNS).

Answer 194

OK The metric is within the defined threshold. Everything appears to be operating like normal. ALARM The metric is outside the defined threshold. This might be an operational issue. INSUFFICIENT_DATA The alarm has just started, the metric is not available, or not enough data is available for the metric to determine the alarm state.

Answer 195

CloudWatch Logs uses metric filters 1 Set up a metric filter For the employee directory application, suppose you set up a metric filter for HTTP 500 error response codes. 2 Define an alarm Then, you define which metric alarm state should be invoked based on the threshold. With this example, the alarm state is invoked if HTTP 500 error responses are sustained for a specified period of time. 3 Define an action Next, you define an action that you want to take place when the alarm is invoked. Here, it makes sense to send an email or text alert to you so you can start troubleshooting the website. Hopefully, you can fix it before it becomes a bigger issue. After the alarm is set up, you know that if the error happens again, you will be notified promptly.

Answer 196

A service that automatically increase or decrease EC2 instances based on the rules that you define.

Answer 197

Using Amazon Load Balancer

Answer 198

The availability of a system is typically expressed as a percentage of uptime in a given year or as a number of nines. In the following table is a list of availability percentages based on the downtime per year and its notation in nines. Availability (%) Downtime (per year) 90% (one nine of availability) 36.53 days 99% (two nines of availability) 3.65 days 99.9% (three nines of availability) 8.77 hours 99.95% (three and a half nines of availability) 4.38 hours 99.99% (four nines of availability) 52.60 minutes 99.995% (four and a half nines of availability) 26.30 minutes 99.999% (five nines of availability) 5.26 minutes

Answer 199

To increase availability, you need redundancy. This typically means more infrastructure—more data centers, more servers, more databases, and more replication of data. You can imagine that adding more of this infrastructure means a higher cost. Customers want the application to always be available, but you need to draw a line where adding redundancy is no longer viable in terms of revenue.

Answer 200

In the current application, one EC2 instance hosts the application. The photos are served from Amazon S3, and the structured data is stored in Amazon DynamoDB. That single EC2 instance is a single point of failure for the application. Even if the database and Amazon S3 are highly available, customers have no way to connect if the single instance becomes unavailable. One way to solve this single point of failure issue is to add one more server in a second Availability Zone.

Answer 201

The physical location of a server is important. In addition to potential software issues at the operating system (OS) or application level, you must also consider hardware issues. They might be in the physical server, the rack, the data center, or even the Availability Zone hosting the virtual machine. To remedy the physical location issue, you can deploy a second EC2 instance in a second Availability Zone. This second instance might also solve issues with the OS and the application.

Answer 202

* Replication process – The first challenge with multiple EC2 instances is that you need to create a process to replicate the configuration files, software patches, and application across instances. The best method is to automate where you can. * Customer redirection – The second challenge is how to notify the clients—the computers sending requests to your server—about the different servers. You can use various tools here. The most common is using a Domain Name System (DNS) where the client uses one record that points to the IP address of all available servers. However, this method isn't always used because of propagation — the time frame it takes for DNS changes to be updated across the Internet. * Another option is to use a load balancer, which takes care of health checks and distributing the load across each server. Situated between the client and the server, a load balancer avoids propagation time issues. You will learn more about load balancers in the next section. * Types of high availability – The last challenge to address when there is more than one server is the type of availability you need: active-passive or active-active.

Answer 203

Active-passive systems With an active-passive system, only one of the two instances is available at a time. One advantage of this method is that for stateful applications (where data about the client’s session is stored on the server), there won’t be any issues. This is because the customers are always sent to the server where their session is stored. Active-active systems A disadvantage of an active-passive system is scalability. This is where an active-active system shines. With both servers available, the second server can take some load for the application, and the entire system can take more load. However, if the application is stateful, there would be an issue if the customer’s session isn’t available on both servers. Stateless applications work better for active-active systems.

Answer 204

A stateless application is one where each request from a client is treated as an independent transaction, and the server doesn't retain any information about previous interactions. This means the server doesn't maintain any session or state data between requests. Instead, all necessary information for processing the request must be included in each request itself.

