Quick Facts

Question 1

Amazon S3

Answer 1

All Amazon S3 buckets have encryption configured by default
Amazon S3 managed keys (SSE-S3) is the default encryption configuration
S3 Object Lock uses “Write Once Read Many” (WORM) model
S3 Object Lock help prevent accidental or inappropriate deletion of data
Stores data across multiple Availability Zones by default
S3 CRR, you can replicate data between distant AWS Regions
Use S3 Inventory to audit and report for business, compliance, and regulatory needs
Enable Amazon S3 server access logging to provide detailed records of the bucket requests
S3 Storage Lens is a cloud-storage analytics feature
Trusted Advisor gives Amazon S3 “open access permissions”

Question 2

Amazon AppFlow

Answer 2

Securely exchange data between software as a service (SaaS) applications, such as Salesforce, and AWS services, such as Amazon Simple Storage Service (Amazon S3) and Amazon Redshift

AWS we encrypt your data at rest and in transit
Integrates with AWS PrivateLink to provide private data transfer

Question 3

Amazon Athena

Answer 3

You can run queries in Amazon Athena on encrypted data in Amazon S3 in the same Region and across a limited number of Regions

User can encrypt the results of all queries in Amazon S3 or AWS Glue Data Catalog

Amazon Athena uses Transport Layer Security (TLS) encryption for data in-transit between Athena and Amazon S3

Monitor Athena usage with CloudTrail and Amazon QuickSight

AWS Lake Formation allows you to define and enforce database, table, and column-level access policies when using Athena queries to read data stored in Amazon S3

AWS Lake Formation helps you centrally govern, secure, and globally share data for analytics and machine learning

Amazon Athena makes it easy to interactively run data analytics and exploration using Apache Spark

Question 4

AWS Data Exchange

Answer 4

AWS Data Exchange is a service that helps AWS easily share and manage data entitlements from other organizations at scale

As a data receiver, you can track and manage all of your data grants and AWS Marketplace data subscriptions in one place

For data senders, it eliminates the need to build and maintain any data delivery and entitlement infrastructure

AWS Data Exchange always encrypts all data products stored in the service at rest without requiring any additional configuration. This encryption is automatic when you use AWS Data Exchange

Question 5

AWS Data Pipeline

Answer 5

Automate the movement and transformation of data

Define data-driven workflows

For ege. , you can use AWS Data Pipeline to archive your web server’s logs to Amazon Simple Storage Service (Amazon S3) each day and then run a weekly Amazon EMR (Amazon EMR) cluster over those logs to generate traffic reports

Question 6

Amazon EMR

Answer 6

Its a managed cluster platform that simplifies running big data frameworks, such as Apache Hadoop and Apache Spark

It has Cluster that consists of EC2 instances. Each EC instance is called a node and there are three types of nodes - Primary, Core and Task

Regional Service

It can run on Outposts or Local Zones

Amazon EC2 security groups act as a virtual firewall for Amazon EMR cluster instances, limiting inbound and outbound network traffic.

Amazon EMR block public access (BPA) prevents you from launching a cluster in a public subnet

Secure Shell (SSH) helps provide a secure way for users to connect to the command line on cluster instances

You can use Amazon EMR security configurations to configure data encryption

Question 7

Amazon Glue

Answer 7

Helps you to discover, prepare, move, and integrate data from multiple sources

You can manage your data in a centralized data catalog

You can immediately search and query cataloged data using Amazon Athena, Amazon EMR, and Amazon Redshift Spectrum

AWS Glue Data Brew – A visual data preparation tool that you can use to clean and normalize data without writing any code

Athena, Redshift Spectrum, EMR use AWS Glue Data Catalog

AWS Glue Streaming is more focused on high-level ETL processing, while Kinesis Data Streams provides a lower-level streaming platform

AWS Glue provides statistics about the health of your environment

Question 8

Amazon Kinesis Data Streams

Answer 8

Used to collect and process large streams of data records in real time

A common use is the real-time aggregation of data followed by loading the aggregate data into a data warehouse or map-reduce cluster

The Kinesis Client Library enables fault-tolerant consumption of data from streams and provides scaling support for Kinesis Data Streams applications

Kinesis Client Library (KCL) provides metrics per shard, worker, and KCL application

Question 9

Amazon RedShift

Answer 9

It has On-demand pricing for provisioned capacity by the hour

Amazon Redshift Serverless for as low as $3 per hour and pay only for the compute capacity your data warehouse consumes when it is active

Managed storage pricing - You pay for data stored in managed storage at a fixed GB-month rate for your region

Amazon Redshift Spectrum allows you to directly run SQL queries against exabytes of data in Amazon S3

Amazon Redshift Spectrum pricing - You are charged for the number of bytes scanned by Redshift Spectrum, rounded up to the next megabyte

Question 10

Amazon EventBridge

Answer 10

An event indicates a change in an environment. Events are represented as JSON objects and they all have a similar structure, and the same top-level fields

1) Amazon EC2 generates an event when the state of an instance changes from pending to running.
2) Amazon EC2 Auto Scaling generates events when it launches or terminates instances.
3) AWS CloudTrail publishes events when you make API calls.

