Study Guide Flashcards

Question

A ______________ is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity and act as a filter.

Answer 1

permissions boundary NOTE: explicitly grant to prevent implicit deny

Answer 2

users or roles.

Answer 3

NOTE: Improves overhead and simplified billing * To group resources for categorization and discovery * To improve your security posture with a logical boundary * To limit potential impact in case of unauthorized access * To simplify management of user access to different environments

Answer 4

AWS Organizations provides these key features: * Centralized management of all your AWS accounts * Consolidated billing for all member accounts helps with consolidating the costs to get discounts Create a hierarchy by grouping accounts into organizational units (OUs). Apply service control policies (SCPs) to control maximum permissions in every account under an organization unit (OU). NOTE: anywhere on the exam that an option is manual work, then it's incorrect. always go with automation

Answer 5

SCP (service control policy) Attaching an SCP to an Organizations entity (root, OU, or account) defines a guardrail. SCPs set limits on the actions that the IAM users and roles in the affected accounts can perform. To grant permissions, you must attach identity-based or resource-based policies to IAM users, or to the resources in your organization's accounts. When an IAM user or role belongs to an account that is a member of an organization, the SCPs limit the user's or role’s effective permissions. SCP doesn't grant but does control **Keyword:** guardrail

Answer 6

/28 because you lose 5 from each subnet

Answer 7

The first four IP addresses and the last IP address in each subnet CIDR block are not available and cannot be assigned to an instance. For example, in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are reserved: * 10.0.0.0: Network address. * 10.0.0.1: Reserved by AWS for the VPC router. * 10.0.0.2: Reserved by AWS. The IP address of the DNS server is always the base of the VPC network range plus 2. * 10.0.0.3: Reserved by AWS for future use. * 10.0.0.255: Network broadcast address. AWS does not support broadcast in a VPC; therefore, we reserve this address. NOTE: Consider larger subnets over smaller ones (/24 and larger). You are less likely to waste or run out of IPs if you distribute your workload into larger subnets.

Answer 8

A public subnet requires the following: * Internet gateway: The internet gateway allows communication between resources in your VPC and the internet. * Route table: A route table contains a set of rules (routes) that are used to determine where network traffic is directed. It can direct traffic to the internet gateway. * Public IP addresses **Note** associate a route table with a subnet; a router table can be associated with multiple subnets but subnets only with one route table

Answer 9

main route table every route table is associated with a VPC mapped to a local VPC route; every table has a local route that can't be deleted providing inter VPC connectivity as a result This local route permits communication for all the resources within the VPC. You can't modify the local route in a route table A subnet can be associated with only one route table at a time, but you can associate multiple subnets with the same route table. Use custom route tables for each subnet to permit granular routing for destinations. Each AWS account comes with a default Amazon VPC

Answer 10

Elastic IP address You are limited to five Elastic IP addresses. To help conserve them, you can use a NAT device. We encourage you to use an Elastic IP address primarily to be able to remap the address to another instance in the case of instance failure.

Answer 11

Elastic IP address An Elastic IP address is a static, public IPv4 address designed for dynamic cloud computing. You can associate an Elastic IP address with an instance by updating the network interface attached to the instance. The advantage of associating the Elastic IP address with the network interface instead of directly with the instance is that you can move all the attributes of the network interface from one instance to another in a single step.

Answer 12

Elastic IP address You can move an Elastic IP address from one instance to another. The instance can be in the same VPC or another VPC. An Elastic IP address is accessed through the internet gateway of a VPC. If you set up a VPN connection between your VPC and your network, the VPN traffic traverses a virtual private gateway, not an internet gateway. Therefore, it cannot access the Elastic IP address.

Answer 13

elastic network interface When moved to a new instance, the network interface maintains its public and Elastic IP address, private IP and Elastic IP address, and MAC address. The attributes of a network interface follow it. When you move a network interface from one instance to another, network traffic is redirected to the new instance. Each instance in a VPC has a default network interface (the primary network interface).

Answer 14

bastion host associated with port 22

Answer 15

NAT gateways NAT gateways come in 2 versions now: public and private; use private to inter-VPC or to connect to on-premise but can't get to the Internet

Answer 16

a NAT gateway **exam:** need to get rid of a SPOF, so use multiple instances of NAT gws

Answer 17

Deploying a VPC across multiple Availability Zones creates an architecture that achieves high availability

Answer 18

Elastic Load Balancing LBs can be used for internal and external facing workloads

Answer 19

network ACL You can create a custom network ACL and associate it with a subnet. By default, custom network ACLs deny all inbound and outbound traffic until you add rules. exam - ports of interest are 80, 443, & 22 (SSH) Firewall at the subnet level with default deny alls; a subnet may only have one nacl but nacls can be associated with multiple subnets; stateless so need return entry to allow traffic

Answer 20

A security group The default group allows inbound communication from other members of the same group and outbound communication to any destination. Traffic can be restricted by any IP protocol, by service port, and by source or destination IP address (individual IP address or CIDR block). **exam** -- SGs are on the boundary of the instance; instance level firewalls; no numerical priority and no default deny

Answer 21

Security groups The default group allows inbound communication from other members of the same group and outbound communication to any destination. Traffic can be restricted by any IP protocol, by service port, and by source or destination IP address (individual IP address or CIDR block). exam -- SGs are on the boundary of the instance; instance level firewalls; no numerical priority and no default deny

Answer 22

A network ACL Each network ACL has a rule whose number is an asterisk. This rule denies a packet that doesn't match any of the numbered rules.

Answer 23

Security groups in default VPCs allow all outbound traffic. Custom security groups have no inbound rules, and they allow outbound traffic.

Answer 24

security groups They are more versatile than network ACLs because of their ability to perform stateful packet filtering and to use rules that reference other security groups. However, network ACLs can be effective as a secondary control for denying a specific subset of traffic or providing high-level guard rails for a subnet. By implementing both network ACLs and security groups as a defense-in-depth means of controlling traffic, a mistake in the configuration of one of these controls will not expose the host to unwanted traffic.

Answer 25

to provide depth of protection... only allow the minimum required to pass a boundary The inbound and outbound rules are set up so that traffic can only flow from the top tier to the bottom tier and back up again. The security groups act as firewalls to prevent a security breach in one tier from automatically providing subnet-wide access of all resources to the compromised client

Answer 26

A security group Network ACLs A security group acts as a firewall for associated EC2 instances, controlling both inbound and outbound traffic at the instance level. Network ACLs act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level. Both can have different default configurations depending on how they are created. Security groups * Security groups in default VPCs allow all traffic. * New security groups have no inbound rules and allow outbound traffic. Network ACLs * Network ACLs in default VPCs allow all inbound and outbound IPv4 traffic. * Custom network ACLs deny all inbound and outbound traffic, until you add rules.

