Deck 1 Flashcards by Trevor Christie-Taylor

How much data can be stored on S3

Unlimited

How well did you know this?

Not at all

Perfectly

An object can be of any size ranging from 1 byte to

5 TB

How well did you know this?

Not at all

Perfectly

The largest object that can be uploaded in a single PUT is

5 GB

How well did you know this?

Not at all

Perfectly

What does cloudformation not support

Amazon Glacier

How well did you know this?

Not at all

Perfectly

The AWS Storage Gateway is

a service connecting an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization’s on-premises IT environment and AWS’s storage infrastructure.

How well did you know this?

Not at all

Perfectly

What kind of security is used on Amazon Glacier

Amazon Glacier is protected using serverside encryption. AWS generates separate unique encryption keys for each Amazon Glacier archive, and encrypts it using AES-256. The encryption key then encrypts itself using AES-256 with a master key that is stored in a secure location.

How well did you know this?

Not at all

Perfectly

In Amazon Glacier, the volume of storage billed in a month is based on the average storage used throughout the month, measured in

Gigabyte months

How well did you know this?

Not at all

Perfectly

Amazon Glacier prepares an inventory for each vault periodically, every _______. If there have been no archive additions or deletions to the vault since the last inventory, _______________________

24 Hours

The inventory date is not updated

How well did you know this?

Not at all

Perfectly

There is no maximum limit to the total amount of data that can be stored in Amazon Glacier. Individual archives are limited to a maximum size of

40 Terabytes

How well did you know this?

Not at all

Perfectly

What is the limit of Glacier - Total Number of Archivers or Total Volume of archives

Neither

How well did you know this?

Not at all

Perfectly

Archives stored in Amazon Glacier are immutable which means

archives can be uploaded and deleted but cannot be edited or overwritten.

How well did you know this?

Not at all

Perfectly

What happens when the user requests to restore an S3 object archived in Glacier?

AWS S3 creates temporary copy of the object in RRS.

How well did you know this?

Not at all

Perfectly

For customers who have architected complex transactional databases using EBS, it is recommended that

backups to Amazon S3 be performed through the database management system so that distributed transactions and logs can be checkpointed

How well did you know this?

Not at all

Perfectly

AWS Import/Export supports:

Import to Amazon S3
Export from Amazon S3
Import to Amazon EBS
Import to Amazon Glacier

How well did you know this?

Not at all

Perfectly

AWS Import/Export does not currently support

export from Amazon EBS or Amazon Glacier.

How well did you know this?

Not at all

Perfectly

In Amazon Glacier, which operations require programming?

In Amazon Glacier, any archive operation, such as upload, download, and delete, requires programming. There is no console support for archive operations.

How well did you know this?

Not at all

Perfectly

Some services support resource-based permissions, which let you attach policies to the service’s resources instead of to IAM users or groups which services are these?

Resource-based permissions are supported by Amazon S3, Amazon SNS, and Amazon SQS.

How well did you know this?

Not at all

Perfectly

AWS S3 provides multiple options to achieve the protection of data at REST. The options include

Configurable Protections
Permission (Policy), 
Encryption (Client and Server Side), 
Bucket Versioning  
MFA based delete. 
Automatic Protections
Replication across all availability zones

How well did you know this?

Not at all

Perfectly

What does s3 stand for

Simple Storage Service

How well did you know this?

Not at all

Perfectly

How do you allow anyone to access your S3 bucket

use an Amazon S3 bucket policy that specifies a wildcard (*)

How well did you know this?

Not at all

Perfectly

Using multipart upload provides the following advantages:

Improved throughput—You can upload parts in parallel to improve throughput.
Quick recovery from any network issues—Smaller part size minimizes the impact of restarting a failed upload due to a network error.
Pause and resume object uploads—You can upload object parts over time. Once you initiate a multipart upload there is no expiry; you must explicitly complete or abort the multipart upload.
Begin an upload before you know the final object size—You can upload an object as you are creating it.

How well did you know this?

Not at all

Perfectly

You have been given a scope to set up an AWS Media Sharing Framework for a new start up photo sharing company similar to flickr. The first thing that comes to mind about this is that it will obviously need a huge amount of persistent data storage for this framework. Which of the following storage options would be appropriate for persistent storage?

Persistent storage—If you need persistent virtual disk storage similar to a physical disk drive for files or other data that must persist longer than the lifetime of a single Amazon EC2 instance, Amazon EBS volumes or Amazon S3 are more appropriate

How well did you know this?

Not at all

Perfectly

How are you billed for Virtual Tape Shelf usage on Glacier

You are billed for the virtual tape data you store in Amazon Glacier. You are only billed for the portion of virtual tape capacity that you use, not for the size of the virtual tape.

How well did you know this?

Not at all

Perfectly

For Amazon Web Services, the Web identity federation allows you to create cloud-backed mobile apps that

use public identity providers, such as login with Facebook, Google or Amazon

How well did you know this?

Not at all

Perfectly

You are designing a web application that stores static assets in an Amazon Simple Storage Service (S3) bucket. You expect this bucket to immediately receive over 150 PUT requests per second. What should you do to ensure optimal performance?

Add a random prefix to the key names.

A client application requires operating system privileges on a relational database server. What is an appropriate configuration for highly available database architecture?

Not RDS - no operating system privileges

A Solutions Architect is designing a web application. The web and application tiers need to access the Internet, but they cannot be accessed from the Internet. Which of the following steps is required?

Launch a NAT gateway in the public subnet and add a route to it from the private subnet.

An Administrator is hosting on application on a single Amazon EC2 instance, which users can access by the public hostname. The administrator is adding a second instance, but does not want users to have to decide between many public hostnames. Which AWS service will decouple the users from specific Amazon EC2 instances?

Auto Scaling group

You are launching an application in an Auto Scaling group. To store the user session state, you need a structured storage service with durability and low latency. Which service meets your needs?

