test questions Flashcards

Question

when to install CW agent, what information can be attained

Answer 1

MEMORY AND SPECIFIC METRICS

Answer 2

Even though snapshots are saved incrementally, the snapshot deletion process is designed so that you need to retain only the most recent snapshot in order to create volumes. Data that was present on a volume, held in an earlier snapshot or series of snapshots, that is subsequently deleted from that volume at a later time, is still considered unique data of the earlier snapshots. This unique data is not deleted from the sequence of snapshots unless all snapshots that reference the unique data are deleted.

Answer 3

AWS Organizations SCPs don't replace associating IAM policies within an AWS account. IAM policies allow or deny access to AWS services or API actions that work with IAM. An IAM policy can be applied only to IAM identities (users, groups, or roles). IAM policies can't restrict the AWS account root user. You can use SCPs to allow or deny access to AWS services for individual AWS accounts with AWS Organizations member accounts, or for groups of accounts within an organizational unit (OU). The specified actions from an attached SCP affect all IAM identities including the root user of the member account. Now, using SCPs, you can specify Conditions, Resources, and NotAction to deny access across accounts in your organization or organizational unit. For example, you can use SCPs to restrict access to specific AWS Regions, or prevent your IAM principals from deleting common resources, such as an IAM role used for your central administrators. You can also define exceptions to your governance controls, restricting service actions for all IAM entities (users, roles, and root) in the account except a specific administrator role.

Answer 4

An S3 ACL is a sub-resource that's attached to every S3 bucket and object. It defines which AWS accounts or groups are granted access and the type of access. A bucket policy is a resource-based AWS Identity and Access Management (IAM) policy. You add a bucket policy to a bucket to grant other AWS accounts or IAM users access permissions for the bucket and the objects in it. Object permissions apply only to the objects that the bucket owner creates.

Answer 5

AUTOMATION WITH LONGER SCALING: Docker is a software container platform, It lets you packages all your tools into one isolated container. That container will be run as a service, e.g : Nginx, mysql server, redis. AUTOMATION AND SCALING: AWS Lambda is a FAAS (Function as a service), it lets you run code without provisioning or managing servers.

Answer 6

Per account, per region | Cost if not attached to anything

Answer 7

Enhanced Networking enables you to get significantly higher packet per second (PPS) performance, lower network jitter and lower latencies. This feature uses a new network virtualization stack that provides higher I/O performance and lower CPU utilization compared to traditional implementations.

Answer 8

grouped together on same instance or same machine Availability zone can do max 20ec2 usually, or based on v-cpu. still 20.. MAKE SURE ALL SAME TYPE AND SIZE FOR THE AVAIL ZONE, MACHINE MAY BE BEST USING THIS This means if you have an amount and need more you will need to terminate entire amount because they are on the same machine.

Answer 9

allowing dynamic routing for VPN connections We recommend that you use BGP-capable devices, when available, because the BGP protocol offers robust liveness detection checks that can assist failover to the second VPN tunnel if the first tunnel goes down. Devices that don't support BGP may also perform health checks to assist failover to the second tunnel when needed.

Answer 10

When using autoscaling and automated ec2 creation its best to pass commands in cloud init for access files from S3, for security procedure make sure that a role is used, a role will be able to be taken away easier if needed. The cloud-init package configures specific aspects of a new Amazon Linux instance when it is launched; most notably, it configures the .ssh/authorized_keys file for the ec2-user so you can log in with your own private key. For more information, see cloud-init.

Answer 11

You can set RCU limits to limit speed, increase limit to increase consumption to allow increased scalling. Amazon DynamoDB has two read/write capacity modes for processing reads and writes on your tables: Read 4kb Write 1kb On-demand Provisioned (default, free-tier eligible) --------- On-Demand Mode- pay as you go Thousands of operations per second pay as you go for unknown workload that is unpredictable. Peak Traffic and Scaling, the scaling depends on YOUR PEAK TRAFFIC, so it scales to your PEAK load!!! ----------- provisioned- just pay before this is throttled, system tries to maintain capacity specify reads and writes autoscaling can change in response to changes good for predictable, consistent, forecasted workload

Answer 12

EFS posix compliant and uses nfsv4 protocol, SHARED | EBS is block store, only for one location at a time. NOT SHARED

Answer 13

SSE KMS, AWS alkows users to create and manage keys, but aws manages encryption, SERVER SIDE -KMS can perform cryptographic operations itself. -AWS KMS encrypts only the object data. Any object metadata is not encrypted. FIPS 140-2 Regional service ------- SSEC, client manage keys, AWS manage encryption and decryption. S3 encrypts data S3 services manages the actual encryption and decryption --------- SSE-S3 AES256 AWS manage key and encryption, SERVER SIDE, encryption happens in S3 S3 generates fully managed and rotated master key automatically. Master key used to encrypt, the encrypted master key along with item is stored together -------------- Client- AWS sees nothing ---- CMK- customer master key, managed by KMS, physical keys, used for encryption

Answer 14

Anything including application load balancer and below needs ADVANCED Anything that starts at route 53 and cloudfront uses FREE cloudfront without route 53 is difficult

Answer 15

SNS has fanout to send multiple requests for SQS queues.

Answer 16

Static, if links are the key then you can scale this much easier and cheaper, ec2 not needed, EC2 is only needed for dynamic pages.

Answer 17

In computer networking, multicast is group communication where data transmission is addressed to a group of destination computers simultaneously. build servers in ASG/LT group and use OS?

Answer 18

Messages need to be processed, sometimes if they are errored, the return message of "process complete" doesnt occur, which puts the message back into the main queue, you would be best to assign this to another list called a DEAD LETTER QUEUE. Amazon SQS supports dead-letter queues, which other queues (source queues) can target for messages that can't be processed (consumed) successfully. Dead-letter queues are useful for debugging your application or messaging system because they let you isolate problematic messages to determine why their processing doesn't succeed. For information about creating a queue and configuring a dead-letter queue for it using the Amazon SQS console

Answer 19

EGRESS IS ONLY FOR IPV6 | NAT GATEWAY ALLOWS INTERNAL IPV4 TO NAT TRANSLATE TO CONNECT ONLINE

Answer 20

AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud HSM will not integrate with AWS by design and uses industry standard APIs. PKCS#11 Java Cryptography Extensions (JCE) Microsoft CryptoNG (CNG) libraries INTEGRATION: With KMS, it is used as a custom Key store not HA, needs endpoint in subnet of VPC Cloud HSM Use Cases No native AWS integration with AWS products. You can't use S3 SSE with CloudHSM. Can offload the SSL/TLS processing from webservers. CloudHSM is much more efficient to do these encryption processes. Oracle Databases can use CloudHSM to enable transparent data encryption (TDE) Can protect the private keys an issuing certificate authority. Anything that needs to interact with non AWS products.