You could create a pipe with a DynamoDB stream for a source, and an event bus as the target. The pipe receives events from the DynamoDB stream and sends them to the event bus, which then sends them on to multiple targets according to the rules you’ve specified on the event bus

EventBridge encrypts event metadata and message data that it stores. By default, EventBridge encrypts data using 256-bit Advanced Encryption Standard (AES-256) under an AWS owned key

Question 11

Amazon MQ

Answer 11

A message broker allows software applications and components to communicate using various programming languages, operating systems, and formal messaging protocols

Amazon SQS and Amazon SNS are queue and topic services that are highly scalable, simple to use, and don’t require you to set up message brokers. Amazon MQ is a managed message broker service that provides compatibility with many popular message brokers.

We recommend Amazon MQ for migrating applications from existing message brokers. We recommend SQS and SNS these services for new applications.

When you create an Amazon MQ for ActiveMQ broker or an Amazon MQ for RabbitMQ broker, you can specify the AWS KMS key that you want Amazon MQ to use to encrypt your data at rest. If you do not specify a KMS key, Amazon MQ creates an AWS owned KMS key for you and uses it on your behalf

Question 12

Amazon SNS

Answer 12

You can develop an application that publishes a message to an SNS topic whenever an order is placed for a product. Then, SQS queues that are subscribed to the SNS topic receive identical notifications for the new order. An Amazon Elastic Compute Cloud (Amazon EC2) server instance attached to one of the SQS queues can handle the processing or fulfillment of the order

You can receive immediate notification when an event occurs, such as a specific change to your Amazon EC2 Auto Scaling group, a new file uploaded to an Amazon S3 bucket, or a metric threshold breached in Amazon CloudWatch

You could send e-commerce order confirmations as user notifications to individuals or groups

You can use Amazon SNS to send update notifications to an app. The notification message can include a link to download and install the update

User has to enable encryption for data stored in SNS Topics

Message data protection safeguards the data that’s published to your Amazon SNS topics by using data protection policies to audit, mask, redact, or block the sensitive information that moves between applications or AWS services

Question 13

Amazon SQS

Answer 13

SQS and SNS are NOT synchronous and does NOT have message brockers like MQ

Amazon SQS supports two types of queues – standard queues and FIFO queues

Standard Queue is needed if you have to send data between applications when the throughput is important

FIFO queue is needed if you have to send data between applications when the order of events is important

SSE protects the contents of messages in queues using SQS-managed encryption keys (SSE-SQS) or keys managed in the AWS Key Management Service (SSE-KMS)

Distributed queues is example of resilience

Question 14

AWS Step Functions

Answer 14

Step Functions has two workflow types. Standard workflows have exactly-once workflow execution and can run for up to one year. This means that each step in a Standard workflow will execute exactly once. Express workflows, however, have at-least-once workflow execution and can run for up to five minutes

Standard workflows are ideal for long-running, auditable workflows, as they show execution history and visual debugging. Express workflows are ideal for high-event-rate workloads, such as streaming data processing and IoT data ingestion

The Amazon Simple Workflow Service (Amazon SWF) provides a way to build, run, and scale background jobs that have parallel or sequential steps

Question 15

Amazon Chime

Answer 15

You can use Amazon Chime for online meetings, video conferencing, calls, and chat

Question 16

Amazon Pinpoint

Answer 16

You can use Amazon Pinpoint to send push notifications, in-app notifications, emails, text messages, voice messages, and messages over custom channels.

Using the analytics that Amazon Pinpoint provides, you can gain insight into your user base by viewing trends related to user engagement, campaign outreach, revenue, and more

Question 17

Amazon SES

Answer 17

Amazon Simple Email Service (SES) is an email platform that provides an easy, cost-effective way for you to send and receive email using your own email addresses and domains.

You can send marketing emails such as special offers, transactional emails such as order confirmations, and other types of correspondence such as newsletters

Question 18

Amazon Savings Plan

Answer 18

Compute Savings Plans, EC2 Instance Savings Plans and SageMaker Savings Plans

With Compute Savings Plans, you can move a workload from C5 to M5, shift your usage from EU (Ireland) to EU (London), or migrate your application from Amazon EC2 to Amazon ECS using Fargate at any time.

With an EC2 Instance Savings Plan, you can change your instance size within the instance family (for example, from c5.xlarge to c5.2xlarge) or the operating system (for example, from Windows to Linux), or move from Dedicated tenancy to Default and continue to receive the discounted rate provided by your EC2 Instance Savings Plan

With SageMaker Savings Plans, you can move a workload from ml.c5 to ml.m5, shift your usage from Europe (Ireland) to Europe (London), or migrate your usage from Training to Inference at any time and continue to receive benefits

Savings plan recommendations can be found under AWS Cost Management console ->Savings Plans->Recommendations
OR
You can also receive your Savings Plans recommendations via the AWS Cost Explorer API

Automating Savings Plans with Amazon EventBridge

Question 19

AWS App Runner

Answer 19

Provides a fast, simple, and cost-effective way to deploy from source code or a container image directly to a scalable and secure web application in the AWS Cloud.