Answer 27

io -- iops SSDs Specific use cases for io2 Block Express include: * Sub-millisecond latency * Sustained IOPS performance * More than 64,000 IOPS or 1,000 MiB/s of throughput **Exam** -- for this one the numbers aren't needed but will be for the sysops; just know io is for high io needs **Exam:** anywhere you see throughput and low cost think st

Answer 28

instance store An instance store is ideal for temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content. It is also good for data that is replicated across a fleet of instances, such as a load-balanced pool of web servers. **exam** -- attached to host but not persistent but very fast; use it for cases where fast processing and fault tolerance is able to retry; Reclaimed when the instance is stopped or terminated ==> data will be lost when restarted, etc.

Answer 29

1. On-demand 2. Savings plans 3. Spot instances most flexible will be the most expensive, so on demand will be the most expensive; watch the key words such as spiky or temporary

Answer 30

Lambda These resources include: * Server and OS maintenance * Capacity provisioning and automatic scaling * Code monitoring and logging serverless (Lambda) is always a great answer for "saving money" questions

Answer 31

object, file, and block **EXAM:** S3 with cloudfront is always a great answer Block storage – Enterprise applications like databases or enterprise resource planning (ERP) systems often require dedicated, low-latency storage for each host. This storage is similar to direct-attached storage (DAS) or a storage area network (SAN). Block-based cloud storage solutions like Amazon Elastic Block Store (Amazon EBS) are provisioned with each virtual server and offer the ultra-low latency required for high-performance workloads. File storage – Many applications must access shared files and require a file system. This type of storage is often supported with a Network Attached Storage (NAS) server. File storage solutions like Amazon Elastic File System (Amazon EFS) are ideal for use cases such as large content repositories, development environments, media stores, or user home directories. Object storage – Applications developed in the cloud need the vast scalability and metadata of object storage. Object storage solutions like Amazon Simple Storage Service (Amazon S3) are ideal for building modern applications. Amazon S3 provides scale and flexibility. You can use it to import existing data stores for analytics, backup, or archive. * Amazon EBS for block storage * Amazon EFS and Amazon FSx for file storage * Amazon S3 and Amazon S3 Glacier for object storage

Answer 32

EBS **NOTE:** S3 object lock can also be used

Answer 33

EFSx on NetApp ONTAP

Answer 34

EFSx Luster

Answer 35

Amazon S3 is object-level storage. An object includes file data, metadata, and a unique identifier. Object storage does not use a traditional file and folder structure. Great for static content such as a website providing documents, videos, etc. **exam** -- bucket name must be globally unique; buckets "live" in a region and can't be replicated outside the region by AWS but can be by the customer; s3 is the cheapest so it's why logs are stored there

Answer 36

* Backup and restore – You can use Amazon S3 to store and retrieve any amount of data, at any time. You can use Amazon S3 as the durable store for your application data and file-level backup and restore processes. Amazon S3 is designed for 99.999999999 percent durability, or 11 9’s of durability. * Data lakes for analytics – Run big data analytics, artificial intelligence (AI), machine learning (ML), and high-performance computing (HPC) applications to unlock data insights. * Media storage and streaming – You can use Amazon S3 with Amazon CloudFront’s edge locations to host videos for on-demand viewing in a secure and scalable way. Video on demand (VOD) streaming means that your video content is stored on a server, and viewers can watch it at any time. You’ll learn more about Amazon CloudFront later in this course. * Static website – You can use Amazon S3 to host a static website. On a static website, individual webpages include static content. They might also contain client-side scripts. Amazon S3’s object storage makes it easier to manage data access, replications, and data protection for static files. * Archiving and compliance – Replace your tape with low-cost cloud backup workflows, while maintaining corporate, contractual, and regulatory compliance requirements.

Answer 37

Bucket policies Access control for your data is based on policies, such as IAM policies, S3 bucket policies, and AWS Organizations service control policies (SCPs). "EAR" in the JSON -- { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": [ "s3:ListBucket", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::doc-example-bucket", "arn:aws:s3:::doc-example-bucket/*" ] } ] } **exam** -- be able to recognize "Principal" in that it is different from identity that lives with the account NOTE:a principal is a specific type of entity that can take actions in AWS, while an identity is the unique identifier associated with that principal. The principal is defined in IAM policies to grant or deny access, and the identity is used for authentication and authorization purposes.

Answer 38

Cryptographic keys Amazon S3 offers three options + customer provided for encrypting your objects: * Server-side encryption (SSE) with Amazon S3-managed keys (SSE-S3) – When you use SSE-S3, each object is encrypted with a unique key. As an additional safeguard, it encrypts the key itself with a primary key that it regularly rotates. Amazon S3 server-side encryption uses 256-bit Advanced Encryption Standard (AES-256) to encrypt your data. * Server-side encryption with AWS KMS keys stored in AWS Key Management Service (AWS KMS) (SSE-KMS) – KMS keys stored in SSE-KMS are similar to SSE-S3, but with some additional benefits and charges. There are separate permissions for the use of a KMS key that provides added protection against unauthorized access of your objects in Amazon S3. SSE-KMS also provides you an audit trail that shows when your KMS key was used, and by whom. * Dual-layer server-side encryption with AWS KMS keys (DSSE-KMS) – Using DSSE-KMS applies two individual layers of object-level encryption instead of one layer. Each layer of encryption uses a separate cryptographic implementation library with individual data encryption keys. * Server-side Encryption with Customer-Provided Keys (SSE-C) – With SSE-C, you manage the encryption keys and Amazon S3 manages the encryption as it writes to disks. Also, Amazon S3 manages decryption when you access your objects.

Answer 39

* S3 Standard for general-purpose storage of frequently accessed data. * S3 Standard-Infrequent Access (S3 Standard-IA) for long-lived, but less frequently accessed data. * S3 One Zone-Infrequent Access (S3 One Zone-IA) for long-lived, less frequently accessed data that can be stored in a single Availability Zone. * S3 Glacier Instant Retrieval for archive data that is rarely accessed but requires a restore in milliseconds. * S3 Glacier Flexible Retrieval for the most flexible retrieval options that balance cost with access times ranging from minutes to hours. Your retrieval options permit you to access all the archives you need, when you need them, for one low storage price--good for unpredictable needs. This storage class comes with multiple retrieval options: --Expedited retrievals (restore in 1–5 minutes). --Standard retrievals (restore in 3–5 hours). --Bulk retrievals (restore in 5–12 hours). Bulk retrievals are available at no additional charge. * S3 Glacier Deep Archive for long-term cold storage archive and digital preservation. Your objects can be restored in 12 hours or less. S3 has a storage class associated with it. All storage classes offer high durability (99.999999999 percent durability) exam -- very important for the exam! the 6 classes that you need to know, the use case, & the timing; to the right is less expensive with time increasing

Answer 40

Amazon S3 Intelligent-Tiering When you assign an object to S3 Intelligent-Tiering, it is placed in the Frequent Access tier which has the same storage cost as S3 Standard. Objects not accessed for 30 days are then moved to the Infrequent Access tier where the storage cost is the same as S3 Standard-IA. After 90 days of no access, an object is moved to the Archive Instant Access tier, which has the same cost as S3 Glacier Instant Retrieval. S3 Intelligent-Tiering is the ideal storage class for data with unknown, changing, or unpredictable access patterns, independent of object size or retention period. You can use S3 Intelligent-Tiering as the default storage class for virtually any workload, especially data lakes, data analytics, new applications, and user-generated content. NOTE: know this and understand that life-cycle policies are different that this... I-T is both ways & uses machine learning to know that something is getting accessed frequently/infrequently to move

Answer 41

1 Cost-effective storage Lowest cost for specific data access patterns 2 Flexible data retrieval Three storage classes with variable access options 3 Secure and compliant Encryption at rest, AWS CloudTrail integration, and retrieval policies 4 Scalable and durable Meets needs from gigabytes to exabytes with 11 9s of durability

Answer 42

Use S3 Object Lock for data retention or protection.