Answer 21

Customer Master keys, can be generated in cloudHSM used in KMS to create customer owned keys. Custom Key store is supported by KMS, backed by CloudHSM, KMS generates and stores NON extractible encrypted keys. CUSTOMER OWNED AND CUSTOMER MANAGED However, you might consider creating a custom key store if your organization has any of the following requirements: Key material cannot be stored in a shared environment. Key material must be backed up in multiple AWS Regions. Key material must be subject to a secondary, independent audit path. The HSMs that generate and store key material must be certified at FIPS 140-2 Level 3. FIPS 140-2 Level 3. FIPS 140-2 Level 3. FIPS 140-2 Level 3.

Answer 22

when you are currently using messaging systems outside of amazon and want to migrate into AWS It supports industry-standard APIs and protocols switch from any standards-based message broker to Amazon MQ without rewriting the messaging code in your applications

Answer 23

FOR REDSHIFT ONLY ALLOWS CUSTOM ENDPOINTS CANNOT MAKE FLOWLOG OF REDSHIFT CLUSTER separation of labor for clusters Redshift forces all COPY and UNLOAD traffic between your cluster and your data repositories through your Amazon VPC. By using enhanced VPC routing, you can use standard VPC features, such as VPC security groups, network access control lists (ACLs), VPC endpoints, VPC endpoint policies, internet gateways, and Domain Name System (DNS) servers, as described in the Amazon VPC User Guide.

Answer 24

Columnar storage Paralell processing , columnar result caching backs up to S3 Components Cluster, set of nodes, LEADER and COMPUTE slave nodes One DB per cluster, scale by adding nodes, or better types Leader: Accepts paralell connections and requests and fowards them to compute Compute: Execute search, sent to leader node NODE type Dense storage large HDD Dense Compute Performance large SSD

Answer 25

Queries against exabytes of data in S3 no Ehanced vpc routing scans only columns rather than rows

Answer 26

Lambda@Edge lets you run Lambda functions to customize the content that CloudFront delivers, executing the functions in AWS locations closer to the viewer. RUN VIA in response to CloudFront events, events - After CloudFront receives a request from a viewer (viewer request) - Before CloudFront forwards the request to the origin (origin request) - After CloudFront receives the response from the origin (origin response) - Before CloudFront forwards the response to the viewer (viewer response)

Answer 27

501 not setup 502 internet issues 503 server down 504 timeout, dns slow

Answer 28

Stop would mean that persistant information is required, CLI doesnt allow stopping of instance stores, only EBS. It gives a CLI error.

Answer 29

Partition key: A simple primary key, composed of one attribute known as the partition key. Attributes in DynamoDB are similar in many ways to fields or columns in other database systems. Partition key and sort key: Referred to as a composite primary key, this type of key is composed of two attributes. The first attribute is the partition key, and the second attribute is the sort key. Following is an example.

Answer 30

Partition keys and request throttling DynamoDB evenly distributes provisioned throughput—read capacity units (RCUs) and write capacity units (WCUs)—among partitions and automatically supports your access patterns using the throughput you have provisioned. However, if your access pattern exceeds 3000 RCU or 1000 WCU for a single partition key value, your requests might be throttled with a ProvisionedThroughputExceededException error. Reading or writing above the limit can be caused by these issues: Uneven distribution of data due to the wrong choice of partition key Frequent access of the same key in a partition (the most popular item, also known as a hot key) A request rate greater than the provisioned throughput To avoid request throttling, design your DynamoDB table with the right partition key to meet your access requirements and provide even distribution of data.

Answer 31

Values that are unique, colors are low card, ID are high cardinal, **repeating items over and over for low cardinality WHEN YOU SEARCH YOU WANT TO MAKE SURE YOU DONT OVERSEARCH ALL ITEMS, HAVING EASY TO SEARCH TERMS MAKE IT BETTER

Answer 32

Use high-cardinality attributes. These are attributes that have distinct values for each item, like e-mailid, employee_no, customerid, sessionid, orderid, and so on. Use composite attributes. Try to combine more than one attribute to form a unique key, if that meets your access pattern. For example, consider an orders table with customerid+productid+countrycode as the partition key and order_date as the sort key. Cache the popular items when there is a high volume of read traffic using Amazon DynamoDB Accelerator (DAX). The cache acts as a low-pass filter, preventing reads of unusually popular items from swamping partitions. For example, consider a table that has deals information for products. Some deals are expected to be more popular than others during major sale events like Black Friday or Cyber Monday. DAX is a fully managed, in-memory cache for DynamoDB that doesn’t require developers to manage cache invalidation, data population, or cluster management. DAX also is compatible with DynamoDB API calls, so developers can incorporate it more easily into existing applications. Add random numbers or digits from a predetermined range for write-heavy use cases. so that a query comes up with less choices and doesn't need to read everything

Answer 33

Provides managed AWS endpoints. Can also perform authentication to prove you are who you claim. You can create an API and present it to your customers for use. THROTTLE API tracks requests, owners set rate limit for REST and BURST, rest meaning norm and burst for high Beyond limit request will equal 429 HTTP response, which will protect backend! RESULT CACHING caching can allow reduced traffic to source, TTL will determine how long it needs to stay and alternative outside management api will help inavlidate cache for each stage.

Answer 34

Cloudwatch only does CPU utilization EHANCED allow MEMORY and CPU BANDWITH

Answer 35

1. multiple AZ, choose one with most INSTANCES 2. when even, choose oldest launch config 3. which is next to closest next billing hour 4. NEXT IS RANDOM

Answer 36

works with MYSQL AND POSTRESQL, dont use password, use a token. IAM database authentication provides the following benefits: Network traffic to and from the database is encrypted using Secure Sockets Layer (SSL). You can use IAM to centrally manage access to your database resources, instead of managing access individually on each DB instance. For applications running on Amazon EC2, you can use profile credentials specific to your EC2 instance to access your database instead of a password, for greater security. STS NOT COMPATIBLE WITH RDS

Answer 37

S3 REDSHIFT ELASTISEARCH SPLUNK

Answer 38

hot, freq access warm, less freq access cold, rare acess

Answer 39

LUSTRE parallel hot storage! is a high-performance file system for fast processing of workloads. Lustre is a popular open-source parallel file system which stores data across multiple network file servers to maximize performance and reduce bottlenecks. NOT PARALELL!!! is a fully managed Microsoft Windows file system with full support for the SMB protocol, Windows NTFS, Microsoft Active Directory ( AD ) Integration.

Answer 40

Aurora synchronously replicates the data across Availability Zones to six storage nodes associated with your cluster volume. RDS NOT SYNCHRONOUS MULTI AZ IS SYNCHRONOUS DYNAMO IS ASYNCH

Answer 41

IO is good for high throughput but small IO tasks ST is only high throughput at large IO tasks or SEQUENTIAL

Answer 42

Cluster, each connection via a specific DB instance. to connect to aurora, the host name and port is given to a intermediate handler called an ENDPOINT. 15 READ ONLY INSTANCES CAN BE USED, THESE CAN BE GIVEN DIFFERENT ROLES Endpoints can be used to load balance requests And multiple endpoints can be used for specific type of requests, you can assign certain tasks to be on certain instances, group those in a specific endpoint and have requests portal through them. CUSTOM ENDPOINTS WILL NEED TO BE USED need to use a custom endpoint to load-balance the database connections based on the specified criteria.

