AWS UseCases

Question 1

EC2 needs access to sensitive data in S3. Cannot travers the internet must use private IPs. S3 can only allow access from services in the VPC

Answer 1

• Create a VPC Gateway endpoint for the S3 buck

- Enable a bucket policy to restrict S3 access

Question 2

A company needs to migrate 50TB of data into AWS within a month. They also want a secure and reliable private connection

Answer 2

• Use a snowball device for the initial 50TBs

- Order a Direct Connect that could take over a month

Question 3

Website developers needs a solution for a static website over https without managing server infrastructure and should be scalable as the company grows.

Answer 3

• Cloud Front with S3 as the origin
• since its https vs http
• can restrict with OAI - origin access identity

Question 4

RDS postgres is configured in Multi-az. Need to scale read performance and the solution must be configured for high availablity.

Answer 4

• Create a read replica as a Multi-az DB

Question 5

A shared services VPC is being created for use by several AWS accounts. An application needs to be security shared from the shared services vpc.

Answer 5

• Use AWS private link to expose the application as an endpoint
• Use a NLB to front the application.
• IP in the VPC

Question 6

A Web application that runs on EC2 instance behind an ELB and all data in transit must be encrypted. How is this accomplished for both ALB and NLB?

Answer 6

• Using an ALB with HTTP Listener - Install Certs on ALB and EC2 Terminate on ALB and send to EC2
• Using an NLB with TCP listener - terminate on EC2 - pass through

Question 7

Easiest way to block access to content from certain countries

Answer 7

Use Cloudfront to serve the application and block the content.

Question 8

Restrict access to Dynamo DB to specific private source IPs from their VPC… what network resources?

Answer 8

Use a VPC Gateway endpoint.

Question 9

EC2 instances need to make api calls to Dynamo DB from your VPC where it does not go over the internet.

Answer 9

• Create a VPC Gateway endpoint

- add a route to the endpoint

Question 10

Can an ALB be used to redirect clients to another region if a health check fails?

Answer 10

No. It only identifies the health of targets.

Question 11

What EBS storage should be used with a variable Disk I/O with peaks up to 3000 IOPS?

Answer 11

gp2… since it can burst to 3000 IOPS for an extended period of time

Question 12

Aurora replica in Multi-AZ configuration. DB reads are high and causing performance issues. What can you do.

Answer 12

Update the app to read from the aurora replica.

Question 13

How do you add encryption to a DirectConnect Connection?

Answer 13

Use a Virtual Private Gateway (VPG) A VPG is used to setup an AWS VPN which you can use in combination with DX to provide IPSEC-encrypted private comms.

You can’t just enable IPSec on the DX… that is not an option.

Question 14

How can an ASG be used with an SQS queue to scale.

Answer 14

Use a custom cloud watch metric for the number of messages in the queue. Configure the ASG to scale based on the metric.

Question 15

How can a security team limit access to specific services or actions in all of the teams AWS accounts that are part of a large org in AWS Organizatinos.

Answer 15

Use an SCP in the root org unit

Question 16

Does CloudWatch Container Insights work with EKS?

Answer 16

Yes it does… with both ECS and EKS

Question 17

Need to scale read ops within a region for an Aurura DB… what do you implement

Answer 17

Aurora Replicas - these offer standby and read scaling

Question 18

How to block malicious traffic from the same CIDR range… Security Group or NACL/

Answer 18

Use the NACL Inbound rule to block that CIDR range.

Question 19

What protocol does CloudFront support?

Answer 19

HTTP/HTTPS only

Question 20

Can cloudfront expose static public IP addresses?

Answer 20

No

Question 21

Mutiple consumer apps have total reads exceeding the per-shard limits of a Kinesis data stream…. how can this be resolved?

Answer 21

Increase the number of shards

Question 22

How are custom EC2 metrics enabled?

Answer 22

Use CloudWatch Agent

Question 23

Which AWS service is used to Accelerate the migration of on-prem data to S3

Answer 23

AWS DataSync… StorageGateway is used for hybrid scenarios where servers need local access to data

Question 24

Steps to create a SSO solution for users signed into the organizations active directory

Answer 24

Call the AWS STS AssumeRole or GetFederationToken API to obtain temp access
Call the AWS federation endpoint and supply the temp access to get the token

Question 25

Provide temporary AWS credentials for users who are guests (unathorized) and for Users who have been authenticated and received a token. Is a store of user identity data specific to your account

Answer 25

Cognito identity pools

Question 26

Allows users to sign into web or mobile apps through AWS Cognitio

Answer 26

User Pools

Question 27

What AWS S3 access control method should be used to grant API access.