Answer 205

* Listener * Target group * Rule

Answer 206

Load balancing refers to the process of distributing tasks across a set of resources. In the case of the Employee Directory application, the resources are EC2 instances that host the application, and the tasks are the requests being sent. You can use a load balancer to distribute the requests across all the servers hosting the application. To do this, the load balancer needs to take all the traffic and redirect it to the backend servers based on an algorithm. The most popular algorithm is round robin, which sends the traffic to each server one after the other. A typical request for an application starts from a client's browser. The request is sent to a load balancer. Then, it’s sent to one of the EC2 instances that hosts the application. The return traffic goes back through the load balancer and back to the client's browser. Although it is possible to install your own software load balancing solution on EC2 instances, AWS provides the ELB service for you.

Answer 207

ELB features The ELB service provides a major advantage over using your own solution to do load balancing. Mainly, you don’t need to manage or operate ELB. It can distribute incoming application traffic across EC2 instances, containers, IP addresses, and Lambda functions. Other key features include the following: * Hybrid mode – Because ELB can load balance to IP addresses, it can work in a hybrid mode, which means it also load balances to on-premises servers. * High availability – ELB is highly available. The only option you must ensure is that the load balancer's targets are deployed across multiple Availability Zones. * Scalability – In terms of scalability, ELB automatically scales to meet the demand of the incoming traffic. It handles the incoming traffic and sends it to your backend application.

Answer 208

Health checks Monitoring is an important part of load balancers because they should route traffic to only healthy EC2 instances. That’s why ELB supports two types of health checks as follows: * Establishing a connection to a backend EC2 instance using TCP and marking the instance as available if the connection is successful. * Making an HTTP or HTTPS request to a webpage that you specify and validating that an HTTP response code is returned. Taking time to define an appropriate health check is critical. Only verifying that the port of an application is open doesn’t mean that the application is working. It also doesn’t mean that making a call to the home page of an application is the right way either.

Answer 209

1) Rule 2) Listener 3) Target groups Rule To associate a target group to a listener, you must use a rule. Rules are made up of two conditions. The first condition is the source IP address of the client. The second condition decides which target group to send the traffic to. Listener The client connects to the listener. This is often called client side. To define a listener, a port must be provided in addition to the protocol, depending on the load balancer type. There can be many listeners for a single load balancer. Target group The backend servers, or server side, are defined in one or more target groups. This is where you define the type of backend you want to direct traffic to, such as EC2 instances, Lambda functions, or IP addresses. Also, a health check must be defined for each target group.

Answer 210

1) Application Load Balancer (ALB) 2) Network Load Balancer (NLB) 3) Gateway Load Balancer (GLB) Application Load Balancer (ALB): * User authorization * Rich metrics and logging * Redirects * Fixed response Network Load Balancer (NLB): * TCP and User Datagram Protocol (UDP) connection based * Source IP preservation * Low latency Gateway Load Balancer (GLB): * Health checks * Gateway Load Balancer Endpoints * Higher availability for third-party virtual appliances

Answer 211

Application Load Balancer For our Employee Directory application, we are using an Application Load Balancer. An Application Load Balancer functions at Layer 7 of the Open Systems Interconnection (OSI) model. It is ideal for load balancing HTTP and HTTPS traffic. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply. It then routes traffic to targets based on the request content. FEATURES Routes traffic based on request data: An Application Load Balancer makes routing decisions based on the HTTP and HTTPS protocol. For example, the ALB could use the URL path (/upload) and host, HTTP headers and method, or the source IP address of the client. This facilitates granular routing to target groups. Sends responses directly to the client: An Application Load Balancer can reply directly to the client with a fixed response, such as a custom HTML page. It can also send a redirect to the client. This is useful when you must redirect to a specific website or redirect a request from HTTP to HTTPS. It removes that work from your backend servers. Uses T:S offloading: An Application Load Balancer understands HTTPS traffic. To pass HTTPS traffic through an Application Load Balancer, an SSL certificate is provided one of the following ways: * Importing a certificate by way of IAM or ACM services * Creating a certificate for free using ACM This ensures that the traffic between the client and Application Load Balancer is encrypted. Authenticates users: An Application Load Balancer can authenticate users before they can pass through the load balancer. The Application Load Balancer uses the OpenID Connect (OIDC) protocol and integrates with other AWS services to support protocols, such as the following: * SAML * Lightweight Directory Access Protocol (LDAP) * Microsoft Active Directory * Others Secures traffic: To prevent traffic from reaching the load balancer, you configure a security group to specify the supported IP address ranges. Supports sticky sessions: If requests must be sent to the same backend server because the application is stateful, use the sticky session feature. This feature uses an HTTP cookie to remember which server to send the traffic to across connections.

