Exam Answers Flashcards
With ASG, the Cooldown timer is only supported by which scaling policy?
Simple Scaling Policy
True or False, you can attach user-defined metadata directly to S3 objects?
True
What is the user-defined metadata size limited to in S3?
2KB
What are the 5 types of EBS Storage?
- General Purpose (SSD) - (gp2)
- Provisioned IPOS (SSD) - (io1)
- Throughput Optimized HDD - (st1)
- Cold HDD - (sc1)
- EBS Magnetic - (standard)
What is IOPS?
Input/Output per second : It is the speed at which non-continuous reads and writes can be performed on a storage medium
What is Throughput?
The data transfer rate to and from the storage medium in megabytes per second
What is Bandwidth?
The measurement of the total possible speed of data movement along the network
When is EBS General Purpose (SSD) (gp2) best used?
for general usage without specific requirements
When is EBS provisioned IOPS (SSD) (io1) best used?
When you require really fast input and ouput
When is EBS Throughput Optimised HDD (st1) best used?
magnetic drive optimised for quick throughput
When is EBS Cold HDD (sc1) best used?
Lowest cost HDD volume for infrequently accessed workloads
What are the use cases for EBS general purpose?
Most workloads
What are the use cases for EBS Provisioned IOPS SSD?
- Large databases
- IOPS greater than 16,000
- Throughput greater than 250 MiB
What are the use cases for EBS Throughput optimised HDD?
- Data warehouses
- Big data
- Log processing
What are the use cases for EBS Cold HDD?
File storage
What are the use cases for EBS Magnetic?
Archival storage
Volume size for EBS General purpose?
1 GB - 16 TB
Volume size for EBS Provisioned IOPS SSD?
4GB - 16 TB
Volume size for EBS Throughput Optimised HDD?
500 GB - 15 TB
Volume size for EBS Cold HDD?
500 GB - 15 TB
Volume size for EBS Magnetic
500 GB - 15 TB
Max IOPS for EBS General Purpose?
16,000
Max IOPS for EBS Provisioned IOPS SSD?
64,000
Max IOPS for EBS Throughput Optimised HDD?
500
Max IOPS for EBS Cold HDD?
250
Max IOPS for EBS Magnetic?
40 - 200
How do you move an EBS Volume from one AZ to another?
1, take a snapshot of the volume
2, create an AMI from the snapshot
3, launch new EC2 in the desired AZ
How do you move an EBS Volume from one region to another?
1, take a snapshot of the volume
2, create an AMI from the snapshot
3, copy the AMI to another region
4, launch new EC2 instance from the copied AMI
True or False; DynamoDB allows you to provision your capacity to have a guarantee of reads and writes per second at any scale?
True
What is DocumentDB?
- MongoDB compatible database
- Can store JSON data
- Very fast but there is no guarantee of reads and writes per second at scale.
True or False; DocumentDB is Highly Available?
False; since it can only launch a single instance which would be susceptible becoming unavailable if that single AZ failed.
What should be referred to if you want to map Amazon Elastic Block Store to an Amazon EC2 instance for AWS CloudFormation resources?
Reference the logical IDs of both the block stores and the instance
An application running on an EC2 instance managed by an Auto Scaling Group and which backed by an RDS Postgres database is gaining in popularity the database cannot keep up with the number of queries being request. What solution would improve the performance of this architecture?
ElastiCache in front of the database.
ElastiCache can be placed in front of RDS to cache the most read common queries and would resolve our performance issues.
True or False; You can only log across all AWS Accounts with a trail that is created in the master account
True
True or False; AWS Glue can be more suited for large batches?
True
Which AWS service allow you to transform raw streaming data into formats like Apache Parquet, and dynamically partition streaming data without building your own processing pipelines.
Kinesis Firehose
True or False; Kinesis Firehose has the ability to archive, encrypt as well as transform JSON to parquet?
True
What is Amazon FPS?
Amazon Flexible Payment Service, a service that allows for building very flexible payment systems. The service can be classified as a part Gateway and part Integration (offsite processor).
What is Amazon DevPay?
A simple-to-use online billing and account management service that makes it easy for businesses to sell applications that are built in, or run on top of, Amazon Web Services. It is designed to make running applications in the cloud and on demand easier for developers.
