Solutions Architect - Associate

Question 1

What was the first AWS service and when was it lauched?

Answer 1

SQS, 2004

Question 2

What is a region?

Answer 2

Specific geography engineered for fault tolerance and high availability

Question 3

How many AZs are in each region (minimum)?

Answer 3

2

Question 4

What is an AZ?

Answer 4

Availability zone - specific DC with redundant power etc. Can be close but far enough away so local issues like flooding don’t affect multiple AZs

Question 5

What is an edge location?

Answer 5

Location specialised for caching content allowing faster upload/download from AWS

Question 6

Which services use edge locations?

Answer 6

CloudFront, S3 (accelerated transfer)

Question 7

Describe these IAM terms:
Users
Groups
Policies
Roles

Answer 7

Users - people/accounts
Groups - collection of users
Policies - JSON docs that define permissions
Roles - allows one part of AWS to do something with another (e.g. EC2 roles)

Question 8

Is IAM regional?

Answer 8

No, it’s global

Question 9

What permissions do new users have when created?

Answer 9

None

Question 10

What is the structure of a policy statement?

Answer 10

Effect (Allow), Action () and Resource ().

Question 11

What are AWS managed policies?

Answer 11

Read-only policies that AWS update when new features come out

Question 12

What sort of storage is S3?

Answer 12

Object-based

Question 13

What size files can be stored in S3?

Answer 13

0B to 5TB

Question 14

What’s the maximum storage size of a bucket?

Answer 14

Unlimited

Question 15

What’s the URL structure of an S3 bucket?

Answer 15

s3-.amazonaws.com/
s3.amazonaws.com/

.s3.amazonaws.com
.s3-.amazonaws.com

Question 16

What is the data consistency behaviour of S3?

Answer 16

Read after write consistency for PUTs of new objects

Eventual consistency for overwrite PUTs and DELETES

Question 17

What data is stored for each S3 object?

Answer 17

Key (name of object)
Value (sequence of bytes)
Version ID (for versioning)
Metadata (e.g. tags)

Subresources:
Access Control Lists
Torrent (not an exam topic)

Question 18

What are the SLAs for S3 standard?

Answer 18

Build for 99.99% availability

Guaranteed 99.9% availability

99.99999999999% durability for S3 information (11 x 9s)

Designed to sustain the loss of 2 facilities concurrently

Question 19

What’s the use case for S3-IA?

Answer 19

Data accessed less frequently but still requires rapid access - lower standard fee but charged a retrieval fee

Question 20

What’s the use case for S3 one zone?

Answer 20

Temporary or reproducible data - no multi-AZ resilience

Question 21

What is the use case of S3 RRS (reduced redundancy storage)?

Answer 21

Non-critical, reproducible data. Like S3 standard but only replicated in at least 3 AZs. Legacy now - cheaper to use S3 standard.

Question 22

What’s the SLA for S3 IA?

Answer 22

Availability is 99.0%, not 99.9% (but durability is the same)

Question 23

What is S3 intelligent tiering?

Answer 23

Changes tiers of objects depending on access behaviour to object

Question 24

What’s the minimum capacity charge and storage duration of IA tier in S3?

Answer 24

128KB and 30 days

Question 25

What is the first byte latency for all S3 tiers apart from Glacier?

Answer 25

Milliseconds

Question 26

What are the S3 charges?

Answer 26

Storage
Requests
Storage Management Pricing (object tagging, S3 inventory, S3 analytics storage class analysis)
Data transfer
Transfer acceleration

Question 27

What is S3 transfer acceleration?

Answer 27

Transfer of files over long distances using CloudFront edge locations - data routed over optimised netowrk path

Question 28

What are the rules for bucket names?

Answer 28

Between 3 and 63 characters - DNS compliant

Question 29

Is it possible to record object-level API activity?

Answer 29

Yes, for an additional cost in CloudTrail

Question 30

What are the 4 ways to encrypt data in S3?

Answer 30

Client side
Server side - S3 managed keys (SSE-S3)
Server side - KMD (SSE-KMS)
Server side - customer provided keys (SSE-C)

Question 31

What is the advantage of usig SSE-KMS over SSE-S3?

Answer 31

Separate permissions and auditing for key use

Question 32

Is it possible to disable S3 bucket versioning?

Answer 32

Once it’s enabled it can’t be disabled but it can be suspended

Question 33

What happens when you delete an object in a versioned S3 bucket?

Answer 33

Additional version created that is a delete marker

Question 34

How can you prevent accidental deletion of an S3 file in a versioned bucket?

Answer 34

MFA delete - can be configured via API

Question 35

Can S3 replication be used to replicate to a bucket within the same region?

Answer 35

No

Question 36

What happens to delete markers with S3 replication?

Answer 36

They are not replicated (idea is to prevent deleting backups of data). Previous config (V1) did allow delete markers to be replicated.

Question 37

Can you have multiple S3 replication rules?

Answer 37

Yes - each rule has a priority to determine what runs first

Question 38

How does S3 replication handle SSE encrypted objects?

Answer 38

Decrypts and then re-encrypts in destination bucket

Question 39

What is a potential risk of replicating encrypted objects using S3 replication?

Answer 39

KMS limits might be exceeded - an increase to these limits can be requested

Question 40

Can S3 replication be configured to replicate to another AWS account?

Answer 40

Yes - there’s an option to change ownership of objects to destination bucket account owner

Question 41

Which objects are copied as part of S3 replication?

Answer 41

New and changed objects - anything existing won’t be. Would have to use cli: aws s3 cp –recursive

Question 42

Can you daisy-chain S3 replicated buckets?

Answer 42

No

Question 43

Are actions performed by S3 lifecycle management replicated by S3 replication?

Answer 43

No

Question 44

What is S3 lifecycle management?

Answer 44

Used to transition objects to different storage classes, or expire objects (put delete marker in)

Can also clean up multipart uploads

Question 45

How can the scope of S3 lifecycle management be limited?

