Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

AWS-SAA > Rapid Fire Exam Questions > Flashcards

Rapid Fire Exam Questions Flashcards

(112 cards)

Start Studying
1
Q

What is the ReplaceUnhealthy process used for in auto-scaling groups?

A

The ReplaceUnhealthy process is used to terminate/replace EC2 instances which have been marked as unhealthy during a health check performed by a load balancer or the EC2 service.

Processes in auto-scaling groups can be suspended/resumed at any time. This can be useful when performing maintenance on EC2 instances which are part of the ASG without triggering undesired actions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What happens when an EC2 instance’s status is modified from InService to Standby?

A

The Standby status is mainly used for updating + troubleshooting EC2 instances which are part of an auto-scaling group. Instances which are on Standby are still part of the Auto Scaling group, but they do not actively handle load balancer traffic.

When you put an instance on Standby, you can either decrement the desired capacity through this operation, or keep it at the same value. If you choose to decrement the desired capacity of the Auto Scaling group, this prevents the launch of an instance to replace the one on Standby. If you choose not to decrement the desired capacity of the Auto Scaling group, Amazon EC2 Auto Scaling launches an instance to replace the one on Standby.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is Kinesis Data Streams?

A

Amazon Kinesis Data Streams is a service which enables real-time processing of streaming big data. It provides ordering of records, as well as the ability to read and/or replay records in the same order to multiple Amazon Kinesis Applications.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

List 4 advantages/applications of Kinesis Data Streams.

A

1) Routing related records to the same record consumer (as in streaming MapReduce). For example, counting and aggregation are simpler when all records for a given key are routed to the same record processor.

2) Ordering of records. For example, you want to transfer log data from the application host to the processing/archival host while maintaining the order of log statements.

3) Ability for multiple applications to consume the same stream concurrently. For example, you have one application that updates a real-time dashboard and another that archives data to Amazon Redshift. You want both applications to consume data from the same stream concurrently and independently.

4) Ability to consume records in the same order a few hours later. For example, you have a billing application and an audit application that runs a few hours behind the billing application. Because Amazon Kinesis Data Streams stores data for up to 365 days, you can run the audit application up to 365 days behind the billing application.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What software tools can be used to create or retrieve records from a shard in a Kinesis Data Stream?

A

The Amazon Kinesis Producer Library (KPL) can be used for creating/delivering records to a particular shard in a data stream.

The Amazon Kinesis Client Library (KCL) can be used for retrieving records stored in a particular shard.

Both the KPL/KCL are high-level libraries built on top of the AWS SDK.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are the min/max retention periods for records stored in a Kinesis Data Stream?

A

Between 1-365 days.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

List 3 different AWS services which can be set as a shard consumer in a Kinesis Data Stream.

A

1) AWS Lambda
2) Kinesis Data Firehose
3) Kinesis Data Analytics

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is an Amazon S3 event notification? List 4 different AWS services which can be used as target destinations.

A

The Amazon S3 event notification feature enables AWS services to receive notifications when certain API calls are made and events are triggered in an S3 bucket (Ex: object creation). To enable notifications, you must first add a notification configuration which identifies the events you want Amazon S3 to publish and the destination where you want Amazon S3 to send the notifications. To send S3 event notifications from a single bucket to multiple destinations, a separate event notification must be configured for each destination.

Amazon S3 supports the following event destinations:

SNS Topics (not FIFO)
SQS Queues (not FIFO)
AWS Lambda Functions
Amazon EventBridge

-Note that each AWS service which receives S3 event notifications must have a resource policy attached allowing access from the S3 bucket.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is object key name filtering and how is it used when configuring S3 event notifications?

A

Object key name filtering allows S3 event notifications to be configured which only send event notifications related to objects whose key names (prefix or suffix) match a particular filtering condition. Ex: only sending notifications originating from objects with a particular file extension (*.jpg).

Note that when configuring an S3 bucket to send event notifications to Amazon EventBridge, any/all events generated will be delivered to EventBridge. It is not possible to limit or filter which events are sent by either event type (Ex: S3:ObjectCreated) or using object key name filtering.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Describe the AWS Glue service.

A

AWS Glue is a managed service for performing extract, transform, and load (ETL) operations using a serverless architecture and is commonly used to transform data in preparation for data analytics.

Ex: a Glue job could involve loading data from an S3 bucket or RDS DB, transforming it using a Lambda function, then loading into a RedShift Data Warehouse.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Which AWS service can be used to convert data into the Apach Parquet or ORC file formats and why is this beneficial?

A

The AWS Glue service can be used to convert file formats (Ex: csv) into the ORC/Parquet formats. These are both columnar file formats for efficient data storage and retrieval. This is useful when employing AWS services such as Amazon Athena, which improves performance and saves costs by reducing the amount of data scanned during an SQL query.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Describe an AWS architecture which can be used to automatically trigger a Glue job after uploading a file to an S3 bucket.

A

One architecture could involve using S3 event notifications triggered on object creation events and attached to either a Lambda function or Amazon EventBridge. This in turn could be used to trigger a Glue job on the S3 object which might transform the file and push it to another destination.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What are Glue job bookmarks?