Answer 43

requests that use both ipv6 and ipv4 will both need aliases on A and AAAA records, CNAME doesnt work with cloudfront on ZONE APEX which is ROOT domain after apex it will need a new target which is the A and AAAA

Answer 44

ST1 is expensive high throughput, large data sequential small IO FREQ ACCESS SC1 is similar, slower throughput but less expensive INFREQ ACESS

Answer 45

allows multiple domains to serve SSL traffic over the same IP address by including the hostname which the viewers are trying to connect to. SSL cert with need to be made with AWS cert manager create cloudfront distro associate cert with distro enable support for SNI NOT ON CLASSIC LOAD BALANCER WORKS WITH APP LOAD OR CLOUDFRONT ONLY

Answer 46

not transitive, not a HA or fault tolerant method | use connections to each site without a peering conneciton

Answer 47

shard iterator expires unexpectedly. DynamoDB table used by kinesis doesnt have enough capacity to store lease data happens with large number of shards INCREASE WRITE CAP of shard table to fix it DAX is for read improve, not writing via kinesis shards

Answer 48

STEPS only for multiple items or services to be used Lambda alone is cheaper, as long as its quick LAMBDA HAS 15 MIN LIMIT\ AWS Lambda supports synchronous and asynchronous invocation of a Lambda function. You can control the invocation type only when you invoke a Lambda function. When you use an AWS service as a trigger, the invocation type is predetermined for each service. You have no control over the invocation type that these event sources use when they invoke your Lambda function. Since the processing only takes 5 minutes, Lambda is also a cost-effective choice.

Answer 49

SQS and SWF Amazon Simple Queue Service (SQS) and Amazon Simple Workflow Service (SWF) are the services that you can use for creating a decoupled architecture in AWS. Decoupled architecture is a type of computing architecture that enables computing components or layers to execute independently while still interfacing with each other.

Answer 50

datasync COPY LARGE AMOUNTS OF DATA ST GATEWAY, CONTINOUS FILE TRANSFER DS: to S3 or EFS or FSX SMB windows SG: S3 ONLY

Answer 51

Customer gateway VPN border vpc, Virtual private gateway in vpc routers

Answer 52

To create a VPN connection, you must create a customer gateway resource in AWS, which provides information to AWS about your customer gateway device. Next, you have to set up an Internet-routable IP address (static) of the customer gateway's external interface. THIS IS CLIENT MODEM!!!!!! OR ROUTER!!!! ONSITE FIREWALL

Answer 53

Cognito: user authentication and not for providing access to your AWS resources SSO: uses STS but not for issuing credentials. SINGLE SIGN ON STS AWS Security Token Service (AWS STS) is the service that you can use to create and provide trusted users with temporary security credentials that can control access to your AWS resources. Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use.

Answer 54

**You can use Elastic Load Balancing to manage incoming requests by optimally routing traffic so that no one instance is overwhelmed. ... You can also optionally enable Amazon EC2 Auto Scaling to replace instances in your Auto Scaling group based on health checks provided by Elastic Load Balancing.** Elastic Load Balancing is used to automatically distribute your incoming application traffic across all the EC2 instances that you are running. You can use Elastic Load Balancing to manage incoming requests by optimally routing traffic so that no one instance is overwhelmed. To use Elastic Load Balancing with your Auto Scaling group, you set up a load balancer and then you attach the load balancer to your Auto Scaling group to register the group with the load balancer. Your load balancer acts as a single point of contact for all incoming web traffic to your Auto Scaling group. When an instance is added to your group, it needs to register with the load balancer or no traffic is routed to it. When an instance is removed from your group, it must deregister from the load balancer or traffic continues to be routed to it.

Answer 55

BIAS!!! Geoproximity Routing lets Amazon Route 53 route traffic to your resources based on the geographic location of your users and your resources. You can also optionally choose to route more traffic or less to a given resource by specifying a value, known as a !!!bias. A bias expands or shrinks the size of the geographic region from which traffic is routed to a resource.!!! Geolocation Routing lets you choose the resources that serve your traffic based on the geographic location of your users, meaning the location that DNS queries originate from. **Geolocation Routing is incorrect because you cannot control the coverage size from which traffic is routed to your instance in Geolocation Routing. It just lets you choose the instances that will serve traffic based on the location of your users.***

Answer 56

Perfect forward secrecy means that a piece of an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised, it exposes only a small portion of the user's sensitive data. CloudFront and Elastic Load Balancing are the two AWS services that support Perfect Forward Secrecy. Hence, the correct answer is: CloudFront and Elastic Load Balancing. EC2 and S3, CloudTrail and CloudWatch, and Trusted Advisor and GovCloud are incorrect since these services do not use Perfect Forward Secrecy. SSL/TLS is commonly used when you have sensitive data travelling through the public network.

Answer 57

You can use Amazon Cognito to deliver temporary, limited-privilege credentials to your application so that your users can access AWS resources. Amazon Cognito identity pools support both authenticated and unauthenticated identities. You can retrieve a unique Amazon Cognito identifier (identity ID) for your end user immediately if you're allowing unauthenticated users or after you've set the login tokens in the credentials provider if you're authenticating users.