Answer 45

By prexifes or tags

Question 46

How is behaviour defined for S3 Lifecycle management (e.g. what can be defined and what are the limits)?

Answer 46

Behaviour can be defined for current and previous versions of object.

You define the desired storage tier and the number of days after object creation or when object became a previous version.

Current versions - min 30 days
Previous versions - min 1 day

Question 47

How can expiration and deletion be defined in S3 lifecycle management?

Answer 47

Expiration puts delete marker on the current object (min 31 days)

Can configure deletion of previous version (min 61 days)

Object delete markers clearup - when objects are expired, and previous versions deleted, current object will have delete marker. It clears these markers up. It can’t be set if rule has object expiry enabled.

Question 48

What types of origin are available for CloudFront?

Answer 48

S3, EC2, ELB, Route53, Some other non-AWS origin server

Question 49

What are the two types of CloudFront distribution?

Answer 49

Web Distribution

RTMP (real-time messaging protocol) - adobe flash media server

Question 50

How can you restrict bucket access so all requests must go via CloudFront?

Answer 50

Create an Origin Access Identity (essentially a new user with permission to call S3 bucket that is used by CloudFront)

Question 51

What is the default CloudFront TTL?

Answer 51

24h

Question 52

How could you restrict access to CloudFront data?

Answer 52

Signed URLs - can restrict by datetime, IP address rang etc.

Question 53

If a signed CloudFront URL expires while a download is in progress, does it still complete?

Answer 53

Yes - although for RTMP distributions, if user skips to another position in the media file (which triggers another play event) after expiry, CloudFront won’t serve the media file.

Question 54

Can WAF be used with CloudFront

Answer 54

Yes

Question 55

How do multiple origins work in CloudFormation, in terms of which origin is used?

Answer 55

Failover

Routing based on path (e.g. /images/*.jpg)

Question 56

Can geo-restrictions be used with CloudFront?

Answer 56

Yes - can whitelist or blacklist particular countries

Question 57

What is AWS storage gateway?

Answer 57

Virtual appliance installed into a hypervisor running in an on-premises DC, which async replicates data to S3 of glacier

Question 58

Which hypervisors does AWS storage gateway support?

Answer 58

VMware ESXi

Microsoft Hyper-V

Question 59

What are the 4 types of AWS storage gateway?

Answer 59

File gateway - NFS
Volumes gateway (stored volumes) - iSCSI (block-based storage - vHDD stored in S3 as EBS snapshots)
Volumes gateway (cached volumes) - iSCSI (block-based storage - only most recently accessed data stored on site - rest in AWS)
Tape gateway - VTL - virtual tapes sent to S3

Question 60

What are the 3 ways AWS storage gateway can communicate with S3/Glacier?

Answer 60

Direct connect
Internet
VPC

Question 61

What is iSCSI?

Answer 61

Pronounced “i-scuzzy” - internet small computer systems interface

Question 62

How does storage gateway: volume gateway work?

Answer 62

Data written to volumes is async backed up as point-in-time snapshot and stored in S3 as EBS snapshots

Snapshots are incremental (only changed blocks captured)

Snapshot storage is compressed

Question 63

What are the two types of volume gateway?

Answer 63

Stored volumes - low-latency access to all data on-prem with incremental backups to S3 (as EBS snapshots)

Cached volumes - S3 is primary data storage while retaining frequently accessed data locally in storage gateway

Question 64

What is the size range for volume gateway stored volumes?

Answer 64

1GB-16TB

Question 65

What is the size range for volume gateway cached volumes?

Answer 65

1GB-32TB

Question 66

What are the 3 types of snowball and the amount of data they can handle?

Answer 66

Snowball - 80TB

Snowball edge - 100TB - has compute capability (e.g. lambda on the edge)

Snowmobile - Peta/exo-byte

Question 67

How does S3 transfer acceleration work?

Answer 67

Uses CloudFront edge network to accelerate uploads to S3

Question 68

What is the URL format for S3 transfer acceleration?

Answer 68

.s3-accelerate.amazonaws.com

Question 69

What do you pay for when S3 versioning is enabled?

Answer 69

Each version of the object - so 10 versions of a 1GB object results in charges for 10GB

Question 70

What are the time limits for lifecycle transitions?

Answer 70

Standard -> IA = 30 days after created

IA -> Glacier = 30 days

Question 71

What is the default maximum number of S3 buckets per account?

Answer 71

100

Question 72

What is the maximum number of PUTs per second that S3 will allow?

Answer 72

3500

Question 73

What are the pricing options for EC2 instances?

Answer 73

On-demand: fixed rate per hour (windows) or minute (linux)

Reserved: 1-3 year contract, pay up to 100% up-front for maximum discount

Spot: bid price you want for instant capacity

Dedicated hosts - physical servers

Question 74

What is the use case for on-demand EC2 instances?

Answer 74

Need for flexibility
Short-term, spiky or unpredictable workloads that cannot be interrupted
Dev/test

Question 75

What is the use case for reserved EC2 instances?

Answer 75

Apps with steady/predictable usage

Apps that require reserved capacity

Question 76

What are the 3 types of reserved EC2 instance?

Answer 76

Standard RIs - up to 75% off on-demand price

Convertible RIs - up to 54% off - can change attributes providing creation of RIs of equal or greater value

Scheduled RIs - launch within time window you reserved on predictable recurring schedule

Question 77

What is the use case for spot EC2 instances?

Answer 77

Workloads that can be interrupted and with flexible start/end times
Workloads only feasible at very low compute prices (e.g. genomics)
Users with urgent need for large amounts of additional capacity

Question 78

When will you be charged for a terminated spot EC2 instance?

Answer 78

If you terminate, you’ll be charged for complete hour. If EC2 terminates, you won’t be charged

Question 79

What is the use case for dedicated EC2 instances?

Answer 79

Software licences that don’t support multi-tenant or virtualized environments
Data protection laws that prohibit multi-tenant virtualized environments

Question 80

What is EBS?

Answer 80

Elastic Block Storage - volumes that can be attached to EC2 instances

Question 81

Is EBS durable storage?

Answer 81

Yes - an EBS instance is placed in a specific AZ and auto-replicated to protect from failure of single component

Question 82

What is IOPS?

Answer 82

Input/output operations per second

Question 83

What are the EBS volume types?

Answer 83

General purpose SSD - 3 IOPS per GB, max 10,000 IOPS, can burst upto 3000 IOPS for extended periods for volumes >3334GB

Provisioned IOPS (IO1) - for I/O intensive apps, up to 20,000 IOPS per volume

Throughput optimized HDD (ST1) - big data, warehousing, cannot be a boot volume

Cold HDD (SC1) - low cost, infrequently accessed workloads (e.g. file servers). Cannot be a boot volume

Magnetic (standard) - can be a boot volume, lowest cost per GB that is bootable - considered legacy

Question 84

By default, what happens to an EBS volume when the EC2 instance it is attached to is terminated?

Answer 84

It is deleted (additional volumes are not deleted by default - just the bootable volumes)

Question 85

What are the two EC2 instance status checks that AWS provides?

Answer 85

System status check - checks that packets get to instance (checking underlying hypervisor infrastructure)

Instance status check - checks packets get to OS

Question 86

Can encrypted boot volumes be created using public AMIs?

Answer 86

No. Either:
Use third party tools (e.g. BitLocker)
Make a copy of AMI and enable encryption on the copy

Additional volumes can be encrypted

Question 87

How many security groups can a single EC2 instance be associated with?

Answer 87

Many

Question 88

How quickly do security group changes take effect?

Answer 88

Immediately

Question 89

Can you use security groups to DENY specific traffic?

Answer 89

Not really - everything is blocked by default. There are only ALLOW rules - which is why multiple security groups are always compatible and can’t conflict

Question 90

Can you use security groups to block an IP address?

Answer 90

No - use network access control lists for this

Question 91

Are security groups stateful?

Answer 91

Yes - traffic in will be allowed back out

Question 92

Are network access control lists stateful?

Answer 92

No - have to configure both ways

Question 93

What is the SSH port?

Answer 93

22

Question 94

What is the RDP port?

Answer 94

3389

Question 95

What is the MySQL/Aurora port?

Answer 95

3306

Question 96

What are the default settings for a security group?

Answer 96

All inbound traffic is blocked

All outbound traffic is allowed

Question 97

Can volume type of EBS be changed while instance is running?

Answer 97

Yes - might be some performance degradation while it’s changing

Question 98

Which EBS volume types cannot be changed?

Answer 98

Standard (magnetic) volumes

Question 99

How can you migrate an EC2 instance to another region?

Answer 99

Copy the EBS snapshot (or AMI created from the snapshot) to another region using console/cli

Question 100

Are volumes created from encrypted snapshots encrypted?

Answer 100

Yes

Question 101

What are the two types of EC2 instance/AMI?

Answer 101

EBS-backed

Instance store backed (ephemeral)

Question 102

What are the properties of instance store EC2 instances?

Answer 102

Can only be rebooted or terminated
Upon reboot or termination, any data on the instance will be lost
Longer provisioning times because store volume created from template in S3

Question 103

What are the three types of ELBs?

Answer 103

Application load balancer - great for HTTP(S) - layer 7

Network load balancer - great for TCP where extreme performance required - layer 4

Classic load balancer - layer 7 and 4 - http(s) - legacy

Question 104

What would a 504 error indicate from an ELB?

Answer 104

Struggling to communicate with whatever it’s balancing load to (e.g. EC2 instance)

Question 105

What is the purpose of the X-Forwarded-For header?

Answer 105

EC2 instances only see private IP address of load balancer, therefore application or classic load balancer will pass on user’s IPv4 address in this header

Question 106

How are instances monitored by ELB reported?

Answer 106

InService

OutOfService

Question 107

How can health checks be configured for ELB?

Answer 107

Requesting a particular path over a particular protocol and port

Question 108

What are the 4 broad EC2 metrics that CloudWatch can monitor?

Answer 108

CPU (usage)
Disk (IOPS)
Network (packets in/out)
Status (e.g. failed instance/system)

Question 109

What actions can happen when a CloudWatch alarm is triggered?

Answer 109

Notification (SNS topic)
EC2 action (start, stop, restart etc.)
AutoScaling action

Question 110

What are CloudWatch events?

Answer 110

Events are streamed when AWS resources change state - rules can be created to match selected events in the stream and route them to targets to take action (e.g. invoke lambda, put in Kenisis stream, create an EBS snapshot etc.)

Question 111

How can logs be sent to CloudWatch?

Answer 111

There is an agent that can be installed on EC2 instances

Question 112

What is the difference between CloudWatch and CloudTrail?

Answer 112

CloudWatch - logging and monitoring

CloudTrail - auditing

Question 113

Can you change EC2 roles while the instance is running?

Answer 113

Yes

Question 114

How can you get meta-data on an EC2 instance?

Answer 114

http://169.254.169.254/latest/meta-data/

Question 115

How can you get the IP address of an EC2 instance?

Answer 115

http://169.254.169.254/latest/meta-data/public-ipv4

Question 116

Is EC2 userdata suitable for sensitive information?

Answer 116

No - it’s not cryptographically stored

Question 117

What comes first - launch configuration or autoscaling group?

Answer 117

Autoscaling groups require a launch configuration

Question 118

What is a launch configuration?

Answer 118

A selected AMI, instance size etc. - essentially like configuring a new instance without actually creating it

Question 119

What is an autoscaling group?

Answer 119

Uses a launch configuration to launch a desired number of instances into specific AZs (AWS will spread instances across selected AZs)

Autoscaling groups also need to know which ELB to use and about health check configuration

Question 120

What are the 2 types of health check that autoscaling groups support?

Answer 120

EC2 (monitor health of instances)

ELB (uses load balancer health check config)

Question 121

What is a health check grace period on autoscaling groups?

Answer 121

Length of time in seconds before health checks start to prevent instance being regarded as unhealthy while it is still being provisioned

Question 122

What are auto-scaling launch templates?

Answer 122

New thing that lets you define combinations of different instance sizes etc.

Question 123

What sort of policies can drive auto-scaling groups?

Answer 123

Specific group size

Mix/max number based on CPU, ELB request count, network traffic

Can use steps to incrementally add instances when particular metrics are met, or just set a specific amount

Can disable “scale-in” (i.e. reducing number of instances after scaling - or can use a different metric to drive this)

Question 124

Which technology would be useful for mitigating EC2 regional failures?

Answer 124

Route53

Question 125

What are the three types of EC2 placement groups?

Answer 125

Clustered (usually what exam refers to) - group within single AZ - good for low latency and/or high network throughput - only certain instances (usually bigger) - no particular instance count limit advertised

Spread - each instance on distinct underlying hardware - good for small number of critical instances - can span multiple AZs - max of 7 per AZ per placement group

Partition - instances in different partitions won’t share underlying hardware (but instances in same partition might) - max 7 partitions per AZ - no limit to instance count

Question 126

What is EFS?

Answer 126

Elastic File System - elastic (like S3) file storage

Question 127

What benefit does EFS have over EBS?

Answer 127

EFS instance can be mounted on two or more EC2 instances at once - EBS instances can only be mounted to one instance at a time

Question 128

What protocol does EFS support?

Answer 128

NFSv4 (network file system version 4)

Question 129

What is the consistency model of EFS?

Answer 129

Read after write

Question 130

Is EFS regional? How does it behave with regards to AZs?

Answer 130

Yes - use select “mount targets” - essentially which AZs to use, along with subnets, IP addresses and security groups for each mount target

You get an IP address for each mount target

Question 131

What are the two ways Lambda can be invoked?

Answer 131

Event-driven (e.g. in response to a change in S3)

Request-driven - API gateway or SDK call

Question 132

Can requests share an instance of a lambda function?

Answer 132

Not concurrently - each request is routed to its own instance, but instances can be reused once a request has finished

Question 133

What are the runtimes available for Lambda functions?

Answer 133

C# (.net core 1.0, 2.0, 2.1)
Go 1.x
Java 8
Node.js (various versions)
Python (various versions)
Ruby 2.5

Question 134

What are the triggers for lambda functions?

Answer 134

(*** = remember for exam)
API Gateway ***
AWS IoT
Alexa Skills Kit (in response to alexa skill being invoked) ***
Alexa Smart Home
CloudFront ***
CloudWatch Events *** 
CloudWatch Logs ***
CodeCommit
Cognito Sync Trigger
Dynamo DB ***
Kinesis ***
S3 ***
SNS ***

Question 135

How is lambda priced?

Answer 135

Number of requests

Duration (per GB-second)

Question 136

What tool can assist with debugging lambda architectures?

Answer 136

AWS X-ray

Question 137

What is the maximum running time of a lambda function?

Answer 137

15 minutes

Question 138

What is CORS?

Answer 138

Cross origin resource sharing

Question 139

How can you make an unencrypted EBS-backed root volume encrypted?

Answer 139

Provision instance, take snapshot, and encrypt volume when deploying snapshot

Question 140

What’s the difference between standard and detailed CloudWatch monitoring of EC2 instances?

Answer 140

Every 5 minutes vs every 1 minute

Question 141

In addition to choosing the correct EBS volume type for your specific task, what else can be done to increase the performance of your volume?

Answer 141

Striping using RAID 0

Choose EC2 instance that supports EBS optimisation

For HDDs, ensure snapshots are done in periods of low-usage

Question 142

Can I delete a snapshot of an EBS Volume that is used as the root device of a registered AMI?

Answer 142

No

Question 143

What is the underlying Hypervisor for EC2 ?

Answer 143

Xen and Nitro

Question 144

Can I move a reserved instance from one region to another?

Answer 144

No

Question 145

How many bits make up an IPv4 address?

Answer 145

32

Question 146

How many bits make up an IPv6 address?

Answer 146

128

Question 147

Which port does DNS operate over?

Answer 147

53

Question 148

What’s the big difference between CNAME records and Route53 alias records?

Answer 148

Alias records can handle “naked” domains - CNAME can’t.

Also, alias records save time because Route53 automatically recognises changes in record sets that the alias record refers to

Question 149

Which two records does a DNS zone always contain?

Answer 149

SOA and global TTL

Question 150

What are the 6 routing policies available in Route53?

Answer 150

Simple routing
Weighted routing
Latency-based routing
Failover routing
Geolocation routing
Multivalue answer routing
Geoproximity (traffic flow only)

Question 151

How does failover routing work in Route53?

Answer 151

Stand-alone Route53 healthchecks can monitor:
Endpoint (domain or IP)
Status of other health checks
State of CloudWatch alarm
Advanced health checks available for additional cost, e.g. string matching or latency measurement

Question 152

What is multivalue answer routing in Route53?

Answer 152

For randomly routing traffic to multiple resources - can return up to 8 healthy records in response to query in random order - if one is down, client software will try another.

Essentially simple routing with multiple records

Question 153

What is the difference between geolocation and geoproximity routing in Route53?

Answer 153

Geoproximity is only available in traffic manager

Geoproximity allows you to resize geo-regions (bias between -99 and 99). If using non-AWS resources, can specify lat/long

Question 154

What is a CNAME record?

Answer 154

It assigns an alias name to a Canonical name - essentially points to A record of the canonical name given

Question 155

What is the maximum default limit of domain names for Route53?

Answer 155

50 - more can be requested

Question 156

Which DBs are available in RDS?

Answer 156

Microsoft SQL Server
Oracle
MySQL
PostgreSQL
Amazon Aurora
Maria DB

Question 157

What is DynamoDB?

Answer 157

Non-relational database - serverless

Question 158

What are the components of a non-relational database like DynamoDB?

Answer 158

Collection (like a table)

Document (like a row)

Key-value pairs (like a field)

Question 159

What is OLTP and OLAP?