True or False; EC2 can be used for caching?
True, EC2 any kind of computing so you can do anything you like as long as you’re willing to maintain the instances yourself.
A web application which consists of a single EC2 instance that has an Elastic IP (EIP) is accessed by employees from remote locations. How can the IP addreses from the inbound traffic be audited to determine if they are company approved IP addresses?
VPC Flow Logs:
Turning on VPC Flow Logs within your VPC will capture inbound traffic from the internet into your VPC. Within these logs contains the IP address of the source of the incoming request.
True or False; CloudTrail can help provide insight into the failure of an instance?
False; CloudTrail is for governance and auditing about who has accessed what services.
What is the SQS FIFO limit?
300 messages per second
True or False’ ElastiCache is a global service?
False; it is regional
Which IAM policy condition key should be used if you want to check whether the request was sent using SSL?
Secure Transport.
To determine HTTP or HTTPS requests in a bucket policy, use a condition that checks for the key “aws:SecureTransport”. When this key is true, then request is sent through HTTPS.
What is Amazon Macie?
Amazon Macie is a data security and data privacy service that uses machine learning (ML) and pattern matching to discover and protect your sensitive data.
What are the 3 S3 Glacier Flexible Retrieval Options?
- Expedited = 1-5 mins
- Standard = 3-5 hours
- Bulk = 5-12 hours
How many consumers can Kinesis Firehose have?
Just 1, and it is generally S3
How many consumers can Kinesis Data Streams have?
Multiple
True or False; Encryption is turned on by default for CloudTrail logs that are delivered to S3?
True, by SSE-S3 (AES)
True or False; Interface Endpoints support S3?
False; but Gateway Endpoints do
An Internet Gateway in your VPC enable instances within a public or Private subnet to reach the Internet?
Public - check this
An application is running within a private subnet and needs an outbound connection to the internet to fetch package updates. Which solution will provide that instance with a connection to the Internet?
Launch a NAT Gateway in the public subnet and create a route in the route table for 0.0.0.0/0 for the NAT
A NAT in a public subnet in your VPC enables instances in the private subnet to initiate outbound IPv4 traffic to the Internet
True or False; You can failover to a website hosted on a S3?
True
A company has an on-premise Cassandra database with an existing large workload which they are migrating to AWS to an EC2 Which EBS Volume Type would be most the most performance their use case?
EBS Provisioned IOPS SSD
A company is utilizing multiple cloud computing providers for computing capacity. Sometimes these public-facing instances on platforms other than AWS become unresponsive and need to be manually restarted. The company needs a way to detect these failing instances so it can take action to replace them. What solution will resolve this issue?
Use Route 53 Health Checks
Route53 Health Checks takes an endpoint from anywhere. So it can check the health of an instance if its public-facing and alert you.
True or False; CloudWatch logs are real-time?
False
True or False; to use Kinesis Data Analytics you must have an input and output stream?
True
A company has an application which runs in multiple regions. The company needs to analyze the application logs in real-time to detect suspicious behaviour attempting to abuse their platform. Which solution could they use to complete their analysis?
Send logs to Kinesis Data Streams which in turn sends it to Kinesis Data Analytics which in turn sends it to Kinesis Firehose to then later store the results in S3.
Kinesis is a streaming service which is designed to perform operations in realtime. Kinesis Data Analytics is used to allow you to perform queries on incoming data in realtime. To use Kinesis Data Analytics you must have an input and output stream. For the input stream if we use Kinesis Data Stream we can transform the application logs into a format that will easily queryable when it reaches Data Analytics and then we can place it in output stream to Kinesis Firehose. Kinesis Firehose is just a buffer and will allow us to dump the results easily to S3.
A company has a DynamoDB table which when an item is inserted they want to evaluate the contents of the item to decide whether they should receive an alert via email. Which solution would be most performant to meet their requirements?
Stream new records to a Lambda function
DynamoDB Streams allows you to trigger a Lambda function when records are inserted into a table. DyanmoDB Streams do not consume you read capacity so you need not worry about adjust your provision capacity settings.
When launching containers in Amazon ECS, where may PortMapping be defined?
Task definition
True or False; You can automatically create and backup to another region Redshift snapshots via Snapshot Schedule within the Redshift console?
True
True or False; Elastic Load Balancer can send traffic to instances within private subnet?
True
How many AWS managed Customer Master Keys can you have for EBS?
AWS managed Customer Master Keys (CMKs) are keys created by default for you by AWS. These keys are managed by AWS as the name implies. There is only one AWS managed CMK for EBS called aws/ebs
What are customer created Customer Master Keys?
Customer managed Customer Master Keys are unique keys created by you the customer
True or False; Lambda can run C#?
True
What is the advantage of instantiating AWS clients outside the scope of the handler when constructing a Lambda function?
Taking advantage of connection re-use
A company handles documents received through an Amazon S3 bucket. Users can upload documents to an S3 bucket using a web user interface.
When files are received in S3, an AWS Lambda function is executed to process them, but the Lambda function times out on a regular basis.
What happens to the S3 event if the Lambda function is setup with the default settings?
The S3 event is discarded after the event is retried twice
If the function returns an error, Lambda attempts to run it two more times. When an event expires or fails all processing attempts, Lambda discards it.
NAT Gateways should be launched in public or private subnets?
Public, or they won’t be able to access the internet
What connection speeds does Direct Connect allow?
Direct Connect can handle low bandwith 50-500MB and high bandwidth connections 1GB or 10GB
What is a good use case for Route 53 Geoproximity Routing Policy?
For very specific location requirements
What does the Transform section of a CloudFormation template do?
Specifies the version of the AWS Serverless Application Model (AWS SAM) to use for serverless applications (also referred to as Lambda-based applications),
What are particularly suited for batch job workloads?
Docker containers
What allows you to change the configuration of your database such a number of connections?
Parameter Groups
A company has a fleet of EC2 instances managed by an Auto Scaling Group which are processing various files of different sizes but no larger than 1TB. These files need to be stored in the same location and it’s important that this storage is highly available and resilient. Which storage solution would meet this company needs?
A single S3 bucket
True or False; DynamoDB Streams allows you to trigger Lambdas when records are inserted?
True
A Solution Architect has been tasked with keeping the usage of Redshift cost-effective. Which of the following would ensure no additional charge occur?
Avoid increasing the backup retention period or taking additional snapshots.
Thousands of sensitive audio and video data must be stored in an Amazon S3 bucket. All data written to this bucket must be encrypted according to organizational security rules.
How can this policy’s compliance be ensured?
Configure an Amazon S3 bucket policy to prevent the upload of objects that do not contain the x-amz-server-side-encryption header.
To encrypt an object at the time of upload, you need to add a header called x-amz-server-side-encryption to the request to tell S3 to encrypt the object using SSE-C, SSE-S3, or SSE-KMS.
True or False; NAT Gateways are AZ specific?
True, so a NAT needs to be launched for each AZ.
True or False; an ASG’s are AZs specifc?
False, ASGs are not bound to AZs.
PCI Compliance; what is PCI?
Payment Card Industry
True or False; Internet Gateways (IGW) can only be attached each to a single VPC
True
True or False; VPC Endpoints cannot be set for RDS?
True
True or False; RDS Multi-AZ uses asynchronous replication?
False; it uses synchronous replication
True or False; RDS read replicas uses asynchronous replication?
True
True or False; you can promote an RDS read replica to a master?
True
True or False; for DynamoDB; one strategy for distributing loads more evenly across a partition keyspace is to add a random number to the end of the partition key values?
True, this randomizes the writes across the larger space.
Athena is used for searching full-text or querying structured data?
Querying structured data
What is AWS Cloudsearch?
CloudSearch is AWS’s managed full-text search engine
When should I choose Provisioned IOPS over Standard RDS storage?
If you use production online transaction processing (OLTP) workloads
Amazon RDS provisions that IOPS rate and storage for the lifetime of the DB instance or until you change it. Provisioned IOPS storage is optimized for I/O intensive, online transaction processing (OLTP) workloads that have consistent performance requirements.
An application running in a private subnet needs to access financial documents stored on S3. Due to the content of these documents they should not traverse outbound on the internet. How can these documents stay within the AWS network?
