Exams 1 & 2 Flashcards

Question

'Amazon Kinesis' questions placeholder..

Answer 1

when worded like this, it can mean any form of Kinesis, including data streams, firehose, analytics. differences between each type.... Firehose can invoke lambda to transform. data streams can capture many sources with manual work, firehose can use the same sources as data streams. see other slides

Answer 2

Macie looks for S3 issues with PII, unencrypted buckets, access controls, iam gaps…; in s3 macie looks for this activity using ML Guard duty monitors Vpc flow logs DnS logs Cloud trail logs Kuberneties EKS audit logs

Answer 3

Cloudfront = ONE correct answer. Aurora read replica option two. (maybe data cache? but not in question) memorise Cloudfront cold front shaped like a sharp wedge.

Answer 4

Incorrect - bigger deployment package, slower lambda to start - not true. Backed up by independent blog. Weird. Java and .net 100 times slower than py or js. Lambda operates from a aws owned vpc and can access pub internet or pub aws apis, like dynamo **When lambda is vpc enabled it no longer has pub access ** and will need a route through a nat gateway in a public subnet to access pub resources. Use Lambda layer for reusable code between functions Yes You can package a lambda function in ECS container images, new. (i got this wrong) Best practice - Set up CW alarm for concurrent executions or invocations over a threshold. Max run time 15 min.

Answer 5

PUB, PRIV, NAT, VPN, CIDR Vpc with single pub subnet Vpc with pub and private and site to site vpn Vpc with pub and private subnets and NAT cidr rules for the above. NOT SUPPORTED vpc with pub and private subnets and vpn site to site. ?? weird.

Answer 6

USE multipart upload and s3 transfer accelerator S3TA. Speed increase of 50 to 500%. For long distance and larger objects. Shortens the upload point for remote locations. Routes transfers through cloudfront edge locations. memorise, transfer accelerator, a different rocket ship that transfers cargo in buckets with baggage handlers to other rockets in clouds. not a global accelerator rocket.

Answer 7

Can’t use snowball. Use s3 batch replication -- plus s3 sync copy. * Sync all the new or changed objects, only current versions if bucket versioned. * Batch replication copies existing objects, not changes or new ones. This is why both are needed. memorise: batches of buckets, on pallets on a ship. copy sync, the ship has a giant kitchen sink. Sync can be used from on prem device directory. - true but not relevant.

Answer 8

Transit Gateway, more efficient than vpc peering memorise: Transit lounge virgin lounge. thousands of private clouds in the lounge. different to cloud hub which is a shopping mall in the clouds.

Answer 9

NACL is stateless, SEcurity group is statefull therefore it knows to allow the response of a request out (due to session) regardless of rules. NACL needs a rule.

Answer 10

/32 = 1 ip address = 2 ^ 0 (2 ^ (32 - 32)) /31 = 2 ip address = 2 ^ 1 /30 = 4 ip address = 2 ^ 2 (2 ^ (32 - 30)) /24 = 256 ip address = 2 ^ 8 /8 means last 3 octets are available 10.x x x /16 means last 2 octets avail 10.0.x.x /24 means last 1 octet avail 10.0.0.x

Answer 11

Total 7 services. Human subsrcibers (M E S) * Emails * Sms and * mobile push AWS services ( F H Q L -- f**ing hot in queensland) * SQS * Http endpoints on EC2 made to spec * Lambda * Kinesis firehose. 12.5 million subscribers 100,000 topics. throughput is 10 - 20 per sec for sms or email, but some questions say unlimited. and lambda threshold of 1000 per sec is the problem. be careful.

Answer 12

* After a message is polled by a consumer, it becomes invisible to other consumers * By default, the “message visibility timeout” is 30 seconds * That means the message has 30 seconds to be processed * After the message visibility timeout is over, the message is “visible” in SQS If a message is not processed within the visibility timeout, it will be processed twice • A consumer could call the ChangeMessageVisibility API to get more time • If visibility timeout is high (hours), and consumer crashes, re-processing will take time • If visibility timeout is too low (seconds), we may get duplicates

Answer 13

Use georestriction in CloudFront, to prevent users in specific locations. Use Route 53 based geolocation routing policy to restrict distn of content to only locations specified. Do not use Route 53 weighted routing policy, which lets you associate domains with weighted routing, more for LB.

Answer 14

Create **customer specific** custom prefixes within a single bucket, then upload daily files into prefixed locations S3 can handle : 3,500 put copy post delete reqs 5,500 get head req ** PER SECOND PER PREFIX ** NO limits to number of prefixes in a bucket. use this to increase performance with parellelised reads. with 10 prefixes we could get 55,000 reads per sec. Therefore the prefix becomes like a shard in kinesis. (my logic) INCORRECT change to use EFS.

