Exam Review

Question 1

True or False: Instances in the standby state are not a part of the ASG?

Answer 1

False. They do not actively handle application traffic but are still a part of the ASG; they will not be actively replaced as your desired capacity is actually reduced by one

Question 2

What is Amazon Aurora Global Database?

Answer 2

Designed for globally distributed applications, where a single Amazon Aurora database spans multiple regions. It replicates your data with no impact on DB performance.

It consists of one primary DB in a primary region and up to five read replicas in secondary regions

Question 3

What is Amazon Guard Duty?

Answer 3

Amazon Guard Duty uses machine learning to inspect CloudTrail S3 Event Logs, CloudTrail Events, VPC Flow Logs and DNS Logs for threats

Question 4

What is Amazon Inspector?

Answer 4

Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for software vulnerabilities and unintended network exposure. Amazon Inspector automatically discovers and scans running Amazon EC2 instances, container images in Amazon Elastic Container Registry (Amazon ECR), and AWS Lambda functions

Question 5

What is a permissions boundary?

Answer 5

A permissions boundary is an advanced IAM concept where you can use a managed or custom IAM policy to set the maximum allowable permission on an IAM principal

Question 6

What is the rate limit of requests per second in an S3 bucket?

Answer 6

S3 buckets can theoretically scale infinitely, but each prefix can get up to 3,500 writes and 5,500 read requests per second

Question 7

We host files for customers in S3 buckets for our customers, why would it be a bad idea to have a bucket for each customer?

Answer 7

Bucket names need to be globally unique so this would have to be done manually and names may not be available. You would also need to have the connections string for each bucket

Question 8

What would be the major advantage of EFS over S3?

Answer 8

EFS can be used if you need EC2 instances to be closer to zero latency network communication, especially if in a cluster

Question 9

What is consolidated billing?

Answer 9

It allows you to track and manage spending across multiple accounts

Question 10

What services does AWS savings plan cover?

Answer 10

EC2, Lambda and Fargate

Question 11

How many messages can you batch together for SQS?

Answer 11

10 messages is the max for both standard and FIFO

Question 12

How many messages per second can FIFO queue support when you batch?

Answer 12

3,000 messages per second if you are batching 10 messages (maximum) per API operation; 10 messages x 300 operations (max requests per second) per second = 3,000 messages

Question 13

What is AWS Direct Connect?

Answer 13

Direct Connect lets you establish a direct connection from your on premise network to AWS Direct Connect locations

Question 14

Why would you use AWS Direct Connect plus site-to-site VPN?

Answer 14

The VPN allows for a more robust secure connection and Direct Connect allows lower latency and greater bandwidth

Question 15

Does RDS multi-az provide synchronous or async capabilities? What about Read Replicas?

Answer 15

Multi-AZ is syncronous and spans at least two AZs; Read Replicas are async and can span one AZ, cross AZ or Cross-Region

Question 16

We need to order and replay records in a data pipeline, should we use Kinesis Data Streams or Firehose?

Answer 16

Data Streams

Question 17

You need real time processing of data, would you use SQS or Kinesis Streams?

Answer 17

Kinesis Streams; also, if we want multiple applications to consume the same data concurrently, then Kinesis Streams is also the better choice

Question 18

What is RDS Custom?

Answer 18

RDS Custom allows for you to customize your database environment and the underlying operating system

RDS itself does not allow access to customize the DB server host and OS

Question 19

What is S3 Transfer Acceleration?

Answer 19

Utilizes the CloudFront edge locations to upload data to S3; as the data arrives at the edge locations, it uses an optimized path through Amazons network to deliver to S3

Question 20

True or False: AWS Firehouse can write directly into Lambda

Answer 20

False

Question 21

What is AWS FSx for Windows?

Answer 21

Allows you to host a Windows File Server in AWS that scales and is supported. Can access it through the file gateway

Question 22

We need to upload files to S3 faster, what should we use: Transfer Acceleration or Global Accelerator?

Answer 22

S3 Transfer Acceleration.

Global Acceleration is for utilizing AWS network endpoints to give access to Amazons network for faster application access and response times. It is used for ALB, NLB and EC2. Work through TCP or UDP

Question 23

True or False: we can apply a retention period to an object version

Answer 23

True and we must supply the Retain Until Date

Question 24

True or False: We cannot apply Object Lock to different object versions

Answer 24

False

Question 25

When should we choose between Snowball and Snowmobile?

Answer 25

Snowmobile is for datasets larger than 10PB and Snowball is for datasets less than 10PB or distributed in multiple locations Snowball provides Edge storage optimized device(s) that can store up to 80 TB

Question 26

How does CloudFront work?