Create a Gateway Endpoints
A Gateway Endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service. Gateway Endpoint only supports two AWS services:
- S3
- DynamoDB
So when you need to keep traffic within AWS for S3 you need to use a Gateway Endpoint
True or False; CloudWatch Logs only publishes metric data for events that happen after the metric filter is created?
True
A parent company has an S3 bucket containing instructional documents they want to provide to a branch office which has their own AWS account. What means can be used to restrict access to these S3 objects to only the branch office’s AWS account?
- Bucket policies
- Access Control Lists
True or False; When you create a VPC from scratch it does not let you Enable DNS hostname on creation?
True; You need to turn this on afterwards. DNS Hostnames will generate a domain url so you don’t have to use your public IP address.
There is a requirement to host a database server. This server should not be able to connect to the Internet except while downloading required database patches. What is the best way to achieve this?
Setup the database in a private subnet which connects to the Internet via a NATInstance.
True or False; CloudFront can distribute videos to user?
True; it is a file, why not?
How many AZs does an AWS service need to run in to be considered ‘highly available’?
3
True or False; For an EC2 instance to connect to the internet, you have to ensure that the Route table has an entry to the Internet Gateway?
True. This is required for instances to communicate over the Internet.
When should you use S3 multipart uploads?
In general, when your object size reaches 100 MB, you should consider using multipart uploads instead of uploading the object in a single operation.
A company has assigned two web servers instances to an Elastic Load Balancer. However, the instances and the ELB are not reachable via URL to the elastic load balancer serving the web app data from the EC2 instances. How might you resolve the issue so that your instances are serving the web app data to the public Internet? Choose the correct answer from the options given below
Attach an Internet Gateway to the VPC and route it to the subnet.
If the Internet Gateway is not attached to the VPC, which is a prerequisite for the instances to be accessed from the Internet, the instances will not be reachable.
A customer wants to import their existing virtual machines to the cloud. Which service can they use for this?
VM Import/Export
VM Import/Export enables customers to import Virtual Machine (VM) images in order to create Amazon EC2 instances.
True or False; you can point Route53 Failover policy at an Auto Scaling Group?
False
True or False; resource tags can be used to control access via an IAM Policy?
True
A company’s requirement is to have a Stack-based model for its resources in AWS. There is a need to have different stacks for the Development and Production environments. Which of the following can be used to fulfil this required methodology?
Use AWS OpsWorks to define the different layers for your application.
True or False; you can use Reserved Instances for Redshift Clusters?
True
What is AWS RAM?
Resource Access Manager (RAM) is a service that enables you to easily and securely share AWS resources with AWS account or within your AWS Organisation
What is AWS ParallelCluster?
An AWS-supported open-source cluster management tool that makes it easy for you to deploy and manage High-Performance Computing (HPC) clusters on AWS.
What is Transit Gateway?
It acts as a cloud router that allows you to integrate multiple networks.
How can you improve data security on a Redis Server?
Using Redis AUTH command can improve data security by requiring the user to enter a password before they are granted permission to execute Redis commands on a password-protected Redis server.
What is an Aurora Serverless DB cluster?
An Aurora Serverless DB cluster is a DB cluster that automatically starts up, shuts down, and scales up or down its compute capacity based on your application’s needs.
When to use Aurora Serverless?
Aurora Serverless provides a relatively simple, cost-effective option for infrequent, intermittent, sporadic or unpredictable workloads.
True or False; an Aurora Provisioned DB cluster is suitable for intermittent, sporadic, and unpredictable transactional workloads?
False
What is the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for Amazon Aurora Global Database?
Recovery Point Objective (RPO) of 1 second and a Recovery Time Objective (RTO) of less than 1 minute.
How to securely serve this private content by using CloudFront?
– Require that your users access your private content by using special CloudFront signed URLs or signed cookies.
– Require that your users access your content by using CloudFront URLs, not URLs that access content directly on the origin server (for example, Amazon S3 or a private HTTP server). Requiring CloudFront URLs isn’t necessary, but we recommend it to prevent users from bypassing the restrictions that you specify in signed URLs or signed cookies.
If you want to serve private content through CloudFront, when to use signed URLs and when to use signed cookies?
Use signed URLs for the following cases:
– You want to use an RTMP distribution. Signed cookies aren’t supported for RTMP distributions.