Answer 15

API Gateway plus Kinesis data analytics. use kinesis DA with Apache Fink to transform and analyse streaming data in real time. Kinesis DA for logs, clickstream, IOT, ad tech, gaming. Streaming ETL, continuous metrics, real time analytics, interactive querying of data streams. This combo can handle 50 GB running storage per kinesis processing unit. API gateway - pub, monitor secure APIs at scale. http, rest, web socket apis. INCORRECT - quicksight with redshift, api gateway with lambda, athena with s3.

Answer 16

server side encryption: SSE-KMS no audit trail on these: therefor not SSE-s3 SSE-C not client side encryption.

Answer 17

Create a strong password Enable MFA on root Not !! create user access keys and share with the business owner. Not recommended. unless as a last resort.

Answer 18

CloudFront with custom origin pointing to on prem servers. global network of edge caches. Do not migrate to S3 because dynamic. Route 53 does not cache. Route 53 with geo proximity routing to US would not speed up requests.

Answer 19

S3 standard infrequent access IA. Not intelligent tiering, IA has "lower per GB storage price and GB retrieval" Glacier is a possibility not sure why it was not in the answer. Deep archive hase minutes to hours retrieval.

Answer 20

Cold HDD sc1 (tick) Throughput optimised St1 also HDD. so HDD are not boot volumes. INCORRECT therefore **can** be used for boot volumes: * instance store * Provisioned iops SSD io1, and io2 * SSD gp2 and gp3 memorise: instagram store, io jupiter moon 1, grand prix 2 on the moon. HDD backed volumes are throughput (MiB/s) optimised for large streaming workloads , compared with iops optimised SSD which is number of ops.

Answer 21

From top to bottom, a higer tier can transfer to any lower tier, not in reverse. * 1. Standard * 1. Standard Infrequent access IA * 1. Intelligent Tiering * 1. One Zone IA (skips Glacier instant) * 1. Glacier (Instant then Flexible) * 1. Glacier deep archive

Answer 22

Guard duty threat detection, monitor protect, accounts, workloads, data in S3. monitors streams from CloudTrail events, VPC flow logs, DNS logs. integrated threat intelligence from IP address,s and ML. Correct: disable GD in general settings. deletes all data. incorrect - suspend does not delete, deregister does not exist. guard duty memorise - trail, vpc flow, domains, guard besite a river - flow, walking trail, with a fenced domain.

Answer 23

Kinesis data streams, has the ability for multiple apps to consume the same stream concurrently. Supports ordered data, real time processing. stores data for up to 1 year. Not SNS and or SQS or simple email service

Answer 24

config auto scaling group to use **target tracking policy** and set CPU util as target metric with value of 50% auto scaling creates and manages the cloudwatch alarms that trigger the scaling policy memorise: archery target, rolling down railway tracks, with a policy document stuck to it with an arrow. Incorrect - config auto scale group to use simple scaling policy. or step scaling. neither of these can be set with a target, they use threshold values from CW alarms. auto scale group cannot directly use CW alarms as the source of the scale in or out. must use policy.

Answer 25

EC2 instance AMI Snapshot (see below) when an api is copied to a new region, it creates a snapshot in the new region because ami s are based on the underlying snapshots.

Answer 26

sensor data into SQS standard queue. Poll with Lambda in batches Write to auto scalled DynamoDB for processing incorrect ingest data with kinesis data streams polled by EC2 (a server!) , write into dynamodb. kinesis firehose cannot write into dynamo without custom code or lambda.

Answer 27

Suspend the ReplaceUnhealthy process type in the ASG and apply the patch. When done and ec2 healthy activate ReplaceUnhealthy process. Put the instance in standby state then update the instance with patch. then exit standby. memorise; replace unhealthy. push an old man in i wheelchair off a cliff. process type, he is holding a process document.. standby and watch. horrible memorable.