Answer 212

A Network Load Balancer is ideal for load balancing TCP and UDP traffic. It functions at Layer 4 of the OSI model, routing connections from a target in the target group based on IP protocol data. FEATURES Sticky sessions Routes requests from the same client to the same target. Low latency Offers low latency for latency-sensitive applications. Source IP address Preserves the client-side source IP address. Static IP support Automatically provides a static IP address per Availability Zone (subnet). Elastic IP address support Lets users assign a custom, fixed IP address per Availability Zone (subnet). DNS failover Uses Amazon Route 53 to direct traffic to load balancer nodes in other zones.

Answer 213

Gateway Load Balancer A Gateway Load Balancer helps you to deploy, scale, and manage your third-party appliances, such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems. It provides a gateway for distributing traffic across multiple virtual appliances while scaling them up and down based on demand. FEATURES High availability Ensures high availability and reliability by routing traffic through healthy virtual appliances. Monitoring Can be monitored using CloudWatch metrics. Streamlined deployments Can deploy a new virtual appliance by selecting it in the AWS Marketplace. Private connectivity Connects internet gateways, virtual private clouds (VPCs), and other network resources over a private network.

Answer 214

1) Vertical 2) Horizontal Vertical Increase the instance size. If too many requests are sent to a single active-passive system, the active server will become unavailable and, hopefully, fail over to the passive server. But this doesn’t solve anything. With active-passive systems, you need vertical scaling. This means increasing the size of the server. With EC2 instances, you select either a larger type or a different instance type. This can be done only while the instance is in a stopped state. In this scenario, the following steps occur: * Stop the passive instance. This doesn’t impact the application because it’s not taking any traffic. * Change the instance size or type, and then start the instance again. * Shift the traffic to the passive instance, turning it active. * Stop, change the size, and start the previous active instance because both instances should match. Horizontal Add additional instances. As mentioned, for the application to work in an active-active system, it’s already created as stateless, not storing any client sessions on the server. This means that having two or four servers wouldn’t require any application changes. It would only be a matter of creating more instances when required and shutting them down when traffic decreases. The Amazon EC2 Auto Scaling service can take care of that task by automatically creating and removing EC2 instances based on metrics from Amazon CloudWatch. We will learn more about this service in this lesson. You can see that there are many more advantages to using an active-active system in comparison with an active-passive system. Modifying your application to become stateless provides scalability.

Answer 215

With a traditional approach to scaling, you buy and provision enough servers to handle traffic at its peak. However, this means at nighttime, for example, you might have more capacity than traffic, which means you’re wasting money. Turning off your servers at night or at times when the traffic is lower only saves on electricity. The cloud works differently with a pay-as-you-go model. You must turn off the unused services, especially EC2 instances you pay for on-demand. You can manually add and remove servers at a predicted time. But with unusual spikes in traffic, this solution leads to a waste of resources with over-provisioning or a loss of customers because of under-provisioning.

Answer 216

Automatically scales in and out based on demand.

Answer 217

Scales based on user-defined schedules.

Answer 218

Automatically replaces unhealthy EC2 instances.

Answer 219

Uses machine learning (ML) to help schedule the optimum number of EC2 instances.

Answer 220

Includes multiple purchase models, instance types, and Availability Zones.

Answer 221

Comes with the Amazon EC2 service.