Amazon DynamoDB

A Solutions Architect is designing a three-tier web application that includes an Auto Scaling group of Amazon EC2 Instances running behind an ELB Classic Load Balancer. The security team requires that all web servers must be accessible only through the Load Balancer and that none of the web servers are directly accessible from the Internet. How should the Architect meet these requirements?

Create an Amazon CloudFront distribution in front of the ELB Classic Load Balancer

A company has a workflow that sends video files from their onpremise system to AWS for Trans coding. They use EC2 worker instances that pull Trans coding jobs from SQS an appropriate service for this scenario?

SQS helps to facilitate horizontal scaling of encoding tasks

A photo sharing service stores pictures in Amazon Simple Storage Service (S3) and allows application signin using an Open ID Connect compatible identity provider. Which AWS Security Token approach to temporary access should you use for the Amazon S3 operations?

SAML-based identity Federation

A company has reproducible data that they want to store on Amazon Web Services. The company may want to retrieve the data on a frequent basis. Which Amazon web services storage option allows the customer to optimize storage costs and still achieve high availability for their data?

Amazon S3 Reduced Redundancy Storage

A Solutions Architect is designing an application in AWS. The Architect must not expose the application or database tier over the Internet for security reasons. The application must be low-cost and have a scalable front end. The databases and application tier must have only one-way Internet access to download software and patch updates Which solution helps to meet these requirements?

Use an ELB Classic Load Balancer as the front end for the application tier, and a NAT Gateway to allow Internet access for private resources

Application Load Balancers, Network Load Balancers, and Classic Load Balancers. There is a key difference between the way you configure these load balancers

With Application Load Balancers and Network Load Balancers, you register targets in target groups, and route traffic to the target groups. With Classic Load Balancers, you register instances with the load balancer.

A customer owns a MySQL database that is accessed by various clients who expect, at most 100 ms latency on requests. Once a record is stored in the database, it is rarely changed Clients only access one record at a time. Database access has been increasing exponentially due to increased client demand. The resultant load will soon exceed the capacity of the most expensive hardware available for purchase. The customer wants to migrate to AWS, and is willing to change database systems. Which service would alleviate the database load issue and offer virtually unlimited scalability for the future?

Amazon Redshift

What is the minimum interval for the data that Amazon CloudWatch receives and aggregates?

1 Minute

Your Amazon RDS MySQL DB instance runs on the largest available instance type. The DB instance runs at near capacity for CPU and network bandwidth. You expect traffic to increase and are looking for ways you can continue to scale your database. Which strategies allow you to continue to scale and take on more traffic?

D. Create a read replica of the master database in another Availability Zone (needs to be another AZ); configure the app to send read-only calls to the replica. E. Create an Amazon Elasticache cluster; configure the app to retrieve frequently accessed data and queries from the cache.

After launching an instance that you intend to serve as NAT (Network Address Translation) device in a public subnet you modify your route tables to have the NAT device be the target of internet bound traffic of your private subnet. When you try and make an outbound connection to the internet from an instance in the private subnet, you are not successful. Which of the following steps could resolve the issue?

A. Disabling the Source/Destination check attribute on the NAT instance

If you choose to create a NAT gateway in your VPC, you are charged for

each “NAT Gateway-hour" that your NAT gateway is provisioned and available

Data transfer costs for transferring data in the same region and within the same availability zone are zero, with one caveat

you must be using a private IP address.

When an EC2 EBSbackend (EBS root) instance is stopped. What happens to the data on any Ephemeral store volumes?

Data will be deleted and will no longer be accessible

A customer's security team requires the logging of all network access attempts to Amazon EC2 instances in their production VPC on AWS.Which configuration will meet the security team's requirement?

Enable VPC Flow Logs for the production VPC.

A company collects click-stream data from amazon EC2 instances that are in an auto scaling group. The age data feeds a centralized dashboard and is critical to the company's business. Which method will help ensure data is collected before an auto scaling policy terminates an instance from the auto scaling group?

Use Auto Scaling lifecycle hooks

You are designing a scalable web application with stateless web servers. Which service or feature is well suited to store user session information?

Amazon EC2 instance store

A company has a popular multi-player mobile game hosted in its on-premises datacenter. The current infrastructure can no longer keep up with demand end the company is considering a move to the cloud. Which solution should a Solutions Architect recommend as me MOST scalable and cost- effective solution to meet these needs?

Amazon EC2 and an Application Load Balancer

A customer has a public-facing web application hosted on a single amazon Elastic compute Cloud (EC2) instance and serving videos directly from an amazon simple storage service bucket. Which of the following will restrict third parties from directly accessing the video assets in the bucket?

Use a bucket policy to only allow the public IP address of the Amazon EC2 instance hosting the customer website

You need a solution to distribute traffic across all the containers for a task running on Amazon ECS. Your task definitions define dynamic host port mapping for your containers. What AWS feature provides this functionality?

Application Load Balancers support dynamic host port mapping

You are running a web application with four Amazon EC2 instances across two Availability Zones. The instances are in an Auto Scaling group behind an ELB Classic Load Balancer. A scaling event adds one instance to the group. After the event, you notice that, although all instances are serving traffic, some instances are serving more traffic than others. Which of the following could be the problem?

Cross-zone load balancing is not configuring on the ELB Classic Load Balancer

You are working with a customers who is using chef configuration management in their data center. Which service is designed to let the customer leverage existing chef recipes in AWS?

AWS OpsWorks

A company has a workflow that uploads video files from their data center to AWS for transcoding. They use Amazon EC2 worker instances that pull transcoding jobs from SQS. Why is SQS an appropriate service for this scenario?

SQS checks the health of the worker instances.

A Solutions Architect is designing a solution for a media company that will stream large amounts of data from an Amazon EC2 instance. The data streams are typically large and sequential, and must be able to support up to 500 MB/s. Which storage type will meet the performance requirements of this application?

EBS Throughput Optimized HDD

A retail company has sensors placed in its physical retail stores. The sensors send messages over HTTP when customers interact with in-store product displays. A Solutions Architect needs to implement a system for processing those sensor messages; the results must be available for the Data Analysis team. Which architecture should be used to meet these requirements?