Answer 58

``` STREAMS INGESTS AND STORES DATA FOR PROCESSING data available for 24 hours for customized processing LAMBDA USED HERE ``` FIREHOSE To load into specific programs S3, Elasticsearch Service, or Redshift, where data can be copied for processing through additional services.

Answer 59

Weighting and Latency can be used in conjunction with health routing policy, Weighted just seperates the conneciton according to your specs Latency makes it route to best region of latency After failure, the policy still is in affect.

Answer 60

you can assign specific endpoints and termination for aurora ONE CLUSTER 15 READERS Cluster has its own endpoint for writing and reading readers have only reading Balance to reader is built in by querying reader endpoint you can more CUSTOM ENDPOINTS for more control of read distro

Answer 61

AWS Groups are the standard groups which you can consider as collection of several users and a user can belong to multiple groups. AWS IAM Roles are all together different species; they operate like individual users except that they work mostly towards the impersonation style and perform communication with AWS API calls without specifying the credentials.

Answer 62

16 to 28 65000 to 16 Classless Inter-Domain Routing

Answer 63

S3 is immediate write but eventual consistent for puts deletes overwrites also for programs that access S3 from multiple regions they may access different reads and will have a parallel form of information that may be inconsistent. happens when FREQ WRITES AND READS MULTIPLE regions

Answer 64

However, when an RI expires, you might notice a change in the pricing of one or more of your instances. This is because any instances that were covered by the RI pricing benefit are now billed at the on-demand price.

Answer 65

Allows multiple SSL certs for the same IP address *** BIND multiple certificates behind same secure listener behind load balancer ALB will auto choose proper TLS Cert for each client. for diff domains, not sub domains

Answer 66

CERT for multiple SUB domains, not diff domains

Answer 67

Wait on resource config before stack creation proceeds | cfn-signal allows it to signal for next step

Answer 68

Not billed pending not billed preparing to stop not billed for stopped Billed for hibernate preparing to stop Billed for terminated until next bill period

Answer 69

Default, except when made in CLI

Answer 70

AWS Lambda scales your functions automatically on your behalf. Every time an event notification is received for your function, AWS Lambda quickly locates free capacity within its compute fleet and runs your code. Since your code is stateless, AWS Lambda can start as many copies of your function as needed without lengthy deployment and configuration delays.

Answer 71

Overlapping CIDR blocks Transitive peering Edge to edge routing through a gateway or private connection

Answer 72

You can copy the same AMI to multiple regions simultaneously. The console-based interface is push-based; you log in to the source region and select where you'd like the AMI to end up.

Answer 73

NOT DONE IN REGIONS | for Elastic load balancer and HA, use availability zones

Answer 74

- Attach a bucket policy to the source bucket in Account A. - Attach an AWS Identity and Access Management (IAM) policy to a user or role in Account B. - Use the IAM user or role in Account B to perform the cross-account copy.

Answer 75

CORS defines a method for client web app to load into one domain to interact with resources in another domain, NOT ANOTHER ACCOUNT Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos.

Answer 76

build collaborative apps that keep shared data updated in real time. You just specify the data for your app with simple code statements and AWS AppSync manages everything needed to keep the app data updated in real time. This will allow your app to access data in Amazon DynamoDB, trigger AWS Lambda functions, or run Amazon Elasticsearch queries and combine data from these services to provide the exact data you need for your app. AWS AppSync simplifies application development by letting you create a flexible API to securely access, manipulate, and combine data from one or more data sources. AppSync is a managed service that uses GraphQL to make it easy for applications to get exactly the data they need. DATA TO DATABASE, LIKE DYNAMO DB

Answer 77

its 20, but can be increased with a request There is a vCPU-based On-Demand Instance limit per region which is why subsequent requests failed. Just submit the limit increase form to AWS and retry the failed requests once approved.

Answer 78

Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it's applied immediately regardless of any higher-numbered rule that may contradict it.

Answer 79

encrypt plaintext with data key Then encrypt the data key AWS KMS

Answer 80

AWS KMS KEYS

Answer 81

SWF Amazon Simple Workflow allows you to structure the various processing steps in an application that runs across one or more machines as a set of “tasks.” Amazon SWF manages dependencies between the tasks, schedules the tasks for execution, and runs any logic that needs to be executed in parallel. The service also stores the tasks, reliably dispatches them to application components, tracks their progress, and keeps their latest state. Step Function Visual workflow AWS Step Functions makes it easy to coordinate the components of distributed applications and microservices using visual workflows. Building applications from individual components that each perform a discrete function lets you scale and change applications quickly.

Answer 82

AWS Batch is a set of batch management capabilities that enables developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs on AWS. ... AWS Batch plans, schedules, and executes your batch computing workloads using Amazon EC2 and Spot Instances.

Answer 83

Amazon Elastic MapReduce (Amazon EMR) is a web service that makes it easy to quickly and cost-effectively process vast amounts of data. Amazon EMR uses Hadoop, an open source framework, to distribute your data and processing across a resizable cluster of Amazon EC2 instances.

Answer 84

CloudWatch Logs Insights enables you to interactively search and analyze your log data in Amazon CloudWatch Logs. You can perform queries to help you more efficiently and effectively respond to operational issues. If an issue occurs, you can use CloudWatch Logs Insights to identify potential causes and validate deployed fixes.

Answer 85

One is for optimized data movement, and the other is more suitable for hybrid architecture. AWS DataSync is ideal for online data transfers. You can use DataSync to migrate active data to AWS, transfer data to the cloud for analysis and processing, archive data to free up on-premises storage capacity, or replicate data to AWS for business continuity. AWS Storage Gateway is a hybrid cloud storage service that gives you on-premises access to virtually unlimited cloud storage.

Answer 86

Anycast, also known as IP anycast, is a networking technique that allows for multiple machines to share the same IP address. Based on the location of the user request, the routers send it to the machine in the network that is closest.Oct 4, 2018 AWS Global Accelerator simplifies global traffic management by providing 2 static anycast IP addresses that only need to be allow-listed by users once. Behind these IP address you can add or remove AWS origins, opening up uses such as endpoint failover, scaling, or testing without any user-side changes

Answer 87

Amazon S3 Transfer Acceleration can speed up content transfers to and from Amazon S3 by as much as 50-500% for long-distance transfer of larger objects. FOR S3 AWS Global Accelerator is a networking service that sends your user's traffic through Amazon Web Service's global network infrastructure, improving your internet user performance by up to 60%. FOR ALL

Answer 88

Redshift is automated for backups and fully managed, however this is only in one region for region outage use CROSS REGION SNAPSHOT

Answer 89

multiple applications may be used in subnets or security groups, usually separate items use separate security groups so for a security group to access a sep resource, IE app to database

Answer 90

locations for SSL certs that are obtained from third parties ACM lets you import third-party certificates from the ACM console, as well as programmatically. ***If ACM is not available in your region***, use AWS CLI to upload your third-party certificate to the IAM certificate store.

Answer 91

is a network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications. EFA enables you to achieve the application performance of an on-premises HPC cluster, with the scalability, flexibility, and elasticity provided by the AWS Cloud. ALLOWS OS BYPASS FOR TIGHTLY COUPLED HPC EFA limitations: You can attach only one EFA per instance. EFA OS-bypass traffic is limited to a single subnet. In other words, EFA traffic cannot be sent from one subnet to another. Normal IP traffic from the EFA can be sent from one subnet to another. EFA OS-bypass traffic is not routable. Normal IP traffic from the EFA remains routable. The EFA must be a member of a security group that allows all inbound and outbound traffic to and from the security group itself.