Answer 28

Intelligent tiering to Standard (correct and invalid) One zone IA to standard IA. (missed and correct and invalid) Std > IA > Intel > IA One Z > Glac Inst > Glac Flex > Glac Deep memorise: std > IA > Intel > one zone IA Instant (skip) > FLexible > Deep IA One zone skips Glac Inst

Answer 29

Storage Gateway - File Gateway. A hybrid service that gives on prem access to unlimited cloud storage. Tape, File and Volume. They cache data locally for low latency. File gateway (S3), seamless way to store files in S3, the files appear to be on SMB or NFS locally, but in background, by translating requests into http S3 requests. File gw supports SMB or NFS. File gateway also supports FSx for Windows File Server as an alternative to S3 in AWS Requires IAM roles, and SMB supports AD on prem. Volume gateway supports iscsi block storage in cloud to on prem. does not support NFS. Volume gw has cache and .... mode which indicates where the primary data is stored) Memorise. Storage gateway. shipping container at diggers with doors open. File cabinet, volume on guitar amp, tape player

Answer 30

Aurora will promote the read repliaca that has * the highest priority (which means the lowest tier number) * If 2 or more with same priority, then promote the replica with the largest size. choice was between tier-1 **32 TB** or tier-1 16 TB. Aurora allows you create up to 15 read replicas to increase read throughput and for use as failover targets. The replicas share storage with the primary instance and provide lightweight, fine-grained replication that is almost synchronous, with a replication delay on the order of 10 to 20 milliseconds.

Answer 31

Higest to lowest EBS due to 100GB total size EFS because based on usage, bytes used. S3 standard based on usage.

Answer 32

Replace NLB with Application LB, config http health checks. use auto scale group to replace unhealthy instances. (using the ALB health checks) NLB at layer 4 of osi model. uses TCP connection. does not support http health checks. (although documentation says it does with limitations on TLS version, be careful. Possible CORRECTION)

Answer 33

use Application LB with EC2 instances across multi AZ. Plus Auto scale group. ALB can configure **content based routing** using headers or urls. (/api -> A /mobile-> B) memorise: app LB (scales with weights, the weights are mobile phones with apps, at a crossroads (route) there is content on the phones) incorrect. Network LB, EC2, private ip addresses. (pretty obvious, no auto scale, no HA.)

Answer 34

ElastiCache (redis and ...d) which can be used with DynamoDB DynamoDB DAX incorrect ElastiSearch.

Answer 35

seven. PPG alow you to have separate network hardware and rack per instance for HA. partition is like a rack. spread placement group is where each instance is in a separate partition or rack. memorise: partition seven. seven deadly partitions, each one has a venemous animal.

Answer 36

protect from a DDOS attack standard version free and active for all accounts advanced version for sophisticated attacks on EC2 Elastic LB Cloudfront global accelerator adds WAF rules and WAF is integral to the service. has a team on call 24 7 AWS Shield Standard provides always-on network flow monitoring, which inspects incoming traffic to AWS services and applies a combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real time.

Answer 37

FSx File Gateway for on prem access to AWS FSx for Windows File Server. incorrect - Storage Gateway / File Gateway does not support shares for windows. memorise - storage gateway is a container with doors with filing cabinets and volume amp does not have any windows.

Answer 38

WAF (web application firewall) attached to the Application LB in a VPC. use ip address to block. configure the WAF based on rules in the ACL with geo match conditions. not in obvious docs. Correction suggestion. Geo restriction feature of cloudfront. aparently incorrect because CF is not in the VPC.

Answer 39

WAF (web application firewall) on the Application LB in a VPC. use ip address to block. configure the WAF based on rules in the ACL with geo mathch conditions. Waf can be deployed on App LB API gateway Cloudfront incorrect - Geo restriction feature of cloudfront. aparently incorrect because CF is not in the VPC and harder and more $. memorise - spider web putting out the fire on the wall with a scales with apps on mobile phones on the scale.

Answer 40

10 Snowball edge storage optimised devices VPN site to site for on going connectivity. Each snowball edge has 80 tB of HDD and 1 TB SSD and 40 vcpus. 40 GB network connectivity. Same storage as the old Snowball device. * Snowmobile 100 PB * Snowball Edge 210TB (104 vcpu, 416 GB mem) * Snowball Edge 80TB (40 vcpu, 80 GB mem) * Snowball Edge Compute Optimised 28 TB (104 vcpu, 416 GB mem) * Snowcone 8TB (4 vcpu, 4GB mem)

Answer 41

Kinesis data firehose with Lambda to filter and transform the stream, send output to S3 (dumped). kinesis data streams, or Kinesis agent and all the same sources as KDS can be used to capture the data. The question may be incomplete. incorrect - Kinesis data analytics, with SQL queries to filter and transform, write to s3

Answer 42

Global Accelerator, multi region, supports UDP. improve perf lower latency, less variation of latency, increased throughput. good fit for non http. such as gaming and IOT, voice. Use with ELB. incorrect - Elastic LB. one region only. Gamers in the blue green global accelerator rocket, gamers use udp.