Implement an Amazon API Gateway to server as the HTTP endpoint. Have the API Gateway trigger an AWS Lambda function to process the messages, and save the results to an Amazon DynamoDB table.

Can a placement group be deployed across multiple availability zones?

Yes

You can launch or start instances in a placement group, which determines how instances are placed on underlying hardware. When you create a placement group, you specify one of the following strategies for the group

Cluster – clusters instances into a low-latency group in a single Availability Zone Partition – spreads instances across logical partitions, ensuring that instances in one partition do not share underlying hardware with instances in other partitions Spread – spreads instances across underlying hardware

The Trusted Advisor service provides insight regarding which four categories of an AWS account?

Performance, cost optimization, security, and fault tolerance

A company has an application that uses Amazon CloudFront for content that is hosted on an Amazon S3 bucket. After an unexpected refresh, the users are still seeing old content. Which step should the Solutions Architect take to ensure that new content is displayed?

Change the TTL value tor removing the old objects.

You are deploying an application to track GPS coordinates of delivery trucks in the United States. Coordinates are transmitted from each delivery truck once every three seconds. You need to design an architecture that will enable real-time processing of these coordinates from multiple consumers. Which service should you use to implement data ingestion?

Amazon Kinesis

A Solutions Architect needs a storage solution for a fleet of Linux web application servers. The solution should provide file system interface and be able to support millions of files. Which AWS service should the Architect choose?

Amazon Elastic File System

A Solutions Architect needs to convert potential single points of failure to a highly-available configuration. The current architecture contains Amazon EC2 instances with databases running in one Availability Zone. Web-tier resources have not been given public addresses, but still require Internet access. Which solution should the Architect use to maintain high availability?

Use ELB Classic Load Balancer with the web tier. Deploy EC2 instances in two Availability Zones and enable Multi-AZ RDS Deploy NAT gateways in both Availability Zones

Which services natively encrypts data at rest within an AWS region? Choose 2 answers

Amazon Glacier | AWS storage Gateway

A popular e-commerce application runs on AWS. The application encounters performance issues. The database is unable to handle the amount of queries and load during peak times. The database is running on the RDS Aurora engine on the largest instance size available. What should an administrator do to improve performance?

Convert the database to use EBS Provisioned IOPS.

A Solution Architect is trying to bring a data warehouse workload to an Amazon EC2 instance. The data will reside in Amazon EBS volumes and full table scans will be executed frequently. What type of Amazon AWS EBS volume would be most suitable in this scenario?

General Purpose SSD (BUT WHY?)

A company wants to migrate a highly transactional database to AWS Requirements state that the database has more than 6 TB of data and will grow exponentially. Which solution should a Solutions Architect recommend?

Amazon Aurora

Your company has set up an application in eu-west1 with a disaster recovery site in eu-central-1. You want to be notified of any AWS API activity in regions other than these two. How can you monitor AWS API activity in other regions?

Create a CloudWatch alarm for CloudTrail events

You are building a solution for a customer to extend their on-premises data centre to AWS. The customer requires a 50-Mbps dedicated and private connection to their VPC. Which AWS product or feature satisfies this requirement?

AWS Direct Connect

A Solutions Architect is building an application on AWS that will require 20,000 IOPS on a particular volume to support a media event. Once the event ends, the IOPS need is no longer required. The marketing team asks the Architect to build the platform to optimize storage without incurring downtime. How should the Architect design the platform to meet these requirements?

Change the EBS volume type to Provisioned IOPS.

What is AWS STS?

AWS Security Token Service

Name 2 security functions that are based on AWS STS?

1. Using Web federated identity to authenticate users | 2. Using access keys to authenticate IAM users

If you have an s3 endpoint in your VPC does this mean that no systems outside of your VPC can access the endpoint

No - the default policy allows full access to all AWS buckets and does not change the existing access to the buckets

What is Amazon Athena?

A service that queries log files in a similar way to SQL

Change the TTL value tor removing the old objects.

You're building an API backend available at services.yourcompany.com. The API is implemented with API Gateway and Lambda. You successfully tested the API using curl. You implemented JavaScript to call the API from a webpage on your corporate website, www.yourcompany.com. When you access that page in your browser, you get the following error: "The same origin policy disallows reading the remote resource" How can you allow your corporate webpages to invoke the API?

Enable CORS in the API Gateway

A bank is writing new software that is heavily dependent upon database transactions for write consistency. The application will also occasionally generate reports on data in the database, and will do joins across multiple tables. The database must automatically scale as the amount of data grows. Which AWS service should be used to run the database?

Amazon DynamoDB

S3 provides read-after-write consistency for any type of PUT or DELETE. True or False?

False | S3 provides eventual consistency for overwrite PUTS and DELETES.

A Solutions Architect is designing a mobile application that will capture receipt images to track expenses. The Architect wants to store the images on Amazon S3. However, uploading images through the web server will create too much traffic. What is the MOST efficient method to store images from a mobile application on Amazon S3?

Upload directly to S3 using a pre-signed URL

Your existing web application requires a persistent key-value store database that must service 50,000 reads/second. Your company is looking at 10% growth in traffic and data volume month over month for the next several years. Which service meets these requirements?

Amazon DynamoDB

AWS is responsible for Encryption of traffic within a virtual private cloud (True or False)

False

Amazon Kinesis

Amazon ElastiCache

True or false Amazon Glacier natively encrypts data at rest within an AWS region

True

True of false Amazon Storage Gateway natively encrypts data at rest within an AWS region

True

Convert the database to use EBS Provisioned IOPS.

C. General Purpose SSD (gp2)

Amazon EBS provides a range of options that allow you to optimize storage performance and cost for your workload. These options are divided into two major categories

1. SSD-backed storage for transactional workloads, such as databases and boot volumes 2. HDD-backed storage for throughput intensive workloads, such as MapReduce and log processing

One would use SSD volumes for ________ intensive work loads but HDD volumes for ________ intensive

IOPS intensive | MB/s intensive

Create a CloudWatch alarm for CloudTrail events

AWS Direct Connect

Change the EBS volume type to Provisioned IOPS.