A

AWS Glue tracks data which has already been processed during a previous run of an ETL job by persisting information from the job run, known as a job bookmark. This helps AWS Glue maintain state information and prevent the reprocessing of old data.

With job bookmarks, you can process new data when rerunning on a scheduled interval. Ex: an ETL job might read only new partitions in an Amazon S3 file. AWS Glue tracks which partitions the job has processed successfully to prevent duplicate processing and duplicate data in the job’s target data store.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

List 3 types of data sources which can be tracked using a Glue job bookmark.

A

Glue job bookmarks are implemented for: JDBC data sources, the Relationalize transform, and S3 buckets.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Describe the Amazon SageMaker service.

A

Amazon SageMaker is a managed service used to simplify the process of building and training machine-learning models for data scientists in a serverless fashion.

SageMaker can automate many common ML tasks, including: data labeling, ML model building, training, and deployment. This is all done using training data provided by the data scientist.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What AWS service should be used when you’d like to analyze data stored in an S3 bucket using serverless SQL?

A

Amazon Athena.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What are the advantages of launching EC2 instances using dedicated hardware?

A

Dedicated hosts and dedicated instances are EC2 purchasing options which are useful for companies which have strict regulatory/compliance requirements or software licenses which demand dedicated hardware. This can include legal requirements such as HIPPA which require dedicated infrastructure for storing patient information. EC2 instances launched using dedicated hardware do not share their physical resources with any other AWS accounts.

Dedicated purchasing options are also useful for software with complicated licensing models (BYOL - Bring Your Own License).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What are the differences between the dedicated host and dedicated instance options when launching an EC2 instance?

A

Dedicated Instances are Amazon EC2 instances which run on hardware dedicated to a single customer. Dedicated Instances may share hardware with other instances from the same AWS account that are not Dedicated Instances.

With Dedicated Hosts, the entire physical server is reserved for a single AWS account. It does not change, it’s always the same physical machine for as long as you are paying. As soon as you ‘allocate’ a Dedicated Host, you start paying for the entire host.

A host computer is very large. In fact, it is the size of the largest instance of the selected family, but can be divided-up into smaller instances of the same family. (“You can run any number of instances up to the core capacity associated with the host.”)

Any instances that run on that Host are not charged, since you are already being billed for the Host. That is why a Dedicated Host is more expensive than a Dedicated Instance – the charge is for the whole host.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What are the minimum and maximum retention periods for messages stored in an SQS queue? What is the default retention period?

A

The default retention period for messages stored in an SQS queue is 4 days. The min/max ranges are between 1 min. and 14 days.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What are the minimum and maximum sizes (in KB) allowed when submitting messages to an SQS queue?

A

1-256 KB.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

How many messages can be stored simultaneously in an SQS message queue?

A

A single SQS message queue can contain an unlimited number of messages. However, there is a limit on the # of in-flight messages allowed for both standard and FIFO queues.

Messages are in-flight after they have been received from the queue by a consuming component, but have not yet been deleted from the queue. However, there is a limit of 120,000 messages for the number of in-flight messages for a standard queue and 20,000 messages for a FIFO queue.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

An IAM user successfully creates a Route 53 CNAME record for a domain called ‘www.example.com’ but when trying to create a similar record for ‘example.com’, the request failed. Why is this?

A

‘example.com’ is an example of a second-level domain (SLD) also known as a Zone Apex. It is not possible to create CNAME records for either TLD’s or SLD’s.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What is a Route 53 hosted zone? What are the two types of hosted zones available in AWS?

A

A Route 53 hosted zone is a container for records which define how to route traffic for a particular domain and any of its subdomains. Hosted zones come in two varieties: public and private.

Public hosted zones contain records specifying how to route traffic over the internet (Ex: www.google.com). Public hosted zones connect public domain names (which must be purchased) to public IP addresses.

Private hosted zones instead contain records specifying how to route traffic within one or more VPC’s. Private hosted zones connect private domain names to private IP addresses.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What is the default TTL for records returned in Route 53 DNS queries?

