Miscellaneous Flashcards

Question

A High Performance Computing (HPC) application needs storage that can provide 135,000 IOPS. The storage layer is replicated across all instances in a cluster. What is the optimal storage solution that provides the required performance and is cost-effective?

Answer 1

Instance stores offer very high performance and low latency. As long as you can afford to lose an instance, i.e. you are replicating your data, these can be a good solution for high performance/low latency requirements.

Answer 2

Use Lambda@Edge to compress the files as they are sent to users

Answer 3

Deploy an AWS DataSync agent for the on-premises environment. Configure a task to replicate the data and connect it to a VPC endpoint

Answer 4

S3 \< EBS \< EFS

Answer 5

An **AWS Batch** multi-node parallel job is compatible with any framework that supports IP-based, internode communication, such as Apache MXNet, TensorFlow, Caffe2, or Message Passing Interface (MPI)

Answer 6

An **AWS Batch** multi-node parallel job is compatible with any framework that supports IP-based, internode communication, such as Apache MXNet, TensorFlow, Caffe2, or Message Passing Interface (MPI)

Answer 7

900 seconds (15mins)

Answer 8

You can use both **Athena and Redshift Spectrum** against the same data assets. You would typically use Athena for ad hoc data discovery and SQL querying, and then use Redshift Spectrum for more complex queries and scenarios where a large number of data lake users want to run concurrent BI and reporting workloads.

Answer 9

**Programmatic access:** The IAM user might need to make API calls, use the AWS CLI, or use the Tools for Windows PowerShell. In that case, create an access key (access key ID and a secret access key) for that user. **AWS Management Console access**: If the user needs to access the AWS Management Console, [create a password for the user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_admin-change-user.html). Disabling console access for a user prevents them from signing in to the AWS Management Console using their user name and password. It does not change their permissions or prevent them from accessing the console using an assumed role.

Answer 10

1. You use the AWS Schema Conversion Tool (AWS SCT) to extract the data locally and move it to an Edge device. 2. You ship the Edge device or devices back to AWS. 3. After AWS receives your shipment, the Edge device automatically loads its data into an Amazon S3 bucket. 4. AWS DMS takes the files and migrates the data to the target data store. If you are using change data capture (CDC), those updates are written to the Amazon S3 bucket and then applied to the target data store.

Answer 11

Amazon Athena is an interactive query service that makes it easy to analyse data in Amazon S3, using standard SQL commands. It will work with a number of data formats including "JSON", "Apache Parquet", "Apache ORC" amongst others, but "XML" is not a format that is supported.

Answer 12

Size constraint, IP match, String match

Answer 13

1. Ensure EC2 instances are types that can be optimized to use with EBS 2. Schedule snapshots of HDD based volumes for periods of low use 3. Stripe volumes together in a RAID 0 config

Answer 14

Has at least one route in its route in its routing table that uses an Internet Gateway

Answer 15

1. Description 2. Parameters 3. Mappings 4. Resources 5. Outputs 6. Metadata 7. Rules 8. Conditions 9. Transform

Answer 16

There is no route connecting your VPC back to the on premise data center. You need to add this route to the route table and then enable propagation on the Virtual Private Gateway.

Answer 17

content-type host x-amz-date x-amz-target

Answer 18

The names of the AZs are randomly applied so es-west-1b is not necessarily same physical location for all three accounts!

Answer 19

The public IP address is not managed on the instance. It's an alias applied as a network address translation of the private IP address.

Answer 20

Modify the ASG cool-down timers Modify the Amazlon CloudWatch alarm period

Answer 21

20 per region, soft limit

Answer 22

SQL Server Oracle

Answer 23

You can specify whether a read is eventually consistent or strongly consistent. To get a strongly consistent read result, you can specify optional parameters in a request. It takes more resources to process a strongly consistent read than an eventually consistent read.

Answer 24

Elasticache for Redis. Memcached **not.**

Answer 25

**Multi-AZ RDS** creates a replica in another AZ and **synchronously** replicates to it (DR only). Asynchronous replication is used by RDS for Read Replicas.