Answer 222

The ELB service integrates seamlessly with Amazon EC2 Auto Scaling. As soon as a new EC2 instance is added to or removed from the Amazon EC2 Auto Scaling group, ELB is notified. However, before ELB can send traffic to a new EC2 instance, it needs to validate that the application running on the EC2 instance is available.

Answer 223

* Launch template or configuration: Which resources should be automatically scaled? * Amazon EC2 Auto Scaling groups: Where should the resources be deployed? * Scaling policies: When should the resources be added or removed?

Answer 224

Launch templates and configurations Multiple parameters are required to create EC2 instances—Amazon Machine Image (AMI) ID, instance type, security group, additional Amazon EBS volumes, and more. All this information is also required by Amazon EC2 Auto Scaling to create the EC2 instance on your behalf when there is a need to scale. This information is stored in a launch template. You can use a launch template to manually launch an EC2 instance or for use with Amazon EC2 Auto Scaling. It also supports versioning, which can be used for quickly rolling back if there's an issue or a need to specify a default version of the template. This way, while iterating on a new version, other users can continue launching EC2 instances using the default version until you make the necessary changes.

Answer 225

* Use an existing EC2 instance. All the settings are already defined. * Create one from an already existing template or a previous version of a launch template. * Create a template from scratch. These parameters will need to be defined: AMI ID, instance type, key pair, security group, storage, and resource tags. Another way to define what Amazon EC2 Auto Scaling needs to scale is by using a launch configuration. It’s similar to the launch template, but you cannot use a previously created launch configuration as a template. You cannot create a launch configuration from an existing Amazon EC2 instance. For these reasons, and to ensure that you get the latest features from Amazon EC2, AWS recommends you use a launch template instead of a launch configuration.

Answer 226

An Auto Scaling group helps you define where Amazon EC2 Auto Scaling deploys your resources. This is where you specify the Amazon Virtual Private Cloud (Amazon VPC) and subnets the EC2 instance should be launched in. Amazon EC2 Auto Scaling takes care of creating the EC2 instances across the subnets, so select at least two subnets that are across different Availability Zones. With Auto Scaling groups, you can specify the type of purchase for the EC2 instances. You can use On-Demand Instances or Spot Instances. You can also use a combination of the two, which means you can take advantage of Spot Instances with minimal administrative overhead.

Answer 227

1) Minimum capacity 2) Desired capacity 3) Maximum capacity Minimum capacity This is the minimum number of instances running in your Auto Scaling group, even if the threshold for lowering the number of instances is reached. When Amazon EC2 Auto Scaling removes EC2 instances because the traffic is minimal, it keeps removing EC2 instances until it reaches a minimum capacity. When reaching that limit, even if Amazon EC2 Auto Scaling is instructed to remove an instance, it does not. This ensures that the minimum is kept. Desired capacity The desired capacity is the number of EC2 instances that Amazon EC2 Auto Scaling creates at the time the group is created. This number can only be within or equal to the minimum or maximum. If that number decreases, Amazon EC2 Auto Scaling removes the oldest instance by default. If that number increases, Amazon EC2 Auto Scaling creates new instances using the launch template. Maximum capacity This is the maximum number of instances running in your Auto Scaling group, even if the threshold for adding new instances is reached. When traffic keeps growing, Amazon EC2 Auto Scaling keeps adding EC2 instances. This means the cost for your application will also keep growing. That’s why you must set a maximum amount to ensure it doesn’t go above your budget.

Answer 228

Scaling policies By default, an Auto Scaling group will be kept to its initial desired capacity. While it’s possible to manually change the desired capacity, you can also use scaling policies. In the Monitoring lesson, you learned about CloudWatch metrics and alarms. You use metrics to keep information about different attributes of your EC2 instance, such as the CPU percentage. You use alarms to specify an action when a threshold is reached. Metrics and alarms are what scaling policies use to know when to act. For example, you can set up an alarm that states when the CPU utilization is above 70 percent across the entire fleet of EC2 instances. It will then invoke a scaling policy to add an EC2 instance.