Answer 159

Online transaction processing (RDS/No-SQL DBs)

Online analytical processing (like datawarehousing/Redshift)

Question 160

Which in-memory caching engines are supported by Elasticache?

Answer 160

Memcached

Redis

Question 161

What are the two ways to perform a backup of an RDS DB?

Answer 161

Automated backups

Database snapshots (manually initiated)

Question 162

What is the maximum retention period of an RDS backup?

Answer 162

35 days

Question 163

RDS automated backups - do they store transaction logs?

Answer 163

Yes, for the full daily snapshot. This allows point-in-time restores when recovering

Question 164

Where are RDS automated backups stored?

Answer 164

S3

Question 165

When restoring an RDS automated backup or snapshot, what happens to the RDS instance?

Answer 165

It is re-created with a new DNS enpoint

Question 166

Which RDS DBs support encryption at rest?

Answer 166

All of them

Question 167

What is RDS Multi-AZs used for?

Answer 167

DR

Question 168

How is data replicated to multi-AZ in RDS?

Answer 168

Synchronously replicated to the other (stand-by) instances

Question 169

What are RDS read-replicas used for?

Answer 169

To scale out read capacity

Question 170

How is data replicated to read-replicas in RDS?

Answer 170

Asynchronously

Question 171

What must be enabled to deploy read replicas in RDS?

Answer 171

Automatic backups

Question 172

Can RDS read-replicas have multi-AZ, and multi-AZ instances have read-replicas?

Answer 172

Yes

Question 173

Which RDS DB types are read-replicas available for?

Answer 173

MySQL
PostegreSQL
MariaDB
(Not SQL Server, Oracle or Aurora)

(Aurora works a bit differently but you can get the same benefits)

Question 174

How can you scale write capacity in RDS?

Answer 174

Vertically scale the instance (this will result in downtime or failover to multi-AZ instance)

Question 175

What data models does DynamoDB support?

Answer 175

Document

Key-value pairs

Question 176

What storage medium type does DynamoDB use?

Answer 176

SSD

Question 177

What are the two consistency models available for DynamoDB?

Answer 177

Eventually consistent reads (default - consistency usually within 1 second - best performance)

Strongly consistent reads - all writes that received success response can be read immediately

Question 178

How does DynamoDB pricing work?

Answer 178

It’s based on provisioned throughput capacity

Write throughput and read throughput are priced differently - writes are more expensive

A unit is 1 read or 1 write per second

Billed in blocks of 50 read capacity units and 10 write capacity units

Can work out requirements by dividing number of reads/writes by seconds in a day, and rounding to nearest block amount

Question 179

Can reserved capacity be purchased for DynamoDB?

Answer 179

Yes

Question 180

What are the properties of a DynamoDB table?

Answer 180

Each table has a name and a primary key (can be string, binary or number)

Read/write capacity can be adjusted per table

Tables contain “items” - JSON documents

These items can have key/value pairs in addition to primary key of table

Question 181

What is Redshift?

Answer 181

Data Warehouse as a service in AWS

Question 182

What are the two configurations of Redshift?

Answer 182

Single node - up to 160GB - good for starting out

Multi-node - lead node and up to 128 compute nodes

Question 183

How does Redshift store data in comparison to relatonal databases?

Answer 183

It uses columnar storage, as opposed to rows (results in fewer I/Os as data stored sequentially on storage media and only columns needed are there)

Question 184

How does Redshift handle compression?

Answer 184

Data automatically sampled and most appropriate compression scheme is selected

Question 185

How is encryption managed in Redshift?

Answer 185

Can use KMS or manage own keys through HSM

Question 186

How is Redshift priced?

Answer 186

Compute node hours (not charged for lead node hours - just sum of compute node hours)

Backup

Data transfer

Question 187

Is Redshift highly available?

Answer 187

Only 1 AZ supported currently - can restore snapshots to another AZ in event of an outage

Question 188

What is the difference between Memcached and Redis?

Answer 188

Memcached is an in-memory object caching system, whereas Redis is an in-memory key/value store

Question 189

Which caching engines support multi-AZ in Elasticache?

Answer 189

Redis - supports master/slave replication across multiple AZs to achieve redundancy

Question 190

What are the data transfer charges in DynamoDB?

Answer 190

No charges for transferring data in, providing you stay within single region (cross region - charged at both ends for data transfer)

Question 191

What is Aurora?

Answer 191

Highly available relational database - x5 speed of MySql

Question 192

What are the data redundancy properties of Aurora?

Answer 192

2 copies of data in each AZ, with a minimum of 3 AZs (so 6 copies of data)

Designed to lose two copies of data without affecting DB write availability and 3 copies without affecting read availability (note - this is the physical storage volume - use Aurora replicas for additional instances)

Storage is self healing

Question 193

How many Aurora replicas can you have?

Answer 193

Up to 15

Question 194

How many Aurora (MySql) read recplicas can you have?

Answer 194

Up to 5 (no failover if primary is lost)

Question 195

How to Aurora replicas and failovers relate?

Answer 195

Primary instance can failover to any Aurora replica.
Replicas have failover priorities.
If replica is not the primary, it’s used as a read replica.

Question 196

How are Aurora replicas addressed?

Answer 196

Each replica gets an instance DNS address.

Primary instance has cluster address - can be used by apps (in event of failover DNS is automatically updated)

Question 197

Are automated backups in RDS enabled by default?

Answer 197

Yes

Question 198

What is the SQL Server port?

Answer 198

1433

Question 199

Can you get reserved instances for RDS?

Answer 199

Yes, for multi-AZ deployments

Question 200

How is a VPC address range defined?

Answer 200

CIDR (classless inter-domain routing) block

Question 201

What is a high level overview of how traffic might flow through from the internet to an EC2 instance?

Answer 201

Internet Gateway
Router (invisible)
Route table
Network ACL
Security Group
EC2 instance

Question 202

Can subnets span multiple AZs?