Answer 92

An elastic network interface is a logical networking component in a VPC that represents a virtual network card. It can include the following attributes: ENI: Utilize this for normal use, like Web servers, DB servers, etc. This is the basic adapter type for when you don’t have any high-performance requirements. All instance types have an ENI.

Answer 93

doesn't have OS-bypass capabilities, ENA is a custom network interface optimized to deliver high throughput and packet per second (PPS) performance, and consistently low latencies on EC2 instances. Using ENA, customers can utilize up to 20 Gbps of network bandwidth on certain EC2 instance types. Use Cases: Good for use cases that require higher bandwidth and lower inter-instance latency. Supported for limited instance types (HVM only).

Answer 94

An ENA ENI provides traditional IP networking features necessary to support VPC networking. An EFA ENI provides all the functionality of an ENA ENI, plus hardware support for applications to communicate directly with the EFA ENI without involving the instance kernel (OS-bypass communication) using an extended programming interface. Due to the advanced capabilities of the EFA ENI, EFA ENIs can only be attached at launch or to stopped instances.

Answer 95

You must create one of the following virtual interfaces to begin using your AWS Direct Connect connection. -Private virtual interface: A private virtual interface should be used to access an Amazon VPC using private IP addresses.

Answer 96

AWS Direct Connect virtual interfaces You must create one of the following virtual interfaces to begin using your AWS Direct Connect connection. Public virtual interface: A public virtual interface can access all AWS public services using public IP addresses.

Answer 97

Transit virtual interface: A transit virtual interface should be used to access one or more Amazon VPC Transit Gateways associated with Direct Connect gateways. You can use transit virtual interfaces with 1/2/5/10 Gbps AWS Direct Connect connections. For information about Direct Connect gateway configurations, see Direct Connect gateways. You must create one of the following virtual interfaces to begin using your AWS Direct Connect connection. AWS Direct Connect virtual interfaces

Answer 98

Amazon SWF provides useful guarantees around task assignments. It ensures that a task is never duplicated and is assigned only once. Thus, even though you may have multiple workers for a particular activity type (or a number of instances of a decider), Amazon SWF will give a specific task to only one worker (or one decider instance). Additionally, Amazon SWF keeps at most one decision task outstanding at a time for a workflow execution. Thus, you can run multiple decider instances without worrying about two instances operating on the same execution simultaneously. These facilities enable you to coordinate your workflow without worrying about duplicate, lost, or conflicting tasks.

Answer 99

You can add multi-factor authentication (MFA) to a user pool to protect the identity of your users. MFA adds a second authentication method that doesn't rely solely on user name and password. You can choose to use SMS text messages, or time-based one-time (TOTP) passwords as second factors in signing in your users. You can also use adaptive authentication with its risk-based model to predict when you might need another authentication factor. It's part of the user pool advanced security features, which also include protections against compromised credentials.

Answer 100

3 IOPS/GiB | 50 ios/gib

Answer 101

DynamoDb can be integrated with lambda to create triggers. Events can respond to dynamodb streams with triggers to build applications If you enable DynamoDB Streams on a table, you can associate the stream ARN with a Lambda function that you write. Immediately after an item in the table is modified, a new record appears in the table's stream. AWS Lambda polls the stream and invokes your Lambda function synchronously when it detects new stream records. CloudWatch Alarms only monitor service metrics, not changes in DynamoDB table data.

Answer 102

STORED 30 DAYS in cloudwatch logs RDS child processes – Shows a summary of the RDS processes that support the DB instance, for example aurora for Amazon Aurora DB clusters and mysqld for MySQL DB instances. Process threads appear nested beneath the parent process. Process threads show CPU utilization only as other metrics are the same for all threads for the process. RDS processes – Shows a summary of the resources used by the RDS management agent, diagnostics monitoring processes, and other AWS processes that are required to support RDS DB instances. OS processes – Shows a summary of the kernel and system processes, which generally have minimal impact on performance.

Answer 103

CloudWatch gathers metrics about CPU utilization from the hypervisor for a DB instance, and Enhanced Monitoring gathers its metrics from an agent on the instance. As a result, you might find differences between the measurements, because the******** hypervisor layer performs a small amount of work*******. The differences can be greater if your DB instances use smaller instance classes, because then there are likely more virtual machines (VMs) that are managed by the hypervisor layer on a single physical instance. Enhanced Monitoring metrics are useful when you want to see how different processes or threads on a DB instance use the CPU.

Answer 104

You can use AWS CloudTrail logs together with server access logs for Amazon S3. CloudTrail logs provide you with detailed API tracking for Amazon S3 bucket-level and object-level operations, while server access logs for Amazon S3 provide you visibility into object-level operations on your data in Amazon S3. every access request sent to the S3 bucket including the referrer and turn-around time information. These two records are not available in CloudTrail which is why the correct answer is to enable server access logging for all required Amazon S3 buckets.

Answer 105

read replica does not support automatic failover, multiaz does, also read replica can still be upgraded

Answer 106

Kensis is durable and provides order of records and read/replay in order they came in garuntees no dups SQS doesnt garuntee no dups

Answer 107

You can only specify one launch configuration for an Auto Scaling group at a time, and you can't modify a launch configuration after you've created it. Therefore, if you want to change the launch configuration for an Auto Scaling group, you must create a launch configuration and then update your Auto Scaling group with the new launch configuration.

Answer 108

Enhanced monitor is only for RDS Cloudwatch install gets memory and others detailed metrics allows sub 5 min watching.

Answer 109

Acts like transitive peering Allows secure comm between remote sites. HUB AND SPOKE MODEL like transit gateway Use this approach if you have multiple branch offices and existing internet connections and would like to implement a convenient, potentially low-cost hub-and-spoke model for primary or backup connectivity between these remote offices.

Answer 110

cloud hub is a branched connection, needs bpg transit is a hubed connection where it is a main router for all VPC

Answer 111

in transit, SSL HTTPS | In rest KMS, with KMS management

Answer 112

Requires credentials AUTH TOKEN needed Access to Amazon ElastiCache requires credentials that AWS can use to authenticate your requests. Those credentials must have permissions to access AWS resources, such as an ElastiCache cache cluster or an Amazon Elastic Compute Cloud (Amazon EC2) instance. The following sections provide details on how you can use AWS Identity and Access Management (IAM) and ElastiCache to help secure your resources by controlling who can access them.

Answer 113

for RDS and Aurora NOT AURORA SERVERLESS NOT DYNAMO DB

Answer 114

Get an ACCESS key for a role create a credential to login This allows programmatic access to write to the DATABASE and the keys are used to authenticate requests programmatically.

Answer 115

IAM role plus permissions to act on resources Role allow it Resource allows specific role

Answer 116

for cloudfront, NEEDS TO ORIGINS origin group with two origins primary and second origin cloudfront auto switches to when primary fails, this prevents failed requests.

Answer 117

An origin is the location where content is stored, and from which CloudFront gets content to serve to viewers. To specify an origin: Use the S3OriginConfig type to specify an Amazon S3 bucket that is not configured with static website hosting.

Answer 118

This model works well when the database workload is predictable because you can adjust capacity manually based on the expected workload. A better database setup here is to use an Amazon Aurora Serverless cluster. not suitable for intermittent, sporadic, and unpredictable transactional workloads SET CAPACITY TO WHAT IT CAN BE, NO BURSTING

Answer 119