Answer 43

Buckets that use versioning can help you recover objects from accidental deletion or overwrite: * If you delete an object, instead of removing it permanently, Amazon S3 inserts a delete marker, which becomes the current object version. * If you overwrite an object, it results in a new object version in the bucket. When S3 Versioning is turned on, you can restore the previous version of the object to correct the mistake.

Answer 44

Use S3 Lifecycle polices to transition objects to another storage class. S3 Lifecycle rules take action based on object age. With S3 Lifecycle policies, you can delete or move objects based on age. You should automate the lifecycle of your data that is stored in Amazon S3. Using S3 Lifecycle policies, you can have data cycled at regular intervals between different Amazon S3 storage types. In this way, you reduce your overall cost because you are paying less for data as it becomes less important with time. In addition to being able to set lifecycle rules per object, you can also set lifecycle rules per bucket. Amazon S3 supports a waterfall model for transitioning between storage classes. Lifecycle configuration automatically changes data storage tiers.

Answer 45

With a multipart upload, you can consistently upload large objects in manageable parts. This process involves three steps: * Initiating the upload * Uploading the object parts * Completing the multipart upload When the multipart upload request is completed, Amazon S3 will recreate the full object from the individual pieces. **exam** -- anything over 100MB will be uploaded in multipart Improve the upload process of larger objects with the following features: * Improved throughput – You can upload parts in parallel to improve throughput. * Quick recovery from any network issues – Smaller part sizes minimize the impact of restarting a failed upload due to a network error. * Pausing and resuming object uploads – You can upload object parts over time. When you have initiated a multipart upload, there is no expiration. You must explicitly complete or cancel the multipart upload. * Beginning an upload before you know the final object size – You can upload an object as you are creating it. * Uploading large objects – Using the multipart upload API, you can upload large objects, up to 5 TB.

Answer 46

Event driven architectures With Amazon S3 Event Notifications, you can receive notifications when certain object events happen in your bucket. Event-driven models like this one mean that you no longer need to build or maintain server-based polling infrastructure to check for object changes. You also don’t pay for idle time of that infrastructure when there are no changes to process. Amazon S3 can send event notification messages to the following destinations: * Amazon Simple Notification Service (Amazon SNS) topics * Amazon Simple Queue Service (Amazon SQS) queues * AWS Lambda functions You specify the Amazon Resource Name (ARN) value of these destinations in the notification configuration. In the example, you have a JPEG image uploaded to the images bucket that your website uses. Your website needs to be able to show smaller thumbnail preview images of each uploaded file. When the image object is added to the S3 bucket, an event notification is sent to invoke a series of AWS Lambda functions. The output of your Lambda functions is a smaller version of the original JPEG image and puts the object in your thumbnails bucket. S3 Event Notifications manage the activity in the bucket for you and automate the creation of your thumbnail.

Answer 47

* Storage – Per-gigabyte cost to hold your objects. You pay for storing objects in your S3 buckets. The rate that you’re charged depends on your objects' size, how long you stored the objects during the month, and the storage class. You incur per-request ingest charges when using PUT, COPY, or lifecycle rules to move data into any S3 storage class. * Requests and retrievals – The number of API calls: PUT and GET requests. You pay for requests that are made against your S3 buckets and objects. S3 request costs are based on the request type, and are charged on the quantity of requests. When you use the Amazon S3 console to browse your storage, you incur charges for GET, LIST, and other requests that are made to facilitate browsing. * Data transfer – Usually no transfer fee for data-in from the internet and, depending on the requester location and medium of data transfer, different charges for data-out. * Management and analytics – You pay for the storage management features and analytics that are activated on your account’s buckets. These features are not discussed in detail in this course. S3 Replication and S3 Versioning can have a big impact on your AWS bill. These services both create multiple copies of your objects, and you pay for each PUT request in addition to the storage tier charge. S3 Cross-Region Replication also requires data transfer between AWS Regions.

Answer 48

Amazon Elastic File System (Amazon EFS) and Amazon FSx

Answer 49

Amazon EFS **exam** -- only for Linux; it's is server less as well; fast; scales; pay for only what you need

Answer 50

1. Amazon EFS uses burst throughput mode to scale throughput based on your storage use. 2. Amazon EFS automatically grows and shrinks file storage without provisioning.

Answer 51

Amazon FSx **exam** -- windows: FSx; fully managed built on windows file server; but can be used by Windows, Linux, & MacOS

Answer 52

FSx Lustre **exam** -- HPC & machine learning, big data analytics

Answer 53

AWS Storage Gateway: Sync files with SMB, NFS, and iSCSI protocols from on-premises to AWS. AWS Storage Gateway connects an on-premises software appliance with cloud-based storage AWS DataSync: Sync files from on-premises file storage to Amazon EFS, Amazon FSx, and Amazon S3.

Answer 54

AWS Snow Family: Move terabytes to petabytes of data to AWS by using appliances that are designed for secure, physical transport. AWS Snow Family is a group of edge computing, data migration, or edge storage devices that are designed for secure, physical transport.

Answer 55

AWS Transfer Family permits the transfer of files into and out of Amazon S3 or Amazon Elastic File System (EFS)

Answer 56

1. Amazon S3 File Gateway presents a file interface that you can use to store files as objects in Amazon S3. You use the industry-standard NFS and SMB file protocols. Access your files through NFS and SMB from your data center or Amazon EC2, or access those files as objects directly in Amazon S3. **exam** -- associate with s3, archiving, data lakes, etc. 2. Amazon FSx File Gateway provides fast, low-latency, on-premises access to fully managed, highly reliable, and scalable file shares in Amazon FSx for Windows File Server. It uses the industry-standard SMB protocol. You can store and access file data in Amazon FSx with Microsoft Windows features, including full New Technology File System (NTFS) support, shadow copies, and ACLs. 3. Tape Gateway presents an iSCSI-based virtual tape library (VTL) of virtual tape drives and a virtual media changer to your on-premises backup application. 4. Volume Gateway presents block storage volumes of your applications by using the iSCSI protocol. You can asynchronously back up data that is written to these volumes as point-in-time snapshots of your volumes. Then, you can store it in the cloud as Amazon EBS snapshots. **exam** -- associate with EBS & your "boot" device

Answer 57

Amazon S3 File Gateway, Amazon FSx File Gateway (use for your home directories), Tape Gateway, or Volume Gateway (iSCSI).