AWS App Runner takes your source code or source image from a repository, and creates and maintains a running web service for you in the AWS Cloud

Question 20

AWS Batch

Answer 20

AWS Batch CloudWatch Container Insights collects, aggregates, and summarizes metrics and logs from your AWS Batch compute environments and jobs. The metrics include CPU, memory, disk, and network utilization. You can add these metrics to CloudWatch dashboards.

Question 21

EC2

Answer 21

Leverage security groups as the primary mechanism for controlling network access to Amazon EC2 instances. When necessary, use network ACLs sparingly to provide stateless, coarse-grain network control

Customers often use the Windows Firewall for further visibility into network traffic and to complement security group filters

Resilience is achieved by replicating your data or applications over greater geographic distances, use AWS Local Zones
AND/OR
Copying AMIs and EBS snapshots across Regions
AND/OR
Use Amazon EC2 Auto Scaling
AND/OR
Distributing incoming traffic across multiple instances in a single Availability Zone or multiple Availability Zones using Elastic Load Balancing

Amazon EC2 stores the public key on your instance, and you store the private key

Security group rules enable you to filter traffic based on protocols and port numbers, they are stateful, you can add and remove rules at any time and you can associate multiple security groups with an instance

Question 22

Elastic Bean Stalk

Answer 22

You can also perform most deployment tasks, such as changing the size of your fleet of Amazon EC2 instances or monitoring your application, directly from the Elastic Beanstalk web interface (console)

EBS provides a managed updates feature. This feature automatically applies patch and minor updates for an Elastic Beanstalk supported platform version

The basic health reporting system provides information about the health of instances in an Elastic Beanstalk environment based on health checks performed by Elastic Load Balancing for load-balanced environments, or Amazon Elastic Compute Cloud for single-instance environments

Elastic Beanstalk also monitors the other resources in your environment and reports missing or incorrectly configured resources that can cause your environment to become unavailable to users

Additional Checks:
The environment’s Auto Scaling group is available and has a minimum of at least one instance.
The environment’s security group is available and is configured to allow incoming traffic on port 80
The environment CNAME exists and is pointing to the right load balancer.
In a worker environment, the Amazon Simple Queue Service (Amazon SQS) queue is being polled at least once every three minutes

With basic health reporting, the Elastic Beanstalk service does not publish any metrics to Amazon CloudWatch

Elastic Beanstalk stores various objects in an Amazon Simple Storage Service (Amazon S3) bucket that it creates for each AWS Region in which you create environments. Elastic Beanstalk doesn’t turn on default encryption for the Amazon S3 bucket that it creates

Question 23

AWS Lambda

Answer 23

Lambda service runs your code inside an execution environment

Execution environments are run on hardware virtualized virtual machines (MicroVMs) which are dedicated to a single AWS account

The Lambda service stores your function code in an internal S3 bucket that’s private to your account

Lambda execution environments handle one request at a time. After the invocation has ended, the execution environment is retained for a period of time. If another request arrives, the environment is reused to handle the subsequent request

If requests arrive simultaneously, the Lambda service scales up the Lambda function to provide multiple execution environments

When not to use a Lambda function:
For functions that act as orchestrators. Better moving the orchestration flow to AWS Step Functions
Lambda functions that transport data from one service to another without performing any business logic

Question 24

Amazon LightSail

Answer 24

AWS and Lightsail do not update or patch the operating system or applications on instances after you create them

Lightsail also does not update or patch the operating system and software that you configure on your Lightsail container services

Amazon Lightsail reports metric data for instances, databases, content delivery network (CDN) distributions, load balancers, container services, and buckets. You can view and monitor this data in the Lightsail console

Lightsail also offers Amazon Lightsail for Research

Question 25

AWS Local Zones

Answer 25

There's no additional charge for enabling Local Zones. You pay only for the resources that you deploy in your Local Zones. AWS resources in Local Zones have different prices than they do in parent AWS Regions Local Zones have their own connections to the internet and support AWS Direct Connect To use a Local Zone, you must first enable it. Next, you create a subnet in the Local Zone. Finally, you launch resources in the Local Zone subnet

Question 26

Amazon Elastic Container Registry (ECR)

Answer 26

An Amazon ECR private registry is provided to each AWS account; you can create one or more repositories in your registry and store Docker images, Open Container Initiative (OCI) images, and OCI compatible artifacts in them Image scanning helps in identifying software vulnerabilities in your container images Cross-Region and cross-account replication Amazon ECR stores images in Amazon S3 buckets By default, Amazon ECR uses server-side encryption with Amazon S3-managed encryption keys Use the CloudWatch console to visualize your service quotas

Question 27

Amazon Elastic Container Service (ECS)

Answer 27

There are three layers in Amazon ECS: Capacity - The infrastructure where your containers run Controller - Deploy and manage your applications that run on the containers Provisioning - The tools that you can use to interface with the scheduler to deploy and manage your applications and containers Runtime Monitoring in GuardDuty is an intelligent threat detection service that protects workloads running on Fargate and EC2 container instances by continuously monitoring AWS log and networking activity to identify malicious or unauthorized behavior

Question 28

AWS KMS

Answer 28

Create multi-Region keys, which act like copies of the same KMS key in different AWS Regions. Each AWS KMS key that you create in AWS KMS costs $1/month (prorated hourly) You are not charged for the following: Creation and storage of AWS managed or AWS owned KMS keys There is no charge for customer managed KMS keys that you manage and are scheduled for deletion By default, AWS KMS generates and protects the cryptographic key material for KMS keys