Answer 202

No

Question 203

What are the 3 internal IP address schemes allowed (for use by subnets)?

Answer 203

10/8 - biggest address range

172. 16/12
173. 168/16 - smallest address range

Question 204

What’s the soft limit for VPCs in a region?

Answer 204

5

Question 205

How would you block an IP address?

Answer 205

Using a network ACL

Question 206

What is the default VPC?

Answer 206

Automatically created in every region, allowing instant deployment of instances

Question 207

What IP addresses does an EC2 instance get?

Answer 207

Public and private, unless deployed in a private subnet, in which case you only get a private IP address

Question 208

What is VPC peering?

Answer 208

Allows you to connect one VPC with another via a direct network route using a private IP address

Instances behave as if they’re on the same network

Can peer VPCs with other AWS accounts

Transitive peering is not supported

Question 209

Do VPCs have a router?

Answer 209

Yes - it’s implicit - you can’t modify it

Question 210

What are the tenancy options for a VPC?

Answer 210

Shared (default)

Dedicated (dedicated hardware - expensive)

Question 211

What do you get on creation of a VPC?

Answer 211

Route table (allows subnets to communicate by default)

Network ACL (allows all out/in traffic by default)

Security group

(No subnets or internet gateway)

Question 212

Which 5 private IP addresses does AWS reserve in a VPC?

Answer 212

First: network address

Second: VPC router

Third: to do with DNS

Fourth: reserved for use

Last: Network broadcast address (AWS don’t support broadcast in a VPC, and therefore reserve this address)

Question 213

How many internet gateways can be attached to a VPC?

Answer 213

1

Question 214

How many VPCs can an internet gateway be attached to?

Answer 214

1

Question 215

What routes is the default route table created with?

Answer 215

IPv4 and IPv6 rules allowing subnets to communicate (destination is subnet mask of entire VPC)

Question 216

What subnet associations does the default route have?

Answer 216

None - any subnets not explicitly associated with any route table are associated with the default route table by default

Question 217

How would you enable internet access for a subnet?

Answer 217

Add a new route to the route table that the subnet is associated with that takes all traffic and targets the internet gateway

So, destination: 0.0.0.0/0 and ::/0

Target: internet gateway

Question 218

What’s the default setting for auto-assigning public IPv4 addresses in a VPC?

Answer 218

Set to “yes” - would need to explicitly disable this behaviour if desired

Question 219

Can security groups be shared across VPCs?

Answer 219

No

Question 220

What are the two options for NAT?

Answer 220

NAT gateway (serverless)

NAT instance (set up yourself - AMIs available)

Question 221

Why might you use a NAT instance or NAT gateway?

Answer 221

To provide internet access to private subnets (because the private instances within won’t have public IP addresses)

Question 222

If you’re using IPv6, how could you provide internet access to a private subnet?

Answer 222

Egress only internet gateway (works because all instances do have an IP address)

Question 223

What are the high level steps for setting up a NAT gateway?

Answer 223

Create NAT instance in a PUBLIC subnet

Disable source/destination checks for NAT instance

Configure route table to route all traffic in subnet to NAT instance

Set up any scaling or redundancy needed

Question 224

Why might you use a NAT instance over a NAT gateway?

Answer 224

Can be used as a bastion server (not supported with NAT gateways) - allows SSH to private instances

Question 225

What ports does the NAT gateway use?

Answer 225

Ephemeral ports (1024-65535)

Question 226

What is the ephemeral port range?

Answer 226

1024-65535

Question 227

What are the relationships between Network ACLs, subnets and VPCs

Answer 227

Many subnets to one Network ACL

One network ACL per subnet

One VPC per network ACL

Question 228

What is assessed first - network ACLs or security groups?

Answer 228

Network ACLs, then security groups

Question 229

What are the requirements for creating an ELB in a custom VPC?

Answer 229

ELB must be in at least 2 AZs for redundancy

Subnets must be public (have an internet gateway)

Question 230

What are the 3 levels of VPC flow logs?

Answer 230

VPC (captures all Elastic Network Interface traffic)

Subnet (only EC2/ENIs in that subnet)

Network interface

Question 231

Can you enable flow logs for a peered VPC?

Answer 231

Yes if that VPC is in the same account

Question 232

Which traffic is excluded from VPC flow logs?

Answer 232

Amazon DNS server traffic

Amazon windows licence activation

169.254.169.254 (instance metadata)

Traffic to default VPC router (reserved IP address)

DHCP traffic

Question 233

What is a bastion/jump box?

Answer 233

Allows connection to instances in private subnet (e.g. via SSH or RDP)

Question 234

What are the two types of VPC endpoints?

Answer 234

Interface (an ENI attached to an EC2 instance)

Gateway (managed, HA, target for route in route table, can be used by all instances - it’s not attached to them).

Question 235

What are VPC gateway endpoints?

Answer 235

Gateway (managed, HA, target for route in route table, can be used by all instances - it’s not attached to them).

Different gateways for different services, e.g. DynamoDB, S3.

Can define policy for VPC endpoint in terms of what it can access

Question 236

If an EC2 instance doesn’t already have a public IP address, how can it be made public?

Answer 236

Create elastic IP address and internet gateway. Associate the elastic IP with the EC2 instance.

Question 237

What are the default settings of a newly created security group?

Answer 237

All OUTBOUND traffic is allowed by default

Question 238

What is the policy on conducting your own vulnerability scans on your own VPC?

Answer 238

Can’t do it without alerting AWS first

Question 239

What’s the difference between SQS and SNS?

Answer 239

SQS is a pull-based message queue

SNS is push-based (pub/sub)

Question 240

What’s the maximum size of an SQS message?

Answer 240

256 KB

Question 241

How many attributes (metadata) can an SQS message have?

Answer 241

Up to 10

Question 242

What are the two types of SQS queues?

Answer 242

Standard

FIFO

Question 243

What are the maximum transactions per second (TPS) for each type of SQS queue?