Answer 27

IAM Policy | Grant Programmatic access

Question 28

A webservice that enables biz, research, data analysis, and developers to easily and cost effectively process vast amounts of data.

Answer 28

EMR

Question 29

Which service allows programmatically access to the IAM WebServer? How is this authenticated

Answer 29

Query API | Access KeyID and secret access key

Question 30

How can I limit traffic to the DB from only the web tier

Answer 30

Add the webtier security group to the DB security group for the assigned DB port

Question 31

AWS services that Allows security access and authentication to manage on-prem and AWS resources via console...

Answer 31

AWS STS and SAML

Question 32

On prem app to connect to AWS API Gateway…all api calls use private address and avoid inet

Answer 32

Use private virtual interface and creat a vpc endpoint

Question 33

Make updates in cloud formation with preview option for complexity

Answer 33

Use change sets

Question 34

Can tags be used in IAM policies?

Answer 34

Yes. Use this to segment access based on tags

Question 35

Vpc info needed by lambda to connect to vpc resources?

Answer 35

Subnet ids | Security group ids

Question 36

ElasticCache that supports multi-thread

Answer 36

Memcached

Question 37

Can IAM groups be principals in policies?

Answer 37

No

Question 38

Can IAM groups assume a role?

Answer 38

No

Question 39

Which service uses multiple dynamically changing IPs. CloudFront or GlobalAccelerator?

Answer 39

CloudFront

Question 40

Which service uses a set of static IPs as fixed entry points?

Answer 40

Global Accelerator

Question 41

Global Accelerator uses what protocols?

Answer 41

Http and non http such as TCP and UDB

Question 42

What service uses edge to cache?

Answer 42

CloudFront

Question 43

What service uses edge to find the optimal pathway to the nearest region

Answer 43

Global Accelerator

Question 44

Use this to provide low latency live sports via an application using udp?

Answer 44

Global Accelerator

Question 45

Should I use step functions or SWF for lambda workflow?

Answer 45

Step functions first

Question 46

CloudFront price class

Answer 46

Where the content will be cached. Better performance

Question 47

What is the lambda timeout

Answer 47

15 minutes

Question 48

Can an ALB authenticate a user via facebook or google?

Answer 48

Yes... Use ALB authentication action listener rule that configures AWS Cognito USER pool with social IDPs

Question 49

These containers will use several AWS services. A container from one customer must not be able to access data from another customer.

Answer 49

Use IAM Roles for Tasks

Question 50

Can an ALB be a cloudfront origin

Answer 50

Yes

Question 51

What sse can use customer keys stored and managed in aws

Answer 51

SSE-KMS

Question 52

SSE that uses customer keys that are not stored in aws

Answer 52

SSE-c

Question 53

Transfer more than 10pbs

Answer 53

Snowmobile

Question 54

Can CloudFront route to specific regions based on price class?

Answer 54

No. Only on connect

Question 55

How many CloudFront price classes

Answer 55

3 Default- all regions Most Cheapest

Question 56

Stream data from S3 to kenisis

Answer 56

Use DMS as an option

Question 57

What is the RPO for PilotLight

Answer 57

A few minutes

Question 58

Only resource based policy that the IAM service supports

Answer 58

Trust policy

Question 59

Which snow family supports storage clustering

Answer 59

Snowball edge compute optimized

Question 60

Host multiple tls secured apps behind a single alb. Multiple HTTPS endpoints behind a single alb

Answer 60

SSL certificates with sni

Question 61

Grant additional permissions to an individual ECS application container on an ECS cluster that you have deployed without granting additional permissions to the other containers that are running on the cluster.

Answer 61

Create a separate Task Definition for the application container that uses a different Task Role

Question 62

implement more granular level security controls in ECS

Answer 62

achieved using IAM roles for tasks, and splitting the containers according to the permissions required to different task definition profiles

Question 63

Which sse is integrated with cloudtrail

Answer 63

Sse-kms

Question 64

Can you use cognito user pools with CloudFront

Answer 64

Nope. Plug it into the ALB instead

Question 65

DNS caching impacts route 53. Use global accelerator instead

Answer 65

True

Question 66

Which kinesics automatically scales to match the throughput?

Answer 66

Firehose… you have to add shards to Data streams