KMS; KMS API instead to automatically encrypt the data before saving it to disk for maximum security, rather than after.

Answer 120

Dedicated- all items launch on hardware that is dedciated to single client Default- shared

Answer 121

Only from Dedicated to Default, modifying tenancy of vpc doesnt affect whats inside.

Answer 122

Multiaz Synchronous replication to standby in diff AZ auto fail over possible synchronous replication auto failover same ENDPOINT Readreplica ``` Asynch read only copy for increase usage for updating, snapshots NOT for DR can be manually promoted, new endpoint ```

Answer 123

cross-site scripting attacks (XSS attacks). SQL injection attacks. ip match http flood

Answer 124

gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service. endpoint policy is an AWS Identity and Access Management (AWS IAM) resource policy that you can attach to an endpoint when you create or modify the endpoint. If you do not attach a policy when you create an endpoint, a default policy gets attached for you to allow full access to the service

Answer 125

Server order Determine which cipher is used for https ask, server decides Predefined security policy Determine which protocol to use for ssl security Perfect forward Secrecy derived session key to provide additional safeguards against the eavesdropping of encrypted data. This prevents the decoding of captured data, even if the secret long-term key is compromised For cloudfront and elb!!!!!

Answer 126

Manager (Amazon DLM) is an automated procedure to back up the data stored on your Amazon EBS volumes. Use Amazon DLM to create lifecycle policies to automate snapshot management.

Answer 127

- Data at rest inside the volume - All data moving between the volume and the instance - All snapshots created from the volume - All volumes created from those snapshots

Answer 128

A record alias from Route 53 A-IPV4

Answer 129

Cloudwatch Metric of items | Cloudtrail Changes and API calls

Answer 130

OLTP database is Aurora | OLAP is Redshift

Answer 131

Weighted or latency with health check is active active | failover is active passive

Answer 132

Immediately after the message is received, it remains in the queue. To prevent other consumers from processing the message again, Amazon SQS sets a visibility timeout, a period of time during which Amazon SQS prevents other consumers from receiving and processing the message. The default visibility timeout for a message is 30 seconds. The maximum is 12 hours.

Answer 133

Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client's IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.

Answer 134

Aurora Server- Flips cname to another healthy replica, then promoted Serverless- recreate db in a new AZ If no replica, no serverless, Aurora will recreate the DB in the same availability zone!

Answer 135

Elasticache Sticky session for classic load balancer is not distributed, it is only at the specific location. Session Management There are various ways to manage user sessions including storing those sessions locally to the node responding to the HTTP request or designating a layer in your architecture which can store those sessions in a scalable and robust manner. Common approaches used include utilizing Sticky sessions or using a Distributed Cache for your session management. These approaches are described below.

Answer 136

VPC endpoint? A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection (ENI)interface endpoint (privatelink) is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service (ROUTE TABLE)gateway endpoint is a gateway that is a target for a specified route in your route table, used for traffic destined to a supported AWS service.

Answer 137

S3, Dynamo DB

Answer 138

SCSI Volume gateway TAPE, tape gateway Network File System (NFS) and Server Message Block (SMB)NFS, File gateway

Answer 139

HTTPS only

Answer 140

lustre is LINUX Fsx windows is SMB protocol and Windows NTFS, Active Directory (AD) integration, and Distributed File System (DFS).

Answer 141

windows will make you pay for the hour Terminated in the first hour by amazon , no charge terminated your self, to the nearest second terminated by amazon after the first hour, you will be charged per second

Answer 142

it is on SSE S3 by default you can also do KMS

Answer 143

Enhanced fabric adapters will not have OS bypass capabilities on windows instances, they will act as elastic network adapter.

Answer 144

enables applications to retrieve only a subset of data from an object by using simple SQL expressions. only need bucket name and key for object info Metadata gets more details about it tags- allows grouping

Answer 145

Extract transform load Emr is server Glue serverless

Answer 146

The CloudWatch Logs agent is comprised of the following components: - A plug-in to the AWS CLI that pushes log data to CloudWatch Logs. - A script (daemon) that initiates the process to push data to CloudWatch Logs. - A cron job that ensures that the daemon is always running.

Answer 147

use versioning, control the versions of files that are served from your distribution, you can either invalidate files or give them versioned file names.

Answer 148

Versioning enables you to control which file a request returns even when the user has a version cached either locally or behind a corporate caching proxy. If you invalidate the file, the user might continue to see the old version until it expires from those caches. - CloudFront access logs include the names of your files, so versioning makes it easier to analyze the results of file changes. - Versioning provides a way to serve different versions of files to different users. - Versioning simplifies rolling forward and back between file revisions. - Versioning is less expensive. You still have to pay for CloudFront to transfer new versions of your files to edge locations, but you don't have to pay for invalidating files.

Answer 149

On your custom origin web server application, add Cache-Control no-cache, no-store, or private directives to the objects that you don't want CloudFront to cache. Or, add Expires directives to the objects that you don't want CloudFront to cache. For Object Caching, select Customize. For Minimum TTL, enter 0. For Maximum TTL, enter 0

Answer 150

Use SSL to encrypt in flight data, when DB is created, aws creates SSL cert for RDS. " RDS Root CA certificate" you can use SSL 1. force SSL for all connections- rds client does no work rds. force_ssl 2. Encrypt specific connections- rds client must do work to encrypt connection by defailt rds.force_ssl is off, turn it to true and restart instance of DB

Answer 151

As long as Elastic IP is being used, price is ZERO As long as its one also.

Answer 152

- Network traffic to and from the database is encrypted using Secure Sockets Layer (SSL). - You can use IAM to centrally manage access to your database resources, instead of managing access individually on each DB instance. - For applications running on Amazon EC2, you can use profile credentials specific to your EC2 instance to access your database instead of a password, for greater security

Answer 153

Server logs can be stored optionally in S3 or cloudwatch application files in S3

Answer 154

data to a standby instance in a different Availability Zone (AZ) that is in the same region and not in a different one.

Answer 155

Origin is where content is stored, cloudfront can be setup with origin failover An origin group may contain two origins, primary and secondary Primary origin failure will trigger automatic routing to second, needs to be deployed at sep availability zone.

Answer 156

Classic Load Balancer can distribute requests regardless of Availability Zone, this is known as cross-zone load balancing your load balancer nodes distribute incoming requests evenly across the Availability Zones enabled for your load balancer. Otherwise, each load balancer node distributes requests only to instances in its Availability Zone.

Answer 157

fast HPC system, POSIX compliant

Answer 158

The data need to be stored redundantly across multiple AZs and allows concurrent connections from thousands of EC2 instances hosted on multiple Availability Zones. Amazon EFS is a fully-managed service that makes it easy to set up and scale file storage in the Amazon Cloud. With a few clicks in the AWS Management Console, you can create file systems that are accessible to Amazon EC2 instances via a file system interface (using standard operating system file I/O APIs) and supports full file system access semantics (such as strong consistency and file locking). Amazon EFS file systems can automatically scale from gigabytes to petabytes of data without needing to provision storage. Tens, hundreds, or even thousands of Amazon EC2 instances can access an Amazon EFS file system at the same time, and Amazon EFS provides consistent performance to each Amazon EC2 instance. Amazon EFS is designed to be highly durable and highly available.

Answer 159

these are on machines with VCPU limit, when you need to add more than whats left on the pooled machine, you can stop and restart New ip address for public would mean that machine is hosting now on sep hardware, you can now request more!