Answer 43

Instance store based EC2. temp block storage, disks physically attached. frequently changing data. works well for replicated data. high random io perf. at low cost. incorrect - EFS mount points ruled out because of extra cost and complexity, and lower IO perf.

Answer 44

expedited 1-5 min standard 3-5 hours bulk 5 - 12 hours everything above Flexible retrieval is millisecond Max time memorise 5 minutes / 5 hours / 12 hours 5m / 5h / 12h

Answer 45

Standard 12h, or Bulk 48h 12 x 4 = 48. half day or 2 days. long time. starting at max time of flex retrieval.

Answer 46

User based policy Bucket policies which allows cross account access Object ACL, Bucket ACL IAM principle (user, app) can access S3 object if (the user IAM perms Allow **OR** the resource policy allows) **AND** there is no explicit Deny

Answer 47

SNS, SQS, Lambda, Event Bridge ...can receive events from bucket object actions For each of the above, there are ____ Resource access policies, Bucket policy, bucket and object ACL, principle, effect, Action, resource, condition....

Answer 48

SNS, SQS, Lambda, event bridge. can receive events from bucket object actions For each of the above, there are ____ Resource access policies, principle, effect, Action, resource, condition.... Similar to s3 bucket policies. Not IAM roles!!

Answer 49

The data objects must be CSV, Json, parquet format, even when compressed. Use S3 Select can use SQL to filter the contents of these S3 objects

Answer 50

Server side encryption , type is AES-256, must set x-amz-sse header to AES256. enabled by default on new buckets and objects.

Answer 51

MANAge the keys in Key Management Service. benefits - user control and * audit of key usage using CloudTrail. * set S3 put header to x-amz-sse aws:kms. Limitations, each request to en/decrypt counts to the KMS quota per second based on region. * about 5500, to 30000 requests dependig on region

Answer 52

S3 Access points. each has a policy that restricts access for iam users to a prefix and read or write. Simplifies the bucket policy, because the access points do the work. access point has its own DNS name. memorise prefix, they them pronouns, excess point, excessive party point, they point access excess.

Answer 53

Retention Compliance Mode (strict permanent) Retention Governance Mode Legal Hold Glacier Vault Lock (strict permanent) --------- S3 object lock - retention compliance mode. object versions can't be overwritten or deleted by any user including root. ever. Retention modes can't be changed. Versioning must be enabled. Object Lock - Retention mode - governance. more relaxed. some users can delete or alter modes. Retention period, project object for time. Legal hold, protect object indefinitely, independent of retention period. hold can be removed. Glacier Vault Lock. create policy. object can't be changed or deleted, ever by anyone. The safe is buried under a glacier.

Answer 54

auto scale group with scheduled action that starts at hour/day of month. Set **desired capacity of instances** to 10. this causes the scale out to happen before peak incorrect - set the min and max to 10. incorrect. - simple and target tracking.

Answer 55

Guard duty for S3, plus accounts, workloads, cloudtrail events, vpc flow logs, dns logs. amazon inspector for EC2, network access, vulnrblty.

Answer 56

apply a retention period to object version explicitly, you specify **Retain Until Date - for the version** Different versions of an object can have different retention periods (got this wrong, but see above for hint. incorrect - you cannot place retention period on an object version thgouh a bucket default setting.

Answer 57

Multi az has synchronous replication and spans 2 or more AZ in one region, the primary DB instance repliactes **synchronously** to standby instance in different AZ Read repliacs have async replication and can be in AZ, cross AZ, cross region. **Incorrect !! Multi AZ has async replication**

Answer 58

the key was deleted one day ago, it will be in '**pending deletion**' status and can be recovered by canceling the delete. you can set a waiting peirod of 7 - 30 days before the deleted keys are deleted, default 30.

Answer 59

SNS delivery to Lambda have crossed the concurrency quota for Lambda, contact aws support to raise the limit. Lambda supports 1000 concurrent executions per AWS account per region. incorrect - SNS has hit a scalability limit. SNS limits are 20 per second for email or sms. but SNS dynamically scales so it shoul never be a bottleneck. AWS documentation contradicts this. be careful.

Answer 60

Yes, if TA is used across AZ/region, if you go direct to source bucket in same AZ/region then no charges for S3 without TA.

Answer 61

Application Load balancer is one that can, not sure about others. ALB also does host based routing, header based routing, method based routing, query string param routing, source ip / cidr routing.

Exams 1 & 2 Flashcards

(85 cards)