Answer 58

Reduce on-premises storage infrastructure by shifting SMB-based data stores and content repositories from file servers and NAS arrays to Amazon S3 and Amazon EFS for analytics.

Answer 59

AWS Snowcone Snowcone is a small, rugged, edge computing and data storage product.

Answer 60

Snowball Edge is an edge computing and data transfer device that the AWS Snowball service provides. **exam** -- has compute with it Snowball Edge is a petabyte-scale data transport option that doesn’t require you to write code or purchase hardware to transfer data.

Answer 61

RDS & Aurora (provides PostgreSQL)

Answer 62

ElastiCache

Answer 63

DynamoDB & ElastiCache

Answer 64

RDS & Aurora Relational databases such as Oracle, IBM DB2, SQL Server, MySQL, and PostgreSQL * Amazon Aurora is a proprietary, fully-managed relational database engine that is MySQL and PostgreSQL-compatible. In terms of performance, Aurora provides up to five times better latency than RDS and can scale up to ten times more packed operations per second than MySQL engine in RDS. It also offers an encrypted storage option for better data security. It has a serverless option. * Amazon RDS is a hosted database service that supports a variety of relational database engines, including MySQL, PostgreSQL, MariaDB, Microsoft SQL Server, and Oracle. **NOTE:** In RDS, Failover to read replica is done manually, which could lead to data loss. You can use Multi-AZ (Standby instance) feature for automatic failover, and to prevent downtime and data loss. In Aurora, Failover to read replica is done automatically to prevent data loss. Failover time is faster on Aurora.

Answer 65

RDS **EXAM:** serverless option is Aurora; RDS is managed Amazon RDS is a web service that helps you to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity, while managing time-consuming database administration tasks. By using Amazon RDS, you can focus on your applications and business. Amazon RDS provides you with six familiar database engines to choose from, including Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and Microsoft SQL Server. Therefore, most of the code, applications, and tools that you already use with your existing databases can be used with Amazon RDS. Amazon RDS automatically patches the database software and backs up your database. It stores the backups for a user-defined retention period and provides point-in-time recovery. You benefit from the flexibility of scaling the compute resources or storage capacity associated with your relational DB instance with a single API call.

Answer 66

Amazon RDS Proxy also know what RDS proxy provides connection pooling, improved scale, improved/faster resiliency, etc.

Answer 67

Amazon RDS Multi-AZ deployments provide enhanced availability and durability for database (DB) instances, which makes them a natural fit for production database workloads. When you provision a Multi-AZ DB instance, Amazon RDS synchronously replicates the data to a standby instance in a different Availability Zone. You can modify your environment from Single-AZ to Multi-AZ at any time. Each Availability Zone runs on its own physically distinct, independent infrastructure and is engineered to be highly reliable. by default is not HA; multi AZ cluster provides read replica access while the single AZ can't

Answer 68

Read replicas -- for offloading reads; improves performance; takes load off primary With Amazon RDS, you can create read replicas of your database. Amazon automatically keeps them in sync with the primary DB instance. Read replicas are available in Amazon RDS for MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server as well as Amazon Aurora.

Answer 69

No not by default Amazon RDS provides encryption of data at rest by using the AWS Key Management Service (AWS KMS). AWS KMS is a managed service (Always associate with encryption)

Answer 70

Aurora -- It replicates six copies of your data across three Availability Zones and continuously backs up your data to Amazon Simple Storage Service (Amazon S3).

Answer 71

Aurora Serverless v2

Answer 72

DynamoDB Key value store

Answer 73

DynamoDB because it uses Key-value stores. Key-value databases are good for use cases where the requested data can be associated with a single primary key. Consider this example of a video game’s user profile database. Each item has a collection of key-value pairs, including keys such as TopScore, UserID, and Level. All key-value pairs for an item are associated with the primary key, GamerTag. You can rapidly retrieve any of these key-value pairs by locating their GamerTag.

Answer 74

On-demand Provisioned

Answer 75

On-demand capacity mode is best when you: * Have unknown workloads * Have unpredictable traffic * Prefer to pay for only what you use On-demand capacity mode is a pay-per-request model. EXAM: no autoscaling

Answer 76

Provisioned capacity mode is best when you: * Have predictable application traffic * Have traffic that is consistent or changes gradually * Can forecast capacity requirements to control costs With provisioned capacity mode, you set a maximum number of RCUs and WCUs. When traffic exceeds those limits, DynamoDB throttles those requests to control your costs. You can adjust your provisioned capacity by using auto scaling. EXAM: takes advantage of autoscaling

Answer 77

DynamoDB global tables Global tables automate replication across Regions **exam** -- performance and DR

Answer 78

global table replica table (or replica, for short) global table NOTE: Each replica stores the same set of data items. Any given global table can only have one replica table per Region, and every replica has the same table name and the same primary key schema.

Answer 79

* Speed and expense – Some database queries are inherently slower and more expensive than others. For example, queries that perform joins on multiple tables are significantly slower and more expensive than simple, single-table queries. If requesting data requires a slow and expensive query, it's a candidate for caching. * Data and access pattern – Determining what to cache also involves understanding the data itself and its access patterns. For example, it doesn't make sense to cache data that is rapidly changing or is seldom accessed. For caching to provide meaningful benefit, the data should be relatively static and frequently accessed, such as a personal profile on a social media site. * Cache validity – Data can become out-of-date while it is stored in cache. Writes that occur on that data in the database might not be reflected in that cached data. To determine whether your data is a candidate for caching, you must determine your application's tolerance for occasionally inaccurate cached data. **exam** - temp storage and performance; on any exam question, if the answer involves caching it's almost always the right answer; faster & reduces cost

Answer 80

lazy loading and write-through Lazy loading can have stale data, but doesn't fail with empty nodes. Write-through maintains fresh data, but can fail with empty nodes and can populate the cache with superfluous data. By adding a time to live (TTL) value to each write to the cache, you can maintain fresh data without cluttering the cache with extra data. In lazy loading, updates are made to the database without updating the cache. In the case of a cache miss, the information that is retrieved from the database can be subsequently written to the cache. Lazy loading loads data that the application needs into the cache, but it can result in high cache-miss-to-cache-hit ratios in some use cases. An alternative strategy is to write through to the cache every time the database is accessed. This approach results in fewer cache misses. The result is improved performance, but it requires additional storage for data that the applications might not need. The best strategy depends on your use case. It is critical to understand the impact of stale data on your use case. If the impact is high, then consider maintaining freshness with write-throughs. If the impact is low, then lazy loading might be sufficient. It also helps to understand the frequency of change of the underlying data because it affects the performance and cost tradeoffs of the caching strategies. NOTE: file/object caching works the same but is cloud front specific implementation

Answer 81

Amazon ElastiCache

Answer 82

* Redis * Memcached

Answer 83

With ElastiCache for Memcached, you can build a scalable caching tier for data-intensive apps. The service works as an in-memory data store and cache to support the most demanding applications requiring sub-millisecond response times. ElastiCache for Memcached is fully managed, scalable, and secure, which makes it an ideal candidate for use cases where frequently accessed data must be in memory.

