AWS Cloud Practitioner Exam
With AWS orgs, you can use either just the consolidated billing feature, or all the offered features
True
S3 One Zone - IA (Storage Class)
For when you want a lower cost option for infrequently accessed data but do not require the multiple AZ data resilience (less resilient)
Neptune
Fast, reliable, fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets
S3 Standard (Storage Class)
99.999% availability and durability, stored redundantly, immediately available, frequently accessed and is designed to sustain the loss of 2 facilities concurrently
AWS Cloud Compliance
Enables you to understand the robust controls in place at AWS to maintain security and data protection in the cloud
Which compliance certification attests to the security of the AWS platform regarding credit card transactions?
PCI DSS level 1
Snowball
Petabyte scale data transport solution that uses secure appliances to transfer large amounts of data into and out of the AWS cloud
Dedicated Instances
Physical EC2 server dedicated for your use. Good for: -Regulatory requirements -Licensing
Dedicated instances
Physical isolation at the host hardware level from instances belonging to other customers - Pay per instances
Dedicated host
Physical servers dedicated to your use - Socket/core visibility, host affinity - Pay per host - Workloads with server-bound software licenses
What is the document used to grant permissions to users, groups, and roles?
Policy
Data archival service that is extremely inexpensive, but has a several-hour data retrieval window
Glacier
Amazon virtual private cloud (VPC)
- A VPC is a virtual network dedicated to your AWS ACCOUNT - Analogous to having your own DC inside AWS - It is logically isolated from other virtual networks in the AWS cloud
Amazon virtual private cloud (VPC) range
- A VPC spans all availability zones in the region - By default you can create up to 5 VPCs per region - A default VPC is created in each region with a subnet in each AZ
AWS OpsWorks
- A configuration management service that provides managed instances of Chef and Puppet - Updates include patching, updating, backup, configuration and compliance management
File Storage
- A filesystem is mounted to the OS using a network share - A filesystem can be shared by many users/computers (Amazon Elastic File System)
Amazon Macie
- A fully managed data security and data privacy service - Uses machine learning and pattern matching to discover, monitor, and help you protect your sensitive data on Amazon S3 - Enables security compliance and preventative security
AWS Shield
- A managed distributed denial of service (DDoS) protection service - Safeguards web applications running on AWS with always-on detection and automatic inline mitigations
S3 glacier vault lock
- Also used to enforce a WORM model - Can apply a policy and lock the policy from future edits - Used for compliance objectives and data retention
Amazon detective
- Analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities - Automatically collects data from aws resources - Uses machine learning, statistical analysis and graph theory - Data sources include VPC flow logs, cloudtrail, and guardduty
Serverless services include:
- AWS Lambda - AWS Fargate - Amazon EventBridge - AWS Step Functions - Amazon SQS - Amazon SNS - Amazon API Gateway - Amazon S3 - Amazon DynamoDB
AWS global accelerator vs Cloudfront
- Both use the AWS global network and edge locations - CloudFront improves performance for cacheable content and dynamic content - GA improves performance for a wide range of applications over TCP and UDP - GA provides connections to applications in one or more AWS regions - GA provides failover between AWS regions
Amazon Quicksight
- Business intelligence service (BI) - Create and publish interactive BI dashboards for Machine Learning powered insights
A computer includes:
- CPU - Central Processing Unit - Measurement: Gigahertz (GHz) - Random Access Memory (RAM) - Non-persistent storage: data is lost when it is off - Measurement: Gigabyte (GB) - Hard Disk Drive (HDD) - Data is persistent even when off; when you turn your computer on, data is loaded into memory - Measurement: Gigabyte (GB) - Network Interface Card (NIC) - Connects to the network router and the internet - Measurements: megabits per second (Mbps) or Gigabits per second (Gbps)
Amazon Simple Storage service (s3) file size
- Can store any type of file in S3 - Files can be anywhere from 0 bytes to 5 TB
Elastic load balancing access logs
- Capture detailed info about requests sent to the load balancer - Used to analyze traffic patterns and troubleshoot issues - Can identify requester, IP, request type etc. - Can be optionally stored and retained in S3
AWS CloudHSM
- Cloud based hardware security module (HSM) - Generate and use your own encryption keys on the aws cloud - Manage your own encryption keys using FIPS 140-2 level 3 validated HSMs
AWS CloudTrail
- CloudTrail logs API activity for auditing - By default, management events are logged and retained for 90 days - A CloudTrail trail logs any events to S3 for indefinite retention - A trail can be within one region or all regions - A CloudWatch event can be triggered based on API calls in CloudTrail
AWS CodeStar
- CodeStar can work with many different AWS developer tools and other services like CloudFormation. - it uses those to then build applications and it automates this entire process for you.
AWS transit gateway
- Connect VPCs and on-premises networks through a central hub - Simplifies network configuration
AWS Elastic Beanstalk features:
- Considered a Platform as a Service (PaaS) solution - Allows full control of the underlying resources - Code is deployed using a ZIP file, WAR file or Git repository.
AWS trust & safety team
- Contact if AWS resources are being used for: ○ Spam ○ Port scanning ○ Denial of service attacks ○ Intrusion attempts ○ Hosting of objectionable or copyrighted content ○ Malware
S3 Replication
- Cross-region replication (CRR) type - Same-region replication (SRR) type - Buckets must have versioning enabled
AWS Outposts
- Deploy aws infrastructure on-premises and connect aws services - Can extend VPC into the on-premises environment - Support several aws services
Amazon elastic block store (EBS): Instances
- EBS volumes do not need to be attached to an instance; a volume is attached over the NETWORK - You can attach multiple EBS volumes to an instance
AWS X-Ray supports applications running on:
- EC2 - ECS - Lambda - Elastic beanstalk
IP addresses: public vs elastic vs private
- Public IP is dynamic and lost when the instance is stopped - Public IP cannot be moved between instances - Private IPs are attached to all EC2 instances - Private IPs are retained when the instance is stopped - Elastic IPs are static public addresses - Elastic IPs are retained when the instance is stopped - Elastic IPs can be moved between instances - Elastic IPs are charged if not used
Benefits of Amazon EC2
- Elastic computing - easily launch hundreds to thousands of EC2 instances within minutes - Complete control - full control over EC2 instances with root access - Flexible - choice of instance types, operating systems, and software packages - Reliable - EC2 is highly available and instances can be rapidly commissioned and replaced - Secure - integrated with Amazon VPC and security features - Inexpensive - pay for what you use
Infrastructure as a service (IaaS)
- Example: "hotel" responsible for the operating system but not the hardware - Responsible for the virtual server and upwards
Amazon elastic file system (EFS)
- File based storage system - Uses the NFS protocol - Can connect many EC2 instances concurrently - EC2 instances can be connected from multiple AZs - Only available for Linux instances - Can connect instances from other VPCs
Storage Gateway: 3 different types
- File gateway - provides file system interface to on-premises servers - Volume gateway - provides block-based access for on premises servers - Tape gateway - provides a virtual tape library that is compatible with common backup software (block & file interfaces)
Network access control list (ACLs)
- Firewall at the subnet level - Supports allow and deny rules, apply only to traffic entering/exiting the subnet - Stateless - Process rules in order
Security groups
- Firewall for EC2 instances - Operate at the instance level - Support allow rules only - Stateful
VPC flow logs
- Flow logs capture info about the IP traffic going to and from network interfaces in a VPC - Stored using Amazon CloudWatch Logs - Can be created at the following levels: VPC, subnet and network interface
Amazon DynamoDB
- Fully managed NoSQL database service - Key/value store and document store - It is a non-relational, key-value type of database - Fully serverless service - Push button scaling
Amazon documentDB
- Fully managed document database service (non-relational) - Supports MongoDB workloads - Queries and indexes JSON data
Inspector
1. Automated security assessment service that helps improve security and compliance of applications deployed on AWS 2. Automatically assesses for vulnerabilities and deviations from best practices 3. Produces a detailed list of security findings
AWS Glue
- Fully managed extract, transform and load (ETL) service - Used for preparing data for analytics - AWS Glue runs the ETL jobs on a fully managed scale-out Apache Spark environment - Works with data lakes, data warehouses (Redshift) and data stores (RDS or EC2 databases)
Amazon ElastiCache
- Fully managed implementation of Redis and Memcached - ElastiCache is a key / value store - In-memory database offering high performance and low latency - Can be put in front of databases such as RDS and DynamoDB
Amazon managed blockchain
- Fully managed service for creating and joining public and private blockchain networks using Hyperledger Fabric and Ethereum
AWS storage gateway
- Hybrid cloud storage service - Access cloud storage from on-premises apps - Enables access to proprietary object storage using standard protocols
CloudFormation features:
- Infrastructure is provisioned consistently with fewer mistakes (human error) - Free to use (only charged for provisioned resources) - A template is a YAML or JSON file used to describe the end-state of the infrastructure you are either provisioning or changing - CloudFormation creates a stack based on the template - Can easily roll back and delete the entire stack as well
Instantiating Compute Resources
1. Bootstrapping 2. Golden Images 3. Hybrid Images 4. Containers
AWS GuardDuty
- Intelligent threat detection service - Detects account compromise, instance compromise, malicious reconnaissance, and bucket compromise - Continuous monitoring for events across: ○ AWS CloudTrail management events ○ AWS CloudTrail S3 data events ○ Amazon VPC flow logs ○ DNS logs
Amazon RedShift
- Is a SQL based data warehouse used for analytics applications - Is a relational database that is used for online analytics processing (OLAP) use cases - Uses Amazon EC2 instances so you must choose an instance type - Always keeps 3 copies of your data - Provides continuous/incremental backups
AWS WAF
- Is a web application firewall - Creates rules that block common web exploits like SQL injection and cross site scripting - The rules are known as web ACLs
Amazon aurora
- Is an aws database offering in the RDS family - Amazon aurora is a MySQL and PostgreSQL compatible relational database built for the cloud - Features a distributed, fault tolerant, self-healing storage system that auto scales up to 128TB per database instance
Docker container
- It includes all the code, settings, and dependencies for the running application - Replaces the hypervisor and shares the operating system with the underlying host - Can run many containers because each is isolated from the other containers
Amazon Athena
- Queries data in S3 using SQL - Can be connected to other data sources with lambda - Data can be in CSV, TSV, JSON, Parquet or ORC formats - Uses a managed data catalog (AWS Glue) to store info and schemas about the databases and tables
Amazon EC2 Auto Scaling characteristics
- Launches and terminates EC2 instances based on demand - Helps to ensure that you have the correct number of EC2 instances available to handle the app load - EC2 Auto Scaling provides elasticity and scalability - Responds to EC2 status checks and CloudWatch metrics - Can scale based on demand or a schedule
Amazon elastic Map Reduce (EMR)
- Managed cluster platform that simplifies running big data frameworks including apache hadoop and apache spark - Used for processing data for analytics and business intelligence - Can also be used for transforming and moving large amounts of data - Performs extract, transform, and load (ETL) functions
AWS Elastic Beanstalk
- Managed service for web applications on Amazon EC2 instances and Docker containers - Deploys an environment that can include auto scaling, elastic load balancing and databases
Private cloud
- Everything is managed by you - Benefits: complete control, security - VPC: virtual space with your own resources privately - Instances can have public IP addresses but exist within the VPC - Go public with an internet gateway
AWS systems manager
- Manages many AWS resources including Amazon EC2, Amazon S3, Amazon RDS etc. - Systems Manager components: ○ Automation - uses documents to run automations ○ Run Command - runs commands on EC2 instances ○ Inventory - gathers inventory info ○ Patch Manager - manages patching schedules and installation ○ Session Manager - connect securely without SSH or RDP ○ Parameter Store - stores secrets and configuration data securely
Object Storage
- Massively scalable, low cost - There is no hierarchy of objects in the container - Uses a REST API (Amazon Simple Storage Service (S3))
How microservices applications are organized
- Microservices are loosely coupled - They are organized around business capabilities - They can be spread across hosts - Many instances of each microservice can run on each host
AWS storage gateway use cases
- Moving backups to the cloud - Using on-premises file shares backed by cloud storage - Low latency access to data in AWS for on-premises apps - Disaster recovery
Network attached storage
- NAS devices are file based storage systems - The NAS shares filesystems over the network
Benefits of lambda
- No servers to manage - Continuous scaling - Low billing - Integrates with almost all other AWS services
Amazon Simple Queue Service (SQS)
- Offers a reliable, scalable, hosted queue for storing messages in transit between computers - Used for distributed/decoupled applications - Uses a message-oriented API - Uses pull based (polling) not push based delivery
Trusted Advisor
- Online resource that helps to reduce cost, increase performance and improve security by optimizing your AWS environment - Provides real time guidance to help you provision your resources following best practices - Advises you on cost optimization, performance, security, and fault tolerance
AWS Cloud Development Kit (CDK)
- Open-source software development framework to define your cloud application resources using familiar programming languages - Preconfigures cloud resources with proven defaults using constructs - Provisions your resources using AWS CloudFormation - Enables you to model application infrastructure using TypeScript, Python, Java, and .NET - Use existing IDEs, testing tools, and workflow patterns
AWS direct connect
- Private connection from on-premises to aws - Avoids the public internet
AWS Pipeline
- Processes and moves data between different AWS compute and storage services - Saves results to services including S3, RDS, DynamoDB, and EMR
Amazon Kinesis Data streams
- Producers send data which is stored in shards for up to 7 days - Consumers process the data and save to another service - Kinesis Data Firehose - Kinesis data analytics
AWS personal health dashboard
- Provides alerts and remediation guidance when AWS is experiencing events that may impact you - Gives you a personalized view into the performance and availability of the AWS services underlying your AWS resources - Also provides proactive notification to help you plan for scheduled activities
AWS security Hub
- Provides a comprehensive view of security alerts and security posture across aws accounts - Aggregates, organizes, and prioritizes security alerts or findings from multiple aws services
Amazon virtual private cloud (VPC) features:
- Provides complete control over the virtual networking environment - You can launch your AWS resources such as Amazon EC2 instances into your VPC - When you create a VPC, you have to specify a range of IP addresses in the form of what we call classless inter-domain routing, a CIDR block. For example, 10.0.0.0/16
S3 access logs
- Provides detailed records for the requests that are made to a bucket - Details include the requester, bucket name, request time, request action, response status, and error code
AWS artifact
- Provides on-demand access to AWS' security and compliance reports and select online agreements - Reports available: 1. Service organization control (SOC) reports 2. Payment card industry (PCI) reports
AWS systems manager parameter store
- Provides secure, hierarchical storage for configuration data management and secrets management - You can store data such as plaintext (unencrypted data) or ciphertext (encrypted data) - You can then reference values by using the unique name that you specified when you created the parameter
Customers are responsible for
"Security in the cloud" - Responsible for EC2 including network level security, operating system patches and updates, IAM user access, and client- and server-side data encryption
RDS (Amazon relational databases service)
- RDS uses EC2 instances, so you must choose an instance type - Relational databases are known as structured query language (SQL) databases - Is an online transaction processing (OLTP) type of database - Easy to set up, highly available, fault tolerant and scalable - Common use cases include online stores and banking systems - Can encrypt your Amazon RDS instances and snapshots at rest - Encryption uses AWS Key Management Service (KMS) - It supports the following database engines: ○ SQL Server, Oracle, MySQL, PostgreSQL, Aurora, MariaDB - Scales up by increasing instance size (compute and storage) - Read replicas option for read heavy workloads (scales out reads/queries only) - Disaster recovery with multi-AZ option
Regional Edge Cache
- Regional edge caches sit between your cloudfront origin servers and edge locations - Regional edge has more bandwidth
AWS global accelerator
- Routes connections to application endpoints in multiple regions - Improves the availability and performance of applications with local or global users - Uses the AWS global network to optimize the path from users to applications, improving the performance of TCP and UDP traffic
Six S3 storage classes
- S3 Standard: durable, immediately available, frequently accessed - S3 Intelligent-Tiering: automatically moves data to the most cost effective tier - S3 Standard-IA: durable, immediately available, infrequently accessed - S3 One Zone-IA: lower cost for infrequently accessed data with less resilience - S3 Glacier: archived data, retrieval times in minutes or hours - S3 Glacier Deep Archive: lowest cost storage class for long term retention
Dynamo DB features
- Serverless - Highly available - NoSQL type of database with name / value structure - Horizontal scaling - DynamoDB Accelerator (DAX) - provides microsecond latency - Backup - Global tables
Amazon EventBridge
- Serverless event bus - Used for building event-driven architectures - Ingest data and routes it to target AWS services
AWS Service health dashboard
- Shows you the current status of AWS services - Not personalized
Route 53 routing policies
- Simple: IP address associated w/ name - Failover: if primary is down, route to secondary - Geolocation: route based on geolocation of request - Latency: use lowest latency route to resources - Multivalue answer: returns several IP addresses - Weighted: relative weights for traffic (80%/20%)
AWS control Tower
- Simplifies the process of creating multi-account environments - Sets up governance, compliance, and security guardrails for you - Integrates with other services and features to set up the environment for you including: Organizations, SCPs, OUs, Config for compliance, CloudTrail, S3, Amazon SNS, AWS CloudFront, AWS Service Catalog, AWS Single Sign-On (SSO)
Multi-factor authentication
- Something you know ○ Password - Something you have ○ Physical device ○ Physical tokens come from a third party - Something you are ○ Fingerprints
Stateful vs stateless
- A stateful firewall allows the return traffic automatically - A stateless firewall checks for an allow rule in both directions of the connection
Block Storage
- The OS reads/writes at the block level. - Disks can be internal or network attached - The OS sees volumes that can be partitioned and formatted (Amazon Elastic Block Store)
Penetration testing
- The practice of testing one's own application's security for vulnerabilities by simulating an attack - Allows testing without prior approval for 8 AWS services
Additional S3 features
- Transfer acceleration - speeds up uploads using cloudfront - Requester pays - the account requesting the objects pays - Events - can trigger notifications to SNS, SQS, and lambda - Static website hosting - setup a static website - Encryption - encrypt objects in the bucket - Replication - replicate within (SRR) or across (CRR) regions
NAT instances and gateways
- Used for accessing the internet from private subnets - Deployed in public subnets - Must update the route table in private subnets - NAT instances are managed by you - NAT gateways are managed by AWS
AWS Key Management Service (KMS)
- Used for creating and managing encryption keys - Gives you centralized control over the encryption keys used to protect your data - KMS is integrated with most other AWS services - Easy to encrypt the data you store in these services with encryption keys you control
Object storage systems
- Users upload objects using a web browser - The HTTP protocol is used with a REST API - Objects such as videos, pictures, files, etc. go into the object storage container
AWS managed VPN
- Virtual private network (VPN) connection between on-premises sites and AWS - Uses the public internet
CloudFront
- A content delivery network (CDN) that allows you to store (cache) your content at "edge locations" located around the world - This allows customers to access content more quickly and provides security against DDoS attacks - Can be used for data, videos, applications and APIs - Reduces latency for global users
Snapshots attributes
- Are stored in Amazon S3 - Snapshots are incremental - A snapshot can be used to create an AMI (Amazon Machine Image)
On Amazon EC2 Instance in a public subnet, the instance crosses the VPC through _____ which enables access to/from the internet. Then the instance goes into ______ which controls__________
- crosses the VPC through the Internet Gateway which enables access to/from the internet - goes into the availability zone to the public subnet then passes a Security Group which controls inbound and outbound traffic
Amazon QLDB
- Fully managed ledger database for immutable change history - Provides cryptographically verifiable transaction logging
Hybrid cloud
- Keep sensitive data private or public - Facilitates portability of data, apps and services and more choices for deployment models
How many IGWs can you attach to an Amazon VPC at any one time? A. 1 B. 2 C. 3 D. 4
A. 1 You may only have one IGW for each Amazon VPC.
Reserved
1 to 3 year commit - Up to 75% discount - Steady state, predictable workloads and reserved capacity
EC2 Pricing
1. Clock hours of server time 2. Instance type - CPU, memory, storage, networking, capacity 3. Pricing model - spot, on demand, reserved 4. Number of instances 5. Load balancing 6. Detailed monitoring - CloudWatch 7. Auto Scaling 8. Elastic IP addresses 9. Operating systems and software packages
Enterprise Support Plan
1. 24/7 tech support 2. General < 24 hrs 3. System Impaired < 12 hrs 4. Production system impaired < 4 hrs 5. Production System down < 1 hr 6. Business critical system down < 15 min 7. TAM 8. Pricing - $15000/month
Business Support Plan
1. 24/7 tech support 2. General < 24 hrs 3. System Impaired < 12 hrs 4. Production system impaired < 4 hrs 5. Production System down < 1 hr 6. Pricing - $100/month
What are the features of consolidated billing?
1. A single bill is issued containing the charges for all AWS accounts 2. Multiple standalone accounts are combined and may reduce your overall bill 3. Account charges can be tracked individually
Load Balancers come in 3 types:
1. Application Load Balancers - layer 7 2. Network Load Balancers - extreme performance 3. Classic Load Balancers - Test/Dev
Caching
1. Application caching 2. Edge caching
Traditional Computing v Cloud Computing
1. Architecting for cost 2. Built in security 3. Higher level managed services 4. Operations on AWS 5. Global, available, and scalable 6. Assets provisioned as resources
Which are principles of sound cloud design
1. Assume everything will fail 2. Disposable Resources 3. Scalability 4. Infrastructure as code
Database Types
1. RDS - SQL Server, MySQL, Aurora, PostgreSQL, Oracle, MariaDB 2. DynamoDB - NoSQL 3. Redshift
RDS Pricing
1. Clock hours of server times 2. DB characteristics 3. DB purchase types 4. Number of DB instances 5. Provisioned storage 6. Additional Storage 7. Requests 8. Deployment Type 9. Data Transfer Out
Types of Amazon Organizations
1. Consolidated Billing 2. All features: gives you consolidated billing and other controls such as service control policies.
Which options should you take in securing your AWS account?
1. Create individual IAM users 2. Activate MFA on the root account 3. Use groups to assign permission to IAM users
Customer Security Responsibilities
1. Customer data 2. Platform, application, identity, and access management 3. Operating system, network, firewall config 4. Client side data, encryption, data integrity, authentication 5. Server Side encryption 6. Network traffic protection
AWS Shield
1. DDoS protection service that safeguards web applications running on AWS 2. 2 tiers - Standard and Advanced 3. Always-on detection and inline mitigations that minimize downtime and latency - Designed to stop DDoS attacks
You have been asked to deploy a clustered application on a small number of EC2 instances. The application must be placed across multiple AZs, have high-speed, low-latency communication between each of the nodes, and should also minimize the chance of underlying hardware failure. Best solution?
1. Deploy the EC2 servers in a spread placement group 2. Spread placement groups are recommended for applications that have a small number of critical instances which need to be kept separate from each other
Continuous Integration VS Continuous Delivery
Continuous Integration: 1. Developer commits code 2. Build servers build and test code 3. Results returned to developer VS Continuous Delivery: 1. Developer commits code 2. Build servers build and test code 3. Code released for deployment 4. Code deployed to application
Reserved Options
1. EC2 2. DynamoDB 3. Elasticache 4. Relational DB 5. Redshift
Developer Support Plan
1. General Guidance < 24 hrs 2. System Impaired < 12 hrs 3. Pricing - $29/month
Amazon EBS SSD-Backed Volumes
1. General Purpose SSD 2. Provisioned IOPS SSD
Advantages of cloud compute
1. Global in minutes 2. Increase speed and agility 3. Elasticity 4. Variable expense
AWS Total Cost of Ownership
1. How much it costs to do things yourself versus on AWS 2. Gives Comparison 3. Gives a report as to why you should move to the cloud
Name 5 free AWS services
1. IAM 2. Elastic Beanstalk 3. AutoScaling 4. CloudFormation 5. VPC
3 Types of Cloud Computing
1. IaaS 2. PaaS 3. SaaS
Benefits of AWS Security
1. Keep your data safe 2. Meet Compliance Requirements 3. Save Money 4. Scale Quickly
Key fundamentals of S3
1. Key - name of object 2. Value - data made up of sequence of bytes
Tags attributes
1. Key value pairs attached to AWS resources 2. Metadata (data about data) 3. Tags can sometimes be inherited 4. global
Pricing Models
1. On demand 2. Spot 3. Reserved 4. Dedicated
Advantages of Consolidated Billing
1. One bill per AWS account 2. Very easy to track charges and allocate costs 3. Volume pricing discount
CloudTrail
1. Per AWS account and is enabled per region 2. Can consolidate logs using S3 buckets - Turn on CloudTrail in the paying account - Create a bucket policy that allows cross account access - Turn on CloudTrail in the other accounts and use the bucket in the paying account
DynamoDB Pricing
1. Provisioned Throughput (write) -As low as $.47 per WCU 2. Provisioned Throughput (read) -As low as $.09 per RCU 3. Indexed Data Storage -As low as $.25 per GB
3 Types of Cloud Deployment
1. Public 2. Private 3. Hybrid
Lambda Pricing
1. Request pricing - Free tier: 1 million requests per month - $.20 per 1 million requests 2. Duration period - 400 GB-seconds per month free, up to 3.2 million seconds of compute time 3. Additional charge - If your Lambda functions incorporate other AWS functions
Optimize cost
1. Right size 2. Elasticity 3. Take advantage of the variety of purchasing options
Control your AWS cost by..
1. Right size your services to meet capacity needs at the lowest cost 2. Save money when you reserve 3. Use the spot market 4. Monitor and track service usage 5. Use cost explorer to optimize savings
Assurance Programs AWS complies with:
1. SOC 2. FISMA 3. PCI 4. ISO
EBS Pricing
1. SSD backed Volumes/HDD backed volumes - per GB 2. Snapshots - per gb 3. Data Transfer out
In addition to choosing the correct EBS volume type for your specific task, what else can be done to increase the performance of your volume?
1. Schedule snapshots of HDD based volumes for periods of low use 2. Ensure that your EC2 instances are types that can be optimized for use with EBS 3. Stripe volumes together in a RAID 0 configuration
Snowball Pricing
1. Service fee per job - snowball 50 tb: $200 - snowball 80 tb: $250 2. Daily Charge - First 10 days are free, after 3. Data Transfer out
AWS Security Responsibilities
1. Software -Compute -Storage -Database -Networking 2. Hardware/AWS global infrastructure -Regions -AZ -Edge locations
Glacier Pricing
1. Storage 2. Data retrieval times 3. $.0004 per GB per month
S3 Pricing
1. Storage class (standard/IA/AZ IA/etc) 2. Storage 3. Requests (get, put, copy) 4. Data transfer out
Amazon EBS HDD-Backed Volumes
1. Throughput Optimized HDD (ST1) 2. Cold HDD (SC1) 3. Magnetic - lower performance but also lower cost than solid state
Name the 6 advantages of Cloud
1. Trade capital expense for variable expense 2. Benefit from massive economies of scale 3. Stop guessing about capacity 4. Increased speed and agility 5. Stop spending money running and maintaining data centers 6. Go global in minutes
CloudFront Pricing
1. Traffic Distribution 2. Data transfers out 3. Requests
Security
1. Use AWS features for defense in depth 2. Share security responsibility with AWS 3. Reduce privileged access 4. Security as code 5. Real time auditing
What are the access types for IAM users?
1. Using SDKs 2. AWS management console access 3. Programmatic access via the command line
Free Services
1. VPC - virtual data centers 2. Elastic Beanstalk 3. CloudFormation 4. IAM 5. Auto Scaling 6. OpsWorks 7. Consolidated Billing
CloudFront Distributions
1. Web distributions 2. RTMP - for media
Fundamental Drivers of Cost
1. compute 2. storage 3. data outbound
Route 53
1. global 2. similar to IAM and S3 3. you can use it to direct traffic all around the world and you can use it to register a domain name (domain naming system) 4. A hosted zone represents a set of records belonging to a domain
Removing Single Points of Failure
1. introduce redundancy 2. detect failure 3. durable data storage 4. automated multi data center resilience 5. fault isolation and traditional horizontal scaling 6. Sharding - split data across multiple shards so that it is processed faster and a failure affects only one shard
RDS Features
1. multi AZ - for disaster recovery 2. read replicas - for performance
S3 attributes
1. object based 2. objects from 0 bytes to 5 TB 3. unlimited storage 4. files are stored in buckets 5. universal namespace (bucket names are globally unique) 6. accessed over HTTP/HTTPS
Principles of AWS billing
1. pay as you go 2. pay less when you reserve 3. pay even less when you use more 4. pay even less as AWS grows 5. custom pricing
Scale out
1. stateless applications 2. distribute load to multiple nodes 3. stateless components 4. Stateful components 5. Implement session affinity 6. Implement distributed processing
Ways to access AWS
1. via the console 2. Programmatically - command line 3. Using SDKs
By default, what is the maximum number of linked accounts per paying account under consolidated billing?
20
Amazon site to site VPN
A virtual private gateway is deployed on the AWS side of the connection; a customer gateway represents your device on the on-premises side
Which best describes an AWS region?
A distinct location within a geographic area designed to provide high availability to a specific geography - each has 2 or more availability zones
You are building a large order processing system and are responsible for securing the database. Which actions will you take to protect the data? (Choose 3 answers) A. Adjust AWS Identity and Access Management (IAM) permissions for administrators. B. Configure security groups and network Access Control Lists (ACLs) to limit network access. C. Configure database users, and grant permissions to database objects. D. Install anti-virus software on the Amazon RDS DB Instance.
A, B, C. Protecting your database requires a multilayered approach that secures the infrastructure, the network, and the database itself. Amazon RDS is a managed service and direct access to the OS is not available.
Your team manages a popular website running Amazon Relational Database Service (Amazon RDS) MySQL back end. The Marketing department has just informed you about an upcoming television commercial that will drive thousands of new visitors to the website. How can you prepare your database to handle the load? (Choose 3 answers) A. Vertically scale the DB Instance by selecting a more powerful instance class. B. Create read replicas to offload read requests and update your application. C. Upgrade the storage from Magnetic volumes to General Purpose Solid State Drive (SSD) volumes. D. Upgrade to Amazon Redshift for faster columnar storage.
A, B, C. Vertically scaling up is one of the simpler options that can give you additional processing power without making any architectural changes. Read replicas require some application changes but let you scale processing power horizontally. Finally, busy databases are often I/O-bound, so upgrading storage to General Purpose (SSD) or Provisioned IOPS (SSD) can often allow for additional request processing.
True or False? Amazon RDS automatically patches the database software and backs up your database, storing the backups for a user-defined retention period and enabling point-in-time recovery. A. True B. False
A. True
Which of the following techniques can you use to help you meet Recovery Point Objective (RPO) and Recovery Time Objective (RTO) requirements? (Choose 3 answers) A. DB snapshots B. DB option groups C. Read replica D. Multi-AZ deployment
A, C, D. DB snapshots allow you to back up and recover your data, while read replicas and a Multi-AZ deployment allow you to replicate your data and reduce the time to failover.
What properties of an Amazon VPC must be specified at the time of creation? (Choose 2 answers) A. The CIDR block representing the IP address range B. One or more subnets for the Amazon VPC C. The region for the Amazon VPC D. Amazon VPC Peering relationships
A, C. The CIDR block is specified upon creation and cannot be changed. An Amazon VPC is associated with exactly one region which must be specified upon creation. You can add a subnet to an Amazon VPC any time after it has been created, provided its address range falls within the Amazon VPC CIDR block and does not overlap with the address range of any existing subnet. You can set up peering relationships between Amazon VPCs after they have been created.
Which of the following are steps you should take in securing your AWS account? (Choose 3) A. Activate Multifactor Authentication (MFA) on your root account. B. Create a Root IAM role. C. Use Groups to assign permissions to IAM users. D. Create individual IAM users.
A. & C. & D. The Root account should have MFA enabled; you should always create individual users (the Root account should never be used for actual work); and groups should be used to grant permissions to the users you create.
What is the maximum size IP address range that you can have in an Amazon VPC? A. /16 B. /24 C. /28 D. /30
A. /16 The largest CIDR block you can assign to a VPC is /16 (65,536 addresses); the smallest is /28. Subnets must use a block in the same /16 to /28 range, and AWS reserves the first four and the last address of every subnet.
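The two VPC cards above (CIDR fixed at creation, subnets inside the VPC block and non-overlapping, /16 to /28) are easy to get wrong when planning address space by hand. The following Python is an added example, not part of the original study notes or of any AWS tool: it applies those rules with the standard library's `ipaddress` module and reports the usable host count per subnet after AWS's five reserved addresses. The function names and the sample address ranges are my own choices.

```python
import ipaddress

# VPC and subnet CIDR limits: netmask must be between /16 and /28.
VPC_MIN_PREFIX = 16
VPC_MAX_PREFIX = 28
# AWS reserves the first four addresses and the last address of every subnet
# (network, VPC router, DNS, future use, broadcast).
RESERVED_PER_SUBNET = 5


def vpc_cidr_problem(cidr):
    """Return None if cidr is a legal VPC block, else a string saying why not."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: rejects host bits set
    except ValueError as e:
        return f"{cidr}: {e}"
    if not isinstance(net, ipaddress.IPv4Network):
        return f"{cidr}: primary VPC CIDR must be IPv4"
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        return f"{cidr}: VPC CIDR must be between /{VPC_MIN_PREFIX} and /{VPC_MAX_PREFIX}"
    return None


def plan_subnets(vpc_cidr, subnet_cidrs):
    """Check each candidate subnet against the VPC and the subnets already accepted.

    Returns a dict mapping each subnet string either to its usable host count or
    to a string describing why it was rejected. Rejected subnets are not used
    when checking later candidates for overlap.
    """
    problem = vpc_cidr_problem(vpc_cidr)
    if problem:
        raise ValueError(problem)
    vpc = ipaddress.ip_network(vpc_cidr)
    accepted = []
    result = {}
    for s in subnet_cidrs:
        try:
            net = ipaddress.ip_network(s, strict=True)
        except ValueError as e:
            result[s] = f"malformed: {e}"
            continue
        if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
            result[s] = "subnet must be /16 to /28"
        elif not net.subnet_of(vpc):
            result[s] = f"not inside VPC {vpc}"
        else:
            clash = next((o for o in accepted if net.overlaps(o)), None)
            if clash is not None:
                result[s] = f"overlaps {clash}"
            else:
                accepted.append(net)
                result[s] = net.num_addresses - RESERVED_PER_SUBNET
    return result


if __name__ == "__main__":
    # Constructed plan: one good /24, one that overlaps it, a small /28,
    # and a range that is not inside the VPC at all.
    for subnet, status in plan_subnets(
        "10.0.0.0/16",
        ["10.0.1.0/24", "10.0.1.128/25", "10.0.3.0/28", "192.168.0.0/24"],
    ).items():
        print(f"{subnet:18} {status}")
```

Because the VPC CIDR cannot be changed after creation, running a check like this before `create-vpc` is cheaper than discovering later that a peering partner already uses the same block.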
What is the default limit for the number of Amazon VPCs that a customer may have in a region? A. 5 B. 6 C. 7 D. There is no default maximum number of VPCs within a region.
A. 5 The default limit for the number of Amazon VPCs that a customer may have in a region is 5.
Which of the following are characteristics of Amazon S3? (Select TWO.) A. A global file system B. An object store C. A local file store D. A network file system E. A durable storage system
B. An object store E. A durable storage system S3 is an object store, not a file system: objects are stored in buckets and accessed over HTTP(S) rather than mounted, and the service is designed for very high durability.
What happens when you create a new Amazon VPC? A. A main route table is created by default. B. Three subnets are created by default—one for each Availability Zone. C. Three subnets are created by default in one Availability Zone. D. An IGW is created by default.
A. A main route table is created by default. When you create an Amazon VPC, a route table is created by default. You must manually create subnets and an IGW.
Elastic Load Balancing health checks may be what? (Choose three) A. A ping B. A key pair verification C. A connection attempt D. A page request E. An Amazon EC2 instance status check
A. A ping C. A connection attempt D. A page request An ELB health check is configured with a protocol and port: a TCP connection attempt, or an HTTP/HTTPS request for a "ping path" that must return 200. An EC2 instance status check is an EC2 feature, not an ELB health check.
When you create a table in Amazon DynamoDB, in addition to the table name, you must specify the _____ of the table. A. Primary Key B. Local secondary index C. Sort key D. Global secondary index
A. Primary Key You must specify the primary key of the table.
What are the minimum elements required to create an Auto Scaling launch configuration? Select 3 A. AMI B. Security Group C. Instance type D. Block device mapping E. Launch Configuration Name
A. AMI C. Instance type E. Launch Configuration Name
Which of the following AWS services should you use to migrate an existing database to AWS? A. AWS DMS B. Storage Gateway C. Route 53 D. SNS
A. AWS DMS The AWS Database Migrations Service is the best choice.
Which of the following Amazon Web Services can be referred to as a serverless service? (Select three)? A. AWS Lambda B. Elastic Load Balancing C. Amazon SNS D. Amazon DynamoDB
A. AWS Lambda C. Amazon SNS D. Amazon DynamoDB The serverless concept refers to using compute and other services without provisioning or managing the underlying infrastructure. AWS Lambda runs code functions, written in one of its supported languages, in response to events; those functions can call or invoke other AWS services in the user's build. (AWS Cloud9 is a browser-based integrated development environment (IDE) used to author, run and debug code in various languages; it is a development tool, not one of the answers here.) With DynamoDB, there are no servers to provision, patch, or manage and no software to install, maintain, or operate. Elastic Load Balancing is the distractor.
An administrator would like to efficiently automate the replication and deployment of a specific software configuration existent on one EC2 instance onto four hundred others. Which AWS service is BEST suited for this implementation? A. AWS OpsWorks B. AWS Beanstalk C. AWS Launch Configuration D. AWS Auto-scaling
A. AWS OpsWorks
Select TWO statements that describe the main roles of AWS Web Application Firewall (WAF) and AWS Shield? A. AWS Shield Standard is inherently available within the AWS WAF service at no extra cost B. AWS WAF is inherently available within the AWS Shield Standard service at an additional charge C. AWS Web Application Firewall (WAF) will provide expanded protection against SYN floods, DNS query floods and UDP reflection attacks at no additional cost D. AWS Web Application Firewall (WAF) and AWS Shield are fully-managed services E. AWS WAF is a web application firewall that includes AWS Shield - a service that prevents distributed denial of service (DDoS) attacks
A. AWS Shield Standard is inherently available within the AWS WAF service at no extra cost E. AWS WAF is a web application firewall that includes AWS Shield - a service that prevents distributed denial of service (DDoS) attacks AWS WAF is a web application firewall that lets you monitor and filter the HTTP(S) requests reaching your web resources, such as an Amazon CloudFront distribution or an Application Load Balancer. AWS Shield Standard, included at no additional cost, protects against common network and transport layer DDoS attacks such as SYN floods, DNS query floods and UDP reflection attacks; AWS Shield Advanced is a paid subscription that adds expanded protection and DDoS response support.
Which of the following are Migration services? Select 2 A. AWS Snowball B. AWS Config C. AWS Application Discovery Service D. AWS OpsWorks
A. AWS Snowball C. AWS Application Discovery Service AWS Config and AWS OpsWorks are Management Tools.
Which of the following are best practices when it comes to securing your Root AWS account? Select 5 A. Activate MFA on the Root Account. B. Create individual IAM users. C. Delete your Root account password D. Delete your Root access keys. E. Store your Root account keys on your application for easy access. F. Apply an IAM password policy. G. Use groups to assign permissions.
A. Activate MFA on the Root Account. B. Create individual IAM users. D. Delete your Root access keys. F. Apply an IAM password policy. G. Use groups to assign permissions. Never store root credentials in an application and never delete the root password.
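The root-account practices in this card and in the earlier "securing your AWS account" card (MFA on root, no root access keys, individual users with MFA, a password policy) can all be verified from the IAM credential report that `aws iam get-credential-report` returns as CSV. The Python below is an added example, not part of the original notes or of any AWS tooling: it audits a constructed report laid out like the real one (columns trimmed to those the checks need; the `<root_account>` user name and `not_supported` password value are how the real report presents the root user). The 90-day key-age threshold is my assumption, not an AWS constant.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the layout of `aws iam get-credential-report` output,
# trimmed to the columns the checks below need. Not real account data.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2022-03-01T09:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2024-01-10T08:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,2022-06-20T12:00:00+00:00,true,2023-11-05T12:00:00+00:00
"""

KEY_MAX_AGE = timedelta(days=90)  # assumed rotation threshold, not an AWS constant


def _true(value):
    return value.strip().lower() == "true"


def audit_credential_report(report_csv, now_iso):
    """Return a list of (user, finding) tuples.

    Checks: root has MFA, root has no access keys, console users have MFA,
    and (extra check) no active access key is older than KEY_MAX_AGE.
    now_iso is an ISO-8601 timestamp with offset, passed in so results are
    reproducible.
    """
    now = datetime.fromisoformat(now_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        if is_root and not _true(row["mfa_active"]):
            findings.append((user, "root account has no MFA device"))
        if is_root and (_true(row["access_key_1_active"]) or _true(row["access_key_2_active"])):
            findings.append((user, "root account has active access keys; delete them"))
        if not is_root and _true(row["password_enabled"]) and not _true(row["mfa_active"]):
            findings.append((user, "console password enabled without MFA"))
        for n in ("1", "2"):
            if _true(row[f"access_key_{n}_active"]):
                rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
                if now - rotated > KEY_MAX_AGE:
                    findings.append((user, f"access key {n} older than {KEY_MAX_AGE.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, "2024-03-01T00:00:00+00:00"):
        print(f"{user:15} {finding}")
```

The same function works on a real report once it is base64-decoded from the API response; the password policy itself is checked separately with `aws iam get-account-password-policy`.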
Which Amazon Relational Database Service (Amazon RDS) database engines support Multi-AZ? A. MySQL B. Microsoft SQL Server, MySQL, and Oracle C. Oracle, Amazon Aurora, and PostgreSQL D. All of them
D. All of them. All Amazon RDS database engines support Multi-AZ deployment.
A business analyst would like to move away from creating complex database queries and static spreadsheets when generating regular reports for high-level management. They would like to dynamically publish insightful, graphically appealing reports with interactive dashboards. Which service can they use to accomplish this? A. Amazon QuickSight B. Business intelligence on Amazon Redshift C. Amazon CloudWatch dashboards D. Amazon Athena integrated with Amazon Glue
A. Amazon QuickSight
You are working for a small organization without a dedicated database administrator on staff. You need to install Microsoft SQL Server Enterprise edition quickly to support an accounting back office application on Amazon Relational Database Service (Amazon RDS). What should you do? A. Launch an Amazon RDS DB Instance, and select Microsoft SQL Server Enterprise Edition under the Bring Your Own License (BYOL) model. B. Provision SQL Server Enterprise Edition using the License Included option from the Amazon RDS Console. C. SQL Server Enterprise edition is only available via the Command Line Interface (CLI). Install the command-line tools on your laptop, and then provision your new Amazon RDS Instance using the CLI. D. You cannot use SQL Server Enterprise edition on Amazon RDS. You should install this on to a dedicated Amazon Elastic Compute Cloud (Amazon EC2) Instance.
A. Amazon RDS supports Microsoft SQL Server Enterprise edition and the license is available only under the BYOL model.
Which of the following service is most useful when a Disaster Recovery method is triggered in AWS? A. Amazon Route 53 B. Amazon SNS C. Amazon SQS D. Amazon Inspector
A. Amazon Route 53 Route 53 is the AWS Domain Name System (DNS) service. When a disaster does occur, its failover routing makes it easy to switch traffic to a secondary site.
There is a requirement to store objects. The objects must be downloadable via a URL. Which storage option would you choose? A. Amazon S3 B. Amazon Glacier C. Amazon Storage Gateway D. Amazon EBS
A. Amazon S3
Which of the following storage options provides the option of Lifecycle policies that can be used to move objects to archive storage? A. Amazon S3 B. Amazon Glacier C. Amazon Storage Gateway D. Amazon EBS
A. Amazon S3
Which of the following are principles of sound design when it comes to performance efficiency? (Choose 3) A. Democratize advanced technologies. B. Deploy into multiple Regions to go global in minutes. C. Have your IT staff master all new technologies. D. Use Serverless architectures. E. Mechanical empathy
A. Democratize advanced technologies. B. Deploy into multiple Regions to go global in minutes. D. Use Serverless architectures. Of these choices, you should democratize advanced technologies, deploy into multiple Regions, and use Serverless technologies
Which of the following are Support Levels offered by AWS? (Choose 3) A. Basic B. Developer C. Business D. Individual E. Start-up
A. Basic B. Developer C. Business The AWS Support levels are Basic, Developer, Business, and Enterprise.
True or False: A Distribution is what we call a series of Edge Locations that make up CDN? A.True B. False
A. True The collection of a CDN's Edge Locations is called a Distribution.
Which of the following support plans features a < 4-hour response time in the event of an impaired production system? A. Business B. Developer C. Individual D. Basic
A. Business Both the Business and Enterprise support levels offer a < 4-hour response time in the event of an impaired production system.
Which of the following AWS Support levels offers 24x7 support via phone or chat? A. Business B. Individual C. Developer D. Basic
A. Business The Business and Enterprise support plans offer 24 X 7 support via phone or chat.
You plan to deploy an application on AWS. This application needs to be PCI Compliant. Which of the below steps are needed to ensure compliance? Choose 2 answers from the below: A. Choose AWS services which are PCI Compliant B. Ensure the right steps are taken during application development for PCI Compliance C. Ensure the AWS Services are made PCI Compliant D. Do an audit after the deployment of the application for PCI Compliance
A. Choose AWS services which are PCI Compliant B. Ensure the right steps are taken during application development for PCI Compliance
Which of the following AWS services should you use if you'd like to be notified when you have crossed a billing threshold? A. CloudWatch B. AWS Budget C. AWS Cost Allocation D. Trusted Advisor
A. CloudWatch A CloudWatch alarm can be set to monitor spending on your AWS Account.
Amazon CloudWatch supports which types of monitoring plans? (Choose two) A. Detailed monitoring, which has an additional cost. B. Detailed monitoring, which is free. C. Basic Monitoring, which has an additional cost. D. Ad hoc monitoring, which has an additional a cost. E. Basic monitoring, which is free
A. Detailed monitoring, which has an additional cost. E. Basic monitoring, which is free
The AWS Risk and Compliance Programs is made up of which of the following components? (Choose three) A. Control Environment B. Automation Environment C. Identity Management D. Physical Security E. Risk Management F. Information Security
A. Control Environment E. Risk Management F. Information Security
After initial login, what does AWS recommend as the best practice for the AWS Account Root User? (Select the best answer) A. Delete root user access keys B. Delete root user account C. Revoke all permissions on the root user account D. Restrict permission on root user account
A. Delete root user access keys
Which of the following AWS services use serverless technology? Choose 2 answers from the options given below. A. DynamoDB B. EC2 C. Simple Storage Service D. AWS Autoscaling
A. DynamoDB C. Simple Storage Service The Simple Storage service and DynamoDB are services where you don't need to manage the underlying infrastructure.
Which of the following Route 53 policies allow you to a) route data to a second resource if the first is unhealthy, and b) route data to resources that have better performance? A. Failover Routing and Latency-based Routing B. Geoproximity Routing and Geolocation Routing C. Geolocation Routing and Latency-based Routing D. Failover Routing and Simple Routing
A. Failover Routing and Latency-based Routing are the only two correct options, as they consider routing data based on whether the resource is healthy or whether one set of resources is more performant than another. Any answer containing location based routing (Geoproximity and Geolocation) cannot be correct in this case, as these types only consider where the client or resources are located before routing the data. They do not take into account whether a resource is online or slow. Simple Routing can also be discounted as it does not take into account the state of the resources.
True or False: Identity Access Management (IAM) is a Regional service? A. False B. True
A. False Identity and Access Management is a global service; users, groups, roles and policies are not tied to a region.
True or False: S3 can be used to host a dynamic website, like one that runs on a LAMP stack? A. False B. True
A. False S3 can be used to host *static* websites.
Which of the following data archival services is extremely inexpensive, but has a several hour data-retrieval window? A. Glacier B. S3-RRS C. S3-IA D. S3-1Zone-IA E. S3
A. Glacier Glacier offers extremely inexpensive data archival, but requires a 3-5 hour data-retrieval window.
Which of the following are principles of sound cloud design? (Choose 4) A. Infrastructure as code B. Disposable resources C. Treat your servers like pets, not cattle. D. Limit the number of 3rd-party services. E. Scalability F. Tightly-coupled components G. Assume *everything* will fail.
A. Infrastructure as code B. Disposable resources E. Scalability G. Assume *everything* will fail. Build your systems to be scalable, use disposable resources, reduce infrastructure to code, and, please, assume EVERYTHING will fail sooner or later.
Which of the following are components of the Security Pillar of the AWS Well-Architected Framework? Select 3 A. Infrastructure protection B. Customer Service C. IAM D. Technical Account Management E. Detective Controls
A. Infrastructure protection C. IAM E. Detective Controls IAM, Detective Controls, and Infrastructure protection are components of the Security pillar.
In Amazon S3, what is the difference between lifecycle policies and intelligent tiering? A. Lifecycle policies are not dependent on access patterns as is the case with intelligent tiering, instead they are pre-configured with a transition rule. B. Intelligent tiering is an object storage class which is not dependent on access patterns, it uses a pre-configured transition rule. C. When transitioning objects into different storage classes, intelligent tiering is automatic whilst lifecycle policies have to be manually triggered. D. Lifecycle policies cannot be configured to permanently delete objects from an S3 bucket whilst intelligent tiering can do so if versioning is turned on.
A. Lifecycle policies are not dependent on access patterns as is the case with intelligent tiering, instead they are pre-configured with a transition rule. Within Amazon S3, lifecycle policies automatically transition (or expire) objects according to a preconfigured rule, typically based on object age, regardless of how frequently the object is accessed. S3 Intelligent-Tiering is a storage class that moves objects between access tiers based on their observed access patterns.
A mobile shopping list app needs to be able to add, delete, and update items on specific lists anytime a user desires. The back end for the app will run on Amazon EC2 instances with Auto Scaling to manage fluctuations in user demand. Many times, a user will perform maintenance on many list items in a single session. What design characteristic must be incorporated into the app for these requirements to be met? A. Make sure the app doesn't need knowledge of previous transactions. B. Leverage load balancing to distribute transactions to multiple nodes C. Implement session affinity D. Use bootstrapping on the EC2 instances
A. Make sure the app doesn't need knowledge of previous transactions. In order for horizontal scaling to be effective, you'll want to make sure the app doesn't store previous transaction or session information on specific EC2 instances. That way, any EC2 instance provisioned by Auto Scaling can process the request. Leveraging load balancing is also a good practice, but doesn't address the need for a stateless app. Session affinity goes the other direction, directing a load balancer to route transactions to a specific instance each time. Bootstrapping runs scripts each time an EC2 instance is provisioned.
Which of the following is an optional security control that can be applied at the subnet layer of a VPC? A. Network ACL B. Security Group C. Firewall D. Web application firewall
A. Network ACL Network ACLs are associated to a VPC subnet to control traffic flow.
Which of the following are principles of sound design when it comes to reliability? select 2 A. Scale horizontally. B. Stop guessing about your capacity requirements. C. Manage change at the individual resource level. D. When in doubt, over-provision.
A. Scale horizontally. B. Stop guessing about your capacity requirements. The elasticity of cloud computing means that you need never over-provision or manage change at the resource level.
Common use cases for Amazon S3 include ________. (Choose 2) A. Static web hosting B. Installing a filesystem C. hosting a relational database D. Storing application assets
A. Static web hosting D. Storing application assets
Which AWS service gives the user the ability to group AWS resources across different AWS Regions by application and then collectively view their operational data for monitoring purposes? A. Systems Manager B. Management Console C. Resource Groups D. Resource Access Manager (AWS RAM)
A. Systems Manager
In which order is a user granted access to AWS services? A. The user is Authenticated, then Authorized to use AWS services. B. The user is Authorized, then Authenticated.
A. The user is Authenticated, then Authorized to use AWS services. Authentication proves who the caller is (password, access keys, or an assumed role's temporary credentials); authorization then evaluates the applicable IAM policies to decide whether that caller may perform the requested action on the requested resource.
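To make the authorization step above concrete, here is an added example (not from the original notes, and not AWS's own evaluation engine) of the core identity-policy evaluation order for a principal in its own account: any matching explicit Deny wins, otherwise a matching Allow is needed, otherwise the request is implicitly denied. It matches `Action` and `Resource` wildcards the way IAM documents them (`*` and `?`; action names case-insensitive, ARNs case-sensitive). Conditions, resource-based policies, permission boundaries and SCPs are deliberately out of scope. The policy documents and `is_allowed` name are my constructions.

```python
import fnmatch

# Constructed policies: a group policy granting read access to a bucket, and an
# inline Deny on the user that carves out one prefix. Real documents use the
# same JSON shape; Statement may be a single object or a list.
POLICIES = [
    {   # attached to the user's group
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::app-bucket", "arn:aws:s3:::app-bucket/*"],
        }],
    },
    {   # inline policy on the user
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::app-bucket/secrets/*",
        },
    },
]


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)


def _action_matches(patterns, action):
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARNs are case-sensitive.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def is_allowed(policies, action, resource):
    """Simplified evaluation for identity-based policies in one account.

    Returns True only if some statement allows the request and no statement
    explicitly denies it; a request nothing mentions is implicitly denied.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_action_matches(stmt.get("Action", []), action)
                    and _resource_matches(stmt.get("Resource", []), resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit deny overrides every allow
            allowed = True
    return allowed


if __name__ == "__main__":
    for act, res in [
        ("s3:GetObject", "arn:aws:s3:::app-bucket/public/index.html"),
        ("s3:GetObject", "arn:aws:s3:::app-bucket/secrets/key.pem"),
        ("s3:PutObject", "arn:aws:s3:::app-bucket/public/upload.txt"),
    ]:
        print(f"{act:14} {res:48} -> {is_allowed(POLICIES, act, res)}")
```

The third case in the usage block is the one people most often misread: nothing denies `s3:PutObject`, but nothing allows it either, so it fails by implicit deny. That is why "reduce privileged access" in the Security card earlier comes down to writing narrow Allow statements rather than relying on Deny lists.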
Which of the following is not one of the four areas of the performance efficiency pillar? (Select the best answer) A. Traceability B. Monitoring C. Selection D. Tradeoffs
A. Traceability
Which statements accurately distinguish AWS Cloud9 from AWS Lambda. (Select TWO). A. With AWS Cloud9, developers can share in real-time a development environment with just a few clicks and pair program together. This is not possible with AWS Lambda B. AWS Lambda can be used to create functions that run in AWS Cloud9 IDE C. AWS Lambda functions are dependent on the Amazon API Gateway whilst AWS Cloud9 IDE can write, run, and debug any code D. AWS Cloud9 provides an online platform to write, run, and debug code from the browser, whilst AWS Lambda functions can be installed locally E. Without locally installing an integrated development environment, AWS Cloud9 will not run.
A. With AWS Cloud9, developers can share in real-time a development environment with just a few clicks and pair program together. This is not possible with AWS Lambda B. AWS Lambda can be used to create functions that run in AWS Cloud9 IDE
An organization runs several EC2 instances inside a VPC using three subnets, one for Development, one for Test and one for Production. The Security team has some concerns about the VPC configuration and requires to restrict the communication across the EC2 instances using Security Groups. Which of the following options is true for Security Groups? A. You can change a Security Group associated to an instance if the instance state is stopped or running. B. You can change a Security Group associated to an instance if the instance state is stopped but not if the instance state is running. C. You can change a Security Group only if there are no instances associated to it. D. The only Security Group you can change is the Default Security Group. E. None of the above
A. You can change a Security Group associated to an instance if the instance state is stopped or running. After you launch an instance into a VPC, you can change the security groups that are associated with the instance. You can change the security groups for an instance when the instance is in the running or stopped state.
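The network ACL card above and this security group card describe the two VPC traffic controls, but the difference that matters in practice is that security groups are stateful (a reply to an admitted connection is always let back out) while NACLs are stateless (the reply is evaluated on its own against the outbound rules, so the client's ephemeral port must be allowed). The Python below is an added example, not part of the original notes or of any AWS tool, that models both evaluation rules and walks one HTTPS request and its reply through a deliberately misconfigured NACL and a corrected one. Rule formats, class names and the addresses are my own constructions.

```python
import ipaddress

# Port range AWS documents as the one to open outbound on a NACL for return traffic.
EPHEMERAL = (1024, 65535)


def _match(rule, proto, port, ip):
    """True if a (proto, (lo, hi), cidr) rule covers this packet."""
    r_proto, (lo, hi), cidr = rule
    return (r_proto in ("all", proto)
            and lo <= port <= hi
            and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr))


class SecurityGroup:
    """Stateful: allow rules only; the reply to an admitted flow is always allowed."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.tracked = set()  # admitted inbound flows: (proto, peer_ip, peer_port, local_port)

    def inbound_allowed(self, proto, dst_port, src_ip, src_port):
        ok = any(_match(r, proto, dst_port, src_ip) for r in self.inbound)
        if ok:
            self.tracked.add((proto, src_ip, src_port, dst_port))
        return ok

    def outbound_allowed(self, proto, dst_ip, dst_port, src_port):
        if (proto, dst_ip, dst_port, src_port) in self.tracked:
            return True  # connection tracking: outbound rules are not consulted
        return any(_match(r, proto, dst_port, dst_ip) for r in self.outbound)


class NetworkAcl:
    """Stateless: numbered allow/deny rules, lowest number first, implicit deny ('*') last."""

    def __init__(self, inbound, outbound):
        # each entry: (rule_number, action, proto, (lo, hi), cidr)
        self.inbound = sorted(inbound)
        self.outbound = sorted(outbound)

    @staticmethod
    def _evaluate(rules, proto, port, ip):
        for _number, action, r_proto, ports, cidr in rules:
            if _match((r_proto, ports, cidr), proto, port, ip):
                return action == "allow"  # first match wins
        return False  # the '*' rule: deny

    def inbound_allowed(self, proto, dst_port, src_ip):
        return self._evaluate(self.inbound, proto, dst_port, src_ip)

    def outbound_allowed(self, proto, dst_port, dst_ip):
        return self._evaluate(self.outbound, proto, dst_port, dst_ip)


def https_roundtrip(sg, nacl, client_ip="203.0.113.10", client_port=50000):
    """Walk one client->instance HTTPS request and its reply through both layers.
    Returns (request_admitted, reply_admitted)."""
    request = (nacl.inbound_allowed("tcp", 443, client_ip)
               and sg.inbound_allowed("tcp", 443, client_ip, client_port))
    if not request:
        return False, False
    # The reply is instance -> client, destination port = the client's ephemeral port.
    reply = (sg.outbound_allowed("tcp", client_ip, client_port, 443)
             and nacl.outbound_allowed("tcp", client_port, client_ip))
    return True, reply


# Constructed configs. The same security group serves both cases: 443 in, no outbound rules.
WEB_SG = SecurityGroup(inbound=[("tcp", (443, 443), "0.0.0.0/0")], outbound=[])

# A NACL that allows 443 in but forgets ephemeral ports out: replies are dropped.
NACL_BROKEN = NetworkAcl(
    inbound=[(100, "allow", "tcp", (443, 443), "0.0.0.0/0")],
    outbound=[(100, "allow", "tcp", (443, 443), "0.0.0.0/0")],
)

# Corrected NACL: return traffic to ephemeral ports is allowed, and a lower-numbered
# deny blocks one hostile source before the broad allow is reached.
NACL_FIXED = NetworkAcl(
    inbound=[(50, "deny", "tcp", (0, 65535), "198.51.100.0/24"),
             (100, "allow", "tcp", (443, 443), "0.0.0.0/0")],
    outbound=[(100, "allow", "tcp", EPHEMERAL, "0.0.0.0/0")],
)

if __name__ == "__main__":
    print("broken NACL:", https_roundtrip(WEB_SG, NACL_BROKEN))
    print("fixed NACL: ", https_roundtrip(WEB_SG, NACL_FIXED))
    print("blocked src:", https_roundtrip(WEB_SG, NACL_FIXED, client_ip="198.51.100.7"))
```

The broken case is the classic symptom of "the security group is right but nothing responds": the request reaches the instance and the reply dies at the subnet boundary. NACLs are also the only one of the two that can express a deny, which is why the blocklist goes there rather than in the security group.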
Your team is building an order processing system that will span multiple Availability Zones. During testing, the team wanted to test how the application will react to a database failover. How can you enable this type of test? A. Force a Multi-AZ failover from one Availability Zone to another by rebooting the primary instance using the Amazon RDS console. B. Terminate the DB instance, and create a new one. Update the connection string. C. Create a support case asking for a failover. D. It is not possible to test a failover.
A. You can force a failover from one Availability Zone to another by rebooting the primary instance in the AWS Management Console. This is often how people test a failover in the real world. There is no need to create a support case.
To view all categories of instance metadata from within a running instance, which URI should you use? (Select the best answer) A. http://169.254.169.254/latest/meta-data/ B. http://245.196.245.196/latest/meta-data/ C. http://254.169.254.169/latest/meta-data/ D. http://196.245.196.245/latest/meta-data/
A. http://169.254.169.254/latest/meta-data/ The link-local address 169.254.169.254 is reachable only from inside the instance. Because it also serves the instance role's temporary credentials, an application vulnerable to SSRF can be used to read them; enabling IMDSv2 (session-token required) on the instance mitigates that.
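The URI in this card is the IMDSv1 form, a single unauthenticated GET. The hardened IMDSv2 flow first obtains a session token with a PUT and then presents it on every GET, which is what defeats simple SSRF because a forged GET cannot carry the token. The Python below is an added example, not from the original notes or from AWS's SDKs: it implements that exchange with the real endpoint paths and header names, and includes a constructed in-memory stand-in for the metadata service so the flow can be exercised off an instance. The transport injection, `FakeImds` and its sample values are my own design.

```python
import urllib.request

IMDS_BASE = "http://169.254.169.254"
TOKEN_PATH = "/latest/api/token"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def urllib_transport(method, url, headers, timeout=2.0):
    """Real transport for use on an EC2 instance: returns (status, body_text)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode()


def get_metadata(path, transport=urllib_transport, ttl=21600):
    """Fetch an instance-metadata category the IMDSv2 way.

    Step 1: PUT /latest/api/token with a TTL header to obtain a session token.
    Step 2: GET the category with the token in X-aws-ec2-metadata-token.
    Raises RuntimeError if the token step fails instead of falling back to an
    unauthenticated IMDSv1 GET.
    """
    status, token = transport("PUT", IMDS_BASE + TOKEN_PATH, {TOKEN_TTL_HEADER: str(ttl)})
    if status != 200 or not token:
        raise RuntimeError(f"IMDSv2 token request failed with HTTP {status}")
    status, body = transport("GET", IMDS_BASE + "/latest/meta-data/" + path.lstrip("/"),
                             {TOKEN_HEADER: token})
    if status != 200:
        raise RuntimeError(f"metadata GET {path} failed with HTTP {status}")
    return body


class FakeImds:
    """Constructed stand-in for a metadata endpoint configured to require IMDSv2.

    It hands out tokens on PUT and refuses any GET that does not carry one of
    them, mirroring the 401 a real v2-only endpoint returns.
    """

    def __init__(self):
        self.issued = set()
        self.data = {  # constructed sample values, not a real instance
            "instance-id": "i-0123456789abcdef0",
            "iam/security-credentials/": "example-role",
        }

    def __call__(self, method, url, headers):
        path = url[len(IMDS_BASE):]
        if method == "PUT" and path == TOKEN_PATH:
            if TOKEN_TTL_HEADER not in headers:
                return 400, ""
            token = f"tok-{len(self.issued) + 1}"
            self.issued.add(token)
            return 200, token
        if method == "GET" and path.startswith("/latest/meta-data/"):
            if headers.get(TOKEN_HEADER) not in self.issued:
                return 401, ""  # token required
            key = path[len("/latest/meta-data/"):]
            return (200, self.data[key]) if key in self.data else (404, "")
        return 404, ""


if __name__ == "__main__":
    fake = FakeImds()
    print(get_metadata("instance-id", transport=fake))
    print("v1-style GET ->", fake("GET", IMDS_BASE + "/latest/meta-data/instance-id", {})[0])
```

On a real instance, call `get_metadata("instance-id")` with the default transport. Requiring IMDSv2 is an instance setting (`HttpTokens=required` in the instance metadata options), and keeping the hop limit at 1 stops containers and forwarded requests from reaching the endpoint at all.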
AWS directory services differences:
AWS Managed Microsoft Active Directory: a hosted Microsoft Active Directory running in the AWS cloud. AD Connector: a proxy for single sign-on and authentication against your on-premises Active Directory; no directory data is cached in AWS. Simple AD: a simple, low-cost, Samba-based alternative to Active Directory.
You need to use an AWS service to assess the security and compliance of your EC2 instances. Which service should you use?
Amazon Inspector
Which is AWS's managed DDoS protection service?
AWS Shield
Patches
AWS is responsible for patching the underlying infrastructure (hosts, hypervisors, managed-service software), but customers are responsible for patching their guest OS and applications on EC2
EBS volumes must be in the same
AZ as the instances they are attached to
Reservations
Ability to receive a greater discount by committing to capacity ahead of time. Contract terms are 1 or 3 years. Good for: - steady state or predictable usage - workloads that require reserved capacity
Aws rekognition
Add image and video analysis to your applications - Identify objects, people, text, scenes, and activities in images and videos
Amazon transcribe
Add speech to text capabilities to applications - Recorded speech can be converted to text before it can be used in applications
Within an ECS container instance there is a task; that task contains one or more containers built from Docker images stored in an
Amazon Elastic Container Registry (ECR). Docker images can be stored in and pulled from Amazon ECR
S3 Glacier Deep Archive (Storage Class)
Amazon S3's lowest-cost storage class, for long-term archives where a retrieval time of 12 hours is acceptable
Kinesis data analytics vs Kinesis Data Firehose
Analytics: - Provides real-time SQL processing for streaming data vs Firehose: - No shards to manage; completely automated and elastically scalable - Delivers data directly to another service such as S3, Splunk, Redshift or Elasticsearch
2 main types of Elastic Load Balancing (ELB), alongside the older Classic Load Balancer
Application load balancer (ALB) - layer 7 load balancer that routes connections based on the content of the request Network load balancer (NLB) - layer 4 load balancer that routes connections based on IP protocol data
Snowball family
AWS Snowball and Snowmobile are used for migrating large volumes of data to AWS
AWS x-ray
AWS X-Ray helps developers analyze and debug production, distributed applications, such as those built using a microservices architecture
Choose the features of Consolidated Billing. (Choose 3) A. Charging is based per VPC B. Multiple standalone accounts are combined and may reduce your overall bill C. Account charges can be tracked individually D. A single bill is issued containing the charges for all AWS Accounts
B. & C. & D
Which of the following are characteristics of the Auto Scaling service on AWS? (Choose three) A. Sends traffic to healthy instances B. Responds to changing conditions by adding or terminating Amazon EC2 instances. C. Delivers push notifications D. Launches instances from a specified AMI E. Enforces a minimum number of running Amazon EC2 instances.
B. & D. & E.
Which of the following AWS resources would you use in order for an EC2-VPC instance to resolve DNS names outside of AWS? A. A VPC peering connection B. A DHCP option set C. A routing rule D. An IGW
B. A DHCP option set A DHCP option set allows customers to define DNS servers for DNS name resolution, establish domain names for instances within an Amazon VPC, define NTP servers, and define the NetBIOS name servers.
In Amazon DynamoDB, an attribute is ______. A. A collection of items B. A fundamental data element C. A collection of attributes
B. A fundamental data element In Amazon DynamoDB, an attribute is a fundamental data element.
Where can a customer find information about prohibited actions on AWS infrastructure? (Select the best answer) A. AWS Billing Console B. AWS Acceptable Use Policy C. AWS IAM D. AWS Trusted Advisor
B. AWS Acceptable Use Policy
Which AWS service is specifically designed to assist you in processing large data sets? A. AWS Big Data Processing B. AWS EMR C. ElastiCache D. EC2
B. AWS EMR Amazon EMR is a web service that makes it easy to process large amounts of data efficiently.
Which of the following services allows you to analyze EC2 Instances against pre-defined security templates to check for vulnerabilities? A. AWS Trusted Advisor B. AWS Inspector C. AWS WAF D. AWS Shield
B. Amazon Inspector Enables you to analyze the behavior of your AWS resources and helps you to identify potential security issues. Using Amazon Inspector, you can define a collection of AWS resources that you want to include in an assessment target. You can then create an assessment template and launch a security assessment run of this target.
Which of the following services provides trusted users with temporary security credentials that can control access to your AWS resources? (Select the best answer) A. AWS CLI B. AWS Security Token Service(STS) C. AWS IAM User D. Application authentication
B. AWS Security Token Service(STS)
The Chief Marketing Officer of the hotel chain you work for would like to implement voice recognition capabilities in rooms so customers can request services without picking up the phone. Competitors have already begun rolling out these technologies in an attempt to improve their customers' experience. Which benefit of the AWS cloud would you most emphasize to the CMO in your business case for creating an AWS-based solution? A. Deploy Globally in Minutes B. Agility C. Elasticity D. Cost Savings
B. Agility The AWS cloud provides instant access to new technologies. Companies can move with agility to satisfy new business requirements and meet competitive demands. There is a very low barrier of entry for innovation. If a solution is not meeting expectations, services can be instantly de-provisioned. The other three options will also prove to be benefits of deploying in the AWS cloud, but the use case emphasizes the need to move quickly against competitive threats.
Which AWS database service is best suited for traditional Online Transaction Processing (OLTP)? A. Amazon Redshift B. Amazon Relational Database Service (Amazon RDS) C. Amazon Glacier D. Elastic Database
B. Amazon RDS is best suited for traditional OLTP transactions. Amazon Redshift, on the other hand, is designed for OLAP workloads. Amazon Glacier is designed for cold archival storage.
Amazon VPC ________. A. Allows you to build a private, virtual network in the AWS cloud. B. Amazon VPC offers all of these features. C. Offers several layers of security controls. D. Affords you complete control of network configuration.
B. Amazon VPC offers all of these features Amazon VPC allows you to build a private, virtual network in the AWS cloud, affords you complete control of network configuration, and offers several layers of security controls.
What are the three types of load balancers that ELB offers? A. Internet Load Balancer B. Application Load Balancer C. Network Load Balancer D. Compute Load Balancer E. Classic Load Balancer F. Auto Scaling Load Balancer
B. Application Load Balancer C. Network Load Balancer E. Classic Load Balancer
With RDS, read-replicas are available for which of the following? (Choose 5) A. MS SQLServer B. Aurora C. PostgreSQL D. MySQL E. Oracle F. MariaDB
B. Aurora C. PostgreSQL D. MySQL E. Oracle F. MariaDB Read replicas are available for MySQL, Aurora, MariaDB, PostgreSQL and Oracle. When this card was written, RDS for SQL Server did not offer read replicas; it has since added them (initially for Enterprise Edition), so check the current RDS documentation before relying on this answer.
Which of the following is a Shared Control of the AWS Shared Responsibility Model? A. EC2 Instance Application Configuration B. Awareness & Training C. Identity and Access Management D. Datacenter Security
B. Awareness & Training Shared Controls are elements of the Shared Responsibility Model where both AWS and the customer have shared responsibilities within their own contexts. Awareness & Training is a Shared Control, since AWS trains AWS employees, but a customer must train their own employees. Datacenter Security is solely the responsibility of AWS. Configuration of an application within an EC2 instance, and Identity and Access Management, remain the responsibility of the customer.
You have been using Amazon Relational Database Service (Amazon RDS) for the last year to run an important application with automated backups enabled. One of your team members is performing routine maintenance and accidentally drops an important table, causing an outage. How can you recover the missing data while minimizing the duration of the outage? A. Perform an undo operation and recover the table. B. Restore the database from a recent automated DB snapshot. C. Restore only the dropped table from the DB snapshot. D. The data cannot be recovered.
B. DB Snapshots can be used to restore a complete copy of the database at a specific point in time. Individual tables cannot be extracted from a snapshot.
Your company handles a crucial ecommerce application. This applications needs to have an uptime of at least 99.5%. There is a decision to move the application to the AWS Cloud. Which of the following deployment strategies can help build a robust architecture for such an application? A. Deploying the application across multiple VPC's B. Deploying the application across multiple Regions C. Deploying the application across Edge locations D. Deploying the application across multiple subnets
B. Deploying the application across multiple Regions
You are responsible for your company's AWS resources, and you notice a significant amount of traffic from an IP address in a foreign country in which your company does not have customers. Further investigation of the traffic indicates the source of the traffic is scanning for open ports on your EC2-VPC instances. Which one of the following resources can deny the traffic from reaching the instances? A. Security group B. Network ACL C. NAT instance D. An Amazon VPC endpoint
B. Network ACL Network ACL rules can explicitly deny traffic from a source CIDR block. Security groups hold allow rules only (anything not allowed is implicitly dropped), so the only VPC control that can deny the scanner's traffic outright is a network ACL rule; NAT instances and VPC endpoints do not filter inbound traffic.
Why is Amazon DynamoDB service best-suited for implementation in mobile, Internet of Things (IoT) and gaming applications? A. DynamoDB is a fully-managed database instance with no infrastructure overheads B. DynamoDB has a flexible data model and single-digit millisecond latency C. Whilst in operation, DynamoDB instances are spread across at least three geographically distinct centers, AWS Regions D. DynamoDB supports eventual and strongly consistent reads
B. DynamoDB has a flexible data model and single-digit millisecond latency
Which Amazon VPC feature allows you to create a dual-homed instance? A. EIP address B. ENI C. Security groups D. CGW
B. ENI Attaching an ENI associated with a different subnet to an instance can make the instance dual-homed.
Which of the below does S3 Transfer Acceleration use to get your data into AWS quicker? A. Availability Zones B. Edge Locations C. AWS Regions D. VPCs
B. Edge Locations S3 Transfer Acceleration uses AWS' network of Edge Locations to more quickly get your data into AWS.
The Access Key and Secret Access Key are used to log into the AWS Management Console. A. True B. False
B. False The access key ID and secret access key authenticate programmatic calls made through the AWS CLI, SDKs and API. The Management Console is accessed with a user name and password, ideally with MFA enabled.
True or False? AWS is responsible for the security of everything above the hypervisor layer. A. True B. False
B. False AWS secures the hypervisor and everything beneath it (hosts, network, facilities). Everything above the hypervisor, such as the guest operating system, its patches, installed software, firewall configuration and data, is the customer's responsibility.
True or False: Objects stored in S3 are stored in a single, central location within AWS? A. True B. False
B. False Objects stored in S3 are stored in multiple servers in multiple facilities across AWS.
True or False: The Standard version of AWS Shield offers automated application (layer 7) traffic monitoring. A. True B. False
B. False Only AWS Shield Advanced offers automated application layer monitoring.
True or False: S3 Transfer Acceleration uses AWS' network of Availability Zones to more quickly get your data into AWS. A. True B. False
B. False S3 Transfer Acceleration uses AWS' network of Edge Locations to more quickly get your data into AWS.
True or False: With Consolidated Billing, the Paying Account can make changes to any of the resources owned by a Linked Account. A. True B. False
B. False The Paying Account cannot make changes to any of the resources owned by a Linked Account.
True or False: To restrict access to an entire bucket, you use bucket control lists; and to restrict access to an individual object, you use object policies. A. True B. False
B. False To restrict access to an entire bucket, you use bucket policies; and to restrict access to an individual object, you use access control lists.
AWS IAM is appropriate for OS and application authentication. A. True B. False
B. False IAM controls authentication and authorization for AWS APIs and resources. Logins to the guest operating system (for example SSH or RDP) and to applications running on your instances must be handled by the OS or the application itself.
Which of the following does AWS perform on its behalf for EBS volumes to make it less prone to failure? A. Replication of the volume across Availability Zones B. Replication of the volume in the same Availability Zone C. Replication of the volume across Regions D. Replication of the volume across Edge locations
B. Replication of the volume in the same Availability Zone When you create an EBS volume in an Availability Zone, it is automatically replicated within that zone to prevent data loss due to failure of any single hardware component
"S3 Intelligent-Tiering" object storage class delivers automatic cost savings by moving data between which of the two access tiers? A. Standard access and Frequent access B. Frequent access and Infrequent access C. Standard access and Infrequent access D. Standard access and One Zone-Infrequent access
B. Frequent access and Infrequent access
You are building the database tier for an enterprise application that gets occasional activity throughout the day. Which storage type should you select as your default option? A. Magnetic storage B. General Purpose Solid State Drive (SSD) C. Provisioned IOPS (SSD) D. Storage Area Network (SAN)-attached
B. General Purpose (SSD) volumes are generally the right choice for databases that have bursts of activity.
In Cost Optimization, what is referred to as EC2 Right Sizing? A. It is a cost-effective solution to determine the appropriate Amazon EC2 resources such as memory, processor type and storage when provisioning an instance type. B. It is a cost-saving solution that analyses data over a period of time to determine and recommend the type of Amazon EC2 instances appropriate for your workload. C. It is the scaling down or scaling up of Amazon EC2 instances and instance types to meet workload demand by maintaining only the threshold resources. D. It is a cost-saving solution that outlines the recommendations of best practice in four aspects namely cost optimization, performance, fault-tolerance and service limits.
B. It is a cost-saving solution that analyses data over a period of time to determine and recommend the type of Amazon EC2 instances appropriate for your workload.
IAM policies are written using ________. A. SGML B. JSON C. SAML D. XML
B. JSON IAM policies are written using JSON.
Which of the following are required elements of an Auto Scaling group? (Choose two) A. Desired Capacity B. Launch Configuration C. Health checks D. Minimum size
B. Launch Configuration D. Minimum size
Which of the following options will help increase the availability of a web server farm? (Choose two) A. Deploy the instance in an Amazon Virtual Private Cloud. B. Launch web server instance across Multiple AZ. C. Use CloudFront to deliver content to end users. D. Add more CPU & RAM to each instance. E. Leverage Auto Scaling to recover from failed instances.
B. Launch web server instance across Multiple AZ. E. Leverage Auto Scaling to recover from failed instances.
Which of the following is AWS's responsibility under the AWS shared responsibility model? (Select the best answer) A. Configuring third-party applications B. Maintaining physical hardware C. Securing application access and data D. Managing custom AMI
B. Maintaining physical hardware Infrastructure is the hardware, software, networking and facilities that run the cloud; securing it is AWS's part of the model.
You need to allow resources in a private subnet to access the internet. Which of the following must be present to enable this access? A. Network Access Control Lists B. NAT Gateway C. Security Groups D. Route Tables
B. NAT Gateway A NAT Gateway is required to allow resources in a private subnet to access the internet.
An administrator noticed a consistent spike in processor and memory activity on the organisation's web servers that host a large web application, this was after installing Secure Socket Layer/Transport Layer Security (SSL/TLS) for security. This increased activity degraded the web application's responsiveness. What is the best-practice solution to resolve the situation? A. Migrate the web application onto m4.4xlarge EC2 instances with robust compute, processing and networking capability. B. Offload the SSL/TLS from running locally to AWS CloudHSM. C. Create an auto-scaling group that scales out as traffic to the web application cluster increases. D. Create a custom AWS CloudWatch metric to monitor the instance resources, by writing a script in the AWS Command Line Interface (AWS CLI).
B. Offload the SSL/TLS from running locally to AWS CloudHSM. CloudHSM's documented use cases include SSL/TLS offload for web servers, which moves the handshake cryptography off the instance CPU. In practice the same relief is commonly obtained by terminating TLS on an Elastic Load Balancer in front of the web servers.
Which Amazon Relational Database Service (Amazon RDS) database engines support read replicas? A. Microsoft SQL Server and Oracle B. MySQL, MariaDB, PostgreSQL, and Aurora C. Aurora, Microsoft SQL Server, and Oracle D. MySQL and PostgreSQL
B. Read replicas are supported by MySQL, MariaDB, PostgreSQL, and Aurora. This card predates read replica support for RDS for Oracle and RDS for SQL Server; both engines offer read replicas today, so treat this answer as historical.
You need to find an item in a DynamoDB table using an attribute other than the item's primary key. Which of the following operations should you use? A. POST B. Scan C. Query D. GET
B. Scan To find an item in a DynamoDB table by an attribute other than the item's primary key, you use the Scan operation, which reads every item in the table and applies a filter. Because a Scan consumes read capacity for the whole table, frequent lookups on another attribute are better served by a secondary index on that attribute, which can then be queried.
Which of the following are some of the security benefits that AWS offers? (Choose two) A. Shared Collaboration Model B. Secure global infrastructure C. Meet compliance requirements D. Inventory and Application Management E. Data Storage
B. Secure global infrastructure C. Meet compliance requirements
What aspect of an Amazon VPC is stateful? A. Network ACLs B. Security groups C. Amazon DynamoDB D. Amazon S3
B. Security groups Security groups are stateful, whereas network ACLs are stateless.
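The two filtering models behind the last few cards (a network ACL that can explicitly deny the scanner's traffic, and a stateful, allow-only security group) are easy to confuse on the exam. The following is an added example, not AWS code and not part of the original deck: a toy Python model of both controls. Every address, port and rule number in it is invented for the demonstration.

```python
"""
Toy model of how a VPC filters traffic: a network ACL (stateless, numbered
allow/deny rules, first match wins) next to a security group (stateful,
allow-only rules).  Constructed example, not AWS code; every address, port
and rule number below is invented for the demonstration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Rule = Tuple[str, int, int, str]          # (protocol, port_from, port_to, cidr)
Flow = Tuple[str, int, str, int]          # (src_ip, src_port, dst_ip, dst_port)


def _in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def _rule_hits(rule: Rule, protocol: str, port: int, ip: str) -> bool:
    proto, lo, hi, cidr = rule
    return (proto in ("all", protocol)) and lo <= port <= hi and _in_cidr(ip, cidr)


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated lowest number first
    action: str      # "allow" or "deny"
    match: Rule      # cidr is the source for inbound rules, destination for outbound


def nacl_evaluate(rules: List[NaclRule], remote_ip: str, port: int,
                  protocol: str = "tcp") -> Tuple[str, Optional[int]]:
    """First matching rule decides; nothing matched means the '*' rule denies.
    Returns (decision, rule number), with None standing for the '*' rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _rule_hits(rule.match, protocol, port, remote_ip):
            return rule.action, rule.number
    return "deny", None


@dataclass
class SecurityGroup:
    """Allow rules only: an unmatched packet is dropped, and there is no way to
    write a deny.  Stateful: an allowed inbound request is tracked so its reply
    leaves without consulting the outbound rules."""
    inbound: List[Rule]
    outbound: List[Rule] = field(default_factory=list)
    _tracked: Set[Flow] = field(default_factory=set)

    def inbound_allowed(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                        protocol: str = "tcp") -> bool:
        if any(_rule_hits(r, protocol, dst_port, src_ip) for r in self.inbound):
            self._tracked.add((src_ip, src_port, dst_ip, dst_port))
            return True
        return False

    def outbound_allowed(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                         protocol: str = "tcp") -> bool:
        if (dst_ip, dst_port, src_ip, src_port) in self._tracked:   # reply to a tracked flow
            return True
        return any(_rule_hits(r, protocol, dst_port, dst_ip) for r in self.outbound)


# --- constructed scenario: a port scanner and a legitimate client -----------
SCANNER, CLIENT, WEB = "203.0.113.7", "198.51.100.20", "10.0.1.10"

# Subnet NACL: rule 50 denies the scanner's range before rule 100 admits HTTPS
# from anywhere.  Because the ACL is stateless, replies on ephemeral ports need
# their own outbound rule (NACL_OUT).
NACL_IN = [NaclRule(50, "deny", ("all", 0, 65535, "203.0.113.0/24")),
           NaclRule(100, "allow", ("tcp", 443, 443, "0.0.0.0/0"))]
NACL_OUT = [NaclRule(100, "allow", ("tcp", 1024, 65535, "0.0.0.0/0"))]


def web_sg() -> SecurityGroup:
    return SecurityGroup(inbound=[("tcp", 443, 443, "0.0.0.0/0")])   # no outbound rules


def scanner_probe_decisions() -> Tuple[str, bool]:
    """NACL stops the scanner on rule 50; the security group cannot, because its
    HTTPS allow rule matches and security groups have no deny."""
    nacl_decision, _ = nacl_evaluate(NACL_IN, SCANNER, 443)
    return nacl_decision, web_sg().inbound_allowed(SCANNER, 40000, WEB, 443)


def reply_decisions() -> Tuple[bool, str, str]:
    """The web server's reply to a legitimate client: allowed statefully by the
    security group; through the stateless NACL only if NACL_OUT exists."""
    sg = web_sg()
    sg.inbound_allowed(CLIENT, 54321, WEB, 443)
    sg_reply = sg.outbound_allowed(WEB, 443, CLIENT, 54321)
    with_rule, _ = nacl_evaluate(NACL_OUT, CLIENT, 54321)
    without_rule, _ = nacl_evaluate([], CLIENT, 54321)
    return sg_reply, with_rule, without_rule


if __name__ == "__main__":
    print("scanner: NACL says %s, SG admits=%s" % scanner_probe_decisions())
    print("reply: SG stateful=%s, NACL with rule=%s, without=%s" % reply_decisions())
```

The model shows why the scanner question is answered with a network ACL: the security group admits the scanner's HTTPS probe because it has no deny concept, while rule 50 of the ACL drops it before the broader allow is reached. It also shows the cost of statelessness: the same reply that the security group lets out by connection tracking is dropped by an ACL with no outbound ephemeral-port rule.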
Which of the following is not a characteristic of the Auto Scaling service on AWS? A. Enforces a minimum number of running Amazon EC2 instances. B. Sends traffic to heavy instances. C. Launches instances from a specified AMI. D. Responds to changing conditions by adding EC2 instances.
B. Sends traffic to heavy instances.
Which design principles are recommended when considering performance efficiency? (Choose two) A. Enabling traceability B. Serverless Architecture C. Expenditure awareness D. Democratize advanced technologies E. Match supply with demand
B. Serverless Architecture D. Democratize advanced technologies
True or False: S3 is object storage suitable for the storage of 'flat' files like Word documents, photos, etc. A. False B. True
B. True
True or False: A CloudFront Origin can be an S3 bucket, an EC2 instance, an Elastic Load Balancer, or Route 53? A. False B. True
B. True A CloudFront Origin can be an S3 bucket, an EC2 instance, an Elastic Load Balancer, or Route 53.
Which TWO statements best describe the AWS Personal Health Dashboard? A. A concise representation of the general status of AWS services B. User-specific view on the availability and performance of AWS services underlying their AWS resources. C. A service that prompts the user with alerts and notifications on AWS scheduled activities, pending issues, and planned changes. D. A minute-by-minute update of system outages and service errors on the AWS global infrastructure E. A rolling log of all service interruptions across the AWS network, with records of incidents kept for a year
B. User-specific view on the availability and performance of AWS services underlying their AWS resources. C. A service that prompts the user with alerts and notifications on AWS scheduled activities, pending issues, and planned changes.
Which of the following scenarios is most appropriate to implement Amazon ElastiCache in order to improve on performance? A. Where there are frequent writes to a database instance B. Where there are frequent reads of static content on a web application C. Where there are frequent reads of dynamic content on a web application D. Where there are infrequent random reads to static content on a web application
B. Where there are frequent reads of static content on a web application
Spot instances
Bid for unused capacity, up to 90% discount - Can be terminated at any time - Workloads with flexible start and end times
AWS Storage Services
Block vs file vs object storage
Amazon RDS pricing
- Clock hours of server uptime
  ○ Amount of time the DB instance is running
- Database characteristics
  ○ Database engine, size and memory class
- Database purchase type
  ○ On demand, reserved
When using Amazon Relational Database Service (Amazon RDS) Multi-AZ, how can you offload read requests from the primary? (Choose 2 answers) A. Configure the connection string of the clients to connect to the secondary node and perform reads while the primary is used for writes. B. Amazon RDS automatically sends writes to the primary and sends reads to the secondary. C. Add a read replica DB instance, and configure the client's application logic to use a read-replica. D. Create a caching environment using ElastiCache to cache frequently used data. Update the application logic to read/write from the cache.
C, D. Amazon RDS allows for the creation of one or more read replicas for many engines that can be used to handle reads. Another common pattern is to create a cache using Memcached and Amazon ElastiCache to store frequently used queries. The Multi-AZ standby DB instance is not accessible and cannot be used to offload queries.
Which of the following AWS tools help your application scale up or down based on demand? (Choose two) A. Agile Load Balancing B. Auto Availability Zones C. Elastic Load Balancing D. AWS CloudFormation E. Auto Scaling
C. & E. Auto Scaling and Elastic Load balancing help your applications scale up or down.
What is the minimum size subnet that you can have in an Amazon VPC? A. /24 B. /26 C. /28 D. /30
C. /28 The minimum size subnet that you can have in an Amazon VPC is /28.
You are a solutions architect working for a large travel company that is migrating its existing server estate to AWS. You have recommended that they use a custom Amazon VPC, and they have agreed to proceed. They will need a public subnet for their web servers and a private subnet in which to place their databases. They also require that the web servers and database servers be highly available and that there be a minimum of two web servers and two database servers each. How many subnets should you have to maintain high availability? A. 2 B. 3 C. 4 D. 1
C. 4 You need two public subnets (one for each Availability Zone) and two private subnets (one for each Availability Zone). Therefore, you need four subnets.
You are the architect of a custom application running inside your corporate data center. The application runs with some unresolved bugs that produce a lot of data inside custom log files generating time-consuming activities to the operation team who is responsible for analyzing them. You want to move the application to AWS using EC2 instances, and at the same time, take the opportunity for improving logging and monitoring capabilities but without touching the application code. What AWS service should you use to satisfy the requirement? A. AWS Kinesis Data Streams B. AWS CloudTrail C. AWS CloudWatch Logs D. AWS Application Logs
C. AWS CloudWatch Logs
You need to use an AWS service to assess the security and compliance of your EC2 instances. Which of the following services should you use? A. AWS WAF B. AWS Shield C. AWS Inspector D. AWS Trusted Advisor
C. AWS Inspector AWS Inspector assesses the security and compliance of your EC2 instances.
When running a relational database on either your hardware or on an EC2 instance, you are responsible for which of the following? A. Database backups and high-availability B. Data security C. All of these D. Operating system maintenance E. Software install and patches
C. All of these When running a relational database on your own hardware or on an EC2 instance, you are responsible for all of these tasks: backups and high availability, data security, operating system maintenance, and software installation and patching. As the system designer or administrator you also control the energy footprint through size selection, load smoothing, and powering the instance off when not in use.
You create a new VPC in US-East-1 and provision three subnets inside this Amazon VPC. Which of the following statements is true? A. By default, these subnets will not be able to communicate with each other; you will need to create routes. B. All subnets are public by default. C. All subnets will be able to communicate with each other by default. D. Each subnet will have identical CIDR blocks.
C. All subnets will be able to communicate with each other by default. Every VPC route table contains a local route for the VPC's CIDR block, so subnets within the VPC can reach each other without additional routes; the traffic is still subject to security groups and network ACLs.
If you are developing an application that requires a database with extremely fast performance, fast scalability, and flexibility in the database schema, what should you consider? A. Amazon RDS B. Amazon ElastiCache C. Amazon DynamoDB D. Amazon Redshift
C. Amazon DynamoDB
What is the AWS feature that enables fast, easy, and secure transfers of files over long distances between your client and your Amazon S3 bucket? A. File Transfer B. HTTP Transfer C. Amazon S3 Transfer Acceleration D. S3 Acceleration
C. Amazon S3 Transfer Acceleration
Your company is moving a large application to AWS using a set of EC2 instances. A key requirement is reusing existing server-bound software licensing. Which of the following options is the best for satisfying the requirement? A. EC2 Dedicated Instances B. EC2 Reserved Instances C. EC2 Dedicated Hosts D. EC2 Spot Instances
C. EC2 Dedicated Hosts Instances on a Dedicated Host run on dedicated hardware whose physical characteristics (sockets, cores, host ID) AWS makes visible to you. The AWS documentation describes it as follows: "...Dedicated Host gives you additional visibility and control over how instances are placed on a physical server, and you can consistently deploy your instances to the same physical server over time. As a result, Dedicated Hosts enable you to use your existing server-bound software licenses and address corporate compliance and regulatory requirements."
Which of the following support plans features a < 15 minute response time in the event of a business-critical system down? A. Business B. Developer C. Enterprise D. Basic
C. Enterprise
EC2
Cloud Compute - web service that provides secure, resizable compute capacity in the cloud
What does the IAM policy simulator do? A. Generates policies. B. Automatically examines your existing IAM access control policies to ensure they comply with IAM policy grammar C. Evaluates the policies you chose and determines the effective permissions for each of the actions you specify. D. Is a standalone policy you can attach to multiple users, group, a& roles in your AWS account. E. All of the above.
C. Evaluates the policies you chose and determines the effective permissions for each of the actions you specify.
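The two IAM cards above (policies are JSON; the simulator reports the effective permissions of the policies you select) come together in the following added example. It is not AWS code and not the policy simulator itself: a deliberately reduced Python evaluator that applies the three rules the simulator's verdicts rest on (implicit deny, Allow on a matching action and resource, explicit Deny overriding everything) to two constructed policy documents. Bucket and prefix names are invented; Condition blocks, NotAction, resource-based policies, permissions boundaries and SCPs are left out.

```python
"""
Simplified IAM policy evaluation, constructed here to show what the policy
simulator computes; it is not AWS code.  It keeps the three rules that decide
an identity-based request:

  1. implicit deny: nothing is allowed until a statement allows it;
  2. an Allow whose Action and Resource match grants access;
  3. a matching Deny overrides every Allow (explicit deny always wins).

Condition blocks, NotAction/NotResource, resource-based policies, permissions
boundaries and SCPs are left out; real IAM evaluation includes all of them.
"""
import json
import re
from typing import Iterable, List, Union


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def iam_match(pattern: str, value: str, fold_case: bool) -> bool:
    """IAM wildcards only: '*' matches any run of characters and '?' exactly
    one; everything else is literal.  Action names compare case-insensitively,
    ARNs exactly."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if fold_case else 0) is not None


def evaluate(policies: Iterable[dict], action: str, resource: str) -> str:
    """Return 'allowed', 'explicitDeny' or 'implicitDeny', the three outcomes the
    IAM policy simulator reports for a single action/resource pair."""
    allowed = False
    for policy in policies:
        statements = policy["Statement"]
        if isinstance(statements, dict):          # a lone statement need not be a list
            statements = [statements]
        for stmt in statements:
            action_hit = any(iam_match(p, action, True)
                             for p in _as_list(stmt.get("Action", [])))
            resource_hit = any(iam_match(p, resource, False)
                               for p in _as_list(stmt.get("Resource", [])))
            if not (action_hit and resource_hit):
                continue
            if stmt.get("Effect") == "Deny":
                return "explicitDeny"              # no Allow anywhere can undo this
            allowed = True
    return "allowed" if allowed else "implicitDeny"


# Two constructed policies attached to the same principal (bucket and prefix
# names are invented): read-only access to a log bucket plus a guardrail that
# denies everything under a restricted prefix.
READ_ONLY_LOGS = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:Get*", "s3:List*"],
    "Resource": ["arn:aws:s3:::corp-logs", "arn:aws:s3:::corp-logs/*"]
  }]
}""")

DENY_RESTRICTED = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::corp-logs/restricted/*"
  }
}""")

POLICIES = [READ_ONLY_LOGS, DENY_RESTRICTED]

if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::corp-logs/2024/app.log"),
                     ("s3:GetObject", "arn:aws:s3:::corp-logs/restricted/keys.txt"),
                     ("s3:PutObject", "arn:aws:s3:::corp-logs/2024/app.log"),
                     ("ec2:DescribeInstances", "*")]:
        print(f"{act:24} {res:48} -> {evaluate(POLICIES, act, res)}")
```

Two points worth noticing when you compare this against the real simulator: the Deny is returned as soon as it matches, regardless of the order in which the policies are attached, and `s3:PutObject` is refused without any Deny statement at all, purely because no Allow covers it. Those are the two behaviours the exam expects you to know.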
You want a self-managed database, with complete control over the database engine and the underlying infrastructure. Which of the following options gives you that? A. Using the AWS DynamoDB service B. Using the AWS RDS service C. Hosting the database on an EC2 Instance D. Using the Amazon Aurora service
C. Hosting the database on an EC2 Instance If you want a self-managed database, that means you want complete control over the database engine and the underlying infrastructure. In such a case you need to host the database on an EC2 Instance
Which of the following Compliance certifications attests to the security of the AWS platform regarding credit card transactions? A. ISO 27001 B. SOC 2 C. PCI DSS Level 1 D. SOC 1
C. PCI DSS Level 1 A PCI DSS Level 1 certification attests to the security of the AWS platform regarding credit card transactions.
You are a solutions architect working for a media company that hosts its website on AWS. Currently, there is a single Amazon Elastic Compute Cloud (Amazon EC2) Instance on AWS with MySQL installed locally to that Amazon EC2 Instance. You have been asked to make the company's production environment more resilient and to increase performance. You suggest that the company split out the MySQL database onto an Amazon RDS Instance with Multi-AZ enabled. This addresses the company's increased resiliency requirements. Now you need to suggest how you can increase performance. Ninety-nine percent of the company's end users are magazine subscribers who will be reading additional articles on the website, so only one percent of end users will need to write data to the site. What should you suggest to increase performance? A. Alter the connection string so that if a user is going to write data, it is written to the secondary copy of the Multi-AZ database. B. Alter the connection string so that if a user is going to write data, it is written to the primary copy of the Multi-AZ database. C. Recommend that the company use read replicas, and distribute the traffic across multiple read replicas. D. Migrate the MySQL database to Amazon Redshift to take advantage of columnar storage and maximize performance.
C. In this scenario, the best idea is to use read replicas to scale out the database and thus maximize read performance. When using Multi-AZ, the secondary database is not accessible and all reads and writes must go to the primary or any read replicas.
In the Shared Responsibility Model, which of the following are examples of "security in the cloud?" (Choose two) A. Physical security of the facilities in which the services operate B. Compliance with compute security standards and regulations C. In which country content is stored D. Protecting the global infrastructure E. Which AWS services are used with the content
C. In which country content is stored E. Which AWS services are used with the content "Security in the cloud" is the customer's side of the model: where content is stored, which services process it, network-level security (security groups, network ACLs), guest operating system patches and updates, IAM user access, and client-side and server-side data encryption.
Which of the following are included in AWS Assurance Programs? (Choose two) A. Industry best practices B. Customer testimonials C. Laws, regulations, & privacy D. Partner validations E. Certification/Attestations
C. Laws, regulations, & privacy E. Certification/Attestations
You have a mission-critical application which must be globally available at all times. Which deployment strategy should you follow? A. Deploy to all Availability Zones in your home region. B. Multi-VPC in two AWS Regions C. Multi-Region D. Multi-Availability Zone
C. Multi-Region A Multi-Region deployment will best ensure global availability.
You need to allow resources in a private subnet to access the internet. Which of the following must be present to enable this access? A. Route Tables B. Security Groups C. NAT Gateway D. Network Access Control Lists
C. NAT Gateway A NAT Gateway is required to allow resources in a private subnet to access the internet.
You need to find an item in a DynamoDB table using an attribute other than the item's primary key. Which of the following operations should you use? A. POST B. Query C. Scan D. GET
C. Scan A table scan will allow you to do this.
Which of the following is not part of the AWS Global infrastructure? A. Availability Zones B. Regions C. Security Groups D. Edge Locations
C. Security Groups Regions, AZs, and Edge Locations are part of the AWS Global Infrastructure.
What is AWS Trusted Advisor? A. AWS service that helps you manage access to your account. B. Partner program that helps you validate your application deployment. C. Online tool that helps you configure resources to follow best practices. D. Professional Service offering that helps your migrate to the cloud.
C. Online tool that helps you configure resources to follow best practices.
Your company provides media content via the Internet to customers through a paid subscription model. You leverage Amazon CloudFront to distribute content to your customers with low latency. What approach can you use to serve this private content securely to your paid subscribers? A. Use HTTPS requests to ensure that your objects are encrypted when Amazon CloudFront serves them to viewers. B. Configure Amazon CloudFront to compress the media files automatically for paid subscribers. C. Provide signed Amazon CloudFront URLs to authenticated users to access the paid content.
C. Provide signed Amazon CloudFront URLs to authenticated users to access the paid content. A signed URL (or signed cookie) carries an expiry and a signature that CloudFront verifies before serving the object; HTTPS protects the content in transit but does nothing to restrict who may request it. Pair signed URLs with restricted access to the origin so subscribers cannot fetch the files directly from the S3 bucket and bypass the check.
You are building a photo management application that maintains metadata on millions of images in an Amazon DynamoDB table. When a photo is retrieved, you want to display the metadata next to the image. Which Amazon DynamoDB operation will you use to retrieve the metadata attributes from the table? A. Scan operation B. Search operation C. Query operation D. Find operation
C. Query is the most efficient operation to find a single item in a large table.
A telecommunications company has his hired you as a consultant to develop a business case for moving its IT applications and infrastructure to AWS. The company's leadership understands the agility value of the cloud, but the finance group is not interested in shifting capital expense to operating expense due to the company's tax structure. What will you include in the business case to attempt to satisfy everyone at the company? A. Show the company the TCO value of moving to an operating expense model B. Show the value of an elastic infrastructure for avoiding wasted capacity C. Suggest that the company make reserved instance purchases and capitalize them D. Suggest that the company wait to migrate to AWS until the current infrastructure is fully depreciated
C. Suggest that the company make reserved instance purchases and capitalize them Many companies capitalize reserved instance purchases, especially those with 3-year terms. Waiting for current infrastructure to fully depreciate will cause the company to miss the other cloud benefits that are available. Moving the company to an operating expense model will prove too large a task, and will most likely result in a rejected business case. Elastic infrastructure is definitely a benefit, but doesn't address the capitalization issue.
You have created a custom Amazon VPC with both private and public subnets. You have created a NAT instance and deployed this instance to a public subnet. You have attached an EIP address and added your NAT to the route table. Unfortunately, instances in your private subnet still cannot access the Internet. What may be the cause of this? A. Your NAT is in a public subnet, but it needs to be in a private subnet. B. Your NAT should be behind an Elastic Load Balancer. C. You should disable source/destination checks on the NAT. D. Your NAT has been deployed on a Windows instance, but your other instances are Linux. You should redeploy the NAT onto a Linux instance.
C. You should disable source/destination checks on the NAT. By default an EC2 instance only accepts traffic addressed to itself and drops packets it would have to forward. A NAT instance handles traffic whose source or destination is another instance, so the source/destination check must be disabled on it.
Which of the following features of an Amazon VPC can only exist in one Availability Zones at a time? A. None of these B. a Security Group C. a Subnet D. a Route Table
C. a Subnet A specific subnet can only exist in one Availability Zone, however you can create multiple subnets so that your VPC can span multiple Availability Zones. Route tables are applied to subnets, however one route table can be applied to many subnets, meaning it can exist in multiple zones. Similarly, a single security group can be used in more than one AZ.
Which of the following are AWS IAM best practices? (Choose two) A. Provide users with default admin privileges. B. Leave unused and unnecessary user and credentials in place. C. Monitor activity in your AWS account. D. Rotate credentials regularly
C. Monitor activity in your AWS account. D. Rotate credentials regularly
Infrastructure as Code
CF (AWS CloudFormation)
What services would you use if you would like to be notified when you cross a billing threshold?
Amazon CloudWatch (billing alarms) and AWS Budgets
Savings Plans
Commitment to a consistent amount of usage (EC2, Fargate and Lambda) - Measured in $/hour - 1- or 3-year commitment
Amazon Machine Image (AMI) comes in 3 main categories
- Community AMIs: free, you select the OS you want
- AWS Marketplace AMIs: pay to use, come packaged with additional licensed software
- My AMIs: AMIs that you create yourself
Fundamentals of Pricing
- Compute: CPU/RAM and duration
- Storage: quantity of data stored or allocated
- Outbound data transfer: data leaving an AWS Region
Public cloud
Connected to the internet. Benefits: variable cost, economies of scale, massive elasticity
AWS Organizations
Consolidated billing benefits:
  ○ One bill - you get one bill for multiple accounts
  ○ Easy tracking - track charges across multiple accounts and download the combined cost and usage data
  ○ Combined usage - combine the usage across all accounts to share the volume pricing discounts and reserved instance discounts
  ○ No extra fee - consolidated billing is offered at no additional cost
AWS Developer Tools (code*)
Continuous Integration / Continuous Delivery - AWS CodePipeline - AWS CodeStar
docker container size
Containers are small, so they start up quickly and are very resource efficient; they do not use a lot of CPU or memory
Customer Specific
Controls which are solely the responsibility of the customer, based on the application they are deploying within AWS services
Amazon lex
Conversational AI for chatbots - Build conversational interfaces into any application using voice and text
Amazon polly turns text into lifelike speech
Create applications that talk and build entirely new categories of speech enabled products
Which of the following is the Amazon side of an Amazon VPN connection? A. An EIP B. A CGW C. An IGW D. A VPG
D. A VPG A CGW is the customer side of a VPN connection, and an IGW connects a network to the Internet. A VPG is the Amazon side of a VPN connection.
Which of the following is correct? A. # of Regions > # of Availability Zones > # of Edge Locations B. # of Availability Zones > # of Edge Locations > # of Regions C. # of Availability Zones > # of Regions > # of Edge Locations D. # of Edge Locations > # of Availability Zones > # of Regions
D. # of Edge Locations > # of Availability Zones > # of Regions The number of Edge Locations is greater than the number of Availability Zones, which is greater than the number of Regions.
How long does Amazon CloudWatch keep metric data? A. 2 weeks B. 1 month C. 12 months D. 15 months E. 24 months
D. 15 months
How many VPC Peering connections are required for four VPCs located within the same AWS region to be able to send traffic to each of the others? A. 3 B. 4 C. 5 D. 6
D. 6. VPC peering is not transitive, so every pair of VPCs needs its own peering connection: 4 x 3 / 2 = 6 connections.
You create a new subnet and then add a route to your route table that routes traffic out from that subnet to the Internet using an IGW. What type of subnet have you created? A. An internal subnet B. A private subnet C. An external subnet D. A public subnet
D. A public subnet By creating a route out to the Internet using an IGW, you have made this subnet public.
You are an AWS Enterprise customer with questions about billing and your overall AWS account. Which of the following AWS support personnel should you contact? A. AWS Technical Account Manager B. AWS Support C. AWS Billing and Accounts D. AWS Concierge
D. AWS Concierge For AWS Enterprise customers, the AWS Concierge is a resource dedicated to answering billing and account questions.
Your company is planning to host resources in the AWS Cloud. They want to use services which can be used to decouple resources hosted on the cloud. Which of the following services can help fulfil this requirement A. AWS EBS Volumes B. AWS EBS Snapshots C. AWS Glacier D. AWS SQS
D. AWS SQS Amazon Simple Queue Service (Amazon SQS) offers a reliable, highly-scalable hosted queue for storing messages as they travel between applications or microservices. It moves data between distributed application components and helps you decouple these components. ○ SQS uses a message-oriented API - SQS uses pull based (polling) not push based
In Amazon DynamoDB, what does the query operation allow you to do? A. Query a table using the partition key and an optional sort key filter B. Query any secondary indexes that exist for a table. C. Efficiently retrieve items from a table or secondary index. D. All of the Above.
D. All of the Above. In Amazon DynamoDB, the query operation allows you to do all these things.
_______ is up to five times faster than standard MySQL databases and three times faster than standard PostgreSQL databases. A. Amazon RDS B. Amazon Redshift C. Amazon DynamoDB D. Amazon Aurora
D. Amazon Aurora is up to five times faster than standard MySQL databases and three times faster than standard PostgreSQL databases.
Which AWS database service is best suited for non-relational databases? A. Amazon Redshift B. Amazon Relational Database Service (Amazon RDS) C. Amazon Glacier D. Amazon DynamoDB
D. Amazon DynamoDB is best suited for non-relational databases. Amazon RDS and Amazon Redshift are both structured relational databases.
Which AWS Cloud service is best suited for Online Analytics Processing (OLAP)? A. Amazon RDS B. Amazon Glacier C. Amazon DyanamoDB D. Amazon Redshift
D. Amazon Redshift is best suited for OLAP (analytics) workloads.
On a social media website, creative content goes viral for a few days and then rapidly declines in popularity and views thereafter. Which storage class and configuration option would you choose for a cost-effective storage? A. Amazon S3 Standard with object versioning B. Amazon S3 Intelligent-Tiering C. Amazon Elastic File Store (EFS) D. Amazon S3 Standard with lifecycle policies
D. Amazon S3 Standard with lifecycle policies
Which service would you use to send alerts based on Amazon CloudWatch alarms? A. AWS CloudTrail B. Amazon Route 53 C. AWS Trusted Advisor D. Amazon SNS
D. Amazon SNS is the service you would use to send alerts.
Which of the following disaster recovery deployment mechanisms has the highest downtime? A. Pilot light B. Warm standby C. Multi Site D. Backup and Restore
D. Backup and Restore
As per the AWS Acceptable Use Policy, penetration testing of EC2 instances: A. May be performed by AWS, and will be performed by AWS upon customer request. B. May be performed by AWS, and is periodically performed by AWS. C. Is expressly prohibited under all circumstances. D. Can be performed by the customer, provided they work with the list of services mentioned by AWS. E. May be performed by the customer on their own instances, only if performed from EC2 instances.
D. Can be performed by the customer, provided they work with the list of services mentioned by AWS.
What is defined as the ability for a system to remain operational even if some of the components of that system fail? (Select the best answer) A. DNS failover B. High durability C. High availability D. Fault Tolerance
D. Fault Tolerance
create numerous testing environments each day based on multiple concurrent project activities. Provisioning of these environments needs to happen within minutes to ensure that project deadlines are met. The number of environments needed daily varies depending on shifting priorities in business requirements. How can the team best achieve the agility they need for creating the testing environments? A. Invoke AWS Lambda functions to run the test scenarios B. Leverage AWS Auto Scaling to expand and contract the testing server pool based on demand C. Use AWS Systems Manager Automation to provision and de-provision the testing environments D. Have AWS CloudFormation provision the stacks and resources needed for the testing environments
D. Have AWS CloudFormation provision the stacks and resources needed for the testing environments AWS CloudFormation provides templates to specify all the AWS resources needed by the testing environments. These templates can be instantiated as stacks to provision consistent environments every time one is needed. AWS Auto Scaling will only handle the EC2 instances, and expands and contracts instances based on policies. AWS Systems Manager is useful for system administration tasks, and AWS Lambda has run-time limitations.
Which of the following best describes a system that is always available, without the need for human intervention? (Select the best answer) A. Elastic B. Fault-Tolerant C. Scalable D. Highly available
D. Highly available
Which of the following is the security protocol supported by Amazon VPC? A. SSH B. Advanced Encryption Standard (AES) C. Point-to-Point Tunneling Protocol (PPTP) D. IPsec
D. IPsec is the security protocol supported by Amazon VPC.
What is an AWS IAM instance profile? (Select the best answer) A. Is a document created using JSON that describes a set of permissions. B. Defines what actions you want to allow. C. Defines which resources you allow the action on D. Is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
D. Is a container for an IAM role that you can use to pass role information to an EC2 instance when the instance starts.
An online education company has customers on four continents. They need to run software functions to customize offerings for students in various locations around the globe based on parameters that each student enters. Which AWS service will provide this capability with the highest performance efficiency? A. Amazon API Gateway B. Amazon CloudFront C. Amazon Elastic Container Service D. Lambda@Edge
D. Lambda@Edge Lambda@Edge provides the capability to run Lambda functions at Edge Locations based on events generated by the CloudFront content delivery network, allowing customers to extend their web applications globally. Amazon Elastic Container Service and Amazon API Gateway would require implementations in each desired region.
You are a system administrator whose company has moved its production database to AWS. Your company monitors its estate using Amazon CloudWatch, which sends alarms using Amazon Simple Notification Service (Amazon SNS) to your mobile phone. One night, you get an alert that your primary Amazon Relational Database Service (Amazon RDS) Instance has gone down. You have Multi-AZ enabled on this instance. What should you do to ensure the failover happens quickly? A. Update your Domain Name System (DNS) to point to the secondary instance's new IP address, forcing your application to fail over to the secondary instance. B. Connect to your server using Secure Shell (SSH) and update your connection strings so that your application can communicate to the secondary instance instead of the failed primary instance. C. Take a snapshot of the secondary instance and create a new instance using this snapshot, then update your connection string to point to the new instance. D. No action is necessary. Your connection string points to the database endpoint, and AWS automatically updates this endpoint to point to your secondary instance.
D. No action is necessary. Monitor the environment while Amazon RDS recovers automatically: your connection string points to the DB endpoint, and AWS updates that endpoint to point to the standby instance.
Amazon Lightsail is an example of which of the following? A. Software as a Service B. Infrastructure as a Service C. Functions as a Service D. Platform as a Service
D. Platform as a Service Lightsail is AWS' Platform-as-a-Service offering.
Amazon elastic load balancing
ELB automatically distributes incoming application traffic across multiple targets, such as amazon EC2 instances, containers and IP addresses - in a single availability zone or across multiple availability zones
Which use case would warrant the cost-effective implementation of Amazon EC2 Reserved Instances with Spot Instances in the same build? A. A build that has sudden unpredictable workload spikes but for a short time horizon B. One in which there is a predictable resource demand over a long time horizon C. One that has a predictable workload over a long time horizon with prolonged and unpredictable spikes. D. One that has a constantly predictable workload with brief unpredictable spikes
D. One that has a constantly predictable workload with brief unpredictable spikes
Which of the following are not valid CloudFormation template sections? A. Resources B. Parameters C. Outputs D. Options
D. Options. A CloudFormation template has a fixed set of valid top-level sections (Resources is the only required one). Of the answers above, only "Parameters", "Resources" and "Outputs" are valid; "Options" is not a template section.
Which of the following EC2 options is best for long-term workloads with predictable usage patterns? A. Spot instances B. On-Demand instances C. Dedicated Host D. Reserved instances
D. Reserved instances Reserved instances are the most economical option for long-term workloads with predictable usage patterns.
Which of the following is an accurate statement regarding AWS resource tags? (Select TWO) A. All AWS resource tags have a semantic interpretation B. Within a resource tag, every defined key must have a value string C. By default, resource tags are assigned as null, null D. Resource tags can be edited or removed at any time E. Placement group does not support tags
D. Resource tags can be edited or removed at any time E. Placement group does not support tags
You need to host a file in a location that's publicly accessible from anywhere in the world. Which AWS service would best meet that need? A. RDS B. EC2 C. EBS D. S3
D. S3. With S3, objects can be accessed from anywhere in the world via a URL once the object has been made public (new buckets block public access by default, so this must be allowed explicitly).
In the Shared Responsibility Model, AWS has responsibility of providing what? (Select the best answer) A. Security of the Cloud B. Security for the cloud C. Security in the cloud D. Security of the cloud
D. Security of the cloud
While running an application on an EC2 instance behind an Elastic Load Balancer, an administrator receives a 504 error on their browser. What does this mean? A. The ELB instance has stopped running B. The application running on the EC2 instance is serving the 504 error page because it has exceeded its response timeout C. The URL for the application has expired D. The application is unresponsive so the ELB instance serves the 504 error page
D. The application is unresponsive, so the ELB serves the 504 (Gateway Timeout) error page: the backend did not respond before the load balancer's idle timeout expired.
Which of the following Amazon VPC resources would you use in order for EC2-VPC instances to send traffic directly to Amazon S3? A. Amazon S3 gateway B. IGW C. CGW D. VPC endpoint
D. VPC endpoint An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT device, VPN connection, or AWS Direct Connect.
Which of the following must be configured on an Elastic Load Balancing load balancer to accept incoming traffic? A. An instance B. A network interface C. A port D. A listener
D. You configure the load balancer to accept incoming traffic by specifying one or more listeners.
Which service should you use to migrate an existing db to AWS
DMS
Traffic Distribution
Data transfer and requests used to deliver content
S3 Intelligent-Tiering (Storage Class)
Designed to optimize costs by automatically moving data to the most cost-effective access tier, without performance impact or operational overhead
What best describes an AZ
Distinct locations within an AWS region that are engineered to be isolated from failures in other AZs
What should you consider when choosing a database type? A. Data Size B. Data access period C. Query Frequency D. Highly-Available E. All of the above
E. All of the above
Which AWS service is specifically designed to assist you in processing large data assets
EMR - web service that makes it easy to process large amounts of data efficiently
2 types of ECS Launch
EC2 launch type & Fargate Launch Type
What does S3 Transfer Acceleration use to get your data into AWS quicker?
Edge location
Where is CloudFront content cached?
Edge locations
S3 Glacier access time
Expedited: 1-5 mins Standard: 3-5 hrs Bulk: 5-12 hrs
S3 Glacier deep archive access time
Expedited: n/a Standard: 12 hrs Bulk: 48 hrs
FIGHT DR MCPXZ
F - FPGA - Field programmable gate array I - IOPS (storage optimized) G - Graphics H - High disk throughput T - Cheap general purpose (burstable) D - Density R - RAM M - Main choice for general purpose apps C - Compute P - Pictures (GPU for graphics/ML) X - Extreme memory Z - Extreme memory and CPU
Which of the Route 53 policies allow you to 1. Route data to second resource if the first is unhealthy, and 2. Route data to resources that have better performance
Failover Routing and latency based routing
IAM is a regional service
False
It's safer to use access keys than IAM roles
False
Access Control lists are used to make entire buckets public
False - bucket policies are used to make an entire bucket public; ACLs apply per object
With Consolidated Billing, the Paying Account can make changes to any of the resources owned by a linked account
False - the paying account cannot make changes to any of the resources owned by a linked account
To restrict access to an entire bucket, you use bucket control lists; and to restrict access to an individual objects, you can use object policies
False - to restrict access to an entire bucket you use bucket policies; to restrict access to individual objects you can use access control lists (ACLs)
Objects stored in S3 are stored in a single, central location within AWS
False, Objects stored in S3 are stored in multiple servers in multiple facilities across AWS
Route 53 3 functions
Features: ○ Domain registration - Route 53 allows you to register domain names ○ Domain Name System (DNS) - Route 53 translates names to IP addresses using a global network of authoritative DNS servers ○ Health checking - Route 53 sends automated requests to your application to verify that it is reachable, available, and functional
Aws cost explorer
Free tool that allows you to view charts of your costs - Can be used to discover patterns in how much you spend on aws resources over time and to identify cost problem areas
Aws appstream 2.0
Fully managed non-persistent application streaming service - Alternative to popular products such as citrix xenapp
Aws workdocs
Fully managed secure content creation , storage and collaboration service - Create, edit, and share content that's centrally stored on aws
AWS config
Fully managed service for compliance management Helps with compliance auditing, security analysis, resource change tracking and troubleshooting
CPU - Central Processing Unit Measurements:
Gigahertz (GHZ)
AWS Simple monthly calculator
Gives a monthly view of AWS pricing
Which is not a feature of AWS organizations a. Hierarchical based control over groups of IAM users and roles, within multiple accounts b. Grouping all of your AWS accounts into organizational unit (OUs) as part of a hierarchy c. Granular configuration of Security groups within a vpc d. AWS accounts which are members of an organization can have the benefit of Consolidated billing
Granular configuration of Security Groups within a VPC
Which Compliance guarantees attests to the fact that the AWS platform has met the standard required for t he secure storage of medical records in the US?
HIPAA (Health insurance portability and Accountability Act)
Hard drives are____ based storage systems?
Hard drives are block-based storage systems - The operating system can be used to create volumes.
Aws database migration service (DMS)
Helps you migrate databases to AWS quickly and securely - The source database remains fully operational during the migration, minimizing downtime to applications that rely on the database
Amazon sagemaker
Helps data scientists and developers to prepare, build, train, and deploy high quality machine learning (ml) models
3 types of cloud computing
Infrastructure as a Service (IaaS) Platform as a Service (PaaS) Software as a Service (SaaS)
Save when you reserve
Invest in reserve capacity (RDS and EC2) - Save up to 75% compared to on-demand (pay-as-you-go) - The more you pay for upfront the greater the discount
Amazon Simple Storage service (s3) best practices
It is best practice to create buckets in your region that are physically closest to your user to reduce latency
Which AWS service allows you to run code without having to worry about provisioning any underlying resources
Lambda
IAM policies are written using...
JSON
Snowcone
Small device used for edge computing, storage, and data transfer - Can transfer data offline and online with aws datasync agent
The AWS web application firewall can go down to which of the following OSI layers?
Layer 7
Aws IoT core
Lets you connect IoT devices to the aws cloud without the need to provision or manage servers
Amazon workspaces
Managed desktop as a service (DaaS) solution - Provision either windows or linux desktops
Hard Disk Drive (HDD) measurement
Measurement: Gigabyte (GB) Data is persistent even when the machine is off; when the machine is turned on, data is loaded from disk into memory
Aws server migration service (SMS)
Migrates servers and virtual machines to amazon EC2 - Agentless service which makes it easier and faster for you to migrate thousands of on-premises workloads to aws - Automate, schedule and track incremental replications of live server volumes
You have a mission critical application which must be globally available at all times. Which deployment strategy should you follow?
Multi-region
Amazon translate
Neural machine translation service that delivers fast, high quality, and affordable language translation - Localize content such as websites and applications for your diverse users
Amazon comprehend
Natural language processing (NLP) service - Uses machine learning to uncover info in unstructured data
Network Interface Card (NIC) measurement
Network router to the internet Measurements: megabits per second (Mbps) or Gigabits per second (Gbps)
Random Access Memory (RAM) measurements
Non-persistent storage: data is lost when it is off - Measurements: Gigabyte (GB)
Aws lambda
Number of requests - Duration of requests - rounded up to the nearest millisecond - Price is dependent on the amount of memory allocated to the function
Amazon Machine Image (AMI) includes..
One or more EBS snapshots or, for an instance store-backed AMI, a template for the root volume of the instance (OS, applications)
Aws datasync
Online data transfer service - Transfer data between on-premises storage and AWS storage services
Platform as a service (Paas)
Only data and code managed by you
Which of the following are not valid CloudFormation sections a. Parameters b. Resources c. Outputs d. Options
Options
Amazon Lightsail is an example of which kind of service?
PaaS
Pay less by using more
Pay less by using volume-based discounts - Tiered pricing means the more you use the lower the unit pricing
Aws migration hub,
Provides a single location to track the progress of application migrations across multiple aws and partner solutions
Snowball edge compute optimized
Provides block and object storage and optional GPU - Edge computing use cases
Snowball edge storage optimized
Provides block storage and Amazon S3-compatible object storage - Use for local storage and large scale data transfer
EMR
Provides managed Hadoop framework to process data across EC2 instances, big data
AWS WorkLink
Provides secure, one-click access to your internal websites and web apps from mobile devices - Does not require a VPN client or app
You are considering moving an on-prem SQL Server cluster into AWS, using EC2 instances rather than RDS. You need to recommend the most suitable EBS volume type for the cluster to use, but also pair it with a suitable EC2 instance type. You know that the throughput must be good, but the most important thing is to maintain a consistent level of IOPS under normal load which can increase to a much higher level at busy times. Choose the best EC2 and EBS option.
Provisioned IOPS EBS volumes with R5 EC2 instances
Aws cost & usage report
Publish aws billing reports to an S3 bucket - Reports break down cost by: ○ Hour, day, month, product, product resource, tags
Aws price list API
Query the prices of aws services - Price list service API - Aws price list API
What is AWS' data warehousing service?
Redshift
AWS Global Network.
Regions are connected by using a high bandwidth connection
AWS VPN CloudHub
Remote offices connect to the virtual private gateway in a hub-and-spoke model then sent to the AWS site
Which EC2 instance type will realize a savings over time in exchange for a contracted term of service
Reserved
Which EC2 option is best for long term workloads with predictale usage patterns
Reserved
S3 can be used to host a dynamic website, like one that runs on a LAMP stack
False - S3 can host static websites only
You need to host a file in a location that's publicly accessible from anywhere the world. Which AWS service would best meet that need?
S3, objects can be accessed from anywhere in the world via a dedicated URL
SCPs do not
SCPs do not grant permissions
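Added example (my code, not from the page): a small Python model of how a JSON IAM policy (see "IAM policies are written using JSON" above) is evaluated, and of why an SCP only filters. Explicit Deny wins over Allow, anything unmatched is implicitly denied, and for a user in a member account the effective permission is the intersection of the SCP and the identity policy. The two policies are constructed for this example; conditions, NotAction, principals and resource-based policies are left out of the model.

```python
import json
import re

# Constructed identity-based policy for a hypothetical IAM user
IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny",  "Action": "ec2:TerminateInstances", "Resource": "*"}
  ]
}
""")

# Constructed SCP attached to the account's OU: only S3 and CloudWatch are
# permitted. An SCP sets the ceiling; it grants nothing by itself.
SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "cloudwatch:*"], "Resource": "*"}
  ]
}
""")


def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: * matches any run, ? matches one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(statement, action, resource):
    # Action names are case-insensitive in IAM; resource ARNs are not.
    return (any(_glob(a, action, ignore_case=True) for a in _as_list(statement.get("Action", [])))
            and any(_glob(r, resource) for r in _as_list(statement.get("Resource", []))))


def evaluate(policy, action, resource):
    """Return 'deny', 'allow' or 'implicit_deny' for one policy document.
    An explicit Deny in any statement ends evaluation immediately."""
    decision = "implicit_deny"
    for statement in policy["Statement"]:
        if not _matches(statement, action, resource):
            continue
        if statement["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def is_allowed(action, resource, identity_policy=IDENTITY_POLICY, scp=SCP):
    """Effective permission for a user in a member account: the SCP must
    allow the action AND the identity policy must allow it."""
    return (evaluate(scp, action, resource) == "allow"
            and evaluate(identity_policy, action, resource) == "allow")


if __name__ == "__main__":
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("ec2:RunInstances", "*"),          # identity allows, SCP blocks
        ("cloudwatch:PutMetricData", "*"),  # SCP allows, nothing grants it
    ]:
        print(action, "->", is_allowed(action, resource))
```

The second and third cases are the point of the flashcard: ec2:RunInstances is allowed by the user's policy but filtered out by the SCP, and cloudwatch:PutMetricData is permitted by the SCP yet still denied because no identity policy grants it.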
Scalability
Scale up Scale out
AWS security Bulletins
Security and privacy events affecting AWS services are published
Aws budgets
Set custom budgets - set custom usage and reservation budgets - Configure alerts - receive alerts when you exceed or are forecast to exceed your alert threshold - Integrated with other aws services - includes cost explorer, chatbot, and service catalog
AWS Secrets Manager
Similar to Parameter Store - Allows native and automatic rotation of secrets - Fine-grained permissions - Central auditing of secret rotation
SNS
Simple Notification Service - ○ Amazon SNS is used for building and integrating loosely coupled, distributed applications ○ Provides instantaneous, push based delivery (no polling) ○ Uses simple APIs and easy to integrate with applications - Offered under an inexpensive pay as you go model with no up-front cost
You have a project that will require 90 hours of computing time. There is no deadline, and the work can be stopped and restarted without adverse effect. Which of the following computing options offers the most cost-effective solution?
Spot instances
Which native AWS service will act as a file system mounted on an S3 bucket
Storage Gateway - used for attaching infrastructure located in a data center to the AWS storage infrastructure
Amazon S3 pricing
Storage class - standard or IA - Storage quantity - data volume stored in your buckets on a per GB basis - Number of requests - the number and type of requests lifecycles transitions requests - moving data between storage classes - Data transfer - data transferred out of an S3 region is charged
S3 object lock
Prevents objects from being deleted or overwritten for a fixed time or indefinitely
A cloudfront origin can be an S3 bucket, an EC2 instance, an elastic load balancer, or Route53
True
A distribution is what we call a series of edge locations that make up CDN
True
S3 object storage is suitable for the storage of flat files (word docs, photos, etc)
True
Which of the following AWS services can help you assess the fault tolerance of your AWS environment
Trusted Advisor
Which of the following services will help you optimize your entire AWS environment in real time following AWS best practices?
Trusted Advisor
You need to implement an automated service that will scan your AWS environment with the goal of both improving security and reducing costs. Which service should you use?
Trusted advisor
VPC peering
Used to route between VPCs using private IP addresses
Snowball family
Uses a secure storage device for physical transportation - Snowball: 50 TB or 80 TB, "petabyte scale" - Snowball Edge: 100 TB, "petabyte scale" - Snowmobile: "exabyte scale", up to 100 PB per Snowmobile
Systems Manager
Visibility and control of your infrastructure on AWS
Amazon EBS pricing
Volumes ○ Volume storage for all EBS volumes type is charged by the amount of GB provisioned per month - Snapshots ○ Based on the amount of space consumed by snapshots in S3
WAF
Web Application Firewall - Service that helps protect your web applications from common web exploits (such as SQL injection and cross-site scripting) that could affect application availability, compromise security, or consume excessive resources - Layer 7 (HTTP) firewall - Blocks or counts requests matching rules you define (IP sets, rate limits, managed rule groups)
User data is
data that is supplied by the user at instance launch, usually as a script - Stored in plain text and readable from inside the instance through the instance metadata service, so never put secrets in it
AWS Shared Responsibility Model
While AWS manages security OF the cloud, Customers manage security IN the cloud
Software as a service (SaaS)
You dont have to manage anything Pure consumption model
ECS launch types vs fargate
You manage EC2 instances which are the hosts for running the tasks VS AWS manages the underlying compute, cluster, and scaling - Serverless implementation so no need to manage - Limited control, but automatic
API (Application Programming Interface)
a collection of commands made available to a programmer - provides instructions
AWS CodeCommit
a secure, highly scalable, managed source control service that hosts private Git repositories. It makes it easy for teams to securely collaborate on code with contributions encrypted in transit and at rest.
AWS Budgets
ability to set custom budgets that alert you when your costs or usage exceed you budgeted amount
Service Control Policies (SCP)
are a feature of AWS Organizations
Extra non-boot volumes are
are not deleted on termination by default
EBS volumes are AZ specific but snapshots are
are region specific
Pay
as-you-go (on demand) - Easily adapt to changing business needs - Improved responsiveness to change - Adapt based on needs, not forecasts - Reduce the risk of over-provisioning or missing capacity
Data Lifecycle Management
automates the creation, retention, and deletion of EBS snapshots and EBS-backed AMIs
AutoScaling
automatically adjusts capacities to maintain steady, predictable performance at the lowest possible cost
General Purpose SSD (GP2)
balances price and performance for a variety of workloads
What service do all support accounts receive?
billing support
Amazon dynamoDB
charged for reading, writing, and storing data - On-demand capacity mode ○ Charged for read and writes ○ No need to specify how much capacity is required ○ Good for unpredictable workloads - Provisioned capacity mode ○ Specify number or reads and writes per second ○ Can use auto scaling ○ Good for predictable workloads ○ Consistent traffic or gradual change
Lightsail provides
compute, storage, and networking capacity and capabilities to deploy and manage websites, web apps, and databases in the cloud - Can deploy load balancers and attach block storage
ECR
container registry that makes it easy for devs to store, manage, and deploy private Docker container images
Inherited Controls
controls which a customer fully inherits from AWS
Shared Controls
controls which apply to both infrastructure layer customer layers, but in completely separate contexts or perspectives. In a shared control, AWS provides the reqs for the infrastructure and the customer must provide their own control implementation within their use of AWS services
Instance metadata is
data about your instance (instance ID, IP addresses, attached IAM role credentials, user data) that you can use to configure or manage the running instance - Served over plain HTTP from 169.254.169.254 to any process on the instance, so treat it as readable by anything running there; prefer IMDSv2, which requires a session token
Roles are used for
delegating permissions and are assumed by services
Root EBS volumes are
deleted on termination by default
On
demand - Standard rate - no discount - No commitments - Dev/test, short term or unpredictable workloads
Elasticsearch Service
deploy, secure, operate, and scale to search, analyze, and visualize data in real-time
AWS Batch enables
developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs - Dynamically provisions the optimal quantity and type of compute resources - Batch launches, manages, and terminates resources as required (EC2 and ECS/Fargate)
CloudFormation
easy to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion
AWS Cost Explorer
easy to use interface that lets you visualize, understand, and manage your AWS costs and usage over time
Edge Locations
endpoints for AWS used for caching content close to users; they serve CloudFront, AWS's content delivery network (CDN)
Both you and a friend can have a S3 bucket called mytestbucket
false
Access keys are used for
for CLI/API access (programmatic)
S3 standard - IA (Storage Class)
for data that is accessed less frequently, but requires rapid access when needed. Lower storage fee than S3 Standard, but you are charged a retrieval fee
Instance store volumes are
high performance local disks that are physically attached to the host computer on which a EC2 instance runs
Provisioned IOPS SSD (IO1)
highest performance SSD volumes mission critical low latency or high throughput workloads - pay more
IAM
identity access management - when you create a user/group, it's created globally
EBS volume data persists
independently of the life of the instance - persistent storage
Paying Accounts
independent, cannot access the resources of other accounts limit 20 accounts
A bucket
is a container for objects
Amazon CodeGuru
is a developer tool that provides intelligent recommendations to improve code quality and identify an application's most expensive lines of code.
S3 versioning
is a means of keeping multiple variants of an object in the same bucket Versioning-enabled buckets enable you to recover objects from accidental deletion or overwrite
AWS Lambda Functions
is a serverless online code scripting platform within AWS that allows the user to write, edit and run code functions in various languages including JSON. These functions can be triggered to call or invoke other AWS applications in the user's build. - Pay for your use only
Amazon Organizations
is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage
Spot
lets you purchase spare computing capacity with no upfront commitment at discounted hourly rates, with flexible start and end times. Good for: -Applications that are only feasible at low cost -Applications that need additional capacity
Throughput Optimized HDD (ST1)
low cost HDD volume designed for frequently accessed, throughput-intensive workloads
Cold HDD (SC1)
lowest cost HDD volume designed for less frequently accessed workloads (file servers)
ECS services are used to
maintain a desired count of tasks
Resource Groups
makes it easy to group your resources by the tags assigned to them - Can apply automation
CloudSearch
managed service that makes it simple to set up, manage, and scale a search solution for your website or application, allows you to build search indexes
CloudWatch
monitoring and management services for devs, sysops, site reliability engineers
Elastic Container Service (ECS) can run on
multiple availability zones
Cloud Computing
on demand delivery of compute power, database storage, applications, and other IT resources through a cloud services platform via the internet with pay as you go pricing
availability zones should have
one or more data centers - They are physically separate and isolated from each other
Origin
origin of all files that the CDN will distribute - S3 bucket, EC2, elastic load balancer
The access key will use
permissions assigned to the IAM User
Use S3 versioning to
preserve, retrieve, and restore every version of every object stored in your S3 bucket
DNS (Domain Name System)
process computers use to resolve domain names to IP addresses (phonebook) - Amazon's DNS is Route 53
Tape gateway
provides a virtual tape library that is compatible with common backup software (block & file interfaces)
Volume gateway
provides block-based access for on premises servers
File gateway
provides file system interface to on-premises servers
Amazon Machine Image (AMI) is used to
provide the info required to launch an EC2 instance - consists of an EBS snapshot, permissions and configuration
Trusted Advisor
reduce cost, increase performance, and improve security by optimizing your AWS environment - Core checks and recommendations - free - Full Trusted Advisor - Business and Enterprise support only
Local zone extends
regions closer to end-users.
Amazon Elastic Containers Service (ECS) is used for
running Docker Containers (tasks) in the cloud
S3 Glacier (Storage Class)
secure, durable, low cost storage class for data archiving. Retrieval times configurable from minutes to hours
Instance stores are ideal for
temporary storage of info that changes frequently, such as buffers, caches, or scratch data - Data is lost when the instance is powered off
Your Dev team uses 4 on demand EC2 instances and your QA team has 5 reserved instances, only 3 of which are being used. Assuming all AWS accounts are under a single AWS Organization, how will the Dev team's instances be billed?
the dev team will be billed for 2 instances at on demand prices and 2 instances at the reserved instance price
SCPs control
the max available permissions in an AWS account
HTTP (Hypertext Transfer Protocol)
the protocol used for transmitting web pages over the Internet to APIs
EC2 instances must be in the
same Availability Zone as the EBS volume
Lightsail is great for
users who do not have deep AWS tech expertise as it makes it very easy to provision compute services
EC2 instances connect using
public addresses, and private addresses as well via an S3 Gateway Endpoint
What best describes EBS
virtual hard disks in the cloud
EBS
virtual hard disks, provides block level storage volumes for use with EC2 instances
API talks to
websites, applications, databases
Amazon EC2 instances can run
Windows, Linux, and macOS operating systems
Software development kit:
write code in an integrated development environment (IDE)
are there more edge locations than regions?
yes
On Demand
you pay a fixed rate for compute or db capacity with no long term commitments or upfront payments. Good for: -low cost + flexibility of EC2 without upfront payment -short term workloads -applications that are being tested
IAM Best Practices
• Use roles for applications that run on Amazon EC2 instances • Use roles to delegate permissions • Do not share access keys • Rotate credentials regularly • Remove unnecessary credentials • Use policy conditions for extra security • Monitor activity in your AWS account • Lock away your AWS account root user access keys • Create individual IAM users • Use groups to assign permissions to IAM users • Grant least privilege • Get started using permissions with AWS managed policies • Use customer managed policies instead of inline policies • Use access levels to review IAM permissions • Configure a strong password policy for your users • Enable MFA
Primary use cases for lambda
○ Data processing ○ Real-time file processing ○ Real-time stream processing - Build serverless backends for web, mobile, IoT and 3rd party API requests
AWS Step Functions
○ It makes it easy to coordinate the components of distributed applications as a series of steps in a visual workflow - You can quickly build and run state machines to execute the steps of your applications in a reliable and scalable fashion
Consolidated billing includes:
○ Paying account - independent and cannot access resources of other accounts ○ Linked accounts - all linked accounts are independent
Server Virtualization: Without virtualization
○ Physical hardware, add operating system, then application on top ○ Limitations: OS is tied to hardware (can't move it somewhere else) & hardware resources could be underutilized (waste)
DLM helps with:
○ Protects valuable data by enforcing a regular backup schedule ○ Create standardized AMIs that can be refreshed at regular intervals ○ Retain backups as required by auditors or compliance ○ Reduce storage costs by deleting outdated backups - Create disaster recovery backup policies that back up data to isolated accounts
AWS Simple Workflow Service
○ SWF is a web service that makes it easy to coordinate work across distributed application components ○ Create distributed asynchronous systems as workflows ○ Best suited for human-enabled workflows like order fulfilment - AWS recommends that for new applications customers consider Step Functions instead of SWF
Server Virtualization: With virtualization
○ Server at the bottom, then the hypervisor which creates a layer of abstraction ○ On top is the virtual hardware which is presented to the OS - This is known as a virtual server, machine, or instance - You can have multiple virtual machines running on one piece of hardware, move them more easily to other servers, or upgrade them
Amazon EC2 Auto Scaling policies
○ Target tracking: attempts to keep the group at or close to the metric ○ Simple scaling: adjust the group size based on metric ○ Step scaling: adjust the group size based on a metric, adjustments vary based on the size of the alarm breach - Scheduled scaling: adjust the group size at a specific time
Amazon MQ
○ message broker service ○ Similar to Amazon SQS ○ Based on Apache ActiveMQ and RabbitMQ ○ Used when customers require industry standard APIs and protocols - Useful when migrating existing queue based applications into the cloud