A

300 seconds.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
What is an **NS record**?
NS stands for ‘nameserver,’ and **the nameserver record indicates which DNS server is authoritative for that domain** (i.e. which server contains the actual DNS records). Basically, NS records tell the Internet where to go to find out a domain's IP address.
26
What are the difference between **CNAME records** and **Alias records** when resolving DNS queries in **Route 53**?
**CNAME** records are used to redirect a hostname to any other hostname (Ex: www.google.com -> google.com). The client will then perform a subsequent DNS query using the value from the CNAME record to obtain the IP address for routing traffic. Note that **a CNAME record cannot be used to route the root domain to a subdomain** (Ex: google.com -> www.google.com). **Alias records are unique to the Route 53 service and are used to redirect a hostname to an AWS resource**. Unlike CNAME records, alias records **can** be used to route a root domain to a subdomain. Aliases are also **free of charge and have a built-in health check**.
27
List 8 **valid AWS resource targets** which can be set as the value of an **Alias record**. Which AWS service/resource is a notable exception?
Valid **Alias record** targets include: 1) Elastic Load Balancers 2) CloudFront Distributions 3) API Gateway 4) Elastic Beanstalk Environments 5) S3 Static Websites 6) VPC Interface Endpoints 7) Global Accelerator 8) Any other Route 53 record in the same hosted zone. **Note that EC2 instances cannot be set as the value of an Alias record in Route 53**.
28
List 8 different **routing policies** which can be applied to a **hosted zone** in **Route 53**.
1) Simple 2) Weighted 3) Latency 4) Failover 5) Geolocation 6) Geoproximity 7) IP-based 8) Multi-Value
29
Describe the **simple routing policy** in **Route 53**. What happens if there are **multiple values** attached to the **same DNS record**?
Most common routing policy employed in **Route 53**. The simple routing policy is used to route traffic to a **single destination**. Note that simple routing is **not compatible with AWS Health Checks**. It is possible for a DNS record to contain multiple values (Ex: an A-record with multiple IP addresses listed). If this is the case, in simple routing the **client machine** will **randomly** select one of the values contained in the record to use as a destination for traffic.
30
Describe the **weighted routing policy** in **Route 53**. What are some use cases where it may be employed?
Weighted routing is used **to control what % of incoming traffic is routed to a particular destination** by assigning relative weights to DNS records with the same record name. The **relative weights of Route 53 records with the same name** will be used to determine which record is returned to clients in a DNS query. Unlike simple routing policies, weighted routing **can be associated with AWS Health Checks**. Use cases for weighted routing include: load balancing traffic between different AWS regions. testing new application versions by sending a small % of traffic.
31
Describe the **latency-based routing policy** in **Route 53**.
**Latency-based routing policies** route traffic to destinations which have the **lowest possible latency**. This is useful when latency is a significant factor impacting user experience/performance. Latency is **measured by the amount of traffic between users and destination AWS Regions**. Ex: users in Germany might have their traffic directed to a different AWS Region than users in the U.S.
32
Describe the **failover routing policy** in **Route 53**.
**Failover routing policies** associate each destination with a **health check defined in Route 53**. If the primary destination passes the health check, then **Route 53** will return the DNS record associated with the primary destination. If the primary destination fails the health check, then **Route 53** will instead return the DNS record for a secondary destination.
33
Describe the **geolocation routing policy** in **Route 53**. With what geographic precision can the routing policy be defined?
**Geolocation-based routing policies** are used to route users to target destinations **based on their geophysical location**. Geolocation for routing can be specified at the **continent, country, or U.S. state levels**. With **geolocation-based routing**, there is typically a **default record** set which is returned by **Route 53** if the user's geolocation does not match any of the other records.
34
Describe the **geoproximity routing policy** in **Route 53**.
**Geoproximity routing policies** are used to route users **based on the geographic distance between users and destination resources specified in their DNS records**. This automatically routes users to the closest geographic location by default. However, a **bias value** can be applied to each DNS record, either positive (1-99) or negative (-1 to -99), in order to change the weight given to a particular resource/DNS record. Geoproximity routing can be thought of as a combination of **geolocation routing** and **weighted routing** policies. Note that the **Route 53 Traffic Flow advanced feature** must be enabled to use this routing policy.
35
Describe the **IP-based routing policy** in **Route 53**.
**IP-based routing** routes users to different target destinations **based on the IP address of the client**. Each **Route 53** DNS record can be associated with a **CIDR Block** defining which client IP addresses should be routed to a particular endpoint/destination. This can be used to, for example, route end users to a particular endpoint based on their Internet Service Provider (ISP).
36
Describe the **Multi-Value routing policy** in **Route 53**.
**Multi-Value routing** is used to return **multiple records to a client during a DNS query**. Up to **8 healthy records** can be returned for each multi-value query. The client will then **randomly** determine which destination to send subsequent requests to. Note that, unlike simple routing, **Multi-Value routing policies can be associated with Route 53 health checks** and are a better solution when multiple desinations should be returned in a DNS query.
37