Answer 243

Standard - virtually unlimited

FIFO - 300 TPS (could be up to 3000 with batching (can process 10 at a time))

Question 244

What are the message delivery guarantees of each type of SQS queue?

Answer 244

Standard - message delivered at least once

FIFO - message delivered exactly once

Question 245

What are the ordering properties of each type of SQS queue?

Answer 245

Standard - best effort ordering

FIFO - guaranteed ordering

Question 246

What is the purpose of message groups in SQS?

Answer 246

Used in FIFO queues

Messages with the same MessageGroupID will be processed in order. Messages with different MessageGroupIDs might be processed out of order

Question 247

What are the minimum, maximum and default retention periods for a message in an SQS queue?

Answer 247

1 minute - 14 days

Default: 4 days

Question 248

What properties must the name of an SQS FIFO queue have?

Answer 248

Ends in .fifo

Question 249

How to message deduplication IDs work in SQS?

Answer 249

Any message with the same deduplication ID will be successfully accepted but won’t be delivered within the 5 minute deduplication window

Applies to entire queue, not just individual message groups

SQS keeps track of deduplication IDs even after message is received and deleted

Question 250

What is an SQS sequence number?

Answer 250

Large, non-consecutive number that SQS assigns to each message

Question 251

What is SQS visibility timeout?

Answer 251

Amount of time a message is invisible in the queue after a reader picks up the message

Provided the job is processed before the visibility timeout expires, the message will then be deleted from the queue. If not, the message becomes visible again and another reader will process it

This could result in the same message being delivered twice

Question 252

What is the default and maximum visibility timeout of SQS?

Answer 252

Default: 30s

Max: 12h

Question 253

What’s the difference between SQS short and long polling?

Answer 253

Short polling returns immediately, even if queue is empty

Long polling doesn’t return until message is on the queue, or long poll times out (can save money)

Question 254

What is SWF?

Answer 254

Simple Workflow Service

Used to co-ordinate tasks across distributed application components, as a distribution of tasks

Tasks can include executable code, web api calls, human intervention etc.

Question 255

What are the following components in SWF?

Workflow starters
Worker
Decider

Answer 255

Workflow starters: App that can initiate workflow

Worker: Programs that interact with SWF to get and process tasks and return the result

Decider: Program that controls coordination of tasks (ordering, concurrency, scheduling)

Question 256

Could a task be duplicated in SWF?

Answer 256

No. Unlike SQS (where message visibility timeout could expire or duplicated on standard queue), SWF ensures no duplication of tasks

Question 257

What is an SWF domain?

Answer 257

Workflow and activity types and the workflow execution itself are all scoped to a domain.
Domains isolate a set of types, executions, and task lists from others within the same account.

Question 258

What is the maximum SWF workflow length (i.e. maximum idle time)?

Answer 258

1 year - value always measured in seconds

Question 259

What is the SWF retention period and the maximum value?

Answer 259

Days that history of workflow executions is retained.

Maximum: 90 days

Question 260

What is the difference between SQS and SWF?

Answer 260

SWF presents a task-oriented API, SQS is message-oriented API

SWF ensures a task is assigned only once and is never duplicated. SQS - need to handle duplicate messages and may also need to ensure a message is processed only once

SWF - keeps track of all tasks and events in an app SQS - need to implement app-level tracking, especially if app uses multiple queues

Question 261

Why might you use SWF over SQS?

Answer 261

If a process will take longer than 12h (because that’s the maximum visibility timeout in SQS)

Question 262

What subscribers does SNS support?

Answer 262

HTTP

HTTPS

Email

Email-JSON

SQS

Application

Lambda

Question 263

What is an SNS topic?

Answer 263

Group multiple recipients

Access point for allowing recipients to dynamically subscribe for identical copies of the same notification

One topic supports deliveries to multiple endpoint types

When you publish once to a topic, SNS delivers appropriately formatted copies of your message to each subscriber

Question 264

What is Elastic Transcoder?

Answer 264

Media transcoder in the cloud

Convert media files into other formats

Provides transcoding presets for popular output formats (takes away guessing about which settings work best on particular devices)

Pay based on minutes that you transcode and resolution at which you transcode

Question 265

What is Kinesis?

Answer 265

Kinesis is a service that you send streaming data to. Allows data to be loaded and analyzed.

Question 266

What are the 3 core Kinesis services?

Answer 266

Kinesis Streams

Kinesis Firehouse

Kinesis Analytics

Question 267

What is Kinesis Streams?

Answer 267

Producers send data in, which is retained for 24h - 7 days, and read by consumers (e.g. EC2 instances)

Data stored in shards. Each shard provides capacity, so data capacity of stream is a function of the number of shards in the stream.

Question 268

What is Kinesis Firehose?

Answer 268

Producers send data in, but unlike Kinesis Streams there is no data retention - data goes straight to a destination (e.g. S3)

Can optionally use lambda to transform data in real-time

CAn write directly to elasticache clusters

Can’t write directly to redshift (need to save to S3 first and then copy over)

Question 269

What is Kinesis Analytics?

Answer 269

Allows you to run SQL-like queries on data in Kinesis streams or Kinesis Firehose - can store results somewhere else (e.g. S3)

Question 270

What are the 5 pillars of the AWS well architected framework?

Answer 270

Security

Reliability

Performance Efficiency

Cost Optimization

Operational Excellence

Question 271

In the AWS well architected framework, what are the areas of Security?

Answer 271

Data Protection

Privilege management

Infrastructure protection

Detective controls

Question 272

In the AWS well architected framework, what are the areas of Reliability?

Answer 272

Foundations

Change management

Failure management

Question 273

In the AWS well architected framework, what are the areas of Performance Efficiency?

Answer 273

Compute

Storage

Database

Space-time trafeoff

Question 274

In the AWS well architected framework, what are the areas of Cost Optimization?

Answer 274

Matched supply and demand

Cost effective resources

Expenditure awareness

Optimizing over time

Question 275

In the AWS well architected framework, what are the areas of Operational Excellence?

Answer 275

Preparation

Operation

Response

Question 276

What is OpsWorks?