Question 29

AWS IQ

Answer 29

AWS IQ connects you to AWS Certified experts for hands-on help for your AWS projects. You create a request and choose from experts who respond

Question 30

AWS Support Plans

Answer 30

All AWS customers automatically have 24x7 access to these features of Basic Support: 1. One-on-one responses to account and billing questions 2. Support forums 3. Service health checks 4. Documentation, technical papers, and best practice guides Developer Support plan have access to these additional features: 1. Best practice guidance 2. Client-side diagnostic tools 3. Building-block architecture support: guidance on how to use AWS products, features, and services together 4. Supports an unlimited number of support cases that can be opened by one primary contact, which is the AWS account root user. In addition, Business, Enterprise On-Ramp, or Enterprise Support plan have access to these features: 1. Use-case guidance 2. AWS Trusted Advisor 3. The AWS Support API 4. Third-party software support 5. Supports an unlimited number of AWS (IAM) users In addition, Enterprise On-Ramp or Enterprise Support plan have access to these features: 1. Application architecture guidance 2. Infrastructure event management 3. Technical account manager 4. White-glove case routing 5. Management business reviews

Question 31

AWS support plan response time

Answer 31

Developer: General guidance: < 24 hours System impaired: < 12 hours Additional in Business: Production system impaired: < 4 hours Production system down: < 1 hour Additional in Enterprise-onramp: Business-critical system down: < 30 minutes Additional in Enterprise: Business/Mission-critical system down: < 15 minutes

Question 32

Amazon Aurora

Answer 32

Compatible with MySQL and PostgreSQL Aurora stores copies of the data in a DB cluster across multiple Availability Zones in a single AWS Region For high availability across multiple AWS Regions, you can set up Aurora global databases An Aurora global database consists of one primary AWS Region where your data is written, and up to five read-only secondary AWS Regions Aurora global databases currently don't support Aurora Auto Scaling for secondary DB clusters Amazon Aurora can encrypt your Amazon Aurora DB clusters. Data that is encrypted at rest includes the underlying storage for DB clusters, its automated backups, read replicas, and snapshots You can't turn off encryption on an encrypted DB cluster Aurora backs up your cluster volume automatically and retains restore data for the length of the backup retention period

Question 33

Amazon DoumentDB

Answer 33

Amazon DocumentDB supports two types of clusters: instance-based clusters and elastic clusters. Elastic clusters support workloads with millions of reads/writes per second and petabytes of storage capacity Instance based: Amazon DocumentDB automatically grows the size of your storage volume Amazon DocumentDB lets you scale the compute and memory resources for each of your instances up or down Amazon DocumentDB runs in Amazon Virtual Private Cloud (Amazon VPC) Amazon DocumentDB continuously monitors the health of your cluster On instance failure, Amazon DocumentDB automates failover to one of up to 15 Amazon DocumentDB replicas that you create in other Availability Zones. If no replicas have been provisioned and a failure occurs, Amazon DocumentDB tries to create a new Amazon DocumentDB instance automatically backup capability allows you to restore your cluster to any second during your retention period, up to the last 5 minutes

Question 34

Amazon MemoryDB

Answer 34

MemoryDB at-rest encryption is always enabled

Question 35

Amazon Neptune

Answer 35

Fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets With Amazon Neptune, you don’t have to worry about database management tasks like hardware provisioning, software patching, setup, configuration, or backups.

Question 36

Amazon QLDB

Answer 36

You can use Amazon QLDB to track all application data changes, and maintain a complete and verifiable history of changes over time All data stored in Amazon QLDB is fully encrypted at rest by default QLDB doesn't provide a dedicated backup and related restore feature at this time

Question 37

Amazon RDS

Answer 37

Database on EC2, customer is responsible for: Application optimization, Scaling, High availability, Database backups, Database software patching, Database software install, OS patching, OS installation Using Amazon RDS, customer is responsible for: Application optimization Db2, MariaDB, Microsoft SQL Server, MySQL, Oracle, and PostgreSQL Amazon RDS Custom is an RDS management type that gives you full access to your database and operating system You can also subscribe to Amazon RDS events to be notified about changes to a DB instance, DB snapshot, or DB parameter group Pricing = DB instance hours + Provisioned Storage + (I/O) requests (for Amazon RDS magnetic storage only) + Provisioned IOPS + Backup storage + Data transfer in and out of your DB instance from or to the internet and other AWS Regions To copy an encrypted snapshot from one AWS Region to another, you must specify the KMS key in the destination AWS Region. This is because KMS keys are specific to the AWS Region that they are created in

Question 38

Amazon TimeStream

Answer 38

Use cases: Monitoring metrics to improve the performance and availability of your applications. Storage and analysis of industrial telemetry to streamline equipment management and maintenance. Tracking user interaction with an application over time. Storage and analysis of IoT sensor data.

