Networking Flashcards

1
Where is data encrypted with encrypted AWS EBS?
Data at rest on the volume, snapshots taken from it, and data moving between the volume and the instance are all encrypted.
2
How do you set up an IPsec (Site-to-Site VPN) between an on-premises network and an AWS VPC?
Create a Virtual Private Gateway on the AWS side (attached to the VPC), a Customer Gateway resource describing the on-premises VPN device, then a Site-to-Site VPN connection between the two (it comes with two IPsec tunnels for redundancy).
3
What is VPN CloudHub?
Provides secure communication between multiple Site-to-Site VPN connections on one Virtual Private Gateway, so on-premises sites can reach each other and the VPC in a hub-and-spoke layout over the internet.
4
What is a VPC Endpoint?
Connects your VPC to supported AWS services privately, without the traffic leaving the AWS network and without needing an Internet Gateway or NAT.
5
What is a VPC Peering connection?
A private network connection between two VPCs (same or different account or region). It is not transitive and the CIDR blocks must not overlap.
6
What is AWS Shield Advanced?
Sophisticated protection against DDoS attacks; costs $3,000 per month. The fee is per organization when consolidated billing is enabled.
7
When is a user data script run?
When an instance is first launched (cloud-init runs it once per instance). It can be configured to run on every reboot, but that is not the default.
8
What is RDS Custom?
Allows you to customize your database and operating system but still use RDS.
9
What is Amazon FSx for Lustre?
High-performance file system, useful for HPC.
10
What is an EC2 Launch Configuration?
Instance configuration template that an Auto Scaling group uses to launch EC2 instances.
11
Can you modify an EC2 Launch Configuration?
No, you must create a new launch configuration and then update the Auto Scaling group to use it.
12
What is Amazon Aurora?
MySQL- and PostgreSQL-compatible relational database built for the cloud.
13
Can a NAT instance be used as a bastion host?
Yes
14
Are security groups associated with a NAT instance?
Yes (it is a regular EC2 instance, so its security group must allow the traffic through).
15
Can port forwarding be enabled on a NAT instance?
Yes
16
Can port forwarding be enabled on a NAT gateway?
No
17
Are security groups associated with a NAT gateway?
No; control the traffic with NACLs on the subnet and the security groups of the instances behind it.
18
What is CloudTrail?
Logs the API calls made in your AWS account (who, what, when, from where) for governance and auditing.
19
What is AWS Global Accelerator?
Network layer service that directs traffic to optimal endpoints over the AWS global network.
Protected by AWS Shield.
Can do weighted routing, which is great for global blue/green deployments.
20
What is Amazon Redshift?
Uses SQL to analyze data across data warehouses and data lakes for big data queries.
21
What is Amazon Redshift Spectrum?
Directly query S3 without having to load data into Redshift tables. Offloads processing to the Redshift Spectrum layer.
22
What are IAM Permission Boundaries?
Limit the maximum permissions a given IAM principal (user or role) can have. A boundary never grants permissions by itself; the effective permissions are the intersection of the identity policy and the boundary.
23
What are placement groups?
Describe how EC2 instances are spread across underlying hardware.
Cluster - packs instances physically close together in one AZ for low latency and high throughput.
Partition - spreads instances across logical partitions that do not share racks; can span multiple AZs in a region (used by large distributed systems such as Hadoop, Cassandra, Kafka).
Spread - places each instance on distinct hardware; small groups, can span AZs, max 7 running instances per AZ per group.
24
What is the minimum storage period before you can transition objects to IA?
30 days
25
What are the different S3 storage tiers?
S3 Standard, S3 Standard-IA, S3 Intelligent-Tiering, S3 One Zone-IA, S3 Glacier (Instant Retrieval, Flexible Retrieval, Deep Archive)
26
What are the different Aurora DB endpoints?
Cluster (writer) endpoint - points to the primary DB instance, supports read/write; only one primary per cluster.
Reader endpoint - load-balances connections across the Aurora Replicas, which support only reads; up to 15 replicas per cluster.
27
What is VPC sharing?
Allows multiple AWS accounts to share subnets (via AWS RAM), so that different accounts can deploy resources into subnets owned by another account. The owner account controls the VPC, route tables and NACLs; participants manage their own resources and security groups.
28
How to stream S3 data files and changes to Amazon Kinesis Data Streams?
Use AWS DMS (Database Migration Service) as a bridge between S3 and Kinesis Data Streams
29
I need to stream data from RDS into Redshift for querying, how should I do this?
Use AWS Database Migration Service to replicate the data from the database into Amazon Redshift
30
What is AWS EMR?
Elastic MapReduce: managed Hadoop clusters for running open-source big data frameworks (Apache Spark, Hive, Presto) at petabyte scale. A serverless option (EMR Serverless) also exists.
31
What is AWS Glue?
Extract, Transform and Load (ETL) service for preparing data for analytics.
32
Describe S3 consistency
Strong read-after-write consistency
33
What is AWS DataSync?
Online data transfer service that simplifies, automates and accelerates copying large amounts of data between on-premises storage and AWS storage services, as well as between AWS storage services.
34
When would you use EC2 dedicated hosts?
Gives you a physical server dedicated to your use, with visibility of sockets and cores. Great for server-bound (per-socket / per-core) licenses.
35
When would you use EC2 dedicated instances?
Instances are physically isolated from instances from other AWS accounts, can't be used for server-bound licences
36
What is AWS Direct connect?
On-premise connection to AWS without going over the internet.
37
What is Amazon GuardDuty?
Threat detection service that monitors for malicious activity across AWS data sources including CloudTrail, VPC Flow Logs and DNS logs. Findings can be routed to EventBridge.
38
Can you directly copy data from Snowball into S3 Glacier?
No, it goes directly into S3 Standard Tier. You can create an S3 lifecycle policy to move it into S3 Glacier
39
What is the maximum number of instances running in an AVailability Zone for a spread placement group?
Maximum of 7 running instances per AZ per spread placement group.
40
How can you secure data in transit with RDS?
Configure the client to use SSL/TLS (and optionally force it on the server, e.g. the rds.force_ssl parameter). RDS presents a server certificate signed by an AWS RDS CA; download the RDS CA bundle so the client can verify the connection.
41
What is the difference between a Launch Template and Launch Configuration?
Launch Configuration - older, immutable template used only by ASGs; one instance type, no versioning. Launch Template - newer and recommended; versioned, usable by ASGs and by plain EC2 launches, supports mixing instance types and Spot / On-Demand purchasing options.
42
SQS FIFO
SQS FIFO:
Throughput of 300 messages per second without batching, 3,000 per second with batching (higher with high-throughput mode).
Queue name must end in '.fifo'.
Must specify the queue type at creation time; to change the type you must recreate the queue.
Exactly-once processing and strict ordering within a message group.
43
What is Amazon Macie?
Discovers and classifies sensitive data (such as PII) stored in S3 using machine learning and pattern matching, and raises findings; it does not remove or redact the data.
44
What is Amazon GuardDuty?
Intelligent threat discovery with machine learning
45
What data sources are supported by GuardDuty?
CloudTrail (management and S3 data events), VPC Flow Logs, DNS logs and EKS audit logs
46
What are the targets of a CloudWatch alarm?
EC2 action, auto scaling action or SNS
47
What is a Launch template?
Similar to launch configuration but allows you to provision capacity across multiple instance types and using Spot and On-Demand instances.
48
Your Amazon Kinesis Data Stream has many consumers reading from it, how do you speed it up?
Use the enhanced fan-out feature so that each consumer gets its own dedicated 2 MB/second pipe per shard instead of sharing the shard's read throughput.
49
What is a VPC Gateway Endpoint?
Specify a target in your route table directly to an AWS service. Current supported are DynamoDB and S3
50
What is a VPC Interface Endpoint?
An elastic network interface with a private IP address in your subnet that serves as the entry point to an AWS service (or a PrivateLink-published service), reachable over private IPs.
51
How can you copy data from one bucket to another?
Use the aws s3 sync command, which copies objects that exist in the source bucket but not in the target bucket. Can be run multiple times. Alternatively set up S3 replication (S3 Batch Replication for objects that already exist).
52
How can you save money on EC2 instances based on your usage?
Use AWS Cost Explorer Resource Optimization to get a report of EC2 instances that are idle or have low utilization.
Use AWS Compute Optimizer to get instance type recommendations.
53
How can you speed up client bucket uploads?
Use Amazon S3 Transfer Acceleration to enable faster file uploads.
Use multipart uploads for faster file uploads.
54
What is the AWS Database Migration Service?
Helps you migrate databases to AWS quickly and securely
55
What is AWS Schema Conversion Tool?
Converts the source schema and code to match that of the target database
56
What is a transit gateway?
A network transit hub that you can use to interconnect VPCs and on-premises networks. Transit Gateways can be connected across regions with inter-region peering.
57
What is AWS Global Accelerator?
Provides static IP addresses as a fixed entry point to your applications. Routes traffic to the optimal endpoint based on performance.
58
What are the pillars of the AWS Well-Architected Framework?
Operational excellence, Security, Reliability, Performance efficiency, Cost optimization, Sustainability
59
What is EBS?
Elastic Block Store: a network drive you attach to an EC2 instance. A volume can be attached to only one instance at a time (except io1/io2 with Multi-Attach) and is bound to a specific AZ.
60
How to query meta data on an EC2 instance?
Query http://169.254.169.254/latest/meta-data/ from inside the instance. It holds instance details (private IP, instance ID) and, under iam/security-credentials/, the temporary credentials of the instance role. Prefer IMDSv2, where every request must carry a session token obtained with a PUT to /latest/api/token; set HttpTokens=required on the instance so token-less IMDSv1 requests (the ones SSRF bugs typically reach) are refused.
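The IMDSv2 exchange described above, as an added example (not AWS code). It runs against a constructed stand-in metadata server so it works offline; the server mimics only the two behaviours that matter here: a PUT to /latest/api/token with the X-aws-ec2-metadata-token-ttl-seconds header returns a session token, and a GET on /latest/meta-data/... is refused with 401 unless the token is presented in X-aws-ec2-metadata-token, which is what HttpTokens=required enforces on a real instance. The instance ID and private IP served are made up; on a real instance the base URL is http://169.254.169.254.

```python
"""IMDSv2 token-then-fetch exchange against a local stand-in IMDS.

Added example, not AWS code. FakeImds and FAKE_METADATA are constructed
for offline use; imds_token() and imds_get() are the client side and
would work unchanged against http://169.254.169.254.
"""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"

# Constructed sample metadata; a real instance serves many more paths.
FAKE_METADATA = {
    "/latest/meta-data/instance-id": "i-0123456789abcdef0",
    "/latest/meta-data/local-ipv4": "10.0.1.23",
}


class FakeImds(BaseHTTPRequestHandler):
    """Minimal IMDSv2-only endpoint (token-less requests are rejected)."""

    tokens = set()  # session tokens issued so far, shared across requests

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        # Step 1: a PUT with a TTL header yields a session token.
        if self.path == "/latest/api/token" and self.headers.get(TOKEN_TTL_HEADER):
            token = secrets.token_urlsafe(32)
            self.tokens.add(token)
            self._send(200, token.encode())
        else:
            self.send_error(400)

    def do_GET(self):
        # Step 2: metadata is served only with a valid token (HttpTokens=required).
        if self.headers.get(TOKEN_HEADER) not in self.tokens:
            self.send_error(401)
            return
        value = FAKE_METADATA.get(self.path)
        if value is None:
            self.send_error(404)
            return
        self._send(200, value.encode())


def imds_token(base_url, ttl_seconds=21600):
    """Request a session token; AWS caps the TTL at 21600 s (6 hours)."""
    req = urllib.request.Request(f"{base_url}/latest/api/token", method="PUT",
                                 headers={TOKEN_TTL_HEADER: str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def imds_get(base_url, path, token):
    """Fetch a metadata path, presenting the session token."""
    req = urllib.request.Request(f"{base_url}{path}", headers={TOKEN_HEADER: token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def demo():
    """Run the exchange against the local stand-in; returns what was observed."""
    server = HTTPServer(("127.0.0.1", 0), FakeImds)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        token = imds_token(base)
        instance_id = imds_get(base, "/latest/meta-data/instance-id", token)
        try:  # an IMDSv1-style GET without a token must be refused
            urllib.request.urlopen(f"{base}/latest/meta-data/instance-id", timeout=2)
            v1_status = 200
        except urllib.error.HTTPError as err:
            v1_status = err.code
        return {"instance_id": instance_id, "v1_status": v1_status}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

Running it prints the instance ID fetched with a token and a 401 for the token-less attempt; the same two calls, pointed at the real endpoint, are what an SSRF payload has to pull off, which is why the extra PUT round-trip (and the default hop limit of 1 on the token response) raises the bar.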
61
How to migrate an EBS volume across regions?
Create a snapshot, copy the snapshot to the destination region, then create a volume from the copied snapshot there.
62
What is an EC2 instance store?
Ephemeral block storage physically attached to the host, giving very high I/O. Data is lost when the instance stops, hibernates or terminates, or when the underlying disk fails, so use it only for caches, scratch space or replicated data.
63
How to encrypt a non encrypted EBS volume?
Create a snapshot of the volume, copy the snapshot with encryption enabled (choosing the KMS key), then create a new volume from the encrypted snapshot and swap it in.
64
What is EFS?
Elastic File System: managed NFS. A single EFS file system can be mounted by many EC2 instances across multiple AZs within a region. Access control is done with security groups (plus IAM and POSIX permissions). Supports thousands of attached EC2 instances.
65
What is a Gateway Load Balancer?
GWLB: transparently routes traffic to a target group of virtual appliances (using GENEVE encapsulation on port 6081) and then on to the destination. Operates at layer 3 and is used to insert third-party firewalls, IDS/IPS or deep packet inspection inline.
66
What is Cross-Zone Load Blancing
Allows each load balancer node to distribute traffic across all registered targets in all enabled AZs, not just its own AZ. Enabled by default for ALB; disabled by default for NLB and Gateway Load Balancer.
67
What are the Auto Scaling Groups Dynamic scaling policies?
Target tracking scaling - keeps a simple metric (e.g. average CPU) at a target value.
Step scaling - when a CloudWatch alarm fires, add or remove capacity in steps based on the alarm breach size.
Simple scaling - single adjustment per alarm, then a cooldown.
(Scheduled scaling changes capacity at set times and predictive scaling forecasts load; both are separate from the dynamic policies.)
68
What is RDS Read Replicas?
For read scalability. Up to 5 read replicas historically; the limit is now 15 for most engines. Can be in another AZ or region. Each replica has its own DNS endpoint. Asynchronous replication, so reads may be slightly stale.
69
What is RDS Multi-AZ?
Used for failover, not scaling. Increases availability. Synchronous replication to a standby in another AZ. The standby cannot be used for reads; the DNS endpoint fails over to it automatically when the primary fails.
70
What is RDS Custom?
You have access to the underlying OS and control it but still within RDS
71
What is Amazon Aurora?
A high-performance managed relational database service. Compatible with PostgreSQL and MySQL. More performant than standard RDS. Up to 15 replicas. Backtrack lets you rewind the cluster to an earlier point in time without restoring from a snapshot.
72
What are the Aurora scaling methods?
Serverless - auto scaling of compute based on actual usage. Multi-Master - more than one instance can accept writes, so a writer failure does not interrupt writes (as opposed to the normal single-writer cluster, where a replica is promoted on failover).
73
What is Global Aurora?
Aurora cluster replicated from one primary region to up to 5 secondary read-only regions with typically sub-second lag; great for disaster recovery and low-latency global reads.
74
What is Aurora Machine Learning?
Simple SQL interface for ML-based predictions on your data (via SageMaker or Comprehend).
75
Your RDS instance is dropping connections frequently, how to solve?
Use Amazon RDS Proxy, a fully managed proxy for RDS which intelligently reuses DB connections to reduce stress on DB
76
What is Amazon ElastiCache?
Managed Redis / Memcached for read intensive workloads
77
When to use Redis?
When you need Multi-AZ with replicas, data persistence (backup/restore), rich data structures (sorted sets, lists, pub/sub) and authentication (Redis AUTH) with TLS.
78
When to use Memcached?
Simple key-value data that does not need to be persisted
79
How is access managed on ElastiCache?
Security Groups
80
What are the caching strategies?
Lazy loading: data is added to the cache when it is read (a cache miss triggers a DB read), with a TTL.
Write-through: the cache is added to / updated whenever data is written to the DB.
81
What is Amazon Route 53?
Fully managed, highly available DNS service that also acts as a domain registrar and does health checking.
82
What are the DNS record types?
A - maps a hostname to an IPv4 address
AAAA - maps a hostname to an IPv6 address
CNAME - maps a hostname to another hostname
NS - name servers for the hosted zone
83
What are Route 53 hosted Zones?
Public hosted zones - contain records that specify how to route traffic on the internet.
Private hosted zones - contain records that specify how traffic is routed within a VPC.
84
What is the difference between CNAME vs Alias?
CNAME: points a hostname to any other hostname, but cannot be used at the zone apex (root domain). Alias (A or AAAA): points a hostname to an AWS resource (ELB, CloudFront, S3 website...), works at the apex and is free to query.
85
What are the Route 53 Routing Policies?
Simple: one record with possibly multiple values, returned to the client in random order.
Weighted: control the percentage of requests that go to each resource.
Failover: point to a secondary resource when the primary's health check fails.
Latency: route to the resource with the lowest latency for the user.
Geolocation: route based on the user's location.
Geoproximity: route based on the distance to the resource; a bias can attract more or less traffic.
Multivalue answer: return up to 8 healthy records.
86
What is Elastic Beanstalk?
Platform-as-a-Service tool that manages an application for you, including EC2 instances, ALB, RDS, SQS and CloudWatch. It uses CloudFormation under the hood at no extra cost (you pay for the underlying resources).
87
What are the different Elastic Beanstalk tiers and what are their uses?
Web server tier: handles web requests behind a load balancer. Worker tier: handles longer-running jobs, e.g. periodic or background tasks; work is fed to it through an SQS queue.
88
What is the max S3 object size?
5 TB
89
What is the max S3 object single part upload size?
5 GB but consider doing it smaller than that as it will be faster
90
What are the main S3 access controls?
IAM identity-based policies - attached to users, groups and roles. Bucket policies - resource-based, bucket-wide rules. Also ACLs (legacy, disabled by default on new buckets) and S3 Block Public Access settings.
91
What are the S3 Storage classes?
S3 Standard, S3 Standard-IA, S3 One Zone-IA, S3 Intelligent-Tiering, S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, S3 Glacier Deep Archive
92
What are S3 Lifecycle Rules?
Automatically transition objects between storage classes or deleting them
93
What are S3 Event Notifications?
Get notified of S3 events (object created, removed, restored...) with object name prefix/suffix filtering. Destination can be an SQS queue, Lambda, EventBridge or SNS.
94
What are the S3 Server-Side encryption options?
SSE-S3: keys handled and managed entirely by AWS; enabled by default.
SSE-KMS: keys managed in AWS KMS; gives you key control and an audit trail of key usage in CloudTrail.
SSE-C: server-side encryption with keys supplied by the customer on every request (S3 never stores the key).
95
S3 encryption in transit
Use SSL/TLS. S3 exposes both an HTTP and an HTTPS endpoint. You can force encryption in transit with a bucket policy that denies requests where aws:SecureTransport is false. HTTPS is mandatory for SSE-C.
96
What is S3 CORS?
Web-browser mechanism (Cross-Origin Resource Sharing) that controls requests to other origins. If the responding server does not return an 'Access-Control-Allow-Origin' header that permits the requesting origin, the browser blocks the response. Configure a CORS rule on the bucket when a site served from another domain needs to load objects from it.
97
How is the CloudFront cache invalidated?
Data is refreshed after the TTL has expired OR You can force a cache refresh by performing a CloudFront Invalidation
98
What is Athena?
Serverless query service to analyze data stored in S3. Integrated with QuickSight
99
What is Athena Federated Query
Use lambda to run queries across many data sources (S3, RDS, DDB, CloudWatch)
100
What is Amazon ElasticSearch / Open Search Service?
Search any field, supports partial matches
101
What is Amazon QuickSight?
Create interactive dashboards, integrates with RDS, Aurora, Athena Redshift, OpenSearch
102
What is AWS Glue?
ETL (Extract, Transform and Load) service. Convert data between formats
103
What is AWS Lake Formation?
Central place for data to be stored for analytics
104
What is Amazon Rekognition?
Find object, people in images/video using ML
105
What is Amazon Transcribe?
Convert speech to text Able to automatically remove PII
106
Amazon Polly
Convert text to speech
107
Amazon Translate
Natural and accurate language translation
108
Amazon Lex
Automatic speech recognition Natural Language understanding Helps to build chatbots and call center bots
109
What is Amazon Connect
Virtual contact center solutions using Lex
110
What is Comprehend
Natural Language Processing that is serverless. Finds relationships in text
111
What is Amazon Comprehend Medical?
Detects & returns useful info in clinical text
112
What is Amazon SageMaker?
Fully managed service for building ML models
113
What is Amazon Forecast?
Fully managed service to make time-series forecasts (predictions) from data in S3.
114
What is Amazon Kendra?
Fully managed document search analyzer across many document sources
115
What is Amazon Personalize?
Fully managed ML service to build apps and make personalized recommendations
116
What is Amazon Textract?
Extracts text, handwriting and data from scanned documents.
117
What are the EC2 metrics?
Out-of-the-box metrics: disk I/O, CPU and network I/O. Install the unified CloudWatch agent to get more (memory, disk space, processes).
118
What is Amazon EventBridge?
Event bus that matches events (from AWS services, cron schedules or your own applications) against event patterns and sends them to destinations such as Lambda, SQS, SNS or Step Functions.
119
What is CloudTrail Insights?
Using a baseline for normal management events then detects anomalies of this and creates an event in EventBridge
120
What is AWS Config?
Records how a resource's configuration changed over time. Used for auditing and compliance. Rules are evaluated periodically or whenever the configuration changes.
121
What is AWS Organizations?
Manage multiple AWS accounts with consolidated billing
122
What are Service Control Policies?
SCPs set the maximum permissions available within a member account or OU. They never grant permissions by themselves, apply to all users and roles in the affected accounts (including the root user), and do not affect the management account or service-linked roles.
123
What are IAM conditions?
Conditions such as NotIpAddress (aws:SourceIp) or StringEquals on aws:RequestedRegion that control when a policy statement takes effect.
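The three cards on permission boundaries, SCPs and IAM conditions, and the earlier card on forcing encryption in transit for S3 with a bucket policy, all come down to the same evaluation rules: an explicit Deny anywhere wins, SCPs and boundaries only cap what an identity policy may grant, and condition keys decide whether a statement applies. The added example below (not AWS code) is a deliberately small evaluator that models just that subset: Allow/Deny, Action and Resource wildcards, and the Bool, StringEquals and StringNotEquals operators. The policies, ARNs and request contexts are constructed; NotAction, Principal matching, IfExists variants, cross-account evaluation and the other operators are left out, and a missing condition key makes the statement not match, as in real IAM (which is why AWS's "deny unencrypted uploads" pattern also needs a Null condition for the missing-header case).

```python
"""Simplified IAM-style policy evaluation (added example, not AWS code).

Models: explicit Deny > Allow > implicit deny for one policy document, and
the same-account layering in which an SCP and a permission boundary cap an
identity policy. Only Bool, StringEquals and StringNotEquals are handled.
"""
import fnmatch


def _match(patterns, value):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _conditions_hold(cond, ctx):
    """All condition blocks must hold; a missing context key fails the block."""
    for op, pairs in (cond or {}).items():
        for key, want in pairs.items():
            wants = [want] if isinstance(want, (str, bool)) else list(want)
            have = ctx.get(key)
            if have is None:
                return False
            if op == "Bool":
                if str(have).lower() != str(wants[0]).lower():
                    return False
            elif op == "StringEquals":
                if have not in wants:
                    return False
            elif op == "StringNotEquals":
                if have in wants:
                    return False
            else:
                raise ValueError(f"operator {op} not modelled here")
    return True


def evaluate(policy, action, resource, ctx):
    """Decision for one policy document: 'Deny', 'Allow' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not (_match(st["Action"], action)
                and _match(st.get("Resource", "*"), resource)
                and _conditions_hold(st.get("Condition"), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins
        decision = "Allow"
    return decision


def effective(action, resource, ctx, identity, boundary=None, scp=None):
    """Same-account decision: every layer present must Allow, any Deny wins.
    SCP and boundary cap the identity policy; they grant nothing themselves."""
    layers = [p for p in (scp, boundary, identity) if p is not None]
    results = [evaluate(p, action, resource, ctx) for p in layers]
    return "Deny" not in results and all(r == "Allow" for r in results)


# Constructed policies (hypothetical bucket and region choices).
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}},
]}
BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
]}
IDENTITY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "iam:*"], "Resource": "*"},
]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    # Refuse plaintext HTTP: aws:SecureTransport is "false" on non-TLS requests.
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    # Refuse uploads not encrypted with SSE-KMS (real policy also needs a Null check).
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
]}
OBJ = "arn:aws:s3:::example-bucket/report.csv"


def demo():
    base = {"aws:RequestedRegion": "eu-west-1", "aws:SecureTransport": "true"}
    return {
        # identity policy allows iam:*, but the boundary does not -> denied
        "iam_outside_boundary": effective("iam:CreateUser", "*", base, IDENTITY, BOUNDARY, SCP),
        "s3_in_region": effective("s3:GetObject", OBJ, base, IDENTITY, BOUNDARY, SCP),
        "s3_other_region": effective("s3:GetObject", OBJ, {**base, "aws:RequestedRegion": "us-east-1"},
                                     IDENTITY, BOUNDARY, SCP),
        "bucket_plain_http": evaluate(BUCKET_POLICY, "s3:GetObject", OBJ,
                                      {**base, "aws:SecureTransport": "false"}),
        "bucket_put_sse_s3": evaluate(BUCKET_POLICY, "s3:PutObject", OBJ,
                                      {**base, "s3:x-amz-server-side-encryption": "AES256"}),
        "bucket_put_sse_kms": evaluate(BUCKET_POLICY, "s3:PutObject", OBJ,
                                       {**base, "s3:x-amz-server-side-encryption": "aws:kms"}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The SCP and boundary in the demo never appear in an Allow result on their own; they only remove what the identity policy tried to grant, which is the point of both cards.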
124
What is Cognito User Pools?
Allows users to sign up and sign in against a user pool or a third-party federated IdP (SAML, OIDC, social). Integrates with API Gateway and ALB.
125
What is Cognito Identity Pools?
Exchange a token from user pool for temporary AWS credentials so that the user can access AWS resources directly
126
What is AWS IAM Identity Center?
Single sign-on (SSO) portal for multiple AWS accounts and business applications: one login, with permission sets mapped to roles in each account. Can use its own identity store or an external IdP (Active Directory, SAML).
127
What is AWS Control Tower?
Sets up and governs a multi-account environment: automates account creation, offers guardrails (preventive and detective controls) per OU, detects policy violations and can remediate them.
128
What is AWS Firewall Manager?
Centrally manage security rules across all accounts of an AWS Organization: WAF, AWS Shield, security groups, Network Firewall and Route 53 Resolver DNS Firewall.
129
What is Amazon Inspector?
Automated Security Assessments for running EC2 instances, ECR and lambda functions
130
How many VPCs can you have per region?
5 , but this is a soft limit
131
How many IP addresses does AWS reserve in each subnet?
5 (the first four addresses and the last one), so account for that when sizing the subnet.
132
What are the characteristics of a subnet?
Within a single VPC, within a single AZ, and has its own CIDR range.
133
What are the characteristics of a VPC?
Within a single AWS region, has a CIDR range and contains multiple subnets.
134
What is an Internet Gateway?
Allows resources in a VPC to reach the internet. Attaching it is not enough: the subnet's route table must also have a route (e.g. 0.0.0.0/0) pointing at the IGW.
135
What is a route table?
Associated with a subnet(s) and contains traffic routing rules to other subnets or IGW
136
What is a NAT Gateway?
AWS-managed NAT, highly available within its AZ and high bandwidth. Private subnets route to the NAT gateway, which sits in a public subnet and routes to the IGW. Deploy one NAT gateway per AZ for resilience.
137
What is a NACL?
Network Access Control List. Operates at the subnet level. Numbered inbound/outbound rules evaluated in order, first match wins, and it is stateless. The default NACL allows everything in and out; a custom NACL denies everything until rules are added. Because it is stateless, reply traffic must be allowed explicitly, so be wary of ephemeral ports (1024-65535) in the NACL rules!
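The ephemeral-port trap above, as an added example (not AWS code): a tiny rule engine that evaluates numbered rules in order with first-match-wins and an implicit final deny. The rules and connections are constructed. A server subnet that admits HTTPS inbound still drops the connection if the outbound NACL forgets the reply to the client's ephemeral port; a security group would have admitted the reply because it is stateful.

```python
"""Stateless NACL evaluation and the ephemeral-port trap (added example).

Rules are checked in ascending rule-number order; the first rule whose
protocol, remote CIDR and destination-port range match decides. Nothing
matching means the implicit final '*' rule applies and the packet is denied.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "all"
    ports: tuple           # (low, high) inclusive destination-port range
    cidr: str = "0.0.0.0/0"  # remote address range (source for inbound, destination for outbound)


@dataclass(frozen=True)
class Packet:
    proto: str
    peer_ip: str           # the other end of the conversation
    src_port: int
    dst_port: int


def nacl_decision(rules, pkt):
    """First matching rule wins; no match is the implicit deny."""
    peer = ipaddress.ip_address(pkt.peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.proto not in ("all", pkt.proto):
            continue
        if not (rule.ports[0] <= pkt.dst_port <= rule.ports[1]):
            continue
        if peer not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"


def connection_allowed(inbound, outbound, client_ip, client_port, server_port):
    """A TCP connection needs the request admitted inbound AND the reply
    admitted outbound; the reply's destination port is the client's ephemeral port."""
    request = Packet("tcp", client_ip, client_port, server_port)
    reply = Packet("tcp", client_ip, server_port, client_port)
    return (nacl_decision(inbound, request) == "allow"
            and nacl_decision(outbound, reply) == "allow")


# Constructed rule sets for a subnet hosting an HTTPS service.
INBOUND = [
    Rule(90, "deny", "tcp", (443, 443), cidr="203.0.113.0/24"),  # blocked range, lower number wins
    Rule(100, "allow", "tcp", (443, 443)),
]
OUTBOUND_NAIVE = [Rule(100, "allow", "tcp", (443, 443))]       # forgot the reply traffic
OUTBOUND_FIXED = [
    Rule(100, "allow", "tcp", (443, 443)),
    Rule(110, "allow", "tcp", (1024, 65535)),                    # ephemeral range for replies
]


def demo():
    return {
        "naive": connection_allowed(INBOUND, OUTBOUND_NAIVE, "198.51.100.7", 51234, 443),
        "fixed": connection_allowed(INBOUND, OUTBOUND_FIXED, "198.51.100.7", 51234, 443),
        "blocked_cidr": connection_allowed(INBOUND, OUTBOUND_FIXED, "203.0.113.9", 51234, 443),
    }


if __name__ == "__main__":
    print(demo())
```

The "naive" case is the classic symptom: the SYN arrives, the server answers, and the reply is silently dropped by the outbound NACL, so the client sees a timeout rather than a refusal.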
138
What is S3 Object Lock?
Store objects using a write-once-read-many (WORM) model to prevent objects from being deleted.
139
What is S3 Object Lock Governance mode?
Locks the object for a retention period, but users with the s3:BypassGovernanceRetention permission can still delete or overwrite the protected object versions.
140
What is S3 Object Lock Compliance mode?
Locks the object over a retention period but no users can delete the protected object
141
What is the S3 Legal Hold?
Legal hold prevents an object from being deleted and remains in place until the legal hold is removed. Legal holds can be removed by users with correct permission
142
Do Lambdas have resource based permissions?
Yes, to allow a role or AWS service to invoke the function on your behalf
143
What is a Lambda execution role?
The role that lambda assumes when the function is launched
144
What is AWS Trusted Advisor?
Analyzes your AWS accounts and provides recommendations for cost, performance, security, fault tolerance and service limits
145
What is AWS Application Migration Service (MGN)?
An automated lift-and-shift (rehost) service to move a workload from on-premise to AWS.
146
What is AWS Compute Optimizer?
Recommends optimal AWS resources for your workloads to reduce cost or improve performance, using machine learning on utilization data. Covers EC2, ASGs, EBS and Lambda.
147
How to manage Prometheus and Grafana in AWS?
Use Amazon Managed Service for Prometheus for the metrics workspace and set that workspace as the data source in Amazon Managed Grafana.
148
How to protect against CloudTrail log modifications/deletion?
Enable CloudTrail log file integrity validation: CloudTrail delivers hourly digest files that list the SHA-256 hash of each log file and chain to the previous digest, signed with RSA, so you can prove a log was not modified or deleted after delivery. Deliver the logs to an S3 bucket in a separate (logging) account with a restrictive bucket policy, MFA delete or Object Lock.
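What integrity validation buys you, as an added example (not AWS code, and not the exact CloudTrail digest file format): each digest records the SHA-256 of every log file delivered in its window plus the hash of the previous digest, so editing a log changes its hash, deleting a log leaves a dangling digest entry, and swapping a digest breaks the chain. The RSA signature that CloudTrail places on each digest is omitted here, so the digests are trusted as delivered; the log contents, object keys and the attacker's edits are all constructed.

```python
"""Hash-chained digests over delivered log files (added example, simplified).

Mirrors the shape of CloudTrail log file integrity validation: per-file
SHA-256 hashes inside a digest, and each digest carrying the hash of the
previous one. Signature verification is not modelled.
"""
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_digest(log_files, previous_digest):
    """log_files: {object_key: bytes}. Returns the digest document as bytes."""
    doc = {
        "logFiles": [{"s3Object": key, "hashValue": sha256_hex(body), "hashAlgorithm": "SHA-256"}
                     for key, body in sorted(log_files.items())],
        "previousDigestHashValue": sha256_hex(previous_digest) if previous_digest else None,
    }
    return json.dumps(doc, sort_keys=True).encode()


def verify_chain(digests, bucket):
    """Walk digests oldest-first against the bucket contents; return problems found."""
    problems = []
    prev = None
    for i, digest in enumerate(digests):
        doc = json.loads(digest)
        if doc["previousDigestHashValue"] != (sha256_hex(prev) if prev else None):
            problems.append(f"digest {i}: previous-digest hash mismatch")
        for entry in doc["logFiles"]:
            body = bucket.get(entry["s3Object"])
            if body is None:
                problems.append(f"digest {i}: {entry['s3Object']} missing")
            elif sha256_hex(body) != entry["hashValue"]:
                problems.append(f"digest {i}: {entry['s3Object']} modified")
        prev = digest
    return problems


# Constructed sample: two hourly windows of (abbreviated) CloudTrail-style events.
HOUR1 = {"logs/2024/01/01/0900.json": b'{"Records":[{"eventName":"ConsoleLogin","userName":"alice"}]}'}
HOUR2 = {"logs/2024/01/01/1000.json": b'{"Records":[{"eventName":"CreateUser","userName":"alice"},'
                                      b'{"eventName":"AttachUserPolicy","userName":"alice"}]}'}


def demo():
    digest1 = build_digest(HOUR1, None)
    digest2 = build_digest(HOUR2, digest1)
    digests = [digest1, digest2]
    clean = {**HOUR1, **HOUR2}

    # An intruder removes the AttachUserPolicy event from the second log.
    edited = dict(clean)
    edited["logs/2024/01/01/1000.json"] = b'{"Records":[{"eventName":"CreateUser","userName":"alice"}]}'

    # Or deletes the first log entirely.
    deleted = dict(clean)
    del deleted["logs/2024/01/01/0900.json"]

    # Or replaces the first digest with one covering an empty hour.
    forged_digests = [build_digest({}, None), digest2]

    return {
        "clean": verify_chain(digests, clean),
        "edited": verify_chain(digests, edited),
        "deleted": verify_chain(digests, deleted),
        "forged_digest": verify_chain(forged_digests, clean),
    }


if __name__ == "__main__":
    for case, found in demo().items():
        print(case, "->", found or "ok")
```

The real check additionally verifies each digest's RSA-SHA256 signature with the public key CloudTrail publishes for the region and time window (aws cloudtrail validate-logs does all of this); without that signature an attacker who can rewrite the digests as well as the logs would go unnoticed, which is why the digests must be delivered somewhere the attacker cannot write.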
149
What is AWS Application Discovery Service?
Helps you plan your migration to AWS by collecting usage and configuration data about your on-premises servers. It integrates with the AWS Migration Hub console to track the migration of each application.
150
What is Amazon Quantum Ledger Database (QLDB)?
A fully managed ledger database that provides transparent, immutable and cryptographically verifiable transaction log.
151
How to get more metrics from EC2 instances?
Install the CloudWatch agent to the EC2 instance
152
How to get more detailed metrics of RDS?
Enable enhanced monitoring
153
You have an on-premise provider IdP and you want to give users access to AWS resources, how to do this?
Register the IdP in IAM as a SAML identity provider and create roles that trust it; the app authenticates the user with the IdP, then calls STS AssumeRoleWithSAML with the SAML assertion to get temporary AWS credentials for the role.
154
How to avoid "hot" partitions in DynamoDB?
Choose high-cardinality partition keys which vary greatly between items
155
What is AWS Storage Gateway service?
Hybrid storage service that gives on-premises applications access to S3-backed storage. Clients use SMB or NFS mount points; a local cache keeps frequently accessed items nearby.
156
What is Amazon FSx
Launch and manage high performance file systems in the cloud
157
What is FSx for Windows?
Fully managed Windows file system (SMB) with Microsoft Active Directory integration. Accessible from Windows, Linux and macOS instances.
158
How to capture changes from an Aurora DB or RDS instance?
Have the database invoke a Lambda function on update events (Aurora MySQL can call Lambda from triggers; otherwise use DMS change data capture); the Lambda can then publish a message to SQS.
159
What is AWS Artifact?
View compliance related information and security reports
160
What is AWS Security Hub?
Comprehensive view of high-priority security alerts and security of your AWS account
161
What is KMS custom key store?
A key store outside the default KMS store that you still manage through the KMS API for convenience. The customer keeps full control of the key material, which lives in a CloudHSM cluster (CloudHSM key store) or in an external key manager (external key store, XKS).
162
How to enable RDS data IAM access?
Enable IAM DB Authentication, so that authentication is managed through IAM
163
How do ASGs decide which instance to terminate?
Default termination policy: pick the AZ with the most instances, then the instance with the oldest launch configuration / template, then the instance closest to the next billing hour.
164
How to query data from buckets in multiple accounts?
Use AWS Lake Formation to consolidate data from multiple accounts into a single account
165
When to consider using the snow family over internet to transfer large amounts of data?
When it takes > 1 week to transfer the data
166
What is AWS Tape Gateway?
Backs up data to AWS Storage Gateway to backup data directly to S3 Glacier Flexible Retrieval / Deep Archive
167
What are cost allocation tags?
Tag AWS resources with a key value pair (department - eng). Activate the tags in the Billing and Cost Management console, which generates a allocation report across the tags.
168
Can you directly transfer data into S3 glacier deep archive / flexible retrieval from DataSync?
Yes, you don't have to wait 30 days
169
What is S3 Infrequent Access best for?
Long-lived, rapid but less frequently accessed data
170
What is One Zone S3 best for?
Data is only stored in one AZ so has lower availability (99.5%) but is cheaper
171
What are SNS filter policies?
A filter policy on an SNS subscription in which the subscriber would only receive messages that they are interested in
172
What is AWS Proton?
Deploy serverless / container-based applications with infrastructure broken down into environment and service templates
174
What is Amazon Simple Workflow Service (SWF)?
Coordinate work across distributed applications which are task-oriented
175
What is Amazon Database Migration Service (AWS DMS)?
Migrates data stores; good for one-time migrations and for replicating ongoing changes between sources and targets. Source and target endpoint connections can be encrypted with SSL, but you must add the certificate to the endpoint.
176
What is the relationship between load balancers and subnets?
An ELB can be associated with multiple subnets. An ELB can forward traffic as needed into other subnets.
177
What is AWS Backup?
Configure backup policies for AWS / on-premise across accounts / regions
178
What is the SQS message retention period?
Default 4 days, minimum 1 minute, maximum 14 days.
179
How to route traffic using Route 53 to a public website hosted in S3?
Configure the bucket to host a static website with public read access enabled, name the bucket the same as your domain or subdomain, and own a registered domain name; then create an alias record in Route 53 pointing at the bucket website endpoint.
180
What is Amazon Data Lifecycle Manager (Amazon DLM)?
Used to automate the creation, retention and deletion of EBS volume snapshots
181
What is the ASG cooldown period?
300 secs
182
What is AWS Resource Access Manager (RAM)?
Helps you share resource across AWS accounts or within OUs.
183
What is EC2 hibernation?
Instance is put in hibernation, you pay only for the EBS volumes and Elastic IP address
184
Can you enable EC2 hibernation on a running instance?
No, hibernation must be enabled when launching the instance. The root EBS volume must also be encrypted, since RAM contents are written to it.
185
Are you billed if your on-demand EC2 instance is stopping to hibernate?
Yes
186
Are you billed if an EC2 instance is shutting-down to terminate?
No
187
Are you billed if your spot EC2 instance is stopping?
No
188
Are you billed if your Reserved instance is in a terminated state?
Yes
189
Compare Transit Gateways to AWS VPN CloudHub?
Both interconnect VPCs and on-premises networks. A Transit Gateway is a scalable hub that can attach VPCs, Site-to-Site VPNs and Direct Connect gateways, so on-premises traffic can use a dedicated link instead of the internet. VPN CloudHub only joins multiple Site-to-Site VPN connections on one virtual private gateway, so its traffic always traverses the internet.
190
What is AWS AppSync?
Managed GraphQL service that keeps app data updated in real time (pub/sub subscriptions) from sources such as DynamoDB, ElastiCache or Lambda resolvers. Serverless.
191
What are the AWS Kinesis services?
Kinesis Data Streams, Kinesis Data Firehose, Kinesis Video Stream and Kinesis Data Analytics
192
What is Kinesis Data streams used for?
Process and store data streams
193
Kinesis Data Firehose?
Load data streams into AWS data stores Transforms as well.
194
Kinesis Data Analytics?
Analyze data streams with SQL / Apache Flink
195
What should you do if you no longer need a reserved instance?
Sell the Reserved instances on the AWS Reserved Instance Marketplace OR Terminate the Reserved instances to avoid being charged for the on-demand price once it expires
196
How does Amazon S3 Transfer Acceleration work?
Leverages CloudFront's globally distributed AWS Edge locations so users can upload around the world
197
Is autoscaling enabled by default with DynamoDB?
No, you have to enable it manually
198
What is the cloudformation CreationPolicy attribute?
For when you want to wait on resource configuration actions before stack creation proceeds. The resource must signal success with the cfn-signal helper script (or the SignalResource API) within the timeout.
199
What is the Kinesis data stream retention period?
Time from when a record is added to when it is no longer available. Default is 24 hours and can be increased to 365 days.
200
Can you peer two VPCs with overlapping CIDR blocks?
No
201
How to migrate an Aurora replica with no down time and performance being affected?
Use AWS DMS to migrate data
202
How can you quickly access small amounts of data quickly from S3 Glacier?
Use expedited retrievals (1-5 minutes) for urgent requests on a subset of archives. Purchase provisioned retrieval capacity to guarantee that expedited retrievals are available even under high demand.
203
What is Route 53 active-active failover?
All your resources are routed to, when a resource becomes unavailable Route 53 can detect that and stop routing traffic to it
204
What is Route 53 active-passive failover?
When you want a primary resource to be available and a standby resource to be routed to in case the primary fails
205
Does an Elastic IP disassociate with an instance after it is stopped?
No, it remains attached
206
An RDS instance is running out of disk storage, how best to fix?
Enable storage autoscaling
207
What is the maximum backup retention period of Aurora?
35 days, if you need more use an AWS Backup plan
208
What limits how many EC2 instances you can launch?
The vCPU limit per account per region
209
How to grant users access to private content on CloudFront?
Using special CloudFront signed URLs / cookies
210
How to import a certificate into AWS?
Use AWS Certificate Manager or IAM certificate store
211
If your identity store is not compatible with SAML 2.0 how can you integrate it with AWS?
Develop a custom identity broker and use STS to issue AWS credentials
212
How is CloudWatch agent used with SSM Parameter store?
SSM Param store stores the CloudWatch agent config.
213
An EC2 instance launched doesn't have a DNS name. Why?
DNS resolution and hostname of the VPC should be enabled
214
How to get logs from an EC2 instance?
Install the CloudWatch unified agent
215
Differences between DataSync and Storage Gateway?
DataSync supports a variety of AWS storage services whereas Storage G/W supports a few. DataSync is more suitable in automating and accelerating data transfers or migrating data Storage Gateway is more suitable for integrating on-premise with cloud.
216
What is RAID 0 instance store configuration?
Improves the IOPS
217
What is an Elastic Fabric Adapter? (EFA)
Network device you can attach to your EC2 instance to accelerate HPC
218
What is S3 server access logging?
Enabled per bucket, logs all access requests to bucket. Like CloudTrail but also includes referer.
219
What is the AWS Personal Health dashboard?
Shows AWS events (outages, scheduled maintenance) that may affect resources in your account. Now called the AWS Health Dashboard. Subscribe to its events with EventBridge.
220
What is the Origin Access identity used for with S3?
Gives CloudFront permission to read the bucket without making the bucket public: the bucket policy grants access only to the CloudFront Origin Access Identity (OAI). Origin Access Control (OAC) is the newer replacement and supports SSE-KMS buckets.
221
What are the regular RDS metrics?
CPU Utilization, Database Connections, and Freeable Memory
222
What is AWS License Manager?
A service to manage your software licences. Gives visibility with SNS topics and reduces risk of non-compliance.
223
Do RDS Read replicas have their own DNS name?
Yes, you need to distribute requests amongst them yourself, route 53 can do this.
224
What is S3 cross-region replication?
Makes your bucket available, even in the event of a regional failure.
225
How can you use AWS Config to attempt remediation of non compliance
Use AWS Config to define the compliance rule, when Config detects a non-compliance event then trigger an EventBridge event which triggers Lambda to attempt remediation.
226
What EBS volumes support the multi attach feature?
io1 / io2, doesn't support multi-az resiliency
227
What are EBS magnetic volumes?
Lowest cost per gigabyte, ideal for infrequently accessed data
228
Does SSE-S3 provide an audit trail?
No, must use SSE-KMS for this.
229
What are the storage gateways?
S3 File Gateway - NFS/SMB file shares backed by S3.
FSx File Gateway - local access to FSx for Windows file systems.
Volume Gateway - iSCSI volumes, either cached (data in S3, cache on-premises) or stored (data on-premises, backed up to S3).
Tape Gateway - virtual tape library backed by S3 and S3 Glacier.
230
What are CloudTrail Management events?
Events for management operations (who, what action and if successful)
231
What are CloudTrail Data events?
S3 object activity/lambda invokes. Not logged by default.
232
What are the S3 lifecycle transition limits
Objects must stay at least 30 days in Standard before a lifecycle transition to Standard-IA or One Zone-IA. Transitions to the Glacier classes have no such waiting period (but each class has its own minimum billable duration).
233
Do ALBs support weighted target groups
Yes, other ELBs don't though
234
What is CloudWatch Application Insights?
Provides automated dashboards to show potential problem with monitored applications.
235
What is SQS visibility timeout?
30s default 12 hrs max
236
What is the Auto Scaling Group instance warm up time?
The time before the instance metrics are taken into account for the ASG action
237
What is ALB slow start mode?
ALB gradually increases percentage of traffic that target receives
238
What is Amazon Workspaces?
Virtual desktops to use in the cloud
239
What is the S3 GET /PUT limits?
3,500 PUT/COPY/POST/DELETE requests per second and 5,500 GET/HEAD requests per second, per prefix.
240
Does adding random prefixes to S3 objects help?
No, this is no longer needed
241
Can tags be used in IAM conditions?
Yes!
242
How to programatically ensure you are not close to exceeding your service limits?
Lambda function that refreshes the AWS Trusted Advisor Service checks and then capture these events with Amazon EventBridge
243
What is an Elastic Network Adapter? (ENA)
The standard enhanced-networking interface for EC2 (up to 100 Gbps). EFA builds on ENA and adds OS-bypass for low-latency HPC / MPI traffic (Linux only).
244
What is AWS Network Firewall?
Define rules that provide fine-grained control on in/egress traffic Inspect traffic
245
What is AWS Systems Manager Run Command?
Manage the config of many EC2 instances (or on-premise) or run commands
246
What is an IAM role trust policy?
Who can assume this role? Other accounts/services
247
ASG Step scaling vs Target tracking
Use step scaling when you want to base the scaling based on a set of scaling adjustments
248
How to increase the throughput of Site-to-Site VPN connections?
Associate the VPCs to an Equal Cost Multipath Routing enabled transit gateway
249
What are On-Demand Capacity Reservations?
Enables you to reserve compute capacity for EC2 in a specific AZ for any duration
250
How to get notified of certificate expiry in ACM?
Options:
Use an EventBridge schedule to run a daily check of certificate expiry.
Listen for ACM "Certificate Expiration" events in EventBridge, which start 45 days before expiry.
Use the AWS Config managed rule acm-certificate-expiration-check.
251
Do IAM users need access keys to make API calls?
Yes, for CLI/SDK calls they need an access key ID and secret access key (or temporary credentials obtained through STS). Prefer roles and temporary credentials over long-lived access keys.
252
What is the minimum storage in S3 Deep Archive?
180 days
253
What is the RDS read replica asynchronous replication time
seconds
254
What is the Aurora replica asynchronous replication time
milliseconds
255
Do RDS instances have security groups?
Yes but can also use IAM auth when enabled
256
Does athena have security groups
No, access is controlled by IAM
257
Received a capacity error when launching an instance in a placement group that already has instances. What to do?
Stop and restart the instances in the placement group and launch the group again.
258
Athena queries slow, what to do?
Convert the S3 data with Glue to Apache Parquet
259
What is Aurora cloning?
Space and resource efficient clone of another aurora DB (records the diff)