Describe the **Amazon FSx** service in AWS. List 4 different types of resources which can be launched using the service.
**Amazon FSx** is a fully managed service for **launching 3rd party high-performance files systems on AWS**. Files systems which can be launched on **Amazon FSx** include: 1) Windows File Server 2) Lustre 3) NetApp ONTAP 4) OpenZFS
38
Describe the **Amazon FSx for Lustre** file system.
**Lustre == 'Linux Cluster'**. Lustre is a high-performance, **parallel distributed file system** for large-scale computing. It is used for **workloads such as machine learning, high-performance computing (HPC)**, video processing, and financial modeling. Lustre can be accessed from on-premise servers using either **VPN or Direct Connect**. The open-source Lustre file system is designed for applications which require fast storage – where you want your storage to keep up with your compute. **FSx for Lustre integrates with Amazon S3**, making it easy to process data sets with the Lustre file system. When linked to an S3 bucket, an FSx for Lustre file system transparently **presents S3 objects as files** and allows you to **write changed data back to S3**.
39
Describe **3 technical specifications** of the **Amazon FSx for Lustre** file system.
**Lustre** supports: up to 100s GB/sec. millions of IOPS. sub-ms latencies for read/write operations.
40
Describe the **Amazon FSx for Windows File Server** file system.
**FSx for Windows File Server** is a fully managed, Windows file system **shared drive**. It supports the **SMB & Windows NTFS protocols** and has **Microsoft Active Directory integration**. **FSx for Windows File Server** also supports Microsoft's Distributed File System (DFS) Namespaces. **FSx for Windows File Server** can be accessed from on-premise servers using either **VPN or Direct Connect**. It also can be configured for Multi-AZ and **data is backed up daily to an S3 bucket**. Note that **FSx for Windows File Server can be mounted on Linux EC2 instances**.
41
Describe **3 technical specifications** of the **Amazon FSx for Windows File Server** file system.
**Windows File Server** supports: up to 10s GB/sec. millions of IOPS. 100s PB's of data.
42
Describe the **AWS Transfer Family** service.
**AWS Transfer Family** is a managed AWS service which is used to read/write files into **Amazon S3 or Amazon EFS** using the **FTP or FTPS** protocols rather than the standard AWS API's for interacting with S3/EFS. **AWS Transfer Family** supports integration with authentication systems such as **Microsoft Active Directory, LDAP, and Amazon Cognito**. Accounts are **billed per provisioned endpoint per hour + the amount of data transferred in GB**.
43
Describe the **AWS Storage Gateway** service. List the **4 different types** of the Storage Gateway service.
**AWS Storage Gateway** is an AWS service which is used to enable **hybrid cloud architectures** where some infrastructure exists in the cloud and other parts of the infrastructure remain on-premises. This can be useful for applications such as: **exposing S3 bucket data (or other AWS cloud-native storage options) on-premises**. Different types of **AWS Storage Gateways** include: 1) S3 File Gateway 2) FSx File Gateway 3) Volume Gateway 4) Tape Gateway
44
Describe the **Amazon S3 File Gateway** service.
**Amazon S3 File Gateway** is a service which is used to **make S3 bucket objects accessible using the SMB and NFS protocols**. Files/objects accessed recently will be cached in the gateway application, for subsequent rapid access. **Amazon S3 File Gateway** supports storing/retrieving files in any of the S3 storage tiers **except Glacier**, although files can be **transitioned into S3 Glacier using a Lifecycle Policy**. Additionally, **S3 Gateways** using the **SMB protocol** can be integrated with **Active Directory (AD) for user authentication**.
45
Describe the **Amazon FSx File Gateway** service.
**Amazon FSx File Gateway** is used to enable **native access to Amazon FSx File Server for Windows clients**. Clients can communicate through **File Gateway** using **SMB** and **NTFS** protocols and it supports **integration with Active Directory**. **Amazon FSx File Gateway** is useful for **group file shares** and supports **caching of frequently accessed** data.
46
Describe the **Amazon Volume Gateway** service.
**Amazon Volume Gateway** is a service which stores on-premise data in **Amazon S3** using the **iCSI protocol** to communicate between application servers/Volume Gateway. Data stored in **S3** is **backed up regularly using EBS snapshots. Amazon Volume Gateway** operates in two modes: **cached volumes** and **stored volumes**. In the **cached Volume Gateway mode**, your primary data is stored in **Amazon S3**, while retaining your frequently accessed data locally in the cache for low latency access. In the **stored Volume Gateway mode**, your primary data is stored locally and your entire dataset is available for low latency access on premises while also asynchronously getting backed up to **Amazon S3**.
47
What **URL endpoint** can be called from **within an EC2 instance** to retrieve information about its **public IP address**?
http://169.254.169.254/latest/meta-data/public-ipv4
48
List 3 different **placement group strategies** for **EC2 instances** in AWS.
1) Cluster 2) Spread 3) Partition
49
Describe the **spread placement group** strategy.
The **spread placement group** strategy is intended for **mission-critical applications** where **EC2 instances** are distributed across as many physical servers as possible.. Within a single placement group, a **maximum of 7 instances** can be launched **per AZ**.
50
Describe the **cluster placement group** strategy.
The **cluster placement group** strategy is intended for **HPC or high-performance applications** by placing all **EC2 instances** in close proximity on the **same physical server in the same AZ**. This significantly reduces network latency/communication between **EC2 instances** allowing up to **10 GB/s bandwidth**.
51
Describe the **partition placement group** strategy.