Question 39

Amazon CloudShell

Answer 39

With the shell that's created for AWS CloudShell sessions, you can switch seamlessly between your preferred command line shells. More specifically, you can switch between Bash, PowerShell, and Z shell AWS CloudShell is an AWS service that's available at no additional charge. However, you pay for other AWS resources that you run with AWS CloudShell. Moreover, standard data transfer rates also apply

Question 40

AWS CodeBuild

Answer 40

The CodeBuild console also provides a way to quickly search for your resources, such as repositories, build projects, deployment applications, and pipelines

Question 41

Amazon CodeCatalyst

Answer 41

CodeCatalyst provides one place where you can plan work, collaborate on code, and build, test, and deploy applications with continuous integration/continuous delivery (CI/CD) tools. Its similar to AWS CodeStar

Question 42

AWS CodeCommit

Answer 42

Anyone with an AWS account can get started with AWS CodeCommit for free. Your account gets 5 active users per month for free (within limits), after which you pay $1.00 per additional active user per month. There are no upfront fees or commitments. CodeCommit is not integrated with gitHUB Things not to use for CodeCommit: Large files that change frequently - Use S3 Audit trails - Use S3 Backups - AWS Backup and Restore Large numbers of branches or references - We recommend using CodeCommit, but delete branches and tags that are no longer needed

Question 43

AWS CodeDeploy

Answer 43

CodeDeploy is able to deploy applications to three compute platforms: EC2/On-Premises AWS Lambda Amazon ECS Customer code is not stored in CodeDeploy Service model data for deployments, deployment configuration, deployment groups, applications, and application revisions are stored in Amazon DynamoDB and encrypted at rest using an AWS owned key, owned and managed by CodeDeploy

Question 44

Amazon AppStream 2.0

Answer 44

A streaming instance (also known as a fleet instance) is an EC2 instance that is made available to a single user for application streaming. After the user’s session completes, the instance is terminated by EC2

Question 45

Amazon WorkSpaces

Answer 45

WorkSpaces uses your Simple AD, AD Connector, or AWS Managed Microsoft AD directory to authenticate users

Question 46

Amazon WorkSpaces Web

Answer 46

Designed to facilitate secure browser access to internal websites and software-as-a-service (SaaS) applications

Question 47

Amazon WorkSpaces Core

Answer 47

Managed virtual desktop infrastructure designed to work with third-party VDI solutions

Question 48

AWS Amplify

Answer 48

Enables frontend web and mobile developers to quickly and easily build full-stack applications on AWS Amplify uses Amazon CloudFront to serve your app to your customers

Question 49

AWS AppSync

Answer 49

Enables developers to connect their applications and services to data and events with secure, serverless and high-performing GraphQL and Pub/Sub APIs

Question 50

AWS Security Credentials

Answer 50

You can't use IAM policies to deny the root user access to resources explicitly. You can only use an AWS Organizations service control policy (SCP) to limit the permissions of the root user If you lose your root user access keys, you must be able to sign in to your account as the root user to create new ones Only Root User can: 1. Change account settings 2. Restore IAM user permissions. 3. Close account 4. Activate IAM access to the Billing and Cost Management console 5. Register as a seller 6. Configure an Amazon S3 bucket to enable MFA 7. Edit or delete an Amazon SQS resource policy that denies all principals 8. Edit or delete an Amazon S3 bucket policy that denies all principals 9. Sign up for AWS GovCloud (US) Don't create long-term access keys for human users who need access to applications or AWS services Don't store long-term access keys within an AWS compute service Use IAM roles to generate temporary security credentials whenever possible Don't embed long-term access keys and secret access keys in your application code or in a code repository AWS IAM Access Analyzer does the following: 1. Identify resources that are shared with an external entity 2. Identify unused access 3. Validates IAM policies against AWS best practices 4. Validate IAM policies against your specified security standards 5. Generates IAM policies based on access activity in your AWS CloudTrail logs

Question 51

AWS Service Endpoints

Answer 51

Service General EndPoint supported by : EC2, ASG, EMR When you use a general endpoint, AWS routes the API request to US East (N. Virginia) (us-east-1), which is the default Region for API calls

Question 52

AWS Tagging

Answer 52

Each resource can have a maximum of 50 user created tags For each resource, each tag key must be unique, and each tag key can have only one value The tag value must be a minimum of 0 and a maximum of 256 Unicode characters in UTF-8 Allowed characters are letters, numbers, spaces representable in UTF-8, and the following characters: _ . : / = + - @ Tag keys and values are case sensitive Tags for automation Tags for access control

Question 53

AWS IoT Core

Answer 53

Use secure tunneling to establish bidirectional communication to remote devices over a secure connection that is managed by AWS IoT Using FleetIndexing you can query a group of devices AWS IoT Device Defender is a security service that allows you to audit the configuration of your devices, monitor connected devices to detect abnormal behavior, and mitigate security risks Device Advisor is a cloud-based, fully managed test capability for validating IoT devices during device software development

Question 54

AWS IoT Greengrass

Answer 54

AWS IoT Greengrass is an open source Internet of Things (IoT) edge runtime and cloud service that helps you build, deploy and manage IoT applications on your devices