Which security functions are based on AWS STS? Choose 2 answers A. Adding conditions to managed policies B. Using Web federated identity to authenticate users C. Using IAM roles with Amazon EC2 instances D. Assigning managed policies to IAM groups E. Using access keys to authenticate IAM users

B and E

A Solutions Architect is designing a VPC. Instances in a private subnet must be able to establish IPv6 traffic to the Internet. The design must scale automatically and not incur any additional cost. This can be accomplished with:

an egress-only internet gateway

An organization hosts 10 microservices, each in an Auto Scaling group behind individual Classic Load Balancers Each EC2 instance is running at optimal load. Which of the following actions would allow the organization to reduce costs without impacting performance? A. Reduce the number of EC2 instances behind each Classic Load Balancer B. Change instance types in the Auto Scaling group launch configuration. C. Change the maximum size but leave the desired capacity of the Auto Scaling groups D. Replace the Classic Load Balancers with a single Application Load Balancer

B. Change instance types in the Auto Scaling group launch configuration.

A Solutions Architect is about to deploy an API on multiple EC2 instances in an Auto Scaling group behind an ELB The support team has the following operational requirements 1 They get an alert when the requests per second go over 50,000 2 They get an alert when latency goes over 5 seconds 3 They can validate how many times a day users call the API requesting highly-sensitive data Which combination of steps does the Architect need to take to satisfy these operational requirements? (Select TWO.)

B. Create a custom CloudWatch metric to monitor the API for data access D. Ensure that detailed monitoring for the EC2 instances is enabled

A customer needs to deploy a NoSQL-based datastore to Amazon EC2 instances. The NoSQL software has native replication for durability of the data store. Which of the following storage options is the most cost-effective and performs best for the data store? A. Amazon EBS Magnetic volumes B. Amazon EBS provisioned IOPS volumes C. Amazon EBS general purpose SSD volumes D. SSD-based Amazon EC2 instance store volumes

B. Amazon EBS provisioned IOPS volumes

An organization runs an online voting system for a television program. During broadcasts, hundreds of thousands of votes are submitted within minutes and sent to a front-end feet of auto- scaled Amazon EC2 instances. The EC2 instances push the votes to a RBDMS database. The database is unable to keep up with the front-end connection requests. What is the MOST efficient and cost-effective way of ensuring that votes are processes in a timely manner?

Each front-end node should send votes to an Amazon SQS queue. Provision worker instances to read the SQS queues and process the message information into the RBDMS database

A Solutions Architect is developing a solution for sharing files in an organization. The solution must allow multiple users to access the storage service at once from different virtual machines and scale automatically. It must also support file-level locking. Which storage service meets the requirements of this use case?

Amazon EFS

A TTL can be set for an Alias record in Amazon Route 53. (True or False)

False

What does TTL in DNS mean

TTL (Time to Live) is a setting for each DNS record that specifies how long a resolver is supposed to cache (or remember) the DNS query before the query expires and a new one needs to be done

An Amazon Route 53 Alias record can point to any DNS record hosted anywhere (True or False)

False

An Amazon Route 53 CNAME record can point to any DNS record hosted anywhere. True or False

True

A company is using AWS Key Management Service (AWS KMS) to secure their Amazon RDS databases. An auditor has recommended that the company log all use of their AWS KMS keys. What is me SIMPLEST solution?

Use AWS CloudTrail to log AWS KMS key usage.

A Solutions Architect needs to design an Amazon EC2 duster to analyze data that is currently stored in Amazon S3. A key requirement is to utilize the fastest storage service available when analyzing the data locally on the Amazon EC2 instance. Which of the following storage types should the Architect choose to meet the requirement? A. AWS Storage Gateway B. Amazon EBS using Provisioned IOPS (PIOPS) C. Amazon EC2 instance (ephemeral) Store D. Amazon Glacier

B. Amazon EBS using Provisioned IOPS (PIOPS)

You manually launch a NAT AMI in a public subnet. The network in properly configured. Security groups and network access control lists are properly configured. Instances in a private subnet can access the NAT. The NAT can access the internet. However, private instances cannot access the internet. What additional step is required to allow access from the private instances? A. Enable Source/Destination check on the private instances B. Enable Source/Destination check on the NAT instance C. Disable Source/Destination check on the private instance D. Disable Source/Destination check on the NAT instance

D. Disable Source/Destination check on the NAT instance

Which of the following are true regarding encrypted Amazon Elastic Block Store (EBS) volumes? Choose 2 answers A. Snapshots are automatically encrypted B. Existing volumes can be encrypted C. Supported on all Amazon EBS volume types D. Available to all instances types E. Shared volumes can be encrypted

A. Snapshots are automatically encrypted | C. Supported on all Amazon EBS volume types

A customer need to capture all client connection information from their load balancer every five minutes. The company wants to use this data for analyzing traffic patterns and troubleshooting their applications. Which of the following options meets the customer requirements? A. Enable access logs on the load balancer B. Enable Amazon CloudWatch metrics on the load balancer C. Enable AWS CloudTrail for the load balancer D. Install the Amazon CloudWatch logs agent on the load balancer Why is B not the right answer

A. Enable access logs B is not correct because Elastic Load Balancing reports metrics to CloudWatch only when requests are flowing through the load balancer. If there are requests flowing through the load balancer, Elastic Load Balancing measures and sends its metrics in 60-second intervals. If there are no requests flowing through the load balancer or no data for a metric, the metric is not reported.

Spot Instances are a cost-effective choice if

you can be flexible about when your applications run and if your applications can be interrupted.

Scheduled Reserved Instances (Scheduled Instances) enable you to purchase capacity reservations that

recur on a daily, weekly, or monthly basis, with a specified start time and duration, for a one-year term.

which storage service office single-digit millisecond latency at any scale

DynamoDB

You are deploying an application to collect votes for a very popular television show. Millions of users will submit votes using mobile devices. The votes must be collected into a durable, scalable, and highly available data store for real-time public tabulation. Which service should you use?

Amazon Kinesis

If you want to setup a web server on EC2 with multiple Virtual Hosts Using distinct SSL certificates you need to:

Create one Amazon Elastic Load Balancer with SSL termination

What is Latency-based Routing

If your application is hosted in multiple AWS Regions, you can improve performance for your users by serving their requests from the AWS Region that provides the lowest latency.

Name three AWS services that are not Lambda Event Sources

Amazon Route53 Amazon Redshift Elastic Load Balancing

What is a placement group?

A feature that enables EC2 instances to interact with each other via high bandwidth, low latency connections

What allows you to extend your queries to your S3 data lake without having to load the data

Amazon Athena

_________ is a tool designed to work with data of up to dozens of petabytes. Powered by PostgreSQL, it is mostly applied to any kind of SQL applications with minimum changes

Amazon Redshift

Redshift is a cloud-based data warehouse offered by Amazon. It exposes a Postgres-like interface, but under the hood it’s different in a couple ways:

Data is stored in columns It is distributed It doesn’t support indexes Constraints aren’t enforced

Is it possible to encrypt and existing unencrypted EBS volume

A global multi-player game has a multi-master topology, storing data in multiple AWS regions. Each master stays in sync by consuming and replaying the changes that occur in the remote regions. How could you do this?

DynamoDB streams

A Solutions Architect must design a solution that encrypts data in Amazon S3 Corporate policy mandates encryption keys be generated and managed on premises Which solution should the Architect use to meet the security requirements?

SSE-KMS. Server-side encryption with AWS KMS managed keys

Why would you create your own CMK?

Creating your own CMK gives you more flexibility, including the ability to create, rotate, disable, and define access controls, and to audit the encryption keys used to protect your data.

A Solutions Architect is designing a microservices-based application using Amazon ECS. The application includes a WebSocket component, and the traffic needs to be distributed between microservices based on the URL. Which service should the Architect choose to distribute me workload?

ELB Application Load Balancer

A customer owns a simple API for their website that receives about 1,000 requests each day and has an average response time of 50 ms. It is currently hosted on one c4.large instance. Which changes to the architecture will provide high availably at the LOWEST cost?

Recreate the API using Amazon API Gateway and use AWS Lambda as the service backend.

Why is the API gateway plus lambda sometimes the cheapest?

It is a charge per request model so when there are not a large number of requests charges are minimal

What is Throughput Optimized HDD (st1) designed for

Designed for high-throughput MapReduce, Kafka, ETL, log processing, and data warehouse workloads

An organization is currently hosting a large amount of frequently accessed data consisting of key-value pairs and semi-structured documents in their data center. They are planning to move this data to AWS. Which of one of the following services MOST effectively meets their needs?

Amazon DynamoDB

You are working with a customer who is using Chef configuration management in their data center. Which service is designed to let the customer leverage existing Chef recipes in AWS?

AWS OpsWorks

How do you encrypt data in redshift?

You can enable encryption when you launch your cluster, or you can modify an unencrypted cluster to use AWS Key Management Service (AWS KMS) encryption

If you are using AWS Key Management Service (AWS KMS) encryption to encrypt a Redshift cluster do you use a an AWS-managed key or a customer-managed key (CMK)

either

Why would you configure EBS volumes into a raid 0?

To increase throughput The standard RAID 0 advantage is that it provides n times higher data read and write where n is the number of EBS volumes within your RAID array.

Which set of Amazon S3 features helps to prevent and recover from accidental data loss?

Object versioning and Multi-factor authentication

An organization designs a mobile application for their customers to upload photos to a site The application needs a secure login with MFA. The organization wants to limit the initial ouiW time and maintenance of the solution. Which solution should a Solutions Architect recommend to meet the requirements?

Use Amazon Cognito Identity with SMS-based MFA

You originally built a VPC for a two-tier application. The subnets for the web and data tiers use all the IP address space in the VPC. Now you want to add subnets for an application tier. How can you accommodate the new subnets in your VPC?

Change the CIDR block for the VPC to create enough free address space for the new subnets

Which service should an organization use if it requires an easily managed and scalable platform to host its web application running on Nginx?

AWS Elastic Beanstalk

What is AWS Import / Export

A method of getting large numbers of data into AWS Storage using portable storage devices for transport

Which AWS service allows you to collect and process e-commerce data for near real-time analysis?

Amazon Elastic Map reduce

A Solutions Architect is designing a solution that can monitor memory and disk space utilization of all Amazon EC2 instances running Amazon Linux and Windows. Which solution meets this requirement? A. Default Amazon CloudWatch metrics B. Custom Amazon CloudWatch metrics C. Amazon inspector resource monitoring D. Detailed monitoring of Amazon EC2 instances

A. Default Amazon CloudWatch metrics

Your Auto Scaling group is configured to launch one new Amazon EC2 instance if the overall CPU load exceeds 65% over a five-minute interval. Occasionally, the Auto Scaling group launches a second Amazon EC2 instance before the first is operational. The second instance is not required and introduces needless compute costs. How can you prevent the Auto Scaling group from launching the second instance?

Add a scaling-specific cooldown period to the scaling policy

Your customers located around the globe require low-latency access to private video files. Which configuration meets these requirements? A. Use Amazon CloudFront with signed URLs B. Use Amazon EC2 with provisioned IOPS Amazon EBS volumes C. Use Amazon S3 with signed URLs D. Use Amazon S3 with access control lists

A. Use Amazon CloudFront with signed URLs

What is the difference between Provisioned IOPS SSD (io1) and Throughput Optimized HDD (st1)

Provisioned IOPS SSD (io1) Highest-performance SSD volume for mission-critical low-latency or high-throughput workloads Throughput Optimized HDD (st1) Low-cost HDD volume designed for frequently accessed, throughput-intensive workloads

Developers are creating a new online transaction processing (OLTP) application for a small database that is very read-write intensive. A single table in the database is updated continuously throughout the day, and the developers want to ensure that the database performance is consistent. Which Amazon EBS storage option will achieve the MOST consistent pertoimance to help maintain application performance? A. Provisioned IOPS SSD B. General Purpose SSD C. Cold HDD D. Throughput Optimized HDD

A. Provisioned IOPS SSD | Throughput Optimized HDD is lower cost but Provisioned IOPS SSD is more consistent

An application provides a feature that allows users to securely download private and personal files. The web server is currently overwhelmed with serving files for download. A Solutions Architect must find a more effective solution to reduce web server load and costs, and must allow users to download only their own files Which solution meets all requirements? A. Store the files securely on Amazon S3 and have the application generate an Amazon S3 pre-signed URL for the user to download. B. Store the files in an encrypted Amazon EBS volume, and use a separate set of servers to serve the downloads. C. Have the application encrypts the files and stores them in the local Amazon EC2 Instance Store prior to serving them up for download. D. Create an Amazon CloudFront distribution to distribute and cache the files.

D. Create an Amazon CloudFront distribution to distribute and cache the files.

If you store your objects in an Amazon S3 bucket, you can either have users get your objects directly from S3, or you can configure CloudFront to get your objects from S3 and then distribute them to your users. (True or false)

True

Is it possible to store an access key on an Amazon EC2 instance with rights to a Dynamo DB table.

Yes

A customer is hosting their company website on a cluster of web servers that are behind a public-facing load balancer. The customer also uses Amazon Route S3 to manage their public DNS. How should the customer configure the DNS zone apex record to point to the load balancer?

Create a CNAME record aliased to the load balancer DNS name

Per the AWS Acceptable Use Policy, Penetration testing of EC2 instances:

May be performed by the customer on their own instances with prior authorization from AWS

How would you choose between using amazon kinesis streams and firehose

use Kinesis Streams if you want to do some custom processing (with producers and consumers) with streaming data. With Kinesis Firehose you are simply ingesting it into S3, Redshift or ElasticSearch.

``` The AWS CloudHSM service is integrated with which of the following service? Choose 2 answers A. Amazon Elastic Block Store B. Amazon Simple Storage Service C. Amazon redshift D. Amazon DynamoDB E. Amazon RDS (Oracle) ```

C. Amazon redshift | E. Amazon RDS (Oracle)

What is CloudHSM?

Hardware Security Module a security service that offers isolated hardware security module (HSM) appliances to give customers an extra level of protection for data with strict corporate, contractual and regulatory compliance requirements.

``` Which of the following instance types are available as Amazon EBS backend only? A. General purpose T2 B. General purpose M3 C. Compute-optimized C4 D. Compute-optimized C3 E. Storage-optimized 12 ```

A. General purpose T2 | C. Compute-optimized C4

A user in account A has created a bucket and added a bucket policy allowing all actions for a user in account B. the user in account B has uploaded a file to the bucket, specifying Amazon S3 server-side encryption (SSE) and Amazon S3 reduced redundancy storage (RRS). Using the AWS management console, the user in account A attempts to download the file from the bucket but gets an "Access Denied" error. What is causing the error?

Account B user has not granted READ permission to account A user

Your security team requires each Amazon ECS task to have an IAM policy that limits the task's privileges to only those required for its use of AWS services. How can you achieve this?

Use IAM roles for Amazon ECS tasks to associate a specific IAM role with each ECS task definition

What is one key difference between an Amazon EBS-backed and an instance-store backed instance?

Amazon EBS-backed instances can be stopped and restarted

Within a VPC, you need to allow a wide range of ports, and block several non-contiguous ports within the range. Which option will allow you to do this ?

Using a network ACL, place a DENY rule for ports to be blocked after the ALLOW rule for the wide range of ports

A Solutions Architect was tasked with reviewing several templates that build VPCs and ensuring that they meet specific security requirements. After reviewing the templates, the Architect realizes that all of the templates are missing important security best practices. What should the Architect do to implement security best practices in an efficient manner?

Create AWS identity and Access Management (IAM) policies that enforce the corporate VPC architecture standards

For which of the following use cases are Simple Queue Service (SQS) and Amazon EC2 an appropriate solution? Choose 2 answers A. Using as a distributed session store for your web application B. Managing a multi-step and multi-decision checkout process of an e-commerce website C. Using as an SNS endpoint to trigger execution of video transcoding jobs D. Orchestrating the execution or distributed and auditable business processes E. Using as an encrypted to collect thousands of data points per hour from a distributed fleet of sensors

Orchestrating the execution or distributed and auditable business processes Using as an encrypted to collect thousands of data points per hour from a distributed fleet of sensors

Common Amazon SNS Scenarios

``` Fanout Push Email and Text Messaging Application and System Alerts Mobile Push Notifications Message Durability ```

A Solutions Architect needs to use AWS to implement pilot light disaster recovery for a three- tier web application hosted in an on-premises datacenter. Which solution allows rapid provision of a working, fully-scaled production environment? A. Continuously replicate the production database server to Amazon RDS Use AWS CloudFormation to deploy the application and any additional servers if necessary B. Continuously replicate the production database server to Amazon RDS Create one application load balancer and register on-premises servers Configure ELB Application Load Balancer to automatically deploy Amazon EC2 instances for application and additional servers if the on- premises application is down. C. Use a scheduled Lambda function to replicate the production database to AWS Use Amazon Route 53 health checks to deploy the application automatically to Amazon S3 if production is unhealthy D. Use a scheduled Lambda function to replicate the production database to AWS Register on-premises servers to an Auto Scaling group and deploy the application and additional servers if production is unavailable.

B. Continuously replicate the production database server to Amazon RDS Create one application load balancer and register on-premises servers Configure ELB Application Load Balancer to automatically deploy Amazon EC2 instances for application and additional servers if the on- premises application is down.

A development team is building an application win front-end and backend application tiers. Each tier consists of Amazon EC2 instances behind on ELB Classic Load Balancer. The instances run in Auto Scaling groups across multiple Availability Zones. The network team has allocated the 10.0.0.0/24 address space for this application. Only the front-end load balancer should be exposed to the Internet. There are concerns about the limited size of the address space and the ability of each tier to scale. What should the VPC subnet design be in each Availability Zone? A. One public subnet for the load balancer tier, one public subnet for the front-end tier, and one private subnet for the backend tier B. One shared public subnet for all tiers of the application C. One public subnet for the load balancer tier and one shared private subnet for the application tiers D. One shared private subnet for all tiers of the application

A. One public subnet for the load balancer tier, one public subnet for the front-end tier, and one private subnet for the backend tier

You are tasked with migrating a high throughput, distributed, fault-tolerent NoSQL data store to AWS. The system is extremely disk-IO intensive. Which instance family is best suited for this workload?

I2 eye-two

A stray Amazon EC2 r3.8xlarge instance is running in your AWS account. Before terminating it, you want to find the owner to confirm that it is not needed. Where can you find the identity that launched this instance? A. CloudTrail logs B. VPC flow logs C. ELB access logs D. Operating system logs

A. CloudTrail logs

How does performance compare on EFS and EBS

``` EFS = 10+ GB per second. EBS = Up to 2GB per second ```

Use Cases for EFS

Big data and analytics, media processing workflows, content management, web serving, and home directories.

Up to thousands of Amazon EC2 instances, from multiple AZs, can connect concurrently to a file system. True or false

True

Amazon EBS Provisioned IOPS use cases

Boot volumes, transactional and NoSQL databases, data warehousing, and ETL.

Your application currently stores data on an unencrypted EBS volume. A new security policy mandates that all data must be encrypted at rest. How can you encrypt the data? A. Create a snapshot of the volume. Create a new, encrypted volume from the snapshot. Replace the volume. B. Create a snapshot of the volume. Make an encrypted copy of the snapshot. Create a new volume from the new snapshot. Replace the volume. C. Modify the EBS settings to encrypt the volume. You do need to detach the volume or stop the instance. D. Stop the instance. Detach the volume. Modify the EBS settings to encrypt the volume. Reattach the volume. Start the instance.

C. Modify the EBS settings to encrypt the volume. You do need to detach the volume or stop the instance.

Which of the following approaches provides the lowest cost for Amazon Elastic Block Store snapshots while giving you the ability to fully restore data? A. Maintain a single snapshots: the latest snapshot is both incremental and complete B. Maintain the most current snapshots, archive the original and incremental to Amazon Glacier C. Maintain a volume snapshot: subsequent snapshots will overwrite one another D. Maintain two snapshots: the original snapshot and the latest incremental snapshot

A. Maintain a single snapshots: the latest snapshot is both incremental and complete

A customer has written an application that uses Amazon S3 exclusively as a data store. The application works well until the customer increases the rate at which the application is updating information. The customer now reports that outdated data occasionally appears when the application accesses objects in Amazon S3. What could be the problem, given that the application logic is otherwise correct?

The application is reading parts of objects from Amazon S3 using a range header.

What is asynchronous replication and when would one use it

asynchronous replication is not performed at the same time as changes are made in the primary storage. Data is replicated only in predetermined time periods (this could be hourly, daily, or weekly). This can help to increase throughput during peak times.

How can a user track memory usage in an EC2 instance?

Place en agent on the EC2 instance to push memory usage to an Amazon CloudWatch custom metric.

A Solutions Architect is designing an architecture for a mobile gaming application. The application is expected to be very popular. The Architect needs to prevent the Amazon ROS MySQL database from becoming a bottleneck due to frequently accessed queries. Which service or feature should the Architect add to prevent a bottleneck?

Amazon ElastiCache in front of the RDS MySQL Database.

I created a new AWS Identity and Access Management (IAM) role, but I can't find the role in the drop-down list when I launch an instance.

The drop-down list includes instance profiles and not IAM roles, but you can add an IAM role to an instance profile. You must choose the instance profile that has the required IAM role added to it.

Which of the following items are required to allow an application deployed on an EC2 instance to write data to a DynamoDB table? Assume that to security keys are allowed to be stored on the EC2 instance. A. Launch an EC2 instance with the IAM user included in the launch configuration B. Create an IAM user that allows write access to the DynamoDB table C. Add an IAM user to a running EC2 instance D. Create an IAM role that allows write access to the dynamoDB table E. Add an IAM role to a running EC2 instance F. Launch an EC2 instance with the IAM role included in the launch configuration

D. Create an IAM role that allows write access to the dynamoDB table F. Launch an EC2 instance with the IAM role included in the launch configuration

A company needs to quickly ensure that all files created in an Amazon S3 bucket in us-east-1 are also available in another bucket in ap-southeast-2. Which option represents the SIMPLEST way to implement this design? A. Add an S3 lifecycle rule to move any new files from the bucket in us-east-1 to the bucket in ap-southeast-2. B. Create a Lambda function to be triggered for every new file in us-east-1 that copies the file to the bucket in ap-southeast-2 C. Use SNS to notify the bucket in ap-southeast-2 to create a file whenever a file is cheated in the bucket in us-east-1. D. Enable versioning and configure cross-region replication from the bucket in us-east-1 to the bucket in ap-southeast-2.

B. Create a Lambda function to be triggered for every new file in us-east-1 that copies the file to the bucket in ap-southeast-2

A Solutions Architect is designing a solution that includes a managed VPN connection. To monitor whether the VPN connection is up or down, the Architect should use:

the CloudWatch TunnelState Metric

A media company has deployed a multi-tier architecture on AWS. Web servers are deployed in two Availability Zones using an Auto Scaling group with a default Auto Scaling termination policy. The web servers' Auto Scaling group currently has 15 instances running. Which instance will be terminated first during a scale-in operation?

The oldest instance in the group.

A Solutions Architect is designing an application that stores objects encrypted in an Amazon S3 bucket. The company's security requirements state that the encryption key is stored by the organization. Which methods meet this requirement? (Select TWO.) A. Use S3 server-side encryption with customer-provided keys. B. Use S3 client-side encryption. C. Use S3 server-side encryption with Amazon S3 managed keys D. Use S3 server-side encryption with AWS KMS managed keys. E. Use S3 server-side encryption with the company's own keys imported into AWS KMS

A. Use S3 server-side encryption with customer-provided keys. D. Use S3 server-side encryption with AWS KMS managed keys.

A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token Service approach to temporary access should you use for the Amazon S3 operations?

Because they are using an using an OpenID Connect-compatible identity provider you will use Web Identity Federation

``` Which services allow the customer to retain full administrative privileges of the underlying EC2 instances? Choose 2 answers A. Amazon Relational Database Service B. Amazon Elastic Map Reduce C. Amazon ElastiCache D. Amazon DynamoDB E. AWS Elastic Beanstalk ```

C and E When you create a web server environment, Elastic Beanstalk creates one or more Amazon Elastic Compute Cloud (Amazon EC2) virtual machines configured to run web apps on the platform that you choose. You can configure and log into those instances.

What sort of consistency does Amazon Glacier provide

Read after write

``` A company is deploying a two-tier, highly available web application to AWS. Which service provides durable storage for static content while utilizing lower overall CPU resources for web tier? A. Amazon S3 B. Amazon EBS volume C. Amazon RDS instance D. Amazon EC2 instance store ```

Amazon s3

An application consists of microservices. The microservices need to communicate asynchronously and the solution must ensure that each message is consumed only once. Which service should be used?

Amazon SQS

``` A Solutions Architect a VPC. Instances in a private subnet must to be able to establish IPv6 traffic to the Internet. The design must scale automatically and not incur any additional cost. This can be accomplished with: A. An egress-only internet gateway B. A NAT Gateway C. A custom NAT Instance D. A VPC endpoint ```

A. An egress-only internet gateway

Which of the following are true regarding AWS Cloud Trail? Choose 3 answers A. Cloudtrail is enabled globally B. Cloudtrail is enabled by default C. Cloudtrail is enabled on a per-region basis D. Cloudtrail is enabled on a per-service basis E. Logs can be delivered to a single Amazon S3 bucket for aggregation F. Logs can only be processes and delivered to the region in which they are generated

Which of the following are true regarding AWS Cloud Trail? Choose 3 answers A. Cloudtrail is enabled globally C. Cloudtrail is enabled on a per-region basis E. Logs can be delivered to a single Amazon S3 bucket for aggregation

Which load balancers support dynamic port mapping

application load balanced

``` Your company wants to start working with AWS, but has not yet opened an account. With which of the following services should you begin local development? A. Amazon DynamoDB B. Amazon Simple Queue Service C. Amazon Simple Email Service D. Amazon CloudSearch ```

A. Amazon DynamoDB

``` Which Auto Scaling features allow you to scale ahead of expected increases in load? Choose 2 answers A. Cooldown period B. Lifecycle hooks C. Desired capacity D. Metric-based scaling E. Health check grace period F. Scheduled scaling ```

C. Desired capacity | F. Scheduled scaling

You have a web portal composed of two services. Each service musts scale independently. Both services should be served under the same domain. Which configuration allows this?

Use two AWS Application Load Balancer; one for each service. Assign the same CNAME to both.

A Solution Architect is designing a three-tier web application. The Architect wants to restrict access to the database tier to accept traffic from the application servers only. However, these application servers are in an Auto Scaling group and may vary in quantity. How should the Architect configure the database servers to meet the requirements? C. Configure the database subnet network ACL to deny all inbound non-database traffic from the applicationtier subnet. D. Configure the database subnet network ACL to allow inbound database traffic from the application-tier subnet.

- Configure the database subnet network ACL to deny all inbound non-database traffic from the application tier subnet. - Configure the database subnet network ACL to allow inbound database traffic from the application-tier

Your company moved into AWS and created separate AWs accounts per department. To address latency and bandwidth challenges, the company ordered a single AWS Direct Connect circuit. How should you allocate the cost of the data transfer over AWS Direct Connect back to each department ?

Configure virtual interfaces and tag each with the department account number. Use detail usage reports

You have launched an Amazon elastic compute cloud (EC2) instance in a VPC with an attached internet gateway. You assigned a public IP address to the Amazon EC2 instance but cannot connect from your on-premises client via SSH. Which of the following may be the cause of the behavior experienced? Choose 2 answers

A. An incorrect security group rule for inbound SSH traffic | B. An incorrect policy in the AWS IAM service

What is the difference between an interface VPC endpoint and a gateway VPC endpoint.

An interface VPC endpoint is an elastic network interface that has a private IP address and can be used to communicate with the supported VPC endpoint services. A gateway VPC endpoint is a gateway, on which a router is configured to distribute traffic to cloud services.

How do you improve the launch time of new instances in a Auto Scaling group?

Reduce the values of the Default Cooldown and Health Check Grace Period settings for the Auto Scaling group

Which of the following techniques should an Amazon DynamoDB customer follow the maximize throughput? A. Create tables with as few partition keys as possible B. Create tables with a partition key that has a large number of distinct values requested uniformly C. Create tables with a partition key that has a small number of distinct values requested uniformly D. Create tables with only range keys

B. Create tables with a partition key that has a large number of distinct values requested uniformly.

A solution architect is designing an application that will encrypt all data in an Amazon Redshift cluster. Which action will encrypt the data at rest?

You can enable encryption when you launch your cluster, or you can modify an unencrypted cluster to use AWS Key Management Service (AWS KMS) encryption. To do so, you can use either an AWS-managed key or a customer-managed key (CMK). When you modify your cluster to enable KMS encryption, Amazon Redshift automatically migrates your data to a new encrypted cluster. Snapshots created from the encrypted cluster are also encrypted.

Deck 1 Flashcards

(194 cards)