Answer 84

ElastiCache for Redis It can power the most demanding real-time applications in gaming, ad tech, ecommerce, healthcare, financial services, and Internet of Things (IoT).

Answer 85

DynamoDB Accelerator (DAX) DAX is a caching service compatible with DynamoDB that provides fast in-memory performance for demanding applications. You create a DAX cluster in your Amazon VPC to store cached data closer to your application. You install a DAX client on the EC2 instance that is running your application in that VPC. At runtime, the DAX client directs all of your application's DynamoDB requests to the DAX cluster. If DAX can process a request directly, it does so. Otherwise, it passes the request through to DynamoDB. **exam** -- in region aimed at EC2 performance improvements; TAKES FROM MILLISECONDS TO MICROSECONDS

Answer 86

AWS Database Migration Service With AWS DMS, you can also use a Snowball Edge device as a migration target. You would use this method if your environment has poor internet connectivity or if the source database is too large to move over the internet. You would also use it if your organization has privacy or security requirements.

Answer 87

AWS Database Migration Service

Answer 88

AWS Database Migration Service

Answer 89

AWS Schema Conversion Tool (AWS SCT) keywords: discover, convert, migrate, etc.; go from on-prem to managed

Answer 90

CloudWatch

Answer 91

CloudWatch metrics Note: Each data point has an associated timestamp. You can publish your own metrics. data points & time; cloudwatch means both metrics & logs

Answer 92

CloudTrail This event history simplifies security analysis, resource change tracking, and troubleshooting. CloudTrail facilitates governance, compliance, and operational and risk auditing. With CloudTrail, you can log, continuously monitor, and retain account activity that is related to actions across your AWS infrastructure **exam** -- use this for APIs

Answer 93

VPC Flow Logs **exam** -- packet capture

Answer 94

CloudTrail With CloudTrail, you can get a history of AWS API calls in your account. Store your CloudTrail API usage logs in an S3 bucket. **exam** -- event triggering and useful for security

Answer 95

VPC Flow Logs **exam** -- this is for packet capture... any question dealing with stuff moving or not connecting eg network diagnostics; if it's a problem with permissions would be cloudwatch

Answer 96

CloudWatch alarm An alarm has three possible states: * OK – The metric is within the defined threshold. * ALARM – The metric is outside the defined threshold. * INSUFFICIENT_DATA – The alarm has started, the metric is not available, or not enough data is available for the metric to determine the alarm state. exam -- trick question measuring memory util is not available as part of the based metrics; will need to use an agent to send log data

Answer 97

EventBridge Amazon EventBridge removes the friction of writing point-to-point integrations. You can access changes in data that occur in both AWS and software as a service (SaaS) applications through a highly scalable, central stream of events. EventBridge is the preferred way to manage your events that are captured in CloudWatch. CloudWatch Events and EventBridge are the same underlying service and API, but EventBridge provides more features. Changes that you make in either CloudWatch or EventBridge will appear in each console. NOTE: can react and do something such as send an alarm to a specific target; gives you more services

Answer 98

Elastic Load Balancing **exam** -- key area; works with services in multiple AZs to provide HA

Answer 99

App, network, & gateway * Application Load Balancer – This load balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. Application Load Balancer supports content-based routing, applications that run in containers, and open standard protocols (WebSocket and HTTP/2). This type of balancer is ideal for advanced load balancing of HTTP and HTTPS traffic. * Network Load Balancer – This load balancer is designed to handle tens of millions of requests per second while maintaining high throughput at ultra-low latency. Network Load Balancer operates at the transport layer (Layer 4), and routes connections to targets based on IP protocol data. Targets include EC2 instances, containers, and IP addresses. It is ideal for balancing TCP and User Diagram Protocol (UDP) traffic. * Gateway Load Balancer – You can use this load balancer to deploy, scale, and manage your third-party virtual appliances. It provides one gateway for distributing traffic across multiple virtual appliances, and scales them up or down, based on demand. This distribution reduces potential points of failure in your network and increases availability. Gateway Load Balancer passes all Layer 3 traffic transparently through third-party virtual appliances. It is invisible to the source and destination NOTE: could use multiple ones together.

Answer 100

Application Load Balancer NOTE: considered "smart" but at a speed cost

Answer 101

Network Load Balancer NOTE: does support certificate manager (ACM) TLS offloading as well; you put NLBs in front of ALBs **Elastic Load Balancing now supports forwarding traffic directly from Network Load Balancer to Application Load Balancer. With this feature, you can use AWS PrivateLink and expose static IP addresses for applications that are built on Application Load Balancer.

Answer 102

Gateway Load Balancer **EXAM:** speed; used with virtual appliances (keywords) such as firewall, IDS, etc.

Answer 103

AWS Auto Scaling Provides application scaling for multiple resources across services, in short intervals EC2 & ASG (autoscaling group) supporting HA but you don't have to use a LB with ASG;

Answer 104

AWS EC2 Auto Scaling

Answer 105

AWS Auto Scaling

Answer 106

Amazon EC2 Auto Scaling Auto Scaling groups

Answer 107

Launch templates: What resources do you need? Amazon EC2 Auto Scaling group: Where and how many do you need? Auto scaling policy: When and for how long do you need them? NOTE: You are strongly encouraged to create Auto Scaling groups from launch templates to get the latest features from Amazon EC2. A launch configuration is an instance configuration template that an Auto Scaling group uses to launch EC2 instances. When you create a launch configuration, you must specify information about the EC2 instances to launch. Include the AMI, instance type, key pair, security groups, and block device mapping. Launch or terminate instances to meet capacity demands.

Answer 108

scheduled scaling: you can scale your application before known load changes. For example, every week, the traffic to your web application starts to increase on Wednesday, remains high on Thursday, and starts to decrease on Friday. You can plan your scaling activities based on the known traffic patterns of your web application. dynamic scaling: you define how to scale the capacity of your Amazon EC2 Auto Scaling group in response to changing demand. For example, suppose that you have a web application that currently runs on two instances. You want the CPU utilization of the group to stay at about 50 percent when the load on the application changes. As a result, you have extra capacity to handle traffic spikes without maintaining an excessive number of idle resources. predictive scaling: to increase the number of EC2 instances in your group in advance of daily and weekly patterns in traffic flows. NOTE: it is recommended that you scale out early and fast, while you scale in slowly over time.

Answer 109

IaC has the following benefits: * Speed and safety – Your infrastructure is built programmatically, which makes it faster than manual deployment and makes errors less likely. * Reusability – You can organize your infrastructure into reusable modules. * Documentation and version control – Your templates document your deployed resources, and version control provides a history of your infrastructure over time. You can also roll back to a previous working version of your infrastructure in the event of error. * Validation – You perform code review on your templates, which decreases the chances of errors.