Answer 160

anycast allows multiple items to be hosted behind one static ip, the static ip acts as fixed entry. allowing less config for larger network When the application usage grows, the number of IP addresses and endpoints that you need to manage also increase. AWS Global Accelerator allows you to scale your network up or down. AWS Global Accelerator lets you associate regional resources, such as load balancers and EC2 instances, to two static IP addresses. You only whitelist these addresses once in your client applications, firewalls, and DNS records.

Answer 161

Target policy is for route 53 routing policy of where to send traffic being balanced to two endpoints. target group is for a app load balancer -allows to choose how much weighting goes to each target group of ec2 devices

Answer 162

The blue-green deployment approach does this by ensuring you have two production environments, as identical as possible. increases availability and reduces risk Canary deployments are a pattern for rolling out releases to a subset of users or servers. The idea is to first deploy the change to a small subset of servers, test it, and then roll the change out to the rest of the servers. A hybrid deployment is a way to connect infrastructure and applications between cloud-based resources and existing resources that are not located in the cloud.

Answer 163

1. instance - The targets are specified by instance ID. 2. ip - The targets are IP addresses. 3. Lambda - The target is a Lambda function.

Answer 164

Weighted Weighted routing lets you associate multiple resources with a single domain name or subdomain name. To configure weighted routing, you create records that have the same name and type for each of your resources. You assign each record a relative weight that corresponds with how much traffic you want to send to each resource. Latency If your application is hosted in multiple AWS Regions, you can improve performance for your users by serving their requests from the AWS Region that provides the lowest latency. Multivalue Multivalue answer routing lets you configure Amazon Route 53 to return multiple values, such as IP addresses for your web servers, in response to DNS queries. ... If a web server becomes unavailable after a resolver caches a response, client software can try another IP address in the response.

Answer 165

Step scaling policies increase or decrease the current capacity of a scalable target based on a set of scaling adjustments, known as step adjustments. The adjustments vary based on the size of the alarm breach. When you configure dynamic scaling, you must define how to scale in response to changing demand. For example, you have a web application that currently runs on two instances and you want the CPU utilization of the Auto Scaling group to stay at around 50 percent when the load on the application changes. This gives you extra capacity to handle traffic spikes without maintaining an excessive amount of idle resources. You can configure your Auto Scaling group to scale automatically to meet this need. The policy type determines how the scaling action is performed.

Answer 166

Step scaling, increases according to amounts specified as metric, steps up scaling as alarm gets breached higher simple scaling- increase based on single scaling adjustment target tracking scaling- scale up/down to keep metric stable

Answer 167

nondistro- sticky sessions | distributed- use elasticache

Answer 168

When a user requests your content, CloudFront typically serves the requested content regardless of where the user is located. If you need to prevent users in specific countries from accessing your content, you can use the CloudFront geo restriction feature to do one of the following: Allow your users to access your content only if they're in one of the countries on a whitelist of approved countries. Prevent your users from accessing your content if they're in one of the countries on a blacklist of banned countries.

Answer 169

EXCUTION ROLE: LAMBDA A Lambda function's execution role is an AWS Identity and Access Management (IAM) role that grants the function permission to access AWS services and resources TASK ROLE: ECS With IAM roles for Amazon ECS tasks, you can specify an IAM role that can be used by the containers in a task. Applications must sign their AWS API requests with AWS credentials, and this feature provides a strategy for managing credentials for your applications to use, similar to the way that Amazon EC2 instance profiles provide credentials to EC2 instances. Instead of creating and distributing your AWS credentials to the containers or using the EC2 instance’s role, you can associate an IAM role with an ECS task definition or RunTask API operation. The applications in the task’s containers can then use the AWS SDK or CLI to make API requests to authorized AWS services. task execution role grants the Amazon ECS container and Fargate agents permission to make AWS API calls on your behalf

Answer 170

Service control policy Organizational units NO PERMISSIONS, ONLY RESTRICTRIONS SCPs alone are not sufficient for allowing access in the accounts in your No permissions are granted by an SCP. Attaching an SCP to an AWS Organizations entity (root, organizational unit (OU), or account) defines a guardrail, or sets limits, on the actions that the IAM users and roles in the affected accounts can perform. You still need to attach identity-based or resource-based policies to IAM users or roles, or to the resources in your organization's accounts to actually grant permissions.

Answer 171

period- data point generated per time --1 per second Evaluation period- the number of periods to evaluate to determine a breach, not the breach but the total of data points in a set of periods. --60 points per minute data points to alarm- the number of data points in the evaluation periods that breach to change alarm state to alarm. --of 60 points, how many were in breached level

Answer 172

Redis- DB CACHE/ FAILOVER MULTI AZ In-memory data structure store used as database, cache and message broker. ElastiCache for Redis offers Multi-AZ with Auto-Failover and enhanced robustness. DATA REP , HIGH AVAIL ``` Memcached- SPEED UP APPS High-performance, distributed memory object caching system, intended for use in speeding up dynamic web applications. REPEAT QUERIES IN-MEMORY CACHE **********MULTI THREADED!!!!!!!!! ```

Answer 173

A read replica of an Amazon RDS encrypted instance is also encrypted using the same CMK as the primary DB instance when both are in the same AWS Region. If the primary DB instance and read replica are in different AWS Regions, you encrypt using the CMK for that AWS Region.

Answer 174

NOT REGIONAL KMS keys are never shared outside the AWS region in which they were created. When you encrypt data under a KMS CMK, the ciphertext cannot be decrypted with any other CMK. This is true even when you import the same key material into a different CMK.

Answer 175

OAI: s3 bucket acccess as origin of cloudfront distribution Presigned URL S3: Temp bucket and object access Cloudfront Signed URL: Signed URL/Cookie: S3 bucket for HTTP server

Answer 176

Enter and exit standby You can put any instance that is in an InService state into a Standby state. This enables you to remove the instance from service, troubleshoot or make changes to it, and then put it back into service. Instances in a Standby state continue to be managed by the Auto Scaling group. However, they are not an active part of your application until you put them back into service.

Answer 177

Key pair is to access EC2 instances | Programmatic access via access key Id to invoke third party actions

Answer 178

API Gateway sets a limit on a steady-state rate and a burst of request submissions against all APIs in your account, per Region. In the token bucket algorithm, the burst is the maximum bucket size. When request submissions exceed the steady-state request rate and burst limits, API Gateway fails the limit-exceeding requests and returns 429 Too Many Requests error responses to the client.

Answer 179

Server-side throttling limits are applied across all clients. These limit settings exist to prevent your API—and your account—from being overwhelmed by too many requests. Per-client throttling limits are applied to clients that use API keys associated with your usage policy as client identifier.

Answer 180

Causes HTTP 400, bad request If your application's read or write requests exceed the provisioned throughput for a table, DynamoDB might throttle that request. When this happens, the request fails with an HTTP 400 code (Bad Request), accompanied by a ProvisionedThroughputExceededException. The AWS SDKs have built-in support for retrying throttled requests. However, you might want to consider using exponential backoff logic in your error handling code. For more information, see Error Retries and Exponential Backoff.

Answer 181

Connection draining is a process that ensures that existing, in-progress requests are given time to complete when a VM is removed from an instance group or when an endpoint is removed HAPPENS IN ELB

Answer 182

