Digital Cloud Training

Question 1

You would like to share some documents with public users accessing an S3 bucket over the internet. What are two valid methods of granting public red permissions so you can share the documents?

Answer 1

Grant public read access to the objects when uploading.
Use the AWS Policy Generator to create a bucket policy for your Amazon S3 bucket granting read access to public anonymous users.

Question 2

Why would using CloudFront and a static website not be ideal for sharing documents from an S3 bucket over the Internet?

Answer 2

It’s not necessary when you can grant public read access through the AWS Policy Generator or the object policy, and it imposes some contraints on the solution.

Question 3

Dynamo DB

Answer 3

A Fully managed NoSQL database solution that can scale seamlessly and has very low read/write latency.

Question 4

Push Button Scaling

Answer 4

Scale the Database without incurring downtime. A key feature of DynamoDB.

Question 5

You are building an application that will collect information about user behavior. The application will rapidly ingest large amounts of dynamic data and requires very low latency. The database must be scalable without incurring downtime. Which database solution would you recommend for this scenario?

Answer 5

DynamoDB

Question 6

A Solutions Architect is building a complex application with several back-end APIs. The architect is considering using Amazon API Gateway. With Amazon API Gateway what are features that assist with creating and managing APIs?

Answer 6

Metering - define plans that meter and restrict third-party developer access to APIs
Lifecycle Management - Operate multiple API versions and multiple stages for each version simultaneously so that existing applications can continue to call previous versions after new API versions are published.

Question 7

Your company would like to restrict the ability of most users to change their own passwords whilst continuing to allow a select group of users within specific user groups. What is the best way to achieve this:

Answer 7

1) Under the IAM Password Policy, deselect the option to allow users to change their own passwords.
2) Create an IAM Policy that grants users the ability to change their own password and attach it to the groups that contain those users.

Question 8

What are IAM Roles used for?

Answer 8

IAM roles are Identity and Access Management entities that define a set of permissions for making AWS service requests. They are NOT associated with a specific user or group.

Question 9

What is the best way to restrict a port and protocol combination from a security group?

Answer 9

Update the security group by removing the rule. You can only assign permit rules in a security group, you cannot assign deny rules.

Question 10

You need to design a solution for distributing load across a number of EC2 instances across multiple AZs within a region. Customers will connect to several different applications running on the client’s serers through their browser using multiple domain names and SSL ceritificates. The certificates are stored in AWS Certificate Manager (ACM).
What is the optimal architecture to ensure HA, Cost Effectiveness, and performance?

Answer 10

Launch a single ALB and bind multiple SSL certificates to the same secure listener. Clients will use the Server Name Indication (SNI) extension.
With Server Name Indication (SNI) a client indicates the hostname to connect to. SNI supports multiple secure websites using a single secure listener.

Question 11

SNI

Answer 11

Server Name Indication - An extension to the TLS protocol that is supported by browsers and clients released after 2010. If you configure CloudFront to server HTTPS requests using SNI, CloudFront associates your alternate domain name with an IP address for each edge location. This is the recommended method if you want viewers to use HTTPS and also use alternate domain names for your files.

Question 12

What is the other option for allowing CloudFront to serve HTTPS requests?

Answer 12

Dedicated IP Addresses. This will incur an additional monthly charge.

Question 13

What are the two ways you can encrypt data stored on an EBS volume without downtime?

Answer 13

Either create an encrypted volume and migrate the data, or take a snapshot, encrypt it, and create a new encrypted volume from the snapshot.

Question 14

A customer has asked you to recommend the best solution for a highly available database. The database is relational OLTP type of database and the customer does not want to manage the operating system the database runs on. Failover between AZs must be automatic.

Answer 14

Use RDS in a Multi-AZ configuration. RDS is a managed service that will allow you to configure Multi-AZ which creates a replica in another AZ and synchronously replicates to it (DR only)

Question 15

What is the difference between OLTP and OLAP

Answer 15

Online Transaction Processing is a class of software capable of supporting transactional-based software over the internet. Online Analytical Processing is a technology for report viewing and complex analytical calculations.