The **partition placement group** strategy can be thought of as a combination of the **cluster and spread placement group strategies**. The user has the ability to specify **up to 7 partitions per AZ** where each partition **represents a separate physical server**. Users can then **add up to hundreds of EC2 instances to each partition**, combining the benefits of high-performance/network throughput among **EC2 instances** within a single partition with the benefits of maximum availability.
52
How many **records** can be ingested into a **Kinesis Data Stream** using a single **PutRequest API call**? What is th **maximum size** of each data record?
500 records per request. Each record can be up to 1 MB in size.
53
What is an **AWS-owned Customer Master Key (CMK)**?
**AWS-owned CMKs are a collection of CMKs that an AWS service owns and manages for use in multiple AWS accounts**. Although AWS owned CMKs are not in your AWS account, an AWS service can use its AWS owned CMKs to protect the resources in your account. You do not need to create or manage the **AWS owned CMKs. However, you cannot view, use, track, or audit them**. You are not charged a monthly fee or usage fee for AWS owned CMKs and they do not count against the AWS KMS quotas for your account. The **key rotation strategy** for an AWS owned CMK is **determined by the AWS service** that creates and manages the CMK.
54
True/False: rebooting an **EC2 instance** will delete data stored on an **instance store volume**?
**False**. Only stopping, hibernating, or terminating an **EC2 instance** will delete the data stored on an **instance store volume**.
55
What is a **dead letter SQS queue**?
**Dead-letter queues** can be used by other queues (source queues) as a target for **messages that can't be processed (consumed) successfully**. Dead-letter queues are **useful for debugging your application or messaging system** because they let you **isolate problematic messages** to determine why their processing doesn't succeed. The **redrive** policy specifies the source queue, the dead-letter queue, and the conditions under which Amazon SQS moves messages from the former to the latter if the consumer of the source queue fails to process a message a specified number of times. The **maxReceiveCount is the number of times a consumer tries receiving a message from a queue** without deleting it before being moved to the dead-letter queue.
56
Describe the **Amazon Inspector** service.
**Amazon Inspector** automatically discovers workloads, such as Amazon EC2 instances, containers, and Lambda functions, and **scans them for software vulnerabilities and unintended network exposure**. **Amazon Inspector** is used to **test the network accessibility of your Amazon EC2 instances** and the security state of your applications running on the instances.
57
Describe the **AWS Firewall Manager** service.
**AWS Firewall Manager** is a security management service which allows you to **centrally configure and manage firewall rules across your accounts and applications in AWS Organization**. As new applications are created, **AWS Firewall Manager** makes it easy to bring new applications and resources into compliance by **enforcing a common set of security rules**, using a single service to build firewall rules, create security policies, and enforce them in a consistent, hierarchical manner across your entire infrastructure.
58
List **5 different services** which **AWS Firewall Manager** can use for enforcing security constraints. List one prominent resource which **AWS Firewall Manager** cannot configure rules for.
1) AWS WAF Rules 2) AWS Shield Advanced Protections 3) VPC Security Groups 4) AWS Network Firewalls 5) Route 53 DNS Firewall Rules Note that **NACL rules** cannot be configured using **AWS Firewall Manager**.
59
List **3 different resources** which **AWS Firewall Manager** rules can be applied to.
1) Application Load Balancers 2) API Gateways 3) CloudFront Distributions
60
Which AWS service is commonly used to block unauthorized activity related to **cryptocurrency mining** in a user's AWS account?
**Amazon GuardDuty**. The service is commonly used to **detect Amazon EC2 instances querying IP addresses** associated with the **cryptocurrency-related activity**, informing you whether **EC2 instances** in your account are querying a domain name that is associated with Bitcoin or other cryptocurrency-related activity.
61
Describe the **Amazon GuardDuty** service.
**Amazon GuardDuty** continuously monitors for malicious or unauthorized behavior to help **protect your AWS resources**, including your AWS accounts and access keys. **Amazon GuardDuty** identifies any unusual or unauthorized activity, like cryptocurrency mining or infrastructure deployments in a region that has never been used. **Powered by threat intelligence and machine learning**, GuardDuty is continuously evolving to help you protect your AWS environment.
62
What are the **3 sources of input data** which **Amazon GuardDuty** will use in assessing potential security threats?
1) VPC Flow Logs 2) CloudTrail Event Logs 3) DNS Logs
63
What is a **bastion host**?
A **bastion host** is a server whose purpose is to **provide access to a private network from an external network**, such as the Internet. The bastion host **runs on an Amazon EC2 instance** that is typically **in a public subnet of your Amazon VPC**. Other EC2 instances can be in a subnet that is not publicly accessible, and they are set up with a security group that **allows SSH access from the security group attached to the underlying EC2 instance running the bastion host**.
64
What is **AWS Site-to-Site VPN**?
**AWS Site-to-Site VPN** is a service which is used to enable **resources in an AWS VPC to communicate securely with your on-premise network**. You can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection, and **configuring routing to pass traffic through the connection**. A VPN connection refers to the connection between your VPC and your own on-premises network. A Site-to-Site VPN connection offers **two VPN tunnels** between a **virtual private gateway** or a **transit gateway** on the AWS side, and a **customer gateway** (which represents a VPN device) on the remote (on-premises) side.
65
What is **AWS Direct Connect**?