Any other instance state other than Healthy is considered bad Impaired or: stopping stopped terminating terminated Amazon EC2 Auto Scaling considers the instance to be unhealthy and launches a replacement instance. Auto Scaling marks an instance unhealthy and launches a replacement if the instance is in a state other than running, the system status is impaired, or Elastic Load Balancing reports the instance state as OutOfService.

Answer 183

When an instance launches, Amazon EC2 Auto Scaling uses the value of the HealthCheckGracePeriod for the Auto Scaling group to determine how long to wait before checking the health status of the instance. default 300

Answer 184

After an instance has been marked unhealthy because of a health check, it is almost immediately scheduled for replacement. It never automatically recovers its health. You can intervene manually by calling the set-instance-health command or the SetInstanceHealth operation to set the instance's health status back to healthy. If the instance is already terminating, you get an error.

Answer 185

Security Assertion Markup Language 2.0 (SAML) is an open federation standard that allows an identity provider (IdP) to authenticate users and pass identity and security information about them to a service provider (SP), typically an application or service. ONCE VERIFIED SAML calls to app of STS to grant temp security credentials temp credentials used to login.

Answer 186

Identity pool Access to aws resources Temp aws creds for unauth users ``` User Pool signin signup pages for your app access and manage user data track device, ip loci etc auth flow for app ```

Answer 187

Template is for EC2 launching in AWS EC2 Console launch templates can have versions Launch config is for ASG, when updated they need to be stopped and redone. LC is immutable!!!! you can replace launch config to launch template?

Answer 188

Amazon Aurora Global Database is a new feature in the MySQL-compatible edition of Amazon Aurora, designed for applications with a global footprint. It allows a single Aurora database to span multiple AWS regions, with fast replication to enable low-latency global reads and disaster recovery from region-wide outages.

Answer 189

The AWS Schema Conversion Tool makes heterogeneous database migrations predictable by automatically converting the source database schema and a majority of the database code objects, including views, stored procedures, and functions, to a format compatible with the target database. AWS Database Migration Service (AWS DMS) is a cloud service that makes it easy to migrate relational databases, data warehouses, NoSQL databases, and other types of data stores. You can use AWS DMS to migrate your data into the AWS Cloud, between on-premises instances (through an AWS Cloud setup), or between combinations of cloud and on-premises setups.

Answer 190

Sync, PUSH : API Asynch , EVENT: SNS S3 Poll Based SQS Dynamo DB Kinesis

Answer 191

AWS Batch dynamically provisions the optimal quantity and type of compute resources (e.g., CPU or memory optimized instances) based on the volume and specific resource requirements of the batch jobs submitted.

Answer 192

Similarities Managed Key/Value Store Services Similar Encryption Options Both Referenceable in CloudFormation Differences Secrets manager Generate random password Rotation of passwords Secrets shared accross accounts Parameter store FREEE NO CROSS ACCOUNT ACCESS no passsword generator !!!storing environmental configuration data !!! software settings to be used in cloud formation

Answer 193

3000 with batching | 300 without batching

Answer 194

Athena stores information into s3 JSON PARQUET FILE FORMAT Redshift spectrum loads into redshift direct FLAT DATA ONLY Both take from S3, take SQL standard for data

Answer 195

Direct Private VIF [AWS cloud: VPC/VGW connects to Direct connect gateway ] -----Private Virtual interface ------------> [direct connect location] ==================== Public VIF [AWS cloud: [ service (s3 etc) connects to Direct connect gateway ] -----Public Virtual interface-----> [direct connect location] ===================== Transit Gateway interface *** SPECIAL **** [Transit gateway which connects to VPC's] ----Transit Gateway Association------> [Direct connect gateway] -----Transit Virtual interface----------> [Direct connect connection]

Answer 196

You can use an AWS Direct Connect gateway to connect your AWS Direct Connect connection over a transit virtual interface to the VPCs or VPNs that are attached to your transit gateway. You associate a Direct Connect gateway with the transit gateway. Then, create a transit virtual interface for your AWS Direct Connect connection to the Direct Connect You cannot attach a Direct Connect gateway to a transit gateway when the Direct Connect gateway is already associated with a virtual private gateway or is attached to a private virtual interface. gateway.

Answer 197

A virtual private gateway is a logical, fully redundant distributed edge routing function that sits at the edge of your VPC. As it is capable of terminating VPN connections from your on-prem or customer environments, the VPG is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection.

Answer 198

need versioning on both buckets | need two buckets to be created , one for each region.

Answer 199

Stage: Reference to a deployment, configure settings to cache, throttle, configure logging variables, canary etc. method request and a method response. what a client should or must do to submit a request to access the service at the backend and to define the responses that the client receives in return. Caching You can enable API caching in Amazon API Gateway to cache your endpoint's responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API.

Answer 200

AWSAuthenticationPlugin will be used with IAM

Answer 201

Although AWS does not natively integrate with MPLS as a protocol, we provide mechanisms and best practices to connect to your currently deployed MPLS/WAN via AWS Direct Connect and VPN MPLS L3 VPN provides the flexibility of connecting multiple sites privately.

Answer 202

Per-client throttling limits are applied to clients that use API keys associated with your usage policy as client identifier. Server-side throttling limits are applied across all clients. These limit settings exist to prevent your API—and your account—from being overwhelmed by too many requests.

Answer 203

Interface endpoint using private link, which is a VPC interface endpoint will connect via a elastic network interface ENI, a private IP address acts as entry point for a private API GATEWAY

Answer 204

OIDC allows to authenticate via ALB, can also use saml

Answer 205

dedicated host, pay per entire host | dedicated instance, pay per instance for one EC2 at a time.

Answer 206

DB security groups- controls access to DB instance not in VPC VPC security groups- access to DB instance inside VPC EC2 Security groups- access to ec2 instance used with DB instance

Answer 207

Retrieving instance metadata

Answer 208

file Gateway securely and durably stores both file contents and metadata as objects, while providing your on-premises applications low-latency access to cached data

Answer 209

If you're using AWS Elastic Beanstalk to deploy and manage applications in the AWS Cloud, you can use Amazon Route 53 to route DNS traffic for your domain, such as example.com, to a new or an existing Elastic Beanstalk environment. use CNAME or ALIAS

Answer 210

you create a change set by submitting changes against the stack you want to update. CloudFormation compares the stack to the new template and/or parameter values and produces a change set that you can review and then choose to apply Change sets don't indicate whether AWS CloudFormation will successfully update a stack. they dont tell about permissions or limits etc

Answer 211

S3 bucket policies specify what actions are allowed or denied for which principals on the bucket that the bucket policy is attached to ACL: defines which AWS accounts or groups are granted access and the type of access.

Answer 212

Management Events management operations that are performed on resources in your AWS account. Data Events CloudTrail data events are disabled by default. data plane operations Data events provide visibility into the resource operations performed on or within a resource. These are also known as data plane operations. Data events are often high-volume activities. The following two data types are recorded: Amazon S3 object-level API activity (for example, GetObject, DeleteObject, and PutObject API operations) AWS Lambda function execution activity (the Invoke API)

Answer 213

``` Cost optimization performance security fault tolerance service limits ```

Answer 214

Amazon EC2 uses an instance profile as a container for an IAM role. When you create an IAM role using the IAM console, the console creates an instance profile automatically and gives it the same name as the role to which it corresponds. Containers that are running on your container instances have access to all of the permissions that are supplied to the container instance role through instance metadata.

Answer 215

RTMP is for S3