Answer 276

Orchestration service that uses Chef and Puppet

A way of using infrastructure as code to ensure desired state across resources

Contains “recipes” to maintain a consistent state

Look for terms chef, recipes or “cook books” and think OpsWorks

Question 277

What are the 2 feature sets of AWS organisations?

Answer 277

Consolidated billing (just having a single payer and consolidated bill)

All features (consolidated billing features AND policy-based controls and hierarchical management of accounts)

Question 278

What is the default maximum of linked AWS accounts?

Answer 278

20 accounts

Question 279

How does volume discounts and RIs work with linked accounts?

Answer 279

You get the volume discount of all resources used across accounts, and unused RIs will be used by other accounts that need them

Question 280

How can you consolidate CloudTrail logs?

Answer 280

Turn on CloudTrail in paying account

Create bucket policy that allows cross-account access

Turn on CloudTrail in other accounts and use bucket in paying account

Question 281

What is an SCP?

Answer 281

SCP - Service Control Policy - control AWS service use across multiple AWS accounts (e.g. deny use of DynamoDB to some group within an organisation) - even if IAM in that account allows it, SCP will override it

Overall effect of an SCP can be to allow or deny specific services and actions

Can be applied to accounts and/or OUs

Question 282

How can cross-account access be configured?

Answer 282

Using roles.

Assuming a prod account with resources and a corporate account with users:

Create policy in prod account that grants access to stuff

Create role in prod account that uses that new policy (you also have to provide account ID of corporate account here)

In corporate account, create group policy that allows users to assume that role (will need arn of role in production account. Action is sts:AssumeRole).

Question 283

What are the two types of resource group?

Answer 283

Classic - global groups

AWS systems manager - regional groups, groups themselves can be tagged, much more powerful (can do stuff like execute automations and get detailed insights)

Question 284

Is cross-region VPC peering supported?

Answer 284

Yes

Question 285

Can you peer VPCs with overlapping CIDR blocks?

Answer 285

No

Question 286

What is AWS Direct Connect?

Answer 286

Dedicated line from on-prem to AWS. Can reduce network cost, increase throughput and maintain consistency. Can also increase reliability.

Question 287

What’s the difference between direct connect and VPN?

Answer 287

VPN is quickly configured and good for immediate need
Low-modest bandwidth requirements
Can tolerate variability in internet-based connectivity

AWS Direct Connect does not involve the internet
Private network connection between on-prem and Amazon VPC

Question 288

What are the available connection speeds with AWS Direct Connect?

Answer 288

10 Gbps

1 Gbps

<1 Gbps (through AWS Direct Connect Partners)

Question 289

What is STS?

Answer 289

Security Token Service

Grants users limited and temporary access to AWS resources

Question 290

Where can users come from with respect to STS?

Answer 290

Federation - e.g. AD, uses SAML

Federation with mobile apps - e.g. Fb, Google, other OpenID providers…

Cross account access - roles issue temp credentials via STS

Question 291

What is LDAP?

Answer 291

Lightweight Directory Access Protocol - industry standard for accessing directory services (AD supports LDAP)

Question 292

What is AWS Workspaces?

Answer 292

VDI: Virtual Desktop Infrastructure

Replacement for traditional desktop

Can connect from many devices via AWS client app

Supports windows and linux desktops

Question 293

How is AWS Workspaces backed up?

Answer 293

All data on D drive (user’s volume) is backed up every 12 hours (or if WorkDocs Sync is enabled on WorkSpace, folder a user chooses to sync will be continuously backed up and stored in Amazon WorkDocs)

Question 294

What is ECS?

Answer 294

Elastic Container Service

Question 295

What are the high-level components of Docker?

Answer 295

DockerFile - creates a layer in a docker image

Docker image - like an AMI

Docker container - initialised docker image

Layers/union file system - allows the file systems of container and host to be transparently overlaid to provide single file system

Docker engine/daemon - runs containers

Docker client - UI for daemon

Docker registries - store and download docker images

Question 296

What is ECR?

Answer 296

Elastic Container Registry

Question 297

Is ECS a regional service?

Answer 297

Yes

Question 298

What does ECS do?

Answer 298

Schedules placement of containers on a cluster based on resource needs, isolation policies and availability requirements

Abstracts the operation of cluster management

Can also be used to manage and scale batch and ETL workloads

Question 299

What is an ECS task definiton and ECS scheduling?

Answer 299

JSON file that describes one or more containers that form an app. Define stuff like the docker images to use, CPU allocation, networking, IAM roles, desired container count etc.

ECS scheduler ensures desired number of tasks are running and are registered with an ELB (if desired). Can create your own or use a third-party

Question 300

What is ECS container agent?

Answer 300

Allows cluster instance to connect to cluster

Included in ECS-optimized AMI

Can be installed separately

Linux based (windows support??)

Question 301

In ECS, at what level do security groups attach?

Answer 301

At the instance level (the host - not the task or a container)

Question 302

What is SAML?

Answer 302

Security Assertion Markup Language

Question 303

High level, how might AD integration work with AWS in terms of signing into the AWS console with AD credentials?

Answer 303

Active Directory Federation Services (ADFS) is installed at company

User goes to some internal site hosted by domain

SSO page prompts for AD credentials (or this is handled by browser - reverse proxy magic)

ADFS authenticates user with AD

User receives SAML assertion in form of authentication response from ADFS

User posts SAML assertion to AWS sign-in endpoint for SAML (https://signin.aws.amaozn.com/saml)

Behind the scenes, sign-in uses AssumeRoleWithSAML API to get temp creds and the constructs sign-in URL for console

User redirected to this address

Question 304

At a high level, how can AD integration be configured in AWS?

Answer 304

Configure in IAM.

Create new Identity Provider in IAM (will need to upload FederationMetadata.xml from ADFS that defines the trust)

Create roles for AD users to assume.

Configure relay in ADFS and configure SAML attributes required by AWS. (So there’s two-way trust that must be configured).