Question 55

Amazon Comprehend

Answer 55

Find the documents about a particular subject using Amazon Comprehend topic modeling. Scan a set of documents to determine the topics discussed, and to find the documents associated with each topic. You can specify the number of topics that Amazon Comprehend should return from the document set. If your company publishes a catalog, let Amazon Comprehend tell you what customers think of your products Use Amazon Comprehend topic modeling to discover the topics that your customers are talking about on your forums and message boards, then use entity detection to determine the people, places, and things that they associate with the topic. Use sentiment analysis to determine how your customers feel about a topic

Question 56

Amazon CodeGuru

Answer 56

CodeGuru Security is a rearchitected and redesigned version of CodeGuru Reviewer Currently, CodeGuru Security is in preview release and is free to use Types of code scans 1. Code security analysis 2. Code quality analysis 3. Secrets detection

Question 57

AWS Billing Conductor

Answer 57

AWS Billing Conductor is a custom billing service that can support the showback and chargeback workflows of AWS Solution Providers and Enterprise customers Group your accounts into a set of mutually exclusive set of accounts (billing groups) Apply custom pricing plans Create and apply one-time or recurring charges or credits to your billing groups

Question 58

AWS Cost Categotries

Answer 58

You can create groupings of costs using cost categories. For example, assume that your business is organized by teams and that each team has multiple accounts within. To build this structure in cost categories, create a cost category named Team. Then, you can map costs to a cost category value that's named Team 1.

Question 59

AWS Credits

Answer 59

The order of how credits apply if an AWS account has more than one credit: 1. The soonest to expire amongst the credits 2. The credit with the least number of eligible services 3. The oldest of all credits

Question 60

Consolidate Billing

Answer 60

Reserved Instances and Savings Plans discount sharing: To share an Reserved Instance or Savings Plans discount with an account, both accounts must have sharing activated

Question 61

Amazon Rekognition

Answer 61

Common use cases for using Amazon Rekognition include the following: Searchable image and video libraries Face Liveness Detection : helps you verify that a user is physically present in front of the camera and isn’t a bad actor spoofing Face-based user verification Facial detection and analysis - can detect and analyze different facial components and attributes, such as: emotional expressions (like happy, sad, or surprised), demographic information (like gender or age) Facial Search Unsafe content detection - can detect inappropriate, unwanted, or offensive content Celebrity recognition Text detection Custom labels - you can find your logo in social media posts, identify your products on store shelves

Question 62

AWS AppConfig

Answer 62

Safely release new capabilities to your customers in a controlled environment Carefully introduce application changes while testing the impact of those changes with users in production environments Control access to premium features or instantly block specific users without deploying new code Keep your configuration data organized and consistent across all of your workloads

Question 63

Amazon EC2 ASG

Answer 63

Better fault tolerance Better availability Better cost management Strategies: Maintain a fixed number of instances Scale based on a schedule - This is useful when you know exactly when to increase or decrease the number of instances in your group Scale dynamically based on demand a) Step scaling b) Simple scaling c) Target tracking scaling Step Scaling e.g. : You can define different step adjustments based on the breach size of the alarm. You can define separate scaling policies to handle scaling out (increasing capacity) and scaling in (decreasing capacity) when an alarm threshold is breached For example: Scale out by 10 instances if the alarm metric reaches 60 percent Scale out by 30 instances if the alarm metric reaches 75 percent Scale out by 40 instances if the alarm metric reaches 85 percent Simple scaling policies are similar to step scaling policies, except they're based on a single scaling adjustment Target tracking scaling e.g. : You can meet this need by creating a target tracking scaling policy that targets an average CPU utilization of 50 percent. Then, your Auto Scaling group will scale out (increase capacity) when CPU exceeds 50 percent to handle increased load. It will scale in (decrease capacity) when CPU drops below 50 percent to optimize costs during periods of low utilization. Predictive scaling e.g. : Consider an application that has high usage during business hours and low usage overnight. At the start of each business day, predictive scaling can add capacity before the first influx of traffic. This helps your application maintain high availability and performance when going from a period of lower utilization to a period of higher utilization

Question 64

AWS CloudFormation

Answer 64

Public and Private extensions Public extensions - AWS Lambda functions or Amazon S3 buckets Private extensions - Custom resource types like third party resources

Question 65

AWS CloudTrail

Answer 65

CloudTrail provides three ways to record events: 1. Event history 2. CloudTrail Lake 3. Trails

Question 66

Amazon CloudWatch

Answer 66

Services used along with Amazon CloudWatch 1. SNS 2. EC2 Auto Scaling 3. CloudTrail 4. iAM CloudWatch cross-account observability is used to get cross-account, cross-Region metrics, logs, and traces CloudWatch agent can collect metrics from 1. Amazon EC2 instances across operating systems 2. System-level metrics from on-premises servers 3. Custom metrics from your applications or services 4. Collect logs from Amazon EC2 instances and on-premises servers You can use Amazon CloudWatch Synthetics to create canaries, configurable scripts that run on a schedule, to monitor your endpoints and APIs. Canaries check the availability and latency of your endpoints and can store load time data and screenshots of the UI. By using canaries, you can discover issues before your customers do Amazon EC2 detailed monitoring provides more frequent metrics, published at one-minute intervals, instead of the five-minute intervals used in Amazon EC2 basic monitoring