Question 16

Name an AWS service that is used for OLAP

Answer 16

RedShift is used for data warehous analytics

Question 17

Name an AWS service that is used for OLTP

Answer 17

RDS

Question 18

Name all RDS database engines

Answer 18

Amazon Aurora
PostgreSQL
MySQL
MariaDB
Oracle
MS SQL Server

Question 19

What are the benefits of Amazon Aurora

Answer 19

Cost-effectiveness of Open Source Databases (MySQL)
3x faster than PostgreSQL
5x faster than MySQL
1/10th the cost of Commercial Databases
Fully Managed by RDS
64TB fault-tolerant, self healing, distributed storage per instance
up to 15 low-latency read replicates
Replication across 3 AZs
Continuous backup to S3

Question 20

You are troubleshooting a connectivity issue where you cannot connect to an EC2 instance in a public subnet in your VPC from the Internet. Which configuration items would you check first?

Answer 20

The subnet has “Auto-assign public IPv4 address” set to “Yes”
The security group attached to the EC2 instance has an inbound rule allowing the traffic.

Question 21

Public subnets are subnets that have:

Answer 21

“Auto-assign public IPv4 address” set to “Yes” which will assign a public IP
The subnet route tabe has an attached Internet Gateway
The instance will also need a security group with an inbound rule allowing the traffic.

Question 22

When using a public subnet with an Internet Gateway, the instance needs ______ to be addressable from the Internet?

Answer 22

a Public IP address

Question 23

NAT Gateways

Answer 23

Used to enable Outbound Internet access for instances in private subnets. Managed service, and provides availability, higher bandwidth, and requires less effort than a NAT Instance.

Question 24

NAT Instances

Answer 24

A Non-managed NAT option to enable instances in the private subnet to initiate outbound IPv4 traffic to the internet or other AWS services, but prevent the instances from receiving inbound traffic from the Internet.

Question 25

You would like to provide some on-demand and live streaming video to your customers. The plan is to provide the users with both the media player and the media files from the AWS cloud. One of the features you need is for the content of the media files to begin playing while the file is still being downloaded. What AWS services can deliver these requirements?

Answer 25

Use CloudFront with a Web and RTMP distribution: -A web distribution for the media player -An RTMP distribution for the media files Store the Media files in an S3 bucket.

Question 26

RTMP

Answer 26

Adobe Real-Time Messaging Protocol Distribute streaming media files using Adobe Flash Media Server's RTMP protocol Allows an end user to begin playing a media file before the file has finished downloading from a CloudFront edge location Files must be stored in an S3 buicket (NOT an EBS volume or EC2 instance)

Question 27

There is a requirement to implement in-memory caching for an application due to increasing read-heavy load. The data must be stored persistenly. Automatic failover across AZs is also required. What two items deliver these requirements?

Answer 27

ElastiCache with the Redis engine - Stores data persistently. Multi-AZ with Cluster mode and Automatic Failover enabled.

Question 28

Redis vs Memcache

Answer 28

Redis: Stores Data persistenly, Supports Multi-AZ using read replicas in other AZs int he same Region, fully falut tolerant and automated if both cluster mode and multi-AZ failover are enabled. Memcache: Does NOT store data persistently, Does NOT support Multi-AZ failover or Replication.

Question 29

ECS

Answer 29

Elastic Container Service - A highly scalable, high performance service that supports Docker containers and allows you to run applications across a managed cluster of EC2 instances.

Question 30

ECS Task

Answer 30

Instances of Containers that are run on underlying compute, but are more or less isolated.

Question 31

ECR

Answer 31

Elastic Container Registry - An AWS managed registry of Container images that is secure, scalable, and reliable.