Answer 229

1) Simple Scaling Policy 2) Step Scaling Policy 3) Target Tracking Scaling Policy Simple Scaling Policy With a simple scaling policy, you can do exactly what’s described in this module. You use a CloudWatch alarm and specify what to do when it is invoked. This can include adding or removing a number of EC2 instances or specifying a number of instances to set the desired capacity to. You can specify a percentage of the group instead of using a number of EC2 instances, which makes the group grow or shrink more quickly. After the scaling policy is invoked, it enters a cooldown period before taking any other action. This is important because it takes time for the EC2 instances to start, and the CloudWatch alarm might still be invoked while the EC2 instance is booting. For example, you might decide to add an EC2 instance if the CPU utilization across all instances is above 65 percent. You don’t want to add more instances until that new EC2 instance is accepting traffic. However, what if the CPU utilization is now above 85 percent across the Auto Scaling group? Adding one instance might not be the right move. Instead, you might want to add another step in your scaling policy. Unfortunately, a simple scaling policy can’t help with that. This is where a step scaling policy helps. Step Scaling Policy Step scaling policies respond to additional alarms even when a scaling activity or health check replacement is in progress. Similar to the previous example, you might decide to add two more instances when CPU utilization is at 85 percent and four more instances when it’s at 95 percent. Deciding when to add and remove instances based on CloudWatch alarms might seem like a difficult task. This is why the third type of scaling policy exists—target tracking. Target Tracking Scaling Policy If your application scales based on average CPU utilization, average network utilization (in or out), or request count, then this scaling policy type is the one to use. All you need to provide is the target value to track, and it automatically creates the required CloudWatch alarms.