**AWS Direct Connect** is a network service that **provides an alternative to using the Internet to utilize AWS cloud services**. This uses a private connection to access a VPC from a private network and will be **exposed as a AWS PrivateLink interface VPC endpoint**. AWS Direct Connect enables customers to have low latency, secure and **private connections to AWS for workloads that require higher speed or lower latency than the internet**. A Dedicated Connection is made through a 1 Gbps, 10 Gbps, or 100 Gbps Ethernet port dedicated to a single customer. Note that **AWS Direct Connect takes about a month to provision** the connection.
66
What is **Availability Zone rebalancing**? Describe the process in-depth.
**Amazon EC2 Auto Scaling helps ensure that you have the correct number of Amazon EC2 instances** available to handle the load for your application. You create collections of EC2 instances, called Auto Scaling groups. You can specify the minimum number of instances in each Auto Scaling group, and **Amazon EC2 Auto Scaling ensures that your group never goes below this size**. Actions such as **changing the Availability Zones for your group** or **explicitly terminating** or **detaching instances** can lead to the Auto Scaling group becoming unbalanced between Availability Zones. **Amazon EC2 Auto Scaling compensates by rebalancing the Availability Zones**. When rebalancing, **Amazon EC2 Auto Scaling launches new instances before terminating the old ones**, so that rebalancing does not compromise the performance or availability of your application.
67
What happens when files are uploaded to **Amazon S3** using the **SSE-S3** encryption scheme?
**Amazon S3 encrypts your data at the object level as it writes it to disk** in its data centers and decrypts it for you when you access it. When you use server-side encryption with **Amazon S3** managed keys (SSE-S3), **each object is encrypted with a unique key**. As an additional safeguard, it encrypts the key itself with a root key that it regularly rotates. **Note: Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3**. Starting January 5, 2023, all new object uploads to Amazon S3 will be automatically encrypted at **no additional cost** and with **no impact on performance**.
68
Describe **two tools** which can be used to **restrict access to CloudFront distributions** to only approved users.
To securely serve private content for a **CloudFront distribution**, there are **two options**: 1) CloudFront-signed URLs 2) CloudFront-signed Cookies Both methods are commonly used in **web applications** where administrators would like to **restrict content access to only approved users**, such as through subscription fees. If the application approves access, then the user will be provided with the URL/cookie in order to access the desired content through their web browser.
69
Describe the two different **throughput modes** available when deploying **EFS file systems** in AWS.
**EFS file systems** support two throughput modes: 1) Provisioned Throughput Mode 2) Bursting Throughput Mode **Provisioned Throughput mode** is available for applications with high throughput to storage (MiB/s per TiB) ratios. This is useful when the **amount of data in your file system is low relative to throughput demands**. Your file system can now get the high levels of throughput your applications require **without having to pad your file system**. With **Bursting Throughput mode**, a file system's throughput **scales as the amount of data stored in the standard storage class grows**.
70
Describe a method for preventing an **EBS root volume** from being deleted **without stopping the EC2 instance to which it is attached**.
Set the **DeleteOnTermination** attribute to False for the target **EC2 instance** using the command line. Note that this attribute **cannot be modified** from the **AWS Management Console** except when the instance is first created.
71
Which **in-memory database service** in AWS supports **multi-threaded architectures**?
**Amazon ElastiCache for Memcached**.
72
Which **two settings** in a **VPC** need to be enabled to perform DNS resolution using a **Route 53 private hosted zone**?
1) enableDnsHostnames 2) enableDnsSupport
73
What is an **Amazon SQS delay queue**?
**Delay queues let you postpone the delivery of new messages to a queue** for a number of seconds, for example, when your **consumer application needs additional time to process messages**. If you create a delay queue, any messages that you send to the queue remain invisible to consumers for the duration of the delay period. The default (minimum) delay for a queue is 0 seconds. The maximum is 15 minutes.
74
What is an **Amazon SQS temporary queue**?
**Temporary queues** help to save development time and deployment costs when using common message patterns such as **request-response**. You can use the Temporary Queue Client **to create high-throughput, cost-effective, application-managed temporary queues**.
75
What **S3 feature** can be used to read **only the first 250 bytes** for an object (file) **stored in an S3 bucket**?
**S3 Byte Range Fetch**.
76
What is the **maximum amount of data** which can be submitted to a **Kinesis Data Stream** in a **single message**?
1 MB.
77
What are the **data ingestion limits** of **Kinesis Data Streams** when receiving data from **producer applications**?
**Kinesis Data Streams** can handle up to **1 MB/sec per shard** or **1,000 messages/sec per shard** from producers.
78
What are the **data ingestion limits** of **Kinesis Data Streams** when sending data to **consumer applications**?
**Kinesis Data Streams** can send up to **2 MB/sec per shard** across **all consumers**. Or alternatively, if running in **enhanced mode** then each **Kinesis Data Stream** can send up to **2MB/sec per shard per consumer**.
79
Describe the **Amazon Transcribe** service.
**Amazon Transcribe** is an automatic speech recognition (ASR) service that makes it easy to **convert audio to text**. One key feature of the service is called speaker identification, which you can use to label each individual speaker when transcribing multi-speaker audio files. You can specify Amazon Transcribe to identify 2–10 speakers in the audio clip.
80
True or False: **dedicated instances** are compatible with **Bring Your Own License (BYOL)** applications.
False. Only **EC2 instances** launched on **dedicated hosts** are compatible with **BYOL**.