– You want to restrict access to individual files, for example, an installation download for your application.
– Your users are using a client (for example, a custom HTTP client) that doesn’t support cookies.
Use signed cookies for the following cases:
– You want to provide access to multiple restricted files, for example, all of the files for a video in HLS format or all of the files in the subscribers’ area of a website.
– You don’t want to change your current URLs.
Amazon S3 supports which 3 destinations where it can publish events?
- SNS topic
- SQS queue
- AWS Lambda
How many destination can an Amazon S3 event notification be sent to?
1
True or False; S3 can be used for file storage?
False; it is ‘object storage’, not ‘file storage’.
True or False; Amazon Aurora typically involves a cluster of DB instances instead of a single instance?
True
True or False; you can create custom endpoints in Aurora?
True
5 Custom CloudWatch metrics for EC2
- Memory utilisation
- Disk swap utilisation
- Disk space utilisation
- Page file utilisation
- Log collection
Amazon ECS enables you to inject sensitive data into your containers by storing your sensitive data in which two services?
- AWS Secrets manager
- AWS Systems Manager Parameter Store
True or False; Amazon ECS supports resource-based policies.
False; use a role based policy instead
What is an egress-only internet gateway?
A horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet and prevents it from initiating an IPv6 connection with your instances.
What is AWS Network Firewall?
A managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs)
A NAT Gateway is for IPv4, IPv6 or both?
IPv4 only
What is AWS Directory Service?
It provides multiple ways to use Amazon Cloud Directory and Microsoft Active Directory (AD) with other AWS services.
True or False; You can invoke an AWS Lambda function from RDS to capture data-modifying events (INSERT, DELETE, UPDATE)?
False; RDS events only provide operational events such as DB instance events, DB parameter group events, DB security group events, and DB snapshot events.
True or False; You can invoke an AWS Lambda function from an Amazon Aurora MySQL-Compatible Edition DB cluster with a native function or a stored procedure?
True
True or False; When you create or update Lambda functions that use environment variables, AWS Lambda encrypts them using the AWS Key Management Service?
True
True or False; Amazon RDS provides metrics in real time for the operating system (OS) that your DB instance runs on
True
For RDS, where does CloudWatch gather metrics about CPU utilization from?
From the hypervisor for a DB instance
For RDS, where does RDS Enhanced Monitoring gather metrics about CPU utilization from?
An agent on the instance
Which sort of database can handle frequent schema changes or provides a flexible schema?
NoSQL, SQL databases are rigid
What are RDS and DynamoDBs optimised for?
- RDS is optimised for storage
- DynamoDB is optimised for compute
What is Amazon EventBridge?
Amazon EventBridge (formerly called CloudWatch Events) is a serverless event bus that makes it easy to connect applications together.
This simplifies the process of building event-driven architectures by decoupling event producers from event consumers.
Which uses synchronous data replication; RDS Read Replicas or RDS Multi-AZ deployment?
RDS Multi-AZ deployment
A Docker application, which is running on an Amazon ECS cluster behind a load balancer, is heavily using DynamoDB. You are instructed to improve the database performance by distributing the workload evenly and using the provisioned throughput efficiently.
What would you consider to implement for your DynamoDB table?
Use partition keys with high-cardinality attributes, which have a large number of distinct values for each item.
What are Amazon S3 access points?
Amazon S3 access points simplify data access for any AWS service or customer application that stores data in S3. Access points are named network endpoints that are attached to buckets that you can use to perform S3 object operations, such as GetObject and PutObject.
What is IAM DB Authentication?
You can authenticate to your DB instance using AWS Identity and Access Management (IAM) database authentication. IAM database authentication works with MySQL and PostgreSQL. With this authentication method, you don’t need to use a password when you connect to a DB instance. Instead, you use an authentication token.
True or False; when you use client-side master key for client-side data encryption, your client-side master keys and your unencrypted data are never sent to AWS?
True
True or False; for SQS queues, you have to ensure that you delete the message after processing to prevent the message from being received and processed again once the visibility timeout expires?
True
What are the maximum days for the EFS lifecycle policy?
90 days
True or False; Reserved Instances are not physical instances, but rather a billing discount applied to the use of On-Demand Instances in your account?
True