Question 67

AWS Compute Optimizer

Answer 67

Compute Optimizer generates recommendations for the following resources: 1. EC2 2. EC2 ASG 3. EBS 4. Lambda functions 5. ECS 6. Commercial software licenses Recommendation preferences 1. Rightsizing recommendation preferences - Free 2. Enhanced infrastructure metrics for ASG - Paid 3. Savings estimation mode - Allows Compute Optimizer to analyze specific pricing discounts when generating the estimated cost savings of rightsizing recommendations

Question 68

AWS Control Tower

Answer 68

AWS Control Tower offers the easiest way to set up and govern a secure, compliant, multi-account AWS environment AWS Control Tower has the following features: 1. Landing zone 2. Controls 3. Account Factory 4. Dashboard

Question 69

AWS OpsWorks

Answer 69

AWS OpsWorks is a configuration management service that helps you configure and operate applications in a cloud enterprise by using Puppet or Chef AWS OpsWorks Services 1. AWS OpsWorks for Puppet Enterprise 2. AWS OpsWorks for Chef Automate 3. AWS OpsWorks Stacks (to be migrated to AWS Systems Manager)

Question 70

AWS Organizations

Answer 70

In SCPs, you can restrict which AWS services, resources, and individual API actions the users and roles in each member account can access. You can also define conditions for when to restrict access to AWS services, resources, and API actions You can use backup policies to configure and automatically apply AWS Backup plans to resources across all your organization's accounts The user can access only what is allowed by both the AWS Organizations policies and IAM policies AWS Organizations is a global service with a single endpoint that works from any and all AWS Regions. You don't need to explicitly select a region to operate in

Question 71

Global Services

Answer 71

Their Data Plane is in different regions AWS IAM AWS Organizations AWS Account Management Route 53 Application Recovery Controller (ARC) AWS Network Manager Route 53 Private DNS Their Data Plane is on Point of Presence(PoP) Amazon CloudFront AWS WAF for CloudFront AWS Global Accelerator AWS Shield Advanced Some operations of these services have global impact: Route 53 Amazon S3 CloudFront AWS STS AWS IAM Identity Center Amazon S3 Storage Lens

Question 72

AWS Systems Manager

Answer 72

Capabilities: 1. Application Manager helps DevOps engineers investigate and remediate issues with their AWS resources. 2. Change Manager is for requesting, approving, implementing, and reporting on operational changes to your application configuration and infrastructure 3. Use Compliance to scan your fleet of managed nodes for patch compliance and configuration inconsistencies 4. Incident Manager is an incident management console that helps users mitigate and recover from incidents affecting their AWS hosted applications 5. Use Quick Setup to configure frequently used AWS services and features with recommended best practices

Question 73

Amazon Elastic Transcoder

Answer 73

You can convert large, high-quality digital media files into formats that users can play back on mobile devices, tablets, web browsers, and connected televisions You can protect your Elastic Transcoder data by encrypting any input and output files using S3 Server-Side Encryption or Client-Side Encryption Using Customer-Provided Keys

Question 74

AWS Application Discovery Service

Answer 74

Application Discovery Service integrates with application discovery solutions from AWS Partner Network (APN) partners. These third-party solutions can help you import details about your on-premises environment directly into Migration Hub, without using any agentless collector or discovery agent.

Question 75

AWS Application Migration Service

Answer 75

Retire: Retiring the application means that you can shut down the servers within that application stack. Retain: This is the migration strategy for applications that you want to keep in your source environment or applications that you are not ready to migrate. You might choose to migrate these applications in the future. Rehost (lift and shift): Rehost is the process of moving applications from your source environment to the AWS Cloud without making any changes to the application. Relocate: Relocate is transferring a large number of servers, comprising one or more applications, at a given time from on-premises platform to a cloud version of the platform. For example, you can use this strategy to transfer servers in bulk from VMware software-defined data center (SDDC) to VMware Cloud on AWS. Repurchase (drop and shop): Repurchase means replacing your application with a different version or product. Replatform (lift, tinker, and shift): Replatform is moving an application to the cloud and introducing some level of optimization in order to operate the application efficiently, reduce costs, or take advantage of cloud capabilities. Refactor: Refactor is moving an application to the cloud, and modifying its architecture by taking full advantage of cloud-native features to improve agility, performance, and scalability.

Question 76

AWS DataSync

Answer 76

DataSync works with the following on-premises storage systems: Network File System (NFS) Server Message Block (SMB) Hadoop Distributed File Systems (HDFS) Object storage The only data that DataSync handles at rest relates to the information that it discovers about your on-premises storage system and the details needs to complete your transfer. DataSync stores the following data with full at-rest encryption in Amazon DynamoDB

Question 77

AWS Transfer Family

Answer 77

AWS Transfer Family supports transferring data from or to the following AWS storage services. Amazon S3 and Amazon EFS AWS Transfer Family supports transferring data over the following protocols: Secure Shell (SSH) File Transfer Protocol (SFTP): version 3 File Transfer Protocol Secure (FTPS) File Transfer Protocol (FTP) Applicability Statement 2 (AS2)

Question 78

Amazon API Gateway

Answer 78

Optimization: Enabling API caching to enhance responsiveness Enabling payload compression for an API