Answer 110

* Written as JSON or YAML * Describes the resources to be created or modified * Treated as source code: * Code reviewed * Version controlled JSON { "Resources" : { "HelloBucket" : { "Type" : "AWS::S3::Bucket" } } } YAML Resources: HelloBucket: Type: AWS::S3::Bucket **exam** -- Make sure you know how to look at the events; some parameter info; know that there are 2 languages and difference between

Answer 111

* A collection of AWS resources that are managed as a single unit * Can deploy and delete resources as a unit * Can update resources and settings on running stacks * Supports nested stacks and cross-stack references All resources in a stack are defined by the stack’s CloudFormation template. You can manage a collection of resources by creating, updating, or deleting stacks

Answer 112

Elastic Beanstalk **exam:** generates a cloud formation script The goal of Elastic Beanstalk is to help developers deploy and maintain scalable web applications and services in the cloud without worrying about underlying infrastructure. Elastic Beanstalk configures each EC2 instance in your environment with the components necessary to run applications for the selected application type.

Answer 113

AWS Systems Manager **exam** -- suite of servicees With Systems Manager, you can: * Create logical groups of resources such as applications, different layers of an application stack, or development and production environments. * Select a resource group and view its recent API activity, resource configuration changes, related notifications, operational alerts, software inventory, and patch compliance status. * Take action on each resource group depending on your operational needs. * Centralize operational data from multiple AWS services and automate tasks across your AWS resources.

Answer 114

Amazon CodeWhisperer Key is that integrates with IDEs AI coding companion: * Generates code suggestions based on comments and existing code * Offers real-time support for code authoring directly within your integrated development environment (IDE) Also, AI security scanner: * Helps identify hard-to-find vulnerabilities

Answer 115

Amazon EKS **exam** -- ec2 runs under both; ECS is easier least effort; eks has more features

Answer 116

Amazon ECS **exam** -- ec2 runs under both; ECS is easier least effort; eks has more features

Answer 117

Amazon Elastic Container Registry (Amazon ECR)

Answer 118

Amazon Elastic Container Service (Amazon ECS)

Answer 119

Application Load Balancer This diagram shows an application load balancer that is sending web traffic based on the path of APIs in the request for each service. You register the user service, topic service, and message service with different target groups. When Amazon ECS starts a task for your service, it registers the container and port combination with the service’s target group. The Application Load Balancer routes traffic to and from that container.

Answer 120

Amazon Elastic Kubernetes Service (Amazon EKS)

Answer 121

AWS Fargate **exam** -- fargate manages the raw compute resources fully; you just run and manage the apps Fargate eliminates the need for you to interact with or think about servers or clusters. With Fargate, you can focus on designing and building your applications instead of managing the infrastructure that runs them.

Answer 122

Amazon EKS Amazon EKS requires more configuration, but offers more control over your environment

Answer 123

ECS with Fargate

Answer 124

VPC Endpoint

Answer 125

VPC endpoints A VPC endpoint provides a reliable path between your VPC and supported AWS services. You do not need an internet gateway, a NAT device, a VPN connection, or an AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components. They permit communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.

Answer 126

gateway (VPC) endpoint or gateway endpoint **EXAM:** Must have routes and only supports 2 services; know that S3 & DynamoDB are for GW only; if question has no "on premise" points to it, then it's gateway as the answer

Answer 127

Amazon S3 and Amazon DynamoDB **EXAM:** for S3 decision (interface v. gateway), then see if it's needed from on-prem the it's interface; if not and want the cheapest, then it's gateway

Answer 128

An interface (VPC) endpoint or interface endpoint **EXAM:** Interface will have ENIs along with supporting more services; **exam** -- useful for sites on outside of VPC; if you want to access something from a public subnet in your VPC to a private resource on the exam question, then it's interface even if it's S3 or DynamoDB

Answer 129

Interface endpoint

Answer 130

VPC peering **exam:** can be cross regions but No transitive peering relationships meaning a to b to c doesn't allow a to talk to c & vice versa VPC peering limitations and rules include: * There is a limit on the number of active and pending VPC peering connections that you can have per VPC. * You can have only one VPC peering connection between the same two VPCs. * The maximum transmission unit (MTU) across a VPC peering connection is 1,500 bytes.

Answer 131

*Bypasses the internet gateway or virtual private gateway * Provides highly available connections — no single point of failure *Avoids bandwidth bottlenecks *Uses private IP addresses to direct traffic between VPCs Traffic using inter-region VPC Peering always stays on the global AWS backbone and never traverses the public internet, thereby reducing threat vectors, such as common exploits and DDoS attacks.

Answer 132

T each VPC must have a one-to-one connection with each VPC with which it is approved to communicate.

Answer 133

AWS Site-to-Site VPN exam: always 2 GWs to ensure failover; but this has limited bandwidth due to VPN overhead; that's why direct connect might be better option

Answer 134

customer gateway device must bring up the tunnels for your AWS Site-to-Site VPN connection by generating traffic and initiating the Internet Key Exchange (IKE) negotiation process

Answer 135

AWS Direct Connect links your internal network to a Direct Connect location over a standard Ethernet fiber-optic cable. One end of the cable is connected to your router, the other to a Direct Connect router. This connection is called the cross-connect. With this connection, you can create virtual interfaces directly to public AWS services (for example, to Amazon S3) or to Amazon VPC, bypassing internet service providers (ISPs) in your network path. **exam:** know that it can be up to 100GB; it's a single point of failure so not highly available--key point!; secure physical connection; for private connectivity

Answer 136

common architecture practice to have both; ensures redundancy/bc

Answer 137

Site-to-Site VPN * Connection fee (per hour) * Data transfer out (DTO) ** Measured per gigabyte (GB) ** First 100 GB are at no charge Direct Connect * Capacity (Mbps) * Port hours ** Time that a port is provisioned for your use in the data center * Data transfer out (DTO) ** Measured per gigabyte (GB) DTO is egress out charge

Answer 138

Choose AWS VPN solutions when you: * Need a way to quickly establish a network connection between your on-premises networks and your VPC * Need to stay within a small budget * Require encryption in transit * Faster to configure than Direct Connect NOTE: Limited to 1.25 Gbps connection maximum

Answer 139

Consider Direct Connect when you: * Need faster connectivity options than what AWS Site-to-Site VPN can provide * Are already in a collocation that supports Direct Connect * Need predictable network performance NOTE: Sub-1, 1, 10, or 100 Gbps connection options Requires special agreements and physical cabling to the data center Pay for port hours whether the connection is active or not Not encrypted by default, but a private, dedicated connection

Answer 140

Transit Gateway

Answer 141

transit gateway A transit gateway acts as a cloud router to simplify your network architecture.

Answer 142

Transit Gateway Network Manager

Answer 143

F Traffic between a VPC and transit gateway remains on the AWS global private network and is not exposed to the public internet. Transit Gateway inter-Region peering encrypts all traffic. With no single point of failure or bandwidth bottleneck, it protects you against DDoS attacks and other common exploits.

Answer 144

attachments and route tables **Attachments** — You can attach the following: * One or more VPCs * A Connect SD-WAN/third-party network appliance * An AWS Direct Connect gateway * A peering connection with another transit gateway * A VPN connection to a transit gateway

Answer 145

a source and a destination of packets. You can attach one or more of the following resources if they are in the same Region as the transit gateway: * VPC * VPN connection * Direct Connect gateway * Transit Gateway Connect * Transit Gateway peering connection You can use VPN connections and Direct Connect gateways to connect your on-premises data centers to transit gateways. With a transit gateway, you can connect with VPCs in the AWS Cloud, which creates a hybrid network.

Answer 146

default transit gateway route table if only one route table/gw, then everything in there is meshed; operates at layer 3

Answer 147

T and this provides one central routing point

Answer 148

You can use AWS Resource Access Manager to share your transit gateway with other accounts. After you share a transit gateway with another AWS account, the account owner can attach their VPCs to your transit gateway. A user from either account can delete the attachment at any time.

Answer 149

Attachment

Answer 150

A transit gateway attachment is a source and a destination of packets. You can attach the following resources to your transit gateway: * One or more VPCs * One or more VPN connections * One or more Direct Connect gateways * One or more transit gateway peering connections

Answer 151

Transit Gateway is the central hub that helps you control communication between attached resources. It is controlled through route tables.

Answer 152

serverless **exam:** decoupling from an architect concern

Answer 153

* No infrastructure to provision or manage * No servers to provision, operate, or patch * Scales automatically by unit of consumption, rather than by server unit * Pay-for-value billing model (pay for the unit, rather than by server unit) * Built-in availability and fault tolerance * No need to architect for availability because it is built into the service

Answer 154

serverless code versus serverless containers

Answer 155

SQS--serverless queues (Standard or FIFO) which is always 1-1; polling; publisher/consumer; persistent with DLQ for error handling; offers hosted queues that integrate and decouple distributed software systems and components. Amazon SQS provides a generic web services API that you can access using any programming language supported by AWS SDK. Messages in the queue are typically processed by a single subscriber. SNS--use when you need more than one recipient; create topics (FIFO or Standard) pub/sub; 1-many; publish-subscribe service that provides message delivery from publishers (also known as producers) to multiple subscriber endpoints(also known as consumers). Publishers communicate asynchronously with subscribers by sending messages to a topic, which is a logical access point and communication channel. Subscribers can subscribe to an Amazon SNS topic and receive published messages using a supported endpoint type, such as Amazon Data Firehose, Amazon SQS, Lambda, HTTP, email, mobile push notifications, and mobile text messages (SMS). Amazon SNS acts as a message router and delivers messages to subscribers in real time. If a subscriber is not available at the time of message publication, the message is not stored for later retrieval; managed service that provides message delivery from publishers to subscribers (also known as producers and consumers) **Exam:** SQS is persistent; SNS isn't; SQS is 1-1, serverless, & uses a polling model

Answer 156

real time need it now; streaming

Answer 157

SQL queries; serverless Athena helps you analyze unstructured, semi-structured, and structured data stored in Amazon S3. Athena is serverless, so there is no infrastructure to set up or manage, and you can start analyzing data immediately. You don’t even need to load your data into Athena; it works directly with data stored in Amazon S3. Analyze petabyte-scale data where it lives

Answer 158

API gateway With Amazon API Gateway, you can create, publish, maintain, monitor, and secure APIs **exam:** can be in front of SQS, Lambda, etc.

Answer 159

* Creates a unified API frontend for multiple microservices * Provides distributed denial of service (DDoS) protection and throttling for your backend * Authenticates and authorizes requests to a backend * Throttles, meters, and monetizes API usage by third-party developers

Answer 160

SQS Note: it's FIFO push/pull-polling/pull; DLQ is an error handler of sorts

Answer 161

**exam:** know that producer/consumer is associated with SQS In this example, a producer application creates customer orders and sends them to an Amazon SQS queue. A consumer application processes orders from the producer application tier. The consumer application polls the queue and receives messages. It then records the messages in an Amazon Relational Database Service (Amazon RDS) database and deletes the processed messages from the SQS queue. Amazon SQS sends messages that cannot be processed to a dead-letter queue where they can be processed later.

Answer 162

Standard & FIFO Standard queues support at-least-once message delivery and provide best-effort ordering. Messages are generally delivered in the same order in which they are sent. However, because of the highly distributed architecture, more than one copy of a message might be delivered out of order. Standard queues can handle a nearly unlimited number of API calls per second. You can use standard message queues if your application can process messages that arrive more than once and out of order. FIFO queues are designed to enhance messaging between applications when the order of operations and events is critical or where duplicates can't be tolerated. FIFO queues also provide exactly-once processing, but have a limited number of API calls per second

Answer 163

Standard Standard queues support at-least-once message delivery and provide best-effort ordering. Messages are generally delivered in the same order in which they are sent. However, because of the highly distributed architecture, more than one copy of a message might be delivered out of order. Standard queues can handle a nearly unlimited number of API calls per second. You can use standard message queues if your application can process messages that arrive more than once and out of order.

Answer 164

FIFO queues are designed to enhance messaging between applications when the order of operations and events is critical or where duplicates can't be tolerated. FIFO queues also provide exactly-once processing, but have a limited number of API calls per second.

Answer 165

-Service-to-service communication -Asynchronous work items -State change notifications Not good for: -Selecting specific messages -Large messages (256K & up) **exam:** anywhere there are 2 services, think decoupling; know these use cases

Answer 166

Amazon SNS is a web one-to-many; push algorithm **exam:** publisher / subscriber (pub-sub) are key terms here versus SQS

Answer 167

Instead of including a specific destination address in each message, a publisher sends a message to the topic. Amazon SNS matches the topic to a list of subscribers for that topic, and delivers the message to each subscriber

Answer 168

**exam:** know use cases; use this with cloud watch notifications * You can receive immediate notification when an event occurs, such as a specific change to your Auto Scaling group. * You can push targeted news headlines to subscribers by email or SMS. Upon receiving the email or SMS text, interested readers can choose to learn more by visiting a website or launching an application. * You can send notifications to an app, indicating that an update is available. The notification message can include a link to download and install the update.

Answer 169

-Single published message -No recall options (When a message is delivered successfully, there is no way to recall it. ) -HTTP or HTTPS retry -Standard or FIFO topics **exam:** no durability ... once it expires it's gone

Answer 170

Uses the observer type and illustrates a fan-out scenario using Amazon SNS and Amazon SQS. **exam:** know fan-out term and that use both SNS & SQS; one message with many destinations In a fan-out scenario, a message is sent to an SNS topic and is then replicated and pushed to multiple SQS queues, HTTP endpoints, or email addresses. This allows for parallel asynchronous processing. In this example, Amazon SNS fans out orders to two different SQS queues. Two Amazon EC2 instances each observe a queue. One of the instances handles the processing or fulfillment of the order, while the other is attached to a data warehouse for analysis of all orders received.