Answer 26

*AWS throttling limits* are applied across all accounts and clients in a region. These limit settings exist to prevent your API—and your account—from being overwhelmed by too many requests. These limits are set by AWS and can't be changed by a customer. Per-account limits are applied to all APIs in an account in a specified Region Per-API, per-stage throttling limits are applied at the API method level for a stage *Per-client throttling limits* are applied to clients that use API keys associated with your usage plan as client identifier

Answer 27

To enable your Lambda function to access resources inside your private VPC, you must provide additional VPC-specific configuration information that includes VPC subnet IDs and security group IDs. AWS Lambda uses this information to set up elastic network interfaces (ENIs) that enable your function.

Answer 28

AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for 8 services. Please check the AWS link below for the latest information.

Answer 29

Trusted Advisor is an online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment. Trusted Advisor provides real time guidance to help you provision your resources following AWS best practices. AWS Trusted Advisor offers a Service Limits check (in the Performance category) that displays your usage and limits for some aspects of some services.

Answer 30

The company should implement an AWS Direct Connect connection to the closest region. A Direct Connect gateway can then be used to create private virtual interfaces (VIFs) to each AWS region. Direct Connect gateway provides a grouping of Virtual Private Gateways (VGWs) and Private Virtual Interfaces (VIFs) that belong to the same AWS account and enables you to interface with VPCs in any AWS Region (except AWS China Region).

Answer 31

The ECS container agent is included in the Amazon ECS optimized AMI and can also be installed on any EC2 instance that supports the ECS specification (only supported on EC2 instances). Therefore, you don’t need to verify that the agent is installed. You need to verify that the installed agent is running and that the IAM instance profile has the necessary permissions applied. Troubleshooting steps for containers include: - Verify that the Docker daemon is running on the container instance. - Verify that the Docker Container daemon is running on the container instance. - Verify that the container agent is running on the container instance. - Verify that the IAM instance profile has the necessary permissions.

Answer 32

For RTMP CloudFront distributions files must be stored in an S3 bucket.

Answer 33

AWS OpsWorks is **a configuration management service that provides managed instances of Chef and Puppet**. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers.

Answer 34

curl to …/latest/meta-data/

Answer 35

VPC → Subnet → Network Interface

Answer 36

Set a ASN for the VPG

Answer 37

1. Use Termination Protection 2. Delay300

Answer 38

* [Elastic Load Balancing (Application Load Balancer)](https://docs.aws.amazon.com/lambda/latest/dg/services-alb.html) * [Amazon Cognito](https://docs.aws.amazon.com/lambda/latest/dg/services-cognito.html) * [Amazon Lex](https://docs.aws.amazon.com/lambda/latest/dg/services-lex.html) * [Amazon Alexa](https://docs.aws.amazon.com/lambda/latest/dg/services-alexa.html) * [Amazon API Gateway](https://docs.aws.amazon.com/lambda/latest/dg/with-on-demand-https.html) * [Amazon CloudFront (Lambda@Edge)](https://docs.aws.amazon.com/lambda/latest/dg/lambda-edge.html) * [Amazon Kinesis Data Firehose](https://docs.aws.amazon.com/lambda/latest/dg/services-kinesisfirehose.html)

Answer 39

* [Amazon Simple Storage Service](https://docs.aws.amazon.com/lambda/latest/dg/with-s3.html) * [Amazon Simple Notification Service](https://docs.aws.amazon.com/lambda/latest/dg/with-sns.html) * [Amazon Simple Email Service](https://docs.aws.amazon.com/lambda/latest/dg/services-ses.html) * [AWS CloudFormation](https://docs.aws.amazon.com/lambda/latest/dg/services-cloudformation.html) * [Amazon CloudWatch Logs](https://docs.aws.amazon.com/lambda/latest/dg/services-cloudwatchlogs.html) * [Amazon CloudWatch Events](https://docs.aws.amazon.com/lambda/latest/dg/with-scheduled-events.html) * [AWS CodeCommit](https://docs.aws.amazon.com/lambda/latest/dg/services-codecommit.html) * [AWS Config](https://docs.aws.amazon.com/lambda/latest/dg/services-config.html)

Answer 40

The purpose of an "Egress-Only Internet Gateway" is to allow IPv6 based traffic within a VPC to access the Internet, whilst denying any Internet based resources the possibility of initiating a connection back into the VPC.