81
Describe the **AWS DataSync** service.
**AWS DataSync** is an online data transfer service that simplifies, automates, and **accelerates copying large amounts of data between on-premises storage systems and AWS Storage services**, as well as between AWS Storage services. Using task scheduling in **AWS DataSync**, you can **periodically execute a transfer task** at a given interval. You can use **AWS DataSync** to migrate data located on-premises, at the edge, or in other clouds to Amazon S3, Amazon EFS, Amazon FSx for Windows File Server, Amazon FSx for Lustre, Amazon FSx for OpenZFS, and Amazon FSx for NetApp ONTAP.
82
Describe the **AWS Resource Access Manager (RAM)** service.
**AWS Resource Access Manager** is a service which enables you to easily and securely **share AWS resources with any AWS account or within your AWS Organization**. **Sharable resources include: AWS Transit Gateways, Subnets**, AWS License Manager configurations, and Amazon Route 53 Resolver rules resources with RAM. RAM **eliminates the need to create duplicate resources in multiple accounts**, reducing the operational overhead of managing those resources in every single account you own. You can create resources centrally in a multi-account environment, and use RAM to share those resources across accounts in **three simple steps: create a Resource Share, specify resources, and specify accounts**. RAM is available to you at no additional charge.
83
Which **http header** must be included in the **s3:PutObject API call** when **uploading files to an S3 bucket** while **server-side encryption (SSE)** is required?
**x-amz-server-side-encryption**. This header is **required** if the S3 bucket has a bucket policy enforcing SSE.
84
True or false: a single-region **KMS key** can be converted into a multi-region **KMS key**.
False.
85
True or false: **EC2 instances** configured with **instance store** storage at launch can be recovered automatically using a **CloudWatch Alarm**.
False. Only **EC2 instances** with **EBS Root Volumes** can be configured for **automatic recovery**.
86
Describe the **Amazon Aurora Serverless** service.
**Amazon Aurora Serverless** is an on-demand, auto-scaling configuration for **Amazon Aurora** where the **database will automatically start-up, shut down, and scale capacity up or down based on your application's needs**. It enables you to run your **database in the cloud without managing any database instances**. It's a simple, cost-effective option for infrequent, intermittent, or **unpredictable workloads**. You pay on a per-second basis for the database capacity you use when the database is active and **can migrate between standard and serverless configurations with a few clicks in the Amazon RDS Management Console**.
87
What is a **CloudFormation** template?
A **CloudFormation template** is a JSON or YAML-format, text-based file that **describes all the AWS resources you need to deploy to run your application**. A template acts as a blueprint for a stack.
88
What is a **CloudFormation** stack?
A **CloudFormation stack** is a **set of AWS resources that are created and managed as a single unit** when AWS CloudFormation instantiates a template.
89
What is a **CloudFormation stack set**?
A **CloudFormation Stack Set** lets you create stacks in AWS accounts across regions by **using a single AWS CloudFormation template**. Using an **administrator account** of an **AWS Organization**, you define and manage an AWS CloudFormation template, and **use the template as the basis for provisioning stacks into selected target accounts** of an **AWS Organization** across specified regions.
90
When should **S3 Transfer Acceleration** be used over **CloudFront's PUT/POST methods** for uploading data to an **S3 bucket**?
**S3 Transfer Acceleration** optimizes the TCP protocol and adds additional intelligence between the client and the **S3 bucket**, making **S3 Transfer Acceleration** a better choice if a higher throughput is desired. If you have **objects smaller than 1 GB**, you should consider using **Amazon CloudFront's PUT/POST commands for optimal performance**.
91
Describe the **3 different tenancy values** which can be assigned to an **EC2 instance**.
1) Default: the **EC2 instance** runs on shared hardware. 2) Dedicated: the **EC2 instance** runs on single-tenant hardware. 3) Host: the **EC2 instanc** runs on an isolated server with configurations you can control. Note that **EC2 instances** deployed with **dedicated or host tenancy cannot be switched to shared hardware after startup**.
92
What is an **AZ ID**?
**AWS maps the physical Availability Zones randomly to the Availability Zone names for each AWS account**. This approach helps to distribute resources across the Availability Zones in an **AWS Region**, instead of resources likely being concentrated in Availability Zone "a" for each Region. As a result, **the Availability Zone us-east-1a for your AWS account might not represent the same physical location as us-east-1a for a different AWS account**. An **AZ ID is a unique and consistent identifier for an Availability Zone** across all AWS accounts. For example, **use1-az1** is an AZ ID for an Availability Zone in the us-east-1 Region and it **represents the same physical location in every AWS account**.
93
Describe the **AWS Compute Optimizer** service.
**AWS Compute Optimizer** recommends **optimal AWS Compute resources for your workloads to reduce costs and improve performance** by using machine learning to analyze historical utilization metrics. Over-provisioning compute (**Amazon EC2 and ASGs**) can lead to unnecessary infrastructure cost and under-provisioning compute can lead to poor application performance. Compute Optimizer helps you **choose the optimal Amazon EC2 instance types**, including those that are part of an Amazon EC2 Auto Scaling group, based on your utilization data.
94
Describe the **AWS Cost Explorer** service.
**AWS Cost Explorer** is a tool that enables you to view and **analyze your costs and usage**. You can explore your usage and costs using the main graph, the Cost Explorer cost and usage reports, or the Cost Explorer RI reports. You can **view data for up to the last 12 months**, forecast how much you're likely to spend for the next 12 months, and get **recommendations** for what Reserved Instances to purchase. You can use Cost Explorer to identify areas that need further inquiry and see **trends that you can use to understand your costs**.
95