Question 79

Amazon CloudFront

Answer 79

Function code and configuration in CloudFront Functions is always stored in an encrypted format on the edge location POPs, and in other storage locations used by CloudFront You can improve resiliency and increase availability for specific scenarios by setting up CloudFront with origin failover

Question 80

AWS DirectConnect

Answer 80

AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard Ethernet fiber-optic cable. AWS Direct Connect does not encrypt your traffic that is in transit by default

Question 81

Elastic Load Balancing

Answer 81

Application Load Balancer (Layer 7) Protocols : HTTP or HTTPS Target Types are: 1. InstanceID 2. ip Address 3. Lambda Function When the target type is ip, you can specify IP addresses from one of the following CIDR blocks: 1. The subnets of the VPC for the target group 2. List as specified by AWS You can't specify publicly routable IP addresses. Network Load Balancers(Layer 4) Protocols: TCP, TLS, UDP, TCP_UDP Target Types are: 1. InstanceID 2. ip Address 3. Application Load Balancer Gateway Load Balancer (Gateway Load Balancers listen for all IP packets across all ports. Layer 3) Protocol : GENEVE Target Types are: 1. InstanceID 2. ip Address

Question 82

AWS Global Accelerator

Answer 82

The static IP addresses provided by AWS Global Accelerator serve as single fixed entry points for your clients. The static IP addresses accept incoming traffic onto the AWS global network from the edge location that is closest to your users By using a standard accelerator, you can improve the availability and performance of your applications running on Application Load Balancers, Network Load Balancers, or Amazon EC2 instances

Question 83

Amazon Route 53

Answer 83

Three main functions: 1. Register domain names 2. Route internet traffic to the resources for your domain 3. Check the health of your resources If Route 53 considers the endpoint unhealthy and if you configured notification for the health check, Route 53 notifies CloudWatch AWS Direct Connect - Describes establishing a private, logical connection from your remote network to Amazon VPC, using AWS Direct Connect. AWS Direct Connect + AWS Site-to-Site VPN – Describes establishing a private, encrypted connection from your remote network to Amazon VPC, using AWS Direct Connect and AWS Site-to-Site VPN. AWS VPN CloudHub – Describes establishing a hub-and-spoke model for connecting remote branch offices.

Question 84

AWS Site-to-Site VPN

Answer 84

A Site-to-Site VPN connection has the following limitations. IPv6 traffic is not supported for VPN connections on a virtual private gateway. An AWS VPN connection does not support Path MTU Discovery. When connecting your VPCs to a common on-premises network, we recommend that you use non-overlapping CIDR blocks for your networks

Question 85

AWS Ground Station

Answer 85

AWS Ground Station is a fully managed service that enables you to control satellite communications, process satellite data, and scale your satellite operations

Question 86

AWS Network Firewall

Answer 86

Intrusion detection and prevention service for your AWS VPC Filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect Tasks: Pass traffic through only from known AWS service domains or IP address endpoints, such as Amazon S3. Use custom lists of known bad domains to limit the types of domain names that your applications can access. Perform deep packet inspection on traffic entering or leaving your VPC. Use stateful protocol detection to filter protocols like HTTPS, independent of the port used.

Question 87

AWS WAF

Answer 87

Monitor the HTTP(S) requests that are forwarded to your protected web application resources. Protect the following resources: CloudFront API Gateway REST API ALB AppSync GraphQL API Amazon Cognito App Runner AWS Verified Access instance You protect by defining a web access control list (ACL) Tasks: Allow the requests to go to the protected resource for processing and response. Block the requests. Count the requests. Run CAPTCHA or challenge checks

Question 88

Amazon EBS

Answer 88

We recommend Amazon EBS for data that must be quickly accessible and requires long-term persistence. Primary storage for file systems, databases You can attach multiple EBS volumes to a single instance The volume and instance must be in the same Availability Zone You create an EBS volume in a specific Availability Zone, and then attach it to an instance in that same Availability Zone. To make a volume available outside of the Availability Zone, you can create a snapshot and restore that snapshot to a new volume anywhere in that Region. You can copy snapshots to other Regions and then restore them to new volumes there, making it easier to leverage multiple AWS Regions for geographical expansion, data center migration, and disaster recovery When you create snapshots, you incur charges in Amazon S3 based on the size of the data being backed up, not the size of the source volume. Subsequent snapshots of the same volume are incremental snapshots. They include only changed and new data written to the volume since the last snapshot was created, and you are charged only for this changed and new data

Question 89

AWS Instance Store

Answer 89

Instance store volumes can be attached to an instance only when you launch it. You can't attach instance store volumes to an instance after you've launched it After you launch an instance with attached instance store volumes, you must mount the volumes before you can access them The data on an instance store volume persists even if the instance is rebooted. However, the data does not persist if the instance is stopped, hibernated, or terminated

Question 90

File Storage

Answer 90

Use Amazon S3 with Amazon EC2 Use Amazon EFS with Amazon EC2 Use Amazon FSx with Amazon EC2 Use Amazon File Cache with Amazon EC2 Amazon EFS is not supported on Windows instances. EFS automatically grows and shrinks as you add and remove files

Question 91

AWS Acceptable Use Policy

Answer 91

The focus is on main focus is on ensuring responsible and legal use of AWS services which is "Security, Compliance, Data Protection, and Intellectual Property"