Answer 26

When a user requests content/files, they are routed to the nearest edge location. If the edge location has the assets/files, it will deliver it. If not, it will reach out to the origin host, retrieve them there and then cache. This all utilized AWS backbone network

Question 27

True or False: CloudFront can have a Route53 DNS record as an endpoint

Answer 27

False

Question 28

How can we block requests from specific countries using AWS WAF?

Answer 28

Geo Match Conditions in AWS WAF allow us to restrict application access based on the geographical location of our viewers

Question 29

Which is better for improving performance over TCP/UDP: CloudFront or Global Accelerator?

Answer 29

Global Accelerator; GA is a great fit for non-http use cases

Question 30

What is DynamoDB Acccelerator (DAX)?

Answer 30

DAX is an in-memory cache for DynamoDB that delivers up to 10x performance improvement

Question 31

We need a high-performance file system where files can be accessed rapidly and that can easily integrate with S3. What can we use?

Answer 31

FSx for Lustre. We use FSx for Lustre for workloads where speed matters such as machine learning, high performance computing, video processing and financial modeling

Question 32

What is Amazon EMR?

Answer 32

EMR is a managed cluster platform that simplifies running big data frameworks like Hadoop and Spark

Question 33

What is the difference in pricing between ECS (with EC2) and ECS Fargate?

Answer 33

ECS with EC2 charges based on number of instances and EBS volumes Fargate charges based on vCPU and memory resources that the containerized application requests

Question 34

How many concurrent requests per account does Lambda support?

Answer 34

1000. Past that, you need to contact AWS support

Question 35

What content types skip the regional cache in cloudfront?

Answer 35

Proxy methods PUT/POST/PATCH/OPTIONS/DELETE go directly to the origin Dynamic content, as determined at request time

Question 36

For our application, we do not want to provide our own encryption keys but do want to maintain an audit trail of the when the encryption key was used and by whom. What do we use?

Answer 36

AWS SSE-KMS

Question 37

We accidentally deleted a key in AWS KMS, what can we do?

Answer 37

Keys deleted in KMS go into a "waiting" period. The waiting period is 7 days and can be configured to go up to 30 days

Question 38

What is the difference between AWS Storage Gateway - Volume Gateway vs AWS Storage Gateway - File Gateway?

Answer 38

Volume Gateway is a block storage and File Gateway is a file system Storage Gateway is a cloud-hybrid storage option

Question 39

When does the user data on an EC2 execute?

Answer 39

When you first boot up the instance

Question 40

True or False: Scripts entered as EC2 user data are executed with root user privileges

Answer 40

True

Question 41

What is AWS Transit Gateway?

Answer 41

Transit Gateway provides a hub and spoke design for connecting VPCs and on-premises networks as a fully managed service without requiring to provision virtual appliances No VPN overlay is needed and AWS manages high availability and scalability

Question 42

If we are doing big data workloads on EC2 and need it to be highly available would we use partition or spread placement group?

Answer 42

We want partition. Partition has clusters which is great for big data and spread across different racks so it is fault tolerant and highly available

Question 43

What is AWS Data Sync?

Answer 43

It is a data discovery and migration service provided by AWS; helps move data quickly and securely between services such as S3, NFS, Snowcone, FSx for Lustre, ect. Transfers data online

Question 44

Why would you use an S3 VPC endpoint?

Answer 44

It provides a way for a resource in a private subnet to reach out to an S3 bucket Stays within the AWS network

Question 45

True or False: Objects uploaded to an S3 bucket are owned by the up-loader and not the bucket owner

Answer 45

True. By default, an S3 object is owned by the AWS account that uploaded it. This is true even when the bucket is owned by another account.

Question 46

True or False: RDS read replicas improve both scalability and availability

Answer 46

False. The improve scalability but not availability.

Question 47

What is the health check grace period for ASG?

Answer 47

The HealthCheckGracePeriod determines how long the ASG will wait before checking the health status of an EC2 instance

Question 48

Does an ASG use the ELB health check?

Answer 48

Not by default, but it can be set up

Question 49

What is the difference between Cognito User Pools and Identity Pools?

Answer 49

User Pools are for Authentication and Identity Pools are for Authorization

Question 50

What is the difference between AWS PrivateLink and Direct Connect?

Answer 50

PrivateLink ensures data security in connections with the cloud. Primarily used for security Direct Connect goes through a private network, but does not ensure security with encryption (need a VPN for that). Primarily used for low-latency, higher bandwith use cases

Question 51

What is the difference between AWS PrivateLink and Direct Connect?