Question 32

You have launched a Spot instance on EC2 for working on an application development project. What are the possible behaviors that can be configured in the event of an interruption?

Answer 32

Hibernate Stop Terminate (Default)

Question 33

You create a new ASG with 6 instances distributed evenly between two AZs, AZ1 and AZ2. After creating these, you find that all 6 EC2 instances are being hosted on AZ1 since AZ2 does not currently have the capacity for your instance type. What will happen once AZ2 does have the capacity?

Answer 33

The ASG will try to redistribute the EC2 instances evenly between the two availability zones. They will only delete the instances in AZ1 once the instances in AZ2 have been created and verified.

Question 34

You would like to create a highly available web application that serves static content hosted on multiple On-Demand EC2 instances. What three features can help you do that?

Answer 34

Multiple Availability Zones Elastic Load Balancer Auto Scaling Group

Question 35

An EBS-backed EC2 instance has been configured with some proprietary software that uses an embedded license. You need to move the EC2 instance to another AZ in the region. What is the best way to accomplish this?

Answer 35

Create an image from the instance and launch an instance from the image from the AMI in the destination AZ.

Question 36

Spread Placement Group

Answer 36

A group of EC2 instances that are each placed on distinct underlying hardware.

Question 37

An application that you will be deploying in your VPC requires 14 EC2 instances that must be placed on distinct underlying hardware to reduce the impact of the failure of a hardware node. The instances will use varying instance types. What configuration will cater to these requirements taking cost-effectiveness into account?

Answer 37

Use Spread Placement Group across two AZs.

Question 38

How many IAM roles can you apply to a Task Definition?

Answer 38

One

Question 39

How can you apply granular permissions to distinct containers hosted on the same EC2 instance?

Answer 39

Create separate Task Definitions for any Task/Container you'd like to alter permissions on.

Question 40

PFS

Answer 40

Perfect Forward Secrecy - provides additional afeguards against eavesdropping of encrypted data through the use of a unique random session key.

Question 41

Can you use Instance IDs with On-Premises targets?

Answer 41

No. Be sure to utilize IP address targets, which are supported by either Network or Application Load Balancers. A VPN or Direct Connect connection is required for On-Premises communication.

Question 42

You would like to start recording source IP addresses of traffic that hits your Web Applications that are behind an Elastic Load Balancer. What ELB features will you enable with which protocols?

Answer 42

Proxy Protocol for TCP | X-Forwarded-For response header for HTTP

Question 43

You would like to record source IP addresses of traffic that hit your Elastic Load Balancers before they get to the EC2 instances hosted behind it. What feature would you enable to start that?

Answer 43

Access Logs

Question 44

According to EC2 IO optimized SLAs, what would be the average IOPS an io1 EBS volume configured to provide 1000 IOPS give most of the time throughout the year?

Answer 44

900 - SLAs for Provisioned Optimized IOPS guarantees to be within 10 percent of the provisioned IOPS 99.9 percent of the time.

Question 45

Valid options for storing CloudWatch logs include:

Answer 45

CloudWatch Logs Centralized Logging System (i.e. Splunk) Custom script and store on S3

Question 46

What AWS service can help convert media files for multiple mobile formats?

Answer 46

Elastic Transcoder

Question 47

You need to add a layer in your application architecture to retain information about user sessions. What are two options available to you?

Answer 47

In-Memory Key/Value store like Redis or MemCache | Stick Sessions enabled at the ELB level

Question 48

What AWS service can send you SNS or Email notifications when you are forecast to exceed your funding capacity?

Answer 48

AWS Budgets

Question 49

CORS

Answer 49

Cross-Origin Resource Sharing: - Allows the sharing of resources between different domains - Can be used to enable request from domains other than the API's domain

Question 50

Amazon Athena

Answer 50

An interactive, serverless query service that makes it easy to analyze data stored in S3.

Question 51

Can Amazon RedShift analyze data stored in Amazon S3?

Answer 51

No

Question 52

AWS Glue

Answer 52

A fully managed ETL service used to prepare and load date for analytics. It is not used for S3.

Question 53

ETL

Answer 53

Extract, Transform, and Load service

Question 54

AWS Data Pipeline

Answer 54

Used to reliably process and move data between AWS compute and storage services, as well as on-premises resources, at specified intervals

Question 55

OAI

Answer 55

Original Access Identity - Can be setup in CloudFront to provide a "user" that can be assigned permissions.

Question 56

DynamoDB classic charges:

Answer 56

More cost effective for read heavy workloads Priced based on provisioned throughput (read/write) regardless of whether you use it or not. Changes only for Dynamo DB Auto Scaling feature.

Question 57

RedShift

Answer 57

OLAP databases - Large databases recommended for analytics not transaction functions. Always keeps 3 copies of your data. Provides continuous/incremental backups.

Question 58

What two ways can you use MFA to authentication in AWS?

Answer 58

AWS Management Console and AWS API

Question 59

Fully Meshed Architecture?

Answer 59

Allows a Many to Many VPC communication topology.

Question 60

What are the AWS and Customer facing sides of AWS VPN?

Answer 60

AWS Side: Virtual Private Gateway | Customer Side: Customer Gateway

Question 61

You host a lot of resources in AWS through a VPC. Your IT security team wants you to monitor all the traffic from the network interfaces in the VPC. Which service should you use to monitor this traffic?

Answer 61

VPC Flow Logs - Used to monitor all network traffic within a VPC.

Question 62

Cloud Trail

Answer 62

A service that allows you to log all API calls.

Question 63

You are deploying a two-tier web application within your VPC. The application consists of multiple EC2 instances and an Internet-facing ELB. The application will be used by a small number of users with fixed public IP addresses and you need to control access so only these users can access the application. What are the two practical methods of implementing these controls?

Answer 63

Configure the ELB security group to only allow traffic from certain IP sources. Configure ELB to send the X-Forwarded-For header and configure the EC2 instances to filter on traffic based on the source IP information in the header.

Question 64

Amazon DAX

Answer 64

Amazon DynamoDB Accelerator - fully managed, highly available, in memory cache for DynamoDB that delivers 10x performance improvement - from milliseconds to microseconds - even at millions of requests per second.

Question 65

DynamoDB has Read Replicas: T/F

Answer 65

False

Question 66

You need to create an encrypted Read Replica in a different region than your current unencrypted RDS Database. What steps do you need to take?

Answer 66

Take a snapshot of the current unencrypted database and create an encrypted database from that snapshot. Create a Read Replica using the region specific encryption key.

Question 67

What database architecture would you choose for fast, repeat queries?

Answer 67

RedShift can improve performance for repeat queries by caching results and returning the cached result when the queries are re-run.

Question 68

Developers regularly create and update CloudFormation stacks using API calls. For security reasons, you need to ensure that users are restricted to a specified template. How can this be achieved?

Answer 68

Create an IAM policy with a Condition: TemplateURL parameter

Question 69

Amazon MQ

Answer 69

Messaging queue that supports industry-standard APIs and protocols. Unique to SQS as that is a messaging queuing system that is not compatible with industry-standard messaging brokers.

Question 70

Query String Parameters

Answer 70

Used to direct CloudFront to forward query strings to the origin and to cache based on the language parameter.

Question 71

Signed URLs and Cookies

Answer 71

Used by CloudFront to provide additional control over access to content.

Question 72

What status check would you set to alert you to the presence of an issue with an operating system?

Answer 72

StatusCheckFailed_Instance - where ..._System status checks indicate problems with the instance the require AWS involvement to repair, Instance status checks detect problems that require the customer's involvement to repair.

Question 73

CloudTrail

Answer 73

Records API calls for auditing

Question 74

You want to monitor API calls across several regions inside an AWS account and you have to encrypt the results. What is the best solution for this?

Answer 74

Create a single CloudTrail trail and apply it to all regions. Encrypt the results with a single KMS key.

Question 75

What encryption is used or CloudTrail log files?

Answer 75

S3 Server Side Encryption (SSE) with the option to enable SSE KMS for additional security.

Question 76

An EBS-backed EC2 instance has been configured with some proprietary software that uses an embedded license. You need to move the EC2 instance to another Availability Zone (AZ) within the region. What's the best way to accomplish this?

Answer 76

Create an image from the instance. Launch an instance from the AMI in the destination AZ.

Question 77

How do Sticky Sessions Work for an ALB?

Answer 77

The ALB supports load balancer-generated cookies only (not application-generated) and the cookie name is always AWSALB. The Sticky session feature is enabled at the target group level.

Question 78

Amazon RedShift Enhanced VPC routing

Answer 78

Forcess all COPY and UNLOAD traffic between clusters and data repositories through a VPC

Question 79

What has no standard metric in the CloudWatch dashboard?

Answer 79

Memory usage

Question 80

CDN

Answer 80

Content Delivery Network - Improves the delivery of content by replicating commonly requested files (static content) across a globally distributed set of caching servers.

Question 81

Origins

Answer 81

Used by CloudFront to specify the origin of the files that the CDN will distribute. Origins can be either an S3 bucket, EC2 instance, ELB, or Route 53. It can also be external to AWS.

Question 82

S3 pre-signed URL

Answer 82

Allows you to upload data to an S3 bucket without having AWS security credentials/permissions. This solution bypasses the web server, avoiding any performance bottlenecks.

Question 83

Connection Draining

Answer 83

ASG setting that will wait for in-flight connections to timeout before initiating a replacement

Question 84

AWS WAF

Answer 84

AWS Web Application Firewall - Blocks malicious web requests targeted at your web application.

Question 85

You have created an application in a VPC that uses a Network Load Balancer (NLB). The application will be offered in a service provider model for AWS principals in other accounts within the region to consume. Based on this model, what AWS service will be used to offer the service for consumption?

Answer 85

VPC Endpoint Services using AWS PrivateLink

Question 86

How can you control your API Gateway cache to enhance performance and reduce the load on back-end services?

Answer 86

Using time-to-live (TTL) settings

Question 87

What are Access Keys?

Answer 87

Used to make programmatic calls to AWS through AWSCLI et al

Question 88

AWS OpsWorks

Answer 88

A Configuration management service that provides managed instances of Chef and Puppet to automate how servers are configured, deployed, and managed across EC2 or on-premises compute environments.

Question 89

When using a Classic Load Balancer, what two sets of listeners support the Proxy protocol

Answer 89

SSL front-end and TCP back-end | TCP front-end and TCP back-end

Question 90

ELB Proxy Protocol

Answer 90

Adds header information that lists the source IP, destination IP, and port number Supported by CLB

Question 91

ELB Proxy Protocol

Answer 91

Adds header information that lists the source IP, destination IP, and port number. Supported by CLB. Proxy Protocol v2 supported by NLB.

Question 92

Detail the default termination policy for ASG on Multiple AZs with even number of instances on each AZ

Answer 92

1) oldest launch configuration | 2) closest to next billing hour

Question 93

AWS STS

Answer 93

AWS Security Token Service - An AWS service that requests temporary, limited permission credentials to IAM users or for users that you authenticate (federated users).

Question 94

Lists the steps performed by the custom identity broker to sign users into the AWS management console

Answer 94

1) Verify authentication by your local identity system (like Active Directory) 2) Call AWS STS AssumeRole or GetFedertionToken API operations and obtain temp security creds 3) Call AWS federation endpoint to supply the temp security creds to request a sign-in token 4) Construct a URL for the console that includes the token 5) Give the URL to the user or invoke it on the user's behalf.

Question 95

What are 3 common use cases of assigning secondary IP addresses

Answer 95

1) Host multiple websites on a single server by using multiple SSL certificates on a single server and associating each certificate with a specific IP address. 2) Operate network appliances, such as firewalls or load balancers, that have multiple IP addresses for each network interface. 3) Redirect internal traffic to a standby instance in case your instance fails, by reassigning the secondary IP address to the standby instance.

Question 96

Name the 3 ways an ENI can be attached to an instance

Answer 96

Hot-attached - attached to a running instance. Warm-attached - attached to a stopped instance. Cold-attached - attached while an instance is being launched.

Question 97

What happens when DynamoDB hits its provisioned capacity for writes?

Answer 97

The requests will be throttled and fail with an HTTP 400 code (Bad Request) with the error: ProvisionedThroughputExceededException

Question 98

Name some differences between ASG reacting to an unhealthy instance, and reacting to AZ rebalancing?

Answer 98

If an instance is marked as unhealthy, it is marked for termination and terminated before the replacement is launched, where as AZ rebalancing will launch the replacement in the new AZ before terminating the old instance.

Question 99

Are manually added ENIs terminated when the instance is terminated?

Answer 99

No, secondary/manually added ENI interfaces are not terminated by default when an instance is terminated.

Question 100

What are 3 reasons why a previously running EC2 instance would suddenly terminate when restarted?

Answer 100

EBS volume limit has been hit EBS snapshot is corrupted The root EBS volume is encrypted and you do not have the KMS key to decrypt it.

Question 101

What are the IPs ber GB or GiB for each EBS volume?

Answer 101

GS2 - 3 IOPS/GB IO1 - 50 IOPS/GiB ST1 - 500 IOPS/Vol No SLA SC1 - 250 IOPS/Vol No SLA

Question 102

ECS Clusters

Answer 102

Logical grouping of container instances you can place tasks on. Can contain tasks using BOTH the Fargate and EC2 launch types Containers can only be part of one cluster at a time. Region Specific For EC2 Launch type, clusters can contain different container instance types.

Question 103

Name two ways you can protect a web application from suffering from a DDoS attack?

Answer 103

Use CloudFront to distribute static and dynamic content. Has the added benefit of ensuring only valid HTTP(S) request swill be forwarded to backend hosts. Use AutoScaling to be sure that the largest amount of servers can distribute the load.

Question 104

Name the CloudFront capabilities to block malicious traffic

Answer 104

Filters request to ensure only valid HTTP(S) requests will be forwarded to backend hosts. Supports geoblocking to prevent requests from particular geographic locations from being served.

Question 105

Amazon Aurora Global Database

Answer 105

Replicates a single database across multiple AWS regions with no impact to performance Enables fast local reads with low latency in each region Provides DR recovery from region-wide outages. Uses storage-based replication with typical latency of less than 1 second

Question 106

Identity Pools

Answer 106

Users can obtain temporary AWS credentials to access AWS services, such as S3 and DynamoDB

Question 107

User Pool

Answer 107

A user directory in Amazon Cognito. | Can sign into web or mobile apps through Cognito, or federate through a third-party IdP (identity provider)

Question 108

Global Tables

Answer 108

DynamoDB feature that provides fully managed solution for multi-master, multi-region database. Specify what regions you want the table to be available.

Question 109

Detailed Monitoring for ASG is always enabled by default through CLI: True/False?

Answer 109

True

Question 110

What VPC-specific information must you includ in your Lambda function to ensure it to connect to an ElastiCache cluster within your VPC?

Answer 110

VPC Security Group IDs | VPC Subnet IDs

Question 111

What are the two S3 URL formats

Answer 111

https: //.s3.amazonaws.com/ https: //s3-.amazonaws.com//

Question 112

AWS CloudHSM

Answer 112

Cloud-based hardware security module (HSM)