Answer 171

**exam:** this is the key to know; Kinesis: recognize data streams (analytics even though it collects & stores); associate with large amounts of real time data consumption; ex: IoT processing vs. firehose (loading data & ETL it); no intermediary; focuses on back end processing; Kinesis Data Firehose can send records to Amazon S3, Amazon Redshift, Amazon OpenSearch Service, and any HTTP endpoint that you own.

Answer 172

shards exam: streams breaks up data to move through the stream to have "manageable chunks"; shard determines throughput for bandwidth required Producers write data into the stream. A producer might be an EC2 instance, a mobile client, an on-premises server, or an IoT device. You can send data such as infrastructure logs, application logs, market data feeds, and web clickstream data. Consumers read the streaming data that the producers generate. A consumer might be an application running on an EC2 instance or AWS Lambda. An application on an EC2 instance will need to scale as the amount of streaming data increases.

Answer 173

Step Functions known as a state engine (vending machine example) allows you to visually build the end-to-end coordination of services

Answer 174

exam: higher level protection at layer 7; associate AWS Shield with DDoS

Answer 175

Route 53 **exam:** DNS; used for load balancing; HA across AZs; can load balance across regions with weighting routing It translates names like example.com into the numeric IP addresses that computers use to connect to each other. With Route 53, you can purchase and manage domain names, such as example.com, and automatically configure DNS settings for your domains. Route 53 effectively connects user requests to infrastructure running in AWS, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, Elastic Load Balancing (ELB) load balancers, or Amazon Simple Storage Service (Amazon S3) buckets. You can also use it to route users to infrastructure outside of AWS. You can configure an Amazon CloudWatch alarm to check on the state of your endpoints. Combine your DNS with health check metrics to monitor and route traffic to healthy endpoints.

Answer 176

Public hosted zone * Route to internet-facing resources * Resolve from the internet * Use global routing policies Private hosted zone * Route to VPC resources * Resolve from inside the VPC * Integrate with on-premises private zones using forwarding rules and endpoints exam: know the difference

Answer 177

Private hosted zones; used for internal subdomains

Answer 178

exam: allows you to load balance with failover (uses health check such as a server, app perf, or other resource; can use cloud watch alarm) and weighted routing; know each of these policies * Simple routing policy – Use for a single resource that performs a given function for your domain. An example is a web server that serves content for the example.com website. * Failover routing policy – Use when you want to configure active-passive failover. * Geolocation routing policy – Use when you want to route traffic based on the location of your users. * Geoproximity routing policy – Use when you want to route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another. * Latency routing policy – Use when you have resources in multiple AWS Regions and you want to route traffic to the Region that provides the lowest latency with less round-trip time. * Multivalue answer routing policy – Use when you want Route 53 to respond to DNS queries with up to eight healthy records selected at random. * Weighted routing policy – Use to route traffic to multiple resources in proportions that you specify.

Answer 179

CloudFront improves security because you can add additional services such as WAF and Shield

Answer 180

CloudFront caching

Answer 181

* TCP optimization – CloudFront uses TCP optimization to observe how fast a network is already delivering your traffic and the latency of your current round trips. It then uses that data as input to automatically improve performance. * TLS 1.3 support – CloudFront supports TLS 1.3, which provides better performance with a simpler handshake process that requires fewer round trips. It also adds improved security features

Answer 182

everyone gets standard; get extra services with Advanced -- SRT, WAF, Firewall Manager, etc.

Answer 183

AWS Firewall Manager * Centrally set up baseline security. * Consistently enforce the protections. * Seamlessly manage multiple accounts.

Answer 184

AWS Outposts family You need a solution to securely store and process customer data that must remain on premises or in countries outside of an AWS Region. You need to run data-intensive workloads and process data locally, or when you want closer controls on data analysis, backup, and restore

Answer 185

your Outpost exam: know these services

Answer 186

Lack of testing

Answer 187

more than one availability zone

Answer 188

Fault tolerance

Answer 189

Recovery Point Objective (RPO)

Answer 190

Recovery Time Objective (RTO)

Answer 191

AWS Snow Family

Answer 192

AWS Backup central place to build your backup policy AWS Backup works with AWS Organizations. It centrally deploys data protection policies to configure, manage, and govern your backup activity. It works across your AWS accounts and resources, including Amazon EC2 instances and Amazon EBS volumes. You can back up databases such as DynamoDB tables, Amazon DocumentDB and Amazon Neptune graph databases, and Amazon RDS databases, including Amazon Aurora database clusters. You can also back up Amazon EFS, Amazon S3, AWS Storage Gateway volumes, and all versions of Amazon FSx, including FSx for Lustre and FSx for Windows File Server.

Answer 193

Simplicity Compliance Control costs Simplicity: Policy-based and tag-based backup solution; Backup access policies; provides a central place to manage and monitor your backups Compliance: Automated backup scheduling; Monitoring and logs of centralized backup activity; Encrypted backups; enforce backup policies, encrypt your backups, protect your backups from manual deletion, and prevent changes to your backup lifecycle settings Control costs: Automated management of backup retention; No added cost for orchestration; reduces the risk of downtime; reduce operating costs by reducing time spent on manual configuration and by automating backups.

Answer 194

Vault When you create a backup vault, you assign an AWS Key Management Service (AWS KMS) encryption key to encrypt backups that do not have their own encryption methods. Also, it's a best practice to use Tags for backup – You specify tags that will be assigned to backups created by this plan.

Answer 195

From cheapest to most expensive: (sorted from highest to lowest RTO and RPO), 1. Backup and restore: RPO-RTO: Hours 2. Pilot light: RPO-RTO: 10s of minutes 3. Warm standby: RPO-RTO: minutes 4. Multi-site active/active: RPO-RTO: Real time

Answer 196

Elastic Fabric Adapter (EFA)

Answer 197

Amazon Cognito processes more than 100 billion authentications per month. The service helps you implement customer identity and access management (CIAM) into your web and mobile applications. You can quickly add user authentication and access control to your applications in minutes. * Frictionless, customizable customer IAM * Advanced security features for sign-up and sign-in * High-performing, scalable user directory * Standards-based, federated sign-in capabilities As an alternative to using IAM roles and policies or Lambda authorizers (formerly known as custom authorizers), you can use an Amazon Cognito user pool to control who can access your API in Amazon API Gateway.

Answer 198

Standard-Infrequent Access (S3 Standard-IA)

Answer 199

One Zone-Infrequent Access (S3 One Zone-IA)

Answer 200

Glacier Instant Retrieval

Answer 201

Glacier Flexible Retrieval

Answer 202

Glacier Deep Archive

Answer 203

permissions boundary An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.

Answer 204

“long term”

Answer 205

Volume Gateway exam – associate with EBS & your “boot” device