Answer 51

PrivateLink ensures data security in connections with the cloud. Primarily used for security Direct Connect goes through a private network, but does not ensure security with encryption (need a VPN for that). Primarily used for low-latency, higher bandwidth use cases

Question 52

True or False: You can move from Snowball straight to S3 Glacier

Answer 52

False. You need to go through S3 Standard then implement a Lifecycle Policy if we want it directly to Glacier

Question 53

We need to ensure cross-account control and user-level control on an S3 bucket, should we use ACLs, Bucket policies or IAM policies

Answer 53

Bucket policies because we can control them on an account and personal level ACLs will do cross-account but not user-level (Note: ACLs are no longer recommended by AWS) IAM policies can do a user level but not cross-account

Question 54

Which are costlier, dedicated hosts or instances

Answer 54

Hosts. They reserve a physical server and give you complete control to how instances are placed on there

Question 55

True or False: We can directly integrate Cognito Authentication via Cognito User Pools with a CloudFront distribution

Answer 55

False. We would need a Lambda@Edge function to create the rest of the authentication logic

Question 56

You want to share specific resources in one AWS account with another for low cost and can scale. What should we use?

Answer 56

AWS Resource Access Manager. Allows you to share resources cross-account and determine permissions. RAM is available with no additional charge, so it is also cheap We could use VPC Peering but that we would have to manage for each account connection and that would be higher cost and would not scale well Transit Gateway would be expensive

Question 57

True or False: To grant a Lambda cross-account access to an S3 bucket, we need to give the Lambda the proper IAM execution role

Answer 57

False. We also need to make sure the bucket policy allows the Lambda functions execution role

Question 58

What must we configure in a Site-to-Site VPN?

Answer 58

A Virtual Private Gateway on the AWS side and a Customer Gateway on the on-premise side

Question 59

What is a VPC endpoint?

Answer 59

VPC endpoint enables the creation of a private connection between VPC to supported AWS services and VPC endpoint services powered by PrivateLink using its private IP address

Question 60

What is the difference between AWS Database Migration Service and AWS Glue?

Answer 60

DMS is for moving entire datasets and schemas over in a managed fashion. Almost like a point and shoot. Glue helps you perform ETL which is more involved with discovery, transformation scripts and transfer AWS Glue is not for database migrations

Question 61

What is the difference between an SQS delay queue and a visibility timeout?

Answer 61

Visibility timeout is for pausing retrieval from the queue, delay queue is for pausing the insertion

Question 62

True or False: Schema Conversion Tool and Database Migration Service are the same service

Answer 62

True. Schema Conversion Tool is part of the Database Migration Service

Question 63

True or False: EFS supports SMB protocol

Answer 63

False

Question 64

True or False: NAT gateways can exist in multiple AZs

Answer 64

False

Question 65

We want to reduce the price of our SQS usage, what can we use?

Answer 65

Long polling

Question 66

If we have files that are larger than 1GB in S3 and they need to be delivered, what can we do?

Answer 66

For files larger than 1GB, we can use Transfer Acceleration

Question 67

True or False: Terminated instances cannot be recovered. A recovered instance is identical to the original instance, including the instance ID, private IP addresses, Elastic IP addresses, and all instance metadata.

Answer 67

True

Question 68

True or False: if your instance has a public IPv4 address, it retains the public IPv4 address after recovery.

Answer 68

True

Question 69

True or False: You can copy AMI across Regions but not across accounts

Answer 69

False. You can copy across both

Question 70

What is the difference between a Internet Gateway and a VPC Gateway Endpoint?

Answer 70

An Internet Gateway allows a subnet to connect to the Internet whereas a VPC Gateway Endpoint allows resources in subnets to access S3 or DynamoDB without using a NAT Instance of IG

Question 71

True or False: NAT Gateway supports port forwarding

Answer 71

False. NAT Instances support port forwarding

Question 72

True or False: An Application Load Balancer can be assigned an Elastic IP

Answer 72

False

Question 73

What is the best service option when trying to decouple a monolithic application into microservices

Answer 73

SQS

Question 74

What is AWS CloudHub?

Answer 74

CloudHub helps you manage multiple site-to-site VPN connections

Question 75

True or False: AWS File Gateway can move files to EFS

Answer 75

False. File Gateway can only transfer to S3

Question 76

What is VPC Sharing?

Answer 76

VPC sharing is a part of Resource Access Manager that allows AWS accounts to create their resources in a centrally-managed VPC by sharing a subnet (NOT sharing a VPC)

Question 77

True or False: An Internet Gateway ID can be a custom source in a security group

Answer 77

False

Question 78

What is Cross-Zone Load Balancing?

Answer 78

With Cross-Zone Load Balancing enabled, each NODE gets a fair share of the traffic across AZs; when it is disabled, the traffic is spread across the AZs

Question 79

True or False: you cannot create a CNAME record for the top node the same DNS namespace

Answer 79

True: example.com cannot go to www.example.com

Question 80

Which service can we consume concurrently, Kinesis Streams or Firehose?

Answer 80

Streams

Question 81

You need to set up a consistent resource provisioning process across AWS Organization departments so that each resource is pre-defined. What can we use?

Answer 81

CloudFormation StackSets; they allow you to create, update, or delete stacks across multiple accounts and AWS Regions with a single operation