Answer 41

Amazon Lightsail is a cloud service offered by Amazon Web Services ([AWS](https://www.techtarget.com/searchaws/definition/Amazon-Web-Services)) that bundles cloud compute power and memory for new or less experienced cloud users.

Answer 42

Route 53 has a security feature that prevents internal DNS from being read by external sources. The work around is to create a EC2 hosted DNS instance that does zone transfers from the internal DNS, and allows itself to be queried by external servers.

Answer 43

![]() When you create a **virtual private gateway**, you can specify the private Autonomous System Number (ASN) for the Amazon side of the gateway. If you don't specify an ASN, the virtual private gateway is created with the default ASN (64512). A ***customer gateway*** is a resource that you create in AWS that represents the customer gateway device in your on-premises network. When you create a customer gateway, you provide information about your device to AWS.

Answer 44

Multipart upload provides options for more robust file upload in addition to handling larger files than single part upload.

Answer 45

Spread Placement Groups are recommended for applications that have a small number of critical instances which need to be kept separate from each other. Launching instances in a Spread Placement Group reduces the risk of simultaneous failures that might occur when instances share the same underlying hardware.

Answer 46

**Wrong.** AWS holds compliance certification for the services that 'AWS' runs. As a customer you are still responsible for the compliance certification of the code and process and configurations that 'you' manage. However you can avoid the cost and complication of proving that the underlying services are compliant.

Answer 47

Each EC2 instance performs source/destination checks by default. This means that **the instance must be the source or destination of any traffic it sends or receives**. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself.

Answer 48

Once a VPC is set to Dedicated hosting, it can be changed back to default hosting via the CLI, SDK or API. Note that this will not change hosting settings for existing instances, only future ones. Existing instances can be changed via CLI, SDK or API but need to be in a stopped state to do so

Answer 49

When you create a custom VPC, a default **Security Group, Access control List, and Route Table** are created automatically. You must create your own subnets, Internet Gateway, and NAT Gateway

Answer 50

**Virtual style** puts your bucket name 1st, s3 2nd, and the region 3rd. **Path style** puts s3 1st and your bucket as a sub domain. Legacy Global endpoint has no region. **S3 static hosting** can be your own URL or your bucket name 1st, s3-website 2nd, followed by the region. *AWS are in the process of phasing out Path style, and support for Legacy Global Endpoint format is limited and discouraged.*

Answer 51

Run Command is designed to support a wide range of enterprise scenarios including installing software, running ad hoc scripts or Microsoft PowerShell commands, configuring Windows Update settings, and more. Run Command can be used to implement configuration changes across Windows instances on a consistent yet ad hoc basis and is accessible from the AWS Management Console, the AWS Command Line Interface (CLI), the AWS Tools for Windows PowerShell, and the AWS SDKs.

Answer 52

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It is not used for ad-hoc script execution.

Answer 53

- Instances in a peered VPC. - AWS resources that are addressable by IP address and port. - On-premises resources linked to AWS through Direct Connect or a VPN connection

Answer 54

A VPC automatically comes with a default network ACL which allows all inbound/outbound traffic. A custom NACL denies all traffic both inbound and outbound by default.

Answer 55

To prevent direct connectivity to the EC2 instances from the internet you can deploy your EC2 instances in a private subnet and have the ELB in a public subnet. To configure this you must enable a public subnet in the ELB that is in the same AZ as the private subnet.

Answer 56

Route tables determine where network traffic is directed. In your route table, you must add a route for your remote network and specify the virtual private gateway as the target. This enables traffic from your VPC that’s destined for your remote network to route via the virtual private gateway and over one of the VPN tunnels. You can enable route propagation for your route table to automatically propagate your network routes to the table for you.

Answer 57

You can associate an *AWS Direct Connect gateway* with either of the following gateways: - A transit gateway when you have multiple VPCs in the same Region. - A virtual private gateway. In this case account Z owns the Direct Connect gateway so a VPG in accounts A and B must be associated with it to enable this configuration to work. After Account Z accepts the proposals, Account A and Account B can route traffic from their virtual private gateway to the Direct Connect gateway. "Associate the Direct Connect gateway to a transit gateway in each region" is incorrect. This would be a good solution if the accounts were in VPCs within a region rather than across regions.

Answer 58

Default security groups have inbound allow rules (allowing traffic from within the group) whereas custom security groups do not have inbound allow rules (all inbound traffic is denied by default). All outbound traffic is allowed by default in custom and default security groups.

Answer 59

Field-level encryption allows you to enable your users to securely upload sensitive information to your web servers. The sensitive information provided by your users is encrypted at the edge, close to the user, and remains encrypted throughout your entire application stack. This encryption ensures that only applications that need the data—and have the credentials to decrypt it—are able to do so.

Answer 60

Glacier is designed for durability of 99.999999999% of objects across multiple Availability Zones. Data is resilient in the event of one entire Availability Zone destruction. Glacier is “designed for” availability of **99.99%**

Answer 61

You can restore a DB instance to a specific point in time, creating a new DB instance. When you restore a DB instance to a point in time, the default DB security group is applied to the new DB instance. If you need custom DB security groups applied to your DB instance, you must apply them explicitly using the AWS Management Console, the AWS CLI modify-db-instance command, or the Amazon RDS API ModifyDBInstance operation after the DB instance is available. Restored DBs will always be a new RDS instance with a new DNS endpoint and you can restore up to the last 5 minutes.

Answer 62

*Amazon DynamoDB auto scaling* uses the AWS Application Auto Scaling service to dynamically adjust provisioned throughput capacity on your behalf, in response to actual traffic patterns. This is the most efficient and cost-effective solution to optimizing for cost.

Answer 63

Amazon Neptune is a new product that offers a fully-managed Graph database.

Answer 64

You can control who can administer your file system using IAM. You can control access to files and directories with POSIX-compliant user and group-level permissions. POSIX permissions allows you to restrict access from hosts by user and group. EFS Security Groups act as a firewall, and the rules you add define the traffic flow.

Answer 65

All EBS types and all instance *families* support encryption but not all instance *types* support encryption. There is no direct way to change the encryption state of a volume. Data in transit between an instance and an encrypted volume is also encrypted.

Answer 66

If using an ELB it is best to enable ELB health checks as otherwise EC2 status checks may show an instance as being healthy that the ELB has determined is unhealthy. In this case the instance will be removed from service by the ELB but will not be terminated by Auto Scaling More information on ASG health checks: - By default uses EC2 status checks. - Can also use ELB health checks and custom health checks. - ELB health checks are in addition to the EC2 status checks. - If any health check returns an unhealthy status the instance will be terminated. - With ELB an instance is marked as unhealthy if ELB reports it as OutOfService - A healthy instance enters the InService state. - If an instance is marked as unhealthy it will be scheduled for replacement. - If connection draining is enabled, Auto Scaling waits for in-flight requests to complete or timeout before terminating instances. - The health check grace period allows a period of time for a new instance to warm up before performing a health check (300 seconds by default).

Answer 67

You can use VPC Flow Logs to capture detailed information about the traffic going to and from your Elastic Load Balancer. Create a flow log for each network interface for your load balancer. There is one network interface per load balancer subnet.

Answer 68

EBS Throughput Optimized HDD is good for the following use cases (and is the most cost-effective option: - Frequently accessed, throughput intensive workloads with large datasets and large I/O sizes, such as MapReduce, Kafka, log processing, data warehouse, and ETL workloads. Throughput is measured in MB/s, and includes the ability to burst up to 250 MB/s per TB, with a baseline throughput of 40 MB/s per TB and a maximum throughput of 500 MB/s per volume.

Answer 69

only when you launch an instance. You can’t attach instance store volumes to an instance after you’ve launched it.

Miscellaneous Flashcards

(97 cards)