Answer 230

C. SQS ✅

Answer 231

B. Object storage ✅

Answer 232

D. Amazon DynamoDB ✅

Answer 233

B. Permissions for users and roles ✅

Answer 234

C. CloudFront ✅

Answer 235

B. Auto Scaling ✅

Answer 236

B. CloudFormation ✅

Answer 237

D. 5000 ✅

Answer 238

B. Multi-AZ Deployment ✅

Answer 239

C. 5 TB ✅

Answer 240

C. AWS Fargate ✅

Answer 241

B. CloudWatch Logs ✅

Answer 242

A. Route 53 ✅

Answer 243

C. S3 Glacier Deep Archive ✅

Answer 244

B. Temporary capacity with lower cost ✅

Answer 245

C. RDS ✅

Answer 246

C. DDoS attacks ✅

Answer 247

B. Load Balancer ✅

Answer 248

C. 99.999999999% (11 9's) ✅

Answer 249

D. Redshift ✅

Answer 250

C. Pre-signed URL ✅

Answer 251

B. Route 53 ✅

Answer 252

A. Monitors AWS resources and applications ✅

Answer 253

B. Lambda ✅

Answer 254

C. Pricing Calculator ✅

Answer 255

C. Block ✅

Answer 256

B. Firewall ✅

Answer 257

A. SNS ✅

Answer 258

C. Auto Scaling with health checks ✅

Answer 259

C. Provisioned IOPS ✅

Answer 260

B. Systems Manager ✅

Answer 261

C. Versioning + Replication ✅

Answer 262

B. Backup ✅

Answer 263

B. DynamoDB ✅

Answer 264

A. IAM Role with trust policy ✅

Answer 265

B. ECS ✅

Answer 266

A. Translate private IPs for outbound access ✅

Answer 267

A. Systems Manager Session Manager ✅

Answer 268

B. Compliance reports ✅

Answer 269

C. Private connection between VPCs ✅

Answer 270

B. Elastic Beanstalk ✅

Answer 271

B. A data center ✅

Answer 272

C. By VPC ✅

Answer 273

A. Auto Scaling ✅

Answer 274

B. SQL injection ✅

Answer 275

B. CodeDeploy ✅

Answer 276

C. S3 Glacier ✅

Answer 277

A. Trusted Advisor ✅

Answer 278

B. KMS ✅

Answer 279

C. CloudFront ✅

Answer 280

B. EBS Snapshot ✅

Answer 281

A. Lambda ✅

Answer 282

C. VPC Endpoint ✅

Answer 283

B. Config ✅

Answer 284

B. VPC ✅

Answer 285

C. Cost savings for steady-state usage ✅

Answer 286

C. Bucket Policy ✅

Answer 287

C. AWS Architecture Diagram Tool ✅

Answer 288

A. SageMaker ✅

Answer 289

C. Private network connection to AWS ✅

Answer 290

B. Athena ✅

Answer 291

C. On-demand scalability ✅

Answer 292

B. Migrate databases ✅

Answer 293

A. Versioning ✅

Answer 294

A. Kinesis ✅

Answer 295

A. Static IP for EC2 instance ✅

Answer 296

A. Monitor application health ✅

Answer 297

B. EBS ✅

Answer 298

B. Template for launching EC2 instances ✅

Answer 299

B. EKS ✅

Answer 300

A. CloudTrail ✅

Answer 301

B. IPSec ✅

Answer 302

B. AWS Organizations ✅

Answer 303

B. Collection of AWS resources managed as a single unit ✅

Answer 304

B. Security vulnerability assessment ✅

Answer 305

A. 0 bytes (empty object allowed) ✅

Answer 306

B. Relational (MySQL/PostgreSQL compatible) ✅

Answer 307

B. Auditing API calls and user activity ✅

Answer 308

B. Set of permissions that can be assumed by entities ✅

Answer 309

A. GuardDuty ✅

Answer 310

A. Security Groups are stateful; Network ACLs are stateless ✅

Answer 311

A. Database Migration Service (DMS) ✅

Answer 312

B. Bucket policy with VPC condition ✅

Answer 313

A. AWS Certificate Manager (ACM) ✅

Answer 314

C. Application Load Balancer ✅

Answer 315

B. Managed runtime environment where Lambda functions run ✅

Answer 316

A. ElastiCache ✅

Answer 317

A. Logical grouping of instances to optimize network performance ✅

Answer 318

B. Default network where instances can be launched without explicit VPC configuration ✅

Answer 319

D. Indefinite (configurable) ✅

Answer 320

A. SQL ✅

Answer 321

Answer: B) Amazon S3 + CloudFront

Answer 322

Answer: A) Amazon RDS Multi-AZ Deployment

Answer 323

A) Amazon SQS

Answer 324

C) Amazon EC2 with Auto Scaling Groups

Answer 325

D) S3 Bucket Policy with VPC Endpoint Condition

Answer 326

B) AWS Snowball

Answer 327

C) NAT Gateway in public subnet

Answer 328

C) Amazon S3 Glacier Deep Archive

Answer 329

A) AWS CloudTrail

Answer 330

B) AWS Lambda

Answer 331

A) AWS WAF

Answer 332

A) Amazon DynamoDB

Answer 333

A) Amazon ElastiCache

Answer 334

A) AWS CloudFormation

Answer 335

C) AWS Fargate

Answer 336

A) Use IAM policies with MFA conditions

Answer 337

C) Amazon Kinesis Data Analytics

Answer 338

A) Use TLS/SSL for application communication

Answer 339

A) AWS Secrets Manager

Answer 340

B) AWS Direct Connect

Answer 341

A) Amazon Route 53 with latency-based routing

Answer 342

A) Amazon Redshift

Answer 343

A) Amazon CloudWatch (with custom metrics for memory)

Answer 344

B) Create a VPC Endpoint for S3

Answer 345

A) Amazon Aurora Global Database

Answer 346

C) AWS Systems Manager Patch Manager

Answer 347

A) AWS Security Hub

Answer 348

D) Use VPC Endpoints

Answer 349

A) Amazon API Gateway + AWS Lambda + Amazon DynamoDB

Answer 350

B) Amazon EFS

Answer 351

A) Resource-based policy

Answer 352

D) A physically isolated data center within a region

Answer 353

B) AWS Organizations

Answer 354

B) Use AWS Shield and AWS WAF

Answer 355

A) Amazon Aurora Serverless

Answer 356

B) Use an IPsec VPN or AWS Direct Connect with MACsec

Answer 357

A) Enable encryption when creating the RDS instance (cannot be enabled after creation)

Answer 358

A) Configure the Lambda function to access the VPC subnets and security groups

Answer 359

D) Amazon S3 Glacier

Answer 360

A) AWS Systems Manager

Answer 361

A) Auto Scaling Group + Elastic Load Balancer

Answer 362

Answer: A) AWS Config

Answer 363

C) Use S3 Bucket Default Encryption

Answer 364

A) Amazon Aurora with Aurora Replicas

Answer 365

A) IAM Policies

Answer 366

A) AWS Database Migration Service (DMS)

Answer 367

B) SSE-S3 (AES-256)

Answer 368

A) VPN connection using IPsec

Answer 369

C) Amazon CloudWatch Logs and CloudWatch Dashboards

Answer 370

A) Amazon EventBridge

Answer 371

A) Use AWS Systems Manager Patch Manager

Answer 372

A) AWS Control Tower

Answer 373

B) Use Amazon CloudFront CDN in front of the S3 bucket

Answer 374

A) Amazon Cognito

Answer 375

A) Amazon ECS with EC2 launch type

Answer 376

D) Amazon Athena

Answer 377

A) Deploy instances in multiple Availability Zones

Answer 378

A) AWS Key Management Service (KMS)

Answer 379

Answer: A) S3 Cross-Region Replication (CRR)

Answer 380

C) Amazon VPC

Answer 381

A) Add an MFA condition in the IAM policy

Answer 382

C) AWS Elastic Beanstalk

Answer 383

A) AWS WAF

Answer 384

✅ Answers: A, B, C

Answer 385

✅ Answers: A, B, D

Answer 386

✅ Answers: A, C, E

Answer 387

✅ Answers: A, C, D

Answer 388

✅ Answers: A, B, C

Answer 389

✅ Answers: A, B, D

Answer 390

✅ Answers: A, B, C

Answer 391

✅ Answers: B, C, E

Answer 392

✅ Answers: A, B, D

Answer 393

✅ Answers: A, B, D

Answer 394

✅ Answers: A, C, D

Answer 395

✅ Answers: A, C, D

Answer 396

✅ Answers: A, B, C

Answer 397

✅ Answers: A, B, D

Answer 398

✅ Answers: A, B, C

Answer 399

✅ Answers: A, B, C

Answer 400

✅ Answers: A, B, D

Answer 401

✅ Answers: A, B, D

Answer 402

✅ Answers: A, B, D

Answer 403

✅ Answers: A, B, C

Answer 404

✅ Answers: A, B, D

Answer 405

✅ Answers: A, B, E

Answer 406

✅ Answers: A, C, D

Answer 407

✅ Answers: A, B, D

Answer 408

✅ Answers: A, B, C

Answer 409

✅ Answers: A, B, C

Answer 410

✅ Answers: A, B, C

Answer 411

✅ Answers: A, B, C

Answer 412

✅ Answers: A, B, E

Answer 413

✅ Answers: A, B, C

Answer 414

✅ Answers: A, B, D

Answer 415

✅ Answers: A, B, C

Answer 416

✅ Answers: A, B, C

Answer 417

✅ Answers: A, C, D

Answer 418

✅ Answers: A, B, C

Answer 419

✅ Answers: A, B, C

Answer 420

✅ Answers: A, B, C

Answer 421

✅ Answers: A, C, D

Answer 422

✅ Answers: A, B, E

Answer 423

✅ Answers: A, B, C

Answer 424

✅ Answers: A, B, C

Answer 425

✅ Answers: A, B, C

Answer 426

✅ Answers: A, B, C

Answer 427

✅ Answers: A, B, C

Answer 428

✅ Answers: A, B, C

Answer 429

✅ Answers: A, B, D

Answer 430

✅ Answers: A, B, C

Answer 431

✅ Answers: A, B, C

Answer 432

✅ Answers: A, B, C

Answer 433

✅ Answers: A, B, C

AWS Solutions Architect Flashcards

AWS architecture (465 cards)