True or False: data stored on an **EC2 instance store** will persist if the instance is **stopped, hibernated, or terminated**.
False. Data stored on an **EC2 instance store** will only persist if the instance is **rebooted**. Additionally, instance store volumes are **attached only at instance launch**. You can't attach instance store volumes after launch. You can’t detach an instance store volume from one instance and attach it to a different instance.
96
True or False: it is possible to modify the type or size of an **EC2 instance** after it is launched.
True. However, the instance must first be stopped **before** its size/type can be modified.
97
What is an **Elastic Fabric Adaptor (EFA)** device?
**An Elastic Fabric Adapter (EFA) is a network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications**. EFA enables you to achieve the application performance of an on-premises HPC cluster, with the scalability, flexibility, and elasticity provided by the AWS Cloud. EFAs provide lower and more consistent latency and higher throughput than the TCP transport traditionally used in cloud-based HPC systems. It **enhances the performance of inter-instance communication** that is critical for **scaling HPC** and machine learning applications. It is optimized to work on the existing AWS network infrastructure and it can scale depending on application requirements.
98
How many **VPC's** are allowed **per AWS Region**?
5, maximum.
99
How many **CIDR Block Ranges** are allowed **per AWS VPC** and what are the minimum/maximum # of IP addresses allowed **per block range**?
Each **VPC** may have **up to 5 CID Block Ranges** defined and each block may contain **between 16 - 65,536 IP addresses**.
100
Which IP addresses are **reserved by AWS** when defining a **new subnet within a VPC**?
AWS reserves the **first 4 and last IP address** defined within a subnet's CIDR Block Range. These are used for hosts such as: the VPC router, AWS-provided DNS server, etc.
101
What is the default timeout for **messages polled** inside an **SQS queue**?
30 seconds.
102
List 6 different types of **subscribers** which can receive **event notifications** from an **SNS queue**.
1) Email Address 2) Phone via SMS 3) Lambda Function 4) SQS Queue 5) Kinesis Data Firehose 6) Any custom HTTP (S) Endpoint
103
What is the **only valid type of subscription** which can act as a recipient of **event notifications** from an **SNS FIFO queue**?
**SQS FIFO Queues**.
104
Describe **two AWS services** which integrate with **Cognito User Pools**.
1) API Gateway 2) Application Load Balancers
105
What path under the **SSM Parameter Store** can be used to access **credentials** stored in **AWS Secrets Manager**?
/aws/reference/secretsmanager/secret_ID_in_Secrets_Manager
106
What is a **parameter policy** in the **SSM Parameter Store** service?
A **parameter policy**, only available as an advanced/pay for feature in **SSM Parameter Store**, allows a **TTL** (expiration date) to be **assigned to a parameter stored on AWS** which will force users to **update/delete the parameter to which the TTL has been assigned**. This in turn **can be passed as a notification in EventBridge** to let users know that a password/parameter will **soon expire** and needs to be updated.
107
What is **AWS WAF**? What **resources** can the service be deployed with (**5 total**)?
WAF == 'Web Application Firewall'. WAF is a **service for protecting web-based applications from common exploits performed over HTTP (layer 7)** using access control lists (ACL's). WAF can be deployed on any of the following resources **located in the same region:** -CloudFront (Global) -API Gateway -Cognito User Pool -AWS App Runner -Application Load Balancrs
108
List **4 different features of WAF** and how they are used to **protect against common web exploits**.
1) Scans against HTTP headers, bodies, and URI strings to protect against SQL Injection + Cross-Site Scripting (XSS) attacks. 2) Size constraints for blocking large request packets. 3) Geo-matching constraints for restricting specific countries. 3) Rate-based rules for counting request frequency (DDos Protection).
109
What is a **Web ACL**? What is a **rule group**? What is the default **WAF** action (allow/block) for incoming requests over http?
**Web ACL == 'Web Access Control List'** which is a set of rules used to determine what traffic is allowed/blocked for AWS resources on which a WAF has been deployed. WAF **can be configured to either allow or block all incoming traffic** for which a rule has not been explicitly defined. A rule group is a reusable set of pre-defined rules which can be attached to multiple Web ACL's simultaneously.
110
Compare the costs (in GB) of sending data **between EC2 instances** located: in the same AZ, in different AZ's, and in different **AWS Regions**.
1) Data transfer between **EC2 instances** located in the **same AZ is free, when using private IP addresses**. 2) Data transfer between **EC2 instances** located in **different AZ's costs $0.01/GB if using private IP addresses**. 3) Data transfer between **EC2 instances** located in **different AWS Regions costs $0.02/GB**. This is the same cost as sending any outbound traffic from an **EC2 instance** over the internet.
111
Describe the three different **AWS Directory Services** available in **AWS**.
1) **AWS Managed Microsoft AD**. Supports MFA. Can be used to create an Active Directory (AD) stored on AWS to manage users in the cloude. Can also establish a **trust connection** with an on-premise AD to proxy authentication requests. 2) **AD Connector**. Supports MFA. Acts as a **proxy, redirecting to an on-premise AD for user authentication**. 3) **Simple AD**. AD managed on AWS which **cannot be joined to an on-premise AD**.
112
Describe the naming convention used for **Amazon S3 website endpoints**.
1) http://bucket-name.s3-website-Region.amazonaws.com 2) http://bucket-name.s3-website.Region.amazonaws.com

AWS-SAA (5 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions